Bug Summary

File:block/qcow2-refcount.c
Location:line 760, column 21
Description:Dereference of null pointer

Annotated Source Code

1/*
2 * Block driver for the QCOW version 2 format
3 *
4 * Copyright (c) 2004-2006 Fabrice Bellard
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 * THE SOFTWARE.
23 */
24
25#include "qemu-common.h"
26#include "block_int.h"
27#include "block/qcow2.h"
28
29static int64_t alloc_clusters_noref(BlockDriverState *bs, int64_t size);
30static int QEMU_WARN_UNUSED_RESULT__attribute__((warn_unused_result)) update_refcount(BlockDriverState *bs,
31 int64_t offset, int64_t length,
32 int addend);
33
34
35/*********************************************************/
36/* refcount handling */
37
38int qcow2_refcount_init(BlockDriverState *bs)
39{
40 BDRVQcowState *s = bs->opaque;
41 int ret, refcount_table_size2, i;
42
43 refcount_table_size2 = s->refcount_table_size * sizeof(uint64_t);
44 s->refcount_table = g_malloc(refcount_table_size2);
45 if (s->refcount_table_size > 0) {
46 BLKDBG_EVENT(bs->file, BLKDBG_REFTABLE_LOAD)bdrv_debug_event(bs->file, BLKDBG_REFTABLE_LOAD);
47 ret = bdrv_pread(bs->file, s->refcount_table_offset,
48 s->refcount_table, refcount_table_size2);
49 if (ret != refcount_table_size2)
50 goto fail;
51 for(i = 0; i < s->refcount_table_size; i++)
52 be64_to_cpus(&s->refcount_table[i]);
53 }
54 return 0;
55 fail:
56 return -ENOMEM12;
57}
58
59void qcow2_refcount_close(BlockDriverState *bs)
60{
61 BDRVQcowState *s = bs->opaque;
62 g_free(s->refcount_table);
63}
64
65
66static int load_refcount_block(BlockDriverState *bs,
67 int64_t refcount_block_offset,
68 void **refcount_block)
69{
70 BDRVQcowState *s = bs->opaque;
71 int ret;
72
73 BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_LOAD)bdrv_debug_event(bs->file, BLKDBG_REFBLOCK_LOAD);
74 ret = qcow2_cache_get(bs, s->refcount_block_cache, refcount_block_offset,
75 refcount_block);
76
77 return ret;
78}
79
80/*
81 * Returns the refcount of the cluster given by its index. Any non-negative
82 * return value is the refcount of the cluster, negative values are -errno
83 * and indicate an error.
84 */
85static int get_refcount(BlockDriverState *bs, int64_t cluster_index)
86{
87 BDRVQcowState *s = bs->opaque;
88 int refcount_table_index, block_index;
89 int64_t refcount_block_offset;
90 int ret;
91 uint16_t *refcount_block;
92 uint16_t refcount;
93
94 refcount_table_index = cluster_index >> (s->cluster_bits - REFCOUNT_SHIFT1);
95 if (refcount_table_index >= s->refcount_table_size)
96 return 0;
97 refcount_block_offset = s->refcount_table[refcount_table_index];
98 if (!refcount_block_offset)
99 return 0;
100
101 ret = qcow2_cache_get(bs, s->refcount_block_cache, refcount_block_offset,
102 (void**) &refcount_block);
103 if (ret < 0) {
104 return ret;
105 }
106
107 block_index = cluster_index &
108 ((1 << (s->cluster_bits - REFCOUNT_SHIFT1)) - 1);
109 refcount = be16_to_cpu(refcount_block[block_index]);
110
111 ret = qcow2_cache_put(bs, s->refcount_block_cache,
112 (void**) &refcount_block);
113 if (ret < 0) {
114 return ret;
115 }
116
117 return refcount;
118}
119
120/*
121 * Rounds the refcount table size up to avoid growing the table for each single
122 * refcount block that is allocated.
123 */
124static unsigned int next_refcount_table_size(BDRVQcowState *s,
125 unsigned int min_size)
126{
127 unsigned int min_clusters = (min_size >> (s->cluster_bits - 3)) + 1;
128 unsigned int refcount_table_clusters =
129 MAX(1, s->refcount_table_size >> (s->cluster_bits - 3))(((1) > (s->refcount_table_size >> (s->cluster_bits
- 3))) ? (1) : (s->refcount_table_size >> (s->cluster_bits
- 3)));
130
131 while (min_clusters > refcount_table_clusters) {
132 refcount_table_clusters = (refcount_table_clusters * 3 + 1) / 2;
133 }
134
135 return refcount_table_clusters << (s->cluster_bits - 3);
136}
137
138
139/* Checks if two offsets are described by the same refcount block */
140static int in_same_refcount_block(BDRVQcowState *s, uint64_t offset_a,
141 uint64_t offset_b)
142{
143 uint64_t block_a = offset_a >> (2 * s->cluster_bits - REFCOUNT_SHIFT1);
144 uint64_t block_b = offset_b >> (2 * s->cluster_bits - REFCOUNT_SHIFT1);
145
146 return (block_a == block_b);
147}
148
149/*
150 * Loads a refcount block. If it doesn't exist yet, it is allocated first
151 * (including growing the refcount table if needed).
152 *
153 * Returns 0 on success or -errno in error case
154 */
155static int alloc_refcount_block(BlockDriverState *bs,
156 int64_t cluster_index, uint16_t **refcount_block)
157{
158 BDRVQcowState *s = bs->opaque;
159 unsigned int refcount_table_index;
160 int ret;
161
162 BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_ALLOC)bdrv_debug_event(bs->file, BLKDBG_REFBLOCK_ALLOC);
163
164 /* Find the refcount block for the given cluster */
165 refcount_table_index = cluster_index >> (s->cluster_bits - REFCOUNT_SHIFT1);
166
167 if (refcount_table_index < s->refcount_table_size) {
168
169 uint64_t refcount_block_offset =
170 s->refcount_table[refcount_table_index] & REFT_OFFSET_MASK0xffffffffffffff00ULL;
171
172 /* If it's already there, we're done */
173 if (refcount_block_offset) {
174 return load_refcount_block(bs, refcount_block_offset,
175 (void**) refcount_block);
176 }
177 }
178
179 /*
180 * If we came here, we need to allocate something. Something is at least
181 * a cluster for the new refcount block. It may also include a new refcount
182 * table if the old refcount table is too small.
