The following changes since commit eda1df0345f5a1e337e30367124dcb0e802bdfde: Merge remote-tracking branch 'remotes/armbru/tags/pull-pflash-2019-03-11' into staging (2019-03-12 11:12:36 +0000) are available in the Git repository at: git://repo.or.cz/qemu/kevin.git tags/for-upstream for you to fetch changes up to c31dfeb02a1d155bdb961edeb61a137a589c174b: qemu-iotests: Test the x-blockdev-reopen QMP command (2019-03-12 17:58:37 +0100) ---------------------------------------------------------------- Block layer patches: - file-posix: Make auto-read-only dynamic - Add x-blockdev-reopen QMP command - Finalize block-latency-histogram QMP command - gluster: Build fixes for newer lib version ---------------------------------------------------------------- Alberto Garcia (13): block: Allow freezing BdrvChild links block: Freeze the backing chain for the duration of the commit job block: Freeze the backing chain for the duration of the mirror job block: Freeze the backing chain for the duration of the stream job block: Add 'keep_old_opts' parameter to bdrv_reopen_queue() block: Handle child references in bdrv_reopen_queue() block: Allow omitting the 'backing' option in certain cases block: Allow changing the backing file on reopen block: Add a 'mutable_opts' field to BlockDriver block: Add bdrv_reset_options_allowed() block: Remove the AioContext parameter from bdrv_reopen_multiple() block: Add an 'x-blockdev-reopen' QMP command qemu-iotests: Test the x-blockdev-reopen QMP command Keith Busch (1): nvme: fix write zeroes offset and count Kevin Wolf (10): tests/virtio-blk-test: Disable auto-read-only qemu-iotests: commit to backing file with auto-read-only block: Avoid useless local_err block: Make permission changes in reopen less wrong file-posix: Fix bdrv_open_flags() for snapshot=on file-posix: Factor out raw_reconfigure_getfd() file-posix: Store BDRVRawState.reopen_state during reopen file-posix: Lock new fd in raw_reopen_prepare() file-posix: Prepare permission code for fd switching file-posix: Make auto-read-only dynamic Niels de Vos (1): gluster: the glfs_io_cbk callback function pointer adds pre/post stat args Prasanna Kumar Kalever (1): gluster: Handle changed glfs_ftruncate signature Vladimir Sementsov-Ogievskiy (2): qapi: move to QOM path for x-block-latency-histogram-set qapi: drop x- from x-block-latency-histogram-set qapi/block-core.json | 66 ++- configure | 42 ++ include/block/block.h | 13 +- include/block/block_int.h | 14 + block.c | 440 +++++++++++++++++-- block/commit.c | 16 + block/file-posix.c | 254 ++++++++--- block/gluster.c | 10 +- block/mirror.c | 8 + block/qapi.c | 12 +- block/qcow2.c | 25 ++ block/raw-format.c | 3 + block/replication.c | 7 +- block/stream.c | 21 + blockdev.c | 61 ++- hw/block/nvme.c | 6 +- qemu-io-cmds.c | 4 +- tests/virtio-blk-test.c | 2 +- tests/qemu-iotests/051 | 7 + tests/qemu-iotests/051.out | 9 + tests/qemu-iotests/051.pc.out | 9 + tests/qemu-iotests/232 | 31 ++ tests/qemu-iotests/232.out | 32 +- tests/qemu-iotests/245 | 991 ++++++++++++++++++++++++++++++++++++++++++ tests/qemu-iotests/245.out | 5 + tests/qemu-iotests/group | 1 + 26 files changed, 1929 insertions(+), 160 deletions(-) create mode 100644 tests/qemu-iotests/245 create mode 100644 tests/qemu-iotests/245.out From: Prasanna Kumar Kalever <prasanna.kalever@redhat.com> New versions of Glusters libgfapi.so have an updated glfs_ftruncate() function that returns additional 'struct stat' structures to enable advanced caching of attributes. This is useful for file servers, not so much for QEMU. Nevertheless, the API has changed and needs to be adopted. Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com> Signed-off-by: Niels de Vos <ndevos@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- configure | 18 ++++++++++++++++++ block/gluster.c | 4 ++++ 2 files changed, 22 insertions(+) diff --git a/configure b/configure index XXXXXXX..XXXXXXX 100755 --- a/configure +++ b/configure @@ -XXX,XX +XXX,XX @@ glusterfs_xlator_opt="no" glusterfs_discard="no" glusterfs_fallocate="no" glusterfs_zerofill="no" +glusterfs_ftruncate_has_stat="no" gtk="" gtk_gl="no" tls_priority="NORMAL" @@ -XXX,XX +XXX,XX @@ if test "$glusterfs" != "no" ; then glusterfs_fallocate="yes" glusterfs_zerofill="yes" fi + cat > $TMPC << EOF +#include <glusterfs/api/glfs.h> + +int +main(void) +{ + /* new glfs_ftruncate() passes two additional args */ + return glfs_ftruncate(NULL, 0, NULL, NULL); +} +EOF + if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then + glusterfs_ftruncate_has_stat="yes" + fi else if test "$glusterfs" = "yes" ; then feature_not_found "GlusterFS backend support" \ @@ -XXX,XX +XXX,XX @@ if test "$glusterfs_zerofill" = "yes" ; then echo "CONFIG_GLUSTERFS_ZEROFILL=y" >> $config_host_mak fi +if test "$glusterfs_ftruncate_has_stat" = "yes" ; then + echo "CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT=y" >> $config_host_mak +fi + if test "$libssh2" = "yes" ; then echo "CONFIG_LIBSSH2=m" >> $config_host_mak echo "LIBSSH2_CFLAGS=$libssh2_cflags" >> $config_host_mak diff --git a/block/gluster.c b/block/gluster.c index XXXXXXX..XXXXXXX 100644 --- a/block/gluster.c +++ b/block/gluster.c @@ -XXX,XX +XXX,XX @@ #include "qemu/option.h" #include "qemu/cutils.h" +#ifdef CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT +# define glfs_ftruncate(fd, offset) glfs_ftruncate(fd, offset, NULL, NULL) +#endif + #define GLUSTER_OPT_FILENAME "filename" #define GLUSTER_OPT_VOLUME "volume" #define GLUSTER_OPT_PATH "path" -- 2.20.1 From: Niels de Vos <ndevos@redhat.com> The glfs_*_async() functions do a callback once finished. This callback has changed its arguments, pre- and post-stat structures have been added. This makes it possible to improve caching, which is useful for Samba and NFS-Ganesha, but not so much for QEMU. Gluster 6 is the first release that includes these new arguments. With an additional detection in ./configure, the new arguments can conditionally get included in the glfs_io_cbk handler. Signed-off-by: Niels de Vos <ndevos@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- configure | 24 ++++++++++++++++++++++++ block/gluster.c | 6 +++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/configure b/configure index XXXXXXX..XXXXXXX 100755 --- a/configure +++ b/configure @@ -XXX,XX +XXX,XX @@ glusterfs_discard="no" glusterfs_fallocate="no" glusterfs_zerofill="no" glusterfs_ftruncate_has_stat="no" +glusterfs_iocb_has_stat="no" gtk="" gtk_gl="no" tls_priority="NORMAL" @@ -XXX,XX +XXX,XX @@ EOF if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then glusterfs_ftruncate_has_stat="yes" fi + cat > $TMPC << EOF +#include <glusterfs/api/glfs.h> + +/* new glfs_io_cbk() passes two additional glfs_stat structs */ +static void +glusterfs_iocb(glfs_fd_t *fd, ssize_t ret, struct glfs_stat *prestat, struct glfs_stat *poststat, void *data) +{} + +int +main(void) +{ + glfs_io_cbk iocb = &glusterfs_iocb; + iocb(NULL, 0 , NULL, NULL, NULL); + return 0; +} +EOF + if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then + glusterfs_iocb_has_stat="yes" + fi else if test "$glusterfs" = "yes" ; then feature_not_found "GlusterFS backend support" \ @@ -XXX,XX +XXX,XX @@ if test "$glusterfs_ftruncate_has_stat" = "yes" ; then echo "CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT=y" >> $config_host_mak fi +if test "$glusterfs_iocb_has_stat" = "yes" ; then + echo "CONFIG_GLUSTERFS_IOCB_HAS_STAT=y" >> $config_host_mak +fi + if test "$libssh2" = "yes" ; then echo "CONFIG_LIBSSH2=m" >> $config_host_mak echo "LIBSSH2_CFLAGS=$libssh2_cflags" >> $config_host_mak diff --git a/block/gluster.c b/block/gluster.c index XXXXXXX..XXXXXXX 100644 --- a/block/gluster.c +++ b/block/gluster.c @@ -XXX,XX +XXX,XX @@ static struct glfs *qemu_gluster_init(BlockdevOptionsGluster *gconf, /* * AIO callback routine called from GlusterFS thread. */ -static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg) +static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, +#ifdef CONFIG_GLUSTERFS_IOCB_HAS_STAT + struct glfs_stat *pre, struct glfs_stat *post, +#endif + void *arg) { GlusterAIOCB *acb = (GlusterAIOCB *)arg; -- 2.20.1 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- qapi/block-core.json | 4 ++-- blockdev.c | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/qapi/block-core.json b/qapi/block-core.json index XXXXXXX..XXXXXXX 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -XXX,XX +XXX,XX @@ # If only @device parameter is specified, remove all present latency histograms # for the device. Otherwise, add/reset some of (or all) latency histograms. # -# @device: device name to set latency histogram for. +# @id: The name or QOM path of the guest device. # # @boundaries: list of interval boundary values (see description in # BlockLatencyHistogramInfo definition). If specified, all @@ -XXX,XX +XXX,XX @@ # <- { "return": {} } ## { 'command': 'x-block-latency-histogram-set', - 'data': {'device': 'str', + 'data': {'id': 'str', '*boundaries': ['uint64'], '*boundaries-read': ['uint64'], '*boundaries-write': ['uint64'], diff --git a/blockdev.c b/blockdev.c index XXXXXXX..XXXXXXX 100644 --- a/blockdev.c +++ b/blockdev.c @@ -XXX,XX +XXX,XX @@ void qmp_x_blockdev_set_iothread(const char *node_name, StrOrNull *iothread, } void qmp_x_block_latency_histogram_set( - const char *device, + const char *id, bool has_boundaries, uint64List *boundaries, bool has_boundaries_read, uint64List *boundaries_read, bool has_boundaries_write, uint64List *boundaries_write, bool has_boundaries_flush, uint64List *boundaries_flush, Error **errp) { - BlockBackend *blk = blk_by_name(device); + BlockBackend *blk = qmp_get_blk(NULL, id, errp); BlockAcctStats *stats; int ret; if (!blk) { - error_setg(errp, "Device '%s' not found", device); return; } + stats = blk_get_stats(blk); if (!has_boundaries && !has_boundaries_read && !has_boundaries_write && @@ -XXX,XX +XXX,XX @@ void qmp_x_block_latency_histogram_set( stats, BLOCK_ACCT_READ, has_boundaries_read ? boundaries_read : boundaries); if (ret) { - error_setg(errp, "Device '%s' set read boundaries fail", device); + error_setg(errp, "Device '%s' set read boundaries fail", id); return; } } @@ -XXX,XX +XXX,XX @@ void qmp_x_block_latency_histogram_set( stats, BLOCK_ACCT_WRITE, has_boundaries_write ? boundaries_write : boundaries); if (ret) { - error_setg(errp, "Device '%s' set write boundaries fail", device); + error_setg(errp, "Device '%s' set write boundaries fail", id); return; } } @@ -XXX,XX +XXX,XX @@ void qmp_x_block_latency_histogram_set( stats, BLOCK_ACCT_FLUSH, has_boundaries_flush ? boundaries_flush : boundaries); if (ret) { - error_setg(errp, "Device '%s' set flush boundaries fail", device); + error_setg(errp, "Device '%s' set flush boundaries fail", id); return; } } -- 2.20.1 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Drop x- and x_ prefixes for latency histograms and update version to 3.1 Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- qapi/block-core.json | 20 ++++++++++---------- block/qapi.c | 12 ++++++------ blockdev.c | 2 +- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/qapi/block-core.json b/qapi/block-core.json index XXXXXXX..XXXXXXX 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -XXX,XX +XXX,XX @@ # +------------------ # 10 50 100 # -# Since: 2.12 +# Since: 4.0 ## { 'struct': 'BlockLatencyHistogramInfo', 'data': {'boundaries': ['uint64'], 'bins': ['uint64'] } } ## -# @x-block-latency-histogram-set: +# @block-latency-histogram-set: # # Manage read, write and flush latency histograms for the device. # @@ -XXX,XX +XXX,XX @@ # # Returns: error if device is not found or any boundary arrays are invalid. # -# Since: 2.12 +# Since: 4.0 # # Example: set new histograms for all io types with intervals # [0, 10), [10, 50), [50, 100), [100, +inf): @@ -XXX,XX +XXX,XX @@ # "arguments": { "device": "drive0" } } # <- { "return": {} } ## -{ 'command': 'x-block-latency-histogram-set', +{ 'command': 'block-latency-histogram-set', 'data': {'id': 'str', '*boundaries': ['uint64'], '*boundaries-read': ['uint64'], @@ -XXX,XX +XXX,XX @@ # @timed_stats: Statistics specific to the set of previously defined # intervals of time (Since 2.5) # -# @x_rd_latency_histogram: @BlockLatencyHistogramInfo. (Since 2.12) +# @rd_latency_histogram: @BlockLatencyHistogramInfo. (Since 4.0) # -# @x_wr_latency_histogram: @BlockLatencyHistogramInfo. (Since 2.12) +# @wr_latency_histogram: @BlockLatencyHistogramInfo. (Since 4.0) # -# @x_flush_latency_histogram: @BlockLatencyHistogramInfo. (Since 2.12) +# @flush_latency_histogram: @BlockLatencyHistogramInfo. (Since 4.0) # # Since: 0.14.0 ## @@ -XXX,XX +XXX,XX @@ 'invalid_wr_operations': 'int', 'invalid_flush_operations': 'int', 'account_invalid': 'bool', 'account_failed': 'bool', 'timed_stats': ['BlockDeviceTimedStats'], - '*x_rd_latency_histogram': 'BlockLatencyHistogramInfo', - '*x_wr_latency_histogram': 'BlockLatencyHistogramInfo', - '*x_flush_latency_histogram': 'BlockLatencyHistogramInfo' } } + '*rd_latency_histogram': 'BlockLatencyHistogramInfo', + '*wr_latency_histogram': 'BlockLatencyHistogramInfo', + '*flush_latency_histogram': 'BlockLatencyHistogramInfo' } } ## # @BlockStats: diff --git a/block/qapi.c b/block/qapi.c index XXXXXXX..XXXXXXX 100644 --- a/block/qapi.c +++ b/block/qapi.c @@ -XXX,XX +XXX,XX @@ static void bdrv_query_blk_stats(BlockDeviceStats *ds, BlockBackend *blk) } bdrv_latency_histogram_stats(&stats->latency_histogram[BLOCK_ACCT_READ], - &ds->has_x_rd_latency_histogram, - &ds->x_rd_latency_histogram); + &ds->has_rd_latency_histogram, + &ds->rd_latency_histogram); bdrv_latency_histogram_stats(&stats->latency_histogram[BLOCK_ACCT_WRITE], - &ds->has_x_wr_latency_histogram, - &ds->x_wr_latency_histogram); + &ds->has_wr_latency_histogram, + &ds->wr_latency_histogram); bdrv_latency_histogram_stats(&stats->latency_histogram[BLOCK_ACCT_FLUSH], - &ds->has_x_flush_latency_histogram, - &ds->x_flush_latency_histogram); + &ds->has_flush_latency_histogram, + &ds->flush_latency_histogram); } static BlockStats *bdrv_query_bds_stats(BlockDriverState *bs, diff --git a/blockdev.c b/blockdev.c index XXXXXXX..XXXXXXX 100644 --- a/blockdev.c +++ b/blockdev.c @@ -XXX,XX +XXX,XX @@ void qmp_x_blockdev_set_iothread(const char *node_name, StrOrNull *iothread, aio_context_release(old_context); } -void qmp_x_block_latency_histogram_set( +void qmp_block_latency_histogram_set( const char *id, bool has_boundaries, uint64List *boundaries, bool has_boundaries_read, uint64List *boundaries_read, -- 2.20.1 tests/virtio-blk-test uses a temporary image file that it deletes while QEMU is still running, so it can't be reopened when writers are attached or detached. Disable auto-read-only to keep it always writable. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> --- tests/virtio-blk-test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/virtio-blk-test.c b/tests/virtio-blk-test.c index XXXXXXX..XXXXXXX 100644 --- a/tests/virtio-blk-test.c +++ b/tests/virtio-blk-test.c @@ -XXX,XX +XXX,XX @@ static void *virtio_blk_test_setup(GString *cmd_line, void *arg) char *tmp_path = drive_create(); g_string_append_printf(cmd_line, - " -drive if=none,id=drive0,file=%s,format=raw " + " -drive if=none,id=drive0,file=%s,format=raw,auto-read-only=off " "-drive if=none,id=drive1,file=null-co://,format=raw ", tmp_path); -- 2.20.1 Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> --- tests/qemu-iotests/232 | 31 +++++++++++++++++++++++++++++++ tests/qemu-iotests/232.out | 20 ++++++++++++++++++++ 2 files changed, 51 insertions(+) diff --git a/tests/qemu-iotests/232 b/tests/qemu-iotests/232 index XXXXXXX..XXXXXXX 100755 --- a/tests/qemu-iotests/232 +++ b/tests/qemu-iotests/232 @@ -XXX,XX +XXX,XX @@ status=1 # failure is the default! _cleanup() { _cleanup_test_img + rm -f $TEST_IMG.[01234] } trap "_cleanup; exit \$status" 0 1 2 3 15 @@ -XXX,XX +XXX,XX @@ run_qemu_info_block -blockdev driver=file,filename="$TEST_IMG",node-name=node0,a run_qemu_info_block -blockdev driver=file,filename="$TEST_IMG",node-name=node0,auto-read-only=on run_qemu_info_block -blockdev driver=file,filename="$TEST_IMG",node-name=node0 +echo +echo "=== Try commit to backing file with auto-read-only ===" +echo + +TEST_IMG="$TEST_IMG.0" _make_test_img $size +TEST_IMG="$TEST_IMG.1" _make_test_img $size +TEST_IMG="$TEST_IMG.2" _make_test_img $size +TEST_IMG="$TEST_IMG.3" _make_test_img $size +TEST_IMG="$TEST_IMG.4" _make_test_img $size + +(cat <<EOF +{"execute":"qmp_capabilities"} +{"execute":"block-commit", + "arguments":{"device":"format-4", "top-node": "format-2", "base-node":"format-0", "job-id":"job0"}} +EOF +sleep 1 +echo '{"execute":"quit"}' +) | $QEMU -qmp stdio -nographic -nodefaults \ + -blockdev file,node-name=file-0,filename=$TEST_IMG.0,auto-read-only=on \ + -blockdev qcow2,node-name=format-0,file=file-0,read-only=on \ + -blockdev file,node-name=file-1,filename=$TEST_IMG.1,auto-read-only=on \ + -blockdev qcow2,node-name=format-1,file=file-1,read-only=on,backing=format-0 \ + -blockdev file,node-name=file-2,filename=$TEST_IMG.2,auto-read-only=on \ + -blockdev qcow2,node-name=format-2,file=file-2,read-only=on,backing=format-1 \ + -blockdev file,node-name=file-3,filename=$TEST_IMG.3,auto-read-only=on \ + -blockdev qcow2,node-name=format-3,file=file-3,read-only=on,backing=format-2 \ + -blockdev file,node-name=file-4,filename=$TEST_IMG.4,auto-read-only=on \ + -blockdev qcow2,node-name=format-4,file=file-4,read-only=on,backing=format-3 | + _filter_qmp + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/232.out b/tests/qemu-iotests/232.out index XXXXXXX..XXXXXXX 100644 --- a/tests/qemu-iotests/232.out +++ b/tests/qemu-iotests/232.out @@ -XXX,XX +XXX,XX @@ QEMU_PROG: -blockdev driver=file,filename=TEST_DIR/t.IMGFMT,node-name=node0,read QEMU_PROG: -blockdev driver=file,filename=TEST_DIR/t.IMGFMT,node-name=node0,auto-read-only=off: Could not open 'TEST_DIR/t.IMGFMT': Permission denied node0: TEST_DIR/t.IMGFMT (file, read-only) QEMU_PROG: -blockdev driver=file,filename=TEST_DIR/t.IMGFMT,node-name=node0: Could not open 'TEST_DIR/t.IMGFMT': Permission denied + +=== Try commit to backing file with auto-read-only === + +Formatting 'TEST_DIR/t.IMGFMT.0', fmt=IMGFMT size=134217728 +Formatting 'TEST_DIR/t.IMGFMT.1', fmt=IMGFMT size=134217728 +Formatting 'TEST_DIR/t.IMGFMT.2', fmt=IMGFMT size=134217728 +Formatting 'TEST_DIR/t.IMGFMT.3', fmt=IMGFMT size=134217728 +Formatting 'TEST_DIR/t.IMGFMT.4', fmt=IMGFMT size=134217728 +QMP_VERSION +{"return": {}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "job0"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "job0"}} +{"return": {}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "waiting", "id": "job0"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "pending", "id": "job0"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "BLOCK_JOB_COMPLETED", "data": {"device": "job0", "len": 134217728, "offset": 134217728, "speed": 0, "type": "commit"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "job0"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "job0"}} +{"return": {}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}} *** done -- 2.20.1 Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Eric Blake <eblake@redhat.com> --- block.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_multiple(AioContext *ctx, BlockReopenQueue *bs_queue, Error **er { int ret = -1; BlockReopenQueueEntry *bs_entry, *next; - Error *local_err = NULL; assert(bs_queue != NULL); QSIMPLEQ_FOREACH(bs_entry, bs_queue, entry) { assert(bs_entry->state.bs->quiesce_counter > 0); - if (bdrv_reopen_prepare(&bs_entry->state, bs_queue, &local_err)) { - error_propagate(errp, local_err); + if (bdrv_reopen_prepare(&bs_entry->state, bs_queue, errp)) { goto cleanup; } bs_entry->prepared = true; -- 2.20.1 The way that reopen interacts with permission changes has one big problem: Both operations are recursive, and the permissions are changes for each node in the reopen queue. For a simple graph that consists just of parent and child, .bdrv_check_perm will be called twice for the child, once recursively when adjusting the permissions of parent, and once again when the child itself is reopened. Even worse, the first .bdrv_check_perm call happens before .bdrv_reopen_prepare was called for the child and the second one is called afterwards. Making sure that .bdrv_check_perm (and the other permission callbacks) are called only once is hard. We can cope with multiple calls right now, but as soon as file-posix gets a dynamic auto-read-only that may need to open a new file descriptor, we get the additional requirement that all of them are after the .bdrv_reopen_prepare call. So reorder things in bdrv_reopen_multiple() to first call .bdrv_reopen_prepare for all involved nodes and only then adjust permissions. Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared); typedef struct BlockReopenQueueEntry { bool prepared; + bool perms_checked; BDRVReopenState state; QSIMPLEQ_ENTRY(BlockReopenQueueEntry) entry; } BlockReopenQueueEntry; @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_multiple(AioContext *ctx, BlockReopenQueue *bs_queue, Error **er bs_entry->prepared = true; } + QSIMPLEQ_FOREACH(bs_entry, bs_queue, entry) { + BDRVReopenState *state = &bs_entry->state; + ret = bdrv_check_perm(state->bs, bs_queue, state->perm, + state->shared_perm, NULL, errp); + if (ret < 0) { + goto cleanup_perm; + } + bs_entry->perms_checked = true; + } + /* If we reach this point, we have success and just need to apply the * changes */ @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_multiple(AioContext *ctx, BlockReopenQueue *bs_queue, Error **er } ret = 0; +cleanup_perm: + QSIMPLEQ_FOREACH_SAFE(bs_entry, bs_queue, entry, next) { + BDRVReopenState *state = &bs_entry->state; + + if (!bs_entry->perms_checked) { + continue; + } + if (ret == 0) { + bdrv_set_perm(state->bs, state->perm, state->shared_perm); + } else { + bdrv_abort_perm_update(state->bs); + } + } cleanup: QSIMPLEQ_FOREACH_SAFE(bs_entry, bs_queue, entry, next) { if (ret) { @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, } while ((entry = qdict_next(reopen_state->options, entry))); } - ret = bdrv_check_perm(reopen_state->bs, queue, reopen_state->perm, - reopen_state->shared_perm, NULL, errp); - if (ret < 0) { - goto error; - } - ret = 0; /* Restore the original reopen_state->options QDict */ @@ -XXX,XX +XXX,XX @@ void bdrv_reopen_commit(BDRVReopenState *reopen_state) bdrv_refresh_limits(bs, NULL); - bdrv_set_perm(reopen_state->bs, reopen_state->perm, - reopen_state->shared_perm); - new_can_write = !bdrv_is_read_only(bs) && !(bdrv_get_flags(bs) & BDRV_O_INACTIVE); if (!old_can_write && new_can_write && drv->bdrv_reopen_bitmaps_rw) { @@ -XXX,XX +XXX,XX @@ void bdrv_reopen_abort(BDRVReopenState *reopen_state) if (drv->bdrv_reopen_abort) { drv->bdrv_reopen_abort(reopen_state); } - - bdrv_abort_perm_update(reopen_state->bs); } -- 2.20.1 Using a different read-only setting for bs->open_flags than for the flags to the driver's open function is just inconsistent and a bad idea. After this patch, the temporary snapshot keeps being opened read-only if read-only=on,snapshot=on is passed. If we wanted to change this behaviour to make only the orginal image file read-only, but the temporary overlay read-write (as the comment in the removed code suggests), that change would have to be made in bdrv_temp_snapshot_options() (where the comment suggests otherwise). Addressing this inconsistency before introducing dynamic auto-read-only is important because otherwise we would immediately try to reopen the temporary overlay even though the file is already unlinked. Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 7 ------- tests/qemu-iotests/051 | 7 +++++++ tests/qemu-iotests/051.out | 9 +++++++++ tests/qemu-iotests/051.pc.out | 9 +++++++++ 4 files changed, 25 insertions(+), 7 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static int bdrv_open_flags(BlockDriverState *bs, int flags) */ open_flags &= ~(BDRV_O_SNAPSHOT | BDRV_O_NO_BACKING | BDRV_O_PROTOCOL); - /* - * Snapshots should be writable. - */ - if (flags & BDRV_O_TEMPORARY) { - open_flags |= BDRV_O_RDWR; - } - return open_flags; } diff --git a/tests/qemu-iotests/051 b/tests/qemu-iotests/051 index XXXXXXX..XXXXXXX 100755 --- a/tests/qemu-iotests/051 +++ b/tests/qemu-iotests/051 @@ -XXX,XX +XXX,XX @@ $QEMU_IO -c "read -P 0x33 0 4k" "$TEST_IMG" | _filter_qemu_io # Using snapshot=on with a non-existent TMPDIR TMPDIR=/nonexistent run_qemu -drive driver=null-co,snapshot=on +# Using snapshot=on together with read-only=on +echo "info block" | + run_qemu -drive file="$TEST_IMG",snapshot=on,read-only=on,if=none,id=$device_id | + _filter_qemu_io | + sed -e 's#"/[^"]*/vl\.[A-Za-z]\{6\}"#SNAPSHOT_PATH#g' + + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/051.out b/tests/qemu-iotests/051.out index XXXXXXX..XXXXXXX 100644 --- a/tests/qemu-iotests/051.out +++ b/tests/qemu-iotests/051.out @@ -XXX,XX +XXX,XX @@ read 4096/4096 bytes at offset 0 Testing: -drive driver=null-co,snapshot=on QEMU_PROG: -drive driver=null-co,snapshot=on: Could not get temporary filename: No such file or directory +Testing: -drive file=TEST_DIR/t.qcow2,snapshot=on,read-only=on,if=none,id=drive0 +QEMU X.Y.Z monitor - type 'help' for more information +(qemu) info block +drive0 (NODE_NAME): json:{"backing": {"driver": "qcow2", "file": {"driver": "file", "filename": "TEST_DIR/t.qcow2"}}, "driver": "qcow2", "file": {"driver": "file", "filename": SNAPSHOT_PATH}} (qcow2, read-only) + Removable device: not locked, tray closed + Cache mode: writeback, ignore flushes + Backing file: TEST_DIR/t.qcow2 (chain depth: 1) +(qemu) quit + *** done diff --git a/tests/qemu-iotests/051.pc.out b/tests/qemu-iotests/051.pc.out index XXXXXXX..XXXXXXX 100644 --- a/tests/qemu-iotests/051.pc.out +++ b/tests/qemu-iotests/051.pc.out @@ -XXX,XX +XXX,XX @@ read 4096/4096 bytes at offset 0 Testing: -drive driver=null-co,snapshot=on QEMU_PROG: -drive driver=null-co,snapshot=on: Could not get temporary filename: No such file or directory +Testing: -drive file=TEST_DIR/t.qcow2,snapshot=on,read-only=on,if=none,id=drive0 +QEMU X.Y.Z monitor - type 'help' for more information +(qemu) info block +drive0 (NODE_NAME): json:{"backing": {"driver": "qcow2", "file": {"driver": "file", "filename": "TEST_DIR/t.qcow2"}}, "driver": "qcow2", "file": {"driver": "file", "filename": SNAPSHOT_PATH}} (qcow2, read-only) + Removable device: not locked, tray closed + Cache mode: writeback, ignore flushes + Backing file: TEST_DIR/t.qcow2 (chain depth: 1) +(qemu) quit + *** done -- 2.20.1 Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block/file-posix.c | 107 ++++++++++++++++++++++++++------------------- 1 file changed, 62 insertions(+), 45 deletions(-) diff --git a/block/file-posix.c b/block/file-posix.c index XXXXXXX..XXXXXXX 100644 --- a/block/file-posix.c +++ b/block/file-posix.c @@ -XXX,XX +XXX,XX @@ static int raw_handle_perm_lock(BlockDriverState *bs, return ret; } +static int raw_reconfigure_getfd(BlockDriverState *bs, int flags, + int *open_flags, Error **errp) +{ + BDRVRawState *s = bs->opaque; + int fd = -1; + int ret; + int fcntl_flags = O_APPEND | O_NONBLOCK; +#ifdef O_NOATIME + fcntl_flags |= O_NOATIME; +#endif + + *open_flags = 0; + if (s->type == FTYPE_CD) { + *open_flags |= O_NONBLOCK; + } + + raw_parse_flags(flags, open_flags); + +#ifdef O_ASYNC + /* Not all operating systems have O_ASYNC, and those that don't + * will not let us track the state into rs->open_flags (typically + * you achieve the same effect with an ioctl, for example I_SETSIG + * on Solaris). But we do not use O_ASYNC, so that's fine. + */ + assert((s->open_flags & O_ASYNC) == 0); +#endif + + if ((*open_flags & ~fcntl_flags) == (s->open_flags & ~fcntl_flags)) { + /* dup the original fd */ + fd = qemu_dup(s->fd); + if (fd >= 0) { + ret = fcntl_setfl(fd, *open_flags); + if (ret) { + qemu_close(fd); + fd = -1; + } + } + } + + /* If we cannot use fcntl, or fcntl failed, fall back to qemu_open() */ + if (fd == -1) { + const char *normalized_filename = bs->filename; + ret = raw_normalize_devicepath(&normalized_filename, errp); + if (ret >= 0) { + assert(!(*open_flags & O_CREAT)); + fd = qemu_open(normalized_filename, *open_flags); + if (fd == -1) { + error_setg_errno(errp, errno, "Could not reopen file"); + return -1; + } + } + } + + return fd; +} + static int raw_reopen_prepare(BDRVReopenState *state, BlockReopenQueue *queue, Error **errp) { @@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state, state->opaque = g_new0(BDRVRawReopenState, 1); rs = state->opaque; - rs->fd = -1; /* Handle options changes */ opts = qemu_opts_create(&raw_runtime_opts, NULL, 0, &error_abort); @@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state, * bdrv_reopen_prepare() will detect changes and complain. */ qemu_opts_to_qdict(opts, state->options); - if (s->type == FTYPE_CD) { - rs->open_flags |= O_NONBLOCK; - } - - raw_parse_flags(state->flags, &rs->open_flags); - - int fcntl_flags = O_APPEND | O_NONBLOCK; -#ifdef O_NOATIME - fcntl_flags |= O_NOATIME; -#endif - -#ifdef O_ASYNC - /* Not all operating systems have O_ASYNC, and those that don't - * will not let us track the state into rs->open_flags (typically - * you achieve the same effect with an ioctl, for example I_SETSIG - * on Solaris). But we do not use O_ASYNC, so that's fine. - */ - assert((s->open_flags & O_ASYNC) == 0); -#endif - - if ((rs->open_flags & ~fcntl_flags) == (s->open_flags & ~fcntl_flags)) { - /* dup the original fd */ - rs->fd = qemu_dup(s->fd); - if (rs->fd >= 0) { - ret = fcntl_setfl(rs->fd, rs->open_flags); - if (ret) { - qemu_close(rs->fd); - rs->fd = -1; - } - } - } - - /* If we cannot use fcntl, or fcntl failed, fall back to qemu_open() */ - if (rs->fd == -1) { - const char *normalized_filename = state->bs->filename; - ret = raw_normalize_devicepath(&normalized_filename, errp); - if (ret >= 0) { - assert(!(rs->open_flags & O_CREAT)); - rs->fd = qemu_open(normalized_filename, rs->open_flags); - if (rs->fd == -1) { - error_setg_errno(errp, errno, "Could not reopen file"); - ret = -1; - } - } + rs->fd = raw_reconfigure_getfd(state->bs, state->flags, &rs->open_flags, + &local_err); + if (local_err) { + error_propagate(errp, local_err); + ret = -1; + goto out; } /* Fail already reopen_prepare() if we can't get a working O_DIRECT -- 2.20.1 We'll want to access the file descriptor in the reopen_state while processing permission changes in the context of the repoen. Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block/file-posix.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/block/file-posix.c b/block/file-posix.c index XXXXXXX..XXXXXXX 100644 --- a/block/file-posix.c +++ b/block/file-posix.c @@ -XXX,XX +XXX,XX @@ typedef struct BDRVRawState { uint64_t locked_perm; uint64_t locked_shared_perm; + BDRVReopenState *reopen_state; + #ifdef CONFIG_XFS bool is_xfs:1; #endif @@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state, } } + s->reopen_state = state; out: qemu_opts_del(opts); return ret; @@ -XXX,XX +XXX,XX @@ static void raw_reopen_commit(BDRVReopenState *state) g_free(state->opaque); state->opaque = NULL; + + assert(s->reopen_state == state); + s->reopen_state = NULL; } static void raw_reopen_abort(BDRVReopenState *state) { BDRVRawReopenState *rs = state->opaque; + BDRVRawState *s = state->bs->opaque; /* nothing to do if NULL, we didn't get far enough */ if (rs == NULL) { @@ -XXX,XX +XXX,XX @@ static void raw_reopen_abort(BDRVReopenState *state) } g_free(state->opaque); state->opaque = NULL; + + assert(s->reopen_state == state); + s->reopen_state = NULL; } static int hdev_get_max_transfer_length(BlockDriverState *bs, int fd) -- 2.20.1 There is no reason why we can take locks on the new file descriptor only in raw_reopen_commit() where error handling isn't possible any more. Instead, we can already do this in raw_reopen_prepare(). Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block/file-posix.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/block/file-posix.c b/block/file-posix.c index XXXXXXX..XXXXXXX 100644 --- a/block/file-posix.c +++ b/block/file-posix.c @@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state, BDRVRawState *s; BDRVRawReopenState *rs; QemuOpts *opts; - int ret = 0; + int ret; Error *local_err = NULL; assert(state != NULL); @@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state, if (rs->fd != -1) { raw_probe_alignment(state->bs, rs->fd, &local_err); if (local_err) { - qemu_close(rs->fd); - rs->fd = -1; error_propagate(errp, local_err); ret = -EINVAL; + goto out_fd; + } + + /* Copy locks to the new fd */ + ret = raw_apply_lock_bytes(NULL, rs->fd, s->locked_perm, + s->locked_shared_perm, false, errp); + if (ret < 0) { + ret = -EINVAL; + goto out_fd; } } s->reopen_state = state; + ret = 0; +out_fd: + if (ret < 0) { + qemu_close(rs->fd); + rs->fd = -1; + } out: qemu_opts_del(opts); return ret; @@ -XXX,XX +XXX,XX @@ static void raw_reopen_commit(BDRVReopenState *state) { BDRVRawReopenState *rs = state->opaque; BDRVRawState *s = state->bs->opaque; - Error *local_err = NULL; s->check_cache_dropped = rs->check_cache_dropped; s->open_flags = rs->open_flags; - /* Copy locks to the new fd before closing the old one. */ - raw_apply_lock_bytes(NULL, rs->fd, s->locked_perm, - s->locked_shared_perm, false, &local_err); - if (local_err) { - /* shouldn't fail in a sane host, but report it just in case. */ - error_report_err(local_err); - } qemu_close(s->fd); s->fd = rs->fd; -- 2.20.1 In order to be able to dynamically reopen the file read-only or read-write, depending on the users that are attached, we need to be able to switch to a different file descriptor during the permission change. This interacts with reopen, which also creates a new file descriptor and performs permission changes internally. In this case, the permission change code must reuse the reopen file descriptor instead of creating a third one. In turn, reopen can drop its code to copy file locks to the new file descriptor because that is now done when applying the new permissions. Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block/file-posix.c | 96 ++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 85 insertions(+), 11 deletions(-) diff --git a/block/file-posix.c b/block/file-posix.c index XXXXXXX..XXXXXXX 100644 --- a/block/file-posix.c +++ b/block/file-posix.c @@ -XXX,XX +XXX,XX @@ typedef struct BDRVRawState { uint64_t locked_perm; uint64_t locked_shared_perm; + int perm_change_fd; BDRVReopenState *reopen_state; #ifdef CONFIG_XFS @@ -XXX,XX +XXX,XX @@ static int raw_handle_perm_lock(BlockDriverState *bs, } static int raw_reconfigure_getfd(BlockDriverState *bs, int flags, - int *open_flags, Error **errp) + int *open_flags, bool force_dup, + Error **errp) { BDRVRawState *s = bs->opaque; int fd = -1; @@ -XXX,XX +XXX,XX @@ static int raw_reconfigure_getfd(BlockDriverState *bs, int flags, assert((s->open_flags & O_ASYNC) == 0); #endif + if (!force_dup && *open_flags == s->open_flags) { + /* We're lucky, the existing fd is fine */ + return s->fd; + } + if ((*open_flags & ~fcntl_flags) == (s->open_flags & ~fcntl_flags)) { /* dup the original fd */ fd = qemu_dup(s->fd); @@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state, qemu_opts_to_qdict(opts, state->options); rs->fd = raw_reconfigure_getfd(state->bs, state->flags, &rs->open_flags, - &local_err); + true, &local_err); if (local_err) { error_propagate(errp, local_err); ret = -1; @@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state, ret = -EINVAL; goto out_fd; } - - /* Copy locks to the new fd */ - ret = raw_apply_lock_bytes(NULL, rs->fd, s->locked_perm, - s->locked_shared_perm, false, errp); - if (ret < 0) { - ret = -EINVAL; - goto out_fd; - } } s->reopen_state = state; @@ -XXX,XX +XXX,XX @@ static QemuOptsList raw_create_opts = { static int raw_check_perm(BlockDriverState *bs, uint64_t perm, uint64_t shared, Error **errp) { - return raw_handle_perm_lock(bs, RAW_PL_PREPARE, perm, shared, errp); + BDRVRawState *s = bs->opaque; + BDRVRawReopenState *rs = NULL; + int open_flags; + int ret; + + if (s->perm_change_fd) { + /* + * In the context of reopen, this function may be called several times + * (directly and recursively while change permissions of the parent). + * This is even true for children that don't inherit from the original + * reopen node, so s->reopen_state is not set. + * + * Ignore all but the first call. + */ + return 0; + } + + if (s->reopen_state) { + /* We already have a new file descriptor to set permissions for */ + assert(s->reopen_state->perm == perm); + assert(s->reopen_state->shared_perm == shared); + rs = s->reopen_state->opaque; + s->perm_change_fd = rs->fd; + } else { + /* We may need a new fd if auto-read-only switches the mode */ + ret = raw_reconfigure_getfd(bs, bs->open_flags, &open_flags, + false, errp); + if (ret < 0) { + return ret; + } else if (ret != s->fd) { + s->perm_change_fd = ret; + } + } + + /* Prepare permissions on old fd to avoid conflicts between old and new, + * but keep everything locked that new will need. */ + ret = raw_handle_perm_lock(bs, RAW_PL_PREPARE, perm, shared, errp); + if (ret < 0) { + goto fail; + } + + /* Copy locks to the new fd */ + if (s->perm_change_fd) { + ret = raw_apply_lock_bytes(NULL, s->perm_change_fd, perm, ~shared, + false, errp); + if (ret < 0) { + raw_handle_perm_lock(bs, RAW_PL_ABORT, 0, 0, NULL); + goto fail; + } + } + return 0; + +fail: + if (s->perm_change_fd && !s->reopen_state) { + qemu_close(s->perm_change_fd); + } + s->perm_change_fd = 0; + return ret; } static void raw_set_perm(BlockDriverState *bs, uint64_t perm, uint64_t shared) { BDRVRawState *s = bs->opaque; + + /* For reopen, we have already switched to the new fd (.bdrv_set_perm is + * called after .bdrv_reopen_commit) */ + if (s->perm_change_fd && s->fd != s->perm_change_fd) { + qemu_close(s->fd); + s->fd = s->perm_change_fd; + } + s->perm_change_fd = 0; + raw_handle_perm_lock(bs, RAW_PL_COMMIT, perm, shared, NULL); s->perm = perm; s->shared_perm = shared; @@ -XXX,XX +XXX,XX @@ static void raw_set_perm(BlockDriverState *bs, uint64_t perm, uint64_t shared) static void raw_abort_perm_update(BlockDriverState *bs) { + BDRVRawState *s = bs->opaque; + + /* For reopen, .bdrv_reopen_abort is called afterwards and will close + * the file descriptor. */ + if (s->perm_change_fd && !s->reopen_state) { + qemu_close(s->perm_change_fd); + } + s->perm_change_fd = 0; + raw_handle_perm_lock(bs, RAW_PL_ABORT, 0, 0, NULL); } -- 2.20.1 Until now, with auto-read-only=on we tried to open the file read-write first and if that failed, read-only was tried. This is actually not good enough for libvirt, which gives QEMU SELinux permissions for read-write only as soon as it actually intends to write to the image. So we need to be able to switch between read-only and read-write at runtime. This patch makes auto-read-only dynamic, i.e. the file is opened read-only as long as no user of the node has requested write permissions, but it is automatically reopened read-write as soon as the first writer is attached. Conversely, if the last writer goes away, the file is reopened read-only again. bs->read_only is no longer set for auto-read-only=on files even if the file descriptor is opened read-only because it will be transparently upgraded as soon as a writer is attached. This changes the output of qemu-iotests 232. Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block/file-posix.c | 36 +++++++++++++++++------------------- tests/qemu-iotests/232.out | 12 ++++++------ 2 files changed, 23 insertions(+), 25 deletions(-) diff --git a/block/file-posix.c b/block/file-posix.c index XXXXXXX..XXXXXXX 100644 --- a/block/file-posix.c +++ b/block/file-posix.c @@ -XXX,XX +XXX,XX @@ static void raw_probe_alignment(BlockDriverState *bs, int fd, Error **errp) } } -static void raw_parse_flags(int bdrv_flags, int *open_flags) +static void raw_parse_flags(int bdrv_flags, int *open_flags, bool has_writers) { + bool read_write = false; assert(open_flags != NULL); *open_flags |= O_BINARY; *open_flags &= ~O_ACCMODE; - if (bdrv_flags & BDRV_O_RDWR) { + + if (bdrv_flags & BDRV_O_AUTO_RDONLY) { + read_write = has_writers; + } else if (bdrv_flags & BDRV_O_RDWR) { + read_write = true; + } + + if (read_write) { *open_flags |= O_RDWR; } else { *open_flags |= O_RDONLY; @@ -XXX,XX +XXX,XX @@ static int raw_open_common(BlockDriverState *bs, QDict *options, false); s->open_flags = open_flags; - raw_parse_flags(bdrv_flags, &s->open_flags); + raw_parse_flags(bdrv_flags, &s->open_flags, false); s->fd = -1; fd = qemu_open(filename, s->open_flags, 0644); ret = fd < 0 ? -errno : 0; - if (ret == -EACCES || ret == -EROFS) { - /* Try to degrade to read-only, but if it doesn't work, still use the - * normal error message. */ - if (bdrv_apply_auto_read_only(bs, NULL, NULL) == 0) { - bdrv_flags &= ~BDRV_O_RDWR; - raw_parse_flags(bdrv_flags, &s->open_flags); - assert(!(s->open_flags & O_CREAT)); - fd = qemu_open(filename, s->open_flags); - ret = fd < 0 ? -errno : 0; - } - } - if (ret < 0) { error_setg_errno(errp, -ret, "Could not open '%s'", filename); if (ret == -EROFS) { @@ -XXX,XX +XXX,XX @@ static int raw_handle_perm_lock(BlockDriverState *bs, } static int raw_reconfigure_getfd(BlockDriverState *bs, int flags, - int *open_flags, bool force_dup, + int *open_flags, uint64_t perm, bool force_dup, Error **errp) { BDRVRawState *s = bs->opaque; int fd = -1; int ret; + bool has_writers = perm & + (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED | BLK_PERM_RESIZE); int fcntl_flags = O_APPEND | O_NONBLOCK; #ifdef O_NOATIME fcntl_flags |= O_NOATIME; @@ -XXX,XX +XXX,XX @@ static int raw_reconfigure_getfd(BlockDriverState *bs, int flags, *open_flags |= O_NONBLOCK; } - raw_parse_flags(flags, open_flags); + raw_parse_flags(flags, open_flags, has_writers); #ifdef O_ASYNC /* Not all operating systems have O_ASYNC, and those that don't @@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state, qemu_opts_to_qdict(opts, state->options); rs->fd = raw_reconfigure_getfd(state->bs, state->flags, &rs->open_flags, - true, &local_err); + state->perm, true, &local_err); if (local_err) { error_propagate(errp, local_err); ret = -1; @@ -XXX,XX +XXX,XX @@ static int raw_check_perm(BlockDriverState *bs, uint64_t perm, uint64_t shared, s->perm_change_fd = rs->fd; } else { /* We may need a new fd if auto-read-only switches the mode */ - ret = raw_reconfigure_getfd(bs, bs->open_flags, &open_flags, + ret = raw_reconfigure_getfd(bs, bs->open_flags, &open_flags, perm, false, errp); if (ret < 0) { return ret; diff --git a/tests/qemu-iotests/232.out b/tests/qemu-iotests/232.out index XXXXXXX..XXXXXXX 100644 --- a/tests/qemu-iotests/232.out +++ b/tests/qemu-iotests/232.out @@ -XXX,XX +XXX,XX @@ NODE_NAME: TEST_DIR/t.IMGFMT (file, read-only) NODE_NAME: TEST_DIR/t.IMGFMT (file, read-only) QEMU_PROG: -drive driver=file,file=TEST_DIR/t.IMGFMT,if=none,read-only=off,auto-read-only=off: Could not open 'TEST_DIR/t.IMGFMT': Permission denied -NODE_NAME: TEST_DIR/t.IMGFMT (file, read-only) -NODE_NAME: TEST_DIR/t.IMGFMT (file, read-only) +NODE_NAME: TEST_DIR/t.IMGFMT (file) +NODE_NAME: TEST_DIR/t.IMGFMT (file) QEMU_PROG: -drive driver=file,file=TEST_DIR/t.IMGFMT,if=none,auto-read-only=off: Could not open 'TEST_DIR/t.IMGFMT': Permission denied -NODE_NAME: TEST_DIR/t.IMGFMT (file, read-only) -NODE_NAME: TEST_DIR/t.IMGFMT (file, read-only) +NODE_NAME: TEST_DIR/t.IMGFMT (file) +NODE_NAME: TEST_DIR/t.IMGFMT (file) === -blockdev with read-write image: read-only/auto-read-only combinations === @@ -XXX,XX +XXX,XX @@ node0: TEST_DIR/t.IMGFMT (file, read-only) node0: TEST_DIR/t.IMGFMT (file, read-only) QEMU_PROG: -blockdev driver=file,filename=TEST_DIR/t.IMGFMT,node-name=node0,read-only=off,auto-read-only=off: Could not open 'TEST_DIR/t.IMGFMT': Permission denied -node0: TEST_DIR/t.IMGFMT (file, read-only) +node0: TEST_DIR/t.IMGFMT (file) QEMU_PROG: -blockdev driver=file,filename=TEST_DIR/t.IMGFMT,node-name=node0,read-only=off: Could not open 'TEST_DIR/t.IMGFMT': Permission denied QEMU_PROG: -blockdev driver=file,filename=TEST_DIR/t.IMGFMT,node-name=node0,auto-read-only=off: Could not open 'TEST_DIR/t.IMGFMT': Permission denied -node0: TEST_DIR/t.IMGFMT (file, read-only) +node0: TEST_DIR/t.IMGFMT (file) QEMU_PROG: -blockdev driver=file,filename=TEST_DIR/t.IMGFMT,node-name=node0: Could not open 'TEST_DIR/t.IMGFMT': Permission denied === Try commit to backing file with auto-read-only === -- 2.20.1 From: Keith Busch <keith.busch@intel.com> The implementation used blocks units rather than the expected bytes. Fixes: c03e7ef12a9 ("nvme: Implement Write Zeroes") Reported-by: Ming Lei <ming.lei@redhat.com> Signed-off-by: Keith Busch <keith.busch@intel.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- hw/block/nvme.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hw/block/nvme.c b/hw/block/nvme.c index XXXXXXX..XXXXXXX 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c @@ -XXX,XX +XXX,XX @@ static uint16_t nvme_write_zeros(NvmeCtrl *n, NvmeNamespace *ns, NvmeCmd *cmd, const uint8_t data_shift = ns->id_ns.lbaf[lba_index].ds; uint64_t slba = le64_to_cpu(rw->slba); uint32_t nlb = le16_to_cpu(rw->nlb) + 1; - uint64_t aio_slba = slba << (data_shift - BDRV_SECTOR_BITS); - uint32_t aio_nlb = nlb << (data_shift - BDRV_SECTOR_BITS); + uint64_t offset = slba << data_shift; + uint32_t count = nlb << data_shift; if (unlikely(slba + nlb > ns->id_ns.nsze)) { trace_nvme_err_invalid_lba_range(slba, nlb, ns->id_ns.nsze); @@ -XXX,XX +XXX,XX @@ static uint16_t nvme_write_zeros(NvmeCtrl *n, NvmeNamespace *ns, NvmeCmd *cmd, req->has_sg = false; block_acct_start(blk_get_stats(n->conf.blk), &req->acct, 0, BLOCK_ACCT_WRITE); - req->aiocb = blk_aio_pwrite_zeroes(n->conf.blk, aio_slba, aio_nlb, + req->aiocb = blk_aio_pwrite_zeroes(n->conf.blk, offset, count, BDRV_REQ_MAY_UNMAP, nvme_rw_cb, req); return NVME_NO_COMPLETE; } -- 2.20.1 From: Alberto Garcia <berto@igalia.com> Our permission system is useful to define what operations are allowed on a certain block node and includes things like BLK_PERM_WRITE or BLK_PERM_RESIZE among others. One of the permissions is BLK_PERM_GRAPH_MOD which allows "changing the node that this BdrvChild points to". The exact meaning of this has never been very clear, but it can be understood as "change any of the links connected to the node". This can be used to prevent changing a backing link, but it's too coarse. This patch adds a new 'frozen' attribute to BdrvChild, which forbids detaching the link from the node it points to, and new API to freeze and unfreeze a backing chain. After this change a few functions can fail, so they need additional checks. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 5 +++ include/block/block_int.h | 6 ++++ block.c | 76 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 87 insertions(+) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ int bdrv_drop_intermediate(BlockDriverState *top, BlockDriverState *base, BlockDriverState *bdrv_find_overlay(BlockDriverState *active, BlockDriverState *bs); BlockDriverState *bdrv_find_base(BlockDriverState *bs); +bool bdrv_is_backing_chain_frozen(BlockDriverState *bs, BlockDriverState *base, + Error **errp); +int bdrv_freeze_backing_chain(BlockDriverState *bs, BlockDriverState *base, + Error **errp); +void bdrv_unfreeze_backing_chain(BlockDriverState *bs, BlockDriverState *base); typedef struct BdrvCheckResult { diff --git a/include/block/block_int.h b/include/block/block_int.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block_int.h +++ b/include/block/block_int.h @@ -XXX,XX +XXX,XX @@ struct BdrvChild { uint64_t backup_perm; uint64_t backup_shared_perm; + /* + * This link is frozen: the child can neither be replaced nor + * detached from the parent. + */ + bool frozen; + QLIST_ENTRY(BdrvChild) next; QLIST_ENTRY(BdrvChild) next_parent; }; diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static void bdrv_replace_child_noperm(BdrvChild *child, BlockDriverState *old_bs = child->bs; int i; + assert(!child->frozen); + if (old_bs && new_bs) { assert(bdrv_get_aio_context(old_bs) == bdrv_get_aio_context(new_bs)); } @@ -XXX,XX +XXX,XX @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd, bool update_inherits_from = bdrv_chain_contains(bs, backing_hd) && bdrv_inherits_from_recursive(backing_hd, bs); + if (bdrv_is_backing_chain_frozen(bs, backing_bs(bs), errp)) { + return; + } + if (backing_hd) { bdrv_ref(backing_hd); } @@ -XXX,XX +XXX,XX @@ void bdrv_replace_node(BlockDriverState *from, BlockDriverState *to, if (!should_update_child(c, to)) { continue; } + if (c->frozen) { + error_setg(errp, "Cannot change '%s' link to '%s'", + c->name, from->node_name); + goto out; + } list = g_slist_prepend(list, c); perm |= c->perm; shared &= c->shared_perm; @@ -XXX,XX +XXX,XX @@ BlockDriverState *bdrv_find_base(BlockDriverState *bs) return bdrv_find_overlay(bs, NULL); } +/* + * Return true if at least one of the backing links between @bs and + * @base is frozen. @errp is set if that's the case. + */ +bool bdrv_is_backing_chain_frozen(BlockDriverState *bs, BlockDriverState *base, + Error **errp) +{ + BlockDriverState *i; + + for (i = bs; i != base && i->backing; i = backing_bs(i)) { + if (i->backing->frozen) { + error_setg(errp, "Cannot change '%s' link from '%s' to '%s'", + i->backing->name, i->node_name, + backing_bs(i)->node_name); + return true; + } + } + + return false; +} + +/* + * Freeze all backing links between @bs and @base. + * If any of the links is already frozen the operation is aborted and + * none of the links are modified. + * Returns 0 on success. On failure returns < 0 and sets @errp. + */ +int bdrv_freeze_backing_chain(BlockDriverState *bs, BlockDriverState *base, + Error **errp) +{ + BlockDriverState *i; + + if (bdrv_is_backing_chain_frozen(bs, base, errp)) { + return -EPERM; + } + + for (i = bs; i != base && i->backing; i = backing_bs(i)) { + i->backing->frozen = true; + } + + return 0; +} + +/* + * Unfreeze all backing links between @bs and @base. The caller must + * ensure that all links are frozen before using this function. + */ +void bdrv_unfreeze_backing_chain(BlockDriverState *bs, BlockDriverState *base) +{ + BlockDriverState *i; + + for (i = bs; i != base && i->backing; i = backing_bs(i)) { + assert(i->backing->frozen); + i->backing->frozen = false; + } +} + /* * Drops images above 'base' up to and including 'top', and sets the image * above 'top' to have base as its backing file. @@ -XXX,XX +XXX,XX @@ int bdrv_drop_intermediate(BlockDriverState *top, BlockDriverState *base, goto exit; } + /* This function changes all links that point to top and makes + * them point to base. Check that none of them is frozen. */ + QLIST_FOREACH(c, &top->parents, next_parent) { + if (c->frozen) { + goto exit; + } + } + /* If 'base' recursively inherits from 'top' then we should set * base->inherits_from to top->inherits_from after 'top' and all * other intermediate nodes have been dropped. -- 2.20.1 From: Alberto Garcia <berto@igalia.com> Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block/commit.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/block/commit.c b/block/commit.c index XXXXXXX..XXXXXXX 100644 --- a/block/commit.c +++ b/block/commit.c @@ -XXX,XX +XXX,XX @@ typedef struct CommitBlockJob { BlockDriverState *base_bs; BlockdevOnError on_error; bool base_read_only; + bool chain_frozen; char *backing_file_str; } CommitBlockJob; @@ -XXX,XX +XXX,XX @@ static int commit_prepare(Job *job) { CommitBlockJob *s = container_of(job, CommitBlockJob, common.job); + bdrv_unfreeze_backing_chain(s->commit_top_bs, s->base_bs); + s->chain_frozen = false; + /* Remove base node parent that still uses BLK_PERM_WRITE/RESIZE before * the normal backing chain can be restored. */ blk_unref(s->base); @@ -XXX,XX +XXX,XX @@ static void commit_abort(Job *job) CommitBlockJob *s = container_of(job, CommitBlockJob, common.job); BlockDriverState *top_bs = blk_bs(s->top); + if (s->chain_frozen) { + bdrv_unfreeze_backing_chain(s->commit_top_bs, s->base_bs); + } + /* Make sure commit_top_bs and top stay around until bdrv_replace_node() */ bdrv_ref(top_bs); bdrv_ref(s->commit_top_bs); @@ -XXX,XX +XXX,XX @@ void commit_start(const char *job_id, BlockDriverState *bs, } } + if (bdrv_freeze_backing_chain(commit_top_bs, base, errp) < 0) { + goto fail; + } + s->chain_frozen = true; + ret = block_job_add_bdrv(&s->common, "base", base, 0, BLK_PERM_ALL, errp); if (ret < 0) { goto fail; @@ -XXX,XX +XXX,XX @@ void commit_start(const char *job_id, BlockDriverState *bs, return; fail: + if (s->chain_frozen) { + bdrv_unfreeze_backing_chain(commit_top_bs, base); + } if (s->base) { blk_unref(s->base); } -- 2.20.1 From: Alberto Garcia <berto@igalia.com> Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block/mirror.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/block/mirror.c b/block/mirror.c index XXXXXXX..XXXXXXX 100644 --- a/block/mirror.c +++ b/block/mirror.c @@ -XXX,XX +XXX,XX @@ static int mirror_exit_common(Job *job) } s->prepared = true; + if (bdrv_chain_contains(src, target_bs)) { + bdrv_unfreeze_backing_chain(mirror_top_bs, target_bs); + } + bdrv_release_dirty_bitmap(src, s->dirty_bitmap); /* Make sure that the source BDS doesn't go away during bdrv_replace_node, @@ -XXX,XX +XXX,XX @@ static void mirror_start_job(const char *job_id, BlockDriverState *bs, goto fail; } } + + if (bdrv_freeze_backing_chain(mirror_top_bs, target, errp) < 0) { + goto fail; + } } QTAILQ_INIT(&s->ops_in_flight); -- 2.20.1 From: Alberto Garcia <berto@igalia.com> Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block/stream.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/block/stream.c b/block/stream.c index XXXXXXX..XXXXXXX 100644 --- a/block/stream.c +++ b/block/stream.c @@ -XXX,XX +XXX,XX @@ typedef struct StreamBlockJob { BlockdevOnError on_error; char *backing_file_str; bool bs_read_only; + bool chain_frozen; } StreamBlockJob; static int coroutine_fn stream_populate(BlockBackend *blk, @@ -XXX,XX +XXX,XX @@ static int coroutine_fn stream_populate(BlockBackend *blk, return blk_co_preadv(blk, offset, qiov.size, &qiov, BDRV_REQ_COPY_ON_READ); } +static void stream_abort(Job *job) +{ + StreamBlockJob *s = container_of(job, StreamBlockJob, common.job); + + if (s->chain_frozen) { + BlockJob *bjob = &s->common; + bdrv_unfreeze_backing_chain(blk_bs(bjob->blk), s->base); + } +} + static int stream_prepare(Job *job) { StreamBlockJob *s = container_of(job, StreamBlockJob, common.job); @@ -XXX,XX +XXX,XX @@ static int stream_prepare(Job *job) Error *local_err = NULL; int ret = 0; + bdrv_unfreeze_backing_chain(bs, base); + s->chain_frozen = false; + if (bs->backing) { const char *base_id = NULL, *base_fmt = NULL; if (base) { @@ -XXX,XX +XXX,XX @@ static const BlockJobDriver stream_job_driver = { .free = block_job_free, .run = stream_run, .prepare = stream_prepare, + .abort = stream_abort, .clean = stream_clean, .user_resume = block_job_user_resume, .drain = block_job_drain, @@ -XXX,XX +XXX,XX @@ void stream_start(const char *job_id, BlockDriverState *bs, &error_abort); } + if (bdrv_freeze_backing_chain(bs, base, errp) < 0) { + job_early_fail(&s->common.job); + goto fail; + } + s->base = base; s->backing_file_str = g_strdup(backing_file_str); s->bs_read_only = bs_read_only; + s->chain_frozen = true; s->on_error = on_error; trace_stream_start(bs, base, s); -- 2.20.1 From: Alberto Garcia <berto@igalia.com> The bdrv_reopen_queue() function is used to create a queue with the BDSs that are going to be reopened and their new options. Once the queue is ready bdrv_reopen_multiple() is called to perform the operation. The original options from each one of the BDSs are kept, with the new options passed to bdrv_reopen_queue() applied on top of them. For "x-blockdev-reopen" we want a function that behaves much like "blockdev-add". We want to ignore the previous set of options so that only the ones actually specified by the user are applied, with the rest having their default values. One of the things that we need is a way to tell bdrv_reopen_queue() whether we want to keep the old set of options or not, and that's what this patch does. All current callers are setting this new parameter to true and x-blockdev-reopen will set it to false. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 3 ++- block.c | 34 +++++++++++++++++++--------------- block/replication.c | 4 ++-- qemu-io-cmds.c | 2 +- 4 files changed, 24 insertions(+), 19 deletions(-) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ BlockDriverState *bdrv_open(const char *filename, const char *reference, BlockDriverState *bdrv_new_open_driver(BlockDriver *drv, const char *node_name, int flags, Error **errp); BlockReopenQueue *bdrv_reopen_queue(BlockReopenQueue *bs_queue, - BlockDriverState *bs, QDict *options); + BlockDriverState *bs, QDict *options, + bool keep_old_opts); int bdrv_reopen_multiple(AioContext *ctx, BlockReopenQueue *bs_queue, Error **errp); int bdrv_reopen_set_read_only(BlockDriverState *bs, bool read_only, Error **errp); diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue, QDict *options, const BdrvChildRole *role, QDict *parent_options, - int parent_flags) + int parent_flags, + bool keep_old_opts) { assert(bs != NULL); @@ -XXX,XX +XXX,XX @@ static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue, */ /* Old explicitly set values (don't overwrite by inherited value) */ - if (bs_entry) { - old_options = qdict_clone_shallow(bs_entry->state.explicit_options); - } else { - old_options = qdict_clone_shallow(bs->explicit_options); + if (bs_entry || keep_old_opts) { + old_options = qdict_clone_shallow(bs_entry ? + bs_entry->state.explicit_options : + bs->explicit_options); + bdrv_join_options(bs, options, old_options); + qobject_unref(old_options); } - bdrv_join_options(bs, options, old_options); - qobject_unref(old_options); explicit_options = qdict_clone_shallow(options); @@ -XXX,XX +XXX,XX @@ static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue, flags = bdrv_get_flags(bs); } - /* Old values are used for options that aren't set yet */ - old_options = qdict_clone_shallow(bs->options); - bdrv_join_options(bs, options, old_options); - qobject_unref(old_options); + if (keep_old_opts) { + /* Old values are used for options that aren't set yet */ + old_options = qdict_clone_shallow(bs->options); + bdrv_join_options(bs, options, old_options); + qobject_unref(old_options); + } /* We have the final set of options so let's update the flags */ options_copy = qdict_clone_shallow(options); @@ -XXX,XX +XXX,XX @@ static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue, g_free(child_key_dot); bdrv_reopen_queue_child(bs_queue, child->bs, new_child_options, - child->role, options, flags); + child->role, options, flags, keep_old_opts); } return bs_queue; @@ -XXX,XX +XXX,XX @@ static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue, BlockReopenQueue *bdrv_reopen_queue(BlockReopenQueue *bs_queue, BlockDriverState *bs, - QDict *options) + QDict *options, bool keep_old_opts) { - return bdrv_reopen_queue_child(bs_queue, bs, options, NULL, NULL, 0); + return bdrv_reopen_queue_child(bs_queue, bs, options, NULL, NULL, 0, + keep_old_opts); } /* @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_set_read_only(BlockDriverState *bs, bool read_only, qdict_put_bool(opts, BDRV_OPT_READ_ONLY, read_only); bdrv_subtree_drained_begin(bs); - queue = bdrv_reopen_queue(NULL, bs, opts); + queue = bdrv_reopen_queue(NULL, bs, opts, true); ret = bdrv_reopen_multiple(bdrv_get_aio_context(bs), queue, errp); bdrv_subtree_drained_end(bs); diff --git a/block/replication.c b/block/replication.c index XXXXXXX..XXXXXXX 100644 --- a/block/replication.c +++ b/block/replication.c @@ -XXX,XX +XXX,XX @@ static void reopen_backing_file(BlockDriverState *bs, bool writable, QDict *opts = qdict_new(); qdict_put_bool(opts, BDRV_OPT_READ_ONLY, !writable); reopen_queue = bdrv_reopen_queue(reopen_queue, s->hidden_disk->bs, - opts); + opts, true); } if (s->orig_secondary_read_only) { QDict *opts = qdict_new(); qdict_put_bool(opts, BDRV_OPT_READ_ONLY, !writable); reopen_queue = bdrv_reopen_queue(reopen_queue, s->secondary_disk->bs, - opts); + opts, true); } if (reopen_queue) { diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c index XXXXXXX..XXXXXXX 100644 --- a/qemu-io-cmds.c +++ b/qemu-io-cmds.c @@ -XXX,XX +XXX,XX @@ static int reopen_f(BlockBackend *blk, int argc, char **argv) } bdrv_subtree_drained_begin(bs); - brq = bdrv_reopen_queue(NULL, bs, opts); + brq = bdrv_reopen_queue(NULL, bs, opts, true); bdrv_reopen_multiple(bdrv_get_aio_context(bs), brq, &local_err); bdrv_subtree_drained_end(bs); -- 2.20.1 From: Alberto Garcia <berto@igalia.com> Children in QMP are specified with BlockdevRef / BlockdevRefOrNull, which can contain a set of child options, a child reference, or NULL. In optional attributes like "backing" it can also be missing. Only the first case (set of child options) is being handled properly by bdrv_reopen_queue(). This patch deals with all the others. Here's how these cases should be handled when bdrv_reopen_queue() is deciding what to do with each child of a BlockDriverState: 1) Set of child options: if the child was implicitly created (i.e inherits_from points to the parent) then the options are removed from the parent's options QDict and are passed to the child with a recursive bdrv_reopen_queue() call. This case was already working fine. 2) Child reference: there's two possibilites here. 2a) Reference to the current child: if the child was implicitly created then it is put in the reopen queue, keeping its current set of options (since this was a child reference there was no way to specify a different set of options). If the child is not implicit then it keeps its current set of options but it is not reopened (and therefore does not inherit any new option from the parent). 2b) Reference to a different BDS: the current child is not put in the reopen queue at all. Passing a reference to a different BDS can be used to replace a child, although at the moment no driver implements this, so it results in an error. In any case, the current child is not going to be reopened (and might in fact disappear if it's replaced) 3) NULL: This is similar to (2b). Although no driver allows this yet it can be used to detach the current child so it should not be put in the reopen queue. 4) Missing option: at the moment "backing" is the only case where this can happen. With "blockdev-add", leaving "backing" out means that the default backing file is opened. We don't want to open a new image during reopen, so we require that "backing" is always present. We'll relax this requirement a bit in the next patch. If keep_old_opts is true and "backing" is missing then this behaves like 2a (the current child is reopened). Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 1 + block.c | 52 +++++++++++++++++++++++++++++++++++++------ 2 files changed, 46 insertions(+), 7 deletions(-) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ typedef struct BDRVReopenState { BlockDriverState *bs; int flags; BlockdevDetectZeroesOptions detect_zeroes; + bool backing_missing; uint64_t perm, shared_perm; QDict *options; QDict *explicit_options; diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue, bs_entry->state.perm = UINT64_MAX; bs_entry->state.shared_perm = 0; + /* + * If keep_old_opts is false then it means that unspecified + * options must be reset to their original value. We don't allow + * resetting 'backing' but we need to know if the option is + * missing in order to decide if we have to return an error. + */ + if (!keep_old_opts) { + bs_entry->state.backing_missing = + !qdict_haskey(options, "backing") && + !qdict_haskey(options, "backing.driver"); + } + QLIST_FOREACH(child, &bs->children, next) { - QDict *new_child_options; - char *child_key_dot; + QDict *new_child_options = NULL; + bool child_keep_old = keep_old_opts; /* reopen can only change the options of block devices that were * implicitly created and inherited options. For other (referenced) @@ -XXX,XX +XXX,XX @@ static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue, continue; } - child_key_dot = g_strdup_printf("%s.", child->name); - qdict_extract_subqdict(explicit_options, NULL, child_key_dot); - qdict_extract_subqdict(options, &new_child_options, child_key_dot); - g_free(child_key_dot); + /* Check if the options contain a child reference */ + if (qdict_haskey(options, child->name)) { + const char *childref = qdict_get_try_str(options, child->name); + /* + * The current child must not be reopened if the child + * reference is null or points to a different node. + */ + if (g_strcmp0(childref, child->bs->node_name)) { + continue; + } + /* + * If the child reference points to the current child then + * reopen it with its existing set of options (note that + * it can still inherit new options from the parent). + */ + child_keep_old = true; + } else { + /* Extract child options ("child-name.*") */ + char *child_key_dot = g_strdup_printf("%s.", child->name); + qdict_extract_subqdict(explicit_options, NULL, child_key_dot); + qdict_extract_subqdict(options, &new_child_options, child_key_dot); + g_free(child_key_dot); + } bdrv_reopen_queue_child(bs_queue, child->bs, new_child_options, - child->role, options, flags, keep_old_opts); + child->role, options, flags, child_keep_old); } return bs_queue; @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, drv_prepared = true; + if (drv->supports_backing && reopen_state->backing_missing) { + error_setg(errp, "backing is missing for '%s'", + reopen_state->bs->node_name); + ret = -EINVAL; + goto error; + } + /* Options that are not handled are only okay if they are unchanged * compared to the old state. It is expected that some options are only * used for the initial open, but not reopen (e.g. filename) */ -- 2.20.1 From: Alberto Garcia <berto@igalia.com> Of all options of type BlockdevRef used to specify children in BlockdevOptions, 'backing' is the only one that is optional. For "x-blockdev-reopen" we want that if an option is omitted then it must be reset to its default value. The default value of 'backing' means that QEMU opens the backing file specified in the image metadata, but this is not something that we want to support for the reopen operation. Because of this the 'backing' option has to be specified during reopen, pointing to the existing backing file if we want to keep it, or pointing to a different one (or NULL) if we want to replace it (to be implemented in a subsequent patch). In order to simplify things a bit and not to require that the user passes the 'backing' option to every single block device even when it's clearly not necessary, this patch allows omitting this option if the block device being reopened doesn't have a backing file attached _and_ no default backing file is specified in the image metadata. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, drv_prepared = true; - if (drv->supports_backing && reopen_state->backing_missing) { + /* + * We must provide the 'backing' option if the BDS has a backing + * file or if the image file has a backing file name as part of + * its metadata. Otherwise the 'backing' option can be omitted. + */ + if (drv->supports_backing && reopen_state->backing_missing && + (backing_bs(reopen_state->bs) || reopen_state->bs->backing_file[0])) { error_setg(errp, "backing is missing for '%s'", reopen_state->bs->node_name); ret = -EINVAL; -- 2.20.1 From: Alberto Garcia <berto@igalia.com> This patch allows the user to change the backing file of an image that is being reopened. Here's what it does: - In bdrv_reopen_prepare(): check that the value of 'backing' points to an existing node or is null. If it points to an existing node it also needs to make sure that replacing the backing file will not create a cycle in the node graph (i.e. you cannot reach the parent from the new backing file). - In bdrv_reopen_commit(): perform the actual node replacement by calling bdrv_set_backing_hd(). There may be temporary implicit nodes between a BDS and its backing file (e.g. a commit filter node). In these cases bdrv_reopen_prepare() looks for the real (non-implicit) backing file and requires that the 'backing' option points to it. Replacing or detaching a backing file is forbidden if there are implicit nodes in the middle. Although x-blockdev-reopen is meant to be used like blockdev-add, there's an important thing that must be taken into account: the only way to set a new backing file is by using a reference to an existing node (previously added with e.g. blockdev-add). If 'backing' contains a dictionary with a new set of options ({"driver": "qcow2", "file": { ... }}) then it is interpreted that the _existing_ backing file must be reopened with those options. