From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: Fam Zheng <fam@euphon.net>, Kevin Wolf <kwolf@redhat.com>,
Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>,
"open list:Block I/O path" <qemu-block@nongnu.org>,
Hanna Reitz <hreitz@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: [PULL 03/20] qcow2: check request on vmstate save/load path
Date: Mon, 27 Sep 2021 16:55:28 -0500
Message-ID: <20210927215545.3930309-4-eblake@redhat.com>
In-Reply-To: <20210927215545.3930309-1-eblake@redhat.com>
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
We modify the request by adding an offset to vmstate. Let's check the
modified request. It will help us to safely move .bdrv_co_preadv_part
and .bdrv_co_pwritev_part to int64_t type of offset and bytes.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20210903102807.27127-3-vsementsov@virtuozzo.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
---
include/block/block_int.h | 3 +++
block/io.c | 6 +++---
block/qcow2.c | 43 +++++++++++++++++++++++++++++++++------
3 files changed, 43 insertions(+), 9 deletions(-)
diff --git a/include/block/block_int.h b/include/block/block_int.h
index 5451f89b8df9..ed60495938a6 100644
--- a/include/block/block_int.h
+++ b/include/block/block_int.h
@@ -94,6 +94,9 @@ typedef struct BdrvTrackedRequest {
struct BdrvTrackedRequest *waiting_for;
} BdrvTrackedRequest;
+int bdrv_check_qiov_request(int64_t offset, int64_t bytes,
+ QEMUIOVector *qiov, size_t qiov_offset,
+ Error **errp);
int bdrv_check_request(int64_t offset, int64_t bytes, Error **errp);
struct BlockDriver {
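Review bot: the newly exported prototype of bdrv_check_qiov_request() in this hunk has no comment describing its contract (what qiov_offset is relative to, and that it returns 0 on success or a negative errno with errp set), while it now sits next to bdrv_check_request() as a public block-layer API; a short doc comment above the declaration would save external callers from reading block/io.c to learn the semantics.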
diff --git a/block/io.c b/block/io.c
index 58602f84dbf0..a4f124f75577 100644
--- a/block/io.c
+++ b/block/io.c
@@ -956,9 +956,9 @@ bool coroutine_fn bdrv_make_request_serialising(BdrvTrackedRequest *req,
return waited;
}
-static int bdrv_check_qiov_request(int64_t offset, int64_t bytes,
- QEMUIOVector *qiov, size_t qiov_offset,
- Error **errp)
+int bdrv_check_qiov_request(int64_t offset, int64_t bytes,
+ QEMUIOVector *qiov, size_t qiov_offset,
+ Error **errp)
{
/*
* Check generic offset/bytes correctness
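Review bot: dropping `static` is the only change here, so the explanatory comment starting with "Check generic offset/bytes correctness" stays inside io.c where callers from other files will not see it; consider moving a one-line summary of it to the header declaration when the function becomes public. No behavioural change in this hunk.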
diff --git a/block/qcow2.c b/block/qcow2.c
index 02f9f3e63679..1c3cf7f91d86 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -5227,24 +5227,55 @@ static int qcow2_has_zero_init(BlockDriverState *bs)
}
}
+/*
+ * Check the request to vmstate. On success return
+ * qcow2_vm_state_offset(bs) + @pos
+ */
+static int64_t qcow2_check_vmstate_request(BlockDriverState *bs,
+ QEMUIOVector *qiov, int64_t pos)
+{
+ BDRVQcow2State *s = bs->opaque;
+ int64_t vmstate_offset = qcow2_vm_state_offset(s);
+ int ret;
+
+ /* Incoming requests must be OK */
+ bdrv_check_qiov_request(pos, qiov->size, qiov, 0, &error_abort);
+
+ if (INT64_MAX - pos < vmstate_offset) {
+ return -EIO;
+ }
+
+ pos += vmstate_offset;
+ ret = bdrv_check_qiov_request(pos, qiov->size, qiov, 0, NULL);
+ if (ret < 0) {
+ return ret;
+ }
+
+ return pos;
+}
+
static int qcow2_save_vmstate(BlockDriverState *bs, QEMUIOVector *qiov,
int64_t pos)
{
- BDRVQcow2State *s = bs->opaque;
+ int64_t offset = qcow2_check_vmstate_request(bs, qiov, pos);
+ if (offset < 0) {
+ return offset;
+ }
BLKDBG_EVENT(bs->file, BLKDBG_VMSTATE_SAVE);
- return bs->drv->bdrv_co_pwritev_part(bs, qcow2_vm_state_offset(s) + pos,
- qiov->size, qiov, 0, 0);
+ return bs->drv->bdrv_co_pwritev_part(bs, offset, qiov->size, qiov, 0, 0);
}
static int qcow2_load_vmstate(BlockDriverState *bs, QEMUIOVector *qiov,
int64_t pos)
{
- BDRVQcow2State *s = bs->opaque;
+ int64_t offset = qcow2_check_vmstate_request(bs, qiov, pos);
+ if (offset < 0) {
+ return offset;
+ }
BLKDBG_EVENT(bs->file, BLKDBG_VMSTATE_LOAD);
- return bs->drv->bdrv_co_preadv_part(bs, qcow2_vm_state_offset(s) + pos,
- qiov->size, qiov, 0, 0);
+ return bs->drv->bdrv_co_preadv_part(bs, offset, qiov->size, qiov, 0, 0);
}
/*
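Review bot: the doc comment on qcow2_check_vmstate_request() says it returns `qcow2_vm_state_offset(bs) + @pos`, but the code calls `qcow2_vm_state_offset(s)` on the BDRVQcow2State, and the comment is silent on the failure convention (a negative errno, either -EIO from the `INT64_MAX - pos < vmstate_offset` guard or the value from the second bdrv_check_qiov_request() call), which both qcow2_save_vmstate() and qcow2_load_vmstate() rely on by returning the negative int64_t unchanged. Suggest: `On success return qcow2_vm_state_offset(s) + @pos, on failure a negative errno.` The first check with `&error_abort` also deserves a one-line comment saying why: it turns an unvalidated incoming request into a process abort rather than an error return, which is correct only provided the generic bdrv_co_*_vmstate() entry points already reject bad requests before they reach the driver, as the commit message implies.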
--
2.31.1