git://git.qemu.org / qemu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging
[qemu.git] / block.c
1 /*
2 * QEMU System Emulator block driver
3 *
4 * Copyright (c) 2003 Fabrice Bellard
5 * Copyright (c) 2020 Virtuozzo International GmbH.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23 * THE SOFTWARE.
24 */
25
26 #include "qemu/osdep.h"
27 #include "block/trace.h"
28 #include "block/block_int.h"
29 #include "block/blockjob.h"
30 #include "block/fuse.h"
31 #include "block/nbd.h"
32 #include "block/qdict.h"
33 #include "qemu/error-report.h"
34 #include "block/module_block.h"
35 #include "qemu/main-loop.h"
36 #include "qemu/module.h"
37 #include "qapi/error.h"
38 #include "qapi/qmp/qdict.h"
39 #include "qapi/qmp/qjson.h"
40 #include "qapi/qmp/qnull.h"
41 #include "qapi/qmp/qstring.h"
42 #include "qapi/qobject-output-visitor.h"
43 #include "qapi/qapi-visit-block-core.h"
44 #include "sysemu/block-backend.h"
45 #include "qemu/notify.h"
46 #include "qemu/option.h"
47 #include "qemu/coroutine.h"
48 #include "block/qapi.h"
49 #include "qemu/timer.h"
50 #include "qemu/cutils.h"
51 #include "qemu/id.h"
52 #include "qemu/range.h"
53 #include "qemu/rcu.h"
54 #include "block/coroutines.h"
55
56 #ifdef CONFIG_BSD
57 #include <sys/ioctl.h>
58 #include <sys/queue.h>
59 #if defined(HAVE_SYS_DISK_H)
60 #include <sys/disk.h>
61 #endif
62 #endif
63
64 #ifdef _WIN32
65 #include <windows.h>
66 #endif
67
68 #define NOT_DONE 0x7fffffff /* used while emulated sync operation in progress */
69
70 static QTAILQ_HEAD(, BlockDriverState) graph_bdrv_states =
71 QTAILQ_HEAD_INITIALIZER(graph_bdrv_states);
72
73 static QTAILQ_HEAD(, BlockDriverState) all_bdrv_states =
74 QTAILQ_HEAD_INITIALIZER(all_bdrv_states);
75
76 static QLIST_HEAD(, BlockDriver) bdrv_drivers =
77 QLIST_HEAD_INITIALIZER(bdrv_drivers);
78
79 static BlockDriverState *bdrv_open_inherit(const char *filename,
80 const char *reference,
81 QDict *options, int flags,
82 BlockDriverState *parent,
83 const BdrvChildClass *child_class,
84 BdrvChildRole child_role,
85 Error **errp);
86
87 static bool bdrv_recurse_has_child(BlockDriverState *bs,
88 BlockDriverState *child);
89
90 static void bdrv_child_free(BdrvChild *child);
91 static void bdrv_replace_child_noperm(BdrvChild **child,
92 BlockDriverState *new_bs,
93 bool free_empty_child);
94 static void bdrv_remove_file_or_backing_child(BlockDriverState *bs,
95 BdrvChild *child,
96 Transaction *tran);
97 static void bdrv_remove_filter_or_cow_child(BlockDriverState *bs,
98 Transaction *tran);
99
100 static int bdrv_reopen_prepare(BDRVReopenState *reopen_state,
101 BlockReopenQueue *queue,
102 Transaction *change_child_tran, Error **errp);
103 static void bdrv_reopen_commit(BDRVReopenState *reopen_state);
104 static void bdrv_reopen_abort(BDRVReopenState *reopen_state);
105
106 static bool bdrv_backing_overridden(BlockDriverState *bs);
107
108 /* If non-zero, use only whitelisted block drivers */
109 static int use_bdrv_whitelist;
110
111 #ifdef _WIN32
112 static int is_windows_drive_prefix(const char *filename)
113 {
114 return (((filename[0] >= 'a' && filename[0] <= 'z') ||
115 (filename[0] >= 'A' && filename[0] <= 'Z')) &&
116 filename[1] == ':');
117 }
118
119 int is_windows_drive(const char *filename)
120 {
121 if (is_windows_drive_prefix(filename) &&
122 filename[2] == '\0')
123 return 1;
124 if (strstart(filename, "\\\\.\\", NULL) ||
125 strstart(filename, "//./", NULL))
126 return 1;
127 return 0;
128 }
129 #endif
130
131 size_t bdrv_opt_mem_align(BlockDriverState *bs)
132 {
133 if (!bs || !bs->drv) {
134 /* page size or 4k (hdd sector size) should be on the safe side */
135 return MAX(4096, qemu_real_host_page_size);
136 }
137
138 return bs->bl.opt_mem_alignment;
139 }
140
141 size_t bdrv_min_mem_align(BlockDriverState *bs)
142 {
143 if (!bs || !bs->drv) {
144 /* page size or 4k (hdd sector size) should be on the safe side */
145 return MAX(4096, qemu_real_host_page_size);
146 }
147
148 return bs->bl.min_mem_alignment;
149 }
150
151 /* check if the path starts with "<protocol>:" */
152 int path_has_protocol(const char *path)
153 {
154 const char *p;
155
156 #ifdef _WIN32
157 if (is_windows_drive(path) ||
158 is_windows_drive_prefix(path)) {
159 return 0;
160 }
161 p = path + strcspn(path, ":/\\");
162 #else
163 p = path + strcspn(path, ":/");
164 #endif
165
166 return *p == ':';
167 }
168
169 int path_is_absolute(const char *path)
170 {
171 #ifdef _WIN32
172 /* specific case for names like: "\\.\d:" */
173 if (is_windows_drive(path) || is_windows_drive_prefix(path)) {
174 return 1;
175 }
176 return (*path == '/' || *path == '\\');
177 #else
178 return (*path == '/');
179 #endif
180 }
181
182 /* if filename is absolute, just return its duplicate. Otherwise, build a
183 path to it by considering it is relative to base_path. URL are
184 supported. */
185 char *path_combine(const char *base_path, const char *filename)
186 {
187 const char *protocol_stripped = NULL;
188 const char *p, *p1;
189 char *result;
190 int len;
191
192 if (path_is_absolute(filename)) {
193 return g_strdup(filename);
194 }
195
196 if (path_has_protocol(base_path)) {
197 protocol_stripped = strchr(base_path, ':');
198 if (protocol_stripped) {
199 protocol_stripped++;
200 }
201 }
202 p = protocol_stripped ?: base_path;
203
204 p1 = strrchr(base_path, '/');
205 #ifdef _WIN32
206 {
207 const char *p2;
208 p2 = strrchr(base_path, '\\');
209 if (!p1 || p2 > p1) {
210 p1 = p2;
211 }
212 }
213 #endif
214 if (p1) {
215 p1++;
216 } else {
217 p1 = base_path;
218 }
219 if (p1 > p) {
220 p = p1;
221 }
222 len = p - base_path;
223
224 result = g_malloc(len + strlen(filename) + 1);
225 memcpy(result, base_path, len);
226 strcpy(result + len, filename);
227
228 return result;
229 }
230
231 /*
232 * Helper function for bdrv_parse_filename() implementations to remove optional
233 * protocol prefixes (especially "file:") from a filename and for putting the
234 * stripped filename into the options QDict if there is such a prefix.
235 */
236 void bdrv_parse_filename_strip_prefix(const char *filename, const char *prefix,
237 QDict *options)
238 {
239 if (strstart(filename, prefix, &filename)) {
240 /* Stripping the explicit protocol prefix may result in a protocol
241 * prefix being (wrongly) detected (if the filename contains a colon) */
242 if (path_has_protocol(filename)) {
243 GString *fat_filename;
244
245 /* This means there is some colon before the first slash; therefore,
246 * this cannot be an absolute path */
247 assert(!path_is_absolute(filename));
248
249 /* And we can thus fix the protocol detection issue by prefixing it
250 * by "./" */
251 fat_filename = g_string_new("./");
252 g_string_append(fat_filename, filename);
253
254 assert(!path_has_protocol(fat_filename->str));
255
256 qdict_put(options, "filename",
257 qstring_from_gstring(fat_filename));
258 } else {
259 /* If no protocol prefix was detected, we can use the shortened
260 * filename as-is */
261 qdict_put_str(options, "filename", filename);
262 }
263 }
264 }
265
266
267 /* Returns whether the image file is opened as read-only. Note that this can
268 * return false and writing to the image file is still not possible because the
269 * image is inactivated. */
270 bool bdrv_is_read_only(BlockDriverState *bs)
271 {
272 return !(bs->open_flags & BDRV_O_RDWR);
273 }
274
275 int bdrv_can_set_read_only(BlockDriverState *bs, bool read_only,
276 bool ignore_allow_rdw, Error **errp)
277 {
278 /* Do not set read_only if copy_on_read is enabled */
279 if (bs->copy_on_read && read_only) {
280 error_setg(errp, "Can't set node '%s' to r/o with copy-on-read enabled",
281 bdrv_get_device_or_node_name(bs));
282 return -EINVAL;
283 }
284
285 /* Do not clear read_only if it is prohibited */
286 if (!read_only && !(bs->open_flags & BDRV_O_ALLOW_RDWR) &&
287 !ignore_allow_rdw)
288 {
289 error_setg(errp, "Node '%s' is read only",
290 bdrv_get_device_or_node_name(bs));
291 return -EPERM;
292 }
293
294 return 0;
295 }
296
297 /*
298 * Called by a driver that can only provide a read-only image.
299 *
300 * Returns 0 if the node is already read-only or it could switch the node to
301 * read-only because BDRV_O_AUTO_RDONLY is set.
302 *
303 * Returns -EACCES if the node is read-write and BDRV_O_AUTO_RDONLY is not set
304 * or bdrv_can_set_read_only() forbids making the node read-only. If @errmsg
305 * is not NULL, it is used as the error message for the Error object.
306 */
307 int bdrv_apply_auto_read_only(BlockDriverState *bs, const char *errmsg,
308 Error **errp)
309 {
310 int ret = 0;
311
312 if (!(bs->open_flags & BDRV_O_RDWR)) {
313 return 0;
314 }
315 if (!(bs->open_flags & BDRV_O_AUTO_RDONLY)) {
316 goto fail;
317 }
318
319 ret = bdrv_can_set_read_only(bs, true, false, NULL);
320 if (ret < 0) {
321 goto fail;
322 }
323
324 bs->open_flags &= ~BDRV_O_RDWR;
325
326 return 0;
327
328 fail:
329 error_setg(errp, "%s", errmsg ?: "Image is read-only");
330 return -EACCES;
331 }
332
333 /*
334 * If @backing is empty, this function returns NULL without setting
335 * @errp. In all other cases, NULL will only be returned with @errp
336 * set.
337 *
338 * Therefore, a return value of NULL without @errp set means that
339 * there is no backing file; if @errp is set, there is one but its
340 * absolute filename cannot be generated.
341 */
342 char *bdrv_get_full_backing_filename_from_filename(const char *backed,
343 const char *backing,
344 Error **errp)
345 {
346 if (backing[0] == '\0') {
347 return NULL;
348 } else if (path_has_protocol(backing) || path_is_absolute(backing)) {
349 return g_strdup(backing);
350 } else if (backed[0] == '\0' || strstart(backed, "json:", NULL)) {
351 error_setg(errp, "Cannot use relative backing file names for '%s'",
352 backed);
353 return NULL;
354 } else {
355 return path_combine(backed, backing);
356 }
357 }
358
359 /*
360 * If @filename is empty or NULL, this function returns NULL without
361 * setting @errp. In all other cases, NULL will only be returned with
362 * @errp set.
363 */
364 static char *bdrv_make_absolute_filename(BlockDriverState *relative_to,
365 const char *filename, Error **errp)
366 {
367 char *dir, *full_name;
368
369 if (!filename || filename[0] == '\0') {
370 return NULL;
371 } else if (path_has_protocol(filename) || path_is_absolute(filename)) {
372 return g_strdup(filename);
373 }
374
375 dir = bdrv_dirname(relative_to, errp);
376 if (!dir) {
377 return NULL;
378 }
379
380 full_name = g_strconcat(dir, filename, NULL);
381 g_free(dir);
382 return full_name;
383 }
384
385 char *bdrv_get_full_backing_filename(BlockDriverState *bs, Error **errp)
386 {
387 return bdrv_make_absolute_filename(bs, bs->backing_file, errp);
388 }
389
390 void bdrv_register(BlockDriver *bdrv)
391 {
392 assert(bdrv->format_name);
393 QLIST_INSERT_HEAD(&bdrv_drivers, bdrv, list);
394 }
395
396 BlockDriverState *bdrv_new(void)
397 {
398 BlockDriverState *bs;
399 int i;
400
401 bs = g_new0(BlockDriverState, 1);
402 QLIST_INIT(&bs->dirty_bitmaps);
403 for (i = 0; i < BLOCK_OP_TYPE_MAX; i++) {
404 QLIST_INIT(&bs->op_blockers[i]);
405 }
406 qemu_co_mutex_init(&bs->reqs_lock);
407 qemu_mutex_init(&bs->dirty_bitmap_mutex);
408 bs->refcnt = 1;
409 bs->aio_context = qemu_get_aio_context();
410
411 qemu_co_queue_init(&bs->flush_queue);
412
413 qemu_co_mutex_init(&bs->bsc_modify_lock);
414 bs->block_status_cache = g_new0(BdrvBlockStatusCache, 1);
415
416 for (i = 0; i < bdrv_drain_all_count; i++) {
417 bdrv_drained_begin(bs);
418 }
419
420 QTAILQ_INSERT_TAIL(&all_bdrv_states, bs, bs_list);
421
422 return bs;
423 }
424
425 static BlockDriver *bdrv_do_find_format(const char *format_name)
426 {
427 BlockDriver *drv1;
428
429 QLIST_FOREACH(drv1, &bdrv_drivers, list) {
430 if (!strcmp(drv1->format_name, format_name)) {
431 return drv1;
432 }
433 }
434
435 return NULL;
436 }
437
438 BlockDriver *bdrv_find_format(const char *format_name)
439 {
440 BlockDriver *drv1;
441 int i;
442
443 drv1 = bdrv_do_find_format(format_name);
444 if (drv1) {
445 return drv1;
446 }
447
448 /* The driver isn't registered, maybe we need to load a module */
449 for (i = 0; i < (int)ARRAY_SIZE(block_driver_modules); ++i) {
450 if (!strcmp(block_driver_modules[i].format_name, format_name)) {
451 block_module_load_one(block_driver_modules[i].library_name);
452 break;
453 }
454 }
455
456 return bdrv_do_find_format(format_name);
457 }
458
459 static int bdrv_format_is_whitelisted(const char *format_name, bool read_only)
460 {
461 static const char *whitelist_rw[] = {
462 CONFIG_BDRV_RW_WHITELIST
463 NULL
464 };
465 static const char *whitelist_ro[] = {
466 CONFIG_BDRV_RO_WHITELIST
467 NULL
468 };
469 const char **p;
470
471 if (!whitelist_rw[0] && !whitelist_ro[0]) {
472 return 1; /* no whitelist, anything goes */
473 }
474
475 for (p = whitelist_rw; *p; p++) {
476 if (!strcmp(format_name, *p)) {
477 return 1;
478 }
479 }
480 if (read_only) {
481 for (p = whitelist_ro; *p; p++) {
482 if (!strcmp(format_name, *p)) {
483 return 1;
484 }
485 }
486 }
487 return 0;
488 }
489
490 int bdrv_is_whitelisted(BlockDriver *drv, bool read_only)
491 {
492 return bdrv_format_is_whitelisted(drv->format_name, read_only);
493 }
494
495 bool bdrv_uses_whitelist(void)
496 {
497 return use_bdrv_whitelist;
498 }
499
500 typedef struct CreateCo {
501 BlockDriver *drv;
502 char *filename;
503 QemuOpts *opts;
504 int ret;
505 Error *err;
506 } CreateCo;
507
508 static void coroutine_fn bdrv_create_co_entry(void *opaque)
509 {
510 Error *local_err = NULL;
511 int ret;
512
513 CreateCo *cco = opaque;
514 assert(cco->drv);
515
516 ret = cco->drv->bdrv_co_create_opts(cco->drv,
517 cco->filename, cco->opts, &local_err);
518 error_propagate(&cco->err, local_err);
519 cco->ret = ret;
520 }
521
522 int bdrv_create(BlockDriver *drv, const char* filename,
523 QemuOpts *opts, Error **errp)
524 {
525 int ret;
526
527 Coroutine *co;
528 CreateCo cco = {
529 .drv = drv,
530 .filename = g_strdup(filename),
531 .opts = opts,
532 .ret = NOT_DONE,
533 .err = NULL,
534 };
535
536 if (!drv->bdrv_co_create_opts) {
537 error_setg(errp, "Driver '%s' does not support image creation", drv->format_name);
538 ret = -ENOTSUP;
539 goto out;
540 }
541
542 if (qemu_in_coroutine()) {
543 /* Fast-path if already in coroutine context */
544 bdrv_create_co_entry(&cco);
545 } else {
546 co = qemu_coroutine_create(bdrv_create_co_entry, &cco);
547 qemu_coroutine_enter(co);
548 while (cco.ret == NOT_DONE) {
549 aio_poll(qemu_get_aio_context(), true);
550 }
551 }
552
553 ret = cco.ret;
554 if (ret < 0) {
555 if (cco.err) {
556 error_propagate(errp, cco.err);
557 } else {
558 error_setg_errno(errp, -ret, "Could not create image");
559 }
560 }
561
562 out:
563 g_free(cco.filename);
564 return ret;
565 }
566
567 /**
568 * Helper function for bdrv_create_file_fallback(): Resize @blk to at
569 * least the given @minimum_size.
570 *
571 * On success, return @blk's actual length.
572 * Otherwise, return -errno.
