1 /* 2 * Copyright (C) 2005 Anthony Liguori <anthony@codemonkey.ws> 3 * 4 * Network Block Device Server Side 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; under version 2 of the License. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program; if not, see <http://www.gnu.org/licenses/>. 17 */ 18 19 #include "qemu/osdep.h" 20 #include "qapi/error.h" 21 #include "nbd-internal.h" 22 23 static int system_errno_to_nbd_errno(int err) 24 { 25 switch (err) { 26 case 0: 27 return NBD_SUCCESS; 28 case EPERM: 29 case EROFS: 30 return NBD_EPERM; 31 case EIO: 32 return NBD_EIO; 33 case ENOMEM: 34 return NBD_ENOMEM; 35 #ifdef EDQUOT 36 case EDQUOT: 37 #endif 38 case EFBIG: 39 case ENOSPC: 40 return NBD_ENOSPC; 41 case EINVAL: 42 default: 43 return NBD_EINVAL; 44 } 45 } 46 47 /* Definitions for opaque data types */ 48 49 typedef struct NBDRequest NBDRequest; 50 51 struct NBDRequest { 52 QSIMPLEQ_ENTRY(NBDRequest) entry; 53 NBDClient *client; 54 uint8_t *data; 55 bool complete; 56 }; 57 58 struct NBDExport { 59 int refcount; 60 void (*close)(NBDExport *exp); 61 62 BlockBackend *blk; 63 char *name; 64 off_t dev_offset; 65 off_t size; 66 uint16_t nbdflags; 67 QTAILQ_HEAD(, NBDClient) clients; 68 QTAILQ_ENTRY(NBDExport) next; 69 70 AioContext *ctx; 71 72 BlockBackend *eject_notifier_blk; 73 Notifier eject_notifier; 74 }; 75 76 static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports); 77 78 struct NBDClient { 79 int refcount; 80 void (*close)(NBDClient *client); 81 82 NBDExport *exp; 83 QCryptoTLSCreds *tlscreds; 84 char *tlsaclname; 85 QIOChannelSocket *sioc; /* The underlying data channel */ 86 QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */ 87 88 Coroutine *recv_coroutine; 89 90 CoMutex send_lock; 91 Coroutine *send_coroutine; 92 93 bool can_read; 94 95 QTAILQ_ENTRY(NBDClient) next; 96 int nb_requests; 97 bool closing; 98 }; 99 100 /* That's all folks */ 101 102 static void nbd_set_handlers(NBDClient *client); 103 static void nbd_unset_handlers(NBDClient *client); 104 static void nbd_update_can_read(NBDClient *client); 105 106 static gboolean nbd_negotiate_continue(QIOChannel *ioc, 107 GIOCondition condition, 108 void *opaque) 109 { 110 qemu_coroutine_enter(opaque); 111 return TRUE; 112 } 113 114 static ssize_t nbd_negotiate_read(QIOChannel *ioc, void *buffer, size_t size) 115 { 116 ssize_t ret; 117 guint watch; 118 119 assert(qemu_in_coroutine()); 120 /* Negotiation are always in main loop. */ 121 watch = qio_channel_add_watch(ioc, 122 G_IO_IN, 123 nbd_negotiate_continue, 124 qemu_coroutine_self(), 125 NULL); 126 ret = read_sync(ioc, buffer, size); 127 g_source_remove(watch); 128 return ret; 129 130 } 131 132 static ssize_t nbd_negotiate_write(QIOChannel *ioc, void *buffer, size_t size) 133 { 134 ssize_t ret; 135 guint watch; 136 137 assert(qemu_in_coroutine()); 138 /* Negotiation are always in main loop. */ 139 watch = qio_channel_add_watch(ioc, 140 G_IO_OUT, 141 nbd_negotiate_continue, 142 qemu_coroutine_self(), 143 NULL); 144 ret = write_sync(ioc, buffer, size); 145 g_source_remove(watch); 146 return ret; 147 } 148 149 static ssize_t nbd_negotiate_drop_sync(QIOChannel *ioc, size_t size) 150 { 151 ssize_t ret, dropped = size; 152 uint8_t *buffer = g_malloc(MIN(65536, size)); 153 154 while (size > 0) { 155 ret = nbd_negotiate_read(ioc, buffer, MIN(65536, size)); 156 if (ret < 0) { 157 g_free(buffer); 158 return ret; 159 } 160 161 assert(ret <= size); 162 size -= ret; 163 } 164 165 g_free(buffer); 166 return dropped; 167 } 168 169 /* Basic flow for negotiation 170 171 Server Client 172 Negotiate 173 174 or 175 176 Server Client 177 Negotiate #1 178 Option 179 Negotiate #2 180 181 ---- 182 183 followed by 184 185 Server Client 186 Request 187 Response 188 Request 189 Response 190 ... 191 ... 