qemu/block.c
<<
>>
Prefs
   1/*
   2 * QEMU System Emulator block driver
   3 *
   4 * Copyright (c) 2003 Fabrice Bellard
   5 *
   6 * Permission is hereby granted, free of charge, to any person obtaining a copy
   7 * of this software and associated documentation files (the "Software"), to deal
   8 * in the Software without restriction, including without limitation the rights
   9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  10 * copies of the Software, and to permit persons to whom the Software is
  11 * furnished to do so, subject to the following conditions:
  12 *
  13 * The above copyright notice and this permission notice shall be included in
  14 * all copies or substantial portions of the Software.
  15 *
  16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
  19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  22 * THE SOFTWARE.
  23 */
  24
  25#include "qemu/osdep.h"
  26#include "block/trace.h"
  27#include "block/block_int.h"
  28#include "block/blockjob.h"
  29#include "block/nbd.h"
  30#include "block/qdict.h"
  31#include "qemu/error-report.h"
  32#include "module_block.h"
  33#include "qemu/module.h"
  34#include "qapi/error.h"
  35#include "qapi/qmp/qdict.h"
  36#include "qapi/qmp/qjson.h"
  37#include "qapi/qmp/qnull.h"
  38#include "qapi/qmp/qstring.h"
  39#include "qapi/qobject-output-visitor.h"
  40#include "qapi/qapi-visit-block-core.h"
  41#include "sysemu/block-backend.h"
  42#include "sysemu/sysemu.h"
  43#include "qemu/notify.h"
  44#include "qemu/option.h"
  45#include "qemu/coroutine.h"
  46#include "block/qapi.h"
  47#include "qemu/timer.h"
  48#include "qemu/cutils.h"
  49#include "qemu/id.h"
  50
  51#ifdef CONFIG_BSD
  52#include <sys/ioctl.h>
  53#include <sys/queue.h>
  54#ifndef __DragonFly__
  55#include <sys/disk.h>
  56#endif
  57#endif
  58
  59#ifdef _WIN32
  60#include <windows.h>
  61#endif
  62
  63#define NOT_DONE 0x7fffffff /* used while emulated sync operation in progress */
  64
  65static QTAILQ_HEAD(, BlockDriverState) graph_bdrv_states =
  66    QTAILQ_HEAD_INITIALIZER(graph_bdrv_states);
  67
  68static QTAILQ_HEAD(, BlockDriverState) all_bdrv_states =
  69    QTAILQ_HEAD_INITIALIZER(all_bdrv_states);
  70
  71static QLIST_HEAD(, BlockDriver) bdrv_drivers =
  72    QLIST_HEAD_INITIALIZER(bdrv_drivers);
  73
  74static BlockDriverState *bdrv_open_inherit(const char *filename,
  75                                           const char *reference,
  76                                           QDict *options, int flags,
  77                                           BlockDriverState *parent,
  78                                           const BdrvChildRole *child_role,
  79                                           Error **errp);
  80
  81/* If non-zero, use only whitelisted block drivers */
  82static int use_bdrv_whitelist;
  83
  84#ifdef _WIN32
  85static int is_windows_drive_prefix(const char *filename)
  86{
  87    return (((filename[0] >= 'a' && filename[0] <= 'z') ||
  88             (filename[0] >= 'A' && filename[0] <= 'Z')) &&
  89            filename[1] == ':');
  90}
  91
  92int is_windows_drive(const char *filename)
  93{
  94    if (is_windows_drive_prefix(filename) &&
  95        filename[2] == '\0')
  96        return 1;
  97    if (strstart(filename, "\\\\.\\", NULL) ||
  98        strstart(filename, "//./", NULL))
  99        return 1;
 100    return 0;
 101}
 102#endif
 103
 104size_t bdrv_opt_mem_align(BlockDriverState *bs)
 105{
 106    if (!bs || !bs->drv) {
 107        /* page size or 4k (hdd sector size) should be on the safe side */
 108        return MAX(4096, getpagesize());
 109    }
 110
 111    return bs->bl.opt_mem_alignment;
 112}
 113
 114size_t bdrv_min_mem_align(BlockDriverState *bs)
 115{
 116    if (!bs || !bs->drv) {
 117        /* page size or 4k (hdd sector size) should be on the safe side */
 118        return MAX(4096, getpagesize());
 119    }
 120
 121    return bs->bl.min_mem_alignment;
 122}
 123
 124/* check if the path starts with "<protocol>:" */
 125int path_has_protocol(const char *path)
 126{
 127    const char *p;
 128
 129#ifdef _WIN32
 130    if (is_windows_drive(path) ||
 131        is_windows_drive_prefix(path)) {
 132        return 0;
 133    }
 134    p = path + strcspn(path, ":/\\");
 135#else
 136    p = path + strcspn(path, ":/");
 137#endif
 138
 139    return *p == ':';
 140}
 141
 142int path_is_absolute(const char *path)
 143{
 144#ifdef _WIN32
 145    /* specific case for names like: "\\.\d:" */
 146    if (is_windows_drive(path) || is_windows_drive_prefix(path)) {
 147        return 1;
 148    }
 149    return (*path == '/' || *path == '\\');
 150#else
 151    return (*path == '/');
 152#endif
 153}
 154
 155/* if filename is absolute, just return its duplicate. Otherwise, build a
 156   path to it by considering it is relative to base_path. URL are
 157   supported. */
 158char *path_combine(const char *base_path, const char *filename)
 159{
 160    const char *protocol_stripped = NULL;
 161    const char *p, *p1;
 162    char *result;
 163    int len;
 164
 165    if (path_is_absolute(filename)) {
 166        return g_strdup(filename);
 167    }
 168
 169    if (path_has_protocol(base_path)) {
 170        protocol_stripped = strchr(base_path, ':');
 171        if (protocol_stripped) {
 172            protocol_stripped++;
 173        }
 174    }
 175    p = protocol_stripped ?: base_path;
 176
 177    p1 = strrchr(base_path, '/');
 178#ifdef _WIN32
 179    {
 180        const char *p2;
 181        p2 = strrchr(base_path, '\\');
 182        if (!p1 || p2 > p1) {
 183            p1 = p2;
 184        }
 185    }
 186#endif
 187    if (p1) {
 188        p1++;
 189    } else {
 190        p1 = base_path;
 191    }
 192    if (p1 > p) {
 193        p = p1;
 194    }
 195    len = p - base_path;
 196
 197    result = g_malloc(len + strlen(filename) + 1);
 198    memcpy(result, base_path, len);
 199    strcpy(result + len, filename);
 200
 201    return result;
 202}
 203
 204/*
 205 * Helper function for bdrv_parse_filename() implementations to remove optional
 206 * protocol prefixes (especially "file:") from a filename and for putting the
 207 * stripped filename into the options QDict if there is such a prefix.
 208 */
 209void bdrv_parse_filename_strip_prefix(const char *filename, const char *prefix,
 210                                      QDict *options)
 211{
 212    if (strstart(filename, prefix, &filename)) {
 213        /* Stripping the explicit protocol prefix may result in a protocol
 214         * prefix being (wrongly) detected (if the filename contains a colon) */
 215        if (path_has_protocol(filename)) {
 216            QString *fat_filename;
 217
 218            /* This means there is some colon before the first slash; therefore,
 219             * this cannot be an absolute path */
 220            assert(!path_is_absolute(filename));
 221
 222            /* And we can thus fix the protocol detection issue by prefixing it
 223             * by "./" */
 224            fat_filename = qstring_from_str("./");
 225            qstring_append(fat_filename, filename);
 226
 227            assert(!path_has_protocol(qstring_get_str(fat_filename)));
 228
 229            qdict_put(options, "filename", fat_filename);
 230        } else {
 231            /* If no protocol prefix was detected, we can use the shortened
 232             * filename as-is */
 233            qdict_put_str(options, "filename", filename);
 234        }
 235    }
 236}
 237
 238
 239/* Returns whether the image file is opened as read-only. Note that this can
 240 * return false and writing to the image file is still not possible because the
 241 * image is inactivated. */
 242bool bdrv_is_read_only(BlockDriverState *bs)
 243{
 244    return bs->read_only;
 245}
 246
 247int bdrv_can_set_read_only(BlockDriverState *bs, bool read_only,
 248                           bool ignore_allow_rdw, Error **errp)
 249{
 250    /* Do not set read_only if copy_on_read is enabled */
 251    if (bs->copy_on_read && read_only) {
 252        error_setg(errp, "Can't set node '%s' to r/o with copy-on-read enabled",
 253                   bdrv_get_device_or_node_name(bs));
 254        return -EINVAL;
 255    }
 256
 257    /* Do not clear read_only if it is prohibited */
 258    if (!read_only && !(bs->open_flags & BDRV_O_ALLOW_RDWR) &&
 259        !ignore_allow_rdw)
 260    {
 261        error_setg(errp, "Node '%s' is read only",
 262                   bdrv_get_device_or_node_name(bs));
 263        return -EPERM;
 264    }
 265
 266    return 0;
 267}
 268
 269/*
 270 * Called by a driver that can only provide a read-only image.
 271 *
 272 * Returns 0 if the node is already read-only or it could switch the node to
 273 * read-only because BDRV_O_AUTO_RDONLY is set.
 274 *
 275 * Returns -EACCES if the node is read-write and BDRV_O_AUTO_RDONLY is not set
 276 * or bdrv_can_set_read_only() forbids making the node read-only. If @errmsg
 277 * is not NULL, it is used as the error message for the Error object.
 278 */
 279int bdrv_apply_auto_read_only(BlockDriverState *bs, const char *errmsg,
 280                              Error **errp)
 281{
 282    int ret = 0;
 283
 284    if (!(bs->open_flags & BDRV_O_RDWR)) {
 285        return 0;
 286    }
 287    if (!(bs->open_flags & BDRV_O_AUTO_RDONLY)) {
 288        goto fail;
 289    }
 290
 291    ret = bdrv_can_set_read_only(bs, true, false, NULL);
 292    if (ret < 0) {
 293        goto fail;
 294    }
 295
 296    bs->read_only = true;
 297    bs->open_flags &= ~BDRV_O_RDWR;
 298
 299    return 0;
 300
 301fail:
 302    error_setg(errp, "%s", errmsg ?: "Image is read-only");
 303    return -EACCES;
 304}
 305
 306/*
 307 * If @backing is empty, this function returns NULL without setting
 308 * @errp.  In all other cases, NULL will only be returned with @errp
 309 * set.
 310 *
 311 * Therefore, a return value of NULL without @errp set means that
 312 * there is no backing file; if @errp is set, there is one but its
 313 * absolute filename cannot be generated.
 314 */
 315char *bdrv_get_full_backing_filename_from_filename(const char *backed,
 316                                                   const char *backing,
 317                                                   Error **errp)
 318{
 319    if (backing[0] == '\0') {
 320        return NULL;
 321    } else if (path_has_protocol(backing) || path_is_absolute(backing)) {
 322        return g_strdup(backing);
 323    } else if (backed[0] == '\0' || strstart(backed, "json:", NULL)) {
 324        error_setg(errp, "Cannot use relative backing file names for '%s'",
 325                   backed);
 326        return NULL;
 327    } else {
 328        return path_combine(backed, backing);
 329    }
 330}
 331
 332/*
 333 * If @filename is empty or NULL, this function returns NULL without
 334 * setting @errp.  In all other cases, NULL will only be returned with
 335 * @errp set.
 336 */
 337static char *bdrv_make_absolute_filename(BlockDriverState *relative_to,
 338                                         const char *filename, Error **errp)
 339{
 340    char *dir, *full_name;
 341
 342    if (!filename || filename[0] == '\0') {
 343        return NULL;
 344    } else if (path_has_protocol(filename) || path_is_absolute(filename)) {
 345        return g_strdup(filename);
 346    }
 347
 348    dir = bdrv_dirname(relative_to, errp);
 349    if (!dir) {
 350        return NULL;
 351    }
 352
 353    full_name = g_strconcat(dir, filename, NULL);
 354    g_free(dir);
 355    return full_name;
 356}
 357
 358char *bdrv_get_full_backing_filename(BlockDriverState *bs, Error **errp)
 359{
 360    return bdrv_make_absolute_filename(bs, bs->backing_file, errp);
 361}
 362
 363void bdrv_register(BlockDriver *bdrv)
 364{
 365    QLIST_INSERT_HEAD(&bdrv_drivers, bdrv, list);
 366}
 367
 368BlockDriverState *bdrv_new(void)
 369{
 370    BlockDriverState *bs;
 371    int i;
 372
 373    bs = g_new0(BlockDriverState, 1);
 374    QLIST_INIT(&bs->dirty_bitmaps);
 375    for (i = 0; i < BLOCK_OP_TYPE_MAX; i++) {
 376        QLIST_INIT(&bs->op_blockers[i]);
 377    }
 378    notifier_with_return_list_init(&bs->before_write_notifiers);
 379    qemu_co_mutex_init(&bs->reqs_lock);
 380    qemu_mutex_init(&bs->dirty_bitmap_mutex);
 381    bs->refcnt = 1;
 382    bs->aio_context = qemu_get_aio_context();
 383
 384    qemu_co_queue_init(&bs->flush_queue);
 385
 386    for (i = 0; i < bdrv_drain_all_count; i++) {
 387        bdrv_drained_begin(bs);
 388    }
 389
 390    QTAILQ_INSERT_TAIL(&all_bdrv_states, bs, bs_list);
 391
 392    return bs;
 393}
 394
 395static BlockDriver *bdrv_do_find_format(const char *format_name)
 396{
 397    BlockDriver *drv1;
 398
 399    QLIST_FOREACH(drv1, &bdrv_drivers, list) {
 400        if (!strcmp(drv1->format_name, format_name)) {
 401            return drv1;
 402        }
 403    }
 404
 405    return NULL;
 406}
 407
 408BlockDriver *bdrv_find_format(const char *format_name)
 409{
 410    BlockDriver *drv1;
 411    int i;
 412
 413    drv1 = bdrv_do_find_format(format_name);
 414    if (drv1) {
 415        return drv1;
 416    }
 417
 418    /* The driver isn't registered, maybe we need to load a module */
 419    for (i = 0; i < (int)ARRAY_SIZE(block_driver_modules); ++i) {
 420        if (!strcmp(block_driver_modules[i].format_name, format_name)) {
 421            block_module_load_one(block_driver_modules[i].library_name);
 422            break;
 423        }
 424    }
 425
 426    return bdrv_do_find_format(format_name);
 427}
 428
 429static int bdrv_format_is_whitelisted(const char *format_name, bool read_only)
 430{
 431    static const char *whitelist_rw[] = {
 432        CONFIG_BDRV_RW_WHITELIST
 433    };
 434    static const char *whitelist_ro[] = {
 435        CONFIG_BDRV_RO_WHITELIST
 436    };
 437    const char **p;
 438
 439    if (!whitelist_rw[0] && !whitelist_ro[0]) {
 440        return 1;               /* no whitelist, anything goes */
 441    }
 442
 443    for (p = whitelist_rw; *p; p++) {
 444        if (!strcmp(format_name, *p)) {
 445            return 1;
 446        }
 447    }
 448    if (read_only) {
 449        for (p = whitelist_ro; *p; p++) {
 450            if (!strcmp(format_name, *p)) {
 451                return 1;
 452            }
 453        }
 454    }
 455    return 0;
 456}
 457
 458int bdrv_is_whitelisted(BlockDriver *drv, bool read_only)
 459{
 460    return bdrv_format_is_whitelisted(drv->format_name, read_only);
 461}
 462
 463bool bdrv_uses_whitelist(void)
 464{
 465    return use_bdrv_whitelist;
 466}
 467
 468typedef struct CreateCo {
 469    BlockDriver *drv;
 470    char *filename;
 471    QemuOpts *opts;
 472    int ret;
 473    Error *err;
 474} CreateCo;
 475
 476static void coroutine_fn bdrv_create_co_entry(void *opaque)
 477{
 478    Error *local_err = NULL;
 479    int ret;
 480
 481    CreateCo *cco = opaque;
 482    assert(cco->drv);
 483
 484    ret = cco->drv->bdrv_co_create_opts(cco->filename, cco->opts, &local_err);
 485    error_propagate(&cco->err, local_err);
 486    cco->ret = ret;
 487}
 488
 489int bdrv_create(BlockDriver *drv, const char* filename,
 490                QemuOpts *opts, Error **errp)
 491{
 492    int ret;
 493
 494    Coroutine *co;
 495    CreateCo cco = {
 496        .drv = drv,
 497        .filename = g_strdup(filename),
 498        .opts = opts,
 499        .ret = NOT_DONE,
 500        .err = NULL,
 501    };
 502
 503    if (!drv->bdrv_co_create_opts) {
 504        error_setg(errp, "Driver '%s' does not support image creation", drv->format_name);
 505        ret = -ENOTSUP;
 506        goto out;
 507    }
 508
 509    if (qemu_in_coroutine()) {
 510        /* Fast-path if already in coroutine context */
 511        bdrv_create_co_entry(&cco);
 512    } else {
 513        co = qemu_coroutine_create(bdrv_create_co_entry, &cco);
 514        qemu_coroutine_enter(co);
 515        while (cco.ret == NOT_DONE) {
 516            aio_poll(qemu_get_aio_context(), true);
 517        }
 518    }
 519
 520    ret = cco.ret;
 521    if (ret < 0) {
 522        if (cco.err) {
 523            error_propagate(errp, cco.err);
 524        } else {
 525            error_setg_errno(errp, -ret, "Could not create image");
 526        }
 527    }
 528
 529out:
 530    g_free(cco.filename);
 531    return ret;
 532}
 533
 534int bdrv_create_file(const char *filename, QemuOpts *opts, Error **errp)
 535{
 536    BlockDriver *drv;
 537    Error *local_err = NULL;
 538    int ret;
 539
 540    drv = bdrv_find_protocol(filename, true, errp);
 541    if (drv == NULL) {
 542        return -ENOENT;
 543    }
 544
 545    ret = bdrv_create(drv, filename, opts, &local_err);
 546    error_propagate(errp, local_err);
 547    return ret;
 548}
 549
 550/**
 551 * Try to get @bs's logical and physical block size.
 552 * On success, store them in @bsz struct and return 0.
 553 * On failure return -errno.
 554 * @bs must not be empty.
 555 */
 556int bdrv_probe_blocksizes(BlockDriverState *bs, BlockSizes *bsz)
 557{
 558    BlockDriver *drv = bs->drv;
 559
 560    if (drv && drv->bdrv_probe_blocksizes) {
 561        return drv->bdrv_probe_blocksizes(bs, bsz);
 562    } else if (drv && drv->is_filter && bs->file) {
 563        return bdrv_probe_blocksizes(bs->file->bs, bsz);
 564    }
 565
 566    return -ENOTSUP;
 567}
 568
 569/**
 570 * Try to get @bs's geometry (cyls, heads, sectors).
 571 * On success, store them in @geo struct and return 0.
 572 * On failure return -errno.
 573 * @bs must not be empty.
 574 */
 575int bdrv_probe_geometry(BlockDriverState *bs, HDGeometry *geo)
 576{
 577    BlockDriver *drv = bs->drv;
 578
 579    if (drv && drv->bdrv_probe_geometry) {
 580        return drv->bdrv_probe_geometry(bs, geo);
 581    } else if (drv && drv->is_filter && bs->file) {
 582        return bdrv_probe_geometry(bs->file->bs, geo);
 583    }
 584
 585    return -ENOTSUP;
 586}
 587
 588/*
 589 * Create a uniquely-named empty temporary file.
 590 * Return 0 upon success, otherwise a negative errno value.
 591 */
 592int get_tmp_filename(char *filename, int size)
 593{
 594#ifdef _WIN32
 595    char temp_dir[MAX_PATH];
 596    /* GetTempFileName requires that its output buffer (4th param)
 597       have length MAX_PATH or greater.  */
 598    assert(size >= MAX_PATH);
 599    return (GetTempPath(MAX_PATH, temp_dir)
 600            && GetTempFileName(temp_dir, "qem", 0, filename)
 601            ? 0 : -GetLastError());
 602#else
 603    int fd;
 604    const char *tmpdir;
 605    tmpdir = getenv("TMPDIR");
 606    if (!tmpdir) {
 607        tmpdir = "/var/tmp";
 608    }
 609    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
 610        return -EOVERFLOW;
 611    }
 612    fd = mkstemp(filename);
 613    if (fd < 0) {
 614        return -errno;
 615    }
 616    if (close(fd) != 0) {
 617        unlink(filename);
 618        return -errno;
 619    }
 620    return 0;
 621#endif
 622}
 623
 624/*
 625 * Detect host devices. By convention, /dev/cdrom[N] is always
 626 * recognized as a host CDROM.
 627 */
 628static BlockDriver *find_hdev_driver(const char *filename)
 629{
 630    int score_max = 0, score;
 631    BlockDriver *drv = NULL, *d;
 632
 633    QLIST_FOREACH(d, &bdrv_drivers, list) {
 634        if (d->bdrv_probe_device) {
 635            score = d->bdrv_probe_device(filename);
 636            if (score > score_max) {
 637                score_max = score;
 638                drv = d;
 639            }
 640        }
 641    }
 642
 643    return drv;
 644}
 645
 646static BlockDriver *bdrv_do_find_protocol(const char *protocol)
 647{
 648    BlockDriver *drv1;
 649
 650    QLIST_FOREACH(drv1, &bdrv_drivers, list) {
 651        if (drv1->protocol_name && !strcmp(drv1->protocol_name, protocol)) {
 652            return drv1;
 653        }
 654    }
 655
 656    return NULL;
 657}
 658
 659BlockDriver *bdrv_find_protocol(const char *filename,
 660                                bool allow_protocol_prefix,
 661                                Error **errp)
 662{
 663    BlockDriver *drv1;
 664    char protocol[128];
 665    int len;
 666    const char *p;
 667    int i;
 668
 669    /* TODO Drivers without bdrv_file_open must be specified explicitly */
 670
 671    /*
 672     * XXX(hch): we really should not let host device detection
 673     * override an explicit protocol specification, but moving this
 674     * later breaks access to device names with colons in them.
 675     * Thanks to the brain-dead persistent naming schemes on udev-
 676     * based Linux systems those actually are quite common.
 677     */
 678    drv1 = find_hdev_driver(filename);
 679    if (drv1) {
 680        return drv1;
 681    }
 682
 683    if (!path_has_protocol(filename) || !allow_protocol_prefix) {
 684        return &bdrv_file;
 685    }
 686
 687    p = strchr(filename, ':');
 688    assert(p != NULL);
 689    len = p - filename;
 690    if (len > sizeof(protocol) - 1)
 691        len = sizeof(protocol) - 1;
 692    memcpy(protocol, filename, len);
 693    protocol[len] = '\0';
 694
 695    drv1 = bdrv_do_find_protocol(protocol);
 696    if (drv1) {
 697        return drv1;
 698    }
 699
 700    for (i = 0; i < (int)ARRAY_SIZE(block_driver_modules); ++i) {
 701        if (block_driver_modules[i].protocol_name &&
 702            !strcmp(block_driver_modules[i].protocol_name, protocol)) {
 703            block_module_load_one(block_driver_modules[i].library_name);
 704            break;
 705        }
 706    }
 707
 708    drv1 = bdrv_do_find_protocol(protocol);
 709    if (!drv1) {
 710        error_setg(errp, "Unknown protocol '%s'", protocol);
 711    }
 712    return drv1;
 713}
 714
 715/*
 716 * Guess image format by probing its contents.
 717 * This is not a good idea when your image is raw (CVE-2008-2004), but
 718 * we do it anyway for backward compatibility.
 719 *
 720 * @buf         contains the image's first @buf_size bytes.
 721 * @buf_size    is the buffer size in bytes (generally BLOCK_PROBE_BUF_SIZE,
 722 *              but can be smaller if the image file is smaller)
 723 * @filename    is its filename.
 724 *
 725 * For all block drivers, call the bdrv_probe() method to get its
 726 * probing score.
 727 * Return the first block driver with the highest probing score.
 728 */
 729BlockDriver *bdrv_probe_all(const uint8_t *buf, int buf_size,
 730                            const char *filename)
 731{
 732    int score_max = 0, score;
 733    BlockDriver *drv = NULL, *d;
 734
 735    QLIST_FOREACH(d, &bdrv_drivers, list) {
 736        if (d->bdrv_probe) {
 737            score = d->bdrv_probe(buf, buf_size, filename);
 738            if (score > score_max) {
 739                score_max = score;
 740                drv = d;
 741            }
 742        }
 743    }
 744
 745    return drv;
 746}
 747
 748static int find_image_format(BlockBackend *file, const char *filename,
 749                             BlockDriver **pdrv, Error **errp)
 750{
 751    BlockDriver *drv;
 752    uint8_t buf[BLOCK_PROBE_BUF_SIZE];
 753    int ret = 0;
 754
 755    /* Return the raw BlockDriver * to scsi-generic devices or empty drives */
 756    if (blk_is_sg(file) || !blk_is_inserted(file) || blk_getlength(file) == 0) {
 757        *pdrv = &bdrv_raw;
 758        return ret;
 759    }
 760
 761    ret = blk_pread(file, 0, buf, sizeof(buf));
 762    if (ret < 0) {
 763        error_setg_errno(errp, -ret, "Could not read image for determining its "
 764                         "format");
 765        *pdrv = NULL;
 766        return ret;
 767    }
 768
 769    drv = bdrv_probe_all(buf, ret, filename);
 770    if (!drv) {
 771        error_setg(errp, "Could not determine image format: No compatible "
 772                   "driver found");
 773        ret = -ENOENT;
 774    }
 775    *pdrv = drv;
 776    return ret;
 777}
 778
 779/**
 780 * Set the current 'total_sectors' value
 781 * Return 0 on success, -errno on error.
 782 */
 783int refresh_total_sectors(BlockDriverState *bs, int64_t hint)
 784{
 785    BlockDriver *drv = bs->drv;
 786
 787    if (!drv) {
 788        return -ENOMEDIUM;
 789    }
 790
 791    /* Do not attempt drv->bdrv_getlength() on scsi-generic devices */
 792    if (bdrv_is_sg(bs))
 793        return 0;
 794
 795    /* query actual device if possible, otherwise just trust the hint */
 796    if (drv->bdrv_getlength) {
 797        int64_t length = drv->bdrv_getlength(bs);
 798        if (length < 0) {
 799            return length;
 800        }
 801        hint = DIV_ROUND_UP(length, BDRV_SECTOR_SIZE);
 802    }
 803
 804    bs->total_sectors = hint;
 805    return 0;
 806}
 807
 808/**
 809 * Combines a QDict of new block driver @options with any missing options taken
 810 * from @old_options, so that leaving out an option defaults to its old value.
 811 */
 812static void bdrv_join_options(BlockDriverState *bs, QDict *options,
 813                              QDict *old_options)
 814{
 815    if (bs->drv && bs->drv->bdrv_join_options) {
 816        bs->drv->bdrv_join_options(options, old_options);
 817    } else {
 818        qdict_join(options, old_options, false);
 819    }
 820}
 821
 822static BlockdevDetectZeroesOptions bdrv_parse_detect_zeroes(QemuOpts *opts,
 823                                                            int open_flags,
 824                                                            Error **errp)
 825{
 826    Error *local_err = NULL;
 827    char *value = qemu_opt_get_del(opts, "detect-zeroes");
 828    BlockdevDetectZeroesOptions detect_zeroes =
 829        qapi_enum_parse(&BlockdevDetectZeroesOptions_lookup, value,
 830                        BLOCKDEV_DETECT_ZEROES_OPTIONS_OFF, &local_err);
 831    g_free(value);
 832    if (local_err) {
 833        error_propagate(errp, local_err);
 834        return detect_zeroes;
 835    }
 836
 837    if (detect_zeroes == BLOCKDEV_DETECT_ZEROES_OPTIONS_UNMAP &&
 838        !(open_flags & BDRV_O_UNMAP))
 839    {
 840        error_setg(errp, "setting detect-zeroes to unmap is not allowed "
 841                   "without setting discard operation to unmap");
 842    }
 843
 844    return detect_zeroes;
 845}
 846
 847/**
 848 * Set open flags for a given discard mode
 849 *
 850 * Return 0 on success, -1 if the discard mode was invalid.
