a3fa63d2ce
CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) CVE-2015-6855: ide: divide by zero issue (bz #1261793) CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) Make block copy more stable (bz #1264416) Fix hang at start of live merge for large images (bz #1262901)
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 1 Jul 2015 15:45:50 +0100
Subject: [PATCH] block/mirror: limit qiov to IOV_MAX elements
If mirror has more free buffers than IOV_MAX, preadv(2)/pwritev(2)
EINVAL failures may be encountered.
It is possible to trigger this by setting granularity to a low value
like 8192.
This patch stops appending chunks once IOV_MAX is reached.
The spurious EINVAL failure can be reproduced with a qcow2 image file
and the following QMP invocation:
qmp.command('drive-mirror', device='virtio0', target='/tmp/r7.s1',
granularity=8192, sync='full', mode='absolute-paths',
format='raw')
While the guest is running dd if=/dev/zero of=/var/tmp/foo oflag=direct
bs=4k.
Cc: Jeff Cody <jcody@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1435761950-26714-1-git-send-email-stefanha@redhat.com
Signed-off-by: Jeff Cody <jcody@redhat.com>
(cherry picked from commit cae98cb87d269c33d23b2bccd79bb8d99a60d811)
---
block/mirror.c | 4 ++++
trace-events | 1 +
2 files changed, 5 insertions(+)
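diff --git a/block/mirror.c b/block/mirror.c
index bd079a4..9407287 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -248,6 +248,10 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s)
 trace_mirror_break_buf_busy(s, nb_chunks, s->in_flight);
 break;
 }
+ if (IOV_MAX < nb_chunks + added_chunks) {
+ trace_mirror_break_iov_max(s, nb_chunks, added_chunks);
+ break;
+ }
 
 /* We have enough free space to copy these sectors. */
 bitmap_set(s->in_flight_bitmap, next_chunk, added_chunks);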
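Review bot: The new guard `if (IOV_MAX < nb_chunks + added_chunks)` also breaks when `nb_chunks` is still 0, so if a single addition can exceed IOV_MAX on its own, the loop would exit with nothing queued for the request. Whether `added_chunks` can get that large, and whether the code after the loop tolerates an empty request, is decided outside this hunk (mirror_iteration begins and ends beyond it), so that case should be confirmed and, if reachable, handled explicitly rather than left to fall through. The check also carries no comment, unlike the step right below it; `/* preadv(2)/pwritev(2) fail with EINVAL above IOV_MAX iovecs, so stop growing the request here. */` would keep the reason next to the code.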
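diff --git a/trace-events b/trace-events
index 30eba92..6f992c4 100644
--- a/trace-events
+++ b/trace-events
@@ -94,6 +94,7 @@ mirror_yield(void *s, int64_t cnt, int buf_free_count, int in_flight) "s %p dirt
 mirror_yield_in_flight(void *s, int64_t sector_num, int in_flight) "s %p sector_num %"PRId64" in_flight %d"
 mirror_yield_buf_busy(void *s, int nb_chunks, int in_flight) "s %p requested chunks %d in_flight %d"
 mirror_break_buf_busy(void *s, int nb_chunks, int in_flight) "s %p requested chunks %d in_flight %d"
+mirror_break_iov_max(void *s, int nb_chunks, int added_chunks) "s %p requested chunks %d added_chunks %d"
 
 # block/backup.c
 backup_do_cow_enter(void *job, int64_t start, int64_t sector_num, int nb_sectors) "job %p start %"PRId64" sector_num %"PRId64" nb_sectors %d"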