573 */
574 static int64_t create_file_fallback_truncate(BlockBackend *blk,
575 int64_t minimum_size, Error **errp)
576 {
577 Error *local_err = NULL;
578 int64_t size;
579 int ret;
580
581 ret = blk_truncate(blk, minimum_size, false, PREALLOC_MODE_OFF, 0,
582 &local_err);
583 if (ret < 0 && ret != -ENOTSUP) {
584 error_propagate(errp, local_err);
585 return ret;
586 }
587
588 size = blk_getlength(blk);
589 if (size < 0) {
590 error_free(local_err);
591 error_setg_errno(errp, -size,
592 "Failed to inquire the new image file's length");
593 return size;
594 }
595
596 if (size < minimum_size) {
597 /* Need to grow the image, but we failed to do that */
598 error_propagate(errp, local_err);
599 return -ENOTSUP;
600 }
601
602 error_free(local_err);
603 local_err = NULL;
604
605 return size;
606 }
607
608 /**
609 * Helper function for bdrv_create_file_fallback(): Zero the first
610 * sector to remove any potentially pre-existing image header.
611 */
612 static int create_file_fallback_zero_first_sector(BlockBackend *blk,
613 int64_t current_size,
614 Error **errp)
615 {
616 int64_t bytes_to_clear;
617 int ret;
618
619 bytes_to_clear = MIN(current_size, BDRV_SECTOR_SIZE);
620 if (bytes_to_clear) {
621 ret = blk_pwrite_zeroes(blk, 0, bytes_to_clear, BDRV_REQ_MAY_UNMAP);
622 if (ret < 0) {
623 error_setg_errno(errp, -ret,
624 "Failed to clear the new image's first sector");
625 return ret;
626 }
627 }
628
629 return 0;
630 }
631
632 /**
633 * Simple implementation of bdrv_co_create_opts for protocol drivers
634 * which only support creation via opening a file
635 * (usually existing raw storage device)
636 */
637 int coroutine_fn bdrv_co_create_opts_simple(BlockDriver *drv,
638 const char *filename,
639 QemuOpts *opts,
640 Error **errp)
641 {
642 BlockBackend *blk;
643 QDict *options;
644 int64_t size = 0;
645 char *buf = NULL;
646 PreallocMode prealloc;
647 Error *local_err = NULL;
648 int ret;
649
650 size = qemu_opt_get_size_del(opts, BLOCK_OPT_SIZE, 0);
651 buf = qemu_opt_get_del(opts, BLOCK_OPT_PREALLOC);
652 prealloc = qapi_enum_parse(&PreallocMode_lookup, buf,
653 PREALLOC_MODE_OFF, &local_err);
654 g_free(buf);
655 if (local_err) {
656 error_propagate(errp, local_err);
657 return -EINVAL;
658 }
659
660 if (prealloc != PREALLOC_MODE_OFF) {
661 error_setg(errp, "Unsupported preallocation mode '%s'",
662 PreallocMode_str(prealloc));
663 return -ENOTSUP;
664 }
665
666 options = qdict_new();
667 qdict_put_str(options, "driver", drv->format_name);
668
669 blk = blk_new_open(filename, NULL, options,
670 BDRV_O_RDWR | BDRV_O_RESIZE, errp);
671 if (!blk) {
672 error_prepend(errp, "Protocol driver '%s' does not support image "
673 "creation, and opening the image failed: ",
674 drv->format_name);
675 return -EINVAL;
676 }
677
678 size = create_file_fallback_truncate(blk, size, errp);
679 if (size < 0) {
680 ret = size;
681 goto out;
682 }
683
684 ret = create_file_fallback_zero_first_sector(blk, size, errp);
685 if (ret < 0) {
686 goto out;
687 }
688
689 ret = 0;
690 out:
691 blk_unref(blk);
692 return ret;
693 }
694
695 int bdrv_create_file(const char *filename, QemuOpts *opts, Error **errp)
696 {
697 QemuOpts *protocol_opts;
698 BlockDriver *drv;
699 QDict *qdict;
700 int ret;
701
702 drv = bdrv_find_protocol(filename, true, errp);
703 if (drv == NULL) {
704 return -ENOENT;
705 }
706
707 if (!drv->create_opts) {
708 error_setg(errp, "Driver '%s' does not support image creation",
709 drv->format_name);
710 return -ENOTSUP;
711 }
712
713 /*
714 * 'opts' contains a QemuOptsList with a combination of format and protocol
715 * default values.
716 *
717 * The format properly removes its options, but the default values remain
718 * in 'opts->list'. So if the protocol has options with the same name
719 * (e.g. rbd has 'cluster_size' as qcow2), it will see the default values
720 * of the format, since for overlapping options, the format wins.
721 *
722 * To avoid this issue, lets convert QemuOpts to QDict, in this way we take
723 * only the set options, and then convert it back to QemuOpts, using the
724 * create_opts of the protocol. So the new QemuOpts, will contain only the
725 * protocol defaults.
726 */
727 qdict = qemu_opts_to_qdict(opts, NULL);
728 protocol_opts = qemu_opts_from_qdict(drv->create_opts, qdict, errp);
729 if (protocol_opts == NULL) {
730 ret = -EINVAL;
731 goto out;
732 }
733
734 ret = bdrv_create(drv, filename, protocol_opts, errp);
735 out:
736 qemu_opts_del(protocol_opts);
737 qobject_unref(qdict);
738 return ret;
739 }
740
741 int coroutine_fn bdrv_co_delete_file(BlockDriverState *bs, Error **errp)
742 {
743 Error *local_err = NULL;
744 int ret;
745
746 assert(bs != NULL);
747
748 if (!bs->drv) {
749 error_setg(errp, "Block node '%s' is not opened", bs->filename);
750 return -ENOMEDIUM;
751 }
752
753 if (!bs->drv->bdrv_co_delete_file) {
754 error_setg(errp, "Driver '%s' does not support image deletion",
755 bs->drv->format_name);
756 return -ENOTSUP;
757 }
758
759 ret = bs->drv->bdrv_co_delete_file(bs, &local_err);
760 if (ret < 0) {
761 error_propagate(errp, local_err);
762 }
763
764 return ret;
765 }
766
767 void coroutine_fn bdrv_co_delete_file_noerr(BlockDriverState *bs)
768 {
769 Error *local_err = NULL;
770 int ret;
771
772 if (!bs) {
773 return;
774 }
775
776 ret = bdrv_co_delete_file(bs, &local_err);
777 /*
778 * ENOTSUP will happen if the block driver doesn't support
779 * the 'bdrv_co_delete_file' interface. This is a predictable
780 * scenario and shouldn't be reported back to the user.
781 */
782 if (ret == -ENOTSUP) {
783 error_free(local_err);
784 } else if (ret < 0) {
785 error_report_err(local_err);
786 }
787 }
788
789 /**
790 * Try to get @bs's logical and physical block size.
791 * On success, store them in @bsz struct and return 0.
792 * On failure return -errno.
793 * @bs must not be empty.
794 */
795 int bdrv_probe_blocksizes(BlockDriverState *bs, BlockSizes *bsz)
796 {
797 BlockDriver *drv = bs->drv;
798 BlockDriverState *filtered = bdrv_filter_bs(bs);
799
800 if (drv && drv->bdrv_probe_blocksizes) {
801 return drv->bdrv_probe_blocksizes(bs, bsz);
802 } else if (filtered) {
803 return bdrv_probe_blocksizes(filtered, bsz);
804 }
805
806 return -ENOTSUP;
807 }
808
809 /**
810 * Try to get @bs's geometry (cyls, heads, sectors).
811 * On success, store them in @geo struct and return 0.
812 * On failure return -errno.
813 * @bs must not be empty.
814 */
815 int bdrv_probe_geometry(BlockDriverState *bs, HDGeometry *geo)
816 {
817 BlockDriver *drv = bs->drv;
818 BlockDriverState *filtered = bdrv_filter_bs(bs);
819
820 if (drv && drv->bdrv_probe_geometry) {
821 return drv->bdrv_probe_geometry(bs, geo);
822 } else if (filtered) {
823 return bdrv_probe_geometry(filtered, geo);
824 }
825
826 return -ENOTSUP;
827 }
828
829 /*
830 * Create a uniquely-named empty temporary file.
831 * Return 0 upon success, otherwise a negative errno value.
832 */
833 int get_tmp_filename(char *filename, int size)
834 {
835 #ifdef _WIN32
836 char temp_dir[MAX_PATH];
837 /* GetTempFileName requires that its output buffer (4th param)
838 have length MAX_PATH or greater. */
839 assert(size >= MAX_PATH);
840 return (GetTempPath(MAX_PATH, temp_dir)
841 && GetTempFileName(temp_dir, "qem", 0, filename)
842 ? 0 : -GetLastError());
843 #else
844 int fd;
845 const char *tmpdir;
846 tmpdir = getenv("TMPDIR");
847 if (!tmpdir) {
848 tmpdir = "/var/tmp";
849 }
850 if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
851 return -EOVERFLOW;
852 }
853 fd = mkstemp(filename);
854 if (fd < 0) {
855 return -errno;
856 }
857 if (close(fd) != 0) {
858 unlink(filename);
859 return -errno;
860 }
861 return 0;
862 #endif
863 }
864
865 /*
866 * Detect host devices. By convention, /dev/cdrom[N] is always
867 * recognized as a host CDROM.
868 */
869 static BlockDriver *find_hdev_driver(const char *filename)
870 {
871 int score_max = 0, score;
872 BlockDriver *drv = NULL, *d;
873
874 QLIST_FOREACH(d, &bdrv_drivers, list) {
875 if (d->bdrv_probe_device) {
876 score = d->bdrv_probe_device(filename);
877 if (score > score_max) {
878 score_max = score;
879 drv = d;
880 }
881 }
882 }
883
884 return drv;
885 }
886
887 static BlockDriver *bdrv_do_find_protocol(const char *protocol)
888 {
889 BlockDriver *drv1;
890
891 QLIST_FOREACH(drv1, &bdrv_drivers, list) {
892 if (drv1->protocol_name && !strcmp(drv1->protocol_name, protocol)) {
893 return drv1;
894 }
895 }
896
897 return NULL;
898 }
899
900 BlockDriver *bdrv_find_protocol(const char *filename,
901 bool allow_protocol_prefix,
902 Error **errp)
903 {
904 BlockDriver *drv1;
905 char protocol[128];
906 int len;
907 const char *p;
908 int i;
909
910 /* TODO Drivers without bdrv_file_open must be specified explicitly */
911
912 /*
913 * XXX(hch): we really should not let host device detection
914 * override an explicit protocol specification, but moving this
915 * later breaks access to device names with colons in them.
916 * Thanks to the brain-dead persistent naming schemes on udev-
917 * based Linux systems those actually are quite common.
918 */
919 drv1 = find_hdev_driver(filename);
920 if (drv1) {
921 return drv1;
922 }
923
924 if (!path_has_protocol(filename) || !allow_protocol_prefix) {
925 return &bdrv_file;
926 }
927
928 p = strchr(filename, ':');
929 assert(p != NULL);
930 len = p - filename;
931 if (len > sizeof(protocol) - 1)
932 len = sizeof(protocol) - 1;
933 memcpy(protocol, filename, len);
934 protocol[len] = '\0';
935
936 drv1 = bdrv_do_find_protocol(protocol);
937 if (drv1) {
938 return drv1;
939 }
940
941 for (i = 0; i < (int)ARRAY_SIZE(block_driver_modules); ++i) {
942 if (block_driver_modules[i].protocol_name &&
943 !strcmp(block_driver_modules[i].protocol_name, protocol)) {
944 block_module_load_one(block_driver_modules[i].library_name);
945 break;
946 }
947 }
948
949 drv1 = bdrv_do_find_protocol(protocol);
950 if (!drv1) {
951 error_setg(errp, "Unknown protocol '%s'", protocol);
952 }
953 return drv1;
954 }
955
956 /*
957 * Guess image format by probing its contents.
958 * This is not a good idea when your image is raw (CVE-2008-2004), but
959 * we do it anyway for backward compatibility.
960 *
961 * @buf contains the image's first @buf_size bytes.
962 * @buf_size is the buffer size in bytes (generally BLOCK_PROBE_BUF_SIZE,
963 * but can be smaller if the image file is smaller)
964 * @filename is its filename.
965 *
966 * For all block drivers, call the bdrv_probe() method to get its
967 * probing score.
968 * Return the first block driver with the highest probing score.
969 */
970 BlockDriver *bdrv_probe_all(const uint8_t *buf, int buf_size,
971 const char *filename)
972 {
973 int score_max = 0, score;
974 BlockDriver *drv = NULL, *d;
975
976 QLIST_FOREACH(d, &bdrv_drivers, list) {
977 if (d->bdrv_probe) {
978 score = d->bdrv_probe(buf, buf_size, filename);
979 if (score > score_max) {
980 score_max = score;
981 drv = d;
982 }
983 }
984 }
985
986 return drv;
987 }
988
989 static int find_image_format(BlockBackend *file, const char *filename,
990 BlockDriver **pdrv, Error **errp)
991 {
992 BlockDriver *drv;
993 uint8_t buf[BLOCK_PROBE_BUF_SIZE];
994 int ret = 0;
995
996 /* Return the raw BlockDriver * to scsi-generic devices or empty drives */
997 if (blk_is_sg(file) || !blk_is_inserted(file) || blk_getlength(file) == 0) {
998 *pdrv = &bdrv_raw;
999 return ret;
1000 }
1001
1002 ret = blk_pread(file, 0, buf, sizeof(buf));
1003 if (ret < 0) {
1004 error_setg_errno(errp, -ret, "Could not read image for determining its "
1005 "format");
1006 *pdrv = NULL;
1007 return ret;
1008 }
1009
1010 drv = bdrv_probe_all(buf, ret, filename);
1011 if (!drv) {
1012 error_setg(errp, "Could not determine image format: No compatible "
1013 "driver found");
1014 ret = -ENOENT;
1015 }
1016 *pdrv = drv;
1017 return ret;
1018 }
1019
1020 /**
1021 * Set the current 'total_sectors' value
1022 * Return 0 on success, -errno on error.
1023 */
1024 int refresh_total_sectors(BlockDriverState *bs, int64_t hint)
1025 {
1026 BlockDriver *drv = bs->drv;
1027
1028 if (!drv) {
1029 return -ENOMEDIUM;
1030 }
1031
1032 /* Do not attempt drv->bdrv_getlength() on scsi-generic devices */
1033 if (bdrv_is_sg(bs))
1034 return 0;
1035
1036 /* query actual device if possible, otherwise just trust the hint */
1037 if (drv->bdrv_getlength) {
1038 int64_t length = drv->bdrv_getlength(bs);
1039 if (length < 0) {
1040 return length;
1041 }
1042 hint = DIV_ROUND_UP(length, BDRV_SECTOR_SIZE);
1043 }
1044
1045 bs->total_sectors = hint;
1046
1047 if (bs->total_sectors * BDRV_SECTOR_SIZE > BDRV_MAX_LENGTH) {
1048 return -EFBIG;
1049 }
1050
1051 return 0;
1052 }
1053
1054 /**
1055 * Combines a QDict of new block driver @options with any missing options taken
1056 * from @old_options, so that leaving out an option defaults to its old value.
1057 */
1058 static void bdrv_join_options(BlockDriverState *bs, QDict *options,
1059 QDict *old_options)
1060 {
1061 if (bs->drv && bs->drv->bdrv_join_options) {
1062 bs->drv->bdrv_join_options(options, old_options);
1063 } else {
1064 qdict_join(options, old_options, false);
1065 }
1066 }
1067
1068 static BlockdevDetectZeroesOptions bdrv_parse_detect_zeroes(QemuOpts *opts,
1069 int open_flags,
1070 Error **errp)
1071 {
1072 Error *local_err = NULL;
1073 char *value = qemu_opt_get_del(opts, "detect-zeroes");
1074 BlockdevDetectZeroesOptions detect_zeroes =
1075 qapi_enum_parse(&BlockdevDetectZeroesOptions_lookup, value,
1076 BLOCKDEV_DETECT_ZEROES_OPTIONS_OFF, &local_err);
1077 g_free(value);
1078 if (local_err) {
1079 error_propagate(errp, local_err);
1080 return detect_zeroes;
1081 }
1082
1083 if (detect_zeroes == BLOCKDEV_DETECT_ZEROES_OPTIONS_UNMAP &&
1084 !(open_flags & BDRV_O_UNMAP))
1085 {
1086 error_setg(errp, "setting detect-zeroes to unmap is not allowed "
1087 "without setting discard operation to unmap");
1088 }
1089
1090 return detect_zeroes;
1091 }
1092
1093 /**
1094 * Set open flags for aio engine
1095 *
1096 * Return 0 on success, -1 if the engine specified is invalid
1097 */
1098 int bdrv_parse_aio(const char *mode, int *flags)
1099 {
1100 if (!strcmp(mode, "threads")) {
1101 /* do nothing, default */
1102 } else if (!strcmp(mode, "native")) {
1103 *flags |= BDRV_O_NATIVE_AIO;
1104 #ifdef CONFIG_LINUX_IO_URING
1105 } else if (!strcmp(mode, "io_uring")) {
1106 *flags |= BDRV_O_IO_URING;
1107 #endif
1108 } else {
1109 return -1;
1110 }
1111
1112 return 0;
1113 }
1114
1115 /**
1116 * Set open flags for a given discard mode
1117 *
1118 * Return 0 on success, -1 if the discard mode was invalid.
1119 */
1120 int bdrv_parse_discard_flags(const char *mode, int *flags)
1121 {
1122 *flags &= ~BDRV_O_UNMAP;
1123
1124 if (!strcmp(mode, "off") || !strcmp(mode, "ignore")) {
1125 /* do nothing */
1126 } else if (!strcmp(mode, "on") || !strcmp(mode, "unmap")) {
1127 *flags |= BDRV_O_UNMAP;
1128 } else {
1129 return -1;
1130 }
1131
1132 return 0;
1133 }
1134
1135 /**
1136 * Set open flags for a given cache mode
1137 *
1138 * Return 0 on success, -1 if the cache mode was invalid.