 851 */
 852int bdrv_parse_discard_flags(const char *mode, int *flags)
 853{
 854    *flags &= ~BDRV_O_UNMAP;
 855
 856    if (!strcmp(mode, "off") || !strcmp(mode, "ignore")) {
 857        /* do nothing */
 858    } else if (!strcmp(mode, "on") || !strcmp(mode, "unmap")) {
 859        *flags |= BDRV_O_UNMAP;
 860    } else {
 861        return -1;
 862    }
 863
 864    return 0;
 865}
 866
 867/**
 868 * Set open flags for a given cache mode
 869 *
 870 * Return 0 on success, -1 if the cache mode was invalid.
 871 */
 872int bdrv_parse_cache_mode(const char *mode, int *flags, bool *writethrough)
 873{
 874    *flags &= ~BDRV_O_CACHE_MASK;
 875
 876    if (!strcmp(mode, "off") || !strcmp(mode, "none")) {
 877        *writethrough = false;
 878        *flags |= BDRV_O_NOCACHE;
 879    } else if (!strcmp(mode, "directsync")) {
 880        *writethrough = true;
 881        *flags |= BDRV_O_NOCACHE;
 882    } else if (!strcmp(mode, "writeback")) {
 883        *writethrough = false;
 884    } else if (!strcmp(mode, "unsafe")) {
 885        *writethrough = false;
 886        *flags |= BDRV_O_NO_FLUSH;
 887    } else if (!strcmp(mode, "writethrough")) {
 888        *writethrough = true;
 889    } else {
 890        return -1;
 891    }
 892
 893    return 0;
 894}
 895
 896static char *bdrv_child_get_parent_desc(BdrvChild *c)
 897{
 898    BlockDriverState *parent = c->opaque;
 899    return g_strdup(bdrv_get_device_or_node_name(parent));
 900}
 901
 902static void bdrv_child_cb_drained_begin(BdrvChild *child)
 903{
 904    BlockDriverState *bs = child->opaque;
 905    bdrv_do_drained_begin_quiesce(bs, NULL, false);
 906}
 907
 908static bool bdrv_child_cb_drained_poll(BdrvChild *child)
 909{
 910    BlockDriverState *bs = child->opaque;
 911    return bdrv_drain_poll(bs, false, NULL, false);
 912}
 913
 914static void bdrv_child_cb_drained_end(BdrvChild *child,
 915                                      int *drained_end_counter)
 916{
 917    BlockDriverState *bs = child->opaque;
 918    bdrv_drained_end_no_poll(bs, drained_end_counter);
 919}
 920
 921static void bdrv_child_cb_attach(BdrvChild *child)
 922{
 923    BlockDriverState *bs = child->opaque;
 924    bdrv_apply_subtree_drain(child, bs);
 925}
 926
 927static void bdrv_child_cb_detach(BdrvChild *child)
 928{
 929    BlockDriverState *bs = child->opaque;
 930    bdrv_unapply_subtree_drain(child, bs);
 931}
 932
 933static int bdrv_child_cb_inactivate(BdrvChild *child)
 934{
 935    BlockDriverState *bs = child->opaque;
 936    assert(bs->open_flags & BDRV_O_INACTIVE);
 937    return 0;
 938}
 939
 940static bool bdrv_child_cb_can_set_aio_ctx(BdrvChild *child, AioContext *ctx,
 941                                          GSList **ignore, Error **errp)
 942{
 943    BlockDriverState *bs = child->opaque;
 944    return bdrv_can_set_aio_context(bs, ctx, ignore, errp);
 945}
 946
 947static void bdrv_child_cb_set_aio_ctx(BdrvChild *child, AioContext *ctx,
 948                                      GSList **ignore)
 949{
 950    BlockDriverState *bs = child->opaque;
 951    return bdrv_set_aio_context_ignore(bs, ctx, ignore);
 952}
 953
 954/*
 955 * Returns the options and flags that a temporary snapshot should get, based on
 956 * the originally requested flags (the originally requested image will have
 957 * flags like a backing file)
 958 */
 959static void bdrv_temp_snapshot_options(int *child_flags, QDict *child_options,
 960                                       int parent_flags, QDict *parent_options)
 961{
 962    *child_flags = (parent_flags & ~BDRV_O_SNAPSHOT) | BDRV_O_TEMPORARY;
 963
 964    /* For temporary files, unconditional cache=unsafe is fine */
 965    qdict_set_default_str(child_options, BDRV_OPT_CACHE_DIRECT, "off");
 966    qdict_set_default_str(child_options, BDRV_OPT_CACHE_NO_FLUSH, "on");
 967
 968    /* Copy the read-only and discard options from the parent */
 969    qdict_copy_default(child_options, parent_options, BDRV_OPT_READ_ONLY);
 970    qdict_copy_default(child_options, parent_options, BDRV_OPT_DISCARD);
 971
 972    /* aio=native doesn't work for cache.direct=off, so disable it for the
 973     * temporary snapshot */
 974    *child_flags &= ~BDRV_O_NATIVE_AIO;
 975}
 976
 977/*
 978 * Returns the options and flags that bs->file should get if a protocol driver
 979 * is expected, based on the given options and flags for the parent BDS
 980 */
 981static void bdrv_inherited_options(int *child_flags, QDict *child_options,
 982                                   int parent_flags, QDict *parent_options)
 983{
 984    int flags = parent_flags;
 985
 986    /* Enable protocol handling, disable format probing for bs->file */
 987    flags |= BDRV_O_PROTOCOL;
 988
 989    /* If the cache mode isn't explicitly set, inherit direct and no-flush from
 990     * the parent. */
 991    qdict_copy_default(child_options, parent_options, BDRV_OPT_CACHE_DIRECT);
 992    qdict_copy_default(child_options, parent_options, BDRV_OPT_CACHE_NO_FLUSH);
 993    qdict_copy_default(child_options, parent_options, BDRV_OPT_FORCE_SHARE);
 994
 995    /* Inherit the read-only option from the parent if it's not set */
 996    qdict_copy_default(child_options, parent_options, BDRV_OPT_READ_ONLY);
 997    qdict_copy_default(child_options, parent_options, BDRV_OPT_AUTO_READ_ONLY);
 998
 999    /* Our block drivers take care to send flushes and respect unmap policy,
1000     * so we can default to enable both on lower layers regardless of the
1001     * corresponding parent options. */
1002    qdict_set_default_str(child_options, BDRV_OPT_DISCARD, "unmap");
1003
1004    /* Clear flags that only apply to the top layer */
1005    flags &= ~(BDRV_O_SNAPSHOT | BDRV_O_NO_BACKING | BDRV_O_COPY_ON_READ |
1006               BDRV_O_NO_IO);
1007
1008    *child_flags = flags;
1009}
1010
1011const BdrvChildRole child_file = {
1012    .parent_is_bds   = true,
1013    .get_parent_desc = bdrv_child_get_parent_desc,
1014    .inherit_options = bdrv_inherited_options,
1015    .drained_begin   = bdrv_child_cb_drained_begin,
1016    .drained_poll    = bdrv_child_cb_drained_poll,
1017    .drained_end     = bdrv_child_cb_drained_end,
1018    .attach          = bdrv_child_cb_attach,
1019    .detach          = bdrv_child_cb_detach,
1020    .inactivate      = bdrv_child_cb_inactivate,
1021    .can_set_aio_ctx = bdrv_child_cb_can_set_aio_ctx,
1022    .set_aio_ctx     = bdrv_child_cb_set_aio_ctx,
1023};
1024
1025/*
1026 * Returns the options and flags that bs->file should get if the use of formats
1027 * (and not only protocols) is permitted for it, based on the given options and
1028 * flags for the parent BDS
1029 */
1030static void bdrv_inherited_fmt_options(int *child_flags, QDict *child_options,
1031                                       int parent_flags, QDict *parent_options)
1032{
1033    child_file.inherit_options(child_flags, child_options,
1034                               parent_flags, parent_options);
1035
1036    *child_flags &= ~(BDRV_O_PROTOCOL | BDRV_O_NO_IO);
1037}
1038
1039const BdrvChildRole child_format = {
1040    .parent_is_bds   = true,
1041    .get_parent_desc = bdrv_child_get_parent_desc,
1042    .inherit_options = bdrv_inherited_fmt_options,
1043    .drained_begin   = bdrv_child_cb_drained_begin,
1044    .drained_poll    = bdrv_child_cb_drained_poll,
1045    .drained_end     = bdrv_child_cb_drained_end,
1046    .attach          = bdrv_child_cb_attach,
1047    .detach          = bdrv_child_cb_detach,
1048    .inactivate      = bdrv_child_cb_inactivate,
1049    .can_set_aio_ctx = bdrv_child_cb_can_set_aio_ctx,
1050    .set_aio_ctx     = bdrv_child_cb_set_aio_ctx,
1051};
1052
1053static void bdrv_backing_attach(BdrvChild *c)
1054{
1055    BlockDriverState *parent = c->opaque;
1056    BlockDriverState *backing_hd = c->bs;
1057
1058    assert(!parent->backing_blocker);
1059    error_setg(&parent->backing_blocker,
1060               "node is used as backing hd of '%s'",
1061               bdrv_get_device_or_node_name(parent));
1062
1063    bdrv_refresh_filename(backing_hd);
1064
1065    parent->open_flags &= ~BDRV_O_NO_BACKING;
1066    pstrcpy(parent->backing_file, sizeof(parent->backing_file),
1067            backing_hd->filename);
1068    pstrcpy(parent->backing_format, sizeof(parent->backing_format),
1069            backing_hd->drv ? backing_hd->drv->format_name : "");
1070
1071    bdrv_op_block_all(backing_hd, parent->backing_blocker);
1072    /* Otherwise we won't be able to commit or stream */
1073    bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_COMMIT_TARGET,
1074                    parent->backing_blocker);
1075    bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_STREAM,
1076                    parent->backing_blocker);
1077    /*
1078     * We do backup in 3 ways:
1079     * 1. drive backup
1080     *    The target bs is new opened, and the source is top BDS
1081     * 2. blockdev backup
1082     *    Both the source and the target are top BDSes.
1083     * 3. internal backup(used for block replication)
1084     *    Both the source and the target are backing file
1085     *
1086     * In case 1 and 2, neither the source nor the target is the backing file.
1087     * In case 3, we will block the top BDS, so there is only one block job
1088     * for the top BDS and its backing chain.
1089     */
1090    bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_BACKUP_SOURCE,
1091                    parent->backing_blocker);
1092    bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_BACKUP_TARGET,
1093                    parent->backing_blocker);
1094
1095    bdrv_child_cb_attach(c);
1096}
1097
1098static void bdrv_backing_detach(BdrvChild *c)
1099{
1100    BlockDriverState *parent = c->opaque;
1101
1102    assert(parent->backing_blocker);
1103    bdrv_op_unblock_all(c->bs, parent->backing_blocker);
1104    error_free(parent->backing_blocker);
1105    parent->backing_blocker = NULL;
1106
1107    bdrv_child_cb_detach(c);
1108}
1109
1110/*
1111 * Returns the options and flags that bs->backing should get, based on the
1112 * given options and flags for the parent BDS
1113 */
1114static void bdrv_backing_options(int *child_flags, QDict *child_options,
1115                                 int parent_flags, QDict *parent_options)
1116{
1117    int flags = parent_flags;
1118
1119    /* The cache mode is inherited unmodified for backing files; except WCE,
1120     * which is only applied on the top level (BlockBackend) */
1121    qdict_copy_default(child_options, parent_options, BDRV_OPT_CACHE_DIRECT);
1122    qdict_copy_default(child_options, parent_options, BDRV_OPT_CACHE_NO_FLUSH);
1123    qdict_copy_default(child_options, parent_options, BDRV_OPT_FORCE_SHARE);
1124
1125    /* backing files always opened read-only */
1126    qdict_set_default_str(child_options, BDRV_OPT_READ_ONLY, "on");
1127    qdict_set_default_str(child_options, BDRV_OPT_AUTO_READ_ONLY, "off");
1128    flags &= ~BDRV_O_COPY_ON_READ;
1129
1130    /* snapshot=on is handled on the top layer */
1131    flags &= ~(BDRV_O_SNAPSHOT | BDRV_O_TEMPORARY);
1132
1133    *child_flags = flags;
1134}
1135
1136static int bdrv_backing_update_filename(BdrvChild *c, BlockDriverState *base,
1137                                        const char *filename, Error **errp)
1138{
1139    BlockDriverState *parent = c->opaque;
1140    bool read_only = bdrv_is_read_only(parent);
1141    int ret;
1142
1143    if (read_only) {
1144        ret = bdrv_reopen_set_read_only(parent, false, errp);
1145        if (ret < 0) {
1146            return ret;
1147        }
1148    }
1149
1150    ret = bdrv_change_backing_file(parent, filename,
1151                                   base->drv ? base->drv->format_name : "");
1152    if (ret < 0) {
1153        error_setg_errno(errp, -ret, "Could not update backing file link");
1154    }
1155
1156    if (read_only) {
1157        bdrv_reopen_set_read_only(parent, true, NULL);
1158    }
1159
1160    return ret;
1161}
1162
1163const BdrvChildRole child_backing = {
1164    .parent_is_bds   = true,
1165    .get_parent_desc = bdrv_child_get_parent_desc,
1166    .attach          = bdrv_backing_attach,
1167    .detach          = bdrv_backing_detach,
1168    .inherit_options = bdrv_backing_options,
1169    .drained_begin   = bdrv_child_cb_drained_begin,
1170    .drained_poll    = bdrv_child_cb_drained_poll,
1171    .drained_end     = bdrv_child_cb_drained_end,
1172    .inactivate      = bdrv_child_cb_inactivate,
1173    .update_filename = bdrv_backing_update_filename,
1174    .can_set_aio_ctx = bdrv_child_cb_can_set_aio_ctx,
1175    .set_aio_ctx     = bdrv_child_cb_set_aio_ctx,
1176};
1177
1178static int bdrv_open_flags(BlockDriverState *bs, int flags)
1179{
1180    int open_flags = flags;
1181
1182    /*
1183     * Clear flags that are internal to the block layer before opening the
1184     * image.
1185     */
1186    open_flags &= ~(BDRV_O_SNAPSHOT | BDRV_O_NO_BACKING | BDRV_O_PROTOCOL);
1187
1188    return open_flags;
1189}
1190
1191static void update_flags_from_options(int *flags, QemuOpts *opts)
1192{
1193    *flags &= ~(BDRV_O_CACHE_MASK | BDRV_O_RDWR | BDRV_O_AUTO_RDONLY);
1194
1195    if (qemu_opt_get_bool_del(opts, BDRV_OPT_CACHE_NO_FLUSH, false)) {
1196        *flags |= BDRV_O_NO_FLUSH;
1197    }
1198
1199    if (qemu_opt_get_bool_del(opts, BDRV_OPT_CACHE_DIRECT, false)) {
1200        *flags |= BDRV_O_NOCACHE;
1201    }
1202
1203    if (!qemu_opt_get_bool_del(opts, BDRV_OPT_READ_ONLY, false)) {
1204        *flags |= BDRV_O_RDWR;
1205    }
1206
1207    if (qemu_opt_get_bool_del(opts, BDRV_OPT_AUTO_READ_ONLY, false)) {
1208        *flags |= BDRV_O_AUTO_RDONLY;
1209    }
1210}
1211
1212static void update_options_from_flags(QDict *options, int flags)
1213{
1214    if (!qdict_haskey(options, BDRV_OPT_CACHE_DIRECT)) {
1215        qdict_put_bool(options, BDRV_OPT_CACHE_DIRECT, flags & BDRV_O_NOCACHE);
1216    }
1217    if (!qdict_haskey(options, BDRV_OPT_CACHE_NO_FLUSH)) {
1218        qdict_put_bool(options, BDRV_OPT_CACHE_NO_FLUSH,
1219                       flags & BDRV_O_NO_FLUSH);
1220    }
1221    if (!qdict_haskey(options, BDRV_OPT_READ_ONLY)) {
1222        qdict_put_bool(options, BDRV_OPT_READ_ONLY, !(flags & BDRV_O_RDWR));
1223    }
1224    if (!qdict_haskey(options, BDRV_OPT_AUTO_READ_ONLY)) {
1225        qdict_put_bool(options, BDRV_OPT_AUTO_READ_ONLY,
1226                       flags & BDRV_O_AUTO_RDONLY);
1227    }
1228}
1229
1230static void bdrv_assign_node_name(BlockDriverState *bs,
1231                                  const char *node_name,
1232                                  Error **errp)
1233{
1234    char *gen_node_name = NULL;
1235
1236    if (!node_name) {
1237        node_name = gen_node_name = id_generate(ID_BLOCK);
1238    } else if (!id_wellformed(node_name)) {
1239        /*
1240         * Check for empty string or invalid characters, but not if it is
1241         * generated (generated names use characters not available to the user)
1242         */
1243        error_setg(errp, "Invalid node name");
1244        return;
1245    }
1246
1247    /* takes care of avoiding namespaces collisions */
1248    if (blk_by_name(node_name)) {
1249        error_setg(errp, "node-name=%s is conflicting with a device id",
1250                   node_name);
1251        goto out;
1252    }
1253
1254    /* takes care of avoiding duplicates node names */
1255    if (bdrv_find_node(node_name)) {
1256        error_setg(errp, "Duplicate node name");
1257        goto out;
1258    }
1259
1260    /* Make sure that the node name isn't truncated */
1261    if (strlen(node_name) >= sizeof(bs->node_name)) {
1262        error_setg(errp, "Node name too long");
1263        goto out;
1264    }
1265
1266    /* copy node name into the bs and insert it into the graph list */
1267    pstrcpy(bs->node_name, sizeof(bs->node_name), node_name);
1268    QTAILQ_INSERT_TAIL(&graph_bdrv_states, bs, node_list);
1269out:
1270    g_free(gen_node_name);
1271}
1272
1273static int bdrv_open_driver(BlockDriverState *bs, BlockDriver *drv,
1274                            const char *node_name, QDict *options,
1275                            int open_flags, Error **errp)
1276{
1277    Error *local_err = NULL;
1278    int i, ret;
1279
1280    bdrv_assign_node_name(bs, node_name, &local_err);
1281    if (local_err) {
1282        error_propagate(errp, local_err);
1283        return -EINVAL;
1284    }
1285
1286    bs->drv = drv;
1287    bs->read_only = !(bs->open_flags & BDRV_O_RDWR);
1288    bs->opaque = g_malloc0(drv->instance_size);
1289
1290    if (drv->bdrv_file_open) {
1291        assert(!drv->bdrv_needs_filename || bs->filename[0]);
1292        ret = drv->bdrv_file_open(bs, options, open_flags, &local_err);
1293    } else if (drv->bdrv_open) {
1294        ret = drv->bdrv_open(bs, options, open_flags, &local_err);
1295    } else {
1296        ret = 0;
1297    }
1298
1299    if (ret < 0) {
1300        if (local_err) {
1301            error_propagate(errp, local_err);
1302        } else if (bs->filename[0]) {
1303            error_setg_errno(errp, -ret, "Could not open '%s'", bs->filename);
1304        } else {
1305            error_setg_errno(errp, -ret, "Could not open image");
1306        }
1307        goto open_failed;
1308    }
1309
1310    ret = refresh_total_sectors(bs, bs->total_sectors);
1311    if (ret < 0) {
1312        error_setg_errno(errp, -ret, "Could not refresh total sector count");
1313        return ret;
1314    }
1315
1316    bdrv_refresh_limits(bs, &local_err);
1317    if (local_err) {
1318        error_propagate(errp, local_err);
1319        return -EINVAL;
1320    }
1321
1322    assert(bdrv_opt_mem_align(bs) != 0);
1323    assert(bdrv_min_mem_align(bs) != 0);
1324    assert(is_power_of_2(bs->bl.request_alignment));
1325
1326    for (i = 0; i < bs->quiesce_counter; i++) {
1327        if (drv->bdrv_co_drain_begin) {
1328            drv->bdrv_co_drain_begin(bs);
1329        }
1330    }
1331
1332    return 0;
1333open_failed:
1334    bs->drv = NULL;
1335    if (bs->file != NULL) {
1336        bdrv_unref_child(bs, bs->file);
1337        bs->file = NULL;
1338    }
1339    g_free(bs->opaque);
1340    bs->opaque = NULL;
1341    return ret;
1342}
1343
1344BlockDriverState *bdrv_new_open_driver(BlockDriver *drv, const char *node_name,
1345                                       int flags, Error **errp)
1346{
1347    BlockDriverState *bs;
1348    int ret;
1349
1350    bs = bdrv_new();
1351    bs->open_flags = flags;
1352    bs->explicit_options = qdict_new();
1353    bs->options = qdict_new();
1354    bs->opaque = NULL;
1355
1356    update_options_from_flags(bs->options, flags);
1357
1358    ret = bdrv_open_driver(bs, drv, node_name, bs->options, flags, errp);
1359    if (ret < 0) {
1360        qobject_unref(bs->explicit_options);
1361        bs->explicit_options = NULL;
1362        qobject_unref(bs->options);
1363        bs->options = NULL;
1364        bdrv_unref(bs);
1365        return NULL;
1366    }
1367
1368    return bs;
1369}
1370
1371QemuOptsList bdrv_runtime_opts = {
1372    .name = "bdrv_common",
1373    .head = QTAILQ_HEAD_INITIALIZER(bdrv_runtime_opts.head),
1374    .desc = {
1375        {
1376            .name = "node-name",
1377            .type = QEMU_OPT_STRING,
1378            .help = "Node name of the block device node",
1379        },
1380        {
1381            .name = "driver",
1382            .type = QEMU_OPT_STRING,
1383            .help = "Block driver to use for the node",
1384        },
1385        {
1386            .name = BDRV_OPT_CACHE_DIRECT,
1387            .type = QEMU_OPT_BOOL,
1388            .help = "Bypass software writeback cache on the host",
1389        },
1390        {
1391            .name = BDRV_OPT_CACHE_NO_FLUSH,
1392            .type = QEMU_OPT_BOOL,
1393            .help = "Ignore flush requests",
1394        },
1395        {
1396            .name = BDRV_OPT_READ_ONLY,
1397            .type = QEMU_OPT_BOOL,
1398            .help = "Node is opened in read-only mode",
1399        },
1400        {
1401            .name = BDRV_OPT_AUTO_READ_ONLY,
1402            .type = QEMU_OPT_BOOL,
1403            .help = "Node can become read-only if opening read-write fails",
1404        },
1405        {
1406            .name = "detect-zeroes",
1407            .type = QEMU_OPT_STRING,
1408            .help = "try to optimize zero writes (off, on, unmap)",
1409        },
1410        {
1411            .name = BDRV_OPT_DISCARD,
1412            .type = QEMU_OPT_STRING,
1413            .help = "discard operation (ignore/off, unmap/on)",
1414        },
1415        {
1416            .name = BDRV_OPT_FORCE_SHARE,
1417            .type = QEMU_OPT_BOOL,
1418            .help = "always accept other writers (default: off)",
1419        },
1420        { /* end of list */ }
1421    },
1422};
1423
1424/*
1425 * Common part for opening disk images and files
1426 *
1427 * Removes all processed options from *options.
1428 */
1429static int bdrv_open_common(BlockDriverState *bs, BlockBackend *file,
1430                            QDict *options, Error **errp)
1431{
1432    int ret, open_flags;
1433    const char *filename;
1434    const char *driver_name = NULL;
1435    const char *node_name = NULL;
1436    const char *discard;
1437    QemuOpts *opts;
1438    BlockDriver *drv;
1439    Error *local_err = NULL;
1440
1441    assert(bs->file == NULL);
1442    assert(options != NULL && bs->options != options);
1443
1444    opts = qemu_opts_create(&bdrv_runtime_opts, NULL, 0, &error_abort);
1445    qemu_opts_absorb_qdict(opts, options, &local_err);
1446    if (local_err) {
1447        error_propagate(errp, local_err);
1448        ret = -EINVAL;
1449        goto fail_opts;
1450    }
1451
1452    update_flags_from_options(&bs->open_flags, opts);
1453
1454    driver_name = qemu_opt_get(opts, "driver");
1455    drv = bdrv_find_format(driver_name);
1456    assert(drv != NULL);
1457
1458    bs->force_share = qemu_opt_get_bool(opts, BDRV_OPT_FORCE_SHARE, false);
1459
1460    if (bs->force_share && (bs->open_flags & BDRV_O_RDWR)) {
1461        error_setg(errp,
1462                   BDRV_OPT_FORCE_SHARE
1463                   "=on can only be used with read-only images");
1464        ret = -EINVAL;
1465        goto fail_opts;
1466    }
1467
1468    if (file != NULL) {
1469        bdrv_refresh_filename(blk_bs(file));
1470        filename = blk_bs(file)->filename;
1471    } else {
1472        /*
1473         * Caution: while qdict_get_try_str() is fine, getting
1474         * non-string types would require more care.  When @options
1475         * come from -blockdev or blockdev_add, its members are typed
1476         * according to the QAPI schema, but when they come from
1477         * -drive, they're all QString.
1478         */
1479        filename = qdict_get_try_str(options, "filename");
1480    }
1481
1482    if (drv->bdrv_needs_filename && (!filename || !filename[0])) {
1483        error_setg(errp, "The '%s' block driver requires a file name",
1484                   drv->format_name);
1485        ret = -EINVAL;
1486        goto fail_opts;
1487    }
1488
1489    trace_bdrv_open_common(bs, filename ?: "", bs->open_flags,
1490                           drv->format_name);
1491
1492    bs->read_only = !(bs->open_flags & BDRV_O_RDWR);
1493
1494    if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv, bs->read_only)) {
1495        if (!bs->read_only && bdrv_is_whitelisted(drv, true)) {
1496            ret = bdrv_apply_auto_read_only(bs, NULL, NULL);
1497        } else {
1498            ret = -ENOTSUP;
1499        }
1500        if (ret < 0) {
1501            error_setg(errp,
1502                       !bs->read_only && bdrv_is_whitelisted(drv, true)
1503                       ? "Driver '%s' can only be used for read-only devices"
1504                       : "Driver '%s' is not whitelisted",
1505                       drv->format_name);
1506            goto fail_opts;
1507        }
1508    }
1509
1510    /* bdrv_new() and bdrv_close() make it so */
1511    assert(atomic_read(&bs->copy_on_read) == 0);
1512
1513    if (bs->open_flags & BDRV_O_COPY_ON_READ) {
1514        if (!bs->read_only) {
1515            bdrv_enable_copy_on_read(bs);
1516        } else {
1517            error_setg(errp, "Can't use copy-on-read on read-only device");
1518            ret = -EINVAL;
1519            goto fail_opts;
1520        }
1521    }
1522
1523    discard = qemu_opt_get(opts, BDRV_OPT_DISCARD);
1524    if (discard != NULL) {
1525        if (bdrv_parse_discard_flags(discard, &bs->open_flags) != 0) {
1526            error_setg(errp, "Invalid discard option");
1527            ret = -EINVAL;
1528            goto fail_opts;
1529        }
1530    }
1531
1532    bs->detect_zeroes =
1533        bdrv_parse_detect_zeroes(opts, bs->open_flags, &local_err);
1534    if (local_err) {
1535        error_propagate(errp, local_err);
1536        ret = -EINVAL;
1537        goto fail_opts;
1538    }
1539
1540    if (filename != NULL) {
1541        pstrcpy(bs->filename, sizeof(bs->filename), filename);
1542    } else {
1543        bs->filename[0] = '\0';
1544    }
1545    pstrcpy(bs->exact_filename, sizeof(bs->exact_filename), bs->filename);
1546
1547    /* Open the image, either directly or using a protocol */
1548    open_flags = bdrv_open_flags(bs, bs->open_flags);
1549    node_name = qemu_opt_get(opts, "node-name");
1550
1551    assert(!drv->bdrv_file_open || file == NULL);
1552    ret = bdrv_open_driver(bs, drv, node_name, options, open_flags, errp);
1553    if (ret < 0) {
1554        goto fail_opts;
1555    }
1556
1557    qemu_opts_del(opts);
1558    return 0;
1559
1560fail_opts:
1561    qemu_opts_del(opts);
1562    return ret;
1563}
1564
1565static QDict *parse_json_filename(const char *filename, Error **errp)
1566{
1567    QObject *options_obj;
1568    QDict *options;
1569    int ret;
1570
1571    ret = strstart(filename, "json:", &filename);
1572    assert(ret);
1573
1574    options_obj = qobject_from_json(filename, errp);
1575    if (!options_obj) {
1576        error_prepend(errp, "Could not parse the JSON options: ");
1577        return NULL;
1578    }
1579
1580    options = qobject_to(QDict, options_obj);
1581    if (!options) {
1582        qobject_unref(options_obj);
1583        error_setg(errp, "Invalid JSON object given");
1584        return NULL;
1585    }
1586
1587    qdict_flatten(options);
1588
1589    return options;
1590}
1591
1592static void parse_json_protocol(QDict *options, const char **pfilename,
1593                                Error **errp)
1594{
1595    QDict *json_options;
1596    Error *local_err = NULL;
1597
1598    /* Parse json: pseudo-protocol */
1599    if (!*pfilename || !g_str_has_prefix(*pfilename, "json:")) {
1600        return;
1601    }
1602
1603    json_options = parse_json_filename(*pfilename, &local_err);
1604    if (local_err) {
1605        error_propagate(errp, local_err);
1606        return;
1607    }
1608
1609    /* Options given in the filename have lower priority than options
1610     * specified directly */
1611    qdict_join(options, json_options, false);
1612    qobject_unref(json_options);
1613    *pfilename = NULL;
1614}
1615
1616/*
1617 * Fills in default options for opening images and converts the legacy
1618 * filename/flags pair to option QDict entries.
