Series comparison

-[PULL 0/2] Block patches
+[PULL v3 0/5] Block patches
-The following changes since commit 67c1115edd98f388ca89dd38322ea3fadf034523:
+The following changes since commit 813bac3d8d70d85cb7835f7945eb9eed84c2d8d0:
-  Merge remote-tracking branch 'remotes/kraxel/tags/ui-20210323-pull-request' into staging (2021-03-23 23:47:30 +0000)
+  Merge tag '2023q3-bsd-user-pull-request' of https://gitlab.com/bsdimp/qemu into staging (2023-08-29 08:58:00 -0400)
 are available in the Git repository at:
   https://gitlab.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to 3460fd7f3959d1fa7bcc255796844aa261c805a4:
+for you to fetch changes up to 87ec6f55af38e29be5b2b65a8acf84da73e06d06:
-  migrate-bitmaps-postcopy-test: check that we can't remove in-flight bitmaps (2021-03-24 13:41:19 +0000)
+  aio-posix: zero out io_uring sqe user_data (2023-08-30 07:39:59 -0400)
 ----------------------------------------------------------------
 Pull request
-This dirty bitmap fix solves a crash that can be triggered in the destination
+v3:
-QEMU process during live migration.
+- Drop UFS emulation due to CI failures
 - Add "aio-posix: zero out io_uring sqe user_data"
 ----------------------------------------------------------------
-Vladimir Sementsov-Ogievskiy (2):
+Andrey Drobyshev (3):
-  migration/block-dirty-bitmap: make incoming disabled bitmaps busy
+  block: add subcluster_size field to BlockDriverInfo
-  migrate-bitmaps-postcopy-test: check that we can't remove in-flight
+  block/io: align requests to subcluster_size
-    bitmaps
+  tests/qemu-iotests/197: add testcase for CoR with subclusters
- migration/block-dirty-bitmap.c                         |  6 ++++++
+Fabiano Rosas (1):
- tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test | 10 ++++++++++
+  block-migration: Ensure we don't crash during migration cleanup
-files changed, 16 insertions(+)
 Stefan Hajnoczi (1):
   aio-posix: zero out io_uring sqe user_data
  include/block/block-common.h |  5 ++++
  include/block/block-io.h     |  8 +++---
  block.c                      |  7 +++++
  block/io.c                   | 50 ++++++++++++++++++------------------
  block/mirror.c               |  8 +++---
  block/qcow2.c                |  1 +
  migration/block.c            | 11 ++++++--
  util/fdmon-io_uring.c        |  2 ++
  tests/qemu-iotests/197       | 29 +++++++++++++++++++++
  tests/qemu-iotests/197.out   | 24 +++++++++++++++++
 files changed, 110 insertions(+), 35 deletions(-)
 --
-.30.2
+.41.0

-New patch
+[PULL v3 1/5] block-migration: Ensure we don't crash during migration cleanup
+From: Fabiano Rosas <farosas@suse.de>
+We can fail the blk_insert_bs() at init_blk_migration(), leaving the
+BlkMigDevState without a dirty_bitmap and BlockDriverState. Account
+for the possibly missing elements when doing cleanup.
+Fix the following crashes:
+Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
+x0000555555ec83ef in bdrv_release_dirty_bitmap (bitmap=0x0) at ../block/dirty-bitmap.c:359
+BlockDriverState *bs = bitmap->bs;
+ #0  0x0000555555ec83ef in bdrv_release_dirty_bitmap (bitmap=0x0) at ../block/dirty-bitmap.c:359
+ #1  0x0000555555bba331 in unset_dirty_tracking () at ../migration/block.c:371
+ #2  0x0000555555bbad98 in block_migration_cleanup_bmds () at ../migration/block.c:681
+Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
+x0000555555e971ff in bdrv_op_unblock (bs=0x0, op=BLOCK_OP_TYPE_BACKUP_SOURCE, reason=0x0) at ../block.c:7073
+QLIST_FOREACH_SAFE(blocker, &bs->op_blockers[op], list, next) {
+ #0  0x0000555555e971ff in bdrv_op_unblock (bs=0x0, op=BLOCK_OP_TYPE_BACKUP_SOURCE, reason=0x0) at ../block.c:7073
+ #1  0x0000555555e9734a in bdrv_op_unblock_all (bs=0x0, reason=0x0) at ../block.c:7095
+ #2  0x0000555555bbae13 in block_migration_cleanup_bmds () at ../migration/block.c:690
+Signed-off-by: Fabiano Rosas <farosas@suse.de>
+Message-id: 20230731203338.27581-1-farosas@suse.de
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ migration/block.c | 11 +++++++++--
+file changed, 9 insertions(+), 2 deletions(-)
+diff --git a/migration/block.c b/migration/block.c
+index XXXXXXX..XXXXXXX 100644
+--- a/migration/block.c
++++ b/migration/block.c
+@@ -XXX,XX +XXX,XX @@ static void unset_dirty_tracking(void)
+     BlkMigDevState *bmds;
+     QSIMPLEQ_FOREACH(bmds, &block_mig_state.bmds_list, entry) {
+-        bdrv_release_dirty_bitmap(bmds->dirty_bitmap);
++        if (bmds->dirty_bitmap) {
++            bdrv_release_dirty_bitmap(bmds->dirty_bitmap);
++        }
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static int64_t get_remaining_dirty(void)
+ static void block_migration_cleanup_bmds(void)
+ {
+     BlkMigDevState *bmds;
++    BlockDriverState *bs;
+     AioContext *ctx;
+     unset_dirty_tracking();
+     while ((bmds = QSIMPLEQ_FIRST(&block_mig_state.bmds_list)) != NULL) {
+         QSIMPLEQ_REMOVE_HEAD(&block_mig_state.bmds_list, entry);
+-        bdrv_op_unblock_all(blk_bs(bmds->blk), bmds->blocker);
++
++        bs = blk_bs(bmds->blk);
++        if (bs) {
++            bdrv_op_unblock_all(bs, bmds->blocker);
++        }
+         error_free(bmds->blocker);
+         /* Save ctx, because bmds->blk can disappear during blk_unref.  */
+--
+.41.0

