From: Ryan Harper <ryanh@us.ibm.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: Stefan Hajnoczi <stefan.hajnoczi@uk.ibm.com>,
Anthony Liguori <aliguori@linux.vnet.ibm.com>,
Ryan Harper <ryanh@us.ibm.com>,
qemu-devel@nongnu.org, Kevin Wolf <kwolf@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 2/3] v2 Fix Block Hotplug race with drive_unplug()
Date: Mon, 1 Nov 2010 16:06:14 -0500 [thread overview]
Message-ID: <20101101210614.GF22904@us.ibm.com> (raw)
In-Reply-To: <m34oc5ksia.fsf@blackfin.pond.sub.org>
* Markus Armbruster <armbru@redhat.com> [2010-10-29 09:08]:
> Ryan Harper <ryanh@us.ibm.com> writes:
>
> > Block hot unplug is racy since the guest is required to acknowlege the ACPI
> > unplug event; this may not happen synchronously with the device removal command
> >
> > This series aims to close a gap where by mgmt applications that assume the
> > block resource has been removed without confirming that the guest has
> > acknowledged the removal may re-assign the underlying device to a second guest
> > leading to data leakage.
> >
> > This series introduces a new montor command to decouple asynchornous device
> > removal from restricting guest access to a block device. We do this by creating
> > a new monitor command drive_unplug which maps to a bdrv_unplug() command which
> > does a qemu_aio_flush; bdrv_flush() and bdrv_close(). Once complete, subsequent
> > IO is rejected from the device and the guest will get IO errors but continue to
> > function.
> >
> > A subsequent device removal command can be issued to remove the device, to which
> > the guest may or maynot respond, but as long as the unplugged bit is set, no IO
> > will be sumbitted.
> >
> > Changes since v1:
> > - Added qemu_aio_flush() before bdrv_flush() to wait on pending io
> >
> > Signed-off-by: Ryan Harper <ryanh@us.ibm.com>
> > ---
> > block.c | 7 +++++++
> > block.h | 1 +
> > blockdev.c | 26 ++++++++++++++++++++++++++
> > blockdev.h | 1 +
> > hmp-commands.hx | 15 +++++++++++++++
> > 5 files changed, 50 insertions(+), 0 deletions(-)
> >
> > diff --git a/block.c b/block.c
> > index a19374d..be47655 100644
> > --- a/block.c
> > +++ b/block.c
> > @@ -1328,6 +1328,13 @@ void bdrv_set_removable(BlockDriverState *bs, int removable)
> > }
> > }
> >
> > +void bdrv_unplug(BlockDriverState *bs)
> > +{
> > + qemu_aio_flush();
> > + bdrv_flush(bs);
> > + bdrv_close(bs);
> > +}
>
> Stupid question: why doesn't bdrv_close() flush automatically?
>
> And why do we have to flush here, but not before other uses of
> bdrv_close(), such as eject_device()?
>
> > +
> > int bdrv_is_removable(BlockDriverState *bs)
> > {
> > return bs->removable;
> > diff --git a/block.h b/block.h
> > index 5f64380..732f63e 100644
> > --- a/block.h
> > +++ b/block.h
> > @@ -171,6 +171,7 @@ void bdrv_set_on_error(BlockDriverState *bs, BlockErrorAction on_read_error,
> > BlockErrorAction on_write_error);
> > BlockErrorAction bdrv_get_on_error(BlockDriverState *bs, int is_read);
> > void bdrv_set_removable(BlockDriverState *bs, int removable);
> > +void bdrv_unplug(BlockDriverState *bs);
> > int bdrv_is_removable(BlockDriverState *bs);
> > int bdrv_is_read_only(BlockDriverState *bs);
> > int bdrv_is_sg(BlockDriverState *bs);
> > diff --git a/blockdev.c b/blockdev.c
> > index 5fc3b9b..68eb329 100644
> > --- a/blockdev.c
> > +++ b/blockdev.c
> > @@ -610,3 +610,29 @@ int do_change_block(Monitor *mon, const char *device,
> > }
> > return monitor_read_bdrv_key_start(mon, bs, NULL, NULL);
> > }
> > +
> > +int do_drive_unplug(Monitor *mon, const QDict *qdict, QObject **ret_data)
> > +{
> > + DriveInfo *dinfo;
> > + BlockDriverState *bs;
> > + const char *id;
> > +
> > + if (!qdict_haskey(qdict, "id")) {
> > + qerror_report(QERR_MISSING_PARAMETER, "id");
> > + return -1;
> > + }
>
> As Luiz pointed out, this check is redundant.
>
> > +
> > + id = qdict_get_str(qdict, "id");
> > + dinfo = drive_get_by_id(id);
> > + if (!dinfo) {
> > + qerror_report(QERR_DEVICE_NOT_FOUND, id);
> > + return -1;
> > + }
> > +
> > + /* mark block device unplugged */
> > + bs = dinfo->bdrv;
> > + bdrv_unplug(bs);
> > +
> > + return 0;
> > +}
> > +
>
> What about:
>
> const char *id = qdict_get_str(qdict, "id");
> BlockDriverState *bs;
>
> bs = bdrv_find(id);
> if (!bs) {
> qerror_report(QERR_DEVICE_NOT_FOUND, id);
> return -1;
> }
>
> bdrv_unplug(bs);
>
> return 0;
>
> Precedence: commit f8b6cc00 replaced uses of drive_get_by_id() by
> bdrv_find().
That works out nicely; and I can drop the drive_get_by_id() patch as
well. Thanks.
