qemu-devel

Re: [Qemu-devel] [PATCH] Disk image shared and exclusive locks.


From: Kevin Wolf
Subject: Re: [Qemu-devel] [PATCH] Disk image shared and exclusive locks.
Date: Tue, 08 Dec 2009 10:48:17 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4pre) Gecko/20091014 Fedora/3.0-2.8.b4.fc11 Thunderbird/3.0b4

On 07.12.2009 15:31, Richard W.M. Jones wrote:
> On Mon, Dec 07, 2009 at 08:22:24AM -0600, Anthony Liguori wrote:
>> Richard W.M. Jones wrote:
>>> On Mon, Dec 07, 2009 at 07:39:11AM -0600, Anthony Liguori wrote:
>>>   
>>>> Richard W.M. Jones wrote:
>>>>     
>>>>> Also if we only acquire the lock during the commit operation then
>>>>> we'll end up with disk corruption.
>>>>>       
>>>> Why do we end up with disk corruption?
>>>>     
>>>
>>> Forget about locking for a minute, I don't think this is safe
>>> currently.  If you have two VMs set up like:
>>>
>>>   qemu-img create -b backing.img foo.img
>>>   qemu-img create -b backing.img bar.img
>>>
>>>   qemu -drive file=foo.img     # VM1
>>>   qemu -drive file=bar.img     # VM2
>>>
>>> If VM1 does a commit to the backing image, then VM2 may be caching (in
>>> its kernel memory) bits of the old backing image, and will
>>> subsequently fetch bits of the new backing image, so it'll see a
>>> mixture of old and new data.  How is VM2 supposed to cope with this?
>>> It sounds like massive disk corruption to me ...
>>>   
>>
>> Yes, this will cause corruption.  Implementing locking in the fashion  
>> I've previously described will prevent 'commit' from being run (since  
>> you can't upgrade the lock since someone else is holding a read-lock).
> 
> So to be clear, the use case is that all the other VMs must be shut
> down, then the VM which wants to commit will upgrade its lock and
> commit, and then all the other VMs will restart?  I agree this should
> avoid corruption, although it sounds like something which is fairly
> unlikely to be done in practice.

I can't see how the file system of VM2 could possibly survive if VM1
commits its changes. Even if VM2 or even both VMs are shut down while
we're corrupting the base image.

Basically, you must not commit to a backing file unless your COW file is
the only user of this backing file.

Kevin
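
The rule above, as an added example that is not part of the original message or of QEMU: a Python check that reads the backing-file reference from each qcow/qcow2 header in one directory and treats a commit as safe only when a single overlay names that base. The function names, the constructed header stubs and the one-directory scope are assumptions; overlays stored elsewhere are not seen by this check.

```python
import os
import struct
import tempfile

QCOW_MAGIC = b"QFI\xfb"  # qcow and qcow2 share the magic and first 20 header bytes

def backing_file(path):
    """Return the backing file name recorded in a qcow/qcow2 header, or None."""
    with open(path, "rb") as f:
        header = f.read(20)
        if len(header) < 20 or header[:4] != QCOW_MAGIC:
            return None  # raw image, or not an image at all
        _version, offset, size = struct.unpack(">IQI", header[4:])
        if offset == 0 or size == 0:
            return None  # standalone image, no backing file
        f.seek(offset)
        return f.read(size).decode("utf-8", "replace")

def users_of(base, directory):
    """Real paths of images in `directory` whose header names `base`.
    A relative backing name is resolved against the overlay's directory."""
    users = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        ref = backing_file(path) if os.path.isfile(path) else None
        if ref and os.path.realpath(os.path.join(directory, ref)) == os.path.realpath(base):
            users.append(os.path.realpath(path))
    return users

def commit_is_safe(overlay, directory):
    """True only if `overlay` is the sole image in `directory` using its base."""
    ref = backing_file(overlay)
    if ref is None:
        return False  # no backing file, nothing to commit into
    base = os.path.join(os.path.dirname(overlay), ref)
    return users_of(base, directory) == [os.path.realpath(overlay)]

def make_stub(path, backing_name):
    """Constructed sample: a 72-byte header stub plus name, not a usable image."""
    name = backing_name.encode()
    with open(path, "wb") as f:
        f.write(QCOW_MAGIC + struct.pack(">IQI", 2, 72, len(name)) + b"\0" * 52 + name)

def demo():
    d = tempfile.mkdtemp()  # constructed layout: foo.img and bar.img on backing.img
    foo, bar = (os.path.join(d, n) for n in ("foo.img", "bar.img"))
    for path in (foo, bar):
        make_stub(path, "backing.img")
    shared = commit_is_safe(foo, d)  # bar.img still depends on the base
    os.remove(bar)
    return shared, commit_is_safe(foo, d)  # foo.img is now the only user
```

With both overlays present the check refuses the commit whether or not either VM is running, which is the case a lock held only by live processes does not cover.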