-New patch
+[PULL v3 2/5] block: add subcluster_size field to BlockDriverInfo
+From: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
+This is going to be used in the subsequent commit as requests alignment
+(in particular, during copy-on-read).  This value only makes sense for
+the formats which support subclusters (currently QCOW2 only).  If this
+field isn't set by driver's own bdrv_get_info() implementation, we
+simply set it equal to the cluster size thus treating each cluster as
+having a single subcluster.
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Denis V. Lunev <den@openvz.org>
+Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-ID: <20230711172553.234055-2-andrey.drobyshev@virtuozzo.com>
+---
+ include/block/block-common.h | 5 +++++
+ block.c                      | 7 +++++++
+ block/qcow2.c                | 1 +
+files changed, 13 insertions(+)
+diff --git a/include/block/block-common.h b/include/block/block-common.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/block/block-common.h
++++ b/include/block/block-common.h
+@@ -XXX,XX +XXX,XX @@ typedef struct BlockZoneWps {
+ typedef struct BlockDriverInfo {
+     /* in bytes, 0 if irrelevant */
+     int cluster_size;
++    /*
++     * A fraction of cluster_size, if supported (currently QCOW2 only); if
++     * disabled or unsupported, set equal to cluster_size.
++     */
++    int subcluster_size;
+     /* offset at which the VM state can be saved (0 if not possible) */
+     int64_t vm_state_offset;
+     bool is_dirty;
+diff --git a/block.c b/block.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block.c
++++ b/block.c
+@@ -XXX,XX +XXX,XX @@ int coroutine_fn bdrv_co_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
+     }
+     memset(bdi, 0, sizeof(*bdi));
+     ret = drv->bdrv_co_get_info(bs, bdi);
++    if (bdi->subcluster_size == 0) {
++        /*
++         * If the driver left this unset, subclusters are not supported.
++         * Then it is safe to treat each cluster as having only one subcluster.
++         */
++        bdi->subcluster_size = bdi->cluster_size;
++    }
+     if (ret < 0) {
+         return ret;
+     }
+diff --git a/block/qcow2.c b/block/qcow2.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -XXX,XX +XXX,XX @@ qcow2_co_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
+ {
+     BDRVQcow2State *s = bs->opaque;
+     bdi->cluster_size = s->cluster_size;
++    bdi->subcluster_size = s->subcluster_size;
+     bdi->vm_state_offset = qcow2_vm_state_offset(s);
+     bdi->is_dirty = s->incompatible_features & QCOW2_INCOMPAT_DIRTY;
+     return 0;
+--
+.41.0

-New patch
+[PULL v3 3/5] block/io: align requests to subcluster_size
+From: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
 When target image is using subclusters, and we align the request during
 copy-on-read, it makes sense to align to subcluster_size rather than
 cluster_size.  Otherwise we end up with unnecessary allocations.
 This commit renames bdrv_round_to_clusters() to bdrv_round_to_subclusters()
 and utilizes subcluster_size field of BlockDriverInfo to make necessary
 alignments.  It affects copy-on-read as well as mirror job (which is
 using bdrv_round_to_clusters()).
 This change also fixes the following bug with failing assert (covered by
 the test in the subsequent commit):
 qemu-img create -f qcow2 base.qcow2 64K
 qemu-img create -f qcow2 -o extended_l2=on,backing_file=base.qcow2,backing_fmt=qcow2 img.qcow2 64K
 qemu-io -c "write -P 0xaa 0 2K" img.qcow2
 qemu-io -C -c "read -P 0x00 2K 62K" img.qcow2
 qemu-io: ../block/io.c:1236: bdrv_co_do_copy_on_readv: Assertion `skip_bytes < pnum' failed.
 Reviewed-by: Eric Blake <eblake@redhat.com>
 Reviewed-by: Denis V. Lunev <den@openvz.org>
 Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
 Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 Message-ID: <20230711172553.234055-3-andrey.drobyshev@virtuozzo.com>
 ---
  include/block/block-io.h |  8 +++----
  block/io.c               | 50 ++++++++++++++++++++--------------------
  block/mirror.c           |  8 +++----
 files changed, 33 insertions(+), 33 deletions(-)
 diff --git a/include/block/block-io.h b/include/block/block-io.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/block/block-io.h
 +++ b/include/block/block-io.h
@@ -XXX,XX +XXX,XX @@ bdrv_get_info(BlockDriverState *bs, BlockDriverInfo *bdi);
  ImageInfoSpecific *bdrv_get_specific_info(BlockDriverState *bs,
                                            Error **errp);
  BlockStatsSpecific *bdrv_get_specific_stats(BlockDriverState *bs);
 -void bdrv_round_to_clusters(BlockDriverState *bs,
 -                            int64_t offset, int64_t bytes,
 -                            int64_t *cluster_offset,
 -                            int64_t *cluster_bytes);
 +void bdrv_round_to_subclusters(BlockDriverState *bs,
 +                               int64_t offset, int64_t bytes,
 +                               int64_t *cluster_offset,
 +                               int64_t *cluster_bytes);
  void bdrv_get_backing_filename(BlockDriverState *bs,
                                 char *filename, int filename_size);
 diff --git a/block/io.c b/block/io.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/io.c
 +++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ BdrvTrackedRequest *coroutine_fn bdrv_co_get_self_request(BlockDriverState *bs)
  }
  /**
 - * Round a region to cluster boundaries
 + * Round a region to subcluster (if supported) or cluster boundaries
   */
  void coroutine_fn GRAPH_RDLOCK
 -bdrv_round_to_clusters(BlockDriverState *bs, int64_t offset, int64_t bytes,
 -                       int64_t *cluster_offset, int64_t *cluster_bytes)
 +bdrv_round_to_subclusters(BlockDriverState *bs, int64_t offset, int64_t bytes,
 +                          int64_t *align_offset, int64_t *align_bytes)
  {
      BlockDriverInfo bdi;
      IO_CODE();
 -    if (bdrv_co_get_info(bs, &bdi) < 0 || bdi.cluster_size == 0) {
 -        *cluster_offset = offset;
 -        *cluster_bytes = bytes;
 +    if (bdrv_co_get_info(bs, &bdi) < 0 || bdi.subcluster_size == 0) {
 +        *align_offset = offset;
 +        *align_bytes = bytes;
      } else {
 -        int64_t c = bdi.cluster_size;
 -        *cluster_offset = QEMU_ALIGN_DOWN(offset, c);
 -        *cluster_bytes = QEMU_ALIGN_UP(offset - *cluster_offset + bytes, c);
 +        int64_t c = bdi.subcluster_size;
 +        *align_offset = QEMU_ALIGN_DOWN(offset, c);
 +        *align_bytes = QEMU_ALIGN_UP(offset - *align_offset + bytes, c);
      }
  }
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
      void *bounce_buffer = NULL;
      BlockDriver *drv = bs->drv;
 -    int64_t cluster_offset;
 -    int64_t cluster_bytes;
 +    int64_t align_offset;
 +    int64_t align_bytes;
      int64_t skip_bytes;
      int ret;
      int max_transfer = MIN_NON_ZERO(bs->bl.max_transfer,
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
       * BDRV_REQUEST_MAX_BYTES (even when the original read did not), which
       * is one reason we loop rather than doing it all at once.
       */
 -    bdrv_round_to_clusters(bs, offset, bytes, &cluster_offset, &cluster_bytes);
 -    skip_bytes = offset - cluster_offset;
 +    bdrv_round_to_subclusters(bs, offset, bytes, &align_offset, &align_bytes);
 +    skip_bytes = offset - align_offset;
      trace_bdrv_co_do_copy_on_readv(bs, offset, bytes,
 -                                   cluster_offset, cluster_bytes);
 +                                   align_offset, align_bytes);
 -    while (cluster_bytes) {
 +    while (align_bytes) {
          int64_t pnum;
          if (skip_write) {
              ret = 1; /* "already allocated", so nothing will be copied */
 -            pnum = MIN(cluster_bytes, max_transfer);
 +            pnum = MIN(align_bytes, max_transfer);
          } else {
 -            ret = bdrv_is_allocated(bs, cluster_offset,
 -                                    MIN(cluster_bytes, max_transfer), &pnum);
 +            ret = bdrv_is_allocated(bs, align_offset,
 +                                    MIN(align_bytes, max_transfer), &pnum);
              if (ret < 0) {
                  /*
                   * Safe to treat errors in querying allocation as if
                   * unallocated; we'll probably fail again soon on the
                   * read, but at least that will set a decent errno.
                   */
 -                pnum = MIN(cluster_bytes, max_transfer);
 +                pnum = MIN(align_bytes, max_transfer);
              }
              /* Stop at EOF if the image ends in the middle of the cluster */
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
              /* Must copy-on-read; use the bounce buffer */
              pnum = MIN(pnum, MAX_BOUNCE_BUFFER);
              if (!bounce_buffer) {
 -                int64_t max_we_need = MAX(pnum, cluster_bytes - pnum);
 +                int64_t max_we_need = MAX(pnum, align_bytes - pnum);
                  int64_t max_allowed = MIN(max_transfer, MAX_BOUNCE_BUFFER);
                  int64_t bounce_buffer_len = MIN(max_we_need, max_allowed);
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
              }
              qemu_iovec_init_buf(&local_qiov, bounce_buffer, pnum);
 -            ret = bdrv_driver_preadv(bs, cluster_offset, pnum,
 +            ret = bdrv_driver_preadv(bs, align_offset, pnum,
                                       &local_qiov, 0, 0);
              if (ret < 0) {
                  goto err;
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
                  /* FIXME: Should we (perhaps conditionally) be setting
                   * BDRV_REQ_MAY_UNMAP, if it will allow for a sparser copy
                   * that still correctly reads as zero? */
 -                ret = bdrv_co_do_pwrite_zeroes(bs, cluster_offset, pnum,
 +                ret = bdrv_co_do_pwrite_zeroes(bs, align_offset, pnum,
                                                 BDRV_REQ_WRITE_UNCHANGED);
              } else {
                  /* This does not change the data on the disk, it is not
                   * necessary to flush even in cache=writethrough mode.
                   */
 -                ret = bdrv_driver_pwritev(bs, cluster_offset, pnum,
 +                ret = bdrv_driver_pwritev(bs, align_offset, pnum,
                                            &local_qiov, 0,
                                            BDRV_REQ_WRITE_UNCHANGED);
              }
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
              }
          }
 -        cluster_offset += pnum;
 -        cluster_bytes -= pnum;
 +        align_offset += pnum;
 +        align_bytes -= pnum;
          progress += pnum - skip_bytes;
          skip_bytes = 0;
      }
 diff --git a/block/mirror.c b/block/mirror.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/mirror.c
 +++ b/block/mirror.c
@@ -XXX,XX +XXX,XX @@ static int coroutine_fn mirror_cow_align(MirrorBlockJob *s, int64_t *offset,
      need_cow |= !test_bit((*offset + *bytes - 1) / s->granularity,
                            s->cow_bitmap);
      if (need_cow) {
 -        bdrv_round_to_clusters(blk_bs(s->target), *offset, *bytes,
 -                               &align_offset, &align_bytes);
 +        bdrv_round_to_subclusters(blk_bs(s->target), *offset, *bytes,
 +                                  &align_offset, &align_bytes);
      }
      if (align_bytes > max_bytes) {
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn mirror_iteration(MirrorBlockJob *s)
              int64_t target_offset;
              int64_t target_bytes;
              WITH_GRAPH_RDLOCK_GUARD() {
 -                bdrv_round_to_clusters(blk_bs(s->target), offset, io_bytes,
 -                                       &target_offset, &target_bytes);
 +                bdrv_round_to_subclusters(blk_bs(s->target), offset, io_bytes,
 +                                          &target_offset, &target_bytes);
              }
              if (target_offset == offset &&
                  target_bytes == io_bytes) {
 --
 .41.0

