* [PATCH v2 0/7] virtiofsd: Avoid potential deadlocks
@ 2021-03-12 9:22 ` Greg Kurz
0 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, Dr. David Alan Gilbert, Greg Kurz, virtio-fs,
Stefan Hajnoczi, Vivek Goyal
A deadlock condition potentially exists if a vhost-user process needs
to request something to QEMU on the slave channel while processing a
vhost-user message.
This doesn't seem to affect any vhost-user implementation so far, but
this is currently biting the upcoming enablement of DAX with virtio-fs.
The issue is being observed when the guest does an emergency reboot while
a mapping still exits in the DAX window, which is very easy to get with
a busy enough workload (e.g. as simulated by blogbench [1]) :
- QEMU sends VHOST_USER_GET_VRING_BASE to virtiofsd.
- In order to complete the request, virtiofsd then asks QEMU to remove
the mapping on the slave channel.
All these dialogs are synchronous, hence the deadlock.
Another deadlock condition exists in the virtiofsd code itself, related
to the use of the vu_dispatch rwlock.
This series supercedes Vivek's previous tentative [1] to fix the deadlocks.
Basically, instead of introducing new vhost-user protocol message to
specifically shutdown the slave channel, this series introduces a nested
event loop in vhost_user_read() as suggested by Stefan Hajnoczi. This
allows to monitor and service requests on the slave channel while
waiting for virtiofsd to answer to a vhost-user request.
This was tested with the latest DAX patchset posted to the virtio-fs
list [2], rebased on top of the present series [3]. Testing scenario
is:
1) start VM with DAX capable vhost-user-fs device
2) mount -o dax in the guest
3) run Blogbench [4] in virtiofs mount
4) wait 10s, which is enough to have active mappings
5) echo b > /proc/sysrq-trigger
6) wait for the guest to reboot and start over from step 2
Without this series, only a couple of reboots ( < 5) are needed to
hit a deadlock. With this series applied, an overnight test could
reboot the guest 1500+ times without any issues.
[1] https://listman.redhat.com/archives/virtio-fs/2021-January/msg00073.html
[2] https://listman.redhat.com/archives/virtio-fs/2021-February/msg00058.html
[3] Tree with this series + DAX available at:
https://gitlab.com/gkurz/qemu/-/commits/virtio-fs-dax-no-deadlock
[4] https://github.com/jedisct1/Blogbench
Changes since v2:
- added some preliminary fixes and cleanups for the slave channel code
- re-factored some code and addressed comments (see individual patches)
- more testing
Greg Kurz (7):
vhost-user: Drop misleading EAGAIN checks in slave_read()
vhost-user: Fix double-close on slave_read() error path
vhost-user: Factor out duplicated slave_fd teardown code
vhost-user: Convert slave channel to QIOChannelSocket
vhost-user: Introduce nested event loop in vhost_user_read()
vhost-user: Monitor slave channel in vhost_user_read()
virtiofsd: Release vu_dispatch_lock when stopping queue
hw/virtio/vhost-user.c | 217 +++++++++++++++++++++-------------
tools/virtiofsd/fuse_virtio.c | 6 +
2 files changed, 144 insertions(+), 79 deletions(-)
--
2.26.2
^ permalink raw reply [flat|nested] 30+ messages in thread
* [Virtio-fs] [PATCH v2 0/7] virtiofsd: Avoid potential deadlocks
@ 2021-03-12 9:22 ` Greg Kurz
0 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé, Michael S. Tsirkin, virtio-fs, Vivek Goyal
A deadlock condition potentially exists if a vhost-user process needs
to request something to QEMU on the slave channel while processing a
vhost-user message.
This doesn't seem to affect any vhost-user implementation so far, but
this is currently biting the upcoming enablement of DAX with virtio-fs.
The issue is being observed when the guest does an emergency reboot while
a mapping still exits in the DAX window, which is very easy to get with
a busy enough workload (e.g. as simulated by blogbench [1]) :
- QEMU sends VHOST_USER_GET_VRING_BASE to virtiofsd.
- In order to complete the request, virtiofsd then asks QEMU to remove
the mapping on the slave channel.
All these dialogs are synchronous, hence the deadlock.
Another deadlock condition exists in the virtiofsd code itself, related
to the use of the vu_dispatch rwlock.
This series supercedes Vivek's previous tentative [1] to fix the deadlocks.
Basically, instead of introducing new vhost-user protocol message to
specifically shutdown the slave channel, this series introduces a nested
event loop in vhost_user_read() as suggested by Stefan Hajnoczi. This
allows to monitor and service requests on the slave channel while
waiting for virtiofsd to answer to a vhost-user request.
This was tested with the latest DAX patchset posted to the virtio-fs
list [2], rebased on top of the present series [3]. Testing scenario
is:
1) start VM with DAX capable vhost-user-fs device
2) mount -o dax in the guest
3) run Blogbench [4] in virtiofs mount
4) wait 10s, which is enough to have active mappings
5) echo b > /proc/sysrq-trigger
6) wait for the guest to reboot and start over from step 2
Without this series, only a couple of reboots ( < 5) are needed to
hit a deadlock. With this series applied, an overnight test could
reboot the guest 1500+ times without any issues.
[1] https://listman.redhat.com/archives/virtio-fs/2021-January/msg00073.html
[2] https://listman.redhat.com/archives/virtio-fs/2021-February/msg00058.html
[3] Tree with this series + DAX available at:
https://gitlab.com/gkurz/qemu/-/commits/virtio-fs-dax-no-deadlock
[4] https://github.com/jedisct1/Blogbench
Changes since v2:
- added some preliminary fixes and cleanups for the slave channel code
- re-factored some code and addressed comments (see individual patches)
- more testing
Greg Kurz (7):
vhost-user: Drop misleading EAGAIN checks in slave_read()
vhost-user: Fix double-close on slave_read() error path
vhost-user: Factor out duplicated slave_fd teardown code
vhost-user: Convert slave channel to QIOChannelSocket
vhost-user: Introduce nested event loop in vhost_user_read()
vhost-user: Monitor slave channel in vhost_user_read()
virtiofsd: Release vu_dispatch_lock when stopping queue
hw/virtio/vhost-user.c | 217 +++++++++++++++++++++-------------
tools/virtiofsd/fuse_virtio.c | 6 +
2 files changed, 144 insertions(+), 79 deletions(-)
--
2.26.2
^ permalink raw reply [flat|nested] 30+ messages in thread
* [PATCH v2 1/7] vhost-user: Drop misleading EAGAIN checks in slave_read()
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-12 9:22 ` Greg Kurz
-1 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, Dr. David Alan Gilbert, Greg Kurz, virtio-fs,
Stefan Hajnoczi, Vivek Goyal
slave_read() checks EAGAIN when reading or writing to the socket
fails. This gives the impression that the slave channel is in
non-blocking mode, which is certainly not the case with the current
code base. And the rest of the code isn't actually ready to cope
with non-blocking I/O.
Just drop the checks everywhere in this function for the sake of
clarity.
Signed-off-by: Greg Kurz <groug@kaod.org>
---
hw/virtio/vhost-user.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 2fdd5daf74bb..6af9b43a7232 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -1420,7 +1420,7 @@ static void slave_read(void *opaque)
do {
size = recvmsg(u->slave_fd, &msgh, 0);
- } while (size < 0 && (errno == EINTR || errno == EAGAIN));
+ } while (size < 0 && errno == EINTR);
if (size != VHOST_USER_HDR_SIZE) {
error_report("Failed to read from slave.");
@@ -1452,7 +1452,7 @@ static void slave_read(void *opaque)
/* Read payload */
do {
size = read(u->slave_fd, &payload, hdr.size);
- } while (size < 0 && (errno == EINTR || errno == EAGAIN));
+ } while (size < 0 && errno == EINTR);
if (size != hdr.size) {
error_report("Failed to read payload from slave.");
@@ -1503,7 +1503,7 @@ static void slave_read(void *opaque)
do {
size = writev(u->slave_fd, iovec, ARRAY_SIZE(iovec));
- } while (size < 0 && (errno == EINTR || errno == EAGAIN));
+ } while (size < 0 && errno == EINTR);
if (size != VHOST_USER_HDR_SIZE + hdr.size) {
error_report("Failed to send msg reply to slave.");
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [Virtio-fs] [PATCH v2 1/7] vhost-user: Drop misleading EAGAIN checks in slave_read()
@ 2021-03-12 9:22 ` Greg Kurz
0 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé, Michael S. Tsirkin, virtio-fs, Vivek Goyal
slave_read() checks EAGAIN when reading or writing to the socket
fails. This gives the impression that the slave channel is in
non-blocking mode, which is certainly not the case with the current
code base. And the rest of the code isn't actually ready to cope
with non-blocking I/O.
Just drop the checks everywhere in this function for the sake of
clarity.
Signed-off-by: Greg Kurz <groug@kaod.org>
---
hw/virtio/vhost-user.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 2fdd5daf74bb..6af9b43a7232 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -1420,7 +1420,7 @@ static void slave_read(void *opaque)
do {
size = recvmsg(u->slave_fd, &msgh, 0);
- } while (size < 0 && (errno == EINTR || errno == EAGAIN));
+ } while (size < 0 && errno == EINTR);
if (size != VHOST_USER_HDR_SIZE) {
error_report("Failed to read from slave.");
@@ -1452,7 +1452,7 @@ static void slave_read(void *opaque)
/* Read payload */
do {
size = read(u->slave_fd, &payload, hdr.size);
- } while (size < 0 && (errno == EINTR || errno == EAGAIN));
+ } while (size < 0 && errno == EINTR);
if (size != hdr.size) {
error_report("Failed to read payload from slave.");
@@ -1503,7 +1503,7 @@ static void slave_read(void *opaque)
do {
size = writev(u->slave_fd, iovec, ARRAY_SIZE(iovec));
- } while (size < 0 && (errno == EINTR || errno == EAGAIN));
+ } while (size < 0 && errno == EINTR);
if (size != VHOST_USER_HDR_SIZE + hdr.size) {
error_report("Failed to send msg reply to slave.");
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v2 2/7] vhost-user: Fix double-close on slave_read() error path
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-12 9:22 ` Greg Kurz
-1 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, Dr. David Alan Gilbert, Greg Kurz, virtio-fs,
Stefan Hajnoczi, Vivek Goyal
Some message types, e.g. VHOST_USER_SLAVE_VRING_HOST_NOTIFIER_MSG,
can convey file descriptors. These must be closed before returning
from slave_read() to avoid being leaked. This can currently be done
in two different places:
[1] just after the request has been processed
[2] on the error path, under the goto label err:
These path are supposed to be mutually exclusive but they are not
actually. If the VHOST_USER_NEED_REPLY_MASK flag was passed and the
sending of the reply fails, both [1] and [2] are performed with the
same descriptor values. This can potentially cause subtle bugs if one
of the descriptor was recycled by some other thread in the meantime.
