1 /*
2  * Block node graph modifications tests
3  *
4  * Copyright (c) 2019-2021 Virtuozzo International GmbH. All rights reserved.
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "qemu/main-loop.h"
24 #include "block/block_int.h"
25 #include "sysemu/block-backend.h"
26 
27 static BlockDriver bdrv_pass_through = {
28     .format_name = "pass-through",
29     .is_filter = true,
30     .filtered_child_is_backing = true,
31     .bdrv_child_perm = bdrv_default_perms,
32 };
33 
34 static void no_perm_default_perms(BlockDriverState *bs, BdrvChild *c,
35                                          BdrvChildRole role,
36                                          BlockReopenQueue *reopen_queue,
37                                          uint64_t perm, uint64_t shared,
38                                          uint64_t *nperm, uint64_t *nshared)
39 {
40     *nperm = 0;
41     *nshared = BLK_PERM_ALL;
42 }
43 
44 static BlockDriver bdrv_no_perm = {
45     .format_name = "no-perm",
46     .supports_backing = true,
47     .bdrv_child_perm = no_perm_default_perms,
48 };
49 
50 static void exclusive_write_perms(BlockDriverState *bs, BdrvChild *c,
51                                   BdrvChildRole role,
52                                   BlockReopenQueue *reopen_queue,
53                                   uint64_t perm, uint64_t shared,
54                                   uint64_t *nperm, uint64_t *nshared)
55 {
56     *nperm = BLK_PERM_WRITE;
57     *nshared = BLK_PERM_ALL & ~BLK_PERM_WRITE;
58 }
59 
60 static BlockDriver bdrv_exclusive_writer = {
61     .format_name = "exclusive-writer",
62     .is_filter = true,
63     .filtered_child_is_backing = true,
64     .bdrv_child_perm = exclusive_write_perms,
65 };
66 
67 static BlockDriverState *no_perm_node(const char *name)
68 {
69     return bdrv_new_open_driver(&bdrv_no_perm, name, BDRV_O_RDWR, &error_abort);
70 }
71 
72 static BlockDriverState *pass_through_node(const char *name)
73 {
74     return bdrv_new_open_driver(&bdrv_pass_through, name,
75                                 BDRV_O_RDWR, &error_abort);
76 }
77 
78 static BlockDriverState *exclusive_writer_node(const char *name)
79 {
80     return bdrv_new_open_driver(&bdrv_exclusive_writer, name,
81                                 BDRV_O_RDWR, &error_abort);
82 }
83 
84 /*
85  * test_update_perm_tree
86  *
87  * When checking node for a possibility to update permissions, it's subtree
88  * should be correctly checked too. New permissions for each node should be
89  * calculated and checked in context of permissions of other nodes. If we
90  * check new permissions of the node only in context of old permissions of
91  * its neighbors, we can finish up with wrong permission graph.
92  *
93  * This test firstly create the following graph:
94  *                                +--------+
95  *                                |  root  |
96  *                                +--------+
97  *                                    |
98  *                                    | perm: write, read
99  *                                    | shared: except write
100  *                                    v
101  *  +--------------------+          +----------------+
102  *  | passthrough filter |--------->|  null-co node  |
103  *  +--------------------+          +----------------+
104  *
105  *
106  * and then, tries to append filter under node. Expected behavior: fail.
107  * Otherwise we'll get the following picture, with two BdrvChild'ren, having
108  * write permission to one node, without actually sharing it.
