blockdev: Refuse to drive_del something added with blockdev-add

For some device models, the guest can prevent unplug. Some users need a way to forcibly revoke device model access to the block backend then, so the underlying images can be safely used for something else. drive_del lets you do that. Unfortunately, it conflates revoking access with destroying the backend. Commit 9063f814 made drive_del immediately destroy the root BDS. Nice: the device name becomes available for reuse immediately. Not so nice: the device model's pointer to the root BDS dangles, and we're prone to crash when the memory gets reused. Commit d22b2f41 fixed that by hiding the root BDS instead of destroying it. Destruction only happens on unplug. "Hiding" means removing it from bdrv_states and graph_bdrv_states; see bdrv_make_anon(). This "destroy on revoke" is a misfeature we don't want to carry forward to blockdev-add, just like "destroy on unplug" (commit 2d246f01). So make drive_del fail on anything added with blockdev-add. We'll add separate QMP commands to revoke device model access and to destroy backends. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>

blockdev: Refuse to drive_del something added with blockdev-add
For some device models, the guest can prevent unplug. Some users need a way to forcibly revoke device model access to the block backend then, so the underlying images can be safely used for something else. drive_del lets you do that. Unfortunately, it conflates revoking access with destroying the backend. Commit 9063f814 made drive_del immediately destroy the root BDS. Nice: the device name becomes available for reuse immediately. Not so nice: the device model's pointer to the root BDS dangles, and we're prone to crash when the memory gets reused. Commit d22b2f41 fixed that by hiding the root BDS instead of destroying it. Destruction only happens on unplug. "Hiding" means removing it from bdrv_states and graph_bdrv_states; see bdrv_make_anon(). This "destroy on revoke" is a misfeature we don't want to carry forward to blockdev-add, just like "destroy on unplug" (commit 2d246f01). So make drive_del fail on anything added with blockdev-add. We'll add separate QMP commands to revoke device model access and to destroy backends. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
48f364dd · Markus Armbruster · Kevin Wolf · 624ff573 · 48f364dd
Commit 48f364dd authored 10 years ago by Markus Armbruster Committed by Kevin Wolf 10 years ago
--- a/blockdev.c
+++ b/blockdev.c
@@ -1739,6 +1739,7 @@ int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data)
 {
    const char *id = qdict_get_str(qdict, "id");
    BlockDriverState *bs;
+    DriveInfo *dinfo;
    AioContext *aio_context;
    Error *local_err = NULL;

@@ -1748,6 +1749,13 @@ int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data)
        return -1;
    }

+    dinfo = drive_get_by_blockdev(bs);
+    if (dinfo && !dinfo->enable_auto_del) {
+        error_report("Deleting device added with blockdev-add"
+                     " is not supported");
+        return -1;
+    }
+
    aio_context = bdrv_get_aio_context(bs);
    aio_context_acquire(aio_context);

@@ -1775,7 +1783,7 @@ int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data)
        bdrv_set_on_error(bs, BLOCKDEV_ON_ERROR_REPORT,
                          BLOCKDEV_ON_ERROR_REPORT);
    } else {
-        drive_del(drive_get_by_blockdev(bs));
+        drive_del(dinfo);
    }

    aio_context_release(aio_context);