1139 */
1140 int bdrv_parse_cache_mode(const char *mode, int *flags, bool *writethrough)
1141 {
1142 *flags &= ~BDRV_O_CACHE_MASK;
1143
1144 if (!strcmp(mode, "off") || !strcmp(mode, "none")) {
1145 *writethrough = false;
1146 *flags |= BDRV_O_NOCACHE;
1147 } else if (!strcmp(mode, "directsync")) {
1148 *writethrough = true;
1149 *flags |= BDRV_O_NOCACHE;
1150 } else if (!strcmp(mode, "writeback")) {
1151 *writethrough = false;
1152 } else if (!strcmp(mode, "unsafe")) {
1153 *writethrough = false;
1154 *flags |= BDRV_O_NO_FLUSH;
1155 } else if (!strcmp(mode, "writethrough")) {
1156 *writethrough = true;
1157 } else {
1158 return -1;
1159 }
1160
1161 return 0;
1162 }
1163
1164 static char *bdrv_child_get_parent_desc(BdrvChild *c)
1165 {
1166 BlockDriverState *parent = c->opaque;
1167 return g_strdup_printf("node '%s'", bdrv_get_node_name(parent));
1168 }
1169
1170 static void bdrv_child_cb_drained_begin(BdrvChild *child)
1171 {
1172 BlockDriverState *bs = child->opaque;
1173 bdrv_do_drained_begin_quiesce(bs, NULL, false);
1174 }
1175
1176 static bool bdrv_child_cb_drained_poll(BdrvChild *child)
1177 {
1178 BlockDriverState *bs = child->opaque;
1179 return bdrv_drain_poll(bs, false, NULL, false);
1180 }
1181
1182 static void bdrv_child_cb_drained_end(BdrvChild *child,
1183 int *drained_end_counter)
1184 {
1185 BlockDriverState *bs = child->opaque;
1186 bdrv_drained_end_no_poll(bs, drained_end_counter);
1187 }
1188
1189 static int bdrv_child_cb_inactivate(BdrvChild *child)
1190 {
1191 BlockDriverState *bs = child->opaque;
1192 assert(bs->open_flags & BDRV_O_INACTIVE);
1193 return 0;
1194 }
1195
1196 static bool bdrv_child_cb_can_set_aio_ctx(BdrvChild *child, AioContext *ctx,
1197 GSList **ignore, Error **errp)
1198 {
1199 BlockDriverState *bs = child->opaque;
1200 return bdrv_can_set_aio_context(bs, ctx, ignore, errp);
1201 }
1202
1203 static void bdrv_child_cb_set_aio_ctx(BdrvChild *child, AioContext *ctx,
1204 GSList **ignore)
1205 {
1206 BlockDriverState *bs = child->opaque;
1207 return bdrv_set_aio_context_ignore(bs, ctx, ignore);
1208 }
1209
1210 /*
1211 * Returns the options and flags that a temporary snapshot should get, based on
1212 * the originally requested flags (the originally requested image will have
1213 * flags like a backing file)
1214 */
1215 static void bdrv_temp_snapshot_options(int *child_flags, QDict *child_options,
1216 int parent_flags, QDict *parent_options)
1217 {
1218 *child_flags = (parent_flags & ~BDRV_O_SNAPSHOT) | BDRV_O_TEMPORARY;
1219
1220 /* For temporary files, unconditional cache=unsafe is fine */
1221 qdict_set_default_str(child_options, BDRV_OPT_CACHE_DIRECT, "off");
1222 qdict_set_default_str(child_options, BDRV_OPT_CACHE_NO_FLUSH, "on");
1223
1224 /* Copy the read-only and discard options from the parent */
1225 qdict_copy_default(child_options, parent_options, BDRV_OPT_READ_ONLY);
1226 qdict_copy_default(child_options, parent_options, BDRV_OPT_DISCARD);
1227
1228 /* aio=native doesn't work for cache.direct=off, so disable it for the
1229 * temporary snapshot */
1230 *child_flags &= ~BDRV_O_NATIVE_AIO;
1231 }
1232
1233 static void bdrv_backing_attach(BdrvChild *c)
1234 {
1235 BlockDriverState *parent = c->opaque;
1236 BlockDriverState *backing_hd = c->bs;
1237
1238 assert(!parent->backing_blocker);
1239 error_setg(&parent->backing_blocker,
1240 "node is used as backing hd of '%s'",
1241 bdrv_get_device_or_node_name(parent));
1242
1243 bdrv_refresh_filename(backing_hd);
1244
1245 parent->open_flags &= ~BDRV_O_NO_BACKING;
1246
1247 bdrv_op_block_all(backing_hd, parent->backing_blocker);
1248 /* Otherwise we won't be able to commit or stream */
1249 bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_COMMIT_TARGET,
1250 parent->backing_blocker);
1251 bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_STREAM,
1252 parent->backing_blocker);
1253 /*
1254 * We do backup in 3 ways:
1255 * 1. drive backup
1256 * The target bs is new opened, and the source is top BDS
1257 * 2. blockdev backup
1258 * Both the source and the target are top BDSes.
1259 * 3. internal backup(used for block replication)
1260 * Both the source and the target are backing file
1261 *
1262 * In case 1 and 2, neither the source nor the target is the backing file.
1263 * In case 3, we will block the top BDS, so there is only one block job
1264 * for the top BDS and its backing chain.
1265 */
1266 bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_BACKUP_SOURCE,
1267 parent->backing_blocker);
1268 bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_BACKUP_TARGET,
1269 parent->backing_blocker);
1270 }
1271
1272 static void bdrv_backing_detach(BdrvChild *c)
1273 {
1274 BlockDriverState *parent = c->opaque;
1275
1276 assert(parent->backing_blocker);
1277 bdrv_op_unblock_all(c->bs, parent->backing_blocker);
1278 error_free(parent->backing_blocker);
1279 parent->backing_blocker = NULL;
1280 }
1281
1282 static int bdrv_backing_update_filename(BdrvChild *c, BlockDriverState *base,
1283 const char *filename, Error **errp)
1284 {
1285 BlockDriverState *parent = c->opaque;
1286 bool read_only = bdrv_is_read_only(parent);
1287 int ret;
1288
1289 if (read_only) {
1290 ret = bdrv_reopen_set_read_only(parent, false, errp);
1291 if (ret < 0) {
1292 return ret;
1293 }
1294 }
1295
1296 ret = bdrv_change_backing_file(parent, filename,
1297 base->drv ? base->drv->format_name : "",
1298 false);
1299 if (ret < 0) {
1300 error_setg_errno(errp, -ret, "Could not update backing file link");
1301 }
1302
1303 if (read_only) {
1304 bdrv_reopen_set_read_only(parent, true, NULL);
1305 }
1306
1307 return ret;
1308 }
1309
1310 /*
1311 * Returns the options and flags that a generic child of a BDS should
1312 * get, based on the given options and flags for the parent BDS.
1313 */
1314 static void bdrv_inherited_options(BdrvChildRole role, bool parent_is_format,
1315 int *child_flags, QDict *child_options,
1316 int parent_flags, QDict *parent_options)
1317 {
1318 int flags = parent_flags;
1319
1320 /*
1321 * First, decide whether to set, clear, or leave BDRV_O_PROTOCOL.
1322 * Generally, the question to answer is: Should this child be
1323 * format-probed by default?
1324 */
1325
1326 /*
1327 * Pure and non-filtered data children of non-format nodes should
1328 * be probed by default (even when the node itself has BDRV_O_PROTOCOL
1329 * set). This only affects a very limited set of drivers (namely
1330 * quorum and blkverify when this comment was written).
1331 * Force-clear BDRV_O_PROTOCOL then.
1332 */
1333 if (!parent_is_format &&
1334 (role & BDRV_CHILD_DATA) &&
1335 !(role & (BDRV_CHILD_METADATA | BDRV_CHILD_FILTERED)))
1336 {
1337 flags &= ~BDRV_O_PROTOCOL;
1338 }
1339
1340 /*
1341 * All children of format nodes (except for COW children) and all
1342 * metadata children in general should never be format-probed.
1343 * Force-set BDRV_O_PROTOCOL then.
1344 */
1345 if ((parent_is_format && !(role & BDRV_CHILD_COW)) ||
1346 (role & BDRV_CHILD_METADATA))
1347 {
1348 flags |= BDRV_O_PROTOCOL;
1349 }
1350
1351 /*
1352 * If the cache mode isn't explicitly set, inherit direct and no-flush from
1353 * the parent.
1354 */
1355 qdict_copy_default(child_options, parent_options, BDRV_OPT_CACHE_DIRECT);
1356 qdict_copy_default(child_options, parent_options, BDRV_OPT_CACHE_NO_FLUSH);
1357 qdict_copy_default(child_options, parent_options, BDRV_OPT_FORCE_SHARE);
1358
1359 if (role & BDRV_CHILD_COW) {
1360 /* backing files are opened read-only by default */
1361 qdict_set_default_str(child_options, BDRV_OPT_READ_ONLY, "on");
1362 qdict_set_default_str(child_options, BDRV_OPT_AUTO_READ_ONLY, "off");
1363 } else {
1364 /* Inherit the read-only option from the parent if it's not set */
1365 qdict_copy_default(child_options, parent_options, BDRV_OPT_READ_ONLY);
1366 qdict_copy_default(child_options, parent_options,
1367 BDRV_OPT_AUTO_READ_ONLY);
1368 }
1369
1370 /*
1371 * bdrv_co_pdiscard() respects unmap policy for the parent, so we
1372 * can default to enable it on lower layers regardless of the
1373 * parent option.
1374 */
1375 qdict_set_default_str(child_options, BDRV_OPT_DISCARD, "unmap");
1376
1377 /* Clear flags that only apply to the top layer */
1378 flags &= ~(BDRV_O_SNAPSHOT | BDRV_O_NO_BACKING | BDRV_O_COPY_ON_READ);
1379
1380 if (role & BDRV_CHILD_METADATA) {
1381 flags &= ~BDRV_O_NO_IO;
1382 }
1383 if (role & BDRV_CHILD_COW) {
1384 flags &= ~BDRV_O_TEMPORARY;
1385 }
1386
1387 *child_flags = flags;
1388 }
1389
1390 static void bdrv_child_cb_attach(BdrvChild *child)
1391 {
1392 BlockDriverState *bs = child->opaque;
1393
1394 QLIST_INSERT_HEAD(&bs->children, child, next);
1395
1396 if (child->role & BDRV_CHILD_COW) {
1397 bdrv_backing_attach(child);
1398 }
1399
1400 bdrv_apply_subtree_drain(child, bs);
1401 }
1402
1403 static void bdrv_child_cb_detach(BdrvChild *child)
1404 {
1405 BlockDriverState *bs = child->opaque;
1406
1407 if (child->role & BDRV_CHILD_COW) {
1408 bdrv_backing_detach(child);
1409 }
1410
1411 bdrv_unapply_subtree_drain(child, bs);
1412
1413 QLIST_REMOVE(child, next);
1414 }
1415
1416 static int bdrv_child_cb_update_filename(BdrvChild *c, BlockDriverState *base,
1417 const char *filename, Error **errp)
1418 {
1419 if (c->role & BDRV_CHILD_COW) {
1420 return bdrv_backing_update_filename(c, base, filename, errp);
1421 }
1422 return 0;
1423 }
1424
1425 AioContext *child_of_bds_get_parent_aio_context(BdrvChild *c)
1426 {
1427 BlockDriverState *bs = c->opaque;
1428
1429 return bdrv_get_aio_context(bs);
1430 }
1431
1432 const BdrvChildClass child_of_bds = {
1433 .parent_is_bds = true,
1434 .get_parent_desc = bdrv_child_get_parent_desc,
1435 .inherit_options = bdrv_inherited_options,
1436 .drained_begin = bdrv_child_cb_drained_begin,
1437 .drained_poll = bdrv_child_cb_drained_poll,
1438 .drained_end = bdrv_child_cb_drained_end,
1439 .attach = bdrv_child_cb_attach,
1440 .detach = bdrv_child_cb_detach,
1441 .inactivate = bdrv_child_cb_inactivate,
1442 .can_set_aio_ctx = bdrv_child_cb_can_set_aio_ctx,
1443 .set_aio_ctx = bdrv_child_cb_set_aio_ctx,
1444 .update_filename = bdrv_child_cb_update_filename,
1445 .get_parent_aio_context = child_of_bds_get_parent_aio_context,
1446 };
1447
1448 AioContext *bdrv_child_get_parent_aio_context(BdrvChild *c)
1449 {
1450 return c->klass->get_parent_aio_context(c);
1451 }
1452
1453 static int bdrv_open_flags(BlockDriverState *bs, int flags)
1454 {
1455 int open_flags = flags;
1456
1457 /*
1458 * Clear flags that are internal to the block layer before opening the
1459 * image.
1460 */
1461 open_flags &= ~(BDRV_O_SNAPSHOT | BDRV_O_NO_BACKING | BDRV_O_PROTOCOL);
1462
1463 return open_flags;
1464 }
1465
1466 static void update_flags_from_options(int *flags, QemuOpts *opts)
1467 {
1468 *flags &= ~(BDRV_O_CACHE_MASK | BDRV_O_RDWR | BDRV_O_AUTO_RDONLY);
1469
1470 if (qemu_opt_get_bool_del(opts, BDRV_OPT_CACHE_NO_FLUSH, false)) {
1471 *flags |= BDRV_O_NO_FLUSH;
1472 }
1473
1474 if (qemu_opt_get_bool_del(opts, BDRV_OPT_CACHE_DIRECT, false)) {
1475 *flags |= BDRV_O_NOCACHE;
1476 }
1477
1478 if (!qemu_opt_get_bool_del(opts, BDRV_OPT_READ_ONLY, false)) {
1479 *flags |= BDRV_O_RDWR;
1480 }
1481
1482 if (qemu_opt_get_bool_del(opts, BDRV_OPT_AUTO_READ_ONLY, false)) {
1483 *flags |= BDRV_O_AUTO_RDONLY;
1484 }
1485 }
1486
1487 static void update_options_from_flags(QDict *options, int flags)
1488 {
1489 if (!qdict_haskey(options, BDRV_OPT_CACHE_DIRECT)) {
1490 qdict_put_bool(options, BDRV_OPT_CACHE_DIRECT, flags & BDRV_O_NOCACHE);
1491 }
1492 if (!qdict_haskey(options, BDRV_OPT_CACHE_NO_FLUSH)) {
1493 qdict_put_bool(options, BDRV_OPT_CACHE_NO_FLUSH,
1494 flags & BDRV_O_NO_FLUSH);
1495 }
1496 if (!qdict_haskey(options, BDRV_OPT_READ_ONLY)) {
1497 qdict_put_bool(options, BDRV_OPT_READ_ONLY, !(flags & BDRV_O_RDWR));
1498 }
1499 if (!qdict_haskey(options, BDRV_OPT_AUTO_READ_ONLY)) {
1500 qdict_put_bool(options, BDRV_OPT_AUTO_READ_ONLY,
1501 flags & BDRV_O_AUTO_RDONLY);
1502 }
1503 }
1504
1505 static void bdrv_assign_node_name(BlockDriverState *bs,
1506 const char *node_name,
1507 Error **errp)
1508 {
1509 char *gen_node_name = NULL;
1510
1511 if (!node_name) {
1512 node_name = gen_node_name = id_generate(ID_BLOCK);
1513 } else if (!id_wellformed(node_name)) {
1514 /*
1515 * Check for empty string or invalid characters, but not if it is
1516 * generated (generated names use characters not available to the user)
1517 */
1518 error_setg(errp, "Invalid node-name: '%s'", node_name);
1519 return;
1520 }
1521
1522 /* takes care of avoiding namespaces collisions */
1523 if (blk_by_name(node_name)) {
1524 error_setg(errp, "node-name=%s is conflicting with a device id",
1525 node_name);
1526 goto out;
1527 }
1528
1529 /* takes care of avoiding duplicates node names */
1530 if (bdrv_find_node(node_name)) {
1531 error_setg(errp, "Duplicate nodes with node-name='%s'", node_name);
1532 goto out;
1533 }
1534
1535 /* Make sure that the node name isn't truncated */
1536 if (strlen(node_name) >= sizeof(bs->node_name)) {
1537 error_setg(errp, "Node name too long");
1538 goto out;
1539 }
1540
1541 /* copy node name into the bs and insert it into the graph list */
1542 pstrcpy(bs->node_name, sizeof(bs->node_name), node_name);
1543 QTAILQ_INSERT_TAIL(&graph_bdrv_states, bs, node_list);
1544 out:
1545 g_free(gen_node_name);
1546 }
1547
1548 static int bdrv_open_driver(BlockDriverState *bs, BlockDriver *drv,
1549 const char *node_name, QDict *options,
1550 int open_flags, Error **errp)
1551 {
1552 Error *local_err = NULL;
1553 int i, ret;
1554
1555 bdrv_assign_node_name(bs, node_name, &local_err);
1556 if (local_err) {
1557 error_propagate(errp, local_err);
1558 return -EINVAL;
1559 }
1560
1561 bs->drv = drv;
1562 bs->opaque = g_malloc0(drv->instance_size);
1563
1564 if (drv->bdrv_file_open) {
1565 assert(!drv->bdrv_needs_filename || bs->filename[0]);
1566 ret = drv->bdrv_file_open(bs, options, open_flags, &local_err);
1567 } else if (drv->bdrv_open) {
1568 ret = drv->bdrv_open(bs, options, open_flags, &local_err);
1569 } else {
1570 ret = 0;
1571 }
1572
1573 if (ret < 0) {
1574 if (local_err) {
1575 error_propagate(errp, local_err);
1576 } else if (bs->filename[0]) {
1577 error_setg_errno(errp, -ret, "Could not open '%s'", bs->filename);
1578 } else {
1579 error_setg_errno(errp, -ret, "Could not open image");
1580 }
1581 goto open_failed;
1582 }
1583
1584 ret = refresh_total_sectors(bs, bs->total_sectors);
1585 if (ret < 0) {
1586 error_setg_errno(errp, -ret, "Could not refresh total sector count");
1587 return ret;
1588 }
1589
1590 bdrv_refresh_limits(bs, NULL, &local_err);
1591 if (local_err) {
1592 error_propagate(errp, local_err);
1593 return -EINVAL;
1594 }
1595
1596 assert(bdrv_opt_mem_align(bs) != 0);
1597 assert(bdrv_min_mem_align(bs) != 0);
1598 assert(is_power_of_2(bs->bl.request_alignment));
1599
1600 for (i = 0; i < bs->quiesce_counter; i++) {
1601 if (drv->bdrv_co_drain_begin) {
1602 drv->bdrv_co_drain_begin(bs);
1603 }
1604 }
1605
1606 return 0;
1607 open_failed:
1608 bs->drv = NULL;
1609 if (bs->file != NULL) {
1610 bdrv_unref_child(bs, bs->file);
1611 bs->file = NULL;
1612 }
1613 g_free(bs->opaque);
1614 bs->opaque = NULL;
1615 return ret;
1616 }
1617
1618 /*
1619 * Create and open a block node.
