* [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32
@ 2022-10-19 10:20 Bin Meng
2022-10-19 10:20 ` [PATCH v4 2/3] util/main-loop: Avoid adding the same HANDLE twice Bin Meng
` (3 more replies)
0 siblings, 4 replies; 10+ messages in thread
From: Bin Meng @ 2022-10-19 10:20 UTC (permalink / raw)
To: qemu-devel, Daniel P . Berrangé, Marc-André Lureau
Cc: Bin Meng, Paolo Bonzini
From: Bin Meng <bin.meng@windriver.com>
The maximum number of wait objects for win32 should be
MAXIMUM_WAIT_OBJECTS, not MAXIMUM_WAIT_OBJECTS + 1.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
---
Changes in v4:
- make the out of bounds access protection explicit
Changes in v3:
- move the check of adding the same HANDLE twice to a separete patch
Changes in v2:
- fix the logic in qemu_add_wait_object() to avoid adding
the same HANDLE twice
util/main-loop.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/util/main-loop.c b/util/main-loop.c
index f00a25451b..de38876064 100644
--- a/util/main-loop.c
+++ b/util/main-loop.c
@@ -363,10 +363,10 @@ void qemu_del_polling_cb(PollingFunc *func, void *opaque)
/* Wait objects support */
typedef struct WaitObjects {
int num;
- int revents[MAXIMUM_WAIT_OBJECTS + 1];
- HANDLE events[MAXIMUM_WAIT_OBJECTS + 1];
- WaitObjectFunc *func[MAXIMUM_WAIT_OBJECTS + 1];
- void *opaque[MAXIMUM_WAIT_OBJECTS + 1];
+ int revents[MAXIMUM_WAIT_OBJECTS];
+ HANDLE events[MAXIMUM_WAIT_OBJECTS];
+ WaitObjectFunc *func[MAXIMUM_WAIT_OBJECTS];
+ void *opaque[MAXIMUM_WAIT_OBJECTS];
} WaitObjects;
static WaitObjects wait_objects = {0};
@@ -395,7 +395,7 @@ void qemu_del_wait_object(HANDLE handle, WaitObjectFunc *func, void *opaque)
if (w->events[i] == handle) {
found = 1;
}
- if (found) {
+ if (found && i < (MAXIMUM_WAIT_OBJECTS - 1)) {
w->events[i] = w->events[i + 1];
w->func[i] = w->func[i + 1];
w->opaque[i] = w->opaque[i + 1];
--
2.34.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH v4 2/3] util/main-loop: Avoid adding the same HANDLE twice
2022-10-19 10:20 [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
@ 2022-10-19 10:20 ` Bin Meng
2022-11-01 13:40 ` Philippe Mathieu-Daudé
2022-10-19 10:20 ` [PATCH v4 3/3] util/aio-win32: Correct the event array size in aio_poll() Bin Meng
` (2 subsequent siblings)
3 siblings, 1 reply; 10+ messages in thread
From: Bin Meng @ 2022-10-19 10:20 UTC (permalink / raw)
To: qemu-devel, Daniel P . Berrangé, Marc-André Lureau
Cc: Bin Meng, Paolo Bonzini
From: Bin Meng <bin.meng@windriver.com>
Fix the logic in qemu_add_wait_object() to avoid adding the same
HANDLE twice, as the behavior is undefined when passing an array
that contains same HANDLEs to WaitForMultipleObjects() API.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
---
(no changes since v3)
Changes in v3:
- new patch: avoid adding the same HANDLE twice
include/qemu/main-loop.h | 2 ++
util/main-loop.c | 10 ++++++++++
2 files changed, 12 insertions(+)
diff --git a/include/qemu/main-loop.h b/include/qemu/main-loop.h
index aac707d073..3c9a9a982d 100644
--- a/include/qemu/main-loop.h
+++ b/include/qemu/main-loop.h
@@ -157,6 +157,8 @@ typedef void WaitObjectFunc(void *opaque);
* in the main loop's calls to WaitForMultipleObjects. When the handle
* is in a signaled state, QEMU will call @func.
