From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
yaozhenguo <yaozhenguo1@gmail.com>,
yaozhenguo <yaozhenguo@jd.com>,
Stefano Garzarella <sgarzare@redhat.com>
Subject: [PULL 34/65] virtio/vhost-user: fix qemu abort when hotunplug vhost-user-net device
Date: Mon, 4 Nov 2024 16:07:49 -0500 [thread overview]
Message-ID: <963b02764537c66af88b82bd297c375b147e0756.1730754238.git.mst@redhat.com> (raw)
In-Reply-To: <cover.1730754238.git.mst@redhat.com>
From: yaozhenguo <yaozhenguo1@gmail.com>
During the hot-unplugging of vhost-user-net type network cards,
the vhost_user_cleanup function may add the same rcu node to
the rcu linked list. The function call in this case is as follows:
vhost_user_cleanup
->vhost_user_host_notifier_remove
->call_rcu(n, vhost_user_host_notifier_free, rcu);
->g_free_rcu(n, rcu);
When this happens, QEMU will abort in try_dequeue:
if (head == &dummy && qatomic_mb_read(&tail) == &dummy.next) {
abort();
}
backtrace is as follows:
0 __pthread_kill_implementation () at /usr/lib64/libc.so.6
1 raise () at /usr/lib64/libc.so.6
2 abort () at /usr/lib64/libc.so.6
3 try_dequeue () at ../util/rcu.c:235
4 call_rcu_thread (0) at ../util/rcu.c:288
5 qemu_thread_start (0) at ../util/qemu-thread-posix.c:541
6 start_thread () at /usr/lib64/libc.so.6
7 clone3 () at /usr/lib64/libc.so.6
The reason for the abort is that adding two identical nodes to
the rcu linked list will cause the rcu linked list to become a ring,
but when the dummy node is added after the two identical nodes,
the ring is opened. But only one node is added to list with
rcu_call_count added twice. This will cause rcu try_dequeue abort.
This happens when n->addr != 0. In some scenarios, this does happen.
For example, this situation will occur when using a 32-queue DPU
vhost-user-net type network card for hot-unplug testing, because
VhostUserHostNotifier->addr will be cleared during the processing of
VHOST_USER_BACKEND_VRING_HOST_NOTIFIER_MSG. However,it is asynchronous,
so we cannot guarantee that VhostUserHostNotifier->addr is zero in
vhost_user_cleanup. Therefore, it is necessary to merge g_free_rcu
and vhost_user_host_notifier_free into one rcu node.
Fixes: 503e355465 ("virtio/vhost-user: dynamically assign VhostUserHostNotifiers")
Signed-off-by: yaozhenguo <yaozhenguo@jd.com>
Message-Id: <20241011102913.45582-1-yaozhenguo@jd.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
include/hw/virtio/vhost-user.h | 1 +
hw/virtio/vhost-user.c | 46 +++++++++++++++++++---------------
2 files changed, 27 insertions(+), 20 deletions(-)
diff --git a/include/hw/virtio/vhost-user.h b/include/hw/virtio/vhost-user.h
index 324cd8663a..9a3f238b43 100644
--- a/include/hw/virtio/vhost-user.h
+++ b/include/hw/virtio/vhost-user.h
@@ -54,6 +54,7 @@ typedef struct VhostUserHostNotifier {
void *addr;
void *unmap_addr;
int idx;
+ bool destroy;
} VhostUserHostNotifier;
/**
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 00561daa06..d1b0893b4d 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -1185,9 +1185,16 @@ static int vhost_user_set_vring_num(struct vhost_dev *dev,
static void vhost_user_host_notifier_free(VhostUserHostNotifier *n)
{
- assert(n && n->unmap_addr);
- munmap(n->unmap_addr, qemu_real_host_page_size());
- n->unmap_addr = NULL;
+ if (n->unmap_addr) {
+ munmap(n->unmap_addr, qemu_real_host_page_size());
+ n->unmap_addr = NULL;
+ }
+ if (n->destroy) {
+ memory_region_transaction_begin();
+ object_unparent(OBJECT(&n->mr));
+ memory_region_transaction_commit();
+ g_free(n);
+ }
}
/*
@@ -1195,17 +1202,28 @@ static void vhost_user_host_notifier_free(VhostUserHostNotifier *n)
* under rcu.
*/
static void vhost_user_host_notifier_remove(VhostUserHostNotifier *n,
- VirtIODevice *vdev)
+ VirtIODevice *vdev, bool destroy)
{
+ /*
+ * if destroy == false and n->addr == NULL, we have nothing to do.
+ * so, just return.