109  *
110  *                     +--------+
111  *                     |  root  |
112  *                     +--------+
113  *                         |
114  *                         | perm: write, read
115  *                         | shared: except write
116  *                         v
117  *                +--------------------+
118  *                | passthrough filter |
119  *                +--------------------+
120  *                       |   |
121  *     perm: write, read |   | perm: write, read
122  *  shared: except write |   | shared: except write
123  *                       v   v
124  *                +----------------+
125  *                |  null co node  |
126  *                +----------------+
127  */
128 static void test_update_perm_tree(void)
129 {
130     int ret;
131 
132     BlockBackend *root = blk_new(qemu_get_aio_context(),
133                                  BLK_PERM_WRITE | BLK_PERM_CONSISTENT_READ,
134                                  BLK_PERM_ALL & ~BLK_PERM_WRITE);
135     BlockDriverState *bs = no_perm_node("node");
136     BlockDriverState *filter = pass_through_node("filter");
137 
138     blk_insert_bs(root, bs, &error_abort);
139 
140     bdrv_graph_wrlock();
141     bdrv_attach_child(filter, bs, "child", &child_of_bds,
142                       BDRV_CHILD_DATA, &error_abort);
143     bdrv_graph_wrunlock();
144 
145     ret = bdrv_append(filter, bs, NULL);
146     g_assert_cmpint(ret, <, 0);
147 
148     bdrv_unref(filter);
149     blk_unref(root);
150 }
151 
152 /*
153  * test_should_update_child
154  *
155  * Test that bdrv_replace_node, and concretely should_update_child
156  * do the right thing, i.e. not creating loops on the graph.
157  *
158  * The test does the following:
159  * 1. initial graph:
160  *
161  *   +------+          +--------+
162  *   | root |          | filter |
163  *   +------+          +--------+
164  *      |                  |
165  *  root|            target|
166  *      v                  v
167  *   +------+          +--------+
168  *   | node |<---------| target |
169  *   +------+  backing +--------+
170  *
171  * 2. Append @filter above @node. If should_update_child works correctly,
172  * it understands, that backing child of @target should not be updated,
173  * as it will create a loop on node graph. Resulting picture should
174  * be the left one, not the right:
175  *
176  *     +------+                            +------+
177  *     | root |                            | root |
178  *     +------+                            +------+
179  *        |                                   |
180  *    root|                               root|
181  *        v                                   v
182  *    +--------+   target                 +--------+   target
183  *    | filter |--------------+           | filter |--------------+
184  *    +--------+              |           +--------+              |
185  *        |                   |               |  ^                v
186  * backing|                   |        backing|  |           +--------+
187  *        v                   v               |  +-----------| target |
188  *     +------+          +--------+           v      backing +--------+
189  *     | node |<---------| target |        +------+
190  *     +------+  backing +--------+        | node |
191  *                                         +------+
192  *
193  *    (good picture)                       (bad picture)
194  *
195  */
196 static void test_should_update_child(void)
197 {
198     BlockBackend *root = blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
199     BlockDriverState *bs = no_perm_node("node");
200     BlockDriverState *filter = no_perm_node("filter");
201     BlockDriverState *target = no_perm_node("target");
202 
203     blk_insert_bs(root, bs, &error_abort);
204 
205     bdrv_set_backing_hd(target, bs, &error_abort);
206 
207     bdrv_graph_wrlock();
208     g_assert(target->backing->bs == bs);
209     bdrv_attach_child(filter, target, "target", &child_of_bds,
210                       BDRV_CHILD_DATA, &error_abort);
211     bdrv_graph_wrunlock();
212     bdrv_append(filter, bs, &error_abort);
213 
214     bdrv_graph_rdlock_main_loop();
215     g_assert(target->backing->bs == bs);
216     bdrv_graph_rdunlock_main_loop();
217 
218     bdrv_unref(filter);
219     bdrv_unref(bs);
220     blk_unref(root);
221 }
222 
223 /*
224  * test_parallel_exclusive_write
225  *
226  * Check that when we replace node, old permissions of the node being removed
227  * doesn't break the replacement.
228  */
229 static void test_parallel_exclusive_write(void)
230 {
231     BlockDriverState *top = exclusive_writer_node("top");
232     BlockDriverState *base = no_perm_node("base");
233     BlockDriverState *fl1 = pass_through_node("fl1");
234     BlockDriverState *fl2 = pass_through_node("fl2");
235 
236     bdrv_drained_begin(fl1);
237     bdrv_drained_begin(fl2);
238 
239     /*
240      * bdrv_attach_child() eats child bs reference, so we need two @base
241      * references for two filters. We also need an additional @fl1 reference so
242      * that it still exists when we want to undrain it.