*
+ * If the same HANDLE is added twice, this function returns -1.
+ *
* @handle: The Windows handle to be observed.
* @func: A function to be called when @handle is in a signaled state.
* @opaque: A pointer-size value that is passed to @func.
diff --git a/util/main-loop.c b/util/main-loop.c
index de38876064..10fa74c6e3 100644
--- a/util/main-loop.c
+++ b/util/main-loop.c
@@ -373,10 +373,20 @@ static WaitObjects wait_objects = {0};
int qemu_add_wait_object(HANDLE handle, WaitObjectFunc *func, void *opaque)
{
+ int i;
WaitObjects *w = &wait_objects;
+
if (w->num >= MAXIMUM_WAIT_OBJECTS) {
return -1;
}
+
+ for (i = 0; i < w->num; i++) {
+ /* check if the same handle is added twice */
+ if (w->events[i] == handle) {
+ return -1;
+ }
+ }
+
w->events[w->num] = handle;
w->func[w->num] = func;
w->opaque[w->num] = opaque;
--
2.34.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH v4 3/3] util/aio-win32: Correct the event array size in aio_poll()
2022-10-19 10:20 [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
2022-10-19 10:20 ` [PATCH v4 2/3] util/main-loop: Avoid adding the same HANDLE twice Bin Meng
@ 2022-10-19 10:20 ` Bin Meng
2022-11-01 13:41 ` Philippe Mathieu-Daudé
2022-10-25 16:41 ` [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
2022-11-01 13:40 ` Philippe Mathieu-Daudé
3 siblings, 1 reply; 10+ messages in thread
From: Bin Meng @ 2022-10-19 10:20 UTC (permalink / raw)
To: qemu-devel, Daniel P . Berrangé, Marc-André Lureau
Cc: Bin Meng, Stefan Weil, Marc-André Lureau, Fam Zheng,
Stefan Hajnoczi, qemu-block
From: Bin Meng <bin.meng@windriver.com>
WaitForMultipleObjects() can only wait for MAXIMUM_WAIT_OBJECTS
object handles. Correct the event array size in aio_poll() and
add a assert() to ensure it does not cause out of bound access.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
---
(no changes since v2)
Changes in v2:
- change 'count' to unsigned
util/aio-win32.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/util/aio-win32.c b/util/aio-win32.c
index 44003d645e..80cfe012ad 100644
--- a/util/aio-win32.c
+++ b/util/aio-win32.c
@@ -326,9 +326,9 @@ void aio_dispatch(AioContext *ctx)
bool aio_poll(AioContext *ctx, bool blocking)
{
AioHandler *node;
- HANDLE events[MAXIMUM_WAIT_OBJECTS + 1];
+ HANDLE events[MAXIMUM_WAIT_OBJECTS];
bool progress, have_select_revents, first;
- int count;
+ unsigned count;
int timeout;
/*
@@ -369,6 +369,7 @@ bool aio_poll(AioContext *ctx, bool blocking)
QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
if (!node->deleted && node->io_notify
&& aio_node_check(ctx, node->is_external)) {
+ assert(count < MAXIMUM_WAIT_OBJECTS);
events[count++] = event_notifier_get_handle(node->e);
}
}
--
2.34.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32
2022-10-19 10:20 [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
2022-10-19 10:20 ` [PATCH v4 2/3] util/main-loop: Avoid adding the same HANDLE twice Bin Meng
2022-10-19 10:20 ` [PATCH v4 3/3] util/aio-win32: Correct the event array size in aio_poll() Bin Meng
@ 2022-10-25 16:41 ` Bin Meng
2022-11-01 1:14 ` Bin Meng
2022-11-01 13:40 ` Philippe Mathieu-Daudé
3 siblings, 1 reply; 10+ messages in thread
From: Bin Meng @ 2022-10-25 16:41 UTC (permalink / raw)
To: qemu-devel, Daniel P . Berrangé, Marc-André Lureau
Cc: Bin Meng, Paolo Bonzini
On Wed, Oct 19, 2022 at 6:20 PM Bin Meng <bmeng.cn@gmail.com> wrote:
>
> From: Bin Meng <bin.meng@windriver.com>
>
> The maximum number of wait objects for win32 should be
> MAXIMUM_WAIT_OBJECTS, not MAXIMUM_WAIT_OBJECTS + 1.
