Patchwork [3/3] sheepdog: avoid accessing a buffer of the canceled I/O request

login
register
mail settings
Submitter MORITA Kazutaka
Date March 29, 2011, 12:13 p.m.
Message ID <1301400788-801-4-git-send-email-morita.kazutaka@lab.ntt.co.jp>
Download mbox | patch
Permalink /patch/88752/
State New
Headers show

Comments

MORITA Kazutaka - March 29, 2011, 12:13 p.m.
We cannot access the buffer of the canceled I/O request because its
AIOCB callback is already called and the buffer is not valid.

Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
---
 block/sheepdog.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

Patch

diff --git a/block/sheepdog.c b/block/sheepdog.c
index ed98701..6f60721 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -79,6 +79,7 @@ 
 #define SD_DATA_OBJ_SIZE (UINT64_C(1) << 22)
 #define SD_MAX_VDI_SIZE (SD_DATA_OBJ_SIZE * MAX_DATA_OBJS)
 #define SECTOR_SIZE 512
+#define BUF_SIZE 4096
 
 #define SD_INODE_SIZE (sizeof(SheepdogInode))
 #define CURRENT_VDI_ID 0
@@ -900,8 +901,15 @@  static void aio_read_response(void *opaque)
         }
         conn_state = C_IO_DATA;
     case C_IO_DATA:
-        ret = do_readv(fd, acb->qiov->iov, aio_req->data_len - done,
-                       aio_req->iov_offset + done);
+        if (acb->canceled) {
+            char tmp_buf[BUF_SIZE];
+            int len = MIN(aio_req->data_len - done, sizeof(tmp_buf));
+
+            ret = do_read(fd, tmp_buf, len, 0);
+        } else {
+            ret = do_readv(fd, acb->qiov->iov, aio_req->data_len - done,
+                           aio_req->iov_offset + done);
+        }
         if (ret < 0) {
             error_report("failed to get the data, %s\n", strerror(errno));
             conn_state = C_IO_CLOSED;