qemu/block.c
<<
>>
Prefs
   1/*
   2 * QEMU System Emulator block driver
   3 *
   4 * Copyright (c) 2003 Fabrice Bellard
   5 *
   6 * Permission is hereby granted, free of charge, to any person obtaining a copy
   7 * of this software and associated documentation files (the "Software"), to deal
   8 * in the Software without restriction, including without limitation the rights
   9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  10 * copies of the Software, and to permit persons to whom the Software is
  11 * furnished to do so, subject to the following conditions:
  12 *
  13 * The above copyright notice and this permission notice shall be included in
  14 * all copies or substantial portions of the Software.
  15 *
  16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
  19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  22 * THE SOFTWARE.
  23 */
  24
  25#include "qemu/osdep.h"
  26#include "block/trace.h"
  27#include "block/block_int.h"
  28#include "block/blockjob.h"
  29#include "block/nbd.h"
  30#include "block/qdict.h"
  31#include "qemu/error-report.h"
  32#include "module_block.h"
  33#include "qemu/main-loop.h"
  34#include "qemu/module.h"
  35#include "qapi/error.h"
  36#include "qapi/qmp/qdict.h"
  37#include "qapi/qmp/qjson.h"
  38#include "qapi/qmp/qnull.h"
  39#include "qapi/qmp/qstring.h"
  40#include "qapi/qobject-output-visitor.h"
  41#include "qapi/qapi-visit-block-core.h"
  42#include "sysemu/block-backend.h"
  43#include "sysemu/sysemu.h"
  44#include "qemu/notify.h"
  45#include "qemu/option.h"
  46#include "qemu/coroutine.h"
  47#include "block/qapi.h"
  48#include "qemu/timer.h"
  49#include "qemu/cutils.h"
  50#include "qemu/id.h"
  51
  52#ifdef CONFIG_BSD
  53#include <sys/ioctl.h>
  54#include <sys/queue.h>
  55#ifndef __DragonFly__
  56#include <sys/disk.h>
  57#endif
  58#endif
  59
  60#ifdef _WIN32
  61#include <windows.h>
  62#endif
  63
  64#define NOT_DONE 0x7fffffff /* used while emulated sync operation in progress */
  65
  66static QTAILQ_HEAD(, BlockDriverState) graph_bdrv_states =
  67    QTAILQ_HEAD_INITIALIZER(graph_bdrv_states);
  68
  69static QTAILQ_HEAD(, BlockDriverState) all_bdrv_states =
  70    QTAILQ_HEAD_INITIALIZER(all_bdrv_states);
  71
  72static QLIST_HEAD(, BlockDriver) bdrv_drivers =
  73    QLIST_HEAD_INITIALIZER(bdrv_drivers);
  74
  75static BlockDriverState *bdrv_open_inherit(const char *filename,
  76                                           const char *reference,
  77                                           QDict *options, int flags,
  78                                           BlockDriverState *parent,
  79                                           const BdrvChildRole *child_role,
  80                                           Error **errp);
  81
  82/* If non-zero, use only whitelisted block drivers */
  83static int use_bdrv_whitelist;
  84
  85#ifdef _WIN32
  86static int is_windows_drive_prefix(const char *filename)
  87{
  88    return (((filename[0] >= 'a' && filename[0] <= 'z') ||
  89             (filename[0] >= 'A' && filename[0] <= 'Z')) &&
  90            filename[1] == ':');
  91}
  92
  93int is_windows_drive(const char *filename)
  94{
  95    if (is_windows_drive_prefix(filename) &&
  96        filename[2] == '\0')
  97        return 1;
  98    if (strstart(filename, "\\\\.\\", NULL) ||
  99        strstart(filename, "//./", NULL))
 100        return 1;
 101    return 0;
 102}
 103#endif
 104
 105size_t bdrv_opt_mem_align(BlockDriverState *bs)
 106{
 107    if (!bs || !bs->drv) {
 108        /* page size or 4k (hdd sector size) should be on the safe side */
 109        return MAX(4096, qemu_real_host_page_size);
 110    }
 111
 112    return bs->bl.opt_mem_alignment;
 113}
 114
 115size_t bdrv_min_mem_align(BlockDriverState *bs)
 116{
 117    if (!bs || !bs->drv) {
 118        /* page size or 4k (hdd sector size) should be on the safe side */
 119        return MAX(4096, qemu_real_host_page_size);
 120    }
 121
 122    return bs->bl.min_mem_alignment;
 123}
 124
 125/* check if the path starts with "<protocol>:" */
 126int path_has_protocol(const char *path)
 127{
 128    const char *p;
 129
 130#ifdef _WIN32
 131    if (is_windows_drive(path) ||
 132        is_windows_drive_prefix(path)) {
 133        return 0;
 134    }
 135    p = path + strcspn(path, ":/\\");
 136#else
 137    p = path + strcspn(path, ":/");
 138#endif
 139
 140    return *p == ':';
 141}
 142
 143int path_is_absolute(const char *path)
 144{
 145#ifdef _WIN32
 146    /* specific case for names like: "\\.\d:" */
 147    if (is_windows_drive(path) || is_windows_drive_prefix(path)) {
 148        return 1;
 149    }
 150    return (*path == '/' || *path == '\\');
 151#else
 152    return (*path == '/');
 153#endif
 154}
 155
 156/* if filename is absolute, just return its duplicate. Otherwise, build a
 157   path to it by considering it is relative to base_path. URL are
 158   supported. */
 159char *path_combine(const char *base_path, const char *filename)
 160{
 161    const char *protocol_stripped = NULL;
 162    const char *p, *p1;
 163    char *result;
 164    int len;
 165
 166    if (path_is_absolute(filename)) {
 167        return g_strdup(filename);
 168    }
 169
 170    if (path_has_protocol(base_path)) {
 171        protocol_stripped = strchr(base_path, ':');
 172        if (protocol_stripped) {
 173            protocol_stripped++;
 174        }
 175    }
 176    p = protocol_stripped ?: base_path;
 177
 178    p1 = strrchr(base_path, '/');
 179#ifdef _WIN32
 180    {
 181        const char *p2;
 182        p2 = strrchr(base_path, '\\');
 183        if (!p1 || p2 > p1) {
 184            p1 = p2;
 185        }
 186    }
 187#endif
 188    if (p1) {
 189        p1++;
 190    } else {
 191        p1 = base_path;
 192    }
 193    if (p1 > p) {
 194        p = p1;
 195    }
 196    len = p - base_path;
 197
 198    result = g_malloc(len + strlen(filename) + 1);
 199    memcpy(result, base_path, len);
 200    strcpy(result + len, filename);
 201
 202    return result;
 203}
 204
 205/*
 206 * Helper function for bdrv_parse_filename() implementations to remove optional
 207 * protocol prefixes (especially "file:") from a filename and for putting the
 208 * stripped filename into the options QDict if there is such a prefix.
 209 */
 210void bdrv_parse_filename_strip_prefix(const char *filename, const char *prefix,
 211                                      QDict *options)
 212{
 213    if (strstart(filename, prefix, &filename)) {
 214        /* Stripping the explicit protocol prefix may result in a protocol
 215         * prefix being (wrongly) detected (if the filename contains a colon) */
 216        if (path_has_protocol(filename)) {
 217            QString *fat_filename;
 218
 219            /* This means there is some colon before the first slash; therefore,
 220             * this cannot be an absolute path */
 221            assert(!path_is_absolute(filename));
 222
 223            /* And we can thus fix the protocol detection issue by prefixing it
 224             * by "./" */
 225            fat_filename = qstring_from_str("./");
 226            qstring_append(fat_filename, filename);
 227
 228            assert(!path_has_protocol(qstring_get_str(fat_filename)));
 229
 230            qdict_put(options, "filename", fat_filename);
 231        } else {
 232            /* If no protocol prefix was detected, we can use the shortened
 233             * filename as-is */
 234            qdict_put_str(options, "filename", filename);
 235        }
 236    }
 237}
 238
 239
 240/* Returns whether the image file is opened as read-only. Note that this can
 241 * return false and writing to the image file is still not possible because the
 242 * image is inactivated. */
 243bool bdrv_is_read_only(BlockDriverState *bs)
 244{
 245    return bs->read_only;
 246}
 247
 248int bdrv_can_set_read_only(BlockDriverState *bs, bool read_only,
 249                           bool ignore_allow_rdw, Error **errp)
 250{
 251    /* Do not set read_only if copy_on_read is enabled */
 252    if (bs->copy_on_read && read_only) {
 253        error_setg(errp, "Can't set node '%s' to r/o with copy-on-read enabled",
 254                   bdrv_get_device_or_node_name(bs));
 255        return -EINVAL;
 256    }
 257
 258    /* Do not clear read_only if it is prohibited */
 259    if (!read_only && !(bs->open_flags & BDRV_O_ALLOW_RDWR) &&
 260        !ignore_allow_rdw)
 261    {
 262        error_setg(errp, "Node '%s' is read only",
 263                   bdrv_get_device_or_node_name(bs));
 264        return -EPERM;
 265    }
 266
 267    return 0;
 268}
 269
 270/*
 271 * Called by a driver that can only provide a read-only image.
 272 *
 273 * Returns 0 if the node is already read-only or it could switch the node to
 274 * read-only because BDRV_O_AUTO_RDONLY is set.
 275 *
 276 * Returns -EACCES if the node is read-write and BDRV_O_AUTO_RDONLY is not set
 277 * or bdrv_can_set_read_only() forbids making the node read-only. If @errmsg
 278 * is not NULL, it is used as the error message for the Error object.
 279 */
 280int bdrv_apply_auto_read_only(BlockDriverState *bs, const char *errmsg,
 281                              Error **errp)
 282{
 283    int ret = 0;
 284
 285    if (!(bs->open_flags & BDRV_O_RDWR)) {
 286        return 0;
 287    }
 288    if (!(bs->open_flags & BDRV_O_AUTO_RDONLY)) {
 289        goto fail;
 290    }
 291
 292    ret = bdrv_can_set_read_only(bs, true, false, NULL);
 293    if (ret < 0) {
 294        goto fail;
 295    }
 296
 297    bs->read_only = true;
 298    bs->open_flags &= ~BDRV_O_RDWR;
 299
 300    return 0;
 301
 302fail:
 303    error_setg(errp, "%s", errmsg ?: "Image is read-only");
 304    return -EACCES;
 305}
 306
 307/*
 308 * If @backing is empty, this function returns NULL without setting
 309 * @errp.  In all other cases, NULL will only be returned with @errp
 310 * set.
 311 *
 312 * Therefore, a return value of NULL without @errp set means that
 313 * there is no backing file; if @errp is set, there is one but its
 314 * absolute filename cannot be generated.
 315 */
 316char *bdrv_get_full_backing_filename_from_filename(const char *backed,
 317                                                   const char *backing,
 318                                                   Error **errp)
 319{
 320    if (backing[0] == '\0') {
 321        return NULL;
 322    } else if (path_has_protocol(backing) || path_is_absolute(backing)) {
 323        return g_strdup(backing);
 324    } else if (backed[0] == '\0' || strstart(backed, "json:", NULL)) {
 325        error_setg(errp, "Cannot use relative backing file names for '%s'",
 326                   backed);
 327        return NULL;
 328    } else {
 329        return path_combine(backed, backing);
 330    }
 331}
 332
 333/*
 334 * If @filename is empty or NULL, this function returns NULL without
 335 * setting @errp.  In all other cases, NULL will only be returned with
 336 * @errp set.
 337 */
 338static char *bdrv_make_absolute_filename(BlockDriverState *relative_to,
 339                                         const char *filename, Error **errp)
 340{
 341    char *dir, *full_name;
 342
 343    if (!filename || filename[0] == '\0') {
 344        return NULL;
 345    } else if (path_has_protocol(filename) || path_is_absolute(filename)) {
 346        return g_strdup(filename);
 347    }
 348
 349    dir = bdrv_dirname(relative_to, errp);
 350    if (!dir) {
 351        return NULL;
 352    }
 353
 354    full_name = g_strconcat(dir, filename, NULL);
 355    g_free(dir);
 356    return full_name;
 357}
 358
 359char *bdrv_get_full_backing_filename(BlockDriverState *bs, Error **errp)
 360{
 361    return bdrv_make_absolute_filename(bs, bs->backing_file, errp);
 362}
 363
 364void bdrv_register(BlockDriver *bdrv)
 365{
 366    QLIST_INSERT_HEAD(&bdrv_drivers, bdrv, list);
 367}
 368
 369BlockDriverState *bdrv_new(void)
 370{
 371    BlockDriverState *bs;
 372    int i;
 373
 374    bs = g_new0(BlockDriverState, 1);
 375    QLIST_INIT(&bs->dirty_bitmaps);
 376    for (i = 0; i < BLOCK_OP_TYPE_MAX; i++) {
 377        QLIST_INIT(&bs->op_blockers[i]);
 378    }
 379    notifier_with_return_list_init(&bs->before_write_notifiers);
 380    qemu_co_mutex_init(&bs->reqs_lock);
 381    qemu_mutex_init(&bs->dirty_bitmap_mutex);
 382    bs->refcnt = 1;
 383    bs->aio_context = qemu_get_aio_context();
 384
 385    qemu_co_queue_init(&bs->flush_queue);
 386
 387    for (i = 0; i < bdrv_drain_all_count; i++) {
 388        bdrv_drained_begin(bs);
 389    }
 390
 391    QTAILQ_INSERT_TAIL(&all_bdrv_states, bs, bs_list);
 392
 393    return bs;
 394}
 395
 396static BlockDriver *bdrv_do_find_format(const char *format_name)
 397{
 398    BlockDriver *drv1;
 399
 400    QLIST_FOREACH(drv1, &bdrv_drivers, list) {
 401        if (!strcmp(drv1->format_name, format_name)) {
 402            return drv1;
 403        }
 404    }
 405
 406    return NULL;
 407}
 408
 409BlockDriver *bdrv_find_format(const char *format_name)
 410{
 411    BlockDriver *drv1;
 412    int i;
 413
 414    drv1 = bdrv_do_find_format(format_name);
 415    if (drv1) {
 416        return drv1;
 417    }
 418
 419    /* The driver isn't registered, maybe we need to load a module */
 420    for (i = 0; i < (int)ARRAY_SIZE(block_driver_modules); ++i) {
 421        if (!strcmp(block_driver_modules[i].format_name, format_name)) {
 422            block_module_load_one(block_driver_modules[i].library_name);
 423            break;
 424        }
 425    }
 426
 427    return bdrv_do_find_format(format_name);
 428}
 429
 430static int bdrv_format_is_whitelisted(const char *format_name, bool read_only)
 431{
 432    static const char *whitelist_rw[] = {
 433        CONFIG_BDRV_RW_WHITELIST
 434    };
 435    static const char *whitelist_ro[] = {
 436        CONFIG_BDRV_RO_WHITELIST
 437    };
 438    const char **p;
 439
 440    if (!whitelist_rw[0] && !whitelist_ro[0]) {
 441        return 1;               /* no whitelist, anything goes */
 442    }
 443
 444    for (p = whitelist_rw; *p; p++) {
 445        if (!strcmp(format_name, *p)) {
 446            return 1;
 447        }
 448    }
 449    if (read_only) {
 450        for (p = whitelist_ro; *p; p++) {
 451            if (!strcmp(format_name, *p)) {
 452                return 1;
 453            }
 454        }
 455    }
 456    return 0;
 457}
 458
 459int bdrv_is_whitelisted(BlockDriver *drv, bool read_only)
 460{
 461    return bdrv_format_is_whitelisted(drv->format_name, read_only);
 462}
 463
 464bool bdrv_uses_whitelist(void)
 465{
 466    return use_bdrv_whitelist;
 467}
 468
 469typedef struct CreateCo {
 470    BlockDriver *drv;
 471    char *filename;
 472    QemuOpts *opts;
 473    int ret;
 474    Error *err;
 475} CreateCo;
 476
 477static void coroutine_fn bdrv_create_co_entry(void *opaque)
 478{
 479    Error *local_err = NULL;
 480    int ret;
 481
 482    CreateCo *cco = opaque;
 483    assert(cco->drv);
 484
 485    ret = cco->drv->bdrv_co_create_opts(cco->filename, cco->opts, &local_err);
 486    error_propagate(&cco->err, local_err);
 487    cco->ret = ret;
 488}
 489
 490int bdrv_create(BlockDriver *drv, const char* filename,
 491                QemuOpts *opts, Error **errp)
 492{
 493    int ret;
 494
 495    Coroutine *co;
 496    CreateCo cco = {
 497        .drv = drv,
 498        .filename = g_strdup(filename),
 499        .opts = opts,
 500        .ret = NOT_DONE,
 501        .err = NULL,
 502    };
 503
 504    if (!drv->bdrv_co_create_opts) {
 505        error_setg(errp, "Driver '%s' does not support image creation", drv->format_name);
 506        ret = -ENOTSUP;
 507        goto out;
 508    }
 509
 510    if (qemu_in_coroutine()) {
 511        /* Fast-path if already in coroutine context */
 512        bdrv_create_co_entry(&cco);
 513    } else {
 514        co = qemu_coroutine_create(bdrv_create_co_entry, &cco);
 515        qemu_coroutine_enter(co);
 516        while (cco.ret == NOT_DONE) {
 517            aio_poll(qemu_get_aio_context(), true);
 518        }
 519    }
 520
 521    ret = cco.ret;
 522    if (ret < 0) {
 523        if (cco.err) {
 524            error_propagate(errp, cco.err);
 525        } else {
 526            error_setg_errno(errp, -ret, "Could not create image");
 527        }
 528    }
 529
 530out:
 531    g_free(cco.filename);
 532    return ret;
 533}
 534
 535int bdrv_create_file(const char *filename, QemuOpts *opts, Error **errp)
 536{
 537    BlockDriver *drv;
 538    Error *local_err = NULL;
 539    int ret;
 540
 541    drv = bdrv_find_protocol(filename, true, errp);
 542    if (drv == NULL) {
 543        return -ENOENT;
 544    }
 545
 546    ret = bdrv_create(drv, filename, opts, &local_err);
 547    error_propagate(errp, local_err);
 548    return ret;
 549}
 550
 551/**
 552 * Try to get @bs's logical and physical block size.
 553 * On success, store them in @bsz struct and return 0.
 554 * On failure return -errno.
 555 * @bs must not be empty.
 556 */
 557int bdrv_probe_blocksizes(BlockDriverState *bs, BlockSizes *bsz)
 558{
 559    BlockDriver *drv = bs->drv;
 560
 561    if (drv && drv->bdrv_probe_blocksizes) {
 562        return drv->bdrv_probe_blocksizes(bs, bsz);
 563    } else if (drv && drv->is_filter && bs->file) {
 564        return bdrv_probe_blocksizes(bs->file->bs, bsz);
 565    }
 566
 567    return -ENOTSUP;
 568}
 569
 570/**
 571 * Try to get @bs's geometry (cyls, heads, sectors).
 572 * On success, store them in @geo struct and return 0.
 573 * On failure return -errno.
 574 * @bs must not be empty.
 575 */
 576int bdrv_probe_geometry(BlockDriverState *bs, HDGeometry *geo)
 577{
 578    BlockDriver *drv = bs->drv;
 579
 580    if (drv && drv->bdrv_probe_geometry) {
 581        return drv->bdrv_probe_geometry(bs, geo);
 582    } else if (drv && drv->is_filter && bs->file) {
 583        return bdrv_probe_geometry(bs->file->bs, geo);
 584    }
 585
 586    return -ENOTSUP;
 587}
 588
 589/*
 590 * Create a uniquely-named empty temporary file.
 591 * Return 0 upon success, otherwise a negative errno value.
 592 */
 593int get_tmp_filename(char *filename, int size)
 594{
 595#ifdef _WIN32
 596    char temp_dir[MAX_PATH];
 597    /* GetTempFileName requires that its output buffer (4th param)
 598       have length MAX_PATH or greater.  */
 599    assert(size >= MAX_PATH);
 600    return (GetTempPath(MAX_PATH, temp_dir)
 601            && GetTempFileName(temp_dir, "qem", 0, filename)
 602            ? 0 : -GetLastError());
 603#else
 604    int fd;
 605    const char *tmpdir;
 606    tmpdir = getenv("TMPDIR");
 607    if (!tmpdir) {
 608        tmpdir = "/var/tmp";
 609    }
 610    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
 611        return -EOVERFLOW;
 612    }
 613    fd = mkstemp(filename);
 614    if (fd < 0) {
 615        return -errno;
 616    }
 617    if (close(fd) != 0) {
 618        unlink(filename);
 619        return -errno;
 620    }
 621    return 0;
 622#endif
 623}
 624
 625/*
 626 * Detect host devices. By convention, /dev/cdrom[N] is always
 627 * recognized as a host CDROM.
 628 */
 629static BlockDriver *find_hdev_driver(const char *filename)
 630{
 631    int score_max = 0, score;
 632    BlockDriver *drv = NULL, *d;
 633
 634    QLIST_FOREACH(d, &bdrv_drivers, list) {
 635        if (d->bdrv_probe_device) {
 636            score = d->bdrv_probe_device(filename);
 637            if (score > score_max) {
 638                score_max = score;
 639                drv = d;
 640            }
 641        }
 642    }
 643
 644    return drv;
 645}
 646
 647static BlockDriver *bdrv_do_find_protocol(const char *protocol)
 648{
 649    BlockDriver *drv1;
 650
 651    QLIST_FOREACH(drv1, &bdrv_drivers, list) {
 652        if (drv1->protocol_name && !strcmp(drv1->protocol_name, protocol)) {
 653            return drv1;
 654        }
 655    }
 656
 657    return NULL;
 658}
 659
 660BlockDriver *bdrv_find_protocol(const char *filename,
 661                                bool allow_protocol_prefix,
 662                                Error **errp)
 663{
 664    BlockDriver *drv1;
 665    char protocol[128];
 666    int len;
 667    const char *p;
 668    int i;
 669
 670    /* TODO Drivers without bdrv_file_open must be specified explicitly */
 671
 672    /*
 673     * XXX(hch): we really should not let host device detection
 674     * override an explicit protocol specification, but moving this
 675     * later breaks access to device names with colons in them.
 676     * Thanks to the brain-dead persistent naming schemes on udev-
 677     * based Linux systems those actually are quite common.
 678     */
 679    drv1 = find_hdev_driver(filename);
 680    if (drv1) {
 681        return drv1;
 682    }
 683
 684    if (!path_has_protocol(filename) || !allow_protocol_prefix) {
 685        return &bdrv_file;
 686    }
 687
 688    p = strchr(filename, ':');
 689    assert(p != NULL);
 690    len = p - filename;
 691    if (len > sizeof(protocol) - 1)
 692        len = sizeof(protocol) - 1;
 693    memcpy(protocol, filename, len);
 694    protocol[len] = '\0';
 695
 696    drv1 = bdrv_do_find_protocol(protocol);
 697    if (drv1) {
 698        return drv1;
 699    }
 700
 701    for (i = 0; i < (int)ARRAY_SIZE(block_driver_modules); ++i) {
 702        if (block_driver_modules[i].protocol_name &&
 703            !strcmp(block_driver_modules[i].protocol_name, protocol)) {
 704            block_module_load_one(block_driver_modules[i].library_name);
 705            break;
 706        }
 707    }
 708
 709    drv1 = bdrv_do_find_protocol(protocol);
 710    if (!drv1) {
 711        error_setg(errp, "Unknown protocol '%s'", protocol);
 712    }
 713    return drv1;
 714}
 715
 716/*
 717 * Guess image format by probing its contents.
 718 * This is not a good idea when your image is raw (CVE-2008-2004), but
 719 * we do it anyway for backward compatibility.
 720 *
 721 * @buf         contains the image's first @buf_size bytes.
 722 * @buf_size    is the buffer size in bytes (generally BLOCK_PROBE_BUF_SIZE,
 723 *              but can be smaller if the image file is smaller)
 724 * @filename    is its filename.
 725 *
 726 * For all block drivers, call the bdrv_probe() method to get its
 727 * probing score.
 728 * Return the first block driver with the highest probing score.
 729 */
 730BlockDriver *bdrv_probe_all(const uint8_t *buf, int buf_size,
 731                            const char *filename)
 732{
 733    int score_max = 0, score;
 734    BlockDriver *drv = NULL, *d;
 735
 736    QLIST_FOREACH(d, &bdrv_drivers, list) {
 737        if (d->bdrv_probe) {
 738            score = d->bdrv_probe(buf, buf_size, filename);
 739            if (score > score_max) {
 740                score_max = score;
 741                drv = d;
 742            }
 743        }
 744    }
 745
 746    return drv;
 747}
 748
 749static int find_image_format(BlockBackend *file, const char *filename,
 750                             BlockDriver **pdrv, Error **errp)
 751{
 752    BlockDriver *drv;
 753    uint8_t buf[BLOCK_PROBE_BUF_SIZE];
 754    int ret = 0;
 755
 756    /* Return the raw BlockDriver * to scsi-generic devices or empty drives */
 757    if (blk_is_sg(file) || !blk_is_inserted(file) || blk_getlength(file) == 0) {
 758        *pdrv = &bdrv_raw;
 759        return ret;
 760    }
 761
 762    ret = blk_pread(file, 0, buf, sizeof(buf));
 763    if (ret < 0) {
 764        error_setg_errno(errp, -ret, "Could not read image for determining its "
 765                         "format");
 766        *pdrv = NULL;
 767        return ret;
 768    }
 769
 770    drv = bdrv_probe_all(buf, ret, filename);
 771    if (!drv) {
 772        error_setg(errp, "Could not determine image format: No compatible "
 773                   "driver found");
 774        ret = -ENOENT;
 775    }
 776    *pdrv = drv;
 777    return ret;
 778}
 779
 780/**
 781 * Set the current 'total_sectors' value
 782 * Return 0 on success, -errno on error.
 783 */
 784int refresh_total_sectors(BlockDriverState *bs, int64_t hint)
 785{
 786    BlockDriver *drv = bs->drv;
 787
 788    if (!drv) {
 789        return -ENOMEDIUM;
 790    }
 791
 792    /* Do not attempt drv->bdrv_getlength() on scsi-generic devices */
 793    if (bdrv_is_sg(bs))
 794        return 0;
 795
 796    /* query actual device if possible, otherwise just trust the hint */
 797    if (drv->bdrv_getlength) {
 798        int64_t length = drv->bdrv_getlength(bs);
 799        if (length < 0) {
 800            return length;
 801        }
 802        hint = DIV_ROUND_UP(length, BDRV_SECTOR_SIZE);
 803    }
 804
 805    bs->total_sectors = hint;
 806    return 0;
 807}
 808
 809/**
 810 * Combines a QDict of new block driver @options with any missing options taken
 811 * from @old_options, so that leaving out an option defaults to its old value.
 812 */
 813static void bdrv_join_options(BlockDriverState *bs, QDict *options,
 814                              QDict *old_options)
 815{
 816    if (bs->drv && bs->drv->bdrv_join_options) {
 817        bs->drv->bdrv_join_options(options, old_options);
 818    } else {
 819        qdict_join(options, old_options, false);
 820    }
 821}
 822
 823static BlockdevDetectZeroesOptions bdrv_parse_detect_zeroes(QemuOpts *opts,
 824                                                            int open_flags,
 825                                                            Error **errp)
 826{
 827    Error *local_err = NULL;
 828    char *value = qemu_opt_get_del(opts, "detect-zeroes");
 829    BlockdevDetectZeroesOptions detect_zeroes =
 830        qapi_enum_parse(&BlockdevDetectZeroesOptions_lookup, value,
 831                        BLOCKDEV_DETECT_ZEROES_OPTIONS_OFF, &local_err);
 832    g_free(value);
 833    if (local_err) {
 834        error_propagate(errp, local_err);
 835        return detect_zeroes;
 836    }
 837
 838    if (detect_zeroes == BLOCKDEV_DETECT_ZEROES_OPTIONS_UNMAP &&
 839        !(open_flags & BDRV_O_UNMAP))
 840    {
 841        error_setg(errp, "setting detect-zeroes to unmap is not allowed "
 842                   "without setting discard operation to unmap");
 843    }
 844
 845    return detect_zeroes;
 846}
 847
 848/**
 849 * Set open flags for a given discard mode
 850 *
 851 * Return 0 on success, -1 if the discard mode was invalid.