192 Request (type == 2) 193 194 */ 195 196 static int nbd_negotiate_send_rep(QIOChannel *ioc, uint32_t type, uint32_t opt) 197 { 198 uint64_t magic; 199 uint32_t len; 200 201 TRACE("Reply opt=%" PRIx32 " type=%" PRIx32, type, opt); 202 203 magic = cpu_to_be64(NBD_REP_MAGIC); 204 if (nbd_negotiate_write(ioc, &magic, sizeof(magic)) != sizeof(magic)) { 205 LOG("write failed (rep magic)"); 206 return -EINVAL; 207 } 208 opt = cpu_to_be32(opt); 209 if (nbd_negotiate_write(ioc, &opt, sizeof(opt)) != sizeof(opt)) { 210 LOG("write failed (rep opt)"); 211 return -EINVAL; 212 } 213 type = cpu_to_be32(type); 214 if (nbd_negotiate_write(ioc, &type, sizeof(type)) != sizeof(type)) { 215 LOG("write failed (rep type)"); 216 return -EINVAL; 217 } 218 len = cpu_to_be32(0); 219 if (nbd_negotiate_write(ioc, &len, sizeof(len)) != sizeof(len)) { 220 LOG("write failed (rep data length)"); 221 return -EINVAL; 222 } 223 return 0; 224 } 225 226 static int nbd_negotiate_send_rep_list(QIOChannel *ioc, NBDExport *exp) 227 { 228 uint64_t magic, name_len; 229 uint32_t opt, type, len; 230 231 TRACE("Advertising export name '%s'", exp->name ? exp->name : ""); 232 name_len = strlen(exp->name); 233 magic = cpu_to_be64(NBD_REP_MAGIC); 234 if (nbd_negotiate_write(ioc, &magic, sizeof(magic)) != sizeof(magic)) { 235 LOG("write failed (magic)"); 236 return -EINVAL; 237 } 238 opt = cpu_to_be32(NBD_OPT_LIST); 239 if (nbd_negotiate_write(ioc, &opt, sizeof(opt)) != sizeof(opt)) { 240 LOG("write failed (opt)"); 241 return -EINVAL; 242 } 243 type = cpu_to_be32(NBD_REP_SERVER); 244 if (nbd_negotiate_write(ioc, &type, sizeof(type)) != sizeof(type)) { 245 LOG("write failed (reply type)"); 246 return -EINVAL; 247 } 248 len = cpu_to_be32(name_len + sizeof(len)); 249 if (nbd_negotiate_write(ioc, &len, sizeof(len)) != sizeof(len)) { 250 LOG("write failed (length)"); 251 return -EINVAL; 252 } 253 len = cpu_to_be32(name_len); 254 if (nbd_negotiate_write(ioc, &len, sizeof(len)) != sizeof(len)) { 255 LOG("write failed (length)"); 256 return -EINVAL; 257 } 258 if (nbd_negotiate_write(ioc, exp->name, name_len) != name_len) { 259 LOG("write failed (buffer)"); 260 return -EINVAL; 261 } 262 return 0; 263 } 264 265 static int nbd_negotiate_handle_list(NBDClient *client, uint32_t length) 266 { 267 NBDExport *exp; 268 269 if (length) { 270 if (nbd_negotiate_drop_sync(client->ioc, length) != length) { 271 return -EIO; 272 } 273 return nbd_negotiate_send_rep(client->ioc, 274 NBD_REP_ERR_INVALID, NBD_OPT_LIST); 275 } 276 277 /* For each export, send a NBD_REP_SERVER reply. */ 278 QTAILQ_FOREACH(exp, &exports, next) { 279 if (nbd_negotiate_send_rep_list(client->ioc, exp)) { 280 return -EINVAL; 281 } 282 } 283 /* Finish with a NBD_REP_ACK. */ 284 return nbd_negotiate_send_rep(client->ioc, NBD_REP_ACK, NBD_OPT_LIST); 285 } 286 287 static int nbd_negotiate_handle_export_name(NBDClient *client, uint32_t length) 288 { 289 int rc = -EINVAL; 290 char name[NBD_MAX_NAME_SIZE + 1]; 291 292 /* Client sends: 293 [20 .. xx] export name (length bytes) 294 */ 295 TRACE("Checking length"); 296 if (length >= sizeof(name)) { 297 LOG("Bad length received"); 298 goto fail; 299 } 300 if (nbd_negotiate_read(client->ioc, name, length) != length) { 301 LOG("read failed"); 302 goto fail; 303 } 304 name[length] = '\0'; 305 306 TRACE("Client requested export '%s'", name); 307 308 client->exp = nbd_export_find(name); 309 if (!client->exp) { 310 LOG("export not found"); 311 goto fail; 312 } 313 314 QTAILQ_INSERT_TAIL(&client->exp->clients, client, next); 315 nbd_export_get(client->exp); 316 rc = 0; 317 fail: 318 return rc; 319 } 320 321 322 static QIOChannel *nbd_negotiate_handle_starttls(NBDClient *client, 323 uint32_t length) 324 { 325 QIOChannel *ioc; 326 QIOChannelTLS *tioc; 327 struct NBDTLSHandshakeData data = { 0 }; 328 329 TRACE("Setting up TLS"); 330 ioc = client->ioc; 331 if (length) { 332 if (nbd_negotiate_drop_sync(ioc, length) != length) { 333 return NULL; 334 } 335 nbd_negotiate_send_rep(ioc, NBD_REP_ERR_INVALID, NBD_OPT_STARTTLS); 336 return NULL; 337 } 338 339 if (nbd_negotiate_send_rep(client->ioc, NBD_REP_ACK, 340 NBD_OPT_STARTTLS) < 0) { 341 return NULL; 342 } 343 344 tioc = qio_channel_tls_new_server(ioc, 345 client->tlscreds, 346 client->tlsaclname, 347 NULL); 348 if (!tioc) { 349 return NULL; 350 } 351 352 qio_channel_set_name(QIO_CHANNEL(tioc), "nbd-server-tls"); 353 TRACE("Starting TLS handshake"); 354 data.loop = g_main_loop_new(g_main_context_default(), FALSE); 355 qio_channel_tls_handshake(tioc, 356 nbd_tls_handshake, 357 &data, 358 NULL); 359 360 if (!data.complete) { 361 g_main_loop_run(data.loop); 362 } 363 g_main_loop_unref(data.loop); 364 if (data.error) { 365 object_unref(OBJECT(tioc)); 366 error_free(data.error); 367 return NULL; 368 } 369 370 return QIO_CHANNEL(tioc); 371 } 372 373 374 static int nbd_negotiate_options(NBDClient *client) 375 { 376 uint32_t flags; 377 bool fixedNewstyle = false; 378 379 /* Client sends: 380 [ 0 .. 