This code duplication complicates rollback for no real good benefit.
Do the closing in a unique place, under a new fdcleanup: goto label
at the end of the function.
Signed-off-by: Greg Kurz <groug@kaod.org>
---
hw/virtio/vhost-user.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 6af9b43a7232..acde1d293684 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -1475,13 +1475,6 @@ static void slave_read(void *opaque)
ret = -EINVAL;
}
- /* Close the remaining file descriptors. */
- for (i = 0; i < fdsize; i++) {
- if (fd[i] != -1) {
- close(fd[i]);
- }
- }
-
/*
* REPLY_ACK feature handling. Other reply types has to be managed
* directly in their request handlers.
@@ -1511,12 +1504,14 @@ static void slave_read(void *opaque)
}
}
- return;
+ goto fdcleanup;
err:
qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
close(u->slave_fd);
u->slave_fd = -1;
+
+fdcleanup:
for (i = 0; i < fdsize; i++) {
if (fd[i] != -1) {
close(fd[i]);
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [Virtio-fs] [PATCH v2 2/7] vhost-user: Fix double-close on slave_read() error path
@ 2021-03-12 9:22 ` Greg Kurz
0 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé, Michael S. Tsirkin, virtio-fs, Vivek Goyal
Some message types, e.g. VHOST_USER_SLAVE_VRING_HOST_NOTIFIER_MSG,
can convey file descriptors. These must be closed before returning
from slave_read() to avoid being leaked. This can currently be done
in two different places:
[1] just after the request has been processed
[2] on the error path, under the goto label err:
These path are supposed to be mutually exclusive but they are not
actually. If the VHOST_USER_NEED_REPLY_MASK flag was passed and the
sending of the reply fails, both [1] and [2] are performed with the
same descriptor values. This can potentially cause subtle bugs if one
of the descriptor was recycled by some other thread in the meantime.
This code duplication complicates rollback for no real good benefit.
Do the closing in a unique place, under a new fdcleanup: goto label
at the end of the function.
Signed-off-by: Greg Kurz <groug@kaod.org>
---
hw/virtio/vhost-user.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 6af9b43a7232..acde1d293684 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -1475,13 +1475,6 @@ static void slave_read(void *opaque)
ret = -EINVAL;
}
- /* Close the remaining file descriptors. */
- for (i = 0; i < fdsize; i++) {
- if (fd[i] != -1) {
- close(fd[i]);
- }
- }
-
/*
* REPLY_ACK feature handling. Other reply types has to be managed
* directly in their request handlers.
@@ -1511,12 +1504,14 @@ static void slave_read(void *opaque)
}
}
- return;
+ goto fdcleanup;
err:
qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
close(u->slave_fd);
u->slave_fd = -1;
+
+fdcleanup:
for (i = 0; i < fdsize; i++) {
if (fd[i] != -1) {
close(fd[i]);
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v2 3/7] vhost-user: Factor out duplicated slave_fd teardown code
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-12 9:22 ` Greg Kurz
-1 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, Dr. David Alan Gilbert, Greg Kurz, virtio-fs,
Stefan Hajnoczi, Vivek Goyal
Signed-off-by: Greg Kurz <groug@kaod.org>
---
hw/virtio/vhost-user.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index acde1d293684..cb0c98f30a8d 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -1392,6 +1392,13 @@ static int vhost_user_slave_handle_vring_host_notifier(struct vhost_dev *dev,
return 0;
}
+static void close_slave_channel(struct vhost_user *u)
+{
+ qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
+ close(u->slave_fd);
+ u->slave_fd = -1;
+}
+
static void slave_read(void *opaque)
{
struct vhost_dev *dev = opaque;
@@ -1507,9 +1514,7 @@ static void slave_read(void *opaque)
goto fdcleanup;
err:
- qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
- close(u->slave_fd);
- u->slave_fd = -1;
+ close_slave_channel(u);
fdcleanup:
for (i = 0; i < fdsize; i++) {
@@ -1560,9 +1565,7 @@ static int vhost_setup_slave_channel(struct vhost_dev *dev)
out:
close(sv[1]);
if (ret) {
- qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
- close(u->slave_fd);
- u->slave_fd = -1;
+ close_slave_channel(u);
}
return ret;
@@ -1915,9 +1918,7 @@ static int vhost_user_backend_cleanup(struct vhost_dev *dev)
u->postcopy_fd.handler = NULL;
}
if (u->slave_fd >= 0) {
- qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
- close(u->slave_fd);
- u->slave_fd = -1;
+ close_slave_channel(u);
}
g_free(u->region_rb);
u->region_rb = NULL;
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [Virtio-fs] [PATCH v2 3/7] vhost-user: Factor out duplicated slave_fd teardown code
@ 2021-03-12 9:22 ` Greg Kurz
0 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé, Michael S. Tsirkin, virtio-fs, Vivek Goyal
Signed-off-by: Greg Kurz <groug@kaod.org>
---
hw/virtio/vhost-user.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index acde1d293684..cb0c98f30a8d 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -1392,6 +1392,13 @@ static int vhost_user_slave_handle_vring_host_notifier(struct vhost_dev *dev,
return 0;
}
+static void close_slave_channel(struct vhost_user *u)
+{
+ qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
+ close(u->slave_fd);
+ u->slave_fd = -1;
+}
+
static void slave_read(void *opaque)
{
struct vhost_dev *dev = opaque;
@@ -1507,9 +1514,7 @@ static void slave_read(void *opaque)
goto fdcleanup;
err:
- qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
- close(u->slave_fd);
- u->slave_fd = -1;
+ close_slave_channel(u);
fdcleanup:
for (i = 0; i < fdsize; i++) {
@@ -1560,9 +1565,7 @@ static int vhost_setup_slave_channel(struct vhost_dev *dev)
out:
close(sv[1]);
if (ret) {
- qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
- close(u->slave_fd);
- u->slave_fd = -1;
+ close_slave_channel(u);
}
return ret;
@@ -1915,9 +1918,7 @@ static int vhost_user_backend_cleanup(struct vhost_dev *dev)
u->postcopy_fd.handler = NULL;
}
if (u->slave_fd >= 0) {
- qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
- close(u->slave_fd);
- u->slave_fd = -1;
+ close_slave_channel(u);
}
g_free(u->region_rb);
u->region_rb = NULL;
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v2 4/7] vhost-user: Convert slave channel to QIOChannelSocket
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-12 9:22 ` Greg Kurz
-1 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, Dr. David Alan Gilbert, Greg Kurz, virtio-fs,
Stefan Hajnoczi, Vivek Goyal
The slave channel is implemented with socketpair() : QEMU creates
the pair, passes one of the socket to virtiofsd and monitors the
other one with the main event loop using qemu_set_fd_handler().
In order to fix a potential deadlock between QEMU and a vhost-user
external process (e.g. virtiofsd with DAX), we want to be able to
monitor and service the slave channel while handling vhost-user
requests.
Prepare ground for this by converting the slave channel to be a
QIOChannelSocket. This will make monitoring of the slave channel
as simple as calling qio_channel_add_watch_source(). Since the
connection is already established between the two sockets, only
incoming I/O (G_IO_IN) and disconnect (G_IO_HUP) need to be
serviced.
This also allows to get rid of the ancillary data parsing since
QIOChannelSocket can do this for us. Note that the MSG_CTRUNC
check is dropped on the way because QIOChannelSocket ignores this
case. This isn't a problem since slave_read() provisions space for
8 file descriptors, but affected vhost-user slave protocol messages
generally only convey one. If for some reason a buggy implementation
passes more file descriptors, no need to break the connection, just
like we don't break it if some other type of ancillary data is
received : this isn't explicitely violating the protocol per-se so
it seems better to ignore it.
The current code errors out on short reads and writes. Use the
qio_channel_*_all() variants to address this on the way.