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 2 + block.c | 166 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 168 insertions(+) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ typedef struct BDRVReopenState { int flags; BlockdevDetectZeroesOptions detect_zeroes; bool backing_missing; + bool replace_backing_bs; /* new_backing_bs is ignored if this is false */ + BlockDriverState *new_backing_bs; /* If NULL then detach the current bs */ uint64_t perm, shared_perm; QDict *options; QDict *explicit_options; diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ BlockDriverState *bdrv_open(const char *filename, const char *reference, NULL, errp); } +/* + * Returns true if @child can be reached recursively from @bs + */ +static bool bdrv_recurse_has_child(BlockDriverState *bs, + BlockDriverState *child) +{ + BdrvChild *c; + + if (bs == child) { + return true; + } + + QLIST_FOREACH(c, &bs->children, next) { + if (bdrv_recurse_has_child(c->bs, child)) { + return true; + } + } + + return false; +} + /* * Adds a BlockDriverState to a simple queue for an atomic, transactional * reopen of multiple devices. @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_multiple(AioContext *ctx, BlockReopenQueue *bs_queue, Error **er if (ret < 0) { goto cleanup_perm; } + /* Check if new_backing_bs would accept the new permissions */ + if (state->replace_backing_bs && state->new_backing_bs) { + uint64_t nperm, nshared; + bdrv_child_perm(state->bs, state->new_backing_bs, + NULL, &child_backing, bs_queue, + state->perm, state->shared_perm, + &nperm, &nshared); + ret = bdrv_check_update_perm(state->new_backing_bs, NULL, + nperm, nshared, NULL, errp); + if (ret < 0) { + goto cleanup_perm; + } + } bs_entry->perms_checked = true; } @@ -XXX,XX +XXX,XX @@ cleanup_perm: bdrv_set_perm(state->bs, state->perm, state->shared_perm); } else { bdrv_abort_perm_update(state->bs); + if (state->replace_backing_bs && state->new_backing_bs) { + bdrv_abort_perm_update(state->new_backing_bs); + } } } cleanup: @@ -XXX,XX +XXX,XX @@ cleanup: qobject_unref(bs_entry->state.explicit_options); qobject_unref(bs_entry->state.options); } + if (bs_entry->state.new_backing_bs) { + bdrv_unref(bs_entry->state.new_backing_bs); + } g_free(bs_entry); } g_free(bs_queue); @@ -XXX,XX +XXX,XX @@ static void bdrv_reopen_perm(BlockReopenQueue *q, BlockDriverState *bs, *shared = cumulative_shared_perms; } +/* + * Take a BDRVReopenState and check if the value of 'backing' in the + * reopen_state->options QDict is valid or not. + * + * If 'backing' is missing from the QDict then return 0. + * + * If 'backing' contains the node name of the backing file of + * reopen_state->bs then return 0. + * + * If 'backing' contains a different node name (or is null) then check + * whether the current backing file can be replaced with the new one. + * If that's the case then reopen_state->replace_backing_bs is set to + * true and reopen_state->new_backing_bs contains a pointer to the new + * backing BlockDriverState (or NULL). + * + * Return 0 on success, otherwise return < 0 and set @errp. + */ +static int bdrv_reopen_parse_backing(BDRVReopenState *reopen_state, + Error **errp) +{ + BlockDriverState *bs = reopen_state->bs; + BlockDriverState *overlay_bs, *new_backing_bs; + QObject *value; + const char *str; + + value = qdict_get(reopen_state->options, "backing"); + if (value == NULL) { + return 0; + } + + switch (qobject_type(value)) { + case QTYPE_QNULL: + new_backing_bs = NULL; + break; + case QTYPE_QSTRING: + str = qobject_get_try_str(value); + new_backing_bs = bdrv_lookup_bs(NULL, str, errp); + if (new_backing_bs == NULL) { + return -EINVAL; + } else if (bdrv_recurse_has_child(new_backing_bs, bs)) { + error_setg(errp, "Making '%s' a backing file of '%s' " + "would create a cycle", str, bs->node_name); + return -EINVAL; + } + break; + default: + /* 'backing' does not allow any other data type */ + g_assert_not_reached(); + } + + /* + * TODO: before removing the x- prefix from x-blockdev-reopen we + * should move the new backing file into the right AioContext + * instead of returning an error. + */ + if (new_backing_bs) { + if (bdrv_get_aio_context(new_backing_bs) != bdrv_get_aio_context(bs)) { + error_setg(errp, "Cannot use a new backing file " + "with a different AioContext"); + return -EINVAL; + } + } + + /* + * Find the "actual" backing file by skipping all links that point + * to an implicit node, if any (e.g. a commit filter node). + */ + overlay_bs = bs; + while (backing_bs(overlay_bs) && backing_bs(overlay_bs)->implicit) { + overlay_bs = backing_bs(overlay_bs); + } + + /* If we want to replace the backing file we need some extra checks */ + if (new_backing_bs != backing_bs(overlay_bs)) { + /* Check for implicit nodes between bs and its backing file */ + if (bs != overlay_bs) { + error_setg(errp, "Cannot change backing link if '%s' has " + "an implicit backing file", bs->node_name); + return -EPERM; + } + /* Check if the backing link that we want to replace is frozen */ + if (bdrv_is_backing_chain_frozen(overlay_bs, backing_bs(overlay_bs), + errp)) { + return -EPERM; + } + reopen_state->replace_backing_bs = true; + if (new_backing_bs) { + bdrv_ref(new_backing_bs); + reopen_state->new_backing_bs = new_backing_bs; + } + } + + return 0; +} + /* * Prepares a BlockDriverState for reopen. All changes are staged in the * 'opaque' field of the BDRVReopenState, which is used and allocated by @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, goto error; } + /* + * Allow changing the 'backing' option. The new value can be + * either a reference to an existing node (using its node name) + * or NULL to simply detach the current backing file. + */ + ret = bdrv_reopen_parse_backing(reopen_state, errp); + if (ret < 0) { + goto error; + } + qdict_del(reopen_state->options, "backing"); + /* Options that are not handled are only okay if they are unchanged * compared to the old state. It is expected that some options are only * used for the initial open, but not reopen (e.g. filename) */ @@ -XXX,XX +XXX,XX @@ void bdrv_reopen_commit(BDRVReopenState *reopen_state) bs->read_only = !(reopen_state->flags & BDRV_O_RDWR); bs->detect_zeroes = reopen_state->detect_zeroes; + if (reopen_state->replace_backing_bs) { + qdict_del(bs->explicit_options, "backing"); + qdict_del(bs->options, "backing"); + } + /* Remove child references from bs->options and bs->explicit_options. * Child options were already removed in bdrv_reopen_queue_child() */ QLIST_FOREACH(child, &bs->children, next) { @@ -XXX,XX +XXX,XX @@ void bdrv_reopen_commit(BDRVReopenState *reopen_state) qdict_del(bs->options, child->name); } + /* + * Change the backing file if a new one was specified. We do this + * after updating bs->options, so bdrv_refresh_filename() (called + * from bdrv_set_backing_hd()) has the new values. + */ + if (reopen_state->replace_backing_bs) { + BlockDriverState *old_backing_bs = backing_bs(bs); + assert(!old_backing_bs || !old_backing_bs->implicit); + /* Abort the permission update on the backing bs we're detaching */ + if (old_backing_bs) { + bdrv_abort_perm_update(old_backing_bs); + } + bdrv_set_backing_hd(bs, reopen_state->new_backing_bs, &error_abort); + } + bdrv_refresh_limits(bs, NULL); new_can_write = -- 2.20.1 From: Alberto Garcia <berto@igalia.com> If we reopen a BlockDriverState and there is an option that is present in bs->options but missing from the new set of options then we have to return an error unless the driver is able to reset it to its default value. This patch adds a new 'mutable_opts' field to BlockDriver. This is a list of runtime options that can be modified during reopen. If an option in this list is unspecified on reopen then it must be reset (or return an error). Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block_int.h | 8 ++++++++ block/file-posix.c | 6 ++++++ block/qcow2.c | 25 +++++++++++++++++++++++++ block/raw-format.c | 3 +++ 4 files changed, 42 insertions(+) diff --git a/include/block/block_int.h b/include/block/block_int.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block_int.h +++ b/include/block/block_int.h @@ -XXX,XX +XXX,XX @@ struct BlockDriver { /* List of options for creating images, terminated by name == NULL */ QemuOptsList *create_opts; + /* + * If this driver supports reopening images this contains a + * NULL-terminated list of the runtime options that can be + * modified. If an option in this list is unspecified during + * reopen then it _must_ be reset to its default value or return + * an error. + */ + const char *const *mutable_opts; /* * Returns 0 for completed check, -errno for internal errors. diff --git a/block/file-posix.c b/block/file-posix.c index XXXXXXX..XXXXXXX 100644 --- a/block/file-posix.c +++ b/block/file-posix.c @@ -XXX,XX +XXX,XX @@ static QemuOptsList raw_runtime_opts = { }, }; +static const char *const mutable_opts[] = { "x-check-cache-dropped", NULL }; + static int raw_open_common(BlockDriverState *bs, QDict *options, int bdrv_flags, int open_flags, bool device, Error **errp) @@ -XXX,XX +XXX,XX @@ BlockDriver bdrv_file = { .bdrv_set_perm = raw_set_perm, .bdrv_abort_perm_update = raw_abort_perm_update, .create_opts = &raw_create_opts, + .mutable_opts = mutable_opts, }; /***********************************************/ @@ -XXX,XX +XXX,XX @@ static BlockDriver bdrv_host_device = { .bdrv_reopen_abort = raw_reopen_abort, .bdrv_co_create_opts = hdev_co_create_opts, .create_opts = &raw_create_opts, + .mutable_opts = mutable_opts, .bdrv_co_invalidate_cache = raw_co_invalidate_cache, .bdrv_co_pwrite_zeroes = hdev_co_pwrite_zeroes, @@ -XXX,XX +XXX,XX @@ static BlockDriver bdrv_host_cdrom = { .bdrv_reopen_abort = raw_reopen_abort, .bdrv_co_create_opts = hdev_co_create_opts, .create_opts = &raw_create_opts, + .mutable_opts = mutable_opts, .bdrv_co_invalidate_cache = raw_co_invalidate_cache, @@ -XXX,XX +XXX,XX @@ static BlockDriver bdrv_host_cdrom = { .bdrv_reopen_abort = raw_reopen_abort, .bdrv_co_create_opts = hdev_co_create_opts, .create_opts = &raw_create_opts, + .mutable_opts = mutable_opts, .bdrv_co_preadv = raw_co_preadv, .bdrv_co_pwritev = raw_co_pwritev, diff --git a/block/qcow2.c b/block/qcow2.c index XXXXXXX..XXXXXXX 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -XXX,XX +XXX,XX @@ int qcow2_validate_table(BlockDriverState *bs, uint64_t offset, return 0; } +static const char *const mutable_opts[] = { + QCOW2_OPT_LAZY_REFCOUNTS, + QCOW2_OPT_DISCARD_REQUEST, + QCOW2_OPT_DISCARD_SNAPSHOT, + QCOW2_OPT_DISCARD_OTHER, + QCOW2_OPT_OVERLAP, + QCOW2_OPT_OVERLAP_TEMPLATE, + QCOW2_OPT_OVERLAP_MAIN_HEADER, + QCOW2_OPT_OVERLAP_ACTIVE_L1, + QCOW2_OPT_OVERLAP_ACTIVE_L2, + QCOW2_OPT_OVERLAP_REFCOUNT_TABLE, + QCOW2_OPT_OVERLAP_REFCOUNT_BLOCK, + QCOW2_OPT_OVERLAP_SNAPSHOT_TABLE, + QCOW2_OPT_OVERLAP_INACTIVE_L1, + QCOW2_OPT_OVERLAP_INACTIVE_L2, + QCOW2_OPT_OVERLAP_BITMAP_DIRECTORY, + QCOW2_OPT_CACHE_SIZE, + QCOW2_OPT_L2_CACHE_SIZE, + QCOW2_OPT_L2_CACHE_ENTRY_SIZE, + QCOW2_OPT_REFCOUNT_CACHE_SIZE, + QCOW2_OPT_CACHE_CLEAN_INTERVAL, + NULL +}; + static QemuOptsList qcow2_runtime_opts = { .name = "qcow2", .head = QTAILQ_HEAD_INITIALIZER(qcow2_runtime_opts.head), @@ -XXX,XX +XXX,XX @@ BlockDriver bdrv_qcow2 = { .create_opts = &qcow2_create_opts, .strong_runtime_opts = qcow2_strong_runtime_opts, + .mutable_opts = mutable_opts, .bdrv_co_check = qcow2_co_check, .bdrv_amend_options = qcow2_amend_options, diff --git a/block/raw-format.c b/block/raw-format.c index XXXXXXX..XXXXXXX 100644 --- a/block/raw-format.c +++ b/block/raw-format.c @@ -XXX,XX +XXX,XX @@ typedef struct BDRVRawState { bool has_size; } BDRVRawState; +static const char *const mutable_opts[] = { "offset", "size", NULL }; + static QemuOptsList raw_runtime_opts = { .name = "raw", .head = QTAILQ_HEAD_INITIALIZER(raw_runtime_opts.head), @@ -XXX,XX +XXX,XX @@ BlockDriver bdrv_raw = { .create_opts = &raw_create_opts, .bdrv_has_zero_init = &raw_has_zero_init, .strong_runtime_opts = raw_strong_runtime_opts, + .mutable_opts = mutable_opts, }; static void bdrv_raw_init(void) -- 2.20.1 From: Alberto Garcia <berto@igalia.com> bdrv_reopen_prepare() receives a BDRVReopenState with (among other things) a new set of options to be applied to that BlockDriverState. If an option is missing then it means that we want to reset it to its default value rather than keep the previous one. This way the state of the block device after being reopened is comparable to that of a device added with "blockdev-add" using the same set of options. Not all options from all drivers can be changed this way, however. If the user attempts to reset an immutable option to its default value using this method then we must forbid it. This new function takes a BlockDriverState and a new set of options and checks if there's any option that was previously set but is missing from the new set of options. If the option is present in both sets we don't need to check that they have the same value. The loop at the end of bdrv_reopen_prepare() already takes care of that. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ BlockDriverState *bdrv_open(const char *filename, const char *reference, NULL, errp); } +/* Return true if the NULL-terminated @list contains @str */ +static bool is_str_in_list(const char *str, const char *const *list) +{ + if (str && list) { + int i; + for (i = 0; list[i] != NULL; i++) { + if (!strcmp(str, list[i])) { + return true; + } + } + } + return false; +} + +/* + * Check that every option set in @bs->options is also set in + * @new_opts. + * + * Options listed in the common_options list and in + * @bs->drv->mutable_opts are skipped. + * + * Return 0 on success, otherwise return -EINVAL and set @errp. + */ +static int bdrv_reset_options_allowed(BlockDriverState *bs, + const QDict *new_opts, Error **errp) +{ + const QDictEntry *e; + /* These options are common to all block drivers and are handled + * in bdrv_reopen_prepare() so they can be left out of @new_opts */ + const char *const common_options[] = { + "node-name", "discard", "cache.direct", "cache.no-flush", + "read-only", "auto-read-only", "detect-zeroes", NULL + }; + + for (e = qdict_first(bs->options); e; e = qdict_next(bs->options, e)) { + if (!qdict_haskey(new_opts, e->key) && + !is_str_in_list(e->key, common_options) && + !is_str_in_list(e->key, bs->drv->mutable_opts)) { + error_setg(errp, "Option '%s' cannot be reset " + "to its default value", e->key); + return -EINVAL; + } + } + + return 0; +} + /* * Returns true if @child can be reached recursively from @bs */ @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, } if (drv->bdrv_reopen_prepare) { + /* + * If a driver-specific option is missing, it means that we + * should reset it to its default value. + * But not all options allow that, so we need to check it first. + */ + ret = bdrv_reset_options_allowed(reopen_state->bs, + reopen_state->options, errp); + if (ret) { + goto error; + } + ret = drv->bdrv_reopen_prepare(reopen_state, queue, &local_err); if (ret) { if (local_err != NULL) { -- 2.20.1 From: Alberto Garcia <berto@igalia.com> This parameter has been unused since 1a63a907507fbbcfaee3f622907ec244b Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 2 +- block.c | 4 ++-- block/replication.c | 3 +-- qemu-io-cmds.c | 2 +- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ BlockDriverState *bdrv_new_open_driver(BlockDriver *drv, const char *node_name, BlockReopenQueue *bdrv_reopen_queue(BlockReopenQueue *bs_queue, BlockDriverState *bs, QDict *options, bool keep_old_opts); -int bdrv_reopen_multiple(AioContext *ctx, BlockReopenQueue *bs_queue, Error **errp); +int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp); int bdrv_reopen_set_read_only(BlockDriverState *bs, bool read_only, Error **errp); int bdrv_reopen_prepare(BDRVReopenState *reopen_state, diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ BlockReopenQueue *bdrv_reopen_queue(BlockReopenQueue *bs_queue, * All affected nodes must be drained between bdrv_reopen_queue() and * bdrv_reopen_multiple(). */ -int bdrv_reopen_multiple(AioContext *ctx, BlockReopenQueue *bs_queue, Error **errp) +int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp) { int ret = -1; BlockReopenQueueEntry *bs_entry, *next; @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_set_read_only(BlockDriverState *bs, bool read_only, bdrv_subtree_drained_begin(bs); queue = bdrv_reopen_queue(NULL, bs, opts, true); - ret = bdrv_reopen_multiple(bdrv_get_aio_context(bs), queue, errp); + ret = bdrv_reopen_multiple(queue, errp); bdrv_subtree_drained_end(bs); return ret; diff --git a/block/replication.c b/block/replication.c index XXXXXXX..XXXXXXX 100644 --- a/block/replication.c +++ b/block/replication.c @@ -XXX,XX +XXX,XX @@ static void reopen_backing_file(BlockDriverState *bs, bool writable, } if (reopen_queue) { - bdrv_reopen_multiple(bdrv_get_aio_context(bs), - reopen_queue, &local_err); + bdrv_reopen_multiple(reopen_queue, &local_err); error_propagate(errp, local_err); } diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c index XXXXXXX..XXXXXXX 100644 --- a/qemu-io-cmds.c +++ b/qemu-io-cmds.c @@ -XXX,XX +XXX,XX @@ static int reopen_f(BlockBackend *blk, int argc, char **argv) bdrv_subtree_drained_begin(bs); brq = bdrv_reopen_queue(NULL, bs, opts, true); - bdrv_reopen_multiple(bdrv_get_aio_context(bs), brq, &local_err); + bdrv_reopen_multiple(brq, &local_err); bdrv_subtree_drained_end(bs); if (local_err) { -- 2.20.1 From: Alberto Garcia <berto@igalia.com> This command allows reopening an arbitrary BlockDriverState with a new set of options. Some options (e.g node-name) cannot be changed and some block drivers don't allow reopening, but otherwise this command is modelled after 'blockdev-add' and the state of the reopened BlockDriverState should generally be the same as if it had just been added by 'blockdev-add' with the same set of options. One notable exception is the 'backing' option: 'x-blockdev-reopen' requires that it is always present unless the BlockDriverState in question doesn't have a current or default backing file. This command allows reconfiguring the graph by using the appropriate options to change the children of a node. At the moment it's possible to change a backing file by setting the 'backing' option to the name of the new node, but it should also be possible to add a similar functionality to other block drivers (e.g. Quorum, blkverify). Although the API is unlikely to change, this command is marked experimental for the time being so there's room to see if the semantics need changes. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- qapi/block-core.json | 42 +++++++++++++++++++++++++++++++++++++++ blockdev.c | 47 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+) diff --git a/qapi/block-core.json b/qapi/block-core.json index XXXXXXX..XXXXXXX 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -XXX,XX +XXX,XX @@ ## { 'command': 'blockdev-add', 'data': 'BlockdevOptions', 'boxed': true } +## +# @x-blockdev-reopen: +# +# Reopens a block device using the given set of options. Any option +# not specified will be reset to its default value regardless of its +# previous status. If an option cannot be changed or a particular +# driver does not support reopening then the command will return an +# error. +# +# The top-level @node-name option (from BlockdevOptions) must be +# specified and is used to select the block device to be reopened. +# Other @node-name options must be either omitted or set to the +# current name of the appropriate node. This command won't change any +# node name and any attempt to do it will result in an error. +# +# In the case of options that refer to child nodes, the behavior of +# this command depends on the value: +# +# 1) A set of options (BlockdevOptions): the child is reopened with +# the specified set of options. +# +# 2) A reference to the current child: the child is reopened using +# its existing set of options. +# +# 3) A reference to a different node: the current child is replaced +# with the specified one. +# +# 4) NULL: the current child (if any) is detached. +# +# Options (1) and (2) are supported in all cases, but at the moment +# only @backing allows replacing or detaching an existing child. +# +# Unlike with blockdev-add, the @backing option must always be present +# unless the node being reopened does not have a backing file and its +# image does not have a default backing file name as part of its +# metadata. +# +# Since: 4.0 +## +{ 'command': 'x-blockdev-reopen', + 'data': 'BlockdevOptions', 'boxed': true } + ## # @blockdev-del: # diff --git a/blockdev.c b/blockdev.c index XXXXXXX..XXXXXXX 100644 --- a/blockdev.c +++ b/blockdev.c @@ -XXX,XX +XXX,XX @@ fail: visit_free(v); } +void qmp_x_blockdev_reopen(BlockdevOptions *options, Error **errp) +{ + BlockDriverState *bs; + AioContext *ctx; + QObject *obj; + Visitor *v = qobject_output_visitor_new(&obj); + Error *local_err = NULL; + BlockReopenQueue *queue; + QDict *qdict; + + /* Check for the selected node name */ + if (!options->has_node_name) { + error_setg(errp, "Node name not specified"); + goto fail; + } + + bs = bdrv_find_node(options->node_name); + if (!bs) { + error_setg(errp, "Cannot find node named '%s'", options->node_name); + goto fail; + } + + /* Put all options in a QDict and flatten it */ + visit_type_BlockdevOptions(v, NULL, &options, &local_err); + if (local_err) { + error_propagate(errp, local_err); + goto fail; + } + + visit_complete(v, &obj); + qdict = qobject_to(QDict, obj); + + qdict_flatten(qdict); + + /* Perform the reopen operation */ + ctx = bdrv_get_aio_context(bs); + aio_context_acquire(ctx); + bdrv_subtree_drained_begin(bs); + queue = bdrv_reopen_queue(NULL, bs, qdict, false); + bdrv_reopen_multiple(queue, errp); + bdrv_subtree_drained_end(bs); + aio_context_release(ctx); + +fail: + visit_free(v); +} + void qmp_blockdev_del(const char *node_name, Error **errp) { AioContext *aio_context; -- 2.20.1 From: Alberto Garcia <berto@igalia.com> This patch adds several tests for the x-blockdev-reopen QMP command. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- tests/qemu-iotests/245 | 991 +++++++++++++++++++++++++++++++++++++ tests/qemu-iotests/245.out | 5 + tests/qemu-iotests/group | 1 + 3 files changed, 997 insertions(+) create mode 100644 tests/qemu-iotests/245 create mode 100644 tests/qemu-iotests/245.out diff --git a/tests/qemu-iotests/245 b/tests/qemu-iotests/245 new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/qemu-iotests/245 @@ -XXX,XX +XXX,XX @@ +#!/usr/bin/env python +# +# Test cases for the QMP 'x-blockdev-reopen' command +# +# Copyright (C) 2018-2019 Igalia, S.L. +# Author: Alberto Garcia <berto@igalia.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import os +import re +import iotests +import copy +import json +from iotests import qemu_img, qemu_io + +hd_path = [ + os.path.join(iotests.test_dir, 'hd0.img'), + os.path.join(iotests.test_dir, 'hd1.img'), + os.path.join(iotests.test_dir, 'hd2.img') +] + +def hd_opts(idx): + return {'driver': iotests.imgfmt, + 'node-name': 'hd%d' % idx, + 'file': {'driver': 'file', + 'node-name': 'hd%d-file' % idx, + 'filename': hd_path[idx] } } + +class TestBlockdevReopen(iotests.QMPTestCase): + total_io_cmds = 0 + + def setUp(self): + qemu_img('create', '-f', iotests.imgfmt, hd_path[0], '3M') + qemu_img('create', '-f', iotests.imgfmt, '-b', hd_path[0], hd_path[1]) + qemu_img('create', '-f', iotests.imgfmt, hd_path[2], '3M') + qemu_io('-f', iotests.imgfmt, '-c', 'write -P 0xa0 0 1M', hd_path[0]) + qemu_io('-f', iotests.imgfmt, '-c', 'write -P 0xa1 1M 1M', hd_path[1]) + qemu_io('-f', iotests.imgfmt, '-c', 'write -P 0xa2 2M 1M', hd_path[2]) + self.vm = iotests.VM() + self.vm.launch() + + def tearDown(self): + self.vm.shutdown() + self.check_qemu_io_errors() + os.remove(hd_path[0]) + os.remove(hd_path[1]) + os.remove(hd_path[2]) + + # The output of qemu-io is not returned by vm.hmp_qemu_io() but + # it's stored in the log and can only be read when the VM has been + # shut down. This function runs qemu-io and keeps track of the + # number of times it's been called. + def run_qemu_io(self, img, cmd): + result = self.vm.hmp_qemu_io(img, cmd) + self.assert_qmp(result, 'return', '') + self.total_io_cmds += 1 + + # Once the VM is shut down we can parse the log and see if qemu-io + # ran without errors. + def check_qemu_io_errors(self): + self.assertFalse(self.vm.is_running()) + found = 0 + log = self.vm.get_log() + for line in log.split("\n"): + if line.startswith("Pattern verification failed"): + raise Exception("%s (command #%d)" % (line, found)) + if re.match("read .*/.* bytes at offset", line): + found += 1 + self.assertEqual(found, self.total_io_cmds, + "Expected output of %d qemu-io commands, found %d" % + (found, self.total_io_cmds)) + + # Run x-blockdev-reopen with 'opts' but applying 'newopts' + # on top of it. The original 'opts' dict is unmodified + def reopen(self, opts, newopts = {}, errmsg = None): + opts = copy.deepcopy(opts) + + # Apply the changes from 'newopts' on top of 'opts' + for key in newopts: + value = newopts[key] + # If key has the form "foo.bar" then we need to do + # opts["foo"]["bar"] = value, not opts["foo.bar"] = value + subdict = opts + while key.find('.') != -1: + [prefix, key] = key.split('.', 1) + subdict = opts[prefix] + subdict[key] = value + + result = self.vm.qmp('x-blockdev-reopen', conv_keys = False, **opts) + if errmsg: + self.assert_qmp(result, 'error/class', 'GenericError') + self.assert_qmp(result, 'error/desc', errmsg) + else: + self.assert_qmp(result, 'return', {}) + + + # Run query-named-block-nodes and return the specified entry + def get_node(self, node_name): + result = self.vm.qmp('query-named-block-nodes') + for node in result['return']: + if node['node-name'] == node_name: + return node + return None + + # Run 'query-named-block-nodes' and compare its output with the + # value passed by the user in 'graph' + def check_node_graph(self, graph): + result = self.vm.qmp('query-named-block-nodes') + self.assertEqual(json.dumps(graph, sort_keys=True), + json.dumps(result, sort_keys=True)) + + # This test opens one single disk image (without backing files) + # and tries to reopen it with illegal / incorrect parameters. + def test_incorrect_parameters_single_file(self): + # Open 'hd0' only (no backing files) + opts = hd_opts(0) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + original_graph = self.vm.qmp('query-named-block-nodes') + + # We can reopen the image passing the same options + self.reopen(opts) + + # We can also reopen passing a child reference in 'file' + self.reopen(opts, {'file': 'hd0-file'}) + + # We cannot change any of these + self.reopen(opts, {'node-name': 'not-found'}, "Cannot find node named 'not-found'") + self.reopen(opts, {'node-name': ''}, "Cannot find node named ''") + self.reopen(opts, {'node-name': None}, "Invalid parameter type for 'node-name', expected: string") + self.reopen(opts, {'driver': 'raw'}, "Cannot change the option 'driver'") + self.reopen(opts, {'driver': ''}, "Invalid parameter ''") + self.reopen(opts, {'driver': None}, "Invalid parameter type for 'driver', expected: string") + self.reopen(opts, {'file': 'not-found'}, "Cannot change the option 'file'") + self.reopen(opts, {'file': ''}, "Cannot change the option 'file'") + self.reopen(opts, {'file': None}, "Invalid parameter type for 'file', expected: BlockdevRef") + self.reopen(opts, {'file.node-name': 'newname'}, "Cannot change the option 'node-name'") + self.reopen(opts, {'file.driver': 'host_device'}, "Cannot change the option 'driver'") + self.reopen(opts, {'file.filename': hd_path[1]}, "Cannot change the option 'filename'") + self.reopen(opts, {'file.aio': 'native'}, "Cannot change the option 'aio'") + self.reopen(opts, {'file.locking': 'off'}, "Cannot change the option 'locking'") + self.reopen(opts, {'file.filename': None}, "Invalid parameter type for 'file.filename', expected: string") + + # node-name is optional in BlockdevOptions, but x-blockdev-reopen needs it + del opts['node-name'] + self.reopen(opts, {}, "Node name not specified") + + # Check that nothing has changed + self.check_node_graph(original_graph) + + # Remove the node + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd0') + self.assert_qmp(result, 'return', {}) + + # This test opens an image with a backing file and tries to reopen + # it with illegal / incorrect parameters. + def test_incorrect_parameters_backing_file(self): + # Open hd1 omitting the backing options (hd0 will be opened + # with the default options) + opts = hd_opts(1) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + original_graph = self.vm.qmp('query-named-block-nodes') + + # We can't reopen the image passing the same options, 'backing' is mandatory + self.reopen(opts, {}, "backing is missing for 'hd1'") + + # Everything works if we pass 'backing' using the existing node name + for node in original_graph['return']: + if node['drv'] == iotests.imgfmt and node['file'] == hd_path[0]: + backing_node_name = node['node-name'] + self.reopen(opts, {'backing': backing_node_name}) + + # We can't use a non-existing or empty (non-NULL) node as the backing image + self.reopen(opts, {'backing': 'not-found'}, "Cannot find device= nor node_name=not-found") + self.reopen(opts, {'backing': ''}, "Cannot find device= nor node_name=") + + # We can reopen the image just fine if we specify the backing options + opts['backing'] = {'driver': iotests.imgfmt, + 'file': {'driver': 'file', + 'filename': hd_path[0]}} + self.reopen(opts) + + # We cannot change any of these options + self.reopen(opts, {'backing.node-name': 'newname'}, "Cannot change the option 'node-name'") + self.reopen(opts, {'backing.driver': 'raw'}, "Cannot change the option 'driver'") + self.reopen(opts, {'backing.file.node-name': 'newname'}, "Cannot change the option 'node-name'") + self.reopen(opts, {'backing.file.driver': 'host_device'}, "Cannot change the option 'driver'") + + # Check that nothing has changed since the beginning + self.check_node_graph(original_graph) + + # Remove the node + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd1') + self.assert_qmp(result, 'return', {}) + + # Reopen an image several times changing some of its options + def test_reopen(self): + # Open the hd1 image passing all backing options + opts = hd_opts(1) + opts['backing'] = hd_opts(0) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + original_graph = self.vm.qmp('query-named-block-nodes') + + # We can reopen the image passing the same options + self.reopen(opts) + + # Reopen in read-only mode + self.assert_qmp(self.get_node('hd1'), 'ro', False) + + self.reopen(opts, {'read-only': True}) + self.assert_qmp(self.get_node('hd1'), 'ro', True) + self.reopen(opts) + self.assert_qmp(self.get_node('hd1'), 'ro', False) + + # Change the cache options + self.assert_qmp(self.get_node('hd1'), 'cache/writeback', True) + self.assert_qmp(self.get_node('hd1'), 'cache/direct', False) + self.assert_qmp(self.get_node('hd1'), 'cache/no-flush', False) + self.reopen(opts, {'cache': { 'direct': True, 'no-flush': True }}) + self.assert_qmp(self.get_node('hd1'), 'cache/writeback', True) + self.assert_qmp(self.get_node('hd1'), 'cache/direct', True) + self.assert_qmp(self.get_node('hd1'), 'cache/no-flush', True) + + # Reopen again with the original options + self.reopen(opts) + self.assert_qmp(self.get_node('hd1'), 'cache/writeback', True) + self.assert_qmp(self.get_node('hd1'), 'cache/direct', False) + self.assert_qmp(self.get_node('hd1'), 'cache/no-flush', False) + + # Change 'detect-zeroes' and 'discard' + self.assert_qmp(self.get_node('hd1'), 'detect_zeroes', 'off') + self.reopen(opts, {'detect-zeroes': 'on'}) + self.assert_qmp(self.get_node('hd1'), 'detect_zeroes', 'on') + self.reopen(opts, {'detect-zeroes': 'unmap'}, + "setting detect-zeroes to unmap is not allowed " + + "without setting discard operation to unmap") + self.assert_qmp(self.get_node('hd1'), 'detect_zeroes', 'on') + self.reopen(opts, {'detect-zeroes': 'unmap', 'discard': 'unmap'}) + self.assert_qmp(self.get_node('hd1'), 'detect_zeroes', 'unmap') + self.reopen(opts) + self.assert_qmp(self.get_node('hd1'), 'detect_zeroes', 'off') + + # Changing 'force-share' is currently not supported + self.reopen(opts, {'force-share': True}, "Cannot change the option 'force-share'") + + # Change some qcow2-specific options + # No way to test for success other than checking the return message + if iotests.imgfmt == 'qcow2': + self.reopen(opts, {'l2-cache-entry-size': 128 * 1024}, + "L2 cache entry size must be a power of two "+ + "between 512 and the cluster size (65536)") + self.reopen(opts, {'l2-cache-size': 1024 * 1024, + 'cache-size': 512 * 1024}, + "l2-cache-size may not exceed cache-size") + self.reopen(opts, {'l2-cache-size': 4 * 1024 * 1024, + 'refcount-cache-size': 4 * 1024 * 1024, + 'l2-cache-entry-size': 32 * 1024}) + self.reopen(opts, {'pass-discard-request': True}) + + # Check that nothing has changed since the beginning + # (from the parameters that we can check) + self.check_node_graph(original_graph) + + # Check that the node names (other than the top-level one) are optional + del opts['file']['node-name'] + del opts['backing']['node-name'] + del opts['backing']['file']['node-name'] + self.reopen(opts) + self.check_node_graph(original_graph) + + # Reopen setting backing = null, this removes the backing image from the chain + self.reopen(opts, {'backing': None}) + self.assert_qmp_absent(self.get_node('hd1'), 'image/backing-image') + + # Open the 'hd0' image + result = self.vm.qmp('blockdev-add', conv_keys = False, **hd_opts(0)) + self.assert_qmp(result, 'return', {}) + + # Reopen the hd1 image setting 'hd0' as its backing image + self.reopen(opts, {'backing': 'hd0'}) + self.assert_qmp(self.get_node('hd1'), 'image/backing-image/filename', hd_path[0]) + + # Check that nothing has changed since the beginning + self.reopen(hd_opts(0), {'read-only': True}) + self.check_node_graph(original_graph) + + # The backing file (hd0) is now a reference, we cannot change backing.