3] client flags 381 382 [ 0 .. 7] NBD_OPTS_MAGIC 383 [ 8 .. 11] NBD option 384 [12 .. 15] Data length 385 ... Rest of request 386 387 [ 0 .. 7] NBD_OPTS_MAGIC 388 [ 8 .. 11] Second NBD option 389 [12 .. 15] Data length 390 ... Rest of request 391 */ 392 393 if (nbd_negotiate_read(client->ioc, &flags, sizeof(flags)) != 394 sizeof(flags)) { 395 LOG("read failed"); 396 return -EIO; 397 } 398 TRACE("Checking client flags"); 399 be32_to_cpus(&flags); 400 if (flags & NBD_FLAG_C_FIXED_NEWSTYLE) { 401 TRACE("Client supports fixed newstyle handshake"); 402 fixedNewstyle = true; 403 flags &= ~NBD_FLAG_C_FIXED_NEWSTYLE; 404 } 405 if (flags != 0) { 406 TRACE("Unknown client flags 0x%" PRIx32 " received", flags); 407 return -EIO; 408 } 409 410 while (1) { 411 int ret; 412 uint32_t clientflags, length; 413 uint64_t magic; 414 415 if (nbd_negotiate_read(client->ioc, &magic, sizeof(magic)) != 416 sizeof(magic)) { 417 LOG("read failed"); 418 return -EINVAL; 419 } 420 TRACE("Checking opts magic"); 421 if (magic != be64_to_cpu(NBD_OPTS_MAGIC)) { 422 LOG("Bad magic received"); 423 return -EINVAL; 424 } 425 426 if (nbd_negotiate_read(client->ioc, &clientflags, 427 sizeof(clientflags)) != sizeof(clientflags)) { 428 LOG("read failed"); 429 return -EINVAL; 430 } 431 clientflags = be32_to_cpu(clientflags); 432 433 if (nbd_negotiate_read(client->ioc, &length, sizeof(length)) != 434 sizeof(length)) { 435 LOG("read failed"); 436 return -EINVAL; 437 } 438 length = be32_to_cpu(length); 439 440 TRACE("Checking option 0x%" PRIx32, clientflags); 441 if (client->tlscreds && 442 client->ioc == (QIOChannel *)client->sioc) { 443 QIOChannel *tioc; 444 if (!fixedNewstyle) { 445 TRACE("Unsupported option 0x%" PRIx32, clientflags); 446 return -EINVAL; 447 } 448 switch (clientflags) { 449 case NBD_OPT_STARTTLS: 450 tioc = nbd_negotiate_handle_starttls(client, length); 451 if (!tioc) { 452 return -EIO; 453 } 454 object_unref(OBJECT(client->ioc)); 455 client->ioc = QIO_CHANNEL(tioc); 456 break; 457 458 case NBD_OPT_EXPORT_NAME: 459 /* No way to return an error to client, so drop connection */ 460 TRACE("Option 0x%x not permitted before TLS", clientflags); 461 return -EINVAL; 462 463 default: 464 TRACE("Option 0x%" PRIx32 " not permitted before TLS", 465 clientflags); 466 if (nbd_negotiate_drop_sync(client->ioc, length) != length) { 467 return -EIO; 468 } 469 ret = nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_TLS_REQD, 470 clientflags); 471 if (ret < 0) { 472 return ret; 473 } 474 break; 475 } 476 } else if (fixedNewstyle) { 477 switch (clientflags) { 478 case NBD_OPT_LIST: 479 ret = nbd_negotiate_handle_list(client, length); 480 if (ret < 0) { 481 return ret; 482 } 483 break; 484 485 case NBD_OPT_ABORT: 486 return -EINVAL; 487 488 case NBD_OPT_EXPORT_NAME: 489 return nbd_negotiate_handle_export_name(client, length); 490 491 case NBD_OPT_STARTTLS: 492 if (nbd_negotiate_drop_sync(client->ioc, length) != length) { 493 return -EIO; 494 } 495 if (client->tlscreds) { 496 TRACE("TLS already enabled"); 497 ret = nbd_negotiate_send_rep(client->ioc, 498 NBD_REP_ERR_INVALID, 499 clientflags); 500 } else { 501 TRACE("TLS not configured"); 502 ret = nbd_negotiate_send_rep(client->ioc, 503 NBD_REP_ERR_POLICY, 504 clientflags); 505 } 506 if (ret < 0) { 507 return ret; 508 } 509 break; 510 default: 511 TRACE("Unsupported option 0x%" PRIx32, clientflags); 512 if (nbd_negotiate_drop_sync(client->ioc, length) != length) { 513 return -EIO; 514 } 515 ret = nbd_negotiate_send_rep(client->ioc, NBD_REP_ERR_UNSUP, 516 clientflags); 517 if (ret < 0) { 518 return ret; 519 } 520 break; 521 } 522 } else { 523 /* 524 * If broken new-style we should drop the connection 525 * for anything except NBD_OPT_EXPORT_NAME 526 */ 527 switch (clientflags) { 528 case NBD_OPT_EXPORT_NAME: 529 return nbd_negotiate_handle_export_name(client, length); 530 531 default: 532 TRACE("Unsupported option 0x%" PRIx32, clientflags); 533 return -EINVAL; 534 } 535 } 536 } 537 } 538 539 typedef struct { 540 NBDClient *client; 541 Coroutine *co; 542 } NBDClientNewData; 543 544 static coroutine_fn int nbd_negotiate(NBDClientNewData *data) 545 { 546 NBDClient *client = data->client; 547 char buf[8 + 8 + 8 + 128]; 548 int rc; 549 const uint16_t myflags = (NBD_FLAG_HAS_FLAGS | NBD_FLAG_SEND_TRIM | 550 NBD_FLAG_SEND_FLUSH | NBD_FLAG_SEND_FUA); 551 bool oldStyle; 552 553 /* Old style negotiation header without options 554 [ 0 .. 7] passwd ("NBDMAGIC") 555 [ 8 .. 15] magic (NBD_CLIENT_MAGIC) 556 [16 .. 23] size 557 [24 .. 25] server flags (0) 558 [26 .. 27] export flags 559 [28 .. 151] reserved (0) 560 561 New style negotiation header with options 562 [ 0 .. 7] passwd ("NBDMAGIC") 563 [ 8 .. 15] magic (NBD_OPTS_MAGIC) 564 [16 .. 17] server flags (0) 565 ....options sent.... 566 [18 .. 25] size 567 [26 .. 27] export flags 568 [28 .. 151] reserved (0) 569 */ 570 571 qio_channel_set_blocking(client->ioc, false, NULL); 572 rc = -EINVAL; 573 574 TRACE("Beginning negotiation."); 575 memset(buf, 0, sizeof(buf)); 576 memcpy(buf, "NBDMAGIC", 8); 577 578 oldStyle = client->exp != NULL && !client->tlscreds; 579 if (oldStyle) { 580 TRACE("advertising size %" PRIu64 " and flags %x", 581 client->exp->size, client->exp->nbdflags | myflags); 582 stq_be_p(buf + 8, NBD_CLIENT_MAGIC); 583 stq_be_p(buf + 16, client->exp->size); 584 stw_be_p(buf + 26, client->exp->nbdflags | myflags); 585 } else { 586 stq_be_p(buf + 8, NBD_OPTS_MAGIC); 587 stw_be_p(buf + 16, NBD_FLAG_FIXED_NEWSTYLE); 588 } 589 590 if (oldStyle) { 591 if (client->tlscreds) { 592 TRACE("TLS cannot be enabled with oldstyle protocol"); 593 goto fail; 594 } 595 if (nbd_negotiate_write(client->ioc, buf, sizeof(buf)) != sizeof(buf)) { 596 LOG("write failed"); 597 goto fail; 598 } 599 } else { 600 if (nbd_negotiate_write(client->ioc, buf, 18) != 18) { 601 LOG("write failed"); 602 goto fail; 603 } 604 rc = nbd_negotiate_options(client); 605 if (rc != 0) { 606 LOG("option negotiation failed"); 607 goto fail; 608 } 609 610 TRACE("advertising size %" PRIu64 " and flags %x", 611 client->exp->size, client->exp->nbdflags | myflags); 612 stq_be_p(buf + 18, client->exp->size); 613 stw_be_p(buf + 26, client->exp->nbdflags | myflags); 614 if (nbd_negotiate_write(client->ioc, buf + 18, sizeof(buf) - 18) != 615 sizeof(buf) - 18) { 616 LOG("write failed"); 617 goto fail; 618 } 619 } 620 621 TRACE("Negotiation succeeded."); 622 rc = 0; 623 fail: 624 return rc; 625 } 626 627 static ssize_t nbd_receive_request(QIOChannel *ioc, struct nbd_request *request) 628 { 629 uint8_t buf[NBD_REQUEST_SIZE]; 630 uint32_t magic; 631 ssize_t ret; 632 633 ret = read_sync(ioc, buf, sizeof(buf)); 634 if (ret < 0) { 635 return ret; 636 } 637 638 if (ret != sizeof(buf)) { 639 LOG("read failed"); 640 return -EINVAL; 641 } 642 643 /* Request 644 [ 0 .. 3] magic (NBD_REQUEST_MAGIC) 645 [ 4 .. 7] type (0 == READ, 1 == WRITE) 646 [ 8 .. 15] handle 647 [16 .. 23] from 648 [24 .. 27] len 649 */ 650 651 magic = ldl_be_p(buf); 652 request->type = ldl_be_p(buf + 4); 653 request->handle = ldq_be_p(buf + 8); 654 request->from = ldq_be_p(buf + 16); 655 request->len = ldl_be_p(buf + 24); 656 657 TRACE("Got request: { magic = 0x%" PRIx32 ", .type = %" PRIx32 658 ", from = %" PRIu64 " , len = %" PRIu32 " }", 659 magic, request->type, request->from, request->len); 660 661 if (magic != NBD_REQUEST_MAGIC) { 662 LOG("invalid magic (got 0x%" PRIx32 ")", magic); 663 return -EINVAL; 664 } 665 return 0; 666 } 667 668 static ssize_t nbd_send_reply(QIOChannel *ioc, struct nbd_reply *reply) 669 { 670 uint8_t buf[NBD_REPLY_SIZE]; 671 ssize_t ret; 672 673 reply->error = system_errno_to_nbd_errno(reply->error); 674 675 TRACE("Sending response to client: { .error = %" PRId32 676 ", handle = %" PRIu64 " }", 677 reply->error, reply->handle); 678 679 /* Reply 680 [ 0 .. 