Signed-off-by: Greg Kurz <groug@kaod.org>
---
v2: - also monitor G_IO_HUP (Stefan)
- use the qio_channel_*_all() variants (Daniel)
- simplified thanks to previous refactoring
---
hw/virtio/vhost-user.c | 99 +++++++++++++++++-------------------------
1 file changed, 39 insertions(+), 60 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index cb0c98f30a8d..3c1e1611b087 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -16,6 +16,7 @@
#include "hw/virtio/virtio.h"
#include "hw/virtio/virtio-net.h"
#include "chardev/char-fe.h"
+#include "io/channel-socket.h"
#include "sysemu/kvm.h"
#include "qemu/error-report.h"
#include "qemu/main-loop.h"
@@ -237,7 +238,8 @@ struct vhost_user {
struct vhost_dev *dev;
/* Shared between vhost devs of the same virtio device */
VhostUserState *user;
- int slave_fd;
+ QIOChannel *slave_ioc;
+ GSource *slave_src;
NotifierWithReturn postcopy_notifier;
struct PostCopyFD postcopy_fd;
uint64_t postcopy_client_bases[VHOST_USER_MAX_RAM_SLOTS];
@@ -1394,61 +1396,37 @@ static int vhost_user_slave_handle_vring_host_notifier(struct vhost_dev *dev,
static void close_slave_channel(struct vhost_user *u)
{
- qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
- close(u->slave_fd);
- u->slave_fd = -1;
+ g_source_destroy(u->slave_src);
+ g_source_unref(u->slave_src);
+ u->slave_src = NULL;
+ object_unref(OBJECT(u->slave_ioc));
+ u->slave_ioc = NULL;
}
-static void slave_read(void *opaque)
+static gboolean slave_read(QIOChannel *ioc, GIOCondition condition,
+ gpointer opaque)
{
struct vhost_dev *dev = opaque;
struct vhost_user *u = dev->opaque;
VhostUserHeader hdr = { 0, };
VhostUserPayload payload = { 0, };
- int size, ret = 0;
+ Error *local_err = NULL;
+ gboolean rc = G_SOURCE_CONTINUE;
+ int ret = 0;
struct iovec iov;
- struct msghdr msgh;
- int fd[VHOST_USER_SLAVE_MAX_FDS];
- char control[CMSG_SPACE(sizeof(fd))];
- struct cmsghdr *cmsg;
- int i, fdsize = 0;
-
- memset(&msgh, 0, sizeof(msgh));
- msgh.msg_iov = &iov;
- msgh.msg_iovlen = 1;
- msgh.msg_control = control;
- msgh.msg_controllen = sizeof(control);
-
- memset(fd, -1, sizeof(fd));
+ g_autofree int *fd = NULL;
+ size_t fdsize = 0;
+ int i;
/* Read header */
iov.iov_base = &hdr;
iov.iov_len = VHOST_USER_HDR_SIZE;
- do {
- size = recvmsg(u->slave_fd, &msgh, 0);
- } while (size < 0 && errno == EINTR);
-
- if (size != VHOST_USER_HDR_SIZE) {
- error_report("Failed to read from slave.");
+ if (qio_channel_readv_full_all(ioc, &iov, 1, &fd, &fdsize, &local_err)) {
+ error_report_err(local_err);
goto err;
}
- if (msgh.msg_flags & MSG_CTRUNC) {
- error_report("Truncated message.");
- goto err;
- }
-
- for (cmsg = CMSG_FIRSTHDR(&msgh); cmsg != NULL;
- cmsg = CMSG_NXTHDR(&msgh, cmsg)) {
- if (cmsg->cmsg_level == SOL_SOCKET &&
- cmsg->cmsg_type == SCM_RIGHTS) {
- fdsize = cmsg->cmsg_len - CMSG_LEN(0);
- memcpy(fd, CMSG_DATA(cmsg), fdsize);
- break;
- }
- }
-
if (hdr.size > VHOST_USER_PAYLOAD_SIZE) {
error_report("Failed to read msg header."
" Size %d exceeds the maximum %zu.", hdr.size,
@@ -1457,12 +1435,8 @@ static void slave_read(void *opaque)
}
/* Read payload */
- do {
- size = read(u->slave_fd, &payload, hdr.size);
- } while (size < 0 && errno == EINTR);
-
- if (size != hdr.size) {
- error_report("Failed to read payload from slave.");
+ if (qio_channel_read_all(ioc, (char *) &payload, hdr.size, &local_err)) {
+ error_report_err(local_err);
goto err;
}
@@ -1475,7 +1449,7 @@ static void slave_read(void *opaque)
break;
case VHOST_USER_SLAVE_VRING_HOST_NOTIFIER_MSG:
ret = vhost_user_slave_handle_vring_host_notifier(dev, &payload.area,
- fd[0]);
+ fd ? fd[0] : -1);
break;
default:
error_report("Received unexpected msg type: %d.", hdr.request);
@@ -1501,12 +1475,8 @@ static void slave_read(void *opaque)
iovec[1].iov_base = &payload;
iovec[1].iov_len = hdr.size;
- do {
- size = writev(u->slave_fd, iovec, ARRAY_SIZE(iovec));
- } while (size < 0 && errno == EINTR);
-
- if (size != VHOST_USER_HDR_SIZE + hdr.size) {
- error_report("Failed to send msg reply to slave.");
+ if (qio_channel_writev_all(ioc, iovec, ARRAY_SIZE(iovec), &local_err)) {
+ error_report_err(local_err);
goto err;
}
}
@@ -1515,14 +1485,15 @@ static void slave_read(void *opaque)
err:
close_slave_channel(u);
+ rc = G_SOURCE_REMOVE;
fdcleanup:
- for (i = 0; i < fdsize; i++) {
- if (fd[i] != -1) {
+ if (fd) {
+ for (i = 0; i < fdsize; i++) {
close(fd[i]);
}
}
- return;
+ return rc;
}
static int vhost_setup_slave_channel(struct vhost_dev *dev)
@@ -1535,6 +1506,8 @@ static int vhost_setup_slave_channel(struct vhost_dev *dev)
int sv[2], ret = 0;
bool reply_supported = virtio_has_feature(dev->protocol_features,
VHOST_USER_PROTOCOL_F_REPLY_ACK);
+ Error *local_err = NULL;
+ QIOChannel *ioc;
if (!virtio_has_feature(dev->protocol_features,
VHOST_USER_PROTOCOL_F_SLAVE_REQ)) {
@@ -1546,8 +1519,15 @@ static int vhost_setup_slave_channel(struct vhost_dev *dev)
return -1;
}
- u->slave_fd = sv[0];
- qemu_set_fd_handler(u->slave_fd, slave_read, NULL, dev);
+ ioc = QIO_CHANNEL(qio_channel_socket_new_fd(sv[0], &local_err));
+ if (!ioc) {
+ error_report_err(local_err);
+ return -1;
+ }
+ u->slave_ioc = ioc;
+ u->slave_src = qio_channel_add_watch_source(u->slave_ioc,
+ G_IO_IN | G_IO_HUP,
+ slave_read, dev, NULL, NULL);
if (reply_supported) {
msg.hdr.flags |= VHOST_USER_NEED_REPLY_MASK;
@@ -1802,7 +1782,6 @@ static int vhost_user_backend_init(struct vhost_dev *dev, void *opaque)
u = g_new0(struct vhost_user, 1);
u->user = opaque;
- u->slave_fd = -1;
u->dev = dev;
dev->opaque = u;
@@ -1917,7 +1896,7 @@ static int vhost_user_backend_cleanup(struct vhost_dev *dev)
close(u->postcopy_fd.fd);
u->postcopy_fd.handler = NULL;
}
- if (u->slave_fd >= 0) {
+ if (u->slave_ioc) {
close_slave_channel(u);
}
g_free(u->region_rb);
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [Virtio-fs] [PATCH v2 4/7] vhost-user: Convert slave channel to QIOChannelSocket
@ 2021-03-12 9:22 ` Greg Kurz
0 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé, Michael S. Tsirkin, virtio-fs, Vivek Goyal
The slave channel is implemented with socketpair() : QEMU creates
the pair, passes one of the socket to virtiofsd and monitors the
other one with the main event loop using qemu_set_fd_handler().
In order to fix a potential deadlock between QEMU and a vhost-user
external process (e.g. virtiofsd with DAX), we want to be able to
monitor and service the slave channel while handling vhost-user
requests.
Prepare ground for this by converting the slave channel to be a
QIOChannelSocket. This will make monitoring of the slave channel
as simple as calling qio_channel_add_watch_source(). Since the
connection is already established between the two sockets, only
incoming I/O (G_IO_IN) and disconnect (G_IO_HUP) need to be
serviced.
This also allows to get rid of the ancillary data parsing since
QIOChannelSocket can do this for us. Note that the MSG_CTRUNC
check is dropped on the way because QIOChannelSocket ignores this
case. This isn't a problem since slave_read() provisions space for
8 file descriptors, but affected vhost-user slave protocol messages
generally only convey one. If for some reason a buggy implementation
passes more file descriptors, no need to break the connection, just
like we don't break it if some other type of ancillary data is
received : this isn't explicitely violating the protocol per-se so
it seems better to ignore it.
The current code errors out on short reads and writes. Use the
qio_channel_*_all() variants to address this on the way.
