Richard W.M. Jones
2019-May-23 09:32 UTC
[Libguestfs] [PATCH libnbd 0/3] Prevent some misuse of multi-conn.
Per recent discussion here: https://www.redhat.com/archives/libguestfs/2019-May/thread.html#00175
Richard W.M. Jones
2019-May-23 09:32 UTC
[Libguestfs] [PATCH libnbd 1/3] states: Factor out common code for setting export size and eflags.
Simple refactoring. --- generator/states-newstyle-opt-export-name.c | 12 +++++------ generator/states-newstyle-opt-go.c | 13 ++++++------ generator/states-oldstyle.c | 10 +++------- lib/flags.c | 22 +++++++++++++++++++++ lib/internal.h | 5 +++++ 5 files changed, 42 insertions(+), 20 deletions(-) diff --git a/generator/states-newstyle-opt-export-name.c b/generator/states-newstyle-opt-export-name.c index 8ff1c1c..07b6c9e 100644 --- a/generator/states-newstyle-opt-export-name.c +++ b/generator/states-newstyle-opt-export-name.c @@ -58,13 +58,13 @@ return 0; NEWSTYLE.OPT_EXPORT_NAME.CHECK_REPLY: - conn->h->exportsize = be64toh (conn->sbuf.export_name_reply.exportsize); - conn->h->eflags = be16toh (conn->sbuf.export_name_reply.eflags); - debug (conn->h, "exportsize: %" PRIu64 " eflags: 0x%" PRIx16, - conn->h->exportsize, conn->h->eflags); - if (conn->h->eflags == 0) { + uint64_t exportsize; + uint16_t eflags; + + exportsize = be64toh (conn->sbuf.export_name_reply.exportsize); + eflags = be16toh (conn->sbuf.export_name_reply.eflags); + if (nbd_internal_set_size_and_flags (conn->h, exportsize, eflags) == -1) { SET_NEXT_STATE (%.DEAD); - set_error (EINVAL, "handshake: invalid eflags == 0 from server"); return -1; } SET_NEXT_STATE (%.READY); diff --git a/generator/states-newstyle-opt-go.c b/generator/states-newstyle-opt-go.c index 4dbeee9..97f25f8 100644 --- a/generator/states-newstyle-opt-go.c +++ b/generator/states-newstyle-opt-go.c @@ -106,6 +106,8 @@ uint32_t reply; uint32_t len; const size_t maxpayload = sizeof conn->sbuf.or.payload; + uint64_t exportsize; + uint16_t eflags; magic = be64toh (conn->sbuf.or.option_reply.magic); option = be32toh (conn->sbuf.or.option_reply.option); @@ -129,14 +131,11 @@ if (len <= maxpayload /* see RECV_NEWSTYLE_OPT_GO_REPLY */) { if (len >= sizeof conn->sbuf.or.payload.export) { if (be16toh (conn->sbuf.or.payload.export.info) == NBD_INFO_EXPORT) { - conn->h->exportsize - be64toh (conn->sbuf.or.payload.export.exportsize); - conn->h->eflags = be16toh (conn->sbuf.or.payload.export.eflags); - debug (conn->h, "exportsize: %" PRIu64 " eflags: 0x%" PRIx16, - conn->h->exportsize, conn->h->eflags); - if (conn->h->eflags == 0) { + exportsize = be64toh (conn->sbuf.or.payload.export.exportsize); + eflags = be16toh (conn->sbuf.or.payload.export.eflags); + if (nbd_internal_set_size_and_flags (conn->h, + exportsize, eflags) == -1) { SET_NEXT_STATE (%.DEAD); - set_error (EINVAL, "handshake: invalid eflags == 0 from server"); return -1; } } diff --git a/generator/states-oldstyle.c b/generator/states-oldstyle.c index 95b7df9..29cb341 100644 --- a/generator/states-oldstyle.c +++ b/generator/states-oldstyle.c @@ -47,14 +47,10 @@ eflags = be16toh (conn->sbuf.old_handshake.eflags); conn->gflags = gflags; - conn->h->exportsize = exportsize; - conn->h->eflags = eflags; - debug (conn->h, "exportsize: %" PRIu64 " eflags: 0x%" PRIx16 - " gflags: 0x%" PRIx16, - exportsize, eflags, gflags); - if (eflags == 0) { + debug (conn->h, "gflags: 0x%" PRIx16, gflags); + + if (nbd_internal_set_size_and_flags (conn->h, exportsize, eflags) == -1) { SET_NEXT_STATE (%.DEAD); - set_error (EINVAL, "handshake: invalid eflags == 0 from server"); return -1; } diff --git a/lib/flags.c b/lib/flags.c index f0d9dc3..825b326 100644 --- a/lib/flags.c +++ b/lib/flags.c @@ -21,10 +21,32 @@ #include <stdio.h> #include <stdlib.h> #include <stdbool.h> +#include <stdint.h> +#include <inttypes.h> #include <errno.h> #include "internal.h" +/* Set the export size and eflags on the handle, validating them. + * This is called from the state machine when either the newstyle or + * oldstyle negotiation reaches the point that these are available. + */ +int +nbd_internal_set_size_and_flags (struct nbd_handle *h, + uint64_t exportsize, uint16_t eflags) +{ + debug (h, "exportsize: %" PRIu64 " eflags: 0x%" PRIx16, exportsize, eflags); + + if (eflags == 0) { + set_error (EINVAL, "handshake: invalid eflags == 0 from server"); + return -1; + } + + h->exportsize = exportsize; + h->eflags = eflags; + return 0; +} + static int get_flag (struct nbd_handle *h, uint16_t flag) { diff --git a/lib/internal.h b/lib/internal.h index 8eadada..f0705ef 100644 --- a/lib/internal.h +++ b/lib/internal.h @@ -265,6 +265,11 @@ extern void nbd_internal_set_last_error (int errnum, char *error); nbd_internal_set_last_error ((errnum), _errp); \ } while (0) +/* flags.c */ +extern int nbd_internal_set_size_and_flags (struct nbd_handle *h, + uint64_t exportsize, + uint16_t eflags); + /* protocol.c */ extern int nbd_internal_errno_of_nbd_error (uint32_t error); extern const char *nbd_internal_name_of_nbd_cmd (uint16_t type); -- 2.21.0