>
> Signed-off-by: Bin Meng <bin.meng@windriver.com>
> ---
>
> Changes in v4:
> - make the out of bounds access protection explicit
>
> Changes in v3:
> - move the check of adding the same HANDLE twice to a separete patch
>
> Changes in v2:
> - fix the logic in qemu_add_wait_object() to avoid adding
> the same HANDLE twice
>
> util/main-loop.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
Ping?
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32
2022-10-25 16:41 ` [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
@ 2022-11-01 1:14 ` Bin Meng
2022-11-01 12:03 ` Daniel P. Berrangé
0 siblings, 1 reply; 10+ messages in thread
From: Bin Meng @ 2022-11-01 1:14 UTC (permalink / raw)
To: qemu-devel, Daniel P . Berrangé, Marc-André Lureau
Cc: Bin Meng, Paolo Bonzini
Hi Daniel,
On Wed, Oct 26, 2022 at 12:41 AM Bin Meng <bmeng.cn@gmail.com> wrote:
>
> On Wed, Oct 19, 2022 at 6:20 PM Bin Meng <bmeng.cn@gmail.com> wrote:
> >
> > From: Bin Meng <bin.meng@windriver.com>
> >
> > The maximum number of wait objects for win32 should be
> > MAXIMUM_WAIT_OBJECTS, not MAXIMUM_WAIT_OBJECTS + 1.
> >
> > Signed-off-by: Bin Meng <bin.meng@windriver.com>
> > ---
> >
> > Changes in v4:
> > - make the out of bounds access protection explicit
> >
> > Changes in v3:
> > - move the check of adding the same HANDLE twice to a separete patch
> >
> > Changes in v2:
> > - fix the logic in qemu_add_wait_object() to avoid adding
> > the same HANDLE twice
> >
> > util/main-loop.c | 10 +++++-----
> > 1 file changed, 5 insertions(+), 5 deletions(-)
> >
>
> Ping?
Would you queue this series? Thanks!
Regards,
Bin
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32
2022-11-01 1:14 ` Bin Meng
@ 2022-11-01 12:03 ` Daniel P. Berrangé
2022-11-01 13:06 ` Bin Meng
0 siblings, 1 reply; 10+ messages in thread
From: Daniel P. Berrangé @ 2022-11-01 12:03 UTC (permalink / raw)
To: Bin Meng; +Cc: qemu-devel, Marc-André Lureau, Bin Meng, Paolo Bonzini
On Tue, Nov 01, 2022 at 09:14:55AM +0800, Bin Meng wrote:
> Hi Daniel,
>
> On Wed, Oct 26, 2022 at 12:41 AM Bin Meng <bmeng.cn@gmail.com> wrote:
> >
> > On Wed, Oct 19, 2022 at 6:20 PM Bin Meng <bmeng.cn@gmail.com> wrote:
> > >
> > > From: Bin Meng <bin.meng@windriver.com>
> > >
> > > The maximum number of wait objects for win32 should be
> > > MAXIMUM_WAIT_OBJECTS, not MAXIMUM_WAIT_OBJECTS + 1.
> > >
> > > Signed-off-by: Bin Meng <bin.meng@windriver.com>
> > > ---
> > >
> > > Changes in v4:
> > > - make the out of bounds access protection explicit
> > >
> > > Changes in v3:
> > > - move the check of adding the same HANDLE twice to a separete patch
> > >
> > > Changes in v2:
> > > - fix the logic in qemu_add_wait_object() to avoid adding
> > > the same HANDLE twice
> > >
> > > util/main-loop.c | 10 +++++-----
> > > 1 file changed, 5 insertions(+), 5 deletions(-)
> > >
> >
> > Ping?
>
> Would you queue this series? Thanks!
