From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:36532) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X4V7z-0003h8-56 for qemu-devel@nongnu.org; Tue, 08 Jul 2014 09:08:18 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1X4V7n-0001yF-Tv for qemu-devel@nongnu.org; Tue, 08 Jul 2014 09:08:11 -0400 Received: from mx1.redhat.com ([209.132.183.28]:41965) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X4V7n-0001xo-Ll for qemu-devel@nongnu.org; Tue, 08 Jul 2014 09:07:59 -0400 Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s68D7wrs001044 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 8 Jul 2014 09:07:58 -0400 Date: Tue, 8 Jul 2014 15:07:54 +0200 From: Kevin Wolf Message-ID: <20140708130754.GD3857@noname.str.redhat.com> References: <1404489305-8750-1-git-send-email-kwolf@redhat.com> <1404489305-8750-4-git-send-email-kwolf@redhat.com> <53B85AD2.2090706@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <53B85AD2.2090706@redhat.com> Subject: Re: [Qemu-devel] [PATCH 3/4] qed: Make qiov match request size until backing file EOF List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Max Reitz Cc: qemu-devel@nongnu.org, stefanha@redhat.com Am 05.07.2014 um 22:06 hat Max Reitz geschrieben: > On 04.07.2014 17:55, Kevin Wolf wrote: > >If a QED image has a shorter backing file and a read request to > >unallocated clusters goes across EOF of the backing file, the backing > >file sees a shortened request and the rest is filled with zeros. > >However, the original too long qiov was used with the shortened request. > > > >This patch makes the qiov size match the request size, avoiding a > >potential buffer overflow in raw-posix. > > > >Signed-off-by: Kevin Wolf > >--- > > block/qed.c | 26 +++++++++++++++++++++++--- > > block/qed.h | 1 + > > 2 files changed, 24 insertions(+), 3 deletions(-) > > > >diff --git a/block/qed.c b/block/qed.c > >index b69374b..1f63b8f 100644 > >--- a/block/qed.c > >+++ b/block/qed.c > >@@ -772,6 +772,7 @@ static BDRVQEDState *acb_to_s(QEDAIOCB *acb) > > */ > > static void qed_read_backing_file(BDRVQEDState *s, uint64_t pos, > > QEMUIOVector *qiov, > >+ QEMUIOVector **backing_qiov, > > This could be documented in the comment above the function header. > > > BlockDriverCompletionFunc *cb, void *opaque) > > { > > uint64_t backing_length = 0; > >@@ -804,15 +805,20 @@ static void qed_read_backing_file(BDRVQEDState *s, uint64_t pos, > > /* If the read straddles the end of the backing file, shorten it */ > > size = MIN((uint64_t)backing_length - pos, qiov->size); > >+ *backing_qiov = g_new(QEMUIOVector, 1); > > I guess at least because of the qemu_iovec_destroy() block in > qed_aio_next_io() *backing_qiov always has to be NULL before this > point. I guess I'd like an assert(!*backing_qiov) here (or > assert(!acb->backing_qiov) before the call to > qed_read_backing_file() in qed_aio_read_data()) anyway to express > clearly that there can be no leaks. Okay, I'll add the suggested comment and assertion. > Speaking of leaks: Shouldn't the backing_qiov be freed in > qed_aio_complete()? I can't see a code path where cb (i.e. qed_aio_next_io or qed_copy_from_backing_file_write) wouldn't be called before reaching qed_aio_complete(). Both of them free backing_qiov. Kevin