[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 15/22] mirror: Prevent loops
|
From: |
Vladimir Sementsov-Ogievskiy |
|
Subject: |
Re: [PATCH 15/22] mirror: Prevent loops |
|
Date: |
Thu, 26 Sep 2019 13:08:43 +0000 |
20.09.2019 18:27, Max Reitz wrote:
> While bdrv_replace_node() will not follow through with it, a specific
> @replaces asks the mirror job to create a loop.
>
> For example, say both the source and the target share a child where the
> source is a filter; by letting @replaces point to the common child, you
> ask for a loop.
source[filter]
|
v
child <----- target
and we want target to be a child if itself. OK, it's a loop.
>
> Or if you use @replaces in drive-mirror with sync=none and
> mode=absolute-paths, you generally ask for a loop (@replaces must point
> to a child of the source, and sync=none makes the source the backing
> file of the target after the job).
>
> bdrv_replace_node() will not create those loops, but it by doing so, it
s/but it/but ?
> ignores the user-requested configuration, which is not ideally either.
> (In the first example above, the target's child will remain what it was,
> which may still be reasonable. But in the second example, the target
> will just not become a child of the source, which is precisely what was
> requested with @replaces.)
so you say that second example is bad [1]
>
> So prevent such configurations, both before the job, and before it
> actually completes.
>
> Signed-off-by: Max Reitz <address@hidden>
> ---
> include/block/block_int.h | 3 +++
> block.c | 30 ++++++++++++++++++++++++
> block/mirror.c | 19 +++++++++++++++-
> blockdev.c | 48 ++++++++++++++++++++++++++++++++++++++-
> 4 files changed, 98 insertions(+), 2 deletions(-)
>
> diff --git a/include/block/block_int.h b/include/block/block_int.h
> index 70f26530c9..8a26a0d88a 100644
> --- a/include/block/block_int.h
> +++ b/include/block/block_int.h
> @@ -1256,6 +1256,9 @@ void bdrv_format_default_perms(BlockDriverState *bs,
> BdrvChild *c,
> bool bdrv_recurse_can_replace(BlockDriverState *bs,
> BlockDriverState *to_replace);
>
> +bool bdrv_is_child_of(BlockDriverState *child, BlockDriverState *parent,
> + int min_level);
> +
> /*
> * Default implementation for drivers to pass bdrv_co_block_status() to
> * their file.
> diff --git a/block.c b/block.c
> index 0d9b3de98f..332191fb47 100644
> --- a/block.c
> +++ b/block.c
> @@ -6260,6 +6260,36 @@ out:
> return to_replace_bs;
> }
>
> +/*
> + * Return true iff @child is a (recursive) child of @parent, with at
> + * least @min_level edges between them.
> + *
> + * (If @min_level == 0, return true if @child == @parent. For
> + * @min_level == 1, @child needs to be at least a real child; for
> + * @min_level == 2, it needs to be at least a grand-child; and so on.)
> + */
> +bool bdrv_is_child_of(BlockDriverState *child, BlockDriverState *parent,
> + int min_level)
> +{
> + BdrvChild *c;
> +
> + if (child == parent && min_level <= 0) {
> + return true;
> + }
> +
> + if (!parent) {
> + return false;
> + }
> +
> + QLIST_FOREACH(c, &parent->children, next) {
> + if (bdrv_is_child_of(child, c->bs, min_level - 1)) {
> + return true;
> + }
> + }
> +
> + return false;
> +}
> +
> /**
> * Iterates through the list of runtime option keys that are said to
> * be "strong" for a BDS. An option is called "strong" if it changes
> diff --git a/block/mirror.c b/block/mirror.c
> index d877637e1e..f30a6933d8 100644
> --- a/block/mirror.c
> +++ b/block/mirror.c
> @@ -701,7 +701,24 @@ static int mirror_exit_common(Job *job)
> * there.
> */
> if (bdrv_recurse_can_replace(src, to_replace)) {
> - bdrv_replace_node(to_replace, target_bs, &local_err);
> + /*
> + * It is OK for @to_replace to be an immediate child of
> + * @target_bs, because that is what happens with
> + * drive-mirror sync=none mode=absolute-paths: target_bs's
> + * backing file will be the source node, which is also
> + * to_replace (by default).
