Markus Armbruster <arm...@redhat.com> writes: > qio_channel_rdma_readv() assigns the size_t value of qemu_rdma_fill() > to an int variable before it adds it to @done / subtracts it from > @want, both size_t. Truncation when qemu_rdma_fill() copies more than > INT_MAX bytes. Seems vanishingly unlikely, but needs fixing all the > same. > > Fixes: 6ddd2d76ca6f (migration: convert RDMA to use QIOChannel interface) > Signed-off-by: Markus Armbruster <arm...@redhat.com> > --- > migration/rdma.c | 14 +++++++------- > 1 file changed, 7 insertions(+), 7 deletions(-) > > diff --git a/migration/rdma.c b/migration/rdma.c > index 4289346617..5f423f66f0 100644 > --- a/migration/rdma.c > +++ b/migration/rdma.c > @@ -2852,7 +2852,7 @@ static ssize_t qio_channel_rdma_readv(QIOChannel *ioc, > RDMAControlHeader head; > int ret = 0; > ssize_t i; > - size_t done = 0; > + size_t done = 0, len; > > RCU_READ_LOCK_GUARD(); > rdma = qatomic_rcu_read(&rioc->rdmain); > @@ -2873,9 +2873,9 @@ static ssize_t qio_channel_rdma_readv(QIOChannel *ioc, > * were given and dish out the bytes until we run > * out of bytes. > */ > - ret = qemu_rdma_fill(rdma, data, want, 0); > - done += ret; > - want -= ret; > + len = qemu_rdma_fill(rdma, data, want, 0); > + done += len; > + want -= len; > /* Got what we needed, so go to next iovec */ > if (want == 0) { > continue; > @@ -2902,9 +2902,9 @@ static ssize_t qio_channel_rdma_readv(QIOChannel *ioc, > /* > * SEND was received with new bytes, now try again. > */ > - ret = qemu_rdma_fill(rdma, data, want, 0); > - done += ret; > - want -= ret; > + len = qemu_rdma_fill(rdma, data, want, 0); > + done += len; > + want -= len; > > /* Still didn't get enough, so lets just return */ > if (want) {
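Review bot: In the first hunk (the declarations at -2852), `len` is added uninitialized to the same declaration as the initialized `done` in `size_t done = 0, len;`. It is only used directly after each qemu_rdma_fill() call, so giving it its own `size_t len;` line, or declaring it inside the per-iovec loop body, would keep its scope narrow and keep the initialized and uninitialized variables from being read as a pair.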
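Review bot: In the second hunk (at -2873), `ret` no longer receives the qemu_rdma_fill() result while `int ret = 0;` stays declared at the top of the function, so it is worth confirming that nothing later in the same iteration reads `ret` expecting the byte count. Separately, `want -= len` on two size_t values wraps if qemu_rdma_fill() ever returns more than `want`. The commit message could state that the callee is bounded by its `want` argument, or the code could assert `len <= want` before the subtraction.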
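Review bot: In the third hunk (at -2902), the three-line sequence `len = qemu_rdma_fill(rdma, data, want, 0); done += len; want -= len;` is now an exact duplicate of the one in the previous hunk. That is fine for a minimal fix, but a small local helper or a follow-up cleanup would keep the two call sites from drifting apart again, which is how a type mismatch like this one ends up needing to be fixed in two places.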
Reviewed-by: Fabiano Rosas <faro...@suse.de>