* [PATCH 0/4] Clean up TSAN warnings
@ 2025-12-13 0:12 Marc Morcos
2025-12-13 0:12 ` [PATCH 1/4] apic: Resize APICBASE Marc Morcos
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Marc Morcos @ 2025-12-13 0:12 UTC (permalink / raw)
To: maintainer_email_from_script; +Cc: cc_list_from_script, qemu-devel, Marc Morcos
When running several tests with tsan, thread races were detected when reading certain variables. This should allieviate the problem.
Additionally, the apicbase member of APICCommonState has been updated to 64 bit to reflect its 36 bit contents.
Marc Morcos (4):
apic: Resize APICBASE
thread-pool: Fix thread race
qmp: Fix thread race
apic: Make apicbase accesses atomic to fix data race
hw/i386/kvm/apic.c | 12 ++++++++----
hw/intc/apic_common.c | 24 ++++++++++++++----------
include/hw/i386/apic_internal.h | 2 +-
monitor/monitor.c | 11 ++++++++++-
monitor/qmp.c | 6 ++++--
util/thread-pool.c | 30 ++++++++++++++++--------------
6 files changed, 53 insertions(+), 32 deletions(-)
--
2.52.0.239.gd5f0c6e74e-goog
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/4] apic: Resize APICBASE
2025-12-13 0:12 [PATCH 0/4] Clean up TSAN warnings Marc Morcos
@ 2025-12-13 0:12 ` Marc Morcos
2025-12-13 0:12 ` [PATCH 2/4] thread-pool: Fix thread race Marc Morcos
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Marc Morcos @ 2025-12-13 0:12 UTC (permalink / raw)
To: maintainer_email_from_script; +Cc: cc_list_from_script, qemu-devel, Marc Morcos
APICBASE is 36-bits wide, so this commit resizes it to hold the full data.
Signed-off-by: Marc Morcos <marcmorcos@google.com>
---
hw/intc/apic_common.c | 4 ++--
include/hw/i386/apic_internal.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
index ec9e978b0b..1e9aba2e48 100644
--- a/hw/intc/apic_common.c
+++ b/hw/intc/apic_common.c
@@ -233,7 +233,7 @@ static void apic_reset_common(DeviceState *dev)
{
APICCommonState *s = APIC_COMMON(dev);
APICCommonClass *info = APIC_COMMON_GET_CLASS(s);
- uint32_t bsp;
+ uint64_t bsp;
bsp = s->apicbase & MSR_IA32_APICBASE_BSP;
s->apicbase = APIC_DEFAULT_ADDRESS | bsp | MSR_IA32_APICBASE_ENABLE;
@@ -363,7 +363,7 @@ static const VMStateDescription vmstate_apic_common = {
.post_load = apic_dispatch_post_load,
.priority = MIG_PRI_APIC,
.fields = (const VMStateField[]) {
- VMSTATE_UINT32(apicbase, APICCommonState),
+ VMSTATE_UINT64(apicbase, APICCommonState),
VMSTATE_UINT8(id, APICCommonState),
VMSTATE_UINT8(arb_id, APICCommonState),
VMSTATE_UINT8(tpr, APICCommonState),
diff --git a/include/hw/i386/apic_internal.h b/include/hw/i386/apic_internal.h
index 4a62fdceb4..c7ee65ce1d 100644
--- a/include/hw/i386/apic_internal.h
+++ b/include/hw/i386/apic_internal.h
@@ -158,7 +158,7 @@ struct APICCommonState {
MemoryRegion io_memory;
X86CPU *cpu;
- uint32_t apicbase;
+ uint64_t apicbase;
uint8_t id; /* legacy APIC ID */
uint32_t initial_apic_id;
uint8_t version;
--
2.52.0.239.gd5f0c6e74e-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/4] thread-pool: Fix thread race
2025-12-13 0:12 [PATCH 0/4] Clean up TSAN warnings Marc Morcos
2025-12-13 0:12 ` [PATCH 1/4] apic: Resize APICBASE Marc Morcos
@ 2025-12-13 0:12 ` Marc Morcos
2025-12-13 0:12 ` [PATCH 3/4] qmp: " Marc Morcos
2025-12-13 0:12 ` [PATCH 4/4] apic: Make apicbase accesses atomic to fix data race Marc Morcos
3 siblings, 0 replies; 6+ messages in thread
From: Marc Morcos @ 2025-12-13 0:12 UTC (permalink / raw)
To: maintainer_email_from_script; +Cc: cc_list_from_script, qemu-devel, Marc Morcos
Fix a data race occurred between `worker_thread()` writing and
`thread_pool_completion_bh()` reading shared data in `util/thread-pool.c`.
