mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
abfcd2760b
qemu/softmmu
History
Stefan Hajnoczi abfcd2760b dma-helpers: prevent dma_blk_cb() vs dma_aio_cancel() race 
dma_blk_cb() only takes the AioContext lock around ->io_func(). That
means the rest of dma_blk_cb() is not protected. In particular, the
DMAAIOCB field accesses happen outside the lock.

There is a race when the main loop thread holds the AioContext lock and
invokes scsi_device_purge_requests() -> bdrv_aio_cancel() ->
dma_aio_cancel() while an IOThread executes dma_blk_cb(). The dbs->acb
field determines how cancellation proceeds. If dma_aio_cancel() sees
dbs->acb == NULL while dma_blk_cb() is still running, the request can be
completed twice (-ECANCELED and the actual return value).

The following assertion can occur with virtio-scsi when an IOThread is
used:

  ../hw/scsi/scsi-disk.c:368: scsi_dma_complete: Assertion `r->req.aiocb != NULL' failed.

Fix the race by holding the AioContext across dma_blk_cb(). Now
dma_aio_cancel() under the AioContext lock will not see
inconsistent/intermediate states.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20230221212218.1378734-3-stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2023-02-23 19:49:35 +01:00
..
arch_init.c softmmu: Add qemu_init_arch_modules() 2022-03-06 13:15:42 +01:00
balloon.c qapi: Restrict balloon-related commands to machine code 2020-09-29 15:41:35 +02:00
bootdevice.c machine: use QAPI struct for boot configuration 2022-05-12 12:29:43 +02:00
cpu-throttle.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
cpu-timers.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
cpus.c include/block: Untangle inclusion loops 2023-01-20 07:24:28 +01:00
datadir.c meson: Prefix each element of firmware path 2022-07-13 16:58:57 +02:00
device_tree.c device-tree: add re-randomization helper function 2022-10-27 11:34:31 +01:00
dirtylimit.c Drop duplicate #include 2023-02-08 07:28:05 +01:00
dma-helpers.c dma-helpers: prevent dma_blk_cb() vs dma_aio_cancel() race 2023-02-23 19:49:35 +01:00
globals.c ui: Switch "-display sdl" to use the QAPI parser 2022-06-03 08:03:28 +02:00
icount.c replay: rewrite async event handling 2022-06-06 09:26:53 +02:00
ioport.c softmmu: Add missing trace-events file 2020-09-09 17:15:18 +01:00
main.c ui/cocoa: Run qemu_init in the main thread 2022-09-23 14:36:33 +02:00
memory_mapping.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
memory.c bulk: Rename TARGET_FMT_plx -> HWADDR_FMT_plx 2023-01-18 11:14:34 +01:00
meson.build runstate: Move HMP commands from monitor/ to softmmu/ 2023-02-04 07:56:54 +01:00
physmem.c Header cleanup patches for 2023-01-20 2023-01-20 13:17:55 +00:00
qdev-monitor.c qdev: Move HMP command completion from monitor to softmmu/ 2023-02-04 07:56:54 +01:00
qemu-seccomp.c seccomp: Get actual errno value from failed seccomp functions 2022-10-26 13:32:58 +01:00
qtest.c module: add Error arguments to module_load and module_load_qom 2022-11-06 09:48:50 +01:00
rtc.c softmmu/rtc: Emit warning when using driftfix=slew on systems without mc146818 2023-01-13 16:22:57 +01:00
runstate-action.c runstate: cleanup reboot and panic actions 2021-01-21 13:00:41 +01:00
runstate-hmp-cmds.c runstate: Move HMP commands from monitor/ to softmmu/ 2023-02-04 07:56:54 +01:00
runstate.c Drop duplicate #include 2023-02-08 07:28:05 +01:00
timers-state.h qemu/atomic: Add aligned_{int64,uint64}_t types 2021-07-21 07:45:38 -10:00
tpm-hmp-cmds.c tpm: Move HMP commands from monitor/ to softmmu/ 2023-02-04 07:56:54 +01:00
tpm.c qapi: More complex uses of QAPI_LIST_APPEND 2021-01-28 08:08:45 +01:00
trace-events softmmu/dirtylimit: Implement virtual CPU throttle 2022-07-20 12:15:08 +01:00
trace.h softmmu: Add missing trace-events file 2020-09-09 17:15:18 +01:00
vl.c vl: catch [accel] entry without accelerator 2023-02-10 14:12:06 +01:00