243      */
244     bdrv_ref(base);
245     bdrv_ref(fl1);
246 
247     bdrv_graph_wrlock();
248     bdrv_attach_child(top, fl1, "backing", &child_of_bds,
249                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
250                       &error_abort);
251     bdrv_attach_child(fl1, base, "backing", &child_of_bds,
252                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
253                       &error_abort);
254     bdrv_attach_child(fl2, base, "backing", &child_of_bds,
255                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
256                       &error_abort);
257 
258     bdrv_replace_node(fl1, fl2, &error_abort);
259     bdrv_graph_wrunlock();
260 
261     bdrv_drained_end(fl2);
262     bdrv_drained_end(fl1);
263 
264     bdrv_unref(fl1);
265     bdrv_unref(fl2);
266     bdrv_unref(top);
267 }
268 
269 /*
270  * write-to-selected node may have several DATA children, one of them may be
271  * "selected". Exclusive write permission is taken on selected child.
272  *
273  * We don't realize write handler itself, as we need only to test how permission
274  * update works.
275  */
276 typedef struct BDRVWriteToSelectedState {
277     BdrvChild *selected;
278 } BDRVWriteToSelectedState;
279 
280 static void write_to_selected_perms(BlockDriverState *bs, BdrvChild *c,
281                                     BdrvChildRole role,
282                                     BlockReopenQueue *reopen_queue,
283                                     uint64_t perm, uint64_t shared,
284                                     uint64_t *nperm, uint64_t *nshared)
285 {
286     BDRVWriteToSelectedState *s = bs->opaque;
287 
288     if (s->selected && c == s->selected) {
289         *nperm = BLK_PERM_WRITE;
290         *nshared = BLK_PERM_ALL & ~BLK_PERM_WRITE;
291     } else {
292         *nperm = 0;
293         *nshared = BLK_PERM_ALL;
294     }
295 }
296 
297 static BlockDriver bdrv_write_to_selected = {
298     .format_name = "write-to-selected",
299     .instance_size = sizeof(BDRVWriteToSelectedState),
300     .bdrv_child_perm = write_to_selected_perms,
301 };
302 
303 
304 /*
305  * The following test shows that topological-sort order is required for
306  * permission update, simple DFS is not enough.
307  *
308  * Consider the block driver (write-to-selected) which has two children: one is
309  * selected so we have exclusive write access to it and for the other one we
310  * don't need any specific permissions.
311  *
312  * And, these two children has a common base child, like this:
313  *   (additional "top" on top is used in test just because the only public
314  *    function to update permission should get a specific child to update.
315  *    Making bdrv_refresh_perms() public just for this test isn't worth it)
316  *
317  * ┌─────┐     ┌───────────────────┐     ┌─────┐
318  * │ fl2 │ ◀── │ write-to-selected │ ◀── │ top │
319  * └─────┘     └───────────────────┘     └─────┘
320  *   │           │
321  *   │           │ w
322  *   │           ▼
323  *   │         ┌──────┐
324  *   │         │ fl1  │
325  *   │         └──────┘
326  *   │           │
327  *   │           │ w
328  *   │           ▼
329  *   │         ┌──────┐
330  *   └───────▶ │ base │
331  *             └──────┘
332  *
333  * So, exclusive write is propagated.
334  *
335  * Assume, we want to select fl2 instead of fl1.
336  * So, we set some option for write-to-selected driver and do permission update.
337  *
338  * With simple DFS, if permission update goes first through
339  * write-to-selected -> fl1 -> base branch it will succeed: it firstly drop
340  * exclusive write permissions and than apply them for another BdrvChildren.
341  * But if permission update goes first through write-to-selected -> fl2 -> base
342  * branch it will fail, as when we try to update fl2->base child, old not yet
343  * updated fl1->base child will be in conflict.
344  *
345  * With topological-sort order we always update parents before children, so fl1
346  * and fl2 are both updated when we update base and there is no conflict.
