From 1af7737871fb3b66036f5e520acb0a98fc2605f7 Mon Sep 17 00:00:00 2001
From: Vladimir Sementsov-Ogievskiy
Date: Thu, 2 Sep 2021 13:38:05 +0300
Subject: [PATCH] block/nbd: check that received handle is valid

If we don't have active request, that waiting for this handle to be received, we should report an error.

Signed-off-by: Vladimir Sementsov-Ogievskiy
Message-Id: <20210902103805.25686-6-vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake
Signed-off-by: Eric Blake
---
 block/nbd.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/block/nbd.c b/block/nbd.c
index 8ff6daf43d..5ef462db1b 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -58,6 +58,7 @@ typedef struct {
 Coroutine *coroutine;
 uint64_t offset; /* original offset of the request */
 bool receiving; /* sleeping in the yield in nbd_receive_replies */
+ bool reply_possible; /* reply header not yet received */
 } NBDClientRequest;
 
 typedef enum NBDClientState {
@@ -415,14 +416,7 @@ static coroutine_fn int nbd_receive_replies(BDRVNBDState *s, uint64_t handle)
 return 0;
 }
 ind2 = HANDLE_TO_INDEX(s, s->reply.handle);
- if (ind2 >= MAX_NBD_REQUESTS || !s->requests[ind2].coroutine) {
- /*
- * We only check that ind2 request exists. But don't check
- * whether it is now waiting for the reply header or
- * not. We can't just check s->requests[ind2].receiving:
- * ind2 request may wait in trying to lock
- * receive_mutex. So that's a TODO.
- */
+ if (ind2 >= MAX_NBD_REQUESTS || !s->requests[ind2].reply_possible) {
 nbd_channel_error(s, -EINVAL);
 return -EINVAL;
 }
@@ -468,6 +462,7 @@ static int nbd_co_send_request(BlockDriverState *bs,
 s->requests[i].coroutine = qemu_coroutine_self();
 s->requests[i].offset = request->from;
 s->requests[i].receiving = false;
+ s->requests[i].reply_possible = true;
 request->handle = INDEX_TO_HANDLE(s, i);
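Review bot: The replacement test `!s->requests[ind2].reply_possible` in nbd_receive_replies is weaker than the `!s->requests[ind2].coroutine` it removes, because by this patch's own diffstat (3 insertions, all visible) `reply_possible` is set to true alongside `coroutine` in nbd_co_send_request and never set back to false, so a slot that has carried one request passes this check for every later handle naming it, including after the slot has been released. The field comment `reply header not yet received` promises a clear that the patch does not perform; unless the requests array is re-zeroed elsewhere in the file (not visible here), a server that replays the handle of an already completed request is no longer rejected with -EINVAL at this point, and the stale header it leaves in s->reply presumably stalls the other waiters instead of failing the channel. I would keep both conditions, `if (ind2 >= MAX_NBD_REQUESTS || !s->requests[ind2].coroutine || !s->requests[ind2].reply_possible) {`, and clear `reply_possible` at the same place the slot's `coroutine` is set to NULL (outside this diff), or else state in the commit message which state the new flag captures that `coroutine` does not. nbd_receive_replies begins and ends outside this hunk.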