> + * bdrv_replace_node() handles this case by not letting
> + * target_bs->backing point to itself, but to the source
> + * still.
but here you said [1] is good
> + */
> + if (!bdrv_is_child_of(to_replace, target_bs, 2)) {
> + bdrv_replace_node(to_replace, target_bs, &local_err);
> + } else {
So, we allow bdrv_replace_node automatically handle case whith immediate child
of target is
replaces.. But if consider several additional filters above target (so target
is a filter),
we not allow it. Why filtered case is worse?
> + error_setg(&local_err, "Can no longer replace '%s' by '%s', "
> + "because the former is now a child of the latter,
> "
> + "and doing so would thus create a loop",
> + to_replace->node_name, target_bs->node_name);
> + }
> } else {
> error_setg(&local_err, "Can no longer replace '%s' by '%s', "
> "because it can no longer be guaranteed that doing
> so "
> diff --git a/blockdev.c b/blockdev.c
> index 0420bc29be..27344247d5 100644
> --- a/blockdev.c
> +++ b/blockdev.c
> @@ -3845,7 +3845,7 @@ static void blockdev_mirror_common(const char *job_id,
> BlockDriverState *bs,
> }
>
> if (has_replaces) {
> - BlockDriverState *to_replace_bs;
> + BlockDriverState *to_replace_bs, *target_backing_bs;
> AioContext *replace_aio_context;
> int64_t bs_size, replace_size;
>
> @@ -3860,6 +3860,52 @@ static void blockdev_mirror_common(const char *job_id,
> BlockDriverState *bs,
> return;
> }
>
> + if (bdrv_is_child_of(to_replace_bs, target, 1)) {
> + error_setg(errp, "Replacing %s by %s would result in a loop, "
> + "because the former is a child of the latter",
> + to_replace_bs->node_name, target->node_name);
> + return;
> + }
> +
> + if (backing_mode == MIRROR_SOURCE_BACKING_CHAIN ||
> + backing_mode == MIRROR_OPEN_BACKING_CHAIN)
> + {
> + /*
> + * While we do not quite know what OPEN_BACKING_CHAIN
> + * (used for mode=existing) will yield, it is probably
> + * best to restrict it exactly like SOURCE_BACKING_CHAIN,
> + * because that is our best guess.
> + */
> + switch (sync) {
> + case MIRROR_SYNC_MODE_FULL:
> + target_backing_bs = NULL;
> + break;
> +
> + case MIRROR_SYNC_MODE_TOP:
> + target_backing_bs = backing_bs(bs);
> + break;
> +
> + case MIRROR_SYNC_MODE_NONE:
> + target_backing_bs = bs;
> + break;
> +
> + default:
> + abort();
> + }
> + } else {
> + assert(backing_mode == MIRROR_LEAVE_BACKING_CHAIN);
> + target_backing_bs = backing_bs(target);
> + }
> +
> + if (bdrv_is_child_of(to_replace_bs, target_backing_bs, 0)) {
> + error_setg(errp, "Replacing '%s' by '%s' with this sync mode
> would "
> + "result in a loop, because the former would be a
> child "
> + "of the latter's backing file ('%s') after the mirror
> "
> + "job", to_replace_bs->node_name, target->node_name,
> + target_backing_bs->node_name);
> + return;
> + }
> +
> replace_aio_context = bdrv_get_aio_context(to_replace_bs);
> aio_context_acquire(replace_aio_context);
> replace_size = bdrv_getlength(to_replace_bs);
>
--
Best regards,
Vladimir
- Re: [PATCH 10/22] quorum: Implement .bdrv_recurse_can_replace(), (continued)
- [PATCH 13/22] mirror: Double-check immediately before replacing, Max Reitz, 2019/09/20
- [PATCH 16/22] iotests: Use complete_and_wait() in 155, Max Reitz, 2019/09/20
- [PATCH 17/22] iotests: Add VM.assert_block_path(), Max Reitz, 2019/09/20
- [PATCH 15/22] mirror: Prevent loops, Max Reitz, 2019/09/20
- Re: [PATCH 15/22] mirror: Prevent loops,
Vladimir Sementsov-Ogievskiy <=
- [PATCH 19/22] iotests: Use self.image_len in TestRepairQuorum, Max Reitz, 2019/09/20
- [PATCH 21/22] iotests: Check that @replaces can replace filters, Max Reitz, 2019/09/20
- [PATCH 20/22] iotests: Add tests for invalid Quorum @replaces, Max Reitz, 2019/09/20
- [PATCH 18/22] iotests: Resolve TODOs in 041, Max Reitz, 2019/09/20
- [PATCH 22/22] iotests: Mirror must not attempt to create loops, Max Reitz, 2019/09/20