-[PULL 2/2] migrate-bitmaps-postcopy-test: check that we can't remove in-flight bitmaps
+[PULL v3 4/5] tests/qemu-iotests/197: add testcase for CoR with subclusters
-From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+From: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
-Check that we can't remove bitmaps being migrated on destination vm.
+Add testcase which checks that allocations during copy-on-read are
-The new check proves that previous commit helps.
+performed on the subcluster basis when subclusters are enabled in target
 image.
-Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+This testcase also triggers the following assert with previous commit
 not being applied, so we check that as well:
 qemu-io: ../block/io.c:1236: bdrv_co_do_copy_on_readv: Assertion `skip_bytes < pnum' failed.
 Reviewed-by: Eric Blake <eblake@redhat.com>
 Reviewed-by: Denis V. Lunev <den@openvz.org>
 Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
 Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20210322094906.5079-3-vsementsov@virtuozzo.com>
+Message-ID: <20230711172553.234055-4-andrey.drobyshev@virtuozzo.com>
 ---
- tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test | 10 ++++++++++
+ tests/qemu-iotests/197     | 29 +++++++++++++++++++++++++++++
-file changed, 10 insertions(+)
+ tests/qemu-iotests/197.out | 24 ++++++++++++++++++++++++
 files changed, 53 insertions(+)
-diff --git a/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test b/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test
+diff --git a/tests/qemu-iotests/197 b/tests/qemu-iotests/197
 index XXXXXXX..XXXXXXX 100755
---- a/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test
+--- a/tests/qemu-iotests/197
-+++ b/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test
++++ b/tests/qemu-iotests/197
-@@ -XXX,XX +XXX,XX @@ class TestDirtyBitmapPostcopyMigration(iotests.QMPTestCase):
+@@ -XXX,XX +XXX,XX @@ $QEMU_IO -f qcow2 -C -c 'read 0 1024' "$TEST_WRAP" | _filter_qemu_io
-         self.start_postcopy()
+ $QEMU_IO -f qcow2 -c map "$TEST_WRAP"
+ _check_test_img
-         self.vm_b_events += self.vm_b.get_qmp_events()
 +echo
 +echo '=== Copy-on-read with subclusters ==='
 +echo
 +
-+        # While being here, let's check that we can't remove in-flight bitmaps.
++# Create base and top images 64K (1 cluster) each.  Make subclusters enabled
-+        for vm in (self.vm_a, self.vm_b):
++# for the top image
-+            for i in range(0, nb_bitmaps):
++_make_test_img 64K
-+                result = vm.qmp('block-dirty-bitmap-remove', node='drive0',
++IMGPROTO=file IMGFMT=qcow2 TEST_IMG_FILE="$TEST_WRAP" \
-+                                name=f'bitmap{i}')
++    _make_test_img --no-opts -o extended_l2=true -F "$IMGFMT" -b "$TEST_IMG" \
-+                self.assert_qmp(result, 'error/desc',
++    64K | _filter_img_create
 +                                f"Bitmap 'bitmap{i}' is currently in use by "
 +                                "another operation and cannot be used")
 +
-         self.vm_b.shutdown()
++$QEMU_IO -c "write -P 0xaa 0 64k" "$TEST_IMG" | _filter_qemu_io
-         # recreate vm_b, so there is no incoming option, which prevents
++
-         # loading bitmaps from disk
++# Allocate individual subclusters in the top image, and not the whole cluster
 +$QEMU_IO -c "write -P 0xbb 28K 2K" -c "write -P 0xcc 34K 2K" "$TEST_WRAP" \
 +    | _filter_qemu_io
 +
 +# Only 2 subclusters should be allocated in the top image at this point
 +$QEMU_IMG map "$TEST_WRAP" | _filter_qemu_img_map
 +
 +# Actual copy-on-read operation
 +$QEMU_IO -C -c "read -P 0xaa 30K 4K" "$TEST_WRAP" | _filter_qemu_io
 +
 +# And here we should have 4 subclusters allocated right in the middle of the
 +# top image. Make sure the whole cluster remains unallocated
 +$QEMU_IMG map "$TEST_WRAP" | _filter_qemu_img_map
 +
 +_check_test_img
 +
  # success, all done
  echo '*** done'
  status=0
 diff --git a/tests/qemu-iotests/197.out b/tests/qemu-iotests/197.out
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/qemu-iotests/197.out
 +++ b/tests/qemu-iotests/197.out
@@ -XXX,XX +XXX,XX @@ read 1024/1024 bytes at offset 0
 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 KiB (0x400) bytes     allocated at offset 0 bytes (0x0)
  No errors were found on the image.
 +
 +=== Copy-on-read with subclusters ===
 +
 +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=65536
 +Formatting 'TEST_DIR/t.wrap.IMGFMT', fmt=IMGFMT size=65536 backing_file=TEST_DIR/t.IMGFMT backing_fmt=IMGFMT
 +wrote 65536/65536 bytes at offset 0
 +64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 +wrote 2048/2048 bytes at offset 28672
 +2 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 +wrote 2048/2048 bytes at offset 34816
 +2 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 +Offset          Length          File
 +0               0x7000          TEST_DIR/t.IMGFMT
 +0x7000          0x800           TEST_DIR/t.wrap.IMGFMT
 +0x7800          0x1000          TEST_DIR/t.IMGFMT
 +0x8800          0x800           TEST_DIR/t.wrap.IMGFMT
 +0x9000          0x7000          TEST_DIR/t.IMGFMT
 +read 4096/4096 bytes at offset 30720
 +4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 +Offset          Length          File
 +0               0x7000          TEST_DIR/t.IMGFMT
 +0x7000          0x2000          TEST_DIR/t.wrap.IMGFMT
 +0x9000          0x7000          TEST_DIR/t.IMGFMT
 +No errors were found on the image.
  *** done
 --
-.30.2
+.41.0

