On Wed, Jun 22, 2016 at 09:51:00AM -0600, Eric Blake wrote:
> @@ -2204,14 +2203,15 @@ BlockAIOCB *bdrv_aio_discard(BlockDriverState *bs,
> {
> Coroutine *co;
> BlockAIOCBCoroutine *acb;
> + QEMUIOVector qiov = { .size = nb_sectors << BDRV_SECTOR_BITS, };
>
> trace_bdrv_aio_discard(bs, sector_num, nb_sectors, opaque);
>
> acb = qemu_aio_get(&bdrv_em_co_aiocb_info, bs, cb, opaque);
> acb->need_bh = true;
> acb->req.error = -EINPROGRESS;
> - acb->req.sector = sector_num;
> - acb->req.nb_sectors = nb_sectors;
> + acb->req.offset = sector_num << BDRV_SECTOR_BITS;
> + acb->req.qiov = &qiov;

This looks unsafe: the pointer to a stack-allocated qiov is held after the function returns.
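Review bot: `qiov` is a local of `bdrv_aio_discard`, and the added line `acb->req.qiov = &qiov;` stores its address in the request object that this function hands back to its caller as a `BlockAIOCB *`, so whatever completes the request after the function returns reads through a dangling stack pointer. Give the vector storage that lives as long as the request, for example a `QEMUIOVector qiov` member in `BlockAIOCBCoroutine` set up as `acb->qiov.size = nb_sectors << BDRV_SECTOR_BITS;` followed by `acb->req.qiov = &acb->qiov;`, or store the byte count directly, since the initializer only fills `.size` and leaves `iov`/`niov` empty, so this vector must never be iterated anyway; that restriction deserves a comment wherever `req.qiov` is consumed on the discard path.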