347  */
348 static void test_parallel_perm_update(void)
349 {
350     BlockDriverState *top = no_perm_node("top");
351     BlockDriverState *ws =
352             bdrv_new_open_driver(&bdrv_write_to_selected, "ws", BDRV_O_RDWR,
353                                  &error_abort);
354     BDRVWriteToSelectedState *s = ws->opaque;
355     BlockDriverState *base = no_perm_node("base");
356     BlockDriverState *fl1 = pass_through_node("fl1");
357     BlockDriverState *fl2 = pass_through_node("fl2");
358     BdrvChild *c_fl1, *c_fl2;
359 
360     /*
361      * bdrv_attach_child() eats child bs reference, so we need two @base
362      * references for two filters:
363      */
364     bdrv_ref(base);
365 
366     bdrv_graph_wrlock();
367     bdrv_attach_child(top, ws, "file", &child_of_bds, BDRV_CHILD_DATA,
368                       &error_abort);
369     c_fl1 = bdrv_attach_child(ws, fl1, "first", &child_of_bds,
370                               BDRV_CHILD_DATA, &error_abort);
371     c_fl2 = bdrv_attach_child(ws, fl2, "second", &child_of_bds,
372                               BDRV_CHILD_DATA, &error_abort);
373     bdrv_attach_child(fl1, base, "backing", &child_of_bds,
374                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
375                       &error_abort);
376     bdrv_attach_child(fl2, base, "backing", &child_of_bds,
377                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
378                       &error_abort);
379     bdrv_graph_wrunlock();
380 
381     /* Select fl1 as first child to be active */
382     s->selected = c_fl1;
383 
384     bdrv_graph_rdlock_main_loop();
385 
386     bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort);
387 
388     assert(c_fl1->perm & BLK_PERM_WRITE);
389     assert(!(c_fl2->perm & BLK_PERM_WRITE));
390 
391     /* Now, try to switch active child and update permissions */
392     s->selected = c_fl2;
393     bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort);
394 
395     assert(c_fl2->perm & BLK_PERM_WRITE);
396     assert(!(c_fl1->perm & BLK_PERM_WRITE));
397 
398     /* Switch once more, to not care about real child order in the list */
399     s->selected = c_fl1;
400     bdrv_child_refresh_perms(top, top->children.lh_first, &error_abort);
401 
402     assert(c_fl1->perm & BLK_PERM_WRITE);
403     assert(!(c_fl2->perm & BLK_PERM_WRITE));
404 
405     bdrv_graph_rdunlock_main_loop();
406     bdrv_unref(top);
407 }
408 
409 /*
410  * It's possible that filter required permissions allows to insert it to backing
411  * chain, like:
412  *
413  *  1.  [top] -> [filter] -> [base]
414  *
415  * but doesn't allow to add it as a branch:
416  *
417  *  2.  [filter] --\
418  *                 v
419  *      [top] -> [base]
420  *
421  * So, inserting such filter should do all graph modifications and only then
422  * update permissions. If we try to go through intermediate state [2] and update
423  * permissions on it we'll fail.
424  *
425  * Let's check that bdrv_append() can append such a filter.
426  */
427 static void test_append_greedy_filter(void)
428 {
429     BlockDriverState *top = exclusive_writer_node("top");
430     BlockDriverState *base = no_perm_node("base");
431     BlockDriverState *fl = exclusive_writer_node("fl1");
432 
433     bdrv_graph_wrlock();
434     bdrv_attach_child(top, base, "backing", &child_of_bds,
435                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
436                       &error_abort);
437     bdrv_graph_wrunlock();
438 
439     bdrv_append(fl, base, &error_abort);
440     bdrv_unref(fl);
441     bdrv_unref(top);
442 }
443 
444 int main(int argc, char *argv[])
445 {
446     bdrv_init();
447     qemu_init_main_loop(&error_abort);
448 
449     g_test_init(&argc, &argv, NULL);
450 
451     g_test_add_func("/bdrv-graph-mod/update-perm-tree", test_update_perm_tree);
452     g_test_add_func("/bdrv-graph-mod/should-update-child",
453                     test_should_update_child);
454     g_test_add_func("/bdrv-graph-mod/parallel-perm-update",
455                     test_parallel_perm_update);
456     g_test_add_func("/bdrv-graph-mod/parallel-exclusive-write",
457                     test_parallel_exclusive_write);
458     g_test_add_func("/bdrv-graph-mod/append-greedy-filter",
459                     test_append_greedy_filter);
460 
461     return g_test_run();
462 }
463