From: Max Reitz <mreitz@redhat.com>
To: Lukas Straub <lukasstraub2@web.de>, qemu-devel <qemu-devel@nongnu.org>
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Alberto Garcia" <berto@igalia.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Wainer dos Santos Moschetta" <wainersm@redhat.com>,
"Zhang Chen" <chen.zhang@intel.com>,
"Cleber Rosa" <crosa@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: Re: [PATCH v3 1/7] block/quorum.c: stable children names
Date: Wed, 2 Sep 2020 14:22:44 +0200
Message-ID: <250d7ece-9137-8993-fffb-8d5ab205be5b@redhat.com>
In-Reply-To: <5d5f930424c1c770754041aa8ad6421dc4e2b58e.1596536719.git.lukasstraub2@web.de>
On 04.08.20 12:46, Lukas Straub wrote:
> If we remove the child with the highest index from the quorum,
> decrement s->next_child_index. This way we get stable children
> names as long as we only remove the last child.
>
> Signed-off-by: Lukas Straub <lukasstraub2@web.de>
> Fixes: https://bugs.launchpad.net/bugs/1881231
> Reviewed-by: Zhang Chen <chen.zhang@intel.com>
> Reviewed-by: Alberto Garcia <berto@igalia.com>
> ---
> block/quorum.c | 20 ++++++++++++++------
> 1 file changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/block/quorum.c b/block/quorum.c
> index 6df9449fc2..e846a7e892 100644
> --- a/block/quorum.c
> +++ b/block/quorum.c
> @@ -29,6 +29,8 @@
>
> #define HASH_LENGTH 32
>
> +#define INDEXSTR_LEN 32
> +
I don’t like this too much. There is no real concept such as an index
string, and it doesn’t have a fixed length. It just so happens that
there are a couple of places where we need some buffer to snprintf()
into, and all those places happen to use 32 because that’s definitely
sufficient for “children.%u”. (Technically, it should not be fixed to
32, but “sizeof("children.") + ceil(log_10(INT_MAX))”.)
Whenever we then use such a buffer, we shouldn’t use the same hard-coded
magic number or constant, but instead just refer to the size of the buffer:
> #define QUORUM_OPT_VOTE_THRESHOLD "vote-threshold"
> #define QUORUM_OPT_BLKVERIFY "blkverify"
> #define QUORUM_OPT_REWRITE "rewrite-corrupted"
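Review bot: the new `+#define INDEXSTR_LEN 32` carries no comment saying what it bounds, so a later reader cannot tell whether 32 is a format requirement or a generous buffer size; a one-line comment stating that the buffer must hold "children." plus the decimal digits of an unsigned int would make that explicit. If the macro is kept at all, the alternative is to drop it and size each buffer with sizeof() at its use site, which keeps the bound tied to the declaration.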
> @@ -970,9 +972,9 @@ static int quorum_open(BlockDriverState *bs, QDict *options, int flags,
> opened = g_new0(bool, s->num_children);
>
> for (i = 0; i < s->num_children; i++) {
> - char indexstr[32];
> - ret = snprintf(indexstr, 32, "children.%d", i);
> - assert(ret < 32);
> + char indexstr[INDEXSTR_LEN];
> + ret = snprintf(indexstr, INDEXSTR_LEN, "children.%d", i);
> + assert(ret < INDEXSTR_LEN);
So in lines 2 and 3 here we should just use sizeof(indexstr).
>
> s->children[i] = bdrv_open_child(NULL, options, indexstr, bs,
> &child_of_bds, BDRV_CHILD_DATA, false,
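Review bot: in `ret = snprintf(indexstr, INDEXSTR_LEN, "children.%d", i);` and `assert(ret < INDEXSTR_LEN);` the bound could be `sizeof(indexstr)` so it can never drift from the declaration one line above. The assert here also does not cover a negative return, whereas the quorum_add_child site in this same patch checks `ret < 0 || ret >= ...`; the two checks should be aligned. Note as well that this site formats an int with "%d" while quorum_add_child and quorum_del_child use "%u"; one format across all three sites makes the string comparison in quorum_del_child obviously consistent with the names generated here.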
> @@ -1024,7 +1026,7 @@ static void quorum_add_child(BlockDriverState *bs, BlockDriverState *child_bs,
> {
> BDRVQuorumState *s = bs->opaque;
> BdrvChild *child;
> - char indexstr[32];
> + char indexstr[INDEXSTR_LEN];
> int ret;
>
> if (s->is_blkverify) {
> @@ -1039,8 +1041,8 @@ static void quorum_add_child(BlockDriverState *bs, BlockDriverState *child_bs,
> return;
> }
>
> - ret = snprintf(indexstr, 32, "children.%u", s->next_child_index);
> - if (ret < 0 || ret >= 32) {
> + ret = snprintf(indexstr, INDEXSTR_LEN, "children.%u", s->next_child_index);
> + if (ret < 0 || ret >= INDEXSTR_LEN) {
Same here.
> error_setg(errp, "cannot generate child name");
> return;
> }
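Review bot: as in quorum_open, the `snprintf(indexstr, INDEXSTR_LEN, ...)` and `ret >= INDEXSTR_LEN` pair would be tighter as `sizeof(indexstr)`. This site is the one that checks both a negative and an overlong return, so it is the pattern the other two sites should follow.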
> @@ -1068,6 +1070,7 @@ static void quorum_del_child(BlockDriverState *bs, BdrvChild *child,
> Error **errp)
> {
> BDRVQuorumState *s = bs->opaque;
> + char indexstr[INDEXSTR_LEN];
> int i;
>
> for (i = 0; i < s->num_children; i++) {
> @@ -1089,6 +1092,11 @@ static void quorum_del_child(BlockDriverState *bs, BdrvChild *child,
> /* We know now that num_children > threshold, so blkverify must be false */
> assert(!s->is_blkverify);
>
> + snprintf(indexstr, INDEXSTR_LEN, "children.%u", s->next_child_index - 1);
> + if (!strncmp(child->name, indexstr, INDEXSTR_LEN)) {
And here.
I also wonder if there should be an assertion/check checking snprintf’s
return value (as is done in the other places), but then again, it
doesn’t really matter. But it would make the length limitation of
strncmp() superfluous and a plain strcmp() would suffice.
(I don’t like strncmp() very much here, because we have a problem if
indexstr’s length doesn’t suffice to hold children.%u, and we then
compare only the first INDEXSTR_LEN bytes with child->name. That would
be a bug. Just a different bug than an out-of-bounds read.)
> + s->next_child_index--;
> + }
> +
> bdrv_drained_begin(bs);
>
> /* We can safely remove this child now */
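Review bot: the new `snprintf(indexstr, INDEXSTR_LEN, "children.%u", s->next_child_index - 1);` discards its return value, unlike the two other call sites in this patch, so a truncated name is silently compared by `strncmp(child->name, indexstr, INDEXSTR_LEN)` over at most INDEXSTR_LEN bytes; under truncation that can match a child that is not the last one (and miss the one that is), making `s->next_child_index--` fire for the wrong child. Suggest checking `ret >= 0 && ret < sizeof(indexstr)` (an assert is adequate since the other sites already guarantee the name fits) and then comparing with plain strcmp() over the full name. A short comment would also help: the decrement happens only when the removed child has the highest index, so removing a middle child still leaves a gap in the numbering, as the commit message says.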
Now, all in all, it doesn’t really matter of course. This patch works
and introducing INDEXSTR_LEN isn’t worse than just using 32 as a magic
number. So I’ll take the patch as-is for now – if you think that using
sizeof(indexstr) and/or replacing the strncmp() by assert()+strcmp()
would be so much better to justify a v4 (of this patch) or a follow-up
patch, then, well, that could still be done. O:)
tl;dr: Thanks, I’ve applied this patch to my block branch:
https://git.xanclic.moe/XanClic/qemu/commits/branch/block
Max
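The truncation hazard described above (an unchecked snprintf() followed by a length-limited strncmp()), as an added example that is not part of this thread or of QEMU's block/quorum.c. The two helpers are hypothetical stand-ins for the comparison in quorum_del_child(): one mirrors the patch as posted, the other the checked snprintf() plus strcmp() variant the review suggests. The child names, the count of 101 children and the 12-byte buffer are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU code. Both helpers format "children.%u" for the
 * highest existing index into a caller-supplied buffer and compare it with
 * the name of the child being removed. */

/* Mirrors the patch as posted: the snprintf() return value is ignored and
 * the comparison is limited to buf_len bytes. */
static bool last_child_unchecked(const char *child_name,
                                 unsigned next_child_index,
                                 char *buf, size_t buf_len)
{
    snprintf(buf, buf_len, "children.%u", next_child_index - 1);
    return strncmp(child_name, buf, buf_len) == 0;
}

/* Variant suggested in the review: verify that the name fit, then compare
 * the whole string. Returns 1 on match, 0 on mismatch and -1 when the
 * buffer was too small (the comparison must not be trusted then). */
static int last_child_checked(const char *child_name,
                              unsigned next_child_index,
                              char *buf, size_t buf_len)
{
    int ret = snprintf(buf, buf_len, "children.%u", next_child_index - 1);
    if (ret < 0 || (size_t)ret >= buf_len) {
        return -1;
    }
    return strcmp(child_name, buf) == 0 ? 1 : 0;
}

/* Wrappers that simulate a buffer declared with the given size (backed by
 * 64 bytes of real storage) so the two behaviours can be compared. */
static bool demo_unchecked(const char *child_name, unsigned next_child_index,
                           size_t declared_len)
{
    char buf[64];
    if (declared_len > sizeof(buf)) {
        declared_len = sizeof(buf);
    }
    return last_child_unchecked(child_name, next_child_index, buf, declared_len);
}

static int demo_checked(const char *child_name, unsigned next_child_index,
                        size_t declared_len)
{
    char buf[64];
    if (declared_len > sizeof(buf)) {
        declared_len = sizeof(buf);
    }
    return last_child_checked(child_name, next_child_index, buf, declared_len);
}

int main(void)
{
    /* Constructed scenario: 101 children exist, so the last one is
     * "children.100", which needs 13 bytes including the terminator.
     * A 12-byte buffer truncates it to "children.10". */
    const unsigned next = 101;

    printf("12-byte buffer, removing children.10 : unchecked=%d checked=%d\n",
           demo_unchecked("children.10", next, 12),
           demo_checked("children.10", next, 12));
    printf("12-byte buffer, removing children.100: unchecked=%d checked=%d\n",
           demo_unchecked("children.100", next, 12),
           demo_checked("children.100", next, 12));
    printf("32-byte buffer, removing children.100: unchecked=%d checked=%d\n",
           demo_unchecked("children.100", next, 32),
           demo_checked("children.100", next, 32));
    return 0;
}
```

With the too-small buffer the unchecked variant reports "children.10" as the last child and denies that "children.100" is, which in the patch's terms would decrement next_child_index on the wrong removal; the checked variant refuses both comparisons with -1, so the caller can assert on it rather than act on a half-formed name. With a 32-byte buffer the two variants agree.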