From: Eric Blake <eblake@redhat.com>
To: Maxim Levitsky <mlevitsk@redhat.com>, qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
vsementsov@virtuozzo.com, qemu-block@nongnu.org,
Max Reitz <mreitz@redhat.com>
Subject: Re: [PATCH v3 1/4] nbd/server: Prefer heap over stack for parsing client names
Date: Thu, 14 Nov 2019 07:33:29 -0600
Message-ID: <4fe7cc9a-f798-de4c-2480-b2b29d319072@redhat.com>
In-Reply-To: <afcf9e178e7fa28b495756020c0b9bbf189d67b8.camel@redhat.com>
On 11/14/19 4:04 AM, Maxim Levitsky wrote:
> On Wed, 2019-11-13 at 20:46 -0600, Eric Blake wrote:
>> As long as we limit NBD names to 256 bytes (the bare minimum permitted
>> by the standard), stack-allocation works for parsing a name received
>> from the client. But as mentioned in a comment, we eventually want to
>> permit up to the 4k maximum of the NBD standard, which is too large
>> for stack allocation; so switch everything in the server to use heap
>> allocation. For now, there is no change in actually supported name
>> length.
>
> I am just curious, why is this so?
> I know that kernel uses 8K stacks due to historical limitation
> of 1:1 physical memory mapping which creates fragmentation,
> but in the userspace stacks shouldn't really be limited and grow on demand.
Actually, 4k rather than 8k stack overflow guard pages are typical on
some OS. The problem with stack-allocating anything larger than the
guard page size is that you can end up overshooting the guard page, and
then the OS is unable to catch stack overflow in the normal manner of
sending SIGSEGV. Also, when using coroutines, it is very common to have
limited stack size in the first place, where large stack allocations can
run into issues. So in general, it's a good rule of thumb to never
stack-allocate something if it can be larger than 4k.
> Some gcc security option limits this?
Not by default, but you can compile with -Wframe-larger-than=4096 (or
even smaller) to catch instances where stack allocation is likely to run
into trouble.
>> @@ -427,7 +431,7 @@ static void nbd_check_meta_export(NBDClient *client)
>> static int nbd_negotiate_handle_export_name(NBDClient *client, bool no_zeroes,
>> Error **errp)
>> {
>> - char name[NBD_MAX_NAME_SIZE + 1];
>> + g_autofree char *name;
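Review bot: `g_autofree char *name;` in nbd_negotiate_handle_export_name is declared without an initializer, so any error return taken before `name` is assigned hands an indeterminate pointer to g_free() during automatic cleanup. Suggest `g_autofree char *name = NULL;` so every early exit path frees NULL instead of garbage.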
>
> That is what patchew complained about I think.
Yes, and I've already fixed the missing initializer.
>
> Isn't it wonderful how g_autofree fixes one issue
> and introduces another. I mean 'name' isn't really
> used here prior to allocation according to plain C,
> but due to g_autofree, it can be now on any error
> path. Nothing against g_autofree though, just noting this.
Yes, and our documentation for g_auto* reminds that all such variables
with automatic cleanup must have an initializer or be set prior to any
exit path. I think I see why I didn't catch it beforehand - I'm
compiling with --enable-debug, which passes CFLAGS=-g, while the
compiler warning occurs when -O2 is in effect; but it is rather annoying
that gcc doesn't catch the bug when not optimizing.
>
> Looks correct, but I might have missed something.
>
> Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
>
Thanks, and assuming that's with my initializer fix squashed in.
> Best regards,
> Maxim Levitsky
>
>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
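The pattern discussed in this thread (heap allocation for a client-supplied name, plus an automatic-cleanup pointer that must be initialized before any early return) as an added example that is not QEMU's code: the `autofree` macro is a plain-C stand-in for glib's g_autofree, and the length-prefixed framing and the names `parse_client_name` and `name_parses_to` are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NBD_MAX_NAME_SIZE 256   /* the 256-byte limit the patch keeps for now */

/* Plain-C stand-in for glib's g_autofree: free the pointer at scope exit. */
static void autofree_cleanup(char **p) { free(*p); }
#define autofree __attribute__((cleanup(autofree_cleanup)))

/* Parse a big-endian u32 length followed by that many name bytes (constructed
 * framing, not QEMU's wire format). On success stores a heap-allocated,
 * NUL-terminated copy in *out (caller frees) and returns 0; else returns -1. */
int parse_client_name(const uint8_t *buf, size_t buflen, size_t limit, char **out)
{
    /* "= NULL" is essential: every early return below runs the cleanup handler,
     * and free() on an uninitialized pointer is the bug the thread discusses. */
    autofree char *name = NULL;
    uint32_t len;

    *out = NULL;
    if (buflen < 4) {
        return -1;                         /* cleanup frees NULL: harmless */
    }
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | buf[3];
    if (len > limit || len > buflen - 4) {
        return -1;                         /* oversize or truncated: reject first */
    }
    name = malloc(len + 1);                /* heap, not stack: may be up to 4k */
    if (!name) {
        return -1;
    }
    memcpy(name, buf + 4, len);
    name[len] = '\0';
    *out = name;
    name = NULL;                           /* ownership moved to caller */
    return 0;
}

/* Returns 1 if buf parses to exactly `expect`, 0 if the parser rejects it. */
int name_parses_to(const char *buf, size_t buflen, const char *expect)
{
    char *out;
    int rc = parse_client_name((const uint8_t *)buf, buflen, NBD_MAX_NAME_SIZE, &out);
    int ok = (rc == 0) && strcmp(out, expect) == 0;
    free(out);                             /* out is NULL on rejection */
    return ok;
}
```

Building the stack-array version of the same parser with `-Wframe-larger-than=4096` is the check Eric mentions for catching oversized stack allocations.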
Thread overview: 21+ messages
2019-11-14 2:46 [PATCH v3 for-4.2 0/4] Better NBD string length handling Eric Blake
2019-11-14 2:46 ` [PATCH v3 1/4] nbd/server: Prefer heap over stack for parsing client names Eric Blake
2019-11-14 2:59 ` Eric Blake
2019-11-14 10:04 ` Maxim Levitsky
2019-11-14 13:33 ` Eric Blake [this message]
2019-11-15 15:15 ` Maxim Levitsky
2019-11-15 14:59 ` Vladimir Sementsov-Ogievskiy
2019-11-14 2:46 ` [PATCH v3 2/4] bitmap: Enforce maximum bitmap name length Eric Blake
2019-11-14 10:04 ` Maxim Levitsky
2019-11-15 15:04 ` Vladimir Sementsov-Ogievskiy
2019-11-15 15:47 ` Vladimir Sementsov-Ogievskiy
2019-11-15 16:33 ` Eric Blake
2019-11-15 17:09 ` Vladimir Sementsov-Ogievskiy
2019-11-14 2:46 ` [PATCH v3 3/4] nbd: Don't send oversize strings Eric Blake
2019-11-14 10:04 ` Maxim Levitsky
2019-11-15 17:08 ` Vladimir Sementsov-Ogievskiy
2019-11-15 21:30 ` Eric Blake
2019-11-14 2:46 ` [PATCH v3 for-5.0 4/4] nbd: Allow description when creating NBD blockdev Eric Blake
2019-11-14 2:57 ` [PATCH v3 for-4.2 0/4] Better NBD string length handling no-reply
2019-11-14 3:00 ` no-reply
2019-11-14 3:04 ` Eric Blake