The main loop is not my area as maintainer - it would normally be
Paolo IIRC.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32
2022-11-01 12:03 ` Daniel P. Berrangé
@ 2022-11-01 13:06 ` Bin Meng
0 siblings, 0 replies; 10+ messages in thread
From: Bin Meng @ 2022-11-01 13:06 UTC (permalink / raw)
To: Daniel P. Berrangé, Paolo Bonzini
Cc: qemu-devel, Marc-André Lureau, Bin Meng
On Tue, Nov 1, 2022 at 8:03 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> On Tue, Nov 01, 2022 at 09:14:55AM +0800, Bin Meng wrote:
> > Hi Daniel,
> >
> > On Wed, Oct 26, 2022 at 12:41 AM Bin Meng <bmeng.cn@gmail.com> wrote:
> > >
> > > On Wed, Oct 19, 2022 at 6:20 PM Bin Meng <bmeng.cn@gmail.com> wrote:
> > > >
> > > > From: Bin Meng <bin.meng@windriver.com>
> > > >
> > > > The maximum number of wait objects for win32 should be
> > > > MAXIMUM_WAIT_OBJECTS, not MAXIMUM_WAIT_OBJECTS + 1.
> > > >
> > > > Signed-off-by: Bin Meng <bin.meng@windriver.com>
> > > > ---
> > > >
> > > > Changes in v4:
> > > > - make the out of bounds access protection explicit
> > > >
> > > > Changes in v3:
> > > > - move the check of adding the same HANDLE twice to a separete patch
> > > >
> > > > Changes in v2:
> > > > - fix the logic in qemu_add_wait_object() to avoid adding
> > > > the same HANDLE twice
> > > >
> > > > util/main-loop.c | 10 +++++-----
> > > > 1 file changed, 5 insertions(+), 5 deletions(-)
> > > >
> > >
> > > Ping?
> >
> > Would you queue this series? Thanks!
>
> The main loop is not my area as maintainer - it would normally be
> Paolo IIRC.
>
Thanks, but Paolo has been silent since day 1 ...
Regards,
Bin
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32
2022-10-19 10:20 [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
` (2 preceding siblings ...)
2022-10-25 16:41 ` [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
@ 2022-11-01 13:40 ` Philippe Mathieu-Daudé
3 siblings, 0 replies; 10+ messages in thread
From: Philippe Mathieu-Daudé @ 2022-11-01 13:40 UTC (permalink / raw)
To: Bin Meng, qemu-devel, Daniel P . Berrangé,
Marc-André Lureau
Cc: Bin Meng, Paolo Bonzini
On 19/10/22 12:20, Bin Meng wrote:
> From: Bin Meng <bin.meng@windriver.com>
>
> The maximum number of wait objects for win32 should be
> MAXIMUM_WAIT_OBJECTS, not MAXIMUM_WAIT_OBJECTS + 1.
>
> Signed-off-by: Bin Meng <bin.meng@windriver.com>
> ---
>
> Changes in v4:
> - make the out of bounds access protection explicit
>
> Changes in v3:
> - move the check of adding the same HANDLE twice to a separete patch
>
> Changes in v2:
> - fix the logic in qemu_add_wait_object() to avoid adding
> the same HANDLE twice
>
> util/main-loop.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/util/main-loop.c b/util/main-loop.c
> index f00a25451b..de38876064 100644
> --- a/util/main-loop.c
> +++ b/util/main-loop.c
> @@ -363,10 +363,10 @@ void qemu_del_polling_cb(PollingFunc *func, void *opaque)
> /* Wait objects support */
> typedef struct WaitObjects {
> int num;
> - int revents[MAXIMUM_WAIT_OBJECTS + 1];
> - HANDLE events[MAXIMUM_WAIT_OBJECTS + 1];
> - WaitObjectFunc *func[MAXIMUM_WAIT_OBJECTS + 1];
> - void *opaque[MAXIMUM_WAIT_OBJECTS + 1];
> + int revents[MAXIMUM_WAIT_OBJECTS];
> + HANDLE events[MAXIMUM_WAIT_OBJECTS];
> + WaitObjectFunc *func[MAXIMUM_WAIT_OBJECTS];
> + void *opaque[MAXIMUM_WAIT_OBJECTS];
