On 28.06.20 13:02, Alberto Garcia wrote: > This patch adds QCow2SubclusterType, which is the subcluster-level > version of QCow2ClusterType. All QCOW2_SUBCLUSTER_* values have the > the same meaning as their QCOW2_CLUSTER_* equivalents (when they > exist). See below for details and caveats. > > In images without extended L2 entries clusters are treated as having > exactly one subcluster so it is possible to replace one data type with > the other while keeping the exact same semantics. > > With extended L2 entries there are new possible values, and every > subcluster in the same cluster can obviously have a different > QCow2SubclusterType so functions need to be adapted to work on the > subcluster level. > > There are several things that have to be taken into account: > > a) QCOW2_SUBCLUSTER_COMPRESSED means that the whole cluster is > compressed. We do not support compression at the subcluster > level. > > b) There are two different values for unallocated subclusters: > QCOW2_SUBCLUSTER_UNALLOCATED_PLAIN which means that the whole > cluster is unallocated, and QCOW2_SUBCLUSTER_UNALLOCATED_ALLOC > which means that the cluster is allocated but the subcluster is > not. The latter can only happen in images with extended L2 > entries. > > c) QCOW2_SUBCLUSTER_INVALID is used to detect the cases where an L2 > entry has a value that violates the specification. The caller is > responsible for handling these situations. > > To prevent compatibility problems with images that have invalid > values but are currently being read by QEMU without causing side > effects, QCOW2_SUBCLUSTER_INVALID is only returned for images > with extended L2 entries. > > qcow2_cluster_to_subcluster_type() is added as a separate function > from qcow2_get_subcluster_type(), but this is only temporary and both > will be merged in a subsequent patch. > > Signed-off-by: Alberto Garcia > Reviewed-by: Eric Blake > --- > block/qcow2.h | 126 +++++++++++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 125 insertions(+), 1 deletion(-) > > diff --git a/block/qcow2.h b/block/qcow2.h > index 82b86f6cec..3aec6f452a 100644 > --- a/block/qcow2.h > +++ b/block/qcow2.h [...] > @@ -634,9 +686,11 @@ static inline int64_t qcow2_vm_state_offset(BDRVQcow2State *s) > static inline QCow2ClusterType qcow2_get_cluster_type(BlockDriverState *bs, > uint64_t l2_entry) > { > + BDRVQcow2State *s = bs->opaque; > + > if (l2_entry & QCOW_OFLAG_COMPRESSED) { > return QCOW2_CLUSTER_COMPRESSED; > - } else if (l2_entry & QCOW_OFLAG_ZERO) { > + } else if ((l2_entry & QCOW_OFLAG_ZERO) && !has_subclusters(s)) { OK, so now qcow2_get_cluster_type() reports zero clusters to be normal or unallocated clusters when there are subclusters. Seems weird to me, because zero clusters are invalid clusters then. I preferred just reporting them as zero clusters and letting the caller deal with it, because it does mean an error in the image and so it should be reported. So... > if (l2_entry & L2E_OFFSET_MASK) { > return QCOW2_CLUSTER_ZERO_ALLOC; > } [...] > +/* > + * In an image without subsclusters @l2_bitmap is ignored and > + * @sc_index must be 0. > + * Return QCOW2_SUBCLUSTER_INVALID if an invalid l2 entry is detected > + * (this checks the whole entry and bitmap, not only the bits related > + * to subcluster @sc_index). > + */ > +static inline > +QCow2SubclusterType qcow2_get_subcluster_type(BlockDriverState *bs, > + uint64_t l2_entry, > + uint64_t l2_bitmap, > + unsigned sc_index) > +{ > + BDRVQcow2State *s = bs->opaque; > + QCow2ClusterType type = qcow2_get_cluster_type(bs, l2_entry); > + assert(sc_index < s->subclusters_per_cluster); > + > + if (has_subclusters(s)) { > + switch (type) { > + case QCOW2_CLUSTER_COMPRESSED: > + return QCOW2_SUBCLUSTER_COMPRESSED; > + case QCOW2_CLUSTER_NORMAL: > + if ((l2_bitmap >> 32) & l2_bitmap) { > + return QCOW2_SUBCLUSTER_INVALID; > + } else if (l2_bitmap & QCOW_OFLAG_SUB_ZERO(sc_index)) { > + return QCOW2_SUBCLUSTER_ZERO_ALLOC; > + } else if (l2_bitmap & QCOW_OFLAG_SUB_ALLOC(sc_index)) { > + return QCOW2_SUBCLUSTER_NORMAL; > + } else { > + return QCOW2_SUBCLUSTER_UNALLOCATED_ALLOC; > + } > + case QCOW2_CLUSTER_UNALLOCATED: > + if (l2_bitmap & QCOW_L2_BITMAP_ALL_ALLOC) { > + return QCOW2_SUBCLUSTER_INVALID; > + } else if (l2_bitmap & QCOW_OFLAG_SUB_ZERO(sc_index)) { > + return QCOW2_SUBCLUSTER_ZERO_PLAIN; > + } else { > + return QCOW2_SUBCLUSTER_UNALLOCATED_PLAIN; > + } ...consequentially, this function no longer reports clusters which have the zero flag set as invalid (which it did in v4, when I last looked at it). I see this was a conscious choice of yours in v5. I don’t really see the justification for it, though. As far as I can understand, you seem to argue that no corruption detection is better than incomplete corruption detection, and that a complete and thorough detection would warrant its own series, do I understand that correctly? Max > + default: > + g_assert_not_reached(); > + } > + } else { > + return qcow2_cluster_to_subcluster_type(type); > + } > +} > + > /* Check whether refcounts are eager or lazy */ > static inline bool qcow2_need_accurate_refcounts(BDRVQcow2State *s) > { >