All of lore.kernel.org
 help / color / mirror / Atom feed
* [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes
@ 2018-06-29  6:03 Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 1/3] qcow2: Fix src_offset in copy offloading Fam Zheng
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Fam Zheng @ 2018-06-29  6:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, Max Reitz, qemu-block

These are unfortunately more serious than the previous two fixes but the
patches are not complicated.

Fam Zheng (3):
  qcow2: Fix src_offset in copy offloading
  iscsi: Don't blindly use designator length in response for memcpy
  file-posix: Fix EINTR handling

 block/file-posix.c         | 17 +++++++++--------
 block/iscsi.c              |  2 +-
 block/qcow2.c              |  1 +
 tests/qemu-iotests/063     |  9 +++++++++
 tests/qemu-iotests/063.out | 12 ++++++++++++
 5 files changed, 32 insertions(+), 9 deletions(-)

-- 
2.17.1

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 1/3] qcow2: Fix src_offset in copy offloading
  2018-06-29  6:03 [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Fam Zheng
@ 2018-06-29  6:03 ` Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 2/3] iscsi: Don't blindly use designator length in response for memcpy Fam Zheng
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Fam Zheng @ 2018-06-29  6:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, Max Reitz, qemu-block

Not updating src_offset will result in wrong data being written to dst
image.

Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
---
 block/qcow2.c              |  1 +
 tests/qemu-iotests/063     |  9 +++++++++
 tests/qemu-iotests/063.out | 12 ++++++++++++
 3 files changed, 22 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index a3a3aa2a97..9d4e6e32e4 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -3422,6 +3422,7 @@ qcow2_co_copy_range_to(BlockDriverState *bs,
         }
 
         bytes -= cur_bytes;
+        src_offset += cur_bytes;
         dst_offset += cur_bytes;
     }
     ret = 0;
diff --git a/tests/qemu-iotests/063 b/tests/qemu-iotests/063
index e4f6ea9385..adc037c1f5 100755
--- a/tests/qemu-iotests/063
+++ b/tests/qemu-iotests/063
@@ -91,6 +91,15 @@ if $QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n "$TEST_IMG.orig" "$TEST_IMG" >/dev
     exit 1
 fi
 
+echo "== Regression testing for copy offloading bug =="
+
+_make_test_img 1M
+TEST_IMG="$TEST_IMG.target" _make_test_img 1M
+$QEMU_IO -c 'write -P 1 0 512k' -c 'write -P 2 512k 512k' "$TEST_IMG" | _filter_qemu_io
+$QEMU_IO -c 'write -P 4 512k 512k' -c 'write -P 3 0 512k' "$TEST_IMG.target" | _filter_qemu_io
+$QEMU_IMG convert -n -O $IMGFMT "$TEST_IMG" "$TEST_IMG.target"
+$QEMU_IMG compare "$TEST_IMG" "$TEST_IMG.target"
+
 echo "*** done"
 rm -f $seq.full
 status=0
diff --git a/tests/qemu-iotests/063.out b/tests/qemu-iotests/063.out
index de1c99afd8..7b691b2c9e 100644
--- a/tests/qemu-iotests/063.out
+++ b/tests/qemu-iotests/063.out
@@ -7,4 +7,16 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=4194304
 No errors were found on the image.
 == Testing conversion to a smaller file fails ==
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=2097152
+== Regression testing for copy offloading bug ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1048576
+Formatting 'TEST_DIR/t.IMGFMT.target', fmt=IMGFMT size=1048576
+wrote 524288/524288 bytes at offset 0
+512 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+wrote 524288/524288 bytes at offset 524288
+512 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+wrote 524288/524288 bytes at offset 524288
+512 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+wrote 524288/524288 bytes at offset 0
+512 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Images are identical.
 *** done
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 2/3] iscsi: Don't blindly use designator length in response for memcpy
  2018-06-29  6:03 [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 1/3] qcow2: Fix src_offset in copy offloading Fam Zheng
@ 2018-06-29  6:03 ` Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 3/3] file-posix: Fix EINTR handling Fam Zheng
  2018-06-29  7:50 ` [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Kevin Wolf
  3 siblings, 0 replies; 5+ messages in thread
From: Fam Zheng @ 2018-06-29  6:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, Max Reitz, qemu-block

Per SCSI definition the designator_length we receive from INQUIRY is 8,
12 or at most 16, but we should be careful because the remote iscsi
target may misbehave, otherwise we could have a buffer overflow.

Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
---
 block/iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index 9f00fb47a5..4b7f574510 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -2226,7 +2226,7 @@ static void iscsi_populate_target_desc(unsigned char *desc, IscsiLun *lun)
     desc[5] = (dd->designator_type & 0xF)
         | ((dd->association & 3) << 4);
     desc[7] = dd->designator_length;
-    memcpy(desc + 8, dd->designator, dd->designator_length);
+    memcpy(desc + 8, dd->designator, MIN(dd->designator_length, 20));
 
     desc[28] = 0;
     desc[29] = (lun->block_size >> 16) & 0xFF;
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [Qemu-devel] [PATCH 3/3] file-posix: Fix EINTR handling
  2018-06-29  6:03 [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 1/3] qcow2: Fix src_offset in copy offloading Fam Zheng
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 2/3] iscsi: Don't blindly use designator length in response for memcpy Fam Zheng
@ 2018-06-29  6:03 ` Fam Zheng
  2018-06-29  7:50 ` [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Kevin Wolf
  3 siblings, 0 replies; 5+ messages in thread
From: Fam Zheng @ 2018-06-29  6:03 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, Max Reitz, qemu-block

EINTR should be checked against errno, not ret. While fixing the bug,
collect the branches with a switch block.

Also, change the return value from -ENOSTUP to -ENOSPC when the actual
issue is request range passes EOF, which should be distinguishable from
the case of error == ENOSYS by the caller, so that it could still retry
with other byte ranges, whereas it shouldn't retry anymore upon ENOSYS.

Signed-off-by: Fam Zheng <famz@redhat.com>
---
 block/file-posix.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/block/file-posix.c b/block/file-posix.c
index 07bb061fe4..6b736f603a 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -1474,20 +1474,21 @@ static ssize_t handle_aiocb_copy_range(RawPosixAIOData *aiocb)
         ssize_t ret = copy_file_range(aiocb->aio_fildes, &in_off,
                                       aiocb->aio_fd2, &out_off,
                                       bytes, 0);
-        if (ret == -EINTR) {
-            continue;
+        if (ret == 0) {
+            /* No progress (e.g. when beyond EOF), let the caller fall back to
+             * buffer I/O. */
+            return -ENOSPC;
         }
         if (ret < 0) {
-            if (errno == ENOSYS) {
+            switch (errno) {
+            case ENOSYS:
                 return -ENOTSUP;
-            } else {
+            case EINTR:
+                continue;
+            default:
                 return -errno;
             }
         }
-        if (!ret) {
-            /* No progress (e.g. when beyond EOF), fall back to buffer I/O. */
-            return -ENOTSUP;
-        }
         bytes -= ret;
     }
     return 0;
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes
  2018-06-29  6:03 [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Fam Zheng
                   ` (2 preceding siblings ...)
  2018-06-29  6:03 ` [Qemu-devel] [PATCH 3/3] file-posix: Fix EINTR handling Fam Zheng
@ 2018-06-29  7:50 ` Kevin Wolf
  3 siblings, 0 replies; 5+ messages in thread
From: Kevin Wolf @ 2018-06-29  7:50 UTC (permalink / raw)
  To: Fam Zheng; +Cc: qemu-devel, Max Reitz, qemu-block

Am 29.06.2018 um 08:03 hat Fam Zheng geschrieben:
> These are unfortunately more serious than the previous two fixes but the
> patches are not complicated.

Thanks, applied to the block branch.

Kevin

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-06-29  7:51 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-29  6:03 [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Fam Zheng
2018-06-29  6:03 ` [Qemu-devel] [PATCH 1/3] qcow2: Fix src_offset in copy offloading Fam Zheng
2018-06-29  6:03 ` [Qemu-devel] [PATCH 2/3] iscsi: Don't blindly use designator length in response for memcpy Fam Zheng
2018-06-29  6:03 ` [Qemu-devel] [PATCH 3/3] file-posix: Fix EINTR handling Fam Zheng
2018-06-29  7:50 ` [Qemu-devel] [PATCH 0/3] block: A few more copy offloading fixes Kevin Wolf

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.