183 *
184 * Note that allocating clusters here needs some special care:
185 *
186 * - We can't use the normal qcow2_alloc_clusters(), it would try to
187 * increase the refcount and very likely we would end up with an endless
188 * recursion. Instead we must place the refcount blocks in a way that
189 * they can describe them themselves.
190 *
191 * - We need to consider that at this point we are inside update_refcounts
192 * and doing the initial refcount increase. This means that some clusters
193 * have already been allocated by the caller, but their refcount isn't
194 * accurate yet. free_cluster_index tells us where this allocation ends
195 * as long as we don't overwrite it by freeing clusters.
196 *
197 * - alloc_clusters_noref and qcow2_free_clusters may load a different
198 * refcount block into the cache
199 */
200
201 *refcount_block = NULL((void*)0);
202
203 /* We write to the refcount table, so we might depend on L2 tables */
204 qcow2_cache_flush(bs, s->l2_table_cache);
205
206 /* Allocate the refcount block itself and mark it as used */
207 int64_t new_block = alloc_clusters_noref(bs, s->cluster_size);
208 if (new_block < 0) {
209 return new_block;
210 }
211
212#ifdef DEBUG_ALLOC2
213 fprintf(stderrstderr, "qcow2: Allocate refcount block %d for %" PRIx64"l" "x"
214 " at %" PRIx64"l" "x" "\n",
215 refcount_table_index, cluster_index << s->cluster_bits, new_block);
216#endif
217
218 if (in_same_refcount_block(s, new_block, cluster_index << s->cluster_bits)) {
219 /* Zero the new refcount block before updating it */
220 ret = qcow2_cache_get_empty(bs, s->refcount_block_cache, new_block,
221 (void**) refcount_block);
222 if (ret < 0) {
223 goto fail_block;
224 }
225
226 memset(*refcount_block, 0, s->cluster_size);
227
228 /* The block describes itself, need to update the cache */
229 int block_index = (new_block >> s->cluster_bits) &
230 ((1 << (s->cluster_bits - REFCOUNT_SHIFT1)) - 1);
231 (*refcount_block)[block_index] = cpu_to_be16(1);
232 } else {
233 /* Described somewhere else. This can recurse at most twice before we
234 * arrive at a block that describes itself. */
235 ret = update_refcount(bs, new_block, s->cluster_size, 1);
236 if (ret < 0) {
237 goto fail_block;
238 }
239
240 bdrv_flush(bs->file);
241
242 /* Initialize the new refcount block only after updating its refcount,
243 * update_refcount uses the refcount cache itself */
244 ret = qcow2_cache_get_empty(bs, s->refcount_block_cache, new_block,
245 (void**) refcount_block);
246 if (ret < 0) {
247 goto fail_block;
248 }
249
250 memset(*refcount_block, 0, s->cluster_size);
251 }
252
253 /* Now the new refcount block needs to be written to disk */
254 BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_ALLOC_WRITE)bdrv_debug_event(bs->file, BLKDBG_REFBLOCK_ALLOC_WRITE);
255 qcow2_cache_entry_mark_dirty(s->refcount_block_cache, *refcount_block);
256 ret = qcow2_cache_flush(bs, s->refcount_block_cache);
257 if (ret < 0) {
258 goto fail_block;
259 }
260
261 /* If the refcount table is big enough, just hook the block up there */
262 if (refcount_table_index < s->refcount_table_size) {
263 uint64_t data64 = cpu_to_be64(new_block);
264 BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_ALLOC_HOOKUP)bdrv_debug_event(bs->file, BLKDBG_REFBLOCK_ALLOC_HOOKUP);
265 ret = bdrv_pwrite_sync(bs->file,
266 s->refcount_table_offset + refcount_table_index * sizeof(uint64_t),
267 &data64, sizeof(data64));
268 if (ret < 0) {
269 goto fail_block;
270 }
271
272 s->refcount_table[refcount_table_index] = new_block;
273 return 0;
274 }
275
276 ret = qcow2_cache_put(bs, s->refcount_block_cache, (void**) refcount_block);
277 if (ret < 0) {
278 goto fail_block;
279 }
280
281 /*
282 * If we come here, we need to grow the refcount table. Again, a new
283 * refcount table needs some space and we can't simply allocate to avoid
284 * endless recursion.
285 *
286 * Therefore let's grab new refcount blocks at the end of the image, which
287 * will describe themselves and the new refcount table. This way we can
288 * reference them only in the new table and do the switch to the new
289 * refcount table at once without producing an inconsistent state in
290 * between.
