Commit d93e5726 authored by Vladimir Sementsov-Ogievskiy's avatar Vladimir Sementsov-Ogievskiy Committed by Kevin Wolf

block/io: bdrv_pdiscard: support int64_t bytes parameter



This fixes at least one overflow in qcow2_process_discards, which
passes a 64-bit region length to bdrv_pdiscard, whose bytes (or, in the
past, sectors) parameter has been int since its introduction in 0b919fae.

Signed-off-by: default avatarVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: default avatarKevin Wolf <kwolf@redhat.com>
parent 1477b6c8
+8 −8
@@ -2632,7 +2632,7 @@ int bdrv_flush(BlockDriverState *bs)
typedef struct DiscardCo {
    BdrvChild *child;
    int64_t offset;
    int bytes;
    int64_t bytes;
    int ret;
} DiscardCo;
static void coroutine_fn bdrv_pdiscard_co_entry(void *opaque)
@@ -2643,14 +2643,15 @@ static void coroutine_fn bdrv_pdiscard_co_entry(void *opaque)
    aio_wait_kick();
}

int coroutine_fn bdrv_co_pdiscard(BdrvChild *child, int64_t offset, int bytes)
int coroutine_fn bdrv_co_pdiscard(BdrvChild *child, int64_t offset,
                                  int64_t bytes)
{
    BdrvTrackedRequest req;
    int max_pdiscard, ret;
    int head, tail, align;
    BlockDriverState *bs = child->bs;

    if (!bs || !bs->drv) {
    if (!bs || !bs->drv || !bdrv_is_inserted(bs)) {
        return -ENOMEDIUM;
    }

@@ -2658,9 +2659,8 @@ int coroutine_fn bdrv_co_pdiscard(BdrvChild *child, int64_t offset, int bytes)
        return -EPERM;
    }

    ret = bdrv_check_byte_request(bs, offset, bytes);
    if (ret < 0) {
        return ret;
    if (offset < 0 || bytes < 0 || bytes > INT64_MAX - offset) {
        return -EIO;
    }

    /* Do nothing if disabled.  */
@@ -2695,7 +2695,7 @@ int coroutine_fn bdrv_co_pdiscard(BdrvChild *child, int64_t offset, int bytes)
    assert(max_pdiscard >= bs->bl.request_alignment);

    while (bytes > 0) {
        int num = bytes;
        int64_t num = bytes;

        if (head) {
            /* Make small requests to get to alignment boundaries. */
@@ -2757,7 +2757,7 @@ out:
    return ret;
}

int bdrv_pdiscard(BdrvChild *child, int64_t offset, int bytes)
int bdrv_pdiscard(BdrvChild *child, int64_t offset, int64_t bytes)
{
    Coroutine *co;
    DiscardCo rwco = {
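Review bot: In the `while (bytes > 0)` loop of bdrv_co_pdiscard, `num` is now `int64_t` while `max_pdiscard`, `head`, `tail` and `align` are still declared `int`, so whether each chunk passed on still fits in an `int` depends on a clamp against `max_pdiscard` that presumably sits further down the loop, outside the visible hunk. The new entry check `if (offset < 0 || bytes < 0 || bytes > INT64_MAX - offset)` rejects only negative values and overflow of `offset + bytes`, so it no longer bounds the request length the way the removed `bdrv_check_byte_request()` call may have. I would make that dependency explicit with `assert(num <= max_pdiscard);` right after the clamp. I would also add a comment above the range check, such as `/* offset >= 0 is tested first so that INT64_MAX - offset cannot overflow; the loop below splits the request into chunks of at most max_pdiscard */`. The body of bdrv_co_pdiscard continues outside the hunks shown here, so the clamp and the driver call should be confirmed against the full function.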
+2 −2
@@ -434,8 +434,8 @@ void bdrv_drain_all(void);
    AIO_WAIT_WHILE(bdrv_get_aio_context(bs_),              \
                   cond); })

int bdrv_pdiscard(BdrvChild *child, int64_t offset, int bytes);
int bdrv_co_pdiscard(BdrvChild *child, int64_t offset, int bytes);
int bdrv_pdiscard(BdrvChild *child, int64_t offset, int64_t bytes);
int bdrv_co_pdiscard(BdrvChild *child, int64_t offset, int64_t bytes);
int bdrv_has_zero_init_1(BlockDriverState *bs);
int bdrv_has_zero_init(BlockDriverState *bs);
bool bdrv_unallocated_blocks_are_zero(BlockDriverState *bs);
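Review bot: The two widened prototypes `bdrv_pdiscard` and `bdrv_co_pdiscard` carry no comment stating the accepted range, so a caller reading the header cannot tell which 64-bit values are rejected. The check in bdrv_co_pdiscard shown earlier on this page returns `-EIO` for a negative `offset` or `bytes` and when `offset + bytes` would exceed `INT64_MAX`. A short comment above the pair would record that contract, for example `/* offset and bytes must be non-negative and offset + bytes must not exceed INT64_MAX, otherwise -EIO is returned */`. Whether bdrv_pdiscard forwards to the same check is not visible here and should be confirmed before documenting both with one comment.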