* [PATCH 0/2] fix fcntl(F_SETFD) usage
@ 2020-04-20 17:53 Eric Blake
2020-04-20 17:53 ` [PATCH 1/2] hax: Fix setting of FD_CLOEXEC Eric Blake
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Eric Blake @ 2020-04-20 17:53 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-trivial, peter.maydell
As recently pointed out:
https://lists.gnu.org/archive/html/qemu-devel/2020-04/msg03133.html
code that blindly calls fcntl(fd, F_SETFD, 1) rather than performing a
read-modify-write when it intends to add FD_CLOEXEC is broken, in that
it can inadvertently clear other bits.
Thankfully, the culprits fixed in this series are unlikely to be
clearing either FD_CLOFORK (if Linux ever follows Solaris' lead in
adding that), or the new FD_32BIT_MODE being proposed (as the fds in
question are unlikely to have that set) - but it is still better to
write proper code than to set up a bad example prone to copy-and-paste
propagation. And as these usages are not new to 5.0, I don't see any
reason against waiting until 5.1 to apply them.
Eric Blake (2):
hax: Fix setting of FD_CLOEXEC
tools: Fix use of fcntl(F_SETFD) during socket activation
target/i386/hax-posix.c | 6 +++---
util/systemd.c | 4 +++-
2 files changed, 6 insertions(+), 4 deletions(-)
--
2.26.1
^ permalink raw reply [flat|nested] 8+ messages in thread* [PATCH 1/2] hax: Fix setting of FD_CLOEXEC 2020-04-20 17:53 [PATCH 0/2] fix fcntl(F_SETFD) usage Eric Blake @ 2020-04-20 17:53 ` Eric Blake 2020-04-20 22:07 ` Eduardo Habkost 2020-04-21 1:22 ` Colin Xu 2020-04-20 17:53 ` [PATCH 2/2] tools: Fix use of fcntl(F_SETFD) during socket activation Eric Blake 2020-04-20 19:10 ` [PATCH 0/2] fix fcntl(F_SETFD) usage Peter Maydell 2 siblings, 2 replies; 8+ messages in thread From: Eric Blake @ 2020-04-20 17:53 UTC (permalink / raw) To: qemu-devel Cc: peter.maydell, Eduardo Habkost, qemu-trivial, open list:X86 HAXM CPUs, Colin Xu, Wenchao Wang, Paolo Bonzini, Richard Henderson Blindly setting FD_CLOEXEC without a read-modify-write will inadvertently clear any other intentionally-set bits, such as a proposed new bit for designating a fd that must behave in 32-bit mode. Use our wrapper function instead of an incorrect hand-rolled version. Signed-off-by: Eric Blake <eblake@redhat.com> --- target/i386/hax-posix.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/target/i386/hax-posix.c b/target/i386/hax-posix.c index 3bad89f13337..5f9d1b803dec 100644 --- a/target/i386/hax-posix.c +++ b/target/i386/hax-posix.c @@ -23,7 +23,7 @@ hax_fd hax_mod_open(void) fprintf(stderr, "Failed to open the hax module\n"); } - fcntl(fd, F_SETFD, FD_CLOEXEC); + qemu_set_cloexec(fd); return fd; } @@ -147,7 +147,7 @@ hax_fd hax_host_open_vm(struct hax_state *hax, int vm_id) fd = open(vm_name, O_RDWR); g_free(vm_name); - fcntl(fd, F_SETFD, FD_CLOEXEC); + qemu_set_cloexec(fd); return fd; } @@ -200,7 +200,7 @@ hax_fd hax_host_open_vcpu(int vmid, int vcpuid) if (fd < 0) { fprintf(stderr, "Failed to open the vcpu devfs\n"); } - fcntl(fd, F_SETFD, FD_CLOEXEC); + qemu_set_cloexec(fd); return fd; } -- 2.26.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] hax: Fix setting of FD_CLOEXEC 2020-04-20 17:53 ` [PATCH 1/2] hax: Fix setting of FD_CLOEXEC Eric Blake @ 2020-04-20 22:07 ` Eduardo Habkost 2020-06-02 17:47 ` Eric Blake 2020-04-21 1:22 ` Colin Xu 1 sibling, 1 reply; 8+ messages in thread From: Eduardo Habkost @ 2020-04-20 22:07 UTC (permalink / raw) To: Eric Blake Cc: peter.maydell, qemu-trivial, qemu-devel, open list:X86 HAXM CPUs, Colin Xu, Paolo Bonzini, Richard Henderson, Wenchao Wang On Mon, Apr 20, 2020 at 12:53:07PM -0500, Eric Blake wrote: > Blindly setting FD_CLOEXEC without a read-modify-write will > inadvertently clear any other intentionally-set bits, such as a > proposed new bit for designating a fd that must behave in 32-bit mode. > Use our wrapper function instead of an incorrect hand-rolled version. > > Signed-off-by: Eric