291 */
292 BLKDBG_EVENT(bs->file, BLKDBG_REFTABLE_GROW)bdrv_debug_event(bs->file, BLKDBG_REFTABLE_GROW);
293
294 /* Calculate the number of refcount blocks needed so far */
295 uint64_t refcount_block_clusters = 1 << (s->cluster_bits - REFCOUNT_SHIFT1);
296 uint64_t blocks_used = (s->free_cluster_index +
297 refcount_block_clusters - 1) / refcount_block_clusters;
298
299 /* And now we need at least one block more for the new metadata */
300 uint64_t table_size = next_refcount_table_size(s, blocks_used + 1);
301 uint64_t last_table_size;
302 uint64_t blocks_clusters;
303 do {
304 uint64_t table_clusters = size_to_clusters(s, table_size);
305 blocks_clusters = 1 +
306 ((table_clusters + refcount_block_clusters - 1)
307 / refcount_block_clusters);
308 uint64_t meta_clusters = table_clusters + blocks_clusters;
309
310 last_table_size = table_size;
311 table_size = next_refcount_table_size(s, blocks_used +
312 ((meta_clusters + refcount_block_clusters - 1)
313 / refcount_block_clusters));
314
315 } while (last_table_size != table_size);
316
317#ifdef DEBUG_ALLOC2
318 fprintf(stderrstderr, "qcow2: Grow refcount table %" PRId32"d" " => %" PRId64"l" "d" "\n",
319 s->refcount_table_size, table_size);
320#endif
321
322 /* Create the new refcount table and blocks */
323 uint64_t meta_offset = (blocks_used * refcount_block_clusters) *
324 s->cluster_size;
325 uint64_t table_offset = meta_offset + blocks_clusters * s->cluster_size;
326 uint16_t *new_blocks = g_malloc0(blocks_clusters * s->cluster_size);
327 uint64_t *new_table = g_malloc0(table_size * sizeof(uint64_t));
328
329 assert(meta_offset >= (s->free_cluster_index * s->cluster_size))((meta_offset >= (s->free_cluster_index * s->cluster_size
)) ? (void) (0) : __assert_fail ("meta_offset >= (s->free_cluster_index * s->cluster_size)"
, "/home/stefan/src/qemu/qemu.org/qemu/block/qcow2-refcount.c"
, 329, __PRETTY_FUNCTION__));
330
331 /* Fill the new refcount table */
332 memcpy(new_table, s->refcount_table,
333 s->refcount_table_size * sizeof(uint64_t));
334 new_table[refcount_table_index] = new_block;
335
336 int i;
337 for (i = 0; i < blocks_clusters; i++) {
338 new_table[blocks_used + i] = meta_offset + (i * s->cluster_size);
339 }
340
341 /* Fill the refcount blocks */
342 uint64_t table_clusters = size_to_clusters(s, table_size * sizeof(uint64_t));
343 int block = 0;
344 for (i = 0; i < table_clusters + blocks_clusters; i++) {
345 new_blocks[block++] = cpu_to_be16(1);
346 }
347
348 /* Write refcount blocks to disk */
349 BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_ALLOC_WRITE_BLOCKS)bdrv_debug_event(bs->file, BLKDBG_REFBLOCK_ALLOC_WRITE_BLOCKS
);
350 ret = bdrv_pwrite_sync(bs->file, meta_offset, new_blocks,
351 blocks_clusters * s->cluster_size);
352 g_free(new_blocks);
353 if (ret < 0) {
354 goto fail_table;
355 }
356
357 /* Write refcount table to disk */
358 for(i = 0; i < table_size; i++) {
359 cpu_to_be64s(&new_table[i]);
360 }
361
362 BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_ALLOC_WRITE_TABLE)bdrv_debug_event(bs->file, BLKDBG_REFBLOCK_ALLOC_WRITE_TABLE
);
363 ret = bdrv_pwrite_sync(bs->file, table_offset, new_table,
364 table_size * sizeof(uint64_t));
365 if (ret < 0) {
366 goto fail_table;
367 }
368
369 for(i = 0; i < table_size; i++) {
370 be64_to_cpus(&new_table[i]);
371 }
372
373 /* Hook up the new refcount table in the qcow2 header */
374 uint8_t data[12];
375 cpu_to_be64w((uint64_t*)data, table_offset);
376 cpu_to_be32w((uint32_t*)(data + 8), table_clusters);
377 BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_ALLOC_SWITCH_TABLE)bdrv_debug_event(bs->file, BLKDBG_REFBLOCK_ALLOC_SWITCH_TABLE
);
378 ret = bdrv_pwrite_sync(bs->file, offsetof(QCowHeader, refcount_table_offset)__builtin_offsetof(QCowHeader, refcount_table_offset),
379 data, sizeof(data));
380 if (ret < 0) {
381 goto fail_table;
382 }
383
384 /* And switch it in memory */
385 uint64_t old_table_offset = s->refcount_table_offset;
386 uint64_t old_table_size = s->refcount_table_size;
387
388 g_free(s->refcount_table);
389 s->refcount_table = new_table;
390 s->refcount_table_size = table_size;
391 s->refcount_table_offset = table_offset;
392
393 /* Free old table. Remember, we must not change free_cluster_index */
394 uint64_t old_free_cluster_index = s->free_cluster_index;
395 qcow2_free_clusters(bs, old_table_offset, old_table_size * sizeof(uint64_t));
396 s->free_cluster_index = old_free_cluster_index;
397
398 ret = load_refcount_block(bs, new_block, (void**) refcount_block);
399 if (ret < 0) {
400 return ret;
401 }
402
403 return 0;
404
405fail_table:
406 g_free(new_table);
407fail_block:
408 if (*refcount_block != NULL((void*)0)) {
409 qcow2_cache_put(bs, s->refcount_block_cache, (void**) refcount_block);
410 }
411 return ret;
412}
413
414/* XXX: cache several refcount block clusters ? */
415static int QEMU_WARN_UNUSED_RESULT__attribute__((warn_unused_result)) update_refcount(BlockDriverState *bs,