1620 *
1621 * @options is a QDict of options to pass to the block drivers, or NULL for an
1622 * empty set of options. The reference to the QDict belongs to the block layer
1623 * after the call (even on failure), so if the caller intends to reuse the
1624 * dictionary, it needs to use qobject_ref() before calling bdrv_open.
1625 */
1626 BlockDriverState *bdrv_new_open_driver_opts(BlockDriver *drv,
1627 const char *node_name,
1628 QDict *options, int flags,
1629 Error **errp)
1630 {
1631 BlockDriverState *bs;
1632 int ret;
1633
1634 bs = bdrv_new();
1635 bs->open_flags = flags;
1636 bs->options = options ?: qdict_new();
1637 bs->explicit_options = qdict_clone_shallow(bs->options);
1638 bs->opaque = NULL;
1639
1640 update_options_from_flags(bs->options, flags);
1641
1642 ret = bdrv_open_driver(bs, drv, node_name, bs->options, flags, errp);
1643 if (ret < 0) {
1644 qobject_unref(bs->explicit_options);
1645 bs->explicit_options = NULL;
1646 qobject_unref(bs->options);
1647 bs->options = NULL;
1648 bdrv_unref(bs);
1649 return NULL;
1650 }
1651
1652 return bs;
1653 }
1654
1655 /* Create and open a block node. */
1656 BlockDriverState *bdrv_new_open_driver(BlockDriver *drv, const char *node_name,
1657 int flags, Error **errp)
1658 {
1659 return bdrv_new_open_driver_opts(drv, node_name, NULL, flags, errp);
1660 }
1661
1662 QemuOptsList bdrv_runtime_opts = {
1663 .name = "bdrv_common",
1664 .head = QTAILQ_HEAD_INITIALIZER(bdrv_runtime_opts.head),
1665 .desc = {
1666 {
1667 .name = "node-name",
1668 .type = QEMU_OPT_STRING,
1669 .help = "Node name of the block device node",
1670 },
1671 {
1672 .name = "driver",
1673 .type = QEMU_OPT_STRING,
1674 .help = "Block driver to use for the node",
1675 },
1676 {
1677 .name = BDRV_OPT_CACHE_DIRECT,
1678 .type = QEMU_OPT_BOOL,
1679 .help = "Bypass software writeback cache on the host",
1680 },
1681 {
1682 .name = BDRV_OPT_CACHE_NO_FLUSH,
1683 .type = QEMU_OPT_BOOL,
1684 .help = "Ignore flush requests",
1685 },
1686 {
1687 .name = BDRV_OPT_READ_ONLY,
1688 .type = QEMU_OPT_BOOL,
1689 .help = "Node is opened in read-only mode",
1690 },
1691 {
1692 .name = BDRV_OPT_AUTO_READ_ONLY,
1693 .type = QEMU_OPT_BOOL,
1694 .help = "Node can become read-only if opening read-write fails",
1695 },
1696 {
1697 .name = "detect-zeroes",
1698 .type = QEMU_OPT_STRING,
1699 .help = "try to optimize zero writes (off, on, unmap)",
1700 },
1701 {
1702 .name = BDRV_OPT_DISCARD,
1703 .type = QEMU_OPT_STRING,
1704 .help = "discard operation (ignore/off, unmap/on)",
1705 },
1706 {
1707 .name = BDRV_OPT_FORCE_SHARE,
1708 .type = QEMU_OPT_BOOL,
1709 .help = "always accept other writers (default: off)",
1710 },
1711 { /* end of list */ }
1712 },
1713 };
1714
1715 QemuOptsList bdrv_create_opts_simple = {
1716 .name = "simple-create-opts",
1717 .head = QTAILQ_HEAD_INITIALIZER(bdrv_create_opts_simple.head),
1718 .desc = {
1719 {
1720 .name = BLOCK_OPT_SIZE,
1721 .type = QEMU_OPT_SIZE,
1722 .help = "Virtual disk size"
1723 },
1724 {
1725 .name = BLOCK_OPT_PREALLOC,
1726 .type = QEMU_OPT_STRING,
1727 .help = "Preallocation mode (allowed values: off)"
1728 },
1729 { /* end of list */ }
1730 }
1731 };
1732
1733 /*
1734 * Common part for opening disk images and files
1735 *
1736 * Removes all processed options from *options.
1737 */
1738 static int bdrv_open_common(BlockDriverState *bs, BlockBackend *file,
1739 QDict *options, Error **errp)
1740 {
1741 int ret, open_flags;
1742 const char *filename;
1743 const char *driver_name = NULL;
1744 const char *node_name = NULL;
1745 const char *discard;
1746 QemuOpts *opts;
1747 BlockDriver *drv;
1748 Error *local_err = NULL;
1749 bool ro;
1750
1751 assert(bs->file == NULL);
1752 assert(options != NULL && bs->options != options);
1753
1754 opts = qemu_opts_create(&bdrv_runtime_opts, NULL, 0, &error_abort);
1755 if (!qemu_opts_absorb_qdict(opts, options, errp)) {
1756 ret = -EINVAL;
1757 goto fail_opts;
1758 }
1759
1760 update_flags_from_options(&bs->open_flags, opts);
1761
1762 driver_name = qemu_opt_get(opts, "driver");
1763 drv = bdrv_find_format(driver_name);
1764 assert(drv != NULL);
1765
1766 bs->force_share = qemu_opt_get_bool(opts, BDRV_OPT_FORCE_SHARE, false);
1767
1768 if (bs->force_share && (bs->open_flags & BDRV_O_RDWR)) {
1769 error_setg(errp,
1770 BDRV_OPT_FORCE_SHARE
1771 "=on can only be used with read-only images");
1772 ret = -EINVAL;
1773 goto fail_opts;
1774 }
1775
1776 if (file != NULL) {
1777 bdrv_refresh_filename(blk_bs(file));
1778 filename = blk_bs(file)->filename;
1779 } else {
1780 /*
1781 * Caution: while qdict_get_try_str() is fine, getting
1782 * non-string types would require more care. When @options
1783 * come from -blockdev or blockdev_add, its members are typed
1784 * according to the QAPI schema, but when they come from
1785 * -drive, they're all QString.
1786 */
1787 filename = qdict_get_try_str(options, "filename");
1788 }
1789
1790 if (drv->bdrv_needs_filename && (!filename || !filename[0])) {
1791 error_setg(errp, "The '%s' block driver requires a file name",
1792 drv->format_name);
1793 ret = -EINVAL;
1794 goto fail_opts;
1795 }
1796
1797 trace_bdrv_open_common(bs, filename ?: "", bs->open_flags,
1798 drv->format_name);
1799
1800 ro = bdrv_is_read_only(bs);
1801
1802 if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv, ro)) {
1803 if (!ro && bdrv_is_whitelisted(drv, true)) {
1804 ret = bdrv_apply_auto_read_only(bs, NULL, NULL);
1805 } else {
1806 ret = -ENOTSUP;
1807 }
1808 if (ret < 0) {
1809 error_setg(errp,
1810 !ro && bdrv_is_whitelisted(drv, true)
1811 ? "Driver '%s' can only be used for read-only devices"
1812 : "Driver '%s' is not whitelisted",
1813 drv->format_name);
1814 goto fail_opts;
1815 }
1816 }
1817
1818 /* bdrv_new() and bdrv_close() make it so */
1819 assert(qatomic_read(&bs->copy_on_read) == 0);
1820
1821 if (bs->open_flags & BDRV_O_COPY_ON_READ) {
1822 if (!ro) {
1823 bdrv_enable_copy_on_read(bs);
1824 } else {
1825 error_setg(errp, "Can't use copy-on-read on read-only device");
1826 ret = -EINVAL;
1827 goto fail_opts;
1828 }
1829 }
1830
1831 discard = qemu_opt_get(opts, BDRV_OPT_DISCARD);
1832 if (discard != NULL) {
1833 if (bdrv_parse_discard_flags(discard, &bs->open_flags) != 0) {
1834 error_setg(errp, "Invalid discard option");
1835 ret = -EINVAL;
1836 goto fail_opts;
1837 }
1838 }
1839
1840 bs->detect_zeroes =
1841 bdrv_parse_detect_zeroes(opts, bs->open_flags, &local_err);
1842 if (local_err) {
1843 error_propagate(errp, local_err);
1844 ret = -EINVAL;
1845 goto fail_opts;
1846 }
1847
1848 if (filename != NULL) {
1849 pstrcpy(bs->filename, sizeof(bs->filename), filename);
1850 } else {
1851 bs->filename[0] = '\0';
1852 }
1853 pstrcpy(bs->exact_filename, sizeof(bs->exact_filename), bs->filename);
1854
1855 /* Open the image, either directly or using a protocol */
1856 open_flags = bdrv_open_flags(bs, bs->open_flags);
1857 node_name = qemu_opt_get(opts, "node-name");
1858
1859 assert(!drv->bdrv_file_open || file == NULL);
1860 ret = bdrv_open_driver(bs, drv, node_name, options, open_flags, errp);
1861 if (ret < 0) {
1862 goto fail_opts;
1863 }
1864
1865 qemu_opts_del(opts);
1866 return 0;
1867
1868 fail_opts:
1869 qemu_opts_del(opts);
1870 return ret;
1871 }
1872
1873 static QDict *parse_json_filename(const char *filename, Error **errp)
1874 {
1875 QObject *options_obj;
1876 QDict *options;
1877 int ret;
1878
1879 ret = strstart(filename, "json:", &filename);
1880 assert(ret);
1881
1882 options_obj = qobject_from_json(filename, errp);
1883 if (!options_obj) {
1884 error_prepend(errp, "Could not parse the JSON options: ");
1885 return NULL;
1886 }
1887
1888 options = qobject_to(QDict, options_obj);
1889 if (!options) {
1890 qobject_unref(options_obj);
1891 error_setg(errp, "Invalid JSON object given");
1892 return NULL;
1893 }
1894
1895 qdict_flatten(options);
1896
1897 return options;
1898 }
1899
1900 static void parse_json_protocol(QDict *options, const char **pfilename,
1901 Error **errp)
1902 {
1903 QDict *json_options;
1904 Error *local_err = NULL;
1905
1906 /* Parse json: pseudo-protocol */
1907 if (!*pfilename || !g_str_has_prefix(*pfilename, "json:")) {
1908 return;
1909 }
1910
1911 json_options = parse_json_filename(*pfilename, &local_err);
1912 if (local_err) {
1913 error_propagate(errp, local_err);
1914 return;
1915 }
1916
1917 /* Options given in the filename have lower priority than options
1918 * specified directly */
1919 qdict_join(options, json_options, false);
1920 qobject_unref(json_options);
1921 *pfilename = NULL;
1922 }
1923
1924 /*
1925 * Fills in default options for opening images and converts the legacy
1926 * filename/flags pair to option QDict entries.
1927 * The BDRV_O_PROTOCOL flag in *flags will be set or cleared accordingly if a
1928 * block driver has been specified explicitly.
1929 */
1930 static int bdrv_fill_options(QDict **options, const char *filename,
1931 int *flags, Error **errp)
1932 {
1933 const char *drvname;
1934 bool protocol = *flags & BDRV_O_PROTOCOL;
1935 bool parse_filename = false;
1936 BlockDriver *drv = NULL;
1937 Error *local_err = NULL;
1938
1939 /*
1940 * Caution: while qdict_get_try_str() is fine, getting non-string
1941 * types would require more care. When @options come from
1942 * -blockdev or blockdev_add, its members are typed according to
1943 * the QAPI schema, but when they come from -drive, they're all
1944 * QString.
1945 */
1946 drvname = qdict_get_try_str(*options, "driver");
1947 if (drvname) {
1948 drv = bdrv_find_format(drvname);
1949 if (!drv) {
1950 error_setg(errp, "Unknown driver '%s'", drvname);
1951 return -ENOENT;
1952 }
1953 /* If the user has explicitly specified the driver, this choice should
1954 * override the BDRV_O_PROTOCOL flag */
1955 protocol = drv->bdrv_file_open;
1956 }
1957
1958 if (protocol) {
1959 *flags |= BDRV_O_PROTOCOL;
1960 } else {
1961 *flags &= ~BDRV_O_PROTOCOL;
1962 }
1963
1964 /* Translate cache options from flags into options */
1965 update_options_from_flags(*options, *flags);
1966
1967 /* Fetch the file name from the options QDict if necessary */
1968 if (protocol && filename) {
1969 if (!qdict_haskey(*options, "filename")) {
1970 qdict_put_str(*options, "filename", filename);
1971 parse_filename = true;
1972 } else {
1973 error_setg(errp, "Can't specify 'file' and 'filename' options at "
1974 "the same time");
1975 return -EINVAL;
1976 }
1977 }
1978
1979 /* Find the right block driver */
1980 /* See cautionary note on accessing @options above */
1981 filename = qdict_get_try_str(*options, "filename");
1982
1983 if (!drvname && protocol) {
1984 if (filename) {
1985 drv = bdrv_find_protocol(filename, parse_filename, errp);
1986 if (!drv) {
1987 return -EINVAL;
1988 }
1989
1990 drvname = drv->format_name;
1991 qdict_put_str(*options, "driver", drvname);
1992 } else {
1993 error_setg(errp, "Must specify either driver or file");
1994 return -EINVAL;
1995 }
1996 }
1997
1998 assert(drv || !protocol);
1999
2000 /* Driver-specific filename parsing */
2001 if (drv && drv->bdrv_parse_filename && parse_filename) {
2002 drv->bdrv_parse_filename(filename, *options, &local_err);
2003 if (local_err) {
2004 error_propagate(errp, local_err);
2005 return -EINVAL;
2006 }
2007
2008 if (!drv->bdrv_needs_filename) {
2009 qdict_del(*options, "filename");
2010 }
2011 }
2012
2013 return 0;
2014 }
2015
2016 typedef struct BlockReopenQueueEntry {
2017 bool prepared;
2018 bool perms_checked;
2019 BDRVReopenState state;
2020 QTAILQ_ENTRY(BlockReopenQueueEntry) entry;
2021 } BlockReopenQueueEntry;
2022
2023 /*
2024 * Return the flags that @bs will have after the reopens in @q have
2025 * successfully completed. If @q is NULL (or @bs is not contained in @q),
2026 * return the current flags.
2027 */
2028 static int bdrv_reopen_get_flags(BlockReopenQueue *q, BlockDriverState *bs)
2029 {
2030 BlockReopenQueueEntry *entry;
2031
2032 if (q != NULL) {
2033 QTAILQ_FOREACH(entry, q, entry) {
2034 if (entry->state.bs == bs) {
2035 return entry->state.flags;
2036 }
2037 }
2038 }
2039
2040 return bs->open_flags;
2041 }
2042
2043 /* Returns whether the image file can be written to after the reopen queue @q
2044 * has been successfully applied, or right now if @q is NULL. */
2045 static bool bdrv_is_writable_after_reopen(BlockDriverState *bs,
2046 BlockReopenQueue *q)
2047 {
2048 int flags = bdrv_reopen_get_flags(q, bs);
2049
2050 return (flags & (BDRV_O_RDWR | BDRV_O_INACTIVE)) == BDRV_O_RDWR;
2051 }
2052
2053 /*
2054 * Return whether the BDS can be written to. This is not necessarily
2055 * the same as !bdrv_is_read_only(bs), as inactivated images may not
2056 * be written to but do not count as read-only images.
2057 */
2058 bool bdrv_is_writable(BlockDriverState *bs)
2059 {
2060 return bdrv_is_writable_after_reopen(bs, NULL);
2061 }
2062
2063 static char *bdrv_child_user_desc(BdrvChild *c)
2064 {
2065 return c->klass->get_parent_desc(c);
2066 }
2067
2068 /*
2069 * Check that @a allows everything that @b needs. @a and @b must reference same
2070 * child node.
2071 */
2072 static bool bdrv_a_allow_b(BdrvChild *a, BdrvChild *b, Error **errp)
2073 {
2074 const char *child_bs_name;
2075 g_autofree char *a_user = NULL;
2076 g_autofree char *b_user = NULL;
2077 g_autofree char *perms = NULL;
2078
2079 assert(a->bs);
2080 assert(a->bs == b->bs);
2081
2082 if ((b->perm & a->shared_perm) == b->perm) {
2083 return true;
2084 }
2085
2086 child_bs_name = bdrv_get_node_name(b->bs);
2087 a_user = bdrv_child_user_desc(a);
2088 b_user = bdrv_child_user_desc(b);
2089 perms = bdrv_perm_names(b->perm & ~a->shared_perm);
2090
2091 error_setg(errp, "Permission conflict on node '%s': permissions '%s' are "
2092 "both required by %s (uses node '%s' as '%s' child) and "
2093 "unshared by %s (uses node '%s' as '%s' child).",
2094 child_bs_name, perms,
2095 b_user, child_bs_name, b->name,
2096 a_user, child_bs_name, a->name);
2097
2098 return false;
2099 }
2100
2101 static bool bdrv_parent_perms_conflict(BlockDriverState *bs, Error **errp)
2102 {
2103 BdrvChild *a, *b;
2104
2105 /*
2106 * During the loop we'll look at each pair twice. That's correct because
2107 * bdrv_a_allow_b() is asymmetric and we should check each pair in both
2108 * directions.