+ */
+ if (!n || (!destroy && !n->addr)) {
+ return;
+ }
+
if (n->addr) {
if (vdev) {
+ memory_region_transaction_begin();
virtio_queue_set_host_notifier_mr(vdev, n->idx, &n->mr, false);
+ memory_region_transaction_commit();
}
assert(!n->unmap_addr);
n->unmap_addr = n->addr;
n->addr = NULL;
- call_rcu(n, vhost_user_host_notifier_free, rcu);
}
+ n->destroy = destroy;
+ call_rcu(n, vhost_user_host_notifier_free, rcu);
}
static int vhost_user_set_vring_base(struct vhost_dev *dev,
@@ -1279,9 +1297,7 @@ static int vhost_user_get_vring_base(struct vhost_dev *dev,
struct vhost_user *u = dev->opaque;
VhostUserHostNotifier *n = fetch_notifier(u->user, ring->index);
- if (n) {
- vhost_user_host_notifier_remove(n, dev->vdev);
- }
+ vhost_user_host_notifier_remove(n, dev->vdev, false);
ret = vhost_user_write(dev, &msg, NULL, 0);
if (ret < 0) {
@@ -1562,7 +1578,7 @@ static int vhost_user_backend_handle_vring_host_notifier(struct vhost_dev *dev,
* new mapped address.
*/
n = fetch_or_create_notifier(user, queue_idx);
- vhost_user_host_notifier_remove(n, vdev);
+ vhost_user_host_notifier_remove(n, vdev, false);
if (area->u64 & VHOST_USER_VRING_NOFD_MASK) {
return 0;
@@ -2736,15 +2752,7 @@ static int vhost_user_set_inflight_fd(struct vhost_dev *dev,
static void vhost_user_state_destroy(gpointer data)
{
VhostUserHostNotifier *n = (VhostUserHostNotifier *) data;
- if (n) {
- vhost_user_host_notifier_remove(n, NULL);
- object_unparent(OBJECT(&n->mr));
- /*
- * We can't free until vhost_user_host_notifier_remove has
- * done it's thing so schedule the free with RCU.
- */
- g_free_rcu(n, rcu);
- }
+ vhost_user_host_notifier_remove(n, NULL, true);
}
bool vhost_user_init(VhostUserState *user, CharBackend *chr, Error **errp)
@@ -2765,9 +2773,7 @@ void vhost_user_cleanup(VhostUserState *user)
if (!user->chr) {
return;
}
- memory_region_transaction_begin();
user->notifiers = (GPtrArray *) g_ptr_array_free(user->notifiers, true);
- memory_region_transaction_commit();
user->chr = NULL;
}
--
MST
next prev parent reply other threads:[~2024-11-04 21:09 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-04 21:05 [PULL 00/65] virtio,pc,pci: features, fixes, cleanups Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 01/65] softmmu: Expand comments describing max_bounce_buffer_size Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 02/65] docs: fix vhost-user protocol doc Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 03/65] hw/acpi: Fix ordering of BDF in Generic Initiator PCI Device Handle Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 04/65] hw/acpi/GI: Fix trivial parameter alignment issue Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 05/65] hw/acpi: Move AML building code for Generic Initiators to aml_build.c Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 06/65] hw/acpi: Rename build_all_acpi_generic_initiators() to build_acpi_generic_initiator() Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 07/65] hw/pci: Add a busnr property to pci_props and use for acpi/gi Michael S. Tsirkin
2024-11-04 21:05 ` [PULL 08/65] acpi/pci: Move Generic Initiator object handling into acpi/pci.* Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 09/65] hw/pci-bridge: Add acpi_uid property to TYPE_PXB_BUS Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 10/65] hw/i386/acpi: Use TYPE_PXB_BUS property acpi_uid for DSDT Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 11/65] hw/pci-host/gpex-acpi: Use acpi_uid property Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 12/65] hw/acpi: Generic Port Affinity Structure support Michael S. Tsirkin
2024-11-05 9:06 ` Daniel P. Berrangé
2024-11-06 7:20 ` Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 13/65] hw/acpi: Make storage of node id uint32_t to reduce fragility Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 14/65] hw/acpi: Generic Initiator - add missing object class property descriptions Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 15/65] hw/pci-bridge/cxl_root_port: Provide x-speed and x-width properties Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 16/65] hw/pci-bridge/cxl_upstream: " Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 17/65] hw/pcie: Factor out PCI Express link register filling common to EP Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 18/65] hw/pcie: Provide a utility function for control of EP / SW USP link Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 19/65] hw/mem/cxl-type3: Add properties to control link speed and width Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 20/65] hw/pci-bridge/cxl-upstream: " Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 21/65] qdev-monitor: add option to report GenericError from find_device_state Michael S. Tsirkin
2024-11-04 21:06 ` [PULL 22/65] vhost-user-blk: split vhost_user_blk_sync_config() Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 23/65] qapi: introduce device-sync-config Michael S. Tsirkin
2024-11-05 9:10 ` Daniel P. Berrangé