 852 */
 853int bdrv_parse_discard_flags(const char *mode, int *flags)
 854{
 855    *flags &= ~BDRV_O_UNMAP;
 856
 857    if (!strcmp(mode, "off") || !strcmp(mode, "ignore")) {
 858        /* do nothing */
 859    } else if (!strcmp(mode, "on") || !strcmp(mode, "unmap")) {
 860        *flags |= BDRV_O_UNMAP;
 861    } else {
 862        return -1;
 863    }
 864
 865    return 0;
 866}
 867
 868/**
 869 * Set open flags for a given cache mode
 870 *
 871 * Return 0 on success, -1 if the cache mode was invalid.
 872 */
 873int bdrv_parse_cache_mode(const char *mode, int *flags, bool *writethrough)
 874{
 875    *flags &= ~BDRV_O_CACHE_MASK;
 876
 877    if (!strcmp(mode, "off") || !strcmp(mode, "none")) {
 878        *writethrough = false;
 879        *flags |= BDRV_O_NOCACHE;
 880    } else if (!strcmp(mode, "directsync")) {
 881        *writethrough = true;
 882        *flags |= BDRV_O_NOCACHE;
 883    } else if (!strcmp(mode, "writeback")) {
 884        *writethrough = false;
 885    } else if (!strcmp(mode, "unsafe")) {
 886        *writethrough = false;
 887        *flags |= BDRV_O_NO_FLUSH;
 888    } else if (!strcmp(mode, "writethrough")) {
 889        *writethrough = true;
 890    } else {
 891        return -1;
 892    }
 893
 894    return 0;
 895}
 896
 897static char *bdrv_child_get_parent_desc(BdrvChild *c)
 898{
 899    BlockDriverState *parent = c->opaque;
 900    return g_strdup(bdrv_get_device_or_node_name(parent));
 901}
 902
 903static void bdrv_child_cb_drained_begin(BdrvChild *child)
 904{
 905    BlockDriverState *bs = child->opaque;
 906    bdrv_do_drained_begin_quiesce(bs, NULL, false);
 907}
 908
 909static bool bdrv_child_cb_drained_poll(BdrvChild *child)
 910{
 911    BlockDriverState *bs = child->opaque;
 912    return bdrv_drain_poll(bs, false, NULL, false);
 913}
 914
 915static void bdrv_child_cb_drained_end(BdrvChild *child,
 916                                      int *drained_end_counter)
 917{
 918    BlockDriverState *bs = child->opaque;
 919    bdrv_drained_end_no_poll(bs, drained_end_counter);
 920}
 921
 922static void bdrv_child_cb_attach(BdrvChild *child)
 923{
 924    BlockDriverState *bs = child->opaque;
 925    bdrv_apply_subtree_drain(child, bs);
 926}
 927
 928static void bdrv_child_cb_detach(BdrvChild *child)
 929{
 930    BlockDriverState *bs = child->opaque;
 931    bdrv_unapply_subtree_drain(child, bs);
 932}
 933
 934static int bdrv_child_cb_inactivate(BdrvChild *child)
 935{
 936    BlockDriverState *bs = child->opaque;
 937    assert(bs->open_flags & BDRV_O_INACTIVE);
 938    return 0;
 939}
 940
 941static bool bdrv_child_cb_can_set_aio_ctx(BdrvChild *child, AioContext *ctx,
 942                                          GSList **ignore, Error **errp)
 943{
 944    BlockDriverState *bs = child->opaque;
 945    return bdrv_can_set_aio_context(bs, ctx, ignore, errp);
 946}
 947
 948static void bdrv_child_cb_set_aio_ctx(BdrvChild *child, AioContext *ctx,
 949                                      GSList **ignore)
 950{
 951    BlockDriverState *bs = child->opaque;
 952    return bdrv_set_aio_context_ignore(bs, ctx, ignore);
 953}
 954
 955/*
 956 * Returns the options and flags that a temporary snapshot should get, based on
 957 * the originally requested flags (the originally requested image will have
 958 * flags like a backing file)
 959 */
 960static void bdrv_temp_snapshot_options(int *child_flags, QDict *child_options,
 961                                       int parent_flags, QDict *parent_options)
 962{
 963    *child_flags = (parent_flags & ~BDRV_O_SNAPSHOT) | BDRV_O_TEMPORARY;
 964
 965    /* For temporary files, unconditional cache=unsafe is fine */
 966    qdict_set_default_str(child_options, BDRV_OPT_CACHE_DIRECT, "off");
 967    qdict_set_default_str(child_options, BDRV_OPT_CACHE_NO_FLUSH, "on");
 968
 969    /* Copy the read-only and discard options from the parent */
 970    qdict_copy_default(child_options, parent_options, BDRV_OPT_READ_ONLY);
 971    qdict_copy_default(child_options, parent_options, BDRV_OPT_DISCARD);
 972
 973    /* aio=native doesn't work for cache.direct=off, so disable it for the
 974     * temporary snapshot */
 975    *child_flags &= ~BDRV_O_NATIVE_AIO;
 976}
 977
 978/*
 979 * Returns the options and flags that bs->file should get if a protocol driver
 980 * is expected, based on the given options and flags for the parent BDS
 981 */
 982static void bdrv_inherited_options(int *child_flags, QDict *child_options,
 983                                   int parent_flags, QDict *parent_options)
 984{
 985    int flags = parent_flags;
 986
 987    /* Enable protocol handling, disable format probing for bs->file */
 988    flags |= BDRV_O_PROTOCOL;
 989
 990    /* If the cache mode isn't explicitly set, inherit direct and no-flush from
 991     * the parent. */
 992    qdict_copy_default(child_options, parent_options, BDRV_OPT_CACHE_DIRECT);
 993    qdict_copy_default(child_options, parent_options, BDRV_OPT_CACHE_NO_FLUSH);
 994    qdict_copy_default(child_options, parent_options, BDRV_OPT_FORCE_SHARE);
 995
 996    /* Inherit the read-only option from the parent if it's not set */
 997    qdict_copy_default(child_options, parent_options, BDRV_OPT_READ_ONLY);
 998    qdict_copy_default(child_options, parent_options, BDRV_OPT_AUTO_READ_ONLY);
 999
1000    /* Our block drivers take care to send flushes and respect unmap policy,
1001     * so we can default to enable both on lower layers regardless of the
1002     * corresponding parent options. */
1003    qdict_set_default_str(child_options, BDRV_OPT_DISCARD, "unmap");
1004
1005    /* Clear flags that only apply to the top layer */
1006    flags &= ~(BDRV_O_SNAPSHOT | BDRV_O_NO_BACKING | BDRV_O_COPY_ON_READ |
1007               BDRV_O_NO_IO);
1008
1009    *child_flags = flags;
1010}
1011
1012const BdrvChildRole child_file = {
1013    .parent_is_bds   = true,
1014    .get_parent_desc = bdrv_child_get_parent_desc,
1015    .inherit_options = bdrv_inherited_options,
1016    .drained_begin   = bdrv_child_cb_drained_begin,
1017    .drained_poll    = bdrv_child_cb_drained_poll,
1018    .drained_end     = bdrv_child_cb_drained_end,
1019    .attach          = bdrv_child_cb_attach,
1020    .detach          = bdrv_child_cb_detach,
1021    .inactivate      = bdrv_child_cb_inactivate,
1022    .can_set_aio_ctx = bdrv_child_cb_can_set_aio_ctx,
1023    .set_aio_ctx     = bdrv_child_cb_set_aio_ctx,
1024};
1025
1026/*
1027 * Returns the options and flags that bs->file should get if the use of formats
1028 * (and not only protocols) is permitted for it, based on the given options and
1029 * flags for the parent BDS
1030 */
1031static void bdrv_inherited_fmt_options(int *child_flags, QDict *child_options,
1032                                       int parent_flags, QDict *parent_options)
1033{
1034    child_file.inherit_options(child_flags, child_options,
1035                               parent_flags, parent_options);
1036
1037    *child_flags &= ~(BDRV_O_PROTOCOL | BDRV_O_NO_IO);
1038}
1039
1040const BdrvChildRole child_format = {
1041    .parent_is_bds   = true,
1042    .get_parent_desc = bdrv_child_get_parent_desc,
1043    .inherit_options = bdrv_inherited_fmt_options,
1044    .drained_begin   = bdrv_child_cb_drained_begin,
1045    .drained_poll    = bdrv_child_cb_drained_poll,
1046    .drained_end     = bdrv_child_cb_drained_end,
1047    .attach          = bdrv_child_cb_attach,
1048    .detach          = bdrv_child_cb_detach,
1049    .inactivate      = bdrv_child_cb_inactivate,
1050    .can_set_aio_ctx = bdrv_child_cb_can_set_aio_ctx,
1051    .set_aio_ctx     = bdrv_child_cb_set_aio_ctx,
1052};
1053
1054static void bdrv_backing_attach(BdrvChild *c)
1055{
1056    BlockDriverState *parent = c->opaque;
1057    BlockDriverState *backing_hd = c->bs;
1058
1059    assert(!parent->backing_blocker);
1060    error_setg(&parent->backing_blocker,
1061               "node is used as backing hd of '%s'",
1062               bdrv_get_device_or_node_name(parent));
1063
1064    bdrv_refresh_filename(backing_hd);
1065
1066    parent->open_flags &= ~BDRV_O_NO_BACKING;
1067    pstrcpy(parent->backing_file, sizeof(parent->backing_file),
1068            backing_hd->filename);
1069    pstrcpy(parent->backing_format, sizeof(parent->backing_format),
1070            backing_hd->drv ? backing_hd->drv->format_name : "");
1071
1072    bdrv_op_block_all(backing_hd, parent->backing_blocker);
1073    /* Otherwise we won't be able to commit or stream */
1074    bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_COMMIT_TARGET,
1075                    parent->backing_blocker);
1076    bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_STREAM,
1077                    parent->backing_blocker);
1078    /*
1079     * We do backup in 3 ways:
1080     * 1. drive backup
1081     *    The target bs is new opened, and the source is top BDS
1082     * 2. blockdev backup
1083     *    Both the source and the target are top BDSes.
1084     * 3. internal backup(used for block replication)
1085     *    Both the source and the target are backing file
1086     *
1087     * In case 1 and 2, neither the source nor the target is the backing file.
1088     * In case 3, we will block the top BDS, so there is only one block job
1089     * for the top BDS and its backing chain.
1090     */
1091    bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_BACKUP_SOURCE,
1092                    parent->backing_blocker);
1093    bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_BACKUP_TARGET,
1094                    parent->backing_blocker);
1095
1096    bdrv_child_cb_attach(c);
1097}
1098
1099static void bdrv_backing_detach(BdrvChild *c)
1100{
1101    BlockDriverState *parent = c->opaque;
1102
1103    assert(parent->backing_blocker);
1104    bdrv_op_unblock_all(c->bs, parent->backing_blocker);
1105    error_free(parent->backing_blocker);
1106    parent->backing_blocker = NULL;
1107
1108    bdrv_child_cb_detach(c);
1109}
1110
1111/*
1112 * Returns the options and flags that bs->backing should get, based on the
1113 * given options and flags for the parent BDS
1114 */
1115static void bdrv_backing_options(int *child_flags, QDict *child_options,
1116                                 int parent_flags, QDict *parent_options)
1117{
1118    int flags = parent_flags;
1119
1120    /* The cache mode is inherited unmodified for backing files; except WCE,
1121     * which is only applied on the top level (BlockBackend) */
1122    qdict_copy_default(child_options, parent_options, BDRV_OPT_CACHE_DIRECT);
1123    qdict_copy_default(child_options, parent_options, BDRV_OPT_CACHE_NO_FLUSH);
1124    qdict_copy_default(child_options, parent_options, BDRV_OPT_FORCE_SHARE);
1125
1126    /* backing files always opened read-only */
1127    qdict_set_default_str(child_options, BDRV_OPT_READ_ONLY, "on");
1128    qdict_set_default_str(child_options, BDRV_OPT_AUTO_READ_ONLY, "off");
1129    flags &= ~BDRV_O_COPY_ON_READ;
1130
1131    /* snapshot=on is handled on the top layer */
1132    flags &= ~(BDRV_O_SNAPSHOT | BDRV_O_TEMPORARY);
1133
1134    *child_flags = flags;
1135}
1136
1137static int bdrv_backing_update_filename(BdrvChild *c, BlockDriverState *base,
1138                                        const char *filename, Error **errp)
1139{
1140    BlockDriverState *parent = c->opaque;
1141    bool read_only = bdrv_is_read_only(parent);
1142    int ret;
1143
1144    if (read_only) {
1145        ret = bdrv_reopen_set_read_only(parent, false, errp);
1146        if (ret < 0) {
1147            return ret;
1148        }
1149    }
1150
1151    ret = bdrv_change_backing_file(parent, filename,
1152                                   base->drv ? base->drv->format_name : "");
1153    if (ret < 0) {
1154        error_setg_errno(errp, -ret, "Could not update backing file link");
1155    }
1156
1157    if (read_only) {
1158        bdrv_reopen_set_read_only(parent, true, NULL);
1159    }
1160
1161    return ret;
1162}
1163
1164const BdrvChildRole child_backing = {
1165    .parent_is_bds   = true,
1166    .get_parent_desc = bdrv_child_get_parent_desc,
1167    .attach          = bdrv_backing_attach,
1168    .detach          = bdrv_backing_detach,
1169    .inherit_options = bdrv_backing_options,
1170    .drained_begin   = bdrv_child_cb_drained_begin,
1171    .drained_poll    = bdrv_child_cb_drained_poll,
1172    .drained_end     = bdrv_child_cb_drained_end,
1173    .inactivate      = bdrv_child_cb_inactivate,
1174    .update_filename = bdrv_backing_update_filename,
1175    .can_set_aio_ctx = bdrv_child_cb_can_set_aio_ctx,
1176    .set_aio_ctx     = bdrv_child_cb_set_aio_ctx,
1177};
1178
1179static int bdrv_open_flags(BlockDriverState *bs, int flags)
1180{
1181    int open_flags = flags;
1182
1183    /*
1184     * Clear flags that are internal to the block layer before opening the
1185     * image.
1186     */
1187    open_flags &= ~(BDRV_O_SNAPSHOT | BDRV_O_NO_BACKING | BDRV_O_PROTOCOL);
1188
1189    return open_flags;
1190}
1191
1192static void update_flags_from_options(int *flags, QemuOpts *opts)
1193{
1194    *flags &= ~(BDRV_O_CACHE_MASK | BDRV_O_RDWR | BDRV_O_AUTO_RDONLY);
1195
1196    if (qemu_opt_get_bool_del(opts, BDRV_OPT_CACHE_NO_FLUSH, false)) {
1197        *flags |= BDRV_O_NO_FLUSH;
1198    }
1199
1200    if (qemu_opt_get_bool_del(opts, BDRV_OPT_CACHE_DIRECT, false)) {
1201        *flags |= BDRV_O_NOCACHE;
1202    }
1203
1204    if (!qemu_opt_get_bool_del(opts, BDRV_OPT_READ_ONLY, false)) {
1205        *flags |= BDRV_O_RDWR;
1206    }
1207
1208    if (qemu_opt_get_bool_del(opts, BDRV_OPT_AUTO_READ_ONLY, false)) {
1209        *flags |= BDRV_O_AUTO_RDONLY;
1210    }
1211}
1212
1213static void update_options_from_flags(QDict *options, int flags)
1214{
1215    if (!qdict_haskey(options, BDRV_OPT_CACHE_DIRECT)) {
1216        qdict_put_bool(options, BDRV_OPT_CACHE_DIRECT, flags & BDRV_O_NOCACHE);
1217    }
1218    if (!qdict_haskey(options, BDRV_OPT_CACHE_NO_FLUSH)) {
1219        qdict_put_bool(options, BDRV_OPT_CACHE_NO_FLUSH,
1220                       flags & BDRV_O_NO_FLUSH);
1221    }
1222    if (!qdict_haskey(options, BDRV_OPT_READ_ONLY)) {
1223        qdict_put_bool(options, BDRV_OPT_READ_ONLY, !(flags & BDRV_O_RDWR));
1224    }
1225    if (!qdict_haskey(options, BDRV_OPT_AUTO_READ_ONLY)) {
1226        qdict_put_bool(options, BDRV_OPT_AUTO_READ_ONLY,
1227                       flags & BDRV_O_AUTO_RDONLY);
1228    }
1229}
1230
1231static void bdrv_assign_node_name(BlockDriverState *bs,
1232                                  const char *node_name,
1233                                  Error **errp)
1234{
1235    char *gen_node_name = NULL;
1236
1237    if (!node_name) {
1238        node_name = gen_node_name = id_generate(ID_BLOCK);
1239    } else if (!id_wellformed(node_name)) {
1240        /*
1241         * Check for empty string or invalid characters, but not if it is
1242         * generated (generated names use characters not available to the user)
1243         */
1244        error_setg(errp, "Invalid node name");
1245        return;
1246    }
1247
1248    /* takes care of avoiding namespaces collisions */
1249    if (blk_by_name(node_name)) {
1250        error_setg(errp, "node-name=%s is conflicting with a device id",
1251                   node_name);
1252        goto out;
1253    }
1254
1255    /* takes care of avoiding duplicates node names */
1256    if (bdrv_find_node(node_name)) {
1257        error_setg(errp, "Duplicate node name");
1258        goto out;
1259    }
1260
1261    /* Make sure that the node name isn't truncated */
1262    if (strlen(node_name) >= sizeof(bs->node_name)) {
1263        error_setg(errp, "Node name too long");
1264        goto out;
1265    }
1266
1267    /* copy node name into the bs and insert it into the graph list */
1268    pstrcpy(bs->node_name, sizeof(bs->node_name), node_name);
1269    QTAILQ_INSERT_TAIL(&graph_bdrv_states, bs, node_list);
1270out:
1271    g_free(gen_node_name);
1272}
1273
1274static int bdrv_open_driver(BlockDriverState *bs, BlockDriver *drv,
1275                            const char *node_name, QDict *options,
1276                            int open_flags, Error **errp)
1277{
1278    Error *local_err = NULL;
1279    int i, ret;
1280
1281    bdrv_assign_node_name(bs, node_name, &local_err);
1282    if (local_err) {
1283        error_propagate(errp, local_err);
1284        return -EINVAL;
1285    }
1286
1287    bs->drv = drv;
1288    bs->read_only = !(bs->open_flags & BDRV_O_RDWR);
1289    bs->opaque = g_malloc0(drv->instance_size);
1290
1291    if (drv->bdrv_file_open) {
1292        assert(!drv->bdrv_needs_filename || bs->filename[0]);
1293        ret = drv->bdrv_file_open(bs, options, open_flags, &local_err);
1294    } else if (drv->bdrv_open) {
1295        ret = drv->bdrv_open(bs, options, open_flags, &local_err);
1296    } else {
1297        ret = 0;
1298    }
1299
1300    if (ret < 0) {
1301        if (local_err) {
1302            error_propagate(errp, local_err);
1303        } else if (bs->filename[0]) {
1304            error_setg_errno(errp, -ret, "Could not open '%s'", bs->filename);
1305        } else {
1306            error_setg_errno(errp, -ret, "Could not open image");
1307        }
1308        goto open_failed;
1309    }
1310
1311    ret = refresh_total_sectors(bs, bs->total_sectors);
1312    if (ret < 0) {
1313        error_setg_errno(errp, -ret, "Could not refresh total sector count");
1314        return ret;
1315    }
1316
1317    bdrv_refresh_limits(bs, &local_err);
1318    if (local_err) {
1319        error_propagate(errp, local_err);
1320        return -EINVAL;
1321    }
1322
1323    assert(bdrv_opt_mem_align(bs) != 0);
1324    assert(bdrv_min_mem_align(bs) != 0);
1325    assert(is_power_of_2(bs->bl.request_alignment));
1326
1327    for (i = 0; i < bs->quiesce_counter; i++) {
1328        if (drv->bdrv_co_drain_begin) {
1329            drv->bdrv_co_drain_begin(bs);
1330        }
1331    }
1332
1333    return 0;
1334open_failed:
1335    bs->drv = NULL;
1336    if (bs->file != NULL) {
1337        bdrv_unref_child(bs, bs->file);
1338        bs->file = NULL;
1339    }
1340    g_free(bs->opaque);
1341    bs->opaque = NULL;
1342    return ret;
1343}
1344
1345BlockDriverState *bdrv_new_open_driver(BlockDriver *drv, const char *node_name,
1346                                       int flags, Error **errp)
1347{
1348    BlockDriverState *bs;
1349    int ret;
1350
1351    bs = bdrv_new();
1352    bs->open_flags = flags;
1353    bs->explicit_options = qdict_new();
1354    bs->options = qdict_new();
1355    bs->opaque = NULL;
1356
1357    update_options_from_flags(bs->options, flags);
1358
1359    ret = bdrv_open_driver(bs, drv, node_name, bs->options, flags, errp);
1360    if (ret < 0) {
1361        qobject_unref(bs->explicit_options);
1362        bs->explicit_options = NULL;
1363        qobject_unref(bs->options);
1364        bs->options = NULL;
1365        bdrv_unref(bs);
1366        return NULL;
1367    }
1368
1369    return bs;
1370}
1371
1372QemuOptsList bdrv_runtime_opts = {
1373    .name = "bdrv_common",
1374    .head = QTAILQ_HEAD_INITIALIZER(bdrv_runtime_opts.head),
1375    .desc = {
1376        {
1377            .name = "node-name",
1378            .type = QEMU_OPT_STRING,
1379            .help = "Node name of the block device node",
1380        },
1381        {
1382            .name = "driver",
1383            .type = QEMU_OPT_STRING,
1384            .help = "Block driver to use for the node",
1385        },
1386        {
1387            .name = BDRV_OPT_CACHE_DIRECT,
1388            .type = QEMU_OPT_BOOL,
1389            .help = "Bypass software writeback cache on the host",
1390        },
1391        {
1392            .name = BDRV_OPT_CACHE_NO_FLUSH,
1393            .type = QEMU_OPT_BOOL,
1394            .help = "Ignore flush requests",
1395        },
1396        {
1397            .name = BDRV_OPT_READ_ONLY,
1398            .type = QEMU_OPT_BOOL,
1399            .help = "Node is opened in read-only mode",
1400        },
1401        {
1402            .name = BDRV_OPT_AUTO_READ_ONLY,
1403            .type = QEMU_OPT_BOOL,
1404            .help = "Node can become read-only if opening read-write fails",
1405        },
1406        {
1407            .name = "detect-zeroes",
1408            .type = QEMU_OPT_STRING,
1409            .help = "try to optimize zero writes (off, on, unmap)",
1410        },
1411        {
1412            .name = BDRV_OPT_DISCARD,
1413            .type = QEMU_OPT_STRING,
1414            .help = "discard operation (ignore/off, unmap/on)",
1415        },
1416        {
1417            .name = BDRV_OPT_FORCE_SHARE,
1418            .type = QEMU_OPT_BOOL,
1419            .help = "always accept other writers (default: off)",
1420        },
1421        { /* end of list */ }
1422    },
1423};
1424
1425/*
1426 * Common part for opening disk images and files
1427 *
1428 * Removes all processed options from *options.
1429 */
1430static int bdrv_open_common(BlockDriverState *bs, BlockBackend *file,
1431                            QDict *options, Error **errp)
1432{
1433    int ret, open_flags;
1434    const char *filename;
1435    const char *driver_name = NULL;
1436    const char *node_name = NULL;
1437    const char *discard;
1438    QemuOpts *opts;
1439    BlockDriver *drv;
1440    Error *local_err = NULL;
1441
1442    assert(bs->file == NULL);
1443    assert(options != NULL && bs->options != options);
1444
1445    opts = qemu_opts_create(&bdrv_runtime_opts, NULL, 0, &error_abort);
1446    qemu_opts_absorb_qdict(opts, options, &local_err);
1447    if (local_err) {
1448        error_propagate(errp, local_err);
1449        ret = -EINVAL;
1450        goto fail_opts;
1451    }
1452
1453    update_flags_from_options(&bs->open_flags, opts);
1454
1455    driver_name = qemu_opt_get(opts, "driver");
1456    drv = bdrv_find_format(driver_name);
1457    assert(drv != NULL);
1458
1459    bs->force_share = qemu_opt_get_bool(opts, BDRV_OPT_FORCE_SHARE, false);
1460
1461    if (bs->force_share && (bs->open_flags & BDRV_O_RDWR)) {
1462        error_setg(errp,
1463                   BDRV_OPT_FORCE_SHARE
1464                   "=on can only be used with read-only images");
1465        ret = -EINVAL;
1466        goto fail_opts;
1467    }
1468
1469    if (file != NULL) {
1470        bdrv_refresh_filename(blk_bs(file));
1471        filename = blk_bs(file)->filename;
1472    } else {
1473        /*
1474         * Caution: while qdict_get_try_str() is fine, getting
1475         * non-string types would require more care.  When @options
1476         * come from -blockdev or blockdev_add, its members are typed
1477         * according to the QAPI schema, but when they come from
1478         * -drive, they're all QString.
1479         */
1480        filename = qdict_get_try_str(options, "filename");
1481    }
1482
1483    if (drv->bdrv_needs_filename && (!filename || !filename[0])) {
1484        error_setg(errp, "The '%s' block driver requires a file name",
1485                   drv->format_name);
1486        ret = -EINVAL;
1487        goto fail_opts;
1488    }
1489
1490    trace_bdrv_open_common(bs, filename ?: "", bs->open_flags,
1491                           drv->format_name);
1492
1493    bs->read_only = !(bs->open_flags & BDRV_O_RDWR);
1494
1495    if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv, bs->read_only)) {
1496        if (!bs->read_only && bdrv_is_whitelisted(drv, true)) {
1497            ret = bdrv_apply_auto_read_only(bs, NULL, NULL);
1498        } else {
1499            ret = -ENOTSUP;
1500        }
1501        if (ret < 0) {
1502            error_setg(errp,
1503                       !bs->read_only && bdrv_is_whitelisted(drv, true)
1504                       ? "Driver '%s' can only be used for read-only devices"
1505                       : "Driver '%s' is not whitelisted",
1506                       drv->format_name);
1507            goto fail_opts;
1508        }
1509    }
1510
1511    /* bdrv_new() and bdrv_close() make it so */
1512    assert(atomic_read(&bs->copy_on_read) == 0);
1513
1514    if (bs->open_flags & BDRV_O_COPY_ON_READ) {
1515        if (!bs->read_only) {
1516            bdrv_enable_copy_on_read(bs);
1517        } else {
1518            error_setg(errp, "Can't use copy-on-read on read-only device");
1519            ret = -EINVAL;
1520            goto fail_opts;
1521        }
1522    }
1523
1524    discard = qemu_opt_get(opts, BDRV_OPT_DISCARD);
1525    if (discard != NULL) {
1526        if (bdrv_parse_discard_flags(discard, &bs->open_flags) != 0) {
1527            error_setg(errp, "Invalid discard option");
1528            ret = -EINVAL;
1529            goto fail_opts;
1530        }
1531    }
1532
1533    bs->detect_zeroes =
1534        bdrv_parse_detect_zeroes(opts, bs->open_flags, &local_err);
1535    if (local_err) {
1536        error_propagate(errp, local_err);
1537        ret = -EINVAL;
1538        goto fail_opts;
1539    }
1540
1541    if (filename != NULL) {
1542        pstrcpy(bs->filename, sizeof(bs->filename), filename);
1543    } else {
1544        bs->filename[0] = '\0';
1545    }
1546    pstrcpy(bs->exact_filename, sizeof(bs->exact_filename), bs->filename);
1547
1548    /* Open the image, either directly or using a protocol */
1549    open_flags = bdrv_open_flags(bs, bs->open_flags);
1550    node_name = qemu_opt_get(opts, "node-name");
1551
1552    assert(!drv->bdrv_file_open || file == NULL);
1553    ret = bdrv_open_driver(bs, drv, node_name, options, open_flags, errp);
1554    if (ret < 0) {
1555        goto fail_opts;
1556    }
1557
1558    qemu_opts_del(opts);
1559    return 0;
1560
1561fail_opts:
1562    qemu_opts_del(opts);
1563    return ret;
1564}
1565
1566static QDict *parse_json_filename(const char *filename, Error **errp)
1567{
1568    QObject *options_obj;
1569    QDict *options;
1570    int ret;
1571
1572    ret = strstart(filename, "json:", &filename);
1573    assert(ret);
1574
1575    options_obj = qobject_from_json(filename, errp);
1576    if (!options_obj) {
1577        error_prepend(errp, "Could not parse the JSON options: ");
1578        return NULL;
1579    }
1580
1581    options = qobject_to(QDict, options_obj);
1582    if (!options) {
1583        qobject_unref(options_obj);
1584        error_setg(errp, "Invalid JSON object given");
1585        return NULL;
1586    }
1587
1588    qdict_flatten(options);
1589
1590    return options;
1591}
1592
1593static void parse_json_protocol(QDict *options, const char **pfilename,
1594                                Error **errp)
1595{
1596    QDict *json_options;
1597    Error *local_err = NULL;
1598
1599    /* Parse json: pseudo-protocol */
1600    if (!*pfilename || !g_str_has_prefix(*pfilename, "json:")) {
1601        return;
1602    }
1603
1604    json_options = parse_json_filename(*pfilename, &local_err);
1605    if (local_err) {
1606        error_propagate(errp, local_err);
1607        return;
1608    }
1609
1610    /* Options given in the filename have lower priority than options
1611     * specified directly */
1612    qdict_join(options, json_options, false);
1613    qobject_unref(json_options);
1614    *pfilename = NULL;
1615}
1616
1617/*
1618 * Fills in default options for opening images and converts the legacy
1619 * filename/flags pair to option QDict entries.
