1 /*
2 * Block node graph modifications tests
3 *
4 * Copyright (c) 2019-2021 Virtuozzo International GmbH. All rights reserved.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "qemu/main-loop.h"
24 #include "block/block_int.h"
25 #include "sysemu/block-backend.h"
26
27 static BlockDriver bdrv_pass_through = {
28 .format_name = "pass-through",
29 .is_filter = true,
30 .filtered_child_is_backing = true,
31 .bdrv_child_perm = bdrv_default_perms,
32 };
33
no_perm_default_perms(BlockDriverState * bs,BdrvChild * c,BdrvChildRole role,BlockReopenQueue * reopen_queue,uint64_t perm,uint64_t shared,uint64_t * nperm,uint64_t * nshared)34 static void no_perm_default_perms(BlockDriverState *bs, BdrvChild *c,
35 BdrvChildRole role,
36 BlockReopenQueue *reopen_queue,
37 uint64_t perm, uint64_t shared,
38 uint64_t *nperm, uint64_t *nshared)
39 {
40 *nperm = 0;
41 *nshared = BLK_PERM_ALL;
42 }
43
44 static BlockDriver bdrv_no_perm = {
45 .format_name = "no-perm",
46 .supports_backing = true,
47 .bdrv_child_perm = no_perm_default_perms,
48 };
49
exclusive_write_perms(BlockDriverState * bs,BdrvChild * c,BdrvChildRole role,BlockReopenQueue * reopen_queue,uint64_t perm,uint64_t shared,uint64_t * nperm,uint64_t * nshared)50 static void exclusive_write_perms(BlockDriverState *bs, BdrvChild *c,
51 BdrvChildRole role,
52 BlockReopenQueue *reopen_queue,
53 uint64_t perm, uint64_t shared,
54 uint64_t *nperm, uint64_t *nshared)
55 {
56 *nperm = BLK_PERM_WRITE;
57 *nshared = BLK_PERM_ALL & ~BLK_PERM_WRITE;
58 }
59
60 static BlockDriver bdrv_exclusive_writer = {
61 .format_name = "exclusive-writer",
62 .is_filter = true,
63 .filtered_child_is_backing = true,
64 .bdrv_child_perm = exclusive_write_perms,
65 };
66
no_perm_node(const char * name)67 static BlockDriverState *no_perm_node(const char *name)
68 {
69 return bdrv_new_open_driver(&bdrv_no_perm, name, BDRV_O_RDWR, &error_abort);
70 }
71
pass_through_node(const char * name)72 static BlockDriverState *pass_through_node(const char *name)
73 {
74 return bdrv_new_open_driver(&bdrv_pass_through, name,
75 BDRV_O_RDWR, &error_abort);
76 }
77
exclusive_writer_node(const char * name)78 static BlockDriverState *exclusive_writer_node(const char *name)
79 {
80 return bdrv_new_open_driver(&bdrv_exclusive_writer, name,
81 BDRV_O_RDWR, &error_abort);
82 }
83
84 /*
85 * test_update_perm_tree
86 *
87 * When checking node for a possibility to update permissions, it's subtree
88 * should be correctly checked too. New permissions for each node should be
89 * calculated and checked in context of permissions of other nodes. If we
90 * check new permissions of the node only in context of old permissions of
91 * its neighbors, we can finish up with wrong permission graph.
92 *
93 * This test firstly create the following graph:
94 * +--------+
95 * | root |
96 * +--------+
97 * |
98 * | perm: write, read
99 * | shared: except write
100 * v
101 * +--------------------+ +----------------+
102 * | passthrough filter |--------->| null-co node |
103 * +--------------------+ +----------------+
104 *
105 *
106 * and then, tries to append filter under node. Expected behavior: fail.
107 * Otherwise we'll get the following picture, with two BdrvChild'ren, having
108 * write permission to one node, without actually sharing it.
