From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:48481)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1YXNd9-0006c6-Vf
	for qemu-devel@nongnu.org; Mon, 16 Mar 2015 01:32:01 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1YXNd6-0003cN-Oh
	for qemu-devel@nongnu.org; Mon, 16 Mar 2015 01:31:59 -0400
Received: from mx1.redhat.com ([209.132.183.28]:54366)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1YXNd6-0003cB-JG
	for qemu-devel@nongnu.org; Mon, 16 Mar 2015 01:31:56 -0400
Received: from int-mx09.intmail.prod.int.phx2.redhat.com
	(int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22])
	by mx1.redhat.com (Postfix) with ESMTPS id 6C9C68EFC1
	for <qemu-devel@nongnu.org>; Mon, 16 Mar 2015 05:31:55 +0000 (UTC)
From: Fam Zheng <famz@redhat.com>
Date: Mon, 16 Mar 2015 13:31:46 +0800
Message-Id: <1426483910-24597-1-git-send-email-famz@redhat.com>
Subject: [Qemu-devel] [PATCH v3 0/4] exec: Make bounce buffer thread safe
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>

v3: Address Paolo's comments:
    Use atomic_xchg for bounce buffer.
    Use mutex and BH for map_client_list.

The global bounce buffer used for non-direct memory access is not thread-safe:

 1) Access to "bounce" is not atomic.

 2) Access to "map_client_list" is not atomic.

 3) In dma_blk_cb, there is a race condition between:

        mem = dma_memory_map(...
    and
        cpu_register_map_client(...

    Bounce may become available after dma_memory_map failed but before
    cpu_register_map_client is called.

 4) The reschedule_dma is not in the right AioContext;
    continue_after_map_failure called from other threads will race with
    dma_aio_cancel.

This series fixes these issues respectively.


Fam Zheng (4):
  exec: Atomic access to bounce buffer
  exec: Protect map_client_list with mutex
  exec: Notify cpu_register_map_client caller if the bounce buffer is
    available
  dma-helpers: Fix race condition of continue_after_map_failure and
    dma_aio_cancel

 dma-helpers.c             | 17 +++++------
 exec.c                    | 77 ++++++++++++++++++++++++++++++++---------------
 include/exec/cpu-common.h |  3 +-
 3 files changed, 62 insertions(+), 35 deletions(-)

-- 
1.9.3