From: Max Reitz <mreitz@redhat.com>
To: qemu-block@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>, John Snow <jsnow@redhat.com>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2 7/7] block: Ignore loosening perm restrictions failures
Date: Wed, 8 May 2019 23:50:30 +0200 [thread overview]
Message-ID: <124f90ab-08fb-99ea-e736-0c9d327868f6@redhat.com> (raw)
In-Reply-To: <20190508182546.2239-8-mreitz@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 6050 bytes --]
On 08.05.19 20:25, Max Reitz wrote:
> We generally assume that loosening permission restrictions can never
> fail. We have seen in the past that this assumption is wrong. This has
> led to crashes because we generally pass &error_abort when loosening
> permissions.
>
> However, a failure in such a case should actually be handled in quite
> the opposite way: It is very much not fatal, so qemu may report it, but
> still consider the operation successful. The only realistic problem is
> that qemu may then retain permissions and thus locks on images it
> actually does not require. But again, that is not fatal.
>
> To implement this behavior, we make all functions that change
> permissions and that pass &error_abort to the initiating function
> (bdrv_check_perm() or bdrv_child_check_perm()) evaluate the
> @loosen_restrictions value introduced in the previous patch. If it is
> true and an error did occur, we abort the permission update, report
> the error, and report success to the caller.
Hm, I just noticed that while make check passes, it emits two of these
warnings:
TEST: tests/i440fx-test... (pid=23021)
qemu-system-x86_64: warning: Failed to loosen restrictions: Could not
reopen file: No such file or directory
qemu-system-x86_64: warning: Failed to loosen restrictions: Could not
reopen file: No such file or directory
PASS: tests/i440fx-test
This is because the test creates temporary files which it unlinks after
qemu has opened them. The bdrv_close_all() then attempts to drop the
WRITE permission, which requires reopening the file, which fails.
(Reproducer:
$ touch /tmp/foo; x86_64-softmmu/qemu-system-x86_64 -hda /tmp/foo &; \
sleep 1; rm /tmp/foo; kill %1
[1] 23236
WARNING: Image format was not specified for '/tmp/foo' and probing
guessed raw.
Automatically detecting the format is dangerous for raw images,
write operations on block 0 will be restricted.
Specify the 'raw' format explicitly to remove the restrictions.
qemu-system-x86_64: terminating on signal 15 from pid 7922 (-zsh)
qemu-system-x86_64: warning: Failed to loosen restrictions: Could not
reopen file: No such file or directory
qemu-system-x86_64: warning: Failed to loosen restrictions: Could not
reopen file: No such file or directory
[1] + 23236 done x86_64-softmmu/qemu-system-x86_64 -hda /tmp/foo
)
Should I just drop the warning?
Max
> bdrv_child_try_set_perm() itself does not pass &error_abort, but it is
> the only public function to change permissions. As such, callers may
> pass &error_abort to it, expecting dropping permission restrictions to
> never fail.
>
> Signed-off-by: Max Reitz <mreitz@redhat.com>
> ---
> block.c | 40 ++++++++++++++++++++++++++++++++++------
> 1 file changed, 34 insertions(+), 6 deletions(-)
>
> diff --git a/block.c b/block.c
> index 8f517be5b4..a5a03906d0 100644
> --- a/block.c
> +++ b/block.c
> @@ -2088,11 +2088,20 @@ static void bdrv_child_abort_perm_update(BdrvChild *c)
> int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
> Error **errp)
> {
> + Error *local_err = NULL;
> int ret;
> + bool tighten_restrictions;
>
> - ret = bdrv_child_check_perm(c, NULL, perm, shared, NULL, NULL, errp);
> + ret = bdrv_child_check_perm(c, NULL, perm, shared, NULL,
> + &tighten_restrictions, &local_err);
> if (ret < 0) {
> bdrv_child_abort_perm_update(c);
> + if (tighten_restrictions) {
> + error_propagate(errp, local_err);
> + } else {
> + warn_reportf_err(local_err, "Failed to loosen restrictions: ");
> + ret = 0;
> + }
> return ret;
> }
>
> @@ -2275,10 +2284,20 @@ static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs)
> /* Update permissions for old node. This is guaranteed to succeed
> * because we're just taking a parent away, so we're loosening
> * restrictions. */
> + bool tighten_restrictions;
> + Error *local_err = NULL;
> + int ret;
> +
> bdrv_get_cumulative_perm(old_bs, &perm, &shared_perm);
> - bdrv_check_perm(old_bs, NULL, perm, shared_perm, NULL,
> - NULL, &error_abort);
> - bdrv_set_perm(old_bs, perm, shared_perm);
> + ret = bdrv_check_perm(old_bs, NULL, perm, shared_perm, NULL,
> + &tighten_restrictions, &local_err);
> + assert(tighten_restrictions == false);
> + if (ret < 0) {
> + warn_reportf_err(local_err, "Failed to loosen restrictions: ");
> + bdrv_abort_perm_update(old_bs);
> + } else {
> + bdrv_set_perm(old_bs, perm, shared_perm);
> + }
> }
> }
>
> @@ -5322,7 +5341,9 @@ static bool bdrv_has_bds_parent(BlockDriverState *bs, bool only_active)
> static int bdrv_inactivate_recurse(BlockDriverState *bs)
> {
> BdrvChild *child, *parent;
> + bool tighten_restrictions;
> uint64_t perm, shared_perm;
> + Error *local_err = NULL;
> int ret;
>
> if (!bs->drv) {
> @@ -5358,8 +5379,15 @@ static int bdrv_inactivate_recurse(BlockDriverState *bs)
>
> /* Update permissions, they may differ for inactive nodes */
> bdrv_get_cumulative_perm(bs, &perm, &shared_perm);
> - bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, NULL, &error_abort);
> - bdrv_set_perm(bs, perm, shared_perm);
> + ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL,
> + &tighten_restrictions, &local_err);
> + assert(tighten_restrictions == false);
> + if (ret < 0) {
> + warn_reportf_err(local_err, "Failed to loosen restrictions: ");
> + bdrv_abort_perm_update(bs);
> + } else {
> + bdrv_set_perm(bs, perm, shared_perm);
> + }
>
>
> /* Recursively inactivate children */
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
prev parent reply other threads:[~2019-05-08 21:51 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-08 18:25 [Qemu-devel] [PATCH v2 0/7] block: Ignore loosening perm restrictions failures Max Reitz
2019-05-08 18:25 ` [Qemu-devel] [PATCH v2 1/7] file-posix: Update open_flags in raw_set_perm() Max Reitz
2019-05-08 18:25 ` [Qemu-devel] [PATCH v2 2/7] block: Add bdrv_child_refresh_perms() Max Reitz
2019-05-08 18:25 ` [Qemu-devel] [PATCH v2 3/7] block/mirror: Fix child permissions Max Reitz
2019-05-08 18:25 ` [Qemu-devel] [PATCH v2 4/7] block/commit: Drop bdrv_child_try_set_perm() Max Reitz
2019-05-08 18:25 ` [Qemu-devel] [PATCH v2 5/7] block: Fix order in bdrv_replace_child() Max Reitz
2019-05-08 18:25 ` [Qemu-devel] [PATCH v2 6/7] block: Add *tighten_restrictions to *check*_perm() Max Reitz
2019-05-08 18:25 ` [Qemu-devel] [PATCH v2 7/7] block: Ignore loosening perm restrictions failures Max Reitz
2019-05-08 21:50 ` Max Reitz [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=124f90ab-08fb-99ea-e736-0c9d327868f6@redhat.com \
--to=mreitz@redhat.com \
--cc=jsnow@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).