From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL 25/29] dma-helpers: prevent dma_blk_cb() vs dma_aio_cancel() race
Date: Thu, 23 Feb 2023 19:51:42 +0100 [thread overview]
Message-ID: <20230223185146.306454-26-kwolf@redhat.com> (raw)
In-Reply-To: <20230223185146.306454-1-kwolf@redhat.com>
From: Stefan Hajnoczi <stefanha@redhat.com>
dma_blk_cb() only takes the AioContext lock around ->io_func(). That
means the rest of dma_blk_cb() is not protected. In particular, the
DMAAIOCB field accesses happen outside the lock.
There is a race when the main loop thread holds the AioContext lock and
invokes scsi_device_purge_requests() -> bdrv_aio_cancel() ->
dma_aio_cancel() while an IOThread executes dma_blk_cb(). The dbs->acb
field determines how cancellation proceeds. If dma_aio_cancel() sees
dbs->acb == NULL while dma_blk_cb() is still running, the request can be
completed twice (-ECANCELED and the actual return value).
The following assertion can occur with virtio-scsi when an IOThread is
used:
../hw/scsi/scsi-disk.c:368: scsi_dma_complete: Assertion `r->req.aiocb != NULL' failed.
Fix the race by holding the AioContext across dma_blk_cb(). Now
dma_aio_cancel() under the AioContext lock will not see
inconsistent/intermediate states.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20230221212218.1378734-3-stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
hw/scsi/scsi-disk.c | 4 +---
softmmu/dma-helpers.c | 12 +++++++-----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index 115584f8b9..97c9b1c8cd 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -354,13 +354,12 @@ done:
scsi_req_unref(&r->req);
}
+/* Called with AioContext lock held */
static void scsi_dma_complete(void *opaque, int ret)
{
SCSIDiskReq *r = (SCSIDiskReq *)opaque;
SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
- aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
-
assert(r->req.aiocb != NULL);
r->req.aiocb = NULL;
@@ -370,7 +369,6 @@ static void scsi_dma_complete(void *opaque, int ret)
block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
}
scsi_dma_complete_noio(r, ret);
- aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
}
static void scsi_read_complete_noio(SCSIDiskReq *r, int ret)
diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
index 7820fec54c..2463964805 100644
--- a/softmmu/dma-helpers.c
+++ b/softmmu/dma-helpers.c
@@ -113,17 +113,19 @@ static void dma_complete(DMAAIOCB *dbs, int ret)
static void dma_blk_cb(void *opaque, int ret)
{
DMAAIOCB *dbs = (DMAAIOCB *)opaque;
+ AioContext *ctx = dbs->ctx;
dma_addr_t cur_addr, cur_len;
void *mem;
trace_dma_blk_cb(dbs, ret);
+ aio_context_acquire(ctx);
dbs->acb = NULL;
dbs->offset += dbs->iov.size;
if (dbs->sg_cur_index == dbs->sg->nsg || ret < 0) {
dma_complete(dbs, ret);
- return;
+ goto out;
}
dma_blk_unmap(dbs);
@@ -164,9 +166,9 @@ static void dma_blk_cb(void *opaque, int ret)
if (dbs->iov.size == 0) {
trace_dma_map_wait(dbs);
- dbs->bh = aio_bh_new(dbs->ctx, reschedule_dma, dbs);
+ dbs->bh = aio_bh_new(ctx, reschedule_dma, dbs);
cpu_register_map_client(dbs->bh);
- return;
+ goto out;
}
if (!QEMU_IS_ALIGNED(dbs->iov.size, dbs->align)) {
@@ -174,11 +176,11 @@ static void dma_blk_cb(void *opaque, int ret)
QEMU_ALIGN_DOWN(dbs->iov.size, dbs->align));
}
- aio_context_acquire(dbs->ctx);
dbs->acb = dbs->io_func(dbs->offset, &dbs->iov,
dma_blk_cb, dbs, dbs->io_func_opaque);
- aio_context_release(dbs->ctx);
assert(dbs->acb);
+out:
+ aio_context_release(ctx);
}
static void dma_aio_cancel(BlockAIOCB *acb)
--
2.39.2
next prev parent reply other threads:[~2023-02-23 18:53 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-23 18:51 [PULL 00/29] Block layer patches Kevin Wolf
2023-02-23 18:51 ` [PULL 01/29] block: Make bdrv_can_set_read_only() static Kevin Wolf
2023-02-23 18:51 ` [PULL 02/29] mirror: Fix access of uninitialised fields during start Kevin Wolf
2023-02-23 18:51 ` [PULL 03/29] block: Mark bdrv_co_truncate() and callers GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 04/29] block: Mark bdrv_co_block_status() " Kevin Wolf
2023-02-23 18:51 ` [PULL 05/29] block: Mark bdrv_co_ioctl() " Kevin Wolf
2023-02-23 18:51 ` [PULL 06/29] block/qed: add missing graph rdlock in qed_need_check_timer_entry Kevin Wolf
2023-02-23 18:51 ` [PULL 07/29] block: Mark bdrv_co_flush() and callers GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 08/29] block: Mark bdrv_co_pdiscard() " Kevin Wolf
2023-02-23 18:51 ` [PULL 09/29] block: Mark bdrv_co_pwrite_zeroes() " Kevin Wolf
2023-02-23 18:51 ` [PULL 10/29] block: Mark read/write in block/io.c GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 11/29] block: Mark public read/write functions GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 12/29] block: Mark bdrv_co_pwrite_sync() and callers GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 13/29] block: Mark bdrv_co_do_pwrite_zeroes() GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 14/29] block: Mark bdrv_co_copy_range() GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 15/29] block: Mark preadv_snapshot/snapshot_block_status GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 16/29] block: Mark bdrv_co_create() and callers GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 17/29] block: Mark bdrv_co_io_(un)plug() " Kevin Wolf
2023-02-23 18:51 ` [PULL 18/29] block: Mark bdrv_co_is_inserted() " Kevin Wolf
2023-02-23 18:51 ` [PULL 19/29] block: Mark bdrv_co_eject/lock_medium() " Kevin Wolf
2023-02-23 18:51 ` [PULL 20/29] block: Mark bdrv_(un)register_buf() GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 21/29] block: Mark bdrv_co_delete_file() and callers GRAPH_RDLOCK Kevin Wolf
2023-02-23 18:51 ` [PULL 22/29] block: Mark bdrv_*_dirty_bitmap() " Kevin Wolf
2023-02-23 18:51 ` [PULL 23/29] block: Mark bdrv_co_refresh_total_sectors() " Kevin Wolf
2023-02-23 18:51 ` [PULL 24/29] scsi: protect req->aiocb with AioContext lock Kevin Wolf
2023-02-23 18:51 ` Kevin Wolf [this message]
2023-02-23 18:51 ` [PULL 26/29] virtio-scsi: reset SCSI devices from main loop thread Kevin Wolf
2023-02-23 18:51 ` [PULL 27/29] block/rbd: Remove redundant stack variable passphrase_len Kevin Wolf
2023-02-23 18:51 ` [PULL 28/29] block/rbd: Add luks-any encryption opening option Kevin Wolf
2023-02-23 18:51 ` [PULL 29/29] block/rbd: Add support for layered encryption Kevin Wolf
2023-02-24 18:50 ` [PULL 00/29] Block layer patches Peter Maydell
2023-02-24 21:35 ` Philippe Mathieu-Daudé
2023-02-27 9:12 ` Thomas Huth
2023-02-27 11:22 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230223185146.306454-26-kwolf@redhat.com \
--to=kwolf@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).