1620 * The BDRV_O_PROTOCOL flag in *flags will be set or cleared accordingly if a
1621 * block driver has been specified explicitly.
1622 */
1623static int bdrv_fill_options(QDict **options, const char *filename,
1624                             int *flags, Error **errp)
1625{
1626    const char *drvname;
1627    bool protocol = *flags & BDRV_O_PROTOCOL;
1628    bool parse_filename = false;
1629    BlockDriver *drv = NULL;
1630    Error *local_err = NULL;
1631
1632    /*
1633     * Caution: while qdict_get_try_str() is fine, getting non-string
1634     * types would require more care.  When @options come from
1635     * -blockdev or blockdev_add, its members are typed according to
1636     * the QAPI schema, but when they come from -drive, they're all
1637     * QString.
1638     */
1639    drvname = qdict_get_try_str(*options, "driver");
1640    if (drvname) {
1641        drv = bdrv_find_format(drvname);
1642        if (!drv) {
1643            error_setg(errp, "Unknown driver '%s'", drvname);
1644            return -ENOENT;
1645        }
1646        /* If the user has explicitly specified the driver, this choice should
1647         * override the BDRV_O_PROTOCOL flag */
1648        protocol = drv->bdrv_file_open;
1649    }
1650
1651    if (protocol) {
1652        *flags |= BDRV_O_PROTOCOL;
1653    } else {
1654        *flags &= ~BDRV_O_PROTOCOL;
1655    }
1656
1657    /* Translate cache options from flags into options */
1658    update_options_from_flags(*options, *flags);
1659
1660    /* Fetch the file name from the options QDict if necessary */
1661    if (protocol && filename) {
1662        if (!qdict_haskey(*options, "filename")) {
1663            qdict_put_str(*options, "filename", filename);
1664            parse_filename = true;
1665        } else {
1666            error_setg(errp, "Can't specify 'file' and 'filename' options at "
1667                             "the same time");
1668            return -EINVAL;
1669        }
1670    }
1671
1672    /* Find the right block driver */
1673    /* See cautionary note on accessing @options above */
1674    filename = qdict_get_try_str(*options, "filename");
1675
1676    if (!drvname && protocol) {
1677        if (filename) {
1678            drv = bdrv_find_protocol(filename, parse_filename, errp);
1679            if (!drv) {
1680                return -EINVAL;
1681            }
1682
1683            drvname = drv->format_name;
1684            qdict_put_str(*options, "driver", drvname);
1685        } else {
1686            error_setg(errp, "Must specify either driver or file");
1687            return -EINVAL;
1688        }
1689    }
1690
1691    assert(drv || !protocol);
1692
1693    /* Driver-specific filename parsing */
1694    if (drv && drv->bdrv_parse_filename && parse_filename) {
1695        drv->bdrv_parse_filename(filename, *options, &local_err);
1696        if (local_err) {
1697            error_propagate(errp, local_err);
1698            return -EINVAL;
1699        }
1700
1701        if (!drv->bdrv_needs_filename) {
1702            qdict_del(*options, "filename");
1703        }
1704    }
1705
1706    return 0;
1707}
1708
1709static int bdrv_child_check_perm(BdrvChild *c, BlockReopenQueue *q,
1710                                 uint64_t perm, uint64_t shared,
1711                                 GSList *ignore_children,
1712                                 bool *tighten_restrictions, Error **errp);
1713static void bdrv_child_abort_perm_update(BdrvChild *c);
1714static void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared);
1715static void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm,
1716                                     uint64_t *shared_perm);
1717
1718typedef struct BlockReopenQueueEntry {
1719     bool prepared;
1720     bool perms_checked;
1721     BDRVReopenState state;
1722     QTAILQ_ENTRY(BlockReopenQueueEntry) entry;
1723} BlockReopenQueueEntry;
1724
1725/*
1726 * Return the flags that @bs will have after the reopens in @q have
1727 * successfully completed. If @q is NULL (or @bs is not contained in @q),
1728 * return the current flags.
1729 */
1730static int bdrv_reopen_get_flags(BlockReopenQueue *q, BlockDriverState *bs)
1731{
1732    BlockReopenQueueEntry *entry;
1733
1734    if (q != NULL) {
1735        QTAILQ_FOREACH(entry, q, entry) {
1736            if (entry->state.bs == bs) {
1737                return entry->state.flags;
1738            }
1739        }
1740    }
1741
1742    return bs->open_flags;
1743}
1744
1745/* Returns whether the image file can be written to after the reopen queue @q
1746 * has been successfully applied, or right now if @q is NULL. */
1747static bool bdrv_is_writable_after_reopen(BlockDriverState *bs,
1748                                          BlockReopenQueue *q)
1749{
1750    int flags = bdrv_reopen_get_flags(q, bs);
1751
1752    return (flags & (BDRV_O_RDWR | BDRV_O_INACTIVE)) == BDRV_O_RDWR;
1753}
1754
1755/*
1756 * Return whether the BDS can be written to.  This is not necessarily
1757 * the same as !bdrv_is_read_only(bs), as inactivated images may not
1758 * be written to but do not count as read-only images.
1759 */
1760bool bdrv_is_writable(BlockDriverState *bs)
1761{
1762    return bdrv_is_writable_after_reopen(bs, NULL);
1763}
1764
1765static void bdrv_child_perm(BlockDriverState *bs, BlockDriverState *child_bs,
1766                            BdrvChild *c, const BdrvChildRole *role,
1767                            BlockReopenQueue *reopen_queue,
1768                            uint64_t parent_perm, uint64_t parent_shared,
1769                            uint64_t *nperm, uint64_t *nshared)
1770{
1771    assert(bs->drv && bs->drv->bdrv_child_perm);
1772    bs->drv->bdrv_child_perm(bs, c, role, reopen_queue,
1773                             parent_perm, parent_shared,
1774                             nperm, nshared);
1775    /* TODO Take force_share from reopen_queue */
1776    if (child_bs && child_bs->force_share) {
1777        *nshared = BLK_PERM_ALL;
1778    }
1779}
1780
1781/*
1782 * Check whether permissions on this node can be changed in a way that
1783 * @cumulative_perms and @cumulative_shared_perms are the new cumulative
1784 * permissions of all its parents. This involves checking whether all necessary
1785 * permission changes to child nodes can be performed.
1786 *
1787 * Will set *tighten_restrictions to true if and only if new permissions have to
1788 * be taken or currently shared permissions are to be unshared.  Otherwise,
1789 * errors are not fatal as long as the caller accepts that the restrictions
1790 * remain tighter than they need to be.  The caller still has to abort the
1791 * transaction.
1792 * @tighten_restrictions cannot be used together with @q: When reopening, we may
1793 * encounter fatal errors even though no restrictions are to be tightened.  For
1794 * example, changing a node from RW to RO will fail if the WRITE permission is
1795 * to be kept.
1796 *
1797 * A call to this function must always be followed by a call to bdrv_set_perm()
1798 * or bdrv_abort_perm_update().
1799 */
1800static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q,
1801                           uint64_t cumulative_perms,
1802                           uint64_t cumulative_shared_perms,
1803                           GSList *ignore_children,
1804                           bool *tighten_restrictions, Error **errp)
1805{
1806    BlockDriver *drv = bs->drv;
1807    BdrvChild *c;
1808    int ret;
1809
1810    assert(!q || !tighten_restrictions);
1811
1812    if (tighten_restrictions) {
1813        uint64_t current_perms, current_shared;
1814        uint64_t added_perms, removed_shared_perms;
1815
1816        bdrv_get_cumulative_perm(bs, &current_perms, &current_shared);
1817
1818        added_perms = cumulative_perms & ~current_perms;
1819        removed_shared_perms = current_shared & ~cumulative_shared_perms;
1820
1821        *tighten_restrictions = added_perms || removed_shared_perms;
1822    }
1823
1824    /* Write permissions never work with read-only images */
1825    if ((cumulative_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) &&
1826        !bdrv_is_writable_after_reopen(bs, q))
1827    {
1828        if (!bdrv_is_writable_after_reopen(bs, NULL)) {
1829            error_setg(errp, "Block node is read-only");
1830        } else {
1831            uint64_t current_perms, current_shared;
1832            bdrv_get_cumulative_perm(bs, &current_perms, &current_shared);
1833            if (current_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) {
1834                error_setg(errp, "Cannot make block node read-only, there is "
1835                           "a writer on it");
1836            } else {
1837                error_setg(errp, "Cannot make block node read-only and create "
1838                           "a writer on it");
1839            }
1840        }
1841
1842        return -EPERM;
1843    }
1844
1845    /* Check this node */
1846    if (!drv) {
1847        return 0;
1848    }
1849
1850    if (drv->bdrv_check_perm) {
1851        return drv->bdrv_check_perm(bs, cumulative_perms,
1852                                    cumulative_shared_perms, errp);
1853    }
1854
1855    /* Drivers that never have children can omit .bdrv_child_perm() */
1856    if (!drv->bdrv_child_perm) {
1857        assert(QLIST_EMPTY(&bs->children));
1858        return 0;
1859    }
1860
1861    /* Check all children */
1862    QLIST_FOREACH(c, &bs->children, next) {
1863        uint64_t cur_perm, cur_shared;
1864        bool child_tighten_restr;
1865
1866        bdrv_child_perm(bs, c->bs, c, c->role, q,
1867                        cumulative_perms, cumulative_shared_perms,
1868                        &cur_perm, &cur_shared);
1869        ret = bdrv_child_check_perm(c, q, cur_perm, cur_shared, ignore_children,
1870                                    tighten_restrictions ? &child_tighten_restr
1871                                                         : NULL,
1872                                    errp);
1873        if (tighten_restrictions) {
1874            *tighten_restrictions |= child_tighten_restr;
1875        }
1876        if (ret < 0) {
1877            return ret;
1878        }
1879    }
1880
1881    return 0;
1882}
1883
1884/*
1885 * Notifies drivers that after a previous bdrv_check_perm() call, the
1886 * permission update is not performed and any preparations made for it (e.g.
1887 * taken file locks) need to be undone.
1888 *
1889 * This function recursively notifies all child nodes.
1890 */
1891static void bdrv_abort_perm_update(BlockDriverState *bs)
1892{
1893    BlockDriver *drv = bs->drv;
1894    BdrvChild *c;
1895
1896    if (!drv) {
1897        return;
1898    }
1899
1900    if (drv->bdrv_abort_perm_update) {
1901        drv->bdrv_abort_perm_update(bs);
1902    }
1903
1904    QLIST_FOREACH(c, &bs->children, next) {
1905        bdrv_child_abort_perm_update(c);
1906    }
1907}
1908
1909static void bdrv_set_perm(BlockDriverState *bs, uint64_t cumulative_perms,
1910                          uint64_t cumulative_shared_perms)
1911{
1912    BlockDriver *drv = bs->drv;
1913    BdrvChild *c;
1914
1915    if (!drv) {
1916        return;
1917    }
1918
1919    /* Update this node */
1920    if (drv->bdrv_set_perm) {
1921        drv->bdrv_set_perm(bs, cumulative_perms, cumulative_shared_perms);
1922    }
1923
1924    /* Drivers that never have children can omit .bdrv_child_perm() */
1925    if (!drv->bdrv_child_perm) {
1926        assert(QLIST_EMPTY(&bs->children));
1927        return;
1928    }
1929
1930    /* Update all children */
1931    QLIST_FOREACH(c, &bs->children, next) {
1932        uint64_t cur_perm, cur_shared;
1933        bdrv_child_perm(bs, c->bs, c, c->role, NULL,
1934                        cumulative_perms, cumulative_shared_perms,
1935                        &cur_perm, &cur_shared);
1936        bdrv_child_set_perm(c, cur_perm, cur_shared);
1937    }
1938}
1939
1940static void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm,
1941                                     uint64_t *shared_perm)
1942{
1943    BdrvChild *c;
1944    uint64_t cumulative_perms = 0;
1945    uint64_t cumulative_shared_perms = BLK_PERM_ALL;
1946
1947    QLIST_FOREACH(c, &bs->parents, next_parent) {
1948        cumulative_perms |= c->perm;
1949        cumulative_shared_perms &= c->shared_perm;
1950    }
1951
1952    *perm = cumulative_perms;
1953    *shared_perm = cumulative_shared_perms;
1954}
1955
1956static char *bdrv_child_user_desc(BdrvChild *c)
1957{
1958    if (c->role->get_parent_desc) {
1959        return c->role->get_parent_desc(c);
1960    }
1961
1962    return g_strdup("another user");
1963}
1964
1965char *bdrv_perm_names(uint64_t perm)
1966{
1967    struct perm_name {
1968        uint64_t perm;
1969        const char *name;
1970    } permissions[] = {
1971        { BLK_PERM_CONSISTENT_READ, "consistent read" },
1972        { BLK_PERM_WRITE,           "write" },
1973        { BLK_PERM_WRITE_UNCHANGED, "write unchanged" },
1974        { BLK_PERM_RESIZE,          "resize" },
1975        { BLK_PERM_GRAPH_MOD,       "change children" },
1976        { 0, NULL }
1977    };
1978
1979    char *result = g_strdup("");
1980    struct perm_name *p;
1981
1982    for (p = permissions; p->name; p++) {
1983        if (perm & p->perm) {
1984            char *old = result;
1985            result = g_strdup_printf("%s%s%s", old, *old ? ", " : "", p->name);
1986            g_free(old);
1987        }
1988    }
1989
1990    return result;
1991}
1992
1993/*
1994 * Checks whether a new reference to @bs can be added if the new user requires
1995 * @new_used_perm/@new_shared_perm as its permissions. If @ignore_children is
1996 * set, the BdrvChild objects in this list are ignored in the calculations;
1997 * this allows checking permission updates for an existing reference.
1998 *
1999 * See bdrv_check_perm() for the semantics of @tighten_restrictions.
2000 *
2001 * Needs to be followed by a call to either bdrv_set_perm() or
2002 * bdrv_abort_perm_update(). */
2003static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *q,
2004                                  uint64_t new_used_perm,
2005                                  uint64_t new_shared_perm,
2006                                  GSList *ignore_children,
2007                                  bool *tighten_restrictions,
2008                                  Error **errp)
2009{
2010    BdrvChild *c;
2011    uint64_t cumulative_perms = new_used_perm;
2012    uint64_t cumulative_shared_perms = new_shared_perm;
2013
2014    assert(!q || !tighten_restrictions);
2015
2016    /* There is no reason why anyone couldn't tolerate write_unchanged */
2017    assert(new_shared_perm & BLK_PERM_WRITE_UNCHANGED);
2018
2019    QLIST_FOREACH(c, &bs->parents, next_parent) {
2020        if (g_slist_find(ignore_children, c)) {
2021            continue;
2022        }
2023
2024        if ((new_used_perm & c->shared_perm) != new_used_perm) {
2025            char *user = bdrv_child_user_desc(c);
2026            char *perm_names = bdrv_perm_names(new_used_perm & ~c->shared_perm);
2027
2028            if (tighten_restrictions) {
2029                *tighten_restrictions = true;
2030            }
2031
2032            error_setg(errp, "Conflicts with use by %s as '%s', which does not "
2033                             "allow '%s' on %s",
2034                       user, c->name, perm_names, bdrv_get_node_name(c->bs));
2035            g_free(user);
2036            g_free(perm_names);
2037            return -EPERM;
2038        }
2039
2040        if ((c->perm & new_shared_perm) != c->perm) {
2041            char *user = bdrv_child_user_desc(c);
2042            char *perm_names = bdrv_perm_names(c->perm & ~new_shared_perm);
2043
2044            if (tighten_restrictions) {
2045                *tighten_restrictions = true;
2046            }
2047
2048            error_setg(errp, "Conflicts with use by %s as '%s', which uses "
2049                             "'%s' on %s",
2050                       user, c->name, perm_names, bdrv_get_node_name(c->bs));
2051            g_free(user);
2052            g_free(perm_names);
2053            return -EPERM;
2054        }
2055
2056        cumulative_perms |= c->perm;
2057        cumulative_shared_perms &= c->shared_perm;
2058    }
2059
2060    return bdrv_check_perm(bs, q, cumulative_perms, cumulative_shared_perms,
2061                           ignore_children, tighten_restrictions, errp);
2062}
2063
2064/* Needs to be followed by a call to either bdrv_child_set_perm() or
2065 * bdrv_child_abort_perm_update(). */
2066static int bdrv_child_check_perm(BdrvChild *c, BlockReopenQueue *q,
2067                                 uint64_t perm, uint64_t shared,
2068                                 GSList *ignore_children,
2069                                 bool *tighten_restrictions, Error **errp)
2070{
2071    int ret;
2072
2073    ignore_children = g_slist_prepend(g_slist_copy(ignore_children), c);
2074    ret = bdrv_check_update_perm(c->bs, q, perm, shared, ignore_children,
2075                                 tighten_restrictions, errp);
2076    g_slist_free(ignore_children);
2077
2078    if (ret < 0) {
2079        return ret;
2080    }
2081
2082    if (!c->has_backup_perm) {
2083        c->has_backup_perm = true;
2084        c->backup_perm = c->perm;
2085        c->backup_shared_perm = c->shared_perm;
2086    }
2087    /*
2088     * Note: it's OK if c->has_backup_perm was already set, as we can find the
2089     * same child twice during check_perm procedure
2090     */
2091
2092    c->perm = perm;
2093    c->shared_perm = shared;
2094
2095    return 0;
2096}
2097
2098static void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared)
2099{
2100    uint64_t cumulative_perms, cumulative_shared_perms;
2101
2102    c->has_backup_perm = false;
2103
2104    c->perm = perm;
2105    c->shared_perm = shared;
2106
2107    bdrv_get_cumulative_perm(c->bs, &cumulative_perms,
2108                             &cumulative_shared_perms);
2109    bdrv_set_perm(c->bs, cumulative_perms, cumulative_shared_perms);
2110}
2111
2112static void bdrv_child_abort_perm_update(BdrvChild *c)
2113{
2114    if (c->has_backup_perm) {
2115        c->perm = c->backup_perm;
2116        c->shared_perm = c->backup_shared_perm;
2117        c->has_backup_perm = false;
2118    }
2119
2120    bdrv_abort_perm_update(c->bs);
2121}
2122
2123int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
2124                            Error **errp)
2125{
2126    Error *local_err = NULL;
2127    int ret;
2128    bool tighten_restrictions;
2129
2130    ret = bdrv_child_check_perm(c, NULL, perm, shared, NULL,
2131                                &tighten_restrictions, &local_err);
2132    if (ret < 0) {
2133        bdrv_child_abort_perm_update(c);
2134        if (tighten_restrictions) {
2135            error_propagate(errp, local_err);
2136        } else {
2137            /*
2138             * Our caller may intend to only loosen restrictions and
2139             * does not expect this function to fail.  Errors are not
2140             * fatal in such a case, so we can just hide them from our
2141             * caller.
2142             */
2143            error_free(local_err);
2144            ret = 0;
2145        }
2146        return ret;
2147    }
2148
2149    bdrv_child_set_perm(c, perm, shared);
2150
2151    return 0;
2152}
2153
2154int bdrv_child_refresh_perms(BlockDriverState *bs, BdrvChild *c, Error **errp)
2155{
2156    uint64_t parent_perms, parent_shared;
2157    uint64_t perms, shared;
2158
2159    bdrv_get_cumulative_perm(bs, &parent_perms, &parent_shared);
2160    bdrv_child_perm(bs, c->bs, c, c->role, NULL, parent_perms, parent_shared,
2161                    &perms, &shared);
2162
2163    return bdrv_child_try_set_perm(c, perms, shared, errp);
2164}
2165
2166void bdrv_filter_default_perms(BlockDriverState *bs, BdrvChild *c,
2167                               const BdrvChildRole *role,
2168                               BlockReopenQueue *reopen_queue,
2169                               uint64_t perm, uint64_t shared,
2170                               uint64_t *nperm, uint64_t *nshared)
2171{
2172    *nperm = perm & DEFAULT_PERM_PASSTHROUGH;
2173    *nshared = (shared & DEFAULT_PERM_PASSTHROUGH) | DEFAULT_PERM_UNCHANGED;
2174}
2175
2176void bdrv_format_default_perms(BlockDriverState *bs, BdrvChild *c,
2177                               const BdrvChildRole *role,
2178                               BlockReopenQueue *reopen_queue,
2179                               uint64_t perm, uint64_t shared,
2180                               uint64_t *nperm, uint64_t *nshared)
2181{
2182    bool backing = (role == &child_backing);
2183    assert(role == &child_backing || role == &child_file);
2184
2185    if (!backing) {
2186        int flags = bdrv_reopen_get_flags(reopen_queue, bs);
2187
2188        /* Apart from the modifications below, the same permissions are
2189         * forwarded and left alone as for filters */
2190        bdrv_filter_default_perms(bs, c, role, reopen_queue, perm, shared,
2191                                  &perm, &shared);
2192
2193        /* Format drivers may touch metadata even if the guest doesn't write */
2194        if (bdrv_is_writable_after_reopen(bs, reopen_queue)) {
2195            perm |= BLK_PERM_WRITE | BLK_PERM_RESIZE;
2196        }
2197
2198        /* bs->file always needs to be consistent because of the metadata. We
2199         * can never allow other users to resize or write to it. */
2200        if (!(flags & BDRV_O_NO_IO)) {
2201            perm |= BLK_PERM_CONSISTENT_READ;
2202        }
2203        shared &= ~(BLK_PERM_WRITE | BLK_PERM_RESIZE);
2204    } else {
2205        /* We want consistent read from backing files if the parent needs it.
2206         * No other operations are performed on backing files. */
2207        perm &= BLK_PERM_CONSISTENT_READ;
2208
2209        /* If the parent can deal with changing data, we're okay with a
2210         * writable and resizable backing file. */
2211        /* TODO Require !(perm & BLK_PERM_CONSISTENT_READ), too? */
2212        if (shared & BLK_PERM_WRITE) {
2213            shared = BLK_PERM_WRITE | BLK_PERM_RESIZE;
2214        } else {
2215            shared = 0;
2216        }
2217
2218        shared |= BLK_PERM_CONSISTENT_READ | BLK_PERM_GRAPH_MOD |
2219                  BLK_PERM_WRITE_UNCHANGED;
2220    }
2221
2222    if (bs->open_flags & BDRV_O_INACTIVE) {
2223        shared |= BLK_PERM_WRITE | BLK_PERM_RESIZE;
2224    }
2225
2226    *nperm = perm;
2227    *nshared = shared;
2228}
2229
2230static void bdrv_replace_child_noperm(BdrvChild *child,
2231                                      BlockDriverState *new_bs)
2232{
2233    BlockDriverState *old_bs = child->bs;
2234    int new_bs_quiesce_counter;
2235    int drain_saldo;
2236
2237    assert(!child->frozen);
2238
2239    if (old_bs && new_bs) {
2240        assert(bdrv_get_aio_context(old_bs) == bdrv_get_aio_context(new_bs));
2241    }
2242
2243    new_bs_quiesce_counter = (new_bs ? new_bs->quiesce_counter : 0);
2244    drain_saldo = new_bs_quiesce_counter - child->parent_quiesce_counter;
2245
2246    /*
2247     * If the new child node is drained but the old one was not, flush
2248     * all outstanding requests to the old child node.
2249     */
2250    while (drain_saldo > 0 && child->role->drained_begin) {
2251        bdrv_parent_drained_begin_single(child, true);
2252        drain_saldo--;
2253    }
2254
2255    if (old_bs) {
2256        /* Detach first so that the recursive drain sections coming from @child
2257         * are already gone and we only end the drain sections that came from
2258         * elsewhere. */
2259        if (child->role->detach) {
2260            child->role->detach(child);
2261        }
2262        QLIST_REMOVE(child, next_parent);
2263    }
2264
2265    child->bs = new_bs;
2266
2267    if (new_bs) {
2268        QLIST_INSERT_HEAD(&new_bs->parents, child, next_parent);
2269
2270        /*
2271         * Detaching the old node may have led to the new node's
2272         * quiesce_counter having been decreased.  Not a problem, we
2273         * just need to recognize this here and then invoke
2274         * drained_end appropriately more often.
2275         */
2276        assert(new_bs->quiesce_counter <= new_bs_quiesce_counter);
2277        drain_saldo += new_bs->quiesce_counter - new_bs_quiesce_counter;
2278
2279        /* Attach only after starting new drained sections, so that recursive
2280         * drain sections coming from @child don't get an extra .drained_begin
2281         * callback. */
2282        if (child->role->attach) {
2283            child->role->attach(child);
2284        }
2285    }
2286
2287    /*
2288     * If the old child node was drained but the new one is not, allow
2289     * requests to come in only after the new node has been attached.
2290     */
2291    while (drain_saldo < 0 && child->role->drained_end) {
2292        bdrv_parent_drained_end_single(child);
2293        drain_saldo++;
2294    }
2295}
2296
2297/*
2298 * Updates @child to change its reference to point to @new_bs, including
2299 * checking and applying the necessary permisson updates both to the old node
2300 * and to @new_bs.
2301 *
2302 * NULL is passed as @new_bs for removing the reference before freeing @child.
2303 *
2304 * If @new_bs is not NULL, bdrv_check_perm() must be called beforehand, as this
2305 * function uses bdrv_set_perm() to update the permissions according to the new
2306 * reference that @new_bs gets.
2307 */
2308static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs)
2309{
2310    BlockDriverState *old_bs = child->bs;
2311    uint64_t perm, shared_perm;
2312
2313    bdrv_replace_child_noperm(child, new_bs);
2314
2315    /*
2316     * Start with the new node's permissions.  If @new_bs is a (direct
2317     * or indirect) child of @old_bs, we must complete the permission
2318     * update on @new_bs before we loosen the restrictions on @old_bs.
2319     * Otherwise, bdrv_check_perm() on @old_bs would re-initiate
2320     * updating the permissions of @new_bs, and thus not purely loosen
2321     * restrictions.
2322     */
2323    if (new_bs) {
2324        bdrv_get_cumulative_perm(new_bs, &perm, &shared_perm);
2325        bdrv_set_perm(new_bs, perm, shared_perm);
2326    }
2327
2328    if (old_bs) {
2329        /* Update permissions for old node. This is guaranteed to succeed
2330         * because we're just taking a parent away, so we're loosening
2331         * restrictions. */
2332        bool tighten_restrictions;
2333        int ret;
2334
2335        bdrv_get_cumulative_perm(old_bs, &perm, &shared_perm);
2336        ret = bdrv_check_perm(old_bs, NULL, perm, shared_perm, NULL,
2337                              &tighten_restrictions, NULL);
2338        assert(tighten_restrictions == false);
2339        if (ret < 0) {
2340            /* We only tried to loosen restrictions, so errors are not fatal */
2341            bdrv_abort_perm_update(old_bs);
2342        } else {
2343            bdrv_set_perm(old_bs, perm, shared_perm);
2344        }
2345
2346        /* When the parent requiring a non-default AioContext is removed, the
2347         * node moves back to the main AioContext */
2348        bdrv_try_set_aio_context(old_bs, qemu_get_aio_context(), NULL);
2349    }
2350}
2351
2352/*
2353 * This function steals the reference to child_bs from the caller.