109 *
110 * +--------+
111 * | root |
112 * +--------+
113 * |
114 * | perm: write, read
115 * | shared: except write
116 * v
117 * +--------------------+
118 * | passthrough filter |
119 * +--------------------+
120 * | |
121 * perm: write, read | | perm: write, read
122 * shared: except write | | shared: except write
123 * v v
124 * +----------------+
125 * | null co node |
126 * +----------------+
127 */
test_update_perm_tree(void)128 static void test_update_perm_tree(void)
129 {
130 int ret;
131
132 BlockBackend *root = blk_new(qemu_get_aio_context(),
133 BLK_PERM_WRITE | BLK_PERM_CONSISTENT_READ,
134 BLK_PERM_ALL & ~BLK_PERM_WRITE);
135 BlockDriverState *bs = no_perm_node("node");
136 BlockDriverState *filter = pass_through_node("filter");
137
138 blk_insert_bs(root, bs, &error_abort);
139
140 bdrv_graph_wrlock();
141 bdrv_attach_child(filter, bs, "child", &child_of_bds,
142 BDRV_CHILD_DATA, &error_abort);
143 bdrv_graph_wrunlock();
144
145 ret = bdrv_append(filter, bs, NULL);
146 g_assert_cmpint(ret, <, 0);
147
148 bdrv_unref(filter);
149 blk_unref(root);
150 }
151
152 /*
153 * test_should_update_child
154 *
155 * Test that bdrv_replace_node, and concretely should_update_child
156 * do the right thing, i.e. not creating loops on the graph.
157 *
158 * The test does the following:
159 * 1. initial graph:
160 *
161 * +------+ +--------+
162 * | root | | filter |
163 * +------+ +--------+
164 * | |
165 * root| target|
166 * v v
167 * +------+ +--------+
168 * | node |<---------| target |
169 * +------+ backing +--------+
170 *
171 * 2. Append @filter above @node. If should_update_child works correctly,
172 * it understands, that backing child of @target should not be updated,
173 * as it will create a loop on node graph. Resulting picture should
174 * be the left one, not the right:
175 *
176 * +------+ +------+
177 * | root | | root |
178 * +------+ +------+
179 * | |
180 * root| root|
181 * v v
182 * +--------+ target +--------+ target
183 * | filter |--------------+ | filter |--------------+
184 * +--------+ | +--------+ |
185 * | | | ^ v
186 * backing| | backing| | +--------+
187 * v v | +-----------| target |
188 * +------+ +--------+ v backing +--------+
189 * | node |<---------| target | +------+
190 * +------+ backing +--------+ | node |
191 * +------+
192 *
193 * (good picture) (bad picture)
194 *
195 */
test_should_update_child(void)196 static void test_should_update_child(void)
197 {
198 BlockBackend *root = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
199 BlockDriverState *bs = no_perm_node("node");
200 BlockDriverState *filter = no_perm_node("filter");
201 BlockDriverState *target = no_perm_node("target");
202
203 blk_insert_bs(root, bs, &error_abort);
204
205 bdrv_set_backing_hd(target, bs, &error_abort);
206
207 bdrv_graph_wrlock();
208 g_assert(target->backing->bs == bs);
209 bdrv_attach_child(filter, target, "target", &child_of_bds,
210 BDRV_CHILD_DATA, &error_abort);
211 bdrv_graph_wrunlock();
212 bdrv_append(filter, bs, &error_abort);
213
214 bdrv_graph_rdlock_main_loop();
215 g_assert(target->backing->bs == bs);
216 bdrv_graph_rdunlock_main_loop();
217
218 bdrv_unref(filter);
219 bdrv_unref(bs);
220 blk_unref(root);
221 }
222
223 /*
224 * test_parallel_exclusive_write
225 *
226 * Check that when we replace node, old permissions of the node being removed
227 * doesn't break the replacement.
228 */
test_parallel_exclusive_write(void)229 static void test_parallel_exclusive_write(void)
230 {
231 BlockDriverState *top = exclusive_writer_node("top");
232 BlockDriverState *base = no_perm_node("base");
233 BlockDriverState *fl1 = pass_through_node("fl1");
234 BlockDriverState *fl2 = pass_through_node("fl2");
235
236 bdrv_drained_begin(fl1);
237 bdrv_drained_begin(fl2);
238
239 /*
240 * bdrv_attach_child() eats child bs reference, so we need two @base
241 * references for two filters. We also need an additional @fl1 reference so
242 * that it still exists when we want to undrain it.