1619 * The BDRV_O_PROTOCOL flag in *flags will be set or cleared accordingly if a
1620 * block driver has been specified explicitly.
1621 */
1622static int bdrv_fill_options(QDict **options, const char *filename,
1623                             int *flags, Error **errp)
1624{
1625    const char *drvname;
1626    bool protocol = *flags & BDRV_O_PROTOCOL;
1627    bool parse_filename = false;
1628    BlockDriver *drv = NULL;
1629    Error *local_err = NULL;
1630
1631    /*
1632     * Caution: while qdict_get_try_str() is fine, getting non-string
1633     * types would require more care.  When @options come from
1634     * -blockdev or blockdev_add, its members are typed according to
1635     * the QAPI schema, but when they come from -drive, they're all
1636     * QString.
1637     */
1638    drvname = qdict_get_try_str(*options, "driver");
1639    if (drvname) {
1640        drv = bdrv_find_format(drvname);
1641        if (!drv) {
1642            error_setg(errp, "Unknown driver '%s'", drvname);
1643            return -ENOENT;
1644        }
1645        /* If the user has explicitly specified the driver, this choice should
1646         * override the BDRV_O_PROTOCOL flag */
1647        protocol = drv->bdrv_file_open;
1648    }
1649
1650    if (protocol) {
1651        *flags |= BDRV_O_PROTOCOL;
1652    } else {
1653        *flags &= ~BDRV_O_PROTOCOL;
1654    }
1655
1656    /* Translate cache options from flags into options */
1657    update_options_from_flags(*options, *flags);
1658
1659    /* Fetch the file name from the options QDict if necessary */
1660    if (protocol && filename) {
1661        if (!qdict_haskey(*options, "filename")) {
1662            qdict_put_str(*options, "filename", filename);
1663            parse_filename = true;
1664        } else {
1665            error_setg(errp, "Can't specify 'file' and 'filename' options at "
1666                             "the same time");
1667            return -EINVAL;
1668        }
1669    }
1670
1671    /* Find the right block driver */
1672    /* See cautionary note on accessing @options above */
1673    filename = qdict_get_try_str(*options, "filename");
1674
1675    if (!drvname && protocol) {
1676        if (filename) {
1677            drv = bdrv_find_protocol(filename, parse_filename, errp);
1678            if (!drv) {
1679                return -EINVAL;
1680            }
1681
1682            drvname = drv->format_name;
1683            qdict_put_str(*options, "driver", drvname);
1684        } else {
1685            error_setg(errp, "Must specify either driver or file");
1686            return -EINVAL;
1687        }
1688    }
1689
1690    assert(drv || !protocol);
1691
1692    /* Driver-specific filename parsing */
1693    if (drv && drv->bdrv_parse_filename && parse_filename) {
1694        drv->bdrv_parse_filename(filename, *options, &local_err);
1695        if (local_err) {
1696            error_propagate(errp, local_err);
1697            return -EINVAL;
1698        }
1699
1700        if (!drv->bdrv_needs_filename) {
1701            qdict_del(*options, "filename");
1702        }
1703    }
1704
1705    return 0;
1706}
1707
1708static int bdrv_child_check_perm(BdrvChild *c, BlockReopenQueue *q,
1709                                 uint64_t perm, uint64_t shared,
1710                                 GSList *ignore_children,
1711                                 bool *tighten_restrictions, Error **errp);
1712static void bdrv_child_abort_perm_update(BdrvChild *c);
1713static void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared);
1714static void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm,
1715                                     uint64_t *shared_perm);
1716
1717typedef struct BlockReopenQueueEntry {
1718     bool prepared;
1719     bool perms_checked;
1720     BDRVReopenState state;
1721     QSIMPLEQ_ENTRY(BlockReopenQueueEntry) entry;
1722} BlockReopenQueueEntry;
1723
1724/*
1725 * Return the flags that @bs will have after the reopens in @q have
1726 * successfully completed. If @q is NULL (or @bs is not contained in @q),
1727 * return the current flags.
1728 */
1729static int bdrv_reopen_get_flags(BlockReopenQueue *q, BlockDriverState *bs)
1730{
1731    BlockReopenQueueEntry *entry;
1732
1733    if (q != NULL) {
1734        QSIMPLEQ_FOREACH(entry, q, entry) {
1735            if (entry->state.bs == bs) {
1736                return entry->state.flags;
1737            }
1738        }
1739    }
1740
1741    return bs->open_flags;
1742}
1743
1744/* Returns whether the image file can be written to after the reopen queue @q
1745 * has been successfully applied, or right now if @q is NULL. */
1746static bool bdrv_is_writable_after_reopen(BlockDriverState *bs,
1747                                          BlockReopenQueue *q)
1748{
1749    int flags = bdrv_reopen_get_flags(q, bs);
1750
1751    return (flags & (BDRV_O_RDWR | BDRV_O_INACTIVE)) == BDRV_O_RDWR;
1752}
1753
1754/*
1755 * Return whether the BDS can be written to.  This is not necessarily
1756 * the same as !bdrv_is_read_only(bs), as inactivated images may not
1757 * be written to but do not count as read-only images.
1758 */
1759bool bdrv_is_writable(BlockDriverState *bs)
1760{
1761    return bdrv_is_writable_after_reopen(bs, NULL);
1762}
1763
1764static void bdrv_child_perm(BlockDriverState *bs, BlockDriverState *child_bs,
1765                            BdrvChild *c, const BdrvChildRole *role,
1766                            BlockReopenQueue *reopen_queue,
1767                            uint64_t parent_perm, uint64_t parent_shared,
1768                            uint64_t *nperm, uint64_t *nshared)
1769{
1770    assert(bs->drv && bs->drv->bdrv_child_perm);
1771    bs->drv->bdrv_child_perm(bs, c, role, reopen_queue,
1772                             parent_perm, parent_shared,
1773                             nperm, nshared);
1774    /* TODO Take force_share from reopen_queue */
1775    if (child_bs && child_bs->force_share) {
1776        *nshared = BLK_PERM_ALL;
1777    }
1778}
1779
1780/*
1781 * Check whether permissions on this node can be changed in a way that
1782 * @cumulative_perms and @cumulative_shared_perms are the new cumulative
1783 * permissions of all its parents. This involves checking whether all necessary
1784 * permission changes to child nodes can be performed.
1785 *
1786 * Will set *tighten_restrictions to true if and only if new permissions have to
1787 * be taken or currently shared permissions are to be unshared.  Otherwise,
1788 * errors are not fatal as long as the caller accepts that the restrictions
1789 * remain tighter than they need to be.  The caller still has to abort the
1790 * transaction.
1791 * @tighten_restrictions cannot be used together with @q: When reopening, we may
1792 * encounter fatal errors even though no restrictions are to be tightened.  For
1793 * example, changing a node from RW to RO will fail if the WRITE permission is
1794 * to be kept.
1795 *
1796 * A call to this function must always be followed by a call to bdrv_set_perm()
1797 * or bdrv_abort_perm_update().
1798 */
1799static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q,
1800                           uint64_t cumulative_perms,
1801                           uint64_t cumulative_shared_perms,
1802                           GSList *ignore_children,
1803                           bool *tighten_restrictions, Error **errp)
1804{
1805    BlockDriver *drv = bs->drv;
1806    BdrvChild *c;
1807    int ret;
1808
1809    assert(!q || !tighten_restrictions);
1810
1811    if (tighten_restrictions) {
1812        uint64_t current_perms, current_shared;
1813        uint64_t added_perms, removed_shared_perms;
1814
1815        bdrv_get_cumulative_perm(bs, &current_perms, &current_shared);
1816
1817        added_perms = cumulative_perms & ~current_perms;
1818        removed_shared_perms = current_shared & ~cumulative_shared_perms;
1819
1820        *tighten_restrictions = added_perms || removed_shared_perms;
1821    }
1822
1823    /* Write permissions never work with read-only images */
1824    if ((cumulative_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) &&
1825        !bdrv_is_writable_after_reopen(bs, q))
1826    {
1827        if (!bdrv_is_writable_after_reopen(bs, NULL)) {
1828            error_setg(errp, "Block node is read-only");
1829        } else {
1830            uint64_t current_perms, current_shared;
1831            bdrv_get_cumulative_perm(bs, &current_perms, &current_shared);
1832            if (current_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) {
1833                error_setg(errp, "Cannot make block node read-only, there is "
1834                           "a writer on it");
1835            } else {
1836                error_setg(errp, "Cannot make block node read-only and create "
1837                           "a writer on it");
1838            }
1839        }
1840
1841        return -EPERM;
1842    }
1843
1844    /* Check this node */
1845    if (!drv) {
1846        return 0;
1847    }
1848
1849    if (drv->bdrv_check_perm) {
1850        return drv->bdrv_check_perm(bs, cumulative_perms,
1851                                    cumulative_shared_perms, errp);
1852    }
1853
1854    /* Drivers that never have children can omit .bdrv_child_perm() */
1855    if (!drv->bdrv_child_perm) {
1856        assert(QLIST_EMPTY(&bs->children));
1857        return 0;
1858    }
1859
1860    /* Check all children */
1861    QLIST_FOREACH(c, &bs->children, next) {
1862        uint64_t cur_perm, cur_shared;
1863        bool child_tighten_restr;
1864
1865        bdrv_child_perm(bs, c->bs, c, c->role, q,
1866                        cumulative_perms, cumulative_shared_perms,
1867                        &cur_perm, &cur_shared);
1868        ret = bdrv_child_check_perm(c, q, cur_perm, cur_shared, ignore_children,
1869                                    tighten_restrictions ? &child_tighten_restr
1870                                                         : NULL,
1871                                    errp);
1872        if (tighten_restrictions) {
1873            *tighten_restrictions |= child_tighten_restr;
1874        }
1875        if (ret < 0) {
1876            return ret;
1877        }
1878    }
1879
1880    return 0;
1881}
1882
1883/*
1884 * Notifies drivers that after a previous bdrv_check_perm() call, the
1885 * permission update is not performed and any preparations made for it (e.g.
1886 * taken file locks) need to be undone.
1887 *
1888 * This function recursively notifies all child nodes.
1889 */
1890static void bdrv_abort_perm_update(BlockDriverState *bs)
1891{
1892    BlockDriver *drv = bs->drv;
1893    BdrvChild *c;
1894
1895    if (!drv) {
1896        return;
1897    }
1898
1899    if (drv->bdrv_abort_perm_update) {
1900        drv->bdrv_abort_perm_update(bs);
1901    }
1902
1903    QLIST_FOREACH(c, &bs->children, next) {
1904        bdrv_child_abort_perm_update(c);
1905    }
1906}
1907
1908static void bdrv_set_perm(BlockDriverState *bs, uint64_t cumulative_perms,
1909                          uint64_t cumulative_shared_perms)
1910{
1911    BlockDriver *drv = bs->drv;
1912    BdrvChild *c;
1913
1914    if (!drv) {
1915        return;
1916    }
1917
1918    /* Update this node */
1919    if (drv->bdrv_set_perm) {
1920        drv->bdrv_set_perm(bs, cumulative_perms, cumulative_shared_perms);
1921    }
1922
1923    /* Drivers that never have children can omit .bdrv_child_perm() */
1924    if (!drv->bdrv_child_perm) {
1925        assert(QLIST_EMPTY(&bs->children));
1926        return;
1927    }
1928
1929    /* Update all children */
1930    QLIST_FOREACH(c, &bs->children, next) {
1931        uint64_t cur_perm, cur_shared;
1932        bdrv_child_perm(bs, c->bs, c, c->role, NULL,
1933                        cumulative_perms, cumulative_shared_perms,
1934                        &cur_perm, &cur_shared);
1935        bdrv_child_set_perm(c, cur_perm, cur_shared);
1936    }
1937}
1938
1939static void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm,
1940                                     uint64_t *shared_perm)
1941{
1942    BdrvChild *c;
1943    uint64_t cumulative_perms = 0;
1944    uint64_t cumulative_shared_perms = BLK_PERM_ALL;
1945
1946    QLIST_FOREACH(c, &bs->parents, next_parent) {
1947        cumulative_perms |= c->perm;
1948        cumulative_shared_perms &= c->shared_perm;
1949    }
1950
1951    *perm = cumulative_perms;
1952    *shared_perm = cumulative_shared_perms;
1953}
1954
1955static char *bdrv_child_user_desc(BdrvChild *c)
1956{
1957    if (c->role->get_parent_desc) {
1958        return c->role->get_parent_desc(c);
1959    }
1960
1961    return g_strdup("another user");
1962}
1963
1964char *bdrv_perm_names(uint64_t perm)
1965{
1966    struct perm_name {
1967        uint64_t perm;
1968        const char *name;
1969    } permissions[] = {
1970        { BLK_PERM_CONSISTENT_READ, "consistent read" },
1971        { BLK_PERM_WRITE,           "write" },
1972        { BLK_PERM_WRITE_UNCHANGED, "write unchanged" },
1973        { BLK_PERM_RESIZE,          "resize" },
1974        { BLK_PERM_GRAPH_MOD,       "change children" },
1975        { 0, NULL }
1976    };
1977
1978    char *result = g_strdup("");
1979    struct perm_name *p;
1980
1981    for (p = permissions; p->name; p++) {
1982        if (perm & p->perm) {
1983            char *old = result;
1984            result = g_strdup_printf("%s%s%s", old, *old ? ", " : "", p->name);
1985            g_free(old);
1986        }
1987    }
1988
1989    return result;
1990}
1991
1992/*
1993 * Checks whether a new reference to @bs can be added if the new user requires
1994 * @new_used_perm/@new_shared_perm as its permissions. If @ignore_children is
1995 * set, the BdrvChild objects in this list are ignored in the calculations;
1996 * this allows checking permission updates for an existing reference.
1997 *
1998 * See bdrv_check_perm() for the semantics of @tighten_restrictions.
1999 *
2000 * Needs to be followed by a call to either bdrv_set_perm() or
2001 * bdrv_abort_perm_update(). */
2002static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q,
2003                                  uint64_t new_used_perm,
2004                                  uint64_t new_shared_perm,
2005                                  GSList *ignore_children,
2006                                  bool *tighten_restrictions,
2007                                  Error **errp)
2008{
2009    BdrvChild *c;
2010    uint64_t cumulative_perms = new_used_perm;
2011    uint64_t cumulative_shared_perms = new_shared_perm;
2012
2013    assert(!q || !tighten_restrictions);
2014
2015    /* There is no reason why anyone couldn't tolerate write_unchanged */
2016    assert(new_shared_perm & BLK_PERM_WRITE_UNCHANGED);
2017
2018    QLIST_FOREACH(c, &bs->parents, next_parent) {
2019        if (g_slist_find(ignore_children, c)) {
2020            continue;
2021        }
2022
2023        if ((new_used_perm & c->shared_perm) != new_used_perm) {
2024            char *user = bdrv_child_user_desc(c);
2025            char *perm_names = bdrv_perm_names(new_used_perm & ~c->shared_perm);
2026
2027            if (tighten_restrictions) {
2028                *tighten_restrictions = true;
2029            }
2030
2031            error_setg(errp, "Conflicts with use by %s as '%s', which does not "
2032                             "allow '%s' on %s",
2033                       user, c->name, perm_names, bdrv_get_node_name(c->bs));
2034            g_free(user);
2035            g_free(perm_names);
2036            return -EPERM;
2037        }
2038
2039        if ((c->perm & new_shared_perm) != c->perm) {
2040            char *user = bdrv_child_user_desc(c);
2041            char *perm_names = bdrv_perm_names(c->perm & ~new_shared_perm);
2042
2043            if (tighten_restrictions) {
2044                *tighten_restrictions = true;
2045            }
2046
2047            error_setg(errp, "Conflicts with use by %s as '%s', which uses "
2048                             "'%s' on %s",
2049                       user, c->name, perm_names, bdrv_get_node_name(c->bs));
2050            g_free(user);
2051            g_free(perm_names);
2052            return -EPERM;
2053        }
2054
2055        cumulative_perms |= c->perm;
2056        cumulative_shared_perms &= c->shared_perm;
2057    }
2058
2059    return bdrv_check_perm(bs, q, cumulative_perms, cumulative_shared_perms,
2060                           ignore_children, tighten_restrictions, errp);
2061}
2062
2063/* Needs to be followed by a call to either bdrv_child_set_perm() or
2064 * bdrv_child_abort_perm_update(). */
2065static int bdrv_child_check_perm(BdrvChild *c, BlockReopenQueue *q,
2066                                 uint64_t perm, uint64_t shared,
2067                                 GSList *ignore_children,
2068                                 bool *tighten_restrictions, Error **errp)
2069{
2070    int ret;
2071
2072    ignore_children = g_slist_prepend(g_slist_copy(ignore_children), c);
2073    ret = bdrv_check_update_perm(c->bs, q, perm, shared, ignore_children,
2074                                 tighten_restrictions, errp);
2075    g_slist_free(ignore_children);
2076
2077    if (ret < 0) {
2078        return ret;
2079    }
2080
2081    if (!c->has_backup_perm) {
2082        c->has_backup_perm = true;
2083        c->backup_perm = c->perm;
2084        c->backup_shared_perm = c->shared_perm;
2085    }
2086    /*
2087     * Note: it's OK if c->has_backup_perm was already set, as we can find the
2088     * same child twice during check_perm procedure
2089     */
2090
2091    c->perm = perm;
2092    c->shared_perm = shared;
2093
2094    return 0;
2095}
2096
2097static void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared)
2098{
2099    uint64_t cumulative_perms, cumulative_shared_perms;
2100
2101    c->has_backup_perm = false;
2102
2103    c->perm = perm;
2104    c->shared_perm = shared;
2105
2106    bdrv_get_cumulative_perm(c->bs, &cumulative_perms,
2107                             &cumulative_shared_perms);
2108    bdrv_set_perm(c->bs, cumulative_perms, cumulative_shared_perms);
2109}
2110
2111static void bdrv_child_abort_perm_update(BdrvChild *c)
2112{
2113    if (c->has_backup_perm) {
2114        c->perm = c->backup_perm;
2115        c->shared_perm = c->backup_shared_perm;
2116        c->has_backup_perm = false;
2117    }
2118
2119    bdrv_abort_perm_update(c->bs);
2120}
2121
2122int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
2123                            Error **errp)
2124{
2125    Error *local_err = NULL;
2126    int ret;
2127    bool tighten_restrictions;
2128
2129    ret = bdrv_child_check_perm(c, NULL, perm, shared, NULL,
2130                                &tighten_restrictions, &local_err);
2131    if (ret < 0) {
2132        bdrv_child_abort_perm_update(c);
2133        if (tighten_restrictions) {
2134            error_propagate(errp, local_err);
2135        } else {
2136            /*
2137             * Our caller may intend to only loosen restrictions and
2138             * does not expect this function to fail.  Errors are not
2139             * fatal in such a case, so we can just hide them from our
2140             * caller.
2141             */
2142            error_free(local_err);
2143            ret = 0;
2144        }
2145        return ret;
2146    }
2147
2148    bdrv_child_set_perm(c, perm, shared);
2149
2150    return 0;
2151}
2152
2153int bdrv_child_refresh_perms(BlockDriverState *bs, BdrvChild *c, Error **errp)
2154{
2155    uint64_t parent_perms, parent_shared;
2156    uint64_t perms, shared;
2157
2158    bdrv_get_cumulative_perm(bs, &parent_perms, &parent_shared);
2159    bdrv_child_perm(bs, c->bs, c, c->role, NULL, parent_perms, parent_shared,
2160                    &perms, &shared);
2161
2162    return bdrv_child_try_set_perm(c, perms, shared, errp);
2163}
2164
2165void bdrv_filter_default_perms(BlockDriverState *bs, BdrvChild *c,
2166                               const BdrvChildRole *role,
2167                               BlockReopenQueue *reopen_queue,
2168                               uint64_t perm, uint64_t shared,
2169                               uint64_t *nperm, uint64_t *nshared)
2170{
2171    if (c == NULL) {
2172        *nperm = perm & DEFAULT_PERM_PASSTHROUGH;
2173        *nshared = (shared & DEFAULT_PERM_PASSTHROUGH) | DEFAULT_PERM_UNCHANGED;
2174        return;
2175    }
2176
2177    *nperm = (perm & DEFAULT_PERM_PASSTHROUGH) |
2178             (c->perm & DEFAULT_PERM_UNCHANGED);
2179    *nshared = (shared & DEFAULT_PERM_PASSTHROUGH) |
2180               (c->shared_perm & DEFAULT_PERM_UNCHANGED);
2181}
2182
2183void bdrv_format_default_perms(BlockDriverState *bs, BdrvChild *c,
2184                               const BdrvChildRole *role,
2185                               BlockReopenQueue *reopen_queue,
2186                               uint64_t perm, uint64_t shared,
2187                               uint64_t *nperm, uint64_t *nshared)
2188{
2189    bool backing = (role == &child_backing);
2190    assert(role == &child_backing || role == &child_file);
2191
2192    if (!backing) {
2193        int flags = bdrv_reopen_get_flags(reopen_queue, bs);
2194
2195        /* Apart from the modifications below, the same permissions are
2196         * forwarded and left alone as for filters */
2197        bdrv_filter_default_perms(bs, c, role, reopen_queue, perm, shared,
2198                                  &perm, &shared);
2199
2200        /* Format drivers may touch metadata even if the guest doesn't write */
2201        if (bdrv_is_writable_after_reopen(bs, reopen_queue)) {
2202            perm |= BLK_PERM_WRITE | BLK_PERM_RESIZE;
2203        }
2204
2205        /* bs->file always needs to be consistent because of the metadata. We
2206         * can never allow other users to resize or write to it. */
2207        if (!(flags & BDRV_O_NO_IO)) {
2208            perm |= BLK_PERM_CONSISTENT_READ;
2209        }
2210        shared &= ~(BLK_PERM_WRITE | BLK_PERM_RESIZE);
2211    } else {
2212        /* We want consistent read from backing files if the parent needs it.
2213         * No other operations are performed on backing files. */
2214        perm &= BLK_PERM_CONSISTENT_READ;
2215
2216        /* If the parent can deal with changing data, we're okay with a
2217         * writable and resizable backing file. */
2218        /* TODO Require !(perm & BLK_PERM_CONSISTENT_READ), too? */
2219        if (shared & BLK_PERM_WRITE) {
2220            shared = BLK_PERM_WRITE | BLK_PERM_RESIZE;
2221        } else {
2222            shared = 0;
2223        }
2224
2225        shared |= BLK_PERM_CONSISTENT_READ | BLK_PERM_GRAPH_MOD |
2226                  BLK_PERM_WRITE_UNCHANGED;
2227    }
2228
2229    if (bs->open_flags & BDRV_O_INACTIVE) {
2230        shared |= BLK_PERM_WRITE | BLK_PERM_RESIZE;
2231    }
2232
2233    *nperm = perm;
2234    *nshared = shared;
2235}
2236
2237static void bdrv_replace_child_noperm(BdrvChild *child,
2238                                      BlockDriverState *new_bs)
2239{
2240    BlockDriverState *old_bs = child->bs;
2241    int i;
2242
2243    assert(!child->frozen);
2244
2245    if (old_bs && new_bs) {
2246        assert(bdrv_get_aio_context(old_bs) == bdrv_get_aio_context(new_bs));
2247    }
2248    if (old_bs) {
2249        /* Detach first so that the recursive drain sections coming from @child
2250         * are already gone and we only end the drain sections that came from
2251         * elsewhere. */
2252        if (child->role->detach) {
2253            child->role->detach(child);
2254        }
2255        while (child->parent_quiesce_counter) {
2256            bdrv_parent_drained_end_single(child);
2257        }
2258        QLIST_REMOVE(child, next_parent);
2259    } else {
2260        assert(child->parent_quiesce_counter == 0);
2261    }
2262
2263    child->bs = new_bs;
2264
2265    if (new_bs) {
2266        QLIST_INSERT_HEAD(&new_bs->parents, child, next_parent);
2267        if (new_bs->quiesce_counter) {
2268            int num = new_bs->quiesce_counter;
2269            if (child->role->parent_is_bds) {
2270                num -= bdrv_drain_all_count;
2271            }
2272            assert(num >= 0);
2273            for (i = 0; i < num; i++) {
2274                bdrv_parent_drained_begin_single(child, true);
2275            }
2276        }
2277
2278        /* Attach only after starting new drained sections, so that recursive
2279         * drain sections coming from @child don't get an extra .drained_begin
2280         * callback. */
2281        if (child->role->attach) {
2282            child->role->attach(child);
2283        }
2284    }
2285}
2286
2287/*
2288 * Updates @child to change its reference to point to @new_bs, including
2289 * checking and applying the necessary permisson updates both to the old node
2290 * and to @new_bs.
2291 *
2292 * NULL is passed as @new_bs for removing the reference before freeing @child.
2293 *
2294 * If @new_bs is not NULL, bdrv_check_perm() must be called beforehand, as this
2295 * function uses bdrv_set_perm() to update the permissions according to the new
2296 * reference that @new_bs gets.
2297 */
2298static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs)
2299{
2300    BlockDriverState *old_bs = child->bs;
2301    uint64_t perm, shared_perm;
2302
2303    bdrv_replace_child_noperm(child, new_bs);
2304
2305    /*
2306     * Start with the new node's permissions.  If @new_bs is a (direct
2307     * or indirect) child of @old_bs, we must complete the permission
2308     * update on @new_bs before we loosen the restrictions on @old_bs.
2309     * Otherwise, bdrv_check_perm() on @old_bs would re-initiate
2310     * updating the permissions of @new_bs, and thus not purely loosen
2311     * restrictions.
2312     */
2313    if (new_bs) {
2314        bdrv_get_cumulative_perm(new_bs, &perm, &shared_perm);
2315        bdrv_set_perm(new_bs, perm, shared_perm);
2316    }
2317
2318    if (old_bs) {
2319        /* Update permissions for old node. This is guaranteed to succeed
2320         * because we're just taking a parent away, so we're loosening
2321         * restrictions. */
2322        bool tighten_restrictions;
2323        int ret;
2324
2325        bdrv_get_cumulative_perm(old_bs, &perm, &shared_perm);
2326        ret = bdrv_check_perm(old_bs, NULL, perm, shared_perm, NULL,
2327                              &tighten_restrictions, NULL);
2328        assert(tighten_restrictions == false);
2329        if (ret < 0) {
2330            /* We only tried to loosen restrictions, so errors are not fatal */
2331            bdrv_abort_perm_update(old_bs);
2332        } else {
2333            bdrv_set_perm(old_bs, perm, shared_perm);
2334        }
2335
2336        /* When the parent requiring a non-default AioContext is removed, the
2337         * node moves back to the main AioContext */
2338        bdrv_try_set_aio_context(old_bs, qemu_get_aio_context(), NULL);
2339    }
2340}
2341
2342/*
2343 * This function steals the reference to child_bs from the caller.