416 int64_t offset, int64_t length, int addend)
417{
418 BDRVQcowState *s = bs->opaque;
419 int64_t start, last, cluster_offset;
420 uint16_t *refcount_block = NULL((void*)0);
421 int64_t old_table_index = -1;
422 int ret;
423
424#ifdef DEBUG_ALLOC2
425 fprintf(stderrstderr, "update_refcount: offset=%" PRId64"l" "d" " size=%" PRId64"l" "d" " addend=%d\n",
426 offset, length, addend);
427#endif
428 if (length < 0) {
429 return -EINVAL22;
430 } else if (length == 0) {
431 return 0;
432 }
433
434 if (addend < 0) {
435 qcow2_cache_set_dependency(bs, s->refcount_block_cache,
436 s->l2_table_cache);
437 }
438
439 start = offset & ~(s->cluster_size - 1);
440 last = (offset + length - 1) & ~(s->cluster_size - 1);
441 for(cluster_offset = start; cluster_offset <= last;
442 cluster_offset += s->cluster_size)
443 {
444 int block_index, refcount;
445 int64_t cluster_index = cluster_offset >> s->cluster_bits;
446 int64_t table_index =
447 cluster_index >> (s->cluster_bits - REFCOUNT_SHIFT1);
448
449 /* Load the refcount block and allocate it if needed */
450 if (table_index != old_table_index) {
451 if (refcount_block) {
452 ret = qcow2_cache_put(bs, s->refcount_block_cache,
453 (void**) &refcount_block);
454 if (ret < 0) {
455 goto fail;
456 }
457 }
458
459 ret = alloc_refcount_block(bs, cluster_index, &refcount_block);
460 if (ret < 0) {
461 goto fail;
462 }
463 }
464 old_table_index = table_index;
465
466 qcow2_cache_entry_mark_dirty(s->refcount_block_cache, refcount_block);
467
468 /* we can update the count and save it */
469 block_index = cluster_index &
470 ((1 << (s->cluster_bits - REFCOUNT_SHIFT1)) - 1);
471
472 refcount = be16_to_cpu(refcount_block[block_index]);
473 refcount += addend;
474 if (refcount < 0 || refcount > 0xffff) {
475 ret = -EINVAL22;
476 goto fail;
477 }
478 if (refcount == 0 && cluster_index < s->free_cluster_index) {
479 s->free_cluster_index = cluster_index;
480 }
481 refcount_block[block_index] = cpu_to_be16(refcount);
482 }
483
484 ret = 0;
485fail:
486 /* Write last changed block to disk */
487 if (refcount_block) {
488 int wret;
489 wret = qcow2_cache_put(bs, s->refcount_block_cache,
490 (void**) &refcount_block);
491 if (wret < 0) {
492 return ret < 0 ? ret : wret;
493 }
494 }
495
496 /*
497 * Try do undo any updates if an error is returned (This may succeed in
498 * some cases like ENOSPC for allocating a new refcount block)
499 */
500 if (ret < 0) {
501 int dummy;
502 dummy = update_refcount(bs, offset, cluster_offset - offset, -addend);
503 (void)dummy;
504 }
505
506 return ret;
507}
508
509/*
510 * Increases or decreases the refcount of a given cluster by one.
511 * addend must be 1 or -1.
512 *
513 * If the return value is non-negative, it is the new refcount of the cluster.
514 * If it is negative, it is -errno and indicates an error.
515 */
516static int update_cluster_refcount(BlockDriverState *bs,
517 int64_t cluster_index,
518 int addend)
519{
520 BDRVQcowState *s = bs->opaque;
521 int ret;
522
523 ret = update_refcount(bs, cluster_index << s->cluster_bits, 1, addend);
524 if (ret < 0) {
525 return ret;
526 }
527
528 bdrv_flush(bs->file);
529
530 return get_refcount(bs, cluster_index);
531}
532
533
534
535/*********************************************************/
536/* cluster allocation functions */
537
538
539
540/* return < 0 if error */
541static int64_t alloc_clusters_noref(BlockDriverState *bs, int64_t size)
542{
543 BDRVQcowState *s = bs->opaque;
544 int i, nb_clusters, refcount;
545
546 nb_clusters = size_to_clusters(s, size);
547retry:
548 for(i = 0; i < nb_clusters; i++) {
549 int64_t next_cluster_index = s->free_cluster_index++;
550 refcount = get_refcount(bs, next_cluster_index);
551
552 if (refcount < 0) {
553 return refcount;
554 } else if (refcount != 0) {
555 goto retry;
556 }
557 }
558#ifdef DEBUG_ALLOC2
559 fprintf(stderrstderr, "alloc_clusters: size=%" PRId64"l" "d" " -> %" PRId64"l" "d" "\n",
560 size,
561 (s->free_cluster_index - nb_clusters) << s->cluster_bits);
562#endif
563 return (s->free_cluster_index - nb_clusters) << s->cluster_bits;
564}
565
566int64_t qcow2_alloc_clusters(BlockDriverState *bs, int64_t size)
567{
568 int64_t offset;
569 int ret;
570
571 BLKDBG_EVENT(bs->file, BLKDBG_CLUSTER_ALLOC)bdrv_debug_event(bs->file, BLKDBG_CLUSTER_ALLOC);
572 offset = alloc_clusters_noref(bs, size);
573 if (offset < 0) {
574 return offset;
575 }
576
577 ret = update_refcount(bs, offset, size, 1);
578 if (ret < 0) {
579 return ret;
580 }
581
582 return offset;
583}
584
585int qcow2_alloc_clusters_at(BlockDriverState *bs, uint64_t offset,
586 int nb_clusters)
587{
588 BDRVQcowState *s = bs->opaque;
589 uint64_t cluster_index;
590 uint64_t old_free_cluster_index;
591 int i, refcount, ret;
592
593 /* Check how many clusters there are free */
594 cluster_index = offset >> s->cluster_bits;
595 for(i = 0; i < nb_clusters; i++) {
596 refcount = get_refcount(bs, cluster_index++);
597
