From: Eric Blake <eblake@redhat.com>
To: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>,
qemu-block@nongnu.org
Cc: kwolf@redhat.com, fam@euphon.net, integration@gluster.org,
berto@igalia.com, pavel.dovgaluk@ispras.ru,
qemu-devel@nongnu.org, dillaman@redhat.com, pl@kamp.de,
ronniesahlberg@gmail.com, mreitz@redhat.com, den@openvz.org,
sheepdog@lists.wpkg.org, stefanha@redhat.com,
namei.unix@gmail.com, pbonzini@redhat.com, sw@weilnetz.de,
jsnow@redhat.com, ari@tuxera.com
Subject: Re: [PATCH v2 04/17] block/io: use int64_t bytes in driver wrappers
Date: Wed, 29 Apr 2020 15:27:49 -0500 [thread overview]
Message-ID: <b9daa960-b607-6ef4-9dbb-67807d4fd13c@redhat.com> (raw)
In-Reply-To: <20200427082325.10414-5-vsementsov@virtuozzo.com>
On 4/27/20 3:23 AM, Vladimir Sementsov-Ogievskiy wrote:
> We are generally moving to int64_t for both offset and bytes parameters
> on all io paths. Convert driver wrappers parameters which are
> already 64bit to signed type.
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> ---
> block/io.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/block/io.c b/block/io.c
> index 1267918def..4796476835 100644
> --- a/block/io.c
> +++ b/block/io.c
> @@ -1086,7 +1086,7 @@ static void bdrv_co_io_em_complete(void *opaque, int ret)
> }
>
> static int coroutine_fn bdrv_driver_preadv(BlockDriverState *bs,
> - uint64_t offset, uint64_t bytes,
> + int64_t offset, int64_t bytes,
Remains 64 bits, the question is whether any caller could pass in
something larger than 63 bits. Callers are:
bdrv_co_do_copy_on_readv() - passes 'int64_t pnum', but sets pnum in a
fragmenting loop, MAX_BOUNCE_BUFFER when copy-on-read is needed, or
max_transfer bounded by BDRV_REQUEST_MAX_BYTES otherwise
bdrv_aligned_preadv() - passes 'unsigned int bytes' further limited by
fragmenting loop on max_transfer <= INT_MAX
Input is bounded to < 2G, internal use of 'bytes' is:
drv->bdrv_co_preadv_part(uint64_t) - safe
qemu_iovec_init_slice(size_t) - potential truncation on 32-bit platform,
if you don't fix qemu_iovec
drv->bdrv_co_preadv(uint64_t) - safe
drv->bdrv_aio_preadv(uint64_t) - safe
drv->bdrv_co_readv(int) after assertion of <2G - safe
> QEMUIOVector *qiov,
> size_t qiov_offset, int flags)
> {
> @@ -1155,7 +1155,7 @@ out:
> }
>
> static int coroutine_fn bdrv_driver_pwritev(BlockDriverState *bs,
> - uint64_t offset, uint64_t bytes,
> + int64_t offset, int64_t bytes,
Remains 64 bits, the question is whether any caller could pass in
something larger than 63. Callers are:
bdrv_co_do_copy_on_readv() - passes 'int64_t pnum', but set in a
fragmenting loop bounded by MAX_BOUNCE_BUFFER
bdrv_co_do_pwrite_zeroes() - passes 'int num'
bdrv_aligned_pwritev() - passes 'unsigned int bytes' further limited by
fragmenting loop on max_transfer <= INT_MAX
Input is bounded to < 2G, internal use of 'bytes' is:
drv->bdrv_co_pwritev_part(uint64_t) - safe
qemu_iovec_init_slice(size_t) - potential truncation on 32-bit platform,
if you don't fix qemu_iovec
drv->bdrv_co_pwritev(uint64_t) - safe
drv->bdrv_aio_pwritev(uint64_t) - safe
drv->bdrv_co_writev(int) after assertion of <2G - safe
> QEMUIOVector *qiov,
> size_t qiov_offset, int flags)
> {
> @@ -1235,8 +1235,8 @@ emulate_flags:
> }
>
> static int coroutine_fn
> -bdrv_driver_pwritev_compressed(BlockDriverState *bs, uint64_t offset,
> - uint64_t bytes, QEMUIOVector *qiov,
> +bdrv_driver_pwritev_compressed(BlockDriverState *bs, int64_t offset,
> + int64_t bytes, QEMUIOVector *qiov,
> size_t qiov_offset)
Remains 64 bits, the question is whether any caller could pass in
something larger than 63. Callers are:
bdrv_aligned_pwritev() - passes 'unsigned int bytes'
Input is bounded to < 4G, internal use of 'bytes' is:
drv->bdrv_co_pwritev_compressed_part(uint64_t) - safe
drv->bdrv_co_pwritev_compressed(uint64_t) - safe
qemu_iovec_init_slice(size_t) - potential truncation on 32-bit platform,
if you don't fix qemu_iovec
Because our input is bounded, all of the changes made here have no
semantic impact, and I argue this patch is safe. However, I also
pointed out the spots where we have latent bugs (on 32-bit machines
only) if the callers are relaxed to pass larger than 2G or 4G. As long
as you are auditing things, it would be nice to either fix that in this
patch, or document in the commit message how a future patch will address
that latent problem (whether by enforcing max_transfer to be capped at
2G on 32-bit platforms, or else fixing qemu_iovec to use int64_t instead
of size_t bounds).
