From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:49553) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X3WEV-00045N-IU for qemu-devel@nongnu.org; Sat, 05 Jul 2014 16:06:57 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1X3WEP-0004OA-Bm for qemu-devel@nongnu.org; Sat, 05 Jul 2014 16:06:51 -0400 Received: from mx1.redhat.com ([209.132.183.28]:15417) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1X3WEP-0004Nx-1j for qemu-devel@nongnu.org; Sat, 05 Jul 2014 16:06:45 -0400 Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s65K6hes016356 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Sat, 5 Jul 2014 16:06:44 -0400 Message-ID: <53B85AD2.2090706@redhat.com> Date: Sat, 05 Jul 2014 22:06:42 +0200 From: Max Reitz MIME-Version: 1.0 References: <1404489305-8750-1-git-send-email-kwolf@redhat.com> <1404489305-8750-4-git-send-email-kwolf@redhat.com> In-Reply-To: <1404489305-8750-4-git-send-email-kwolf@redhat.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH 3/4] qed: Make qiov match request size until backing file EOF List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Kevin Wolf , qemu-devel@nongnu.org Cc: stefanha@redhat.com On 04.07.2014 17:55, Kevin Wolf wrote: > If a QED image has a shorter backing file and a read request to > unallocated clusters goes across EOF of the backing file, the backing > file sees a shortened request and the rest is filled with zeros. > However, the original too long qiov was used with the shortened request. > > This patch makes the qiov size match the request size, avoiding a > potential buffer overflow in raw-posix. > > Signed-off-by: Kevin Wolf > --- > block/qed.c | 26 +++++++++++++++++++++++--- > block/qed.h | 1 + > 2 files changed, 24 insertions(+), 3 deletions(-) > > diff --git a/block/qed.c b/block/qed.c > index b69374b..1f63b8f 100644 > --- a/block/qed.c > +++ b/block/qed.c > @@ -772,6 +772,7 @@ static BDRVQEDState *acb_to_s(QEDAIOCB *acb) > */ > static void qed_read_backing_file(BDRVQEDState *s, uint64_t pos, > QEMUIOVector *qiov, > + QEMUIOVector **backing_qiov, This could be documented in the comment above the function header. > BlockDriverCompletionFunc *cb, void *opaque) > { > uint64_t backing_length = 0; > @@ -804,15 +805,20 @@ static void qed_read_backing_file(BDRVQEDState *s, uint64_t pos, > /* If the read straddles the end of the backing file, shorten it */ > size = MIN((uint64_t)backing_length - pos, qiov->size); > > + *backing_qiov = g_new(QEMUIOVector, 1); I guess at least because of the qemu_iovec_destroy() block in qed_aio_next_io() *backing_qiov always has to be NULL before this point. I guess I'd like an assert(!*backing_qiov) here (or assert(!acb->backing_qiov) before the call to qed_read_backing_file() in qed_aio_read_data()) anyway to express clearly that there can be no leaks. Speaking of leaks: Shouldn't the backing_qiov be freed in qed_aio_complete()? Max