>
> > diff --git a/blockdev.h b/blockdev.h
> > index 19c6915..ecb9ac8 100644
> > --- a/blockdev.h
> > +++ b/blockdev.h
> > @@ -52,5 +52,6 @@ int do_eject(Monitor *mon, const QDict *qdict, QObject **ret_data);
> > int do_block_set_passwd(Monitor *mon, const QDict *qdict, QObject **ret_data);
> > int do_change_block(Monitor *mon, const char *device,
> > const char *filename, const char *fmt);
> > +int do_drive_unplug(Monitor *mon, const QDict *qdict, QObject **ret_data);
> >
> > #endif
> > diff --git a/hmp-commands.hx b/hmp-commands.hx
> > index 81999aa..7a32a2e 100644
> > --- a/hmp-commands.hx
> > +++ b/hmp-commands.hx
> > @@ -68,6 +68,21 @@ Eject a removable medium (use -f to force it).
> > ETEXI
> >
> > {
> > + .name = "drive_unplug",
> > + .args_type = "id:s",
> > + .params = "device",
> > + .help = "unplug block device",
> > + .user_print = monitor_user_noop,
> > + .mhandler.cmd_new = do_drive_unplug,
> > + },
> > +
> > +STEXI
> > +@item unplug @var{device}
> > +@findex unplug
> > +Unplug block device.
>
> A bit terse, isn't it? What does it mean to unplug a block device?
> What's its observable effect on the guest? Does it look like disk gone
> completely south, perhaps?
Well, most of the info in here is rather sparse as well, so there is
clear precedence for it's terseness; I'll be a bit more verbose in the
next version.
--
Ryan Harper
Software Engineer; Linux Technology Center
IBM Corp., Austin, Tx
ryanh@us.ibm.com
next prev parent reply other threads:[~2010-11-01 21:06 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-25 18:22 [Qemu-devel] [PATCH 0/3] v4 Decouple block device removal from device removal Ryan Harper
2010-10-25 18:22 ` [Qemu-devel] [PATCH 1/3] v2 Add drive_get_by_id Ryan Harper
2010-10-29 13:18 ` Markus Armbruster
2010-10-25 18:22 ` [Qemu-devel] [PATCH 2/3] v2 Fix Block Hotplug race with drive_unplug() Ryan Harper
2010-10-29 14:01 ` Markus Armbruster
2010-10-29 14:15 ` Anthony Liguori
2010-10-29 14:29 ` Kevin Wolf
2010-10-29 14:40 ` Anthony Liguori
2010-10-29 14:57 ` Kevin Wolf
2010-10-29 15:28 ` Anthony Liguori
2010-10-29 16:08 ` Kevin Wolf
2010-10-30 13:25 ` Christoph Hellwig
2010-10-29 15:28 ` Markus Armbruster
2010-11-01 21:06 ` Ryan Harper [this message]
2010-10-25 18:22 ` [Qemu-devel] [PATCH 3/3] Add qmp version of drive_unplug Ryan Harper
2010-10-29 14:12 ` [Qemu-devel] [PATCH 0/3] v4 Decouple block device removal from device removal Markus Armbruster
2010-10-29 15:03 ` Ryan Harper
2010-10-29 16:10 ` Markus Armbruster
2010-10-29 16:50 ` Ryan Harper
2010-11-02 9:40 ` Markus Armbruster
2010-11-02 13:22 ` Michael S. Tsirkin
2010-11-02 13:41 ` Kevin Wolf
2010-11-02 13:46 ` Ryan Harper
2010-11-02 13:58 ` Michael S. Tsirkin
2010-11-02 14:22 ` Ryan Harper
2010-11-02 15:46 ` Michael S. Tsirkin
2010-11-02 16:53 ` Ryan Harper
2010-11-02 17:59 ` Michael S. Tsirkin
2010-11-02 19:01 ` Ryan Harper
2010-11-02 19:17 ` Michael S. Tsirkin
2010-11-02 20:23 ` Ryan Harper
2010-11-03 7:21 ` Michael S. Tsirkin
2010-11-03 12:04 ` Ryan Harper
2010-11-03 16:41 ` Markus Armbruster
2010-11-03 17:29 ` Ryan Harper
2010-11-03 18:02 ` Michael S. Tsirkin
2010-11-03 20:59 ` Ryan Harper
2010-11-03 21:26 ` Michael S. Tsirkin
2010-11-04 16:45 ` Ryan Harper
2010-11-04 17:04 ` Michael S. Tsirkin
2010-11-05 13:27 ` Markus Armbruster
2010-11-05 14:17 ` Michael S. Tsirkin
2010-11-05 14:29 ` Ryan Harper
2010-11-05 16:01 ` Markus Armbruster
2010-11-08 21:02 ` Michael S. Tsirkin
2010-11-05 14:25 ` Ryan Harper
2010-11-05 16:10 ` Markus Armbruster
2010-11-05 16:22 ` Ryan Harper
2010-11-06 8:18 ` Markus Armbruster
2010-11-08 2:19 ` Ryan Harper
2010-11-08 10:32 ` Markus Armbruster
2010-11-08 10:49 ` Michael S. Tsirkin
2010-11-08 12:03 ` Markus Armbruster
2010-11-08 14:02 ` Ryan Harper
2010-11-08 16:56 ` Michael S. Tsirkin
2010-11-08 17:04 ` Daniel P. Berrange
2010-11-08 18:41 ` Ryan Harper
2010-11-08 18:39 ` Ryan Harper
2010-11-08 19:06 ` Daniel P. Berrange
2010-11-08 16:34 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101101210614.GF22904@us.ibm.com \
--to=ryanh@us.ibm.com \
--cc=aliguori@linux.vnet.ibm.com \
--cc=armbru@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefan.hajnoczi@uk.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.