243 */
244 bdrv_ref(base);
245 bdrv_ref(fl1);
246
247 bdrv_graph_wrlock();
248 bdrv_attach_child(top, fl1, "backing", &child_of_bds,
249 BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
250 &error_abort);
251 bdrv_attach_child(fl1, base, "backing", &child_of_bds,
252 BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
253 &error_abort);
254 bdrv_attach_child(fl2, base, "backing", &child_of_bds,
255 BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
256 &error_abort);
257
258 bdrv_replace_node(fl1, fl2, &error_abort);
259 bdrv_graph_wrunlock();
260
261 bdrv_drained_end(fl2);
262 bdrv_drained_end(fl1);
263
264 bdrv_unref(fl1);
265 bdrv_unref(fl2);
266 bdrv_unref(top);
267 }
268
269 /*
270 * write-to-selected node may have several DATA children, one of them may be
271 * "selected". Exclusive write permission is taken on selected child.
272 *
273 * We don't realize write handler itself, as we need only to test how permission
274 * update works.
275 */
276 typedef struct BDRVWriteToSelectedState {
277 BdrvChild *selected;
278 } BDRVWriteToSelectedState;
279
write_to_selected_perms(BlockDriverState * bs,BdrvChild * c,BdrvChildRole role,BlockReopenQueue * reopen_queue,uint64_t perm,uint64_t shared,uint64_t * nperm,uint64_t * nshared)280 static void write_to_selected_perms(BlockDriverState *bs, BdrvChild *c,
281 BdrvChildRole role,
282 BlockReopenQueue *reopen_queue,
283 uint64_t perm, uint64_t shared,
284 uint64_t *nperm, uint64_t *nshared)
285 {
286 BDRVWriteToSelectedState *s = bs->opaque;
287
288 if (s->selected && c == s->selected) {
289 *nperm = BLK_PERM_WRITE;
290 *nshared = BLK_PERM_ALL & ~BLK_PERM_WRITE;
291 } else {
292 *nperm = 0;
293 *nshared = BLK_PERM_ALL;
294 }
295 }
296
297 static BlockDriver bdrv_write_to_selected = {
298 .format_name = "write-to-selected",
299 .instance_size = sizeof(BDRVWriteToSelectedState),
300 .bdrv_child_perm = write_to_selected_perms,
301 };
302
303
304 /*
305 * The following test shows that topological-sort order is required for
306 * permission update, simple DFS is not enough.
307 *
308 * Consider the block driver (write-to-selected) which has two children: one is
309 * selected so we have exclusive write access to it and for the other one we
310 * don't need any specific permissions.
311 *
312 * And, these two children has a common base child, like this:
313 * (additional "top" on top is used in test just because the only public
314 * function to update permission should get a specific child to update.
315 * Making bdrv_refresh_perms() public just for this test isn't worth it)
316 *
317 * ┌─────┐ ┌───────────────────┐ ┌─────┐
318 * │ fl2 │ ◀── │ write-to-selected │ ◀── │ top │
319 * └─────┘ └───────────────────┘ └─────┘
320 * │ │
321 * │ │ w
322 * │ ▼
323 * │ ┌──────┐
324 * │ │ fl1 │
325 * │ └──────┘
326 * │ │
327 * │ │ w
328 * │ ▼
329 * │ ┌──────┐
330 * └───────▶ │ base │
331 * └──────┘
332 *
333 * So, exclusive write is propagated.
334 *
335 * Assume, we want to select fl2 instead of fl1.
336 * So, we set some option for write-to-selected driver and do permission update.
337 *
338 * With simple DFS, if permission update goes first through
339 * write-to-selected -> fl1 -> base branch it will succeed: it firstly drop
340 * exclusive write permissions and than apply them for another BdrvChildren.
341 * But if permission update goes first through write-to-selected -> fl2 -> base
342 * branch it will fail, as when we try to update fl2->base child, old not yet
343 * updated fl1->base child will be in conflict.
344 *
345 * With topological-sort order we always update parents before children, so fl1
346 * and fl2 are both updated when we update base and there is no conflict.