-[PULL 1/2] migration/block-dirty-bitmap: make incoming disabled bitmaps busy
+[PULL v3 5/5] aio-posix: zero out io_uring sqe user_data
-From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+liburing does not clear sqe->user_data. We must do it ourselves to avoid
 undefined behavior in process_cqe() when user_data is used.
-Incoming enabled bitmaps are busy, because we do
+Note that fdmon-io_uring is currently disabled, so this is a latent bug
-bdrv_dirty_bitmap_create_successor() for them. But disabled bitmaps
+that does not affect users. Let's merge this fix now to make it easier
-being migrated are not marked busy, and user can remove them during the
+to enable fdmon-io_uring in the future (and I'm working on that).
 incoming migration. Then we may crash in cancel_incoming_locked() when
 try to remove the bitmap that was already removed by user, like this:
- #0  qemu_mutex_lock_impl (mutex=0x5593d88c50d1, file=0x559680554b20
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-   "../block/dirty-bitmap.c", line=64) at ../util/qemu-thread-posix.c:77
+Message-ID: <20230426212639.82310-1-stefanha@redhat.com>
- #1  bdrv_dirty_bitmaps_lock (bs=0x5593d88c0ee9)
+---
-   at ../block/dirty-bitmap.c:64
+ util/fdmon-io_uring.c | 2 ++
- #2  bdrv_release_dirty_bitmap (bitmap=0x5596810e9570)
+file changed, 2 insertions(+)
    at ../block/dirty-bitmap.c:362
  #3  cancel_incoming_locked (s=0x559680be8208 <dbm_state+40>)
    at ../migration/block-dirty-bitmap.c:918
  #4  dirty_bitmap_load (f=0x559681d02b10, opaque=0x559680be81e0
    <dbm_state>, version_id=1) at ../migration/block-dirty-bitmap.c:1194
  #5  vmstate_load (f=0x559681d02b10, se=0x559680fb5810)
    at ../migration/savevm.c:908
  #6  qemu_loadvm_section_part_end (f=0x559681d02b10,
    mis=0x559680fb4a30) at ../migration/savevm.c:2473
  #7  qemu_loadvm_state_main (f=0x559681d02b10, mis=0x559680fb4a30)
    at ../migration/savevm.c:2626
  #8  postcopy_ram_listen_thread (opaque=0x0)
    at ../migration/savevm.c:1871
  #9  qemu_thread_start (args=0x5596817ccd10)
    at ../util/qemu-thread-posix.c:521
  #10 start_thread () at /lib64/libpthread.so.0
  #11 clone () at /lib64/libc.so.6
-Note bs pointer taken from bitmap: it's definitely bad aligned. That's
+diff --git a/util/fdmon-io_uring.c b/util/fdmon-io_uring.c
 because we are in use after free, bitmap is already freed.
 So, let's make disabled bitmaps (being migrated) busy during incoming
 migration.
 Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 Message-Id: <20210322094906.5079-2-vsementsov@virtuozzo.com>
 ---
  migration/block-dirty-bitmap.c | 6 ++++++
 file changed, 6 insertions(+)
 diff --git a/migration/block-dirty-bitmap.c b/migration/block-dirty-bitmap.c
 index XXXXXXX..XXXXXXX 100644
---- a/migration/block-dirty-bitmap.c
+--- a/util/fdmon-io_uring.c
-+++ b/migration/block-dirty-bitmap.c
++++ b/util/fdmon-io_uring.c
-@@ -XXX,XX +XXX,XX @@ static int dirty_bitmap_load_start(QEMUFile *f, DBMLoadState *s)
+@@ -XXX,XX +XXX,XX @@ static void add_poll_remove_sqe(AioContext *ctx, AioHandler *node)
-             error_report_err(local_err);
+ #else
-             return -EINVAL;
+     io_uring_prep_poll_remove(sqe, node);
-         }
+ #endif
-+    } else {
++    io_uring_sqe_set_data(sqe, NULL);
-+        bdrv_dirty_bitmap_set_busy(s->bitmap, true);
+ }
-     }
+ /* Add a timeout that self-cancels when another cqe becomes ready */
-     b = g_new(LoadBitmapState, 1);
+@@ -XXX,XX +XXX,XX @@ static void add_timeout_sqe(AioContext *ctx, int64_t ns)
-@@ -XXX,XX +XXX,XX @@ static void cancel_incoming_locked(DBMLoadState *s)
-         assert(!s->before_vm_start_handled || !b->migrated);
+     sqe = get_sqe(ctx);
-         if (bdrv_dirty_bitmap_has_successor(b->bitmap)) {
+     io_uring_prep_timeout(sqe, &ts, 1, 0);
-             bdrv_reclaim_dirty_bitmap(b->bitmap, &error_abort);
++    io_uring_sqe_set_data(sqe, NULL);
-+        } else {
+ }
-+            bdrv_dirty_bitmap_set_busy(b->bitmap, false);
-         }
+ /* Add sqes from ctx->submit_list for submission */
          bdrv_release_dirty_bitmap(b->bitmap);
      }
@@ -XXX,XX +XXX,XX @@ static void dirty_bitmap_load_complete(QEMUFile *f, DBMLoadState *s)
      if (bdrv_dirty_bitmap_has_successor(s->bitmap)) {
          bdrv_reclaim_dirty_bitmap(s->bitmap, &error_abort);
 +    } else {
 +        bdrv_dirty_bitmap_set_busy(s->bitmap, false);
      }
      for (item = s->bitmaps; item; item = g_slist_next(item)) {
 --
-.30.2
+.41.0

