1 /*
2  * Block node graph modifications tests
3  *
4  * Copyright (c) 2019-2021 Virtuozzo International GmbH. All rights reserved.
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "qemu/main-loop.h"
24 #include "block/block_int.h"
25 #include "sysemu/block-backend.h"
26 
27 static BlockDriver bdrv_pass_through = {
28     .format_name = "pass-through",
29     .is_filter = true,
30     .filtered_child_is_backing = true,
31     .bdrv_child_perm = bdrv_default_perms,
32 };
33 
34 static void no_perm_default_perms(BlockDriverState *bs, BdrvChild *c,
35                                          BdrvChildRole role,
36                                          BlockReopenQueue *reopen_queue,
37                                          uint64_t perm, uint64_t shared,
38                                          uint64_t *nperm, uint64_t *nshared)
39 {
40     *nperm = 0;
41     *nshared = BLK_PERM_ALL;
42 }
43 
44 static BlockDriver bdrv_no_perm = {
45     .format_name = "no-perm",
46     .supports_backing = true,
47     .bdrv_child_perm = no_perm_default_perms,
48 };
49 
50 static void exclusive_write_perms(BlockDriverState *bs, BdrvChild *c,
51                                   BdrvChildRole role,
52                                   BlockReopenQueue *reopen_queue,
53                                   uint64_t perm, uint64_t shared,
54                                   uint64_t *nperm, uint64_t *nshared)
55 {
56     *nperm = BLK_PERM_WRITE;
57     *nshared = BLK_PERM_ALL & ~BLK_PERM_WRITE;
58 }
59 
60 static BlockDriver bdrv_exclusive_writer = {
61     .format_name = "exclusive-writer",
62     .is_filter = true,
63     .filtered_child_is_backing = true,
64     .bdrv_child_perm = exclusive_write_perms,
65 };
66 
67 static BlockDriverState *no_perm_node(const char *name)
68 {
69     return bdrv_new_open_driver(&bdrv_no_perm, name, BDRV_O_RDWR, &error_abort);
70 }
71 
72 static BlockDriverState *pass_through_node(const char *name)
73 {
74     return bdrv_new_open_driver(&bdrv_pass_through, name,
75                                 BDRV_O_RDWR, &error_abort);
76 }
77 
78 static BlockDriverState *exclusive_writer_node(const char *name)
79 {
80     return bdrv_new_open_driver(&bdrv_exclusive_writer, name,
81                                 BDRV_O_RDWR, &error_abort);
82 }
83 
84 /*
85  * test_update_perm_tree
86  *
87  * When checking node for a possibility to update permissions, it's subtree
88  * should be correctly checked too. New permissions for each node should be
89  * calculated and checked in context of permissions of other nodes. If we
90  * check new permissions of the node only in context of old permissions of
91  * its neighbors, we can finish up with wrong permission graph.
92  *
93  * This test firstly create the following graph:
94  *                                +--------+
95  *                                |  root  |
96  *                                +--------+
97  *                                    |
98  *                                    | perm: write, read
99  *                                    | shared: except write
100  *                                    v
101  *  +--------------------+          +----------------+
102  *  | passthrough filter |--------->|  null-co node  |
103  *  +--------------------+          +----------------+
104  *
105  *
106  * and then, tries to append filter under node. Expected behavior: fail.
107  * Otherwise we'll get the following picture, with two BdrvChild'ren, having
108  * write permission to one node, without actually sharing it.