2109 */
2110 QLIST_FOREACH(a, &bs->parents, next_parent) {
2111 QLIST_FOREACH(b, &bs->parents, next_parent) {
2112 if (a == b) {
2113 continue;
2114 }
2115
2116 if (!bdrv_a_allow_b(a, b, errp)) {
2117 return true;
2118 }
2119 }
2120 }
2121
2122 return false;
2123 }
2124
2125 static void bdrv_child_perm(BlockDriverState *bs, BlockDriverState *child_bs,
2126 BdrvChild *c, BdrvChildRole role,
2127 BlockReopenQueue *reopen_queue,
2128 uint64_t parent_perm, uint64_t parent_shared,
2129 uint64_t *nperm, uint64_t *nshared)
2130 {
2131 assert(bs->drv && bs->drv->bdrv_child_perm);
2132 bs->drv->bdrv_child_perm(bs, c, role, reopen_queue,
2133 parent_perm, parent_shared,
2134 nperm, nshared);
2135 /* TODO Take force_share from reopen_queue */
2136 if (child_bs && child_bs->force_share) {
2137 *nshared = BLK_PERM_ALL;
2138 }
2139 }
2140
2141 /*
2142 * Adds the whole subtree of @bs (including @bs itself) to the @list (except for
2143 * nodes that are already in the @list, of course) so that final list is
2144 * topologically sorted. Return the result (GSList @list object is updated, so
2145 * don't use old reference after function call).
2146 *
2147 * On function start @list must be already topologically sorted and for any node
2148 * in the @list the whole subtree of the node must be in the @list as well. The
2149 * simplest way to satisfy this criteria: use only result of
2150 * bdrv_topological_dfs() or NULL as @list parameter.
2151 */
2152 static GSList *bdrv_topological_dfs(GSList *list, GHashTable *found,
2153 BlockDriverState *bs)
2154 {
2155 BdrvChild *child;
2156 g_autoptr(GHashTable) local_found = NULL;
2157
2158 if (!found) {
2159 assert(!list);
2160 found = local_found = g_hash_table_new(NULL, NULL);
2161 }
2162
2163 if (g_hash_table_contains(found, bs)) {
2164 return list;
2165 }
2166 g_hash_table_add(found, bs);
2167
2168 QLIST_FOREACH(child, &bs->children, next) {
2169 list = bdrv_topological_dfs(list, found, child->bs);
2170 }
2171
2172 return g_slist_prepend(list, bs);
2173 }
2174
2175 typedef struct BdrvChildSetPermState {
2176 BdrvChild *child;
2177 uint64_t old_perm;
2178 uint64_t old_shared_perm;
2179 } BdrvChildSetPermState;
2180
2181 static void bdrv_child_set_perm_abort(void *opaque)
2182 {
2183 BdrvChildSetPermState *s = opaque;
2184
2185 s->child->perm = s->old_perm;
2186 s->child->shared_perm = s->old_shared_perm;
2187 }
2188
2189 static TransactionActionDrv bdrv_child_set_pem_drv = {
2190 .abort = bdrv_child_set_perm_abort,
2191 .clean = g_free,
2192 };
2193
2194 static void bdrv_child_set_perm(BdrvChild *c, uint64_t perm,
2195 uint64_t shared, Transaction *tran)
2196 {
2197 BdrvChildSetPermState *s = g_new(BdrvChildSetPermState, 1);
2198
2199 *s = (BdrvChildSetPermState) {
2200 .child = c,
2201 .old_perm = c->perm,
2202 .old_shared_perm = c->shared_perm,
2203 };
2204
2205 c->perm = perm;
2206 c->shared_perm = shared;
2207
2208 tran_add(tran, &bdrv_child_set_pem_drv, s);
2209 }
2210
2211 static void bdrv_drv_set_perm_commit(void *opaque)
2212 {
2213 BlockDriverState *bs = opaque;
2214 uint64_t cumulative_perms, cumulative_shared_perms;
2215
2216 if (bs->drv->bdrv_set_perm) {
2217 bdrv_get_cumulative_perm(bs, &cumulative_perms,
2218 &cumulative_shared_perms);
2219 bs->drv->bdrv_set_perm(bs, cumulative_perms, cumulative_shared_perms);
2220 }
2221 }
2222
2223 static void bdrv_drv_set_perm_abort(void *opaque)
2224 {
2225 BlockDriverState *bs = opaque;
2226
2227 if (bs->drv->bdrv_abort_perm_update) {
2228 bs->drv->bdrv_abort_perm_update(bs);
2229 }
2230 }
2231
2232 TransactionActionDrv bdrv_drv_set_perm_drv = {
2233 .abort = bdrv_drv_set_perm_abort,
2234 .commit = bdrv_drv_set_perm_commit,
2235 };
2236
2237 static int bdrv_drv_set_perm(BlockDriverState *bs, uint64_t perm,
2238 uint64_t shared_perm, Transaction *tran,
2239 Error **errp)
2240 {
2241 if (!bs->drv) {
2242 return 0;
2243 }
2244
2245 if (bs->drv->bdrv_check_perm) {
2246 int ret = bs->drv->bdrv_check_perm(bs, perm, shared_perm, errp);
2247 if (ret < 0) {
2248 return ret;
2249 }
2250 }
2251
2252 if (tran) {
2253 tran_add(tran, &bdrv_drv_set_perm_drv, bs);
2254 }
2255
2256 return 0;
2257 }
2258
2259 typedef struct BdrvReplaceChildState {
2260 BdrvChild *child;
2261 BdrvChild **childp;
2262 BlockDriverState *old_bs;
2263 bool free_empty_child;
2264 } BdrvReplaceChildState;
2265
2266 static void bdrv_replace_child_commit(void *opaque)
2267 {
2268 BdrvReplaceChildState *s = opaque;
2269
2270 if (s->free_empty_child && !s->child->bs) {
2271 bdrv_child_free(s->child);
2272 }
2273 bdrv_unref(s->old_bs);
2274 }
2275
2276 static void bdrv_replace_child_abort(void *opaque)
2277 {
2278 BdrvReplaceChildState *s = opaque;
2279 BlockDriverState *new_bs = s->child->bs;
2280
2281 /*
2282 * old_bs reference is transparently moved from @s to s->child.
2283 *
2284 * Pass &s->child here instead of s->childp, because:
2285 * (1) s->old_bs must be non-NULL, so bdrv_replace_child_noperm() will not
2286 * modify the BdrvChild * pointer we indirectly pass to it, i.e. it
2287 * will not modify s->child. From that perspective, it does not matter
2288 * whether we pass s->childp or &s->child.
2289 * (2) If new_bs is not NULL, s->childp will be NULL. We then cannot use
2290 * it here.
2291 * (3) If new_bs is NULL, *s->childp will have been NULLed by
2292 * bdrv_replace_child_tran()'s bdrv_replace_child_noperm() call, and we
2293 * must not pass a NULL *s->childp here.
2294 *
2295 * So whether new_bs was NULL or not, we cannot pass s->childp here; and in
2296 * any case, there is no reason to pass it anyway.
2297 */
2298 bdrv_replace_child_noperm(&s->child, s->old_bs, true);
2299 /*
2300 * The child was pre-existing, so s->old_bs must be non-NULL, and
2301 * s->child thus must not have been freed
2302 */
2303 assert(s->child != NULL);
2304 if (!new_bs) {
2305 /* As described above, *s->childp was cleared, so restore it */
2306 assert(s->childp != NULL);
2307 *s->childp = s->child;
2308 }
2309 bdrv_unref(new_bs);
2310 }
2311
2312 static TransactionActionDrv bdrv_replace_child_drv = {
2313 .commit = bdrv_replace_child_commit,
2314 .abort = bdrv_replace_child_abort,
2315 .clean = g_free,
2316 };
2317
2318 /*
2319 * bdrv_replace_child_tran
2320 *
2321 * Note: real unref of old_bs is done only on commit.
2322 *
2323 * The function doesn't update permissions, caller is responsible for this.
2324 *
2325 * (*childp)->bs must not be NULL.
2326 *
2327 * Note that if new_bs == NULL, @childp is stored in a state object attached
2328 * to @tran, so that the old child can be reinstated in the abort handler.
2329 * Therefore, if @new_bs can be NULL, @childp must stay valid until the
2330 * transaction is committed or aborted.
2331 *
2332 * If @free_empty_child is true and @new_bs is NULL, the BdrvChild is
2333 * freed (on commit). @free_empty_child should only be false if the
2334 * caller will free the BDrvChild themselves (which may be important
2335 * if this is in turn called in another transactional context).
2336 */
2337 static void bdrv_replace_child_tran(BdrvChild **childp,
2338 BlockDriverState *new_bs,
2339 Transaction *tran,
2340 bool free_empty_child)
2341 {
2342 BdrvReplaceChildState *s = g_new(BdrvReplaceChildState, 1);
2343 *s = (BdrvReplaceChildState) {
2344 .child = *childp,
2345 .childp = new_bs == NULL ? childp : NULL,
2346 .old_bs = (*childp)->bs,
2347 .free_empty_child = free_empty_child,
2348 };
2349 tran_add(tran, &bdrv_replace_child_drv, s);
2350
2351 /* The abort handler relies on this */
2352 assert(s->old_bs != NULL);
2353
2354 if (new_bs) {
2355 bdrv_ref(new_bs);
2356 }
2357 /*
2358 * Pass free_empty_child=false, we will free the child (if
2359 * necessary) in bdrv_replace_child_commit() (if our
2360 * @free_empty_child parameter was true).
2361 */
2362 bdrv_replace_child_noperm(childp, new_bs, false);
2363 /* old_bs reference is transparently moved from *childp to @s */
2364 }
2365
2366 /*
2367 * Refresh permissions in @bs subtree. The function is intended to be called
2368 * after some graph modification that was done without permission update.
2369 */
2370 static int bdrv_node_refresh_perm(BlockDriverState *bs, BlockReopenQueue *q,
2371 Transaction *tran, Error **errp)
2372 {
2373 BlockDriver *drv = bs->drv;
2374 BdrvChild *c;
2375 int ret;
2376 uint64_t cumulative_perms, cumulative_shared_perms;
2377
2378 bdrv_get_cumulative_perm(bs, &cumulative_perms, &cumulative_shared_perms);
2379
2380 /* Write permissions never work with read-only images */
2381 if ((cumulative_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) &&
2382 !bdrv_is_writable_after_reopen(bs, q))
2383 {
2384 if (!bdrv_is_writable_after_reopen(bs, NULL)) {
2385 error_setg(errp, "Block node is read-only");
2386 } else {
2387 error_setg(errp, "Read-only block node '%s' cannot support "
2388 "read-write users", bdrv_get_node_name(bs));
2389 }
2390
2391 return -EPERM;
2392 }
2393
2394 /*
2395 * Unaligned requests will automatically be aligned to bl.request_alignment
2396 * and without RESIZE we can't extend requests to write to space beyond the
2397 * end of the image, so it's required that the image size is aligned.
2398 */
2399 if ((cumulative_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) &&
2400 !(cumulative_perms & BLK_PERM_RESIZE))
2401 {
2402 if ((bs->total_sectors * BDRV_SECTOR_SIZE) % bs->bl.request_alignment) {
2403 error_setg(errp, "Cannot get 'write' permission without 'resize': "
2404 "Image size is not a multiple of request "
2405 "alignment");
2406 return -EPERM;
2407 }
2408 }
2409
2410 /* Check this node */
2411 if (!drv) {
2412 return 0;
2413 }
2414
2415 ret = bdrv_drv_set_perm(bs, cumulative_perms, cumulative_shared_perms, tran,
2416 errp);
2417 if (ret < 0) {
2418 return ret;
2419 }
2420
2421 /* Drivers that never have children can omit .bdrv_child_perm() */
2422 if (!drv->bdrv_child_perm) {
2423 assert(QLIST_EMPTY(&bs->children));
2424 return 0;
2425 }
2426
2427 /* Check all children */
2428 QLIST_FOREACH(c, &bs->children, next) {
2429 uint64_t cur_perm, cur_shared;
2430
2431 bdrv_child_perm(bs, c->bs, c, c->role, q,
2432 cumulative_perms, cumulative_shared_perms,
2433 &cur_perm, &cur_shared);
2434 bdrv_child_set_perm(c, cur_perm, cur_shared, tran);
2435 }
2436
2437 return 0;
2438 }
2439
2440 static int bdrv_list_refresh_perms(GSList *list, BlockReopenQueue *q,
2441 Transaction *tran, Error **errp)
2442 {
2443 int ret;
2444 BlockDriverState *bs;
2445
2446 for ( ; list; list = list->next) {
2447 bs = list->data;
2448
2449 if (bdrv_parent_perms_conflict(bs, errp)) {
2450 return -EINVAL;
2451 }
2452
2453 ret = bdrv_node_refresh_perm(bs, q, tran, errp);
2454 if (ret < 0) {
2455 return ret;
2456 }
2457 }
2458
2459 return 0;
2460 }
2461
2462 void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm,
2463 uint64_t *shared_perm)
2464 {
2465 BdrvChild *c;
2466 uint64_t cumulative_perms = 0;
2467 uint64_t cumulative_shared_perms = BLK_PERM_ALL;
2468
2469 QLIST_FOREACH(c, &bs->parents, next_parent) {
2470 cumulative_perms |= c->perm;
2471 cumulative_shared_perms &= c->shared_perm;
2472 }
2473
2474 *perm = cumulative_perms;
2475 *shared_perm = cumulative_shared_perms;
2476 }
2477
2478 char *bdrv_perm_names(uint64_t perm)
2479 {
2480 struct perm_name {
2481 uint64_t perm;
2482 const char *name;
2483 } permissions[] = {
2484 { BLK_PERM_CONSISTENT_READ, "consistent read" },
2485 { BLK_PERM_WRITE, "write" },
2486 { BLK_PERM_WRITE_UNCHANGED, "write unchanged" },
2487 { BLK_PERM_RESIZE, "resize" },
2488 { 0, NULL }
2489 };
2490
2491 GString *result = g_string_sized_new(30);
2492 struct perm_name *p;
2493
2494 for (p = permissions; p->name; p++) {
2495 if (perm & p->perm) {
2496 if (result->len > 0) {
2497 g_string_append(result, ", ");
2498 }
2499 g_string_append(result, p->name);
2500 }
2501 }
2502
2503 return g_string_free(result, FALSE);
2504 }
2505
2506
2507 static int bdrv_refresh_perms(BlockDriverState *bs, Error **errp)
2508 {
2509 int ret;
2510 Transaction *tran = tran_new();
2511 g_autoptr(GSList) list = bdrv_topological_dfs(NULL, NULL, bs);
2512
2513 ret = bdrv_list_refresh_perms(list, NULL, tran, errp);
2514 tran_finalize(tran, ret);
2515
2516 return ret;
2517 }
2518
2519 int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
2520 Error **errp)
2521 {
2522 Error *local_err = NULL;
2523 Transaction *tran = tran_new();
2524 int ret;
2525
2526 bdrv_child_set_perm(c, perm, shared, tran);
2527
2528 ret = bdrv_refresh_perms(c->bs, &local_err);
2529
2530 tran_finalize(tran, ret);
2531
2532 if (ret < 0) {
2533 if ((perm & ~c->perm) || (c->shared_perm & ~shared)) {
2534 /* tighten permissions */
2535 error_propagate(errp, local_err);
2536 } else {
2537 /*
2538 * Our caller may intend to only loosen restrictions and
2539 * does not expect this function to fail. Errors are not
2540 * fatal in such a case, so we can just hide them from our
2541 * caller.
2542 */
2543 error_free(local_err);
2544 ret = 0;
2545 }
2546 }
2547
2548 return ret;
2549 }
2550
2551 int bdrv_child_refresh_perms(BlockDriverState *bs, BdrvChild *c, Error **errp)
2552 {
2553 uint64_t parent_perms, parent_shared;
2554 uint64_t perms, shared;
2555
2556 bdrv_get_cumulative_perm(bs, &parent_perms, &parent_shared);
2557 bdrv_child_perm(bs, c->bs, c, c->role, NULL,
2558 parent_perms, parent_shared, &perms, &shared);
2559
2560 return bdrv_child_try_set_perm(c, perms, shared, errp);
2561 }
2562
2563 /*
2564 * Default implementation for .bdrv_child_perm() for block filters:
2565 * Forward CONSISTENT_READ, WRITE, WRITE_UNCHANGED, and RESIZE to the
2566 * filtered child.
2567 */
2568 static void bdrv_filter_default_perms(BlockDriverState *bs, BdrvChild *c,
2569 BdrvChildRole role,
2570 BlockReopenQueue *reopen_queue,
2571 uint64_t perm, uint64_t shared,
2572 uint64_t *nperm, uint64_t *nshared)
2573 {
2574 *nperm = perm & DEFAULT_PERM_PASSTHROUGH;
2575 *nshared = (shared & DEFAULT_PERM_PASSTHROUGH) | DEFAULT_PERM_UNCHANGED;
2576 }
2577
2578 static void bdrv_default_perms_for_cow(BlockDriverState *bs, BdrvChild *c,
2579 BdrvChildRole role,
2580 BlockReopenQueue *reopen_queue,
2581 uint64_t perm, uint64_t shared,
2582 uint64_t *nperm, uint64_t *nshared)
2583 {
2584 assert(role & BDRV_CHILD_COW);
2585
2586 /*
2587 * We want consistent read from backing files if the parent needs it.
2588 * No other operations are performed on backing files.
2589 */
2590 perm &= BLK_PERM_CONSISTENT_READ;
2591
2592 /*
2593 * If the parent can deal with changing data, we're okay with a
2594 * writable and resizable backing file.
2595 * TODO Require !(perm & BLK_PERM_CONSISTENT_READ), too?