2354 * That reference is later dropped by bdrv_root_unref_child().
2355 *
2356 * On failure NULL is returned, errp is set and the reference to
2357 * child_bs is also dropped.
2358 *
2359 * The caller must hold the AioContext lock @child_bs, but not that of @ctx
2360 * (unless @child_bs is already in @ctx).
2361 */
2362BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs,
2363                                  const char *child_name,
2364                                  const BdrvChildRole *child_role,
2365                                  AioContext *ctx,
2366                                  uint64_t perm, uint64_t shared_perm,
2367                                  void *opaque, Error **errp)
2368{
2369    BdrvChild *child;
2370    Error *local_err = NULL;
2371    int ret;
2372
2373    ret = bdrv_check_update_perm(child_bs, NULL, perm, shared_perm, NULL, NULL,
2374                                 errp);
2375    if (ret < 0) {
2376        bdrv_abort_perm_update(child_bs);
2377        bdrv_unref(child_bs);
2378        return NULL;
2379    }
2380
2381    child = g_new(BdrvChild, 1);
2382    *child = (BdrvChild) {
2383        .bs             = NULL,
2384        .name           = g_strdup(child_name),
2385        .role           = child_role,
2386        .perm           = perm,
2387        .shared_perm    = shared_perm,
2388        .opaque         = opaque,
2389    };
2390
2391    /* If the AioContexts don't match, first try to move the subtree of
2392     * child_bs into the AioContext of the new parent. If this doesn't work,
2393     * try moving the parent into the AioContext of child_bs instead. */
2394    if (bdrv_get_aio_context(child_bs) != ctx) {
2395        ret = bdrv_try_set_aio_context(child_bs, ctx, &local_err);
2396        if (ret < 0 && child_role->can_set_aio_ctx) {
2397            GSList *ignore = g_slist_prepend(NULL, child);;
2398            ctx = bdrv_get_aio_context(child_bs);
2399            if (child_role->can_set_aio_ctx(child, ctx, &ignore, NULL)) {
2400                error_free(local_err);
2401                ret = 0;
2402                g_slist_free(ignore);
2403                ignore = g_slist_prepend(NULL, child);;
2404                child_role->set_aio_ctx(child, ctx, &ignore);
2405            }
2406            g_slist_free(ignore);
2407        }
2408        if (ret < 0) {
2409            error_propagate(errp, local_err);
2410            g_free(child);
2411            bdrv_abort_perm_update(child_bs);
2412            return NULL;
2413        }
2414    }
2415
2416    /* This performs the matching bdrv_set_perm() for the above check. */
2417    bdrv_replace_child(child, child_bs);
2418
2419    return child;
2420}
2421
2422/*
2423 * This function transfers the reference to child_bs from the caller
2424 * to parent_bs. That reference is later dropped by parent_bs on
2425 * bdrv_close() or if someone calls bdrv_unref_child().
2426 *
2427 * On failure NULL is returned, errp is set and the reference to
2428 * child_bs is also dropped.
2429 *
2430 * If @parent_bs and @child_bs are in different AioContexts, the caller must
2431 * hold the AioContext lock for @child_bs, but not for @parent_bs.
2432 */
2433BdrvChild *bdrv_attach_child(BlockDriverState *parent_bs,
2434                             BlockDriverState *child_bs,
2435                             const char *child_name,
2436                             const BdrvChildRole *child_role,
2437                             Error **errp)
2438{
2439    BdrvChild *child;
2440    uint64_t perm, shared_perm;
2441
2442    bdrv_get_cumulative_perm(parent_bs, &perm, &shared_perm);
2443
2444    assert(parent_bs->drv);
2445    bdrv_child_perm(parent_bs, child_bs, NULL, child_role, NULL,
2446                    perm, shared_perm, &perm, &shared_perm);
2447
2448    child = bdrv_root_attach_child(child_bs, child_name, child_role,
2449                                   bdrv_get_aio_context(parent_bs),
2450                                   perm, shared_perm, parent_bs, errp);
2451    if (child == NULL) {
2452        return NULL;
2453    }
2454
2455    QLIST_INSERT_HEAD(&parent_bs->children, child, next);
2456    return child;
2457}
2458
2459static void bdrv_detach_child(BdrvChild *child)
2460{
2461    if (child->next.le_prev) {
2462        QLIST_REMOVE(child, next);
2463        child->next.le_prev = NULL;
2464    }
2465
2466    bdrv_replace_child(child, NULL);
2467
2468    g_free(child->name);
2469    g_free(child);
2470}
2471
2472void bdrv_root_unref_child(BdrvChild *child)
2473{
2474    BlockDriverState *child_bs;
2475
2476    child_bs = child->bs;
2477    bdrv_detach_child(child);
2478    bdrv_unref(child_bs);
2479}
2480
2481/**
2482 * Clear all inherits_from pointers from children and grandchildren of
2483 * @root that point to @root, where necessary.
2484 */
2485static void bdrv_unset_inherits_from(BlockDriverState *root, BdrvChild *child)
2486{
2487    BdrvChild *c;
2488
2489    if (child->bs->inherits_from == root) {
2490        /*
2491         * Remove inherits_from only when the last reference between root and
2492         * child->bs goes away.
2493         */
2494        QLIST_FOREACH(c, &root->children, next) {
2495            if (c != child && c->bs == child->bs) {
2496                break;
2497            }
2498        }
2499        if (c == NULL) {
2500            child->bs->inherits_from = NULL;
2501        }
2502    }
2503
2504    QLIST_FOREACH(c, &child->bs->children, next) {
2505        bdrv_unset_inherits_from(root, c);
2506    }
2507}
2508
2509void bdrv_unref_child(BlockDriverState *parent, BdrvChild *child)
2510{
2511    if (child == NULL) {
2512        return;
2513    }
2514
2515    bdrv_unset_inherits_from(parent, child);
2516    bdrv_root_unref_child(child);
2517}
2518
2519
2520static void bdrv_parent_cb_change_media(BlockDriverState *bs, bool load)
2521{
2522    BdrvChild *c;
2523    QLIST_FOREACH(c, &bs->parents, next_parent) {
2524        if (c->role->change_media) {
2525            c->role->change_media(c, load);
2526        }
2527    }
2528}
2529
2530/* Return true if you can reach parent going through child->inherits_from
2531 * recursively. If parent or child are NULL, return false */
2532static bool bdrv_inherits_from_recursive(BlockDriverState *child,
2533                                         BlockDriverState *parent)
2534{
2535    while (child && child != parent) {
2536        child = child->inherits_from;
2537    }
2538
2539    return child != NULL;
2540}
2541
2542/*
2543 * Sets the backing file link of a BDS. A new reference is created; callers
2544 * which don't need their own reference any more must call bdrv_unref().
2545 */
2546void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,
2547                         Error **errp)
2548{
2549    bool update_inherits_from = bdrv_chain_contains(bs, backing_hd) &&
2550        bdrv_inherits_from_recursive(backing_hd, bs);
2551
2552    if (bdrv_is_backing_chain_frozen(bs, backing_bs(bs), errp)) {
2553        return;
2554    }
2555
2556    if (backing_hd) {
2557        bdrv_ref(backing_hd);
2558    }
2559
2560    if (bs->backing) {
2561        bdrv_unref_child(bs, bs->backing);
2562    }
2563
2564    if (!backing_hd) {
2565        bs->backing = NULL;
2566        goto out;
2567    }
2568
2569    bs->backing = bdrv_attach_child(bs, backing_hd, "backing", &child_backing,
2570                                    errp);
2571    /* If backing_hd was already part of bs's backing chain, and
2572     * inherits_from pointed recursively to bs then let's update it to
2573     * point directly to bs (else it will become NULL). */
2574    if (bs->backing && update_inherits_from) {
2575        backing_hd->inherits_from = bs;
2576    }
2577
2578out:
2579    bdrv_refresh_limits(bs, NULL);
2580}
2581
2582/*
2583 * Opens the backing file for a BlockDriverState if not yet open
2584 *
2585 * bdref_key specifies the key for the image's BlockdevRef in the options QDict.
2586 * That QDict has to be flattened; therefore, if the BlockdevRef is a QDict
2587 * itself, all options starting with "${bdref_key}." are considered part of the
2588 * BlockdevRef.
2589 *
2590 * TODO Can this be unified with bdrv_open_image()?
2591 */
2592int bdrv_open_backing_file(BlockDriverState *bs, QDict *parent_options,
2593                           const char *bdref_key, Error **errp)
2594{
2595    char *backing_filename = NULL;
2596    char *bdref_key_dot;
2597    const char *reference = NULL;
2598    int ret = 0;
2599    bool implicit_backing = false;
2600    BlockDriverState *backing_hd;
2601    QDict *options;
2602    QDict *tmp_parent_options = NULL;
2603    Error *local_err = NULL;
2604
2605    if (bs->backing != NULL) {
2606        goto free_exit;
2607    }
2608
2609    /* NULL means an empty set of options */
2610    if (parent_options == NULL) {
2611        tmp_parent_options = qdict_new();
2612        parent_options = tmp_parent_options;
2613    }
2614
2615    bs->open_flags &= ~BDRV_O_NO_BACKING;
2616
2617    bdref_key_dot = g_strdup_printf("%s.", bdref_key);
2618    qdict_extract_subqdict(parent_options, &options, bdref_key_dot);
2619    g_free(bdref_key_dot);
2620
2621    /*
2622     * Caution: while qdict_get_try_str() is fine, getting non-string
2623     * types would require more care.  When @parent_options come from
2624     * -blockdev or blockdev_add, its members are typed according to
2625     * the QAPI schema, but when they come from -drive, they're all
2626     * QString.
2627     */
2628    reference = qdict_get_try_str(parent_options, bdref_key);
2629    if (reference || qdict_haskey(options, "file.filename")) {
2630        /* keep backing_filename NULL */
2631    } else if (bs->backing_file[0] == '\0' && qdict_size(options) == 0) {
2632        qobject_unref(options);
2633        goto free_exit;
2634    } else {
2635        if (qdict_size(options) == 0) {
2636            /* If the user specifies options that do not modify the
2637             * backing file's behavior, we might still consider it the
2638             * implicit backing file.  But it's easier this way, and
2639             * just specifying some of the backing BDS's options is
2640             * only possible with -drive anyway (otherwise the QAPI
2641             * schema forces the user to specify everything). */
2642            implicit_backing = !strcmp(bs->auto_backing_file, bs->backing_file);
2643        }
2644
2645        backing_filename = bdrv_get_full_backing_filename(bs, &local_err);
2646        if (local_err) {
2647            ret = -EINVAL;
2648            error_propagate(errp, local_err);
2649            qobject_unref(options);
2650            goto free_exit;
2651        }
2652    }
2653
2654    if (!bs->drv || !bs->drv->supports_backing) {
2655        ret = -EINVAL;
2656        error_setg(errp, "Driver doesn't support backing files");
2657        qobject_unref(options);
2658        goto free_exit;
2659    }
2660
2661    if (!reference &&
2662        bs->backing_format[0] != '\0' && !qdict_haskey(options, "driver")) {
2663        qdict_put_str(options, "driver", bs->backing_format);
2664    }
2665
2666    backing_hd = bdrv_open_inherit(backing_filename, reference, options, 0, bs,
2667                                   &child_backing, errp);
2668    if (!backing_hd) {
2669        bs->open_flags |= BDRV_O_NO_BACKING;
2670        error_prepend(errp, "Could not open backing file: ");
2671        ret = -EINVAL;
2672        goto free_exit;
2673    }
2674
2675    if (implicit_backing) {
2676        bdrv_refresh_filename(backing_hd);
2677        pstrcpy(bs->auto_backing_file, sizeof(bs->auto_backing_file),
2678                backing_hd->filename);
2679    }
2680
2681    /* Hook up the backing file link; drop our reference, bs owns the
2682     * backing_hd reference now */
2683    bdrv_set_backing_hd(bs, backing_hd, &local_err);
2684    bdrv_unref(backing_hd);
2685    if (local_err) {
2686        error_propagate(errp, local_err);
2687        ret = -EINVAL;
2688        goto free_exit;
2689    }
2690
2691    qdict_del(parent_options, bdref_key);
2692
2693free_exit:
2694    g_free(backing_filename);
2695    qobject_unref(tmp_parent_options);
2696    return ret;
2697}
2698
2699static BlockDriverState *
2700bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
2701                   BlockDriverState *parent, const BdrvChildRole *child_role,
2702                   bool allow_none, Error **errp)
2703{
2704    BlockDriverState *bs = NULL;
2705    QDict *image_options;
2706    char *bdref_key_dot;
2707    const char *reference;
2708
2709    assert(child_role != NULL);
2710
2711    bdref_key_dot = g_strdup_printf("%s.", bdref_key);
2712    qdict_extract_subqdict(options, &image_options, bdref_key_dot);
2713    g_free(bdref_key_dot);
2714
2715    /*
2716     * Caution: while qdict_get_try_str() is fine, getting non-string
2717     * types would require more care.  When @options come from
2718     * -blockdev or blockdev_add, its members are typed according to
2719     * the QAPI schema, but when they come from -drive, they're all
2720     * QString.
2721     */
2722    reference = qdict_get_try_str(options, bdref_key);
2723    if (!filename && !reference && !qdict_size(image_options)) {
2724        if (!allow_none) {
2725            error_setg(errp, "A block device must be specified for \"%s\"",
2726                       bdref_key);
2727        }
2728        qobject_unref(image_options);
2729        goto done;
2730    }
2731
2732    bs = bdrv_open_inherit(filename, reference, image_options, 0,
2733                           parent, child_role, errp);
2734    if (!bs) {
2735        goto done;
2736    }
2737
2738done:
2739    qdict_del(options, bdref_key);
2740    return bs;
2741}
2742
2743/*
2744 * Opens a disk image whose options are given as BlockdevRef in another block
2745 * device's options.
2746 *
2747 * If allow_none is true, no image will be opened if filename is false and no
2748 * BlockdevRef is given. NULL will be returned, but errp remains unset.
2749 *
2750 * bdrev_key specifies the key for the image's BlockdevRef in the options QDict.
2751 * That QDict has to be flattened; therefore, if the BlockdevRef is a QDict
2752 * itself, all options starting with "${bdref_key}." are considered part of the
2753 * BlockdevRef.
2754 *
2755 * The BlockdevRef will be removed from the options QDict.
2756 */
2757BdrvChild *bdrv_open_child(const char *filename,
2758                           QDict *options, const char *bdref_key,
2759                           BlockDriverState *parent,
2760                           const BdrvChildRole *child_role,
2761                           bool allow_none, Error **errp)
2762{
2763    BlockDriverState *bs;
2764
2765    bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_role,
2766                            allow_none, errp);
2767    if (bs == NULL) {
2768        return NULL;
2769    }
2770
2771    return bdrv_attach_child(parent, bs, bdref_key, child_role, errp);
2772}
2773
2774/* TODO Future callers may need to specify parent/child_role in order for
2775 * option inheritance to work. Existing callers use it for the root node. */
2776BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef *ref, Error **errp)
2777{
2778    BlockDriverState *bs = NULL;
2779    Error *local_err = NULL;
2780    QObject *obj = NULL;
2781    QDict *qdict = NULL;
2782    const char *reference = NULL;
2783    Visitor *v = NULL;
2784
2785    if (ref->type == QTYPE_QSTRING) {
2786        reference = ref->u.reference;
2787    } else {
2788        BlockdevOptions *options = &ref->u.definition;
2789        assert(ref->type == QTYPE_QDICT);
2790
2791        v = qobject_output_visitor_new(&obj);
2792        visit_type_BlockdevOptions(v, NULL, &options, &local_err);
2793        if (local_err) {
2794            error_propagate(errp, local_err);
2795            goto fail;
2796        }
2797        visit_complete(v, &obj);
2798
2799        qdict = qobject_to(QDict, obj);
2800        qdict_flatten(qdict);
2801
2802        /* bdrv_open_inherit() defaults to the values in bdrv_flags (for
2803         * compatibility with other callers) rather than what we want as the
2804         * real defaults. Apply the defaults here instead. */
2805        qdict_set_default_str(qdict, BDRV_OPT_CACHE_DIRECT, "off");
2806        qdict_set_default_str(qdict, BDRV_OPT_CACHE_NO_FLUSH, "off");
2807        qdict_set_default_str(qdict, BDRV_OPT_READ_ONLY, "off");
2808        qdict_set_default_str(qdict, BDRV_OPT_AUTO_READ_ONLY, "off");
2809
2810    }
2811
2812    bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, errp);
2813    obj = NULL;
2814
2815fail:
2816    qobject_unref(obj);
2817    visit_free(v);
2818    return bs;
2819}
2820
2821static BlockDriverState *bdrv_append_temp_snapshot(BlockDriverState *bs,
2822                                                   int flags,
2823                                                   QDict *snapshot_options,
2824                                                   Error **errp)
2825{
2826    /* TODO: extra byte is a hack to ensure MAX_PATH space on Windows. */
2827    char *tmp_filename = g_malloc0(PATH_MAX + 1);
2828    int64_t total_size;
2829    QemuOpts *opts = NULL;
2830    BlockDriverState *bs_snapshot = NULL;
2831    Error *local_err = NULL;
2832    int ret;
2833
2834    /* if snapshot, we create a temporary backing file and open it
2835       instead of opening 'filename' directly */
2836
2837    /* Get the required size from the image */
2838    total_size = bdrv_getlength(bs);
2839    if (total_size < 0) {
2840        error_setg_errno(errp, -total_size, "Could not get image size");
2841        goto out;
2842    }
2843
2844    /* Create the temporary image */
2845    ret = get_tmp_filename(tmp_filename, PATH_MAX + 1);
2846    if (ret < 0) {
2847        error_setg_errno(errp, -ret, "Could not get temporary filename");
2848        goto out;
2849    }
2850
2851    opts = qemu_opts_create(bdrv_qcow2.create_opts, NULL, 0,
2852                            &error_abort);
2853    qemu_opt_set_number(opts, BLOCK_OPT_SIZE, total_size, &error_abort);
2854    ret = bdrv_create(&bdrv_qcow2, tmp_filename, opts, errp);
2855    qemu_opts_del(opts);
2856    if (ret < 0) {
2857        error_prepend(errp, "Could not create temporary overlay '%s': ",
2858                      tmp_filename);
2859        goto out;
2860    }
2861
2862    /* Prepare options QDict for the temporary file */
2863    qdict_put_str(snapshot_options, "file.driver", "file");
2864    qdict_put_str(snapshot_options, "file.filename", tmp_filename);
2865    qdict_put_str(snapshot_options, "driver", "qcow2");
2866
2867    bs_snapshot = bdrv_open(NULL, NULL, snapshot_options, flags, errp);
2868    snapshot_options = NULL;
2869    if (!bs_snapshot) {
2870        goto out;
2871    }
2872
2873    /* bdrv_append() consumes a strong reference to bs_snapshot
2874     * (i.e. it will call bdrv_unref() on it) even on error, so in
2875     * order to be able to return one, we have to increase
2876     * bs_snapshot's refcount here */
2877    bdrv_ref(bs_snapshot);
2878    bdrv_append(bs_snapshot, bs, &local_err);
2879    if (local_err) {
2880        error_propagate(errp, local_err);
2881        bs_snapshot = NULL;
2882        goto out;
2883    }
2884
2885out:
2886    qobject_unref(snapshot_options);
2887    g_free(tmp_filename);
2888    return bs_snapshot;
2889}
2890
2891/*
2892 * Opens a disk image (raw, qcow2, vmdk, ...)
2893 *
2894 * options is a QDict of options to pass to the block drivers, or NULL for an
2895 * empty set of options. The reference to the QDict belongs to the block layer
2896 * after the call (even on failure), so if the caller intends to reuse the
2897 * dictionary, it needs to use qobject_ref() before calling bdrv_open.
2898 *
2899 * If *pbs is NULL, a new BDS will be created with a pointer to it stored there.
2900 * If it is not NULL, the referenced BDS will be reused.
2901 *
2902 * The reference parameter may be used to specify an existing block device which
2903 * should be opened. If specified, neither options nor a filename may be given,
2904 * nor can an existing BDS be reused (that is, *pbs has to be NULL).
2905 */
2906static BlockDriverState *bdrv_open_inherit(const char *filename,
2907                                           const char *reference,
2908                                           QDict *options, int flags,
2909                                           BlockDriverState *parent,
2910                                           const BdrvChildRole *child_role,
2911                                           Error **errp)
2912{
2913    int ret;
2914    BlockBackend *file = NULL;
2915    BlockDriverState *bs;
2916    BlockDriver *drv = NULL;
2917    BdrvChild *child;
2918    const char *drvname;
2919    const char *backing;
2920    Error *local_err = NULL;
2921    QDict *snapshot_options = NULL;
2922    int snapshot_flags = 0;
2923
2924    assert(!child_role || !flags);
2925    assert(!child_role == !parent);
2926
2927    if (reference) {
2928        bool options_non_empty = options ? qdict_size(options) : false;
2929        qobject_unref(options);
2930
2931        if (filename || options_non_empty) {
2932            error_setg(errp, "Cannot reference an existing block device with "
2933                       "additional options or a new filename");
2934            return NULL;
2935        }
2936
2937        bs = bdrv_lookup_bs(reference, reference, errp);
2938        if (!bs) {
2939            return NULL;
2940        }
2941
2942        bdrv_ref(bs);
2943        return bs;
2944    }
2945
2946    bs = bdrv_new();
2947
2948    /* NULL means an empty set of options */
2949    if (options == NULL) {
2950        options = qdict_new();
2951    }
2952
2953    /* json: syntax counts as explicit options, as if in the QDict */
2954    parse_json_protocol(options, &filename, &local_err);
2955    if (local_err) {
2956        goto fail;
2957    }
2958
2959    bs->explicit_options = qdict_clone_shallow(options);
2960
2961    if (child_role) {
2962        bs->inherits_from = parent;
2963        child_role->inherit_options(&flags, options,
2964                                    parent->open_flags, parent->options);
2965    }
2966
2967    ret = bdrv_fill_options(&options, filename, &flags, &local_err);
2968    if (local_err) {
2969        goto fail;
2970    }
2971
2972    /*
2973     * Set the BDRV_O_RDWR and BDRV_O_ALLOW_RDWR flags.
2974     * Caution: getting a boolean member of @options requires care.
2975     * When @options come from -blockdev or blockdev_add, members are
2976     * typed according to the QAPI schema, but when they come from
2977     * -drive, they're all QString.
2978     */
2979    if (g_strcmp0(qdict_get_try_str(options, BDRV_OPT_READ_ONLY), "on") &&
2980        !qdict_get_try_bool(options, BDRV_OPT_READ_ONLY, false)) {
2981        flags |= (BDRV_O_RDWR | BDRV_O_ALLOW_RDWR);
2982    } else {
2983        flags &= ~BDRV_O_RDWR;
2984    }
2985
2986    if (flags & BDRV_O_SNAPSHOT) {
2987        snapshot_options = qdict_new();
2988        bdrv_temp_snapshot_options(&snapshot_flags, snapshot_options,
2989                                   flags, options);
2990        /* Let bdrv_backing_options() override "read-only" */
2991        qdict_del(options, BDRV_OPT_READ_ONLY);
2992        bdrv_backing_options(&flags, options, flags, options);
2993    }
2994
2995    bs->open_flags = flags;
2996    bs->options = options;
2997    options = qdict_clone_shallow(options);
2998
2999    /* Find the right image format driver */
3000    /* See cautionary note on accessing @options above */
3001    drvname = qdict_get_try_str(options, "driver");
3002    if (drvname) {
3003        drv = bdrv_find_format(drvname);
3004        if (!drv) {
3005            error_setg(errp, "Unknown driver: '%s'", drvname);
3006            goto fail;
3007        }
3008    }
3009
3010    assert(drvname || !(flags & BDRV_O_PROTOCOL));
3011
3012    /* See cautionary note on accessing @options above */
3013    backing = qdict_get_try_str(options, "backing");
3014    if (qobject_to(QNull, qdict_get(options, "backing")) != NULL ||
3015        (backing && *backing == '\0'))
3016    {
3017        if (backing) {
3018            warn_report("Use of \"backing\": \"\" is deprecated; "
3019                        "use \"backing\": null instead");
3020        }
3021        flags |= BDRV_O_NO_BACKING;
3022        qdict_del(bs->explicit_options, "backing");
3023        qdict_del(bs->options, "backing");
3024        qdict_del(options, "backing");
3025    }
3026
3027    /* Open image file without format layer. This BlockBackend is only used for
3028     * probing, the block drivers will do their own bdrv_open_child() for the
3029     * same BDS, which is why we put the node name back into options. */
3030    if ((flags & BDRV_O_PROTOCOL) == 0) {
3031        BlockDriverState *file_bs;
3032
3033        file_bs = bdrv_open_child_bs(filename, options, "file", bs,
3034                                     &child_file, true, &local_err);
3035        if (local_err) {
3036            goto fail;
3037        }
3038        if (file_bs != NULL) {
3039            /* Not requesting BLK_PERM_CONSISTENT_READ because we're only
3040             * looking at the header to guess the image format. This works even
3041             * in cases where a guest would not see a consistent state. */
3042            file = blk_new(bdrv_get_aio_context(file_bs), 0, BLK_PERM_ALL);
3043            blk_insert_bs(file, file_bs, &local_err);
3044            bdrv_unref(file_bs);
3045            if (local_err) {
3046                goto fail;
3047            }
3048
3049            qdict_put_str(options, "file", bdrv_get_node_name(file_bs));
3050        }
3051    }
3052
3053    /* Image format probing */
3054    bs->probed = !drv;
3055    if (!drv && file) {
3056        ret = find_image_format(file, filename, &drv, &local_err);
3057        if (ret < 0) {
3058            goto fail;
3059        }
3060        /*
3061         * This option update would logically belong in bdrv_fill_options(),
3062         * but we first need to open bs->file for the probing to work, while
3063         * opening bs->file already requires the (mostly) final set of options
3064         * so that cache mode etc. can be inherited.
3065         *
3066         * Adding the driver later is somewhat ugly, but it's not an option
3067         * that would ever be inherited, so it's correct. We just need to make
3068         * sure to update both bs->options (which has the full effective
3069         * options for bs) and options (which has file.* already removed).