3] magic (NBD_REPLY_MAGIC) 681 [ 4 .. 7] error (0 == no error) 682 [ 7 .. 15] handle 683 */ 684 stl_be_p(buf, NBD_REPLY_MAGIC); 685 stl_be_p(buf + 4, reply->error); 686 stq_be_p(buf + 8, reply->handle); 687 688 ret = write_sync(ioc, buf, sizeof(buf)); 689 if (ret < 0) { 690 return ret; 691 } 692 693 if (ret != sizeof(buf)) { 694 LOG("writing to socket failed"); 695 return -EINVAL; 696 } 697 return 0; 698 } 699 700 #define MAX_NBD_REQUESTS 16 701 702 void nbd_client_get(NBDClient *client) 703 { 704 client->refcount++; 705 } 706 707 void nbd_client_put(NBDClient *client) 708 { 709 if (--client->refcount == 0) { 710 /* The last reference should be dropped by client->close, 711 * which is called by client_close. 712 */ 713 assert(client->closing); 714 715 nbd_unset_handlers(client); 716 object_unref(OBJECT(client->sioc)); 717 object_unref(OBJECT(client->ioc)); 718 if (client->tlscreds) { 719 object_unref(OBJECT(client->tlscreds)); 720 } 721 g_free(client->tlsaclname); 722 if (client->exp) { 723 QTAILQ_REMOVE(&client->exp->clients, client, next); 724 nbd_export_put(client->exp); 725 } 726 g_free(client); 727 } 728 } 729 730 static void client_close(NBDClient *client) 731 { 732 if (client->closing) { 733 return; 734 } 735 736 client->closing = true; 737 738 /* Force requests to finish. They will drop their own references, 739 * then we'll close the socket and free the NBDClient. 740 */ 741 qio_channel_shutdown(client->ioc, QIO_CHANNEL_SHUTDOWN_BOTH, 742 NULL); 743 744 /* Also tell the client, so that they release their reference. */ 745 if (client->close) { 746 client->close(client); 747 } 748 } 749 750 static NBDRequest *nbd_request_get(NBDClient *client) 751 { 752 NBDRequest *req; 753 754 assert(client->nb_requests <= MAX_NBD_REQUESTS - 1); 755 client->nb_requests++; 756 nbd_update_can_read(client); 757 758 req = g_new0(NBDRequest, 1); 759 nbd_client_get(client); 760 req->client = client; 761 return req; 762 } 763 764 static void nbd_request_put(NBDRequest *req) 765 { 766 NBDClient *client = req->client; 767 768 if (req->data) { 769 qemu_vfree(req->data); 770 } 771 g_free(req); 772 773 client->nb_requests--; 774 nbd_update_can_read(client); 775 nbd_client_put(client); 776 } 777 778 static void blk_aio_attached(AioContext *ctx, void *opaque) 779 { 780 NBDExport *exp = opaque; 781 NBDClient *client; 782 783 TRACE("Export %s: Attaching clients to AIO context %p\n", exp->name, ctx); 784 785 exp->ctx = ctx; 786 787 QTAILQ_FOREACH(client, &exp->clients, next) { 788 nbd_set_handlers(client); 789 } 790 } 791 792 static void blk_aio_detach(void *opaque) 793 { 794 NBDExport *exp = opaque; 795 NBDClient *client; 796 797 TRACE("Export %s: Detaching clients from AIO context %p\n", exp->name, exp->ctx); 798 799 QTAILQ_FOREACH(client, &exp->clients, next) { 800 nbd_unset_handlers(client); 801 } 802 803 exp->ctx = NULL; 804 } 805 806 static void nbd_eject_notifier(Notifier *n, void *data) 807 { 808 NBDExport *exp = container_of(n, NBDExport, eject_notifier); 809 nbd_export_close(exp); 810 } 811 812 NBDExport *nbd_export_new(BlockDriverState *bs, off_t dev_offset, off_t size, 813 uint16_t nbdflags, void (*close)(NBDExport *), 814 bool writethrough, BlockBackend *on_eject_blk, 815 Error **errp) 816 { 817 BlockBackend *blk; 818 NBDExport *exp = g_malloc0(sizeof(NBDExport)); 819 820 blk = blk_new(); 821 blk_insert_bs(blk, bs); 822 blk_set_enable_write_cache(blk, !writethrough); 823 824 exp->refcount = 1; 825 QTAILQ_INIT(&exp->clients); 826 exp->blk = blk; 827 exp->dev_offset = dev_offset; 828 exp->nbdflags = nbdflags; 829 exp->size = size < 0 ? blk_getlength(blk) : size; 830 if (exp->size < 0) { 831 error_setg_errno(errp, -exp->size, 832 "Failed to determine the NBD export's length"); 833 goto fail; 834 } 835 exp->size -= exp->size % BDRV_SECTOR_SIZE; 836 837 exp->close = close; 838 exp->ctx = blk_get_aio_context(blk); 839 blk_add_aio_context_notifier(blk, blk_aio_attached, blk_aio_detach, exp); 840 841 if (on_eject_blk) { 842 blk_ref(on_eject_blk); 843 exp->eject_notifier_blk = on_eject_blk; 844 exp->eject_notifier.notify = nbd_eject_notifier; 845 blk_add_remove_bs_notifier(on_eject_blk, &exp->eject_notifier); 846 } 847 848 /* 849 * NBD exports are used for non-shared storage migration. Make sure 850 * that BDRV_O_INACTIVE is cleared and the image is ready for write 851 * access since the export could be available before migration handover. 