Signed-off-by: Greg Kurz <groug@kaod.org>
---
v2: - also monitor G_IO_HUP (Stefan)
- use the qio_channel_*_all() variants (Daniel)
- simplified thanks to previous refactoring
---
hw/virtio/vhost-user.c | 99 +++++++++++++++++-------------------------
1 file changed, 39 insertions(+), 60 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index cb0c98f30a8d..3c1e1611b087 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -16,6 +16,7 @@
#include "hw/virtio/virtio.h"
#include "hw/virtio/virtio-net.h"
#include "chardev/char-fe.h"
+#include "io/channel-socket.h"
#include "sysemu/kvm.h"
#include "qemu/error-report.h"
#include "qemu/main-loop.h"
@@ -237,7 +238,8 @@ struct vhost_user {
struct vhost_dev *dev;
/* Shared between vhost devs of the same virtio device */
VhostUserState *user;
- int slave_fd;
+ QIOChannel *slave_ioc;
+ GSource *slave_src;
NotifierWithReturn postcopy_notifier;
struct PostCopyFD postcopy_fd;
uint64_t postcopy_client_bases[VHOST_USER_MAX_RAM_SLOTS];
@@ -1394,61 +1396,37 @@ static int vhost_user_slave_handle_vring_host_notifier(struct vhost_dev *dev,
static void close_slave_channel(struct vhost_user *u)
{
- qemu_set_fd_handler(u->slave_fd, NULL, NULL, NULL);
- close(u->slave_fd);
- u->slave_fd = -1;
+ g_source_destroy(u->slave_src);
+ g_source_unref(u->slave_src);
+ u->slave_src = NULL;
+ object_unref(OBJECT(u->slave_ioc));
+ u->slave_ioc = NULL;
}
-static void slave_read(void *opaque)
+static gboolean slave_read(QIOChannel *ioc, GIOCondition condition,
+ gpointer opaque)
{
struct vhost_dev *dev = opaque;
struct vhost_user *u = dev->opaque;
VhostUserHeader hdr = { 0, };
VhostUserPayload payload = { 0, };
- int size, ret = 0;
+ Error *local_err = NULL;
+ gboolean rc = G_SOURCE_CONTINUE;
+ int ret = 0;
struct iovec iov;
- struct msghdr msgh;
- int fd[VHOST_USER_SLAVE_MAX_FDS];
- char control[CMSG_SPACE(sizeof(fd))];
- struct cmsghdr *cmsg;
- int i, fdsize = 0;
-
- memset(&msgh, 0, sizeof(msgh));
- msgh.msg_iov = &iov;
- msgh.msg_iovlen = 1;
- msgh.msg_control = control;
- msgh.msg_controllen = sizeof(control);
-
- memset(fd, -1, sizeof(fd));
+ g_autofree int *fd = NULL;
+ size_t fdsize = 0;
+ int i;
/* Read header */
iov.iov_base = &hdr;
iov.iov_len = VHOST_USER_HDR_SIZE;
- do {
- size = recvmsg(u->slave_fd, &msgh, 0);
- } while (size < 0 && errno == EINTR);
-
- if (size != VHOST_USER_HDR_SIZE) {
- error_report("Failed to read from slave.");
+ if (qio_channel_readv_full_all(ioc, &iov, 1, &fd, &fdsize, &local_err)) {
+ error_report_err(local_err);
goto err;
}
- if (msgh.msg_flags & MSG_CTRUNC) {
- error_report("Truncated message.");
- goto err;
- }
-
- for (cmsg = CMSG_FIRSTHDR(&msgh); cmsg != NULL;
- cmsg = CMSG_NXTHDR(&msgh, cmsg)) {
- if (cmsg->cmsg_level == SOL_SOCKET &&
- cmsg->cmsg_type == SCM_RIGHTS) {
- fdsize = cmsg->cmsg_len - CMSG_LEN(0);
- memcpy(fd, CMSG_DATA(cmsg), fdsize);
- break;
- }
- }
-
if (hdr.size > VHOST_USER_PAYLOAD_SIZE) {
error_report("Failed to read msg header."
" Size %d exceeds the maximum %zu.", hdr.size,
@@ -1457,12 +1435,8 @@ static void slave_read(void *opaque)
}
/* Read payload */
- do {
- size = read(u->slave_fd, &payload, hdr.size);
- } while (size < 0 && errno == EINTR);
-
- if (size != hdr.size) {
- error_report("Failed to read payload from slave.");
+ if (qio_channel_read_all(ioc, (char *) &payload, hdr.size, &local_err)) {
+ error_report_err(local_err);
goto err;
}
@@ -1475,7 +1449,7 @@ static void slave_read(void *opaque)
break;
case VHOST_USER_SLAVE_VRING_HOST_NOTIFIER_MSG:
ret = vhost_user_slave_handle_vring_host_notifier(dev, &payload.area,
- fd[0]);
+ fd ? fd[0] : -1);
break;
default:
error_report("Received unexpected msg type: %d.", hdr.request);
@@ -1501,12 +1475,8 @@ static void slave_read(void *opaque)
iovec[1].iov_base = &payload;
iovec[1].iov_len = hdr.size;
- do {
- size = writev(u->slave_fd, iovec, ARRAY_SIZE(iovec));
- } while (size < 0 && errno == EINTR);
-
- if (size != VHOST_USER_HDR_SIZE + hdr.size) {
- error_report("Failed to send msg reply to slave.");
+ if (qio_channel_writev_all(ioc, iovec, ARRAY_SIZE(iovec), &local_err)) {
+ error_report_err(local_err);
goto err;
}
}
@@ -1515,14 +1485,15 @@ static void slave_read(void *opaque)
err:
close_slave_channel(u);
+ rc = G_SOURCE_REMOVE;
fdcleanup:
- for (i = 0; i < fdsize; i++) {
- if (fd[i] != -1) {
+ if (fd) {
+ for (i = 0; i < fdsize; i++) {
close(fd[i]);
}
}
- return;
+ return rc;
}
static int vhost_setup_slave_channel(struct vhost_dev *dev)
@@ -1535,6 +1506,8 @@ static int vhost_setup_slave_channel(struct vhost_dev *dev)
int sv[2], ret = 0;
bool reply_supported = virtio_has_feature(dev->protocol_features,
VHOST_USER_PROTOCOL_F_REPLY_ACK);
+ Error *local_err = NULL;
+ QIOChannel *ioc;
if (!virtio_has_feature(dev->protocol_features,
VHOST_USER_PROTOCOL_F_SLAVE_REQ)) {
@@ -1546,8 +1519,15 @@ static int vhost_setup_slave_channel(struct vhost_dev *dev)
return -1;
}
- u->slave_fd = sv[0];
- qemu_set_fd_handler(u->slave_fd, slave_read, NULL, dev);
+ ioc = QIO_CHANNEL(qio_channel_socket_new_fd(sv[0], &local_err));
+ if (!ioc) {
+ error_report_err(local_err);
+ return -1;
+ }
+ u->slave_ioc = ioc;
+ u->slave_src = qio_channel_add_watch_source(u->slave_ioc,
+ G_IO_IN | G_IO_HUP,
+ slave_read, dev, NULL, NULL);
if (reply_supported) {
msg.hdr.flags |= VHOST_USER_NEED_REPLY_MASK;
@@ -1802,7 +1782,6 @@ static int vhost_user_backend_init(struct vhost_dev *dev, void *opaque)
u = g_new0(struct vhost_user, 1);
u->user = opaque;
- u->slave_fd = -1;
u->dev = dev;
dev->opaque = u;
@@ -1917,7 +1896,7 @@ static int vhost_user_backend_cleanup(struct vhost_dev *dev)
close(u->postcopy_fd.fd);
u->postcopy_fd.handler = NULL;
}
- if (u->slave_fd >= 0) {
+ if (u->slave_ioc) {
close_slave_channel(u);
}
g_free(u->region_rb);
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v2 5/7] vhost-user: Introduce nested event loop in vhost_user_read()
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-12 9:22 ` Greg Kurz
-1 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, Dr. David Alan Gilbert, Greg Kurz, virtio-fs,
Stefan Hajnoczi, Vivek Goyal
A deadlock condition potentially exists if a vhost-user process needs
to request something to QEMU on the slave channel while processing a
vhost-user message.
This doesn't seem to affect any vhost-user implementation so far, but
this is currently biting the upcoming enablement of DAX with virtio-fs.
The issue is being observed when the guest does an emergency reboot while
a mapping still exits in the DAX window, which is very easy to get with
a busy enough workload (e.g. as simulated by blogbench [1]) :
- QEMU sends VHOST_USER_GET_VRING_BASE to virtiofsd.
- In order to complete the request, virtiofsd then asks QEMU to remove
the mapping on the slave channel.
All these dialogs are synchronous, hence the deadlock.
As pointed out by Stefan Hajnoczi:
When QEMU's vhost-user master implementation sends a vhost-user protocol
message, vhost_user_read() does a "blocking" read during which slave_fd
is not monitored by QEMU.
The natural solution for this issue is an event loop. The main event
loop cannot be nested though since we have no guarantees that its
fd handlers are prepared for re-entrancy.
Introduce a new event loop that only monitors the chardev I/O for now
in vhost_user_read() and push the actual reading to a one-shot handler.
A subsequent patch will teach the loop to monitor and process messages
from the slave channel as well.
[1] https://github.com/jedisct1/Blogbench
Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
---
v2: - Document why a nested loop is needed in vhost_user_read() (Stefan)
---
hw/virtio/vhost-user.c | 65 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 60 insertions(+), 5 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 3c1e1611b087..00256fa318a6 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -296,15 +296,27 @@ static int vhost_user_read_header(struct vhost_dev *dev, VhostUserMsg *msg)
return 0;
}
-static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
+struct vhost_user_read_cb_data {
+ struct vhost_dev *dev;
+ VhostUserMsg *msg;
+ GMainLoop *loop;
+ int ret;
+};
+
+static gboolean vhost_user_read_cb(GIOChannel *source, GIOCondition condition,
+ gpointer opaque)
{
+ struct vhost_user_read_cb_data *data = opaque;
+ struct vhost_dev *dev = data->dev;
+ VhostUserMsg *msg = data->msg;
struct vhost_user *u = dev->opaque;
CharBackend *chr = u->user->chr;
uint8_t *p = (uint8_t *) msg;
int r, size;
if (vhost_user_read_header(dev, msg) < 0) {
- return -1;
+ data->ret = -1;
+ goto end;
}
/* validate message size is sane */
@@ -312,7 +324,8 @@ static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
error_report("Failed to read msg header."
" Size %d exceeds the maximum %zu.", msg->hdr.size,
VHOST_USER_PAYLOAD_SIZE);
- return -1;
+ data->ret = -1;
+ goto end;
}
if (msg->hdr.size) {
@@ -322,11 +335,53 @@ static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
if (r != size) {
error_report("Failed to read msg payload."
" Read %d instead of %d.", r, msg->hdr.size);
- return -1;
+ data->ret = -1;
+ goto end;
}
}
- return 0;
+end:
+ g_main_loop_quit(data->loop);
+ return G_SOURCE_REMOVE;
+}
+
+static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
+{
+ struct vhost_user *u = dev->opaque;
+ CharBackend *chr = u->user->chr;
+ GMainContext *prev_ctxt = chr->chr->gcontext;
+ GMainContext *ctxt = g_main_context_new();
+ GMainLoop *loop = g_main_loop_new(ctxt, FALSE);
+ struct vhost_user_read_cb_data data = {
+ .dev = dev,
+ .loop = loop,
+ .msg = msg,
+ .ret = 0
+ };
+
+ /*
+ * We want to be able to monitor the slave channel fd while waiting
+ * for chr I/O. This requires an event loop, but we can't nest the
+ * one to which chr is currently attached : its fd handlers might not
+ * be prepared for re-entrancy. So we create a new one and switch chr
+ * to use it.
