From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54363)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1YXQw8-0003BB-18
	for qemu-devel@nongnu.org; Mon, 16 Mar 2015 05:03:48 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1YXQw2-0000Mh-92
	for qemu-devel@nongnu.org; Mon, 16 Mar 2015 05:03:47 -0400
Received: from mx1.redhat.com ([209.132.183.28]:49183)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1YXQw2-0000Mb-1o
	for qemu-devel@nongnu.org; Mon, 16 Mar 2015 05:03:42 -0400
Received: from int-mx11.intmail.prod.int.phx2.redhat.com
	(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
	by mx1.redhat.com (Postfix) with ESMTPS id 6BAF98EFD8
	for <qemu-devel@nongnu.org>; Mon, 16 Mar 2015 09:03:41 +0000 (UTC)
From: Fam Zheng <famz@redhat.com>
Date: Mon, 16 Mar 2015 17:03:32 +0800
Message-Id: <1426496617-10702-1-git-send-email-famz@redhat.com>
Subject: [Qemu-devel] [PATCH v4 0/5] exec: Make bounce buffer thread safe
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>

v4: Remove smp_mb() in patch 1.
    Remove two cpu_exec_init_all() calls.
    Rename cpu_notify_map_clients_unlocked -> cpu_notify_map_clients_locked.
    Add Paolo's rev-by in patch 5.

v3: Address Paolo's comments:
    Use atomic_xchg for bounce buffer.
    Use mutex and BH for map_client_list.

The global bounce buffer used for non-direct memory access is not thread-safe:

 1) Access to "bounce" is not atomic.

 2) Access to "map_client_list" is not atomic.

 3) In dma_blk_cb, there is a race condition between:

        mem = dma_memory_map(...
    and
        cpu_register_map_client(...

    Bounce may become available after dma_memory_map failed but before
    cpu_register_map_client is called.

 4) The reschedule_dma is not in the right AioContext;
    continue_after_map_failure called from other threads will race with
    dma_aio_cancel.

This series fixes these issues respectively.

Fam Zheng (5):
  exec: Atomic access to bounce buffer
  linux-user, bsd-user: Remove two calls to cpu_exec_init_all
  exec: Protect map_client_list with mutex
  exec: Notify cpu_register_map_client caller if the bounce buffer is
    available
  dma-helpers: Fix race condition of continue_after_map_failure and
    dma_aio_cancel

 bsd-user/main.c           |  1 -
 dma-helpers.c             | 17 +++++------
 exec.c                    | 76 +++++++++++++++++++++++++++++++----------------
 include/exec/cpu-common.h |  3 +-
 linux-user/main.c         |  1 -
 5 files changed, 61 insertions(+), 37 deletions(-)

-- 
1.9.3