From: Stefan Hajnoczi <stefanha@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>, qemu-devel@nongnu.org
Cc: "Laurent Vivier" <lvivier@redhat.com>,
"Kevin Wolf" <kwolf@redhat.com>, "Thomas Huth" <thuth@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
qemu-block@nongnu.org, "Markus Armbruster" <armbru@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Coiby Xu" <Coiby.Xu@gmail.com>, "Max Reitz" <mreitz@redhat.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Cleber Rosa" <crosa@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Fam Zheng" <fam@euphon.net>
Subject: [PULL 14/30] util/vhost-user-server: fix memory leak in vu_message_read()
Date: Fri, 9 Oct 2020 20:35:13 +0100 [thread overview]
Message-ID: <20201009193529.322822-15-stefanha@redhat.com> (raw)
In-Reply-To: <20201009193529.322822-1-stefanha@redhat.com>
fds[] is leaked when qio_channel_readv_full() fails.
Use vmsg->fds[] instead of keeping a local fds[] array. Then we can
reuse goto fail to clean up fds. vmsg->fd_num must be zeroed before the
loop to make this safe.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20200924151549.913737-8-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
util/vhost-user-server.c | 50 ++++++++++++++++++----------------------
1 file changed, 23 insertions(+), 27 deletions(-)
diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
index 892815827d..5a60e2ca2a 100644
--- a/util/vhost-user-server.c
+++ b/util/vhost-user-server.c
@@ -100,21 +100,11 @@ vu_message_read(VuDev *vu_dev, int conn_fd, VhostUserMsg *vmsg)
};
int rc, read_bytes = 0;
Error *local_err = NULL;
- /*
- * Store fds/nfds returned from qio_channel_readv_full into
- * temporary variables.
- *
- * VhostUserMsg is a packed structure, gcc will complain about passing
- * pointer to a packed structure member if we pass &VhostUserMsg.fd_num
- * and &VhostUserMsg.fds directly when calling qio_channel_readv_full,
- * thus two temporary variables nfds and fds are used here.
- */
- size_t nfds = 0, nfds_t = 0;
const size_t max_fds = G_N_ELEMENTS(vmsg->fds);
- int *fds_t = NULL;
VuServer *server = container_of(vu_dev, VuServer, vu_dev);
QIOChannel *ioc = server->ioc;
+ vmsg->fd_num = 0;
if (!ioc) {
error_report_err(local_err);
goto fail;
@@ -122,41 +112,47 @@ vu_message_read(VuDev *vu_dev, int conn_fd, VhostUserMsg *vmsg)
assert(qemu_in_coroutine());
do {
+ size_t nfds = 0;
+ int *fds = NULL;
+
/*
* qio_channel_readv_full may have short reads, keeping calling it
* until getting VHOST_USER_HDR_SIZE or 0 bytes in total
*/
- rc = qio_channel_readv_full(ioc, &iov, 1, &fds_t, &nfds_t, &local_err);
+ rc = qio_channel_readv_full(ioc, &iov, 1, &fds, &nfds, &local_err);
if (rc < 0) {
if (rc == QIO_CHANNEL_ERR_BLOCK) {
+ assert(local_err == NULL);
qio_channel_yield(ioc, G_IO_IN);
continue;
} else {
error_report_err(local_err);
- return false;
+ goto fail;
}
}
- read_bytes += rc;
- if (nfds_t > 0) {
- if (nfds + nfds_t > max_fds) {
+
+ if (nfds > 0) {
+ if (vmsg->fd_num + nfds > max_fds) {
error_report("A maximum of %zu fds are allowed, "
"however got %lu fds now",
- max_fds, nfds + nfds_t);
+ max_fds, vmsg->fd_num + nfds);
+ g_free(fds);
goto fail;
}
- memcpy(vmsg->fds + nfds, fds_t,
- nfds_t *sizeof(vmsg->fds[0]));
- nfds += nfds_t;
- g_free(fds_t);
+ memcpy(vmsg->fds + vmsg->fd_num, fds, nfds * sizeof(vmsg->fds[0]));
+ vmsg->fd_num += nfds;
+ g_free(fds);
}
- if (read_bytes == VHOST_USER_HDR_SIZE || rc == 0) {
- break;
+
+ if (rc == 0) { /* socket closed */
+ goto fail;
}
- iov.iov_base = (char *)vmsg + read_bytes;
- iov.iov_len = VHOST_USER_HDR_SIZE - read_bytes;
- } while (true);
- vmsg->fd_num = nfds;
+ iov.iov_base += rc;
+ iov.iov_len -= rc;
+ read_bytes += rc;
+ } while (read_bytes != VHOST_USER_HDR_SIZE);
+
/* qio_channel_readv_full will make socket fds blocking, unblock them */
vmsg_unblock_fds(vmsg);
if (vmsg->size > sizeof(vmsg->payload)) {
--
2.26.2
next prev parent reply other threads:[~2020-10-09 19:56 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-09 19:34 [PULL 00/30] Block patches Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 01/30] block/nvme: Add driver statistics for access alignment and hw errors Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 02/30] libvhost-user: Allow vu_message_read to be replaced Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 03/30] libvhost-user: remove watch for kick_fd when de-initialize vu-dev Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 04/30] util/vhost-user-server: generic vhost user server Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 05/30] block: move logical block size check function to a common utility function Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 06/30] block/export: vhost-user block device backend server Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 07/30] test: new qTest case to test the vhost-user-blk-server Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 08/30] MAINTAINERS: Add vhost-user block device backend server maintainer Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 09/30] util/vhost-user-server: s/fileds/fields/ typo fix Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 10/30] util/vhost-user-server: drop unnecessary QOM cast Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 11/30] util/vhost-user-server: drop unnecessary watch deletion Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 12/30] block/export: consolidate request structs into VuBlockReq Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 13/30] util/vhost-user-server: drop unused DevicePanicNotifier Stefan Hajnoczi
2020-10-09 19:35 ` Stefan Hajnoczi [this message]
2020-10-09 19:35 ` [PULL 15/30] util/vhost-user-server: check EOF when reading payload Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 16/30] util/vhost-user-server: rework vu_client_trip() coroutine lifecycle Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 17/30] block/export: report flush errors Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 18/30] block/export: convert vhost-user-blk server to block export API Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 19/30] util/vhost-user-server: move header to include/ Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 20/30] util/vhost-user-server: use static library in meson.build Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 21/30] qemu-storage-daemon: avoid compiling blockdev_ss twice Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 22/30] block: move block exports to libblockdev Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 23/30] block/export: add iothread and fixed-iothread options Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 24/30] block/export: add vhost-user-blk multi-queue support Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 25/30] tests/qtest: add multi-queue test case to vhost-user-blk-test Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 26/30] block/io: fix bdrv_co_block_status_above Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 27/30] block/io: bdrv_common_block_status_above: support include_base Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 28/30] block/io: bdrv_common_block_status_above: support bs == base Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 29/30] block/io: fix bdrv_is_allocated_above Stefan Hajnoczi
2020-10-09 19:35 ` [PULL 30/30] iotests: add commit top->base cases to 274 Stefan Hajnoczi
2020-10-09 20:21 ` [PULL 00/30] Block patches no-reply
2020-10-11 18:32 ` Peter Maydell
2020-10-12 15:50 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201009193529.322822-15-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=Coiby.Xu@gmail.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=crosa@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=fam@euphon.net \
--cc=kwolf@redhat.com \
--cc=lvivier@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).