From: Paolo Bonzini <pbonzini@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: Wenxiang Qian <leonwxqian@gmail.com>,
John Snow <jsnow@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Date: Tue, 1 Dec 2020 16:30:21 +0100 [thread overview]
Message-ID: <a964ffea-ece6-3f33-3dd1-ee9c2b729b75@redhat.com> (raw)
In-Reply-To: <933np1s-8p4p-o74p-rp94-517r98nop2o6@erqung.pbz>
On 01/12/20 16:00, P J P wrote:
> * I was thinking about checking 'elementary_transfer_size' against
> 'byte_count_limit', but that did not work out. The loop is confusing there,
> it first sets elementary_size = size and subtracts the same
Yes, that part is correct.
> * 's->lba == -1' did not strike me as wrong, because code explicitly checks it
> and gets past it. It does not flag an error when 's->lba == -1'.
The command spec only matters to some extent (it matters more in writing
a fix than in understanding the bug).
The questions to ask yourself after reading the code are:
1) ide_atapi_cmd_reply_end does contain an attempt at resetting an
out-of-bounds io_buffer_index to 0. Why is the reproducer bypassing it?
The answer must be because s->lba == -1.
2) what it means for ide_atapi_cmd_reply_end treats s->lba == -1
differently. The answer is that s->lba == -1 means the command is not a
read (according to the code) but in this case you get there with a read.
> * I tested the patch with a reproducer and it helped to fix the crash.
Yes, but fixing the crash is not enough. You need to ensure that the
code makes sense. You need to distinguish between violated
preconditions and the consequences of those violations. Once a
precondition is violated, all bets are off on what happens in the code
below it. So if you don't catch the violated precondition at the
_first_ place where it can happen, you can have other issues elsewhere.
So again the question to ask is, how do you get s->lba == -1 in read
context? Where did things go wrong? Are there other read paths that
can set s->lba == -1? This is where reading the spec (as opposed to the
code) starts to be important.
> * My doubt about the patch was that it prematurely ends the while loop ie.
> before s->packet_transfer_size reaches zero(0), there may be possible data
> loss.
Right, catching the problem above means that you can just raise an ATAPI
command error.
> | 3) We also need to ensure that the bug will not happen again. Did you get a
> | reproducer from the reporter? If not, how did you trust the report to be
> | correct? If so, did you try to include it in the QEMU qtest testsuite?
>
> * I did test it against a reproducer, but did not get to the qtest part for
> the time constraints.
qtests are not just helpful. Adding regression tests for bugs is a
*basic* software engineering principle. If you don't have time to write
tests, you (or your organization) should find it.
But even if you don't write tests you need at least to enclose the
reproducer, otherwise you're posting a puzzle not a patch. :)
Paolo
next prev parent reply other threads:[~2020-12-01 15:32 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-18 14:27 [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end P J P
2020-11-27 13:57 ` P J P
2020-12-01 11:51 ` Paolo Bonzini
2020-12-01 15:00 ` P J P
2020-12-01 15:23 ` Philippe Mathieu-Daudé
2020-12-01 15:30 ` Peter Maydell
2020-12-01 15:42 ` Paolo Bonzini
2020-12-01 15:30 ` Paolo Bonzini
2020-12-01 15:30 ` Paolo Bonzini [this message]
2020-12-02 7:07 ` Markus Armbruster
2020-12-02 13:17 ` P J P
2020-12-02 13:33 ` Paolo Bonzini
2020-12-02 13:36 ` Philippe Mathieu-Daudé
2020-12-03 9:48 ` P J P
2020-12-11 8:23 ` Wenxiang Qian
2020-12-11 8:32 ` Wenxiang Qian
2020-12-11 11:46 ` Paolo Bonzini
2020-12-11 11:45 ` Paolo Bonzini
2020-12-11 14:16 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a964ffea-ece6-3f33-3dd1-ee9c2b729b75@redhat.com \
--to=pbonzini@redhat.com \
--cc=jsnow@redhat.com \
--cc=leonwxqian@gmail.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.