3070         */
3071        qdict_put_str(bs->options, "driver", drv->format_name);
3072        qdict_put_str(options, "driver", drv->format_name);
3073    } else if (!drv) {
3074        error_setg(errp, "Must specify either driver or file");
3075        goto fail;
3076    }
3077
3078    /* BDRV_O_PROTOCOL must be set iff a protocol BDS is about to be created */
3079    assert(!!(flags & BDRV_O_PROTOCOL) == !!drv->bdrv_file_open);
3080    /* file must be NULL if a protocol BDS is about to be created
3081     * (the inverse results in an error message from bdrv_open_common()) */
3082    assert(!(flags & BDRV_O_PROTOCOL) || !file);
3083
3084    /* Open the image */
3085    ret = bdrv_open_common(bs, file, options, &local_err);
3086    if (ret < 0) {
3087        goto fail;
3088    }
3089
3090    if (file) {
3091        blk_unref(file);
3092        file = NULL;
3093    }
3094
3095    /* If there is a backing file, use it */
3096    if ((flags & BDRV_O_NO_BACKING) == 0) {
3097        ret = bdrv_open_backing_file(bs, options, "backing", &local_err);
3098        if (ret < 0) {
3099            goto close_and_fail;
3100        }
3101    }
3102
3103    /* Remove all children options and references
3104     * from bs->options and bs->explicit_options */
3105    QLIST_FOREACH(child, &bs->children, next) {
3106        char *child_key_dot;
3107        child_key_dot = g_strdup_printf("%s.", child->name);
3108        qdict_extract_subqdict(bs->explicit_options, NULL, child_key_dot);
3109        qdict_extract_subqdict(bs->options, NULL, child_key_dot);
3110        qdict_del(bs->explicit_options, child->name);
3111        qdict_del(bs->options, child->name);
3112        g_free(child_key_dot);
3113    }
3114
3115    /* Check if any unknown options were used */
3116    if (qdict_size(options) != 0) {
3117        const QDictEntry *entry = qdict_first(options);
3118        if (flags & BDRV_O_PROTOCOL) {
3119            error_setg(errp, "Block protocol '%s' doesn't support the option "
3120                       "'%s'", drv->format_name, entry->key);
3121        } else {
3122            error_setg(errp,
3123                       "Block format '%s' does not support the option '%s'",
3124                       drv->format_name, entry->key);
3125        }
3126
3127        goto close_and_fail;
3128    }
3129
3130    bdrv_parent_cb_change_media(bs, true);
3131
3132    qobject_unref(options);
3133    options = NULL;
3134
3135    /* For snapshot=on, create a temporary qcow2 overlay. bs points to the
3136     * temporary snapshot afterwards. */
3137    if (snapshot_flags) {
3138        BlockDriverState *snapshot_bs;
3139        snapshot_bs = bdrv_append_temp_snapshot(bs, snapshot_flags,
3140                                                snapshot_options, &local_err);
3141        snapshot_options = NULL;
3142        if (local_err) {
3143            goto close_and_fail;
3144        }
3145        /* We are not going to return bs but the overlay on top of it
3146         * (snapshot_bs); thus, we have to drop the strong reference to bs
3147         * (which we obtained by calling bdrv_new()). bs will not be deleted,
3148         * though, because the overlay still has a reference to it. */
3149        bdrv_unref(bs);
3150        bs = snapshot_bs;
3151    }
3152
3153    return bs;
3154
3155fail:
3156    blk_unref(file);
3157    qobject_unref(snapshot_options);
3158    qobject_unref(bs->explicit_options);
3159    qobject_unref(bs->options);
3160    qobject_unref(options);
3161    bs->options = NULL;
3162    bs->explicit_options = NULL;
3163    bdrv_unref(bs);
3164    error_propagate(errp, local_err);
3165    return NULL;
3166
3167close_and_fail:
3168    bdrv_unref(bs);
3169    qobject_unref(snapshot_options);
3170    qobject_unref(options);
3171    error_propagate(errp, local_err);
3172    return NULL;
3173}
3174
3175BlockDriverState *bdrv_open(const char *filename, const char *reference,
3176                            QDict *options, int flags, Error **errp)
3177{
3178    return bdrv_open_inherit(filename, reference, options, flags, NULL,
3179                             NULL, errp);
3180}
3181
3182/* Return true if the NULL-terminated @list contains @str */
3183static bool is_str_in_list(const char *str, const char *const *list)
3184{
3185    if (str && list) {
3186        int i;
3187        for (i = 0; list[i] != NULL; i++) {
3188            if (!strcmp(str, list[i])) {
3189                return true;
3190            }
3191        }
3192    }
3193    return false;
3194}
3195
3196/*
3197 * Check that every option set in @bs->options is also set in
3198 * @new_opts.
3199 *
3200 * Options listed in the common_options list and in
3201 * @bs->drv->mutable_opts are skipped.
3202 *
3203 * Return 0 on success, otherwise return -EINVAL and set @errp.
3204 */
3205static int bdrv_reset_options_allowed(BlockDriverState *bs,
3206                                      const QDict *new_opts, Error **errp)
3207{
3208    const QDictEntry *e;
3209    /* These options are common to all block drivers and are handled
3210     * in bdrv_reopen_prepare() so they can be left out of @new_opts */
3211    const char *const common_options[] = {
3212        "node-name", "discard", "cache.direct", "cache.no-flush",
3213        "read-only", "auto-read-only", "detect-zeroes", NULL
3214    };
3215
3216    for (e = qdict_first(bs->options); e; e = qdict_next(bs->options, e)) {
3217        if (!qdict_haskey(new_opts, e->key) &&
3218            !is_str_in_list(e->key, common_options) &&
3219            !is_str_in_list(e->key, bs->drv->mutable_opts)) {
3220            error_setg(errp, "Option '%s' cannot be reset "
3221                       "to its default value", e->key);
3222            return -EINVAL;
3223        }
3224    }
3225
3226    return 0;
3227}
3228
3229/*
3230 * Returns true if @child can be reached recursively from @bs
3231 */
3232static bool bdrv_recurse_has_child(BlockDriverState *bs,
3233                                   BlockDriverState *child)
3234{
3235    BdrvChild *c;
3236
3237    if (bs == child) {
3238        return true;
3239    }
3240
3241    QLIST_FOREACH(c, &bs->children, next) {
3242        if (bdrv_recurse_has_child(c->bs, child)) {
3243            return true;
3244        }
3245    }
3246
3247    return false;
3248}
3249
3250/*
3251 * Adds a BlockDriverState to a simple queue for an atomic, transactional
3252 * reopen of multiple devices.
3253 *
3254 * bs_queue can either be an existing BlockReopenQueue that has had QTAILQ_INIT
3255 * already performed, or alternatively may be NULL a new BlockReopenQueue will
3256 * be created and initialized. This newly created BlockReopenQueue should be
3257 * passed back in for subsequent calls that are intended to be of the same
3258 * atomic 'set'.
3259 *
3260 * bs is the BlockDriverState to add to the reopen queue.
3261 *
3262 * options contains the changed options for the associated bs
3263 * (the BlockReopenQueue takes ownership)
3264 *
3265 * flags contains the open flags for the associated bs
3266 *
3267 * returns a pointer to bs_queue, which is either the newly allocated
3268 * bs_queue, or the existing bs_queue being used.
3269 *
3270 * bs must be drained between bdrv_reopen_queue() and bdrv_reopen_multiple().
3271 */
3272static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue,
3273                                                 BlockDriverState *bs,
3274                                                 QDict *options,
3275                                                 const BdrvChildRole *role,
3276                                                 QDict *parent_options,
3277                                                 int parent_flags,
3278                                                 bool keep_old_opts)
3279{
3280    assert(bs != NULL);
3281
3282    BlockReopenQueueEntry *bs_entry;
3283    BdrvChild *child;
3284    QDict *old_options, *explicit_options, *options_copy;
3285    int flags;
3286    QemuOpts *opts;
3287
3288    /* Make sure that the caller remembered to use a drained section. This is
3289     * important to avoid graph changes between the recursive queuing here and
3290     * bdrv_reopen_multiple(). */
3291    assert(bs->quiesce_counter > 0);
3292
3293    if (bs_queue == NULL) {
3294        bs_queue = g_new0(BlockReopenQueue, 1);
3295        QTAILQ_INIT(bs_queue);
3296    }
3297
3298    if (!options) {
3299        options = qdict_new();
3300    }
3301
3302    /* Check if this BlockDriverState is already in the queue */
3303    QTAILQ_FOREACH(bs_entry, bs_queue, entry) {
3304        if (bs == bs_entry->state.bs) {
3305            break;
3306        }
3307    }
3308
3309    /*
3310     * Precedence of options:
3311     * 1. Explicitly passed in options (highest)
3312     * 2. Retained from explicitly set options of bs
3313     * 3. Inherited from parent node
3314     * 4. Retained from effective options of bs
3315     */
3316
3317    /* Old explicitly set values (don't overwrite by inherited value) */
3318    if (bs_entry || keep_old_opts) {
3319        old_options = qdict_clone_shallow(bs_entry ?
3320                                          bs_entry->state.explicit_options :
3321                                          bs->explicit_options);
3322        bdrv_join_options(bs, options, old_options);
3323        qobject_unref(old_options);
3324    }
3325
3326    explicit_options = qdict_clone_shallow(options);
3327
3328    /* Inherit from parent node */
3329    if (parent_options) {
3330        flags = 0;
3331        role->inherit_options(&flags, options, parent_flags, parent_options);
3332    } else {
3333        flags = bdrv_get_flags(bs);
3334    }
3335
3336    if (keep_old_opts) {
3337        /* Old values are used for options that aren't set yet */
3338        old_options = qdict_clone_shallow(bs->options);
3339        bdrv_join_options(bs, options, old_options);
3340        qobject_unref(old_options);
3341    }
3342
3343    /* We have the final set of options so let's update the flags */
3344    options_copy = qdict_clone_shallow(options);
3345    opts = qemu_opts_create(&bdrv_runtime_opts, NULL, 0, &error_abort);
3346    qemu_opts_absorb_qdict(opts, options_copy, NULL);
3347    update_flags_from_options(&flags, opts);
3348    qemu_opts_del(opts);
3349    qobject_unref(options_copy);
3350
3351    /* bdrv_open_inherit() sets and clears some additional flags internally */
3352    flags &= ~BDRV_O_PROTOCOL;
3353    if (flags & BDRV_O_RDWR) {
3354        flags |= BDRV_O_ALLOW_RDWR;
3355    }
3356
3357    if (!bs_entry) {
3358        bs_entry = g_new0(BlockReopenQueueEntry, 1);
3359        QTAILQ_INSERT_TAIL(bs_queue, bs_entry, entry);
3360    } else {
3361        qobject_unref(bs_entry->state.options);
3362        qobject_unref(bs_entry->state.explicit_options);
3363    }
3364
3365    bs_entry->state.bs = bs;
3366    bs_entry->state.options = options;
3367    bs_entry->state.explicit_options = explicit_options;
3368    bs_entry->state.flags = flags;
3369
3370    /* This needs to be overwritten in bdrv_reopen_prepare() */
3371    bs_entry->state.perm = UINT64_MAX;
3372    bs_entry->state.shared_perm = 0;
3373
3374    /*
3375     * If keep_old_opts is false then it means that unspecified
3376     * options must be reset to their original value. We don't allow
3377     * resetting 'backing' but we need to know if the option is
3378     * missing in order to decide if we have to return an error.
3379     */
3380    if (!keep_old_opts) {
3381        bs_entry->state.backing_missing =
3382            !qdict_haskey(options, "backing") &&
3383            !qdict_haskey(options, "backing.driver");
3384    }
3385
3386    QLIST_FOREACH(child, &bs->children, next) {
3387        QDict *new_child_options = NULL;
3388        bool child_keep_old = keep_old_opts;
3389
3390        /* reopen can only change the options of block devices that were
3391         * implicitly created and inherited options. For other (referenced)
3392         * block devices, a syntax like "backing.foo" results in an error. */
3393        if (child->bs->inherits_from != bs) {
3394            continue;
3395        }
3396
3397        /* Check if the options contain a child reference */
3398        if (qdict_haskey(options, child->name)) {
3399            const char *childref = qdict_get_try_str(options, child->name);
3400            /*
3401             * The current child must not be reopened if the child
3402             * reference is null or points to a different node.
3403             */
3404            if (g_strcmp0(childref, child->bs->node_name)) {
3405                continue;
3406            }
3407            /*
3408             * If the child reference points to the current child then
3409             * reopen it with its existing set of options (note that
3410             * it can still inherit new options from the parent).
3411             */
3412            child_keep_old = true;
3413        } else {
3414            /* Extract child options ("child-name.*") */
3415            char *child_key_dot = g_strdup_printf("%s.", child->name);
3416            qdict_extract_subqdict(explicit_options, NULL, child_key_dot);
3417            qdict_extract_subqdict(options, &new_child_options, child_key_dot);
3418            g_free(child_key_dot);
3419        }
3420
3421        bdrv_reopen_queue_child(bs_queue, child->bs, new_child_options,
3422                                child->role, options, flags, child_keep_old);
3423    }
3424
3425    return bs_queue;
3426}
3427
3428BlockReopenQueue *bdrv_reopen_queue(BlockReopenQueue *bs_queue,
3429                                    BlockDriverState *bs,
3430                                    QDict *options, bool keep_old_opts)
3431{
3432    return bdrv_reopen_queue_child(bs_queue, bs, options, NULL, NULL, 0,
3433                                   keep_old_opts);
3434}
3435
3436/*
3437 * Reopen multiple BlockDriverStates atomically & transactionally.
3438 *
3439 * The queue passed in (bs_queue) must have been built up previous
3440 * via bdrv_reopen_queue().
3441 *
3442 * Reopens all BDS specified in the queue, with the appropriate
3443 * flags.  All devices are prepared for reopen, and failure of any
3444 * device will cause all device changes to be abandoned, and intermediate
3445 * data cleaned up.
3446 *
3447 * If all devices prepare successfully, then the changes are committed
3448 * to all devices.
3449 *
3450 * All affected nodes must be drained between bdrv_reopen_queue() and
3451 * bdrv_reopen_multiple().
3452 */
3453int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, Error **errp)
3454{
3455    int ret = -1;
3456    BlockReopenQueueEntry *bs_entry, *next;
3457
3458    assert(bs_queue != NULL);
3459
3460    QTAILQ_FOREACH(bs_entry, bs_queue, entry) {
3461        assert(bs_entry->state.bs->quiesce_counter > 0);
3462        if (bdrv_reopen_prepare(&bs_entry->state, bs_queue, errp)) {
3463            goto cleanup;
3464        }
3465        bs_entry->prepared = true;
3466    }
3467
3468    QTAILQ_FOREACH(bs_entry, bs_queue, entry) {
3469        BDRVReopenState *state = &bs_entry->state;
3470        ret = bdrv_check_perm(state->bs, bs_queue, state->perm,
3471                              state->shared_perm, NULL, NULL, errp);
3472        if (ret < 0) {
3473            goto cleanup_perm;
3474        }
3475        /* Check if new_backing_bs would accept the new permissions */
3476        if (state->replace_backing_bs && state->new_backing_bs) {
3477            uint64_t nperm, nshared;
3478            bdrv_child_perm(state->bs, state->new_backing_bs,
3479                            NULL, &child_backing, bs_queue,
3480                            state->perm, state->shared_perm,
3481                            &nperm, &nshared);
3482            ret = bdrv_check_update_perm(state->new_backing_bs, NULL,
3483                                         nperm, nshared, NULL, NULL, errp);
3484            if (ret < 0) {
3485                goto cleanup_perm;
3486            }
3487        }
3488        bs_entry->perms_checked = true;
3489    }
3490
3491    /*
3492     * If we reach this point, we have success and just need to apply the
3493     * changes.
3494     *
3495     * Reverse order is used to comfort qcow2 driver: on commit it need to write
3496     * IN_USE flag to the image, to mark bitmaps in the image as invalid. But
3497     * children are usually goes after parents in reopen-queue, so go from last
3498     * to first element.
3499     */
3500    QTAILQ_FOREACH_REVERSE(bs_entry, bs_queue, entry) {
3501        bdrv_reopen_commit(&bs_entry->state);
3502    }
3503
3504    ret = 0;
3505cleanup_perm:
3506    QTAILQ_FOREACH_SAFE(bs_entry, bs_queue, entry, next) {
3507        BDRVReopenState *state = &bs_entry->state;
3508
3509        if (!bs_entry->perms_checked) {
3510            continue;
3511        }
3512
3513        if (ret == 0) {
3514            bdrv_set_perm(state->bs, state->perm, state->shared_perm);
3515        } else {
3516            bdrv_abort_perm_update(state->bs);
3517            if (state->replace_backing_bs && state->new_backing_bs) {
3518                bdrv_abort_perm_update(state->new_backing_bs);
3519            }
3520        }
3521    }
3522cleanup:
3523    QTAILQ_FOREACH_SAFE(bs_entry, bs_queue, entry, next) {
3524        if (ret) {
3525            if (bs_entry->prepared) {
3526                bdrv_reopen_abort(&bs_entry->state);
3527            }
3528            qobject_unref(bs_entry->state.explicit_options);
3529            qobject_unref(bs_entry->state.options);
3530        }
3531        if (bs_entry->state.new_backing_bs) {
3532            bdrv_unref(bs_entry->state.new_backing_bs);
3533        }
3534        g_free(bs_entry);
3535    }
3536    g_free(bs_queue);
3537
3538    return ret;
3539}
3540
3541int bdrv_reopen_set_read_only(BlockDriverState *bs, bool read_only,
3542                              Error **errp)
3543{
3544    int ret;
3545    BlockReopenQueue *queue;
3546    QDict *opts = qdict_new();
3547
3548    qdict_put_bool(opts, BDRV_OPT_READ_ONLY, read_only);
3549
3550    bdrv_subtree_drained_begin(bs);
3551    queue = bdrv_reopen_queue(NULL, bs, opts, true);
3552    ret = bdrv_reopen_multiple(queue, errp);
3553    bdrv_subtree_drained_end(bs);
3554
3555    return ret;
3556}
3557
3558static BlockReopenQueueEntry *find_parent_in_reopen_queue(BlockReopenQueue *q,
3559                                                          BdrvChild *c)
3560{
3561    BlockReopenQueueEntry *entry;
3562
3563    QTAILQ_FOREACH(entry, q, entry) {
3564        BlockDriverState *bs = entry->state.bs;
3565        BdrvChild *child;
3566
3567        QLIST_FOREACH(child, &bs->children, next) {
3568            if (child == c) {
3569                return entry;
3570            }
3571        }
3572    }
3573
3574    return NULL;
3575}
3576
3577static void bdrv_reopen_perm(BlockReopenQueue *q, BlockDriverState *bs,
3578                             uint64_t *perm, uint64_t *shared)
3579{
3580    BdrvChild *c;
3581    BlockReopenQueueEntry *parent;
3582    uint64_t cumulative_perms = 0;
3583    uint64_t cumulative_shared_perms = BLK_PERM_ALL;
3584
3585    QLIST_FOREACH(c, &bs->parents, next_parent) {
3586        parent = find_parent_in_reopen_queue(q, c);
3587        if (!parent) {
3588            cumulative_perms |= c->perm;
3589            cumulative_shared_perms &= c->shared_perm;
3590        } else {
3591            uint64_t nperm, nshared;
3592
3593            bdrv_child_perm(parent->state.bs, bs, c, c->role, q,
3594                            parent->state.perm, parent->state.shared_perm,
3595                            &nperm, &nshared);
3596
3597            cumulative_perms |= nperm;
3598            cumulative_shared_perms &= nshared;
3599        }
3600    }
3601    *perm = cumulative_perms;
3602    *shared = cumulative_shared_perms;
3603}
3604
3605/*
3606 * Take a BDRVReopenState and check if the value of 'backing' in the
3607 * reopen_state->options QDict is valid or not.
3608 *
3609 * If 'backing' is missing from the QDict then return 0.
3610 *
3611 * If 'backing' contains the node name of the backing file of
3612 * reopen_state->bs then return 0.
3613 *
3614 * If 'backing' contains a different node name (or is null) then check
3615 * whether the current backing file can be replaced with the new one.
3616 * If that's the case then reopen_state->replace_backing_bs is set to
3617 * true and reopen_state->new_backing_bs contains a pointer to the new
3618 * backing BlockDriverState (or NULL).
3619 *
3620 * Return 0 on success, otherwise return < 0 and set @errp.
3621 */
3622static int bdrv_reopen_parse_backing(BDRVReopenState *reopen_state,
3623                                     Error **errp)
3624{
3625    BlockDriverState *bs = reopen_state->bs;
3626    BlockDriverState *overlay_bs, *new_backing_bs;
3627    QObject *value;
3628    const char *str;
3629
3630    value = qdict_get(reopen_state->options, "backing");
3631    if (value == NULL) {
3632        return 0;
3633    }
3634
3635    switch (qobject_type(value)) {
3636    case QTYPE_QNULL:
3637        new_backing_bs = NULL;
3638        break;
3639    case QTYPE_QSTRING:
3640        str = qobject_get_try_str(value);
3641        new_backing_bs = bdrv_lookup_bs(NULL, str, errp);
3642        if (new_backing_bs == NULL) {
3643            return -EINVAL;
3644        } else if (bdrv_recurse_has_child(new_backing_bs, bs)) {
3645            error_setg(errp, "Making '%s' a backing file of '%s' "
3646                       "would create a cycle", str, bs->node_name);
3647            return -EINVAL;
3648        }
3649        break;
3650    default:
3651        /* 'backing' does not allow any other data type */
3652        g_assert_not_reached();
3653    }
3654
3655    /*
3656     * TODO: before removing the x- prefix from x-blockdev-reopen we
3657     * should move the new backing file into the right AioContext
3658     * instead of returning an error.
3659     */
3660    if (new_backing_bs) {
3661        if (bdrv_get_aio_context(new_backing_bs) != bdrv_get_aio_context(bs)) {
3662            error_setg(errp, "Cannot use a new backing file "
3663                       "with a different AioContext");
3664            return -EINVAL;
3665        }
3666    }
3667
3668    /*
3669     * Find the "actual" backing file by skipping all links that point
3670     * to an implicit node, if any (e.g. a commit filter node).
3671     */
3672    overlay_bs = bs;
3673    while (backing_bs(overlay_bs) && backing_bs(overlay_bs)->implicit) {
3674        overlay_bs = backing_bs(overlay_bs);
3675    }
3676
3677    /* If we want to replace the backing file we need some extra checks */
3678    if (new_backing_bs != backing_bs(overlay_bs)) {
3679        /* Check for implicit nodes between bs and its backing file */
3680        if (bs != overlay_bs) {
3681            error_setg(errp, "Cannot change backing link if '%s' has "
3682                       "an implicit backing file", bs->node_name);
3683            return -EPERM;
3684        }
3685        /* Check if the backing link that we want to replace is frozen */
3686        if (bdrv_is_backing_chain_frozen(overlay_bs, backing_bs(overlay_bs),
3687                                         errp)) {
3688            return -EPERM;
3689        }
3690        reopen_state->replace_backing_bs = true;
3691        if (new_backing_bs) {
3692            bdrv_ref(new_backing_bs);
3693            reopen_state->new_backing_bs = new_backing_bs;
3694        }
3695    }
3696
3697    return 0;
3698}
3699
3700/*
3701 * Prepares a BlockDriverState for reopen. All changes are staged in the
3702 * 'opaque' field of the BDRVReopenState, which is used and allocated by
3703 * the block driver layer .bdrv_reopen_prepare()
3704 *
3705 * bs is the BlockDriverState to reopen
3706 * flags are the new open flags
3707 * queue is the reopen queue
3708 *
3709 * Returns 0 on success, non-zero on error.  On error errp will be set
3710 * as well.
3711 *
3712 * On failure, bdrv_reopen_abort() will be called to clean up any data.
3713 * It is the responsibility of the caller to then call the abort() or
3714 * commit() for any other BDS that have been left in a prepare() state
3715 *
3716 */
3717int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue,
3718                        Error **errp)
3719{
3720    int ret = -1;
3721    int old_flags;
3722    Error *local_err = NULL;
3723    BlockDriver *drv;
3724    QemuOpts *opts;
3725    QDict *orig_reopen_opts;
3726    char *discard = NULL;
3727    bool read_only;
3728    bool drv_prepared = false;
3729
3730    assert(reopen_state != NULL);
3731    assert(reopen_state->bs->drv != NULL);
3732    drv = reopen_state->bs->drv;
3733
3734    /* This function and each driver's bdrv_reopen_prepare() remove
3735     * entries from reopen_state->options as they are processed, so
3736     * we need to make a copy of the original QDict. */
3737    orig_reopen_opts = qdict_clone_shallow(reopen_state->options);
3738
3739    /* Process generic block layer options */
3740    opts = qemu_opts_create(&bdrv_runtime_opts, NULL, 0, &error_abort);
3741    qemu_opts_absorb_qdict(opts, reopen_state->options, &local_err);
3742    if (local_err) {
3743        error_propagate(errp, local_err);
3744        ret = -EINVAL;
3745        goto error;
3746    }
3747
3748    /* This was already called in bdrv_reopen_queue_child() so the flags
3749     * are up-to-date. This time we simply want to remove the options from
3750     * QemuOpts in order to indicate that they have been processed. */
3751    old_flags = reopen_state->flags;
3752    update_flags_from_options(&reopen_state->flags, opts);
3753    assert(old_flags == reopen_state->flags);
3754
3755    discard = qemu_opt_get_del(opts, BDRV_OPT_DISCARD);
3756    if (discard != NULL) {
3757        if (bdrv_parse_discard_flags(discard, &reopen_state->flags) != 0) {
3758            error_setg(errp, "Invalid discard option");
3759            ret = -EINVAL;
3760            goto error;
3761        }
3762    }
3763
3764    reopen_state->detect_zeroes =
3765        bdrv_parse_detect_zeroes(opts, reopen_state->flags, &local_err);
3766    if (local_err) {
3767        error_propagate(errp, local_err);
3768        ret = -EINVAL;
3769        goto error;
3770    }
3771
3772    /* All other options (including node-name and driver) must be unchanged.
3773     * Put them back into the QDict, so that they are checked at the end
3774     * of this function. */
3775    qemu_opts_to_qdict(opts, reopen_state->options);
3776
3777    /* If we are to stay read-only, do not allow permission change
3778     * to r/w. Attempting to set to r/w may fail if either BDRV_O_ALLOW_RDWR is
3779     * not set, or if the BDS still has copy_on_read enabled */
3780    read_only = !(reopen_state->flags & BDRV_O_RDWR);
3781    ret = bdrv_can_set_read_only(reopen_state->bs, read_only, true, &local_err);
3782    if (local_err) {
3783        error_propagate(errp, local_err);
3784        goto error;
3785    }
3786
3787    /* Calculate required permissions after reopening */
3788    bdrv_reopen_perm(queue, reopen_state->bs,
3789                     &reopen_state->perm, &reopen_state->shared_perm);
3790
3791    ret = bdrv_flush(reopen_state->bs);
3792    if (ret) {
3793        error_setg_errno(errp, -ret, "Error flushing drive");
3794        goto error;
3795    }
3796
3797    if (drv->bdrv_reopen_prepare) {
3798        /*
3799         * If a driver-specific option is missing, it means that we
3800         * should reset it to its default value.
3801         * But not all options allow that, so we need to check it first.
3802         */
3803        ret = bdrv_reset_options_allowed(reopen_state->bs,
3804                                         reopen_state->options, errp);
3805        if (ret) {
3806            goto error;
3807        }
3808
3809        ret = drv->bdrv_reopen_prepare(reopen_state, queue, &local_err);
3810        if (ret) {
3811            if (local_err != NULL) {
3812                error_propagate(errp, local_err);
3813            } else {
3814                bdrv_refresh_filename(reopen_state->bs);
3815                error_setg(errp, "failed while preparing to reopen image '%s'",
3816                           reopen_state->bs->filename);
3817            }
3818            goto error;
3819        }
3820    } else {
3821        /* It is currently mandatory to have a bdrv_reopen_prepare()
3822         * handler for each supported drv. */
3823        error_setg(errp, "Block format '%s' used by node '%s' "
3824                   "does not support reopening files", drv->format_name,
3825                   bdrv_get_device_or_node_name(reopen_state->bs));
3826        ret = -1;
3827        goto error;
3828    }
3829
3830    drv_prepared = true;
3831
3832    /*
3833     * We must provide the 'backing' option if the BDS has a backing
3834     * file or if the image file has a backing file name as part of
3835     * its metadata. Otherwise the 'backing' option can be omitted.
3836     */
3837    if (drv->supports_backing && reopen_state->backing_missing &&
3838        (backing_bs(reopen_state->bs) || reopen_state->bs->backing_file[0])) {
3839        error_setg(errp, "backing is missing for '%s'",
3840                   reopen_state->bs->node_name);
3841        ret = -EINVAL;
3842        goto error;
3843    }
3844
3845    /*
3846     * Allow changing the 'backing' option. The new value can be
3847     * either a reference to an existing node (using its node name)
3848     * or NULL to simply detach the current backing file.