598 if (refcount < 0) {
599 return refcount;
600 } else if (refcount != 0) {
601 break;
602 }
603 }
604
605 /* And then allocate them */
606 old_free_cluster_index = s->free_cluster_index;
607 s->free_cluster_index = cluster_index + i;
608
609 ret = update_refcount(bs, offset, i << s->cluster_bits, 1);
610 if (ret < 0) {
611 return ret;
612 }
613
614 s->free_cluster_index = old_free_cluster_index;
615
616 return i;
617}
618
619/* only used to allocate compressed sectors. We try to allocate
620 contiguous sectors. size must be <= cluster_size */
621int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size)
622{
623 BDRVQcowState *s = bs->opaque;
624 int64_t offset, cluster_offset;
625 int free_in_cluster;
626
627 BLKDBG_EVENT(bs->file, BLKDBG_CLUSTER_ALLOC_BYTES)bdrv_debug_event(bs->file, BLKDBG_CLUSTER_ALLOC_BYTES);
628 assert(size > 0 && size <= s->cluster_size)((size > 0 && size <= s->cluster_size) ? (void
) (0) : __assert_fail ("size > 0 && size <= s->cluster_size"
, "/home/stefan/src/qemu/qemu.org/qemu/block/qcow2-refcount.c"
, 628, __PRETTY_FUNCTION__));
629 if (s->free_byte_offset == 0) {
630 s->free_byte_offset = qcow2_alloc_clusters(bs, s->cluster_size);
631 if (s->free_byte_offset < 0) {
632 return s->free_byte_offset;
633 }
634 }
635 redo:
636 free_in_cluster = s->cluster_size -
637 (s->free_byte_offset & (s->cluster_size - 1));
638 if (size <= free_in_cluster) {
639 /* enough space in current cluster */
640 offset = s->free_byte_offset;
641 s->free_byte_offset += size;
642 free_in_cluster -= size;
643 if (free_in_cluster == 0)
644 s->free_byte_offset = 0;
645 if ((offset & (s->cluster_size - 1)) != 0)
646 update_cluster_refcount(bs, offset >> s->cluster_bits, 1);
647 } else {
648 offset = qcow2_alloc_clusters(bs, s->cluster_size);
649 if (offset < 0) {
650 return offset;
651 }
652 cluster_offset = s->free_byte_offset & ~(s->cluster_size - 1);
653 if ((cluster_offset + s->cluster_size) == offset) {
654 /* we are lucky: contiguous data */
655 offset = s->free_byte_offset;
656 update_cluster_refcount(bs, offset >> s->cluster_bits, 1);
657 s->free_byte_offset += size;
658 } else {
659 s->free_byte_offset = offset;
660 goto redo;
661 }
662 }
663
664 bdrv_flush(bs->file);
665 return offset;
666}
667
668void qcow2_free_clusters(BlockDriverState *bs,
669 int64_t offset, int64_t size)
670{
671 int ret;
672
673 BLKDBG_EVENT(bs->file, BLKDBG_CLUSTER_FREE)bdrv_debug_event(bs->file, BLKDBG_CLUSTER_FREE);
674 ret = update_refcount(bs, offset, size, -1);
675 if (ret < 0) {
676 fprintf(stderrstderr, "qcow2_free_clusters failed: %s\n", strerror(-ret));
677 /* TODO Remember the clusters to free them later and avoid leaking */
678 }
679}
680
681/*
682 * Free a cluster using its L2 entry (handles clusters of all types, e.g.
683 * normal cluster, compressed cluster, etc.)
684 */
685void qcow2_free_any_clusters(BlockDriverState *bs,
686 uint64_t l2_entry, int nb_clusters)
687{
688 BDRVQcowState *s = bs->opaque;
689
690 switch (qcow2_get_cluster_type(l2_entry)) {
691 case QCOW2_CLUSTER_COMPRESSED:
692 {
693 int nb_csectors;
694 nb_csectors = ((l2_entry >> s->csize_shift) &
695 s->csize_mask) + 1;
696 qcow2_free_clusters(bs,
697 (l2_entry & s->cluster_offset_mask) & ~511,
698 nb_csectors * 512);
699 }
700 break;
701 case QCOW2_CLUSTER_NORMAL:
702 qcow2_free_clusters(bs, l2_entry & L2E_OFFSET_MASK0x00ffffffffffff00ULL,
703 nb_clusters << s->cluster_bits);
704 break;
705 case QCOW2_CLUSTER_UNALLOCATED:
706 case QCOW2_CLUSTER_ZERO:
707 break;
708 default:
709 abort();
710 }
711}
712
713
714
715/*********************************************************/
716/* snapshots and image creation */
717
718
719
720/* update the refcounts of snapshots and the copied flag */
721int qcow2_update_snapshot_refcount(BlockDriverState *bs,
722 int64_t l1_table_offset, int l1_size, int addend)
723{
724 BDRVQcowState *s = bs->opaque;
725 uint64_t *l1_table, *l2_table, l2_offset, offset, l1_size2, l1_allocated;
726 int64_t old_offset, old_l2_offset;
727 int i, j, l1_modified = 0, nb_csectors, refcount;
728 int ret;
729
730 l2_table = NULL((void*)0);
731 l1_table = NULL((void*)0);
732 l1_size2 = l1_size * sizeof(uint64_t);
733
734 /* WARNING: qcow2_snapshot_goto relies on this function not using the
735 * l1_table_offset when it is the current s->l1_table_offset! Be careful
736 * when changing this! */
737 if (l1_table_offset != s->l1_table_offset) {
1
Taking true branch
738 if (l1_size2 != 0) {
2
Taking false branch
739 l1_table = g_malloc0(align_offset(l1_size2, 512));
740 } else {
741 l1_table = NULL((void*)0);
3
Null pointer value stored to 'l1_table'
742 }
743 l1_allocated = 1;
744 if (bdrv_pread(bs->file, l1_table_offset,
4
Taking false branch
745 l1_table, l1_size2) != l1_size2)
746 {
747 ret = -EIO5;
748 goto fail;
749 }
750
751 for(i = 0;i < l1_size; i++)
5
Loop condition is true. Entering loop body
6
Loop condition is false. Execution continues on line 759