2024-11-06 7:19 ` Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 24/65] acpi/disassemle-aml.sh: fix up after dir reorg Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 25/65] tests/acpi: pc: allow DSDT acpi table changes Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 26/65] hw/i386/acpi-build: return a non-var package from _PRT() Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 27/65] tests/acpi: pc: update golden masters for DSDT Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 28/65] amd_iommu: Rename variable mmio to mr_mmio Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 29/65] amd_iommu: Add support for pass though mode Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 30/65] amd_iommu: Use shared memory region for Interrupt Remapping Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 31/65] amd_iommu: Send notification when invalidate interrupt entry cache Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 32/65] amd_iommu: Check APIC ID > 255 for XTSup Michael S. Tsirkin
2024-11-10 11:06 ` Phil Dennis-Jordan
2024-11-11 5:39 ` Shukla, Santosh
2024-11-13 10:53 ` Phil Dennis-Jordan
2024-11-04 21:07 ` [PULL 33/65] virtio-pci: fix memory_region_find for VirtIOPCIRegion's MR Michael S. Tsirkin
2024-11-04 21:07 ` Michael S. Tsirkin [this message]
2024-11-04 21:07 ` [PULL 35/65] hw/cxl: Fix uint32 overflow cxl-mailbox-utils.c Michael S. Tsirkin
2024-11-04 21:07 ` [PULL 36/65] hw/cxl: Fix background completion percentage calculation Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 37/65] mem/cxl_type3: Fix overlapping region validation error Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 38/65] hw/mem/cxl_type3: Fix More flag setting for dynamic capacity event records Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 39/65] hw/cxl/cxl-mailbox-utils: Fix for device DDR5 ECS control feature tables Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 40/65] hw/cxl: Fix indent of structure member Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 41/65] hw/pci-bridge: Make pxb_dev_realize_common() return if it succeeded Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 42/65] vhost-user: fix shared object return values Michael S. Tsirkin
2024-11-04 21:24 ` Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 44/65] pcie: enable Extended tag field support Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 45/65] cxl/cxl-mailbox-utils: Fix size check for cmd_firmware_update_get_info Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 46/65] hw/cxl/cxl-mailbox-util: Fix output buffer index update when retrieving DC extents Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 47/65] hw/cxl: Check size of input data to dynamic capacity mailbox commands Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 48/65] hw/cxl: Check input includes at least the header in cmd_features_set_feature() Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 49/65] hw/cxl: Check input length is large enough in cmd_events_clear_records() Michael S. Tsirkin
2024-11-04 21:08 ` [PULL 50/65] hw/cxl: Check enough data in cmd_firmware_update_transfer() Michael S. Tsirkin
2024-11-04 21:23 ` Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 53/65] hw/cxl: Ensuring enough data to read parameters in cmd_tunnel_management_cmd() Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 54/65] hw/cxl: Check that writes do not go beyond end of target attributes Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 55/65] hw/cxl: Ensure there is enough data for the header in cmd_ccls_set_lsa() Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 56/65] hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 57/65] hw/pci: Add parenthesis to PCI_BUILD_BDF macro Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 58/65] hw/acpi: Make CPUs ACPI `presence` conditional during vCPU hot-unplug Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 59/65] qtest: allow ACPI DSDT Table changes Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 60/65] hw/acpi: Update ACPI `_STA` method with QOM vCPU ACPI Hotplug states Michael S. Tsirkin
2024-11-05 12:50 ` Igor Mammedov
2024-11-05 21:12 ` Salil Mehta via
2024-11-06 9:00 ` Igor Mammedov
2024-11-06 10:34 ` Salil Mehta via
2024-11-04 21:09 ` [PULL 61/65] tests/qtest/bios-tables-test: Update DSDT golden masters for x86/{pc,q35} Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 62/65] hw/acpi: Update GED with vCPU Hotplug VMSD for migration Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 63/65] intel_iommu: Send IQE event when setting reserved bit in IQT_TAIL Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 64/65] intel_iommu: Add missed sanity check for 256-bit invalidation queue Michael S. Tsirkin
2024-11-04 21:09 ` [PULL 65/65] intel_iommu: Add missed reserved bit check for IEC descriptor Michael S. Tsirkin
2024-11-04 21:23 ` [PULL 51/65] hw/cxl: Check the length of data requested fits in get_log() Michael S. Tsirkin
2024-11-04 21:23 ` [PULL 52/65] hw/cxl: Avoid accesses beyond the end of cel_log Michael S. Tsirkin
2024-11-04 21:24 ` [PULL 43/65] intel_iommu: Introduce property "stale-tm" to control Transient Mapping (TM) field Michael S. Tsirkin
2024-11-05 21:26 ` [PULL 00/65] virtio,pc,pci: features, fixes, cleanups Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=963b02764537c66af88b82bd297c375b147e0756.1730754238.git.mst@redhat.com \
--to=mst@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=sgarzare@redhat.com \
--cc=yaozhenguo1@gmail.com \
--cc=yaozhenguo@jd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).