3849     */
3850    ret = bdrv_reopen_parse_backing(reopen_state, errp);
3851    if (ret < 0) {
3852        goto error;
3853    }
3854    qdict_del(reopen_state->options, "backing");
3855
3856    /* Options that are not handled are only okay if they are unchanged
3857     * compared to the old state. It is expected that some options are only
3858     * used for the initial open, but not reopen (e.g. filename) */
3859    if (qdict_size(reopen_state->options)) {
3860        const QDictEntry *entry = qdict_first(reopen_state->options);
3861
3862        do {
3863            QObject *new = entry->value;
3864            QObject *old = qdict_get(reopen_state->bs->options, entry->key);
3865
3866            /* Allow child references (child_name=node_name) as long as they
3867             * point to the current child (i.e. everything stays the same). */
3868            if (qobject_type(new) == QTYPE_QSTRING) {
3869                BdrvChild *child;
3870                QLIST_FOREACH(child, &reopen_state->bs->children, next) {
3871                    if (!strcmp(child->name, entry->key)) {
3872                        break;
3873                    }
3874                }
3875
3876                if (child) {
3877                    const char *str = qobject_get_try_str(new);
3878                    if (!strcmp(child->bs->node_name, str)) {
3879                        continue; /* Found child with this name, skip option */
3880                    }
3881                }
3882            }
3883
3884            /*
3885             * TODO: When using -drive to specify blockdev options, all values
3886             * will be strings; however, when using -blockdev, blockdev-add or
3887             * filenames using the json:{} pseudo-protocol, they will be
3888             * correctly typed.
3889             * In contrast, reopening options are (currently) always strings
3890             * (because you can only specify them through qemu-io; all other
3891             * callers do not specify any options).
3892             * Therefore, when using anything other than -drive to create a BDS,
3893             * this cannot detect non-string options as unchanged, because
3894             * qobject_is_equal() always returns false for objects of different
3895             * type.  In the future, this should be remedied by correctly typing
3896             * all options.  For now, this is not too big of an issue because
3897             * the user can simply omit options which cannot be changed anyway,
3898             * so they will stay unchanged.
3899             */
3900            if (!qobject_is_equal(new, old)) {
3901                error_setg(errp, "Cannot change the option '%s'", entry->key);
3902                ret = -EINVAL;
3903                goto error;
3904            }
3905        } while ((entry = qdict_next(reopen_state->options, entry)));
3906    }
3907
3908    ret = 0;
3909
3910    /* Restore the original reopen_state->options QDict */
3911    qobject_unref(reopen_state->options);
3912    reopen_state->options = qobject_ref(orig_reopen_opts);
3913
3914error:
3915    if (ret < 0 && drv_prepared) {
3916        /* drv->bdrv_reopen_prepare() has succeeded, so we need to
3917         * call drv->bdrv_reopen_abort() before signaling an error
3918         * (bdrv_reopen_multiple() will not call bdrv_reopen_abort()
3919         * when the respective bdrv_reopen_prepare() has failed) */
3920        if (drv->bdrv_reopen_abort) {
3921            drv->bdrv_reopen_abort(reopen_state);
3922        }
3923    }
3924    qemu_opts_del(opts);
3925    qobject_unref(orig_reopen_opts);
3926    g_free(discard);
3927    return ret;
3928}
3929
3930/*
3931 * Takes the staged changes for the reopen from bdrv_reopen_prepare(), and
3932 * makes them final by swapping the staging BlockDriverState contents into
3933 * the active BlockDriverState contents.
3934 */
3935void bdrv_reopen_commit(BDRVReopenState *reopen_state)
3936{
3937    BlockDriver *drv;
3938    BlockDriverState *bs;
3939    BdrvChild *child;
3940
3941    assert(reopen_state != NULL);
3942    bs = reopen_state->bs;
3943    drv = bs->drv;
3944    assert(drv != NULL);
3945
3946    /* If there are any driver level actions to take */
3947    if (drv->bdrv_reopen_commit) {
3948        drv->bdrv_reopen_commit(reopen_state);
3949    }
3950
3951    /* set BDS specific flags now */
3952    qobject_unref(bs->explicit_options);
3953    qobject_unref(bs->options);
3954
3955    bs->explicit_options   = reopen_state->explicit_options;
3956    bs->options            = reopen_state->options;
3957    bs->open_flags         = reopen_state->flags;
3958    bs->read_only = !(reopen_state->flags & BDRV_O_RDWR);
3959    bs->detect_zeroes      = reopen_state->detect_zeroes;
3960
3961    if (reopen_state->replace_backing_bs) {
3962        qdict_del(bs->explicit_options, "backing");
3963        qdict_del(bs->options, "backing");
3964    }
3965
3966    /* Remove child references from bs->options and bs->explicit_options.
3967     * Child options were already removed in bdrv_reopen_queue_child() */
3968    QLIST_FOREACH(child, &bs->children, next) {
3969        qdict_del(bs->explicit_options, child->name);
3970        qdict_del(bs->options, child->name);
3971    }
3972
3973    /*
3974     * Change the backing file if a new one was specified. We do this
3975     * after updating bs->options, so bdrv_refresh_filename() (called
3976     * from bdrv_set_backing_hd()) has the new values.
3977     */
3978    if (reopen_state->replace_backing_bs) {
3979        BlockDriverState *old_backing_bs = backing_bs(bs);
3980        assert(!old_backing_bs || !old_backing_bs->implicit);
3981        /* Abort the permission update on the backing bs we're detaching */
3982        if (old_backing_bs) {
3983            bdrv_abort_perm_update(old_backing_bs);
3984        }
3985        bdrv_set_backing_hd(bs, reopen_state->new_backing_bs, &error_abort);
3986    }
3987
3988    bdrv_refresh_limits(bs, NULL);
3989}
3990
3991/*
3992 * Abort the reopen, and delete and free the staged changes in
3993 * reopen_state
3994 */
3995void bdrv_reopen_abort(BDRVReopenState *reopen_state)
3996{
3997    BlockDriver *drv;
3998
3999    assert(reopen_state != NULL);
4000    drv = reopen_state->bs->drv;
4001    assert(drv != NULL);
4002
4003    if (drv->bdrv_reopen_abort) {
4004        drv->bdrv_reopen_abort(reopen_state);
4005    }
4006}
4007
4008
4009static void bdrv_close(BlockDriverState *bs)
4010{
4011    BdrvAioNotifier *ban, *ban_next;
4012    BdrvChild *child, *next;
4013
4014    assert(!bs->refcnt);
4015
4016    bdrv_drained_begin(bs); /* complete I/O */
4017    bdrv_flush(bs);
4018    bdrv_drain(bs); /* in case flush left pending I/O */
4019
4020    if (bs->drv) {
4021        if (bs->drv->bdrv_close) {
4022            bs->drv->bdrv_close(bs);
4023        }
4024        bs->drv = NULL;
4025    }
4026
4027    QLIST_FOREACH_SAFE(child, &bs->children, next, next) {
4028        bdrv_unref_child(bs, child);
4029    }
4030
4031    bs->backing = NULL;
4032    bs->file = NULL;
4033    g_free(bs->opaque);
4034    bs->opaque = NULL;
4035    atomic_set(&bs->copy_on_read, 0);
4036    bs->backing_file[0] = '\0';
4037    bs->backing_format[0] = '\0';
4038    bs->total_sectors = 0;
4039    bs->encrypted = false;
4040    bs->sg = false;
4041    qobject_unref(bs->options);
4042    qobject_unref(bs->explicit_options);
4043    bs->options = NULL;
4044    bs->explicit_options = NULL;
4045    qobject_unref(bs->full_open_options);
4046    bs->full_open_options = NULL;
4047
4048    bdrv_release_named_dirty_bitmaps(bs);
4049    assert(QLIST_EMPTY(&bs->dirty_bitmaps));
4050
4051    QLIST_FOREACH_SAFE(ban, &bs->aio_notifiers, list, ban_next) {
4052        g_free(ban);
4053    }
4054    QLIST_INIT(&bs->aio_notifiers);
4055    bdrv_drained_end(bs);
4056}
4057
4058void bdrv_close_all(void)
4059{
4060    assert(job_next(NULL) == NULL);
4061    nbd_export_close_all();
4062
4063    /* Drop references from requests still in flight, such as canceled block
4064     * jobs whose AIO context has not been polled yet */
4065    bdrv_drain_all();
4066
4067    blk_remove_all_bs();
4068    blockdev_close_all_bdrv_states();
4069
4070    assert(QTAILQ_EMPTY(&all_bdrv_states));
4071}
4072
4073static bool should_update_child(BdrvChild *c, BlockDriverState *to)
4074{
4075    GQueue *queue;
4076    GHashTable *found;
4077    bool ret;
4078
4079    if (c->role->stay_at_node) {
4080        return false;
4081    }
4082
4083    /* If the child @c belongs to the BDS @to, replacing the current
4084     * c->bs by @to would mean to create a loop.
4085     *
4086     * Such a case occurs when appending a BDS to a backing chain.
4087     * For instance, imagine the following chain:
4088     *
4089     *   guest device -> node A -> further backing chain...
4090     *
4091     * Now we create a new BDS B which we want to put on top of this
4092     * chain, so we first attach A as its backing node:
4093     *
4094     *                   node B
4095     *                     |
4096     *                     v
4097     *   guest device -> node A -> further backing chain...
4098     *
4099     * Finally we want to replace A by B.  When doing that, we want to
4100     * replace all pointers to A by pointers to B -- except for the
4101     * pointer from B because (1) that would create a loop, and (2)
4102     * that pointer should simply stay intact:
4103     *
4104     *   guest device -> node B
4105     *                     |
4106     *                     v
4107     *                   node A -> further backing chain...
4108     *
4109     * In general, when replacing a node A (c->bs) by a node B (@to),
4110     * if A is a child of B, that means we cannot replace A by B there
4111     * because that would create a loop.  Silently detaching A from B
4112     * is also not really an option.  So overall just leaving A in
4113     * place there is the most sensible choice.
4114     *
4115     * We would also create a loop in any cases where @c is only
4116     * indirectly referenced by @to. Prevent this by returning false
4117     * if @c is found (by breadth-first search) anywhere in the whole
4118     * subtree of @to.
4119     */
4120
4121    ret = true;
4122    found = g_hash_table_new(NULL, NULL);
4123    g_hash_table_add(found, to);
4124    queue = g_queue_new();
4125    g_queue_push_tail(queue, to);
4126
4127    while (!g_queue_is_empty(queue)) {
4128        BlockDriverState *v = g_queue_pop_head(queue);
4129        BdrvChild *c2;
4130
4131        QLIST_FOREACH(c2, &v->children, next) {
4132            if (c2 == c) {
4133                ret = false;
4134                break;
4135            }
4136
4137            if (g_hash_table_contains(found, c2->bs)) {
4138                continue;
4139            }
4140
4141            g_queue_push_tail(queue, c2->bs);
4142            g_hash_table_add(found, c2->bs);
4143        }
4144    }
4145
4146    g_queue_free(queue);
4147    g_hash_table_destroy(found);
4148
4149    return ret;
4150}
4151
4152void bdrv_replace_node(BlockDriverState *from, BlockDriverState *to,
4153                       Error **errp)
4154{
4155    BdrvChild *c, *next;
4156    GSList *list = NULL, *p;
4157    uint64_t perm = 0, shared = BLK_PERM_ALL;
4158    int ret;
4159
4160    /* Make sure that @from doesn't go away until we have successfully attached
4161     * all of its parents to @to. */
4162    bdrv_ref(from);
4163
4164    assert(qemu_get_current_aio_context() == qemu_get_aio_context());
4165    bdrv_drained_begin(from);
4166
4167    /* Put all parents into @list and calculate their cumulative permissions */
4168    QLIST_FOREACH_SAFE(c, &from->parents, next_parent, next) {
4169        assert(c->bs == from);
4170        if (!should_update_child(c, to)) {
4171            continue;
4172        }
4173        if (c->frozen) {
4174            error_setg(errp, "Cannot change '%s' link to '%s'",
4175                       c->name, from->node_name);
4176            goto out;
4177        }
4178        list = g_slist_prepend(list, c);
4179        perm |= c->perm;
4180        shared &= c->shared_perm;
4181    }
4182
4183    /* Check whether the required permissions can be granted on @to, ignoring
4184     * all BdrvChild in @list so that they can't block themselves. */
4185    ret = bdrv_check_update_perm(to, NULL, perm, shared, list, NULL, errp);
4186    if (ret < 0) {
4187        bdrv_abort_perm_update(to);
4188        goto out;
4189    }
4190
4191    /* Now actually perform the change. We performed the permission check for
4192     * all elements of @list at once, so set the permissions all at once at the
4193     * very end. */
4194    for (p = list; p != NULL; p = p->next) {
4195        c = p->data;
4196
4197        bdrv_ref(to);
4198        bdrv_replace_child_noperm(c, to);
4199        bdrv_unref(from);
4200    }
4201
4202    bdrv_get_cumulative_perm(to, &perm, &shared);
4203    bdrv_set_perm(to, perm, shared);
4204
4205out:
4206    g_slist_free(list);
4207    bdrv_drained_end(from);
4208    bdrv_unref(from);
4209}
4210
4211/*
4212 * Add new bs contents at the top of an image chain while the chain is
4213 * live, while keeping required fields on the top layer.
4214 *
4215 * This will modify the BlockDriverState fields, and swap contents
4216 * between bs_new and bs_top. Both bs_new and bs_top are modified.
4217 *
4218 * bs_new must not be attached to a BlockBackend.
4219 *
4220 * This function does not create any image files.
4221 *
4222 * bdrv_append() takes ownership of a bs_new reference and unrefs it because
4223 * that's what the callers commonly need. bs_new will be referenced by the old
4224 * parents of bs_top after bdrv_append() returns. If the caller needs to keep a
4225 * reference of its own, it must call bdrv_ref().
4226 */
4227void bdrv_append(BlockDriverState *bs_new, BlockDriverState *bs_top,
4228                 Error **errp)
4229{
4230    Error *local_err = NULL;
4231
4232    bdrv_set_backing_hd(bs_new, bs_top, &local_err);
4233    if (local_err) {
4234        error_propagate(errp, local_err);
4235        goto out;
4236    }
4237
4238    bdrv_replace_node(bs_top, bs_new, &local_err);
4239    if (local_err) {
4240        error_propagate(errp, local_err);
4241        bdrv_set_backing_hd(bs_new, NULL, &error_abort);
4242        goto out;
4243    }
4244
4245    /* bs_new is now referenced by its new parents, we don't need the
4246     * additional reference any more. */
4247out:
4248    bdrv_unref(bs_new);
4249}
4250
4251static void bdrv_delete(BlockDriverState *bs)
4252{
4253    assert(bdrv_op_blocker_is_empty(bs));
4254    assert(!bs->refcnt);
4255
4256    /* remove from list, if necessary */
4257    if (bs->node_name[0] != '\0') {
4258        QTAILQ_REMOVE(&graph_bdrv_states, bs, node_list);
4259    }
4260    QTAILQ_REMOVE(&all_bdrv_states, bs, bs_list);
4261
4262    bdrv_close(bs);
4263
4264    g_free(bs);
4265}
4266
4267/*
4268 * Run consistency checks on an image
4269 *
4270 * Returns 0 if the check could be completed (it doesn't mean that the image is
4271 * free of errors) or -errno when an internal error occurred. The results of the
4272 * check are stored in res.
4273 */
4274static int coroutine_fn bdrv_co_check(BlockDriverState *bs,
4275                                      BdrvCheckResult *res, BdrvCheckMode fix)
4276{
4277    if (bs->drv == NULL) {
4278        return -ENOMEDIUM;
4279    }
4280    if (bs->drv->bdrv_co_check == NULL) {
4281        return -ENOTSUP;
4282    }
4283
4284    memset(res, 0, sizeof(*res));
4285    return bs->drv->bdrv_co_check(bs, res, fix);
4286}
4287
4288typedef struct CheckCo {
4289    BlockDriverState *bs;
4290    BdrvCheckResult *res;
4291    BdrvCheckMode fix;
4292    int ret;
4293} CheckCo;
4294
4295static void coroutine_fn bdrv_check_co_entry(void *opaque)
4296{
4297    CheckCo *cco = opaque;
4298    cco->ret = bdrv_co_check(cco->bs, cco->res, cco->fix);
4299    aio_wait_kick();
4300}
4301
4302int bdrv_check(BlockDriverState *bs,
4303               BdrvCheckResult *res, BdrvCheckMode fix)
4304{
4305    Coroutine *co;
4306    CheckCo cco = {
4307        .bs = bs,
4308        .res = res,
4309        .ret = -EINPROGRESS,
4310        .fix = fix,
4311    };
4312
4313    if (qemu_in_coroutine()) {
4314        /* Fast-path if already in coroutine context */
4315        bdrv_check_co_entry(&cco);
4316    } else {
4317        co = qemu_coroutine_create(bdrv_check_co_entry, &cco);
4318        bdrv_coroutine_enter(bs, co);
4319        BDRV_POLL_WHILE(bs, cco.ret == -EINPROGRESS);
4320    }
4321
4322    return cco.ret;
4323}
4324
4325/*
4326 * Return values:
4327 * 0        - success
4328 * -EINVAL  - backing format specified, but no file
4329 * -ENOSPC  - can't update the backing file because no space is left in the
4330 *            image file header
4331 * -ENOTSUP - format driver doesn't support changing the backing file
4332 */
4333int bdrv_change_backing_file(BlockDriverState *bs,
4334    const char *backing_file, const char *backing_fmt)
4335{
4336    BlockDriver *drv = bs->drv;
4337    int ret;
4338
4339    if (!drv) {
4340        return -ENOMEDIUM;
4341    }
4342
4343    /* Backing file format doesn't make sense without a backing file */
4344    if (backing_fmt && !backing_file) {
4345        return -EINVAL;
4346    }
4347
4348    if (drv->bdrv_change_backing_file != NULL) {
4349        ret = drv->bdrv_change_backing_file(bs, backing_file, backing_fmt);
4350    } else {
4351        ret = -ENOTSUP;
4352    }
4353
4354    if (ret == 0) {
4355        pstrcpy(bs->backing_file, sizeof(bs->backing_file), backing_file ?: "");
4356        pstrcpy(bs->backing_format, sizeof(bs->backing_format), backing_fmt ?: "");
4357        pstrcpy(bs->auto_backing_file, sizeof(bs->auto_backing_file),
4358                backing_file ?: "");
4359    }
4360    return ret;
4361}
4362
4363/*
4364 * Finds the image layer in the chain that has 'bs' as its backing file.
4365 *
4366 * active is the current topmost image.
4367 *
4368 * Returns NULL if bs is not found in active's image chain,
4369 * or if active == bs.
4370 *
4371 * Returns the bottommost base image if bs == NULL.
4372 */
4373BlockDriverState *bdrv_find_overlay(BlockDriverState *active,
4374                                    BlockDriverState *bs)
4375{
4376    while (active && bs != backing_bs(active)) {
4377        active = backing_bs(active);
4378    }
4379
4380    return active;
4381}
4382
4383/* Given a BDS, searches for the base layer. */
4384BlockDriverState *bdrv_find_base(BlockDriverState *bs)
4385{
4386    return bdrv_find_overlay(bs, NULL);
4387}
4388
4389/*
4390 * Return true if at least one of the backing links between @bs and
4391 * @base is frozen. @errp is set if that's the case.
4392 * @base must be reachable from @bs, or NULL.
4393 */
4394bool bdrv_is_backing_chain_frozen(BlockDriverState *bs, BlockDriverState *base,
4395                                  Error **errp)
4396{
4397    BlockDriverState *i;
4398
4399    for (i = bs; i != base; i = backing_bs(i)) {
4400        if (i->backing && i->backing->frozen) {
4401            error_setg(errp, "Cannot change '%s' link from '%s' to '%s'",
4402                       i->backing->name, i->node_name,
4403                       backing_bs(i)->node_name);
4404            return true;
4405        }
4406    }
4407
4408    return false;
4409}
4410
4411/*
4412 * Freeze all backing links between @bs and @base.
4413 * If any of the links is already frozen the operation is aborted and
4414 * none of the links are modified.
4415 * @base must be reachable from @bs, or NULL.
4416 * Returns 0 on success. On failure returns < 0 and sets @errp.
4417 */
4418int bdrv_freeze_backing_chain(BlockDriverState *bs, BlockDriverState *base,
4419                              Error **errp)
4420{
4421    BlockDriverState *i;
4422
4423    if (bdrv_is_backing_chain_frozen(bs, base, errp)) {
4424        return -EPERM;
4425    }
4426
4427    for (i = bs; i != base; i = backing_bs(i)) {
4428        if (i->backing && backing_bs(i)->never_freeze) {
4429            error_setg(errp, "Cannot freeze '%s' link to '%s'",
4430                       i->backing->name, backing_bs(i)->node_name);
4431            return -EPERM;
4432        }
4433    }
4434
4435    for (i = bs; i != base; i = backing_bs(i)) {
4436        if (i->backing) {
4437            i->backing->frozen = true;
4438        }
4439    }
4440
4441    return 0;
4442}
4443
4444/*
4445 * Unfreeze all backing links between @bs and @base. The caller must
4446 * ensure that all links are frozen before using this function.
4447 * @base must be reachable from @bs, or NULL.
4448 */
4449void bdrv_unfreeze_backing_chain(BlockDriverState *bs, BlockDriverState *base)
4450{
4451    BlockDriverState *i;
4452
4453    for (i = bs; i != base; i = backing_bs(i)) {
4454        if (i->backing) {
4455            assert(i->backing->frozen);
4456            i->backing->frozen = false;
4457        }
4458    }
4459}
4460
4461/*
4462 * Drops images above 'base' up to and including 'top', and sets the image
4463 * above 'top' to have base as its backing file.
4464 *
4465 * Requires that the overlay to 'top' is opened r/w, so that the backing file
4466 * information in 'bs' can be properly updated.
4467 *
4468 * E.g., this will convert the following chain:
4469 * bottom <- base <- intermediate <- top <- active
4470 *
4471 * to
4472 *
4473 * bottom <- base <- active
4474 *
4475 * It is allowed for bottom==base, in which case it converts:
4476 *
4477 * base <- intermediate <- top <- active
4478 *
4479 * to
4480 *
4481 * base <- active
4482 *
4483 * If backing_file_str is non-NULL, it will be used when modifying top's
4484 * overlay image metadata.
4485 *
4486 * Error conditions:
4487 *  if active == top, that is considered an error
4488 *
4489 */
4490int bdrv_drop_intermediate(BlockDriverState *top, BlockDriverState *base,
4491                           const char *backing_file_str)
4492{
4493    BlockDriverState *explicit_top = top;
4494    bool update_inherits_from;
4495    BdrvChild *c, *next;
4496    Error *local_err = NULL;
4497    int ret = -EIO;
4498
4499    bdrv_ref(top);
4500    bdrv_subtree_drained_begin(top);
4501
4502    if (!top->drv || !base->drv) {
4503        goto exit;
4504    }
4505
4506    /* Make sure that base is in the backing chain of top */
4507    if (!bdrv_chain_contains(top, base)) {
4508        goto exit;
4509    }
4510
4511    /* This function changes all links that point to top and makes
4512     * them point to base. Check that none of them is frozen. */
4513    QLIST_FOREACH(c, &top->parents, next_parent) {
4514        if (c->frozen) {
4515            goto exit;
4516        }
4517    }
4518
4519    /* If 'base' recursively inherits from 'top' then we should set
4520     * base->inherits_from to top->inherits_from after 'top' and all
4521     * other intermediate nodes have been dropped.
4522     * If 'top' is an implicit node (e.g. "commit_top") we should skip
4523     * it because no one inherits from it. We use explicit_top for that. */
4524    while (explicit_top && explicit_top->implicit) {
4525        explicit_top = backing_bs(explicit_top);
4526    }
4527    update_inherits_from = bdrv_inherits_from_recursive(base, explicit_top);
4528
4529    /* success - we can delete the intermediate states, and link top->base */
4530    /* TODO Check graph modification op blockers (BLK_PERM_GRAPH_MOD) once
4531     * we've figured out how they should work. */
4532    if (!backing_file_str) {
4533        bdrv_refresh_filename(base);
4534        backing_file_str = base->filename;
4535    }
4536
4537    QLIST_FOREACH_SAFE(c, &top->parents, next_parent, next) {
4538        /* Check whether we are allowed to switch c from top to base */
4539        GSList *ignore_children = g_slist_prepend(NULL, c);
4540        ret = bdrv_check_update_perm(base, NULL, c->perm, c->shared_perm,
4541                                     ignore_children, NULL, &local_err);
4542        g_slist_free(ignore_children);
4543        if (ret < 0) {
4544            error_report_err(local_err);
4545            goto exit;
4546        }
4547
4548        /* If so, update the backing file path in the image file */
4549        if (c->role->update_filename) {
4550            ret = c->role->update_filename(c, base, backing_file_str,
4551                                           &local_err);
4552            if (ret < 0) {
4553                bdrv_abort_perm_update(base);
4554                error_report_err(local_err);
4555                goto exit;
4556            }
4557        }
4558
4559        /* Do the actual switch in the in-memory graph.
4560         * Completes bdrv_check_update_perm() transaction internally. */
4561        bdrv_ref(base);
4562        bdrv_replace_child(c, base);
4563        bdrv_unref(top);
4564    }
4565
4566    if (update_inherits_from) {
4567        base->inherits_from = explicit_top->inherits_from;
4568    }
4569
4570    ret = 0;
4571exit:
4572    bdrv_subtree_drained_end(top);
4573    bdrv_unref(top);
4574    return ret;
4575}
4576
4577/**
4578 * Length of a allocated file in bytes. Sparse files are counted by actual
4579 * allocated space. Return < 0 if error or unknown.
4580 */
4581int64_t bdrv_get_allocated_file_size(BlockDriverState *bs)
4582{
4583    BlockDriver *drv = bs->drv;
4584    if (!drv) {
4585        return -ENOMEDIUM;
4586    }
4587    if (drv->bdrv_get_allocated_file_size) {
4588        return drv->bdrv_get_allocated_file_size(bs);
4589    }
4590    if (bs->file) {
4591        return bdrv_get_allocated_file_size(bs->file->bs);
4592    }
4593    return -ENOTSUP;
4594}
4595
4596/*
4597 * bdrv_measure:
4598 * @drv: Format driver
4599 * @opts: Creation options for new image
4600 * @in_bs: Existing image containing data for new image (may be NULL)
4601 * @errp: Error object
4602 * Returns: A #BlockMeasureInfo (free using qapi_free_BlockMeasureInfo())
4603 *          or NULL on error
4604 *
4605 * Calculate file size required to create a new image.
4606 *
4607 * If @in_bs is given then space for allocated clusters and zero clusters
4608 * from that image are included in the calculation.  If @opts contains a
4609 * backing file that is shared by @in_bs then backing clusters may be omitted
4610 * from the calculation.
4611 *
4612 * If @in_bs is NULL then the calculation includes no allocated clusters
4613 * unless a preallocation option is given in @opts.
4614 *
4615 * Note that @in_bs may use a different BlockDriver from @drv.
4616 *
4617 * If an error occurs the @errp pointer is set.
4618 */
4619BlockMeasureInfo *bdrv_measure(BlockDriver *drv, QemuOpts *opts,
4620                               BlockDriverState *in_bs, Error **errp)
4621{
4622    if (!drv->bdrv_measure) {
4623        error_setg(errp, "Block driver '%s' does not support size measurement",
4624                   drv->format_name);
4625        return NULL;
4626    }
4627
4628    return drv->bdrv_measure(opts, in_bs, errp);
4629}
4630
4631/**
4632 * Return number of sectors on success, -errno on error.
4633 */
4634int64_t bdrv_nb_sectors(BlockDriverState *bs)
4635{
4636    BlockDriver *drv = bs->drv;
4637
4638    if (!drv)
4639        return -ENOMEDIUM;
4640
4641    if (drv->has_variable_length) {
4642        int ret = refresh_total_sectors(bs, bs->total_sectors);
4643        if (ret < 0) {
4644            return ret;
4645        }
4646    }
4647    return bs->total_sectors;
4648}
4649
4650/**
4651 * Return length in bytes on success, -errno on error.
4652 * The length is always a multiple of BDRV_SECTOR_SIZE.