Signed-off-by: Marc Morcos <marcmorcos@google.com>
---
util/thread-pool.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/util/thread-pool.c b/util/thread-pool.c
index d2ead6b728..1ced3bd371 100644
--- a/util/thread-pool.c
+++ b/util/thread-pool.c
@@ -18,6 +18,7 @@
#include "qemu/defer-call.h"
#include "qemu/queue.h"
#include "qemu/thread.h"
+#include "qemu/atomic.h"
#include "qemu/coroutine.h"
#include "trace.h"
#include "block/thread-pool.h"
@@ -39,9 +40,13 @@ struct ThreadPoolElementAio {
ThreadPoolFunc *func;
void *arg;
- /* Moving state out of THREAD_QUEUED is protected by lock. After
- * that, only the worker thread can write to it. Reads and writes
- * of state and ret are ordered with memory barriers.
+ /*
+ * Accessed with atomics. Moving state out of THREAD_QUEUED is
+ * protected by pool->lock and only the worker thread can move
+ * the state from THREAD_ACTIVE to THREAD_DONE.
+ *
+ * When state is THREAD_DONE, ret must have been written already.
+ * Use acquire/release ordering when reading/writing ret as well.
*/
enum ThreadState state;
int ret;
@@ -105,15 +110,14 @@ static void *worker_thread(void *opaque)
req = QTAILQ_FIRST(&pool->request_list);
QTAILQ_REMOVE(&pool->request_list, req, reqs);
- req->state = THREAD_ACTIVE;
+ qatomic_set(&req->state, THREAD_ACTIVE);
qemu_mutex_unlock(&pool->lock);
ret = req->func(req->arg);
req->ret = ret;
- /* Write ret before state. */
- smp_wmb();
- req->state = THREAD_DONE;
+ /* _release to write ret before state. */
+ qatomic_store_release(&req->state, THREAD_DONE);
qemu_bh_schedule(pool->completion_bh);
qemu_mutex_lock(&pool->lock);
@@ -180,7 +184,8 @@ static void thread_pool_completion_bh(void *opaque)
restart:
QLIST_FOREACH_SAFE(elem, &pool->head, all, next) {
- if (elem->state != THREAD_DONE) {
+ /* _acquire to read state before ret. */
+ if (qatomic_load_acquire(&elem->state) != THREAD_DONE) {
continue;
}
@@ -189,9 +194,6 @@ restart:
QLIST_REMOVE(elem, all);
if (elem->common.cb) {
- /* Read state before ret. */
- smp_rmb();
-
/* Schedule ourselves in case elem->common.cb() calls aio_poll() to
* wait for another request that completed at the same time.
*/
@@ -223,12 +225,12 @@ static void thread_pool_cancel(BlockAIOCB *acb)
trace_thread_pool_cancel_aio(elem, elem->common.opaque);
QEMU_LOCK_GUARD(&pool->lock);
- if (elem->state == THREAD_QUEUED) {
+ if (qatomic_read(&elem->state) == THREAD_QUEUED) {
QTAILQ_REMOVE(&pool->request_list, elem, reqs);
qemu_bh_schedule(pool->completion_bh);
- elem->state = THREAD_DONE;
- elem->ret = -ECANCELED;
+ qatomic_set(&elem->ret, -ECANCELED);
+ qatomic_store_release(&elem->state, THREAD_DONE);
}
}
--
2.52.0.239.gd5f0c6e74e-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/4] qmp: Fix thread race
2025-12-13 0:12 [PATCH 0/4] Clean up TSAN warnings Marc Morcos
2025-12-13 0:12 ` [PATCH 1/4] apic: Resize APICBASE Marc Morcos
2025-12-13 0:12 ` [PATCH 2/4] thread-pool: Fix thread race Marc Morcos
@ 2025-12-13 0:12 ` Marc Morcos
2025-12-13 0:12 ` [PATCH 4/4] apic: Make apicbase accesses atomic to fix data race Marc Morcos
3 siblings, 0 replies; 6+ messages in thread
From: Marc Morcos @ 2025-12-13 0:12 UTC (permalink / raw)
To: maintainer_email_from_script; +Cc: cc_list_from_script, qemu-devel, Marc Morcos
This fixes a thread race involving the monitor in monitor_qmp_event and monitor_qapi_event_emit .
