It's already included by iov.h.

Why removing the parameter names from existing functions?

IMO, it's a bit confusing, that we're passing two pointers here which are related to each other. Wouldn't it make things more clear to pass a single iov pointer and then passing an niov_in and niov_out length to this function?

I think that to prevent header dependency issues, every source or header file should always include every header file whose definitions and declarations it uses directly. This file uses now uses the standard bool type and thus needs to include stdbool.h.

Given that these parameter names in function prototypes are ignored by the compiler, not even causing a warning if the name is different from what the actual function implementation is using, they serve very little purpose if any purpose at all. I generally consider them noise that adds no value but clutters up the code and lengthens lines needlessly.

For this reason I don't add them for new functions or functions that I change, and in a case like this where it's relatively unintrusive I change the others, too, to make it all nice and consistent.

I reworked it to return the data_iov pointer instead and streamlined the split_iov() code somewhat. Please let me know what you think?

Conceptually, this function is splitting an iovec array in two and returning the number of entries on the left side in *niov, and the number of entries on the right side in *niov_rem. I think I have trouble with the meaning of "remaining" here, I would naively expect *niov_rem to be the number of iovecs before offset, not after. More generally, the "remainder" is what's left of the original after you take something away, but here it's used to refer to that which is being taken away, so the implementation is somewhat confusing to me.

Can we please rename the variables and reword the comment accordingly?

Not something to be fixed in this patch, but we should be checking for overflow here...

Same here with respect to overflow.

I guess that's just another linguistic nuance that escaped me, not being a native english speaker. :-)

I've tried to reword it to be clearer, using neutral terms "1st part" and "2nd part", and renaming the variables accordingly. Please let me know if that's what you had in mind.

How would you suggest to handle detection of an overflow here?

Currently, this code implicitly relies on the limits set by the virtio device emulation to prevent overflows, and the guest honoring them. Given that an overflow at this point is quite unlikely to happen other than for some sort of severe error or corruption in another place, I wonder whether it's reasonable to just use an assertion here, making the reliance on sensible I/O size and iovec count limits explicit rather than implicit. (I kinda doubt we'll see single I/O requests in the exabyte range anytime soon).

Thank you, I think this is better, but for my taste this implementation still seems too complicated. My attempt is below, what do you think?

+/*
+ * Given an iovec and an offset, split the iovec into two at the offset and
+ * return a pointer to the beginning of the second iovec.
+ *
+ * The caller is responsible for providing an extra iovec in the array for the
+ * split.  That is, there should be space for *niov1 + 1 iovecs in the array.
+ */
+struct iovec *
+split_iov(struct iovec *iov, size_t *niov1, size_t offset, size_t *niov2)
+{
+       size_t count, resid;
+
+       /* Find the iovec entry that contains the offset. */
+       resid = offset;
+       for (count = 0; count < *niov1; count++) {
+               if (resid < iov[count].iov_len)
+                       break;
+               resid -= iov[count].iov_len;
+       }
+
+       if (resid == 0 || count == *niov1) {
+               /* Easy case, we don't have to split an iovec entry. */
+               *niov2 = *niov1 - count;
+               *niov1 = count;
+               if (*niov2 == 0)
+                       return (NULL);
+               return (&iov[count]);
+       }
+
+       /* The entry iov[count] needs to be split. */
+       *niov1 = count + 1;
+       *niov2 = *niov1 - count;
+       memmove(&iov[count + 1], &iov[count], sizeof(struct iovec) * (*niov2));
+       iov[count].iov_len = resid;
+       iov[count + 1].iov_base = (char *)iov[count].iov_base + resid;
+       iov[count + 1].iov_len -= resid;
+       return (&iov[count + 1]);
+}
+

Someone independently reported that this truncate_iov() is simply broken. It always returns exactly one entry because the test toseek <= iov[i].iov_len is always true. :(

I will post a minimal patch to fix this, so that it can easily be backported to existing stable branches. After that, your patch will just remove the implementation.

We have to take into account the possibility of a malicious guest which intentionally sets up descriptors to trigger overflow here.

Perhaps it'd be easiest to 1) assert against overflow in these generic functions, 2) add checks to vq_getchain() to abort processing if we detect that we're building an iovec with total length greater than SIZE_MAX. As part of that I think I'd add a new struct which combines the iov array pointer and array length rather than passing everything separately.