2596 */
2597 if (shared & BLK_PERM_WRITE) {
2598 shared = BLK_PERM_WRITE | BLK_PERM_RESIZE;
2599 } else {
2600 shared = 0;
2601 }
2602
2603 shared |= BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE_UNCHANGED;
2604
2605 if (bs->open_flags & BDRV_O_INACTIVE) {
2606 shared |= BLK_PERM_WRITE | BLK_PERM_RESIZE;
2607 }
2608
2609 *nperm = perm;
2610 *nshared = shared;
2611 }
2612
2613 static void bdrv_default_perms_for_storage(BlockDriverState *bs, BdrvChild *c,
2614 BdrvChildRole role,
2615 BlockReopenQueue *reopen_queue,
2616 uint64_t perm, uint64_t shared,
2617 uint64_t *nperm, uint64_t *nshared)
2618 {
2619 int flags;
2620
2621 assert(role & (BDRV_CHILD_METADATA | BDRV_CHILD_DATA));
2622
2623 flags = bdrv_reopen_get_flags(reopen_queue, bs);
2624
2625 /*
2626 * Apart from the modifications below, the same permissions are
2627 * forwarded and left alone as for filters
2628 */
2629 bdrv_filter_default_perms(bs, c, role, reopen_queue,
2630 perm, shared, &perm, &shared);
2631
2632 if (role & BDRV_CHILD_METADATA) {
2633 /* Format drivers may touch metadata even if the guest doesn't write */
2634 if (bdrv_is_writable_after_reopen(bs, reopen_queue)) {
2635 perm |= BLK_PERM_WRITE | BLK_PERM_RESIZE;
2636 }
2637
2638 /*
2639 * bs->file always needs to be consistent because of the
2640 * metadata. We can never allow other users to resize or write
2641 * to it.
2642 */
2643 if (!(flags & BDRV_O_NO_IO)) {
2644 perm |= BLK_PERM_CONSISTENT_READ;
2645 }
2646 shared &= ~(BLK_PERM_WRITE | BLK_PERM_RESIZE);
2647 }
2648
2649 if (role & BDRV_CHILD_DATA) {
2650 /*
2651 * Technically, everything in this block is a subset of the
2652 * BDRV_CHILD_METADATA path taken above, and so this could
2653 * be an "else if" branch. However, that is not obvious, and
2654 * this function is not performance critical, therefore we let
2655 * this be an independent "if".
2656 */
2657
2658 /*
2659 * We cannot allow other users to resize the file because the
2660 * format driver might have some assumptions about the size
2661 * (e.g. because it is stored in metadata, or because the file
2662 * is split into fixed-size data files).
2663 */
2664 shared &= ~BLK_PERM_RESIZE;
2665
2666 /*
2667 * WRITE_UNCHANGED often cannot be performed as such on the
2668 * data file. For example, the qcow2 driver may still need to
2669 * write copied clusters on copy-on-read.
2670 */
2671 if (perm & BLK_PERM_WRITE_UNCHANGED) {
2672 perm |= BLK_PERM_WRITE;
2673 }
2674
2675 /*
2676 * If the data file is written to, the format driver may
2677 * expect to be able to resize it by writing beyond the EOF.
2678 */
2679 if (perm & BLK_PERM_WRITE) {
2680 perm |= BLK_PERM_RESIZE;
2681 }
2682 }
2683
2684 if (bs->open_flags & BDRV_O_INACTIVE) {
2685 shared |= BLK_PERM_WRITE | BLK_PERM_RESIZE;
2686 }
2687
2688 *nperm = perm;
2689 *nshared = shared;
2690 }
2691
2692 void bdrv_default_perms(BlockDriverState *bs, BdrvChild *c,
2693 BdrvChildRole role, BlockReopenQueue *reopen_queue,
2694 uint64_t perm, uint64_t shared,
2695 uint64_t *nperm, uint64_t *nshared)
2696 {
2697 if (role & BDRV_CHILD_FILTERED) {
2698 assert(!(role & (BDRV_CHILD_DATA | BDRV_CHILD_METADATA |
2699 BDRV_CHILD_COW)));
2700 bdrv_filter_default_perms(bs, c, role, reopen_queue,
2701 perm, shared, nperm, nshared);
2702 } else if (role & BDRV_CHILD_COW) {
2703 assert(!(role & (BDRV_CHILD_DATA | BDRV_CHILD_METADATA)));
2704 bdrv_default_perms_for_cow(bs, c, role, reopen_queue,
2705 perm, shared, nperm, nshared);
2706 } else if (role & (BDRV_CHILD_METADATA | BDRV_CHILD_DATA)) {
2707 bdrv_default_perms_for_storage(bs, c, role, reopen_queue,
2708 perm, shared, nperm, nshared);
2709 } else {
2710 g_assert_not_reached();
2711 }
2712 }
2713
2714 uint64_t bdrv_qapi_perm_to_blk_perm(BlockPermission qapi_perm)
2715 {
2716 static const uint64_t permissions[] = {
2717 [BLOCK_PERMISSION_CONSISTENT_READ] = BLK_PERM_CONSISTENT_READ,
2718 [BLOCK_PERMISSION_WRITE] = BLK_PERM_WRITE,
2719 [BLOCK_PERMISSION_WRITE_UNCHANGED] = BLK_PERM_WRITE_UNCHANGED,
2720 [BLOCK_PERMISSION_RESIZE] = BLK_PERM_RESIZE,
2721 };
2722
2723 QEMU_BUILD_BUG_ON(ARRAY_SIZE(permissions) != BLOCK_PERMISSION__MAX);
2724 QEMU_BUILD_BUG_ON(1UL << ARRAY_SIZE(permissions) != BLK_PERM_ALL + 1);
2725
2726 assert(qapi_perm < BLOCK_PERMISSION__MAX);
2727
2728 return permissions[qapi_perm];
2729 }
2730
2731 /**
2732 * Replace (*childp)->bs by @new_bs.
2733 *
2734 * If @new_bs is NULL, *childp will be set to NULL, too: BDS parents
2735 * generally cannot handle a BdrvChild with .bs == NULL, so clearing
2736 * BdrvChild.bs should generally immediately be followed by the
2737 * BdrvChild pointer being cleared as well.
2738 *
2739 * If @free_empty_child is true and @new_bs is NULL, the BdrvChild is
2740 * freed. @free_empty_child should only be false if the caller will
2741 * free the BdrvChild themselves (this may be important in a
2742 * transactional context, where it may only be freed on commit).
2743 */
2744 static void bdrv_replace_child_noperm(BdrvChild **childp,
2745 BlockDriverState *new_bs,
2746 bool free_empty_child)
2747 {
2748 BdrvChild *child = *childp;
2749 BlockDriverState *old_bs = child->bs;
2750 int new_bs_quiesce_counter;
2751 int drain_saldo;
2752
2753 assert(!child->frozen);
2754 assert(old_bs != new_bs);
2755
2756 if (old_bs && new_bs) {
2757 assert(bdrv_get_aio_context(old_bs) == bdrv_get_aio_context(new_bs));
2758 }
2759
2760 new_bs_quiesce_counter = (new_bs ? new_bs->quiesce_counter : 0);
2761 drain_saldo = new_bs_quiesce_counter - child->parent_quiesce_counter;
2762
2763 /*
2764 * If the new child node is drained but the old one was not, flush
2765 * all outstanding requests to the old child node.
2766 */
2767 while (drain_saldo > 0 && child->klass->drained_begin) {
2768 bdrv_parent_drained_begin_single(child, true);
2769 drain_saldo--;
2770 }
2771
2772 if (old_bs) {
2773 /* Detach first so that the recursive drain sections coming from @child
2774 * are already gone and we only end the drain sections that came from
2775 * elsewhere. */
2776 if (child->klass->detach) {
2777 child->klass->detach(child);
2778 }
2779 QLIST_REMOVE(child, next_parent);
2780 }
2781
2782 child->bs = new_bs;
2783 if (!new_bs) {
2784 *childp = NULL;
2785 }
2786
2787 if (new_bs) {
2788 QLIST_INSERT_HEAD(&new_bs->parents, child, next_parent);
2789
2790 /*
2791 * Detaching the old node may have led to the new node's
2792 * quiesce_counter having been decreased. Not a problem, we
2793 * just need to recognize this here and then invoke
2794 * drained_end appropriately more often.
2795 */
2796 assert(new_bs->quiesce_counter <= new_bs_quiesce_counter);
2797 drain_saldo += new_bs->quiesce_counter - new_bs_quiesce_counter;
2798
2799 /* Attach only after starting new drained sections, so that recursive
2800 * drain sections coming from @child don't get an extra .drained_begin
2801 * callback. */
2802 if (child->klass->attach) {
2803 child->klass->attach(child);
2804 }
2805 }
2806
2807 /*
2808 * If the old child node was drained but the new one is not, allow
2809 * requests to come in only after the new node has been attached.
2810 */
2811 while (drain_saldo < 0 && child->klass->drained_end) {
2812 bdrv_parent_drained_end_single(child);
2813 drain_saldo++;
2814 }
2815
2816 if (free_empty_child && !child->bs) {
2817 bdrv_child_free(child);
2818 }
2819 }
2820
2821 /**
2822 * Free the given @child.
2823 *
2824 * The child must be empty (i.e. `child->bs == NULL`) and it must be
2825 * unused (i.e. not in a children list).
2826 */
2827 static void bdrv_child_free(BdrvChild *child)
2828 {
2829 assert(!child->bs);
2830 assert(!child->next.le_prev); /* not in children list */
2831
2832 g_free(child->name);
2833 g_free(child);
2834 }
2835
2836 typedef struct BdrvAttachChildCommonState {
2837 BdrvChild **child;
2838 AioContext *old_parent_ctx;
2839 AioContext *old_child_ctx;
2840 } BdrvAttachChildCommonState;
2841
2842 static void bdrv_attach_child_common_abort(void *opaque)
2843 {
2844 BdrvAttachChildCommonState *s = opaque;
2845 BdrvChild *child = *s->child;
2846 BlockDriverState *bs = child->bs;
2847
2848 /*
2849 * Pass free_empty_child=false, because we still need the child
2850 * for the AioContext operations on the parent below; those
2851 * BdrvChildClass methods all work on a BdrvChild object, so we
2852 * need to keep it as an empty shell (after this function, it will
2853 * not be attached to any parent, and it will not have a .bs).
2854 */
2855 bdrv_replace_child_noperm(s->child, NULL, false);
2856
2857 if (bdrv_get_aio_context(bs) != s->old_child_ctx) {
2858 bdrv_try_set_aio_context(bs, s->old_child_ctx, &error_abort);
2859 }
2860
2861 if (bdrv_child_get_parent_aio_context(child) != s->old_parent_ctx) {
2862 GSList *ignore;
2863
2864 /* No need to ignore `child`, because it has been detached already */
2865 ignore = NULL;
2866 child->klass->can_set_aio_ctx(child, s->old_parent_ctx, &ignore,
2867 &error_abort);
2868 g_slist_free(ignore);
2869
2870 ignore = NULL;
2871 child->klass->set_aio_ctx(child, s->old_parent_ctx, &ignore);
2872 g_slist_free(ignore);
2873 }
2874
2875 bdrv_unref(bs);
2876 bdrv_child_free(child);
2877 }
2878
2879 static TransactionActionDrv bdrv_attach_child_common_drv = {
2880 .abort = bdrv_attach_child_common_abort,
2881 .clean = g_free,
2882 };
2883
2884 /*
2885 * Common part of attaching bdrv child to bs or to blk or to job
2886 *
2887 * Resulting new child is returned through @child.
2888 * At start *@child must be NULL.
2889 * @child is saved to a new entry of @tran, so that *@child could be reverted to
2890 * NULL on abort(). So referenced variable must live at least until transaction
2891 * end.
2892 *
2893 * Function doesn't update permissions, caller is responsible for this.
2894 */
2895 static int bdrv_attach_child_common(BlockDriverState *child_bs,
2896 const char *child_name,
2897 const BdrvChildClass *child_class,
2898 BdrvChildRole child_role,
2899 uint64_t perm, uint64_t shared_perm,
2900 void *opaque, BdrvChild **child,
2901 Transaction *tran, Error **errp)
2902 {
2903 BdrvChild *new_child;
2904 AioContext *parent_ctx;
2905 AioContext *child_ctx = bdrv_get_aio_context(child_bs);
2906
2907 assert(child);
2908 assert(*child == NULL);
2909 assert(child_class->get_parent_desc);
2910
2911 new_child = g_new(BdrvChild, 1);
2912 *new_child = (BdrvChild) {
2913 .bs = NULL,
2914 .name = g_strdup(child_name),
2915 .klass = child_class,
2916 .role = child_role,
2917 .perm = perm,
2918 .shared_perm = shared_perm,
2919 .opaque = opaque,
2920 };
2921
2922 /*
2923 * If the AioContexts don't match, first try to move the subtree of
2924 * child_bs into the AioContext of the new parent. If this doesn't work,
2925 * try moving the parent into the AioContext of child_bs instead.
2926 */
2927 parent_ctx = bdrv_child_get_parent_aio_context(new_child);
2928 if (child_ctx != parent_ctx) {
2929 Error *local_err = NULL;
2930 int ret = bdrv_try_set_aio_context(child_bs, parent_ctx, &local_err);
2931
2932 if (ret < 0 && child_class->can_set_aio_ctx) {
2933 GSList *ignore = g_slist_prepend(NULL, new_child);
2934 if (child_class->can_set_aio_ctx(new_child, child_ctx, &ignore,
2935 NULL))
2936 {
2937 error_free(local_err);
2938 ret = 0;
2939 g_slist_free(ignore);
2940 ignore = g_slist_prepend(NULL, new_child);
2941 child_class->set_aio_ctx(new_child, child_ctx, &ignore);
2942 }
2943 g_slist_free(ignore);
2944 }
2945
2946 if (ret < 0) {
2947 error_propagate(errp, local_err);
2948 bdrv_child_free(new_child);
2949 return ret;
2950 }
2951 }
2952
2953 bdrv_ref(child_bs);
2954 bdrv_replace_child_noperm(&new_child, child_bs, true);
2955 /* child_bs was non-NULL, so new_child must not have been freed */
2956 assert(new_child != NULL);
2957
2958 *child = new_child;
2959
2960 BdrvAttachChildCommonState *s = g_new(BdrvAttachChildCommonState, 1);
2961 *s = (BdrvAttachChildCommonState) {
2962 .child = child,
2963 .old_parent_ctx = parent_ctx,
2964 .old_child_ctx = child_ctx,
2965 };
2966 tran_add(tran, &bdrv_attach_child_common_drv, s);
2967
2968 return 0;
2969 }
2970
2971 /*
2972 * Variable referenced by @child must live at least until transaction end.
2973 * (see bdrv_attach_child_common() doc for details)
2974 *
2975 * Function doesn't update permissions, caller is responsible for this.
2976 */
2977 static int bdrv_attach_child_noperm(BlockDriverState *parent_bs,
2978 BlockDriverState *child_bs,
2979 const char *child_name,
2980 const BdrvChildClass *child_class,
2981 BdrvChildRole child_role,
2982 BdrvChild **child,
2983 Transaction *tran,
2984 Error **errp)
2985 {
2986 int ret;
2987 uint64_t perm, shared_perm;
2988
2989 assert(parent_bs->drv);
2990
2991 if (bdrv_recurse_has_child(child_bs, parent_bs)) {
2992 error_setg(errp, "Making '%s' a %s child of '%s' would create a cycle",
2993 child_bs->node_name, child_name, parent_bs->node_name);
2994 return -EINVAL;
2995 }
2996
2997 bdrv_get_cumulative_perm(parent_bs, &perm, &shared_perm);
2998 bdrv_child_perm(parent_bs, child_bs, NULL, child_role, NULL,
2999 perm, shared_perm, &perm, &shared_perm);
3000
3001 ret = bdrv_attach_child_common(child_bs, child_name, child_class,
3002 child_role, perm, shared_perm, parent_bs,
3003 child, tran, errp);
3004 if (ret < 0) {
3005 return ret;
3006 }
3007
3008 return 0;
3009 }
3010
3011 static void bdrv_detach_child(BdrvChild **childp)
3012 {
3013 BlockDriverState *old_bs = (*childp)->bs;
3014
3015 bdrv_replace_child_noperm(childp, NULL, true);
3016
3017 if (old_bs) {
3018 /*
3019 * Update permissions for old node. We're just taking a parent away, so
3020 * we're loosening restrictions. Errors of permission update are not
3021 * fatal in this case, ignore them.
3022 */
3023 bdrv_refresh_perms(old_bs, NULL);
3024
3025 /*
3026 * When the parent requiring a non-default AioContext is removed, the
3027 * node moves back to the main AioContext
3028 */
3029 bdrv_try_set_aio_context(old_bs, qemu_get_aio_context(), NULL);
3030 }
3031 }
3032
3033 /*
3034 * This function steals the reference to child_bs from the caller.
3035 * That reference is later dropped by bdrv_root_unref_child().
3036 *
3037 * On failure NULL is returned, errp is set and the reference to
3038 * child_bs is also dropped.
3039 *
3040 * The caller must hold the AioContext lock @child_bs, but not that of @ctx
3041 * (unless @child_bs is already in @ctx).
3042 */
3043 BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs,
3044 const char *child_name,
3045 const BdrvChildClass *child_class,
3046 BdrvChildRole child_role,
3047 uint64_t perm, uint64_t shared_perm,
3048 void *opaque, Error **errp)
3049 {
3050 int ret;
3051 BdrvChild *child = NULL;
3052 Transaction *tran = tran_new();
3053
3054 ret = bdrv_attach_child_common(child_bs, child_name, child_class,
3055 child_role, perm, shared_perm, opaque,
3056 &child, tran, errp);
3057 if (ret < 0) {
3058 goto out;
3059 }
3060
3061 ret = bdrv_refresh_perms(child_bs, errp);
3062
3063 out:
3064 tran_finalize(tran, ret);
3065 /* child is unset on failure by bdrv_attach_child_common_abort() */
3066 assert((ret < 0) == !child);
3067
3068 bdrv_unref(child_bs);
3069 return child;
3070 }
3071
3072 /*
3073 * This function transfers the reference to child_bs from the caller
3074 * to parent_bs. That reference is later dropped by parent_bs on
3075 * bdrv_close() or if someone calls bdrv_unref_child().
3076 *
3077 * On failure NULL is returned, errp is set and the reference to
3078 * child_bs is also dropped.
3079 *
3080 * If @parent_bs and @child_bs are in different AioContexts, the caller must
3081 * hold the AioContext lock for @child_bs, but not for @parent_bs.