2344 * That reference is later dropped by bdrv_root_unref_child().
2345 *
2346 * On failure NULL is returned, errp is set and the reference to
2347 * child_bs is also dropped.
2348 *
2349 * The caller must hold the AioContext lock @child_bs, but not that of @ctx
2350 * (unless @child_bs is already in @ctx).
2351 */
2352BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs,
2353                                  const char *child_name,
2354                                  const BdrvChildRole *child_role,
2355                                  AioContext *ctx,
2356                                  uint64_t perm, uint64_t shared_perm,
2357                                  void *opaque, Error **errp)
2358{
2359    BdrvChild *child;
2360    Error *local_err = NULL;
2361    int ret;
2362
2363    ret = bdrv_check_update_perm(child_bs, NULL, perm, shared_perm, NULL, NULL,
2364                                 errp);
2365    if (ret < 0) {
2366        bdrv_abort_perm_update(child_bs);
2367        bdrv_unref(child_bs);
2368        return NULL;
2369    }
2370
2371    child = g_new(BdrvChild, 1);
2372    *child = (BdrvChild) {
2373        .bs             = NULL,
2374        .name           = g_strdup(child_name),
2375        .role           = child_role,
2376        .perm           = perm,
2377        .shared_perm    = shared_perm,
2378        .opaque         = opaque,
2379    };
2380
2381    /* If the AioContexts don't match, first try to move the subtree of
2382     * child_bs into the AioContext of the new parent. If this doesn't work,
2383     * try moving the parent into the AioContext of child_bs instead. */
2384    if (bdrv_get_aio_context(child_bs) != ctx) {
2385        ret = bdrv_try_set_aio_context(child_bs, ctx, &local_err);
2386        if (ret < 0 && child_role->can_set_aio_ctx) {
2387            GSList *ignore = g_slist_prepend(NULL, child);;
2388            ctx = bdrv_get_aio_context(child_bs);
2389            if (child_role->can_set_aio_ctx(child, ctx, &ignore, NULL)) {
2390                error_free(local_err);
2391                ret = 0;
2392                g_slist_free(ignore);
2393                ignore = g_slist_prepend(NULL, child);;
2394                child_role->set_aio_ctx(child, ctx, &ignore);
2395            }
2396            g_slist_free(ignore);
2397        }
2398        if (ret < 0) {
2399            error_propagate(errp, local_err);
2400            g_free(child);
2401            bdrv_abort_perm_update(child_bs);
2402            return NULL;
2403        }
2404    }
2405
2406    /* This performs the matching bdrv_set_perm() for the above check. */
2407    bdrv_replace_child(child, child_bs);
2408
2409    return child;
2410}
2411
2412/*
2413 * This function transfers the reference to child_bs from the caller
2414 * to parent_bs. That reference is later dropped by parent_bs on
2415 * bdrv_close() or if someone calls bdrv_unref_child().
2416 *
2417 * On failure NULL is returned, errp is set and the reference to
2418 * child_bs is also dropped.
2419 *
2420 * If @parent_bs and @child_bs are in different AioContexts, the caller must
2421 * hold the AioContext lock for @child_bs, but not for @parent_bs.
2422 */
2423BdrvChild *bdrv_attach_child(BlockDriverState *parent_bs,
2424                             BlockDriverState *child_bs,
2425                             const char *child_name,
2426                             const BdrvChildRole *child_role,
2427                             Error **errp)
2428{
2429    BdrvChild *child;
2430    uint64_t perm, shared_perm;
2431
2432    bdrv_get_cumulative_perm(parent_bs, &perm, &shared_perm);
2433
2434    assert(parent_bs->drv);
2435    bdrv_child_perm(parent_bs, child_bs, NULL, child_role, NULL,
2436                    perm, shared_perm, &perm, &shared_perm);
2437
2438    child = bdrv_root_attach_child(child_bs, child_name, child_role,
2439                                   bdrv_get_aio_context(parent_bs),
2440                                   perm, shared_perm, parent_bs, errp);
2441    if (child == NULL) {
2442        return NULL;
2443    }
2444
2445    QLIST_INSERT_HEAD(&parent_bs->children, child, next);
2446    return child;
2447}
2448
2449static void bdrv_detach_child(BdrvChild *child)
2450{
2451    if (child->next.le_prev) {
2452        QLIST_REMOVE(child, next);
2453        child->next.le_prev = NULL;
2454    }
2455
2456    bdrv_replace_child(child, NULL);
2457
2458    g_free(child->name);
2459    g_free(child);
2460}
2461
2462void bdrv_root_unref_child(BdrvChild *child)
2463{
2464    BlockDriverState *child_bs;
2465
2466    child_bs = child->bs;
2467    bdrv_detach_child(child);
2468    bdrv_unref(child_bs);
2469}
2470
2471/**
2472 * Clear all inherits_from pointers from children and grandchildren of
2473 * @root that point to @root, where necessary.
2474 */
2475static void bdrv_unset_inherits_from(BlockDriverState *root, BdrvChild *child)
2476{
2477    BdrvChild *c;
2478
2479    if (child->bs->inherits_from == root) {
2480        /*
2481         * Remove inherits_from only when the last reference between root and
2482         * child->bs goes away.
2483         */
2484        QLIST_FOREACH(c, &root->children, next) {
2485            if (c != child && c->bs == child->bs) {
2486                break;
2487            }
2488        }
2489        if (c == NULL) {
2490            child->bs->inherits_from = NULL;
2491        }
2492    }
2493
2494    QLIST_FOREACH(c, &child->bs->children, next) {
2495        bdrv_unset_inherits_from(root, c);
2496    }
2497}
2498
2499void bdrv_unref_child(BlockDriverState *parent, BdrvChild *child)
2500{
2501    if (child == NULL) {
2502        return;
2503    }
2504
2505    bdrv_unset_inherits_from(parent, child);
2506    bdrv_root_unref_child(child);
2507}
2508
2509
2510static void bdrv_parent_cb_change_media(BlockDriverState *bs, bool load)
2511{
2512    BdrvChild *c;
2513    QLIST_FOREACH(c, &bs->parents, next_parent) {
2514        if (c->role->change_media) {
2515            c->role->change_media(c, load);
2516        }
2517    }
2518}
2519
2520/* Return true if you can reach parent going through child->inherits_from
2521 * recursively. If parent or child are NULL, return false */
2522static bool bdrv_inherits_from_recursive(BlockDriverState *child,
2523                                         BlockDriverState *parent)
2524{
2525    while (child && child != parent) {
2526        child = child->inherits_from;
2527    }
2528
2529    return child != NULL;
2530}
2531
2532/*
2533 * Sets the backing file link of a BDS. A new reference is created; callers
2534 * which don't need their own reference any more must call bdrv_unref().
2535 */
2536void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,
2537                         Error **errp)
2538{
2539    bool update_inherits_from = bdrv_chain_contains(bs, backing_hd) &&
2540        bdrv_inherits_from_recursive(backing_hd, bs);
2541
2542    if (bdrv_is_backing_chain_frozen(bs, backing_bs(bs), errp)) {
2543        return;
2544    }
2545
2546    if (backing_hd) {
2547        bdrv_ref(backing_hd);
2548    }
2549
2550    if (bs->backing) {
2551        bdrv_unref_child(bs, bs->backing);
2552    }
2553
2554    if (!backing_hd) {
2555        bs->backing = NULL;
2556        goto out;
2557    }
2558
2559    bs->backing = bdrv_attach_child(bs, backing_hd, "backing", &child_backing,
2560                                    errp);
2561    /* If backing_hd was already part of bs's backing chain, and
2562     * inherits_from pointed recursively to bs then let's update it to
2563     * point directly to bs (else it will become NULL). */
2564    if (bs->backing && update_inherits_from) {
2565        backing_hd->inherits_from = bs;
2566    }
2567
2568out:
2569    bdrv_refresh_limits(bs, NULL);
2570}
2571
2572/*
2573 * Opens the backing file for a BlockDriverState if not yet open
2574 *
2575 * bdref_key specifies the key for the image's BlockdevRef in the options QDict.
2576 * That QDict has to be flattened; therefore, if the BlockdevRef is a QDict
2577 * itself, all options starting with "${bdref_key}." are considered part of the
2578 * BlockdevRef.
2579 *
2580 * TODO Can this be unified with bdrv_open_image()?
2581 */
2582int bdrv_open_backing_file(BlockDriverState *bs, QDict *parent_options,
2583                           const char *bdref_key, Error **errp)
2584{
2585    char *backing_filename = NULL;
2586    char *bdref_key_dot;
2587    const char *reference = NULL;
2588    int ret = 0;
2589    bool implicit_backing = false;
2590    BlockDriverState *backing_hd;
2591    QDict *options;
2592    QDict *tmp_parent_options = NULL;
2593    Error *local_err = NULL;
2594
2595    if (bs->backing != NULL) {
2596        goto free_exit;
2597    }
2598
2599    /* NULL means an empty set of options */
2600    if (parent_options == NULL) {
2601        tmp_parent_options = qdict_new();
2602        parent_options = tmp_parent_options;
2603    }
2604
2605    bs->open_flags &= ~BDRV_O_NO_BACKING;
2606
2607    bdref_key_dot = g_strdup_printf("%s.", bdref_key);
2608    qdict_extract_subqdict(parent_options, &options, bdref_key_dot);
2609    g_free(bdref_key_dot);
2610
2611    /*
2612     * Caution: while qdict_get_try_str() is fine, getting non-string
2613     * types would require more care.  When @parent_options come from
2614     * -blockdev or blockdev_add, its members are typed according to
2615     * the QAPI schema, but when they come from -drive, they're all
2616     * QString.
2617     */
2618    reference = qdict_get_try_str(parent_options, bdref_key);
2619    if (reference || qdict_haskey(options, "file.filename")) {
2620        /* keep backing_filename NULL */
2621    } else if (bs->backing_file[0] == '\0' && qdict_size(options) == 0) {
2622        qobject_unref(options);
2623        goto free_exit;
2624    } else {
2625        if (qdict_size(options) == 0) {
2626            /* If the user specifies options that do not modify the
2627             * backing file's behavior, we might still consider it the
2628             * implicit backing file.  But it's easier this way, and
2629             * just specifying some of the backing BDS's options is
2630             * only possible with -drive anyway (otherwise the QAPI
2631             * schema forces the user to specify everything). */
2632            implicit_backing = !strcmp(bs->auto_backing_file, bs->backing_file);
2633        }
2634
2635        backing_filename = bdrv_get_full_backing_filename(bs, &local_err);
2636        if (local_err) {
2637            ret = -EINVAL;
2638            error_propagate(errp, local_err);
2639            qobject_unref(options);
2640            goto free_exit;
2641        }
2642    }
2643
2644    if (!bs->drv || !bs->drv->supports_backing) {
2645        ret = -EINVAL;
2646        error_setg(errp, "Driver doesn't support backing files");
2647        qobject_unref(options);
2648        goto free_exit;
2649    }
2650
2651    if (!reference &&
2652        bs->backing_format[0] != '\0' && !qdict_haskey(options, "driver")) {
2653        qdict_put_str(options, "driver", bs->backing_format);
2654    }
2655
2656    backing_hd = bdrv_open_inherit(backing_filename, reference, options, 0, bs,
2657                                   &child_backing, errp);
2658    if (!backing_hd) {
2659        bs->open_flags |= BDRV_O_NO_BACKING;
2660        error_prepend(errp, "Could not open backing file: ");
2661        ret = -EINVAL;
2662        goto free_exit;
2663    }
2664
2665    if (implicit_backing) {
2666        bdrv_refresh_filename(backing_hd);
2667        pstrcpy(bs->auto_backing_file, sizeof(bs->auto_backing_file),
2668                backing_hd->filename);
2669    }
2670
2671    /* Hook up the backing file link; drop our reference, bs owns the
2672     * backing_hd reference now */
2673    bdrv_set_backing_hd(bs, backing_hd, &local_err);
2674    bdrv_unref(backing_hd);
2675    if (local_err) {
2676        error_propagate(errp, local_err);
2677        ret = -EINVAL;
2678        goto free_exit;
2679    }
2680
2681    qdict_del(parent_options, bdref_key);
2682
2683free_exit:
2684    g_free(backing_filename);
2685    qobject_unref(tmp_parent_options);
2686    return ret;
2687}
2688
2689static BlockDriverState *
2690bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
2691                   BlockDriverState *parent, const BdrvChildRole *child_role,
2692                   bool allow_none, Error **errp)
2693{
2694    BlockDriverState *bs = NULL;
2695    QDict *image_options;
2696    char *bdref_key_dot;
2697    const char *reference;
2698
2699    assert(child_role != NULL);
2700
2701    bdref_key_dot = g_strdup_printf("%s.", bdref_key);
2702    qdict_extract_subqdict(options, &image_options, bdref_key_dot);
2703    g_free(bdref_key_dot);
2704
2705    /*
2706     * Caution: while qdict_get_try_str() is fine, getting non-string
2707     * types would require more care.  When @options come from
2708     * -blockdev or blockdev_add, its members are typed according to
2709     * the QAPI schema, but when they come from -drive, they're all
2710     * QString.
2711     */
2712    reference = qdict_get_try_str(options, bdref_key);
2713    if (!filename && !reference && !qdict_size(image_options)) {
2714        if (!allow_none) {
2715            error_setg(errp, "A block device must be specified for \"%s\"",
2716                       bdref_key);
2717        }
2718        qobject_unref(image_options);
2719        goto done;
2720    }
2721
2722    bs = bdrv_open_inherit(filename, reference, image_options, 0,
2723                           parent, child_role, errp);
2724    if (!bs) {
2725        goto done;
2726    }
2727
2728done:
2729    qdict_del(options, bdref_key);
2730    return bs;
2731}
2732
2733/*
2734 * Opens a disk image whose options are given as BlockdevRef in another block
2735 * device's options.
2736 *
2737 * If allow_none is true, no image will be opened if filename is false and no
2738 * BlockdevRef is given. NULL will be returned, but errp remains unset.
2739 *
2740 * bdrev_key specifies the key for the image's BlockdevRef in the options QDict.
2741 * That QDict has to be flattened; therefore, if the BlockdevRef is a QDict
2742 * itself, all options starting with "${bdref_key}." are considered part of the
2743 * BlockdevRef.
2744 *
2745 * The BlockdevRef will be removed from the options QDict.
2746 */
2747BdrvChild *bdrv_open_child(const char *filename,
2748                           QDict *options, const char *bdref_key,
2749                           BlockDriverState *parent,
2750                           const BdrvChildRole *child_role,
2751                           bool allow_none, Error **errp)
2752{
2753    BlockDriverState *bs;
2754
2755    bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_role,
2756                            allow_none, errp);
2757    if (bs == NULL) {
2758        return NULL;
2759    }
2760
2761    return bdrv_attach_child(parent, bs, bdref_key, child_role, errp);
2762}
2763
2764/* TODO Future callers may need to specify parent/child_role in order for
2765 * option inheritance to work. Existing callers use it for the root node. */
2766BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef *ref, Error **errp)
2767{
2768    BlockDriverState *bs = NULL;
2769    Error *local_err = NULL;
2770    QObject *obj = NULL;
2771    QDict *qdict = NULL;
2772    const char *reference = NULL;
2773    Visitor *v = NULL;
2774
2775    if (ref->type == QTYPE_QSTRING) {
2776        reference = ref->u.reference;
2777    } else {
2778        BlockdevOptions *options = &ref->u.definition;
2779        assert(ref->type == QTYPE_QDICT);
2780
2781        v = qobject_output_visitor_new(&obj);
2782        visit_type_BlockdevOptions(v, NULL, &options, &local_err);
2783        if (local_err) {
2784            error_propagate(errp, local_err);
2785            goto fail;
2786        }
2787        visit_complete(v, &obj);
2788
2789        qdict = qobject_to(QDict, obj);
2790        qdict_flatten(qdict);
2791
2792        /* bdrv_open_inherit() defaults to the values in bdrv_flags (for
2793         * compatibility with other callers) rather than what we want as the
2794         * real defaults. Apply the defaults here instead. */
2795        qdict_set_default_str(qdict, BDRV_OPT_CACHE_DIRECT, "off");
2796        qdict_set_default_str(qdict, BDRV_OPT_CACHE_NO_FLUSH, "off");
2797        qdict_set_default_str(qdict, BDRV_OPT_READ_ONLY, "off");
2798        qdict_set_default_str(qdict, BDRV_OPT_AUTO_READ_ONLY, "off");
2799
2800    }
2801
2802    bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, errp);
2803    obj = NULL;
2804
2805fail:
2806    qobject_unref(obj);
2807    visit_free(v);
2808    return bs;
2809}
2810
2811static BlockDriverState *bdrv_append_temp_snapshot(BlockDriverState *bs,
2812                                                   int flags,
2813                                                   QDict *snapshot_options,
2814                                                   Error **errp)
2815{
2816    /* TODO: extra byte is a hack to ensure MAX_PATH space on Windows. */
2817    char *tmp_filename = g_malloc0(PATH_MAX + 1);
2818    int64_t total_size;
2819    QemuOpts *opts = NULL;
2820    BlockDriverState *bs_snapshot = NULL;
2821    Error *local_err = NULL;
2822    int ret;
2823
2824    /* if snapshot, we create a temporary backing file and open it
2825       instead of opening 'filename' directly */
2826
2827    /* Get the required size from the image */
2828    total_size = bdrv_getlength(bs);
2829    if (total_size < 0) {
2830        error_setg_errno(errp, -total_size, "Could not get image size");
2831        goto out;
2832    }
2833
2834    /* Create the temporary image */
2835    ret = get_tmp_filename(tmp_filename, PATH_MAX + 1);
2836    if (ret < 0) {
2837        error_setg_errno(errp, -ret, "Could not get temporary filename");
2838        goto out;
2839    }
2840
2841    opts = qemu_opts_create(bdrv_qcow2.create_opts, NULL, 0,
2842                            &error_abort);
2843    qemu_opt_set_number(opts, BLOCK_OPT_SIZE, total_size, &error_abort);
2844    ret = bdrv_create(&bdrv_qcow2, tmp_filename, opts, errp);
2845    qemu_opts_del(opts);
2846    if (ret < 0) {
2847        error_prepend(errp, "Could not create temporary overlay '%s': ",
2848                      tmp_filename);
2849        goto out;
2850    }
2851
2852    /* Prepare options QDict for the temporary file */
2853    qdict_put_str(snapshot_options, "file.driver", "file");
2854    qdict_put_str(snapshot_options, "file.filename", tmp_filename);
2855    qdict_put_str(snapshot_options, "driver", "qcow2");
2856
2857    bs_snapshot = bdrv_open(NULL, NULL, snapshot_options, flags, errp);
2858    snapshot_options = NULL;
2859    if (!bs_snapshot) {
2860        goto out;
2861    }
2862
2863    /* bdrv_append() consumes a strong reference to bs_snapshot
2864     * (i.e. it will call bdrv_unref() on it) even on error, so in
2865     * order to be able to return one, we have to increase
2866     * bs_snapshot's refcount here */
2867    bdrv_ref(bs_snapshot);
2868    bdrv_append(bs_snapshot, bs, &local_err);
2869    if (local_err) {
2870        error_propagate(errp, local_err);
2871        bs_snapshot = NULL;
2872        goto out;
2873    }
2874
2875out:
2876    qobject_unref(snapshot_options);
2877    g_free(tmp_filename);
2878    return bs_snapshot;
2879}
2880
2881/*
2882 * Opens a disk image (raw, qcow2, vmdk, ...)
2883 *
2884 * options is a QDict of options to pass to the block drivers, or NULL for an
2885 * empty set of options. The reference to the QDict belongs to the block layer
2886 * after the call (even on failure), so if the caller intends to reuse the
2887 * dictionary, it needs to use qobject_ref() before calling bdrv_open.
2888 *
2889 * If *pbs is NULL, a new BDS will be created with a pointer to it stored there.
2890 * If it is not NULL, the referenced BDS will be reused.
2891 *
2892 * The reference parameter may be used to specify an existing block device which
2893 * should be opened. If specified, neither options nor a filename may be given,
2894 * nor can an existing BDS be reused (that is, *pbs has to be NULL).
2895 */
2896static BlockDriverState *bdrv_open_inherit(const char *filename,
2897                                           const char *reference,
2898                                           QDict *options, int flags,
2899                                           BlockDriverState *parent,
2900                                           const BdrvChildRole *child_role,
2901                                           Error **errp)
2902{
2903    int ret;
2904    BlockBackend *file = NULL;
2905    BlockDriverState *bs;
2906    BlockDriver *drv = NULL;
2907    BdrvChild *child;
2908    const char *drvname;
2909    const char *backing;
2910    Error *local_err = NULL;
2911    QDict *snapshot_options = NULL;
2912    int snapshot_flags = 0;
2913
2914    assert(!child_role || !flags);
2915    assert(!child_role == !parent);
2916
2917    if (reference) {
2918        bool options_non_empty = options ? qdict_size(options) : false;
2919        qobject_unref(options);
2920
2921        if (filename || options_non_empty) {
2922            error_setg(errp, "Cannot reference an existing block device with "
2923                       "additional options or a new filename");
2924            return NULL;
2925        }
2926
2927        bs = bdrv_lookup_bs(reference, reference, errp);
2928        if (!bs) {
2929            return NULL;
2930        }
2931
2932        bdrv_ref(bs);
2933        return bs;
2934    }
2935
2936    bs = bdrv_new();
2937
2938    /* NULL means an empty set of options */
2939    if (options == NULL) {
2940        options = qdict_new();
2941    }
2942
2943    /* json: syntax counts as explicit options, as if in the QDict */
2944    parse_json_protocol(options, &filename, &local_err);
2945    if (local_err) {
2946        goto fail;
2947    }
2948
2949    bs->explicit_options = qdict_clone_shallow(options);
2950
2951    if (child_role) {
2952        bs->inherits_from = parent;
2953        child_role->inherit_options(&flags, options,
2954                                    parent->open_flags, parent->options);
2955    }
2956
2957    ret = bdrv_fill_options(&options, filename, &flags, &local_err);
2958    if (local_err) {
2959        goto fail;
2960    }
2961
2962    /*
2963     * Set the BDRV_O_RDWR and BDRV_O_ALLOW_RDWR flags.
2964     * Caution: getting a boolean member of @options requires care.
2965     * When @options come from -blockdev or blockdev_add, members are
2966     * typed according to the QAPI schema, but when they come from
2967     * -drive, they're all QString.
2968     */
2969    if (g_strcmp0(qdict_get_try_str(options, BDRV_OPT_READ_ONLY), "on") &&
2970        !qdict_get_try_bool(options, BDRV_OPT_READ_ONLY, false)) {
2971        flags |= (BDRV_O_RDWR | BDRV_O_ALLOW_RDWR);
2972    } else {
2973        flags &= ~BDRV_O_RDWR;
2974    }
2975
2976    if (flags & BDRV_O_SNAPSHOT) {
2977        snapshot_options = qdict_new();
2978        bdrv_temp_snapshot_options(&snapshot_flags, snapshot_options,
2979                                   flags, options);
2980        /* Let bdrv_backing_options() override "read-only" */
2981        qdict_del(options, BDRV_OPT_READ_ONLY);
2982        bdrv_backing_options(&flags, options, flags, options);
2983    }
2984
2985    bs->open_flags = flags;
2986    bs->options = options;
2987    options = qdict_clone_shallow(options);
2988
2989    /* Find the right image format driver */
2990    /* See cautionary note on accessing @options above */
2991    drvname = qdict_get_try_str(options, "driver");
2992    if (drvname) {
2993        drv = bdrv_find_format(drvname);
2994        if (!drv) {
2995            error_setg(errp, "Unknown driver: '%s'", drvname);
2996            goto fail;
2997        }
2998    }
2999
3000    assert(drvname || !(flags & BDRV_O_PROTOCOL));
3001
3002    /* See cautionary note on accessing @options above */
3003    backing = qdict_get_try_str(options, "backing");
3004    if (qobject_to(QNull, qdict_get(options, "backing")) != NULL ||
3005        (backing && *backing == '\0'))
3006    {
3007        if (backing) {
3008            warn_report("Use of \"backing\": \"\" is deprecated; "
3009                        "use \"backing\": null instead");
3010        }
3011        flags |= BDRV_O_NO_BACKING;
3012        qdict_del(options, "backing");
3013    }
3014
3015    /* Open image file without format layer. This BlockBackend is only used for
3016     * probing, the block drivers will do their own bdrv_open_child() for the
3017     * same BDS, which is why we put the node name back into options. */
3018    if ((flags & BDRV_O_PROTOCOL) == 0) {
3019        BlockDriverState *file_bs;
3020
3021        file_bs = bdrv_open_child_bs(filename, options, "file", bs,
3022                                     &child_file, true, &local_err);
3023        if (local_err) {
3024            goto fail;
3025        }
3026        if (file_bs != NULL) {
3027            /* Not requesting BLK_PERM_CONSISTENT_READ because we're only
3028             * looking at the header to guess the image format. This works even
3029             * in cases where a guest would not see a consistent state. */
3030            file = blk_new(bdrv_get_aio_context(file_bs), 0, BLK_PERM_ALL);
3031            blk_insert_bs(file, file_bs, &local_err);
3032            bdrv_unref(file_bs);
3033            if (local_err) {
3034                goto fail;
3035            }
3036
3037            qdict_put_str(options, "file", bdrv_get_node_name(file_bs));
3038        }
3039    }
3040
3041    /* Image format probing */
3042    bs->probed = !drv;
3043    if (!drv && file) {
3044        ret = find_image_format(file, filename, &drv, &local_err);
3045        if (ret < 0) {
3046            goto fail;
3047        }
3048        /*
3049         * This option update would logically belong in bdrv_fill_options(),
3050         * but we first need to open bs->file for the probing to work, while
3051         * opening bs->file already requires the (mostly) final set of options
3052         * so that cache mode etc. can be inherited.
3053         *
3054         * Adding the driver later is somewhat ugly, but it's not an option
3055         * that would ever be inherited, so it's correct. We just need to make
3056         * sure to update both bs->options (which has the full effective
3057         * options for bs) and options (which has file.* already removed).
