From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 1518EC07E9D for ; Tue, 27 Sep 2022 06:42:30 +0000 (UTC) Received: from localhost ([::1]:59080 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1od4IW-0003F5-Tc for qemu-devel@archiver.kernel.org; Tue, 27 Sep 2022 02:42:28 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:52920) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1od3zN-0000DN-1o for qemu-devel@nongnu.org; Tue, 27 Sep 2022 02:22:44 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:30133) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1od3zK-0008Sw-AA for qemu-devel@nongnu.org; Tue, 27 Sep 2022 02:22:39 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1664259757; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=da7TfaJTwlv6KJkJn5exId0yDWWlgAimMGibg24a5eA=; b=fngy8dA0bbn0Ow4UnztQ2KdmpKWTWpiK70+IeA5sESyRdEX3b0u+kmAXYCFUp8OAGXUrGu yRlAsVmcfLFpPouJgP/L046SPDrKJVbBJUSUg/kmNGcF5Ckn0jAiO2UvgFAizExFGR5XDn RADyk46WkZM1UTZE/eHronzFxZiRMZY= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-662--PAF9RJdPYW5itdvyRS3jQ-1; Tue, 27 Sep 2022 02:22:34 -0400 X-MC-Unique: -PAF9RJdPYW5itdvyRS3jQ-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B7AC3862FDC; Tue, 27 Sep 2022 06:22:33 +0000 (UTC) Received: from blackfin.pond.sub.org (unknown [10.39.192.163]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3303D1121314; Tue, 27 Sep 2022 06:22:32 +0000 (UTC) Received: by blackfin.pond.sub.org (Postfix, from userid 1000) id F1D6D21E691D; Tue, 27 Sep 2022 08:22:30 +0200 (CEST) From: Markus Armbruster To: Bin Meng Cc: =?utf-8?Q?Marc-Andr=C3=A9?= Lureau , Daniel P . =?utf-8?Q?Berrang=C3=A9?= , Bin Meng , Hanna Reitz , Kevin Wolf , Qemu-block , "qemu-devel@nongnu.org Developers" Subject: Re: [PATCH v2] block: Refactor get_tmp_filename() References: <20220924114544.1906498-1-bmeng.cn@gmail.com> <87edvya1ez.fsf@pond.sub.org> Date: Tue, 27 Sep 2022 08:22:30 +0200 In-Reply-To: (Bin Meng's message of "Mon, 26 Sep 2022 23:28:08 +0800") Message-ID: <87o7v1mj4p.fsf@pond.sub.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Scanned-By: MIMEDefang 3.1 on 10.11.54.3 Received-SPF: pass client-ip=170.10.133.124; envelope-from=armbru@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Bin Meng writes: > On Mon, Sep 26, 2022 at 6:13 PM Markus Armbruster wrote: >> >> Bin Meng writes: >> >> > From: Bin Meng >> > >> > At present there are two callers of get_tmp_filename() and they are >> > inconsistent. >> > >> > One does: >> > >> > /* TODO: extra byte is a hack to ensure MAX_PATH space on Windows. */ >> > char *tmp_filename = g_malloc0(PATH_MAX + 1); >> > ... >> > ret = get_tmp_filename(tmp_filename, PATH_MAX + 1); >> > >> > while the other does: >> > >> > s->qcow_filename = g_malloc(PATH_MAX); >> > ret = get_tmp_filename(s->qcow_filename, PATH_MAX); >> > >> > As we can see different 'size' arguments are passed. There are also >> > platform specific implementations inside the function, and this use >> > of snprintf is really undesirable. >> > >> > Refactor this routine by changing its signature to: >> > >> > char *get_tmp_filename(void) >> > >> > and use g_file_open_tmp() for a consistent implementation. >> > >> > Signed-off-by: Bin Meng >> > --- >> > >> > Changes in v2: >> > - Use g_autofree and g_steal_pointer >> > >> > include/block/block_int-common.h | 2 +- >> > block.c | 42 ++++++++++---------------------- >> > block/vvfat.c | 8 +++--- >> > 3 files changed, 18 insertions(+), 34 deletions(-) >> > >> > diff --git a/include/block/block_int-common.h b/include/block/block_int-common.h >> > index 8947abab76..ea69a9349c 100644 >> > --- a/include/block/block_int-common.h >> > +++ b/include/block/block_int-common.h >> > @@ -1230,7 +1230,7 @@ static inline BlockDriverState *child_bs(BdrvChild *child) >> > } >> > >> > int bdrv_check_request(int64_t offset, int64_t bytes, Error **errp); >> > -int get_tmp_filename(char *filename, int size); >> > +char *get_tmp_filename(void); >> > void bdrv_parse_filename_strip_prefix(const char *filename, const char *prefix, >> > QDict *options); >> > >> > diff --git a/block.c b/block.c >> > index bc85f46eed..4e7a795566 100644 >> > --- a/block.c >> > +++ b/block.c >> > @@ -860,38 +860,23 @@ int bdrv_probe_geometry(BlockDriverState *bs, HDGeometry *geo) >> > >> > /* >> > * Create a uniquely-named empty temporary file. >> > - * Return 0 upon success, otherwise a negative errno value. >> > + * Return the actual name used upon success, otherwise NULL. >> > + * The called function is responsible for freeing it. >> > */ >> > -int get_tmp_filename(char *filename, int size) >> > +char *get_tmp_filename(void) >> > { >> > -#ifdef _WIN32 >> > - char temp_dir[MAX_PATH]; >> > - /* GetTempFileName requires that its output buffer (4th param) >> > - have length MAX_PATH or greater. */ >> > - assert(size >= MAX_PATH); >> > - return (GetTempPath(MAX_PATH, temp_dir) >> > - && GetTempFileName(temp_dir, "qem", 0, filename) >> > - ? 0 : -GetLastError()); >> > -#else >> > + g_autofree char *filename = NULL; >> > int fd; >> > - const char *tmpdir; >> > - tmpdir = getenv("TMPDIR"); >> > - if (!tmpdir) { >> > - tmpdir = "/var/tmp"; >> > - } >> > - if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) { >> > - return -EOVERFLOW; >> > - } >> > - fd = mkstemp(filename); >> > + >> > + fd = g_file_open_tmp("vl.XXXXXX", &filename, NULL); >> > if (fd < 0) { >> > - return -errno; >> > + return NULL; >> > } >> > if (close(fd) != 0) { >> > unlink(filename); >> > - return -errno; >> > + return NULL; >> > } >> > - return 0; >> > -#endif >> > + return g_steal_pointer(&filename); >> > } >> >> Oh my, what a lovely mess you're messing with! >> >> The function creates a temporary *file*, not just a filename. Makes >> sense, as creating a unique filename is inherently racy. The contract >> is clear enough ("Create a uniquely-named empty temporary file"), but >> the function name is actively misleading. > > Agreed that the name is misleading. Care to fix that? >> Of course, creating a temporary file for the caller to (re)open is also >> racy. By the time the caller gets around to it, the filename could name >> anything. Return an open file file descriptor is a better idea. It's >> basically g_file_open_tmp(). Could we rework the two users of >> get_tmp_filename() accept a file descriptor? > > I looked at the 2 callers, and it looks like we need to do more than > these 2 callers to teach them to accept a file descriptor. :( Looks like it requires surgery to bdrv_create() at least. I'm not demanding you do that now. [...]