b106ad9185
free_cluster_index is only correct if update_refcount() was called from an allocation function, and even there it's brittle because it's used to protect unfinished allocations which still have a refcount of 0 - if it moves in the wrong place, the unfinished allocation can be corrupted. So not using it any more seems to be a good idea.

Instead, use the first requested cluster to do the calculations. Return -EAGAIN if unfinished allocations could become invalid and let the caller restart its search for some free clusters.

The context of creating a snapshot is one situation where update_refcount() is called outside of a cluster allocation. For this case, the change fixes a buffer overflow if a cluster is referenced in an L2 table that cannot be represented by an existing refcount block. (new_table[refcount_table_index] was out of bounds)

[Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to 11. --Stefan]

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
| Name |
|---|
| acpi-test-data |
| libqos |
| multiboot |
| qapi-schema |
| qemu-iotests |
| tcg |
| .gitignore |
| acpi-test.c |
| blockdev-test.c |
| boot-order-test.c |
| check-block.sh |
| check-qdict.c |
| check-qfloat.c |
| check-qint.c |
| check-qjson.c |
| check-qlist.c |
| check-qom-interface.c |
| check-qstring.c |
| e1000-test.c |
| eepro100-test.c |
| endianness-test.c |
| fdc-test.c |
| fw_cfg-test.c |
| hd-geo-test.c |
| i440fx-test.c |
| ide-test.c |
| ipoctal232-test.c |
| libqtest.c |
| libqtest.h |
| m48t59-test.c |
| Makefile |
| ne2000-test.c |
| pcnet-test.c |
| qdev-monitor-test.c |
| qemu-iotests-quick.sh |
| qom-test.c |
| rtc-test.c |
| rtl8139-test.c |
| spapr-phb-test.c |
| test-aio.c |
| test-bitops.c |
| test-coroutine.c |
| test-cutils.c |
| test-hbitmap.c |
| test-int128.c |
| test-iov.c |
| test-mul64.c |
| test-opts-visitor.c |
| test-qdev-global-props.c |
| test-qmp-commands.c |
| test-qmp-input-strict.c |
| test-qmp-input-visitor.c |
| test-qmp-output-visitor.c |
| test-rfifolock.c |
| test-string-input-visitor.c |
| test-string-output-visitor.c |
| test-thread-pool.c |
| test-throttle.c |
| test-visitor-serialization.c |
| test-vmstate.c |
| test-x86-cpuid.c |
| test-xbzrle.c |
| tmp105-test.c |
| tpci200-test.c |
| virtio-balloon-test.c |
| virtio-blk-test.c |
| virtio-console-test.c |
| virtio-net-test.c |
| virtio-rng-test.c |
| virtio-scsi-test.c |
| virtio-serial-test.c |
| vmxnet3-test.c |