3058         */
3059        qdict_put_str(bs->options, "driver", drv->format_name);
3060        qdict_put_str(options, "driver", drv->format_name);
3061    } else if (!drv) {
3062        error_setg(errp, "Must specify either driver or file");
3063        goto fail;
3064    }
3065
3066    /* BDRV_O_PROTOCOL must be set iff a protocol BDS is about to be created */
3067    assert(!!(flags & BDRV_O_PROTOCOL) == !!drv->bdrv_file_open);
3068    /* file must be NULL if a protocol BDS is about to be created
3069     * (the inverse results in an error message from bdrv_open_common()) */
3070    assert(!(flags & BDRV_O_PROTOCOL) || !file);
3071
3072    /* Open the image */
3073    ret = bdrv_open_common(bs, file, options, &local_err);
3074    if (ret < 0) {
3075        goto fail;
3076    }
3077
3078    if (file) {
3079        blk_unref(file);
3080        file = NULL;
3081    }
3082
3083    /* If there is a backing file, use it */
3084    if ((flags & BDRV_O_NO_BACKING) == 0) {
3085        ret = bdrv_open_backing_file(bs, options, "backing", &local_err);
3086        if (ret < 0) {
3087            goto close_and_fail;
3088        }
3089    }
3090
3091    /* Remove all children options and references
3092     * from bs->options and bs->explicit_options */
3093    QLIST_FOREACH(child, &bs->children, next) {
3094        char *child_key_dot;
3095        child_key_dot = g_strdup_printf("%s.", child->name);
3096        qdict_extract_subqdict(bs->explicit_options, NULL, child_key_dot);
3097        qdict_extract_subqdict(bs->options, NULL, child_key_dot);
3098        qdict_del(bs->explicit_options, child->name);
3099        qdict_del(bs->options, child->name);
3100        g_free(child_key_dot);
3101    }
3102
3103    /* Check if any unknown options were used */
3104    if (qdict_size(options) != 0) {
3105        const QDictEntry *entry = qdict_first(options);
3106        if (flags & BDRV_O_PROTOCOL) {
3107            error_setg(errp, "Block protocol '%s' doesn't support the option "
3108                       "'%s'", drv->format_name, entry->key);
3109        } else {
3110            error_setg(errp,
3111                       "Block format '%s' does not support the option '%s'",
3112                       drv->format_name, entry->key);
3113        }
3114
3115        goto close_and_fail;
3116    }
3117
3118    bdrv_parent_cb_change_media(bs, true);
3119
3120    qobject_unref(options);
3121    options = NULL;
3122
3123    /* For snapshot=on, create a temporary qcow2 overlay. bs points to the
3124     * temporary snapshot afterwards. */
3125    if (snapshot_flags) {
3126        BlockDriverState *snapshot_bs;
3127        snapshot_bs = bdrv_append_temp_snapshot(bs, snapshot_flags,
3128                                                snapshot_options, &local_err);
3129        snapshot_options = NULL;
3130        if (local_err) {
3131            goto close_and_fail;
3132        }
3133        /* We are not going to return bs but the overlay on top of it
3134         * (snapshot_bs); thus, we have to drop the strong reference to bs
3135         * (which we obtained by calling bdrv_new()). bs will not be deleted,
3136         * though, because the overlay still has a reference to it. */
3137        bdrv_unref(bs);
3138        bs = snapshot_bs;
3139    }
3140
3141    return bs;
3142
3143fail:
3144    blk_unref(file);
3145    qobject_unref(snapshot_options);
3146    qobject_unref(bs->explicit_options);
3147    qobject_unref(bs->options);
3148    qobject_unref(options);
3149    bs->options = NULL;
3150    bs->explicit_options = NULL;
3151    bdrv_unref(bs);
3152    error_propagate(errp, local_err);
3153    return NULL;
3154
3155close_and_fail:
3156    bdrv_unref(bs);
3157    qobject_unref(snapshot_options);
3158    qobject_unref(options);
3159    error_propagate(errp, local_err);
3160    return NULL;
3161}
3162
3163BlockDriverState *bdrv_open(const char *filename, const char *reference,
3164                            QDict *options, int flags, Error **errp)
3165{
3166    return bdrv_open_inherit(filename, reference, options, flags, NULL,
3167                             NULL, errp);
3168}
3169
3170/* Return true if the NULL-terminated @list contains @str */
3171static bool is_str_in_list(const char *str, const char *const *list)
3172{
3173    if (str && list) {
3174        int i;
3175        for (i = 0; list[i] != NULL; i++) {
3176            if (!strcmp(str, list[i])) {
3177                return true;
3178            }
3179        }
3180    }
3181    return false;
3182}
3183
3184/*
3185 * Check that every option set in @bs->options is also set in
3186 * @new_opts.
3187 *
3188 * Options listed in the common_options list and in
3189 * @bs->drv->mutable_opts are skipped.
3190 *
3191 * Return 0 on success, otherwise return -EINVAL and set @errp.
3192 */
3193static int bdrv_reset_options_allowed(BlockDriverState *bs,
3194                                      const QDict *new_opts, Error **errp)
3195{
3196    const QDictEntry *e;
3197    /* These options are common to all block drivers and are handled
3198     * in bdrv_reopen_prepare() so they can be left out of @new_opts */
3199    const char *const common_options[] = {
3200        "node-name", "discard", "cache.direct", "cache.no-flush",
3201        "read-only", "auto-read-only", "detect-zeroes", NULL
3202    };
3203
3204    for (e = qdict_first(bs->options); e; e = qdict_next(bs->options, e)) {
3205        if (!qdict_haskey(new_opts, e->key) &&
3206            !is_str_in_list(e->key, common_options) &&
3207            !is_str_in_list(e->key, bs->drv->mutable_opts)) {
3208            error_setg(errp, "Option '%s' cannot be reset "
3209                       "to its default value", e->key);
3210            return -EINVAL;
3211        }
3212    }
3213
3214    return 0;
3215}
3216
3217/*
3218 * Returns true if @child can be reached recursively from @bs
3219 */
3220static bool bdrv_recurse_has_child(BlockDriverState *bs,
3221                                   BlockDriverState *child)
3222{
3223    BdrvChild *c;
3224
3225    if (bs == child) {
3226        return true;
3227    }
3228
3229    QLIST_FOREACH(c, &bs->children, next) {
3230        if (bdrv_recurse_has_child(c->bs, child)) {
3231            return true;
3232        }
3233    }
3234
3235    return false;
3236}
3237
3238/*
3239 * Adds a BlockDriverState to a simple queue for an atomic, transactional
3240 * reopen of multiple devices.
3241 *
3242 * bs_queue can either be an existing BlockReopenQueue that has had QSIMPLE_INIT
3243 * already performed, or alternatively may be NULL a new BlockReopenQueue will
3244 * be created and initialized. This newly created BlockReopenQueue should be
3245 * passed back in for subsequent calls that are intended to be of the same
3246 * atomic 'set'.
3247 *
3248 * bs is the BlockDriverState to add to the reopen queue.
3249 *
3250 * options contains the changed options for the associated bs
3251 * (the BlockReopenQueue takes ownership)
3252 *
3253 * flags contains the open flags for the associated bs
3254 *
3255 * returns a pointer to bs_queue, which is either the newly allocated
3256 * bs_queue, or the existing bs_queue being used.
3257 *
3258 * bs must be drained between bdrv_reopen_queue() and bdrv_reopen_multiple().
3259 */
3260static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue,
3261                                                 BlockDriverState *bs,
3262                                                 QDict *options,
3263                                                 const BdrvChildRole *role,
3264                                                 QDict *parent_options,
3265                                                 int parent_flags,
3266                                                 bool keep_old_opts)
3267{
3268    assert(bs != NULL);
3269
3270    BlockReopenQueueEntry *bs_entry;
3271    BdrvChild *child;
3272    QDict *old_options, *explicit_options, *options_copy;
3273    int flags;
3274    QemuOpts *opts;
3275
3276    /* Make sure that the caller remembered to use a drained section. This is
3277     * important to avoid graph changes between the recursive queuing here and
3278     * bdrv_reopen_multiple(). */
3279    assert(bs->quiesce_counter > 0);
3280
3281    if (bs_queue == NULL) {
3282        bs_queue = g_new0(BlockReopenQueue, 1);
3283        QSIMPLEQ_INIT(bs_queue);
3284    }
3285
3286    if (!options) {
3287        options = qdict_new();
3288    }
3289
3290    /* Check if this BlockDriverState is already in the queue */
3291    QSIMPLEQ_FOREACH(bs_entry, bs_queue, entry) {
3292        if (bs == bs_entry->state.bs) {
3293            break;
3294        }
3295    }
3296
3297    /*
3298     * Precedence of options:
3299     * 1. Explicitly passed in options (highest)
3300     * 2. Retained from explicitly set options of bs
3301     * 3. Inherited from parent node
3302     * 4. Retained from effective options of bs
3303     */
3304
3305    /* Old explicitly set values (don't overwrite by inherited value) */
3306    if (bs_entry || keep_old_opts) {
3307        old_options = qdict_clone_shallow(bs_entry ?
3308                                          bs_entry->state.explicit_options :
3309                                          bs->explicit_options);
3310        bdrv_join_options(bs, options, old_options);
3311        qobject_unref(old_options);
3312    }
3313
3314    explicit_options = qdict_clone_shallow(options);
3315
3316    /* Inherit from parent node */
3317    if (parent_options) {
3318        flags = 0;
3319        role->inherit_options(&flags, options, parent_flags, parent_options);
3320    } else {
3321        flags = bdrv_get_flags(bs);
3322    }
3323
3324    if (keep_old_opts) {
3325        /* Old values are used for options that aren't set yet */
3326        old_options = qdict_clone_shallow(bs->options);
3327        bdrv_join_options(bs, options, old_options);
3328        qobject_unref(old_options);
3329    }
3330
3331    /* We have the final set of options so let's update the flags */
3332    options_copy = qdict_clone_shallow(options);
3333    opts = qemu_opts_create(&bdrv_runtime_opts, NULL, 0, &error_abort);
3334    qemu_opts_absorb_qdict(opts, options_copy, NULL);
3335    update_flags_from_options(&flags, opts);
3336    qemu_opts_del(opts);
3337    qobject_unref(options_copy);
3338
3339    /* bdrv_open_inherit() sets and clears some additional flags internally */
3340    flags &= ~BDRV_O_PROTOCOL;
3341    if (flags & BDRV_O_RDWR) {
3342        flags |= BDRV_O_ALLOW_RDWR;
3343    }
3344
3345    if (!bs_entry) {
3346        bs_entry = g_new0(BlockReopenQueueEntry, 1);
3347        QSIMPLEQ_INSERT_TAIL(bs_queue, bs_entry, entry);
3348    } else {
3349        qobject_unref(bs_entry->state.options);
3350        qobject_unref(bs_entry->state.explicit_options);
3351    }
3352
3353    bs_entry->state.bs = bs;
3354    bs_entry->state.options = options;
3355    bs_entry->state.explicit_options = explicit_options;
3356    bs_entry->state.flags = flags;
3357
3358    /* This needs to be overwritten in bdrv_reopen_prepare() */
3359    bs_entry->state.perm = UINT64_MAX;
3360    bs_entry->state.shared_perm = 0;
3361
3362    /*
3363     * If keep_old_opts is false then it means that unspecified
3364     * options must be reset to their original value. We don't allow
3365     * resetting 'backing' but we need to know if the option is
3366     * missing in order to decide if we have to return an error.
3367     */
3368    if (!keep_old_opts) {
3369        bs_entry->state.backing_missing =
3370            !qdict_haskey(options, "backing") &&
3371            !qdict_haskey(options, "backing.driver");
3372    }
3373
3374    QLIST_FOREACH(child, &bs->children, next) {
3375        QDict *new_child_options = NULL;
3376        bool child_keep_old = keep_old_opts;
3377
3378        /* reopen can only change the options of block devices that were
3379         * implicitly created and inherited options. For other (referenced)
3380         * block devices, a syntax like "backing.foo" results in an error. */
3381        if (child->bs->inherits_from != bs) {
3382            continue;
3383        }
3384
3385        /* Check if the options contain a child reference */
3386        if (qdict_haskey(options, child->name)) {
3387            const char *childref = qdict_get_try_str(options, child->name);
3388            /*
3389             * The current child must not be reopened if the child
3390             * reference is null or points to a different node.
3391             */
3392            if (g_strcmp0(childref, child->bs->node_name)) {
3393                continue;
3394            }
3395            /*
3396             * If the child reference points to the current child then
3397             * reopen it with its existing set of options (note that
3398             * it can still inherit new options from the parent).
3399             */
3400            child_keep_old = true;
3401        } else {
3402            /* Extract child options ("child-name.*") */
3403            char *child_key_dot = g_strdup_printf("%s.", child->name);
3404            qdict_extract_subqdict(explicit_options, NULL, child_key_dot);
3405            qdict_extract_subqdict(options, &new_child_options, child_key_dot);
3406            g_free(child_key_dot);
3407        }
3408
3409        bdrv_reopen_queue_child(bs_queue, child->bs, new_child_options,
3410                                child->role, options, flags, child_keep_old);
3411    }
3412
3413    return bs_queue;
3414}
3415
3416BlockReopenQueue *bdrv_reopen_queue(BlockReopenQueue *bs_queue,
3417                                    BlockDriverState *bs,
3418                                    QDict *options, bool keep_old_opts)
3419{
3420    return bdrv_reopen_queue_child(bs_queue, bs, options, NULL, NULL, 0,
3421                                   keep_old_opts);
3422}
3423
3424/*
3425 * Reopen multiple BlockDriverStates atomically & transactionally.
3426 *
3427 * The queue passed in (bs_queue) must have been built up previous
3428 * via bdrv_reopen_queue().
3429 *
3430 * Reopens all BDS specified in the queue, with the appropriate
3431 * flags.  All devices are prepared for reopen, and failure of any
3432 * device will cause all device changes to be abandoned, and intermediate
3433 * data cleaned up.
3434 *
3435 * If all devices prepare successfully, then the changes are committed
3436 * to all devices.
3437 *
3438 * All affected nodes must be drained between bdrv_reopen_queue() and
3439 * bdrv_reopen_multiple().
3440 */
3441int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp)
3442{
3443    int ret = -1;
3444    BlockReopenQueueEntry *bs_entry, *next;
3445
3446    assert(bs_queue != NULL);
3447
3448    QSIMPLEQ_FOREACH(bs_entry, bs_queue, entry) {
3449        assert(bs_entry->state.bs->quiesce_counter > 0);
3450        if (bdrv_reopen_prepare(&bs_entry->state, bs_queue, errp)) {
3451            goto cleanup;
3452        }
3453        bs_entry->prepared = true;
3454    }
3455
3456    QSIMPLEQ_FOREACH(bs_entry, bs_queue, entry) {
3457        BDRVReopenState *state = &bs_entry->state;
3458        ret = bdrv_check_perm(state->bs, bs_queue, state->perm,
3459                              state->shared_perm, NULL, NULL, errp);
3460        if (ret < 0) {
3461            goto cleanup_perm;
3462        }
3463        /* Check if new_backing_bs would accept the new permissions */
3464        if (state->replace_backing_bs && state->new_backing_bs) {
3465            uint64_t nperm, nshared;
3466            bdrv_child_perm(state->bs, state->new_backing_bs,
3467                            NULL, &child_backing, bs_queue,
3468                            state->perm, state->shared_perm,
3469                            &nperm, &nshared);
3470            ret = bdrv_check_update_perm(state->new_backing_bs, NULL,
3471                                         nperm, nshared, NULL, NULL, errp);
3472            if (ret < 0) {
3473                goto cleanup_perm;
3474            }
3475        }
3476        bs_entry->perms_checked = true;
3477    }
3478
3479    /* If we reach this point, we have success and just need to apply the
3480     * changes
3481     */
3482    QSIMPLEQ_FOREACH(bs_entry, bs_queue, entry) {
3483        bdrv_reopen_commit(&bs_entry->state);
3484    }
3485
3486    ret = 0;
3487cleanup_perm:
3488    QSIMPLEQ_FOREACH_SAFE(bs_entry, bs_queue, entry, next) {
3489        BDRVReopenState *state = &bs_entry->state;
3490
3491        if (!bs_entry->perms_checked) {
3492            continue;
3493        }
3494
3495        if (ret == 0) {
3496            bdrv_set_perm(state->bs, state->perm, state->shared_perm);
3497        } else {
3498            bdrv_abort_perm_update(state->bs);
3499            if (state->replace_backing_bs && state->new_backing_bs) {
3500                bdrv_abort_perm_update(state->new_backing_bs);
3501            }
3502        }
3503    }
3504cleanup:
3505    QSIMPLEQ_FOREACH_SAFE(bs_entry, bs_queue, entry, next) {
3506        if (ret) {
3507            if (bs_entry->prepared) {
3508                bdrv_reopen_abort(&bs_entry->state);
3509            }
3510            qobject_unref(bs_entry->state.explicit_options);
3511            qobject_unref(bs_entry->state.options);
3512        }
3513        if (bs_entry->state.new_backing_bs) {
3514            bdrv_unref(bs_entry->state.new_backing_bs);
3515        }
3516        g_free(bs_entry);
3517    }
3518    g_free(bs_queue);
3519
3520    return ret;
3521}
3522
3523int bdrv_reopen_set_read_only(BlockDriverState *bs, bool read_only,
3524                              Error **errp)
3525{
3526    int ret;
3527    BlockReopenQueue *queue;
3528    QDict *opts = qdict_new();
3529
3530    qdict_put_bool(opts, BDRV_OPT_READ_ONLY, read_only);
3531
3532    bdrv_subtree_drained_begin(bs);
3533    queue = bdrv_reopen_queue(NULL, bs, opts, true);
3534    ret = bdrv_reopen_multiple(queue, errp);
3535    bdrv_subtree_drained_end(bs);
3536
3537    return ret;
3538}
3539
3540static BlockReopenQueueEntry *find_parent_in_reopen_queue(BlockReopenQueue *q,
3541                                                          BdrvChild *c)
3542{
3543    BlockReopenQueueEntry *entry;
3544
3545    QSIMPLEQ_FOREACH(entry, q, entry) {
3546        BlockDriverState *bs = entry->state.bs;
3547        BdrvChild *child;
3548
3549        QLIST_FOREACH(child, &bs->children, next) {
3550            if (child == c) {
3551                return entry;
3552            }
3553        }
3554    }
3555
3556    return NULL;
3557}
3558
3559static void bdrv_reopen_perm(BlockReopenQueue *q, BlockDriverState *bs,
3560                             uint64_t *perm, uint64_t *shared)
3561{
3562    BdrvChild *c;
3563    BlockReopenQueueEntry *parent;
3564    uint64_t cumulative_perms = 0;
3565    uint64_t cumulative_shared_perms = BLK_PERM_ALL;
3566
3567    QLIST_FOREACH(c, &bs->parents, next_parent) {
3568        parent = find_parent_in_reopen_queue(q, c);
3569        if (!parent) {
3570            cumulative_perms |= c->perm;
3571            cumulative_shared_perms &= c->shared_perm;
3572        } else {
3573            uint64_t nperm, nshared;
3574
3575            bdrv_child_perm(parent->state.bs, bs, c, c->role, q,
3576                            parent->state.perm, parent->state.shared_perm,
3577                            &nperm, &nshared);
3578
3579            cumulative_perms |= nperm;
3580            cumulative_shared_perms &= nshared;
3581        }
3582    }
3583    *perm = cumulative_perms;
3584    *shared = cumulative_shared_perms;
3585}
3586
3587/*
3588 * Take a BDRVReopenState and check if the value of 'backing' in the
3589 * reopen_state->options QDict is valid or not.
3590 *
3591 * If 'backing' is missing from the QDict then return 0.
3592 *
3593 * If 'backing' contains the node name of the backing file of
3594 * reopen_state->bs then return 0.
3595 *
3596 * If 'backing' contains a different node name (or is null) then check
3597 * whether the current backing file can be replaced with the new one.
3598 * If that's the case then reopen_state->replace_backing_bs is set to
3599 * true and reopen_state->new_backing_bs contains a pointer to the new
3600 * backing BlockDriverState (or NULL).
3601 *
3602 * Return 0 on success, otherwise return < 0 and set @errp.
3603 */
3604static int bdrv_reopen_parse_backing(BDRVReopenState *reopen_state,
3605                                     Error **errp)
3606{
3607    BlockDriverState *bs = reopen_state->bs;
3608    BlockDriverState *overlay_bs, *new_backing_bs;
3609    QObject *value;
3610    const char *str;
3611
3612    value = qdict_get(reopen_state->options, "backing");
3613    if (value == NULL) {
3614        return 0;
3615    }
3616
3617    switch (qobject_type(value)) {
3618    case QTYPE_QNULL:
3619        new_backing_bs = NULL;
3620        break;
3621    case QTYPE_QSTRING:
3622        str = qobject_get_try_str(value);
3623        new_backing_bs = bdrv_lookup_bs(NULL, str, errp);
3624        if (new_backing_bs == NULL) {
3625            return -EINVAL;
3626        } else if (bdrv_recurse_has_child(new_backing_bs, bs)) {
3627            error_setg(errp, "Making '%s' a backing file of '%s' "
3628                       "would create a cycle", str, bs->node_name);
3629            return -EINVAL;
3630        }
3631        break;
3632    default:
3633        /* 'backing' does not allow any other data type */
3634        g_assert_not_reached();
3635    }
3636
3637    /*
3638     * TODO: before removing the x- prefix from x-blockdev-reopen we
3639     * should move the new backing file into the right AioContext
3640     * instead of returning an error.
3641     */
3642    if (new_backing_bs) {
3643        if (bdrv_get_aio_context(new_backing_bs) != bdrv_get_aio_context(bs)) {
3644            error_setg(errp, "Cannot use a new backing file "
3645                       "with a different AioContext");
3646            return -EINVAL;
3647        }
3648    }
3649
3650    /*
3651     * Find the "actual" backing file by skipping all links that point
3652     * to an implicit node, if any (e.g. a commit filter node).
3653     */
3654    overlay_bs = bs;
3655    while (backing_bs(overlay_bs) && backing_bs(overlay_bs)->implicit) {
3656        overlay_bs = backing_bs(overlay_bs);
3657    }
3658
3659    /* If we want to replace the backing file we need some extra checks */
3660    if (new_backing_bs != backing_bs(overlay_bs)) {
3661        /* Check for implicit nodes between bs and its backing file */
3662        if (bs != overlay_bs) {
3663            error_setg(errp, "Cannot change backing link if '%s' has "
3664                       "an implicit backing file", bs->node_name);
3665            return -EPERM;
3666        }
3667        /* Check if the backing link that we want to replace is frozen */
3668        if (bdrv_is_backing_chain_frozen(overlay_bs, backing_bs(overlay_bs),
3669                                         errp)) {
3670            return -EPERM;
3671        }
3672        reopen_state->replace_backing_bs = true;
3673        if (new_backing_bs) {
3674            bdrv_ref(new_backing_bs);
3675            reopen_state->new_backing_bs = new_backing_bs;
3676        }
3677    }
3678
3679    return 0;
3680}
3681
3682/*
3683 * Prepares a BlockDriverState for reopen. All changes are staged in the
3684 * 'opaque' field of the BDRVReopenState, which is used and allocated by
3685 * the block driver layer .bdrv_reopen_prepare()
3686 *
3687 * bs is the BlockDriverState to reopen
3688 * flags are the new open flags
3689 * queue is the reopen queue
3690 *
3691 * Returns 0 on success, non-zero on error.  On error errp will be set
3692 * as well.
3693 *
3694 * On failure, bdrv_reopen_abort() will be called to clean up any data.
3695 * It is the responsibility of the caller to then call the abort() or
3696 * commit() for any other BDS that have been left in a prepare() state
3697 *
3698 */
3699int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue,
3700                        Error **errp)
3701{
3702    int ret = -1;
3703    int old_flags;
3704    Error *local_err = NULL;
3705    BlockDriver *drv;
3706    QemuOpts *opts;
3707    QDict *orig_reopen_opts;
3708    char *discard = NULL;
3709    bool read_only;
3710    bool drv_prepared = false;
3711
3712    assert(reopen_state != NULL);
3713    assert(reopen_state->bs->drv != NULL);
3714    drv = reopen_state->bs->drv;
3715
3716    /* This function and each driver's bdrv_reopen_prepare() remove
3717     * entries from reopen_state->options as they are processed, so
3718     * we need to make a copy of the original QDict. */
3719    orig_reopen_opts = qdict_clone_shallow(reopen_state->options);
3720
3721    /* Process generic block layer options */
3722    opts = qemu_opts_create(&bdrv_runtime_opts, NULL, 0, &error_abort);
3723    qemu_opts_absorb_qdict(opts, reopen_state->options, &local_err);
3724    if (local_err) {
3725        error_propagate(errp, local_err);
3726        ret = -EINVAL;
3727        goto error;
3728    }
3729
3730    /* This was already called in bdrv_reopen_queue_child() so the flags
3731     * are up-to-date. This time we simply want to remove the options from
3732     * QemuOpts in order to indicate that they have been processed. */
3733    old_flags = reopen_state->flags;
3734    update_flags_from_options(&reopen_state->flags, opts);
3735    assert(old_flags == reopen_state->flags);
3736
3737    discard = qemu_opt_get_del(opts, BDRV_OPT_DISCARD);
3738    if (discard != NULL) {
3739        if (bdrv_parse_discard_flags(discard, &reopen_state->flags) != 0) {
3740            error_setg(errp, "Invalid discard option");
3741            ret = -EINVAL;
3742            goto error;
3743        }
3744    }
3745
3746    reopen_state->detect_zeroes =
3747        bdrv_parse_detect_zeroes(opts, reopen_state->flags, &local_err);
3748    if (local_err) {
3749        error_propagate(errp, local_err);
3750        ret = -EINVAL;
3751        goto error;
3752    }
3753
3754    /* All other options (including node-name and driver) must be unchanged.
3755     * Put them back into the QDict, so that they are checked at the end
3756     * of this function. */
3757    qemu_opts_to_qdict(opts, reopen_state->options);
3758
3759    /* If we are to stay read-only, do not allow permission change
3760     * to r/w. Attempting to set to r/w may fail if either BDRV_O_ALLOW_RDWR is
3761     * not set, or if the BDS still has copy_on_read enabled */
3762    read_only = !(reopen_state->flags & BDRV_O_RDWR);
3763    ret = bdrv_can_set_read_only(reopen_state->bs, read_only, true, &local_err);
3764    if (local_err) {
3765        error_propagate(errp, local_err);
3766        goto error;
3767    }
3768
3769    /* Calculate required permissions after reopening */
3770    bdrv_reopen_perm(queue, reopen_state->bs,
3771                     &reopen_state->perm, &reopen_state->shared_perm);
3772
3773    ret = bdrv_flush(reopen_state->bs);
3774    if (ret) {
3775        error_setg_errno(errp, -ret, "Error flushing drive");
3776        goto error;
3777    }
3778
3779    if (drv->bdrv_reopen_prepare) {
3780        /*
3781         * If a driver-specific option is missing, it means that we
3782         * should reset it to its default value.
3783         * But not all options allow that, so we need to check it first.
3784         */
3785        ret = bdrv_reset_options_allowed(reopen_state->bs,
3786                                         reopen_state->options, errp);
3787        if (ret) {
3788            goto error;
3789        }
3790
3791        ret = drv->bdrv_reopen_prepare(reopen_state, queue, &local_err);
3792        if (ret) {
3793            if (local_err != NULL) {
3794                error_propagate(errp, local_err);
3795            } else {
3796                bdrv_refresh_filename(reopen_state->bs);
3797                error_setg(errp, "failed while preparing to reopen image '%s'",
3798                           reopen_state->bs->filename);
3799            }
3800            goto error;
3801        }
3802    } else {
3803        /* It is currently mandatory to have a bdrv_reopen_prepare()
3804         * handler for each supported drv. */
3805        error_setg(errp, "Block format '%s' used by node '%s' "
3806                   "does not support reopening files", drv->format_name,
3807                   bdrv_get_device_or_node_name(reopen_state->bs));
3808        ret = -1;
3809        goto error;
3810    }
3811
3812    drv_prepared = true;
3813
3814    /*
3815     * We must provide the 'backing' option if the BDS has a backing
3816     * file or if the image file has a backing file name as part of
3817     * its metadata. Otherwise the 'backing' option can be omitted.
3818     */
3819    if (drv->supports_backing && reopen_state->backing_missing &&
3820        (backing_bs(reopen_state->bs) || reopen_state->bs->backing_file[0])) {
3821        error_setg(errp, "backing is missing for '%s'",
3822                   reopen_state->bs->node_name);
3823        ret = -EINVAL;
3824        goto error;
3825    }
3826
3827    /*
3828     * Allow changing the 'backing' option. The new value can be
3829     * either a reference to an existing node (using its node name)
3830     * or NULL to simply detach the current backing file.
3831     */
3832    ret = bdrv_reopen_parse_backing(reopen_state, errp);
3833    if (ret < 0) {
3834        goto error;
3835    }
3836    qdict_del(reopen_state->options, "backing");
3837
3838    /* Options that are not handled are only okay if they are unchanged
3839     * compared to the old state. It is expected that some options are only
3840     * used for the initial open, but not reopen (e.g. filename) */
3841    if (qdict_size(reopen_state->options)) {
3842        const QDictEntry *entry = qdict_first(reopen_state->options);
3843
3844        do {
3845            QObject *new = entry->value;
3846            QObject *old = qdict_get(reopen_state->bs->options, entry->key);
3847
3848            /* Allow child references (child_name=node_name) as long as they
3849             * point to the current child (i.e. everything stays the same). */
3850            if (qobject_type(new) == QTYPE_QSTRING) {
3851                BdrvChild *child;
3852                QLIST_FOREACH(child, &reopen_state->bs->children, next) {
3853                    if (!strcmp(child->name, entry->key)) {
3854                        break;
3855                    }
3856                }
3857
3858                if (child) {
3859                    const char *str = qobject_get_try_str(new);
3860                    if (!strcmp(child->bs->node_name, str)) {
3861                        continue; /* Found child with this name, skip option */
3862                    }
3863                }
3864            }
3865
3866            /*
3867             * TODO: When using -drive to specify blockdev options, all values
3868             * will be strings; however, when using -blockdev, blockdev-add or
3869             * filenames using the json:{} pseudo-protocol, they will be
3870             * correctly typed.