347 */
test_parallel_perm_update(void)348 static void test_parallel_perm_update(void)
349 {
350 BlockDriverState *top = no_perm_node("top");
351 BlockDriverState *ws =
352 bdrv_new_open_driver(&bdrv_write_to_selected, "ws", BDRV_O_RDWR,
353 &error_abort);
354 BDRVWriteToSelectedState *s = ws->opaque;
355 BlockDriverState *base = no_perm_node("base");
356 BlockDriverState *fl1 = pass_through_node("fl1");
357 BlockDriverState *fl2 = pass_through_node("fl2");
358 BdrvChild *c_fl1, *c_fl2;
359
360 /*
361 * bdrv_attach_child() eats child bs reference, so we need two @base
362 * references for two filters:
363 */
364 bdrv_ref(base);
365
366 bdrv_graph_wrlock();
367 bdrv_attach_child(top, ws, "file", &child_of_bds, BDRV_CHILD_DATA,
368 &error_abort);
369 c_fl1 = bdrv_attach_child(ws, fl1, "first", &child_of_bds,
370 BDRV_CHILD_DATA, &error_abort);
371 c_fl2 = bdrv_attach_child(ws, fl2, "second", &child_of_bds,
372 BDRV_CHILD_DATA, &error_abort);
373 bdrv_attach_child(fl1, base, "backing", &child_of_bds,
374 BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
375 &error_abort);
376 bdrv_attach_child(fl2, base, "backing", &child_of_bds,
377 BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
378 &error_abort);
379 bdrv_graph_wrunlock();
380
381 /* Select fl1 as first child to be active */
382 s->selected = c_fl1;
383
384 bdrv_graph_rdlock_main_loop();
385
386 bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort);
387
388 assert(c_fl1->perm & BLK_PERM_WRITE);
389 assert(!(c_fl2->perm & BLK_PERM_WRITE));
390
391 /* Now, try to switch active child and update permissions */
392 s->selected = c_fl2;
393 bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort);
394
395 assert(c_fl2->perm & BLK_PERM_WRITE);
396 assert(!(c_fl1->perm & BLK_PERM_WRITE));
397
398 /* Switch once more, to not care about real child order in the list */
399 s->selected = c_fl1;
400 bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort);
401
402 assert(c_fl1->perm & BLK_PERM_WRITE);
403 assert(!(c_fl2->perm & BLK_PERM_WRITE));
404
405 bdrv_graph_rdunlock_main_loop();
406 bdrv_unref(top);
407 }
408
409 /*
410 * It's possible that filter required permissions allows to insert it to backing
411 * chain, like:
412 *
413 * 1. [top] -> [filter] -> [base]
414 *
415 * but doesn't allow to add it as a branch:
416 *
417 * 2. [filter] --\
418 * v
419 * [top] -> [base]
420 *
421 * So, inserting such filter should do all graph modifications and only then
422 * update permissions. If we try to go through intermediate state [2] and update
423 * permissions on it we'll fail.
424 *
425 * Let's check that bdrv_append() can append such a filter.
426 */
test_append_greedy_filter(void)427 static void test_append_greedy_filter(void)
428 {
429 BlockDriverState *top = exclusive_writer_node("top");
430 BlockDriverState *base = no_perm_node("base");
431 BlockDriverState *fl = exclusive_writer_node("fl1");
432
433 bdrv_graph_wrlock();
434 bdrv_attach_child(top, base, "backing", &child_of_bds,
435 BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
436 &error_abort);
437 bdrv_graph_wrunlock();
438
439 bdrv_append(fl, base, &error_abort);
440 bdrv_unref(fl);
441 bdrv_unref(top);
442 }
443
main(int argc,char * argv[])444 int main(int argc, char *argv[])
445 {
446 bdrv_init();
447 qemu_init_main_loop(&error_abort);
448
449 g_test_init(&argc, &argv, NULL);
450
451 g_test_add_func("/bdrv-graph-mod/update-perm-tree", test_update_perm_tree);
452 g_test_add_func("/bdrv-graph-mod/should-update-child",
453 test_should_update_child);
454 g_test_add_func("/bdrv-graph-mod/parallel-perm-update",
455 test_parallel_perm_update);
456 g_test_add_func("/bdrv-graph-mod/parallel-exclusive-write",
457 test_parallel_exclusive_write);
458 g_test_add_func("/bdrv-graph-mod/append-greedy-filter",
459 test_append_greedy_filter);
460
461 return g_test_run();
462 }
463