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
next prev parent reply other threads:[~2020-04-29 20:33 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-27 8:23 [PATCH v2 00/17] 64bit block-layer Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 01/17] block/throttle-groups: throttle_group_co_io_limits_intercept(): 64bit bytes Vladimir Sementsov-Ogievskiy
2020-04-27 10:05 ` Philippe Mathieu-Daudé
2020-04-27 14:12 ` Eric Blake
2020-04-28 22:09 ` Eric Blake
2020-04-29 5:05 ` Vladimir Sementsov-Ogievskiy
2020-04-29 12:53 ` Eric Blake
2020-04-27 8:23 ` [PATCH v2 02/17] block: use int64_t as bytes type in tracked requests Vladimir Sementsov-Ogievskiy
2020-04-27 10:11 ` Philippe Mathieu-Daudé
2020-04-27 11:26 ` Vladimir Sementsov-Ogievskiy
2020-04-27 11:40 ` Philippe Mathieu-Daudé
2020-04-27 11:26 ` Vladimir Sementsov-Ogievskiy
2020-04-29 15:50 ` Eric Blake
2020-04-30 8:21 ` Vladimir Sementsov-Ogievskiy
2020-04-30 8:33 ` Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 03/17] block/io: use int64_t bytes parameter in bdrv_check_byte_request() Vladimir Sementsov-Ogievskiy
2020-04-29 19:27 ` Eric Blake
2020-04-30 5:15 ` Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 04/17] block/io: use int64_t bytes in driver wrappers Vladimir Sementsov-Ogievskiy
2020-04-29 20:27 ` Eric Blake [this message]
2020-04-27 8:23 ` [PATCH v2 05/17] block/io: support int64_t bytes in bdrv_co_do_pwrite_zeroes() Vladimir Sementsov-Ogievskiy
2020-04-29 21:14 ` Eric Blake
2020-04-27 8:23 ` [PATCH v2 06/17] block/io: support int64_t bytes in bdrv_aligned_pwritev() Vladimir Sementsov-Ogievskiy
2020-04-29 22:04 ` Eric Blake
2020-04-30 5:25 ` Vladimir Sementsov-Ogievskiy
2020-04-30 5:30 ` Vladimir Sementsov-Ogievskiy
2020-04-30 5:37 ` Vladimir Sementsov-Ogievskiy
2020-04-30 9:26 ` Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 07/17] block/io: support int64_t bytes in bdrv_co_do_copy_on_readv() Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 08/17] block/io: support int64_t bytes in bdrv_aligned_preadv() Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 09/17] block/io: support int64_t bytes in bdrv_co_p{read, write}v_part() Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 10/17] block/io: support int64_t bytes in read/write wrappers Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 11/17] block/io: use int64_t bytes in copy_range Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 12/17] block/block-backend: convert blk io path to use int64_t parameters Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 13/17] block: use int64_t instead of uint64_t in driver read handlers Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 14/17] block: use int64_t instead of uint64_t in driver write handlers Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 15/17] block: use int64_t instead of uint64_t in copy_range driver handlers Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 16/17] block: use int64_t instead of int in driver write_zeroes handlers Vladimir Sementsov-Ogievskiy
2020-04-27 8:23 ` [PATCH v2 17/17] block: use int64_t instead of int in driver discard handlers Vladimir Sementsov-Ogievskiy
2020-04-27 9:30 ` [PATCH v2 00/17] 64bit block-layer no-reply
2020-04-27 10:02 ` no-reply
2020-04-27 10:08 ` no-reply
2020-04-27 14:17 ` Vladimir Sementsov-Ogievskiy
2020-04-28 21:33 ` Eric Blake
2020-04-29 5:24 ` Vladimir Sementsov-Ogievskiy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b9daa960-b607-6ef4-9dbb-67807d4fd13c@redhat.com \
--to=eblake@redhat.com \
--cc=ari@tuxera.com \
--cc=berto@igalia.com \
--cc=den@openvz.org \
--cc=dillaman@redhat.com \
--cc=fam@euphon.net \
--cc=integration@gluster.org \
--cc=jsnow@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=namei.unix@gmail.com \
--cc=pavel.dovgaluk@ispras.ru \
--cc=pbonzini@redhat.com \
--cc=pl@kamp.de \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=ronniesahlberg@gmail.com \
--cc=sheepdog@lists.wpkg.org \
--cc=stefanha@redhat.com \
--cc=sw@weilnetz.de \
--cc=vsementsov@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).