From: Tong Zhang
Date: Tue, 31 May 2022 17:20:18 -0700
Subject: Re: [RESEND PATCH] hw/dma: fix crash caused by race condition
To: David Hildenbrand
Cc: Tong Zhang, Paolo Bonzini, Peter Xu, Philippe Mathieu-Daudé, qemu-devel@nongnu.org, Francisco Londono

Hi David,

On Mon, May 30, 2022 at 9:19 AM David Hildenbrand wrote:
>
> On 27.04.22 22:51, Tong Zhang wrote:
> > assert(dbs->acb) is meant to check the return value of io_func as
> > documented in commit 6bee44ea34 ("dma: the passed io_func does not
> > return NULL"). However, there is a chance that after calling
> > aio_context_release(dbs->ctx); the dma_blk_cb function is called before
> > the assertion and dbs->acb is set to NULL again at line 121. Thus when
> > we run assert at line 181 it will fail.
> >
> > softmmu/dma-helpers.c:181: dma_blk_cb: Assertion `dbs->acb' failed.
> >
> > Reported-by: Francisco Londono
> > Signed-off-by: Tong Zhang
> > ---
> >  softmmu/dma-helpers.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
> > index 7820fec54c..cb81017928 100644
> > --- a/softmmu/dma-helpers.c
> > +++ b/softmmu/dma-helpers.c
> > @@ -177,8 +177,8 @@ static void dma_blk_cb(void *opaque, int ret)
> >      aio_context_acquire(dbs->ctx);
> >      dbs->acb = dbs->io_func(dbs->offset, &dbs->iov,
> >                              dma_blk_cb, dbs, dbs->io_func_opaque);
> > -    aio_context_release(dbs->ctx);
> >      assert(dbs->acb);
> > +    aio_context_release(dbs->ctx);
> >  }
> >
> >  static void dma_aio_cancel(BlockAIOCB *acb)
>
> I'm fairly new to that code, but I wonder what prevents dma_blk_cb() from
> running after you reshuffled the code?
>

IMO if the assert is to test whether io_func returns a non-NULL value,
shouldn't it be immediately after calling io_func? Also... as suggested by
commit 6bee44ea346aed24e12d525daf10542d695508db

> dma: the passed io_func does not return NULL

Thanks,
- Tong

> After all, acquire/release is only around the dbs->io_func() call, so I
> don't immediately see how it interacts with re-entrance?
>
> --
> Thanks,
>
> David / dhildenb
>
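Review bot: the commit message does not justify the reordering in the hunk: it states that dma_blk_cb can run after aio_context_release(dbs->ctx) and clear dbs->acb, but not why placing assert(dbs->acb) before the release closes that window, which is exactly the question raised in this reply. Please state the invariant the move relies on, namely that the assert is checking io_func's return value and therefore has to sit directly after the call, while dbs->ctx is still held, so that a completion running in that context cannot reach the `dbs->acb = NULL` path first; without that sentence the `+    aio_context_release(dbs->ctx);` line reads as a plain reorder with no stated guarantee, and a later reader will ask the same question. Also replace the "line 121" and "line 181" references in the message with the code they point at (the `dbs->acb = NULL` in dma_blk_cb and the assert in this hunk), since line numbers go stale on the next edit to softmmu/dma-helpers.c.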