852 */ 853 aio_context_acquire(exp->ctx); 854 blk_invalidate_cache(blk, NULL); 855 aio_context_release(exp->ctx); 856 return exp; 857 858 fail: 859 blk_unref(blk); 860 g_free(exp); 861 return NULL; 862 } 863 864 NBDExport *nbd_export_find(const char *name) 865 { 866 NBDExport *exp; 867 QTAILQ_FOREACH(exp, &exports, next) { 868 if (strcmp(name, exp->name) == 0) { 869 return exp; 870 } 871 } 872 873 return NULL; 874 } 875 876 void nbd_export_set_name(NBDExport *exp, const char *name) 877 { 878 if (exp->name == name) { 879 return; 880 } 881 882 nbd_export_get(exp); 883 if (exp->name != NULL) { 884 g_free(exp->name); 885 exp->name = NULL; 886 QTAILQ_REMOVE(&exports, exp, next); 887 nbd_export_put(exp); 888 } 889 if (name != NULL) { 890 nbd_export_get(exp); 891 exp->name = g_strdup(name); 892 QTAILQ_INSERT_TAIL(&exports, exp, next); 893 } 894 nbd_export_put(exp); 895 } 896 897 void nbd_export_close(NBDExport *exp) 898 { 899 NBDClient *client, *next; 900 901 nbd_export_get(exp); 902 QTAILQ_FOREACH_SAFE(client, &exp->clients, next, next) { 903 client_close(client); 904 } 905 nbd_export_set_name(exp, NULL); 906 nbd_export_put(exp); 907 } 908 909 void nbd_export_get(NBDExport *exp) 910 { 911 assert(exp->refcount > 0); 912 exp->refcount++; 913 } 914 915 void nbd_export_put(NBDExport *exp) 916 { 917 assert(exp->refcount > 0); 918 if (exp->refcount == 1) { 919 nbd_export_close(exp); 920 } 921 922 if (--exp->refcount == 0) { 923 assert(exp->name == NULL); 924 925 if (exp->close) { 926 exp->close(exp); 927 } 928 929 if (exp->blk) { 930 if (exp->eject_notifier_blk) { 931 notifier_remove(&exp->eject_notifier); 932 blk_unref(exp->eject_notifier_blk); 933 } 934 blk_remove_aio_context_notifier(exp->blk, blk_aio_attached, 935 blk_aio_detach, exp); 936 blk_unref(exp->blk); 937 exp->blk = NULL; 938 } 939 940 g_free(exp); 941 } 942 } 943 944 BlockBackend *nbd_export_get_blockdev(NBDExport *exp) 945 { 946 return exp->blk; 947 } 948 949 void nbd_export_close_all(void) 950 { 951 NBDExport *exp, *next; 952 953 QTAILQ_FOREACH_SAFE(exp, &exports, next, next) { 954 nbd_export_close(exp); 955 } 956 } 957 958 static ssize_t nbd_co_send_reply(NBDRequest *req, struct nbd_reply *reply, 959 int len) 960 { 961 NBDClient *client = req->client; 962 ssize_t rc, ret; 963 964 g_assert(qemu_in_coroutine()); 965 qemu_co_mutex_lock(&client->send_lock); 966 client->send_coroutine = qemu_coroutine_self(); 967 nbd_set_handlers(client); 968 969 if (!len) { 970 rc = nbd_send_reply(client->ioc, reply); 971 } else { 972 qio_channel_set_cork(client->ioc, true); 973 rc = nbd_send_reply(client->ioc, reply); 974 if (rc >= 0) { 975 ret = write_sync(client->ioc, req->data, len); 976 if (ret != len) { 977 rc = -EIO; 978 } 979 } 980 qio_channel_set_cork(client->ioc, false); 981 } 982 983 client->send_coroutine = NULL; 984 nbd_set_handlers(client); 985 qemu_co_mutex_unlock(&client->send_lock); 986 return rc; 987 } 988 989 /* Collect a client request. Return 0 if request looks valid, -EAGAIN 990 * to keep trying the collection, -EIO to drop connection right away, 991 * and any other negative value to report an error to the client 992 * (although the caller may still need to disconnect after reporting 993 * the error). */ 994 static ssize_t nbd_co_receive_request(NBDRequest *req, 995 struct nbd_request *request) 996 { 997 NBDClient *client = req->client; 998 uint32_t command; 999 ssize_t rc; 1000 1001 g_assert(qemu_in_coroutine()); 1002 client->recv_coroutine = qemu_coroutine_self(); 1003 nbd_update_can_read(client); 1004 1005 rc = nbd_receive_request(client->ioc, request); 1006 if (rc < 0) { 1007 if (rc != -EAGAIN) { 1008 rc = -EIO; 1009 } 1010 goto out; 1011 } 1012 1013 TRACE("Decoding type"); 1014 1015 command = request->type & NBD_CMD_MASK_COMMAND; 1016 if (command != NBD_CMD_WRITE) { 1017 /* No payload, we are ready to read the next request. */ 1018 req->complete = true; 1019 } 1020 1021 if (command == NBD_CMD_DISC) { 1022 /* Special case: we're going to disconnect without a reply, 1023 * whether or not flags, from, or len are bogus */ 1024 TRACE("Request type is DISCONNECT"); 1025 rc = -EIO; 1026 goto out; 1027 } 1028 1029 /* Check for sanity in the parameters, part 1. Defer as many 1030 * checks as possible until after reading any NBD_CMD_WRITE 1031 * payload, so we can try and keep the connection alive. */ 1032 if ((request->from + request->len) < request->from) { 1033 LOG("integer overflow detected, you're probably being attacked"); 1034 rc = -EINVAL; 1035 goto out; 1036 } 1037 1038 if (command == NBD_CMD_READ || command == NBD_CMD_WRITE) { 1039 if (request->len > NBD_MAX_BUFFER_SIZE) { 1040 LOG("len (%" PRIu32" ) is larger than max len (%u)", 1041 request->len, NBD_MAX_BUFFER_SIZE); 1042 rc = -EINVAL; 1043 goto out; 1044 } 1045 1046 req->data = blk_try_blockalign(client->exp->blk, request->len); 1047 if (req->data == NULL) { 1048 rc = -ENOMEM; 1049 goto out; 1050 } 1051 } 1052 if (command == NBD_CMD_WRITE) { 1053 TRACE("Reading %" PRIu32 " byte(s)", request->len); 1054 1055 if (read_sync(client->ioc, req->data, request->len) != request->len) { 1056 LOG("reading from socket failed"); 1057 rc = -EIO; 1058 goto out; 1059 } 1060 req->complete = true; 1061 } 1062 1063 /* Sanity checks, part 2. */ 1064 if (request->from + request->len > client->exp->size) { 1065 LOG("operation past EOF; From: %" PRIu64 ", Len: %" PRIu32 1066 ", Size: %" PRIu64, request->from, request->len, 1067 (uint64_t)client->exp->size); 1068 rc = command == NBD_CMD_WRITE ? -ENOSPC : -EINVAL; 1069 goto out; 1070 } 1071 if (request->type & ~NBD_CMD_MASK_COMMAND & ~NBD_CMD_FLAG_FUA) { 1072 LOG("unsupported flags (got 0x%x)", 1073 request->type & ~NBD_CMD_MASK_COMMAND); 1074 rc = -EINVAL; 1075 goto out; 1076 } 1077 1078 rc = 0; 1079 1080 out: 1081 client->recv_coroutine = NULL; 1082 nbd_update_can_read(client); 1083 1084 return rc; 1085 } 1086 1087 static void nbd_trip(void *opaque) 1088 { 1089 NBDClient *client = opaque; 1090 NBDExport *exp = client->exp; 1091 NBDRequest *req; 1092 struct nbd_request request; 1093 struct nbd_reply reply; 1094 ssize_t ret; 1095 uint32_t command; 1096 int flags; 1097 1098 TRACE("Reading request."); 1099 if (client->closing) { 1100 return; 1101 } 1102 1103 req = nbd_request_get(client); 1104 ret = nbd_co_receive_request(req, &request); 1105 if (ret == -EAGAIN) { 1106 goto done; 1107 } 1108 if (ret == -EIO) { 1109 goto out; 1110 } 1111 1112 reply.handle = request.handle; 1113 reply.error = 0; 1114 1115 if (ret < 0) { 1116 reply.error = -ret; 1117 goto error_reply; 1118 } 1119 command = request.type & NBD_CMD_MASK_COMMAND; 1120 1121 if (client->closing) { 1122 /* 1123 * The client may be closed when we are blocked in 1124 * nbd_co_receive_request() 1125 */ 1126 goto done; 1127 } 1128 1129 switch (command) { 1130 case NBD_CMD_READ: 1131 TRACE("Request type is READ"); 1132 1133 if (request.type & NBD_CMD_FLAG_FUA) { 1134 ret = blk_co_flush(exp->blk); 1135 if (ret < 0) { 1136 LOG("flush failed"); 1137 reply.error = -ret; 1138 goto error_reply; 1139 } 1140 } 1141 1142 ret = blk_pread(exp->blk, request.from + exp->dev_offset, 1143 req->data, request.len); 1144 if (ret < 0) { 1145 LOG("reading from file failed"); 1146 reply.error = -ret; 1147 goto error_reply; 1148 } 1149 1150 TRACE("Read %" PRIu32" byte(s)", request.len); 1151 if (nbd_co_send_reply(req, &reply, request.len) < 0) 1152 goto out; 1153 break; 1154 case NBD_CMD_WRITE: 1155 TRACE("Request type is WRITE"); 1156 1157 if (exp->nbdflags & NBD_FLAG_READ_ONLY) { 1158 TRACE("Server is read-only, return error"); 1159 reply.error = EROFS; 1160 goto error_reply; 1161 } 1162 1163 TRACE("Writing to device"); 1164 1165 flags = 0; 1166 if (request.type & NBD_CMD_FLAG_FUA) { 1167 flags |= BDRV_REQ_FUA; 1168 } 1169 ret = blk_pwrite(exp->blk, request.from + exp->dev_offset, 1170 req->data, request.len, flags); 1171 if (ret < 0) { 1172 LOG("writing to file