[PATCH] block/nvme: Fix possible array index out of bounds in nvme_process_completion()
The range of 'cid' is [1, NVME_QUEUE_SIZE-1], so when 'cid' is equal to NVME_QUEUE_SIZE, it should be continued, otherwise it will lead to array index out of bounds when accessing 'q->reqs[cid-1]'
Reported-by: Euler Robot
Signed-off-by: Alex Chen
---
block/nvme.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/nvme.c b/block/nvme.c
index a06a188d53..3a2b3f5486 100644
--- a/block/nvme.c
+++ b/block/nvme.c
@@ -402,7 +402,7 @@ static bool nvme_process_completion(NVMeQueuePair *q)
q->cq_phase = !q->cq_phase;
}
cid = le16_to_cpu(c->cid);
-if (cid == 0 || cid > NVME_QUEUE_SIZE) {
+if (cid == 0 || cid >= NVME_QUEUE_SIZE) {
warn_report("NVMe: Unexpected CID in completion queue: %"PRIu32", "
"queue size: %u", cid, NVME_QUEUE_SIZE);
continue;
-- 
2.19.1
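Review bot: The corrected bound on `cid` encodes an indexing convention (1-based `cid`, `reqs[]` indexed by `cid - 1`) that is stated only in the commit message, so a later change to `NVME_QUEUE_SIZE` or to how `reqs[]` is indexed can reintroduce the off-by-one silently; a comment on the check, `/* cid is 1-based: valid range is [1, NVME_QUEUE_SIZE - 1], used to index reqs[cid - 1] */`, would pin it in the code. `cid` is read from the device-written completion entry via `le16_to_cpu(c->cid)`, so this check appears to be the only validation between that value and the array access, which is worth saying in the same comment. The `reqs[cid - 1]` access and the rest of nvme_process_completion() are outside this hunk.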
[PATCH v3] qemu-nbd: Fix a memleak in nbd_client_thread()
When the qio_channel_socket_connect_sync() fails we should goto 'out_socket' label to free the 'sioc' instead of goto 'out' label. In addition, there's a lot of redundant code in the successful branch and the error branch, optimize it.
Reported-by: Euler Robot
Signed-off-by: Alex Chen
Signed-off-by: Eric Blake
Reviewed-by: Vladimir Sementsov-Ogievskiy
---
qemu-nbd.c | 40 +---
1 file changed, 17 insertions(+), 23 deletions(-)
diff --git a/qemu-nbd.c b/qemu-nbd.c
index a7075c5419..ee2fbc4cdb 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -265,8 +265,8 @@ static void *nbd_client_thread(void *arg)
char *device = arg;
NBDExportInfo info = { .request_sizes = false, .name = g_strdup("") };
QIOChannelSocket *sioc;
-int fd;
-int ret;
+int fd = -1;
+int ret = EXIT_FAILURE;
pthread_t show_parts_thread;
Error *local_error = NULL;
@@ -278,26 +278,24 @@ static void *nbd_client_thread(void *arg)
goto out;
}
-ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
-NULL, NULL, NULL, &info, &local_error);
-if (ret < 0) {
+if (nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
+ NULL, NULL, NULL, &info, &local_error) < 0) {
if (local_error) {
error_report_err(local_error);
}
-goto out_socket;
+goto out;
}
fd = open(device, O_RDWR);
if (fd < 0) {
/* Linux-only, we can use %m in printf. */
error_report("Failed to open %s: %m", device);
-goto out_socket;
+goto out;
}
-ret = nbd_init(fd, sioc, &info, &local_error);
-if (ret < 0) {
+if (nbd_init(fd, sioc, &info, &local_error) < 0) {
error_report_err(local_error);
-goto out_fd;
+goto out;
}
/* update partition table */
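Review bot: The rewritten `if (nbd_init(fd, sioc, &info, &local_error) < 0) {` branch passes `local_error` to `error_report_err()` unconditionally, while the `nbd_receive_negotiate()` branch a few lines above first checks `if (local_error)`; if nbd_init() can fail without populating `local_error` (not verifiable from this hunk), that call would see a NULL error. Either guard it the same way as the negotiate branch, or, once confirmed, document why the guard is unnecessary with `/* nbd_init() always sets local_error on failure */` above the call. The same asymmetry is present in the v2 patch and in the quoted suggestion further down the page. nbd_client_thread() begins and ends outside this hunk.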
@@ -311,24 +309,20 @@ static void *nbd_client_thread(void *arg)
dup2(STDOUT_FILENO, STDERR_FILENO);
}
-ret = nbd_client(fd);
-if (ret) {
-goto out_fd;
+if (nbd_client(fd) < 0) {
+goto out;
}
-close(fd);
-object_unref(OBJECT(sioc));
-g_free(info.name);
-kill(getpid(), SIGTERM);
-return (void *) EXIT_SUCCESS;
-out_fd:
-close(fd);
-out_socket:
+ret = EXIT_SUCCESS;
+
+ out:
+if (fd >= 0) {
+close(fd);
+}
object_unref(OBJECT(sioc));
-out:
g_free(info.name);
kill(getpid(), SIGTERM);
-return (void *) EXIT_FAILURE;
+return (void *) (intptr_t) ret;
}
#endif /* HAVE_NBD_DEVICE */
-- 
2.19.1
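Review bot: The single `out:` label introduced here depends on two invariants the code no longer states anywhere: `sioc` must already be a valid object whenever any `goto out` runs (the previous hunk starts with a `goto out` right after the connect attempt), and `fd` must stay -1 until `open()` succeeds so the `if (fd >= 0)` guard is meaningful. A comment at the label, `/* sioc is created before the first goto out; fd is -1 until open() succeeds */`, would stop a future early exit added ahead of the socket creation from turning `object_unref(OBJECT(sioc))` into an unref of an uninitialised pointer. The same comment applies to the `out:` label in the v2 patch and in the quoted suggestion below. The creation of `sioc` is outside this hunk, so the ordering is inferred from the gotos visible in the previous one.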
Re: [PATCH v2] qemu-nbd: Fix a memleak in nbd_client_thread()
On 2020/12/8 21:41, Vladimir Sementsov-Ogievskiy wrote:
> 03.12.2020 16:58, Alex Chen wrote:
>> When the qio_channel_socket_connect_sync() fails
>> we should goto 'out_socket' label to free the 'sioc' instead of
>> goto 'out' label.
>> In addition, there's a lot of redundant code in the successful branch
>> and the error branch, optimize it.
>>
>> Reported-by: Euler Robot
>> Signed-off-by: Alex Chen
>> Signed-off-by: Eric Blake
>> ---
>> qemu-nbd.c | 38 +++---
>> 1 file changed, 15 insertions(+), 23 deletions(-)
>>
>> diff --git a/qemu-nbd.c b/qemu-nbd.c
>> index a7075c5419..9583ee1af6 100644
>> --- a/qemu-nbd.c
>> +++ b/qemu-nbd.c
>> @@ -265,8 +265,8 @@ static void *nbd_client_thread(void *arg)
>> char *device = arg;
>> NBDExportInfo info = { .request_sizes = false, .name = g_strdup("") };
>> QIOChannelSocket *sioc;
>> -int fd;
>> -int ret;
>> +int fd = -1;
>> +int ret = EXIT_FAILURE;
>> pthread_t show_parts_thread;
>> Error *local_error = NULL;
>> @@ -278,26 +278,24 @@ static void *nbd_client_thread(void *arg)
>> goto out;
>> }
>> -ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
>> -NULL, NULL, NULL, &info, &local_error);
>> -if (ret < 0) {
>> +if (nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
>> + NULL, NULL, NULL, &info, &local_error) < 0) {
>> if (local_error) {
>> error_report_err(local_error);
>> }
>> -goto out_socket;
>> +goto out;
>> }
>> fd = open(device, O_RDWR);
>> if (fd < 0) {
>> /* Linux-only, we can use %m in printf. */
>> error_report("Failed to open %s: %m", device);
>> -goto out_socket;
>> +goto out;
>> }
>> -ret = nbd_init(fd, sioc, &info, &local_error);
>> -if (ret < 0) {
>> +if (nbd_init(fd, sioc, &info, &local_error) < 0) {
>> error_report_err(local_error);
>> -goto out_fd;
>> +goto out;
>> }
>> /* update partition table */
>> @@ -311,24 +309,18 @@ static void *nbd_client_thread(void *arg)
>> dup2(STDOUT_FILENO, STDERR_FILENO);
>> }
>> -ret = nbd_client(fd);
>> -if (ret) {
>> -goto out_fd;
>> +if (nbd_client(fd) == 0) {
>> +ret = EXIT_SUCCESS;
>
> It's not obvious that nbd_client() returns 0 on success, it calls ioctl(),
> which may return something positive in theory..
>
> So, with s/==/>=/, or with just
>
> if (nbd_client(fd) < 0) {
> goto out;
> }
>
> ret = EXIT_SUCCESS;
>
>
> (which is good common pattern I think)
>
> :
>
Thanks for your review, I will fix it and send patch v3. Thanks, Alex
[PATCH v2] qemu-nbd: Fix a memleak in nbd_client_thread()
When the qio_channel_socket_connect_sync() fails
we should goto 'out_socket' label to free the 'sioc' instead of
goto 'out' label.
In addition, there's a lot of redundant code in the successful branch
and the error branch, optimize it.
Reported-by: Euler Robot
Signed-off-by: Alex Chen
Signed-off-by: Eric Blake
---
qemu-nbd.c | 38 +++---
1 file changed, 15 insertions(+), 23 deletions(-)
diff --git a/qemu-nbd.c b/qemu-nbd.c
index a7075c5419..9583ee1af6 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -265,8 +265,8 @@ static void *nbd_client_thread(void *arg)
char *device = arg;
NBDExportInfo info = { .request_sizes = false, .name = g_strdup("") };
QIOChannelSocket *sioc;
-int fd;
-int ret;
+int fd = -1;
+int ret = EXIT_FAILURE;
pthread_t show_parts_thread;
Error *local_error = NULL;
@@ -278,26 +278,24 @@ static void *nbd_client_thread(void *arg)
goto out;
}
-ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
-NULL, NULL, NULL, &info, &local_error);
-if (ret < 0) {
+if (nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
+ NULL, NULL, NULL, &info, &local_error) < 0) {
if (local_error) {
error_report_err(local_error);
}
-goto out_socket;
+goto out;
}
fd = open(device, O_RDWR);
if (fd < 0) {
/* Linux-only, we can use %m in printf. */
error_report("Failed to open %s: %m", device);
-goto out_socket;
+goto out;
}
-ret = nbd_init(fd, sioc, &info, &local_error);
-if (ret < 0) {
+if (nbd_init(fd, sioc, &info, &local_error) < 0) {
error_report_err(local_error);
-goto out_fd;
+goto out;
}
/* update partition table */
@@ -311,24 +309,18 @@ static void *nbd_client_thread(void *arg)
dup2(STDOUT_FILENO, STDERR_FILENO);
}
-ret = nbd_client(fd);
-if (ret) {
-goto out_fd;
+if (nbd_client(fd) == 0) {
+ret = EXIT_SUCCESS;
}
-close(fd);
-object_unref(OBJECT(sioc));
-g_free(info.name);
-kill(getpid(), SIGTERM);
-return (void *) EXIT_SUCCESS;
-out_fd:
-close(fd);
-out_socket:
+ out:
+if (fd >= 0) {
+close(fd);
+}
object_unref(OBJECT(sioc));
-out:
g_free(info.name);
kill(getpid(), SIGTERM);
-return (void *) EXIT_FAILURE;
+return (void *) (intptr_t) ret;
}
#endif /* HAVE_NBD_DEVICE */
-- 
2.19.1
Re: [PATCH] qemu-nbd: Fix a memleak in nbd_client_thread()
On 2020/12/2 4:15, Eric Blake wrote:
> On 12/1/20 12:13 AM, Alex Chen wrote:
>> When the qio_channel_socket_connect_sync() fails
>> we should goto 'out_socket' label to free the 'sioc' instead of
>> goto 'out' label.
>> In addition, now the 'out' label is useless, delete it.
>>
>> Reported-by: Euler Robot
>> Signed-off-by: Alex Chen
>> ---
>> qemu-nbd.c | 3 +--
>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/qemu-nbd.c b/qemu-nbd.c
>> index 47587a709e..643b0777c0 100644
>> --- a/qemu-nbd.c
>> +++ b/qemu-nbd.c
>> @@ -275,7 +275,7 @@ static void *nbd_client_thread(void *arg)
>> saddr,
>> &local_error) < 0) {
>> error_report_err(local_error);
>> -goto out;
>> +goto out_socket;
>> }
>>
>> ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
>> @@ -325,7 +325,6 @@ out_fd:
>> close(fd);
>> out_socket:
>> object_unref(OBJECT(sioc));
>> -out:
>> g_free(info.name);
>> kill(getpid(), SIGTERM);
>> return (void *) EXIT_FAILURE;
>>
>
> While the patch looks correct, we have a lot of duplication. Simpler
> might be a solution with only one exit label altogether:
>
Thanks for your review, I will modify the patch and send patch v2 according to your suggestion. BTW, do I need to split this patch into two patches, one to solve the memleak and the other to optimizes the redundant code? Thanks, Alex
> diff --git i/qemu-nbd.c w/qemu-nbd.c
> index a7075c5419d7..d7bdcd0011ba 100644
> --- i/qemu-nbd.c
> +++ w/qemu-nbd.c
> @@ -265,8 +265,8 @@ static void *nbd_client_thread(void *arg)
> char *device = arg;
> NBDExportInfo info = { .request_sizes = false, .name = g_strdup("") };
> QIOChannelSocket *sioc;
> -int fd;
> -int ret;
> +int fd = -1;
> +int ret = EXIT_FAILURE;
> pthread_t show_parts_thread;
> Error *local_error = NULL;
>
> @@ -278,26 +278,24 @@ static void *nbd_client_thread(void *arg)
> goto out;
> }
>
> -ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
> -NULL, NULL, NULL, &info, &local_error);
> -if (ret < 0) {
> +if (nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
> + NULL, NULL, NULL, &info, &local_error) < 0) {
> if (local_error) {
> error_report_err(local_error);
> }
> -goto out_socket;
> +goto out;
> }
>
> fd = open(device, O_RDWR);
> if (fd < 0) {
> /* Linux-only, we can use %m in printf. */
> error_report("Failed to open %s: %m", device);
> -goto out_socket;
> +goto out;
> }
>
> -ret = nbd_init(fd, sioc, &info, &local_error);
> -if (ret < 0) {
> +if (nbd_init(fd, sioc, &info, &local_error) < 0) {
> error_report_err(local_error);
> -goto out_fd;
> +goto out;
> }
>
> /* update partition table */
> @@ -311,24 +309,18 @@ static void *nbd_client_thread(void *arg)
> dup2(STDOUT_FILENO, STDERR_FILENO);
> }
>
> -ret = nbd_client(fd);
> -if (ret) {
> -goto out_fd;
> +if (nbd_client(fd) == 0) {
> +ret = EXIT_SUCCESS;
> }
> -close(fd);
> -object_unref(OBJECT(sioc));
> -g_free(info.name);
> -kill(getpid(), SIGTERM);
> -return (void *) EXIT_SUCCESS;
>
> -out_fd:
> -close(fd);
> -out_socket:
> + out:
> +if (fd >= 0) {
> +close(fd);
> +}
> object_unref(OBJECT(sioc));
> -out:
> g_free(info.name);
> kill(getpid(), SIGTERM);
> -return (void *) EXIT_FAILURE;
> +return (void *) (intptr_t) ret;
> }
> #endif /* HAVE_NBD_DEVICE */
>
[PATCH] qemu-nbd: Fix a memleak in nbd_client_thread()
When the qio_channel_socket_connect_sync() fails
we should goto 'out_socket' label to free the 'sioc' instead of
goto 'out' label.
In addition, now the 'out' label is useless, delete it.
Reported-by: Euler Robot
Signed-off-by: Alex Chen
---
qemu-nbd.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 47587a709e..643b0777c0 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -275,7 +275,7 @@ static void *nbd_client_thread(void *arg)
saddr,
&local_error) < 0) {
error_report_err(local_error);
-goto out;
+goto out_socket;
}
ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
@@ -325,7 +325,6 @@ out_fd:
close(fd);
out_socket:
object_unref(OBJECT(sioc));
-out:
g_free(info.name);
kill(getpid(), SIGTERM);
return (void *) EXIT_FAILURE;
-- 
2.19.1
[PATCH] qemu-nbd: Fix a memleak in qemu_nbd_client_list()
When the qio_channel_socket_connect_sync() fails we should goto 'out' label to free the 'sioc' instead of return.
Reported-by: Euler Robot
Signed-off-by: Alex Chen
---
qemu-nbd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qemu-nbd.c b/qemu-nbd.c
index a7075c5419..47587a709e 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -181,7 +181,7 @@ static int qemu_nbd_client_list(SocketAddress *saddr, QCryptoTLSCreds *tls,
sioc = qio_channel_socket_new();
if (qio_channel_socket_connect_sync(sioc, saddr, &err) < 0) {
error_report_err(err);
-return EXIT_FAILURE;
+goto out;
}
rc = nbd_receive_export_list(QIO_CHANNEL(sioc), tls, hostname, &list, &err);
-- 
2.19.1
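Review bot: The new `goto out;` jumps to a label outside this hunk, so whatever the function returns from `out:` must already hold a failure status before `nbd_receive_export_list()` has run; the visible context shows `rc` first assigned on the line after the replaced `return EXIT_FAILURE;`, so unless `rc` is initialised at its declaration (not visible here) the connect failure would now return an indeterminate or stale value instead of the previous `EXIT_FAILURE`. Please confirm the declaration reads `int rc = EXIT_FAILURE;`, or add that, so the early exit keeps its non-zero exit code. qemu_nbd_client_list() begins and ends outside this hunk.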