* anymore + self.reopen(opts, {}, "Cannot change the option 'backing.driver'") + + # We can't remove 'hd0' while it's a backing image of 'hd1' + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd0') + self.assert_qmp(result, 'error/class', 'GenericError') + self.assert_qmp(result, 'error/desc', "Node 'hd0' is busy: node is used as backing hd of 'hd1'") + + # But we can remove both nodes if done in the proper order + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd1') + self.assert_qmp(result, 'return', {}) + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd0') + self.assert_qmp(result, 'return', {}) + + # Reopen a raw image and see the effect of changing the 'offset' option + def test_reopen_raw(self): + opts = {'driver': 'raw', 'node-name': 'hd0', + 'file': { 'driver': 'file', + 'filename': hd_path[0], + 'node-name': 'hd0-file' } } + + # First we create a 2MB raw file, and fill each half with a + # different value + qemu_img('create', '-f', 'raw', hd_path[0], '2M') + qemu_io('-f', 'raw', '-c', 'write -P 0xa0 0 1M', hd_path[0]) + qemu_io('-f', 'raw', '-c', 'write -P 0xa1 1M 1M', hd_path[0]) + + # Open the raw file with QEMU + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # Read 1MB from offset 0 + self.run_qemu_io("hd0", "read -P 0xa0 0 1M") + + # Reopen the image with a 1MB offset. + # Now the results are different + self.reopen(opts, {'offset': 1024*1024}) + self.run_qemu_io("hd0", "read -P 0xa1 0 1M") + + # Reopen again with the original options. + # We get the original results again + self.reopen(opts) + self.run_qemu_io("hd0", "read -P 0xa0 0 1M") + + # Remove the block device + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd0') + self.assert_qmp(result, 'return', {}) + + # Omitting an option should reset it to the default value, but if + # an option cannot be changed it shouldn't be possible to reset it + # to its default value either + def test_reset_default_values(self): + opts = {'driver': 'qcow2', 'node-name': 'hd0', + 'file': { 'driver': 'file', + 'filename': hd_path[0], + 'x-check-cache-dropped': True, # This one can be changed + 'locking': 'off', # This one can NOT be changed + 'node-name': 'hd0-file' } } + + # Open the file with QEMU + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # file.x-check-cache-dropped can be changed... + self.reopen(opts, { 'file.x-check-cache-dropped': False }) + # ...and dropped completely (resetting to the default value) + del opts['file']['x-check-cache-dropped'] + self.reopen(opts) + + # file.locking cannot be changed nor reset to the default value + self.reopen(opts, { 'file.locking': 'on' }, "Cannot change the option 'locking'") + del opts['file']['locking'] + self.reopen(opts, {}, "Option 'locking' cannot be reset to its default value") + # But we can reopen it if we maintain its previous value + self.reopen(opts, { 'file.locking': 'off' }) + + # Remove the block device + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd0') + self.assert_qmp(result, 'return', {}) + + # This test modifies the node graph a few times by changing the + # 'backing' option on reopen and verifies that the guest data that + # is read afterwards is consistent with the graph changes. + def test_io_with_graph_changes(self): + opts = [] + + # Open hd0, hd1 and hd2 without any backing image + for i in range(3): + opts.append(hd_opts(i)) + opts[i]['backing'] = None + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts[i]) + self.assert_qmp(result, 'return', {}) + + # hd0 + self.run_qemu_io("hd0", "read -P 0xa0 0 1M") + self.run_qemu_io("hd0", "read -P 0 1M 1M") + self.run_qemu_io("hd0", "read -P 0 2M 1M") + + # hd1 <- hd0 + self.reopen(opts[0], {'backing': 'hd1'}) + + self.run_qemu_io("hd0", "read -P 0xa0 0 1M") + self.run_qemu_io("hd0", "read -P 0xa1 1M 1M") + self.run_qemu_io("hd0", "read -P 0 2M 1M") + + # hd1 <- hd0 , hd1 <- hd2 + self.reopen(opts[2], {'backing': 'hd1'}) + + self.run_qemu_io("hd2", "read -P 0 0 1M") + self.run_qemu_io("hd2", "read -P 0xa1 1M 1M") + self.run_qemu_io("hd2", "read -P 0xa2 2M 1M") + + # hd1 <- hd2 <- hd0 + self.reopen(opts[0], {'backing': 'hd2'}) + + self.run_qemu_io("hd0", "read -P 0xa0 0 1M") + self.run_qemu_io("hd0", "read -P 0xa1 1M 1M") + self.run_qemu_io("hd0", "read -P 0xa2 2M 1M") + + # hd2 <- hd0 + self.reopen(opts[2], {'backing': None}) + + self.run_qemu_io("hd0", "read -P 0xa0 0 1M") + self.run_qemu_io("hd0", "read -P 0 1M 1M") + self.run_qemu_io("hd0", "read -P 0xa2 2M 1M") + + # hd2 <- hd1 <- hd0 + self.reopen(opts[1], {'backing': 'hd2'}) + self.reopen(opts[0], {'backing': 'hd1'}) + + self.run_qemu_io("hd0", "read -P 0xa0 0 1M") + self.run_qemu_io("hd0", "read -P 0xa1 1M 1M") + self.run_qemu_io("hd0", "read -P 0xa2 2M 1M") + + # Illegal operation: hd2 is a child of hd1 + self.reopen(opts[2], {'backing': 'hd1'}, + "Making 'hd1' a backing file of 'hd2' would create a cycle") + + # hd2 <- hd0, hd2 <- hd1 + self.reopen(opts[0], {'backing': 'hd2'}) + + self.run_qemu_io("hd1", "read -P 0 0 1M") + self.run_qemu_io("hd1", "read -P 0xa1 1M 1M") + self.run_qemu_io("hd1", "read -P 0xa2 2M 1M") + + # More illegal operations + self.reopen(opts[2], {'backing': 'hd1'}, + "Making 'hd1' a backing file of 'hd2' would create a cycle") + self.reopen(opts[2], {'file': 'hd0-file'}, "Cannot change the option 'file'") + + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd2') + self.assert_qmp(result, 'error/class', 'GenericError') + self.assert_qmp(result, 'error/desc', "Node 'hd2' is busy: node is used as backing hd of 'hd0'") + + # hd1 doesn't have a backing file now + self.reopen(opts[1], {'backing': None}) + + self.run_qemu_io("hd1", "read -P 0 0 1M") + self.run_qemu_io("hd1", "read -P 0xa1 1M 1M") + self.run_qemu_io("hd1", "read -P 0 2M 1M") + + # We can't remove the 'backing' option if the image has a + # default backing file + del opts[1]['backing'] + self.reopen(opts[1], {}, "backing is missing for 'hd1'") + + self.run_qemu_io("hd1", "read -P 0 0 1M") + self.run_qemu_io("hd1", "read -P 0xa1 1M 1M") + self.run_qemu_io("hd1", "read -P 0 2M 1M") + + # This test verifies that we can't change the children of a block + # device during a reopen operation in a way that would create + # cycles in the node graph + def test_graph_cycles(self): + opts = [] + + # Open all three images without backing file + for i in range(3): + opts.append(hd_opts(i)) + opts[i]['backing'] = None + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts[i]) + self.assert_qmp(result, 'return', {}) + + # hd1 <- hd0, hd1 <- hd2 + self.reopen(opts[0], {'backing': 'hd1'}) + self.reopen(opts[2], {'backing': 'hd1'}) + + # Illegal: hd2 is backed by hd1 + self.reopen(opts[1], {'backing': 'hd2'}, + "Making 'hd2' a backing file of 'hd1' would create a cycle") + + # hd1 <- hd0 <- hd2 + self.reopen(opts[2], {'backing': 'hd0'}) + + # Illegal: hd2 is backed by hd0, which is backed by hd1 + self.reopen(opts[1], {'backing': 'hd2'}, + "Making 'hd2' a backing file of 'hd1' would create a cycle") + + # Illegal: hd1 cannot point to itself + self.reopen(opts[1], {'backing': 'hd1'}, + "Making 'hd1' a backing file of 'hd1' would create a cycle") + + # Remove all backing files + self.reopen(opts[0]) + self.reopen(opts[2]) + + ########################################## + # Add a blkverify node using hd0 and hd1 # + ########################################## + bvopts = {'driver': 'blkverify', + 'node-name': 'bv', + 'test': 'hd0', + 'raw': 'hd1'} + result = self.vm.qmp('blockdev-add', conv_keys = False, **bvopts) + self.assert_qmp(result, 'return', {}) + + # blkverify doesn't currently allow reopening. TODO: implement this + self.reopen(bvopts, {}, "Block format 'blkverify' used by node 'bv'" + + " does not support reopening files") + + # Illegal: hd0 is a child of the blkverify node + self.reopen(opts[0], {'backing': 'bv'}, + "Making 'bv' a backing file of 'hd0' would create a cycle") + + # Delete the blkverify node + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'bv') + self.assert_qmp(result, 'return', {}) + + # Misc reopen tests with different block drivers + def test_misc_drivers(self): + #################### + ###### quorum ###### + #################### + for i in range(3): + opts = hd_opts(i) + # Open all three images without backing file + opts['backing'] = None + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + opts = {'driver': 'quorum', + 'node-name': 'quorum0', + 'children': ['hd0', 'hd1', 'hd2'], + 'vote-threshold': 2} + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # Quorum doesn't currently allow reopening. TODO: implement this + self.reopen(opts, {}, "Block format 'quorum' used by node 'quorum0'" + + " does not support reopening files") + + # You can't make quorum0 a backing file of hd0: + # hd0 is already a child of quorum0. + self.reopen(hd_opts(0), {'backing': 'quorum0'}, + "Making 'quorum0' a backing file of 'hd0' would create a cycle") + + # Delete quorum0 + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'quorum0') + self.assert_qmp(result, 'return', {}) + + # Delete hd0, hd1 and hd2 + for i in range(3): + result = self.vm.qmp('blockdev-del', conv_keys = True, + node_name = 'hd%d' % i) + self.assert_qmp(result, 'return', {}) + + ###################### + ###### blkdebug ###### + ###################### + opts = {'driver': 'blkdebug', + 'node-name': 'bd', + 'config': '/dev/null', + 'image': hd_opts(0)} + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # blkdebug allows reopening if we keep the same options + self.reopen(opts) + + # but it currently does not allow changes + self.reopen(opts, {'image': 'hd1'}, "Cannot change the option 'image'") + self.reopen(opts, {'align': 33554432}, "Cannot change the option 'align'") + self.reopen(opts, {'config': '/non/existent'}, "Cannot change the option 'config'") + del opts['config'] + self.reopen(opts, {}, "Option 'config' cannot be reset to its default value") + + # Delete the blkdebug node + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'bd') + self.assert_qmp(result, 'return', {}) + + ################## + ###### null ###### + ################## + opts = {'driver': 'null-aio', 'node-name': 'root', 'size': 1024} + + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # 1 << 30 is the default value, but we cannot change it explicitly + self.reopen(opts, {'size': (1 << 30)}, "Cannot change the option 'size'") + + # We cannot change 'size' back to its default value either + del opts['size'] + self.reopen(opts, {}, "Option 'size' cannot be reset to its default value") + + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'root') + self.assert_qmp(result, 'return', {}) + + ################## + ###### file ###### + ################## + opts = hd_opts(0) + opts['file']['locking'] = 'on' + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # 'locking' cannot be changed + del opts['file']['locking'] + self.reopen(opts, {'file.locking': 'on'}) + self.reopen(opts, {'file.locking': 'off'}, "Cannot change the option 'locking'") + self.reopen(opts, {}, "Option 'locking' cannot be reset to its default value") + + # Trying to reopen the 'file' node directly does not make a difference + opts = opts['file'] + self.reopen(opts, {'locking': 'on'}) + self.reopen(opts, {'locking': 'off'}, "Cannot change the option 'locking'") + self.reopen(opts, {}, "Option 'locking' cannot be reset to its default value") + + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd0') + self.assert_qmp(result, 'return', {}) + + ###################### + ###### throttle ###### + ###################### + opts = { 'qom-type': 'throttle-group', 'id': 'group0', + 'props': { 'limits': { 'iops-total': 1000 } } } + result = self.vm.qmp('object-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + opts = { 'qom-type': 'throttle-group', 'id': 'group1', + 'props': { 'limits': { 'iops-total': 2000 } } } + result = self.vm.qmp('object-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # Add a throttle filter with group = group0 + opts = { 'driver': 'throttle', 'node-name': 'throttle0', + 'throttle-group': 'group0', 'file': hd_opts(0) } + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # We can reopen it if we keep the same options + self.reopen(opts) + + # We can also reopen if 'file' is a reference to the child + self.reopen(opts, {'file': 'hd0'}) + + # This is illegal + self.reopen(opts, {'throttle-group': 'notfound'}, "Throttle group 'notfound' does not exist") + + # But it's possible to change the group to group1 + self.reopen(opts, {'throttle-group': 'group1'}) + + # Now group1 is in use, it cannot be deleted + result = self.vm.qmp('object-del', id = 'group1') + self.assert_qmp(result, 'error/class', 'GenericError') + self.assert_qmp(result, 'error/desc', "object 'group1' is in use, can not be deleted") + + # Default options, this switches the group back to group0 + self.reopen(opts) + + # So now we cannot delete group0 + result = self.vm.qmp('object-del', id = 'group0') + self.assert_qmp(result, 'error/class', 'GenericError') + self.assert_qmp(result, 'error/desc', "object 'group0' is in use, can not be deleted") + + # But group1 is free this time, and it can be deleted + result = self.vm.qmp('object-del', id = 'group1') + self.assert_qmp(result, 'return', {}) + + # Let's delete the filter node + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'throttle0') + self.assert_qmp(result, 'return', {}) + + # And we can finally get rid of group0 + result = self.vm.qmp('object-del', id = 'group0') + self.assert_qmp(result, 'return', {}) + + # If an image has a backing file then the 'backing' option must be + # passed on reopen. We don't allow leaving the option out in this + # case because it's unclear what the correct semantics would be. + def test_missing_backing_options_1(self): + # hd2 + opts = hd_opts(2) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # hd0 + opts = hd_opts(0) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # hd0 has no backing file: we can omit the 'backing' option + self.reopen(opts) + + # hd2 <- hd0 + self.reopen(opts, {'backing': 'hd2'}) + + # hd0 has a backing file: we must set the 'backing' option + self.reopen(opts, {}, "backing is missing for 'hd0'") + + # hd2 can't be removed because it's the backing file of hd0 + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd2') + self.assert_qmp(result, 'error/class', 'GenericError') + self.assert_qmp(result, 'error/desc', "Node 'hd2' is busy: node is used as backing hd of 'hd0'") + + # Detach hd2 from hd0. + self.reopen(opts, {'backing': None}) + self.reopen(opts, {}, "backing is missing for 'hd0'") + + # Remove both hd0 and hd2 + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd0') + self.assert_qmp(result, 'return', {}) + + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd2') + self.assert_qmp(result, 'return', {}) + + # If an image has default backing file (as part of its metadata) + # then the 'backing' option must be passed on reopen. We don't + # allow leaving the option out in this case because it's unclear + # what the correct semantics would be. + def test_missing_backing_options_2(self): + # hd0 <- hd1 + # (hd0 is hd1's default backing file) + opts = hd_opts(1) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # hd1 has a backing file: we can't omit the 'backing' option + self.reopen(opts, {}, "backing is missing for 'hd1'") + + # Let's detach the backing file + self.reopen(opts, {'backing': None}) + + # No backing file attached to hd1 now, but we still can't omit the 'backing' option + self.reopen(opts, {}, "backing is missing for 'hd1'") + + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd1') + self.assert_qmp(result, 'return', {}) + + # Test that making 'backing' a reference to an existing child + # keeps its current options + def test_backing_reference(self): + # hd2 <- hd1 <- hd0 + opts = hd_opts(0) + opts['backing'] = hd_opts(1) + opts['backing']['backing'] = hd_opts(2) + # Enable 'detect-zeroes' on all three nodes + opts['detect-zeroes'] = 'on' + opts['backing']['detect-zeroes'] = 'on' + opts['backing']['backing']['detect-zeroes'] = 'on' + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # Reopen the chain passing the minimum amount of required options. + # By making 'backing' a reference to hd1 (instead of a sub-dict) + # we tell QEMU to keep its current set of options. + opts = {'driver': iotests.imgfmt, + 'node-name': 'hd0', + 'file': 'hd0-file', + 'backing': 'hd1' } + self.reopen(opts) + + # This has reset 'detect-zeroes' on hd0, but not on hd1 and hd2. + self.assert_qmp(self.get_node('hd0'), 'detect_zeroes', 'off') + self.assert_qmp(self.get_node('hd1'), 'detect_zeroes', 'on') + self.assert_qmp(self.get_node('hd2'), 'detect_zeroes', 'on') + + # Test what happens if the graph changes due to other operations + # such as block-stream + def test_block_stream_1(self): + # hd1 <- hd0 + opts = hd_opts(0) + opts['backing'] = hd_opts(1) + opts['backing']['backing'] = None + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # Stream hd1 into hd0 and wait until it's done + result = self.vm.qmp('block-stream', conv_keys = True, job_id = 'stream0', device = 'hd0') + self.assert_qmp(result, 'return', {}) + self.wait_until_completed(drive = 'stream0') + + # Now we have only hd0 + self.assertEqual(self.get_node('hd1'), None) + + # We have backing.* options but there's no backing file anymore + self.reopen(opts, {}, "Cannot change the option 'backing.driver'") + + # If we remove the 'backing' option then we can reopen hd0 just fine + del opts['backing'] + self.reopen(opts) + + # We can also reopen hd0 if we set 'backing' to null + self.reopen(opts, {'backing': None}) + + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd0') + self.assert_qmp(result, 'return', {}) + + # Another block_stream test + def test_block_stream_2(self): + # hd2 <- hd1 <- hd0 + opts = hd_opts(0) + opts['backing'] = hd_opts(1) + opts['backing']['backing'] = hd_opts(2) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # Stream hd1 into hd0 and wait until it's done + result = self.vm.qmp('block-stream', conv_keys = True, job_id = 'stream0', + device = 'hd0', base_node = 'hd2') + self.assert_qmp(result, 'return', {}) + self.wait_until_completed(drive = 'stream0') + + # The chain is hd2 <- hd0 now. hd1 is missing + self.assertEqual(self.get_node('hd1'), None) + + # The backing options in the dict were meant for hd1, but we cannot + # use them with hd2 because hd1 had a backing file while hd2 does not. + self.reopen(opts, {}, "Cannot change the option 'backing.driver'") + + # If we remove hd1's options from the dict then things work fine + opts['backing'] = opts['backing']['backing'] + self.reopen(opts) + + # We can also reopen hd0 if we use a reference to the backing file + self.reopen(opts, {'backing': 'hd2'}) + + # But we cannot leave the option out + del opts['backing'] + self.reopen(opts, {}, "backing is missing for 'hd0'") + + # Now we can delete hd0 (and hd2) + result = self.vm.qmp('blockdev-del', conv_keys = True, node_name = 'hd0') + self.assert_qmp(result, 'return', {}) + self.assertEqual(self.get_node('hd2'), None) + + # Reopen the chain during a block-stream job (from hd1 to hd0) + def test_block_stream_3(self): + # hd2 <- hd1 <- hd0 + opts = hd_opts(0) + opts['backing'] = hd_opts(1) + opts['backing']['backing'] = hd_opts(2) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # hd2 <- hd0 + result = self.vm.qmp('block-stream', conv_keys = True, job_id = 'stream0', + device = 'hd0', base_node = 'hd2', speed = 512 * 1024) + self.assert_qmp(result, 'return', {}) + + # We can't remove hd2 while the stream job is ongoing + opts['backing']['backing'] = None + self.reopen(opts, {}, "Cannot change 'backing' link from 'hd1' to 'hd2'") + + # We can't remove hd1 while the stream job is ongoing + opts['backing'] = None + self.reopen(opts, {}, "Cannot change 'backing' link from 'hd0' to 'hd1'") + + self.wait_until_completed(drive = 'stream0') + + # Reopen the chain during a block-stream job (from hd2 to hd1) + def test_block_stream_4(self): + # hd2 <- hd1 <- hd0 + opts = hd_opts(0) + opts['backing'] = hd_opts(1) + opts['backing']['backing'] = hd_opts(2) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + # hd1 <- hd0 + result = self.vm.qmp('block-stream', conv_keys = True, job_id = 'stream0', + device = 'hd1', speed = 512 * 1024) + self.assert_qmp(result, 'return', {}) + + # We can't reopen with the original options because that would + # make hd1 read-only and block-stream requires it to be read-write + self.reopen(opts, {}, "Can't set node 'hd1' to r/o with copy-on-read enabled") + + # We can't remove hd2 while the stream job is ongoing + opts['backing']['backing'] = None + self.reopen(opts, {'backing.read-only': False}, "Cannot change 'backing' link from 'hd1' to 'hd2'") + + # We can detach hd1 from hd0 because it doesn't affect the stream job + opts['backing'] = None + self.reopen(opts) + + self.wait_until_completed(drive = 'stream0') + + # Reopen the chain during a block-commit job (from hd0 to hd2) + def test_block_commit_1(self): + # hd2 <- hd1 <- hd0 + opts = hd_opts(0) + opts['backing'] = hd_opts(1) + opts['backing']['backing'] = hd_opts(2) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + result = self.vm.qmp('block-commit', conv_keys = True, job_id = 'commit0', + device = 'hd0', speed = 1024 * 1024) + self.assert_qmp(result, 'return', {}) + + # We can't remove hd2 while the commit job is ongoing + opts['backing']['backing'] = None + self.reopen(opts, {}, "Cannot change 'backing' link from 'hd1' to 'hd2'") + + # We can't remove hd1 while the commit job is ongoing + opts['backing'] = None + self.reopen(opts, {}, "Cannot change 'backing' link from 'hd0' to 'hd1'") + + event = self.vm.event_wait(name='BLOCK_JOB_READY') + self.assert_qmp(event, 'data/device', 'commit0') + self.assert_qmp(event, 'data/type', 'commit') + self.assert_qmp_absent(event, 'data/error') + + result = self.vm.qmp('block-job-complete', device='commit0') + self.assert_qmp(result, 'return', {}) + + self.wait_until_completed(drive = 'commit0') + + # Reopen the chain during a block-commit job (from hd1 to hd2) + def test_block_commit_2(self): + # hd2 <- hd1 <- hd0 + opts = hd_opts(0) + opts['backing'] = hd_opts(1) + opts['backing']['backing'] = hd_opts(2) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + result = self.vm.qmp('block-commit', conv_keys = True, job_id = 'commit0', + device = 'hd0', top_node = 'hd1', speed = 1024 * 1024) + self.assert_qmp(result, 'return', {}) + + # We can't remove hd2 while the commit job is ongoing + opts['backing']['backing'] = None + self.reopen(opts, {}, "Cannot change the option 'backing.driver'") + + # We can't remove hd1 while the commit job is ongoing + opts['backing'] = None + self.reopen(opts, {}, "Cannot change backing link if 'hd0' has an implicit backing file") + + # hd2 <- hd0 + self.wait_until_completed(drive = 'commit0') + + self.assert_qmp(self.get_node('hd0'), 'ro', False) + self.assertEqual(self.get_node('hd1'), None) + self.assert_qmp(self.get_node('hd2'), 'ro', True) + + # We don't allow setting a backing file that uses a different AioContext + def test_iothreads(self): + opts = hd_opts(0) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts) + self.assert_qmp(result, 'return', {}) + + opts2 = hd_opts(2) + result = self.vm.qmp('blockdev-add', conv_keys = False, **opts2) + self.assert_qmp(result, 'return', {}) + + result = self.vm.qmp('object-add', qom_type='iothread', id='iothread0') + self.assert_qmp(result, 'return', {}) + + result = self.vm.qmp('object-add', qom_type='iothread', id='iothread1') + self.assert_qmp(result, 'return', {}) + + result = self.vm.qmp('x-blockdev-set-iothread', node_name='hd0', iothread='iothread0') + self.assert_qmp(result, 'return', {}) + + self.reopen(opts, {'backing': 'hd2'}, "Cannot use a new backing file with a different AioContext") + + result = self.vm.qmp('x-blockdev-set-iothread', node_name='hd2', iothread='iothread1') + self.assert_qmp(result, 'return', {}) + + self.reopen(opts, {'backing': 'hd2'}, "Cannot use a new backing file with a different AioContext") + + result = self.vm.qmp('x-blockdev-set-iothread', node_name='hd2', iothread='iothread0') + self.assert_qmp(result, 'return', {}) + + self.reopen(opts, {'backing': 'hd2'}) + +if __name__ == '__main__': + iotests.main(supported_fmts=["qcow2"]) diff --git a/tests/qemu-iotests/245.out b/tests/qemu-iotests/245.out new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/tests/qemu-iotests/245.out @@ -XXX,XX +XXX,XX @@ +.................. +---------------------------------------------------------------------- +Ran 18 tests + +OK diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group index XXXXXXX..XXXXXXX 100644 --- a/tests/qemu-iotests/group +++ b/tests/qemu-iotests/group @@ -XXX,XX +XXX,XX @@ 242 rw auto quick 243 rw auto quick 244 rw auto quick +245 rw auto -- 2.20.1 The following changes since commit ccdf06c1db192152ac70a1dd974c624f566cb7d4: Open 6.1 development tree (2021-04-30 11:15:40 +0100) are available in the Git repository at: git://repo.or.cz/qemu/kevin.git tags/for-upstream for you to fetch changes up to 68bf7336533faa6aa90fdd4558edddbf5d8ef814: vhost-user-blk: Fail gracefully on too large queue size (2021-04-30 12:27:48 +0200) ---------------------------------------------------------------- Block layer patches - Fix permission update order problems with block graph changes - qemu-img convert: Unshare write permission for source - vhost-user-blk: Fail gracefully on too large queue size ---------------------------------------------------------------- Kevin Wolf (3): block: Add BDRV_O_NO_SHARE for blk_new_open() qemu-img convert: Unshare write permission for source vhost-user-blk: Fail gracefully on too large queue size Vladimir Sementsov-Ogievskiy (36): tests/test-bdrv-graph-mod: add test_parallel_exclusive_write tests/test-bdrv-graph-mod: add test_parallel_perm_update tests/test-bdrv-graph-mod: add test_append_greedy_filter block: bdrv_append(): don't consume reference block: BdrvChildClass: add .get_parent_aio_context handler block: drop ctx argument from bdrv_root_attach_child block: make bdrv_reopen_{prepare,commit,abort} private util: add transactions.c block: bdrv_refresh_perms: check for parents permissions conflict block: refactor bdrv_child* permission functions block: rewrite bdrv_child_try_set_perm() using bdrv_refresh_perms() block: inline bdrv_child_*() permission functions calls block: use topological sort for permission update block: add bdrv_drv_set_perm transaction action block: add bdrv_list_* permission update functions block: add bdrv_replace_child_safe() transaction action block: fix bdrv_replace_node_common block: add bdrv_attach_child_common() transaction action block: add bdrv_attach_child_noperm() transaction action block: split out bdrv_replace_node_noperm() block: adapt bdrv_append() for inserting filters block: add bdrv_remove_filter_or_cow transaction action block: introduce bdrv_drop_filter() block/backup-top: drop .active block: drop ignore_children for permission update functions block: make bdrv_unset_inherits_from to be a transaction action block: make bdrv_refresh_limits() to be a transaction action block: add bdrv_set_backing_noperm() transaction action block: bdrv_reopen_multiple(): move bdrv_flush to separate pre-prepare block: bdrv_reopen_multiple: refresh permissions on updated graph block: drop unused permission update functions block: inline bdrv_check_perm_common() block: inline bdrv_replace_child() block: refactor bdrv_child_set_perm_safe() transaction action block: rename bdrv_replace_child_safe() to bdrv_replace_child() block: refactor bdrv_node_check_perm() include/block/block.h | 14 +- include/block/block_int.h | 8 +- include/qemu/transactions.h | 63 ++ block.c | 1329 ++++++++++++++++++++------------- block/backup-top.c | 48 +- block/block-backend.c | 30 +- block/commit.c | 1 + block/file-posix.c | 91 +-- block/io.c | 31 +- block/mirror.c | 3 - blockdev.c | 4 - blockjob.c | 11 +- hw/block/vhost-user-blk.c | 5 + qemu-img.c | 2 +- tests/unit/test-bdrv-drain.c | 2 +- tests/unit/test-bdrv-graph-mod.c | 209 +++++- util/transactions.c | 96 +++ MAINTAINERS | 6 + tests/qemu-iotests/245 | 2 +- tests/qemu-iotests/283.out | 2 +- tests/qemu-iotests/tests/qsd-jobs.out | 2 +- util/meson.build | 1 + 22 files changed, 1280 insertions(+), 680 deletions(-) create mode 100644 include/qemu/transactions.h create mode 100644 util/transactions.c From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Add the test that shows that concept of ignore_children is incomplete. Actually, when we want to update something, ignoring permission of some existing BdrvChild, we should ignore also the propagated effect of this child to the other children. But that's not done. Better approach (update permissions on already updated graph) will be implemented later. Now the test fails, so it's added with -d argument to not break make check. Test fails with "Conflicts with use by fl1 as 'backing', which does not allow 'write' on base" because when updating permissions we can ignore original top->fl1 BdrvChild. But we don't ignore exclusive write permission in fl1->base BdrvChild, which is propagated. Correct thing to do is make graph change first and then do permission update from the top node. To run test do ./test-bdrv-graph-mod -d -p /bdrv-graph-mod/parallel-exclusive-write from <build-directory>/tests. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-2-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- tests/unit/test-bdrv-graph-mod.c | 70 +++++++++++++++++++++++++++++++- 1 file changed, 69 insertions(+), 1 deletion(-) diff --git a/tests/unit/test-bdrv-graph-mod.c b/tests/unit/test-bdrv-graph-mod.c index XXXXXXX..XXXXXXX 100644 --- a/tests/unit/test-bdrv-graph-mod.c +++ b/tests/unit/test-bdrv-graph-mod.c @@ -XXX,XX +XXX,XX @@ /* * Block node graph modifications tests * - * Copyright (c) 2019 Virtuozzo International GmbH. All rights reserved. + * Copyright (c) 2019-2021 Virtuozzo International GmbH. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -XXX,XX +XXX,XX @@ static BlockDriver bdrv_no_perm = { .bdrv_child_perm = no_perm_default_perms, }; +static void exclusive_write_perms(BlockDriverState *bs, BdrvChild *c, + BdrvChildRole role, + BlockReopenQueue *reopen_queue, + uint64_t perm, uint64_t shared, + uint64_t *nperm, uint64_t *nshared) +{ + *nperm = BLK_PERM_WRITE; + *nshared = BLK_PERM_ALL & ~BLK_PERM_WRITE; +} + +static BlockDriver bdrv_exclusive_writer = { + .format_name = "exclusive-writer", + .bdrv_child_perm = exclusive_write_perms, +}; + static BlockDriverState *no_perm_node(const char *name) { return bdrv_new_open_driver(&bdrv_no_perm, name, BDRV_O_RDWR, &error_abort); @@ -XXX,XX +XXX,XX @@ static BlockDriverState *pass_through_node(const char *name) BDRV_O_RDWR, &error_abort); } +static BlockDriverState *exclusive_writer_node(const char *name) +{ + return bdrv_new_open_driver(&bdrv_exclusive_writer, name, + BDRV_O_RDWR, &error_abort); +} + /* * test_update_perm_tree * @@ -XXX,XX +XXX,XX @@ static void test_should_update_child(void) blk_unref(root); } +/* + * test_parallel_exclusive_write + * + * Check that when we replace node, old permissions of the node being removed + * doesn't break the replacement. + */ +static void test_parallel_exclusive_write(void) +{ + BlockDriverState *top = exclusive_writer_node("top"); + BlockDriverState *base = no_perm_node("base"); + BlockDriverState *fl1 = pass_through_node("fl1"); + BlockDriverState *fl2 = pass_through_node("fl2"); + + /* + * bdrv_attach_child() eats child bs reference, so we need two @base + * references for two filters: + */ + bdrv_ref(base); + + bdrv_attach_child(top, fl1, "backing", &child_of_bds, BDRV_CHILD_DATA, + &error_abort); + bdrv_attach_child(fl1, base, "backing", &child_of_bds, BDRV_CHILD_FILTERED, + &error_abort); + bdrv_attach_child(fl2, base, "backing", &child_of_bds, BDRV_CHILD_FILTERED, + &error_abort); + + bdrv_replace_node(fl1, fl2, &error_abort); + + bdrv_unref(fl2); + bdrv_unref(top); +} + int main(int argc, char *argv[]) { + int i; + bool debug = false; + + for (i = 1; i < argc; i++) { + if (!strcmp(argv[i], "-d")) { + debug = true; + break; + } + } + bdrv_init(); qemu_init_main_loop(&error_abort); @@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[]) g_test_add_func("/bdrv-graph-mod/should-update-child", test_should_update_child); + if (debug) { + g_test_add_func("/bdrv-graph-mod/parallel-exclusive-write", + test_parallel_exclusive_write); + } + return g_test_run(); } -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Add test to show that simple DFS recursion order is not correct for permission update. Correct order is topological-sort order, which will be introduced later. Consider the block driver which has two filter children: one active with exclusive write access and one inactive with no specific permissions. And, these two children has a common base child, like this: ┌─────┐ ┌──────┐ │ fl2 │ ◀── │ top │ └─────┘ └──────┘ │ │ │ │ w │ ▼ │ ┌──────┐ │ │ fl1 │ │ └──────┘ │ │ │ │ w │ ▼ │ ┌──────┐ └───────▶ │ base │ └──────┘ So, exclusive write is propagated. Assume, we want to make fl2 active instead of fl1. So, we set some option for top driver and do permission update. If permission update (remember, it's DFS) goes first through top->fl1->base branch it will succeed: it firstly drop exclusive write permissions and than apply them for another BdrvChildren. But if permission update goes first through top->fl2->base branch it will fail, as when we try to update fl2->base child, old not yet updated fl1->base child will be in conflict. Now test fails, so it runs only with -d flag. To run do ./test-bdrv-graph-mod -d -p /bdrv-graph-mod/parallel-perm-update from <build-directory>/tests. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-3-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- tests/unit/test-bdrv-graph-mod.c | 116 +++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) diff --git a/tests/unit/test-bdrv-graph-mod.c b/tests/unit/test-bdrv-graph-mod.c index XXXXXXX..XXXXXXX 100644 --- a/tests/unit/test-bdrv-graph-mod.c +++ b/tests/unit/test-bdrv-graph-mod.c @@ -XXX,XX +XXX,XX @@ static void test_parallel_exclusive_write(void) bdrv_unref(top); } +static void write_to_file_perms(BlockDriverState *bs, BdrvChild *c, + BdrvChildRole role, + BlockReopenQueue *reopen_queue, + uint64_t perm, uint64_t shared, + uint64_t *nperm, uint64_t *nshared) +{ + if (bs->file && c == bs->file) { + *nperm = BLK_PERM_WRITE; + *nshared = BLK_PERM_ALL & ~BLK_PERM_WRITE; + } else { + *nperm = 0; + *nshared = BLK_PERM_ALL; + } +} + +static BlockDriver bdrv_write_to_file = { + .format_name = "tricky-perm", + .bdrv_child_perm = write_to_file_perms, +}; + + +/* + * The following test shows that topological-sort order is required for + * permission update, simple DFS is not enough. + * + * Consider the block driver which has two filter children: one active + * with exclusive write access and one inactive with no specific + * permissions. + * + * And, these two children has a common base child, like this: + * + * ┌─────┐ ┌──────┐ + * │ fl2 │ ◀── │ top │ + * └─────┘ └──────┘ + * │ │ + * │ │ w + * │ ▼ + * │ ┌──────┐ + * │ │ fl1 │ + * │ └──────┘ + * │ │ + * │ │ w + * │ ▼ + * │ ┌──────┐ + * └───────▶ │ base │ + * └──────┘ + * + * So, exclusive write is propagated. + * + * Assume, we want to make fl2 active instead of fl1. + * So, we set some option for top driver and do permission update. + * + * With simple DFS, if permission update goes first through + * top->fl1->base branch it will succeed: it firstly drop exclusive write + * permissions and than apply them for another BdrvChildren. + * But if permission update goes first through top->fl2->base branch it + * will fail, as when we try to update fl2->base child, old not yet + * updated fl1->base child will be in conflict. + * + * With topological-sort order we always update parents before children, so fl1 + * and fl2 are both updated when we update base and there is no conflict. + */ +static void test_parallel_perm_update(void) +{ + BlockDriverState *top = no_perm_node("top"); + BlockDriverState *tricky = + bdrv_new_open_driver(&bdrv_write_to_file, "tricky", BDRV_O_RDWR, + &error_abort); + BlockDriverState *base = no_perm_node("base"); + BlockDriverState *fl1 = pass_through_node("fl1"); + BlockDriverState *fl2 = pass_through_node("fl2"); + BdrvChild *c_fl1, *c_fl2; + + /* + * bdrv_attach_child() eats child bs reference, so we need two @base + * references for two filters: + */ + bdrv_ref(base); + + bdrv_attach_child(top, tricky, "file", &child_of_bds, BDRV_CHILD_DATA, + &error_abort); + c_fl1 = bdrv_attach_child(tricky, fl1, "first", &child_of_bds, + BDRV_CHILD_FILTERED, &error_abort); + c_fl2 = bdrv_attach_child(tricky, fl2, "second", &child_of_bds, + BDRV_CHILD_FILTERED, &error_abort); + bdrv_attach_child(fl1, base, "backing", &child_of_bds, BDRV_CHILD_FILTERED, + &error_abort); + bdrv_attach_child(fl2, base, "backing", &child_of_bds, BDRV_CHILD_FILTERED, + &error_abort); + + /* Select fl1 as first child to be active */ + tricky->file = c_fl1; + bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort); + + assert(c_fl1->perm & BLK_PERM_WRITE); + assert(!