+ */
+ qemu_chr_be_update_read_handlers(chr->chr, ctxt);
+ qemu_chr_fe_add_watch(chr, G_IO_IN | G_IO_HUP, vhost_user_read_cb, &data);
+
+ g_main_loop_run(loop);
+
+ /*
+ * Restore the previous event loop context. This also destroys/recreates
+ * event sources : this guarantees that all pending events in the original
+ * context that have been processed by the nested loop are purged.
+ */
+ qemu_chr_be_update_read_handlers(chr->chr, prev_ctxt);
+
+ g_main_loop_unref(loop);
+ g_main_context_unref(ctxt);
+
+ return data.ret;
}
static int process_message_reply(struct vhost_dev *dev,
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [Virtio-fs] [PATCH v2 5/7] vhost-user: Introduce nested event loop in vhost_user_read()
@ 2021-03-12 9:22 ` Greg Kurz
0 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé, Michael S. Tsirkin, virtio-fs, Vivek Goyal
A deadlock condition potentially exists if a vhost-user process needs
to request something to QEMU on the slave channel while processing a
vhost-user message.
This doesn't seem to affect any vhost-user implementation so far, but
this is currently biting the upcoming enablement of DAX with virtio-fs.
The issue is being observed when the guest does an emergency reboot while
a mapping still exits in the DAX window, which is very easy to get with
a busy enough workload (e.g. as simulated by blogbench [1]) :
- QEMU sends VHOST_USER_GET_VRING_BASE to virtiofsd.
- In order to complete the request, virtiofsd then asks QEMU to remove
the mapping on the slave channel.
All these dialogs are synchronous, hence the deadlock.
As pointed out by Stefan Hajnoczi:
When QEMU's vhost-user master implementation sends a vhost-user protocol
message, vhost_user_read() does a "blocking" read during which slave_fd
is not monitored by QEMU.
The natural solution for this issue is an event loop. The main event
loop cannot be nested though since we have no guarantees that its
fd handlers are prepared for re-entrancy.
Introduce a new event loop that only monitors the chardev I/O for now
in vhost_user_read() and push the actual reading to a one-shot handler.
A subsequent patch will teach the loop to monitor and process messages
from the slave channel as well.
[1] https://github.com/jedisct1/Blogbench
Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
---
v2: - Document why a nested loop is needed in vhost_user_read() (Stefan)
---
hw/virtio/vhost-user.c | 65 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 60 insertions(+), 5 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 3c1e1611b087..00256fa318a6 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -296,15 +296,27 @@ static int vhost_user_read_header(struct vhost_dev *dev, VhostUserMsg *msg)
return 0;
}
-static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
+struct vhost_user_read_cb_data {
+ struct vhost_dev *dev;
+ VhostUserMsg *msg;
+ GMainLoop *loop;
+ int ret;
+};
+
+static gboolean vhost_user_read_cb(GIOChannel *source, GIOCondition condition,
+ gpointer opaque)
{
+ struct vhost_user_read_cb_data *data = opaque;
+ struct vhost_dev *dev = data->dev;
+ VhostUserMsg *msg = data->msg;
struct vhost_user *u = dev->opaque;
CharBackend *chr = u->user->chr;
uint8_t *p = (uint8_t *) msg;
int r, size;
if (vhost_user_read_header(dev, msg) < 0) {
- return -1;
+ data->ret = -1;
+ goto end;
}
/* validate message size is sane */
@@ -312,7 +324,8 @@ static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
error_report("Failed to read msg header."
" Size %d exceeds the maximum %zu.", msg->hdr.size,
VHOST_USER_PAYLOAD_SIZE);
- return -1;
+ data->ret = -1;
+ goto end;
}
if (msg->hdr.size) {
@@ -322,11 +335,53 @@ static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
if (r != size) {
error_report("Failed to read msg payload."
" Read %d instead of %d.", r, msg->hdr.size);
- return -1;
+ data->ret = -1;
+ goto end;
}
}
- return 0;
+end:
+ g_main_loop_quit(data->loop);
+ return G_SOURCE_REMOVE;
+}
+
+static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
+{
+ struct vhost_user *u = dev->opaque;
+ CharBackend *chr = u->user->chr;
+ GMainContext *prev_ctxt = chr->chr->gcontext;
+ GMainContext *ctxt = g_main_context_new();
+ GMainLoop *loop = g_main_loop_new(ctxt, FALSE);
+ struct vhost_user_read_cb_data data = {
+ .dev = dev,
+ .loop = loop,
+ .msg = msg,
+ .ret = 0
+ };
+
+ /*
+ * We want to be able to monitor the slave channel fd while waiting
+ * for chr I/O. This requires an event loop, but we can't nest the
+ * one to which chr is currently attached : its fd handlers might not
+ * be prepared for re-entrancy. So we create a new one and switch chr
+ * to use it.
+ */
+ qemu_chr_be_update_read_handlers(chr->chr, ctxt);
+ qemu_chr_fe_add_watch(chr, G_IO_IN | G_IO_HUP, vhost_user_read_cb, &data);
+
+ g_main_loop_run(loop);
+
+ /*
+ * Restore the previous event loop context. This also destroys/recreates
+ * event sources : this guarantees that all pending events in the original
+ * context that have been processed by the nested loop are purged.
+ */
+ qemu_chr_be_update_read_handlers(chr->chr, prev_ctxt);
+
+ g_main_loop_unref(loop);
+ g_main_context_unref(ctxt);
+
+ return data.ret;
}
static int process_message_reply(struct vhost_dev *dev,
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v2 6/7] vhost-user: Monitor slave channel in vhost_user_read()
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-12 9:22 ` Greg Kurz
-1 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, Dr. David Alan Gilbert, Greg Kurz, virtio-fs,
Stefan Hajnoczi, Vivek Goyal
Now that everything is in place, have the nested event loop to monitor
the slave channel. The source in the main event loop is destroyed and
recreated to ensure any pending even for the slave channel that was
previously detected is purged. This guarantees that the main loop
wont invoke slave_read() based on an event that was already handled
by the nested loop.
Signed-off-by: Greg Kurz <groug@kaod.org>
---
v2: - also monitor G_IO_HUP (Stefan)
- refactored the code a bit
---
hw/virtio/vhost-user.c | 35 ++++++++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 00256fa318a6..ded0c1045309 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -345,6 +345,35 @@ end:
return G_SOURCE_REMOVE;
}
+static gboolean slave_read(QIOChannel *ioc, GIOCondition condition,
+ gpointer opaque);
+
+/*
+ * This updates the read handler to use a new event loop context.
+ * Event sources are removed from the previous context : this ensures
+ * that events detected in the previous context are purged. They will
+ * be re-detected and processed in the new context.
+ */
+static void slave_update_read_handler(struct vhost_dev *dev,
+ GMainContext *ctxt)
+{
+ struct vhost_user *u = dev->opaque;
+
+ if (!u->slave_ioc) {
+ return;
+ }
+
+ if (u->slave_src) {
+ g_source_destroy(u->slave_src);
+ g_source_unref(u->slave_src);
+ }
+
+ u->slave_src = qio_channel_add_watch_source(u->slave_ioc,
+ G_IO_IN | G_IO_HUP,
+ slave_read, dev, NULL,
+ ctxt);
+}
+
static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
{
struct vhost_user *u = dev->opaque;
@@ -366,6 +395,7 @@ static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
* be prepared for re-entrancy. So we create a new one and switch chr
* to use it.
*/
+ slave_update_read_handler(dev, ctxt);
qemu_chr_be_update_read_handlers(chr->chr, ctxt);
qemu_chr_fe_add_watch(chr, G_IO_IN | G_IO_HUP, vhost_user_read_cb, &data);
@@ -377,6 +407,7 @@ static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
* context that have been processed by the nested loop are purged.
*/
qemu_chr_be_update_read_handlers(chr->chr, prev_ctxt);
+ slave_update_read_handler(dev, NULL);
g_main_loop_unref(loop);
g_main_context_unref(ctxt);
@@ -1580,9 +1611,7 @@ static int vhost_setup_slave_channel(struct vhost_dev *dev)
return -1;
}
u->slave_ioc = ioc;
- u->slave_src = qio_channel_add_watch_source(u->slave_ioc,
- G_IO_IN | G_IO_HUP,
- slave_read, dev, NULL, NULL);
+ slave_update_read_handler(dev, NULL);
if (reply_supported) {
msg.hdr.flags |= VHOST_USER_NEED_REPLY_MASK;
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [Virtio-fs] [PATCH v2 6/7] vhost-user: Monitor slave channel in vhost_user_read()
@ 2021-03-12 9:22 ` Greg Kurz
0 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé, Michael S. Tsirkin, virtio-fs, Vivek Goyal
Now that everything is in place, have the nested event loop to monitor
the slave channel. The source in the main event loop is destroyed and
recreated to ensure any pending even for the slave channel that was
previously detected is purged. This guarantees that the main loop
wont invoke slave_read() based on an event that was already handled
by the nested loop.
Signed-off-by: Greg Kurz <groug@kaod.org>
---
v2: - also monitor G_IO_HUP (Stefan)
- refactored the code a bit
---
hw/virtio/vhost-user.c | 35 ++++++++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 00256fa318a6..ded0c1045309 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -345,6 +345,35 @@ end:
return G_SOURCE_REMOVE;
}
+static gboolean slave_read(QIOChannel *ioc, GIOCondition condition,
+ gpointer opaque);
+
+/*
+ * This updates the read handler to use a new event loop context.
+ * Event sources are removed from the previous context : this ensures
+ * that events detected in the previous context are purged. They will
+ * be re-detected and processed in the new context.
