From d1d85b5a0ef97c5081367d8ed3f0d01d04dad6dd Mon Sep 17 00:00:00 2001 From: "Perry E. Metzger" Date: Thu, 16 Apr 2026 16:02:54 -1000 Subject: [PATCH] FIO: Fix Big Endian sim_fwrite() error This problem was discovered by Codex initiated by Perry Metzger. sim_fwrite() in sim_fio.c has a bug in the big-endian/swapped write path. When a write spans more than one internal flip buffer, the function advances its source pointer by size * count on every chunk instead of by size * c, where c is the number of elements actually written in that chunk. This causes later chunks to read from the wrong part of the caller's buffer, which corrupts the file contents. Why this is wrong sim_fwrite() may break the caller's write into multiple pieces: nelem is the number of elements that fit in the flip buffer nbuf is the number of chunks to write c is the number of elements in the current chunk After writing one chunk, the source pointer must advance by the size of that chunk: sptr = sptr + size * c; But the original code advanced by the size of the entire original request every time: sptr = sptr + size * count; That is only correct if there is exactly one chunk. --- sim_fio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sim_fio.c b/sim_fio.c index 11757098..c2135d9f 100644 --- a/sim_fio.c +++ b/sim_fio.c @@ -289,7 +289,7 @@ sptr = (const unsigned char *) bptr; /* init input ptr */ for (i = (int32)nbuf; i > 0; i--) { /* loop on buffers */ c = (i == 1)? lcnt: nelem; sim_buf_copy_swapped (sim_flip, sptr, size, c); - sptr = sptr + size * count; + sptr = sptr + size * c; c = fwrite (sim_flip, size, c, fptr); if (c == 0) { free(sim_flip);
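Review bot: the corrected advance `sptr = sptr + size * c;` is right because at that point `c` still holds the element count of the current chunk (`lcnt` on the last iteration, `nelem` otherwise) and is only overwritten by the `fwrite` return value on the following line. Two points worth adding: first, a regression test that writes more than `nelem` elements through the swapped path (so `nbuf > 1`) and compares the resulting file bytes against the expected sequence, because the old `size * count` advance produces correct output for any single-chunk write and the corruption only appears on multi-buffer writes; second, since only `c == 0` is checked after `fwrite`, a short but nonzero write still leaves `sptr` advanced by the full chunk, which this patch does not touch but is the same class of pointer/count mismatch and deserves a separate follow-up.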