752 be64_to_cpus(&l1_table[i]);
753 } else {
754 assert(l1_size == s->l1_size)((l1_size == s->l1_size) ? (void) (0) : __assert_fail ("l1_size == s->l1_size"
, "/home/stefan/src/qemu/qemu.org/qemu/block/qcow2-refcount.c"
, 754, __PRETTY_FUNCTION__));
755 l1_table = s->l1_table;
756 l1_allocated = 0;
757 }
758
759 for(i = 0; i < l1_size; i++) {
7
Loop condition is true. Entering loop body
760 l2_offset = l1_table[i];
8
Dereference of null pointer
761 if (l2_offset) {
762 old_l2_offset = l2_offset;
763 l2_offset &= L1E_OFFSET_MASK0x00ffffffffffff00ULL;
764
765 ret = qcow2_cache_get(bs, s->l2_table_cache, l2_offset,
766 (void**) &l2_table);
767 if (ret < 0) {
768 goto fail;
769 }
770
771 for(j = 0; j < s->l2_size; j++) {
772 offset = be64_to_cpu(l2_table[j]);
773 if (offset != 0) {
774 old_offset = offset;
775 offset &= ~QCOW_OFLAG_COPIED(1LL << 63);
776 if (offset & QCOW_OFLAG_COMPRESSED(1LL << 62)) {
777 nb_csectors = ((offset >> s->csize_shift) &
778 s->csize_mask) + 1;
779 if (addend != 0) {
780 int ret;
781 ret = update_refcount(bs,
782 (offset & s->cluster_offset_mask) & ~511,
783 nb_csectors * 512, addend);
784 if (ret < 0) {
785 goto fail;
786 }
787
788 /* TODO Flushing once for the whole function should
789 * be enough */
790 bdrv_flush(bs->file);
791 }
792 /* compressed clusters are never modified */
793 refcount = 2;
794 } else {
795 uint64_t cluster_index = (offset & L2E_OFFSET_MASK0x00ffffffffffff00ULL) >> s->cluster_bits;
796 if (addend != 0) {
797 refcount = update_cluster_refcount(bs, cluster_index, addend);
798 } else {
799 refcount = get_refcount(bs, cluster_index);
800 }
801
802 if (refcount < 0) {
803 ret = -EIO5;
804 goto fail;
805 }
806 }
807
808 if (refcount == 1) {
809 offset |= QCOW_OFLAG_COPIED(1LL << 63);
810 }
811 if (offset != old_offset) {
812 if (addend > 0) {
813 qcow2_cache_set_dependency(bs, s->l2_table_cache,
814 s->refcount_block_cache);
815 }
816 l2_table[j] = cpu_to_be64(offset);
817 qcow2_cache_entry_mark_dirty(s->l2_table_cache, l2_table);
818 }
819 }
820 }
821
822 ret = qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
823 if (ret < 0) {
824 goto fail;
825 }
826
827
828 if (addend != 0) {
829 refcount = update_cluster_refcount(bs, l2_offset >> s->cluster_bits, addend);
830 } else {
831 refcount = get_refcount(bs, l2_offset >> s->cluster_bits);
832 }
833 if (refcount < 0) {
834 ret = -EIO5;
835 goto fail;
836 } else if (refcount == 1) {
837 l2_offset |= QCOW_OFLAG_COPIED(1LL << 63);
838 }
839 if (l2_offset != old_l2_offset) {
840 l1_table[i] = l2_offset;
841 l1_modified = 1;
842 }
843 }
844 }
845
846 ret = 0;
847fail:
848 if (l2_table) {
849 qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
850 }
851
852 /* Update L1 only if it isn't deleted anyway (addend = -1) */
853 if (addend >= 0 && l1_modified) {
854 for(i = 0; i < l1_size; i++)
855 cpu_to_be64s(&l1_table[i]);
856 if (bdrv_pwrite_sync(bs->file, l1_table_offset, l1_table,
857 l1_size2) < 0)
858 goto fail;
859 for(i = 0; i < l1_size; i++)
860 be64_to_cpus(&l1_table[i]);
861 }
862 if (l1_allocated)
863 g_free(l1_table);
864 return ret;
865}
866
867
868
869
870/*********************************************************/
871/* refcount checking functions */
872
873
874
875/*
876 * Increases the refcount for a range of clusters in a given refcount table.
877 * This is used to construct a temporary refcount table out of L1 and L2 tables
878 * which can be compared the the refcount table saved in the image.
879 *
880 * Modifies the number of errors in res.
881 */
882static void inc_refcounts(BlockDriverState *bs,
883 BdrvCheckResult *res,
884 uint16_t *refcount_table,
885 int refcount_table_size,
886 int64_t offset, int64_t size)
887{
888 BDRVQcowState *s = bs->opaque;
889 int64_t start, last, cluster_offset;
890 int k;
891
892 if (size <= 0)
893 return;
894
895 start = offset & ~(s->cluster_size - 1);
896 last = (offset + size - 1) & ~(s->cluster_size - 1);
897 for(cluster_offset = start; cluster_offset <= last;
898 cluster_offset += s->cluster_size) {
899 k = cluster_offset >> s->cluster_bits;
900 if (k < 0) {
901 fprintf(stderrstderr, "ERROR: invalid cluster offset=0x%" PRIx64"l" "x" "\n",
902 cluster_offset);
903 res->corruptions++;
904 } else if (k >= refcount_table_size) {
905 fprintf(stderrstderr, "Warning: cluster offset=0x%" PRIx64"l" "x" " is after "
906 "the end of the image file, can't properly check refcounts.\n",
907 cluster_offset);
908 res->check_errors++;
909 } else {
910 if (++refcount_table[k] == 0) {
911 fprintf(stderrstderr, "ERROR: overflow cluster offset=0x%" PRIx64"l" "x"
912 "\n", cluster_offset);
913 res->corruptions++;
914 }
915 }
916 }
917}
918
919/*
920 * Increases the refcount in the given refcount table for the all clusters
921 * referenced in the L2 table. While doing so, performs some checks on L2
922 * entries.
923 *
924 * Returns the number of errors found by the checks or -errno if an internal
925 * error occurred.