Blake <eblake@redhat.com> Thanks, queued for 5.1. -- Eduardo ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] hax: Fix setting of FD_CLOEXEC 2020-04-20 22:07 ` Eduardo Habkost @ 2020-06-02 17:47 ` Eric Blake 0 siblings, 0 replies; 8+ messages in thread From: Eric Blake @ 2020-06-02 17:47 UTC (permalink / raw) To: Eduardo Habkost Cc: peter.maydell, qemu-trivial, qemu-devel, open list:X86 HAXM CPUs, Colin Xu, Paolo Bonzini, Richard Henderson, Wenchao Wang On 4/20/20 5:07 PM, Eduardo Habkost wrote: > On Mon, Apr 20, 2020 at 12:53:07PM -0500, Eric Blake wrote: >> Blindly setting FD_CLOEXEC without a read-modify-write will >> inadvertently clear any other intentionally-set bits, such as a >> proposed new bit for designating a fd that must behave in 32-bit mode. >> Use our wrapper function instead of an incorrect hand-rolled version. >> >> Signed-off-by: Eric Blake <eblake@redhat.com> > > Thanks, queued for 5.1. Ping - I still don't see this upstream. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] hax: Fix setting of FD_CLOEXEC 2020-04-20 17:53 ` [PATCH 1/2] hax: Fix setting of FD_CLOEXEC Eric Blake 2020-04-20 22:07 ` Eduardo Habkost @ 2020-04-21 1:22 ` Colin Xu 1 sibling, 0 replies; 8+ messages in thread From: Colin Xu @ 2020-04-21 1:22 UTC (permalink / raw) To: BEric Blake Cc: peter.maydell, Eduardo Habkost, qemu-trivial, qemu-devel, open list:X86 HAXM CPUs, Colin Xu, Paolo Bonzini, Richard Henderson, Wenchao Wang Looks good to me. Reviewed-by: Colin Xu <colin.xu@intel.com> -- Best Regards, Colin Xu On Tue, 21 Apr 2020, Eric Blake wrote: > Blindly setting FD_CLOEXEC without a read-modify-write will > inadvertently clear any other intentionally-set bits, such as a > proposed new bit for designating a fd that must behave in 32-bit mode. > Use our wrapper function instead of an incorrect hand-rolled version. > > Signed-off-by: Eric Blake <eblake@redhat.com> > --- > target/i386/hax-posix.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/target/i386/hax-posix.c b/target/i386/hax-posix.c > index 3bad89f13337..5f9d1b803dec 100644 > --- a/target/i386/hax-posix.c > +++ b/target/i386/hax-posix.c > @@ -23,7 +23,7 @@ hax_fd hax_mod_open(void) > fprintf(stderr, "Failed to open the hax module\n"); > } > > - fcntl(fd, F_SETFD, FD_CLOEXEC); > + qemu_set_cloexec(fd); > > return fd; > } > @@ -147,7 +147,7 @@ hax_fd hax_host_open_vm(struct hax_state *hax, int vm_id) > fd = open(vm_name, O_RDWR); > g_free(vm_name); > > - fcntl(fd, F_SETFD, FD_CLOEXEC); > + qemu_set_cloexec(fd); > > return fd; > } > @@ -200,7 +200,7 @@ hax_fd hax_host_open_vcpu(int vmid, int vcpuid) > if (fd < 0) { > fprintf(stderr, "Failed to open the vcpu devfs\n"); > } > - fcntl(fd, F_SETFD, FD_CLOEXEC); > + qemu_set_cloexec(fd); > return fd; > } > > -- > 2.26.1 > > ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 2/2] tools: Fix use of fcntl(F_SETFD) during socket activation 2020-04-20 17:53 [PATCH 0/2] fix fcntl(F_SETFD) usage Eric Blake 2020-04-20 17:53 ` [PATCH 1/2] hax: Fix setting of FD_CLOEXEC Eric Blake @ 2020-04-20 17:53 ` Eric Blake 2020-04-21 21:46 ` Eric Blake 2020-04-20 19:10 ` [PATCH 0/2] fix fcntl(F_SETFD) usage Peter Maydell 2 siblings, 1 reply; 8+ messages in thread From: Eric Blake @ 2020-04-20 17:53 UTC (permalink / raw) To: qemu-devel; +Cc: qemu-trivial, peter.maydell Blindly setting FD_CLOEXEC without a read-modify-write will inadvertently clear any other intentionally-set bits, such as a proposed new bit for designating a fd that must behave in 32-bit mode. However, we cannot use our wrapper qemu_set_cloexec(), because that wrapper intentionally abort()s on failure, whereas the probe here intentionally tolerates failure to deal with incorrect socket activation gracefully. Instead, fix the code to do the proper read-modify-write. Signed-off-by: Eric Blake <eblake@redhat.com> --- util/systemd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/util/systemd.c