109  *
110  *                     +--------+
111  *                     |  root  |
112  *                     +--------+
113  *                         |
114  *                         | perm: write, read
115  *                         | shared: except write
116  *                         v
117  *                +--------------------+
118  *                | passthrough filter |
119  *                +--------------------+
120  *                       |   |
121  *     perm: write, read |   | perm: write, read
122  *  shared: except write |   | shared: except write
123  *                       v   v
124  *                +----------------+
125  *                |  null co node  |
126  *                +----------------+
127  */
128 static void test_update_perm_tree(void)
129 {
130     int ret;
131 
132     BlockBackend *root = blk_new(qemu_get_aio_context(),
133                                  BLK_PERM_WRITE | BLK_PERM_CONSISTENT_READ,
134                                  BLK_PERM_ALL & ~BLK_PERM_WRITE);
135     BlockDriverState *bs = no_perm_node("node");
136     BlockDriverState *filter = pass_through_node("filter");
137 
138     blk_insert_bs(root, bs, &error_abort);
139 
140     bdrv_graph_wrlock(NULL);
141     bdrv_attach_child(filter, bs, "child", &child_of_bds,
142                       BDRV_CHILD_DATA, &error_abort);
143     bdrv_graph_wrunlock();
144 
145     aio_context_acquire(qemu_get_aio_context());
146     ret = bdrv_append(filter, bs, NULL);
147     g_assert_cmpint(ret, <, 0);
148     aio_context_release(qemu_get_aio_context());
149 
150     bdrv_unref(filter);
151     blk_unref(root);
152 }
153 
154 /*
155  * test_should_update_child
156  *
157  * Test that bdrv_replace_node, and concretely should_update_child
158  * do the right thing, i.e. not creating loops on the graph.
159  *
160  * The test does the following:
161  * 1. initial graph:
162  *
163  *   +------+          +--------+
164  *   | root |          | filter |
165  *   +------+          +--------+
166  *      |                  |
167  *  root|            target|
168  *      v                  v
169  *   +------+          +--------+
170  *   | node |<---------| target |
171  *   +------+  backing +--------+
172  *
173  * 2. Append @filter above @node. If should_update_child works correctly,
174  * it understands, that backing child of @target should not be updated,
175  * as it will create a loop on node graph. Resulting picture should
176  * be the left one, not the right:
177  *
178  *     +------+                            +------+
179  *     | root |                            | root |
180  *     +------+                            +------+
181  *        |                                   |
182  *    root|                               root|
183  *        v                                   v
184  *    +--------+   target                 +--------+   target
185  *    | filter |--------------+           | filter |--------------+
186  *    +--------+              |           +--------+              |
187  *        |                   |               |  ^                v
188  * backing|                   |        backing|  |           +--------+
189  *        v                   v               |  +-----------| target |
190  *     +------+          +--------+           v      backing +--------+
191  *     | node |<---------| target |        +------+
192  *     +------+  backing +--------+        | node |
193  *                                         +------+
194  *
195  *    (good picture)                       (bad picture)
196  *
197  */
198 static void test_should_update_child(void)
199 {
200     BlockBackend *root = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
201     BlockDriverState *bs = no_perm_node("node");
202     BlockDriverState *filter = no_perm_node("filter");
203     BlockDriverState *target = no_perm_node("target");
204 
205     blk_insert_bs(root, bs, &error_abort);
206 
207     bdrv_set_backing_hd(target, bs, &error_abort);
208 
209     bdrv_graph_wrlock(NULL);
210     g_assert(target->backing->bs == bs);
211     bdrv_attach_child(filter, target, "target", &child_of_bds,
212                       BDRV_CHILD_DATA, &error_abort);
213     bdrv_graph_wrunlock();
214     aio_context_acquire(qemu_get_aio_context());
215     bdrv_append(filter, bs, &error_abort);
216     aio_context_release(qemu_get_aio_context());
217 
218     bdrv_graph_rdlock_main_loop();
219     g_assert(target->backing->bs == bs);
220     bdrv_graph_rdunlock_main_loop();
221 
222     bdrv_unref(filter);
223     bdrv_unref(bs);
224     blk_unref(root);
225 }
226 
227 /*
228  * test_parallel_exclusive_write
229  *
230  * Check that when we replace node, old permissions of the node being removed
231  * doesn't break the replacement.
232  */
233 static void test_parallel_exclusive_write(void)
234 {
235     BlockDriverState *top = exclusive_writer_node("top");
236     BlockDriverState *base = no_perm_node("base");
237     BlockDriverState *fl1 = pass_through_node("fl1");
238     BlockDriverState *fl2 = pass_through_node("fl2");
239 
240     bdrv_drained_begin(fl1);
241     bdrv_drained_begin(fl2);
242 
243     /*
244      * bdrv_attach_child() eats child bs reference, so we need two @base
245      * references for two filters. We also need an additional @fl1 reference so
246      * that it still exists when we want to undrain it.
