From: Kevin Wolf <kwolf@redhat.com>
To: Fiona Ebner <f.ebner@proxmox.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org,
qemu-stable@nongnu.org, hreitz@redhat.com, fam@euphon.net,
stefanha@redhat.com, t.lamprecht@proxmox.com,
w.bumiller@proxmox.com
Subject: Re: [PATCH v3 2/4] block-backend: fix edge case in bdrv_next() where BDS associated to BB changes
Date: Tue, 26 Mar 2024 13:44:01 +0100 [thread overview]
Message-ID: <ZgLDEdmI0rBcJcGh@redhat.com> (raw)
In-Reply-To: <20240322095009.346989-3-f.ebner@proxmox.com>
Am 22.03.2024 um 10:50 hat Fiona Ebner geschrieben:
> The old_bs variable in bdrv_next() is currently determined by looking
> at the old block backend. However, if the block graph changes before
> the next bdrv_next() call, it might be that the associated BDS is not
> the same that was referenced previously. In that case, the wrong BDS
> is unreferenced, leading to an assertion failure later:
>
> > bdrv_unref: Assertion `bs->refcnt > 0' failed.
Your change makes sense, but in theory it shouldn't make a difference.
The real bug is in the caller, you can't allow graph modifications while
iterating the list of nodes. Even if it doesn't crash (like after your
patch), you don't have any guarantee that you will have seen every node
that exists that the end - and maybe not even that you don't get the
same node twice.
> In particular, this can happen in the context of bdrv_flush_all(),
> when polling for bdrv_co_flush() in the generated co-wrapper leads to
> a graph change (for example with a stream block job [0]).
The whole locking around this case is a bit tricky and would deserve
some cleanup.
The basic rule for bdrv_next() callers is that they need to hold the
graph reader lock as long as they are iterating the graph, otherwise
it's not safe. This implies that the ref/unref pairs in it should never
make a difference either - which is important, because at least
releasing the last reference is forbidden while holding the graph lock.
I intended to remove the ref/unref for bdrv_next(), but I didn't because
I realised that the callers need to be audited first that they really
obey the rules. You found one that would be problematic.
The thing that bdrv_flush_all() gets wrong is that it promises to follow
the graph lock rules with GRAPH_RDLOCK_GUARD_MAINLOOP(), but then calls
something that polls. The compiler can't catch this because bdrv_flush()
is a co_wrapper_mixed_bdrv_rdlock. The behaviour for these functions is:
- If called outside of coroutine context, they are GRAPH_UNLOCKED
- If called in coroutine context, they are GRAPH_RDLOCK
We should probably try harder to get rid of the mixed functions, because
a synchronous co_wrapper_bdrv_rdlock could actually be marked
GRAPH_UNLOCKED in the code and then the compiler could catch this case.
The fix for bdrv_flush_all() is probably to make it bdrv_co_flush_all()
with a coroutine wrapper so that the graph lock is held for the whole
function. Then calling bdrv_co_flush() while iterating the list is safe
and doesn't allow concurrent graph modifications.
Kevin
next prev parent reply other threads:[~2024-03-26 12:44 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-22 9:50 [PATCH v3 0/4] fix two edge cases related to stream block jobs Fiona Ebner
2024-03-22 9:50 ` [PATCH v3 1/4] block/io: accept NULL qiov in bdrv_pad_request Fiona Ebner
2024-03-25 19:56 ` Stefan Hajnoczi
2024-03-22 9:50 ` [PATCH v3 2/4] block-backend: fix edge case in bdrv_next() where BDS associated to BB changes Fiona Ebner
2024-03-25 20:06 ` Stefan Hajnoczi
2024-03-26 12:44 ` Kevin Wolf [this message]
2024-06-03 14:17 ` Fiona Ebner
2024-06-03 16:21 ` Kevin Wolf
2024-06-04 7:58 ` Fiona Ebner
2024-06-04 15:28 ` Kevin Wolf
2024-06-05 14:14 ` Fiona Ebner
2024-03-22 9:50 ` [PATCH v3 3/4] block-backend: fix edge case in bdrv_next_cleanup() " Fiona Ebner
2024-03-25 20:07 ` Stefan Hajnoczi
2024-03-22 9:50 ` [PATCH v3 4/4] iotests: add test for stream job with an unaligned prefetch read Fiona Ebner
2024-03-25 20:09 ` Stefan Hajnoczi
2024-03-25 20:11 ` [PATCH v3 0/4] fix two edge cases related to stream block jobs Stefan Hajnoczi
2024-03-26 12:53 ` Kevin Wolf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZgLDEdmI0rBcJcGh@redhat.com \
--to=kwolf@redhat.com \
--cc=f.ebner@proxmox.com \
--cc=fam@euphon.net \
--cc=hreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=stefanha@redhat.com \
--cc=t.lamprecht@proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).