2006-12-30 03:15:58

by Chen, Kenneth W

Subject: [patch] aio: make aio_ring_info->nr_pages an unsigned int

The number of io_events currently allowed in an AIO event queue is no more
than 2^32-1, because the syscall is defined as:

asmlinkage long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp)

We internally allocate a ring buffer for nr_events and keep track of
page descriptors for each of these ring buffer pages. Since the page size
is significantly larger than the AIO event size (4096 versus 32), I don't
think it is ever possible to overflow nr_pages in a 32-bit quantity.

This patch changes nr_pages to unsigned int. On a 64-bit arch, changing
it to unsigned int also allows better packing of the aio_ring_info structure.


Signed-off-by: Ken Chen <[email protected]>

--- ./include/linux/aio.h.orig 2006-12-24 22:31:55.000000000 -0800
+++ ./include/linux/aio.h 2006-12-24 22:41:28.000000000 -0800
@@ -165,7 +165,7 @@ struct aio_ring_info {

struct page **ring_pages;
spinlock_t ring_lock;
- long nr_pages;
+ unsigned nr_pages;

unsigned nr, tail;

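Review bot: the hunk changes only the declaration of ->nr_pages, so every place in fs/aio.c that still walks it with a signed `long` counter now compares a signed value against an unsigned one; on a 32-bit build C's usual arithmetic conversions turn the signed counter into unsigned before the compare, so a negative or sentinel value silently passes or fails the bound, and -Wsign-compare will flag each site. Since `nr` and `tail` on the line below are already `unsigned`, the counters that iterate over ->nr_pages should be switched to `unsigned` in the same patch, which also documents that the references were audited.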

2007-01-03 01:14:18

by Zach Brown

Subject: Re: [patch] aio: make aio_ring_info->nr_pages an unsigned int

> --- ./include/linux/aio.h.orig 2006-12-24 22:31:55.000000000 -0800
> +++ ./include/linux/aio.h 2006-12-24 22:41:28.000000000 -0800
> @@ -165,7 +165,7 @@ struct aio_ring_info {
>
> struct page **ring_pages;
> spinlock_t ring_lock;
> - long nr_pages;
> + unsigned nr_pages;
>
> unsigned nr, tail;
>
>

Hmm.

This seems so trivial as to not be worth it. It'd be more compelling
if it were more thorough -- doing things like updating the 'long i'
iterators that a few have over ->nr_pages. That kind of thing.
Giving some confidence that the references of ->nr_pages were audited.

- z

2007-01-03 01:23:14

by Chen, Kenneth W

Subject: RE: [patch] aio: make aio_ring_info->nr_pages an unsigned int

Zach Brown wrote on Tuesday, January 02, 2007 5:14 PM
> To: Chen, Kenneth W
> > --- ./include/linux/aio.h.orig 2006-12-24 22:31:55.000000000 -0800
> > +++ ./include/linux/aio.h 2006-12-24 22:41:28.000000000 -0800
> > @@ -165,7 +165,7 @@ struct aio_ring_info {
> >
> > struct page **ring_pages;
> > spinlock_t ring_lock;
> > - long nr_pages;
> > + unsigned nr_pages;
> >
> > unsigned nr, tail;
>
> Hmm.
>
> This seems so trivial as to not be worth it. It'd be more compelling
> if it were more thorough -- doing things like updating the 'long i'
> iterators that a few have over ->nr_pages. That kind of thing.
> Giving some confidence that the references of ->nr_pages were audited.


I had those changes earlier, but dropped them to make the patch smaller. It
all started with the head and tail index, which are defined as unsigned int in
the structure, but in aio.c all local variables that do temporary head and
tail calculation are unsigned long. While cleaning that up, it got expanded
into nr_pages etc. Oh well.

- Ken

2007-01-03 01:25:08

by Zach Brown

Subject: Re: [patch] aio: make aio_ring_info->nr_pages an unsigned int

>
> I had those changes earlier, but dropped them to make the patch smaller.

Still have it kicking around?

Making this stuff more consistent would be nice, I agree, I'm just
not sure it's worth the risk of running into some subtle bugs.

- z
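Two things in this thread can be checked in a few lines: Ken's argument that nr_pages can never overflow a 32-bit quantity, and the "subtle bugs" Zach is wary of when a signed iterator is compared against a field that has just become unsigned. The following is an added example written for this page; it is not Ken's patch and not the kernel's fs/aio.c code. It takes the 4096-byte page and 32-byte io_event from the thread, and assumes a 32-byte ring header and the kernel's rounding-up of the byte count to whole pages (both labelled in the code).

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* From the thread: 4096-byte pages, 32-byte io_events. The 32-byte ring
 * header is an assumption made for this example. */
#define PAGE_SIZE_BYTES   4096ULL
#define IO_EVENT_SIZE     32ULL
#define RING_HEADER_SIZE  32ULL   /* assumed */

/* sys_io_setup() takes nr_events as a 32-bit unsigned, so 2^32-1 is the
 * largest request the syscall can express. */
#define MAX_NR_EVENTS     0xFFFFFFFFULL

/* Pages needed for nr_events, computed in 64 bits so the intermediate
 * byte count cannot wrap. Returns 0 if the result does not fit in an
 * unsigned int (0 is never a valid answer: the header alone needs a page). */
unsigned aio_ring_pages_checked(uint64_t nr_events)
{
    uint64_t bytes = RING_HEADER_SIZE + IO_EVENT_SIZE * nr_events;
    uint64_t pages = (bytes + PAGE_SIZE_BYTES - 1) / PAGE_SIZE_BYTES; /* round up */
    if (pages > UINT_MAX)
        return 0;
    return (unsigned)pages;
}

/* Page count for the largest request the syscall allows. Because
 * PAGE_SIZE / sizeof(io_event) == 128, this is roughly 2^32 / 128 = 2^25,
 * leaving seven bits of headroom below UINT_MAX: Ken's claim holds. */
unsigned aio_ring_pages_worst_case(void)
{
    return aio_ring_pages_checked(MAX_NR_EVENTS);
}

/* The hazard behind Zach's "subtle bugs": a signed index compared against
 * an unsigned ->nr_pages. For int vs unsigned int (which is what `long`
 * vs `unsigned` becomes on a 32-bit arch) the usual arithmetic conversions
 * turn the signed operand into unsigned before comparing. The cast below
 * spells out what `i < nr_pages` does implicitly: -1 becomes UINT_MAX and
 * the bound check fails even though -1 is "below" every page count. */
int index_below_nr_pages_mixed(int i, unsigned nr_pages)
{
    return (unsigned)i < nr_pages;
}

/* The consistent version: the index carries the same type as the field,
 * so no conversion happens and the comparison means what it says. */
int index_below_nr_pages(unsigned i, unsigned nr_pages)
{
    return i < nr_pages;
}

int main(void)
{
    printf("worst-case nr_pages: %u (fits: %s)\n",
           aio_ring_pages_worst_case(),
           aio_ring_pages_worst_case() ? "yes" : "no");
    printf("-1 < 5 with mixed signedness: %d\n", index_below_nr_pages_mixed(-1, 5));
    printf("3 < 5 with matching types:    %d\n", index_below_nr_pages(3, 5));
    return 0;
}
```

Passing a 64-bit event count far above what the syscall can carry (for instance 2^44) makes the checked helper return 0, which is the overflow the 32-bit field would silently truncate if the arithmetic were done in 32 bits; on a 64-bit arch `long i` would not hit the mixed-signedness problem, which is exactly why such bugs only show up on some builds.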