Peter Xu <pet...@redhat.com> writes:
> There are many error_report()s that can be used in frequently called
> functions, especially on IO paths. That can be unideal in that
> malicious guest can try to trigger the error tons of time which might
> use up the log space on the host (e.g., libvirt can capture the stderr
> of QEMU and put it persistently onto disk). In VT-d emulation code, we
> have trace_vtd_error() tracer. AFAIU all those places can be replaced
> by something like error_report() but trace points are mostly used to
> avoid the DDOS attack that mentioned above. However using trace points
> mean that errors are not dumped if trace not enabled.
>
> It's not a big deal in most modern server managements since we have
> things like logrotate to maintain the logs and make sure the quota is
> expected. However it'll still be nice that we just provide another way
> to restrict message generations. In most cases, this kind of
> error_report()s will only provide valid information on the first message
> sent, and all the rest of similar messages will be mostly talking about
> the same thing. This patch introduces *_report_once() helpers to allow
> a message to be dumped only once during one QEMU process's life cycle.
> It will make sure: (1) it's on by deffault, so we can even get something
default
> without turning the trace on and reproducing, and (2) it won't be
> affected by DDOS attack.
>
> To implement it, I stole the printk_once() macro from Linux.
>
> CC: Eric Blake <ebl...@redhat.com>
> CC: Markus Armbruster <arm...@redhat.com>
> Signed-off-by: Peter Xu <pet...@redhat.com>
> ---
> include/qemu/error-report.h | 32 ++++++++++++++++++++++++++++++++
> 1 file changed, 32 insertions(+)
>
> diff --git a/include/qemu/error-report.h b/include/qemu/error-report.h
> index e1c8ae1a52..c7ec54cb97 100644
> --- a/include/qemu/error-report.h
> +++ b/include/qemu/error-report.h
> @@ -44,6 +44,38 @@ void error_report(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
> void warn_report(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
> void info_report(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
>
> +/*
> + * Similar to error_report(), but it only prints the message once. It
> + * returns true when it prints the first time, otherwise false.
I like to start function contracts with a single line stating the
function's purpose, and I prefer imperative mood, like this:
* Similar to error_report(), but it only prints the message once.
* Return true when it prints, false otherwise.
> + */
> +#define error_report_once(fmt, ...) \
> + ({ \
> + static bool print_once_; \
> + bool ret_print_once_ = !print_once_; \
> + \
> + if (!print_once_) { \
> + print_once_ = true; \
> + error_report(fmt, ##__VA_ARGS__); \
> + } \
> + unlikely(ret_print_once_); \
> + })
Please align the backslashes, say with emacs command c-backslash-region,
bound to C-c C-\.
> +
> +/*
> + * Similar to warn_report(), but it only prints the message once. It
> + * returns true when it prints the first time, otherwise false.
> + */
> +#define warn_report_once(fmt, ...) \
> + ({ \
> + static bool print_once_; \
> + bool ret_print_once_ = !print_once_; \
> + \
> + if (!print_once_) { \
> + print_once_ = true; \
> + warn_report(fmt, ##__VA_ARGS__); \
> + } \
> + unlikely(ret_print_once_); \
> + })
Likewise.
> +
> const char *error_get_progname(void);
> extern bool enable_timestamp_msg;
With these nits addressed:
Reviewed-by: Markus Armbruster <arm...@redhat.com>
I can touch them up when I apply.