3082 */
3083 BdrvChild *bdrv_attach_child(BlockDriverState *parent_bs,
3084 BlockDriverState *child_bs,
3085 const char *child_name,
3086 const BdrvChildClass *child_class,
3087 BdrvChildRole child_role,
3088 Error **errp)
3089 {
3090 int ret;
3091 BdrvChild *child = NULL;
3092 Transaction *tran = tran_new();
3093
3094 ret = bdrv_attach_child_noperm(parent_bs, child_bs, child_name, child_class,
3095 child_role, &child, tran, errp);
3096 if (ret < 0) {
3097 goto out;
3098 }
3099
3100 ret = bdrv_refresh_perms(parent_bs, errp);
3101 if (ret < 0) {
3102 goto out;
3103 }
3104
3105 out:
3106 tran_finalize(tran, ret);
3107 /* child is unset on failure by bdrv_attach_child_common_abort() */
3108 assert((ret < 0) == !child);
3109
3110 bdrv_unref(child_bs);
3111
3112 return child;
3113 }
3114
3115 /* Callers must ensure that child->frozen is false. */
3116 void bdrv_root_unref_child(BdrvChild *child)
3117 {
3118 BlockDriverState *child_bs;
3119
3120 child_bs = child->bs;
3121 bdrv_detach_child(&child);
3122 bdrv_unref(child_bs);
3123 }
3124
3125 typedef struct BdrvSetInheritsFrom {
3126 BlockDriverState *bs;
3127 BlockDriverState *old_inherits_from;
3128 } BdrvSetInheritsFrom;
3129
3130 static void bdrv_set_inherits_from_abort(void *opaque)
3131 {
3132 BdrvSetInheritsFrom *s = opaque;
3133
3134 s->bs->inherits_from = s->old_inherits_from;
3135 }
3136
3137 static TransactionActionDrv bdrv_set_inherits_from_drv = {
3138 .abort = bdrv_set_inherits_from_abort,
3139 .clean = g_free,
3140 };
3141
3142 /* @tran is allowed to be NULL. In this case no rollback is possible */
3143 static void bdrv_set_inherits_from(BlockDriverState *bs,
3144 BlockDriverState *new_inherits_from,
3145 Transaction *tran)
3146 {
3147 if (tran) {
3148 BdrvSetInheritsFrom *s = g_new(BdrvSetInheritsFrom, 1);
3149
3150 *s = (BdrvSetInheritsFrom) {
3151 .bs = bs,
3152 .old_inherits_from = bs->inherits_from,
3153 };
3154
3155 tran_add(tran, &bdrv_set_inherits_from_drv, s);
3156 }
3157
3158 bs->inherits_from = new_inherits_from;
3159 }
3160
3161 /**
3162 * Clear all inherits_from pointers from children and grandchildren of
3163 * @root that point to @root, where necessary.
3164 * @tran is allowed to be NULL. In this case no rollback is possible
3165 */
3166 static void bdrv_unset_inherits_from(BlockDriverState *root, BdrvChild *child,
3167 Transaction *tran)
3168 {
3169 BdrvChild *c;
3170
3171 if (child->bs->inherits_from == root) {
3172 /*
3173 * Remove inherits_from only when the last reference between root and
3174 * child->bs goes away.
3175 */
3176 QLIST_FOREACH(c, &root->children, next) {
3177 if (c != child && c->bs == child->bs) {
3178 break;
3179 }
3180 }
3181 if (c == NULL) {
3182 bdrv_set_inherits_from(child->bs, NULL, tran);
3183 }
3184 }
3185
3186 QLIST_FOREACH(c, &child->bs->children, next) {
3187 bdrv_unset_inherits_from(root, c, tran);
3188 }
3189 }
3190
3191 /* Callers must ensure that child->frozen is false. */
3192 void bdrv_unref_child(BlockDriverState *parent, BdrvChild *child)
3193 {
3194 if (child == NULL) {
3195 return;
3196 }
3197
3198 bdrv_unset_inherits_from(parent, child, NULL);
3199 bdrv_root_unref_child(child);
3200 }
3201
3202
3203 static void bdrv_parent_cb_change_media(BlockDriverState *bs, bool load)
3204 {
3205 BdrvChild *c;
3206 QLIST_FOREACH(c, &bs->parents, next_parent) {
3207 if (c->klass->change_media) {
3208 c->klass->change_media(c, load);
3209 }
3210 }
3211 }
3212
3213 /* Return true if you can reach parent going through child->inherits_from
3214 * recursively. If parent or child are NULL, return false */
3215 static bool bdrv_inherits_from_recursive(BlockDriverState *child,
3216 BlockDriverState *parent)
3217 {
3218 while (child && child != parent) {
3219 child = child->inherits_from;
3220 }
3221
3222 return child != NULL;
3223 }
3224
3225 /*
3226 * Return the BdrvChildRole for @bs's backing child. bs->backing is
3227 * mostly used for COW backing children (role = COW), but also for
3228 * filtered children (role = FILTERED | PRIMARY).
3229 */
3230 static BdrvChildRole bdrv_backing_role(BlockDriverState *bs)
3231 {
3232 if (bs->drv && bs->drv->is_filter) {
3233 return BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY;
3234 } else {
3235 return BDRV_CHILD_COW;
3236 }
3237 }
3238
3239 /*
3240 * Sets the bs->backing or bs->file link of a BDS. A new reference is created;
3241 * callers which don't need their own reference any more must call bdrv_unref().
3242 *
3243 * Function doesn't update permissions, caller is responsible for this.
3244 */
3245 static int bdrv_set_file_or_backing_noperm(BlockDriverState *parent_bs,
3246 BlockDriverState *child_bs,
3247 bool is_backing,
3248 Transaction *tran, Error **errp)
3249 {
3250 int ret = 0;
3251 bool update_inherits_from =
3252 bdrv_inherits_from_recursive(child_bs, parent_bs);
3253 BdrvChild *child = is_backing ? parent_bs->backing : parent_bs->file;
3254 BdrvChildRole role;
3255
3256 if (!parent_bs->drv) {
3257 /*
3258 * Node without drv is an object without a class :/. TODO: finally fix
3259 * qcow2 driver to never clear bs->drv and implement format corruption
3260 * handling in other way.
3261 */
3262 error_setg(errp, "Node corrupted");
3263 return -EINVAL;
3264 }
3265
3266 if (child && child->frozen) {
3267 error_setg(errp, "Cannot change frozen '%s' link from '%s' to '%s'",
3268 child->name, parent_bs->node_name, child->bs->node_name);
3269 return -EPERM;
3270 }
3271
3272 if (is_backing && !parent_bs->drv->is_filter &&
3273 !parent_bs->drv->supports_backing)
3274 {
3275 error_setg(errp, "Driver '%s' of node '%s' does not support backing "
3276 "files", parent_bs->drv->format_name, parent_bs->node_name);
3277 return -EINVAL;
3278 }
3279
3280 if (parent_bs->drv->is_filter) {
3281 role = BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY;
3282 } else if (is_backing) {
3283 role = BDRV_CHILD_COW;
3284 } else {
3285 /*
3286 * We only can use same role as it is in existing child. We don't have
3287 * infrastructure to determine role of file child in generic way
3288 */
3289 if (!child) {
3290 error_setg(errp, "Cannot set file child to format node without "
3291 "file child");
3292 return -EINVAL;
3293 }
3294 role = child->role;
3295 }
3296
3297 if (child) {
3298 bdrv_unset_inherits_from(parent_bs, child, tran);
3299 bdrv_remove_file_or_backing_child(parent_bs, child, tran);
3300 }
3301
3302 if (!child_bs) {
3303 goto out;
3304 }
3305
3306 ret = bdrv_attach_child_noperm(parent_bs, child_bs,
3307 is_backing ? "backing" : "file",
3308 &child_of_bds, role,
3309 is_backing ? &parent_bs->backing :
3310 &parent_bs->file,
3311 tran, errp);
3312 if (ret < 0) {
3313 return ret;
3314 }
3315
3316
3317 /*
3318 * If inherits_from pointed recursively to bs then let's update it to
3319 * point directly to bs (else it will become NULL).
3320 */
3321 if (update_inherits_from) {
3322 bdrv_set_inherits_from(child_bs, parent_bs, tran);
3323 }
3324
3325 out:
3326 bdrv_refresh_limits(parent_bs, tran, NULL);
3327
3328 return 0;
3329 }
3330
3331 static int bdrv_set_backing_noperm(BlockDriverState *bs,
3332 BlockDriverState *backing_hd,
3333 Transaction *tran, Error **errp)
3334 {
3335 return bdrv_set_file_or_backing_noperm(bs, backing_hd, true, tran, errp);
3336 }
3337
3338 int bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,
3339 Error **errp)
3340 {
3341 int ret;
3342 Transaction *tran = tran_new();
3343
3344 ret = bdrv_set_backing_noperm(bs, backing_hd, tran, errp);
3345 if (ret < 0) {
3346 goto out;
3347 }
3348
3349 ret = bdrv_refresh_perms(bs, errp);
3350 out:
3351 tran_finalize(tran, ret);
3352
3353 return ret;
3354 }
3355
3356 /*
3357 * Opens the backing file for a BlockDriverState if not yet open
3358 *
3359 * bdref_key specifies the key for the image's BlockdevRef in the options QDict.
3360 * That QDict has to be flattened; therefore, if the BlockdevRef is a QDict
3361 * itself, all options starting with "${bdref_key}." are considered part of the
3362 * BlockdevRef.
3363 *
3364 * TODO Can this be unified with bdrv_open_image()?
3365 */
3366 int bdrv_open_backing_file(BlockDriverState *bs, QDict *parent_options,
3367 const char *bdref_key, Error **errp)
3368 {
3369 char *backing_filename = NULL;
3370 char *bdref_key_dot;
3371 const char *reference = NULL;
3372 int ret = 0;
3373 bool implicit_backing = false;
3374 BlockDriverState *backing_hd;
3375 QDict *options;
3376 QDict *tmp_parent_options = NULL;
3377 Error *local_err = NULL;
3378
3379 if (bs->backing != NULL) {
3380 goto free_exit;
3381 }
3382
3383 /* NULL means an empty set of options */
3384 if (parent_options == NULL) {
3385 tmp_parent_options = qdict_new();
3386 parent_options = tmp_parent_options;
3387 }
3388
3389 bs->open_flags &= ~BDRV_O_NO_BACKING;
3390
3391 bdref_key_dot = g_strdup_printf("%s.", bdref_key);
3392 qdict_extract_subqdict(parent_options, &options, bdref_key_dot);
3393 g_free(bdref_key_dot);
3394
3395 /*
3396 * Caution: while qdict_get_try_str() is fine, getting non-string
3397 * types would require more care. When @parent_options come from
3398 * -blockdev or blockdev_add, its members are typed according to
3399 * the QAPI schema, but when they come from -drive, they're all
3400 * QString.
3401 */
3402 reference = qdict_get_try_str(parent_options, bdref_key);
3403 if (reference || qdict_haskey(options, "file.filename")) {
3404 /* keep backing_filename NULL */
3405 } else if (bs->backing_file[0] == '\0' && qdict_size(options) == 0) {
3406 qobject_unref(options);
3407 goto free_exit;
3408 } else {
3409 if (qdict_size(options) == 0) {
3410 /* If the user specifies options that do not modify the
3411 * backing file's behavior, we might still consider it the
3412 * implicit backing file. But it's easier this way, and
3413 * just specifying some of the backing BDS's options is
3414 * only possible with -drive anyway (otherwise the QAPI
3415 * schema forces the user to specify everything). */
3416 implicit_backing = !strcmp(bs->auto_backing_file, bs->backing_file);
3417 }
3418
3419 backing_filename = bdrv_get_full_backing_filename(bs, &local_err);
3420 if (local_err) {
3421 ret = -EINVAL;
3422 error_propagate(errp, local_err);
3423 qobject_unref(options);
3424 goto free_exit;
3425 }
3426 }
3427
3428 if (!bs->drv || !bs->drv->supports_backing) {
3429 ret = -EINVAL;
3430 error_setg(errp, "Driver doesn't support backing files");
3431 qobject_unref(options);
3432 goto free_exit;
3433 }
3434
3435 if (!reference &&
3436 bs->backing_format[0] != '\0' && !qdict_haskey(options, "driver")) {
3437 qdict_put_str(options, "driver", bs->backing_format);
3438 }
3439
3440 backing_hd = bdrv_open_inherit(backing_filename, reference, options, 0, bs,
3441 &child_of_bds, bdrv_backing_role(bs), errp);
3442 if (!backing_hd) {
3443 bs->open_flags |= BDRV_O_NO_BACKING;
3444 error_prepend(errp, "Could not open backing file: ");
3445 ret = -EINVAL;
3446 goto free_exit;
3447 }
3448
3449 if (implicit_backing) {
3450 bdrv_refresh_filename(backing_hd);
3451 pstrcpy(bs->auto_backing_file, sizeof(bs->auto_backing_file),
3452 backing_hd->filename);
3453 }
3454
3455 /* Hook up the backing file link; drop our reference, bs owns the
3456 * backing_hd reference now */
3457 ret = bdrv_set_backing_hd(bs, backing_hd, errp);
3458 bdrv_unref(backing_hd);
3459 if (ret < 0) {
3460 goto free_exit;
3461 }
3462
3463 qdict_del(parent_options, bdref_key);
3464
3465 free_exit:
3466 g_free(backing_filename);
3467 qobject_unref(tmp_parent_options);
3468 return ret;
3469 }
3470
3471 static BlockDriverState *
3472 bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
3473 BlockDriverState *parent, const BdrvChildClass *child_class,
3474 BdrvChildRole child_role, bool allow_none, Error **errp)
3475 {
3476 BlockDriverState *bs = NULL;
3477 QDict *image_options;
3478 char *bdref_key_dot;
3479 const char *reference;
3480
3481 assert(child_class != NULL);
3482
3483 bdref_key_dot = g_strdup_printf("%s.", bdref_key);
3484 qdict_extract_subqdict(options, &image_options, bdref_key_dot);
3485 g_free(bdref_key_dot);
3486
3487 /*
3488 * Caution: while qdict_get_try_str() is fine, getting non-string
3489 * types would require more care. When @options come from
3490 * -blockdev or blockdev_add, its members are typed according to
3491 * the QAPI schema, but when they come from -drive, they're all
3492 * QString.
3493 */
3494 reference = qdict_get_try_str(options, bdref_key);
3495 if (!filename && !reference && !qdict_size(image_options)) {
3496 if (!allow_none) {
3497 error_setg(errp, "A block device must be specified for \"%s\"",
3498 bdref_key);
3499 }
3500 qobject_unref(image_options);
3501 goto done;
3502 }
3503
3504 bs = bdrv_open_inherit(filename, reference, image_options, 0,
3505 parent, child_class, child_role, errp);
3506 if (!bs) {
3507 goto done;
3508 }
3509
3510 done:
3511 qdict_del(options, bdref_key);
3512 return bs;
3513 }
3514
3515 /*
3516 * Opens a disk image whose options are given as BlockdevRef in another block
3517 * device's options.
3518 *
3519 * If allow_none is true, no image will be opened if filename is false and no
3520 * BlockdevRef is given. NULL will be returned, but errp remains unset.
3521 *
3522 * bdrev_key specifies the key for the image's BlockdevRef in the options QDict.
3523 * That QDict has to be flattened; therefore, if the BlockdevRef is a QDict
3524 * itself, all options starting with "${bdref_key}." are considered part of the
3525 * BlockdevRef.
3526 *
3527 * The BlockdevRef will be removed from the options QDict.
3528 */
3529 BdrvChild *bdrv_open_child(const char *filename,
3530 QDict *options, const char *bdref_key,
3531 BlockDriverState *parent,
3532 const BdrvChildClass *child_class,
3533 BdrvChildRole child_role,
3534 bool allow_none, Error **errp)
3535 {
3536 BlockDriverState *bs;
3537
3538 bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class,
3539 child_role, allow_none, errp);
3540 if (bs == NULL) {
3541 return NULL;
3542 }
3543
3544 return bdrv_attach_child(parent, bs, bdref_key, child_class, child_role,
3545 errp);
3546 }
3547
3548 /*
3549 * TODO Future callers may need to specify parent/child_class in order for
3550 * option inheritance to work. Existing callers use it for the root node.