Richard W.M. Jones
2019-May-23 09:32 UTC
[Libguestfs] [PATCH libnbd 2/3] states: Prevent multi-conn connection unless the server advertizes it.
It is unsafe to connect using multi-conn to a server unless the server advertizes it, so fail if the caller tries to do this. --- generator/generator | 16 ++++++++++++++-- lib/flags.c | 10 ++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/generator/generator b/generator/generator index a372074..a8e6fb6 100755 --- a/generator/generator +++ b/generator/generator @@ -897,7 +897,8 @@ The C<multi_conn> parameter controls whether this feature is enabled (if E<gt> 1) or disabled (if C<1>). The parameter passed must not be C<0>. Usually small powers of 2 (eg. 2, 4, 8) will provide increments in performance. Some servers do not -support this feature and will return an error on connection. +support this feature and libnbd will fail on connection to +these servers if this setting is E<gt> 1. At present, libnbd assumes that all connections will report the same capabilities; a server that behaves otherwise may trigger @@ -1171,7 +1172,18 @@ connected to and completed the handshake with the server."; Returns true if the server supports multi-conn (see C<nbd_set_multi_conn>). Returns false if the server does not. Can return an error if we have not -connected to and completed the handshake with the server."; +connected to and completed the handshake with the server. + +Note that you I<cannot> set multi-conn on the handle +to E<gt> 1, connect, and then check this setting, because +if the server does not support multi-conn the connection +will fail. Instead you should connect with multi-conn +set to C<1> (the default), check this setting, then if +multi-conn is found to be supported you can call +C<nbd_set_multi_conn> with a larger value to increase +the number of connection objects, then call one of the +C<nbd_connect*> functions again on the handle to connect +the remaining connections."; }; "can_cache", { diff --git a/lib/flags.c b/lib/flags.c index 825b326..1956db6 100644 --- a/lib/flags.c +++ b/lib/flags.c @@ -42,6 +42,16 @@ nbd_internal_set_size_and_flags (struct nbd_handle *h, return -1; } + /* It is unsafe to connect to a server with multi-conn set unless + * the server says it is safe to do so. + */ + if (h->multi_conn > 1 && (eflags & NBD_FLAG_CAN_MULTI_CONN) == 0) { + set_error (EINVAL, "handshake: multi-conn is set on this handle, " + "but the server does not advertize multi-conn support " + "so disconnecting because it is not safe to continue"); + return -1; + } + h->exportsize = exportsize; h->eflags = eflags; return 0; -- 2.21.0
Richard W.M. Jones
2019-May-23 09:32 UTC
[Libguestfs] [PATCH libnbd 3/3] lib/connect.c: Fail synchronous nbd_connect_command if multi-conn is set.
However we don't modify the asynchronous call, continuing the general policy of allowing users to do what they want with AIO even if it is unwise. --- lib/connect.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/connect.c b/lib/connect.c index c5970d2..61d945f 100644 --- a/lib/connect.c +++ b/lib/connect.c @@ -150,12 +150,15 @@ nbd_unlocked_connect_tcp (struct nbd_handle *h, return wait_all_connected (h); } -/* Connect to a local command. Multi-conn doesn't make much sense - * here, should it be an error? - */ +/* Connect to a local command. */ int nbd_unlocked_connect_command (struct nbd_handle *h, char **argv) { + if (h->multi_conn > 1) { + set_error (EINVAL, "multi-conn cannot be used when connecting to a command"); + return -1; + } + if (!nbd_unlocked_aio_is_created (h->conns[0])) { set_error (0, "first connection in this handle is not in the created state, this is likely to be caused by a programming error in the calling program"); return -1; -- 2.21.0
Eric Blake
2019-May-23 12:25 UTC
Re: [Libguestfs] [PATCH libnbd 2/3] states: Prevent multi-conn connection unless the server advertizes it.