247      */
248     bdrv_ref(base);
249     bdrv_ref(fl1);
250 
251     bdrv_graph_wrlock(NULL);
252     bdrv_attach_child(top, fl1, "backing", &child_of_bds,
253                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
254                       &error_abort);
255     bdrv_attach_child(fl1, base, "backing", &child_of_bds,
256                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
257                       &error_abort);
258     bdrv_attach_child(fl2, base, "backing", &child_of_bds,
259                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
260                       &error_abort);
261 
262     bdrv_replace_node(fl1, fl2, &error_abort);
263     bdrv_graph_wrunlock();
264 
265     bdrv_drained_end(fl2);
266     bdrv_drained_end(fl1);
267 
268     bdrv_unref(fl1);
269     bdrv_unref(fl2);
270     bdrv_unref(top);
271 }
272 
273 /*
274  * write-to-selected node may have several DATA children, one of them may be
275  * "selected". Exclusive write permission is taken on selected child.
276  *
277  * We don't realize write handler itself, as we need only to test how permission
278  * update works.
279  */
280 typedef struct BDRVWriteToSelectedState {
281     BdrvChild *selected;
282 } BDRVWriteToSelectedState;
283 
284 static void write_to_selected_perms(BlockDriverState *bs, BdrvChild *c,
285                                     BdrvChildRole role,
286                                     BlockReopenQueue *reopen_queue,
287                                     uint64_t perm, uint64_t shared,
288                                     uint64_t *nperm, uint64_t *nshared)
289 {
290     BDRVWriteToSelectedState *s = bs->opaque;
291 
292     if (s->selected && c == s->selected) {
293         *nperm = BLK_PERM_WRITE;
294         *nshared = BLK_PERM_ALL & ~BLK_PERM_WRITE;
295     } else {
296         *nperm = 0;
297         *nshared = BLK_PERM_ALL;
298     }
299 }
300 
301 static BlockDriver bdrv_write_to_selected = {
302     .format_name = "write-to-selected",
303     .instance_size = sizeof(BDRVWriteToSelectedState),
304     .bdrv_child_perm = write_to_selected_perms,
305 };
306 
307 
308 /*
309  * The following test shows that topological-sort order is required for
310  * permission update, simple DFS is not enough.
311  *
312  * Consider the block driver (write-to-selected) which has two children: one is
313  * selected so we have exclusive write access to it and for the other one we
314  * don't need any specific permissions.
315  *
316  * And, these two children has a common base child, like this:
317  *   (additional "top" on top is used in test just because the only public
318  *    function to update permission should get a specific child to update.
319  *    Making bdrv_refresh_perms() public just for this test isn't worth it)
320  *
321  * ┌─────┐     ┌───────────────────┐     ┌─────┐
322  * │ fl2 │ ◀── │ write-to-selected │ ◀── │ top │
323  * └─────┘     └───────────────────┘     └─────┘
324  *   │           │
325  *   │           │ w
326  *   │           ▼
327  *   │         ┌──────┐
328  *   │         │ fl1  │
329  *   │         └──────┘
330  *   │           │
331  *   │           │ w
332  *   │           ▼
333  *   │         ┌──────┐
334  *   └───────▶ │ base │
335  *             └──────┘
336  *
337  * So, exclusive write is propagated.
338  *
339  * Assume, we want to select fl2 instead of fl1.
340  * So, we set some option for write-to-selected driver and do permission update.
341  *
342  * With simple DFS, if permission update goes first through
343  * write-to-selected -> fl1 -> base branch it will succeed: it firstly drop
344  * exclusive write permissions and than apply them for another BdrvChildren.
345  * But if permission update goes first through write-to-selected -> fl2 -> base
346  * branch it will fail, as when we try to update fl2->base child, old not yet
347  * updated fl1->base child will be in conflict.
348  *
349  * With topological-sort order we always update parents before children, so fl1
350  * and fl2 are both updated when we update base and there is no conflict.
