qemu-devel.nongnu.org archive mirror
From: Peter Maydell <peter.maydell@linaro.org>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Fam Zheng <fam@euphon.net>, Kevin Wolf <kwolf@redhat.com>,
	Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>,
	Qemu-block <qemu-block@nongnu.org>,
	QEMU Developers <qemu-devel@nongnu.org>,
	Max Reitz <mreitz@redhat.com>, John Snow <jsnow@redhat.com>
Subject: Re: [Qemu-devel] [PULL 01/12] util/iov: introduce qemu_iovec_init_extended
Date: Mon, 9 Sep 2019 18:39:24 +0100
Message-ID: <CAFEAcA8MsjfKTr9JANt39vGZNPk5McQaex7wTRJkOn+hqB54bg@mail.gmail.com>
In-Reply-To: <20190827201639.30368-2-stefanha@redhat.com>

On Tue, 27 Aug 2019 at 21:16, Stefan Hajnoczi <stefanha@redhat.com> wrote:
>
> From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
>
> Introduce new initialization API, to create requests with padding. Will
> be used in the following patch. New API uses qemu_iovec_init_buf if
> resulting io vector has only one element, to avoid extra allocations.
> So, we need to update qemu_iovec_destroy to support destroying such
> QIOVs.
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
> Message-id: 20190604161514.262241-2-vsementsov@virtuozzo.com
> Message-Id: <20190604161514.262241-2-vsementsov@virtuozzo.com>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Hi -- Coverity thinks this new function could have an
out-of-bounds read (CID 1405302):

> +/*
> + * Compile new iovec, combining @head_buf buffer, sub-qiov of @mid_qiov,
> + * and @tail_buf buffer into new qiov.
> + */
> +void qemu_iovec_init_extended(
> +        QEMUIOVector *qiov,
> +        void *head_buf, size_t head_len,
> +        QEMUIOVector *mid_qiov, size_t mid_offset, size_t mid_len,
> +        void *tail_buf, size_t tail_len)
> +{
> +    size_t mid_head, mid_tail;
> +    int total_niov, mid_niov = 0;
> +    struct iovec *p, *mid_iov;
> +
> +    if (mid_len) {
> +        mid_iov = qiov_slice(mid_qiov, mid_offset, mid_len,
> +                             &mid_head, &mid_tail, &mid_niov);
> +    }
> +
> +    total_niov = !!head_len + mid_niov + !!tail_len;
> +    if (total_niov == 1) {
> +        qemu_iovec_init_buf(qiov, NULL, 0);
> +        p = &qiov->local_iov;
> +    } else {
> +        qiov->niov = qiov->nalloc = total_niov;
> +        qiov->size = head_len + mid_len + tail_len;
> +        p = qiov->iov = g_new(struct iovec, qiov->niov);
> +    }
> +
> +    if (head_len) {
> +        p->iov_base = head_buf;
> +        p->iov_len = head_len;
> +        p++;
> +    }
> +
> +    if (mid_len) {
> +        memcpy(p, mid_iov, mid_niov * sizeof(*p));
> +        p[0].iov_base = (uint8_t *)p[0].iov_base + mid_head;
> +        p[0].iov_len -= mid_head;
> +        p[mid_niov - 1].iov_len -= mid_tail;
> +        p += mid_niov;
> +    }
> +
> +    if (tail_len) {
> +        p->iov_base = tail_buf;
> +        p->iov_len = tail_len;
> +    }
> +}
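Review bot: the report almost certainly comes from the two `if (mid_len)` blocks: `mid_iov`, `mid_head` and `mid_tail` are assigned only inside the first one, and nothing in the function tells a path-sensitive checker that a non-zero `mid_len` forces `qiov_slice()` to return `mid_niov >= 1`, so it also explores the path where `total_niov == 1` comes from `head_len` alone, `p` points at `local_iov`, and the `memcpy(p, mid_iov, mid_niov * sizeof(*p))` block still runs with an unset `mid_iov` and writes past the single element. Initialising `struct iovec *p, *mid_iov = NULL;`, guarding the copy with `if (mid_niov) {` instead of `if (mid_len) {`, and adding `assert(!mid_niov == !mid_len);` right after the slice would state the invariant for both readers and the tool. Two smaller things while here: the `total_niov == 1` branch calls `qemu_iovec_init_buf(qiov, NULL, 0)` and never assigns `qiov->size`, whereas the other branch sets it to `head_len + mid_len + tail_len`, so the single-element result is worth checking; and that sum is unchecked `size_t` arithmetic with no upper bound on `total_niov`, so an early range check returning an error would be cheap insurance for a function that takes caller-supplied lengths.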

but I'm not familiar enough with the code to be able to tell
if it's correct or if it's just getting confused. Could
somebody have a look? (It's possible it's getting confused
because the calculation of 'total_niov' uses 'mid_niov',
but the condition guarding the code that fills in that part
of the vector is 'mid_len', so it thinks it can take the
"total_niov == 1" codepath and also the "head_len == true"
and "mid_len != 0" paths; in which case using "if (mid_niov)"
instead might make it happier.)

thanks
-- PMM
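To make the point about the `mid_len` / `mid_niov` guard concrete, the following is an added, self-contained model of the head + sliced-mid + tail assembly, not QEMU's code and not part of this thread. `MiniQIOV`, `mini_slice`, `mini_init_extended`, `mini_gather` and `demo_padded_request` are hypothetical stand-ins for `QEMUIOVector`, `qiov_slice()` and `qemu_iovec_init_extended()`; the model uses `calloc` in place of `g_new`, and it deliberately takes the defensive form the message suggests (a NULL-initialised `mid_iov`, the copy guarded by `mid_niov`, and the `mid_len`/`mid_niov` link asserted) while also setting `size` on the single-element path. The input (three 4-byte buffers plus 2-byte head and tail pads) is constructed for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical stand-in for QEMU's QEMUIOVector (example only). */
typedef struct {
    struct iovec *iov;
    int niov;
    size_t size;
    struct iovec local_iov;   /* backs the vector when it has one element */
} MiniQIOV;

/* Stand-in for qiov_slice(): the elements of @src covering [offset, offset+len)
 * and the bytes to trim from the first (*head) and last (*tail) of them. */
static struct iovec *mini_slice(const MiniQIOV *src, size_t offset, size_t len,
                                size_t *head, size_t *tail, int *niov)
{
    int first = 0, last;
    size_t pos = 0, covered;
    assert(len > 0 && offset < src->size && len <= src->size - offset);
    for (; pos + src->iov[first].iov_len <= offset; first++) {
        pos += src->iov[first].iov_len;           /* skip elements before offset */
    }
    *head = offset - pos;
    covered = src->iov[first].iov_len - *head;
    for (last = first; covered < len; ) {
        covered += src->iov[++last].iov_len;      /* extend until len is covered */
    }
    *tail = covered - len;
    *niov = last - first + 1;
    return &src->iov[first];
}

/* Model of qemu_iovec_init_extended() in the defensive form discussed in the
 * thread: mid_iov starts NULL, the copy is guarded by mid_niov, the mid_len /
 * mid_niov link is asserted, and size is set on both paths.  0 on success. */
static int mini_init_extended(MiniQIOV *qiov, void *head_buf, size_t head_len,
                              const MiniQIOV *mid_qiov, size_t mid_offset,
                              size_t mid_len, void *tail_buf, size_t tail_len)
{
    size_t mid_head = 0, mid_tail = 0;
    int total_niov, mid_niov = 0;
    struct iovec *p, *mid_iov = NULL;
    if (mid_len) {
        mid_iov = mini_slice(mid_qiov, mid_offset, mid_len,
                             &mid_head, &mid_tail, &mid_niov);
    }
    assert(!mid_niov == !mid_len);   /* the invariant the analyser could not see */
    total_niov = !!head_len + mid_niov + !!tail_len;
    qiov->niov = total_niov;
    qiov->size = head_len + mid_len + tail_len;
    if (total_niov == 1) {
        p = qiov->iov = &qiov->local_iov;          /* no heap allocation */
    } else if (!(p = qiov->iov = calloc((size_t)total_niov, sizeof(*p)))) {
        return -1;
    }
    if (head_len) {
        *p++ = (struct iovec){ .iov_base = head_buf, .iov_len = head_len };
    }
    if (mid_niov) {                                /* guard on mid_niov, not mid_len */
        memcpy(p, mid_iov, (size_t)mid_niov * sizeof(*p));
        p[0].iov_base = (uint8_t *)p[0].iov_base + mid_head;
        p[0].iov_len -= mid_head;
        p[mid_niov - 1].iov_len -= mid_tail;
        p += mid_niov;
    }
    if (tail_len) {
        *p = (struct iovec){ .iov_base = tail_buf, .iov_len = tail_len };
    }
    return 0;
}

/* Flatten the bytes a vector describes into @out, which must hold qiov->size. */
static void mini_gather(const MiniQIOV *qiov, uint8_t *out)
{
    for (int i = 0; i < qiov->niov; i++) {
        memcpy(out, qiov->iov[i].iov_base, qiov->iov[i].iov_len);
        out += qiov->iov[i].iov_len;
    }
}

/* Constructed input: a 3-element mid vector with 2-byte head and tail pads.
 * Returns 1 if both the allocated and the local_iov paths come out right. */
static int demo_padded_request(void)
{
    char a[] = "AAAA", b[] = "BBBB", c[] = "CCCC", head[] = "hh", tail[] = "tt";
    struct iovec parts[3] = { { .iov_base = a, .iov_len = 4 }, { .iov_base = b, .iov_len = 4 },
                              { .iov_base = c, .iov_len = 4 } };
    MiniQIOV mid = { .iov = parts, .niov = 3, .size = 12 }, req;
    uint8_t out[32];
    /* head + bytes [2, 10) of mid + tail -> 5 elements, 12 bytes "hhAABBBBCCtt" */
    if (mini_init_extended(&req, head, 2, &mid, 2, 8, tail, 2)) return 0;
    mini_gather(&req, out);
    int ok = req.niov == 5 && req.size == 12 && memcmp(out, "hhAABBBBCCtt", 12) == 0;
    free(req.iov);
    /* head only -> one element, stored in local_iov, nothing allocated */
    if (mini_init_extended(&req, head, 2, &mid, 0, 0, NULL, 0)) return 0;
    mini_gather(&req, out);
    return ok && req.niov == 1 && req.size == 2 && req.iov == &req.local_iov &&
           memcmp(out, "hh", 2) == 0;
}
```

The second call in `demo_padded_request` is the case the checker worried about: `total_niov == 1` reached with `mid_len == 0`, where a guard on `mid_len` and a guard on `mid_niov` behave identically at run time but only the latter, together with the assertion, lets a tool prove the `memcpy` into `local_iov` cannot happen.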