b/util/systemd.c index 1dd0367d9a84..5bcac9b40169 100644 --- a/util/systemd.c +++ b/util/systemd.c @@ -23,6 +23,7 @@ unsigned int check_socket_activation(void) unsigned long nr_fds; unsigned int i; int fd; + int f; int err; s = getenv("LISTEN_PID"); @@ -54,7 +55,8 @@ unsigned int check_socket_activation(void) /* So the file descriptors don't leak into child processes. */ for (i = 0; i < nr_fds; ++i) { fd = FIRST_SOCKET_ACTIVATION_FD + i; - if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { + f = fcntl(fd, F_GETFD); + if (f == -1 || fcntl(fd, F_SETFD, f | FD_CLOEXEC) == -1) { /* If we cannot set FD_CLOEXEC then it probably means the file * descriptor is invalid, so socket activation has gone wrong * and we should exit. -- 2.26.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] tools: Fix use of fcntl(F_SETFD) during socket activation 2020-04-20 17:53 ` [PATCH 2/2] tools: Fix use of fcntl(F_SETFD) during socket activation Eric Blake @ 2020-04-21 21:46 ` Eric Blake 0 siblings, 0 replies; 8+ messages in thread From: Eric Blake @ 2020-04-21 21:46 UTC (permalink / raw) To: qemu-devel; +Cc: qemu-trivial, peter.maydell On 4/20/20 12:53 PM, Eric Blake wrote: > Blindly setting FD_CLOEXEC without a read-modify-write will > inadvertently clear any other intentionally-set bits, such as a > proposed new bit for designating a fd that must behave in 32-bit mode. > However, we cannot use our wrapper qemu_set_cloexec(), because that > wrapper intentionally abort()s on failure, whereas the probe here > intentionally tolerates failure to deal with incorrect socket > activation gracefully. Instead, fix the code to do the proper > read-modify-write. > > Signed-off-by: Eric Blake <eblake@redhat.com> > --- > util/systemd.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) As qemu-nbd is impacted, I'll queue 2/2 through my NBD tree if qemu-trivial doesn't pick it up first. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 0/2] fix fcntl(F_SETFD) usage 2020-04-20 17:53 [PATCH 0/2] fix fcntl(F_SETFD) usage Eric Blake 2020-04-20 17:53 ` [PATCH 1/2] hax: Fix setting of FD_CLOEXEC Eric Blake 2020-04-20 17:53 ` [PATCH 2/2] tools: Fix use of fcntl(F_SETFD) during socket activation Eric Blake @ 2020-04-20 19:10 ` Peter Maydell 2 siblings, 0 replies; 8+ messages in thread From: Peter Maydell @ 2020-04-20 19:10 UTC (permalink / raw) To: Eric Blake; +Cc: QEMU Trivial, QEMU Developers On Mon, 20 Apr 2020 at 18:53, Eric Blake <eblake@redhat.com> wrote: > > As recently pointed out: > https://lists.gnu.org/archive/html/qemu-devel/2020-04/msg03133.html > code that blindly calls fcntl(fd, F_SETFD, 1) rather than performing a > read-modify-write when it intends to add FD_CLOEXEC is broken, in that > it can inadvertently clear other bits. > > Thankfully, the culprits fixed in this series are unlikely to be > clearing either FD_CLOFORK (if Linux ever follows Solaris' lead in > adding that), or the new FD_32BIT_MODE being proposed (as the fds in > question are unlikely to have that set) - but it is still better to > write proper code than to set up a bad example prone to copy-and-paste > propagation. And as these usages are not new to 5.0, I don't see any > reason against waiting until 5.1 to apply them. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> thanks -- PMM ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-06-02 17:48 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-04-20 17:53 [PATCH 0/2] fix fcntl(F_SETFD) usage Eric Blake 2020-04-20 17:53 ` [PATCH 1/2] hax: Fix setting of FD_CLOEXEC Eric Blake 2020-04-20 22:07 ` Eduardo Habkost 2020-06-02 17:47 ` Eric Blake 2020-04-21 1:22 ` Colin Xu 2020-04-20 17:53 ` [PATCH 2/2] tools: Fix use of fcntl(F_SETFD) during socket activation Eric Blake 2020-04-21 21:46 ` Eric Blake 2020-04-20 19:10 ` [PATCH 0/2] fix fcntl(F_SETFD) usage Peter Maydell
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).