failed"); 1173 reply.error = -ret; 1174 goto error_reply; 1175 } 1176 1177 if (nbd_co_send_reply(req, &reply, 0) < 0) { 1178 goto out; 1179 } 1180 break; 1181 1182 case NBD_CMD_DISC: 1183 /* unreachable, thanks to special case in nbd_co_receive_request() */ 1184 abort(); 1185 1186 case NBD_CMD_FLUSH: 1187 TRACE("Request type is FLUSH"); 1188 1189 ret = blk_co_flush(exp->blk); 1190 if (ret < 0) { 1191 LOG("flush failed"); 1192 reply.error = -ret; 1193 } 1194 if (nbd_co_send_reply(req, &reply, 0) < 0) { 1195 goto out; 1196 } 1197 break; 1198 case NBD_CMD_TRIM: 1199 TRACE("Request type is TRIM"); 1200 ret = blk_co_pdiscard(exp->blk, request.from + exp->dev_offset, 1201 request.len); 1202 if (ret < 0) { 1203 LOG("discard failed"); 1204 reply.error = -ret; 1205 } 1206 if (nbd_co_send_reply(req, &reply, 0) < 0) { 1207 goto out; 1208 } 1209 break; 1210 default: 1211 LOG("invalid request type (%" PRIu32 ") received", request.type); 1212 reply.error = EINVAL; 1213 error_reply: 1214 /* We must disconnect after NBD_CMD_WRITE if we did not 1215 * read the payload. 1216 */ 1217 if (nbd_co_send_reply(req, &reply, 0) < 0 || !req->complete) { 1218 goto out; 1219 } 1220 break; 1221 } 1222 1223 TRACE("Request/Reply complete"); 1224 1225 done: 1226 nbd_request_put(req); 1227 return; 1228 1229 out: 1230 nbd_request_put(req); 1231 client_close(client); 1232 } 1233 1234 static void nbd_read(void *opaque) 1235 { 1236 NBDClient *client = opaque; 1237 1238 if (client->recv_coroutine) { 1239 qemu_coroutine_enter(client->recv_coroutine); 1240 } else { 1241 qemu_coroutine_enter(qemu_coroutine_create(nbd_trip, client)); 1242 } 1243 } 1244 1245 static void nbd_restart_write(void *opaque) 1246 { 1247 NBDClient *client = opaque; 1248 1249 qemu_coroutine_enter(client->send_coroutine); 1250 } 1251 1252 static void nbd_set_handlers(NBDClient *client) 1253 { 1254 if (client->exp && client->exp->ctx) { 1255 aio_set_fd_handler(client->exp->ctx, client->sioc->fd, 1256 true, 1257 client->can_read ? nbd_read : NULL, 1258 client->send_coroutine ? nbd_restart_write : NULL, 1259 client); 1260 } 1261 } 1262 1263 static void nbd_unset_handlers(NBDClient *client) 1264 { 1265 if (client->exp && client->exp->ctx) { 1266 aio_set_fd_handler(client->exp->ctx, client->sioc->fd, 1267 true, NULL, NULL, NULL); 1268 } 1269 } 1270 1271 static void nbd_update_can_read(NBDClient *client) 1272 { 1273 bool can_read = client->recv_coroutine || 1274 client->nb_requests < MAX_NBD_REQUESTS; 1275 1276 if (can_read != client->can_read) { 1277 client->can_read = can_read; 1278 nbd_set_handlers(client); 1279 1280 /* There is no need to invoke aio_notify(), since aio_set_fd_handler() 1281 * in nbd_set_handlers() will have taken care of that */ 1282 } 1283 } 1284 1285 static coroutine_fn void nbd_co_client_start(void *opaque) 1286 { 1287 NBDClientNewData *data = opaque; 1288 NBDClient *client = data->client; 1289 NBDExport *exp = client->exp; 1290 1291 if (exp) { 1292 nbd_export_get(exp); 1293 } 1294 if (nbd_negotiate(data)) { 1295 client_close(client); 1296 goto out; 1297 } 1298 qemu_co_mutex_init(&client->send_lock); 1299 nbd_set_handlers(client); 1300 1301 if (exp) { 1302 QTAILQ_INSERT_TAIL(&exp->clients, client, next); 1303 } 1304 out: 1305 g_free(data); 1306 } 1307 1308 void nbd_client_new(NBDExport *exp, 1309 QIOChannelSocket *sioc, 1310 QCryptoTLSCreds *tlscreds, 1311 const char *tlsaclname, 1312 void (*close_fn)(NBDClient *)) 1313 { 1314 NBDClient *client; 1315 NBDClientNewData *data = g_new(NBDClientNewData, 1); 1316 1317 client = g_malloc0(sizeof(NBDClient)); 1318 client->refcount = 1; 1319 client->exp = exp; 1320 client->tlscreds = tlscreds; 1321 if (tlscreds) { 1322 object_ref(OBJECT(client->tlscreds)); 1323 } 1324 client->tlsaclname = g_strdup(tlsaclname); 1325 client->sioc = sioc; 1326 object_ref(OBJECT(client->sioc)); 1327 client->ioc = QIO_CHANNEL(sioc); 1328 object_ref(OBJECT(client->ioc)); 1329 client->can_read = true; 1330 client->close = close_fn; 1331 1332 data->client = client; 1333 data->co = qemu_coroutine_create(nbd_co_client_start, data); 1334 qemu_coroutine_enter(data->co); 1335 } 1336