351  */
352 static void test_parallel_perm_update(void)
353 {
354     BlockDriverState *top = no_perm_node("top");
355     BlockDriverState *ws =
356             bdrv_new_open_driver(&bdrv_write_to_selected, "ws", BDRV_O_RDWR,
357                                  &error_abort);
358     BDRVWriteToSelectedState *s = ws->opaque;
359     BlockDriverState *base = no_perm_node("base");
360     BlockDriverState *fl1 = pass_through_node("fl1");
361     BlockDriverState *fl2 = pass_through_node("fl2");
362     BdrvChild *c_fl1, *c_fl2;
363 
364     /*
365      * bdrv_attach_child() eats child bs reference, so we need two @base
366      * references for two filters:
367      */
368     bdrv_ref(base);
369 
370     bdrv_graph_wrlock(NULL);
371     bdrv_attach_child(top, ws, "file", &child_of_bds, BDRV_CHILD_DATA,
372                       &error_abort);
373     c_fl1 = bdrv_attach_child(ws, fl1, "first", &child_of_bds,
374                               BDRV_CHILD_DATA, &error_abort);
375     c_fl2 = bdrv_attach_child(ws, fl2, "second", &child_of_bds,
376                               BDRV_CHILD_DATA, &error_abort);
377     bdrv_attach_child(fl1, base, "backing", &child_of_bds,
378                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
379                       &error_abort);
380     bdrv_attach_child(fl2, base, "backing", &child_of_bds,
381                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
382                       &error_abort);
383     bdrv_graph_wrunlock();
384 
385     /* Select fl1 as first child to be active */
386     s->selected = c_fl1;
387 
388     bdrv_graph_rdlock_main_loop();
389 
390     bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort);
391 
392     assert(c_fl1->perm & BLK_PERM_WRITE);
393     assert(!(c_fl2->perm & BLK_PERM_WRITE));
394 
395     /* Now, try to switch active child and update permissions */
396     s->selected = c_fl2;
397     bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort);
398 
399     assert(c_fl2->perm & BLK_PERM_WRITE);
400     assert(!(c_fl1->perm & BLK_PERM_WRITE));
401 
402     /* Switch once more, to not care about real child order in the list */
403     s->selected = c_fl1;
404     bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort);
405 
406     assert(c_fl1->perm & BLK_PERM_WRITE);
407     assert(!(c_fl2->perm & BLK_PERM_WRITE));
408 
409     bdrv_graph_rdunlock_main_loop();
410     bdrv_unref(top);
411 }
412 
413 /*
414  * It's possible that filter required permissions allows to insert it to backing
415  * chain, like:
416  *
417  *  1.  [top] -> [filter] -> [base]
418  *
419  * but doesn't allow to add it as a branch:
420  *
421  *  2.  [filter] --\
422  *                 v
423  *      [top] -> [base]
424  *
425  * So, inserting such filter should do all graph modifications and only then
426  * update permissions. If we try to go through intermediate state [2] and update
427  * permissions on it we'll fail.
428  *
429  * Let's check that bdrv_append() can append such a filter.
430  */
431 static void test_append_greedy_filter(void)
432 {
433     BlockDriverState *top = exclusive_writer_node("top");
434     BlockDriverState *base = no_perm_node("base");
435     BlockDriverState *fl = exclusive_writer_node("fl1");
436 
437     bdrv_graph_wrlock(NULL);
438     bdrv_attach_child(top, base, "backing", &child_of_bds,
439                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
440                       &error_abort);
441     bdrv_graph_wrunlock();
442 
443     aio_context_acquire(qemu_get_aio_context());
444     bdrv_append(fl, base, &error_abort);
445     aio_context_release(qemu_get_aio_context());
446     bdrv_unref(fl);
447     bdrv_unref(top);
448 }
449 
450 int main(int argc, char *argv[])
451 {
452     bdrv_init();
453     qemu_init_main_loop(&error_abort);
454 
455     g_test_init(&argc, &argv, NULL);
456 
457     g_test_add_func("/bdrv-graph-mod/update-perm-tree", test_update_perm_tree);
458     g_test_add_func("/bdrv-graph-mod/should-update-child",
459                     test_should_update_child);
460     g_test_add_func("/bdrv-graph-mod/parallel-perm-update",
461                     test_parallel_perm_update);
462     g_test_add_func("/bdrv-graph-mod/parallel-exclusive-write",
463                     test_parallel_exclusive_write);
464     g_test_add_func("/bdrv-graph-mod/append-greedy-filter",
465                     test_append_greedy_filter);
466 
467     return g_test_run();
468 }
469