The following changes since commit 67c1115edd98f388ca89dd38322ea3fadf034523:

Merge remote-tracking branch 'remotes/kraxel/tags/ui-20210323-pull-request' into staging (2021-03-23 23:47:30 +0000)

are available in the Git repository at:

https://gitlab.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to 3460fd7f3959d1fa7bcc255796844aa261c805a4:

migrate-bitmaps-postcopy-test: check that we can't remove in-flight bitmaps (2021-03-24 13:41:19 +0000)

----------------------------------------------------------------
Pull request

This dirty bitmap fix solves a crash that can be triggered in the destination
QEMU process during live migration.

----------------------------------------------------------------

Vladimir Sementsov-Ogievskiy (2):
  migration/block-dirty-bitmap: make incoming disabled bitmaps busy
  migrate-bitmaps-postcopy-test: check that we can't remove in-flight
    bitmaps

migration/block-dirty-bitmap.c                         |  6 ++++++
 tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test | 10 ++++++++++
 2 files changed, 16 insertions(+)

-- 
2.30.2

From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>

Incoming enabled bitmaps are busy, because we do
bdrv_dirty_bitmap_create_successor() for them. But disabled bitmaps
being migrated are not marked busy, and user can remove them during the
incoming migration. Then we may crash in cancel_incoming_locked() when
try to remove the bitmap that was already removed by user, like this:

#0  qemu_mutex_lock_impl (mutex=0x5593d88c50d1, file=0x559680554b20
   "../block/dirty-bitmap.c", line=64) at ../util/qemu-thread-posix.c:77
 #1  bdrv_dirty_bitmaps_lock (bs=0x5593d88c0ee9)
   at ../block/dirty-bitmap.c:64
 #2  bdrv_release_dirty_bitmap (bitmap=0x5596810e9570)
   at ../block/dirty-bitmap.c:362
 #3  cancel_incoming_locked (s=0x559680be8208 <dbm_state+40>)
   at ../migration/block-dirty-bitmap.c:918
 #4  dirty_bitmap_load (f=0x559681d02b10, opaque=0x559680be81e0
   <dbm_state>, version_id=1) at ../migration/block-dirty-bitmap.c:1194
 #5  vmstate_load (f=0x559681d02b10, se=0x559680fb5810)
   at ../migration/savevm.c:908
 #6  qemu_loadvm_section_part_end (f=0x559681d02b10,
   mis=0x559680fb4a30) at ../migration/savevm.c:2473
 #7  qemu_loadvm_state_main (f=0x559681d02b10, mis=0x559680fb4a30)
   at ../migration/savevm.c:2626
 #8  postcopy_ram_listen_thread (opaque=0x0)
   at ../migration/savevm.c:1871
 #9  qemu_thread_start (args=0x5596817ccd10)
   at ../util/qemu-thread-posix.c:521
 #10 start_thread () at /lib64/libpthread.so.0
 #11 clone () at /lib64/libc.so.6

Note bs pointer taken from bitmap: it's definitely bad aligned. That's
because we are in use after free, bitmap is already freed.

So, let's make disabled bitmaps (being migrated) busy during incoming
migration.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20210322094906.5079-2-vsementsov@virtuozzo.com>
---
 migration/block-dirty-bitmap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/migration/block-dirty-bitmap.c b/migration/block-dirty-bitmap.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/block-dirty-bitmap.c
+++ b/migration/block-dirty-bitmap.c
@@ -XXX,XX +XXX,XX @@ static int dirty_bitmap_load_start(QEMUFile *f, DBMLoadState *s)
             error_report_err(local_err);
             return -EINVAL;
         }
+    } else {
+        bdrv_dirty_bitmap_set_busy(s->bitmap, true);
     }
 
     b = g_new(LoadBitmapState, 1);
@@ -XXX,XX +XXX,XX @@ static void cancel_incoming_locked(DBMLoadState *s)
         assert(!s->before_vm_start_handled || !b->migrated);
         if (bdrv_dirty_bitmap_has_successor(b->bitmap)) {
             bdrv_reclaim_dirty_bitmap(b->bitmap, &error_abort);
+        } else {
+            bdrv_dirty_bitmap_set_busy(b->bitmap, false);
         }
         bdrv_release_dirty_bitmap(b->bitmap);
     }
@@ -XXX,XX +XXX,XX @@ static void dirty_bitmap_load_complete(QEMUFile *f, DBMLoadState *s)
 
     if (bdrv_dirty_bitmap_has_successor(s->bitmap)) {
         bdrv_reclaim_dirty_bitmap(s->bitmap, &error_abort);
+    } else {
+        bdrv_dirty_bitmap_set_busy(s->bitmap, false);
     }
 
     for (item = s->bitmaps; item; item = g_slist_next(item)) {
-- 
2.30.2

From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>

Check that we can't remove bitmaps being migrated on destination vm.
The new check proves that previous commit helps.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20210322094906.5079-3-vsementsov@virtuozzo.com>
---
 tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test b/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test
index XXXXXXX..XXXXXXX 100755
--- a/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test
+++ b/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test
@@ -XXX,XX +XXX,XX @@ class TestDirtyBitmapPostcopyMigration(iotests.QMPTestCase):
         self.start_postcopy()
 
         self.vm_b_events += self.vm_b.get_qmp_events()
+
+        # While being here, let's check that we can't remove in-flight bitmaps.
+        for vm in (self.vm_a, self.vm_b):
+            for i in range(0, nb_bitmaps):
+                result = vm.qmp('block-dirty-bitmap-remove', node='drive0',
+                                name=f'bitmap{i}')
+                self.assert_qmp(result, 'error/desc',
+                                f"Bitmap 'bitmap{i}' is currently in use by "
+                                "another operation and cannot be used")
+
         self.vm_b.shutdown()
         # recreate vm_b, so there is no incoming option, which prevents
         # loading bitmaps from disk
-- 
2.30.2

