From patchwork Tue Mar 29 12:13:08 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
X-Patchwork-Id: 88752
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [199.232.76.165])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id E51F8B6EEB
	for <incoming@patchwork.ozlabs.org>;
	Tue, 29 Mar 2011 23:17:00 +1100 (EST)
Received: from localhost ([127.0.0.1]:49529 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Q4Xr0-000537-08
	for incoming@patchwork.ozlabs.org; Tue, 29 Mar 2011 08:16:58 -0400
Received: from [140.186.70.92] (port=48802 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Q4XpR-0004eu-3S
	for qemu-devel@nongnu.org; Tue, 29 Mar 2011 08:15:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <morita.kazutaka@lab.ntt.co.jp>) id 1Q4XpP-0001UX-Mv
	for qemu-devel@nongnu.org; Tue, 29 Mar 2011 08:15:20 -0400
Received: from sh.osrg.net ([192.16.179.4]:33312)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <morita.kazutaka@lab.ntt.co.jp>) id 1Q4XpP-0001SO-7p
	for qemu-devel@nongnu.org; Tue, 29 Mar 2011 08:15:19 -0400
Received: from fs.osrg.net (postfix@fs.osrg.net [10.0.0.12])
	by sh.osrg.net (8.14.3/8.14.3/OSRG-NET) with ESMTP id p2TCEpJT009291;
	Tue, 29 Mar 2011 21:14:52 +0900
Received: from localhost (dfs1401.osrg.net [10.68.14.1])
	by fs.osrg.net (Postfix) with ESMTP id C60AD3E02EB;
	Tue, 29 Mar 2011 21:14:51 +0900 (JST)
From: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
To: kwolf@redhat.com
Date: Tue, 29 Mar 2011 21:13:08 +0900
Message-Id: <1301400788-801-4-git-send-email-morita.kazutaka@lab.ntt.co.jp>
X-Mailer: git-send-email 1.5.6.5
In-Reply-To: <1301400788-801-1-git-send-email-morita.kazutaka@lab.ntt.co.jp>
References: <1301400788-801-1-git-send-email-morita.kazutaka@lab.ntt.co.jp>
X-Dispatcher: imput version 20070423(IM149)
Lines: 41
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0
	(sh.osrg.net [192.16.179.4]); Tue, 29 Mar 2011 21:14:53 +0900 (JST)
X-Virus-Scanned: clamav-milter 0.97 at sh
X-Virus-Status: Clean
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 2)
X-Received-From: 192.16.179.4
Cc: stefanha@gmail.com, sheepdog@lists.wpkg.org, qemu-devel@nongnu.org,
	nick@bytemark.co.uk
Subject: [Qemu-devel] [PATCH 3/3] sheepdog: avoid accessing a buffer of the
	canceled I/O request
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

We cannot access the buffer of the canceled I/O request because its
AIOCB callback is already called and the buffer is not valid.

Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
---
 block/sheepdog.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/block/sheepdog.c b/block/sheepdog.c
index ed98701..6f60721 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -79,6 +79,7 @@
 #define SD_DATA_OBJ_SIZE (UINT64_C(1) << 22)
 #define SD_MAX_VDI_SIZE (SD_DATA_OBJ_SIZE * MAX_DATA_OBJS)
 #define SECTOR_SIZE 512
+#define BUF_SIZE 4096
 
 #define SD_INODE_SIZE (sizeof(SheepdogInode))
 #define CURRENT_VDI_ID 0
@@ -900,8 +901,15 @@ static void aio_read_response(void *opaque)
         }
         conn_state = C_IO_DATA;
     case C_IO_DATA:
-        ret = do_readv(fd, acb->qiov->iov, aio_req->data_len - done,
-                       aio_req->iov_offset + done);
+        if (acb->canceled) {
+            char tmp_buf[BUF_SIZE];
+            int len = MIN(aio_req->data_len - done, sizeof(tmp_buf));
+
+            ret = do_read(fd, tmp_buf, len, 0);
+        } else {
+            ret = do_readv(fd, acb->qiov->iov, aio_req->data_len - done,
+                           aio_req->iov_offset + done);
+        }
         if (ret < 0) {
             error_report("failed to get the data, %s\n", strerror(errno));
             conn_state = C_IO_CLOSED;