> } WaitObjects;
>
> static WaitObjects wait_objects = {0};
> @@ -395,7 +395,7 @@ void qemu_del_wait_object(HANDLE handle, WaitObjectFunc *func, void *opaque)
> if (w->events[i] == handle) {
> found = 1;
> }
> - if (found) {
> + if (found && i < (MAXIMUM_WAIT_OBJECTS - 1)) {
Matter of style, I find this form easier to review (same logic than
what follows):
if (found && i + 1 < MAXIMUM_WAIT_OBJECTS) {
> w->events[i] = w->events[i + 1];
> w->func[i] = w->func[i + 1];
> w->opaque[i] = w->opaque[i + 1];
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v4 2/3] util/main-loop: Avoid adding the same HANDLE twice
2022-10-19 10:20 ` [PATCH v4 2/3] util/main-loop: Avoid adding the same HANDLE twice Bin Meng
@ 2022-11-01 13:40 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 10+ messages in thread
From: Philippe Mathieu-Daudé @ 2022-11-01 13:40 UTC (permalink / raw)
To: Bin Meng, qemu-devel, Daniel P . Berrangé,
Marc-André Lureau
Cc: Bin Meng, Paolo Bonzini
On 19/10/22 12:20, Bin Meng wrote:
> From: Bin Meng <bin.meng@windriver.com>
>
> Fix the logic in qemu_add_wait_object() to avoid adding the same
> HANDLE twice, as the behavior is undefined when passing an array
> that contains same HANDLEs to WaitForMultipleObjects() API.
>
> Signed-off-by: Bin Meng <bin.meng@windriver.com>
> ---
>
> (no changes since v3)
>
> Changes in v3:
> - new patch: avoid adding the same HANDLE twice
>
> include/qemu/main-loop.h | 2 ++
> util/main-loop.c | 10 ++++++++++
> 2 files changed, 12 insertions(+)
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v4 3/3] util/aio-win32: Correct the event array size in aio_poll()
2022-10-19 10:20 ` [PATCH v4 3/3] util/aio-win32: Correct the event array size in aio_poll() Bin Meng
@ 2022-11-01 13:41 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 10+ messages in thread
From: Philippe Mathieu-Daudé @ 2022-11-01 13:41 UTC (permalink / raw)
To: Bin Meng, qemu-devel, Daniel P . Berrangé,
Marc-André Lureau
Cc: Bin Meng, Stefan Weil, Marc-André Lureau, Fam Zheng,
Stefan Hajnoczi, qemu-block
On 19/10/22 12:20, Bin Meng wrote:
> From: Bin Meng <bin.meng@windriver.com>
>
> WaitForMultipleObjects() can only wait for MAXIMUM_WAIT_OBJECTS
> object handles. Correct the event array size in aio_poll() and
> add a assert() to ensure it does not cause out of bound access.
>
> Signed-off-by: Bin Meng <bin.meng@windriver.com>
> Reviewed-by: Stefan Weil <sw@weilnetz.de>
> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>
> (no changes since v2)
>
> Changes in v2:
> - change 'count' to unsigned
>
> util/aio-win32.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2022-11-01 17:19 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-10-19 10:20 [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
2022-10-19 10:20 ` [PATCH v4 2/3] util/main-loop: Avoid adding the same HANDLE twice Bin Meng
2022-11-01 13:40 ` Philippe Mathieu-Daudé
2022-10-19 10:20 ` [PATCH v4 3/3] util/aio-win32: Correct the event array size in aio_poll() Bin Meng
2022-11-01 13:41 ` Philippe Mathieu-Daudé
2022-10-25 16:41 ` [PATCH v4 1/3] util/main-loop: Fix maximum number of wait objects for win32 Bin Meng
2022-11-01 1:14 ` Bin Meng
2022-11-01 12:03 ` Daniel P. Berrangé
2022-11-01 13:06 ` Bin Meng
2022-11-01 13:40 ` Philippe Mathieu-Daudé
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).