The following changes since commit 813bac3d8d70d85cb7835f7945eb9eed84c2d8d0:

Merge tag '2023q3-bsd-user-pull-request' of https://gitlab.com/bsdimp/qemu into staging (2023-08-29 08:58:00 -0400)

are available in the Git repository at:

https://gitlab.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to 87ec6f55af38e29be5b2b65a8acf84da73e06d06:

aio-posix: zero out io_uring sqe user_data (2023-08-30 07:39:59 -0400)

----------------------------------------------------------------
Pull request

v3:
- Drop UFS emulation due to CI failures
- Add "aio-posix: zero out io_uring sqe user_data"

----------------------------------------------------------------

Andrey Drobyshev (3):
  block: add subcluster_size field to BlockDriverInfo
  block/io: align requests to subcluster_size
  tests/qemu-iotests/197: add testcase for CoR with subclusters

Fabiano Rosas (1):
  block-migration: Ensure we don't crash during migration cleanup

Stefan Hajnoczi (1):
  aio-posix: zero out io_uring sqe user_data

-- 
2.41.0

From: Fabiano Rosas <farosas@suse.de>

We can fail the blk_insert_bs() at init_blk_migration(), leaving the
BlkMigDevState without a dirty_bitmap and BlockDriverState. Account
for the possibly missing elements when doing cleanup.

Fix the following crashes:

Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555ec83ef in bdrv_release_dirty_bitmap (bitmap=0x0) at ../block/dirty-bitmap.c:359
359         BlockDriverState *bs = bitmap->bs;
 #0  0x0000555555ec83ef in bdrv_release_dirty_bitmap (bitmap=0x0) at ../block/dirty-bitmap.c:359
 #1  0x0000555555bba331 in unset_dirty_tracking () at ../migration/block.c:371
 #2  0x0000555555bbad98 in block_migration_cleanup_bmds () at ../migration/block.c:681

Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555e971ff in bdrv_op_unblock (bs=0x0, op=BLOCK_OP_TYPE_BACKUP_SOURCE, reason=0x0) at ../block.c:7073
7073        QLIST_FOREACH_SAFE(blocker, &bs->op_blockers[op], list, next) {
 #0  0x0000555555e971ff in bdrv_op_unblock (bs=0x0, op=BLOCK_OP_TYPE_BACKUP_SOURCE, reason=0x0) at ../block.c:7073
 #1  0x0000555555e9734a in bdrv_op_unblock_all (bs=0x0, reason=0x0) at ../block.c:7095
 #2  0x0000555555bbae13 in block_migration_cleanup_bmds () at ../migration/block.c:690

Signed-off-by: Fabiano Rosas <farosas@suse.de>
Message-id: 20230731203338.27581-1-farosas@suse.de
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 migration/block.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/migration/block.c b/migration/block.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/block.c
+++ b/migration/block.c
@@ -XXX,XX +XXX,XX @@ static void unset_dirty_tracking(void)
     BlkMigDevState *bmds;
 
     QSIMPLEQ_FOREACH(bmds, &block_mig_state.bmds_list, entry) {
-        bdrv_release_dirty_bitmap(bmds->dirty_bitmap);
+        if (bmds->dirty_bitmap) {
+            bdrv_release_dirty_bitmap(bmds->dirty_bitmap);
+        }
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static int64_t get_remaining_dirty(void)
 static void block_migration_cleanup_bmds(void)
 {
     BlkMigDevState *bmds;
+    BlockDriverState *bs;
     AioContext *ctx;
 
     unset_dirty_tracking();
 
     while ((bmds = QSIMPLEQ_FIRST(&block_mig_state.bmds_list)) != NULL) {
         QSIMPLEQ_REMOVE_HEAD(&block_mig_state.bmds_list, entry);
-        bdrv_op_unblock_all(blk_bs(bmds->blk), bmds->blocker);
+
+        bs = blk_bs(bmds->blk);
+        if (bs) {
+            bdrv_op_unblock_all(bs, bmds->blocker);
+        }
         error_free(bmds->blocker);
 
         /* Save ctx, because bmds->blk can disappear during blk_unref.  */
-- 
2.41.0

From: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>

This is going to be used in the subsequent commit as requests alignment
(in particular, during copy-on-read).  This value only makes sense for
the formats which support subclusters (currently QCOW2 only).  If this
field isn't set by driver's own bdrv_get_info() implementation, we
simply set it equal to the cluster size thus treating each cluster as
having a single subcluster.

Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230711172553.234055-2-andrey.drobyshev@virtuozzo.com>
---
 include/block/block-common.h | 5 +++++
 block.c                      | 7 +++++++
 block/qcow2.c                | 1 +
 3 files changed, 13 insertions(+)

diff --git a/include/block/block-common.h b/include/block/block-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/block/block-common.h
+++ b/include/block/block-common.h
@@ -XXX,XX +XXX,XX @@ typedef struct BlockZoneWps {
 typedef struct BlockDriverInfo {
     /* in bytes, 0 if irrelevant */
     int cluster_size;
+    /*
+     * A fraction of cluster_size, if supported (currently QCOW2 only); if
+     * disabled or unsupported, set equal to cluster_size.
+     */
+    int subcluster_size;
     /* offset at which the VM state can be saved (0 if not possible) */
     int64_t vm_state_offset;
     bool is_dirty;
diff --git a/block.c b/block.c
index XXXXXXX..XXXXXXX 100644
--- a/block.c
+++ b/block.c
@@ -XXX,XX +XXX,XX @@ int coroutine_fn bdrv_co_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
     }
     memset(bdi, 0, sizeof(*bdi));
     ret = drv->bdrv_co_get_info(bs, bdi);
+    if (bdi->subcluster_size == 0) {
+        /*
+         * If the driver left this unset, subclusters are not supported.
+         * Then it is safe to treat each cluster as having only one subcluster.
+         */
+        bdi->subcluster_size = bdi->cluster_size;
+    }
     if (ret < 0) {
         return ret;
     }
diff --git a/block/qcow2.c b/block/qcow2.c
index XXXXXXX..XXXXXXX 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -XXX,XX +XXX,XX @@ qcow2_co_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
 {
     BDRVQcow2State *s = bs->opaque;
     bdi->cluster_size = s->cluster_size;
+    bdi->subcluster_size = s->subcluster_size;
     bdi->vm_state_offset = qcow2_vm_state_offset(s);
     bdi->is_dirty = s->incompatible_features & QCOW2_INCOMPAT_DIRTY;
     return 0;
-- 
2.41.0

From: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>

When target image is using subclusters, and we align the request during
copy-on-read, it makes sense to align to subcluster_size rather than
cluster_size.  Otherwise we end up with unnecessary allocations.

This commit renames bdrv_round_to_clusters() to bdrv_round_to_subclusters()
and utilizes subcluster_size field of BlockDriverInfo to make necessary
alignments.  It affects copy-on-read as well as mirror job (which is
using bdrv_round_to_clusters()).