3871             * In contrast, reopening options are (currently) always strings
3872             * (because you can only specify them through qemu-io; all other
3873             * callers do not specify any options).
3874             * Therefore, when using anything other than -drive to create a BDS,
3875             * this cannot detect non-string options as unchanged, because
3876             * qobject_is_equal() always returns false for objects of different
3877             * type.  In the future, this should be remedied by correctly typing
3878             * all options.  For now, this is not too big of an issue because
3879             * the user can simply omit options which cannot be changed anyway,
3880             * so they will stay unchanged.
3881             */
3882            if (!qobject_is_equal(new, old)) {
3883                error_setg(errp, "Cannot change the option '%s'", entry->key);
3884                ret = -EINVAL;
3885                goto error;
3886            }
3887        } while ((entry = qdict_next(reopen_state->options, entry)));
3888    }
3889
3890    ret = 0;
3891
3892    /* Restore the original reopen_state->options QDict */
3893    qobject_unref(reopen_state->options);
3894    reopen_state->options = qobject_ref(orig_reopen_opts);
3895
3896error:
3897    if (ret < 0 && drv_prepared) {
3898        /* drv->bdrv_reopen_prepare() has succeeded, so we need to
3899         * call drv->bdrv_reopen_abort() before signaling an error
3900         * (bdrv_reopen_multiple() will not call bdrv_reopen_abort()
3901         * when the respective bdrv_reopen_prepare() has failed) */
3902        if (drv->bdrv_reopen_abort) {
3903            drv->bdrv_reopen_abort(reopen_state);
3904        }
3905    }
3906    qemu_opts_del(opts);
3907    qobject_unref(orig_reopen_opts);
3908    g_free(discard);
3909    return ret;
3910}
3911
3912/*
3913 * Takes the staged changes for the reopen from bdrv_reopen_prepare(), and
3914 * makes them final by swapping the staging BlockDriverState contents into
3915 * the active BlockDriverState contents.
3916 */
3917void bdrv_reopen_commit(BDRVReopenState *reopen_state)
3918{
3919    BlockDriver *drv;
3920    BlockDriverState *bs;
3921    BdrvChild *child;
3922    bool old_can_write, new_can_write;
3923
3924    assert(reopen_state != NULL);
3925    bs = reopen_state->bs;
3926    drv = bs->drv;
3927    assert(drv != NULL);
3928
3929    old_can_write =
3930        !bdrv_is_read_only(bs) && !(bdrv_get_flags(bs) & BDRV_O_INACTIVE);
3931
3932    /* If there are any driver level actions to take */
3933    if (drv->bdrv_reopen_commit) {
3934        drv->bdrv_reopen_commit(reopen_state);
3935    }
3936
3937    /* set BDS specific flags now */
3938    qobject_unref(bs->explicit_options);
3939    qobject_unref(bs->options);
3940
3941    bs->explicit_options   = reopen_state->explicit_options;
3942    bs->options            = reopen_state->options;
3943    bs->open_flags         = reopen_state->flags;
3944    bs->read_only = !(reopen_state->flags & BDRV_O_RDWR);
3945    bs->detect_zeroes      = reopen_state->detect_zeroes;
3946
3947    if (reopen_state->replace_backing_bs) {
3948        qdict_del(bs->explicit_options, "backing");
3949        qdict_del(bs->options, "backing");
3950    }
3951
3952    /* Remove child references from bs->options and bs->explicit_options.
3953     * Child options were already removed in bdrv_reopen_queue_child() */
3954    QLIST_FOREACH(child, &bs->children, next) {
3955        qdict_del(bs->explicit_options, child->name);
3956        qdict_del(bs->options, child->name);
3957    }
3958
3959    /*
3960     * Change the backing file if a new one was specified. We do this
3961     * after updating bs->options, so bdrv_refresh_filename() (called
3962     * from bdrv_set_backing_hd()) has the new values.
3963     */
3964    if (reopen_state->replace_backing_bs) {
3965        BlockDriverState *old_backing_bs = backing_bs(bs);
3966        assert(!old_backing_bs || !old_backing_bs->implicit);
3967        /* Abort the permission update on the backing bs we're detaching */
3968        if (old_backing_bs) {
3969            bdrv_abort_perm_update(old_backing_bs);
3970        }
3971        bdrv_set_backing_hd(bs, reopen_state->new_backing_bs, &error_abort);
3972    }
3973
3974    bdrv_refresh_limits(bs, NULL);
3975
3976    new_can_write =
3977        !bdrv_is_read_only(bs) && !(bdrv_get_flags(bs) & BDRV_O_INACTIVE);
3978    if (!old_can_write && new_can_write && drv->bdrv_reopen_bitmaps_rw) {
3979        Error *local_err = NULL;
3980        if (drv->bdrv_reopen_bitmaps_rw(bs, &local_err) < 0) {
3981            /* This is not fatal, bitmaps just left read-only, so all following
3982             * writes will fail. User can remove read-only bitmaps to unblock
3983             * writes.
3984             */
3985            error_reportf_err(local_err,
3986                              "%s: Failed to make dirty bitmaps writable: ",
3987                              bdrv_get_node_name(bs));
3988        }
3989    }
3990}
3991
3992/*
3993 * Abort the reopen, and delete and free the staged changes in
3994 * reopen_state
3995 */
3996void bdrv_reopen_abort(BDRVReopenState *reopen_state)
3997{
3998    BlockDriver *drv;
3999
4000    assert(reopen_state != NULL);
4001    drv = reopen_state->bs->drv;
4002    assert(drv != NULL);
4003
4004    if (drv->bdrv_reopen_abort) {
4005        drv->bdrv_reopen_abort(reopen_state);
4006    }
4007}
4008
4009
4010static void bdrv_close(BlockDriverState *bs)
4011{
4012    BdrvAioNotifier *ban, *ban_next;
4013    BdrvChild *child, *next;
4014
4015    assert(!bs->refcnt);
4016
4017    bdrv_drained_begin(bs); /* complete I/O */
4018    bdrv_flush(bs);
4019    bdrv_drain(bs); /* in case flush left pending I/O */
4020
4021    if (bs->drv) {
4022        if (bs->drv->bdrv_close) {
4023            bs->drv->bdrv_close(bs);
4024        }
4025        bs->drv = NULL;
4026    }
4027
4028    QLIST_FOREACH_SAFE(child, &bs->children, next, next) {
4029        bdrv_unref_child(bs, child);
4030    }
4031
4032    bs->backing = NULL;
4033    bs->file = NULL;
4034    g_free(bs->opaque);
4035    bs->opaque = NULL;
4036    atomic_set(&bs->copy_on_read, 0);
4037    bs->backing_file[0] = '\0';
4038    bs->backing_format[0] = '\0';
4039    bs->total_sectors = 0;
4040    bs->encrypted = false;
4041    bs->sg = false;
4042    qobject_unref(bs->options);
4043    qobject_unref(bs->explicit_options);
4044    bs->options = NULL;
4045    bs->explicit_options = NULL;
4046    qobject_unref(bs->full_open_options);
4047    bs->full_open_options = NULL;
4048
4049    bdrv_release_named_dirty_bitmaps(bs);
4050    assert(QLIST_EMPTY(&bs->dirty_bitmaps));
4051
4052    QLIST_FOREACH_SAFE(ban, &bs->aio_notifiers, list, ban_next) {
4053        g_free(ban);
4054    }
4055    QLIST_INIT(&bs->aio_notifiers);
4056    bdrv_drained_end(bs);
4057}
4058
4059void bdrv_close_all(void)
4060{
4061    assert(job_next(NULL) == NULL);
4062    nbd_export_close_all();
4063
4064    /* Drop references from requests still in flight, such as canceled block
4065     * jobs whose AIO context has not been polled yet */
4066    bdrv_drain_all();
4067
4068    blk_remove_all_bs();
4069    blockdev_close_all_bdrv_states();
4070
4071    assert(QTAILQ_EMPTY(&all_bdrv_states));
4072}
4073
4074static bool should_update_child(BdrvChild *c, BlockDriverState *to)
4075{
4076    GQueue *queue;
4077    GHashTable *found;
4078    bool ret;
4079
4080    if (c->role->stay_at_node) {
4081        return false;
4082    }
4083
4084    /* If the child @c belongs to the BDS @to, replacing the current
4085     * c->bs by @to would mean to create a loop.
4086     *
4087     * Such a case occurs when appending a BDS to a backing chain.
4088     * For instance, imagine the following chain:
4089     *
4090     *   guest device -> node A -> further backing chain...
4091     *
4092     * Now we create a new BDS B which we want to put on top of this
4093     * chain, so we first attach A as its backing node:
4094     *
4095     *                   node B
4096     *                     |
4097     *                     v
4098     *   guest device -> node A -> further backing chain...
4099     *
4100     * Finally we want to replace A by B.  When doing that, we want to
4101     * replace all pointers to A by pointers to B -- except for the
4102     * pointer from B because (1) that would create a loop, and (2)
4103     * that pointer should simply stay intact:
4104     *
4105     *   guest device -> node B
4106     *                     |
4107     *                     v
4108     *                   node A -> further backing chain...
4109     *
4110     * In general, when replacing a node A (c->bs) by a node B (@to),
4111     * if A is a child of B, that means we cannot replace A by B there
4112     * because that would create a loop.  Silently detaching A from B
4113     * is also not really an option.  So overall just leaving A in
4114     * place there is the most sensible choice.
4115     *
4116     * We would also create a loop in any cases where @c is only
4117     * indirectly referenced by @to. Prevent this by returning false
4118     * if @c is found (by breadth-first search) anywhere in the whole
4119     * subtree of @to.
4120     */
4121
4122    ret = true;
4123    found = g_hash_table_new(NULL, NULL);
4124    g_hash_table_add(found, to);
4125    queue = g_queue_new();
4126    g_queue_push_tail(queue, to);
4127
4128    while (!g_queue_is_empty(queue)) {
4129        BlockDriverState *v = g_queue_pop_head(queue);
4130        BdrvChild *c2;
4131
4132        QLIST_FOREACH(c2, &v->children, next) {
4133            if (c2 == c) {
4134                ret = false;
4135                break;
4136            }
4137
4138            if (g_hash_table_contains(found, c2->bs)) {
4139                continue;
4140            }
4141
4142            g_queue_push_tail(queue, c2->bs);
4143            g_hash_table_add(found, c2->bs);
4144        }
4145    }
4146
4147    g_queue_free(queue);
4148    g_hash_table_destroy(found);
4149
4150    return ret;
4151}
4152
4153void bdrv_replace_node(BlockDriverState *from, BlockDriverState *to,
4154                       Error **errp)
4155{
4156    BdrvChild *c, *next;
4157    GSList *list = NULL, *p;
4158    uint64_t old_perm, old_shared;
4159    uint64_t perm = 0, shared = BLK_PERM_ALL;
4160    int ret;
4161
4162    /* Make sure that @from doesn't go away until we have successfully attached
4163     * all of its parents to @to. */
4164    bdrv_ref(from);
4165
4166    assert(qemu_get_current_aio_context() == qemu_get_aio_context());
4167    bdrv_drained_begin(from);
4168
4169    /* Put all parents into @list and calculate their cumulative permissions */
4170    QLIST_FOREACH_SAFE(c, &from->parents, next_parent, next) {
4171        assert(c->bs == from);
4172        if (!should_update_child(c, to)) {
4173            continue;
4174        }
4175        if (c->frozen) {
4176            error_setg(errp, "Cannot change '%s' link to '%s'",
4177                       c->name, from->node_name);
4178            goto out;
4179        }
4180        list = g_slist_prepend(list, c);
4181        perm |= c->perm;
4182        shared &= c->shared_perm;
4183    }
4184
4185    /* Check whether the required permissions can be granted on @to, ignoring
4186     * all BdrvChild in @list so that they can't block themselves. */
4187    ret = bdrv_check_update_perm(to, NULL, perm, shared, list, NULL, errp);
4188    if (ret < 0) {
4189        bdrv_abort_perm_update(to);
4190        goto out;
4191    }
4192
4193    /* Now actually perform the change. We performed the permission check for
4194     * all elements of @list at once, so set the permissions all at once at the
4195     * very end. */
4196    for (p = list; p != NULL; p = p->next) {
4197        c = p->data;
4198
4199        bdrv_ref(to);
4200        bdrv_replace_child_noperm(c, to);
4201        bdrv_unref(from);
4202    }
4203
4204    bdrv_get_cumulative_perm(to, &old_perm, &old_shared);
4205    bdrv_set_perm(to, old_perm | perm, old_shared | shared);
4206
4207out:
4208    g_slist_free(list);
4209    bdrv_drained_end(from);
4210    bdrv_unref(from);
4211}
4212
4213/*
4214 * Add new bs contents at the top of an image chain while the chain is
4215 * live, while keeping required fields on the top layer.
4216 *
4217 * This will modify the BlockDriverState fields, and swap contents
4218 * between bs_new and bs_top. Both bs_new and bs_top are modified.
4219 *
4220 * bs_new must not be attached to a BlockBackend.
4221 *
4222 * This function does not create any image files.
4223 *
4224 * bdrv_append() takes ownership of a bs_new reference and unrefs it because
4225 * that's what the callers commonly need. bs_new will be referenced by the old
4226 * parents of bs_top after bdrv_append() returns. If the caller needs to keep a
4227 * reference of its own, it must call bdrv_ref().
4228 */
4229void bdrv_append(BlockDriverState *bs_new, BlockDriverState *bs_top,
4230                 Error **errp)
4231{
4232    Error *local_err = NULL;
4233
4234    bdrv_set_backing_hd(bs_new, bs_top, &local_err);
4235    if (local_err) {
4236        error_propagate(errp, local_err);
4237        goto out;
4238    }
4239
4240    bdrv_replace_node(bs_top, bs_new, &local_err);
4241    if (local_err) {
4242        error_propagate(errp, local_err);
4243        bdrv_set_backing_hd(bs_new, NULL, &error_abort);
4244        goto out;
4245    }
4246
4247    /* bs_new is now referenced by its new parents, we don't need the
4248     * additional reference any more. */
4249out:
4250    bdrv_unref(bs_new);
4251}
4252
4253static void bdrv_delete(BlockDriverState *bs)
4254{
4255    assert(bdrv_op_blocker_is_empty(bs));
4256    assert(!bs->refcnt);
4257
4258    /* remove from list, if necessary */
4259    if (bs->node_name[0] != '\0') {
4260        QTAILQ_REMOVE(&graph_bdrv_states, bs, node_list);
4261    }
4262    QTAILQ_REMOVE(&all_bdrv_states, bs, bs_list);
4263
4264    bdrv_close(bs);
4265
4266    g_free(bs);
4267}
4268
4269/*
4270 * Run consistency checks on an image
4271 *
4272 * Returns 0 if the check could be completed (it doesn't mean that the image is
4273 * free of errors) or -errno when an internal error occurred. The results of the
4274 * check are stored in res.
4275 */
4276static int coroutine_fn bdrv_co_check(BlockDriverState *bs,
4277                                      BdrvCheckResult *res, BdrvCheckMode fix)
4278{
4279    if (bs->drv == NULL) {
4280        return -ENOMEDIUM;
4281    }
4282    if (bs->drv->bdrv_co_check == NULL) {
4283        return -ENOTSUP;
4284    }
4285
4286    memset(res, 0, sizeof(*res));
4287    return bs->drv->bdrv_co_check(bs, res, fix);
4288}
4289
4290typedef struct CheckCo {
4291    BlockDriverState *bs;
4292    BdrvCheckResult *res;
4293    BdrvCheckMode fix;
4294    int ret;
4295} CheckCo;
4296
4297static void coroutine_fn bdrv_check_co_entry(void *opaque)
4298{
4299    CheckCo *cco = opaque;
4300    cco->ret = bdrv_co_check(cco->bs, cco->res, cco->fix);
4301    aio_wait_kick();
4302}
4303
4304int bdrv_check(BlockDriverState *bs,
4305               BdrvCheckResult *res, BdrvCheckMode fix)
4306{
4307    Coroutine *co;
4308    CheckCo cco = {
4309        .bs = bs,
4310        .res = res,
4311        .ret = -EINPROGRESS,
4312        .fix = fix,
4313    };
4314
4315    if (qemu_in_coroutine()) {
4316        /* Fast-path if already in coroutine context */
4317        bdrv_check_co_entry(&cco);
4318    } else {
4319        co = qemu_coroutine_create(bdrv_check_co_entry, &cco);
4320        bdrv_coroutine_enter(bs, co);
4321        BDRV_POLL_WHILE(bs, cco.ret == -EINPROGRESS);
4322    }
4323
4324    return cco.ret;
4325}
4326
4327/*
4328 * Return values:
4329 * 0        - success
4330 * -EINVAL  - backing format specified, but no file
4331 * -ENOSPC  - can't update the backing file because no space is left in the
4332 *            image file header
4333 * -ENOTSUP - format driver doesn't support changing the backing file
4334 */
4335int bdrv_change_backing_file(BlockDriverState *bs,
4336    const char *backing_file, const char *backing_fmt)
4337{
4338    BlockDriver *drv = bs->drv;
4339    int ret;
4340
4341    if (!drv) {
4342        return -ENOMEDIUM;
4343    }
4344
4345    /* Backing file format doesn't make sense without a backing file */
4346    if (backing_fmt && !backing_file) {
4347        return -EINVAL;
4348    }
4349
4350    if (drv->bdrv_change_backing_file != NULL) {
4351        ret = drv->bdrv_change_backing_file(bs, backing_file, backing_fmt);
4352    } else {
4353        ret = -ENOTSUP;
4354    }
4355
4356    if (ret == 0) {
4357        pstrcpy(bs->backing_file, sizeof(bs->backing_file), backing_file ?: "");
4358        pstrcpy(bs->backing_format, sizeof(bs->backing_format), backing_fmt ?: "");
4359        pstrcpy(bs->auto_backing_file, sizeof(bs->auto_backing_file),
4360                backing_file ?: "");
4361    }
4362    return ret;
4363}
4364
4365/*
4366 * Finds the image layer in the chain that has 'bs' as its backing file.
4367 *
4368 * active is the current topmost image.
4369 *
4370 * Returns NULL if bs is not found in active's image chain,
4371 * or if active == bs.
4372 *
4373 * Returns the bottommost base image if bs == NULL.
4374 */
4375BlockDriverState *bdrv_find_overlay(BlockDriverState *active,
4376                                    BlockDriverState *bs)
4377{
4378    while (active && bs != backing_bs(active)) {
4379        active = backing_bs(active);
4380    }
4381
4382    return active;
4383}
4384
4385/* Given a BDS, searches for the base layer. */
4386BlockDriverState *bdrv_find_base(BlockDriverState *bs)
4387{
4388    return bdrv_find_overlay(bs, NULL);
4389}
4390
4391/*
4392 * Return true if at least one of the backing links between @bs and
4393 * @base is frozen. @errp is set if that's the case.
4394 * @base must be reachable from @bs, or NULL.
4395 */
4396bool bdrv_is_backing_chain_frozen(BlockDriverState *bs, BlockDriverState *base,
4397                                  Error **errp)
4398{
4399    BlockDriverState *i;
4400
4401    for (i = bs; i != base; i = backing_bs(i)) {
4402        if (i->backing && i->backing->frozen) {
4403            error_setg(errp, "Cannot change '%s' link from '%s' to '%s'",
4404                       i->backing->name, i->node_name,
4405                       backing_bs(i)->node_name);
4406            return true;
4407        }
4408    }
4409
4410    return false;
4411}
4412
4413/*
4414 * Freeze all backing links between @bs and @base.
4415 * If any of the links is already frozen the operation is aborted and
4416 * none of the links are modified.
4417 * @base must be reachable from @bs, or NULL.
4418 * Returns 0 on success. On failure returns < 0 and sets @errp.
4419 */
4420int bdrv_freeze_backing_chain(BlockDriverState *bs, BlockDriverState *base,
4421                              Error **errp)
4422{
4423    BlockDriverState *i;
4424
4425    if (bdrv_is_backing_chain_frozen(bs, base, errp)) {
4426        return -EPERM;
4427    }
4428
4429    for (i = bs; i != base; i = backing_bs(i)) {
4430        if (i->backing && backing_bs(i)->never_freeze) {
4431            error_setg(errp, "Cannot freeze '%s' link to '%s'",
4432                       i->backing->name, backing_bs(i)->node_name);
4433            return -EPERM;
4434        }
4435    }
4436
4437    for (i = bs; i != base; i = backing_bs(i)) {
4438        if (i->backing) {
4439            i->backing->frozen = true;
4440        }
4441    }
4442
4443    return 0;
4444}
4445
4446/*
4447 * Unfreeze all backing links between @bs and @base. The caller must
4448 * ensure that all links are frozen before using this function.
4449 * @base must be reachable from @bs, or NULL.
4450 */
4451void bdrv_unfreeze_backing_chain(BlockDriverState *bs, BlockDriverState *base)
4452{
4453    BlockDriverState *i;
4454
4455    for (i = bs; i != base; i = backing_bs(i)) {
4456        if (i->backing) {
4457            assert(i->backing->frozen);
4458            i->backing->frozen = false;
4459        }
4460    }
4461}
4462
4463/*
4464 * Drops images above 'base' up to and including 'top', and sets the image
4465 * above 'top' to have base as its backing file.
4466 *
4467 * Requires that the overlay to 'top' is opened r/w, so that the backing file
4468 * information in 'bs' can be properly updated.
4469 *
4470 * E.g., this will convert the following chain:
4471 * bottom <- base <- intermediate <- top <- active
4472 *
4473 * to
4474 *
4475 * bottom <- base <- active
4476 *
4477 * It is allowed for bottom==base, in which case it converts:
4478 *
4479 * base <- intermediate <- top <- active
4480 *
4481 * to
4482 *
4483 * base <- active
4484 *
4485 * If backing_file_str is non-NULL, it will be used when modifying top's
4486 * overlay image metadata.
4487 *
4488 * Error conditions:
4489 *  if active == top, that is considered an error
4490 *
4491 */
4492int bdrv_drop_intermediate(BlockDriverState *top, BlockDriverState *base,
4493                           const char *backing_file_str)
4494{
4495    BlockDriverState *explicit_top = top;
4496    bool update_inherits_from;
4497    BdrvChild *c, *next;
4498    Error *local_err = NULL;
4499    int ret = -EIO;
4500
4501    bdrv_ref(top);
4502
4503    if (!top->drv || !base->drv) {
4504        goto exit;
4505    }
4506
4507    /* Make sure that base is in the backing chain of top */
4508    if (!bdrv_chain_contains(top, base)) {
4509        goto exit;
4510    }
4511
4512    /* This function changes all links that point to top and makes
4513     * them point to base. Check that none of them is frozen. */
4514    QLIST_FOREACH(c, &top->parents, next_parent) {
4515        if (c->frozen) {
4516            goto exit;
4517        }
4518    }
4519
4520    /* If 'base' recursively inherits from 'top' then we should set
4521     * base->inherits_from to top->inherits_from after 'top' and all
4522     * other intermediate nodes have been dropped.
4523     * If 'top' is an implicit node (e.g. "commit_top") we should skip
4524     * it because no one inherits from it. We use explicit_top for that. */
4525    while (explicit_top && explicit_top->implicit) {
4526        explicit_top = backing_bs(explicit_top);
4527    }
4528    update_inherits_from = bdrv_inherits_from_recursive(base, explicit_top);
4529
4530    /* success - we can delete the intermediate states, and link top->base */
4531    /* TODO Check graph modification op blockers (BLK_PERM_GRAPH_MOD) once
4532     * we've figured out how they should work. */
4533    if (!backing_file_str) {
4534        bdrv_refresh_filename(base);
4535        backing_file_str = base->filename;
4536    }
4537
4538    QLIST_FOREACH_SAFE(c, &top->parents, next_parent, next) {
4539        /* Check whether we are allowed to switch c from top to base */
4540        GSList *ignore_children = g_slist_prepend(NULL, c);
4541        ret = bdrv_check_update_perm(base, NULL, c->perm, c->shared_perm,
4542                                     ignore_children, NULL, &local_err);
4543        g_slist_free(ignore_children);
4544        if (ret < 0) {
4545            error_report_err(local_err);
4546            goto exit;
4547        }
4548
4549        /* If so, update the backing file path in the image file */
4550        if (c->role->update_filename) {
4551            ret = c->role->update_filename(c, base, backing_file_str,
4552                                           &local_err);
4553            if (ret < 0) {
4554                bdrv_abort_perm_update(base);
4555                error_report_err(local_err);
4556                goto exit;
4557            }
4558        }
4559
4560        /* Do the actual switch in the in-memory graph.
4561         * Completes bdrv_check_update_perm() transaction internally. */
4562        bdrv_ref(base);
4563        bdrv_replace_child(c, base);
4564        bdrv_unref(top);
4565    }
4566
4567    if (update_inherits_from) {
4568        base->inherits_from = explicit_top->inherits_from;
4569    }
4570
4571    ret = 0;
4572exit:
4573    bdrv_unref(top);
4574    return ret;
4575}
4576
4577/**
4578 * Length of a allocated file in bytes. Sparse files are counted by actual
4579 * allocated space. Return < 0 if error or unknown.
4580 */
4581int64_t bdrv_get_allocated_file_size(BlockDriverState *bs)
4582{
4583    BlockDriver *drv = bs->drv;
4584    if (!drv) {
4585        return -ENOMEDIUM;
4586    }
4587    if (drv->bdrv_get_allocated_file_size) {
4588        return drv->bdrv_get_allocated_file_size(bs);
4589    }
4590    if (bs->file) {
4591        return bdrv_get_allocated_file_size(bs->file->bs);
4592    }
4593    return -ENOTSUP;
4594}
4595
4596/*
4597 * bdrv_measure:
4598 * @drv: Format driver
4599 * @opts: Creation options for new image
4600 * @in_bs: Existing image containing data for new image (may be NULL)
4601 * @errp: Error object
4602 * Returns: A #BlockMeasureInfo (free using qapi_free_BlockMeasureInfo())
4603 *          or NULL on error
4604 *
4605 * Calculate file size required to create a new image.
4606 *
4607 * If @in_bs is given then space for allocated clusters and zero clusters
4608 * from that image are included in the calculation.  If @opts contains a
4609 * backing file that is shared by @in_bs then backing clusters may be omitted
4610 * from the calculation.
4611 *
4612 * If @in_bs is NULL then the calculation includes no allocated clusters
4613 * unless a preallocation option is given in @opts.
4614 *
4615 * Note that @in_bs may use a different BlockDriver from @drv.
4616 *
4617 * If an error occurs the @errp pointer is set.
4618 */
4619BlockMeasureInfo *bdrv_measure(BlockDriver *drv, QemuOpts *opts,
4620                               BlockDriverState *in_bs, Error **errp)
4621{
4622    if (!drv->bdrv_measure) {
4623        error_setg(errp, "Block driver '%s' does not support size measurement",
4624                   drv->format_name);
4625        return NULL;
4626    }
4627
4628    return drv->bdrv_measure(opts, in_bs, errp);
4629}
4630
4631/**
4632 * Return number of sectors on success, -errno on error.
4633 */
4634int64_t bdrv_nb_sectors(BlockDriverState *bs)
4635{
4636    BlockDriver *drv = bs->drv;
4637
4638    if (!drv)
4639        return -ENOMEDIUM;
4640
4641    if (drv->has_variable_length) {
4642        int ret = refresh_total_sectors(bs, bs->total_sectors);
4643        if (ret < 0) {
4644            return ret;
4645        }
4646    }
4647    return bs->total_sectors;
4648}
4649
4650/**
4651 * Return length in bytes on success, -errno on error.
4652 * The length is always a multiple of BDRV_SECTOR_SIZE.
