From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:35692) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QzULX-0000w3-FB for qemu-devel@nongnu.org; Fri, 02 Sep 2011 10:03:52 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QzULW-0000hm-FW for qemu-devel@nongnu.org; Fri, 02 Sep 2011 10:03:51 -0400 Received: from mail-yx0-f173.google.com ([209.85.213.173]:61048) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QzULW-0000hh-D4 for qemu-devel@nongnu.org; Fri, 02 Sep 2011 10:03:50 -0400 Received: by yxt3 with SMTP id 3so1302351yxt.4 for ; Fri, 02 Sep 2011 07:03:49 -0700 (PDT) Message-ID: <4E60E243.8070303@codemonkey.ws> Date: Fri, 02 Sep 2011 09:03:47 -0500 From: Anthony Liguori MIME-Version: 1.0 References: <20110901163545.71ba1515@doriath> <4E6032AB.8080804@codemonkey.ws> <4E60DC77.5020300@redhat.com> In-Reply-To: <4E60DC77.5020300@redhat.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH] monitor: Protect outbuf from concurrent access List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Gerd Hoffmann Cc: Marian Krcmarik , Alon Levy , qemu-devel , spice-devel , Luiz Capitulino On 09/02/2011 08:39 AM, Gerd Hoffmann wrote: > Hi, > >>> After some investigation, I found out that the problem is that different >>> SPICE threads are calling monitor functions (such as >>> monitor_protocol_event()) in parallel which causes concurrent access >>> to the monitor's internal buffer outbuf[]. > > [ adding spice-list to Cc, see qemu-devel for the rest of the thread ] > > spice isn't supposed to do that. > > /me just added a assert in channel_event() and saw it trigger in display > channel disconnects. > > #0 0x0000003ceba32a45 in raise () from /lib64/libc.so.6 > #1 0x0000003ceba34225 in abort () from /lib64/libc.so.6 > #2 0x0000003ceba2b9d5 in __assert_fail () from /lib64/libc.so.6 > #3 0x0000000000503759 in channel_event (event=3, info=0x35e9340) > at /home/kraxel/projects/qemu/ui/spice-core.c:223 > #4 0x00007f9a77a9921b in reds_channel_event (s=0x35e92c0) at reds.c:400 > #5 reds_stream_free (s=0x35e92c0) at reds.c:4981 > #6 0x00007f9a77aac8b0 in red_disconnect_channel (channel=0x7f9a24069a80) > at red_worker.c:8489 > #7 0x00007f9a77ab53a8 in handle_dev_input (listener=0x7f9a3211ab20, > events=) > at red_worker.c:10062 > #8 0x00007f9a77ab436d in red_worker_main (arg=) at > red_worker.c:10304 > #9 0x0000003cec2077e1 in start_thread () from /lib64/libpthread.so.0 > #10 0x0000003cebae68ed in clone () from /lib64/libc.so.6 > > IMHO spice server should handle the display channel tear-down in the > dispatcher instead of the worker thread. Alon? > >>> Anyways, this commit fixes the problem at hand. > > Not really. channel_event() itself isn't thread-safe too, it does > unlocked list operations which can also blow up when called from > different threads. > > A patch like the attached (warning: untested) should do as quick&dirty > fix for stable. But IMO we really should fix spice instead. Spice should not be calling *any* QEMU code without holding the global mutex. That includes all of the QObject interactions. Regards, Anthony Liguori > > cheers, > Gerd >