On 08/04/2017 09:08 AM, Alberto Garcia wrote:
> A bdrv_getlength() call can fail and return a negative value. This
> is not being handled in quorum_co_flush(), which can result in a
> QUORUM_REPORT_BAD event with an arbitrary value on the 'sectors-count'
> field.
>
> Reported-by: Markus Armbruster <arm...@redhat.com>
> Signed-off-by: Alberto Garcia <be...@igalia.com>
> ---
> block/quorum.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/block/quorum.c b/block/quorum.c
> index 55ba916655..d77991d680 100644
> --- a/block/quorum.c
> +++ b/block/quorum.c
> @@ -785,8 +785,9 @@ static coroutine_fn int quorum_co_flush(BlockDriverState
> *bs)
> for (i = 0; i < s->num_children; i++) {
> result = bdrv_co_flush(s->children[i]->bs);
> if (result) {
> + int64_t length = bdrv_getlength(s->children[i]->bs);
> quorum_report_bad(QUORUM_OP_TYPE_FLUSH, 0,
> - bdrv_getlength(s->children[i]->bs),
> + length > 0 ? length : 0,In the fallback case, is always picking 0 good enough? Then again, this is in the error path, so it is unlikely in practice, and I don't see any better way to handle it. Reviewed-by: Eric Blake <ebl...@redhat.com> -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org
signature.asc
Description: OpenPGP digital signature