4653 */
4654int64_t bdrv_getlength(BlockDriverState *bs)
4655{
4656    int64_t ret = bdrv_nb_sectors(bs);
4657
4658    ret = ret > INT64_MAX / BDRV_SECTOR_SIZE ? -EFBIG : ret;
4659    return ret < 0 ? ret : ret * BDRV_SECTOR_SIZE;
4660}
4661
4662/* return 0 as number of sectors if no device present or error */
4663void bdrv_get_geometry(BlockDriverState *bs, uint64_t *nb_sectors_ptr)
4664{
4665    int64_t nb_sectors = bdrv_nb_sectors(bs);
4666
4667    *nb_sectors_ptr = nb_sectors < 0 ? 0 : nb_sectors;
4668}
4669
4670bool bdrv_is_sg(BlockDriverState *bs)
4671{
4672    return bs->sg;
4673}
4674
4675bool bdrv_is_encrypted(BlockDriverState *bs)
4676{
4677    if (bs->backing && bs->backing->bs->encrypted) {
4678        return true;
4679    }
4680    return bs->encrypted;
4681}
4682
4683const char *bdrv_get_format_name(BlockDriverState *bs)
4684{
4685    return bs->drv ? bs->drv->format_name : NULL;
4686}
4687
4688static int qsort_strcmp(const void *a, const void *b)
4689{
4690    return strcmp(*(char *const *)a, *(char *const *)b);
4691}
4692
4693void bdrv_iterate_format(void (*it)(void *opaque, const char *name),
4694                         void *opaque, bool read_only)
4695{
4696    BlockDriver *drv;
4697    int count = 0;
4698    int i;
4699    const char **formats = NULL;
4700
4701    QLIST_FOREACH(drv, &bdrv_drivers, list) {
4702        if (drv->format_name) {
4703            bool found = false;
4704            int i = count;
4705
4706            if (use_bdrv_whitelist && !bdrv_is_whitelisted(drv, read_only)) {
4707                continue;
4708            }
4709
4710            while (formats && i && !found) {
4711                found = !strcmp(formats[--i], drv->format_name);
4712            }
4713
4714            if (!found) {
4715                formats = g_renew(const char *, formats, count + 1);
4716                formats[count++] = drv->format_name;
4717            }
4718        }
4719    }
4720
4721    for (i = 0; i < (int)ARRAY_SIZE(block_driver_modules); i++) {
4722        const char *format_name = block_driver_modules[i].format_name;
4723
4724        if (format_name) {
4725            bool found = false;
4726            int j = count;
4727
4728            if (use_bdrv_whitelist &&
4729                !bdrv_format_is_whitelisted(format_name, read_only)) {
4730                continue;
4731            }
4732
4733            while (formats && j && !found) {
4734                found = !strcmp(formats[--j], format_name);
4735            }
4736
4737            if (!found) {
4738                formats = g_renew(const char *, formats, count + 1);
4739                formats[count++] = format_name;
4740            }
4741        }
4742    }
4743
4744    qsort(formats, count, sizeof(formats[0]), qsort_strcmp);
4745
4746    for (i = 0; i < count; i++) {
4747        it(opaque, formats[i]);
4748    }
4749
4750    g_free(formats);
4751}
4752
4753/* This function is to find a node in the bs graph */
4754BlockDriverState *bdrv_find_node(const char *node_name)
4755{
4756    BlockDriverState *bs;
4757
4758    assert(node_name);
4759
4760    QTAILQ_FOREACH(bs, &graph_bdrv_states, node_list) {
4761        if (!strcmp(node_name, bs->node_name)) {
4762            return bs;
4763        }
4764    }
4765    return NULL;
4766}
4767
4768/* Put this QMP function here so it can access the static graph_bdrv_states. */
4769BlockDeviceInfoList *bdrv_named_nodes_list(Error **errp)
4770{
4771    BlockDeviceInfoList *list, *entry;
4772    BlockDriverState *bs;
4773
4774    list = NULL;
4775    QTAILQ_FOREACH(bs, &graph_bdrv_states, node_list) {
4776        BlockDeviceInfo *info = bdrv_block_device_info(NULL, bs, errp);
4777        if (!info) {
4778            qapi_free_BlockDeviceInfoList(list);
4779            return NULL;
4780        }
4781        entry = g_malloc0(sizeof(*entry));
4782        entry->value = info;
4783        entry->next = list;
4784        list = entry;
4785    }
4786
4787    return list;
4788}
4789
4790#define QAPI_LIST_ADD(list, element) do { \
4791    typeof(list) _tmp = g_new(typeof(*(list)), 1); \
4792    _tmp->value = (element); \
4793    _tmp->next = (list); \
4794    (list) = _tmp; \
4795} while (0)
4796
4797typedef struct XDbgBlockGraphConstructor {
4798    XDbgBlockGraph *graph;
4799    GHashTable *graph_nodes;
4800} XDbgBlockGraphConstructor;
4801
4802static XDbgBlockGraphConstructor *xdbg_graph_new(void)
4803{
4804    XDbgBlockGraphConstructor *gr = g_new(XDbgBlockGraphConstructor, 1);
4805
4806    gr->graph = g_new0(XDbgBlockGraph, 1);
4807    gr->graph_nodes = g_hash_table_new(NULL, NULL);
4808
4809    return gr;
4810}
4811
4812static XDbgBlockGraph *xdbg_graph_finalize(XDbgBlockGraphConstructor *gr)
4813{
4814    XDbgBlockGraph *graph = gr->graph;
4815
4816    g_hash_table_destroy(gr->graph_nodes);
4817    g_free(gr);
4818
4819    return graph;
4820}
4821
4822static uintptr_t xdbg_graph_node_num(XDbgBlockGraphConstructor *gr, void *node)
4823{
4824    uintptr_t ret = (uintptr_t)g_hash_table_lookup(gr->graph_nodes, node);
4825
4826    if (ret != 0) {
4827        return ret;
4828    }
4829
4830    /*
4831     * Start counting from 1, not 0, because 0 interferes with not-found (NULL)
4832     * answer of g_hash_table_lookup.
4833     */
4834    ret = g_hash_table_size(gr->graph_nodes) + 1;
4835    g_hash_table_insert(gr->graph_nodes, node, (void *)ret);
4836
4837    return ret;
4838}
4839
4840static void xdbg_graph_add_node(XDbgBlockGraphConstructor *gr, void *node,
4841                                XDbgBlockGraphNodeType type, const char *name)
4842{
4843    XDbgBlockGraphNode *n;
4844
4845    n = g_new0(XDbgBlockGraphNode, 1);
4846
4847    n->id = xdbg_graph_node_num(gr, node);
4848    n->type = type;
4849    n->name = g_strdup(name);
4850
4851    QAPI_LIST_ADD(gr->graph->nodes, n);
4852}
4853
4854static void xdbg_graph_add_edge(XDbgBlockGraphConstructor *gr, void *parent,
4855                                const BdrvChild *child)
4856{
4857    typedef struct {
4858        unsigned int flag;
4859        BlockPermission num;
4860    } PermissionMap;
4861
4862    static const PermissionMap permissions[] = {
4863        { BLK_PERM_CONSISTENT_READ, BLOCK_PERMISSION_CONSISTENT_READ },
4864        { BLK_PERM_WRITE,           BLOCK_PERMISSION_WRITE },
4865        { BLK_PERM_WRITE_UNCHANGED, BLOCK_PERMISSION_WRITE_UNCHANGED },
4866        { BLK_PERM_RESIZE,          BLOCK_PERMISSION_RESIZE },
4867        { BLK_PERM_GRAPH_MOD,       BLOCK_PERMISSION_GRAPH_MOD },
4868        { 0, 0 }
4869    };
4870    const PermissionMap *p;
4871    XDbgBlockGraphEdge *edge;
4872
4873    QEMU_BUILD_BUG_ON(1UL << (ARRAY_SIZE(permissions) - 1) != BLK_PERM_ALL + 1);
4874
4875    edge = g_new0(XDbgBlockGraphEdge, 1);
4876
4877    edge->parent = xdbg_graph_node_num(gr, parent);
4878    edge->child = xdbg_graph_node_num(gr, child->bs);
4879    edge->name = g_strdup(child->name);
4880
4881    for (p = permissions; p->flag; p++) {
4882        if (p->flag & child->perm) {
4883            QAPI_LIST_ADD(edge->perm, p->num);
4884        }
4885        if (p->flag & child->shared_perm) {
4886            QAPI_LIST_ADD(edge->shared_perm, p->num);
4887        }
4888    }
4889
4890    QAPI_LIST_ADD(gr->graph->edges, edge);
4891}
4892
4893
4894XDbgBlockGraph *bdrv_get_xdbg_block_graph(Error **errp)
4895{
4896    BlockBackend *blk;
4897    BlockJob *job;
4898    BlockDriverState *bs;
4899    BdrvChild *child;
4900    XDbgBlockGraphConstructor *gr = xdbg_graph_new();
4901
4902    for (blk = blk_all_next(NULL); blk; blk = blk_all_next(blk)) {
4903        char *allocated_name = NULL;
4904        const char *name = blk_name(blk);
4905
4906        if (!*name) {
4907            name = allocated_name = blk_get_attached_dev_id(blk);
4908        }
4909        xdbg_graph_add_node(gr, blk, X_DBG_BLOCK_GRAPH_NODE_TYPE_BLOCK_BACKEND,
4910                           name);
4911        g_free(allocated_name);
4912        if (blk_root(blk)) {
4913            xdbg_graph_add_edge(gr, blk, blk_root(blk));
4914        }
4915    }
4916
4917    for (job = block_job_next(NULL); job; job = block_job_next(job)) {
4918        GSList *el;
4919
4920        xdbg_graph_add_node(gr, job, X_DBG_BLOCK_GRAPH_NODE_TYPE_BLOCK_JOB,
4921                           job->job.id);
4922        for (el = job->nodes; el; el = el->next) {
4923            xdbg_graph_add_edge(gr, job, (BdrvChild *)el->data);
4924        }
4925    }
4926
4927    QTAILQ_FOREACH(bs, &graph_bdrv_states, node_list) {
4928        xdbg_graph_add_node(gr, bs, X_DBG_BLOCK_GRAPH_NODE_TYPE_BLOCK_DRIVER,
4929                           bs->node_name);
4930        QLIST_FOREACH(child, &bs->children, next) {
4931            xdbg_graph_add_edge(gr, bs, child);
4932        }
4933    }
4934
4935    return xdbg_graph_finalize(gr);
4936}
4937
4938BlockDriverState *bdrv_lookup_bs(const char *device,
4939                                 const char *node_name,
4940                                 Error **errp)
4941{
4942    BlockBackend *blk;
4943    BlockDriverState *bs;
4944
4945    if (device) {
4946        blk = blk_by_name(device);
4947
4948        if (blk) {
4949            bs = blk_bs(blk);
4950            if (!bs) {
4951                error_setg(errp, "Device '%s' has no medium", device);
4952            }
4953
4954            return bs;
4955        }
4956    }
4957
4958    if (node_name) {
4959        bs = bdrv_find_node(node_name);
4960
4961        if (bs) {
4962            return bs;
4963        }
4964    }
4965
4966    error_setg(errp, "Cannot find device=%s nor node_name=%s",
4967                     device ? device : "",
4968                     node_name ? node_name : "");
4969    return NULL;
4970}
4971
4972/* If 'base' is in the same chain as 'top', return true. Otherwise,
4973 * return false.  If either argument is NULL, return false. */
4974bool bdrv_chain_contains(BlockDriverState *top, BlockDriverState *base)
4975{
4976    while (top && top != base) {
4977        top = backing_bs(top);
4978    }
4979
4980    return top != NULL;
4981}
4982
4983BlockDriverState *bdrv_next_node(BlockDriverState *bs)
4984{
4985    if (!bs) {
4986        return QTAILQ_FIRST(&graph_bdrv_states);
4987    }
4988    return QTAILQ_NEXT(bs, node_list);
4989}
4990
4991BlockDriverState *bdrv_next_all_states(BlockDriverState *bs)
4992{
4993    if (!bs) {
4994        return QTAILQ_FIRST(&all_bdrv_states);
4995    }
4996    return QTAILQ_NEXT(bs, bs_list);
4997}
4998
4999const char *bdrv_get_node_name(const BlockDriverState *bs)
5000{
5001    return bs->node_name;
5002}
5003
5004const char *bdrv_get_parent_name(const BlockDriverState *bs)
5005{
5006    BdrvChild *c;
5007    const char *name;
5008
5009    /* If multiple parents have a name, just pick the first one. */
5010    QLIST_FOREACH(c, &bs->parents, next_parent) {
5011        if (c->role->get_name) {
5012            name = c->role->get_name(c);
5013            if (name && *name) {
5014                return name;
5015            }
5016        }
5017    }
5018
5019    return NULL;
5020}
5021
5022/* TODO check what callers really want: bs->node_name or blk_name() */
5023const char *bdrv_get_device_name(const BlockDriverState *bs)
5024{
5025    return bdrv_get_parent_name(bs) ?: "";
5026}
5027
5028/* This can be used to identify nodes that might not have a device
5029 * name associated. Since node and device names live in the same
5030 * namespace, the result is unambiguous. The exception is if both are
5031 * absent, then this returns an empty (non-null) string. */
5032const char *bdrv_get_device_or_node_name(const BlockDriverState *bs)
5033{
5034    return bdrv_get_parent_name(bs) ?: bs->node_name;
5035}
5036
5037int bdrv_get_flags(BlockDriverState *bs)
5038{
5039    return bs->open_flags;
5040}
5041
5042int bdrv_has_zero_init_1(BlockDriverState *bs)
5043{
5044    return 1;
5045}
5046
5047int bdrv_has_zero_init(BlockDriverState *bs)
5048{
5049    if (!bs->drv) {
5050        return 0;
5051    }
5052
5053    /* If BS is a copy on write image, it is initialized to
5054       the contents of the base image, which may not be zeroes.  */
5055    if (bs->backing) {
5056        return 0;
5057    }
5058    if (bs->drv->bdrv_has_zero_init) {
5059        return bs->drv->bdrv_has_zero_init(bs);
5060    }
5061    if (bs->file && bs->drv->is_filter) {
5062        return bdrv_has_zero_init(bs->file->bs);
5063    }
5064
5065    /* safe default */
5066    return 0;
5067}
5068
5069int bdrv_has_zero_init_truncate(BlockDriverState *bs)
5070{
5071    if (!bs->drv) {
5072        return 0;
5073    }
5074
5075    if (bs->backing) {
5076        /* Depends on the backing image length, but better safe than sorry */
5077        return 0;
5078    }
5079    if (bs->drv->bdrv_has_zero_init_truncate) {
5080        return bs->drv->bdrv_has_zero_init_truncate(bs);
5081    }
5082    if (bs->file && bs->drv->is_filter) {
5083        return bdrv_has_zero_init_truncate(bs->file->bs);
5084    }
5085
5086    /* safe default */
5087    return 0;
5088}
5089
5090bool bdrv_unallocated_blocks_are_zero(BlockDriverState *bs)
5091{
5092    BlockDriverInfo bdi;
5093
5094    if (bs->backing) {
5095        return false;
5096    }
5097
5098    if (bdrv_get_info(bs, &bdi) == 0) {
5099        return bdi.unallocated_blocks_are_zero;
5100    }
5101
5102    return false;
5103}
5104
5105bool bdrv_can_write_zeroes_with_unmap(BlockDriverState *bs)
5106{
5107    if (!(bs->open_flags & BDRV_O_UNMAP)) {
5108        return false;
5109    }
5110
5111    return bs->supported_zero_flags & BDRV_REQ_MAY_UNMAP;
5112}
5113
5114void bdrv_get_backing_filename(BlockDriverState *bs,
5115                               char *filename, int filename_size)
5116{
5117    pstrcpy(filename, filename_size, bs->backing_file);
5118}
5119
5120int bdrv_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
5121{
5122    BlockDriver *drv = bs->drv;
5123    /* if bs->drv == NULL, bs is closed, so there's nothing to do here */
5124    if (!drv) {
5125        return -ENOMEDIUM;
5126    }
5127    if (!drv->bdrv_get_info) {
5128        if (bs->file && drv->is_filter) {
5129            return bdrv_get_info(bs->file->bs, bdi);
5130        }
5131        return -ENOTSUP;
5132    }
5133    memset(bdi, 0, sizeof(*bdi));
5134    return drv->bdrv_get_info(bs, bdi);
5135}
5136
5137ImageInfoSpecific *bdrv_get_specific_info(BlockDriverState *bs,
5138                                          Error **errp)
5139{
5140    BlockDriver *drv = bs->drv;
5141    if (drv && drv->bdrv_get_specific_info) {
5142        return drv->bdrv_get_specific_info(bs, errp);
5143    }
5144    return NULL;
5145}
5146
5147BlockStatsSpecific *bdrv_get_specific_stats(BlockDriverState *bs)
5148{
5149    BlockDriver *drv = bs->drv;
5150    if (!drv || !drv->bdrv_get_specific_stats) {
5151        return NULL;
5152    }
5153    return drv->bdrv_get_specific_stats(bs);
5154}
5155
5156void bdrv_debug_event(BlockDriverState *bs, BlkdebugEvent event)
5157{
5158    if (!bs || !bs->drv || !bs->drv->bdrv_debug_event) {
5159        return;
5160    }
5161
5162    bs->drv->bdrv_debug_event(bs, event);
5163}
5164
5165static BlockDriverState *bdrv_find_debug_node(BlockDriverState *bs)
5166{
5167    while (bs && bs->drv && !bs->drv->bdrv_debug_breakpoint) {
5168        if (bs->file) {
5169            bs = bs->file->bs;
5170            continue;
5171        }
5172
5173        if (bs->drv->is_filter && bs->backing) {
5174            bs = bs->backing->bs;
5175            continue;
5176        }
5177
5178        break;
5179    }
5180
5181    if (bs && bs->drv && bs->drv->bdrv_debug_breakpoint) {
5182        assert(bs->drv->bdrv_debug_remove_breakpoint);
5183        return bs;
5184    }
5185
5186    return NULL;
5187}
5188
5189int bdrv_debug_breakpoint(BlockDriverState *bs, const char *event,
5190                          const char *tag)
5191{
5192    bs = bdrv_find_debug_node(bs);
5193    if (bs) {
5194        return bs->drv->bdrv_debug_breakpoint(bs, event, tag);
5195    }
5196
5197    return -ENOTSUP;
5198}
5199
5200int bdrv_debug_remove_breakpoint(BlockDriverState *bs, const char *tag)
5201{
5202    bs = bdrv_find_debug_node(bs);
5203    if (bs) {
5204        return bs->drv->bdrv_debug_remove_breakpoint(bs, tag);
5205    }
5206
5207    return -ENOTSUP;
5208}
5209
5210int bdrv_debug_resume(BlockDriverState *bs, const char *tag)
5211{
5212    while (bs && (!bs->drv || !bs->drv->bdrv_debug_resume)) {
5213        bs = bs->file ? bs->file->bs : NULL;
5214    }
5215
5216    if (bs && bs->drv && bs->drv->bdrv_debug_resume) {
5217        return bs->drv->bdrv_debug_resume(bs, tag);
5218    }
5219
5220    return -ENOTSUP;
5221}
5222
5223bool bdrv_debug_is_suspended(BlockDriverState *bs, const char *tag)
5224{
5225    while (bs && bs->drv && !bs->drv->bdrv_debug_is_suspended) {
5226        bs = bs->file ? bs->file->bs : NULL;
5227    }
5228
5229    if (bs && bs->drv && bs->drv->bdrv_debug_is_suspended) {
5230        return bs->drv->bdrv_debug_is_suspended(bs, tag);
5231    }
5232
5233    return false;
5234}
5235
5236/* backing_file can either be relative, or absolute, or a protocol.  If it is
5237 * relative, it must be relative to the chain.  So, passing in bs->filename
5238 * from a BDS as backing_file should not be done, as that may be relative to
5239 * the CWD rather than the chain. */
5240BlockDriverState *bdrv_find_backing_image(BlockDriverState *bs,
5241        const char *backing_file)
5242{
5243    char *filename_full = NULL;
5244    char *backing_file_full = NULL;
5245    char *filename_tmp = NULL;
5246    int is_protocol = 0;
5247    BlockDriverState *curr_bs = NULL;
5248    BlockDriverState *retval = NULL;
5249
5250    if (!bs || !bs->drv || !backing_file) {
5251        return NULL;
5252    }
5253
5254    filename_full     = g_malloc(PATH_MAX);
5255    backing_file_full = g_malloc(PATH_MAX);
5256
5257    is_protocol = path_has_protocol(backing_file);
5258
5259    for (curr_bs = bs; curr_bs->backing; curr_bs = curr_bs->backing->bs) {
5260
5261        /* If either of the filename paths is actually a protocol, then
5262         * compare unmodified paths; otherwise make paths relative */
5263        if (is_protocol || path_has_protocol(curr_bs->backing_file)) {
5264            char *backing_file_full_ret;
5265
5266            if (strcmp(backing_file, curr_bs->backing_file) == 0) {
5267                retval = curr_bs->backing->bs;
5268                break;
5269            }
5270            /* Also check against the full backing filename for the image */
5271            backing_file_full_ret = bdrv_get_full_backing_filename(curr_bs,
5272                                                                   NULL);
5273            if (backing_file_full_ret) {
5274                bool equal = strcmp(backing_file, backing_file_full_ret) == 0;
5275                g_free(backing_file_full_ret);
5276                if (equal) {
5277                    retval = curr_bs->backing->bs;
5278                    break;
5279                }
5280            }
5281        } else {
5282            /* If not an absolute filename path, make it relative to the current
5283             * image's filename path */
5284            filename_tmp = bdrv_make_absolute_filename(curr_bs, backing_file,
5285                                                       NULL);
5286            /* We are going to compare canonicalized absolute pathnames */
5287            if (!filename_tmp || !realpath(filename_tmp, filename_full)) {
5288                g_free(filename_tmp);
5289                continue;
5290            }
5291            g_free(filename_tmp);
5292
5293            /* We need to make sure the backing filename we are comparing against
5294             * is relative to the current image filename (or absolute) */
5295            filename_tmp = bdrv_get_full_backing_filename(curr_bs, NULL);
5296            if (!filename_tmp || !realpath(filename_tmp, backing_file_full)) {
5297                g_free(filename_tmp);
5298                continue;
5299            }
5300            g_free(filename_tmp);
5301
5302            if (strcmp(backing_file_full, filename_full) == 0) {
5303                retval = curr_bs->backing->bs;
5304                break;
5305            }
5306        }
5307    }
5308
5309    g_free(filename_full);
5310    g_free(backing_file_full);
5311    return retval;
5312}
5313
5314void bdrv_init(void)
5315{
5316    module_call_init(MODULE_INIT_BLOCK);
5317}
5318
5319void bdrv_init_with_whitelist(void)
5320{
5321    use_bdrv_whitelist = 1;
5322    bdrv_init();
5323}
5324
5325static void coroutine_fn bdrv_co_invalidate_cache(BlockDriverState *bs,
5326                                                  Error **errp)
5327{
5328    BdrvChild *child, *parent;
5329    uint64_t perm, shared_perm;
5330    Error *local_err = NULL;
5331    int ret;
5332    BdrvDirtyBitmap *bm;
5333
5334    if (!bs->drv)  {
5335        return;
5336    }
5337
5338    if (!(bs->open_flags & BDRV_O_INACTIVE)) {
5339        return;
5340    }
5341
5342    QLIST_FOREACH(child, &bs->children, next) {
5343        bdrv_co_invalidate_cache(child->bs, &local_err);
5344        if (local_err) {
5345            error_propagate(errp, local_err);
5346            return;
5347        }
5348    }
5349
5350    /*
5351     * Update permissions, they may differ for inactive nodes.
5352     *
5353     * Note that the required permissions of inactive images are always a
5354     * subset of the permissions required after activating the image. This
5355     * allows us to just get the permissions upfront without restricting
5356     * drv->bdrv_invalidate_cache().
5357     *
5358     * It also means that in error cases, we don't have to try and revert to
5359     * the old permissions (which is an operation that could fail, too). We can
5360     * just keep the extended permissions for the next time that an activation
5361     * of the image is tried.
5362     */
5363    bs->open_flags &= ~BDRV_O_INACTIVE;
5364    bdrv_get_cumulative_perm(bs, &perm, &shared_perm);
5365    ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, NULL, &local_err);
5366    if (ret < 0) {
5367        bs->open_flags |= BDRV_O_INACTIVE;
5368        error_propagate(errp, local_err);
5369        return;
5370    }
5371    bdrv_set_perm(bs, perm, shared_perm);
5372
5373    if (bs->drv->bdrv_co_invalidate_cache) {
5374        bs->drv->bdrv_co_invalidate_cache(bs, &local_err);
5375        if (local_err) {
5376            bs->open_flags |= BDRV_O_INACTIVE;
5377            error_propagate(errp, local_err);
5378            return;
5379        }
5380    }
5381
5382    FOR_EACH_DIRTY_BITMAP(bs, bm) {
5383        bdrv_dirty_bitmap_skip_store(bm, false);
5384    }
5385
5386    ret = refresh_total_sectors(bs, bs->total_sectors);
5387    if (ret < 0) {
5388        bs->open_flags |= BDRV_O_INACTIVE;
5389        error_setg_errno(errp, -ret, "Could not refresh total sector count");
5390        return;
5391    }
5392
5393    QLIST_FOREACH(parent, &bs->parents, next_parent) {
5394        if (parent->role->activate) {
5395            parent->role->activate(parent, &local_err);
5396            if (local_err) {
5397                bs->open_flags |= BDRV_O_INACTIVE;
5398                error_propagate(errp, local_err);
5399                return;
5400            }
5401        }
5402    }
5403}
5404
5405typedef struct InvalidateCacheCo {
5406    BlockDriverState *bs;
5407    Error **errp;
5408    bool done;
5409} InvalidateCacheCo;
5410
5411static void coroutine_fn bdrv_invalidate_cache_co_entry(void *opaque)
5412{
5413    InvalidateCacheCo *ico = opaque;
5414    bdrv_co_invalidate_cache(ico->bs, ico->errp);
5415    ico->done = true;
5416    aio_wait_kick();
5417}
5418
5419void bdrv_invalidate_cache(BlockDriverState *bs, Error **errp)
5420{
5421    Coroutine *co;
5422    InvalidateCacheCo ico = {
5423        .bs = bs,
5424        .done = false,
5425        .errp = errp
5426    };
5427
5428    if (qemu_in_coroutine()) {
5429        /* Fast-path if already in coroutine context */
5430        bdrv_invalidate_cache_co_entry(&ico);
5431    } else {
5432        co = qemu_coroutine_create(bdrv_invalidate_cache_co_entry, &ico);
5433        bdrv_coroutine_enter(bs, co);
5434        BDRV_POLL_WHILE(bs, !ico.done);
5435    }
5436}
5437
5438void bdrv_invalidate_cache_all(Error **errp)
5439{
5440    BlockDriverState *bs;
5441    Error *local_err = NULL;
5442    BdrvNextIterator it;
5443
5444    for (bs = bdrv_first(&it); bs; bs = bdrv_next(&it)) {
5445        AioContext *aio_context = bdrv_get_aio_context(bs);
5446
5447        aio_context_acquire(aio_context);
5448        bdrv_invalidate_cache(bs, &local_err);
5449        aio_context_release(aio_context);
5450        if (local_err) {
5451            error_propagate(errp, local_err);
5452            bdrv_next_cleanup(&it);
5453            return;
5454        }
5455    }
5456}
5457
5458static bool bdrv_has_bds_parent(BlockDriverState *bs, bool only_active)
5459{
5460    BdrvChild *parent;
5461
5462    QLIST_FOREACH(parent, &bs->parents, next_parent) {
5463        if (parent->role->parent_is_bds) {
5464            BlockDriverState *parent_bs = parent->opaque;
5465            if (!only_active || !(parent_bs->open_flags & BDRV_O_INACTIVE)) {
5466                return true;
5467            }
5468        }
5469    }
5470
5471    return false;
5472}
5473
5474static int bdrv_inactivate_recurse(BlockDriverState *bs)
5475{
5476    BdrvChild *child, *parent;
5477    bool tighten_restrictions;
5478    uint64_t perm, shared_perm;
5479    int ret;
5480
5481    if (!bs->drv) {
5482        return -ENOMEDIUM;
5483    }
5484
5485    /* Make sure that we don't inactivate a child before its parent.
