[PATCH] block/nvme: Fix possible array index out of bounds in nvme_process_completion()

2020-12-08 Thread Alex Chen
The valid range of 'cid' is [1, NVME_QUEUE_SIZE-1], so when 'cid' is equal to
NVME_QUEUE_SIZE the entry must be skipped (continue); otherwise accessing
'q->reqs[cid-1]' results in an array index out of bounds.

Reported-by: Euler Robot 
Signed-off-by: Alex Chen 
---
 block/nvme.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/nvme.c b/block/nvme.c
index a06a188d53..3a2b3f5486 100644
--- a/block/nvme.c
+++ b/block/nvme.c
@@ -402,7 +402,7 @@ static bool nvme_process_completion(NVMeQueuePair *q)
 q->cq_phase = !q->cq_phase;
 }
 cid = le16_to_cpu(c->cid);
-if (cid == 0 || cid > NVME_QUEUE_SIZE) {
+if (cid == 0 || cid >= NVME_QUEUE_SIZE) {
 warn_report("NVMe: Unexpected CID in completion queue: %"PRIu32", "
 "queue size: %u", cid, NVME_QUEUE_SIZE);
 continue;
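Review bot: The new bound on L23 is still written against the queue-size constant rather than the size of the array it protects, so it relies on `q->reqs` holding exactly NVME_QUEUE_SIZE - 1 entries (as the commit message states) and will drift again if either definition changes; if `q->reqs` is declared as an array, tying the check to it makes the relationship explicit, e.g. `if (cid == 0 || cid > ARRAY_SIZE(q->reqs)) {`. The warning on L24-L25 still reports NVME_QUEUE_SIZE as "queue size", which is one more than the largest cid the check now accepts; printing the bound actually enforced would make the log line self-explanatory. nvme_process_completion() begins before this hunk.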
-- 
2.19.1




[PATCH v3] qemu-nbd: Fix a memleak in nbd_client_thread()

2020-12-08 Thread Alex Chen
When qio_channel_socket_connect_sync() fails, we should jump to the
'out_socket' label so that 'sioc' is freed, instead of jumping to the
'out' label.
In addition, the success path and the error paths duplicate a lot of
cleanup code; consolidate it.

Reported-by: Euler Robot 
Signed-off-by: Alex Chen 
Signed-off-by: Eric Blake 
Reviewed-by: Vladimir Sementsov-Ogievskiy 
---
 qemu-nbd.c | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/qemu-nbd.c b/qemu-nbd.c
index a7075c5419..ee2fbc4cdb 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -265,8 +265,8 @@ static void *nbd_client_thread(void *arg)
 char *device = arg;
 NBDExportInfo info = { .request_sizes = false, .name = g_strdup("") };
 QIOChannelSocket *sioc;
-int fd;
-int ret;
+int fd = -1;
+int ret = EXIT_FAILURE;
 pthread_t show_parts_thread;
 Error *local_error = NULL;
 
@@ -278,26 +278,24 @@ static void *nbd_client_thread(void *arg)
 goto out;
 }
 
-ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
-NULL, NULL, NULL, , _error);
-if (ret < 0) {
+if (nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
+  NULL, NULL, NULL, , _error) < 0) {
 if (local_error) {
 error_report_err(local_error);
 }
-goto out_socket;
+goto out;
 }
 
 fd = open(device, O_RDWR);
 if (fd < 0) {
 /* Linux-only, we can use %m in printf.  */
 error_report("Failed to open %s: %m", device);
-goto out_socket;
+goto out;
 }
 
-ret = nbd_init(fd, sioc, , _error);
-if (ret < 0) {
+if (nbd_init(fd, sioc, , _error) < 0) {
 error_report_err(local_error);
-goto out_fd;
+goto out;
 }
 
 /* update partition table */
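Review bot: The two failure branches in this hunk treat local_error differently: the negotiate path on L74-L76 guards error_report_err() with `if (local_error)`, while the nbd_init path on L91-L92 passes local_error unguarded. If nbd_init() can ever fail without populating the error (not visible here), the second branch dereferences NULL; making the guard uniform, `if (local_error) { error_report_err(local_error); }`, costs nothing and keeps the two sites consistent. The same pattern appears in the v2 patch's hunk at the same location and in the diff quoted in Eric Blake's review. nbd_client_thread() begins before this hunk.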
@@ -311,24 +309,20 @@ static void *nbd_client_thread(void *arg)
 dup2(STDOUT_FILENO, STDERR_FILENO);
 }
 
-ret = nbd_client(fd);
-if (ret) {
-goto out_fd;
+if (nbd_client(fd) < 0) {
+goto out;
 }
-close(fd);
-object_unref(OBJECT(sioc));
-g_free(info.name);
-kill(getpid(), SIGTERM);
-return (void *) EXIT_SUCCESS;
 
-out_fd:
-close(fd);
-out_socket:
+ret = EXIT_SUCCESS;
+
+ out:
+if (fd >= 0) {
+close(fd);
+}
 object_unref(OBJECT(sioc));
-out:
 g_free(info.name);
 kill(getpid(), SIGTERM);
-return (void *) EXIT_FAILURE;
+return (void *) (intptr_t) ret;
 }
 #endif /* HAVE_NBD_DEVICE */
 
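Review bot: The failure test on L105 is `nbd_client(fd) < 0`, whereas the removed L102-L104 treated any non-zero return as failure, so a positive return now yields EXIT_SUCCESS where it previously yielded EXIT_FAILURE, and the commit message presents the hunk only as removing redundancy. If nbd_client() signals errors solely with negative values (the review thread suggests it wraps ioctl()), a one-line comment would pin that assumption at the call site: `/* nbd_client() reports failure only with a negative return. */`. The `out:` label on L119 is indented by one column while the labels it replaces on L114 and L116 sat at column 0; keep whichever convention the rest of the file uses. nbd_client_thread() begins before this hunk.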
-- 
2.19.1




Re: [PATCH v2] qemu-nbd: Fix a memleak in nbd_client_thread()

2020-12-08 Thread Alex Chen
On 2020/12/8 21:41, Vladimir Sementsov-Ogievskiy wrote:
> 03.12.2020 16:58, Alex Chen wrote:
>> When the qio_channel_socket_connect_sync() fails
>> we should goto 'out_socket' label to free the 'sioc' instead of
>> goto 'out' label.
>> In addition, there's a lot of redundant code in the successful branch
>> and the error branch, optimize it.
>>
>> Reported-by: Euler Robot 
>> Signed-off-by: Alex Chen 
>> Signed-off-by: Eric Blake 
>> ---
>>   qemu-nbd.c | 38 +++---
>>   1 file changed, 15 insertions(+), 23 deletions(-)
>>
>> diff --git a/qemu-nbd.c b/qemu-nbd.c
>> index a7075c5419..9583ee1af6 100644
>> --- a/qemu-nbd.c
>> +++ b/qemu-nbd.c
>> @@ -265,8 +265,8 @@ static void *nbd_client_thread(void *arg)
>>   char *device = arg;
>>   NBDExportInfo info = { .request_sizes = false, .name = g_strdup("") };
>>   QIOChannelSocket *sioc;
>> -int fd;
>> -int ret;
>> +int fd = -1;
>> +int ret = EXIT_FAILURE;
>>   pthread_t show_parts_thread;
>>   Error *local_error = NULL;
>>   @@ -278,26 +278,24 @@ static void *nbd_client_thread(void *arg)
>>   goto out;
>>   }
>>   -ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
>> -NULL, NULL, NULL, , _error);
>> -if (ret < 0) {
>> +if (nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
>> +  NULL, NULL, NULL, , _error) < 0) {
>>   if (local_error) {
>>   error_report_err(local_error);
>>   }
>> -goto out_socket;
>> +goto out;
>>   }
>> fd = open(device, O_RDWR);
>>   if (fd < 0) {
>>   /* Linux-only, we can use %m in printf.  */
>>   error_report("Failed to open %s: %m", device);
>> -goto out_socket;
>> +goto out;
>>   }
>>   -ret = nbd_init(fd, sioc, , _error);
>> -if (ret < 0) {
>> +if (nbd_init(fd, sioc, , _error) < 0) {
>>   error_report_err(local_error);
>> -goto out_fd;
>> +goto out;
>>   }
>> /* update partition table */
>> @@ -311,24 +309,18 @@ static void *nbd_client_thread(void *arg)
>>   dup2(STDOUT_FILENO, STDERR_FILENO);
>>   }
>>   -ret = nbd_client(fd);
>> -if (ret) {
>> -goto out_fd;
>> +if (nbd_client(fd) == 0) {
>> +ret = EXIT_SUCCESS;
> 
> It's not obvious that nbd_client() returns 0 on success: it calls ioctl(), 
> which in theory may return something positive.
> 
> So, with s/==/>=/, or with just
> 
> if (nbd_client(fd) < 0) {
>   goto out;
> }
> 
> ret = EXIT_SUCCESS;
> 
> 
> (which is good common pattern I think)
> 
> :
> 

Thanks for your review, I will fix it and send patch v3.

Thanks,
Alex




[PATCH v2] qemu-nbd: Fix a memleak in nbd_client_thread()

2020-12-03 Thread Alex Chen
When qio_channel_socket_connect_sync() fails, we should jump to the
'out_socket' label so that 'sioc' is freed, instead of jumping to the
'out' label.
In addition, the success path and the error paths duplicate a lot of
cleanup code; consolidate it.

Reported-by: Euler Robot 
Signed-off-by: Alex Chen 
Signed-off-by: Eric Blake 
---
 qemu-nbd.c | 38 +++---
 1 file changed, 15 insertions(+), 23 deletions(-)

diff --git a/qemu-nbd.c b/qemu-nbd.c
index a7075c5419..9583ee1af6 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -265,8 +265,8 @@ static void *nbd_client_thread(void *arg)
 char *device = arg;
 NBDExportInfo info = { .request_sizes = false, .name = g_strdup("") };
 QIOChannelSocket *sioc;
-int fd;
-int ret;
+int fd = -1;
+int ret = EXIT_FAILURE;
 pthread_t show_parts_thread;
 Error *local_error = NULL;
 
@@ -278,26 +278,24 @@ static void *nbd_client_thread(void *arg)
 goto out;
 }
 
-ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
-NULL, NULL, NULL, , _error);
-if (ret < 0) {
+if (nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
+  NULL, NULL, NULL, , _error) < 0) {
 if (local_error) {
 error_report_err(local_error);
 }
-goto out_socket;
+goto out;
 }
 
 fd = open(device, O_RDWR);
 if (fd < 0) {
 /* Linux-only, we can use %m in printf.  */
 error_report("Failed to open %s: %m", device);
-goto out_socket;
+goto out;
 }
 
-ret = nbd_init(fd, sioc, , _error);
-if (ret < 0) {
+if (nbd_init(fd, sioc, , _error) < 0) {
 error_report_err(local_error);
-goto out_fd;
+goto out;
 }
 
 /* update partition table */
@@ -311,24 +309,18 @@ static void *nbd_client_thread(void *arg)
 dup2(STDOUT_FILENO, STDERR_FILENO);
 }
 
-ret = nbd_client(fd);
-if (ret) {
-goto out_fd;
+if (nbd_client(fd) == 0) {
+ret = EXIT_SUCCESS;
 }
-close(fd);
-object_unref(OBJECT(sioc));
-g_free(info.name);
-kill(getpid(), SIGTERM);
-return (void *) EXIT_SUCCESS;
 
-out_fd:
-close(fd);
-out_socket:
+ out:
+if (fd >= 0) {
+close(fd);
+}
 object_unref(OBJECT(sioc));
-out:
 g_free(info.name);
 kill(getpid(), SIGTERM);
-return (void *) EXIT_FAILURE;
+return (void *) (intptr_t) ret;
 }
 #endif /* HAVE_NBD_DEVICE */
 
-- 
2.19.1




Re: [PATCH] qemu-nbd: Fix a memleak in nbd_client_thread()

2020-12-01 Thread Alex Chen
On 2020/12/2 4:15, Eric Blake wrote:
> On 12/1/20 12:13 AM, Alex Chen wrote:
>> When the qio_channel_socket_connect_sync() fails
>> we should goto 'out_socket' label to free the 'sioc' instead of
>> goto 'out' label.
>> In addition, now the 'out' label is useless, delete it.
>>
>> Reported-by: Euler Robot 
>> Signed-off-by: Alex Chen 
>> ---
>>  qemu-nbd.c | 3 +--
>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/qemu-nbd.c b/qemu-nbd.c
>> index 47587a709e..643b0777c0 100644
>> --- a/qemu-nbd.c
>> +++ b/qemu-nbd.c
>> @@ -275,7 +275,7 @@ static void *nbd_client_thread(void *arg)
>>  saddr,
>>  _error) < 0) {
>>  error_report_err(local_error);
>> -goto out;
>> +goto out_socket;
>>  }
>>  
>>  ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
>> @@ -325,7 +325,6 @@ out_fd:
>>  close(fd);
>>  out_socket:
>>  object_unref(OBJECT(sioc));
>> -out:
>>  g_free(info.name);
>>  kill(getpid(), SIGTERM);
>>  return (void *) EXIT_FAILURE;
>>
> 
> While the patch looks correct, we have a lot of duplication.  Simpler
> might be a solution with only one exit label altogether:
> 

Thanks for your review, I will modify the patch and send patch v2 according to 
your suggestion.
BTW, do I need to split this patch into two patches, one to fix the memleak 
and the other to consolidate the redundant code?

Thanks,
Alex

> diff --git i/qemu-nbd.c w/qemu-nbd.c
> index a7075c5419d7..d7bdcd0011ba 100644
> --- i/qemu-nbd.c
> +++ w/qemu-nbd.c
> @@ -265,8 +265,8 @@ static void *nbd_client_thread(void *arg)
>  char *device = arg;
>  NBDExportInfo info = { .request_sizes = false, .name = g_strdup("") };
>  QIOChannelSocket *sioc;
> -int fd;
> -int ret;
> +int fd = -1;
> +int ret = EXIT_FAILURE;
>  pthread_t show_parts_thread;
>  Error *local_error = NULL;
> 
> @@ -278,26 +278,24 @@ static void *nbd_client_thread(void *arg)
>  goto out;
>  }
> 
> -ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
> -NULL, NULL, NULL, , _error);
> -if (ret < 0) {
> +if (nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
> +  NULL, NULL, NULL, , _error) < 0) {
>  if (local_error) {
>  error_report_err(local_error);
>  }
> -goto out_socket;
> +goto out;
>  }
> 
>  fd = open(device, O_RDWR);
>  if (fd < 0) {
>  /* Linux-only, we can use %m in printf.  */
>  error_report("Failed to open %s: %m", device);
> -goto out_socket;
> +goto out;
>  }
> 
> -ret = nbd_init(fd, sioc, , _error);
> -if (ret < 0) {
> +if (nbd_init(fd, sioc, , _error) < 0) {
>  error_report_err(local_error);
> -goto out_fd;
> +goto out;
>  }
> 
>  /* update partition table */
> @@ -311,24 +309,18 @@ static void *nbd_client_thread(void *arg)
>  dup2(STDOUT_FILENO, STDERR_FILENO);
>  }
> 
> -ret = nbd_client(fd);
> -if (ret) {
> -goto out_fd;
> +if (nbd_client(fd) == 0) {
> +ret = EXIT_SUCCESS;
>  }
> -close(fd);
> -object_unref(OBJECT(sioc));
> -g_free(info.name);
> -kill(getpid(), SIGTERM);
> -return (void *) EXIT_SUCCESS;
> 
> -out_fd:
> -close(fd);
> -out_socket:
> + out:
> +if (fd >= 0) {
> +close(fd);
> +}
>  object_unref(OBJECT(sioc));
> -out:
>  g_free(info.name);
>  kill(getpid(), SIGTERM);
> -return (void *) EXIT_FAILURE;
> +return (void *) (intptr_t) ret;
>  }
>  #endif /* HAVE_NBD_DEVICE */
> 





[PATCH] qemu-nbd: Fix a memleak in nbd_client_thread()

2020-11-30 Thread Alex Chen
When qio_channel_socket_connect_sync() fails, we should jump to the
'out_socket' label so that 'sioc' is freed, instead of jumping to the
'out' label.
In addition, the 'out' label is now unused, so delete it.

Reported-by: Euler Robot 
Signed-off-by: Alex Chen 
---
 qemu-nbd.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/qemu-nbd.c b/qemu-nbd.c
index 47587a709e..643b0777c0 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -275,7 +275,7 @@ static void *nbd_client_thread(void *arg)
 saddr,
 _error) < 0) {
 error_report_err(local_error);
-goto out;
+goto out_socket;
 }
 
 ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
@@ -325,7 +325,6 @@ out_fd:
 close(fd);
 out_socket:
 object_unref(OBJECT(sioc));
-out:
 g_free(info.name);
 kill(getpid(), SIGTERM);
 return (void *) EXIT_FAILURE;
-- 
2.19.1




[PATCH] qemu-nbd: Fix a memleak in qemu_nbd_client_list()

2020-11-30 Thread Alex Chen
When qio_channel_socket_connect_sync() fails, we should jump to the 'out'
label so that 'sioc' is freed, instead of returning directly.

Reported-by: Euler Robot 
Signed-off-by: Alex Chen 
---
 qemu-nbd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qemu-nbd.c b/qemu-nbd.c
index a7075c5419..47587a709e 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -181,7 +181,7 @@ static int qemu_nbd_client_list(SocketAddress *saddr, 
QCryptoTLSCreds *tls,
 sioc = qio_channel_socket_new();
 if (qio_channel_socket_connect_sync(sioc, saddr, ) < 0) {
 error_report_err(err);
-return EXIT_FAILURE;
+goto out;
 }
 rc = nbd_receive_export_list(QIO_CHANNEL(sioc), tls, hostname, ,
  );
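Review bot: After the change on L534 the connect-failure path reaches `out:` before rc has been assigned — the first visible assignment is on L536 — so the value the function returns on that path depends on what `out:` does, which lies outside this hunk. Confirm that the variable returned at `out:` is initialised to a failure value at its declaration; if it is not, a failed connection could return an indeterminate or success status. qemu_nbd_client_list() begins before this hunk (only its signature appears in the hunk header).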
-- 
2.19.1