926 */
927static int check_refcounts_l2(BlockDriverState *bs, BdrvCheckResult *res,
928 uint16_t *refcount_table, int refcount_table_size, int64_t l2_offset,
929 int check_copied)
930{
931 BDRVQcowState *s = bs->opaque;
932 uint64_t *l2_table, l2_entry;
933 int i, l2_size, nb_csectors, refcount;
934
935 /* Read L2 table from disk */
936 l2_size = s->l2_size * sizeof(uint64_t);
937 l2_table = g_malloc(l2_size);
938
939 if (bdrv_pread(bs->file, l2_offset, l2_table, l2_size) != l2_size)
940 goto fail;
941
942 /* Do the actual checks */
943 for(i = 0; i < s->l2_size; i++) {
944 l2_entry = be64_to_cpu(l2_table[i]);
945
946 switch (qcow2_get_cluster_type(l2_entry)) {
947 case QCOW2_CLUSTER_COMPRESSED:
948 /* Compressed clusters don't have QCOW_OFLAG_COPIED */
949 if (l2_entry & QCOW_OFLAG_COPIED(1LL << 63)) {
950 fprintf(stderrstderr, "ERROR: cluster %" PRId64"l" "d" ": "
951 "copied flag must never be set for compressed "
952 "clusters\n", l2_entry >> s->cluster_bits);
953 l2_entry &= ~QCOW_OFLAG_COPIED(1LL << 63);
954 res->corruptions++;
955 }
956
957 /* Mark cluster as used */
958 nb_csectors = ((l2_entry >> s->csize_shift) &
959 s->csize_mask) + 1;
960 l2_entry &= s->cluster_offset_mask;
961 inc_refcounts(bs, res, refcount_table, refcount_table_size,
962 l2_entry & ~511, nb_csectors * 512);
963 break;
964
965 case QCOW2_CLUSTER_ZERO:
966 if ((l2_entry & L2E_OFFSET_MASK0x00ffffffffffff00ULL) == 0) {
967 break;
968 }
969 /* fall through */
970
971 case QCOW2_CLUSTER_NORMAL:
972 {
973 /* QCOW_OFLAG_COPIED must be set if refcount == 1 */
974 uint64_t offset = l2_entry & L2E_OFFSET_MASK0x00ffffffffffff00ULL;
975
976 if (check_copied) {
977 refcount = get_refcount(bs, offset >> s->cluster_bits);
978 if (refcount < 0) {
979 fprintf(stderrstderr, "Can't get refcount for offset %"
980 PRIx64"l" "x" ": %s\n", l2_entry, strerror(-refcount));
981 goto fail;
982 }
983 if ((refcount == 1) != ((l2_entry & QCOW_OFLAG_COPIED(1LL << 63)) != 0)) {
984 fprintf(stderrstderr, "ERROR OFLAG_COPIED: offset=%"
985 PRIx64"l" "x" " refcount=%d\n", l2_entry, refcount);
986 res->corruptions++;
987 }
988 }
989
990 /* Mark cluster as used */
991 inc_refcounts(bs, res, refcount_table,refcount_table_size,
992 offset, s->cluster_size);
993
994 /* Correct offsets are cluster aligned */
995 if (offset & (s->cluster_size - 1)) {
996 fprintf(stderrstderr, "ERROR offset=%" PRIx64"l" "x" ": Cluster is not "
997 "properly aligned; L2 entry corrupted.\n", offset);
998 res->corruptions++;
999 }
1000 break;
1001 }
1002
1003 case QCOW2_CLUSTER_UNALLOCATED:
1004 break;
1005
1006 default:
1007 abort();
1008 }
1009 }
1010
1011 g_free(l2_table);
1012 return 0;
1013
1014fail:
1015 fprintf(stderrstderr, "ERROR: I/O error in check_refcounts_l2\n");
1016 g_free(l2_table);
1017 return -EIO5;
1018}
1019
1020/*
1021 * Increases the refcount for the L1 table, its L2 tables and all referenced
1022 * clusters in the given refcount table. While doing so, performs some checks
1023 * on L1 and L2 entries.
1024 *
1025 * Returns the number of errors found by the checks or -errno if an internal
1026 * error occurred.
1027 */
1028static int check_refcounts_l1(BlockDriverState *bs,
1029 BdrvCheckResult *res,
1030 uint16_t *refcount_table,
1031 int refcount_table_size,
1032 int64_t l1_table_offset, int l1_size,
1033 int check_copied)
1034{
1035 BDRVQcowState *s = bs->opaque;
1036 uint64_t *l1_table, l2_offset, l1_size2;
1037 int i, refcount, ret;
1038
1039 l1_size2 = l1_size * sizeof(uint64_t);
1040
1041 /* Mark L1 table as used */
1042 inc_refcounts(bs, res, refcount_table, refcount_table_size,
1043 l1_table_offset, l1_size2);
1044
1045 /* Read L1 table entries from disk */
1046 if (l1_size2 == 0) {
1047 l1_table = NULL((void*)0);
1048 } else {
1049 l1_table = g_malloc(l1_size2);
1050 if (bdrv_pread(bs->file, l1_table_offset,
1051 l1_table, l1_size2) != l1_size2)
1052 goto fail;
1053 for(i = 0;i < l1_size; i++)
1054 be64_to_cpus(&l1_table[i]);
1055 }
1056
1057 /* Do the actual checks */
1058 for(i = 0; i < l1_size; i++) {
1059 l2_offset = l1_table[i];
1060 if (l2_offset) {
1061 /* QCOW_OFLAG_COPIED must be set if refcount == 1 */
1062 if (check_copied) {
1063 refcount = get_refcount(bs, (l2_offset & ~QCOW_OFLAG_COPIED(1LL << 63))
1064 >> s->cluster_bits);
1065 if (refcount < 0) {
1066 fprintf(stderrstderr, "Can't get refcount for l2_offset %"
1067 PRIx64"l" "x" ": %s\n", l2_offset, strerror(-refcount));
1068 goto fail;
1069 }
1070 if ((refcount == 1) != ((l2_offset & QCOW_OFLAG_COPIED(1LL << 63)) != 0)) {
1071 fprintf(stderrstderr, "ERROR OFLAG_COPIED: l2_offset=%" PRIx64"l" "x"
1072 " refcount=%d\n", l2_offset, refcount);
1073 res->corruptions++;
1074 }
1075 }
1076
1077 /* Mark L2 table as used */
1078 l2_offset &= L1E_OFFSET_MASK0x00ffffffffffff00ULL;
1079 inc_refcounts(bs, res, refcount_table, refcount_table_size,
1080 l2_offset, s->cluster_size);
1081
1082 /* L2 tables are cluster aligned */
1083 if (l2_offset & (s->cluster_size - 1)) {
1084 fprintf(stderrstderr, "ERROR l2_offset=%" PRIx64"l" "x" ": Table is not "
1085 "cluster aligned; L1 entry corrupted\n", l2_offset);
1086 res->corruptions++;
1087 }
1088
1089 /* Process and check L2 entries */
1090 ret = check_refcounts_l2(bs, res, refcount_table,
1091 refcount_table_size, l2_offset, check_copied);
1092 if (ret < 0) {
1093 goto fail;
1094 }
1095 }
1096 }
1097 g_free(l1_table);
1098 return 0;
1099
1100fail:
1101 fprintf(stderrstderr, "ERROR: I/O error in check_refcounts_l1\n");
1102 res->check_errors++;
1103 g_free(l1_table);
1104 return -EIO5;
1105}
1106
1107/*
1108 * Checks an image for refcount consistency.