5486     * It will be covered by recursion from the yet active parent. */
5487    if (bdrv_has_bds_parent(bs, true)) {
5488        return 0;
5489    }
5490
5491    assert(!(bs->open_flags & BDRV_O_INACTIVE));
5492
5493    /* Inactivate this node */
5494    if (bs->drv->bdrv_inactivate) {
5495        ret = bs->drv->bdrv_inactivate(bs);
5496        if (ret < 0) {
5497            return ret;
5498        }
5499    }
5500
5501    QLIST_FOREACH(parent, &bs->parents, next_parent) {
5502        if (parent->role->inactivate) {
5503            ret = parent->role->inactivate(parent);
5504            if (ret < 0) {
5505                return ret;
5506            }
5507        }
5508    }
5509
5510    bs->open_flags |= BDRV_O_INACTIVE;
5511
5512    /* Update permissions, they may differ for inactive nodes */
5513    bdrv_get_cumulative_perm(bs, &perm, &shared_perm);
5514    ret = bdrv_check_perm(bs, NULL, perm, shared_perm, NULL,
5515                          &tighten_restrictions, NULL);
5516    assert(tighten_restrictions == false);
5517    if (ret < 0) {
5518        /* We only tried to loosen restrictions, so errors are not fatal */
5519        bdrv_abort_perm_update(bs);
5520    } else {
5521        bdrv_set_perm(bs, perm, shared_perm);
5522    }
5523
5524
5525    /* Recursively inactivate children */
5526    QLIST_FOREACH(child, &bs->children, next) {
5527        ret = bdrv_inactivate_recurse(child->bs);
5528        if (ret < 0) {
5529            return ret;
5530        }
5531    }
5532
5533    return 0;
5534}
5535
5536int bdrv_inactivate_all(void)
5537{
5538    BlockDriverState *bs = NULL;
5539    BdrvNextIterator it;
5540    int ret = 0;
5541    GSList *aio_ctxs = NULL, *ctx;
5542
5543    for (bs = bdrv_first(&it); bs; bs = bdrv_next(&it)) {
5544        AioContext *aio_context = bdrv_get_aio_context(bs);
5545
5546        if (!g_slist_find(aio_ctxs, aio_context)) {
5547            aio_ctxs = g_slist_prepend(aio_ctxs, aio_context);
5548            aio_context_acquire(aio_context);
5549        }
5550    }
5551
5552    for (bs = bdrv_first(&it); bs; bs = bdrv_next(&it)) {
5553        /* Nodes with BDS parents are covered by recursion from the last
5554         * parent that gets inactivated. Don't inactivate them a second
5555         * time if that has already happened. */
5556        if (bdrv_has_bds_parent(bs, false)) {
5557            continue;
5558        }
5559        ret = bdrv_inactivate_recurse(bs);
5560        if (ret < 0) {
5561            bdrv_next_cleanup(&it);
5562            goto out;
5563        }
5564    }
5565
5566out:
5567    for (ctx = aio_ctxs; ctx != NULL; ctx = ctx->next) {
5568        AioContext *aio_context = ctx->data;
5569        aio_context_release(aio_context);
5570    }
5571    g_slist_free(aio_ctxs);
5572
5573    return ret;
5574}
5575
5576/**************************************************************/
5577/* removable device support */
5578
5579/**
5580 * Return TRUE if the media is present
5581 */
5582bool bdrv_is_inserted(BlockDriverState *bs)
5583{
5584    BlockDriver *drv = bs->drv;
5585    BdrvChild *child;
5586
5587    if (!drv) {
5588        return false;
5589    }
5590    if (drv->bdrv_is_inserted) {
5591        return drv->bdrv_is_inserted(bs);
5592    }
5593    QLIST_FOREACH(child, &bs->children, next) {
5594        if (!bdrv_is_inserted(child->bs)) {
5595            return false;
5596        }
5597    }
5598    return true;
5599}
5600
5601/**
5602 * If eject_flag is TRUE, eject the media. Otherwise, close the tray
5603 */
5604void bdrv_eject(BlockDriverState *bs, bool eject_flag)
5605{
5606    BlockDriver *drv = bs->drv;
5607
5608    if (drv && drv->bdrv_eject) {
5609        drv->bdrv_eject(bs, eject_flag);
5610    }
5611}
5612
5613/**
5614 * Lock or unlock the media (if it is locked, the user won't be able
5615 * to eject it manually).
5616 */
5617void bdrv_lock_medium(BlockDriverState *bs, bool locked)
5618{
5619    BlockDriver *drv = bs->drv;
5620
5621    trace_bdrv_lock_medium(bs, locked);
5622
5623    if (drv && drv->bdrv_lock_medium) {
5624        drv->bdrv_lock_medium(bs, locked);
5625    }
5626}
5627
5628/* Get a reference to bs */
5629void bdrv_ref(BlockDriverState *bs)
5630{
5631    bs->refcnt++;
5632}
5633
5634/* Release a previously grabbed reference to bs.
5635 * If after releasing, reference count is zero, the BlockDriverState is
5636 * deleted. */
5637void bdrv_unref(BlockDriverState *bs)
5638{
5639    if (!bs) {
5640        return;
5641    }
5642    assert(bs->refcnt > 0);
5643    if (--bs->refcnt == 0) {
5644        bdrv_delete(bs);
5645    }
5646}
5647
5648struct BdrvOpBlocker {
5649    Error *reason;
5650    QLIST_ENTRY(BdrvOpBlocker) list;
5651};
5652
5653bool bdrv_op_is_blocked(BlockDriverState *bs, BlockOpType op, Error **errp)
5654{
5655    BdrvOpBlocker *blocker;
5656    assert((int) op >= 0 && op < BLOCK_OP_TYPE_MAX);
5657    if (!QLIST_EMPTY(&bs->op_blockers[op])) {
5658        blocker = QLIST_FIRST(&bs->op_blockers[op]);
5659        error_propagate_prepend(errp, error_copy(blocker->reason),
5660                                "Node '%s' is busy: ",
5661                                bdrv_get_device_or_node_name(bs));
5662        return true;
5663    }
5664    return false;
5665}
5666
5667void bdrv_op_block(BlockDriverState *bs, BlockOpType op, Error *reason)
5668{
5669    BdrvOpBlocker *blocker;
5670    assert((int) op >= 0 && op < BLOCK_OP_TYPE_MAX);
5671
5672    blocker = g_new0(BdrvOpBlocker, 1);
5673    blocker->reason = reason;
5674    QLIST_INSERT_HEAD(&bs->op_blockers[op], blocker, list);
5675}
5676
5677void bdrv_op_unblock(BlockDriverState *bs, BlockOpType op, Error *reason)
5678{
5679    BdrvOpBlocker *blocker, *next;
5680    assert((int) op >= 0 && op < BLOCK_OP_TYPE_MAX);
5681    QLIST_FOREACH_SAFE(blocker, &bs->op_blockers[op], list, next) {
5682        if (blocker->reason == reason) {
5683            QLIST_REMOVE(blocker, list);
5684            g_free(blocker);
5685        }
5686    }
5687}
5688
5689void bdrv_op_block_all(BlockDriverState *bs, Error *reason)
5690{
5691    int i;
5692    for (i = 0; i < BLOCK_OP_TYPE_MAX; i++) {
5693        bdrv_op_block(bs, i, reason);
5694    }
5695}
5696
5697void bdrv_op_unblock_all(BlockDriverState *bs, Error *reason)
5698{
5699    int i;
5700    for (i = 0; i < BLOCK_OP_TYPE_MAX; i++) {
5701        bdrv_op_unblock(bs, i, reason);
5702    }
5703}
5704
5705bool bdrv_op_blocker_is_empty(BlockDriverState *bs)
5706{
5707    int i;
5708
5709    for (i = 0; i < BLOCK_OP_TYPE_MAX; i++) {
5710        if (!QLIST_EMPTY(&bs->op_blockers[i])) {
5711            return false;
5712        }
5713    }
5714    return true;
5715}
5716
5717void bdrv_img_create(const char *filename, const char *fmt,
5718                     const char *base_filename, const char *base_fmt,
5719                     char *options, uint64_t img_size, int flags, bool quiet,
5720                     Error **errp)
5721{
5722    QemuOptsList *create_opts = NULL;
5723    QemuOpts *opts = NULL;
5724    const char *backing_fmt, *backing_file;
5725    int64_t size;
5726    BlockDriver *drv, *proto_drv;
5727    Error *local_err = NULL;
5728    int ret = 0;
5729
5730    /* Find driver and parse its options */
5731    drv = bdrv_find_format(fmt);
5732    if (!drv) {
5733        error_setg(errp, "Unknown file format '%s'", fmt);
5734        return;
5735    }
5736
5737    proto_drv = bdrv_find_protocol(filename, true, errp);
5738    if (!proto_drv) {
5739        return;
5740    }
5741
5742    if (!drv->create_opts) {
5743        error_setg(errp, "Format driver '%s' does not support image creation",
5744                   drv->format_name);
5745        return;
5746    }
5747
5748    if (!proto_drv->create_opts) {
5749        error_setg(errp, "Protocol driver '%s' does not support image creation",
5750                   proto_drv->format_name);
5751        return;
5752    }
5753
5754    create_opts = qemu_opts_append(create_opts, drv->create_opts);
5755    create_opts = qemu_opts_append(create_opts, proto_drv->create_opts);
5756
5757    /* Create parameter list with default values */
5758    opts = qemu_opts_create(create_opts, NULL, 0, &error_abort);
5759    qemu_opt_set_number(opts, BLOCK_OPT_SIZE, img_size, &error_abort);
5760
5761    /* Parse -o options */
5762    if (options) {
5763        qemu_opts_do_parse(opts, options, NULL, &local_err);
5764        if (local_err) {
5765            goto out;
5766        }
5767    }
5768
5769    if (base_filename) {
5770        qemu_opt_set(opts, BLOCK_OPT_BACKING_FILE, base_filename, &local_err);
5771        if (local_err) {
5772            error_setg(errp, "Backing file not supported for file format '%s'",
5773                       fmt);
5774            goto out;
5775        }
5776    }
5777
5778    if (base_fmt) {
5779        qemu_opt_set(opts, BLOCK_OPT_BACKING_FMT, base_fmt, &local_err);
5780        if (local_err) {
5781            error_setg(errp, "Backing file format not supported for file "
5782                             "format '%s'", fmt);
5783            goto out;
5784        }
5785    }
5786
5787    backing_file = qemu_opt_get(opts, BLOCK_OPT_BACKING_FILE);
5788    if (backing_file) {
5789        if (!strcmp(filename, backing_file)) {
5790            error_setg(errp, "Error: Trying to create an image with the "
5791                             "same filename as the backing file");
5792            goto out;
5793        }
5794    }
5795
5796    backing_fmt = qemu_opt_get(opts, BLOCK_OPT_BACKING_FMT);
5797
5798    /* The size for the image must always be specified, unless we have a backing
5799     * file and we have not been forbidden from opening it. */
5800    size = qemu_opt_get_size(opts, BLOCK_OPT_SIZE, img_size);
5801    if (backing_file && !(flags & BDRV_O_NO_BACKING)) {
5802        BlockDriverState *bs;
5803        char *full_backing;
5804        int back_flags;
5805        QDict *backing_options = NULL;
5806
5807        full_backing =
5808            bdrv_get_full_backing_filename_from_filename(filename, backing_file,
5809                                                         &local_err);
5810        if (local_err) {
5811            goto out;
5812        }
5813        assert(full_backing);
5814
5815        /* backing files always opened read-only */
5816        back_flags = flags;
5817        back_flags &= ~(BDRV_O_RDWR | BDRV_O_SNAPSHOT | BDRV_O_NO_BACKING);
5818
5819        backing_options = qdict_new();
5820        if (backing_fmt) {
5821            qdict_put_str(backing_options, "driver", backing_fmt);
5822        }
5823        qdict_put_bool(backing_options, BDRV_OPT_FORCE_SHARE, true);
5824
5825        bs = bdrv_open(full_backing, NULL, backing_options, back_flags,
5826                       &local_err);
5827        g_free(full_backing);
5828        if (!bs && size != -1) {
5829            /* Couldn't open BS, but we have a size, so it's nonfatal */
5830            warn_reportf_err(local_err,
5831                            "Could not verify backing image. "
5832                            "This may become an error in future versions.\n");
5833            local_err = NULL;
5834        } else if (!bs) {
5835            /* Couldn't open bs, do not have size */
5836            error_append_hint(&local_err,
5837                              "Could not open backing image to determine size.\n");
5838            goto out;
5839        } else {
5840            if (size == -1) {
5841                /* Opened BS, have no size */
5842                size = bdrv_getlength(bs);
5843                if (size < 0) {
5844                    error_setg_errno(errp, -size, "Could not get size of '%s'",
5845                                     backing_file);
5846                    bdrv_unref(bs);
5847                    goto out;
5848                }
5849                qemu_opt_set_number(opts, BLOCK_OPT_SIZE, size, &error_abort);
5850            }
5851            bdrv_unref(bs);
5852        }
5853    } /* (backing_file && !(flags & BDRV_O_NO_BACKING)) */
5854
5855    if (size == -1) {
5856        error_setg(errp, "Image creation needs a size parameter");
5857        goto out;
5858    }
5859
5860    if (!quiet) {
5861        printf("Formatting '%s', fmt=%s ", filename, fmt);
5862        qemu_opts_print(opts, " ");
5863        puts("");
5864    }
5865
5866    ret = bdrv_create(drv, filename, opts, &local_err);
5867
5868    if (ret == -EFBIG) {
5869        /* This is generally a better message than whatever the driver would
5870         * deliver (especially because of the cluster_size_hint), since that
5871         * is most probably not much different from "image too large". */
5872        const char *cluster_size_hint = "";
5873        if (qemu_opt_get_size(opts, BLOCK_OPT_CLUSTER_SIZE, 0)) {
5874            cluster_size_hint = " (try using a larger cluster size)";
5875        }
5876        error_setg(errp, "The image size is too large for file format '%s'"
5877                   "%s", fmt, cluster_size_hint);
5878        error_free(local_err);
5879        local_err = NULL;
5880    }
5881
5882out:
5883    qemu_opts_del(opts);
5884    qemu_opts_free(create_opts);
5885    error_propagate(errp, local_err);
5886}
5887
5888AioContext *bdrv_get_aio_context(BlockDriverState *bs)
5889{
5890    return bs ? bs->aio_context : qemu_get_aio_context();
5891}
5892
5893void bdrv_coroutine_enter(BlockDriverState *bs, Coroutine *co)
5894{
5895    aio_co_enter(bdrv_get_aio_context(bs), co);
5896}
5897
5898static void bdrv_do_remove_aio_context_notifier(BdrvAioNotifier *ban)
5899{
5900    QLIST_REMOVE(ban, list);
5901    g_free(ban);
5902}
5903
5904static void bdrv_detach_aio_context(BlockDriverState *bs)
5905{
5906    BdrvAioNotifier *baf, *baf_tmp;
5907
5908    assert(!bs->walking_aio_notifiers);
5909    bs->walking_aio_notifiers = true;
5910    QLIST_FOREACH_SAFE(baf, &bs->aio_notifiers, list, baf_tmp) {
5911        if (baf->deleted) {
5912            bdrv_do_remove_aio_context_notifier(baf);
5913        } else {
5914            baf->detach_aio_context(baf->opaque);
5915        }
5916    }
5917    /* Never mind iterating again to check for ->deleted.  bdrv_close() will
5918     * remove remaining aio notifiers if we aren't called again.
5919     */
5920    bs->walking_aio_notifiers = false;
5921
5922    if (bs->drv && bs->drv->bdrv_detach_aio_context) {
5923        bs->drv->bdrv_detach_aio_context(bs);
5924    }
5925
5926    if (bs->quiesce_counter) {
5927        aio_enable_external(bs->aio_context);
5928    }
5929    bs->aio_context = NULL;
5930}
5931
5932static void bdrv_attach_aio_context(BlockDriverState *bs,
5933                                    AioContext *new_context)
5934{
5935    BdrvAioNotifier *ban, *ban_tmp;
5936
5937    if (bs->quiesce_counter) {
5938        aio_disable_external(new_context);
5939    }
5940
5941    bs->aio_context = new_context;
5942
5943    if (bs->drv && bs->drv->bdrv_attach_aio_context) {
5944        bs->drv->bdrv_attach_aio_context(bs, new_context);
5945    }
5946
5947    assert(!bs->walking_aio_notifiers);
5948    bs->walking_aio_notifiers = true;
5949    QLIST_FOREACH_SAFE(ban, &bs->aio_notifiers, list, ban_tmp) {
5950        if (ban->deleted) {
5951            bdrv_do_remove_aio_context_notifier(ban);
5952        } else {
5953            ban->attached_aio_context(new_context, ban->opaque);
5954        }
5955    }
5956    bs->walking_aio_notifiers = false;
5957}
5958
5959/*
5960 * Changes the AioContext used for fd handlers, timers, and BHs by this
5961 * BlockDriverState and all its children and parents.
5962 *
5963 * Must be called from the main AioContext.
5964 *
5965 * The caller must own the AioContext lock for the old AioContext of bs, but it
5966 * must not own the AioContext lock for new_context (unless new_context is the
5967 * same as the current context of bs).
5968 *
5969 * @ignore will accumulate all visited BdrvChild object. The caller is
5970 * responsible for freeing the list afterwards.
5971 */
5972void bdrv_set_aio_context_ignore(BlockDriverState *bs,
5973                                 AioContext *new_context, GSList **ignore)
5974{
5975    AioContext *old_context = bdrv_get_aio_context(bs);
5976    BdrvChild *child;
5977
5978    g_assert(qemu_get_current_aio_context() == qemu_get_aio_context());
5979
5980    if (old_context == new_context) {
5981        return;
5982    }
5983
5984    bdrv_drained_begin(bs);
5985
5986    QLIST_FOREACH(child, &bs->children, next) {
5987        if (g_slist_find(*ignore, child)) {
5988            continue;
5989        }
5990        *ignore = g_slist_prepend(*ignore, child);
5991        bdrv_set_aio_context_ignore(child->bs, new_context, ignore);
5992    }
5993    QLIST_FOREACH(child, &bs->parents, next_parent) {
5994        if (g_slist_find(*ignore, child)) {
5995            continue;
5996        }
5997        assert(child->role->set_aio_ctx);
5998        *ignore = g_slist_prepend(*ignore, child);
5999        child->role->set_aio_ctx(child, new_context, ignore);
6000    }
6001
6002    bdrv_detach_aio_context(bs);
6003
6004    /* Acquire the new context, if necessary */
6005    if (qemu_get_aio_context() != new_context) {
6006        aio_context_acquire(new_context);
6007    }
6008
6009    bdrv_attach_aio_context(bs, new_context);
6010
6011    /*
6012     * If this function was recursively called from
6013     * bdrv_set_aio_context_ignore(), there may be nodes in the
6014     * subtree that have not yet been moved to the new AioContext.
6015     * Release the old one so bdrv_drained_end() can poll them.
6016     */
6017    if (qemu_get_aio_context() != old_context) {
6018        aio_context_release(old_context);
6019    }
6020
6021    bdrv_drained_end(bs);
6022
6023    if (qemu_get_aio_context() != old_context) {
6024        aio_context_acquire(old_context);
6025    }
6026    if (qemu_get_aio_context() != new_context) {
6027        aio_context_release(new_context);
6028    }
6029}
6030
6031static bool bdrv_parent_can_set_aio_context(BdrvChild *c, AioContext *ctx,
6032                                            GSList **ignore, Error **errp)
6033{
6034    if (g_slist_find(*ignore, c)) {
6035        return true;
6036    }
6037    *ignore = g_slist_prepend(*ignore, c);
6038
6039    /* A BdrvChildRole that doesn't handle AioContext changes cannot
6040     * tolerate any AioContext changes */
6041    if (!c->role->can_set_aio_ctx) {
6042        char *user = bdrv_child_user_desc(c);
6043        error_setg(errp, "Changing iothreads is not supported by %s", user);
6044        g_free(user);
6045        return false;
6046    }
6047    if (!c->role->can_set_aio_ctx(c, ctx, ignore, errp)) {
6048        assert(!errp || *errp);
6049        return false;
6050    }
6051    return true;
6052}
6053
6054bool bdrv_child_can_set_aio_context(BdrvChild *c, AioContext *ctx,
6055                                    GSList **ignore, Error **errp)
6056{
6057    if (g_slist_find(*ignore, c)) {
6058        return true;
6059    }
6060    *ignore = g_slist_prepend(*ignore, c);
6061    return bdrv_can_set_aio_context(c->bs, ctx, ignore, errp);
6062}
6063
6064/* @ignore will accumulate all visited BdrvChild object. The caller is
6065 * responsible for freeing the list afterwards. */
6066bool bdrv_can_set_aio_context(BlockDriverState *bs, AioContext *ctx,
6067                              GSList **ignore, Error **errp)
6068{
6069    BdrvChild *c;
6070
6071    if (bdrv_get_aio_context(bs) == ctx) {
6072        return true;
6073    }
6074
6075    QLIST_FOREACH(c, &bs->parents, next_parent) {
6076        if (!bdrv_parent_can_set_aio_context(c, ctx, ignore, errp)) {
6077            return false;
6078        }
6079    }
6080    QLIST_FOREACH(c, &bs->children, next) {
6081        if (!bdrv_child_can_set_aio_context(c, ctx, ignore, errp)) {
6082            return false;
6083        }
6084    }
6085
6086    return true;
6087}
6088
6089int bdrv_child_try_set_aio_context(BlockDriverState *bs, AioContext *ctx,
6090                                   BdrvChild *ignore_child, Error **errp)
6091{
6092    GSList *ignore;
6093    bool ret;
6094
6095    ignore = ignore_child ? g_slist_prepend(NULL, ignore_child) : NULL;
6096    ret = bdrv_can_set_aio_context(bs, ctx, &ignore, errp);
6097    g_slist_free(ignore);
6098
6099    if (!ret) {
6100        return -EPERM;
6101    }
6102
6103    ignore = ignore_child ? g_slist_prepend(NULL, ignore_child) : NULL;
6104    bdrv_set_aio_context_ignore(bs, ctx, &ignore);
6105    g_slist_free(ignore);
6106
6107    return 0;
6108}
6109
6110int bdrv_try_set_aio_context(BlockDriverState *bs, AioContext *ctx,
6111                             Error **errp)
6112{
6113    return bdrv_child_try_set_aio_context(bs, ctx, NULL, errp);
6114}
6115
6116void bdrv_add_aio_context_notifier(BlockDriverState *bs,
6117        void (*attached_aio_context)(AioContext *new_context, void *opaque),
6118        void (*detach_aio_context)(void *opaque), void *opaque)
6119{
6120    BdrvAioNotifier *ban = g_new(BdrvAioNotifier, 1);
6121    *ban = (BdrvAioNotifier){
6122        .attached_aio_context = attached_aio_context,
6123        .detach_aio_context   = detach_aio_context,
6124        .opaque               = opaque
6125    };
6126
6127    QLIST_INSERT_HEAD(&bs->aio_notifiers, ban, list);
6128}
6129
6130void bdrv_remove_aio_context_notifier(BlockDriverState *bs,
6131                                      void (*attached_aio_context)(AioContext *,
6132                                                                   void *),
6133                                      void (*detach_aio_context)(void *),
6134                                      void *opaque)
6135{
6136    BdrvAioNotifier *ban, *ban_next;
6137
6138    QLIST_FOREACH_SAFE(ban, &bs->aio_notifiers, list, ban_next) {
6139        if (ban->attached_aio_context == attached_aio_context &&
6140            ban->detach_aio_context   == detach_aio_context   &&
6141            ban->opaque               == opaque               &&
6142            ban->deleted              == false)
6143        {
6144            if (bs->walking_aio_notifiers) {
6145                ban->deleted = true;
6146            } else {
6147                bdrv_do_remove_aio_context_notifier(ban);
6148            }
6149            return;
6150        }
6151    }
6152
6153    abort();
6154}
6155
6156int bdrv_amend_options(BlockDriverState *bs, QemuOpts *opts,
6157                       BlockDriverAmendStatusCB *status_cb, void *cb_opaque,
6158                       Error **errp)
6159{
6160    if (!bs->drv) {
6161        error_setg(errp, "Node is ejected");
6162        return -ENOMEDIUM;
6163    }
6164    if (!bs->drv->bdrv_amend_options) {
6165        error_setg(errp, "Block driver '%s' does not support option amendment",
6166                   bs->drv->format_name);
6167        return -ENOTSUP;
6168    }
6169    return bs->drv->bdrv_amend_options(bs, opts, status_cb, cb_opaque, errp);
6170}
6171
6172/* This function will be called by the bdrv_recurse_is_first_non_filter method
6173 * of block filter and by bdrv_is_first_non_filter.
6174 * It is used to test if the given bs is the candidate or recurse more in the
6175 * node graph.
6176 */
6177bool bdrv_recurse_is_first_non_filter(BlockDriverState *bs,
6178                                      BlockDriverState *candidate)
6179{
6180    /* return false if basic checks fails */
6181    if (!bs || !bs->drv) {
6182        return false;
6183    }
6184
6185    /* the code reached a non block filter driver -> check if the bs is
6186     * the same as the candidate. It's the recursion termination condition.
6187     */
6188    if (!bs->drv->is_filter) {
6189        return bs == candidate;
6190    }
6191    /* Down this path the driver is a block filter driver */
6192
6193    /* If the block filter recursion method is defined use it to recurse down
6194     * the node graph.
6195     */
6196    if (bs->drv->bdrv_recurse_is_first_non_filter) {
6197        return bs->drv->bdrv_recurse_is_first_non_filter(bs, candidate);
6198    }
6199
6200    /* the driver is a block filter but don't allow to recurse -> return false
6201     */
6202    return false;
6203}
6204
6205/* This function checks if the candidate is the first non filter bs down it's
6206 * bs chain. Since we don't have pointers to parents it explore all bs chains
6207 * from the top. Some filters can choose not to pass down the recursion.
6208 */
6209bool bdrv_is_first_non_filter(BlockDriverState *candidate)
6210{
6211    BlockDriverState *bs;
6212    BdrvNextIterator it;
6213
6214    /* walk down the bs forest recursively */
6215    for (bs = bdrv_first(&it); bs; bs = bdrv_next(&it)) {
6216        bool perm;
6217
6218        /* try to recurse in this top level bs */
6219        perm = bdrv_recurse_is_first_non_filter(bs, candidate);
6220
6221        /* candidate is the first non filter */
6222        if (perm) {
6223            bdrv_next_cleanup(&it);
6224            return true;
6225        }
6226    }
6227
6228    return false;
6229}
6230
6231BlockDriverState *check_to_replace_node(BlockDriverState *parent_bs,
6232                                        const char *node_name, Error **errp)
6233{
6234    BlockDriverState *to_replace_bs = bdrv_find_node(node_name);
6235    AioContext *aio_context;
6236
6237    if (!to_replace_bs) {
6238        error_setg(errp, "Node name '%s' not found", node_name);
6239        return NULL;
6240    }
6241
6242    aio_context = bdrv_get_aio_context(to_replace_bs);
6243    aio_context_acquire(aio_context);
6244
6245    if (bdrv_op_is_blocked(to_replace_bs, BLOCK_OP_TYPE_REPLACE, errp)) {
6246        to_replace_bs = NULL;
6247        goto out;
6248    }
6249
6250    /* We don't want arbitrary node of the BDS chain to be replaced only the top
6251     * most non filter in order to prevent data corruption.
6252     * Another benefit is that this tests exclude backing files which are
6253     * blocked by the backing blockers.
6254     */
6255    if (!bdrv_recurse_is_first_non_filter(parent_bs, to_replace_bs)) {
6256        error_setg(errp, "Only top most non filter can be replaced");
6257        to_replace_bs = NULL;
6258        goto out;
6259    }
6260
6261out:
6262    aio_context_release(aio_context);
6263    return to_replace_bs;
6264}
6265
6266/**
6267 * Iterates through the list of runtime option keys that are said to
6268 * be "strong" for a BDS.  An option is called "strong" if it changes
6269 * a BDS's data.  For example, the null block driver's "size" and
6270 * "read-zeroes" options are strong, but its "latency-ns" option is
6271 * not.
6272 *
6273 * If a key returned by this function ends with a dot, all options
6274 * starting with that prefix are strong.
6275 */
6276static const char *const *strong_options(BlockDriverState *bs,
6277