From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Junjie Cao <junjie.cao@intel.com>
Cc: qemu-devel@nongnu.org, peterx@redhat.com, farosas@suse.de
Subject: Re: [PATCH v2 2/3] migration/file: fix type mismatch and NULL deref in multifd_file_recv_data
Date: Tue, 24 Mar 2026 10:53:32 +0000
Message-ID: <acJtLOkGyLc2cAjp@redhat.com>
In-Reply-To: <20260318140113.434-3-junjie.cao@intel.com>
On Wed, Mar 18, 2026 at 10:01:12PM +0800, Junjie Cao wrote:
> multifd_file_recv_data() stores the return value of qio_channel_pread()
> (ssize_t) in a size_t variable. On I/O error the -1 return value wraps
> to SIZE_MAX, producing a nonsensical read size in the error message.
>
> More critically, a short read (0 <= ret < data->size) is possible when
> the migration file is truncated. In that case qio_channel_pread()
> returns a non-negative value without setting *errp. The function then
> calls error_prepend(errp, ...) which dereferences *errp -- a NULL
> pointer -- crashing QEMU.
>
> Fix both issues by switching to qio_channel_pread_all() introduced in
> the previous commit, which retries on short reads and treats
> end-of-file as an error, so the caller no longer needs to check the
> byte count manually. Add ERRP_GUARD() so that error_prepend() works
> correctly even when errp is &error_fatal or NULL.
>
> Suggested-by: Peter Xu <peterx@redhat.com>
> Signed-off-by: Junjie Cao <junjie.cao@intel.com>
> ---
> migration/file.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
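The two defects the commit message describes, the ssize_t-into-size_t wrap on I/O error and the short read that returns success without an error being set, are easy to reproduce outside QEMU. The block below is an added illustration, not code from this thread or from QEMU: `fake_file`, `fake_pread`, `buggy_read_size` and `pread_all_or_fail` are constructed stand-ins for a pread()-style channel and for the retry-until-complete reader the patch series introduces, not the real `qio_channel_pread()` / `qio_channel_pread_all()` APIs. The in-memory "migration file" and its contents are constructed sample data. The retrying reader's contract is the point a reviewer checks: it never reports failure without also setting the error out-parameter, so a caller that prepends context to the error can never touch a NULL error.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed in-memory stand-in for the migration file. */
typedef struct {
    const unsigned char *data;
    size_t len;        /* bytes actually present; smaller than requested when truncated */
    size_t max_chunk;  /* cap on what one pread returns, to force short reads */
    bool fail_io;      /* simulate an I/O error */
} fake_file;

/* Hypothetical single pread(): -1 on error, 0 at end-of-file, else up to max_chunk bytes. */
static ssize_t fake_pread(fake_file *f, void *buf, size_t len, off_t offset)
{
    if (f->fail_io) { errno = EIO; return -1; }
    if ((size_t)offset >= f->len) return 0;
    size_t avail = f->len - (size_t)offset;
    size_t n = len < avail ? len : avail;
    if (n > f->max_chunk) n = f->max_chunk;
    memcpy(buf, f->data + offset, n);
    return (ssize_t)n;
}

/* The buggy pattern: the signed return value lands in an unsigned variable,
 * so -1 becomes SIZE_MAX and any "read %zu bytes" message is nonsense. */
size_t buggy_read_size(fake_file *f, void *buf, size_t len, off_t off)
{
    size_t ret = fake_pread(f, buf, len, off);
    return ret;
}

/* Retrying reader: loops on short reads, treats EOF before len bytes as an
 * error, and always sets *err when it fails. Returns 0 on success, -1 on error. */
int pread_all_or_fail(fake_file *f, void *buf, size_t len, off_t off, const char **err)
{
    size_t done = 0;
    while (done < len) {
        ssize_t r = fake_pread(f, (unsigned char *)buf + done, len - done, off + (off_t)done);
        if (r < 0) { *err = "I/O error"; return -1; }
        if (r == 0) { *err = "unexpected end-of-file"; return -1; }
        done += (size_t)r;
    }
    *err = NULL;
    return 0;
}

static void fill(unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) b[i] = (unsigned char)(i * 7 + 3);  /* constructed content */
}

/* I/O error through the buggy path: the "size" comes back as SIZE_MAX. */
size_t demo_wrap(void)
{
    unsigned char buf[8];
    fake_file f = { buf, 0, 8, true };
    return buggy_read_size(&f, buf, sizeof buf, 0);
}

/* Complete file delivered in 10-byte short reads: the retry loop reassembles all 64 bytes. */
int demo_short_read_ok(void)
{
    unsigned char file[64], out[64];
    fill(file, sizeof file);
    fake_file f = { file, sizeof file, 10, false };
    const char *err = NULL;
    if (pread_all_or_fail(&f, out, sizeof out, 0, &err) != 0) return 0;
    return memcmp(file, out, sizeof file) == 0;
}

/* Truncated file (40 of 64 bytes present): failure is reported and the error is set. */
int demo_truncated_reports_eof(void)
{
    unsigned char file[64], out[64];
    fill(file, sizeof file);
    fake_file f = { file, 40, 10, false };
    const char *err = NULL;
    int rc = pread_all_or_fail(&f, out, sizeof out, 0, &err);
    return rc == -1 && err != NULL && strcmp(err, "unexpected end-of-file") == 0;
}

int main(void)
{
    printf("buggy size on I/O error: %zu (SIZE_MAX is %zu)\n", demo_wrap(), (size_t)SIZE_MAX);
    printf("short reads reassembled: %d\n", demo_short_read_ok());
    printf("truncation reported with error set: %d\n", demo_truncated_reports_eof());
    return 0;
}
```

The detection side of the same review is the compiler: building with `-Wsign-conversion` (or `-Wconversion`) flags the assignment in `buggy_read_size`, which is how the original type mismatch would have surfaced before it reached an error message.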
Thread overview:
2026-03-16 8:46 [PATCH] migration/file: fix type mismatch and NULL deref in multifd_file_recv_data Junjie Cao
2026-03-16 20:41 ` Peter Xu
2026-03-17 8:58 ` Daniel P. Berrangé
2026-03-18 14:01 ` [PATCH v2 0/3] " Junjie Cao
2026-03-18 14:01 ` [PATCH v2 1/3] io/channel: introduce qio_channel_pread{v, }_all() and preadv_all_eof() Junjie Cao
2026-03-24 10:51 ` Daniel P. Berrangé via qemu development
2026-03-18 14:01 ` [PATCH v2 2/3] migration/file: fix type mismatch and NULL deref in multifd_file_recv_data Junjie Cao
2026-03-24 10:53 ` Daniel P. Berrangé [this message]
2026-03-18 14:01 ` [PATCH v2 3/3] tests/unit: add pread_all and preadv_all tests for io channel file Junjie Cao
2026-03-24 8:27 ` [PATCH v2 0/3] migration/file: fix type mismatch and NULL deref in multifd_file_recv_data Junjie Cao
2026-03-24 10:54 ` Daniel P. Berrangé
2026-03-26 15:21 ` Peter Xu