Signed-off-by: Marc Morcos <marcmorcos@google.com>
---
monitor/monitor.c | 11 ++++++++++-
monitor/qmp.c | 6 ++++--
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/monitor/monitor.c b/monitor/monitor.c
index c5a5d30877..4bfd72939d 100644
--- a/monitor/monitor.c
+++ b/monitor/monitor.c
@@ -338,6 +338,7 @@ static void monitor_qapi_event_emit(QAPIEvent event, QDict *qdict)
{
Monitor *mon;
MonitorQMP *qmp_mon;
+ bool do_send = false;
trace_monitor_protocol_event_emit(event, qdict);
QTAILQ_FOREACH(mon, &mon_list, entry) {
@@ -346,7 +347,15 @@ static void monitor_qapi_event_emit(QAPIEvent event, QDict *qdict)
}
qmp_mon = container_of(mon, MonitorQMP, common);
- if (qmp_mon->commands != &qmp_cap_negotiation_commands) {
+ do_send = false;
+
+ WITH_QEMU_LOCK_GUARD(&mon->mon_lock) {
+ if (qmp_mon->commands != &qmp_cap_negotiation_commands) {
+ do_send = true;
+ }
+ }
+
+ if (do_send) {
qmp_send_response(qmp_mon, qdict);
}
}
diff --git a/monitor/qmp.c b/monitor/qmp.c
index cb99a12d94..e1419a9efa 100644
--- a/monitor/qmp.c
+++ b/monitor/qmp.c
@@ -462,8 +462,10 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
switch (event) {
case CHR_EVENT_OPENED:
- mon->commands = &qmp_cap_negotiation_commands;
- monitor_qmp_caps_reset(mon);
+ WITH_QEMU_LOCK_GUARD(&mon->common.mon_lock) {
+ mon->commands = &qmp_cap_negotiation_commands;
+ monitor_qmp_caps_reset(mon);
+ }
data = qmp_greeting(mon);
qmp_send_response(mon, data);
qobject_unref(data);
--
2.52.0.239.gd5f0c6e74e-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 4/4] apic: Make apicbase accesses atomic to fix data race
2025-12-13 0:12 [PATCH 0/4] Clean up TSAN warnings Marc Morcos
` (2 preceding siblings ...)
2025-12-13 0:12 ` [PATCH 3/4] qmp: " Marc Morcos
@ 2025-12-13 0:12 ` Marc Morcos
3 siblings, 0 replies; 6+ messages in thread
From: Marc Morcos @ 2025-12-13 0:12 UTC (permalink / raw)
To: maintainer_email_from_script; +Cc: cc_list_from_script, qemu-devel, Marc Morcos
A data race on APICCommonState->apicbase was detected by ThreadSanitizer.
To resolve this race, direct accesses to s->apicbase are converted
to use the appropriate qatomic_*__nocheck() atomic operations. This
ensures that reads and writes are properly ordered and visible across threads.
This patch depends on the previous commit changing the type of `apicbase`
to `uint64_t`.
The race was identified by the following TSAN report:
==================
WARNING: ThreadSanitizer: data race
Read of size 8 at ... by main thread:
#0 cpu_is_apic_enabled hw/intc/apic_common.c:75:15
...
#15 main_loop_wait util/main-loop.c:600:5
...
Previous write of size 8 at ... by thread T7 'CPU 0/KVM':
#0 kvm_apic_set_base hw/i386/kvm/apic.c:101:17
#1 cpu_set_apic_base hw/intc/apic_common.c:47:16
#2 kvm_arch_post_run target/i386/kvm/kvm.c:5621:5
#3 kvm_cpu_exec accel/kvm/kvm-all.c:3229:17
#4 kvm_vcpu_thread_fn accel/kvm/kvm-accel-ops.c:51:17
...