4653 */
4654int64_t bdrv_getlength(BlockDriverState *bs)
4655{
4656    int64_t ret = bdrv_nb_sectors(bs);
4657
4658    ret = ret > INT64_MAX / BDRV_SECTOR_SIZE ? -EFBIG : ret;
4659    return ret < 0 ? ret : ret * BDRV_SECTOR_SIZE;
4660}
4661
4662/* return 0 as number of sectors if no device present or error */
4663void bdrv_get_geometry(BlockDriverState *bs, uint64_t *nb_sectors_ptr)
4664{
4665    int64_t nb_sectors = bdrv_nb_sectors(bs);
4666
4667    *nb_sectors_ptr = nb_sectors < 0 ? 0 : nb_sectors;
4668}
4669
4670bool bdrv_is_sg(BlockDriverState *bs)
4671{
4672    return bs->sg;
4673}
4674
4675bool bdrv_is_encrypted(BlockDriverState *bs)
4676{
4677    if (bs->backing && bs->backing->bs->encrypted) {
4678        return true;
4679    }
4680    return bs->encrypted;
4681}
4682
4683const char *bdrv_get_format_name(BlockDriverState *bs)
4684{
4685    return bs->drv ? bs->drv->format_name : NULL;
4686}
4687
4688static int qsort_strcmp(const void *a, const void *b)
4689{
4690    return strcmp(*(char *const *)a, *(char *const *)b);
4691}
4692
4693void bdrv_iterate_format(void (*it)(void *opaque, const char *name),
4694                         void *opaque, bool read_only)
4695{
4696    BlockDriver *drv;
4697    int count = 0;
4698    int i;
4699    const char **formats = NULL;
4700
4701    QLIST_FOREACH(drv, &bdrv_drivers, list) {
4702        if (drv->format_name) {
4703            bool found = false;
4704            int i = count;
4705
4706            if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv, read_only)) {
4707                continue;
4708            }
4709
4710            while (formats && i && !found) {
4711                found = !strcmp(formats[--i], drv->format_name);
4712            }
4713
4714            if (!found) {
4715                formats = g_renew(const char *, formats, count + 1);
4716                formats[count++] = drv->format_name;
4717            }
4718        }
4719    }
4720
4721    for (i = 0; i < (int)ARRAY_SIZE(block_driver_modules); i++) {
4722        const char *format_name = block_driver_modules[i].format_name;
4723
4724        if (format_name) {
4725            bool found = false;
4726            int j = count;
4727
4728            if (use_bdrv_whitelist &&
4729                !bdrv_format_is_whitelisted(format_name, read_only)) {
4730                continue;
4731            }
4732
4733            while (formats && j && !found) {
4734                found = !strcmp(formats[--j], format_name);
4735            }
4736
4737            if (!found) {
4738                formats = g_renew(const char *, formats, count + 1);
4739                formats[count++] = format_name;
4740            }
4741        }
4742    }
4743
4744    qsort(formats, count, sizeof(formats[0]), qsort_strcmp);
4745
4746    for (i = 0; i < count; i++) {
4747        it(opaque, formats[i]);
4748    }
4749
4750    g_free(formats);
4751}
4752
4753/* This function is to find a node in the bs graph */
4754BlockDriverState *bdrv_find_node(const char *node_name)
4755{
4756    BlockDriverState *bs;
4757
4758    assert(node_name);
4759
4760    QTAILQ_FOREACH(bs, &graph_bdrv_states, node_list) {
4761        if (!strcmp(node_name, bs->node_name)) {
4762            return bs;
4763        }
4764    }
4765    return NULL;
4766}
4767
4768/* Put this QMP function here so it can access the static graph_bdrv_states. */
4769BlockDeviceInfoList *bdrv_named_nodes_list(Error **errp)
4770{
4771    BlockDeviceInfoList *list, *entry;
4772    BlockDriverState *bs;
4773
4774    list = NULL;
4775    QTAILQ_FOREACH(bs, &graph_bdrv_states, node_list) {
4776        BlockDeviceInfo *info = bdrv_block_device_info(NULL, bs, errp);
4777        if (!info) {
4778            qapi_free_BlockDeviceInfoList(list);
4779            return NULL;
4780        }
4781        entry = g_malloc0(sizeof(*entry));
4782        entry->value = info;
4783        entry->next = list;
4784        list = entry;
4785    }
4786
4787    return list;
4788}
4789
4790#define QAPI_LIST_ADD(list, element) do { \
4791    typeof(list) _tmp = g_new(typeof(*(list)), 1); \
4792    _tmp->value = (element); \
4793    _tmp->next = (list); \
4794    (list) = _tmp; \
4795} while (0)
4796
4797typedef struct XDbgBlockGraphConstructor {
4798    XDbgBlockGraph *graph;
4799    GHashTable *graph_nodes;
4800} XDbgBlockGraphConstructor;
4801
4802static XDbgBlockGraphConstructor *xdbg_graph_new(void)
4803{
4804    XDbgBlockGraphConstructor *gr = g_new(XDbgBlockGraphConstructor, 1);
4805
4806    gr->graph = g_new0(XDbgBlockGraph, 1);
4807    gr->graph_nodes = g_hash_table_new(NULL, NULL);
4808
4809    return gr;
4810}
4811
4812static XDbgBlockGraph *xdbg_graph_finalize(XDbgBlockGraphConstructor *gr)
4813{
4814    XDbgBlockGraph *graph = gr->graph;
4815
4816    g_hash_table_destroy(gr->graph_nodes);
4817    g_free(gr);
4818
4819    return graph;
4820}
4821
4822static uintptr_t xdbg_graph_node_num(XDbgBlockGraphConstructor *gr, void *node)
4823{
4824    uintptr_t ret = (uintptr_t)g_hash_table_lookup(gr->graph_nodes, node);
4825
4826    if (ret != 0) {
4827        return ret;
4828    }
4829
4830    /*
4831     * Start counting from 1, not 0, because 0 interferes with not-found (NULL)
4832     * answer of g_hash_table_lookup.
4833     */
4834    ret = g_hash_table_size(gr->graph_nodes) + 1;
4835    g_hash_table_insert(gr->graph_nodes, node, (void *)ret);
4836
4837    return ret;
4838}
4839
4840static void xdbg_graph_add_node(XDbgBlockGraphConstructor *gr, void *node,
4841                                XDbgBlockGraphNodeType type, const char *name)
4842{
4843    XDbgBlockGraphNode *n;
4844
4845    n = g_new0(XDbgBlockGraphNode, 1);
4846
4847    n->id = xdbg_graph_node_num(gr, node);
4848    n->type = type;
4849    n->name = g_strdup(name);
4850
4851    QAPI_LIST_ADD(gr->graph->nodes, n);
4852}
4853
4854static void xdbg_graph_add_edge(XDbgBlockGraphConstructor *gr, void *parent,
4855                                const BdrvChild *child)
4856{
4857    typedef struct {
4858        unsigned int flag;
4859        BlockPermission num;
4860    } PermissionMap;
4861
4862    static const PermissionMap permissions[] = {
4863        { BLK_PERM_CONSISTENT_READ, BLOCK_PERMISSION_CONSISTENT_READ },
4864        { BLK_PERM_WRITE,           BLOCK_PERMISSION_WRITE },
4865        { BLK_PERM_WRITE_UNCHANGED, BLOCK_PERMISSION_WRITE_UNCHANGED },
4866        { BLK_PERM_RESIZE,          BLOCK_PERMISSION_RESIZE },
4867        { BLK_PERM_GRAPH_MOD,       BLOCK_PERMISSION_GRAPH_MOD },
4868        { 0, 0 }
4869    };
4870    const PermissionMap *p;
4871    XDbgBlockGraphEdge *edge;
4872
4873    QEMU_BUILD_BUG_ON(1UL << (ARRAY_SIZE(permissions) - 1) != BLK_PERM_ALL + 1);
4874
4875    edge = g_new0(XDbgBlockGraphEdge, 1);
4876
4877    edge->parent = xdbg_graph_node_num(gr, parent);
4878    edge->child = xdbg_graph_node_num(gr, child->bs);
4879    edge->name = g_strdup(child->name);
4880
4881    for (p = permissions; p->flag; p++) {
4882        if (p->flag & child->perm) {
4883            QAPI_LIST_ADD(edge->perm, p->num);
4884        }
4885        if (p->flag & child->shared_perm) {
4886            QAPI_LIST_ADD(edge->shared_perm, p->num);
4887        }
4888    }
4889
4890    QAPI_LIST_ADD(gr->graph->edges, edge);
4891}
4892
4893
4894XDbgBlockGraph *bdrv_get_xdbg_block_graph(Error **errp)
4895{
4896    BlockBackend *blk;
4897    BlockJob *job;
4898    BlockDriverState *bs;
4899    BdrvChild *child;
4900    XDbgBlockGraphConstructor *gr = xdbg_graph_new();
4901
4902    for (blk = blk_all_next(NULL); blk; blk = blk_all_next(blk)) {
4903        char *allocated_name = NULL;
4904        const char *name = blk_name(blk);
4905
4906        if (!*name) {
4907            name = allocated_name = blk_get_attached_dev_id(blk);
4908        }
4909        xdbg_graph_add_node(gr, blk, X_DBG_BLOCK_GRAPH_NODE_TYPE_BLOCK_BACKEND,
4910                           name);
4911        g_free(allocated_name);
4912        if (blk_root(blk)) {
4913            xdbg_graph_add_edge(gr, blk, blk_root(blk));
4914        }
4915    }
4916
4917    for (job = block_job_next(NULL); job; job = block_job_next(job)) {
4918        GSList *el;
4919
4920        xdbg_graph_add_node(gr, job, X_DBG_BLOCK_GRAPH_NODE_TYPE_BLOCK_JOB,
4921                           job->job.id);
4922        for (el = job->nodes; el; el = el->next) {
4923            xdbg_graph_add_edge(gr, job, (BdrvChild *)el->data);
4924        }
4925    }
4926
4927    QTAILQ_FOREACH(bs, &graph_bdrv_states, node_list) {
4928        xdbg_graph_add_node(gr, bs, X_DBG_BLOCK_GRAPH_NODE_TYPE_BLOCK_DRIVER,
4929                           bs->node_name);
4930        QLIST_FOREACH(child, &bs->children, next) {
4931            xdbg_graph_add_edge(gr, bs, child);
4932        }
4933    }
4934
4935    return xdbg_graph_finalize(gr);
4936}
4937
4938BlockDriverState *bdrv_lookup_bs(const char *device,
4939                                 const char *node_name,
4940                                 Error **errp)
4941{
4942    BlockBackend *blk;
4943    BlockDriverState *bs;
4944
4945    if (device) {
4946        blk = blk_by_name(device);
4947
4948        if (blk) {
4949            bs = blk_bs(blk);
4950            if (!bs) {
4951                error_setg(errp, "Device '%s' has no medium", device);
4952            }
4953
4954            return bs;
4955        }
4956    }
4957
4958    if (node_name) {
4959        bs = bdrv_find_node(node_name);
4960
4961        if (bs) {
4962            return bs;
4963        }
4964    }
4965
4966    error_setg(errp, "Cannot find device=%s nor node_name=%s",
4967                     device ? device : "",
4968                     node_name ? node_name : "");
4969    return NULL;
4970}
4971
4972/* If 'base' is in the same chain as 'top', return true. Otherwise,
4973 * return false.  If either argument is NULL, return false. */
4974bool bdrv_chain_contains(BlockDriverState *top, BlockDriverState *base)
4975{
4976    while (top && top != base) {
4977        top = backing_bs(top);
4978    }
4979
4980    return top != NULL;
4981}
4982
4983BlockDriverState *bdrv_next_node(BlockDriverState *bs)
4984{
4985    if (!bs) {
4986        return QTAILQ_FIRST(&graph_bdrv_states);
4987    }
4988    return QTAILQ_NEXT(bs, node_list);
4989}
4990
4991BlockDriverState *bdrv_next_all_states(BlockDriverState *bs)
4992{
4993    if (!bs) {
4994        return QTAILQ_FIRST(&all_bdrv_states);
4995    }
4996    return QTAILQ_NEXT(bs, bs_list);
4997}
4998
4999const char *bdrv_get_node_name(const BlockDriverState *bs)
5000{
5001    return bs->node_name;
5002}
5003
5004const char *bdrv_get_parent_name(const BlockDriverState *bs)
5005{
5006    BdrvChild *c;
5007    const char *name;
5008
5009    /* If multiple parents have a name, just pick the first one. */
5010    QLIST_FOREACH(c, &bs->parents, next_parent) {
5011        if (c->role->get_name) {
5012            name = c->role->get_name(c);
5013            if (name && *name) {
5014                return name;
5015            }
5016        }
5017    }
5018
5019    return NULL;
5020}
5021
5022/* TODO check what callers really want: bs->node_name or blk_name() */
5023const char *bdrv_get_device_name(const BlockDriverState *bs)
5024{
5025    return bdrv_get_parent_name(bs) ?: "";
5026}
5027
5028/* This can be used to identify nodes that might not have a device
5029 * name associated. Since node and device names live in the same
5030 * namespace, the result is unambiguous. The exception is if both are
5031 * absent, then this returns an empty (non-null) string. */
5032const char *bdrv_get_device_or_node_name(const BlockDriverState *bs)
5033{
5034    return bdrv_get_parent_name(bs) ?: bs->node_name;
5035}
5036
5037int bdrv_get_flags(BlockDriverState *bs)
5038{
5039    return bs->open_flags;
5040}
5041
5042int bdrv_has_zero_init_1(BlockDriverState *bs)
5043{
5044    return 1;
5045}
5046
5047int bdrv_has_zero_init(BlockDriverState *bs)
5048{
5049    if (!bs->drv) {
5050        return 0;
5051    }
5052
5053    /* If BS is a copy on write image, it is initialized to
5054       the contents of the base image, which may not be zeroes.  */
5055    if (bs->backing) {
5056        return 0;
5057    }
5058    if (bs->drv->bdrv_has_zero_init) {
5059        return bs->drv->bdrv_has_zero_init(bs);
5060    }
5061    if (bs->file && bs->drv->is_filter) {
5062        return bdrv_has_zero_init(bs->file->bs);
5063    }
5064
5065    /* safe default */
5066    return 0;
5067}
5068
5069bool bdrv_unallocated_blocks_are_zero(BlockDriverState *bs)
5070{
5071    BlockDriverInfo bdi;
5072
5073    if (bs->backing) {
5074        return false;
5075    }
5076
5077    if (bdrv_get_info(bs, &bdi) == 0) {
5078        return bdi.unallocated_blocks_are_zero;
5079    }
5080
5081    return false;
5082}
5083
5084bool bdrv_can_write_zeroes_with_unmap(BlockDriverState *bs)
5085{
5086    if (!(bs->open_flags & BDRV_O_UNMAP)) {
5087        return false;
5088    }
5089
5090    return bs->supported_zero_flags & BDRV_REQ_MAY_UNMAP;
5091}
5092
5093void bdrv_get_backing_filename(BlockDriverState *bs,
5094                               char *filename, int filename_size)
5095{
5096    pstrcpy(filename, filename_size, bs->backing_file);
5097}
5098
5099int bdrv_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
5100{
5101    BlockDriver *drv = bs->drv;
5102    /* if bs->drv == NULL, bs is closed, so there's nothing to do here */
5103    if (!drv) {
5104        return -ENOMEDIUM;
5105    }
5106    if (!drv->bdrv_get_info) {
5107        if (bs->file && drv->is_filter) {
5108            return bdrv_get_info(bs->file->bs, bdi);
5109        }
5110        return -ENOTSUP;
5111    }
5112    memset(bdi, 0, sizeof(*bdi));
5113    return drv->bdrv_get_info(bs, bdi);
5114}
5115
5116ImageInfoSpecific *bdrv_get_specific_info(BlockDriverState *bs,
5117                                          Error **errp)
5118{
5119    BlockDriver *drv = bs->drv;
5120    if (drv && drv->bdrv_get_specific_info) {
5121        return drv->bdrv_get_specific_info(bs, errp);
5122    }
5123    return NULL;
5124}
5125
5126void bdrv_debug_event(BlockDriverState *bs, BlkdebugEvent event)
5127{
5128    if (!bs || !bs->drv || !bs->drv->bdrv_debug_event) {
5129        return;
5130    }
5131
5132    bs->drv->bdrv_debug_event(bs, event);
5133}
5134
5135int bdrv_debug_breakpoint(BlockDriverState *bs, const char *event,
5136                          const char *tag)
5137{
5138    while (bs && bs->drv && !bs->drv->bdrv_debug_breakpoint) {
5139        bs = bs->file ? bs->file->bs : NULL;
5140    }
5141
5142    if (bs && bs->drv && bs->drv->bdrv_debug_breakpoint) {
5143        return bs->drv->bdrv_debug_breakpoint(bs, event, tag);
5144    }
5145
5146    return -ENOTSUP;
5147}
5148
5149int bdrv_debug_remove_breakpoint(BlockDriverState *bs, const char *tag)
5150{
5151    while (bs && bs->drv && !bs->drv->bdrv_debug_remove_breakpoint) {
5152        bs = bs->file ? bs->file->bs : NULL;
5153    }
5154
5155    if (bs && bs->drv && bs->drv->bdrv_debug_remove_breakpoint) {
5156        return bs->drv->bdrv_debug_remove_breakpoint(bs, tag);
5157    }
5158
5159    return -ENOTSUP;
5160}
5161
5162int bdrv_debug_resume(BlockDriverState *bs, const char *tag)
5163{
5164    while (bs && (!bs->drv || !bs->drv->bdrv_debug_resume)) {
5165        bs = bs->file ? bs->file->bs : NULL;
5166    }
5167
5168    if (bs && bs->drv && bs->drv->bdrv_debug_resume) {
5169        return bs->drv->bdrv_debug_resume(bs, tag);
5170    }
5171
5172    return -ENOTSUP;
5173}
5174
5175bool bdrv_debug_is_suspended(BlockDriverState *bs, const char *tag)
5176{
5177    while (bs && bs->drv && !bs->drv->bdrv_debug_is_suspended) {
5178        bs = bs->file ? bs->file->bs : NULL;
5179    }
5180
5181    if (bs && bs->drv && bs->drv->bdrv_debug_is_suspended) {
5182        return bs->drv->bdrv_debug_is_suspended(bs, tag);
5183    }
5184
5185    return false;
5186}
5187
5188/* backing_file can either be relative, or absolute, or a protocol.  If it is
5189 * relative, it must be relative to the chain.  So, passing in bs->filename
5190 * from a BDS as backing_file should not be done, as that may be relative to
5191 * the CWD rather than the chain. */
5192BlockDriverState *bdrv_find_backing_image(BlockDriverState *bs,
5193        const char *backing_file)
5194{
5195    char *filename_full = NULL;
5196    char *backing_file_full = NULL;
5197    char *filename_tmp = NULL;
5198    int is_protocol = 0;
5199    BlockDriverState *curr_bs = NULL;
5200    BlockDriverState *retval = NULL;
5201
5202    if (!bs || !bs->drv || !backing_file) {
5203        return NULL;
5204    }
5205
5206    filename_full     = g_malloc(PATH_MAX);
5207    backing_file_full = g_malloc(PATH_MAX);
5208
5209    is_protocol = path_has_protocol(backing_file);
5210
5211    for (curr_bs = bs; curr_bs->backing; curr_bs = curr_bs->backing->bs) {
5212
5213        /* If either of the filename paths is actually a protocol, then
5214         * compare unmodified paths; otherwise make paths relative */
5215        if (is_protocol || path_has_protocol(curr_bs->backing_file)) {
5216            char *backing_file_full_ret;
5217
5218            if (strcmp(backing_file, curr_bs->backing_file) == 0) {
5219                retval = curr_bs->backing->bs;
5220                break;
5221            }
5222            /* Also check against the full backing filename for the image */
5223            backing_file_full_ret = bdrv_get_full_backing_filename(curr_bs,
5224                                                                   NULL);
5225            if (backing_file_full_ret) {
5226                bool equal = strcmp(backing_file, backing_file_full_ret) == 0;
5227                g_free(backing_file_full_ret);
5228                if (equal) {
5229                    retval = curr_bs->backing->bs;
5230                    break;
5231                }
5232            }
5233        } else {
5234            /* If not an absolute filename path, make it relative to the current
5235             * image's filename path */
5236            filename_tmp = bdrv_make_absolute_filename(curr_bs, backing_file,
5237                                                       NULL);
5238            /* We are going to compare canonicalized absolute pathnames */
5239            if (!filename_tmp || !realpath(filename_tmp, filename_full)) {
5240                g_free(filename_tmp);
5241                continue;
5242            }
5243            g_free(filename_tmp);
5244
5245            /* We need to make sure the backing filename we are comparing against
5246             * is relative to the current image filename (or absolute) */
5247            filename_tmp = bdrv_get_full_backing_filename(curr_bs, NULL);
5248            if (!filename_tmp || !realpath(filename_tmp, backing_file_full)) {
5249                g_free(filename_tmp);
5250                continue;
5251            }
5252            g_free(filename_tmp);
5253
5254            if (strcmp(backing_file_full, filename_full) == 0) {
5255                retval = curr_bs->backing->bs;
5256                break;
5257            }
5258        }
5259    }
5260
5261    g_free(filename_full);
5262    g_free(backing_file_full);
5263    return retval;
5264}
5265
5266void bdrv_init(void)
5267{
5268    module_call_init(MODULE_INIT_BLOCK);
5269}
5270
5271void bdrv_init_with_whitelist(void)
5272{
5273    use_bdrv_whitelist = 1;
5274    bdrv_init();
5275}
5276
5277static void coroutine_fn bdrv_co_invalidate_cache(BlockDriverState *bs,
5278                                                  Error **errp)
5279{
5280    BdrvChild *child, *parent;
5281    uint64_t perm, shared_perm;
5282    Error *local_err = NULL;
5283    int ret;
5284    BdrvDirtyBitmap *bm;
5285
5286    if (!bs->drv)  {
5287        return;
5288    }
5289
5290    if (!(bs->open_flags & BDRV_O_INACTIVE)) {
5291        return;
5292    }
5293
5294    QLIST_FOREACH(child, &bs->children, next) {
5295        bdrv_co_invalidate_cache(child->bs, &local_err);
5296        if (local_err) {
5297            error_propagate(errp, local_err);
5298            return;
5299        }
5300    }
5301
5302    /*
5303     * Update permissions, they may differ for inactive nodes.
5304     *
5305     * Note that the required permissions of inactive images are always a
5306     * subset of the permissions required after activating the image. This
5307     * allows us to just get the permissions upfront without restricting
5308     * drv->bdrv_invalidate_cache().
5309     *
5310     * It also means that in error cases, we don't have to try and revert to
5311     * the old permissions (which is an operation that could fail, too). We can
5312     * just keep the extended permissions for the next time that an activation
5313     * of the image is tried.
5314     */
5315    bs->open_flags &= ~BDRV_O_INACTIVE;
5316    bdrv_get_cumulative_perm(bs, &perm, &shared_perm);
5317    ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, NULL, &local_err);
5318    if (ret < 0) {
5319        bs->open_flags |= BDRV_O_INACTIVE;
5320        error_propagate(errp, local_err);
5321        return;
5322    }
5323    bdrv_set_perm(bs, perm, shared_perm);
5324
5325    if (bs->drv->bdrv_co_invalidate_cache) {
5326        bs->drv->bdrv_co_invalidate_cache(bs, &local_err);
5327        if (local_err) {
5328            bs->open_flags |= BDRV_O_INACTIVE;
5329            error_propagate(errp, local_err);
5330            return;
5331        }
5332    }
5333
5334    for (bm = bdrv_dirty_bitmap_next(bs, NULL); bm;
5335         bm = bdrv_dirty_bitmap_next(bs, bm))
5336    {
5337        bdrv_dirty_bitmap_set_migration(bm, false);
5338    }
5339
5340    ret = refresh_total_sectors(bs, bs->total_sectors);
5341    if (ret < 0) {
5342        bs->open_flags |= BDRV_O_INACTIVE;
5343        error_setg_errno(errp, -ret, "Could not refresh total sector count");
5344        return;
5345    }
5346
5347    QLIST_FOREACH(parent, &bs->parents, next_parent) {
5348        if (parent->role->activate) {
5349            parent->role->activate(parent, &local_err);
5350            if (local_err) {
5351                bs->open_flags |= BDRV_O_INACTIVE;
5352                error_propagate(errp, local_err);
5353                return;
5354            }
5355        }
5356    }
5357}
5358
5359typedef struct InvalidateCacheCo {
5360    BlockDriverState *bs;
5361    Error **errp;
5362    bool done;
5363} InvalidateCacheCo;
5364
5365static void coroutine_fn bdrv_invalidate_cache_co_entry(void *opaque)
5366{
5367    InvalidateCacheCo *ico = opaque;
5368    bdrv_co_invalidate_cache(ico->bs, ico->errp);
5369    ico->done = true;
5370    aio_wait_kick();
5371}
5372
5373void bdrv_invalidate_cache(BlockDriverState *bs, Error **errp)
5374{
5375    Coroutine *co;
5376    InvalidateCacheCo ico = {
5377        .bs = bs,
5378        .done = false,
5379        .errp = errp
5380    };
5381
5382    if (qemu_in_coroutine()) {
5383        /* Fast-path if already in coroutine context */
5384        bdrv_invalidate_cache_co_entry(&ico);
5385    } else {
5386        co = qemu_coroutine_create(bdrv_invalidate_cache_co_entry, &ico);
5387        bdrv_coroutine_enter(bs, co);
5388        BDRV_POLL_WHILE(bs, !ico.done);
5389    }
5390}
5391
5392void bdrv_invalidate_cache_all(Error **errp)
5393{
5394    BlockDriverState *bs;
5395    Error *local_err = NULL;
5396    BdrvNextIterator it;
5397
5398    for (bs = bdrv_first(&it); bs; bs = bdrv_next(&it)) {
5399        AioContext *aio_context = bdrv_get_aio_context(bs);
5400
5401        aio_context_acquire(aio_context);
5402        bdrv_invalidate_cache(bs, &local_err);
5403        aio_context_release(aio_context);
5404        if (local_err) {
5405            error_propagate(errp, local_err);
5406            bdrv_next_cleanup(&it);
5407            return;
5408        }
5409    }
5410}
5411
5412static bool bdrv_has_bds_parent(BlockDriverState *bs, bool only_active)
5413{
5414    BdrvChild *parent;
5415
5416    QLIST_FOREACH(parent, &bs->parents, next_parent) {
5417        if (parent->role->parent_is_bds) {
5418            BlockDriverState *parent_bs = parent->opaque;
5419            if (!only_active || !(parent_bs->open_flags & BDRV_O_INACTIVE)) {
5420                return true;
5421            }
5422        }
5423    }
5424
5425    return false;
5426}
5427
5428static int bdrv_inactivate_recurse(BlockDriverState *bs)
5429{
5430    BdrvChild *child, *parent;
5431    bool tighten_restrictions;
5432    uint64_t perm, shared_perm;
5433    int ret;
5434
5435    if (!bs->drv) {
5436        return -ENOMEDIUM;
5437    }
5438
5439    /* Make sure that we don't inactivate a child before its parent.