This change also fixes the following bug with failing assert (covered by
the test in the subsequent commit):

qemu-img create -f qcow2 base.qcow2 64K
qemu-img create -f qcow2 -o extended_l2=on,backing_file=base.qcow2,backing_fmt=qcow2 img.qcow2 64K
qemu-io -c "write -P 0xaa 0 2K" img.qcow2
qemu-io -C -c "read -P 0x00 2K 62K" img.qcow2

qemu-io: ../block/io.c:1236: bdrv_co_do_copy_on_readv: Assertion `skip_bytes < pnum' failed.

Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230711172553.234055-3-andrey.drobyshev@virtuozzo.com>
---
 include/block/block-io.h |  8 +++----
 block/io.c               | 50 ++++++++++++++++++++--------------------
 block/mirror.c           |  8 +++----
 3 files changed, 33 insertions(+), 33 deletions(-)

diff --git a/include/block/block-io.h b/include/block/block-io.h
index XXXXXXX..XXXXXXX 100644
--- a/include/block/block-io.h
+++ b/include/block/block-io.h
@@ -XXX,XX +XXX,XX @@ bdrv_get_info(BlockDriverState *bs, BlockDriverInfo *bdi);
 ImageInfoSpecific *bdrv_get_specific_info(BlockDriverState *bs,
                                           Error **errp);
 BlockStatsSpecific *bdrv_get_specific_stats(BlockDriverState *bs);
-void bdrv_round_to_clusters(BlockDriverState *bs,
-                            int64_t offset, int64_t bytes,
-                            int64_t *cluster_offset,
-                            int64_t *cluster_bytes);
+void bdrv_round_to_subclusters(BlockDriverState *bs,
+                               int64_t offset, int64_t bytes,
+                               int64_t *cluster_offset,
+                               int64_t *cluster_bytes);
 
 void bdrv_get_backing_filename(BlockDriverState *bs,
                                char *filename, int filename_size);
diff --git a/block/io.c b/block/io.c
index XXXXXXX..XXXXXXX 100644
--- a/block/io.c
+++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ BdrvTrackedRequest *coroutine_fn bdrv_co_get_self_request(BlockDriverState *bs)
 }
 
 /**
- * Round a region to cluster boundaries
+ * Round a region to subcluster (if supported) or cluster boundaries
  */
 void coroutine_fn GRAPH_RDLOCK
-bdrv_round_to_clusters(BlockDriverState *bs, int64_t offset, int64_t bytes,
-                       int64_t *cluster_offset, int64_t *cluster_bytes)
+bdrv_round_to_subclusters(BlockDriverState *bs, int64_t offset, int64_t bytes,
+                          int64_t *align_offset, int64_t *align_bytes)
 {
     BlockDriverInfo bdi;
     IO_CODE();
-    if (bdrv_co_get_info(bs, &bdi) < 0 || bdi.cluster_size == 0) {
-        *cluster_offset = offset;
-        *cluster_bytes = bytes;
+    if (bdrv_co_get_info(bs, &bdi) < 0 || bdi.subcluster_size == 0) {
+        *align_offset = offset;
+        *align_bytes = bytes;
     } else {
-        int64_t c = bdi.cluster_size;
-        *cluster_offset = QEMU_ALIGN_DOWN(offset, c);
-        *cluster_bytes = QEMU_ALIGN_UP(offset - *cluster_offset + bytes, c);
+        int64_t c = bdi.subcluster_size;
+        *align_offset = QEMU_ALIGN_DOWN(offset, c);
+        *align_bytes = QEMU_ALIGN_UP(offset - *align_offset + bytes, c);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
     void *bounce_buffer = NULL;
 
     BlockDriver *drv = bs->drv;
-    int64_t cluster_offset;
-    int64_t cluster_bytes;
+    int64_t align_offset;
+    int64_t align_bytes;
     int64_t skip_bytes;
     int ret;
     int max_transfer = MIN_NON_ZERO(bs->bl.max_transfer,
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
      * BDRV_REQUEST_MAX_BYTES (even when the original read did not), which
      * is one reason we loop rather than doing it all at once.
      */
-    bdrv_round_to_clusters(bs, offset, bytes, &cluster_offset, &cluster_bytes);
-    skip_bytes = offset - cluster_offset;
+    bdrv_round_to_subclusters(bs, offset, bytes, &align_offset, &align_bytes);
+    skip_bytes = offset - align_offset;
 
     trace_bdrv_co_do_copy_on_readv(bs, offset, bytes,
-                                   cluster_offset, cluster_bytes);
+                                   align_offset, align_bytes);
 
-    while (cluster_bytes) {
+    while (align_bytes) {
         int64_t pnum;
 
         if (skip_write) {
             ret = 1; /* "already allocated", so nothing will be copied */
-            pnum = MIN(cluster_bytes, max_transfer);
+            pnum = MIN(align_bytes, max_transfer);
         } else {
-            ret = bdrv_is_allocated(bs, cluster_offset,
-                                    MIN(cluster_bytes, max_transfer), &pnum);
+            ret = bdrv_is_allocated(bs, align_offset,
+                                    MIN(align_bytes, max_transfer), &pnum);
             if (ret < 0) {
                 /*
                  * Safe to treat errors in querying allocation as if
                  * unallocated; we'll probably fail again soon on the
                  * read, but at least that will set a decent errno.
                  */
-                pnum = MIN(cluster_bytes, max_transfer);
+                pnum = MIN(align_bytes, max_transfer);
             }
 
             /* Stop at EOF if the image ends in the middle of the cluster */
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
             /* Must copy-on-read; use the bounce buffer */
             pnum = MIN(pnum, MAX_BOUNCE_BUFFER);
             if (!bounce_buffer) {
-                int64_t max_we_need = MAX(pnum, cluster_bytes - pnum);
+                int64_t max_we_need = MAX(pnum, align_bytes - pnum);
                 int64_t max_allowed = MIN(max_transfer, MAX_BOUNCE_BUFFER);
                 int64_t bounce_buffer_len = MIN(max_we_need, max_allowed);
 
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
             }
             qemu_iovec_init_buf(&local_qiov, bounce_buffer, pnum);
 
-            ret = bdrv_driver_preadv(bs, cluster_offset, pnum,
+            ret = bdrv_driver_preadv(bs, align_offset, pnum,
                                      &local_qiov, 0, 0);
             if (ret < 0) {
                 goto err;
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
                 /* FIXME: Should we (perhaps conditionally) be setting
                  * BDRV_REQ_MAY_UNMAP, if it will allow for a sparser copy
                  * that still correctly reads as zero? */
-                ret = bdrv_co_do_pwrite_zeroes(bs, cluster_offset, pnum,
+                ret = bdrv_co_do_pwrite_zeroes(bs, align_offset, pnum,
                                                BDRV_REQ_WRITE_UNCHANGED);
             } else {
                 /* This does not change the data on the disk, it is not
                  * necessary to flush even in cache=writethrough mode.
                  */
-                ret = bdrv_driver_pwritev(bs, cluster_offset, pnum,
+                ret = bdrv_driver_pwritev(bs, align_offset, pnum,
                                           &local_qiov, 0,
                                           BDRV_REQ_WRITE_UNCHANGED);
             }
@@ -XXX,XX +XXX,XX @@ bdrv_co_do_copy_on_readv(BdrvChild *child, int64_t offset, int64_t bytes,
             }
         }
 