On 5/23/19 4:32 AM, Richard W.M. Jones wrote:> It is unsafe to connect using multi-conn to a server unless the server > advertizes it, so fail if the caller tries to do this.Actually, I think we can be a little bit looser: It is unsafe to connect with write access using multi-conn. But for read-only (where we can't corrupt data), having multiple connections even when the server does not advertise multi-conn should (in general) still be safe.> --- > generator/generator | 16 ++++++++++++++-- > lib/flags.c | 10 ++++++++++ > 2 files changed, 24 insertions(+), 2 deletions(-) > > diff --git a/generator/generator b/generator/generator > index a372074..a8e6fb6 100755 > --- a/generator/generator > +++ b/generator/generator > @@ -897,7 +897,8 @@ The C<multi_conn> parameter controls whether this feature is > enabled (if E<gt> 1) or disabled (if C<1>). The parameter > passed must not be C<0>. Usually small powers of 2 (eg. 2, 4, 8) > will provide increments in performance. Some servers do not > -support this feature and will return an error on connection. > +support this feature and libnbd will fail on connection to > +these servers if this setting is E<gt> 1.So maybe change this to: ...libnbd will fail on read-write connections to these servers if...> > At present, libnbd assumes that all connections will report the > same capabilities; a server that behaves otherwise may trigger > @@ -1171,7 +1172,18 @@ connected to and completed the handshake with the server."; > Returns true if the server supports multi-conn > (see C<nbd_set_multi_conn>). Returns false if > the server does not. Can return an error if we have not > -connected to and completed the handshake with the server."; > +connected to and completed the handshake with the server. > + > +Note that you I<cannot> set multi-conn on the handle > +to E<gt> 1, connect, and then check this setting, because > +if the server does not support multi-conn the connection > +will fail. Instead you should connect with multi-conn > +set to C<1> (the default), check this setting, then if > +multi-conn is found to be supported you can call > +C<nbd_set_multi_conn> with a larger value to increase > +the number of connection objects, then call one of the > +C<nbd_connect*> functions again on the handle to connect > +the remaining connections.";This one is good.> }; > > "can_cache", { > diff --git a/lib/flags.c b/lib/flags.c > index 825b326..1956db6 100644 > --- a/lib/flags.c > +++ b/lib/flags.c > @@ -42,6 +42,16 @@ nbd_internal_set_size_and_flags (struct nbd_handle *h, > return -1; > } > > + /* It is unsafe to connect to a server with multi-conn set unless > + * the server says it is safe to do so. > + */ > + if (h->multi_conn > 1 && (eflags & NBD_FLAG_CAN_MULTI_CONN) == 0) {Here, I'd add && !(eflags & NBD_FLAG_READ_ONLY)> + set_error (EINVAL, "handshake: multi-conn is set on this handle, " > + "but the server does not advertize multi-conn support "I know that in general -ise vs. -ize is a common US/UK thing, but https://english.stackexchange.com/questions/341707/should-advertised-be-spelled-with-a-z-in-american-english says that advertise is preferred in both. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
Eric Blake
2019-May-23 12:33 UTC
Re: [Libguestfs] [PATCH libnbd 1/3] states: Factor out common code for setting export size and eflags.
On 5/23/19 4:32 AM, Richard W.M. Jones wrote:> Simple refactoring. > --- > generator/states-newstyle-opt-export-name.c | 12 +++++------ > generator/states-newstyle-opt-go.c | 13 ++++++------ > generator/states-oldstyle.c | 10 +++------- > lib/flags.c | 22 +++++++++++++++++++++ > lib/internal.h | 5 +++++ > 5 files changed, 42 insertions(+), 20 deletions(-)ACK. Odd that the diffstat doesn't match that this does look simpler in the end. It also gives us a common hook point to enforce (which we may want - although we're still deciding that) that secondary multi-conn connections come up with the same eflags as the first. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
Apparently Analagous Threads
- [PATCH libnbd 0/3] Prevent some misuse of multi-conn.
- [PATCH libnbd 1/3] states: Factor out common code for setting export size and eflags.
- Re: [PATCH libnbd v2 1/6] api: Synchronous connect waits til all connections are connected.
- [PATCH libnbd v2 0/6] Test connection states.
- [libnbd PATCH v2 5/5] states: Add DF flag support for pread