5440     * It will be covered by recursion from the yet active parent. */
5441    if (bdrv_has_bds_parent(bs, true)) {
5442        return 0;
5443    }
5444
5445    assert(!(bs->open_flags & BDRV_O_INACTIVE));
5446
5447    /* Inactivate this node */
5448    if (bs->drv->bdrv_inactivate) {
5449        ret = bs->drv->bdrv_inactivate(bs);
5450        if (ret < 0) {
5451            return ret;
5452        }
5453    }
5454
5455    QLIST_FOREACH(parent, &bs->parents, next_parent) {
5456        if (parent->role->inactivate) {
5457            ret = parent->role->inactivate(parent);
5458            if (ret < 0) {
5459                return ret;
5460            }
5461        }
5462    }
5463
5464    bs->open_flags |= BDRV_O_INACTIVE;
5465
5466    /* Update permissions, they may differ for inactive nodes */
5467    bdrv_get_cumulative_perm(bs, &perm, &shared_perm);
5468    ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL,
5469                          &tighten_restrictions, NULL);
5470    assert(tighten_restrictions == false);
5471    if (ret < 0) {
5472        /* We only tried to loosen restrictions, so errors are not fatal */
5473        bdrv_abort_perm_update(bs);
5474    } else {
5475        bdrv_set_perm(bs, perm, shared_perm);
5476    }
5477
5478
5479    /* Recursively inactivate children */
5480    QLIST_FOREACH(child, &bs->children, next) {
5481        ret = bdrv_inactivate_recurse(child->bs);
5482        if (ret < 0) {
5483            return ret;
5484        }
5485    }
5486
5487    return 0;
5488}
5489
5490int bdrv_inactivate_all(void)
5491{
5492    BlockDriverState *bs = NULL;
5493    BdrvNextIterator it;
5494    int ret = 0;
5495    GSList *aio_ctxs = NULL, *ctx;
5496
5497    for (bs = bdrv_first(&it); bs; bs = bdrv_next(&it)) {
5498        AioContext *aio_context = bdrv_get_aio_context(bs);
5499
5500        if (!g_slist_find(aio_ctxs, aio_context)) {
5501            aio_ctxs = g_slist_prepend(aio_ctxs, aio_context);
5502            aio_context_acquire(aio_context);
5503        }
5504    }
5505
5506    for (bs = bdrv_first(&it); bs; bs = bdrv_next(&it)) {
5507        /* Nodes with BDS parents are covered by recursion from the last
5508         * parent that gets inactivated. Don't inactivate them a second
5509         * time if that has already happened. */
5510        if (bdrv_has_bds_parent(bs, false)) {
5511            continue;
5512        }
5513        ret = bdrv_inactivate_recurse(bs);
5514        if (ret < 0) {
5515            bdrv_next_cleanup(&it);
5516            goto out;
5517        }
5518    }
5519
5520out:
5521    for (ctx = aio_ctxs; ctx != NULL; ctx = ctx->next) {
5522        AioContext *aio_context = ctx->data;
5523        aio_context_release(aio_context);
5524    }
5525    g_slist_free(aio_ctxs);
5526
5527    return ret;
5528}
5529
5530/**************************************************************/
5531/* removable device support */
5532
5533/**
5534 * Return TRUE if the media is present
5535 */
5536bool bdrv_is_inserted(BlockDriverState *bs)
5537{
5538    BlockDriver *drv = bs->drv;
5539    BdrvChild *child;
5540
5541    if (!drv) {
5542        return false;
5543    }
5544    if (drv->bdrv_is_inserted) {
5545        return drv->bdrv_is_inserted(bs);
5546    }
5547    QLIST_FOREACH(child, &bs->children, next) {
5548        if (!bdrv_is_inserted(child->bs)) {
5549            return false;
5550        }
5551    }
5552    return true;
5553}
5554
5555/**
5556 * If eject_flag is TRUE, eject the media. Otherwise, close the tray
5557 */
5558void bdrv_eject(BlockDriverState *bs, bool eject_flag)
5559{
5560    BlockDriver *drv = bs->drv;
5561
5562    if (drv && drv->bdrv_eject) {
5563        drv->bdrv_eject(bs, eject_flag);
5564    }
5565}
5566
5567/**
5568 * Lock or unlock the media (if it is locked, the user won't be able
5569 * to eject it manually).
5570 */
5571void bdrv_lock_medium(BlockDriverState *bs, bool locked)
5572{
5573    BlockDriver *drv = bs->drv;
5574
5575    trace_bdrv_lock_medium(bs, locked);
5576
5577    if (drv && drv->bdrv_lock_medium) {
5578        drv->bdrv_lock_medium(bs, locked);
5579    }
5580}
5581
5582/* Get a reference to bs */
5583void bdrv_ref(BlockDriverState *bs)
5584{
5585    bs->refcnt++;
5586}
5587
5588/* Release a previously grabbed reference to bs.
5589 * If after releasing, reference count is zero, the BlockDriverState is
5590 * deleted. */
5591void bdrv_unref(BlockDriverState *bs)
5592{
5593    if (!bs) {
5594        return;
5595    }
5596    assert(bs->refcnt > 0);
5597    if (--bs->refcnt == 0) {
5598        bdrv_delete(bs);
5599    }
5600}
5601
5602struct BdrvOpBlocker {
5603    Error *reason;
5604    QLIST_ENTRY(BdrvOpBlocker) list;
5605};
5606
5607bool bdrv_op_is_blocked(BlockDriverState *bs, BlockOpType op, Error **errp)
5608{
5609    BdrvOpBlocker *blocker;
5610    assert((int) op >= 0 && op < BLOCK_OP_TYPE_MAX);
5611    if (!QLIST_EMPTY(&bs->op_blockers[op])) {
5612        blocker = QLIST_FIRST(&bs->op_blockers[op]);
5613        error_propagate_prepend(errp, error_copy(blocker->reason),
5614                                "Node '%s' is busy: ",
5615                                bdrv_get_device_or_node_name(bs));
5616        return true;
5617    }
5618    return false;
5619}
5620
5621void bdrv_op_block(BlockDriverState *bs, BlockOpType op, Error *reason)
5622{
5623    BdrvOpBlocker *blocker;
5624    assert((int) op >= 0 && op < BLOCK_OP_TYPE_MAX);
5625
5626    blocker = g_new0(BdrvOpBlocker, 1);
5627    blocker->reason = reason;
5628    QLIST_INSERT_HEAD(&bs->op_blockers[op], blocker, list);
5629}
5630
5631void bdrv_op_unblock(BlockDriverState *bs, BlockOpType op, Error *reason)
5632{
5633    BdrvOpBlocker *blocker, *next;
5634    assert((int) op >= 0 && op < BLOCK_OP_TYPE_MAX);
5635    QLIST_FOREACH_SAFE(blocker, &bs->op_blockers[op], list, next) {
5636        if (blocker->reason == reason) {
5637            QLIST_REMOVE(blocker, list);
5638            g_free(blocker);
5639        }
5640    }
5641}
5642
5643void bdrv_op_block_all(BlockDriverState *bs, Error *reason)
5644{
5645    int i;
5646    for (i = 0; i < BLOCK_OP_TYPE_MAX; i++) {
5647        bdrv_op_block(bs, i, reason);
5648    }
5649}
5650
5651void bdrv_op_unblock_all(BlockDriverState *bs, Error *reason)
5652{
5653    int i;
5654    for (i = 0; i < BLOCK_OP_TYPE_MAX; i++) {
5655        bdrv_op_unblock(bs, i, reason);
5656    }
5657}
5658
5659bool bdrv_op_blocker_is_empty(BlockDriverState *bs)
5660{
5661    int i;
5662
5663    for (i = 0; i < BLOCK_OP_TYPE_MAX; i++) {
5664        if (!QLIST_EMPTY(&bs->op_blockers[i])) {
5665            return false;
5666        }
5667    }
5668    return true;
5669}
5670
5671void bdrv_img_create(const char *filename, const char *fmt,
5672                     const char *base_filename, const char *base_fmt,
5673                     char *options, uint64_t img_size, int flags, bool quiet,
5674                     Error **errp)
5675{
5676    QemuOptsList *create_opts = NULL;
5677    QemuOpts *opts = NULL;
5678    const char *backing_fmt, *backing_file;
5679    int64_t size;
5680    BlockDriver *drv, *proto_drv;
5681    Error *local_err = NULL;
5682    int ret = 0;
5683
5684    /* Find driver and parse its options */
5685    drv = bdrv_find_format(fmt);
5686    if (!drv) {
5687        error_setg(errp, "Unknown file format '%s'", fmt);
5688        return;
5689    }
5690
5691    proto_drv = bdrv_find_protocol(filename, true, errp);
5692    if (!proto_drv) {
5693        return;
5694    }
5695
5696    if (!drv->create_opts) {
5697        error_setg(errp, "Format driver '%s' does not support image creation",
5698                   drv->format_name);
5699        return;
5700    }
5701
5702    if (!proto_drv->create_opts) {
5703        error_setg(errp, "Protocol driver '%s' does not support image creation",
5704                   proto_drv->format_name);
5705        return;
5706    }
5707
5708    create_opts = qemu_opts_append(create_opts, drv->create_opts);
5709    create_opts = qemu_opts_append(create_opts, proto_drv->create_opts);
5710
5711    /* Create parameter list with default values */
5712    opts = qemu_opts_create(create_opts, NULL, 0, &error_abort);
5713    qemu_opt_set_number(opts, BLOCK_OPT_SIZE, img_size, &error_abort);
5714
5715    /* Parse -o options */
5716    if (options) {
5717        qemu_opts_do_parse(opts, options, NULL, &local_err);
5718        if (local_err) {
5719            goto out;
5720        }
5721    }
5722
5723    if (base_filename) {
5724        qemu_opt_set(opts, BLOCK_OPT_BACKING_FILE, base_filename, &local_err);
5725        if (local_err) {
5726            error_setg(errp, "Backing file not supported for file format '%s'",
5727                       fmt);
5728            goto out;
5729        }
5730    }
5731
5732    if (base_fmt) {
5733        qemu_opt_set(opts, BLOCK_OPT_BACKING_FMT, base_fmt, &local_err);
5734        if (local_err) {
5735            error_setg(errp, "Backing file format not supported for file "
5736                             "format '%s'", fmt);
5737            goto out;
5738        }
5739    }
5740
5741    backing_file = qemu_opt_get(opts, BLOCK_OPT_BACKING_FILE);
5742    if (backing_file) {
5743        if (!strcmp(filename, backing_file)) {
5744            error_setg(errp, "Error: Trying to create an image with the "
5745                             "same filename as the backing file");
5746            goto out;
5747        }
5748    }
5749
5750    backing_fmt = qemu_opt_get(opts, BLOCK_OPT_BACKING_FMT);
5751
5752    /* The size for the image must always be specified, unless we have a backing
5753     * file and we have not been forbidden from opening it. */
5754    size = qemu_opt_get_size(opts, BLOCK_OPT_SIZE, img_size);
5755    if (backing_file && !(flags & BDRV_O_NO_BACKING)) {
5756        BlockDriverState *bs;
5757        char *full_backing;
5758        int back_flags;
5759        QDict *backing_options = NULL;
5760
5761        full_backing =
5762            bdrv_get_full_backing_filename_from_filename(filename, backing_file,
5763                                                         &local_err);
5764        if (local_err) {
5765            goto out;
5766        }
5767        assert(full_backing);
5768
5769        /* backing files always opened read-only */
5770        back_flags = flags;
5771        back_flags &= ~(BDRV_O_RDWR | BDRV_O_SNAPSHOT | BDRV_O_NO_BACKING);
5772
5773        backing_options = qdict_new();
5774        if (backing_fmt) {
5775            qdict_put_str(backing_options, "driver", backing_fmt);
5776        }
5777        qdict_put_bool(backing_options, BDRV_OPT_FORCE_SHARE, true);
5778
5779        bs = bdrv_open(full_backing, NULL, backing_options, back_flags,
5780                       &local_err);
5781        g_free(full_backing);
5782        if (!bs && size != -1) {
5783            /* Couldn't open BS, but we have a size, so it's nonfatal */
5784            warn_reportf_err(local_err,
5785                            "Could not verify backing image. "
5786                            "This may become an error in future versions.\n");
5787            local_err = NULL;
5788        } else if (!bs) {
5789            /* Couldn't open bs, do not have size */
5790            error_append_hint(&local_err,
5791                              "Could not open backing image to determine size.\n");
5792            goto out;
5793        } else {
5794            if (size == -1) {
5795                /* Opened BS, have no size */
5796                size = bdrv_getlength(bs);
5797                if (size < 0) {
5798                    error_setg_errno(errp, -size, "Could not get size of '%s'",
5799                                     backing_file);
5800                    bdrv_unref(bs);
5801                    goto out;
5802                }
5803                qemu_opt_set_number(opts, BLOCK_OPT_SIZE, size, &error_abort);
5804            }
5805            bdrv_unref(bs);
5806        }
5807    } /* (backing_file && !(flags & BDRV_O_NO_BACKING)) */
5808
5809    if (size == -1) {
5810        error_setg(errp, "Image creation needs a size parameter");
5811        goto out;
5812    }
5813
5814    if (!quiet) {
5815        printf("Formatting '%s', fmt=%s ", filename, fmt);
5816        qemu_opts_print(opts, " ");
5817        puts("");
5818    }
5819
5820    ret = bdrv_create(drv, filename, opts, &local_err);
5821
5822    if (ret == -EFBIG) {
5823        /* This is generally a better message than whatever the driver would
5824         * deliver (especially because of the cluster_size_hint), since that
5825         * is most probably not much different from "image too large". */
5826        const char *cluster_size_hint = "";
5827        if (qemu_opt_get_size(opts, BLOCK_OPT_CLUSTER_SIZE, 0)) {
5828            cluster_size_hint = " (try using a larger cluster size)";
5829        }
5830        error_setg(errp, "The image size is too large for file format '%s'"
5831                   "%s", fmt, cluster_size_hint);
5832        error_free(local_err);
5833        local_err = NULL;
5834    }
5835
5836out:
5837    qemu_opts_del(opts);
5838    qemu_opts_free(create_opts);
5839    error_propagate(errp, local_err);
5840}
5841
5842AioContext *bdrv_get_aio_context(BlockDriverState *bs)
5843{
5844    return bs ? bs->aio_context : qemu_get_aio_context();
5845}
5846
5847void bdrv_coroutine_enter(BlockDriverState *bs, Coroutine *co)
5848{
5849    aio_co_enter(bdrv_get_aio_context(bs), co);
5850}
5851
5852static void bdrv_do_remove_aio_context_notifier(BdrvAioNotifier *ban)
5853{
5854    QLIST_REMOVE(ban, list);
5855    g_free(ban);
5856}
5857
5858static void bdrv_detach_aio_context(BlockDriverState *bs)
5859{
5860    BdrvAioNotifier *baf, *baf_tmp;
5861
5862    assert(!bs->walking_aio_notifiers);
5863    bs->walking_aio_notifiers = true;
5864    QLIST_FOREACH_SAFE(baf, &bs->aio_notifiers, list, baf_tmp) {
5865        if (baf->deleted) {
5866            bdrv_do_remove_aio_context_notifier(baf);
5867        } else {
5868            baf->detach_aio_context(baf->opaque);
5869        }
5870    }
5871    /* Never mind iterating again to check for ->deleted.  bdrv_close() will
5872     * remove remaining aio notifiers if we aren't called again.
5873     */
5874    bs->walking_aio_notifiers = false;
5875
5876    if (bs->drv && bs->drv->bdrv_detach_aio_context) {
5877        bs->drv->bdrv_detach_aio_context(bs);
5878    }
5879
5880    if (bs->quiesce_counter) {
5881        aio_enable_external(bs->aio_context);
5882    }
5883    bs->aio_context = NULL;
5884}
5885
5886static void bdrv_attach_aio_context(BlockDriverState *bs,
5887                                    AioContext *new_context)
5888{
5889    BdrvAioNotifier *ban, *ban_tmp;
5890
5891    if (bs->quiesce_counter) {
5892        aio_disable_external(new_context);
5893    }
5894
5895    bs->aio_context = new_context;
5896
5897    if (bs->drv && bs->drv->bdrv_attach_aio_context) {
5898        bs->drv->bdrv_attach_aio_context(bs, new_context);
5899    }
5900
5901    assert(!bs->walking_aio_notifiers);
5902    bs->walking_aio_notifiers = true;
5903    QLIST_FOREACH_SAFE(ban, &bs->aio_notifiers, list, ban_tmp) {
5904        if (ban->deleted) {
5905            bdrv_do_remove_aio_context_notifier(ban);
5906        } else {
5907            ban->attached_aio_context(new_context, ban->opaque);
5908        }
5909    }
5910    bs->walking_aio_notifiers = false;
5911}
5912
5913/*
5914 * Changes the AioContext used for fd handlers, timers, and BHs by this
5915 * BlockDriverState and all its children and parents.
5916 *
5917 * Must be called from the main AioContext.
5918 *
5919 * The caller must own the AioContext lock for the old AioContext of bs, but it
5920 * must not own the AioContext lock for new_context (unless new_context is the
5921 * same as the current context of bs).
5922 *
5923 * @ignore will accumulate all visited BdrvChild object. The caller is
5924 * responsible for freeing the list afterwards.
5925 */
5926void bdrv_set_aio_context_ignore(BlockDriverState *bs,
5927                                 AioContext *new_context, GSList **ignore)
5928{
5929    AioContext *old_context = bdrv_get_aio_context(bs);
5930    BdrvChild *child;
5931
5932    g_assert(qemu_get_current_aio_context() == qemu_get_aio_context());
5933
5934    if (old_context == new_context) {
5935        return;
5936    }
5937
5938    bdrv_drained_begin(bs);
5939
5940    QLIST_FOREACH(child, &bs->children, next) {
5941        if (g_slist_find(*ignore, child)) {
5942            continue;
5943        }
5944        *ignore = g_slist_prepend(*ignore, child);
5945        bdrv_set_aio_context_ignore(child->bs, new_context, ignore);
5946    }
5947    QLIST_FOREACH(child, &bs->parents, next_parent) {
5948        if (g_slist_find(*ignore, child)) {
5949            continue;
5950        }
5951        assert(child->role->set_aio_ctx);
5952        *ignore = g_slist_prepend(*ignore, child);
5953        child->role->set_aio_ctx(child, new_context, ignore);
5954    }
5955
5956    bdrv_detach_aio_context(bs);
5957
5958    /* Acquire the new context, if necessary */
5959    if (qemu_get_aio_context() != new_context) {
5960        aio_context_acquire(new_context);
5961    }
5962
5963    bdrv_attach_aio_context(bs, new_context);
5964
5965    /*
5966     * If this function was recursively called from
5967     * bdrv_set_aio_context_ignore(), there may be nodes in the
5968     * subtree that have not yet been moved to the new AioContext.
5969     * Release the old one so bdrv_drained_end() can poll them.
5970     */
5971    if (qemu_get_aio_context() != old_context) {
5972        aio_context_release(old_context);
5973    }
5974
5975    bdrv_drained_end(bs);
5976
5977    if (qemu_get_aio_context() != old_context) {
5978        aio_context_acquire(old_context);
5979    }
5980    if (qemu_get_aio_context() != new_context) {
5981        aio_context_release(new_context);
5982    }
5983}
5984
5985static bool bdrv_parent_can_set_aio_context(BdrvChild *c, AioContext *ctx,
5986                                            GSList **ignore, Error **errp)
5987{
5988    if (g_slist_find(*ignore, c)) {
5989        return true;
5990    }
5991    *ignore = g_slist_prepend(*ignore, c);
5992
5993    /* A BdrvChildRole that doesn't handle AioContext changes cannot
5994     * tolerate any AioContext changes */
5995    if (!c->role->can_set_aio_ctx) {
5996        char *user = bdrv_child_user_desc(c);
5997        error_setg(errp, "Changing iothreads is not supported by %s", user);
5998        g_free(user);
5999        return false;
6000    }
6001    if (!c->role->can_set_aio_ctx(c, ctx, ignore, errp)) {
6002        assert(!errp || *errp);
6003        return false;
6004    }
6005    return true;
6006}
6007
6008bool bdrv_child_can_set_aio_context(BdrvChild *c, AioContext *ctx,
6009                                    GSList **ignore, Error **errp)
6010{
6011    if (g_slist_find(*ignore, c)) {
6012        return true;
6013    }
6014    *ignore = g_slist_prepend(*ignore, c);
6015    return bdrv_can_set_aio_context(c->bs, ctx, ignore, errp);
6016}
6017
6018/* @ignore will accumulate all visited BdrvChild object. The caller is
6019 * responsible for freeing the list afterwards. */
6020bool bdrv_can_set_aio_context(BlockDriverState *bs, AioContext *ctx,
6021                              GSList **ignore, Error **errp)
6022{
6023    BdrvChild *c;
6024
6025    if (bdrv_get_aio_context(bs) == ctx) {
6026        return true;
6027    }
6028
6029    QLIST_FOREACH(c, &bs->parents, next_parent) {
6030        if (!bdrv_parent_can_set_aio_context(c, ctx, ignore, errp)) {
6031            return false;
6032        }
6033    }
6034    QLIST_FOREACH(c, &bs->children, next) {
6035        if (!bdrv_child_can_set_aio_context(c, ctx, ignore, errp)) {
6036            return false;
6037        }
6038    }
6039
6040    return true;
6041}
6042
6043int bdrv_child_try_set_aio_context(BlockDriverState *bs, AioContext *ctx,
6044                                   BdrvChild *ignore_child, Error **errp)
6045{
6046    GSList *ignore;
6047    bool ret;
6048
6049    ignore = ignore_child ? g_slist_prepend(NULL, ignore_child) : NULL;
6050    ret = bdrv_can_set_aio_context(bs, ctx, &ignore, errp);
6051    g_slist_free(ignore);
6052
6053    if (!ret) {
6054        return -EPERM;
6055    }
6056
6057    ignore = ignore_child ? g_slist_prepend(NULL, ignore_child) : NULL;
6058    bdrv_set_aio_context_ignore(bs, ctx, &ignore);
6059    g_slist_free(ignore);
6060
6061    return 0;
6062}
6063
6064int bdrv_try_set_aio_context(BlockDriverState *bs, AioContext *ctx,
6065                             Error **errp)
6066{
6067    return bdrv_child_try_set_aio_context(bs, ctx, NULL, errp);
6068}
6069
6070void bdrv_add_aio_context_notifier(BlockDriverState *bs,
6071        void (*attached_aio_context)(AioContext *new_context, void *opaque),
6072        void (*detach_aio_context)(void *opaque), void *opaque)
6073{
6074    BdrvAioNotifier *ban = g_new(BdrvAioNotifier, 1);
6075    *ban = (BdrvAioNotifier){
6076        .attached_aio_context = attached_aio_context,
6077        .detach_aio_context   = detach_aio_context,
6078        .opaque               = opaque
6079    };
6080
6081    QLIST_INSERT_HEAD(&bs->aio_notifiers, ban, list);
6082}
6083
6084void bdrv_remove_aio_context_notifier(BlockDriverState *bs,
6085                                      void (*attached_aio_context)(AioContext *,
6086                                                                   void *),
6087                                      void (*detach_aio_context)(void *),
6088                                      void *opaque)
6089{
6090    BdrvAioNotifier *ban, *ban_next;
6091
6092    QLIST_FOREACH_SAFE(ban, &bs->aio_notifiers, list, ban_next) {
6093        if (ban->attached_aio_context == attached_aio_context &&
6094            ban->detach_aio_context   == detach_aio_context   &&
6095            ban->opaque               == opaque               &&
6096            ban->deleted              == false)
6097        {
6098            if (bs->walking_aio_notifiers) {
6099                ban->deleted = true;
6100            } else {
6101                bdrv_do_remove_aio_context_notifier(ban);
6102            }
6103            return;
6104        }
6105    }
6106
6107    abort();
6108}
6109
6110int bdrv_amend_options(BlockDriverState *bs, QemuOpts *opts,
6111                       BlockDriverAmendStatusCB *status_cb, void *cb_opaque,
6112                       Error **errp)
6113{
6114    if (!bs->drv) {
6115        error_setg(errp, "Node is ejected");
6116        return -ENOMEDIUM;
6117    }
6118    if (!bs->drv->bdrv_amend_options) {
6119        error_setg(errp, "Block driver '%s' does not support option amendment",
6120                   bs->drv->format_name);
6121        return -ENOTSUP;
6122    }
6123    return bs->drv->bdrv_amend_options(bs, opts, status_cb, cb_opaque, errp);
6124}
6125
6126/* This function will be called by the bdrv_recurse_is_first_non_filter method
6127 * of block filter and by bdrv_is_first_non_filter.
6128 * It is used to test if the given bs is the candidate or recurse more in the
6129 * node graph.
6130 */
6131bool bdrv_recurse_is_first_non_filter(BlockDriverState *bs,
6132                                      BlockDriverState *candidate)
6133{
6134    /* return false if basic checks fails */
6135    if (!bs || !bs->drv) {
6136        return false;
6137    }
6138
6139    /* the code reached a non block filter driver -> check if the bs is
6140     * the same as the candidate. It's the recursion termination condition.
6141     */
6142    if (!bs->drv->is_filter) {
6143        return bs == candidate;
6144    }
6145    /* Down this path the driver is a block filter driver */
6146
6147    /* If the block filter recursion method is defined use it to recurse down
6148     * the node graph.
6149     */
6150    if (bs->drv->bdrv_recurse_is_first_non_filter) {
6151        return bs->drv->bdrv_recurse_is_first_non_filter(bs, candidate);
6152    }
6153
6154    /* the driver is a block filter but don't allow to recurse -> return false
6155     */
6156    return false;
6157}
6158
6159/* This function checks if the candidate is the first non filter bs down it's
6160 * bs chain. Since we don't have pointers to parents it explore all bs chains
6161 * from the top. Some filters can choose not to pass down the recursion.
6162 */
6163bool bdrv_is_first_non_filter(BlockDriverState *candidate)
6164{
6165    BlockDriverState *bs;
6166    BdrvNextIterator it;
6167
6168    /* walk down the bs forest recursively */
6169    for (bs = bdrv_first(&it); bs; bs = bdrv_next(&it)) {
6170        bool perm;
6171
6172        /* try to recurse in this top level bs */
6173        perm = bdrv_recurse_is_first_non_filter(bs, candidate);
6174
6175        /* candidate is the first non filter */
6176        if (perm) {
6177            bdrv_next_cleanup(&it);
6178            return true;
6179        }
6180    }
6181
6182    return false;
6183}
6184
6185BlockDriverState *check_to_replace_node(BlockDriverState *parent_bs,
6186                                        const char *node_name, Error **errp)
6187{
6188    BlockDriverState *to_replace_bs = bdrv_find_node(node_name);
6189    AioContext *aio_context;
6190
6191    if (!to_replace_bs) {
6192        error_setg(errp, "Node name '%s' not found", node_name);
6193        return NULL;
6194    }
6195
6196    aio_context = bdrv_get_aio_context(to_replace_bs);
6197    aio_context_acquire(aio_context);
6198
6199    if (bdrv_op_is_blocked(to_replace_bs, BLOCK_OP_TYPE_REPLACE, errp)) {
6200        to_replace_bs = NULL;
6201        goto out;
6202    }
6203
6204    /* We don't want arbitrary node of the BDS chain to be replaced only the top
6205     * most non filter in order to prevent data corruption.
6206     * Another benefit is that this tests exclude backing files which are
6207     * blocked by the backing blockers.
6208     */
6209    if (!bdrv_recurse_is_first_non_filter(parent_bs, to_replace_bs)) {
6210        error_setg(errp, "Only top most non filter can be replaced");
6211        to_replace_bs = NULL;
6212        goto out;
6213    }
6214
6215out:
6216    aio_context_release(aio_context);
6217    return to_replace_bs;
6218}
6219
6220/**
6221 * Iterates through the list of runtime option keys that are said to
6222 * be "strong" for a BDS.  An option is called "strong" if it changes
6223 * a BDS's data.  For example, the null block driver's "size" and
6224 * "read-zeroes" options are strong, but its "latency-ns" option is
6225 * not.
6226 *
6227 * If a key returned by this function ends with a dot, all options
6228 * starting with that prefix are strong.
6229 */
6230static const char *const *strong_options(BlockDriverState *bs,
6231                                         const char *const *curopt)
6232{
6233    static const char *const global_options[] = {
6234        "driver", "filename", NULL
6235    };
6236
6237    if (!curopt) {
6238        return &global_options[0];
6239    }
6240
6241    curopt++;
6242    if (curopt == &global_options[ARRAY_SIZE(global_options) - 1] && bs->drv) {
6243        curopt = bs->drv->strong_runtime_opts;
6244    }
6245
6246    return (curopt && *curopt) ? curopt : NULL;
6247}
6248
6249/**
6250 * Copies all strong runtime options from bs->options to the given
6251 * QDict.  The set of strong option keys is determined by invoking
6252 * strong_options().
6253 *
6254 * Returns true iff any strong option was present in bs->options (and
6255 * thus copied to the target QDict) with the exception of "filename"
6256 * and "driver".  The caller is expected to use this value to decide
6257 * whether the existence of strong options prevents the generation of
6258 * a plain filename.
6259 */
6260static bool append_strong_runtime_options(QDict *d, BlockDriverState *bs)
6261{
6262    bool found_any = false;
6263    const char *const *option_name = NULL;
6264
6265    if (!bs->drv) {