+ */
+static void slave_update_read_handler(struct vhost_dev *dev,
+ GMainContext *ctxt)
+{
+ struct vhost_user *u = dev->opaque;
+
+ if (!u->slave_ioc) {
+ return;
+ }
+
+ if (u->slave_src) {
+ g_source_destroy(u->slave_src);
+ g_source_unref(u->slave_src);
+ }
+
+ u->slave_src = qio_channel_add_watch_source(u->slave_ioc,
+ G_IO_IN | G_IO_HUP,
+ slave_read, dev, NULL,
+ ctxt);
+}
+
static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
{
struct vhost_user *u = dev->opaque;
@@ -366,6 +395,7 @@ static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
* be prepared for re-entrancy. So we create a new one and switch chr
* to use it.
*/
+ slave_update_read_handler(dev, ctxt);
qemu_chr_be_update_read_handlers(chr->chr, ctxt);
qemu_chr_fe_add_watch(chr, G_IO_IN | G_IO_HUP, vhost_user_read_cb, &data);
@@ -377,6 +407,7 @@ static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
* context that have been processed by the nested loop are purged.
*/
qemu_chr_be_update_read_handlers(chr->chr, prev_ctxt);
+ slave_update_read_handler(dev, NULL);
g_main_loop_unref(loop);
g_main_context_unref(ctxt);
@@ -1580,9 +1611,7 @@ static int vhost_setup_slave_channel(struct vhost_dev *dev)
return -1;
}
u->slave_ioc = ioc;
- u->slave_src = qio_channel_add_watch_source(u->slave_ioc,
- G_IO_IN | G_IO_HUP,
- slave_read, dev, NULL, NULL);
+ slave_update_read_handler(dev, NULL);
if (reply_supported) {
msg.hdr.flags |= VHOST_USER_NEED_REPLY_MASK;
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [PATCH v2 7/7] virtiofsd: Release vu_dispatch_lock when stopping queue
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-12 9:22 ` Greg Kurz
-1 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, Dr. David Alan Gilbert, Greg Kurz, virtio-fs,
Stefan Hajnoczi, Vivek Goyal
QEMU can stop a virtqueue by sending a VHOST_USER_GET_VRING_BASE request
to virtiofsd. As with all other vhost-user protocol messages, the thread
that runs the main event loop in virtiofsd takes the vu_dispatch lock in
write mode. This ensures that no other thread can access virtqueues or
memory tables at the same time.
In the case of VHOST_USER_GET_VRING_BASE, the main thread basically
notifies the queue thread that it should terminate and waits for its
termination:
main()
virtio_loop()
vu_dispatch_wrlock()
vu_dispatch()
vu_process_message()
vu_get_vring_base_exec()
fv_queue_cleanup_thread()
pthread_join()
Unfortunately, the queue thread ends up calling virtio_send_msg()
at some point, which itself needs to grab the lock:
fv_queue_thread()
g_list_foreach()
fv_queue_worker()
fuse_session_process_buf_int()
do_release()
lo_release()
fuse_reply_err()
send_reply()
send_reply_iov()
fuse_send_reply_iov_nofree()
fuse_send_msg()
virtio_send_msg()
vu_dispatch_rdlock() <-- Deadlock !
Simply have the main thread to release the lock before going to
sleep and take it back afterwards. A very similar patch was already
sent by Vivek Goyal sometime back:
https://listman.redhat.com/archives/virtio-fs/2021-January/msg00073.html
The only difference here is that this done in fv_queue_set_started()
because fv_queue_cleanup_thread() can also be called from virtio_loop()
without the lock being held.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
---
tools/virtiofsd/fuse_virtio.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tools/virtiofsd/fuse_virtio.c b/tools/virtiofsd/fuse_virtio.c
index 523ee64fb7ae..3e13997406bf 100644
--- a/tools/virtiofsd/fuse_virtio.c
+++ b/tools/virtiofsd/fuse_virtio.c
@@ -792,7 +792,13 @@ static void fv_queue_set_started(VuDev *dev, int qidx, bool started)
assert(0);
}
} else {
+ /*
+ * Temporarily drop write-lock taken in virtio_loop() so that
+ * the queue thread doesn't block in virtio_send_msg().
+ */
+ vu_dispatch_unlock(vud);
fv_queue_cleanup_thread(vud, qidx);
+ vu_dispatch_wrlock(vud);
}
}
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* [Virtio-fs] [PATCH v2 7/7] virtiofsd: Release vu_dispatch_lock when stopping queue
@ 2021-03-12 9:22 ` Greg Kurz
0 siblings, 0 replies; 30+ messages in thread
From: Greg Kurz @ 2021-03-12 9:22 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé, Michael S. Tsirkin, virtio-fs, Vivek Goyal
QEMU can stop a virtqueue by sending a VHOST_USER_GET_VRING_BASE request
to virtiofsd. As with all other vhost-user protocol messages, the thread
that runs the main event loop in virtiofsd takes the vu_dispatch lock in
write mode. This ensures that no other thread can access virtqueues or
memory tables at the same time.
In the case of VHOST_USER_GET_VRING_BASE, the main thread basically
notifies the queue thread that it should terminate and waits for its
termination:
main()
virtio_loop()
vu_dispatch_wrlock()
vu_dispatch()
vu_process_message()
vu_get_vring_base_exec()
fv_queue_cleanup_thread()
pthread_join()
Unfortunately, the queue thread ends up calling virtio_send_msg()
at some point, which itself needs to grab the lock:
fv_queue_thread()
g_list_foreach()
fv_queue_worker()
fuse_session_process_buf_int()
do_release()
lo_release()
fuse_reply_err()
send_reply()
send_reply_iov()
fuse_send_reply_iov_nofree()
fuse_send_msg()
virtio_send_msg()
vu_dispatch_rdlock() <-- Deadlock !
Simply have the main thread to release the lock before going to
sleep and take it back afterwards. A very similar patch was already
sent by Vivek Goyal sometime back:
https://listman.redhat.com/archives/virtio-fs/2021-January/msg00073.html
The only difference here is that this done in fv_queue_set_started()
because fv_queue_cleanup_thread() can also be called from virtio_loop()
without the lock being held.
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
---
tools/virtiofsd/fuse_virtio.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tools/virtiofsd/fuse_virtio.c b/tools/virtiofsd/fuse_virtio.c
index 523ee64fb7ae..3e13997406bf 100644
--- a/tools/virtiofsd/fuse_virtio.c
+++ b/tools/virtiofsd/fuse_virtio.c
@@ -792,7 +792,13 @@ static void fv_queue_set_started(VuDev *dev, int qidx, bool started)
assert(0);
}
} else {
+ /*
+ * Temporarily drop write-lock taken in virtio_loop() so that
+ * the queue thread doesn't block in virtio_send_msg().
+ */
+ vu_dispatch_unlock(vud);
fv_queue_cleanup_thread(vud, qidx);
+ vu_dispatch_wrlock(vud);
}
}
--
2.26.2
^ permalink raw reply related [flat|nested] 30+ messages in thread
* Re: [PATCH v2 1/7] vhost-user: Drop misleading EAGAIN checks in slave_read()
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-15 10:34 ` Stefan Hajnoczi
-1 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 10:34 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, Dr. David Alan Gilbert,
virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 642 bytes --]
On Fri, Mar 12, 2021 at 10:22:06AM +0100, Greg Kurz wrote:
> slave_read() checks EAGAIN when reading or writing to the socket
> fails. This gives the impression that the slave channel is in
> non-blocking mode, which is certainly not the case with the current
> code base. And the rest of the code isn't actually ready to cope
> with non-blocking I/O.
>
> Just drop the checks everywhere in this function for the sake of
> clarity.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> hw/virtio/vhost-user.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [Virtio-fs] [PATCH v2 1/7] vhost-user: Drop misleading EAGAIN checks in slave_read()
@ 2021-03-15 10:34 ` Stefan Hajnoczi
0 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 10:34 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 642 bytes --]
On Fri, Mar 12, 2021 at 10:22:06AM +0100, Greg Kurz wrote:
> slave_read() checks EAGAIN when reading or writing to the socket
> fails. This gives the impression that the slave channel is in
> non-blocking mode, which is certainly not the case with the current
> code base. And the rest of the code isn't actually ready to cope
> with non-blocking I/O.
>
> Just drop the checks everywhere in this function for the sake of
> clarity.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> hw/virtio/vhost-user.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v2 2/7] vhost-user: Fix double-close on slave_read() error path
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-15 10:36 ` Stefan Hajnoczi
-1 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 10:36 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, Dr. David Alan Gilbert,
virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 1152 bytes --]
On Fri, Mar 12, 2021 at 10:22:07AM +0100, Greg Kurz wrote:
> Some message types, e.g. VHOST_USER_SLAVE_VRING_HOST_NOTIFIER_MSG,
> can convey file descriptors. These must be closed before returning
> from slave_read() to avoid being leaked. This can currently be done
> in two different places:
>
> [1] just after the request has been processed
>
> [2] on the error path, under the goto label err:
>
> These path are supposed to be mutually exclusive but they are not
> actually. If the VHOST_USER_NEED_REPLY_MASK flag was passed and the
> sending of the reply fails, both [1] and [2] are performed with the
> same descriptor values. This can potentially cause subtle bugs if one
> of the descriptor was recycled by some other thread in the meantime.
>
> This code duplication complicates rollback for no real good benefit.