SUMMARY: ThreadSanitizer: data race hw/intc/apic_common.c:75:15 in cpu_is_apic_enabled
==================
Signed-off-by: Marc Morcos <marcmorcos@google.com>
---
hw/i386/kvm/apic.c | 12 ++++++++----
hw/intc/apic_common.c | 20 ++++++++++++--------
2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/hw/i386/kvm/apic.c b/hw/i386/kvm/apic.c
index 82355f0463..b9b03c529f 100644
--- a/hw/i386/kvm/apic.c
+++ b/hw/i386/kvm/apic.c
@@ -34,9 +34,10 @@ static inline uint32_t kvm_apic_get_reg(struct kvm_lapic_state *kapic,
static void kvm_put_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
{
int i;
+ uint64_t apicbase = qatomic_read__nocheck(&s->apicbase);
memset(kapic, 0, sizeof(*kapic));
- if (kvm_has_x2apic_api() && s->apicbase & MSR_IA32_APICBASE_EXTD) {
+ if (kvm_has_x2apic_api() && apicbase & MSR_IA32_APICBASE_EXTD) {
kvm_apic_set_reg(kapic, 0x2, s->initial_apic_id);
} else {
kvm_apic_set_reg(kapic, 0x2, s->id << 24);
@@ -63,8 +64,9 @@ static void kvm_put_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic
void kvm_get_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
{
int i, v;
+ uint64_t apicbase = qatomic_read__nocheck(&s->apicbase);
- if (kvm_has_x2apic_api() && s->apicbase & MSR_IA32_APICBASE_EXTD) {
+ if (kvm_has_x2apic_api() && apicbase & MSR_IA32_APICBASE_EXTD) {
assert(kvm_apic_get_reg(kapic, 0x2) == s->initial_apic_id);
} else {
s->id = kvm_apic_get_reg(kapic, 0x2) >> 24;
@@ -97,7 +99,7 @@ void kvm_get_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
static int kvm_apic_set_base(APICCommonState *s, uint64_t val)
{
- s->apicbase = val;
+ qatomic_set__nocheck(&s->apicbase, val);
return 0;
}
@@ -140,12 +142,14 @@ static void kvm_apic_put(CPUState *cs, run_on_cpu_data data)
APICCommonState *s = data.host_ptr;
struct kvm_lapic_state kapic;
int ret;
+ uint64_t apicbase;
if (is_tdx_vm()) {
return;
}
- kvm_put_apicbase(s->cpu, s->apicbase);
+ apicbase = qatomic_read__nocheck(&s->apicbase);
+ kvm_put_apicbase(s->cpu, apicbase);
kvm_put_apic_state(s, &kapic);
ret = kvm_vcpu_ioctl(CPU(s->cpu), KVM_SET_LAPIC, &kapic);
diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
index 1e9aba2e48..9e42189d8a 100644
--- a/hw/intc/apic_common.c
+++ b/hw/intc/apic_common.c
@@ -19,6 +19,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/atomic.h"
#include "qemu/error-report.h"
#include "qemu/module.h"
#include "qapi/error.h"
@@ -52,8 +53,9 @@ int cpu_set_apic_base(APICCommonState *s, uint64_t val)
uint64_t cpu_get_apic_base(APICCommonState *s)
{
if (s) {
- trace_cpu_get_apic_base((uint64_t)s->apicbase);
- return s->apicbase;
+ uint64_t apicbase = qatomic_read__nocheck(&s->apicbase);
+ trace_cpu_get_apic_base(apicbase);
+ return apicbase;
} else {
trace_cpu_get_apic_base(MSR_IA32_APICBASE_BSP);
return MSR_IA32_APICBASE_BSP;
@@ -66,7 +68,7 @@ bool cpu_is_apic_enabled(APICCommonState *s)
return false;
}
- return s->apicbase & MSR_IA32_APICBASE_ENABLE;
+ return qatomic_read__nocheck(&s->apicbase) & MSR_IA32_APICBASE_ENABLE;
}
void cpu_set_apic_tpr(APICCommonState *s, uint8_t val)
@@ -223,9 +225,9 @@ void apic_designate_bsp(APICCommonState *s, bool bsp)
}
if (bsp) {
- s->apicbase |= MSR_IA32_APICBASE_BSP;
+ qatomic_fetch_or(&s->apicbase, MSR_IA32_APICBASE_BSP);
} else {
- s->apicbase &= ~MSR_IA32_APICBASE_BSP;
+ qatomic_fetch_and(&s->apicbase, ~MSR_IA32_APICBASE_BSP);
}
}
@@ -235,8 +237,9 @@ static void apic_reset_common(DeviceState *dev)
APICCommonClass *info = APIC_COMMON_GET_CLASS(s);
uint64_t bsp;
- bsp = s->apicbase & MSR_IA32_APICBASE_BSP;
- s->apicbase = APIC_DEFAULT_ADDRESS | bsp | MSR_IA32_APICBASE_ENABLE;
+ bsp = qatomic_read__nocheck(&s->apicbase) & MSR_IA32_APICBASE_BSP;
+ qatomic_set__nocheck(&s->apicbase,
+ APIC_DEFAULT_ADDRESS | bsp | MSR_IA32_APICBASE_ENABLE);
s->id = s->initial_apic_id;
kvm_reset_irq_delivered();
@@ -405,7 +408,8 @@ static void apic_common_get_id(Object *obj, Visitor *v, const char *name,
APICCommonState *s = APIC_COMMON(obj);
uint32_t value;
- value = s->apicbase & MSR_IA32_APICBASE_EXTD ? s->initial_apic_id : s->id;
+ value = qatomic_read__nocheck(&s->apicbase) & MSR_IA32_APICBASE_EXTD ?