3551 */
3552 BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef *ref, Error **errp)
3553 {
3554 BlockDriverState *bs = NULL;
3555 QObject *obj = NULL;
3556 QDict *qdict = NULL;
3557 const char *reference = NULL;
3558 Visitor *v = NULL;
3559
3560 if (ref->type == QTYPE_QSTRING) {
3561 reference = ref->u.reference;
3562 } else {
3563 BlockdevOptions *options = &ref->u.definition;
3564 assert(ref->type == QTYPE_QDICT);
3565
3566 v = qobject_output_visitor_new(&obj);
3567 visit_type_BlockdevOptions(v, NULL, &options, &error_abort);
3568 visit_complete(v, &obj);
3569
3570 qdict = qobject_to(QDict, obj);
3571 qdict_flatten(qdict);
3572
3573 /* bdrv_open_inherit() defaults to the values in bdrv_flags (for
3574 * compatibility with other callers) rather than what we want as the
3575 * real defaults. Apply the defaults here instead. */
3576 qdict_set_default_str(qdict, BDRV_OPT_CACHE_DIRECT, "off");
3577 qdict_set_default_str(qdict, BDRV_OPT_CACHE_NO_FLUSH, "off");
3578 qdict_set_default_str(qdict, BDRV_OPT_READ_ONLY, "off");
3579 qdict_set_default_str(qdict, BDRV_OPT_AUTO_READ_ONLY, "off");
3580
3581 }
3582
3583 bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, errp);
3584 obj = NULL;
3585 qobject_unref(obj);
3586 visit_free(v);
3587 return bs;
3588 }
3589
3590 static BlockDriverState *bdrv_append_temp_snapshot(BlockDriverState *bs,
3591 int flags,
3592 QDict *snapshot_options,
3593 Error **errp)
3594 {
3595 /* TODO: extra byte is a hack to ensure MAX_PATH space on Windows. */
3596 char *tmp_filename = g_malloc0(PATH_MAX + 1);
3597 int64_t total_size;
3598 QemuOpts *opts = NULL;
3599 BlockDriverState *bs_snapshot = NULL;
3600 int ret;
3601
3602 /* if snapshot, we create a temporary backing file and open it
3603 instead of opening 'filename' directly */
3604
3605 /* Get the required size from the image */
3606 total_size = bdrv_getlength(bs);
3607 if (total_size < 0) {
3608 error_setg_errno(errp, -total_size, "Could not get image size");
3609 goto out;
3610 }
3611
3612 /* Create the temporary image */
3613 ret = get_tmp_filename(tmp_filename, PATH_MAX + 1);
3614 if (ret < 0) {
3615 error_setg_errno(errp, -ret, "Could not get temporary filename");
3616 goto out;
3617 }
3618
3619 opts = qemu_opts_create(bdrv_qcow2.create_opts, NULL, 0,
3620 &error_abort);
3621 qemu_opt_set_number(opts, BLOCK_OPT_SIZE, total_size, &error_abort);
3622 ret = bdrv_create(&bdrv_qcow2, tmp_filename, opts, errp);
3623 qemu_opts_del(opts);
3624 if (ret < 0) {
3625 error_prepend(errp, "Could not create temporary overlay '%s': ",
3626 tmp_filename);
3627 goto out;
3628 }
3629
3630 /* Prepare options QDict for the temporary file */
3631 qdict_put_str(snapshot_options, "file.driver", "file");
3632 qdict_put_str(snapshot_options, "file.filename", tmp_filename);
3633 qdict_put_str(snapshot_options, "driver", "qcow2");
3634
3635 bs_snapshot = bdrv_open(NULL, NULL, snapshot_options, flags, errp);
3636 snapshot_options = NULL;
3637 if (!bs_snapshot) {
3638 goto out;
3639 }
3640
3641 ret = bdrv_append(bs_snapshot, bs, errp);
3642 if (ret < 0) {
3643 bs_snapshot = NULL;
3644 goto out;
3645 }
3646
3647 out:
3648 qobject_unref(snapshot_options);
3649 g_free(tmp_filename);
3650 return bs_snapshot;
3651 }
3652
3653 /*
3654 * Opens a disk image (raw, qcow2, vmdk, ...)
3655 *
3656 * options is a QDict of options to pass to the block drivers, or NULL for an
3657 * empty set of options. The reference to the QDict belongs to the block layer
3658 * after the call (even on failure), so if the caller intends to reuse the
3659 * dictionary, it needs to use qobject_ref() before calling bdrv_open.
3660 *
3661 * If *pbs is NULL, a new BDS will be created with a pointer to it stored there.
3662 * If it is not NULL, the referenced BDS will be reused.
3663 *
3664 * The reference parameter may be used to specify an existing block device which
3665 * should be opened. If specified, neither options nor a filename may be given,
3666 * nor can an existing BDS be reused (that is, *pbs has to be NULL).
3667 */
3668 static BlockDriverState *bdrv_open_inherit(const char *filename,
3669 const char *reference,
3670 QDict *options, int flags,
3671 BlockDriverState *parent,
3672 const BdrvChildClass *child_class,
3673 BdrvChildRole child_role,
3674 Error **errp)
3675 {
3676 int ret;
3677 BlockBackend *file = NULL;
3678 BlockDriverState *bs;
3679 BlockDriver *drv = NULL;
3680 BdrvChild *child;
3681 const char *drvname;
3682 const char *backing;
3683 Error *local_err = NULL;
3684 QDict *snapshot_options = NULL;
3685 int snapshot_flags = 0;
3686
3687 assert(!child_class || !flags);
3688 assert(!child_class == !parent);
3689
3690 if (reference) {
3691 bool options_non_empty = options ? qdict_size(options) : false;
3692 qobject_unref(options);
3693
3694 if (filename || options_non_empty) {
3695 error_setg(errp, "Cannot reference an existing block device with "
3696 "additional options or a new filename");
3697 return NULL;
3698 }
3699
3700 bs = bdrv_lookup_bs(reference, reference, errp);
3701 if (!bs) {
3702 return NULL;
3703 }
3704
3705 bdrv_ref(bs);
3706 return bs;
3707 }
3708
3709 bs = bdrv_new();
3710
3711 /* NULL means an empty set of options */
3712 if (options == NULL) {
3713 options = qdict_new();
3714 }
3715
3716 /* json: syntax counts as explicit options, as if in the QDict */
3717 parse_json_protocol(options, &filename, &local_err);
3718 if (local_err) {
3719 goto fail;
3720 }
3721
3722 bs->explicit_options = qdict_clone_shallow(options);
3723
3724 if (child_class) {
3725 bool parent_is_format;
3726
3727 if (parent->drv) {
3728 parent_is_format = parent->drv->is_format;
3729 } else {
3730 /*
3731 * parent->drv is not set yet because this node is opened for
3732 * (potential) format probing. That means that @parent is going
3733 * to be a format node.
3734 */
3735 parent_is_format = true;
3736 }
3737
3738 bs->inherits_from = parent;
3739 child_class->inherit_options(child_role, parent_is_format,
3740 &flags, options,
3741 parent->open_flags, parent->options);
3742 }
3743
3744 ret = bdrv_fill_options(&options, filename, &flags, &local_err);
3745 if (ret < 0) {
3746 goto fail;
3747 }
3748
3749 /*
3750 * Set the BDRV_O_RDWR and BDRV_O_ALLOW_RDWR flags.
3751 * Caution: getting a boolean member of @options requires care.
3752 * When @options come from -blockdev or blockdev_add, members are
3753 * typed according to the QAPI schema, but when they come from
3754 * -drive, they're all QString.
3755 */
3756 if (g_strcmp0(qdict_get_try_str(options, BDRV_OPT_READ_ONLY), "on") &&
3757 !qdict_get_try_bool(options, BDRV_OPT_READ_ONLY, false)) {
3758 flags |= (BDRV_O_RDWR | BDRV_O_ALLOW_RDWR);
3759 } else {
3760 flags &= ~BDRV_O_RDWR;
3761 }
3762
3763 if (flags & BDRV_O_SNAPSHOT) {
3764 snapshot_options = qdict_new();
3765 bdrv_temp_snapshot_options(&snapshot_flags, snapshot_options,
3766 flags, options);
3767 /* Let bdrv_backing_options() override "read-only" */
3768 qdict_del(options, BDRV_OPT_READ_ONLY);
3769 bdrv_inherited_options(BDRV_CHILD_COW, true,
3770 &flags, options, flags, options);
3771 }
3772
3773 bs->open_flags = flags;
3774 bs->options = options;
3775 options = qdict_clone_shallow(options);
3776
3777 /* Find the right image format driver */
3778 /* See cautionary note on accessing @options above */
3779 drvname = qdict_get_try_str(options, "driver");
3780 if (drvname) {
3781 drv = bdrv_find_format(drvname);
3782 if (!drv) {
3783 error_setg(errp, "Unknown driver: '%s'", drvname);
3784 goto fail;
3785 }
3786 }
3787
3788 assert(drvname || !(flags & BDRV_O_PROTOCOL));
3789
3790 /* See cautionary note on accessing @options above */
3791 backing = qdict_get_try_str(options, "backing");
3792 if (qobject_to(QNull, qdict_get(options, "backing")) != NULL ||
3793 (backing && *backing == '\0'))
3794 {
3795 if (backing) {
3796 warn_report("Use of \"backing\": \"\" is deprecated; "
3797 "use \"backing\": null instead");
3798 }
3799 flags |= BDRV_O_NO_BACKING;
3800 qdict_del(bs->explicit_options, "backing");
3801 qdict_del(bs->options, "backing");
3802 qdict_del(options, "backing");
3803 }
3804
3805 /* Open image file without format layer. This BlockBackend is only used for
3806 * probing, the block drivers will do their own bdrv_open_child() for the
3807 * same BDS, which is why we put the node name back into options. */
3808 if ((flags & BDRV_O_PROTOCOL) == 0) {
3809 BlockDriverState *file_bs;
3810
3811 file_bs = bdrv_open_child_bs(filename, options, "file", bs,
3812 &child_of_bds, BDRV_CHILD_IMAGE,
3813 true, &local_err);
3814 if (local_err) {
3815 goto fail;
3816 }
3817 if (file_bs != NULL) {
3818 /* Not requesting BLK_PERM_CONSISTENT_READ because we're only
3819 * looking at the header to guess the image format. This works even
3820 * in cases where a guest would not see a consistent state. */
3821 file = blk_new(bdrv_get_aio_context(file_bs), 0, BLK_PERM_ALL);
3822 blk_insert_bs(file, file_bs, &local_err);
3823 bdrv_unref(file_bs);
3824 if (local_err) {
3825 goto fail;
3826 }
3827
3828 qdict_put_str(options, "file", bdrv_get_node_name(file_bs));
3829 }
3830 }
3831
3832 /* Image format probing */
3833 bs->probed = !drv;
3834 if (!drv && file) {
3835 ret = find_image_format(file, filename, &drv, &local_err);
3836 if (ret < 0) {
3837 goto fail;
3838 }
3839 /*
3840 * This option update would logically belong in bdrv_fill_options(),
3841 * but we first need to open bs->file for the probing to work, while
3842 * opening bs->file already requires the (mostly) final set of options
3843 * so that cache mode etc. can be inherited.
3844 *
3845 * Adding the driver later is somewhat ugly, but it's not an option
3846 * that would ever be inherited, so it's correct. We just need to make
3847 * sure to update both bs->options (which has the full effective
3848 * options for bs) and options (which has file.* already removed).
3849 */
3850 qdict_put_str(bs->options, "driver", drv->format_name);
3851 qdict_put_str(options, "driver", drv->format_name);
3852 } else if (!drv) {
3853 error_setg(errp, "Must specify either driver or file");
3854 goto fail;
3855 }
3856
3857 /* BDRV_O_PROTOCOL must be set iff a protocol BDS is about to be created */
3858 assert(!!(flags & BDRV_O_PROTOCOL) == !!drv->bdrv_file_open);
3859 /* file must be NULL if a protocol BDS is about to be created
3860 * (the inverse results in an error message from bdrv_open_common()) */
3861 assert(!(flags & BDRV_O_PROTOCOL) || !file);
3862
3863 /* Open the image */
3864 ret = bdrv_open_common(bs, file, options, &local_err);
3865 if (ret < 0) {
3866 goto fail;
3867 }
3868
3869 if (file) {
3870 blk_unref(file);
3871 file = NULL;
3872 }
3873
3874 /* If there is a backing file, use it */
3875 if ((flags & BDRV_O_NO_BACKING) == 0) {
3876 ret = bdrv_open_backing_file(bs, options, "backing", &local_err);
3877 if (ret < 0) {
3878 goto close_and_fail;
3879 }
3880 }
3881
3882 /* Remove all children options and references
3883 * from bs->options and bs->explicit_options */
3884 QLIST_FOREACH(child, &bs->children, next) {
3885 char *child_key_dot;
3886 child_key_dot = g_strdup_printf("%s.", child->name);
3887 qdict_extract_subqdict(bs->explicit_options, NULL, child_key_dot);
3888 qdict_extract_subqdict(bs->options, NULL, child_key_dot);
3889 qdict_del(bs->explicit_options, child->name);
3890 qdict_del(bs->options, child->name);
3891 g_free(child_key_dot);
3892 }
3893
3894 /* Check if any unknown options were used */
3895 if (qdict_size(options) != 0) {
3896 const QDictEntry *entry = qdict_first(options);
3897 if (flags & BDRV_O_PROTOCOL) {
3898 error_setg(errp, "Block protocol '%s' doesn't support the option "
3899 "'%s'", drv->format_name, entry->key);
3900 } else {
3901 error_setg(errp,
3902 "Block format '%s' does not support the option '%s'",
3903 drv->format_name, entry->key);
3904 }
3905
3906 goto close_and_fail;
3907 }
3908
3909 bdrv_parent_cb_change_media(bs, true);
3910
3911 qobject_unref(options);
3912 options = NULL;
3913
3914 /* For snapshot=on, create a temporary qcow2 overlay. bs points to the
3915 * temporary snapshot afterwards. */
3916 if (snapshot_flags) {
3917 BlockDriverState *snapshot_bs;
3918 snapshot_bs = bdrv_append_temp_snapshot(bs, snapshot_flags,
3919 snapshot_options, &local_err);
3920 snapshot_options = NULL;
3921 if (local_err) {
3922 goto close_and_fail;
3923 }
3924 /* We are not going to return bs but the overlay on top of it
3925 * (snapshot_bs); thus, we have to drop the strong reference to bs
3926 * (which we obtained by calling bdrv_new()). bs will not be deleted,
3927 * though, because the overlay still has a reference to it. */
3928 bdrv_unref(bs);
3929 bs = snapshot_bs;
3930 }
3931
3932 return bs;
3933
3934 fail:
3935 blk_unref(file);
3936 qobject_unref(snapshot_options);
3937 qobject_unref(bs->explicit_options);
3938 qobject_unref(bs->options);
3939 qobject_unref(options);
3940 bs->options = NULL;
3941 bs->explicit_options = NULL;
3942 bdrv_unref(bs);
3943 error_propagate(errp, local_err);
3944 return NULL;
3945
3946 close_and_fail:
3947 bdrv_unref(bs);
3948 qobject_unref(snapshot_options);
3949 qobject_unref(options);
3950 error_propagate(errp, local_err);
3951 return NULL;
3952 }
3953
3954 BlockDriverState *bdrv_open(const char *filename, const char *reference,
3955 QDict *options, int flags, Error **errp)
3956 {
3957 return bdrv_open_inherit(filename, reference, options, flags, NULL,
3958 NULL, 0, errp);
3959 }
3960
3961 /* Return true if the NULL-terminated @list contains @str */
3962 static bool is_str_in_list(const char *str, const char *const *list)
3963 {
3964 if (str && list) {
3965 int i;
3966 for (i = 0; list[i] != NULL; i++) {
3967 if (!strcmp(str, list[i])) {
3968 return true;
3969 }
3970 }
3971 }
3972 return false;
3973 }
3974
3975 /*
3976 * Check that every option set in @bs->options is also set in
3977 * @new_opts.
3978 *
3979 * Options listed in the common_options list and in
3980 * @bs->drv->mutable_opts are skipped.
3981 *
3982 * Return 0 on success, otherwise return -EINVAL and set @errp.
3983 */
3984 static int bdrv_reset_options_allowed(BlockDriverState *bs,
3985 const QDict *new_opts, Error **errp)
3986 {
3987 const QDictEntry *e;
3988 /* These options are common to all block drivers and are handled
3989 * in bdrv_reopen_prepare() so they can be left out of @new_opts */
3990 const char *const common_options[] = {
3991 "node-name", "discard", "cache.direct", "cache.no-flush",
3992 "read-only", "auto-read-only", "detect-zeroes", NULL
3993 };
3994
3995 for (e = qdict_first(bs->options); e; e = qdict_next(bs->options, e)) {
3996 if (!qdict_haskey(new_opts, e->key) &&
3997 !is_str_in_list(e->key, common_options) &&
3998 !is_str_in_list(e->key, bs->drv->mutable_opts)) {
3999 error_setg(errp, "Option '%s' cannot be reset "
4000 "to its default value", e->key);
4001 return -EINVAL;
4002 }
4003 }
4004
4005 return 0;
4006 }
4007
4008 /*
4009 * Returns true if @child can be reached recursively from @bs
4010 */
4011 static bool bdrv_recurse_has_child(BlockDriverState *bs,
4012 BlockDriverState *child)
4013 {
4014 BdrvChild *c;
4015
4016 if (bs == child) {
4017 return true;
4018 }
4019
4020 QLIST_FOREACH(c, &bs->children, next) {
4021 if (bdrv_recurse_has_child(c->bs, child)) {
4022 return true;
4023 }
4024 }
4025
4026 return false;
4027 }
4028
4029 /*
4030 * Adds a BlockDriverState to a simple queue for an atomic, transactional
4031 * reopen of multiple devices.
4032 *
4033 * bs_queue can either be an existing BlockReopenQueue that has had QTAILQ_INIT
4034 * already performed, or alternatively may be NULL a new BlockReopenQueue will
4035 * be created and initialized. This newly created BlockReopenQueue should be
4036 * passed back in for subsequent calls that are intended to be of the same
4037 * atomic 'set'.
4038 *
4039 * bs is the BlockDriverState to add to the reopen queue.
4040 *
4041 * options contains the changed options for the associated bs
4042 * (the BlockReopenQueue takes ownership)
4043 *
4044 * flags contains the open flags for the associated bs
4045 *
4046 * returns a pointer to bs_queue, which is either the newly allocated
4047 * bs_queue, or the existing bs_queue being used.
4048 *
4049 * bs must be drained between bdrv_reopen_queue() and bdrv_reopen_multiple().
4050 */
4051 static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue,
4052 BlockDriverState *bs,
4053 QDict *options,
4054 const BdrvChildClass *klass,
4055 BdrvChildRole role,
4056 bool parent_is_format,
4057 QDict *parent_options,
4058 int parent_flags,
4059 bool keep_old_opts)
4060 {
4061 assert(bs != NULL);
4062
4063 BlockReopenQueueEntry *bs_entry;
4064 BdrvChild *child;
4065 QDict *old_options, *explicit_options, *options_copy;
4066 int flags;
4067 QemuOpts *opts;
4068
4069 /* Make sure that the caller remembered to use a drained section. This is
4070 * important to avoid graph changes between the recursive queuing here and
4071 * bdrv_reopen_multiple(). */
4072 assert(bs->quiesce_counter > 0);
4073
4074 if (bs_queue == NULL) {
4075 bs_queue = g_new0(BlockReopenQueue, 1);
4076 QTAILQ_INIT(bs_queue);
4077 }
4078
4079 if (!options) {
4080 options = qdict_new();
4081 }
4082
4083 /* Check if this BlockDriverState is already in the queue */
4084 QTAILQ_FOREACH(bs_entry, bs_queue, entry) {
4085 if (bs == bs_entry->state.bs) {
4086 break;
4087 }
4088 }