-        cluster_offset += pnum;
-        cluster_bytes -= pnum;
+        align_offset += pnum;
+        align_bytes -= pnum;
         progress += pnum - skip_bytes;
         skip_bytes = 0;
     }
diff --git a/block/mirror.c b/block/mirror.c
index XXXXXXX..XXXXXXX 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -XXX,XX +XXX,XX @@ static int coroutine_fn mirror_cow_align(MirrorBlockJob *s, int64_t *offset,
     need_cow |= !test_bit((*offset + *bytes - 1) / s->granularity,
                           s->cow_bitmap);
     if (need_cow) {
-        bdrv_round_to_clusters(blk_bs(s->target), *offset, *bytes,
-                               &align_offset, &align_bytes);
+        bdrv_round_to_subclusters(blk_bs(s->target), *offset, *bytes,
+                                  &align_offset, &align_bytes);
     }
 
     if (align_bytes > max_bytes) {
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn mirror_iteration(MirrorBlockJob *s)
             int64_t target_offset;
             int64_t target_bytes;
             WITH_GRAPH_RDLOCK_GUARD() {
-                bdrv_round_to_clusters(blk_bs(s->target), offset, io_bytes,
-                                       &target_offset, &target_bytes);
+                bdrv_round_to_subclusters(blk_bs(s->target), offset, io_bytes,
+                                          &target_offset, &target_bytes);
             }
             if (target_offset == offset &&
                 target_bytes == io_bytes) {
-- 
2.41.0

From: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>

Add testcase which checks that allocations during copy-on-read are
performed on the subcluster basis when subclusters are enabled in target
image.

This testcase also triggers the following assert with previous commit
not being applied, so we check that as well:

qemu-io: ../block/io.c:1236: bdrv_co_do_copy_on_readv: Assertion `skip_bytes < pnum' failed.

Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230711172553.234055-4-andrey.drobyshev@virtuozzo.com>
---
 tests/qemu-iotests/197     | 29 +++++++++++++++++++++++++++++
 tests/qemu-iotests/197.out | 24 ++++++++++++++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/tests/qemu-iotests/197 b/tests/qemu-iotests/197
index XXXXXXX..XXXXXXX 100755
--- a/tests/qemu-iotests/197
+++ b/tests/qemu-iotests/197
@@ -XXX,XX +XXX,XX @@ $QEMU_IO -f qcow2 -C -c 'read 0 1024' "$TEST_WRAP" | _filter_qemu_io
 $QEMU_IO -f qcow2 -c map "$TEST_WRAP"
 _check_test_img
 
+echo
+echo '=== Copy-on-read with subclusters ==='
+echo
+
+# Create base and top images 64K (1 cluster) each.  Make subclusters enabled
+# for the top image
+_make_test_img 64K
+IMGPROTO=file IMGFMT=qcow2 TEST_IMG_FILE="$TEST_WRAP" \
+    _make_test_img --no-opts -o extended_l2=true -F "$IMGFMT" -b "$TEST_IMG" \
+    64K | _filter_img_create
+
+$QEMU_IO -c "write -P 0xaa 0 64k" "$TEST_IMG" | _filter_qemu_io
+
+# Allocate individual subclusters in the top image, and not the whole cluster
+$QEMU_IO -c "write -P 0xbb 28K 2K" -c "write -P 0xcc 34K 2K" "$TEST_WRAP" \
+    | _filter_qemu_io
+
+# Only 2 subclusters should be allocated in the top image at this point
+$QEMU_IMG map "$TEST_WRAP" | _filter_qemu_img_map
+
+# Actual copy-on-read operation
+$QEMU_IO -C -c "read -P 0xaa 30K 4K" "$TEST_WRAP" | _filter_qemu_io
+
+# And here we should have 4 subclusters allocated right in the middle of the
+# top image. Make sure the whole cluster remains unallocated
+$QEMU_IMG map "$TEST_WRAP" | _filter_qemu_img_map
+
+_check_test_img
+
 # success, all done
 echo '*** done'
 status=0
diff --git a/tests/qemu-iotests/197.out b/tests/qemu-iotests/197.out
index XXXXXXX..XXXXXXX 100644
--- a/tests/qemu-iotests/197.out
+++ b/tests/qemu-iotests/197.out
@@ -XXX,XX +XXX,XX @@ read 1024/1024 bytes at offset 0
 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 1 KiB (0x400) bytes     allocated at offset 0 bytes (0x0)
 No errors were found on the image.
+
+=== Copy-on-read with subclusters ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=65536
+Formatting 'TEST_DIR/t.wrap.IMGFMT', fmt=IMGFMT size=65536 backing_file=TEST_DIR/t.IMGFMT backing_fmt=IMGFMT
+wrote 65536/65536 bytes at offset 0
+64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+wrote 2048/2048 bytes at offset 28672
+2 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+wrote 2048/2048 bytes at offset 34816
+2 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Offset          Length          File
+0               0x7000          TEST_DIR/t.IMGFMT
+0x7000          0x800           TEST_DIR/t.wrap.IMGFMT
+0x7800          0x1000          TEST_DIR/t.IMGFMT
+0x8800          0x800           TEST_DIR/t.wrap.IMGFMT
+0x9000          0x7000          TEST_DIR/t.IMGFMT
+read 4096/4096 bytes at offset 30720
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Offset          Length          File
+0               0x7000          TEST_DIR/t.IMGFMT
+0x7000          0x2000          TEST_DIR/t.wrap.IMGFMT
+0x9000          0x7000          TEST_DIR/t.IMGFMT
+No errors were found on the image.
 *** done
-- 
2.41.0

liburing does not clear sqe->user_data. We must do it ourselves to avoid
undefined behavior in process_cqe() when user_data is used.

Note that fdmon-io_uring is currently disabled, so this is a latent bug
that does not affect users. Let's merge this fix now to make it easier
to enable fdmon-io_uring in the future (and I'm working on that).

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230426212639.82310-1-stefanha@redhat.com>
---
 util/fdmon-io_uring.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/util/fdmon-io_uring.c b/util/fdmon-io_uring.c
index XXXXXXX..XXXXXXX 100644
--- a/util/fdmon-io_uring.c
+++ b/util/fdmon-io_uring.c
@@ -XXX,XX +XXX,XX @@ static void add_poll_remove_sqe(AioContext *ctx, AioHandler *node)
 #else
     io_uring_prep_poll_remove(sqe, node);
 #endif
+    io_uring_sqe_set_data(sqe, NULL);
 }
 
 /* Add a timeout that self-cancels when another cqe becomes ready */
@@ -XXX,XX +XXX,XX @@ static void add_timeout_sqe(AioContext *ctx, int64_t ns)
 
     sqe = get_sqe(ctx);
     io_uring_prep_timeout(sqe, &ts, 1, 0);
+    io_uring_sqe_set_data(sqe, NULL);
 }
 
 /* Add sqes from ctx->submit_list for submission */
-- 
2.41.0