> Do the closing in a unique place, under a new fdcleanup: goto label
> at the end of the function.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> hw/virtio/vhost-user.c | 11 +++--------
> 1 file changed, 3 insertions(+), 8 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [Virtio-fs] [PATCH v2 2/7] vhost-user: Fix double-close on slave_read() error path
@ 2021-03-15 10:36 ` Stefan Hajnoczi
0 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 10:36 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 1152 bytes --]
On Fri, Mar 12, 2021 at 10:22:07AM +0100, Greg Kurz wrote:
> Some message types, e.g. VHOST_USER_SLAVE_VRING_HOST_NOTIFIER_MSG,
> can convey file descriptors. These must be closed before returning
> from slave_read() to avoid being leaked. This can currently be done
> in two different places:
>
> [1] just after the request has been processed
>
> [2] on the error path, under the goto label err:
>
> These path are supposed to be mutually exclusive but they are not
> actually. If the VHOST_USER_NEED_REPLY_MASK flag was passed and the
> sending of the reply fails, both [1] and [2] are performed with the
> same descriptor values. This can potentially cause subtle bugs if one
> of the descriptor was recycled by some other thread in the meantime.
>
> This code duplication complicates rollback for no real good benefit.
> Do the closing in a unique place, under a new fdcleanup: goto label
> at the end of the function.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> hw/virtio/vhost-user.c | 11 +++--------
> 1 file changed, 3 insertions(+), 8 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v2 3/7] vhost-user: Factor out duplicated slave_fd teardown code
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-15 10:36 ` Stefan Hajnoczi
-1 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 10:36 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, Dr. David Alan Gilbert,
virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 264 bytes --]
On Fri, Mar 12, 2021 at 10:22:08AM +0100, Greg Kurz wrote:
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> hw/virtio/vhost-user.c | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [Virtio-fs] [PATCH v2 3/7] vhost-user: Factor out duplicated slave_fd teardown code
@ 2021-03-15 10:36 ` Stefan Hajnoczi
0 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 10:36 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 264 bytes --]
On Fri, Mar 12, 2021 at 10:22:08AM +0100, Greg Kurz wrote:
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> hw/virtio/vhost-user.c | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v2 4/7] vhost-user: Convert slave channel to QIOChannelSocket
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-15 10:37 ` Stefan Hajnoczi
-1 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 10:37 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, Dr. David Alan Gilbert,
virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 2015 bytes --]
On Fri, Mar 12, 2021 at 10:22:09AM +0100, Greg Kurz wrote:
> The slave channel is implemented with socketpair() : QEMU creates
> the pair, passes one of the socket to virtiofsd and monitors the
> other one with the main event loop using qemu_set_fd_handler().
>
> In order to fix a potential deadlock between QEMU and a vhost-user
> external process (e.g. virtiofsd with DAX), we want to be able to
> monitor and service the slave channel while handling vhost-user
> requests.
>
> Prepare ground for this by converting the slave channel to be a
> QIOChannelSocket. This will make monitoring of the slave channel
> as simple as calling qio_channel_add_watch_source(). Since the
> connection is already established between the two sockets, only
> incoming I/O (G_IO_IN) and disconnect (G_IO_HUP) need to be
> serviced.
>
> This also allows to get rid of the ancillary data parsing since
> QIOChannelSocket can do this for us. Note that the MSG_CTRUNC
> check is dropped on the way because QIOChannelSocket ignores this
> case. This isn't a problem since slave_read() provisions space for
> 8 file descriptors, but affected vhost-user slave protocol messages
> generally only convey one. If for some reason a buggy implementation
> passes more file descriptors, no need to break the connection, just
> like we don't break it if some other type of ancillary data is
> received : this isn't explicitely violating the protocol per-se so
> it seems better to ignore it.
>
> The current code errors out on short reads and writes. Use the
> qio_channel_*_all() variants to address this on the way.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> v2: - also monitor G_IO_HUP (Stefan)
> - use the qio_channel_*_all() variants (Daniel)
> - simplified thanks to previous refactoring
> ---
> hw/virtio/vhost-user.c | 99 +++++++++++++++++-------------------------
> 1 file changed, 39 insertions(+), 60 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [Virtio-fs] [PATCH v2 4/7] vhost-user: Convert slave channel to QIOChannelSocket
@ 2021-03-15 10:37 ` Stefan Hajnoczi
0 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 10:37 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 2015 bytes --]
On Fri, Mar 12, 2021 at 10:22:09AM +0100, Greg Kurz wrote:
> The slave channel is implemented with socketpair() : QEMU creates
> the pair, passes one of the socket to virtiofsd and monitors the
> other one with the main event loop using qemu_set_fd_handler().
>
> In order to fix a potential deadlock between QEMU and a vhost-user
> external process (e.g. virtiofsd with DAX), we want to be able to
> monitor and service the slave channel while handling vhost-user
> requests.
>
> Prepare ground for this by converting the slave channel to be a
> QIOChannelSocket. This will make monitoring of the slave channel
> as simple as calling qio_channel_add_watch_source(). Since the
> connection is already established between the two sockets, only
> incoming I/O (G_IO_IN) and disconnect (G_IO_HUP) need to be
> serviced.
>
> This also allows to get rid of the ancillary data parsing since
> QIOChannelSocket can do this for us. Note that the MSG_CTRUNC
> check is dropped on the way because QIOChannelSocket ignores this
> case. This isn't a problem since slave_read() provisions space for
> 8 file descriptors, but affected vhost-user slave protocol messages
> generally only convey one. If for some reason a buggy implementation
> passes more file descriptors, no need to break the connection, just
> like we don't break it if some other type of ancillary data is
> received : this isn't explicitely violating the protocol per-se so
> it seems better to ignore it.
>
> The current code errors out on short reads and writes. Use the
> qio_channel_*_all() variants to address this on the way.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> v2: - also monitor G_IO_HUP (Stefan)
> - use the qio_channel_*_all() variants (Daniel)
> - simplified thanks to previous refactoring
> ---
> hw/virtio/vhost-user.c | 99 +++++++++++++++++-------------------------
> 1 file changed, 39 insertions(+), 60 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v2 5/7] vhost-user: Introduce nested event loop in vhost_user_read()
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-15 10:38 ` Stefan Hajnoczi
-1 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 10:38 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, Dr. David Alan Gilbert,
virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 1938 bytes --]
On Fri, Mar 12, 2021 at 10:22:10AM +0100, Greg Kurz wrote:
> A deadlock condition potentially exists if a vhost-user process needs
> to request something to QEMU on the slave channel while processing a
> vhost-user message.
>
> This doesn't seem to affect any vhost-user implementation so far, but
> this is currently biting the upcoming enablement of DAX with virtio-fs.
> The issue is being observed when the guest does an emergency reboot while
> a mapping still exits in the DAX window, which is very easy to get with
> a busy enough workload (e.g. as simulated by blogbench [1]) :
>
> - QEMU sends VHOST_USER_GET_VRING_BASE to virtiofsd.
>
> - In order to complete the request, virtiofsd then asks QEMU to remove
> the mapping on the slave channel.
>
> All these dialogs are synchronous, hence the deadlock.
>
> As pointed out by Stefan Hajnoczi:
>
> When QEMU's vhost-user master implementation sends a vhost-user protocol
> message, vhost_user_read() does a "blocking" read during which slave_fd
> is not monitored by QEMU.
>
> The natural solution for this issue is an event loop. The main event
> loop cannot be nested though since we have no guarantees that its
> fd handlers are prepared for re-entrancy.
>
> Introduce a new event loop that only monitors the chardev I/O for now
> in vhost_user_read() and push the actual reading to a one-shot handler.
> A subsequent patch will teach the loop to monitor and process messages
> from the slave channel as well.
>
> [1] https://github.com/jedisct1/Blogbench
>
> Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> v2: - Document why a nested loop is needed in vhost_user_read() (Stefan)
> ---
> hw/virtio/vhost-user.c | 65 ++++++++++++++++++++++++++++++++++++++----
> 1 file changed, 60 insertions(+), 5 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [Virtio-fs] [PATCH v2 5/7] vhost-user: Introduce nested event loop in vhost_user_read()
@ 2021-03-15 10:38 ` Stefan Hajnoczi
0 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 10:38 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 1938 bytes --]
On Fri, Mar 12, 2021 at 10:22:10AM +0100, Greg Kurz wrote:
> A deadlock condition potentially exists if a vhost-user process needs
> to request something to QEMU on the slave channel while processing a
> vhost-user message.
>
> This doesn't seem to affect any vhost-user implementation so far, but
> this is currently biting the upcoming enablement of DAX with virtio-fs.
> The issue is being observed when the guest does an emergency reboot while
> a mapping still exits in the DAX window, which is very easy to get with
> a busy enough workload (e.g. as simulated by blogbench [1]) :
>
> - QEMU sends VHOST_USER_GET_VRING_BASE to virtiofsd.
>
> - In order to complete the request, virtiofsd then asks QEMU to remove
> the mapping on the slave channel.
>
> All these dialogs are synchronous, hence the deadlock.
>
> As pointed out by Stefan Hajnoczi:
>
> When QEMU's vhost-user master implementation sends a vhost-user protocol
> message, vhost_user_read() does a "blocking" read during which slave_fd
> is not monitored by QEMU.
>
> The natural solution for this issue is an event loop. The main event
> loop cannot be nested though since we have no guarantees that its
> fd handlers are prepared for re-entrancy.
>
> Introduce a new event loop that only monitors the chardev I/O for now
> in vhost_user_read() and push the actual reading to a one-shot handler.
> A subsequent patch will teach the loop to monitor and process messages
> from the slave channel as well.