+ s->initial_apic_id : s->id;
visit_type_uint32(v, name, &value, errp);
}
--
2.52.0.239.gd5f0c6e74e-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/4] qmp: Fix thread race
2025-12-13 0:14 [PATCH 0/4] Clean up TSAN warnings Marc Morcos
@ 2025-12-13 0:14 ` Marc Morcos
0 siblings, 0 replies; 6+ messages in thread
From: Marc Morcos @ 2025-12-13 0:14 UTC (permalink / raw)
To: Paolo Bonzini, Richard Henderson, Eduardo Habkost,
Dr . David Alan Gilbert
Cc: Michael S . Tsirkin, Marcel Apfelbaum, Markus Armbruster,
Marcelo Tosatti, qemu-devel, kvm, Marc Morcos
This fixes a thread race involving the monitor in monitor_qmp_event and monitor_qapi_event_emit .
Signed-off-by: Marc Morcos <marcmorcos@google.com>
---
monitor/monitor.c | 11 ++++++++++-
monitor/qmp.c | 6 ++++--
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/monitor/monitor.c b/monitor/monitor.c
index c5a5d30877..4bfd72939d 100644
--- a/monitor/monitor.c
+++ b/monitor/monitor.c
@@ -338,6 +338,7 @@ static void monitor_qapi_event_emit(QAPIEvent event, QDict *qdict)
{
Monitor *mon;
MonitorQMP *qmp_mon;
+ bool do_send = false;
trace_monitor_protocol_event_emit(event, qdict);
QTAILQ_FOREACH(mon, &mon_list, entry) {
@@ -346,7 +347,15 @@ static void monitor_qapi_event_emit(QAPIEvent event, QDict *qdict)
}
qmp_mon = container_of(mon, MonitorQMP, common);
- if (qmp_mon->commands != &qmp_cap_negotiation_commands) {
+ do_send = false;
+
+ WITH_QEMU_LOCK_GUARD(&mon->mon_lock) {
+ if (qmp_mon->commands != &qmp_cap_negotiation_commands) {
+ do_send = true;
+ }
+ }
+
+ if (do_send) {
qmp_send_response(qmp_mon, qdict);
}
}
diff --git a/monitor/qmp.c b/monitor/qmp.c
index cb99a12d94..e1419a9efa 100644
--- a/monitor/qmp.c
+++ b/monitor/qmp.c
@@ -462,8 +462,10 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
switch (event) {
case CHR_EVENT_OPENED:
- mon->commands = &qmp_cap_negotiation_commands;
- monitor_qmp_caps_reset(mon);
+ WITH_QEMU_LOCK_GUARD(&mon->common.mon_lock) {
+ mon->commands = &qmp_cap_negotiation_commands;
+ monitor_qmp_caps_reset(mon);
+ }
data = qmp_greeting(mon);
qmp_send_response(mon, data);
qobject_unref(data);
--
2.52.0.239.gd5f0c6e74e-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-12-13 0:15 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-13 0:12 [PATCH 0/4] Clean up TSAN warnings Marc Morcos
2025-12-13 0:12 ` [PATCH 1/4] apic: Resize APICBASE Marc Morcos
2025-12-13 0:12 ` [PATCH 2/4] thread-pool: Fix thread race Marc Morcos
2025-12-13 0:12 ` [PATCH 3/4] qmp: " Marc Morcos
2025-12-13 0:12 ` [PATCH 4/4] apic: Make apicbase accesses atomic to fix data race Marc Morcos
-- strict thread matches above, loose matches on Subject: below --
2025-12-13 0:14 [PATCH 0/4] Clean up TSAN warnings Marc Morcos
2025-12-13 0:14 ` [PATCH 3/4] qmp: Fix thread race Marc Morcos
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).