From: Stefan Priebe
To: qemu-devel@nongnu.org
Cc: stefanha@gmail.com, josh.durgin@inktank.com, ceph-devel@vger.kernel.org, sw@weilnetz.de, peter.maydell@linaro.org, Stefan Priebe
Subject: [PATCH] overflow of int ret: use ssize_t for ret
Date: Thu, 22 Nov 2012 10:07:55 +0100
Message-Id: <1353575275-1343-1-git-send-email-s.priebe@profihost.ag>

When acb->cmd is WRITE or DISCARD block/rbd stores rcb->size into acb->ret.

Look here:

    if (acb->cmd == RBD_AIO_WRITE || acb->cmd == RBD_AIO_DISCARD) {
        if (r < 0) {
            acb->ret = r;
            acb->error = 1;
        } else if (!acb->error) {
            acb->ret = rcb->size;
        }

Right now acb->ret is just an int and we might get an overflow if size is too big. For discards rcb->size holds the size of the discard - this might be some TB if you discard a whole device.

The steps to reproduce are:
mkfs.xfs -f a whole device bigger than int in bytes. mkfs.xfs sends a discard. Important is that you use scsi-hd and set discard_granularity=512. Otherwise rbd disabled discard support.

Signed-off-by: Stefan Priebe
--- block/rbd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/block/rbd.c b/block/rbd.c index 5a0f79f..0384c6c 100644 --- a/block/rbd.c +++ b/block/rbd.c @@ -69,7 +69,7 @@ typedef enum { typedef struct RBDAIOCB { BlockDriverAIOCB common; QEMUBH *bh; - int ret; + ssize_t ret; QEMUIOVector *qiov; char *bounce; RBDAIOCmd cmd; @@ -86,7 +86,7 @@ typedef struct RADOSCB { int done; int64_t size; char *buf; - int ret; + ssize_t ret; } RADOSCB; #define RBD_FD_READ 0
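Review bot: in the first hunk (struct RBDAIOCB), `ssize_t ret` still cannot hold every value of `rcb->size` on a host where ssize_t is 32 bits, because the context of the second hunk shows that field declared as `int64_t size`. On such a host the assignment quoted in the commit message, `acb->ret = rcb->size;`, would keep truncating a multi-TB discard length. Suggest declaring the field as `int64_t ret;` so it has the same width as the value it stores, independent of the host word size.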
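Review bot: in the second hunk (struct RADOSCB), the widening of `ret` is not justified by the commit message, which describes the overflow only for `acb->ret`; this struct already carries the length in `int64_t size`. Either state in the message where `rcb->ret` receives a value larger than int, or drop this hunk; if it stays, `int64_t` would match `size`. The diffstat also shows that only these two declarations change, so any place that copies either `ret` into an `int` local or passes it through an int parameter would still truncate and should be checked as part of this patch.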