(c_fl2->perm & BLK_PERM_WRITE)); + + /* Now, try to switch active child and update permissions */ + tricky->file = c_fl2; + bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort); + + assert(c_fl2->perm & BLK_PERM_WRITE); + assert(!(c_fl1->perm & BLK_PERM_WRITE)); + + /* Switch once more, to not care about real child order in the list */ + tricky->file = c_fl1; + bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort); + + assert(c_fl1->perm & BLK_PERM_WRITE); + assert(!(c_fl2->perm & BLK_PERM_WRITE)); + + bdrv_unref(top); +} + int main(int argc, char *argv[]) { int i; @@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[]) if (debug) { g_test_add_func("/bdrv-graph-mod/parallel-exclusive-write", test_parallel_exclusive_write); + g_test_add_func("/bdrv-graph-mod/parallel-perm-update", + test_parallel_perm_update); } return g_test_run(); -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> bdrv_append() is not quite good for inserting filters: it does extra permission update in intermediate state, where filter get it filtered child but is not yet replace it in a backing chain. Some filters (for example backup-top) may want permissions even when have no parents. And described intermediate state becomes invalid. That's (half a) reason, why we need "inactive" state for backup-top filter. bdrv_append() will be improved later, now let's add a unit test. Now test fails, so it runs only with -d flag. To run do ./test-bdrv-graph-mod -d -p /bdrv-graph-mod/append-greedy-filter from <build-directory>/tests. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-4-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- tests/unit/test-bdrv-graph-mod.c | 33 ++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/tests/unit/test-bdrv-graph-mod.c b/tests/unit/test-bdrv-graph-mod.c index XXXXXXX..XXXXXXX 100644 --- a/tests/unit/test-bdrv-graph-mod.c +++ b/tests/unit/test-bdrv-graph-mod.c @@ -XXX,XX +XXX,XX @@ static void test_parallel_perm_update(void) bdrv_unref(top); } +/* + * It's possible that filter required permissions allows to insert it to backing + * chain, like: + * + * 1. [top] -> [filter] -> [base] + * + * but doesn't allow to add it as a branch: + * + * 2. [filter] --\ + * v + * [top] -> [base] + * + * So, inserting such filter should do all graph modifications and only then + * update permissions. If we try to go through intermediate state [2] and update + * permissions on it we'll fail. + * + * Let's check that bdrv_append() can append such a filter. + */ +static void test_append_greedy_filter(void) +{ + BlockDriverState *top = exclusive_writer_node("top"); + BlockDriverState *base = no_perm_node("base"); + BlockDriverState *fl = exclusive_writer_node("fl1"); + + bdrv_attach_child(top, base, "backing", &child_of_bds, BDRV_CHILD_COW, + &error_abort); + + bdrv_append(fl, base, &error_abort); + bdrv_unref(top); +} + int main(int argc, char *argv[]) { int i; @@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[]) test_parallel_exclusive_write); g_test_add_func("/bdrv-graph-mod/parallel-perm-update", test_parallel_perm_update); + g_test_add_func("/bdrv-graph-mod/append-greedy-filter", + test_append_greedy_filter); } return g_test_run(); -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> We have too much comments for this feature. It seems better just don't do it. Most of real users (tests don't count) have to create additional reference. Drop also comment in external_snapshot_prepare: - bdrv_append doesn't "remove" old bs in common sense, it sounds strange - the fact that bdrv_append can fail is obvious from the context - the fact that we must rollback all changes in transaction abort is known (it's the direct role of abort) Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-5-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 25 +++---------------------- block/backup-top.c | 1 - block/commit.c | 1 + block/mirror.c | 3 --- blockdev.c | 4 ---- tests/unit/test-bdrv-drain.c | 2 +- tests/unit/test-bdrv-graph-mod.c | 3 +++ 7 files changed, 8 insertions(+), 31 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static BlockDriverState *bdrv_append_temp_snapshot(BlockDriverState *bs, goto out; } - /* bdrv_append() consumes a strong reference to bs_snapshot - * (i.e. it will call bdrv_unref() on it) even on error, so in - * order to be able to return one, we have to increase - * bs_snapshot's refcount here */ - bdrv_ref(bs_snapshot); ret = bdrv_append(bs_snapshot, bs, errp); if (ret < 0) { bs_snapshot = NULL; @@ -XXX,XX +XXX,XX @@ int bdrv_replace_node(BlockDriverState *from, BlockDriverState *to, * bs_new must not be attached to a BlockBackend. * * This function does not create any image files. - * - * bdrv_append() takes ownership of a bs_new reference and unrefs it because - * that's what the callers commonly need. bs_new will be referenced by the old - * parents of bs_top after bdrv_append() returns. If the caller needs to keep a - * reference of its own, it must call bdrv_ref(). */ int bdrv_append(BlockDriverState *bs_new, BlockDriverState *bs_top, Error **errp) { int ret = bdrv_set_backing_hd(bs_new, bs_top, errp); if (ret < 0) { - goto out; + return ret; } ret = bdrv_replace_node(bs_top, bs_new, errp); if (ret < 0) { bdrv_set_backing_hd(bs_new, NULL, &error_abort); - goto out; + return ret; } - ret = 0; - -out: - /* - * bs_new is now referenced by its new parents, we don't need the - * additional reference any more. - */ - bdrv_unref(bs_new); - - return ret; + return 0; } static void bdrv_delete(BlockDriverState *bs) diff --git a/block/backup-top.c b/block/backup-top.c index XXXXXXX..XXXXXXX 100644 --- a/block/backup-top.c +++ b/block/backup-top.c @@ -XXX,XX +XXX,XX @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source, bdrv_drained_begin(source); - bdrv_ref(top); ret = bdrv_append(top, source, errp); if (ret < 0) { error_prepend(errp, "Cannot append backup-top filter: "); diff --git a/block/commit.c b/block/commit.c index XXXXXXX..XXXXXXX 100644 --- a/block/commit.c +++ b/block/commit.c @@ -XXX,XX +XXX,XX @@ void commit_start(const char *job_id, BlockDriverState *bs, commit_top_bs->total_sectors = top->total_sectors; ret = bdrv_append(commit_top_bs, top, errp); + bdrv_unref(commit_top_bs); /* referenced by new parents or failed */ if (ret < 0) { commit_top_bs = NULL; goto fail; diff --git a/block/mirror.c b/block/mirror.c index XXXXXXX..XXXXXXX 100644 --- a/block/mirror.c +++ b/block/mirror.c @@ -XXX,XX +XXX,XX @@ static BlockJob *mirror_start_job( bs_opaque->is_commit = target_is_backing; - /* bdrv_append takes ownership of the mirror_top_bs reference, need to keep - * it alive until block_job_create() succeeds even if bs has no parent. */ - bdrv_ref(mirror_top_bs); bdrv_drained_begin(bs); ret = bdrv_append(mirror_top_bs, bs, errp); bdrv_drained_end(bs); diff --git a/blockdev.c b/blockdev.c index XXXXXXX..XXXXXXX 100644 --- a/blockdev.c +++ b/blockdev.c @@ -XXX,XX +XXX,XX @@ static void external_snapshot_prepare(BlkActionState *common, goto out; } - /* This removes our old bs and adds the new bs. This is an operation that - * can fail, so we need to do it in .prepare; undoing it for abort is - * always possible. */ - bdrv_ref(state->new_bs); ret = bdrv_append(state->new_bs, state->old_bs, errp); if (ret < 0) { goto out; diff --git a/tests/unit/test-bdrv-drain.c b/tests/unit/test-bdrv-drain.c index XXXXXXX..XXXXXXX 100644 --- a/tests/unit/test-bdrv-drain.c +++ b/tests/unit/test-bdrv-drain.c @@ -XXX,XX +XXX,XX @@ static void test_append_to_drained(void) g_assert_cmpint(base_s->drain_count, ==, 1); g_assert_cmpint(base->in_flight, ==, 0); - /* Takes ownership of overlay, so we don't have to unref it later */ bdrv_append(overlay, base, &error_abort); g_assert_cmpint(base->in_flight, ==, 0); g_assert_cmpint(overlay->in_flight, ==, 0); @@ -XXX,XX +XXX,XX @@ static void test_append_to_drained(void) g_assert_cmpint(overlay->quiesce_counter, ==, 0); g_assert_cmpint(overlay_s->drain_count, ==, 0); + bdrv_unref(overlay); bdrv_unref(base); blk_unref(blk); } diff --git a/tests/unit/test-bdrv-graph-mod.c b/tests/unit/test-bdrv-graph-mod.c index XXXXXXX..XXXXXXX 100644 --- a/tests/unit/test-bdrv-graph-mod.c +++ b/tests/unit/test-bdrv-graph-mod.c @@ -XXX,XX +XXX,XX @@ static void test_update_perm_tree(void) ret = bdrv_append(filter, bs, NULL); g_assert_cmpint(ret, <, 0); + bdrv_unref(filter); blk_unref(root); } @@ -XXX,XX +XXX,XX @@ static void test_should_update_child(void) bdrv_append(filter, bs, &error_abort); g_assert(target->backing->bs == bs); + bdrv_unref(filter); bdrv_unref(bs); blk_unref(root); } @@ -XXX,XX +XXX,XX @@ static void test_append_greedy_filter(void) &error_abort); bdrv_append(fl, base, &error_abort); + bdrv_unref(fl); bdrv_unref(top); } -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Add new handler to get aio context and implement it in all child classes. Add corresponding public interface to be used soon. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-6-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 2 ++ include/block/block_int.h | 2 ++ block.c | 13 +++++++++++++ block/block-backend.c | 9 +++++++++ blockjob.c | 8 ++++++++ 5 files changed, 34 insertions(+) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ bool bdrv_child_can_set_aio_context(BdrvChild *c, AioContext *ctx, GSList **ignore, Error **errp); bool bdrv_can_set_aio_context(BlockDriverState *bs, AioContext *ctx, GSList **ignore, Error **errp); +AioContext *bdrv_child_get_parent_aio_context(BdrvChild *c); + int bdrv_probe_blocksizes(BlockDriverState *bs, BlockSizes *bsz); int bdrv_probe_geometry(BlockDriverState *bs, HDGeometry *geo); diff --git a/include/block/block_int.h b/include/block/block_int.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block_int.h +++ b/include/block/block_int.h @@ -XXX,XX +XXX,XX @@ struct BdrvChildClass { bool (*can_set_aio_ctx)(BdrvChild *child, AioContext *ctx, GSList **ignore, Error **errp); void (*set_aio_ctx)(BdrvChild *child, AioContext *ctx, GSList **ignore); + + AioContext *(*get_parent_aio_context)(BdrvChild *child); }; extern const BdrvChildClass child_of_bds; diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static int bdrv_child_cb_update_filename(BdrvChild *c, BlockDriverState *base, return 0; } +static AioContext *bdrv_child_cb_get_parent_aio_context(BdrvChild *c) +{ + BlockDriverState *bs = c->opaque; + + return bdrv_get_aio_context(bs); +} + const BdrvChildClass child_of_bds = { .parent_is_bds = true, .get_parent_desc = bdrv_child_get_parent_desc, @@ -XXX,XX +XXX,XX @@ const BdrvChildClass child_of_bds = { .can_set_aio_ctx = bdrv_child_cb_can_set_aio_ctx, .set_aio_ctx = bdrv_child_cb_set_aio_ctx, .update_filename = bdrv_child_cb_update_filename, + .get_parent_aio_context = bdrv_child_cb_get_parent_aio_context, }; +AioContext *bdrv_child_get_parent_aio_context(BdrvChild *c) +{ + return c->klass->get_parent_aio_context(c); +} + static int bdrv_open_flags(BlockDriverState *bs, int flags) { int open_flags = flags; diff --git a/block/block-backend.c b/block/block-backend.c index XXXXXXX..XXXXXXX 100644 --- a/block/block-backend.c +++ b/block/block-backend.c @@ -XXX,XX +XXX,XX @@ static void blk_root_detach(BdrvChild *child) } } +static AioContext *blk_root_get_parent_aio_context(BdrvChild *c) +{ + BlockBackend *blk = c->opaque; + + return blk_get_aio_context(blk); +} + static const BdrvChildClass child_root = { .inherit_options = blk_root_inherit_options, @@ -XXX,XX +XXX,XX @@ static const BdrvChildClass child_root = { .can_set_aio_ctx = blk_root_can_set_aio_ctx, .set_aio_ctx = blk_root_set_aio_ctx, + + .get_parent_aio_context = blk_root_get_parent_aio_context, }; /* diff --git a/blockjob.c b/blockjob.c index XXXXXXX..XXXXXXX 100644 --- a/blockjob.c +++ b/blockjob.c @@ -XXX,XX +XXX,XX @@ static void child_job_set_aio_ctx(BdrvChild *c, AioContext *ctx, job->job.aio_context = ctx; } +static AioContext *child_job_get_parent_aio_context(BdrvChild *c) +{ + BlockJob *job = c->opaque; + + return job->job.aio_context; +} + static const BdrvChildClass child_job = { .get_parent_desc = child_job_get_parent_desc, .drained_begin = child_job_drained_begin, @@ -XXX,XX +XXX,XX @@ static const BdrvChildClass child_job = { .can_set_aio_ctx = child_job_can_set_aio_ctx, .set_aio_ctx = child_job_set_aio_ctx, .stay_at_node = true, + .get_parent_aio_context = child_job_get_parent_aio_context, }; void block_job_remove_all_bdrv(BlockJob *job) -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Passing parent aio context is redundant, as child_class and parent opaque pointer are enough to retrieve it. Drop the argument and use new bdrv_child_get_parent_aio_context() interface. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-7-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block_int.h | 1 - block.c | 8 +++++--- block/block-backend.c | 4 ++-- blockjob.c | 3 +-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/block/block_int.h b/include/block/block_int.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block_int.h +++ b/include/block/block_int.h @@ -XXX,XX +XXX,XX @@ BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs, const char *child_name, const BdrvChildClass *child_class, BdrvChildRole child_role, - AioContext *ctx, uint64_t perm, uint64_t shared_perm, void *opaque, Error **errp); void bdrv_root_unref_child(BdrvChild *child); diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs, const char *child_name, const BdrvChildClass *child_class, BdrvChildRole child_role, - AioContext *ctx, uint64_t perm, uint64_t shared_perm, void *opaque, Error **errp) { BdrvChild *child; Error *local_err = NULL; int ret; + AioContext *ctx; ret = bdrv_check_update_perm(child_bs, NULL, perm, shared_perm, NULL, errp); if (ret < 0) { @@ -XXX,XX +XXX,XX @@ BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs, .opaque = opaque, }; + ctx = bdrv_child_get_parent_aio_context(child); + /* If the AioContexts don't match, first try to move the subtree of * child_bs into the AioContext of the new parent. If this doesn't work, * try moving the parent into the AioContext of child_bs instead. */ @@ -XXX,XX +XXX,XX @@ BdrvChild *bdrv_attach_child(BlockDriverState *parent_bs, perm, shared_perm, &perm, &shared_perm); child = bdrv_root_attach_child(child_bs, child_name, child_class, - child_role, bdrv_get_aio_context(parent_bs), - perm, shared_perm, parent_bs, errp); + child_role, perm, shared_perm, parent_bs, + errp); if (child == NULL) { return NULL; } diff --git a/block/block-backend.c b/block/block-backend.c index XXXXXXX..XXXXXXX 100644 --- a/block/block-backend.c +++ b/block/block-backend.c @@ -XXX,XX +XXX,XX @@ BlockBackend *blk_new_open(const char *filename, const char *reference, blk->root = bdrv_root_attach_child(bs, "root", &child_root, BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY, - blk->ctx, perm, BLK_PERM_ALL, blk, errp); + perm, BLK_PERM_ALL, blk, errp); if (!blk->root) { blk_unref(blk); return NULL; @@ -XXX,XX +XXX,XX @@ int blk_insert_bs(BlockBackend *blk, BlockDriverState *bs, Error **errp) bdrv_ref(bs); blk->root = bdrv_root_attach_child(bs, "root", &child_root, BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY, - blk->ctx, blk->perm, blk->shared_perm, + blk->perm, blk->shared_perm, blk, errp); if (blk->root == NULL) { return -EPERM; diff --git a/blockjob.c b/blockjob.c index XXXXXXX..XXXXXXX 100644 --- a/blockjob.c +++ b/blockjob.c @@ -XXX,XX +XXX,XX @@ int block_job_add_bdrv(BlockJob *job, const char *name, BlockDriverState *bs, if (need_context_ops && job->job.aio_context != qemu_get_aio_context()) { aio_context_release(job->job.aio_context); } - c = bdrv_root_attach_child(bs, name, &child_job, 0, - job->job.aio_context, perm, shared_perm, job, + c = bdrv_root_attach_child(bs, name, &child_job, 0, perm, shared_perm, job, errp); if (need_context_ops && job->job.aio_context != qemu_get_aio_context()) { aio_context_acquire(job->job.aio_context); -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> These functions are called only from bdrv_reopen_multiple() in block.c. No reason to publish them. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-8-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 4 ---- block.c | 13 +++++++++---- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ BlockReopenQueue *bdrv_reopen_queue(BlockReopenQueue *bs_queue, int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp); int bdrv_reopen_set_read_only(BlockDriverState *bs, bool read_only, Error **errp); -int bdrv_reopen_prepare(BDRVReopenState *reopen_state, - BlockReopenQueue *queue, Error **errp); -void bdrv_reopen_commit(BDRVReopenState *reopen_state); -void bdrv_reopen_abort(BDRVReopenState *reopen_state); int bdrv_pwrite_zeroes(BdrvChild *child, int64_t offset, int64_t bytes, BdrvRequestFlags flags); int bdrv_make_zero(BdrvChild *child, BdrvRequestFlags flags); diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static BlockDriverState *bdrv_open_inherit(const char *filename, BdrvChildRole child_role, Error **errp); +static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue + *queue, Error **errp); +static void bdrv_reopen_commit(BDRVReopenState *reopen_state); +static void bdrv_reopen_abort(BDRVReopenState *reopen_state); + /* If non-zero, use only whitelisted block drivers */ static int use_bdrv_whitelist; @@ -XXX,XX +XXX,XX @@ static int bdrv_reopen_parse_backing(BDRVReopenState *reopen_state, * commit() for any other BDS that have been left in a prepare() state * */ -int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, - Error **errp) +static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, + BlockReopenQueue *queue, Error **errp) { int ret = -1; int old_flags; @@ -XXX,XX +XXX,XX @@ error: * makes them final by swapping the staging BlockDriverState contents into * the active BlockDriverState contents. */ -void bdrv_reopen_commit(BDRVReopenState *reopen_state) +static void bdrv_reopen_commit(BDRVReopenState *reopen_state) { BlockDriver *drv; BlockDriverState *bs; @@ -XXX,XX +XXX,XX @@ void bdrv_reopen_commit(BDRVReopenState *reopen_state) * Abort the reopen, and delete and free the staged changes in * reopen_state */ -void bdrv_reopen_abort(BDRVReopenState *reopen_state) +static void bdrv_reopen_abort(BDRVReopenState *reopen_state) { BlockDriver *drv; -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Add simple transaction API to use in further update of block graph operations. Supposed usage is: - "prepare" is main function of the action and it should make the main effect of the action to be visible for the following actions, keeping possibility of roll-back, saving necessary things in action state, which is prepended to the action list (to do that, prepare func should call tran_add()). So, driver struct doesn't include "prepare" field, as it is supposed to be called directly. - commit/rollback is supposed to be called for the list of action states, to commit/rollback all the actions in reverse order - When possible "commit" should not make visible effect for other actions, which make possible transparent logical interaction between actions. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-9-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/qemu/transactions.h | 63 ++++++++++++++++++++++++ util/transactions.c | 96 +++++++++++++++++++++++++++++++++++++ MAINTAINERS | 6 +++ util/meson.build | 1 + 4 files changed, 166 insertions(+) create mode 100644 include/qemu/transactions.h create mode 100644 util/transactions.c diff --git a/include/qemu/transactions.h b/include/qemu/transactions.h new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/include/qemu/transactions.h @@ -XXX,XX +XXX,XX @@ +/* + * Simple transactions API + * + * Copyright (c) 2021 Virtuozzo International GmbH. + * + * Author: + * Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + * = Generic transaction API = + * + * The intended usage is the following: you create "prepare" functions, which + * represents the actions. They will usually have Transaction* argument, and + * call tran_add() to register finalization callbacks. For finalization + * callbacks, prepare corresponding TransactionActionDrv structures. + * + * Then, when you need to make a transaction, create an empty Transaction by + * tran_create(), call your "prepare" functions on it, and finally call + * tran_abort() or tran_commit() to finalize the transaction by corresponding + * finalization actions in reverse order. + */ + +#ifndef QEMU_TRANSACTIONS_H +#define QEMU_TRANSACTIONS_H + +#include <gmodule.h> + +typedef struct TransactionActionDrv { + void (*abort)(void *opaque); + void (*commit)(void *opaque); + void (*clean)(void *opaque); +} TransactionActionDrv; + +typedef struct Transaction Transaction; + +Transaction *tran_new(void); +void tran_add(Transaction *tran, TransactionActionDrv *drv, void *opaque); +void tran_abort(Transaction *tran); +void tran_commit(Transaction *tran); + +static inline void tran_finalize(Transaction *tran, int ret) +{ + if (ret < 0) { + tran_abort(tran); + } else { + tran_commit(tran); + } +} + +#endif /* QEMU_TRANSACTIONS_H */ diff --git a/util/transactions.c b/util/transactions.c new file mode 100644 index XXXXXXX..XXXXXXX --- /dev/null +++ b/util/transactions.c @@ -XXX,XX +XXX,XX @@ +/* + * Simple transactions API + * + * Copyright (c) 2021 Virtuozzo International GmbH. + * + * Author: + * Sementsov-Ogievskiy Vladimir <vsementsov@virtuozzo.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "qemu/osdep.h" + +#include "qemu/transactions.h" +#include "qemu/queue.h" + +typedef struct TransactionAction { + TransactionActionDrv *drv; + void *opaque; + QSLIST_ENTRY(TransactionAction) entry; +} TransactionAction; + +struct Transaction { + QSLIST_HEAD(, TransactionAction) actions; +}; + +Transaction *tran_new(void) +{ + Transaction *tran = g_new(Transaction, 1); + + QSLIST_INIT(&tran->actions); + + return tran; +} + +void tran_add(Transaction *tran, TransactionActionDrv *drv, void *opaque) +{ + TransactionAction *act; + + act = g_new(TransactionAction, 1); + *act = (TransactionAction) { + .drv = drv, + .opaque = opaque + }; + + QSLIST_INSERT_HEAD(&tran->actions, act, entry); +} + +void tran_abort(Transaction *tran) +{ + TransactionAction *act, *next; + + QSLIST_FOREACH_SAFE(act, &tran->actions, entry, next) { + if (act->drv->abort) { + act->drv->abort(act->opaque); + } + + if (act->drv->clean) { + act->drv->clean(act->opaque); + } + + g_free(act); + } + + g_free(tran); +} + +void tran_commit(Transaction *tran) +{ + TransactionAction *act, *next; + + QSLIST_FOREACH_SAFE(act, &tran->actions, entry, next) { + if (act->drv->commit) { + act->drv->commit(act->opaque); + } + + if (act->drv->clean) { + act->drv->clean(act->opaque); + } + + g_free(act); + } + + g_free(tran); +} diff --git a/MAINTAINERS b/MAINTAINERS index XXXXXXX..XXXXXXX 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -XXX,XX +XXX,XX @@ M: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> S: Maintained F: scripts/simplebench/ +Transactions helper +M: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> +S: Maintained +F: include/qemu/transactions.h +F: util/transactions.c + QAPI M: Markus Armbruster <armbru@redhat.com> M: Michael Roth <michael.roth@amd.com> diff --git a/util/meson.build b/util/meson.build index XXXXXXX..XXXXXXX 100644 --- a/util/meson.build +++ b/util/meson.build @@ -XXX,XX +XXX,XX @@ util_ss.add(files('qsp.c')) util_ss.add(files('range.c')) util_ss.add(files('stats64.c')) util_ss.add(files('systemd.c')) +util_ss.add(files('transactions.c')) util_ss.add(when: 'CONFIG_POSIX', if_true: files('drm.c')) util_ss.add(files('guest-random.c')) util_ss.add(files('yank.c')) -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Add additional check that node parents do not interfere with each other. This should not hurt existing callers and allows in further patch use bdrv_refresh_perms() to update a subtree of changed BdrvChild (check that change is correct). New check will substitute bdrv_check_update_perm() in following permissions refactoring, so keep error messages the same to avoid unit test result changes. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-10-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 54 insertions(+), 9 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ bool bdrv_is_writable(BlockDriverState *bs) return bdrv_is_writable_after_reopen(bs, NULL); } +static char *bdrv_child_user_desc(BdrvChild *c) +{ + if (c->klass->get_parent_desc) { + return c->klass->get_parent_desc(c); + } + + return g_strdup("another user"); +} + +static bool bdrv_a_allow_b(BdrvChild *a, BdrvChild *b, Error **errp) +{ + g_autofree char *user = NULL; + g_autofree char *perm_names = NULL; + + if ((b->perm & a->shared_perm) == b->perm) { + return true; + } + + perm_names = bdrv_perm_names(b->perm & ~a->shared_perm); + user = bdrv_child_user_desc(a); + error_setg(errp, "Conflicts with use by %s as '%s', which does not " + "allow '%s' on %s", + user, a->name, perm_names, bdrv_get_node_name(b->bs)); + + return false; +} + +static bool bdrv_parent_perms_conflict(BlockDriverState *bs, Error **errp) +{ + BdrvChild *a, *b; + + /* + * During the loop we'll look at each pair twice. That's correct because + * bdrv_a_allow_b() is asymmetric and we should check each pair in both + * directions. + */ + QLIST_FOREACH(a, &bs->parents, next_parent) { + QLIST_FOREACH(b, &bs->parents, next_parent) { + if (a == b) { + continue; + } + + if (!bdrv_a_allow_b(a, b, errp)) { + return true; + } + } + } + + return false; +} + static void bdrv_child_perm(BlockDriverState *bs, BlockDriverState *child_bs, BdrvChild *c, BdrvChildRole role, BlockReopenQueue *reopen_queue, @@ -XXX,XX +XXX,XX @@ void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm, *shared_perm = cumulative_shared_perms; } -static char *bdrv_child_user_desc(BdrvChild *c) -{ - if (c->klass->get_parent_desc) { - return c->klass->get_parent_desc(c); - } - - return g_strdup("another user"); -} - char *bdrv_perm_names(uint64_t perm) { struct perm_name { @@ -XXX,XX +XXX,XX @@ static int bdrv_refresh_perms(BlockDriverState *bs, Error **errp) int ret; uint64_t perm, shared_perm; + if (bdrv_parent_perms_conflict(bs, errp)) { + return -EPERM; + } bdrv_get_cumulative_perm(bs, &perm, &shared_perm); ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, errp); if (ret < 0) { -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Split out non-recursive parts, and refactor as block graph transaction action. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-11-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 79 ++++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 59 insertions(+), 20 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ #include "qemu/timer.h" #include "qemu/cutils.h" #include "qemu/id.h" +#include "qemu/transactions.h" #include "block/coroutines.h" #ifdef CONFIG_BSD @@ -XXX,XX +XXX,XX @@ static void bdrv_child_perm(BlockDriverState *bs, BlockDriverState *child_bs, } } +static void bdrv_child_set_perm_commit(void *opaque) +{ + BdrvChild *c = opaque; + + c->has_backup_perm = false; +} + +static void bdrv_child_set_perm_abort(void *opaque) +{ + BdrvChild *c = opaque; + /* + * We may have child->has_backup_perm unset at this point, as in case of + * _check_ stage of permission update failure we may _check_ not the whole + * subtree. Still, _abort_ is called on the whole subtree anyway. + */ + if (c->has_backup_perm) { + c->perm = c->backup_perm; + c->shared_perm = c->backup_shared_perm; + c->has_backup_perm = false; + } +} + +static TransactionActionDrv bdrv_child_set_pem_drv = { + .abort = bdrv_child_set_perm_abort, + .commit = bdrv_child_set_perm_commit, +}; + +/* + * With tran=NULL needs to be followed by direct call to either + * bdrv_child_set_perm_commit() or bdrv_child_set_perm_abort(). + * + * With non-NULL tran needs to be followed by tran_abort() or tran_commit() + * instead. + */ +static void bdrv_child_set_perm_safe(BdrvChild *c, uint64_t perm, + uint64_t shared, Transaction *tran) +{ + if (!c->has_backup_perm) { + c->has_backup_perm = true; + c->backup_perm = c->perm; + c->backup_shared_perm = c->shared_perm; + } + /* + * Note: it's OK if c->has_backup_perm was already set, as we can find the + * same c twice during check_perm procedure + */ + + c->perm = perm; + c->shared_perm = shared; + + if (tran) { + tran_add(tran, &bdrv_child_set_pem_drv, c); + } +} + /* * Check whether permissions on this node can be changed in a way that * @cumulative_perms and @cumulative_shared_perms are the new cumulative @@ -XXX,XX +XXX,XX @@ static int bdrv_child_check_perm(BdrvChild *c, BlockReopenQueue *q, return ret; } - if (!c->has_backup_perm) { - c->has_backup_perm = true; - c->backup_perm = c->perm; - c->backup_shared_perm = c->shared_perm; - } - /* - * Note: it's OK if c->has_backup_perm was already set, as we can find the - * same child twice during check_perm procedure - */ - - c->perm = perm; - c->shared_perm = shared; + bdrv_child_set_perm_safe(c, perm, shared, NULL); return 0; } static void bdrv_child_set_perm(BdrvChild *c) { - c->has_backup_perm = false; - + bdrv_child_set_perm_commit(c); bdrv_set_perm(c->bs); } static void bdrv_child_abort_perm_update(BdrvChild *c) { - if (c->has_backup_perm) { - c->perm = c->backup_perm; - c->shared_perm = c->backup_shared_perm; - c->has_backup_perm = false; - } - + bdrv_child_set_perm_abort(c); bdrv_abort_perm_update(c->bs); } -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> We are going to drop recursive bdrv_child_* functions, so stop use them in bdrv_child_try_set_perm() as a first step. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-12-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared, Error **errp) { Error *local_err = NULL; + Transaction *tran = tran_new(); int ret; - ret = bdrv_child_check_perm(c, NULL, perm, shared, NULL, &local_err); + bdrv_child_set_perm_safe(c, perm, shared, tran); + + ret = bdrv_refresh_perms(c->bs, &local_err); + + tran_finalize(tran, ret); + if (ret < 0) { - bdrv_child_abort_perm_update(c); if ((perm & ~c->perm) || (c->shared_perm & ~shared)) { /* tighten permissions */ error_propagate(errp, local_err); @@ -XXX,XX +XXX,XX @@ int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared, error_free(local_err); ret = 0; } - return ret; } - bdrv_child_set_perm(c); - - return 0; + return ret; } int bdrv_child_refresh_perms(BlockDriverState *bs, BdrvChild *c, Error **errp) -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Each of them has only one caller. Open-coding simplifies further pemission-update system changes. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-13-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 59 +++++++++++++++++---------------------------------------- 1 file changed, 17 insertions(+), 42 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static int bdrv_fill_options(QDict **options, const char *filename, return 0; } -static int bdrv_child_check_perm(BdrvChild *c, BlockReopenQueue *q, - uint64_t perm, uint64_t shared, - GSList *ignore_children, Error **errp); -static void bdrv_child_abort_perm_update(BdrvChild *c); -static void bdrv_child_set_perm(BdrvChild *c); +static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q, + uint64_t new_used_perm, + uint64_t new_shared_perm, + GSList *ignore_children, + Error **errp); typedef struct BlockReopenQueueEntry { bool prepared; @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, /* Check all children */ QLIST_FOREACH(c, &bs->children, next) { uint64_t cur_perm, cur_shared; + GSList *cur_ignore_children; bdrv_child_perm(bs, c->bs, c, c->role, q, cumulative_perms, cumulative_shared_perms, &cur_perm, &cur_shared); - ret = bdrv_child_check_perm(c, q, cur_perm, cur_shared, ignore_children, - errp); + + cur_ignore_children = g_slist_prepend(g_slist_copy(ignore_children), c); + ret = bdrv_check_update_perm(c->bs, q, cur_perm, cur_shared, + cur_ignore_children, errp); + g_slist_free(cur_ignore_children); if (ret < 0) { return ret; } + + bdrv_child_set_perm_safe(c, cur_perm, cur_shared, NULL); } return 0; @@ -XXX,XX +XXX,XX @@ static void bdrv_abort_perm_update(BlockDriverState *bs) } QLIST_FOREACH(c, &bs->children, next) { - bdrv_child_abort_perm_update(c); + bdrv_child_set_perm_abort(c); + bdrv_abort_perm_update(c->bs); } } @@ -XXX,XX +XXX,XX @@ static void bdrv_set_perm(BlockDriverState *bs) /* Update all children */ QLIST_FOREACH(c, &bs->children, next) { - bdrv_child_set_perm(c); + bdrv_child_set_perm_commit(c); + bdrv_set_perm(c->bs); } } @@ -XXX,XX +XXX,XX @@ static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q, ignore_children, errp); } -/* Needs to be followed by a call to either bdrv_child_set_perm() or - * bdrv_child_abort_perm_update(). */ -static int bdrv_child_check_perm(BdrvChild *c, BlockReopenQueue *q, - uint64_t perm, uint64_t shared, - GSList *ignore_children, Error **errp) -{ - int ret; - - ignore_children = g_slist_prepend(g_slist_copy(ignore_children), c); - ret = bdrv_check_update_perm(c->bs, q, perm, shared, ignore_children, errp); - g_slist_free(ignore_children); - - if (ret < 0) { - return ret; - } - - bdrv_child_set_perm_safe(c, perm, shared, NULL); - - return 0; -} - -static void bdrv_child_set_perm(BdrvChild *c) -{ - bdrv_child_set_perm_commit(c); - bdrv_set_perm(c->bs); -} - -static void bdrv_child_abort_perm_update(BdrvChild *c) -{ - bdrv_child_set_perm_abort(c); - bdrv_abort_perm_update(c->bs); -} - static int bdrv_refresh_perms(BlockDriverState *bs, Error **errp) { int ret; -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Rewrite bdrv_check_perm(), bdrv_abort_perm_update() and bdrv_set_perm() to update nodes in topological sort order instead of simple DFS. With topologically sorted nodes, we update a node only when all its parents already updated. With DFS it's not so. Consider the following example: A -+ | | | v | B | | v | C<-+ A is parent for B and C, B is parent for C. Obviously, to update permissions, we should go in order A B C, so, when we update C, all parent permissions already updated. But with current approach (simple recursion) we can update in sequence A C B C (C is updated twice). On first update of C, we consider old B permissions, so doing wrong thing. If it succeed, all is OK, on second C update we will finish with correct graph. But if the wrong thing failed, we break the whole process for no reason (it's possible that updated B permission will be less strict, but we will never check it). Also new approach gives a way to simultaneously and correctly update several nodes, we just need to run bdrv_topological_dfs() several times to add all nodes and their subtrees into one topologically sorted list (next patch will update bdrv_replace_node() in this manner). Test test_parallel_perm_update() is now passing, so move it out of debugging "if". We also need to support ignore_children in bdrv_parent_perms_conflict() For test 283 order of conflicting parents check is changed. Note also that in bdrv_check_perm() we don't check for parents conflict at root bs, as we may be in the middle of permission update in bdrv_reopen_multiple(). bdrv_reopen_multiple() will be updated soon. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-14-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 116 +++++++++++++++++++++++++------ tests/unit/test-bdrv-graph-mod.c | 4 +- tests/qemu-iotests/283.out | 2 +- 3 files changed, 99 insertions(+), 23 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static bool bdrv_a_allow_b(BdrvChild *a, BdrvChild *b, Error **errp) return false; } -static bool bdrv_parent_perms_conflict(BlockDriverState *bs, Error **errp) +static bool bdrv_parent_perms_conflict(BlockDriverState *bs, + GSList *ignore_children, + Error **errp) { BdrvChild *a, *b; @@ -XXX,XX +XXX,XX @@ static bool bdrv_parent_perms_conflict(BlockDriverState *bs, Error **errp) * directions. */ QLIST_FOREACH(a, &bs->parents, next_parent) { + if (g_slist_find(ignore_children, a)) { + continue; + } + QLIST_FOREACH(b, &bs->parents, next_parent) { - if (a == b) { + if (a == b || g_slist_find(ignore_children, b)) { continue; } @@ -XXX,XX +XXX,XX @@ static void bdrv_child_perm(BlockDriverState *bs, BlockDriverState *child_bs, } } +/* + * Adds the whole subtree of @bs (including @bs itself) to the @list (except for + * nodes that are already in the @list, of course) so that final list is + * topologically sorted. Return the result (GSList @list object is updated, so + * don't use old reference after function call). + * + * On function start @list must be already topologically sorted and for any node + * in the @list the whole subtree of the node must be in the @list as well. The + * simplest way to satisfy this criteria: use only result of + * bdrv_topological_dfs() or NULL as @list parameter. + */ +static GSList *bdrv_topological_dfs(GSList *list, GHashTable *found, + BlockDriverState *bs) +{ + BdrvChild *child; + g_autoptr(GHashTable) local_found = NULL; + + if (!found) { + assert(!list); + found = local_found = g_hash_table_new(NULL, NULL); + } + + if (g_hash_table_contains(found, bs)) { + return list; + } + g_hash_table_add(found, bs); + + QLIST_FOREACH(child, &bs->children, next) { + list = bdrv_topological_dfs(list, found, child->bs); + } + + return g_slist_prepend(list, bs); +} + static void bdrv_child_set_perm_commit(void *opaque) { BdrvChild *c = opaque; @@ -XXX,XX +XXX,XX @@ static void bdrv_child_set_perm_safe(BdrvChild *c, uint64_t perm, * A call to this function must always be followed by a call to bdrv_set_perm() * or bdrv_abort_perm_update(). */ -static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, - uint64_t cumulative_perms, - uint64_t cumulative_shared_perms, - GSList *ignore_children, Error **errp) +static int bdrv_node_check_perm(BlockDriverState *bs, BlockReopenQueue *q, + uint64_t cumulative_perms, + uint64_t cumulative_shared_perms, + GSList *ignore_children, Error **errp) { BlockDriver *drv = bs->drv; BdrvChild *c; @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, /* Check all children */ QLIST_FOREACH(c, &bs->children, next) { uint64_t cur_perm, cur_shared; - GSList *cur_ignore_children; bdrv_child_perm(bs, c->bs, c, c->role, q, cumulative_perms, cumulative_shared_perms, &cur_perm, &cur_shared); + bdrv_child_set_perm_safe(c, cur_perm, cur_shared, NULL); + } + + return 0; +} + +static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, + uint64_t cumulative_perms, + uint64_t cumulative_shared_perms, + GSList *ignore_children, Error **errp) +{ + int ret; + BlockDriverState *root = bs; + g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, root); - cur_ignore_children = g_slist_prepend(g_slist_copy(ignore_children), c); - ret = bdrv_check_update_perm(c->bs, q, cur_perm, cur_shared, - cur_ignore_children, errp); - g_slist_free(cur_ignore_children); + for ( ; list; list = list->next) { + bs = list->data; + + if (bs != root) { + if (bdrv_parent_perms_conflict(bs, ignore_children, errp)) { + return -EINVAL; + } + + bdrv_get_cumulative_perm(bs, &cumulative_perms, + &cumulative_shared_perms); + } + + ret = bdrv_node_check_perm(bs, q, cumulative_perms, + cumulative_shared_perms, + ignore_children, errp); if (ret < 0) { return ret; } - - bdrv_child_set_perm_safe(c, cur_perm, cur_shared, NULL); } return 0; @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, * Notifies drivers that after a previous bdrv_check_perm() call, the * permission update is not performed and any preparations made for it (e.g. * taken file locks) need to be undone. - * - * This function recursively notifies all child nodes. */ -static void bdrv_abort_perm_update(BlockDriverState *bs) +static void bdrv_node_abort_perm_update(BlockDriverState *bs) { BlockDriver *drv = bs->drv; BdrvChild *c; @@ -XXX,XX +XXX,XX @@ static void bdrv_abort_perm_update(BlockDriverState *bs) QLIST_FOREACH(c, &bs->children, next) { bdrv_child_set_perm_abort(c); - bdrv_abort_perm_update(c->bs); } } -static void bdrv_set_perm(BlockDriverState *bs) +static void bdrv_abort_perm_update(BlockDriverState *bs) +{ + g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); + + for ( ; list; list = list->next) { + bdrv_node_abort_perm_update((BlockDriverState *)list->data); + } +} + +static void bdrv_node_set_perm(BlockDriverState *bs) { uint64_t cumulative_perms, cumulative_shared_perms; BlockDriver *drv = bs->drv; @@ -XXX,XX +XXX,XX @@ static void bdrv_set_perm(BlockDriverState *bs) /* Update all children */ QLIST_FOREACH(c, &bs->children, next) { bdrv_child_set_perm_commit(c); - bdrv_set_perm(c->bs); + } +} + +static void bdrv_set_perm(BlockDriverState *bs) +{ + g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); + + for ( ; list; list = list->next) { + bdrv_node_set_perm((BlockDriverState *)list->data); } } @@ -XXX,XX +XXX,XX @@ static int bdrv_refresh_perms(BlockDriverState *bs, Error **errp) int ret; uint64_t perm, shared_perm; - if (bdrv_parent_perms_conflict(bs, errp)) { + if (bdrv_parent_perms_conflict(bs, NULL, errp)) { return -EPERM; } bdrv_get_cumulative_perm(bs, &perm, &shared_perm); diff --git a/tests/unit/test-bdrv-graph-mod.c b/tests/unit/test-bdrv-graph-mod.c index XXXXXXX..XXXXXXX 100644 --- a/tests/unit/test-bdrv-graph-mod.c +++ b/tests/unit/test-bdrv-graph-mod.c @@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[]) g_test_add_func("/bdrv-graph-mod/update-perm-tree", test_update_perm_tree); g_test_add_func("/bdrv-graph-mod/should-update-child", test_should_update_child); + g_test_add_func("/bdrv-graph-mod/parallel-perm-update", + test_parallel_perm_update); if (debug) { g_test_add_func("/bdrv-graph-mod/parallel-exclusive-write", test_parallel_exclusive_write); - g_test_add_func("/bdrv-graph-mod/parallel-perm-update", - test_parallel_perm_update); g_test_add_func("/bdrv-graph-mod/append-greedy-filter", test_append_greedy_filter); } diff --git a/tests/qemu-iotests/283.out b/tests/qemu-iotests/283.out index XXXXXXX..XXXXXXX 100644 --- a/tests/qemu-iotests/283.out +++ b/tests/qemu-iotests/283.out @@ -XXX,XX +XXX,XX @@ {"execute": "blockdev-add", "arguments": {"driver": "blkdebug", "image": "base", "node-name": "other", "take-child-perms": ["write"]}} {"return": {}} {"execute": "blockdev-backup", "arguments": {"device": "source", "sync": "full", "target": "target"}} -{"error": {"class": "GenericError", "desc": "Cannot set permissions for backup-top filter: Conflicts with use by other as 'image', which uses 'write' on base"}} +{"error": {"class": "GenericError", "desc": "Cannot set permissions for backup-top filter: Conflicts with use by source as 'image', which does not allow 'write' on base"}} === backup-top should be gone after job-finalize === -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Refactor calling driver callbacks to a separate transaction action to be used later. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-15-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 70 ++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 54 insertions(+), 16 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static void bdrv_child_set_perm_safe(BdrvChild *c, uint64_t perm, } } +static void bdrv_drv_set_perm_commit(void *opaque) +{ + BlockDriverState *bs = opaque; + uint64_t cumulative_perms, cumulative_shared_perms; + + if (bs->drv->bdrv_set_perm) { + bdrv_get_cumulative_perm(bs, &cumulative_perms, + &cumulative_shared_perms); + bs->drv->bdrv_set_perm(bs, cumulative_perms, cumulative_shared_perms); + } +} + +static void bdrv_drv_set_perm_abort(void *opaque) +{ + BlockDriverState *bs = opaque; + + if (bs->drv->bdrv_abort_perm_update) { + bs->drv->bdrv_abort_perm_update(bs); + } +} + +TransactionActionDrv bdrv_drv_set_perm_drv = { + .abort = bdrv_drv_set_perm_abort, + .commit = bdrv_drv_set_perm_commit, +}; + +static int bdrv_drv_set_perm(BlockDriverState *bs, uint64_t perm, + uint64_t shared_perm, Transaction *tran, + Error **errp) +{ + if (!bs->drv) { + return 0; + } + + if (bs->drv->bdrv_check_perm) { + int ret = bs->drv->bdrv_check_perm(bs, perm, shared_perm, errp); + if (ret < 0) { + return ret; + } + } + + if (tran) { + tran_add(tran, &bdrv_drv_set_perm_drv, bs); + } + + return 0; +} + /* * Check whether permissions on this node can be changed in a way that * @cumulative_perms and @cumulative_shared_perms are the new cumulative @@ -XXX,XX +XXX,XX @@ static int bdrv_node_check_perm(BlockDriverState *bs, BlockReopenQueue *q, return 0; } - if (drv->bdrv_check_perm) { - ret = drv->bdrv_check_perm(bs, cumulative_perms, - cumulative_shared_perms, errp); - if (ret < 0) { - return ret; - } + ret = bdrv_drv_set_perm(bs, cumulative_perms, cumulative_shared_perms, NULL, + errp); + if (ret < 0) { + return ret; } /* Drivers that never have children can omit .bdrv_child_perm() */ @@ -XXX,XX +XXX,XX @@ static void bdrv_node_abort_perm_update(BlockDriverState *bs) return; } - if (drv->bdrv_abort_perm_update) { - drv->bdrv_abort_perm_update(bs); - } + bdrv_drv_set_perm_abort(bs); QLIST_FOREACH(c, &bs->children, next) { bdrv_child_set_perm_abort(c); @@ -XXX,XX +XXX,XX @@ static void bdrv_abort_perm_update(BlockDriverState *bs) static void bdrv_node_set_perm(BlockDriverState *bs) { - uint64_t cumulative_perms, cumulative_shared_perms; BlockDriver *drv = bs->drv; BdrvChild *c; @@ -XXX,XX +XXX,XX @@ static void bdrv_node_set_perm(BlockDriverState *bs) return; } - bdrv_get_cumulative_perm(bs, &cumulative_perms, &cumulative_shared_perms); - - /* Update this node */ - if (drv->bdrv_set_perm) { - drv->bdrv_set_perm(bs, cumulative_perms, cumulative_shared_perms); - } + bdrv_drv_set_perm_commit(bs); /* Drivers that never have children can omit .bdrv_child_perm() */ if (!drv->bdrv_child_perm) { -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Add new interface, allowing use of existing node list. It will be used to fix bdrv_replace_node() in the further commit. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-16-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 106 +++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 71 insertions(+), 35 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static int bdrv_drv_set_perm(BlockDriverState *bs, uint64_t perm, static int bdrv_node_check_perm(BlockDriverState *bs, BlockReopenQueue *q, uint64_t cumulative_perms, uint64_t cumulative_shared_perms, - GSList *ignore_children, Error **errp) + GSList *ignore_children, + Transaction *tran, Error **errp) { BlockDriver *drv = bs->drv; BdrvChild *c; @@ -XXX,XX +XXX,XX @@ static int bdrv_node_check_perm(BlockDriverState *bs, BlockReopenQueue *q, return 0; } - ret = bdrv_drv_set_perm(bs, cumulative_perms, cumulative_shared_perms, NULL, + ret = bdrv_drv_set_perm(bs, cumulative_perms, cumulative_shared_perms, tran, errp); if (ret < 0) { return ret; @@ -XXX,XX +XXX,XX @@ static int bdrv_node_check_perm(BlockDriverState *bs, BlockReopenQueue *q, bdrv_child_perm(bs, c->bs, c, c->role, q, cumulative_perms, cumulative_shared_perms, &cur_perm, &cur_shared); - bdrv_child_set_perm_safe(c, cur_perm, cur_shared, NULL); + bdrv_child_set_perm_safe(c, cur_perm, cur_shared, tran); } return 0; } -static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, - uint64_t cumulative_perms, - uint64_t cumulative_shared_perms, - GSList *ignore_children, Error **errp) +/* + * If use_cumulative_perms is true, use cumulative_perms and + * cumulative_shared_perms for first element of the list. Otherwise just refresh + * all permissions. + */ +static int bdrv_check_perm_common(GSList *list, BlockReopenQueue *q, + bool use_cumulative_perms, + uint64_t cumulative_perms, + uint64_t cumulative_shared_perms, + GSList *ignore_children, + Transaction *tran, Error **errp) { int ret; - BlockDriverState *root = bs; - g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, root); + BlockDriverState *bs; - for ( ; list; list = list->next) { + if (use_cumulative_perms) { bs = list->data; - if (bs != root) { - if (bdrv_parent_perms_conflict(bs, ignore_children, errp)) { - return -EINVAL; - } + ret = bdrv_node_check_perm(bs, q, cumulative_perms, + cumulative_shared_perms, + ignore_children, tran, errp); + if (ret < 0) { + return ret; + } - bdrv_get_cumulative_perm(bs, &cumulative_perms, - &cumulative_shared_perms); + list = list->next; + } + + for ( ; list; list = list->next) { + bs = list->data; + + if (bdrv_parent_perms_conflict(bs, ignore_children, errp)) { + return -EINVAL; } + bdrv_get_cumulative_perm(bs, &cumulative_perms, + &cumulative_shared_perms); + ret = bdrv_node_check_perm(bs, q, cumulative_perms, cumulative_shared_perms, - ignore_children, errp); + ignore_children, tran, errp); if (ret < 0) { return ret; } @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, return 0; } +static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, + uint64_t cumulative_perms, + uint64_t cumulative_shared_perms, + GSList *ignore_children, Error **errp) +{ + g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); + return bdrv_check_perm_common(list, q, true, cumulative_perms, + cumulative_shared_perms, ignore_children, + NULL, errp); +} + +static int bdrv_list_refresh_perms(GSList *list, BlockReopenQueue *q, + Transaction *tran, Error **errp) +{ + return bdrv_check_perm_common(list, q, false, 0, 0, NULL, tran, errp); +} + /* * Notifies drivers that after a previous bdrv_check_perm() call, the * permission update is not performed and any preparations made for it (e.g. @@ -XXX,XX +XXX,XX @@ static void bdrv_node_abort_perm_update(BlockDriverState *bs) } } -static void bdrv_abort_perm_update(BlockDriverState *bs) +static void bdrv_list_abort_perm_update(GSList *list) { - g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); - for ( ; list; list = list->next) { bdrv_node_abort_perm_update((BlockDriverState *)list->data); } } +static void bdrv_abort_perm_update(BlockDriverState *bs) +{ + g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); + return bdrv_list_abort_perm_update(list); +} + static void bdrv_node_set_perm(BlockDriverState *bs) { BlockDriver *drv = bs->drv; @@ -XXX,XX +XXX,XX @@ static void bdrv_node_set_perm(BlockDriverState *bs) } } -static void bdrv_set_perm(BlockDriverState *bs) +static void bdrv_list_set_perm(GSList *list) { - g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); - for ( ; list; list = list->next) { bdrv_node_set_perm((BlockDriverState *)list->data); } } +static void bdrv_set_perm(BlockDriverState *bs) +{ + g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); + return bdrv_list_set_perm(list); +} + void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm, uint64_t *shared_perm) { @@ -XXX,XX +XXX,XX @@ static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q, static int bdrv_refresh_perms(BlockDriverState *bs, Error **errp) { int ret; - uint64_t perm, shared_perm; + Transaction *tran = tran_new(); + g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); - if (bdrv_parent_perms_conflict(bs, NULL, errp)) { - return -EPERM; - } - bdrv_get_cumulative_perm(bs, &perm, &shared_perm); - ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, errp); - if (ret < 0) { - bdrv_abort_perm_update(bs); - return ret; - } - bdrv_set_perm(bs); + ret = bdrv_list_refresh_perms(list, NULL, tran, errp); + tran_finalize(tran, ret); - return 0; + return ret; } int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared, -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> To be used in the following commit. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-17-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static BlockDriverState *bdrv_open_inherit(const char *filename, BdrvChildRole child_role, Error **errp); +static void bdrv_replace_child_noperm(BdrvChild *child, + BlockDriverState *new_bs); + static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, Error **errp); static void bdrv_reopen_commit(BDRVReopenState *reopen_state); @@ -XXX,XX +XXX,XX @@ static int bdrv_drv_set_perm(BlockDriverState *bs, uint64_t perm, return 0; } +typedef struct BdrvReplaceChildState { + BdrvChild *child; + BlockDriverState *old_bs; +} BdrvReplaceChildState; + +static void bdrv_replace_child_commit(void *opaque) +{ + BdrvReplaceChildState *s = opaque; + + bdrv_unref(s->old_bs); +} + +static void bdrv_replace_child_abort(void *opaque) +{ + BdrvReplaceChildState *s = opaque; + BlockDriverState *new_bs = s->child->bs; + + /* old_bs reference is transparently moved from @s to @s->child */ + bdrv_replace_child_noperm(s->child, s->old_bs); + bdrv_unref(new_bs); +} + +static TransactionActionDrv bdrv_replace_child_drv = { + .commit = bdrv_replace_child_commit, + .abort = bdrv_replace_child_abort, + .clean = g_free, +}; + +/* + * bdrv_replace_child_safe + * + * Note: real unref of old_bs is done only on commit. + */ +__attribute__((unused)) +static void bdrv_replace_child_safe(BdrvChild *child, BlockDriverState *new_bs, + Transaction *tran) +{ + BdrvReplaceChildState *s = g_new(BdrvReplaceChildState, 1); + *s = (BdrvReplaceChildState) { + .child = child, + .old_bs = child->bs, + }; + tran_add(tran, &bdrv_replace_child_drv, s); + + if (new_bs) { + bdrv_ref(new_bs); + } + bdrv_replace_child_noperm(child, new_bs); + /* old_bs reference is transparently moved from @child to @s */ +} + /* * Check whether permissions on this node can be changed in a way that * @cumulative_perms and @cumulative_shared_perms are the new cumulative -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> inore_children thing doesn't help to track all propagated permissions of children we want to ignore. The simplest way to correctly update permissions is update graph first and then do permission update. In this case we just referesh permissions for the whole subgraph (in topological-sort defined order) and everything is correctly calculated automatically without any ignore_children. So, refactor bdrv_replace_node_common to first do graph update and then refresh the permissions. Test test_parallel_exclusive_write() now pass, so move it out of debugging "if". Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-18-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 43 +++++++++++++------------------- tests/unit/test-bdrv-graph-mod.c | 4 +-- 2 files changed, 20 insertions(+), 27 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static TransactionActionDrv bdrv_replace_child_drv = { * * Note: real unref of old_bs is done only on commit. */ -__attribute__((unused)) static void bdrv_replace_child_safe(BdrvChild *child, BlockDriverState *new_bs, Transaction *tran) { @@ -XXX,XX +XXX,XX @@ static int bdrv_replace_node_common(BlockDriverState *from, bool auto_skip, Error **errp) { BdrvChild *c, *next; - GSList *list = NULL, *p; - uint64_t perm = 0, shared = BLK_PERM_ALL; + Transaction *tran = tran_new(); + g_autoptr(GHashTable) found = NULL; + g_autoptr(GSList) refresh_list = NULL; int ret; /* Make sure that @from doesn't go away until we have successfully attached @@ -XXX,XX +XXX,XX @@ static int bdrv_replace_node_common(BlockDriverState *from, assert(bdrv_get_aio_context(from) == bdrv_get_aio_context(to)); bdrv_drained_begin(from); - /* Put all parents into @list and calculate their cumulative permissions */ + /* + * Do the replacement without permission update. + * Replacement may influence the permissions, we should calculate new + * permissions based on new graph. If we fail, we'll roll-back the + * replacement. + */ QLIST_FOREACH_SAFE(c, &from->parents, next_parent, next) { assert(c->bs == from); if (!should_update_child(c, to)) { @@ -XXX,XX +XXX,XX @@ static int bdrv_replace_node_common(BlockDriverState *from, c->name, from->node_name); goto out; } - list = g_slist_prepend(list, c); - perm |= c->perm; - shared &= c->shared_perm; + bdrv_replace_child_safe(c, to, tran); } - /* Check whether the required permissions can be granted on @to, ignoring - * all BdrvChild in @list so that they can't block themselves. */ - ret = bdrv_check_update_perm(to, NULL, perm, shared, list, errp); - if (ret < 0) { - bdrv_abort_perm_update(to); - goto out; - } + found = g_hash_table_new(NULL, NULL); - /* Now actually perform the change. We performed the permission check for - * all elements of @list at once, so set the permissions all at once at the - * very end. */ - for (p = list; p != NULL; p = p->next) { - c = p->data; + refresh_list = bdrv_topological_dfs(refresh_list, found, to); + refresh_list = bdrv_topological_dfs(refresh_list, found, from); - bdrv_ref(to); - bdrv_replace_child_noperm(c, to); - bdrv_unref(from); + ret = bdrv_list_refresh_perms(refresh_list, NULL, tran, errp); + if (ret < 0) { + goto out; } - bdrv_set_perm(to); - ret = 0; out: - g_slist_free(list); + tran_finalize(tran, ret); + bdrv_drained_end(from); bdrv_unref(from); diff --git a/tests/unit/test-bdrv-graph-mod.c b/tests/unit/test-bdrv-graph-mod.c index XXXXXXX..XXXXXXX 100644 --- a/tests/unit/test-bdrv-graph-mod.c +++ b/tests/unit/test-bdrv-graph-mod.c @@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[]) test_should_update_child); g_test_add_func("/bdrv-graph-mod/parallel-perm-update", test_parallel_perm_update); + g_test_add_func("/bdrv-graph-mod/parallel-exclusive-write", + test_parallel_exclusive_write); if (debug) { - g_test_add_func("/bdrv-graph-mod/parallel-exclusive-write", - test_parallel_exclusive_write); g_test_add_func("/bdrv-graph-mod/append-greedy-filter", test_append_greedy_filter); } -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Split out no-perm part of bdrv_root_attach_child() into separate transaction action. bdrv_root_attach_child() now moves to new permission update paradigm: first update graph relations then update permissions. qsd-jobs test output updated. Seems now permission update goes in another order. Still, the test comment say that we only want to check that command doesn't crash, and it's still so. Error message is a bit misleading as it looks like job was added first. But actually in new paradigm of graph update we can't distinguish such things. We should update the error message, but let's not do it now. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Message-Id: <20210428151804.439460-19-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 190 ++++++++++++++++++-------- tests/qemu-iotests/tests/qsd-jobs.out | 2 +- 2 files changed, 137 insertions(+), 55 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs) } } -/* - * This function steals the reference to child_bs from the caller. - * That reference is later dropped by bdrv_root_unref_child(). - * - * On failure NULL is returned, errp is set and the reference to - * child_bs is also dropped. - * - * The caller must hold the AioContext lock @child_bs, but not that of @ctx - * (unless @child_bs is already in @ctx). - */ -BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs, - const char *child_name, - const BdrvChildClass *child_class, - BdrvChildRole child_role, - uint64_t perm, uint64_t shared_perm, - void *opaque, Error **errp) +static void bdrv_remove_empty_child(BdrvChild *child) { - BdrvChild *child; - Error *local_err = NULL; - int ret; - AioContext *ctx; + assert(!child->bs); + QLIST_SAFE_REMOVE(child, next); + g_free(child->name); + g_free(child); +} - ret = bdrv_check_update_perm(child_bs, NULL, perm, shared_perm, NULL, errp); - if (ret < 0) { - bdrv_abort_perm_update(child_bs); - bdrv_unref(child_bs); - return NULL; +typedef struct BdrvAttachChildCommonState { + BdrvChild **child; + AioContext *old_parent_ctx; + AioContext *old_child_ctx; +} BdrvAttachChildCommonState; + +static void bdrv_attach_child_common_abort(void *opaque) +{ + BdrvAttachChildCommonState *s = opaque; + BdrvChild *child = *s->child; + BlockDriverState *bs = child->bs; + + bdrv_replace_child_noperm(child, NULL); + + if (bdrv_get_aio_context(bs) != s->old_child_ctx) { + bdrv_try_set_aio_context(bs, s->old_child_ctx, &error_abort); } - child = g_new(BdrvChild, 1); - *child = (BdrvChild) { + if (bdrv_child_get_parent_aio_context(child) != s->old_parent_ctx) { + GSList *ignore = g_slist_prepend(NULL, child); + + child->klass->can_set_aio_ctx(child, s->old_parent_ctx, &ignore, + &error_abort); + g_slist_free(ignore); + ignore = g_slist_prepend(NULL, child); + child->klass->set_aio_ctx(child, s->old_parent_ctx, &ignore); + + g_slist_free(ignore); + } + + bdrv_unref(bs); + bdrv_remove_empty_child(child); + *s->child = NULL; +} + +static TransactionActionDrv bdrv_attach_child_common_drv = { + .abort = bdrv_attach_child_common_abort, + .clean = g_free, +}; + +/* + * Common part of attaching bdrv child to bs or to blk or to job + */ +static int bdrv_attach_child_common(BlockDriverState *child_bs, + const char *child_name, + const BdrvChildClass *child_class, + BdrvChildRole child_role, + uint64_t perm, uint64_t shared_perm, + void *opaque, BdrvChild **child, + Transaction *tran, Error **errp) +{ + BdrvChild *new_child; + AioContext *parent_ctx; + AioContext *child_ctx = bdrv_get_aio_context(child_bs); + + assert(child); + assert(*child == NULL); + + new_child = g_new(BdrvChild, 1); + *new_child = (BdrvChild) { .bs = NULL, .name = g_strdup(child_name), .klass = child_class, @@ -XXX,XX +XXX,XX @@ BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs, .opaque = opaque, }; - ctx = bdrv_child_get_parent_aio_context(child); - - /* If the AioContexts don't match, first try to move the subtree of + /* + * If the AioContexts don't match, first try to move the subtree of * child_bs into the AioContext of the new parent. If this doesn't work, - * try moving the parent into the AioContext of child_bs instead. */ - if (bdrv_get_aio_context(child_bs) != ctx) { - ret = bdrv_try_set_aio_context(child_bs, ctx, &local_err); + * try moving the parent into the AioContext of child_bs instead. + */ + parent_ctx = bdrv_child_get_parent_aio_context(new_child); + if (child_ctx != parent_ctx) { + Error *local_err = NULL; + int ret = bdrv_try_set_aio_context(child_bs, parent_ctx, &local_err); + if (ret < 0 && child_class->can_set_aio_ctx) { - GSList *ignore = g_slist_prepend(NULL, child); - ctx = bdrv_get_aio_context(child_bs); - if (child_class->can_set_aio_ctx(child, ctx, &ignore, NULL)) { + GSList *ignore = g_slist_prepend(NULL, new_child); + if (child_class->can_set_aio_ctx(new_child, child_ctx, &ignore, + NULL)) + { error_free(local_err); ret = 0; g_slist_free(ignore); - ignore = g_slist_prepend(NULL, child); - child_class->set_aio_ctx(child, ctx, &ignore); + ignore = g_slist_prepend(NULL, new_child); + child_class->set_aio_ctx(new_child, child_ctx, &ignore); } g_slist_free(ignore); } + if (ret < 0) { error_propagate(errp, local_err); - g_free(child); - bdrv_abort_perm_update(child_bs); - bdrv_unref(child_bs); - return NULL; + bdrv_remove_empty_child(new_child); + return ret; } } - /* This performs the matching bdrv_set_perm() for the above check. */ - bdrv_replace_child(child, child_bs); + bdrv_ref(child_bs); + bdrv_replace_child_noperm(new_child, child_bs); + *child = new_child; + + BdrvAttachChildCommonState *s = g_new(BdrvAttachChildCommonState, 1); + *s = (BdrvAttachChildCommonState) { + .child = child, + .old_parent_ctx = parent_ctx, + .old_child_ctx = child_ctx, + }; + tran_add(tran, &bdrv_attach_child_common_drv, s); + + return 0; +} + +static void bdrv_detach_child(BdrvChild *child) +{ + bdrv_replace_child(child, NULL); + bdrv_remove_empty_child(child); +} + +/* + * This function steals the reference to child_bs from the caller. + * That reference is later dropped by bdrv_root_unref_child(). + * + * On failure NULL is returned, errp is set and the reference to + * child_bs is also dropped. + * + * The caller must hold the AioContext lock @child_bs, but not that of @ctx + * (unless @child_bs is already in @ctx). + */ +BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs, + const char *child_name, + const BdrvChildClass *child_class, + BdrvChildRole child_role, + uint64_t perm, uint64_t shared_perm, + void *opaque, Error **errp) +{ + int ret; + BdrvChild *child = NULL; + Transaction *tran = tran_new(); + + ret = bdrv_attach_child_common(child_bs, child_name, child_class, + child_role, perm, shared_perm, opaque, + &child, tran, errp); + if (ret < 0) { + bdrv_unref(child_bs); + return NULL; + } + + ret = bdrv_refresh_perms(child_bs, errp); + tran_finalize(tran, ret); + + bdrv_unref(child_bs); return child; } @@ -XXX,XX +XXX,XX @@ BdrvChild *bdrv_attach_child(BlockDriverState *parent_bs, return child; } -static void bdrv_detach_child(BdrvChild *child) -{ - QLIST_SAFE_REMOVE(child, next); - - bdrv_replace_child(child, NULL); - - g_free(child->name); - g_free(child); -} - /* Callers must ensure that child->frozen is false. */ void bdrv_root_unref_child(BdrvChild *child) { diff --git a/tests/qemu-iotests/tests/qsd-jobs.out b/tests/qemu-iotests/tests/qsd-jobs.out index XXXXXXX..XXXXXXX 100644 --- a/tests/qemu-iotests/tests/qsd-jobs.out +++ b/tests/qemu-iotests/tests/qsd-jobs.out @@ -XXX,XX +XXX,XX @@ QMP_VERSION {"return": {}} {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "job0"}} {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "job0"}} -{"error": {"class": "GenericError", "desc": "Conflicts with use by a block device as 'root', which uses 'write' on fmt_base"}} +{"error": {"class": "GenericError", "desc": "Conflicts with use by stream job 'job0' as 'intermediate node', which does not allow 'write' on fmt_base"}} {"return": {}} {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "export1"}} *** done -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Split no-perm part of bdrv_attach_child as separate transaction action. It will be used in later commits. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-20-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 58 insertions(+), 13 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static BlockDriverState *bdrv_open_inherit(const char *filename, static void bdrv_replace_child_noperm(BdrvChild *child, BlockDriverState *new_bs); +static int bdrv_attach_child_noperm(BlockDriverState *parent_bs, + BlockDriverState *child_bs, + const char *child_name, + const BdrvChildClass *child_class, + BdrvChildRole child_role, + BdrvChild **child, + Transaction *tran, + Error **errp); static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, Error **errp); @@ -XXX,XX +XXX,XX @@ static int bdrv_attach_child_common(BlockDriverState *child_bs, return 0; } +static int bdrv_attach_child_noperm(BlockDriverState *parent_bs, + BlockDriverState *child_bs, + const char *child_name, + const BdrvChildClass *child_class, + BdrvChildRole child_role, + BdrvChild **child, + Transaction *tran, + Error **errp) +{ + int ret; + uint64_t perm, shared_perm; + + assert(parent_bs->drv); + + bdrv_get_cumulative_perm(parent_bs, &perm, &shared_perm); + bdrv_child_perm(parent_bs, child_bs, NULL, child_role, NULL, + perm, shared_perm, &perm, &shared_perm); + + ret = bdrv_attach_child_common(child_bs, child_name, child_class, + child_role, perm, shared_perm, parent_bs, + child, tran, errp); + if (ret < 0) { + return ret; + } + + QLIST_INSERT_HEAD(&parent_bs->children, *child, next); + /* + * child is removed in bdrv_attach_child_common_abort(), so don't care to + * abort this change separately. + */ + + return 0; +} + static void bdrv_detach_child(BdrvChild *child) { bdrv_replace_child(child, NULL); @@ -XXX,XX +XXX,XX @@ BdrvChild *bdrv_attach_child(BlockDriverState *parent_bs, BdrvChildRole child_role, Error **errp) { - BdrvChild *child; - uint64_t perm, shared_perm; - - bdrv_get_cumulative_perm(parent_bs, &perm, &shared_perm); + int ret; + BdrvChild *child = NULL; + Transaction *tran = tran_new(); - assert(parent_bs->drv); - bdrv_child_perm(parent_bs, child_bs, NULL, child_role, NULL, - perm, shared_perm, &perm, &shared_perm); + ret = bdrv_attach_child_noperm(parent_bs, child_bs, child_name, child_class, + child_role, &child, tran, errp); + if (ret < 0) { + goto out; + } - child = bdrv_root_attach_child(child_bs, child_name, child_class, - child_role, perm, shared_perm, parent_bs, - errp); - if (child == NULL) { - return NULL; + ret = bdrv_refresh_perms(parent_bs, errp); + if (ret < 0) { + goto out; } - QLIST_INSERT_HEAD(&parent_bs->children, child, next); +out: + tran_finalize(tran, ret); + + bdrv_unref(child_bs); + return child; } -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Split part of bdrv_replace_node_common() to be used separately. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-21-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 50 +++++++++++++++++++++++++++++++------------------- 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static bool should_update_child(BdrvChild *c, BlockDriverState *to) return ret; } +static int bdrv_replace_node_noperm(BlockDriverState *from, + BlockDriverState *to, + bool auto_skip, Transaction *tran, + Error **errp) +{ + BdrvChild *c, *next; + + QLIST_FOREACH_SAFE(c, &from->parents, next_parent, next) { + assert(c->bs == from); + if (!should_update_child(c, to)) { + if (auto_skip) { + continue; + } + error_setg(errp, "Should not change '%s' link to '%s'", + c->name, from->node_name); + return -EINVAL; + } + if (c->frozen) { + error_setg(errp, "Cannot change '%s' link to '%s'", + c->name, from->node_name); + return -EPERM; + } + bdrv_replace_child_safe(c, to, tran); + } + + return 0; +} + /* * With auto_skip=true bdrv_replace_node_common skips updating from parents * if it creates a parent-child relation loop or if parent is block-job. @@ -XXX,XX +XXX,XX @@ static int bdrv_replace_node_common(BlockDriverState *from, BlockDriverState *to, bool auto_skip, Error **errp) { - BdrvChild *c, *next; Transaction *tran = tran_new(); g_autoptr(GHashTable) found = NULL; g_autoptr(GSList) refresh_list = NULL; @@ -XXX,XX +XXX,XX @@ static int bdrv_replace_node_common(BlockDriverState *from, * permissions based on new graph. If we fail, we'll roll-back the * replacement. */ - QLIST_FOREACH_SAFE(c, &from->parents, next_parent, next) { - assert(c->bs == from); - if (!should_update_child(c, to)) { - if (auto_skip) { - continue; - } - ret = -EINVAL; - error_setg(errp, "Should not change '%s' link to '%s'", - c->name, from->node_name); - goto out; - } - if (c->frozen) { - ret = -EPERM; - error_setg(errp, "Cannot change '%s' link to '%s'", - c->name, from->node_name); - goto out; - } - bdrv_replace_child_safe(c, to, tran); + ret = bdrv_replace_node_noperm(from, to, auto_skip, tran, errp); + if (ret < 0) { + goto out; } found = g_hash_table_new(NULL, NULL); -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> bdrv_append is not very good for inserting filters: it does extra permission update as part of bdrv_set_backing_hd(). During this update filter may conflict with other parents of top_bs. Instead, let's first do all graph modifications and after it update permissions. append-greedy-filter test-case in test-bdrv-graph-mod is now works, so move it out of debug option. Note: bdrv_append() is still only works for backing-child based filters. It's something to improve later. Note2: we use the fact that bdrv_append() is used to append new nodes, without backing child, so we don't need frozen check and inherits_from logic from bdrv_set_backing_hd(). Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-22-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 27 ++++++++++++++++++++------- tests/unit/test-bdrv-graph-mod.c | 17 ++--------------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ int bdrv_replace_node(BlockDriverState *from, BlockDriverState *to, * This will modify the BlockDriverState fields, and swap contents * between bs_new and bs_top. Both bs_new and bs_top are modified. * - * bs_new must not be attached to a BlockBackend. + * bs_new must not be attached to a BlockBackend and must not have backing + * child. * * This function does not create any image files. */ int bdrv_append(BlockDriverState *bs_new, BlockDriverState *bs_top, Error **errp) { - int ret = bdrv_set_backing_hd(bs_new, bs_top, errp); + int ret; + Transaction *tran = tran_new(); + + assert(!bs_new->backing); + + ret = bdrv_attach_child_noperm(bs_new, bs_top, "backing", + &child_of_bds, bdrv_backing_role(bs_new), + &bs_new->backing, tran, errp); if (ret < 0) { - return ret; + goto out; } - ret = bdrv_replace_node(bs_top, bs_new, errp); + ret = bdrv_replace_node_noperm(bs_top, bs_new, true, tran, errp); if (ret < 0) { - bdrv_set_backing_hd(bs_new, NULL, &error_abort); - return ret; + goto out; } - return 0; + ret = bdrv_refresh_perms(bs_new, errp); +out: + tran_finalize(tran, ret); + + bdrv_refresh_limits(bs_top, NULL); + + return ret; } static void bdrv_delete(BlockDriverState *bs) diff --git a/tests/unit/test-bdrv-graph-mod.c b/tests/unit/test-bdrv-graph-mod.c index XXXXXXX..XXXXXXX 100644 --- a/tests/unit/test-bdrv-graph-mod.c +++ b/tests/unit/test-bdrv-graph-mod.c @@ -XXX,XX +XXX,XX @@ static void test_append_greedy_filter(void) int main(int argc, char *argv[]) { - int i; - bool debug = false; - - for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-d")) { - debug = true; - break; - } - } - bdrv_init(); qemu_init_main_loop(&error_abort); @@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[]) test_parallel_perm_update); g_test_add_func("/bdrv-graph-mod/parallel-exclusive-write", test_parallel_exclusive_write); - - if (debug) { - g_test_add_func("/bdrv-graph-mod/append-greedy-filter", - test_append_greedy_filter); - } + g_test_add_func("/bdrv-graph-mod/append-greedy-filter", + test_append_greedy_filter); return g_test_run(); } -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-23-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 82 insertions(+), 2 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs) } } +static void bdrv_child_free(void *opaque) +{ + BdrvChild *c = opaque; + + g_free(c->name); + g_free(c); +} + static void bdrv_remove_empty_child(BdrvChild *child) { assert(!child->bs); QLIST_SAFE_REMOVE(child, next); - g_free(child->name); - g_free(child); + bdrv_child_free(child); } typedef struct BdrvAttachChildCommonState { @@ -XXX,XX +XXX,XX @@ static bool should_update_child(BdrvChild *c, BlockDriverState *to) return ret; } +typedef struct BdrvRemoveFilterOrCowChild { + BdrvChild *child; + bool is_backing; +} BdrvRemoveFilterOrCowChild; + +static void bdrv_remove_filter_or_cow_child_abort(void *opaque) +{ + BdrvRemoveFilterOrCowChild *s = opaque; + BlockDriverState *parent_bs = s->child->opaque; + + QLIST_INSERT_HEAD(&parent_bs->children, s->child, next); + if (s->is_backing) { + parent_bs->backing = s->child; + } else { + parent_bs->file = s->child; + } + + /* + * We don't have to restore child->bs here to undo bdrv_replace_child() + * because that function is transactionable and it registered own completion + * entries in @tran, so .abort() for bdrv_replace_child_safe() will be + * called automatically. + */ +} + +static void bdrv_remove_filter_or_cow_child_commit(void *opaque) +{ + BdrvRemoveFilterOrCowChild *s = opaque; + + bdrv_child_free(s->child); +} + +static TransactionActionDrv bdrv_remove_filter_or_cow_child_drv = { + .abort = bdrv_remove_filter_or_cow_child_abort, + .commit = bdrv_remove_filter_or_cow_child_commit, + .clean = g_free, +}; + +/* + * A function to remove backing-chain child of @bs if exists: cow child for + * format nodes (always .backing) and filter child for filters (may be .file or + * .backing) + */ +__attribute__((unused)) +static void bdrv_remove_filter_or_cow_child(BlockDriverState *bs, + Transaction *tran) +{ + BdrvRemoveFilterOrCowChild *s; + BdrvChild *child = bdrv_filter_or_cow_child(bs); + + if (!child) { + return; + } + + if (child->bs) { + bdrv_replace_child_safe(child, NULL, tran); + } + + s = g_new(BdrvRemoveFilterOrCowChild, 1); + *s = (BdrvRemoveFilterOrCowChild) { + .child = child, + .is_backing = (child == bs->backing), + }; + tran_add(tran, &bdrv_remove_filter_or_cow_child_drv, s); + + QLIST_SAFE_REMOVE(child, next); + if (s->is_backing) { + bs->backing = NULL; + } else { + bs->file = NULL; + } +} + static int bdrv_replace_node_noperm(BlockDriverState *from, BlockDriverState *to, bool auto_skip, Transaction *tran, -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Using bdrv_replace_node() for removing filter is not good enough: it keeps child reference of the filter, which may conflict with original top node during permission update. Instead let's create new interface, which will do all graph modifications first and then update permissions. Let's modify bdrv_replace_node_common(), allowing it additionally drop backing chain child link pointing to new node. This is quite appropriate for bdrv_drop_intermediate() and makes possible to add new bdrv_drop_filter() as a simple wrapper. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-24-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 1 + block.c | 43 +++++++++++++++++++++++++++++++++++++++---- 2 files changed, 40 insertions(+), 4 deletions(-) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ int bdrv_replace_node(BlockDriverState *from, BlockDriverState *to, Error **errp); BlockDriverState *bdrv_insert_node(BlockDriverState *bs, QDict *node_options, int flags, Error **errp); +int bdrv_drop_filter(BlockDriverState *bs, Error **errp); int bdrv_parse_aio(const char *mode, int *flags); int bdrv_parse_cache_mode(const char *mode, int *flags, bool *writethrough); diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static TransactionActionDrv bdrv_remove_filter_or_cow_child_drv = { * format nodes (always .backing) and filter child for filters (may be .file or * .backing) */ -__attribute__((unused)) static void bdrv_remove_filter_or_cow_child(BlockDriverState *bs, Transaction *tran) { @@ -XXX,XX +XXX,XX @@ static int bdrv_replace_node_noperm(BlockDriverState *from, * * With auto_skip=false the error is returned if from has a parent which should * not be updated. + * + * With @detach_subchain=true @to must be in a backing chain of @from. In this + * case backing link of the cow-parent of @to is removed. */ static int bdrv_replace_node_common(BlockDriverState *from, BlockDriverState *to, - bool auto_skip, Error **errp) + bool auto_skip, bool detach_subchain, + Error **errp) { Transaction *tran = tran_new(); g_autoptr(GHashTable) found = NULL; g_autoptr(GSList) refresh_list = NULL; + BlockDriverState *to_cow_parent; int ret; + if (detach_subchain) { + assert(bdrv_chain_contains(from, to)); + assert(from != to); + for (to_cow_parent = from; + bdrv_filter_or_cow_bs(to_cow_parent) != to; + to_cow_parent = bdrv_filter_or_cow_bs(to_cow_parent)) + { + ; + } + } + /* Make sure that @from doesn't go away until we have successfully attached * all of its parents to @to. */ bdrv_ref(from); @@ -XXX,XX +XXX,XX @@ static int bdrv_replace_node_common(BlockDriverState *from, goto out; } + if (detach_subchain) { + bdrv_remove_filter_or_cow_child(to_cow_parent, tran); + } + found = g_hash_table_new(NULL, NULL); refresh_list = bdrv_topological_dfs(refresh_list, found, to); @@ -XXX,XX +XXX,XX @@ out: int bdrv_replace_node(BlockDriverState *from, BlockDriverState *to, Error **errp) { - return bdrv_replace_node_common(from, to, true, errp); + return bdrv_replace_node_common(from, to, true, false, errp); +} + +int bdrv_drop_filter(BlockDriverState *bs, Error **errp) +{ + return bdrv_replace_node_common(bs, bdrv_filter_or_cow_bs(bs), true, true, + errp); } /* @@ -XXX,XX +XXX,XX @@ int bdrv_drop_intermediate(BlockDriverState *top, BlockDriverState *base, updated_children = g_slist_prepend(updated_children, c); } - bdrv_replace_node_common(top, base, false, &local_err); + /* + * It seems correct to pass detach_subchain=true here, but it triggers + * one more yet not fixed bug, when due to nested aio_poll loop we switch to + * another drained section, which modify the graph (for example, removing + * the child, which we keep in updated_children list). So, it's a TODO. + * + * Note, bug triggered if pass detach_subchain=true here and run + * test-bdrv-drain. test_drop_intermediate_poll() test-case will crash. + * That's a FIXME. + */ + bdrv_replace_node_common(top, base, false, false, &local_err); if (local_err) { error_report_err(local_err); goto exit; -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> We don't need this workaround anymore: bdrv_append is already smart enough and we can use new bdrv_drop_filter(). This commit efficiently reverts also recent 705dde27c6c53b73, which checked .active on io path. Still it said that the problem should be theoretical. And the logic of filter removement is changed anyway. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-25-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block/backup-top.c | 47 +------------------------------------- tests/qemu-iotests/283.out | 2 +- 2 files changed, 2 insertions(+), 47 deletions(-) diff --git a/block/backup-top.c b/block/backup-top.c index XXXXXXX..XXXXXXX 100644 --- a/block/backup-top.c +++ b/block/backup-top.c @@ -XXX,XX +XXX,XX @@ typedef struct BDRVBackupTopState { BlockCopyState *bcs; BdrvChild *target; - bool active; int64_t cluster_size; } BDRVBackupTopState; @@ -XXX,XX +XXX,XX @@ static coroutine_fn int backup_top_co_preadv( BlockDriverState *bs, uint64_t offset, uint64_t bytes, QEMUIOVector *qiov, int flags) { - BDRVBackupTopState *s = bs->opaque; - - if (!s->active) { - return -EIO; - } - return bdrv_co_preadv(bs->backing, offset, bytes, qiov, flags); } @@ -XXX,XX +XXX,XX @@ static coroutine_fn int backup_top_cbw(BlockDriverState *bs, uint64_t offset, BDRVBackupTopState *s = bs->opaque; uint64_t off, end; - if (!s->active) { - return -EIO; - } - if (flags & BDRV_REQ_WRITE_UNCHANGED) { return 0; } @@ -XXX,XX +XXX,XX @@ static void backup_top_child_perm(BlockDriverState *bs, BdrvChild *c, uint64_t perm, uint64_t shared, uint64_t *nperm, uint64_t *nshared) { - BDRVBackupTopState *s = bs->opaque; - - if (!s->active) { - /* - * The filter node may be in process of bdrv_append(), which firstly do - * bdrv_set_backing_hd() and then bdrv_replace_node(). This means that - * we can't unshare BLK_PERM_WRITE during bdrv_append() operation. So, - * let's require nothing during bdrv_append() and refresh permissions - * after it (see bdrv_backup_top_append()). - */ - *nperm = 0; - *nshared = BLK_PERM_ALL; - return; - } - if (!(role & BDRV_CHILD_FILTERED)) { /* * Target child @@ -XXX,XX +XXX,XX @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source, } appended = true; - /* - * bdrv_append() finished successfully, now we can require permissions - * we want. - */ - state->active = true; - ret = bdrv_child_refresh_perms(top, top->backing, errp); - if (ret < 0) { - error_prepend(errp, "Cannot set permissions for backup-top filter: "); - goto fail; - } - state->cluster_size = cluster_size; state->bcs = block_copy_state_new(top->backing, state->target, cluster_size, perf->use_copy_range, @@ -XXX,XX +XXX,XX @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source, fail: if (appended) { - state->active = false; bdrv_backup_top_drop(top); } else { bdrv_unref(top); @@ -XXX,XX +XXX,XX @@ void bdrv_backup_top_drop(BlockDriverState *bs) { BDRVBackupTopState *s = bs->opaque; - bdrv_drained_begin(bs); + bdrv_drop_filter(bs, &error_abort); block_copy_state_free(s->bcs); - s->active = false; - bdrv_child_refresh_perms(bs, bs->backing, &error_abort); - bdrv_replace_node(bs, bs->backing->bs, &error_abort); - bdrv_set_backing_hd(bs, NULL, &error_abort); - - bdrv_drained_end(bs); - bdrv_unref(bs); } diff --git a/tests/qemu-iotests/283.out b/tests/qemu-iotests/283.out index XXXXXXX..XXXXXXX 100644 --- a/tests/qemu-iotests/283.out +++ b/tests/qemu-iotests/283.out @@ -XXX,XX +XXX,XX @@ {"execute": "blockdev-add", "arguments": {"driver": "blkdebug", "image": "base", "node-name": "other", "take-child-perms": ["write"]}} {"return": {}} {"execute": "blockdev-backup", "arguments": {"device": "source", "sync": "full", "target": "target"}} -{"error": {"class": "GenericError", "desc": "Cannot set permissions for backup-top filter: Conflicts with use by source as 'image', which does not allow 'write' on base"}} +{"error": {"class": "GenericError", "desc": "Cannot append backup-top filter: Conflicts with use by source as 'image', which does not allow 'write' on base"}} === backup-top should be gone after job-finalize === -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> This argument is always NULL. Drop it. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-26-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 38 +++++++++++--------------------------- 1 file changed, 11 insertions(+), 27 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static int bdrv_fill_options(QDict **options, const char *filename, static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q, uint64_t new_used_perm, uint64_t new_shared_perm, - GSList *ignore_children, Error **errp); typedef struct BlockReopenQueueEntry { @@ -XXX,XX +XXX,XX @@ static bool bdrv_a_allow_b(BdrvChild *a, BdrvChild *b, Error **errp) return false; } -static bool bdrv_parent_perms_conflict(BlockDriverState *bs, - GSList *ignore_children, - Error **errp) +static bool bdrv_parent_perms_conflict(BlockDriverState *bs, Error **errp) { BdrvChild *a, *b; @@ -XXX,XX +XXX,XX @@ static bool bdrv_parent_perms_conflict(BlockDriverState *bs, * directions. */ QLIST_FOREACH(a, &bs->parents, next_parent) { - if (g_slist_find(ignore_children, a)) { - continue; - } - QLIST_FOREACH(b, &bs->parents, next_parent) { - if (a == b || g_slist_find(ignore_children, b)) { + if (a == b) { continue; } @@ -XXX,XX +XXX,XX @@ static void bdrv_replace_child_safe(BdrvChild *child, BlockDriverState *new_bs, static int bdrv_node_check_perm(BlockDriverState *bs, BlockReopenQueue *q, uint64_t cumulative_perms, uint64_t cumulative_shared_perms, - GSList *ignore_children, Transaction *tran, Error **errp) { BlockDriver *drv = bs->drv; @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm_common(GSList *list, BlockReopenQueue *q, bool use_cumulative_perms, uint64_t cumulative_perms, uint64_t cumulative_shared_perms, - GSList *ignore_children, Transaction *tran, Error **errp) { int ret; @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm_common(GSList *list, BlockReopenQueue *q, ret = bdrv_node_check_perm(bs, q, cumulative_perms, cumulative_shared_perms, - ignore_children, tran, errp); + tran, errp); if (ret < 0) { return ret; } @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm_common(GSList *list, BlockReopenQueue *q, for ( ; list; list = list->next) { bs = list->data; - if (bdrv_parent_perms_conflict(bs, ignore_children, errp)) { + if (bdrv_parent_perms_conflict(bs, errp)) { return -EINVAL; } @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm_common(GSList *list, BlockReopenQueue *q, ret = bdrv_node_check_perm(bs, q, cumulative_perms, cumulative_shared_perms, - ignore_children, tran, errp); + tran, errp); if (ret < 0) { return ret; } @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm_common(GSList *list, BlockReopenQueue *q, static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, uint64_t cumulative_perms, - uint64_t cumulative_shared_perms, - GSList *ignore_children, Error **errp) + uint64_t cumulative_shared_perms, Error **errp) { g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); return bdrv_check_perm_common(list, q, true, cumulative_perms, - cumulative_shared_perms, ignore_children, - NULL, errp); + cumulative_shared_perms, NULL, errp); } static int bdrv_list_refresh_perms(GSList *list, BlockReopenQueue *q, Transaction *tran, Error **errp) { - return bdrv_check_perm_common(list, q, false, 0, 0, NULL, tran, errp); + return bdrv_check_perm_common(list, q, false, 0, 0, tran, errp); } /* @@ -XXX,XX +XXX,XX @@ char *bdrv_perm_names(uint64_t perm) static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q, uint64_t new_used_perm, uint64_t new_shared_perm, - GSList *ignore_children, Error **errp) { BdrvChild *c; @@ -XXX,XX +XXX,XX @@ static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q, assert(new_shared_perm & BLK_PERM_WRITE_UNCHANGED); QLIST_FOREACH(c, &bs->parents, next_parent) { - if (g_slist_find(ignore_children, c)) { - continue; - } - if ((new_used_perm & c->shared_perm) != new_used_perm) { char *user = bdrv_child_user_desc(c); char *perm_names = bdrv_perm_names(new_used_perm & ~c->shared_perm); @@ -XXX,XX +XXX,XX @@ static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q, } return bdrv_check_perm(bs, q, cumulative_perms, cumulative_shared_perms, - ignore_children, errp); + errp); } static int bdrv_refresh_perms(BlockDriverState *bs, Error **errp) @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp) QTAILQ_FOREACH(bs_entry, bs_queue, entry) { BDRVReopenState *state = &bs_entry->state; ret = bdrv_check_perm(state->bs, bs_queue, state->perm, - state->shared_perm, NULL, errp); + state->shared_perm, errp); if (ret < 0) { goto cleanup_perm; } @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp) bs_queue, state->perm, state->shared_perm, &nperm, &nshared); ret = bdrv_check_update_perm(state->new_backing_bs, NULL, - nperm, nshared, NULL, errp); + nperm, nshared, errp); if (ret < 0) { goto cleanup_perm; } -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> To be used in the further commit. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-27-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 46 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 42 insertions(+), 4 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ void bdrv_root_unref_child(BdrvChild *child) bdrv_unref(child_bs); } +typedef struct BdrvSetInheritsFrom { + BlockDriverState *bs; + BlockDriverState *old_inherits_from; +} BdrvSetInheritsFrom; + +static void bdrv_set_inherits_from_abort(void *opaque) +{ + BdrvSetInheritsFrom *s = opaque; + + s->bs->inherits_from = s->old_inherits_from; +} + +static TransactionActionDrv bdrv_set_inherits_from_drv = { + .abort = bdrv_set_inherits_from_abort, + .clean = g_free, +}; + +/* @tran is allowed to be NULL. In this case no rollback is possible */ +static void bdrv_set_inherits_from(BlockDriverState *bs, + BlockDriverState *new_inherits_from, + Transaction *tran) +{ + if (tran) { + BdrvSetInheritsFrom *s = g_new(BdrvSetInheritsFrom, 1); + + *s = (BdrvSetInheritsFrom) { + .bs = bs, + .old_inherits_from = bs->inherits_from, + }; + + tran_add(tran, &bdrv_set_inherits_from_drv, s); + } + + bs->inherits_from = new_inherits_from; +} + /** * Clear all inherits_from pointers from children and grandchildren of * @root that point to @root, where necessary. + * @tran is allowed to be NULL. In this case no rollback is possible */ -static void bdrv_unset_inherits_from(BlockDriverState *root, BdrvChild *child) +static void bdrv_unset_inherits_from(BlockDriverState *root, BdrvChild *child, + Transaction *tran) { BdrvChild *c; @@ -XXX,XX +XXX,XX @@ static void bdrv_unset_inherits_from(BlockDriverState *root, BdrvChild *child) } } if (c == NULL) { - child->bs->inherits_from = NULL; + bdrv_set_inherits_from(child->bs, NULL, tran); } } QLIST_FOREACH(c, &child->bs->children, next) { - bdrv_unset_inherits_from(root, c); + bdrv_unset_inherits_from(root, c, tran); } } @@ -XXX,XX +XXX,XX @@ void bdrv_unref_child(BlockDriverState *parent, BdrvChild *child) return; } - bdrv_unset_inherits_from(parent, child); + bdrv_unset_inherits_from(parent, child, NULL); bdrv_root_unref_child(child); } -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> To be used in further commit. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-28-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 3 ++- block.c | 9 ++++----- block/io.c | 31 +++++++++++++++++++++++++++++-- 3 files changed, 35 insertions(+), 8 deletions(-) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ #include "block/dirty-bitmap.h" #include "block/blockjob.h" #include "qemu/hbitmap.h" +#include "qemu/transactions.h" /* * generated_co_wrapper @@ -XXX,XX +XXX,XX @@ int64_t bdrv_get_allocated_file_size(BlockDriverState *bs); BlockMeasureInfo *bdrv_measure(BlockDriver *drv, QemuOpts *opts, BlockDriverState *in_bs, Error **errp); void bdrv_get_geometry(BlockDriverState *bs, uint64_t *nb_sectors_ptr); -void bdrv_refresh_limits(BlockDriverState *bs, Error **errp); +void bdrv_refresh_limits(BlockDriverState *bs, Transaction *tran, Error **errp); int bdrv_commit(BlockDriverState *bs); int bdrv_make_empty(BdrvChild *c, Error **errp); int bdrv_change_backing_file(BlockDriverState *bs, const char *backing_file, diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ #include "qemu/timer.h" #include "qemu/cutils.h" #include "qemu/id.h" -#include "qemu/transactions.h" #include "block/coroutines.h" #ifdef CONFIG_BSD @@ -XXX,XX +XXX,XX @@ static int bdrv_open_driver(BlockDriverState *bs, BlockDriver *drv, return ret; } - bdrv_refresh_limits(bs, &local_err); + bdrv_refresh_limits(bs, NULL, &local_err); if (local_err) { error_propagate(errp, local_err); return -EINVAL; @@ -XXX,XX +XXX,XX @@ int bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd, } out: - bdrv_refresh_limits(bs, NULL); + bdrv_refresh_limits(bs, NULL, NULL); return ret; } @@ -XXX,XX +XXX,XX @@ static void bdrv_reopen_commit(BDRVReopenState *reopen_state) bdrv_set_backing_hd(bs, reopen_state->new_backing_bs, &error_abort); } - bdrv_refresh_limits(bs, NULL); + bdrv_refresh_limits(bs, NULL, NULL); } /* @@ -XXX,XX +XXX,XX @@ int bdrv_append(BlockDriverState *bs_new, BlockDriverState *bs_top, out: tran_finalize(tran, ret); - bdrv_refresh_limits(bs_top, NULL); + bdrv_refresh_limits(bs_top, NULL, NULL); return ret; } diff --git a/block/io.c b/block/io.c index XXXXXXX..XXXXXXX 100644 --- a/block/io.c +++ b/block/io.c @@ -XXX,XX +XXX,XX @@ static void bdrv_merge_limits(BlockLimits *dst, const BlockLimits *src) dst->max_iov = MIN_NON_ZERO(dst->max_iov, src->max_iov); } -void bdrv_refresh_limits(BlockDriverState *bs, Error **errp) +typedef struct BdrvRefreshLimitsState { + BlockDriverState *bs; + BlockLimits old_bl; +} BdrvRefreshLimitsState; + +static void bdrv_refresh_limits_abort(void *opaque) +{ + BdrvRefreshLimitsState *s = opaque; + + s->bs->bl = s->old_bl; +} + +static TransactionActionDrv bdrv_refresh_limits_drv = { + .abort = bdrv_refresh_limits_abort, + .clean = g_free, +}; + +/* @tran is allowed to be NULL, in this case no rollback is possible. */ +void bdrv_refresh_limits(BlockDriverState *bs, Transaction *tran, Error **errp) { ERRP_GUARD(); BlockDriver *drv = bs->drv; BdrvChild *c; bool have_limits; + if (tran) { + BdrvRefreshLimitsState *s = g_new(BdrvRefreshLimitsState, 1); + *s = (BdrvRefreshLimitsState) { + .bs = bs, + .old_bl = bs->bl, + }; + tran_add(tran, &bdrv_refresh_limits_drv, s); + } + memset(&bs->bl, 0, sizeof(bs->bl)); if (!drv) { @@ -XXX,XX +XXX,XX @@ void bdrv_refresh_limits(BlockDriverState *bs, Error **errp) QLIST_FOREACH(c, &bs->children, next) { if (c->role & (BDRV_CHILD_DATA | BDRV_CHILD_FILTERED | BDRV_CHILD_COW)) { - bdrv_refresh_limits(c->bs, errp); + bdrv_refresh_limits(c->bs, tran, errp); if (*errp) { return; } -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Split out no-perm part of bdrv_set_backing_hd() as a separate transaction action. Note the in case of existing BdrvChild we reuse it, not recreate, just to do less actions. We don't need to create extra reference to backing_hd as we don't lose it in bdrv_attach_child(). Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-29-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 54 +++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 37 insertions(+), 17 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static int bdrv_attach_child_noperm(BlockDriverState *parent_bs, BdrvChild **child, Transaction *tran, Error **errp); +static void bdrv_remove_filter_or_cow_child(BlockDriverState *bs, + Transaction *tran); static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, Error **errp); @@ -XXX,XX +XXX,XX @@ static BdrvChildRole bdrv_backing_role(BlockDriverState *bs) * Sets the bs->backing link of a BDS. A new reference is created; callers * which don't need their own reference any more must call bdrv_unref(). */ -int bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd, - Error **errp) +static int bdrv_set_backing_noperm(BlockDriverState *bs, + BlockDriverState *backing_hd, + Transaction *tran, Error **errp) { int ret = 0; bool update_inherits_from = bdrv_chain_contains(bs, backing_hd) && @@ -XXX,XX +XXX,XX @@ int bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd, return -EPERM; } - if (backing_hd) { - bdrv_ref(backing_hd); - } - if (bs->backing) { /* Cannot be frozen, we checked that above */ - bdrv_unref_child(bs, bs->backing); - bs->backing = NULL; + bdrv_unset_inherits_from(bs, bs->backing, tran); + bdrv_remove_filter_or_cow_child(bs, tran); } if (!backing_hd) { goto out; } - bs->backing = bdrv_attach_child(bs, backing_hd, "backing", &child_of_bds, - bdrv_backing_role(bs), errp); - if (!bs->backing) { - ret = -EPERM; - goto out; + ret = bdrv_attach_child_noperm(bs, backing_hd, "backing", + &child_of_bds, bdrv_backing_role(bs), + &bs->backing, tran, errp); + if (ret < 0) { + return ret; } - /* If backing_hd was already part of bs's backing chain, and + + /* + * If backing_hd was already part of bs's backing chain, and * inherits_from pointed recursively to bs then let's update it to - * point directly to bs (else it will become NULL). */ + * point directly to bs (else it will become NULL). + */ if (update_inherits_from) { - backing_hd->inherits_from = bs; + bdrv_set_inherits_from(backing_hd, bs, tran); } out: - bdrv_refresh_limits(bs, NULL, NULL); + bdrv_refresh_limits(bs, tran, NULL); + + return 0; +} + +int bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd, + Error **errp) +{ + int ret; + Transaction *tran = tran_new(); + + ret = bdrv_set_backing_noperm(bs, backing_hd, tran, errp); + if (ret < 0) { + goto out; + } + + ret = bdrv_refresh_perms(bs, errp); +out: + tran_finalize(tran, ret); return ret; } -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> During reopen we may add backing bs from other aio context, which may lead to changing original context of top bs. We are going to move graph modification to prepare stage. So, it will be possible that bdrv_flush() in bdrv_reopen_prepare called on bs in non-original aio context, which we didn't aquire which leads to crash. To avoid this problem move bdrv_flush() to be a separate reopen stage before bdrv_reopen_prepare(). This doesn't seem correct to acquire only one aio context and not all contexts participating in reopen. But it's not obvious how to do it correctly, keeping in mind: 1. rules of bdrv_set_aio_context_ignore() that requires new_context lock not being held 2. possible deadlocks because of holding all (or several?) AioContext locks Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-30-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp) assert(bs_queue != NULL); + QTAILQ_FOREACH(bs_entry, bs_queue, entry) { + ret = bdrv_flush(bs_entry->state.bs); + if (ret < 0) { + error_setg_errno(errp, -ret, "Error flushing drive"); + goto cleanup; + } + } + QTAILQ_FOREACH(bs_entry, bs_queue, entry) { assert(bs_entry->state.bs->quiesce_counter > 0); if (bdrv_reopen_prepare(&bs_entry->state, bs_queue, errp)) { @@ -XXX,XX +XXX,XX @@ static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, bdrv_reopen_perm(queue, reopen_state->bs, &reopen_state->perm, &reopen_state->shared_perm); - ret = bdrv_flush(reopen_state->bs); - if (ret) { - error_setg_errno(errp, -ret, "Error flushing drive"); - goto error; - } - if (drv->bdrv_reopen_prepare) { /* * If a driver-specific option is missing, it means that we -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Move bdrv_reopen_multiple to new paradigm of permission update: first update graph relations, then do refresh the permissions. We have to modify reopen process in file-posix driver: with new scheme we don't have prepared permissions in raw_reopen_prepare(), so we should reconfigure fd in raw_check_perm(). Still this seems more native and simple anyway. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-31-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 3 +- block.c | 187 ++++++++++++------------------------------ block/file-posix.c | 91 +++++++------------- 3 files changed, 84 insertions(+), 197 deletions(-) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ typedef struct BDRVReopenState { BlockdevDetectZeroesOptions detect_zeroes; bool backing_missing; bool replace_backing_bs; /* new_backing_bs is ignored if this is false */ - BlockDriverState *new_backing_bs; /* If NULL then detach the current bs */ - uint64_t perm, shared_perm; + BlockDriverState *old_backing_bs; /* keep pointer for permissions update */ QDict *options; QDict *explicit_options; void *opaque; diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static int bdrv_attach_child_noperm(BlockDriverState *parent_bs, static void bdrv_remove_filter_or_cow_child(BlockDriverState *bs, Transaction *tran); -static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue - *queue, Error **errp); +static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, + BlockReopenQueue *queue, + Transaction *set_backings_tran, Error **errp); static void bdrv_reopen_commit(BDRVReopenState *reopen_state); static void bdrv_reopen_abort(BDRVReopenState *reopen_state); @@ -XXX,XX +XXX,XX @@ static void bdrv_list_abort_perm_update(GSList *list) } } +__attribute__((unused)) static void bdrv_abort_perm_update(BlockDriverState *bs) { g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); @@ -XXX,XX +XXX,XX @@ char *bdrv_perm_names(uint64_t perm) * * Needs to be followed by a call to either bdrv_set_perm() or * bdrv_abort_perm_update(). */ +__attribute__((unused)) static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q, uint64_t new_used_perm, uint64_t new_shared_perm, @@ -XXX,XX +XXX,XX @@ static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue, bs_entry->state.explicit_options = explicit_options; bs_entry->state.flags = flags; - /* This needs to be overwritten in bdrv_reopen_prepare() */ - bs_entry->state.perm = UINT64_MAX; - bs_entry->state.shared_perm = 0; - /* * If keep_old_opts is false then it means that unspecified * options must be reset to their original value. We don't allow @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp) { int ret = -1; BlockReopenQueueEntry *bs_entry, *next; + Transaction *tran = tran_new(); + g_autoptr(GHashTable) found = NULL; + g_autoptr(GSList) refresh_list = NULL; assert(bs_queue != NULL); @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp) QTAILQ_FOREACH(bs_entry, bs_queue, entry) { assert(bs_entry->state.bs->quiesce_counter > 0); - if (bdrv_reopen_prepare(&bs_entry->state, bs_queue, errp)) { - goto cleanup; + ret = bdrv_reopen_prepare(&bs_entry->state, bs_queue, tran, errp); + if (ret < 0) { + goto abort; } bs_entry->prepared = true; } + found = g_hash_table_new(NULL, NULL); QTAILQ_FOREACH(bs_entry, bs_queue, entry) { BDRVReopenState *state = &bs_entry->state; - ret = bdrv_check_perm(state->bs, bs_queue, state->perm, - state->shared_perm, errp); - if (ret < 0) { - goto cleanup_perm; - } - /* Check if new_backing_bs would accept the new permissions */ - if (state->replace_backing_bs && state->new_backing_bs) { - uint64_t nperm, nshared; - bdrv_child_perm(state->bs, state->new_backing_bs, - NULL, bdrv_backing_role(state->bs), - bs_queue, state->perm, state->shared_perm, - &nperm, &nshared); - ret = bdrv_check_update_perm(state->new_backing_bs, NULL, - nperm, nshared, errp); - if (ret < 0) { - goto cleanup_perm; - } + + refresh_list = bdrv_topological_dfs(refresh_list, found, state->bs); + if (state->old_backing_bs) { + refresh_list = bdrv_topological_dfs(refresh_list, found, + state->old_backing_bs); } - bs_entry->perms_checked = true; + } + + /* + * Note that file-posix driver rely on permission update done during reopen + * (even if no permission changed), because it wants "new" permissions for + * reconfiguring the fd and that's why it does it in raw_check_perm(), not + * in raw_reopen_prepare() which is called with "old" permissions. + */ + ret = bdrv_list_refresh_perms(refresh_list, bs_queue, tran, errp); + if (ret < 0) { + goto abort; } /* @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp) bdrv_reopen_commit(&bs_entry->state); } - ret = 0; -cleanup_perm: - QTAILQ_FOREACH_SAFE(bs_entry, bs_queue, entry, next) { - BDRVReopenState *state = &bs_entry->state; - - if (!bs_entry->perms_checked) { - continue; - } - - if (ret == 0) { - uint64_t perm, shared; + tran_commit(tran); - bdrv_get_cumulative_perm(state->bs, &perm, &shared); - assert(perm == state->perm); - assert(shared == state->shared_perm); + QTAILQ_FOREACH_REVERSE(bs_entry, bs_queue, entry) { + BlockDriverState *bs = bs_entry->state.bs; - bdrv_set_perm(state->bs); - } else { - bdrv_abort_perm_update(state->bs); - if (state->replace_backing_bs && state->new_backing_bs) { - bdrv_abort_perm_update(state->new_backing_bs); - } + if (bs->drv->bdrv_reopen_commit_post) { + bs->drv->bdrv_reopen_commit_post(&bs_entry->state); } } - if (ret == 0) { - QTAILQ_FOREACH_REVERSE(bs_entry, bs_queue, entry) { - BlockDriverState *bs = bs_entry->state.bs; + ret = 0; + goto cleanup; - if (bs->drv->bdrv_reopen_commit_post) - bs->drv->bdrv_reopen_commit_post(&bs_entry->state); +abort: + tran_abort(tran); + QTAILQ_FOREACH_SAFE(bs_entry, bs_queue, entry, next) { + if (bs_entry->prepared) { + bdrv_reopen_abort(&bs_entry->state); } + qobject_unref(bs_entry->state.explicit_options); + qobject_unref(bs_entry->state.options); } + cleanup: QTAILQ_FOREACH_SAFE(bs_entry, bs_queue, entry, next) { - if (ret) { - if (bs_entry->prepared) { - bdrv_reopen_abort(&bs_entry->state); - } - qobject_unref(bs_entry->state.explicit_options); - qobject_unref(bs_entry->state.options); - } - if (bs_entry->state.new_backing_bs) { - bdrv_unref(bs_entry->state.new_backing_bs); - } g_free(bs_entry); } g_free(bs_queue); @@ -XXX,XX +XXX,XX @@ int bdrv_reopen_set_read_only(BlockDriverState *bs, bool read_only, return ret; } -static BlockReopenQueueEntry *find_parent_in_reopen_queue(BlockReopenQueue *q, - BdrvChild *c) -{ - BlockReopenQueueEntry *entry; - - QTAILQ_FOREACH(entry, q, entry) { - BlockDriverState *bs = entry->state.bs; - BdrvChild *child; - - QLIST_FOREACH(child, &bs->children, next) { - if (child == c) { - return entry; - } - } - } - - return NULL; -} - -static void bdrv_reopen_perm(BlockReopenQueue *q, BlockDriverState *bs, - uint64_t *perm, uint64_t *shared) -{ - BdrvChild *c; - BlockReopenQueueEntry *parent; - uint64_t cumulative_perms = 0; - uint64_t cumulative_shared_perms = BLK_PERM_ALL; - - QLIST_FOREACH(c, &bs->parents, next_parent) { - parent = find_parent_in_reopen_queue(q, c); - if (!parent) { - cumulative_perms |= c->perm; - cumulative_shared_perms &= c->shared_perm; - } else { - uint64_t nperm, nshared; - - bdrv_child_perm(parent->state.bs, bs, c, c->role, q, - parent->state.perm, parent->state.shared_perm, - &nperm, &nshared); - - cumulative_perms |= nperm; - cumulative_shared_perms &= nshared; - } - } - *perm = cumulative_perms; - *shared = cumulative_shared_perms; -} - static bool bdrv_reopen_can_attach(BlockDriverState *parent, BdrvChild *child, BlockDriverState *new_child, @@ -XXX,XX +XXX,XX @@ static bool bdrv_reopen_can_attach(BlockDriverState *parent, * Return 0 on success, otherwise return < 0 and set @errp. */ static int bdrv_reopen_parse_backing(BDRVReopenState *reopen_state, + Transaction *set_backings_tran, Error **errp) { BlockDriverState *bs = reopen_state->bs; @@ -XXX,XX +XXX,XX @@ static int bdrv_reopen_parse_backing(BDRVReopenState *reopen_state, /* If we want to replace the backing file we need some extra checks */ if (new_backing_bs != bdrv_filter_or_cow_bs(overlay_bs)) { + int ret; + /* Check for implicit nodes between bs and its backing file */ if (bs != overlay_bs) { error_setg(errp, "Cannot change backing link if '%s' has " @@ -XXX,XX +XXX,XX @@ static int bdrv_reopen_parse_backing(BDRVReopenState *reopen_state, return -EPERM; } reopen_state->replace_backing_bs = true; - if (new_backing_bs) { - bdrv_ref(new_backing_bs); - reopen_state->new_backing_bs = new_backing_bs; + reopen_state->old_backing_bs = bs->backing ? bs->backing->bs : NULL; + ret = bdrv_set_backing_noperm(bs, new_backing_bs, set_backings_tran, + errp); + if (ret < 0) { + return ret; } } @@ -XXX,XX +XXX,XX @@ static int bdrv_reopen_parse_backing(BDRVReopenState *reopen_state, * */ static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, - BlockReopenQueue *queue, Error **errp) + BlockReopenQueue *queue, + Transaction *set_backings_tran, Error **errp) { int ret = -1; int old_flags; @@ -XXX,XX +XXX,XX @@ static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, goto error; } - /* Calculate required permissions after reopening */ - bdrv_reopen_perm(queue, reopen_state->bs, - &reopen_state->perm, &reopen_state->shared_perm); - if (drv->bdrv_reopen_prepare) { /* * If a driver-specific option is missing, it means that we @@ -XXX,XX +XXX,XX @@ static int bdrv_reopen_prepare(BDRVReopenState *reopen_state, * either a reference to an existing node (using its node name) * or NULL to simply detach the current backing file. */ - ret = bdrv_reopen_parse_backing(reopen_state, errp); + ret = bdrv_reopen_parse_backing(reopen_state, set_backings_tran, errp); if (ret < 0) { goto error; } @@ -XXX,XX +XXX,XX @@ static void bdrv_reopen_commit(BDRVReopenState *reopen_state) qdict_del(bs->explicit_options, child->name); qdict_del(bs->options, child->name); } - - /* - * Change the backing file if a new one was specified. We do this - * after updating bs->options, so bdrv_refresh_filename() (called - * from bdrv_set_backing_hd()) has the new values. - */ - if (reopen_state->replace_backing_bs) { - BlockDriverState *old_backing_bs = child_bs(bs->backing); - assert(!old_backing_bs || !old_backing_bs->implicit); - /* Abort the permission update on the backing bs we're detaching */ - if (old_backing_bs) { - bdrv_abort_perm_update(old_backing_bs); - } - bdrv_set_backing_hd(bs, reopen_state->new_backing_bs, &error_abort); - } - bdrv_refresh_limits(bs, NULL, NULL); } diff --git a/block/file-posix.c b/block/file-posix.c index XXXXXXX..XXXXXXX 100644 --- a/block/file-posix.c +++ b/block/file-posix.c @@ -XXX,XX +XXX,XX @@ typedef struct BDRVRawState { } BDRVRawState; typedef struct BDRVRawReopenState { - int fd; int open_flags; bool drop_cache; bool check_cache_dropped; @@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state, BDRVRawReopenState *rs; QemuOpts *opts; int ret; - Error *local_err = NULL; assert(state != NULL); assert(state->bs != NULL); @@ -XXX,XX +XXX,XX @@ static int raw_reopen_prepare(BDRVReopenState *state, * bdrv_reopen_prepare() will detect changes and complain. */ qemu_opts_to_qdict(opts, state->options); - rs->fd = raw_reconfigure_getfd(state->bs, state->flags, &rs->open_flags, - state->perm, true, &local_err); - if (local_err) { - error_propagate(errp, local_err); - ret = -1; - goto out; - } - - /* Fail already reopen_prepare() if we can't get a working O_DIRECT - * alignment with the new fd. */ - if (rs->fd != -1) { - raw_probe_alignment(state->bs, rs->fd, &local_err); - if (local_err) { - error_propagate(errp, local_err); - ret = -EINVAL; - goto out_fd; - } - } + /* + * As part of reopen prepare we also want to create new fd by + * raw_reconfigure_getfd(). But it wants updated "perm", when in + * bdrv_reopen_multiple() .bdrv_reopen_prepare() callback called prior to + * permission update. Happily, permission update is always a part (a seprate + * stage) of bdrv_reopen_multiple() so we can rely on this fact and + * reconfigure fd in raw_check_perm(). + */ s->reopen_state = state; ret = 0; -out_fd: - if (ret < 0) { - qemu_close(rs->fd); - rs->fd = -1; - } + out: qemu_opts_del(opts); return ret; @@ -XXX,XX +XXX,XX @@ static void raw_reopen_commit(BDRVReopenState *state) s->drop_cache = rs->drop_cache; s->check_cache_dropped = rs->check_cache_dropped; s->open_flags = rs->open_flags; - - qemu_close(s->fd); - s->fd = rs->fd; - g_free(state->opaque); state->opaque = NULL; @@ -XXX,XX +XXX,XX @@ static void raw_reopen_abort(BDRVReopenState *state) return; } - if (rs->fd >= 0) { - qemu_close(rs->fd); - rs->fd = -1; - } g_free(state->opaque); state->opaque = NULL; @@ -XXX,XX +XXX,XX @@ static int raw_check_perm(BlockDriverState *bs, uint64_t perm, uint64_t shared, Error **errp) { BDRVRawState *s = bs->opaque; - BDRVRawReopenState *rs = NULL; + int input_flags = s->reopen_state ? s->reopen_state->flags : bs->open_flags; int open_flags; int ret; - if (s->perm_change_fd) { + /* We may need a new fd if auto-read-only switches the mode */ + ret = raw_reconfigure_getfd(bs, input_flags, &open_flags, perm, + false, errp); + if (ret < 0) { + return ret; + } else if (ret != s->fd) { + Error *local_err = NULL; + /* - * In the context of reopen, this function may be called several times - * (directly and recursively while change permissions of the parent). - * This is even true for children that don't inherit from the original - * reopen node, so s->reopen_state is not set. - * - * Ignore all but the first call. + * Fail already check_perm() if we can't get a working O_DIRECT + * alignment with the new fd. */ - return 0; - } - - if (s->reopen_state) { - /* We already have a new file descriptor to set permissions for */ - assert(s->reopen_state->perm == perm); - assert(s->reopen_state->shared_perm == shared); - rs = s->reopen_state->opaque; - s->perm_change_fd = rs->fd; - s->perm_change_flags = rs->open_flags; - } else { - /* We may need a new fd if auto-read-only switches the mode */ - ret = raw_reconfigure_getfd(bs, bs->open_flags, &open_flags, perm, - false, errp); - if (ret < 0) { - return ret; - } else if (ret != s->fd) { - s->perm_change_fd = ret; - s->perm_change_flags = open_flags; + raw_probe_alignment(bs, ret, &local_err); + if (local_err) { + error_propagate(errp, local_err); + return -EINVAL; } + + s->perm_change_fd = ret; + s->perm_change_flags = open_flags; } /* Prepare permissions on old fd to avoid conflicts between old and new, @@ -XXX,XX +XXX,XX @@ static int raw_check_perm(BlockDriverState *bs, uint64_t perm, uint64_t shared, return 0; fail: - if (s->perm_change_fd && !s->reopen_state) { + if (s->perm_change_fd) { qemu_close(s->perm_change_fd); } s->perm_change_fd = 0; @@ -XXX,XX +XXX,XX @@ static void raw_abort_perm_update(BlockDriverState *bs) /* For reopen, .bdrv_reopen_abort is called afterwards and will close * the file descriptor. */ - if (s->perm_change_fd && !s->reopen_state) { + if (s->perm_change_fd) { qemu_close(s->perm_change_fd); } s->perm_change_fd = 0; -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-32-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 103 -------------------------------------------------------- 1 file changed, 103 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static int bdrv_fill_options(QDict **options, const char *filename, return 0; } -static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q, - uint64_t new_used_perm, - uint64_t new_shared_perm, - Error **errp); - typedef struct BlockReopenQueueEntry { bool prepared; bool perms_checked; @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm_common(GSList *list, BlockReopenQueue *q, return 0; } -static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, - uint64_t cumulative_perms, - uint64_t cumulative_shared_perms, Error **errp) -{ - g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); - return bdrv_check_perm_common(list, q, true, cumulative_perms, - cumulative_shared_perms, NULL, errp); -} - static int bdrv_list_refresh_perms(GSList *list, BlockReopenQueue *q, Transaction *tran, Error **errp) { return bdrv_check_perm_common(list, q, false, 0, 0, tran, errp); } -/* - * Notifies drivers that after a previous bdrv_check_perm() call, the - * permission update is not performed and any preparations made for it (e.g. - * taken file locks) need to be undone. - */ -static void bdrv_node_abort_perm_update(BlockDriverState *bs) -{ - BlockDriver *drv = bs->drv; - BdrvChild *c; - - if (!drv) { - return; - } - - bdrv_drv_set_perm_abort(bs); - - QLIST_FOREACH(c, &bs->children, next) { - bdrv_child_set_perm_abort(c); - } -} - -static void bdrv_list_abort_perm_update(GSList *list) -{ - for ( ; list; list = list->next) { - bdrv_node_abort_perm_update((BlockDriverState *)list->data); - } -} - -__attribute__((unused)) -static void bdrv_abort_perm_update(BlockDriverState *bs) -{ - g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); - return bdrv_list_abort_perm_update(list); -} - static void bdrv_node_set_perm(BlockDriverState *bs) { BlockDriver *drv = bs->drv; @@ -XXX,XX +XXX,XX @@ char *bdrv_perm_names(uint64_t perm) return g_string_free(result, FALSE); } -/* - * Checks whether a new reference to @bs can be added if the new user requires - * @new_used_perm/@new_shared_perm as its permissions. If @ignore_children is - * set, the BdrvChild objects in this list are ignored in the calculations; - * this allows checking permission updates for an existing reference. - * - * Needs to be followed by a call to either bdrv_set_perm() or - * bdrv_abort_perm_update(). */ -__attribute__((unused)) -static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q, - uint64_t new_used_perm, - uint64_t new_shared_perm, - Error **errp) -{ - BdrvChild *c; - uint64_t cumulative_perms = new_used_perm; - uint64_t cumulative_shared_perms = new_shared_perm; - - - /* There is no reason why anyone couldn't tolerate write_unchanged */ - assert(new_shared_perm & BLK_PERM_WRITE_UNCHANGED); - - QLIST_FOREACH(c, &bs->parents, next_parent) { - if ((new_used_perm & c->shared_perm) != new_used_perm) { - char *user = bdrv_child_user_desc(c); - char *perm_names = bdrv_perm_names(new_used_perm & ~c->shared_perm); - - error_setg(errp, "Conflicts with use by %s as '%s', which does not " - "allow '%s' on %s", - user, c->name, perm_names, bdrv_get_node_name(c->bs)); - g_free(user); - g_free(perm_names); - return -EPERM; - } - - if ((c->perm & new_shared_perm) != c->perm) { - char *user = bdrv_child_user_desc(c); - char *perm_names = bdrv_perm_names(c->perm & ~new_shared_perm); - - error_setg(errp, "Conflicts with use by %s as '%s', which uses " - "'%s' on %s", - user, c->name, perm_names, bdrv_get_node_name(c->bs)); - g_free(user); - g_free(perm_names); - return -EPERM; - } - - cumulative_perms |= c->perm; - cumulative_shared_perms &= c->shared_perm; - } - - return bdrv_check_perm(bs, q, cumulative_perms, cumulative_shared_perms, - errp); -} static int bdrv_refresh_perms(BlockDriverState *bs, Error **errp) { -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> bdrv_check_perm_common() has only one caller, so no more sense in "common". Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-33-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 32 +++----------------------------- 1 file changed, 3 insertions(+), 29 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static int bdrv_node_check_perm(BlockDriverState *bs, BlockReopenQueue *q, return 0; } -/* - * If use_cumulative_perms is true, use cumulative_perms and - * cumulative_shared_perms for first element of the list. Otherwise just refresh - * all permissions. - */ -static int bdrv_check_perm_common(GSList *list, BlockReopenQueue *q, - bool use_cumulative_perms, - uint64_t cumulative_perms, - uint64_t cumulative_shared_perms, - Transaction *tran, Error **errp) +static int bdrv_list_refresh_perms(GSList *list, BlockReopenQueue *q, + Transaction *tran, Error **errp) { int ret; + uint64_t cumulative_perms, cumulative_shared_perms; BlockDriverState *bs; - if (use_cumulative_perms) { - bs = list->data; - - ret = bdrv_node_check_perm(bs, q, cumulative_perms, - cumulative_shared_perms, - tran, errp); - if (ret < 0) { - return ret; - } - - list = list->next; - } - for ( ; list; list = list->next) { bs = list->data; @@ -XXX,XX +XXX,XX @@ static int bdrv_check_perm_common(GSList *list, BlockReopenQueue *q, return 0; } -static int bdrv_list_refresh_perms(GSList *list, BlockReopenQueue *q, - Transaction *tran, Error **errp) -{ - return bdrv_check_perm_common(list, q, false, 0, 0, tran, errp); -} - static void bdrv_node_set_perm(BlockDriverState *bs) { BlockDriver *drv = bs->drv; -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> bdrv_replace_child() has only one caller, the second argument is unused. Inline it now. This triggers deletion of some more unused interfaces. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-34-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 101 ++++++++++---------------------------------------------- 1 file changed, 18 insertions(+), 83 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static int bdrv_list_refresh_perms(GSList *list, BlockReopenQueue *q, return 0; } -static void bdrv_node_set_perm(BlockDriverState *bs) -{ - BlockDriver *drv = bs->drv; - BdrvChild *c; - - if (!drv) { - return; - } - - bdrv_drv_set_perm_commit(bs); - - /* Drivers that never have children can omit .bdrv_child_perm() */ - if (!drv->bdrv_child_perm) { - assert(QLIST_EMPTY(&bs->children)); - return; - } - - /* Update all children */ - QLIST_FOREACH(c, &bs->children, next) { - bdrv_child_set_perm_commit(c); - } -} - -static void bdrv_list_set_perm(GSList *list) -{ - for ( ; list; list = list->next) { - bdrv_node_set_perm((BlockDriverState *)list->data); - } -} - -static void bdrv_set_perm(BlockDriverState *bs) -{ - g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs); - return bdrv_list_set_perm(list); -} - void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm, uint64_t *shared_perm) { @@ -XXX,XX +XXX,XX @@ static void bdrv_replace_child_noperm(BdrvChild *child, } } -/* - * Updates @child to change its reference to point to @new_bs, including - * checking and applying the necessary permission updates both to the old node - * and to @new_bs. - * - * NULL is passed as @new_bs for removing the reference before freeing @child. - * - * If @new_bs is not NULL, bdrv_check_perm() must be called beforehand, as this - * function uses bdrv_set_perm() to update the permissions according to the new - * reference that @new_bs gets. - * - * Callers must ensure that child->frozen is false. - */ -static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs) -{ - BlockDriverState *old_bs = child->bs; - - /* Asserts that child->frozen == false */ - bdrv_replace_child_noperm(child, new_bs); - - /* - * Start with the new node's permissions. If @new_bs is a (direct - * or indirect) child of @old_bs, we must complete the permission - * update on @new_bs before we loosen the restrictions on @old_bs. - * Otherwise, bdrv_check_perm() on @old_bs would re-initiate - * updating the permissions of @new_bs, and thus not purely loosen - * restrictions. - */ - if (new_bs) { - bdrv_set_perm(new_bs); - } - - if (old_bs) { - /* - * Update permissions for old node. We're just taking a parent away, so - * we're loosening restrictions. Errors of permission update are not - * fatal in this case, ignore them. - */ - bdrv_refresh_perms(old_bs, NULL); - - /* When the parent requiring a non-default AioContext is removed, the - * node moves back to the main AioContext */ - bdrv_try_set_aio_context(old_bs, qemu_get_aio_context(), NULL); - } -} - static void bdrv_child_free(void *opaque) { BdrvChild *c = opaque; @@ -XXX,XX +XXX,XX @@ static int bdrv_attach_child_noperm(BlockDriverState *parent_bs, static void bdrv_detach_child(BdrvChild *child) { - bdrv_replace_child(child, NULL); + BlockDriverState *old_bs = child->bs; + + bdrv_replace_child_noperm(child, NULL); bdrv_remove_empty_child(child); + + if (old_bs) { + /* + * Update permissions for old node. We're just taking a parent away, so + * we're loosening restrictions. Errors of permission update are not + * fatal in this case, ignore them. + */ + bdrv_refresh_perms(old_bs, NULL); + + /* + * When the parent requiring a non-default AioContext is removed, the + * node moves back to the main AioContext + */ + bdrv_try_set_aio_context(old_bs, qemu_get_aio_context(), NULL); + } } /* -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Old interfaces dropped, nobody directly calls bdrv_child_set_perm_abort() and bdrv_child_set_perm_commit(), so we can use personal state structure for the action and stop exploiting BdrvChild structure. Also, drop "_safe" suffix which is redundant now. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-35-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block_int.h | 5 ---- block.c | 63 ++++++++++++++------------------------- 2 files changed, 22 insertions(+), 46 deletions(-) diff --git a/include/block/block_int.h b/include/block/block_int.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block_int.h +++ b/include/block/block_int.h @@ -XXX,XX +XXX,XX @@ struct BdrvChild { */ uint64_t shared_perm; - /* backup of permissions during permission update procedure */ - bool has_backup_perm; - uint64_t backup_perm; - uint64_t backup_shared_perm; - /* * This link is frozen: the child can neither be replaced nor * detached from the parent. diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static GSList *bdrv_topological_dfs(GSList *list, GHashTable *found, return g_slist_prepend(list, bs); } -static void bdrv_child_set_perm_commit(void *opaque) -{ - BdrvChild *c = opaque; - - c->has_backup_perm = false; -} +typedef struct BdrvChildSetPermState { + BdrvChild *child; + uint64_t old_perm; + uint64_t old_shared_perm; +} BdrvChildSetPermState; static void bdrv_child_set_perm_abort(void *opaque) { - BdrvChild *c = opaque; - /* - * We may have child->has_backup_perm unset at this point, as in case of - * _check_ stage of permission update failure we may _check_ not the whole - * subtree. Still, _abort_ is called on the whole subtree anyway. - */ - if (c->has_backup_perm) { - c->perm = c->backup_perm; - c->shared_perm = c->backup_shared_perm; - c->has_backup_perm = false; - } + BdrvChildSetPermState *s = opaque; + + s->child->perm = s->old_perm; + s->child->shared_perm = s->old_shared_perm; } static TransactionActionDrv bdrv_child_set_pem_drv = { .abort = bdrv_child_set_perm_abort, - .commit = bdrv_child_set_perm_commit, + .clean = g_free, }; -/* - * With tran=NULL needs to be followed by direct call to either - * bdrv_child_set_perm_commit() or bdrv_child_set_perm_abort(). - * - * With non-NULL tran needs to be followed by tran_abort() or tran_commit() - * instead. - */ -static void bdrv_child_set_perm_safe(BdrvChild *c, uint64_t perm, - uint64_t shared, Transaction *tran) +static void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, + uint64_t shared, Transaction *tran) { - if (!c->has_backup_perm) { - c->has_backup_perm = true; - c->backup_perm = c->perm; - c->backup_shared_perm = c->shared_perm; - } - /* - * Note: it's OK if c->has_backup_perm was already set, as we can find the - * same c twice during check_perm procedure - */ + BdrvChildSetPermState *s = g_new(BdrvChildSetPermState, 1); + + *s = (BdrvChildSetPermState) { + .child = c, + .old_perm = c->perm, + .old_shared_perm = c->shared_perm, + }; c->perm = perm; c->shared_perm = shared; - if (tran) { - tran_add(tran, &bdrv_child_set_pem_drv, c); - } + tran_add(tran, &bdrv_child_set_pem_drv, s); } static void bdrv_drv_set_perm_commit(void *opaque) @@ -XXX,XX +XXX,XX @@ static int bdrv_node_check_perm(BlockDriverState *bs, BlockReopenQueue *q, bdrv_child_perm(bs, c->bs, c, c->role, q, cumulative_perms, cumulative_shared_perms, &cur_perm, &cur_shared); - bdrv_child_set_perm_safe(c, cur_perm, cur_shared, tran); + bdrv_child_set_perm(c, cur_perm, cur_shared, tran); } return 0; @@ -XXX,XX +XXX,XX @@ int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared, Transaction *tran = tran_new(); int ret; - bdrv_child_set_perm_safe(c, perm, shared, tran); + bdrv_child_set_perm(c, perm, shared, tran); ret = bdrv_refresh_perms(c->bs, &local_err); -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> We don't have bdrv_replace_child(), so it's time for bdrv_replace_child_safe() to take its place. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-36-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ static TransactionActionDrv bdrv_replace_child_drv = { }; /* - * bdrv_replace_child_safe + * bdrv_replace_child * * Note: real unref of old_bs is done only on commit. */ -static void bdrv_replace_child_safe(BdrvChild *child, BlockDriverState *new_bs, - Transaction *tran) +static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs, + Transaction *tran) { BdrvReplaceChildState *s = g_new(BdrvReplaceChildState, 1); *s = (BdrvReplaceChildState) { @@ -XXX,XX +XXX,XX @@ static void bdrv_remove_filter_or_cow_child(BlockDriverState *bs, } if (child->bs) { - bdrv_replace_child_safe(child, NULL, tran); + bdrv_replace_child(child, NULL, tran); } s = g_new(BdrvRemoveFilterOrCowChild, 1); @@ -XXX,XX +XXX,XX @@ static int bdrv_replace_node_noperm(BlockDriverState *from, c->name, from->node_name); return -EPERM; } - bdrv_replace_child_safe(c, to, tran); + bdrv_replace_child(c, to, tran); } return 0; -- 2.30.2 From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Now, bdrv_node_check_perm() is called only with fresh cumulative permissions, so its actually "refresh_perm". Move permission calculation to the function. Also, drop unreachable error message and rewrite the remaining one to be more generic (as now we don't know which node is added and which was already here). Add also Virtuozzo copyright, as big work is done at this point. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210428151804.439460-37-vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- block.c | 38 +++++++++++--------------------------- tests/qemu-iotests/245 | 2 +- 2 files changed, 12 insertions(+), 28 deletions(-) diff --git a/block.c b/block.c index XXXXXXX..XXXXXXX 100644 --- a/block.c +++ b/block.c @@ -XXX,XX +XXX,XX @@ * QEMU System Emulator block driver * * Copyright (c) 2003 Fabrice Bellard + * Copyright (c) 2020 Virtuozzo International GmbH. * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -XXX,XX +XXX,XX @@ static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs, } /* - * Check whether permissions on this node can be changed in a way that - * @cumulative_perms and @cumulative_shared_perms are the new cumulative - * permissions of all its parents. This involves checking whether all necessary - * permission changes to child nodes can be performed. - * - * A call to this function must always be followed by a call to bdrv_set_perm() - * or bdrv_abort_perm_update(). + * Refresh permissions in @bs subtree. The function is intended to be called + * after some graph modification that was done without permission update. */ -static int bdrv_node_check_perm(BlockDriverState *bs, BlockReopenQueue *q, - uint64_t cumulative_perms, - uint64_t cumulative_shared_perms, - Transaction *tran, Error **errp) +static int bdrv_node_refresh_perm(BlockDriverState *bs, BlockReopenQueue *q, + Transaction *tran, Error **errp) { BlockDriver *drv = bs->drv; BdrvChild *c; int ret; + uint64_t cumulative_perms, cumulative_shared_perms; + + bdrv_get_cumulative_perm(bs, &cumulative_perms, &cumulative_shared_perms); /* Write permissions never work with read-only images */ if ((cumulative_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) && @@ -XXX,XX +XXX,XX @@ static int bdrv_node_check_perm(BlockDriverState *bs, BlockReopenQueue *q, if (!bdrv_is_writable_after_reopen(bs, NULL)) { error_setg(errp, "Block node is read-only"); } else { - uint64_t current_perms, current_shared; - bdrv_get_cumulative_perm(bs, &current_perms, &current_shared); - if (current_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) { - error_setg(errp, "Cannot make block node read-only, there is " - "a writer on it"); - } else { - error_setg(errp, "Cannot make block node read-only and create " - "a writer on it"); - } + error_setg(errp, "Read-only block node '%s' cannot support " + "read-write users", bdrv_get_node_name(bs)); } return -EPERM; @@ -XXX,XX +XXX,XX @@ static int bdrv_list_refresh_perms(GSList *list, BlockReopenQueue *q, Transaction *tran, Error **errp) { int ret; - uint64_t cumulative_perms, cumulative_shared_perms; BlockDriverState *bs; for ( ; list; list = list->next) { @@ -XXX,XX +XXX,XX @@ static int bdrv_list_refresh_perms(GSList *list, BlockReopenQueue *q, return -EINVAL; } - bdrv_get_cumulative_perm(bs, &cumulative_perms, - &cumulative_shared_perms); - - ret = bdrv_node_check_perm(bs, q, cumulative_perms, - cumulative_shared_perms, - tran, errp); + ret = bdrv_node_refresh_perm(bs, q, tran, errp); if (ret < 0) { return ret; } diff --git a/tests/qemu-iotests/245 b/tests/qemu-iotests/245 index XXXXXXX..XXXXXXX 100755 --- a/tests/qemu-iotests/245 +++ b/tests/qemu-iotests/245 @@ -XXX,XX +XXX,XX @@ class TestBlockdevReopen(iotests.QMPTestCase): # We can't reopen hd1 to read-only, as block-stream requires it to be # read-write self.reopen(opts['backing'], {'read-only': True}, - "Cannot make block node read-only, there is a writer on it") + "Read-only block node 'hd1' cannot support read-write users") # We can't remove hd2 while the stream job is ongoing opts['backing']['backing'] = None -- 2.30.2 Normally, blk_new_open() just shares all permissions. This was fine originally when permissions only protected against uses in the same process because no other part of the code would actually get to access the block nodes opened with blk_new_open(). However, since we use it for file locking now, unsharing permissions becomes desirable. Add a new BDRV_O_NO_SHARE flag that is used in blk_new_open() to unshare any permissions that can be unshared. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210422164344.283389-2-kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- include/block/block.h | 1 + block/block-backend.c | 19 +++++++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/include/block/block.h b/include/block/block.h index XXXXXXX..XXXXXXX 100644 --- a/include/block/block.h +++ b/include/block/block.h @@ -XXX,XX +XXX,XX @@ typedef struct HDGeometry { uint32_t cylinders; } HDGeometry; +#define BDRV_O_NO_SHARE 0x0001 /* don't share permissions */ #define BDRV_O_RDWR 0x0002 #define BDRV_O_RESIZE 0x0004 /* request permission for resizing the node */ #define BDRV_O_SNAPSHOT 0x0008 /* open the file read only and save writes in a snapshot */ diff --git a/block/block-backend.c b/block/block-backend.c index XXXXXXX..XXXXXXX 100644 --- a/block/block-backend.c +++ b/block/block-backend.c @@ -XXX,XX +XXX,XX @@ BlockBackend *blk_new_open(const char *filename, const char *reference, BlockBackend *blk; BlockDriverState *bs; uint64_t perm = 0; + uint64_t shared = BLK_PERM_ALL; - /* blk_new_open() is mainly used in .bdrv_create implementations and the - * tools where sharing isn't a concern because the BDS stays private, so we - * just request permission according to the flags. + /* + * blk_new_open() is mainly used in .bdrv_create implementations and the + * tools where sharing isn't a major concern because the BDS stays private + * and the file is generally not supposed to be used by a second process, + * so we just request permission according to the flags. * * The exceptions are xen_disk and blockdev_init(); in these cases, the * caller of blk_new_open() doesn't make use of the permissions, but they * shouldn't hurt either. We can still share everything here because the - * guest devices will add their own blockers if they can't share. */ + * guest devices will add their own blockers if they can't share. + */ if ((flags & BDRV_O_NO_IO) == 0) { perm |= BLK_PERM_CONSISTENT_READ; if (flags & BDRV_O_RDWR) { @@ -XXX,XX +XXX,XX @@ BlockBackend *blk_new_open(const char *filename, const char *reference, if (flags & BDRV_O_RESIZE) { perm |= BLK_PERM_RESIZE; } + if (flags & BDRV_O_NO_SHARE) { + shared = BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE_UNCHANGED; + } - blk = blk_new(qemu_get_aio_context(), perm, BLK_PERM_ALL); + blk = blk_new(qemu_get_aio_context(), perm, shared); bs = bdrv_open(filename, reference, options, flags, errp); if (!bs) { blk_unref(blk); @@ -XXX,XX +XXX,XX @@ BlockBackend *blk_new_open(const char *filename, const char *reference, blk->root = bdrv_root_attach_child(bs, "root", &child_root, BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY, - perm, BLK_PERM_ALL, blk, errp); + perm, shared, blk, errp); if (!blk->root) { blk_unref(blk); return NULL; -- 2.30.2 For a successful conversion of an image, we must make sure that its content doesn't change during the conversion. A special case of this is using the same image file both as the source and as the destination. If both input and output format are raw, the operation would just be useless work, with other formats it is a sure way to destroy the image. This will now fail because the image file can't be opened a second time for the output when opening it for the input has already acquired file locks to unshare BLK_PERM_WRITE. Nevertheless, if there is some reason in a special case why it is actually okay to allow writes to the image while it is being converted, -U can still be used to force sharing all permissions. Note that for most image formats, BLK_PERM_WRITE would already be unshared by the format driver, so this only really makes a difference for raw source images (but any output format). Reported-by: Xueqiang Wei <xuwei@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-Id: <20210422164344.283389-3-kwolf@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- qemu-img.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu-img.c b/qemu-img.c index XXXXXXX..XXXXXXX 100644 --- a/qemu-img.c +++ b/qemu-img.c @@ -XXX,XX +XXX,XX @@ static void set_rate_limit(BlockBackend *blk, int64_t rate_limit) static int img_convert(int argc, char **argv) { - int c, bs_i, flags, src_flags = 0; + int c, bs_i, flags, src_flags = BDRV_O_NO_SHARE; const char *fmt = NULL, *out_fmt = NULL, *cache = "unsafe", *src_cache = BDRV_DEFAULT_CACHE, *out_baseimg = NULL, *out_filename, *out_baseimg_param, *snapshot_name = NULL; -- 2.30.2 virtio_add_queue() aborts when queue_size > VIRTQUEUE_MAX_SIZE, so vhost_user_blk_device_realize() should check this before calling it. Simple reproducer: qemu-system-x86_64 \ -chardev null,id=foo \ -device vhost-user-blk-pci,queue-size=4096,chardev=foo Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935014 Signed-off-by: Kevin Wolf <kwolf@redhat.com> Message-Id: <20210413165654.50810-1-kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> --- hw/block/vhost-user-blk.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c index XXXXXXX..XXXXXXX 100644 --- a/hw/block/vhost-user-blk.c +++ b/hw/block/vhost-user-blk.c @@ -XXX,XX +XXX,XX @@ static void vhost_user_blk_device_realize(DeviceState *dev, Error **errp) error_setg(errp, "vhost-user-blk: queue size must be non-zero"); return; } + if (s->queue_size > VIRTQUEUE_MAX_SIZE) { + error_setg(errp, "vhost-user-blk: queue size must not exceed %d", + VIRTQUEUE_MAX_SIZE); + return; + } if (!vhost_user_init(&s->vhost_user, &s->chardev, errp)) { return; -- 2.30.2