1109 *
1110 * Returns 0 if no errors are found, the number of errors in case the image is
1111 * detected as corrupted, and -errno when an internal error occurred.
1112 */
1113int qcow2_check_refcounts(BlockDriverState *bs, BdrvCheckResult *res,
1114 BdrvCheckMode fix)
1115{
1116 BDRVQcowState *s = bs->opaque;
1117 int64_t size, i;
1118 int nb_clusters, refcount1, refcount2;
1119 QCowSnapshot *sn;
1120 uint16_t *refcount_table;
1121 int ret;
1122
1123 size = bdrv_getlength(bs->file);
1124 nb_clusters = size_to_clusters(s, size);
1125 refcount_table = g_malloc0(nb_clusters * sizeof(uint16_t));
1126
1127 /* header */
1128 inc_refcounts(bs, res, refcount_table, nb_clusters,
1129 0, s->cluster_size);
1130
1131 /* current L1 table */
1132 ret = check_refcounts_l1(bs, res, refcount_table, nb_clusters,
1133 s->l1_table_offset, s->l1_size, 1);
1134 if (ret < 0) {
1135 goto fail;
1136 }
1137
1138 /* snapshots */
1139 for(i = 0; i < s->nb_snapshots; i++) {
1140 sn = s->snapshots + i;
1141 ret = check_refcounts_l1(bs, res, refcount_table, nb_clusters,
1142 sn->l1_table_offset, sn->l1_size, 0);
1143 if (ret < 0) {
1144 goto fail;
1145 }
1146 }
1147 inc_refcounts(bs, res, refcount_table, nb_clusters,
1148 s->snapshots_offset, s->snapshots_size);
1149
1150 /* refcount data */
1151 inc_refcounts(bs, res, refcount_table, nb_clusters,
1152 s->refcount_table_offset,
1153 s->refcount_table_size * sizeof(uint64_t));
1154
1155 for(i = 0; i < s->refcount_table_size; i++) {
1156 uint64_t offset, cluster;
1157 offset = s->refcount_table[i];
1158 cluster = offset >> s->cluster_bits;
1159
1160 /* Refcount blocks are cluster aligned */
1161 if (offset & (s->cluster_size - 1)) {
1162 fprintf(stderrstderr, "ERROR refcount block %" PRId64"l" "d" " is not "
1163 "cluster aligned; refcount table entry corrupted\n", i);
1164 res->corruptions++;
1165 continue;
1166 }
1167
1168 if (cluster >= nb_clusters) {
1169 fprintf(stderrstderr, "ERROR refcount block %" PRId64"l" "d"
1170 " is outside image\n", i);
1171 res->corruptions++;
1172 continue;
1173 }
1174
1175 if (offset != 0) {
1176 inc_refcounts(bs, res, refcount_table, nb_clusters,
1177 offset, s->cluster_size);
1178 if (refcount_table[cluster] != 1) {
1179 fprintf(stderrstderr, "ERROR refcount block %" PRId64"l" "d"
1180 " refcount=%d\n",
1181 i, refcount_table[cluster]);
1182 res->corruptions++;
1183 }
1184 }
1185 }
1186
1187 /* compare ref counts */
1188 for(i = 0; i < nb_clusters; i++) {
1189 refcount1 = get_refcount(bs, i);
1190 if (refcount1 < 0) {
1191 fprintf(stderrstderr, "Can't get refcount for cluster %" PRId64"l" "d" ": %s\n",
1192 i, strerror(-refcount1));
1193 res->check_errors++;
1194 continue;
1195 }
1196
1197 refcount2 = refcount_table[i];
1198 if (refcount1 != refcount2) {
1199
1200 /* Check if we're allowed to fix the mismatch */
1201 int *num_fixed = NULL((void*)0);
1202 if (refcount1 > refcount2 && (fix & BDRV_FIX_LEAKS)) {
1203 num_fixed = &res->leaks_fixed;
1204 } else if (refcount1 < refcount2 && (fix & BDRV_FIX_ERRORS)) {
1205 num_fixed = &res->corruptions_fixed;
1206 }
1207
1208 fprintf(stderrstderr, "%s cluster %" PRId64"l" "d" " refcount=%d reference=%d\n",
1209 num_fixed != NULL((void*)0) ? "Repairing" :
1210 refcount1 < refcount2 ? "ERROR" :
1211 "Leaked",
1212 i, refcount1, refcount2);
1213
1214 if (num_fixed) {
1215 ret = update_refcount(bs, i << s->cluster_bits, 1,
1216 refcount2 - refcount1);
1217 if (ret >= 0) {
1218 (*num_fixed)++;
1219 continue;
1220 }
1221 }
1222
1223 /* And if we couldn't, print an error */
1224 if (refcount1 < refcount2) {
1225 res->corruptions++;
1226 } else {
1227 res->leaks++;
1228 }
1229 }
1230 }
1231
1232 ret = 0;
1233
1234fail:
1235 g_free(refcount_table);
1236
1237 return ret;
1238}
1239