>
> [1] https://github.com/jedisct1/Blogbench
>
> Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> v2: - Document why a nested loop is needed in vhost_user_read() (Stefan)
> ---
> hw/virtio/vhost-user.c | 65 ++++++++++++++++++++++++++++++++++++++----
> 1 file changed, 60 insertions(+), 5 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v2 6/7] vhost-user: Monitor slave channel in vhost_user_read()
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-15 12:20 ` Stefan Hajnoczi
-1 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 12:20 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, Dr. David Alan Gilbert,
virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 754 bytes --]
On Fri, Mar 12, 2021 at 10:22:11AM +0100, Greg Kurz wrote:
> Now that everything is in place, have the nested event loop to monitor
> the slave channel. The source in the main event loop is destroyed and
> recreated to ensure any pending even for the slave channel that was
> previously detected is purged. This guarantees that the main loop
> wont invoke slave_read() based on an event that was already handled
> by the nested loop.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> v2: - also monitor G_IO_HUP (Stefan)
> - refactored the code a bit
> ---
> hw/virtio/vhost-user.c | 35 ++++++++++++++++++++++++++++++++---
> 1 file changed, 32 insertions(+), 3 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [Virtio-fs] [PATCH v2 6/7] vhost-user: Monitor slave channel in vhost_user_read()
@ 2021-03-15 12:20 ` Stefan Hajnoczi
0 siblings, 0 replies; 30+ messages in thread
From: Stefan Hajnoczi @ 2021-03-15 12:20 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, virtio-fs, Vivek Goyal
[-- Attachment #1: Type: text/plain, Size: 754 bytes --]
On Fri, Mar 12, 2021 at 10:22:11AM +0100, Greg Kurz wrote:
> Now that everything is in place, have the nested event loop to monitor
> the slave channel. The source in the main event loop is destroyed and
> recreated to ensure any pending even for the slave channel that was
> previously detected is purged. This guarantees that the main loop
> wont invoke slave_read() based on an event that was already handled
> by the nested loop.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
> v2: - also monitor G_IO_HUP (Stefan)
> - refactored the code a bit
> ---
> hw/virtio/vhost-user.c | 35 ++++++++++++++++++++++++++++++++---
> 1 file changed, 32 insertions(+), 3 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH v2 7/7] virtiofsd: Release vu_dispatch_lock when stopping queue
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
@ 2021-03-15 14:57 ` Dr. David Alan Gilbert
-1 siblings, 0 replies; 30+ messages in thread
From: Dr. David Alan Gilbert @ 2021-03-15 14:57 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, virtio-fs, Stefan Hajnoczi,
Vivek Goyal
* Greg Kurz (groug@kaod.org) wrote:
> QEMU can stop a virtqueue by sending a VHOST_USER_GET_VRING_BASE request
> to virtiofsd. As with all other vhost-user protocol messages, the thread
> that runs the main event loop in virtiofsd takes the vu_dispatch lock in
> write mode. This ensures that no other thread can access virtqueues or
> memory tables at the same time.
>
> In the case of VHOST_USER_GET_VRING_BASE, the main thread basically
> notifies the queue thread that it should terminate and waits for its
> termination:
>
> main()
> virtio_loop()
> vu_dispatch_wrlock()
> vu_dispatch()
> vu_process_message()
> vu_get_vring_base_exec()
> fv_queue_cleanup_thread()
> pthread_join()
>
> Unfortunately, the queue thread ends up calling virtio_send_msg()
> at some point, which itself needs to grab the lock:
>
> fv_queue_thread()
> g_list_foreach()
> fv_queue_worker()
> fuse_session_process_buf_int()
> do_release()
> lo_release()
> fuse_reply_err()
> send_reply()
> send_reply_iov()
> fuse_send_reply_iov_nofree()
> fuse_send_msg()
> virtio_send_msg()
> vu_dispatch_rdlock() <-- Deadlock !
>
> Simply have the main thread to release the lock before going to
> sleep and take it back afterwards. A very similar patch was already
> sent by Vivek Goyal sometime back:
>
> https://listman.redhat.com/archives/virtio-fs/2021-January/msg00073.html
>
> The only difference here is that this done in fv_queue_set_started()
> because fv_queue_cleanup_thread() can also be called from virtio_loop()
> without the lock being held.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
I've queued just this 7/7 in the virtiofsd pull I'm just making at the
moment. I'll leave the rest to ride the vhost-user train.
Dave
> ---
> tools/virtiofsd/fuse_virtio.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/tools/virtiofsd/fuse_virtio.c b/tools/virtiofsd/fuse_virtio.c
> index 523ee64fb7ae..3e13997406bf 100644
> --- a/tools/virtiofsd/fuse_virtio.c
> +++ b/tools/virtiofsd/fuse_virtio.c
> @@ -792,7 +792,13 @@ static void fv_queue_set_started(VuDev *dev, int qidx, bool started)
> assert(0);
> }
> } else {
> + /*
> + * Temporarily drop write-lock taken in virtio_loop() so that
> + * the queue thread doesn't block in virtio_send_msg().
> + */
> + vu_dispatch_unlock(vud);
> fv_queue_cleanup_thread(vud, qidx);
> + vu_dispatch_wrlock(vud);
> }
> }
>
> --
> 2.26.2
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [Virtio-fs] [PATCH v2 7/7] virtiofsd: Release vu_dispatch_lock when stopping queue
@ 2021-03-15 14:57 ` Dr. David Alan Gilbert
0 siblings, 0 replies; 30+ messages in thread
From: Dr. David Alan Gilbert @ 2021-03-15 14:57 UTC (permalink / raw)
To: Greg Kurz
Cc: Daniel P . Berrangé,
Michael S. Tsirkin, qemu-devel, virtio-fs, Vivek Goyal
* Greg Kurz (groug@kaod.org) wrote:
> QEMU can stop a virtqueue by sending a VHOST_USER_GET_VRING_BASE request
> to virtiofsd. As with all other vhost-user protocol messages, the thread
> that runs the main event loop in virtiofsd takes the vu_dispatch lock in
> write mode. This ensures that no other thread can access virtqueues or
> memory tables at the same time.
>
> In the case of VHOST_USER_GET_VRING_BASE, the main thread basically
> notifies the queue thread that it should terminate and waits for its
> termination:
>
> main()
> virtio_loop()
> vu_dispatch_wrlock()
> vu_dispatch()
> vu_process_message()
> vu_get_vring_base_exec()
> fv_queue_cleanup_thread()
> pthread_join()
>
> Unfortunately, the queue thread ends up calling virtio_send_msg()
> at some point, which itself needs to grab the lock:
>
> fv_queue_thread()
> g_list_foreach()
> fv_queue_worker()
> fuse_session_process_buf_int()
> do_release()
> lo_release()
> fuse_reply_err()
> send_reply()
> send_reply_iov()
> fuse_send_reply_iov_nofree()
> fuse_send_msg()
> virtio_send_msg()
> vu_dispatch_rdlock() <-- Deadlock !
>
> Simply have the main thread to release the lock before going to
> sleep and take it back afterwards. A very similar patch was already
> sent by Vivek Goyal sometime back:
>
> https://listman.redhat.com/archives/virtio-fs/2021-January/msg00073.html
>
> The only difference here is that this done in fv_queue_set_started()
> because fv_queue_cleanup_thread() can also be called from virtio_loop()
> without the lock being held.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
I've queued just this 7/7 in the virtiofsd pull I'm just making at the
moment. I'll leave the rest to ride the vhost-user train.
Dave
> ---
> tools/virtiofsd/fuse_virtio.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/tools/virtiofsd/fuse_virtio.c b/tools/virtiofsd/fuse_virtio.c
> index 523ee64fb7ae..3e13997406bf 100644
> --- a/tools/virtiofsd/fuse_virtio.c
> +++ b/tools/virtiofsd/fuse_virtio.c
> @@ -792,7 +792,13 @@ static void fv_queue_set_started(VuDev *dev, int qidx, bool started)
> assert(0);
> }
> } else {
> + /*
> + * Temporarily drop write-lock taken in virtio_loop() so that
> + * the queue thread doesn't block in virtio_send_msg().
> + */
> + vu_dispatch_unlock(vud);
> fv_queue_cleanup_thread(vud, qidx);
> + vu_dispatch_wrlock(vud);
> }
> }
>
> --
> 2.26.2
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
^ permalink raw reply [flat|nested] 30+ messages in thread
end of thread, other threads:[~2021-03-15 14:59 UTC | newest]
Thread overview: 30+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-12 9:22 [PATCH v2 0/7] virtiofsd: Avoid potential deadlocks Greg Kurz
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
2021-03-12 9:22 ` [PATCH v2 1/7] vhost-user: Drop misleading EAGAIN checks in slave_read() Greg Kurz
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
2021-03-15 10:34 ` Stefan Hajnoczi
2021-03-15 10:34 ` [Virtio-fs] " Stefan Hajnoczi
2021-03-12 9:22 ` [PATCH v2 2/7] vhost-user: Fix double-close on slave_read() error path Greg Kurz
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
2021-03-15 10:36 ` Stefan Hajnoczi
2021-03-15 10:36 ` [Virtio-fs] " Stefan Hajnoczi
2021-03-12 9:22 ` [PATCH v2 3/7] vhost-user: Factor out duplicated slave_fd teardown code Greg Kurz
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
2021-03-15 10:36 ` Stefan Hajnoczi
2021-03-15 10:36 ` [Virtio-fs] " Stefan Hajnoczi
2021-03-12 9:22 ` [PATCH v2 4/7] vhost-user: Convert slave channel to QIOChannelSocket Greg Kurz
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
2021-03-15 10:37 ` Stefan Hajnoczi
2021-03-15 10:37 ` [Virtio-fs] " Stefan Hajnoczi
2021-03-12 9:22 ` [PATCH v2 5/7] vhost-user: Introduce nested event loop in vhost_user_read() Greg Kurz
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
2021-03-15 10:38 ` Stefan Hajnoczi
2021-03-15 10:38 ` [Virtio-fs] " Stefan Hajnoczi
2021-03-12 9:22 ` [PATCH v2 6/7] vhost-user: Monitor slave channel " Greg Kurz
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
2021-03-15 12:20 ` Stefan Hajnoczi
2021-03-15 12:20 ` [Virtio-fs] " Stefan Hajnoczi
2021-03-12 9:22 ` [PATCH v2 7/7] virtiofsd: Release vu_dispatch_lock when stopping queue Greg Kurz
2021-03-12 9:22 ` [Virtio-fs] " Greg Kurz
2021-03-15 14:57 ` Dr. David Alan Gilbert
2021-03-15 14:57 ` [Virtio-fs] " Dr. David Alan Gilbert
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.