qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
* [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes
@ 2018-06-29  6:03 Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 1/3] qcow2: Fix src_offset in copy offloading Fam Zheng
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Fam Zheng @ 2018-06-29  6:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, Max Reitz, qemu-block

These are unfortunately more serious than the previous two fixes but the
patches are not complicated.

Fam Zheng (3):
  qcow2: Fix src_offset in copy offloading
  iscsi: Don't blindly use designator length in response for memcpy
  file-posix: Fix EINTR handling

 block/file-posix.c         | 17 +++++++++--------
 block/iscsi.c              |  2 +-
 block/qcow2.c              |  1 +
 tests/qemu-iotests/063     |  9 +++++++++
 tests/qemu-iotests/063.out | 12 ++++++++++++
 5 files changed, 32 insertions(+), 9 deletions(-)

-- 
2.17.1

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 1/3] qcow2: Fix src_offset in copy offloading
  2018-06-29  6:03 [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Fam Zheng
@ 2018-06-29  6:03 ` Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 2/3] iscsi: Don't blindly use designator length in response for memcpy Fam Zheng
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Fam Zheng @ 2018-06-29  6:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, Max Reitz, qemu-block

Not updating src_offset will result in wrong data being written to dst
image.

Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
---
 block/qcow2.c              |  1 +
 tests/qemu-iotests/063     |  9 +++++++++
 tests/qemu-iotests/063.out | 12 ++++++++++++
 3 files changed, 22 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index a3a3aa2a97..9d4e6e32e4 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -3422,6 +3422,7 @@ qcow2_co_copy_range_to(BlockDriverState *bs,
         }
 
         bytes -= cur_bytes;
+        src_offset += cur_bytes;
         dst_offset += cur_bytes;
     }
     ret = 0;
diff --git a/tests/qemu-iotests/063 b/tests/qemu-iotests/063
index e4f6ea9385..adc037c1f5 100755
--- a/tests/qemu-iotests/063
+++ b/tests/qemu-iotests/063
@@ -91,6 +91,15 @@ if $QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n "$TEST_IMG.orig" "$TEST_IMG" >/dev
     exit 1
 fi
 
+echo "== Regression testing for copy offloading bug =="
+
+_make_test_img 1M
+TEST_IMG="$TEST_IMG.target" _make_test_img 1M
+$QEMU_IO -c 'write -P 1 0 512k' -c 'write -P 2 512k 512k' "$TEST_IMG" | _filter_qemu_io
+$QEMU_IO -c 'write -P 4 512k 512k' -c 'write -P 3 0 512k' "$TEST_IMG.target" | _filter_qemu_io
+$QEMU_IMG convert -n -O $IMGFMT "$TEST_IMG" "$TEST_IMG.target"
+$QEMU_IMG compare "$TEST_IMG" "$TEST_IMG.target"
+
 echo "*** done"
 rm -f $seq.full
 status=0
diff --git a/tests/qemu-iotests/063.out b/tests/qemu-iotests/063.out
index de1c99afd8..7b691b2c9e 100644
--- a/tests/qemu-iotests/063.out
+++ b/tests/qemu-iotests/063.out
@@ -7,4 +7,16 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=4194304
 No errors were found on the image.
 == Testing conversion to a smaller file fails ==
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=2097152
+== Regression testing for copy offloading bug ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1048576
+Formatting 'TEST_DIR/t.IMGFMT.target', fmt=IMGFMT size=1048576
+wrote 524288/524288 bytes at offset 0
+512 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+wrote 524288/524288 bytes at offset 524288
+512 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+wrote 524288/524288 bytes at offset 524288
+512 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+wrote 524288/524288 bytes at offset 0
+512 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Images are identical.
 *** done
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 2/3] iscsi: Don't blindly use designator length in response for memcpy
  2018-06-29  6:03 [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 1/3] qcow2: Fix src_offset in copy offloading Fam Zheng
@ 2018-06-29  6:03 ` Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 3/3] file-posix: Fix EINTR handling Fam Zheng
  2018-06-29  7:50 ` [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Kevin Wolf
  3 siblings, 0 replies; 5+ messages in thread
From: Fam Zheng @ 2018-06-29  6:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, Max Reitz, qemu-block

Per SCSI definition the designator_length we receive from INQUIRY is 8,
12 or at most 16, but we should be careful because the remote iscsi
target may misbehave, otherwise we could have a buffer overflow.

Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
---
 block/iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index 9f00fb47a5..4b7f574510 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -2226,7 +2226,7 @@ static void iscsi_populate_target_desc(unsigned char *desc, IscsiLun *lun)
     desc[5] = (dd->designator_type & 0xF)
         | ((dd->association & 3) << 4);
     desc[7] = dd->designator_length;
-    memcpy(desc + 8, dd->designator, dd->designator_length);
+    memcpy(desc + 8, dd->designator, MIN(dd->designator_length, 20));
 
     desc[28] = 0;
     desc[29] = (lun->block_size >> 16) & 0xFF;
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 3/3] file-posix: Fix EINTR handling
  2018-06-29  6:03 [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 1/3] qcow2: Fix src_offset in copy offloading Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 2/3] iscsi: Don't blindly use designator length in response for memcpy Fam Zheng
@ 2018-06-29  6:03 ` Fam Zheng
  2018-06-29  7:50 ` [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Kevin Wolf
  3 siblings, 0 replies; 5+ messages in thread
From: Fam Zheng @ 2018-06-29  6:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, Max Reitz, qemu-block

EINTR should be checked against errno, not ret. While fixing the bug,
collect the branches with a switch block.

Also, change the return value from -ENOSTUP to -ENOSPC when the actual
issue is request range passes EOF, which should be distinguishable from
the case of error == ENOSYS by the caller, so that it could still retry
with other byte ranges, whereas it shouldn't retry anymore upon ENOSYS.

Signed-off-by: Fam Zheng <famz@redhat.com>
---
 block/file-posix.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/block/file-posix.c b/block/file-posix.c
index 07bb061fe4..6b736f603a 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -1474,20 +1474,21 @@ static ssize_t handle_aiocb_copy_range(RawPosixAIOData *aiocb)
         ssize_t ret = copy_file_range(aiocb->aio_fildes, &in_off,
                                       aiocb->aio_fd2, &out_off,
                                       bytes, 0);
-        if (ret == -EINTR) {
-            continue;
+        if (ret == 0) {
+            /* No progress (e.g. when beyond EOF), let the caller fall back to
+             * buffer I/O. */
+            return -ENOSPC;
         }
         if (ret < 0) {
-            if (errno == ENOSYS) {
+            switch (errno) {
+            case ENOSYS:
                 return -ENOTSUP;
-            } else {
+            case EINTR:
+                continue;
+            default:
                 return -errno;
             }
         }
-        if (!ret) {
-            /* No progress (e.g. when beyond EOF), fall back to buffer I/O. */
-            return -ENOTSUP;
-        }
         bytes -= ret;
     }
     return 0;
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes
  2018-06-29  6:03 [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Fam Zheng
                   ` (2 preceding siblings ...)
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 3/3] file-posix: Fix EINTR handling Fam Zheng
@ 2018-06-29  7:50 ` Kevin Wolf
  3 siblings, 0 replies; 5+ messages in thread
From: Kevin Wolf @ 2018-06-29  7:50 UTC (permalink / raw)
  To: Fam Zheng; +Cc: qemu-devel, Max Reitz, qemu-block

Am 29.06.2018 um 08:03 hat Fam Zheng geschrieben:
> These are unfortunately more serious than the previous two fixes but the
> patches are not complicated.

Thanks, applied to the block branch.

Kevin

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-06-29  7:51 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-29  6:03 [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Fam Zheng
2018-06-29  6:03 ` [Qemu-devel] [PATCH 1/3] qcow2: Fix src_offset in copy offloading Fam Zheng
2018-06-29  6:03 ` [Qemu-devel] [PATCH 2/3] iscsi: Don't blindly use designator length in response for memcpy Fam Zheng
2018-06-29  6:03 ` [Qemu-devel] [PATCH 3/3] file-posix: Fix EINTR handling Fam Zheng
2018-06-29  7:50 ` [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Kevin Wolf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).