de1852f087
- kvm-scsi-protect-req-aiocb-with-AioContext-lock.patch [bz#2155748] - kvm-dma-helpers-prevent-dma_blk_cb-vs-dma_aio_cancel-rac.patch [bz#2155748] - kvm-virtio-scsi-reset-SCSI-devices-from-main-loop-thread.patch [bz#2155748] - kvm-qatomic-add-smp_mb__before-after_rmw.patch [bz#2175660] - kvm-qemu-thread-posix-cleanup-fix-document-QemuEvent.patch [bz#2175660] - kvm-qemu-thread-win32-cleanup-fix-document-QemuEvent.patch [bz#2175660] - kvm-edu-add-smp_mb__after_rmw.patch [bz#2175660] - kvm-aio-wait-switch-to-smp_mb__after_rmw.patch [bz#2175660] - kvm-qemu-coroutine-lock-add-smp_mb__after_rmw.patch [bz#2175660] - kvm-physmem-add-missing-memory-barrier.patch [bz#2175660] - kvm-async-update-documentation-of-the-memory-barriers.patch [bz#2175660] - kvm-async-clarify-usage-of-barriers-in-the-polling-case.patch [bz#2175660] - Resolves: bz#2155748 (qemu crash on void blk_drain(BlockBackend *): Assertion qemu_in_main_thread() failed) - Resolves: bz#2175660 (Guest hangs when starting or rebooting)
326 lines
10 KiB
Diff
326 lines
10 KiB
Diff
From c64027b1ff9856031c01009f4b5c3560d92cc998 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Date: Tue, 21 Feb 2023 16:22:18 -0500
|
|
Subject: [PATCH 03/12] virtio-scsi: reset SCSI devices from main loop thread
|
|
|
|
RH-Author: Stefan Hajnoczi <stefanha@redhat.com>
|
|
RH-MergeRequest: 155: virtio-scsi: reset SCSI devices from main loop thread
|
|
RH-Bugzilla: 2155748
|
|
RH-Acked-by: Eric Blake <eblake@redhat.com>
|
|
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
|
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
|
RH-Commit: [3/3] 2a29cb9600709a799daadb4addb58a747ed2e3a3 (stefanha/centos-stream-qemu-kvm)
|
|
|
|
When an IOThread is configured, the ctrl virtqueue is processed in the
|
|
IOThread. TMFs that reset SCSI devices are currently called directly
|
|
from the IOThread and trigger an assertion failure in blk_drain() from
|
|
the following call stack:
|
|
|
|
virtio_scsi_handle_ctrl_req -> virtio_scsi_do_tmf -> device_code_reset
|
|
-> scsi_disk_reset -> scsi_device_purge_requests -> blk_drain
|
|
|
|
../block/block-backend.c:1780: void blk_drain(BlockBackend *): Assertion `qemu_in_main_thread()' failed.
|
|
|
|
The blk_drain() function is not designed to be called from an IOThread
|
|
because it needs the Big QEMU Lock (BQL).
|
|
|
|
This patch defers TMFs that reset SCSI devices to a Bottom Half (BH)
|
|
that runs in the main loop thread under the BQL. This way it's safe to
|
|
call blk_drain() and the assertion failure is avoided.
|
|
|
|
Introduce s->tmf_bh_list for tracking TMF requests that have been
|
|
deferred to the BH. When the BH runs it will grab the entire list and
|
|
process all requests. Care must be taken to clear the list when the
|
|
virtio-scsi device is reset or unrealized. Otherwise deferred TMF
|
|
requests could execute later and lead to use-after-free or other
|
|
undefined behavior.
|
|
|
|
The s->resetting counter that's used by TMFs that reset SCSI devices is
|
|
accessed from multiple threads. This patch makes that explicit by using
|
|
atomic accessor functions. With this patch applied the counter is only
|
|
modified by the main loop thread under the BQL but can be read by any
|
|
thread.
|
|
|
|
Reported-by: Qing Wang <qinwang@redhat.com>
|
|
Cc: Paolo Bonzini <pbonzini@redhat.com>
|
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Message-Id: <20230221212218.1378734-4-stefanha@redhat.com>
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
(cherry picked from commit be2c42b97c3a3a395b2f05bad1b6c7de20ecf2a5)
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
---
|
|
hw/scsi/virtio-scsi.c | 169 +++++++++++++++++++++++++-------
|
|
include/hw/virtio/virtio-scsi.h | 11 ++-
|
|
2 files changed, 143 insertions(+), 37 deletions(-)
|
|
|
|
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
|
|
index 6f6e2e32ba..7d27e4c2a1 100644
|
|
--- a/hw/scsi/virtio-scsi.c
|
|
+++ b/hw/scsi/virtio-scsi.c
|
|
@@ -42,13 +42,11 @@ typedef struct VirtIOSCSIReq {
|
|
QEMUSGList qsgl;
|
|
QEMUIOVector resp_iov;
|
|
|
|
- union {
|
|
- /* Used for two-stage request submission */
|
|
- QTAILQ_ENTRY(VirtIOSCSIReq) next;
|
|
+ /* Used for two-stage request submission and TMFs deferred to BH */
|
|
+ QTAILQ_ENTRY(VirtIOSCSIReq) next;
|
|
|
|
- /* Used for cancellation of request during TMFs */
|
|
- int remaining;
|
|
- };
|
|
+ /* Used for cancellation of request during TMFs */
|
|
+ int remaining;
|
|
|
|
SCSIRequest *sreq;
|
|
size_t resp_size;
|
|
@@ -293,6 +291,122 @@ static inline void virtio_scsi_ctx_check(VirtIOSCSI *s, SCSIDevice *d)
|
|
}
|
|
}
|
|
|
|
+static void virtio_scsi_do_one_tmf_bh(VirtIOSCSIReq *req)
|
|
+{
|
|
+ VirtIOSCSI *s = req->dev;
|
|
+ SCSIDevice *d = virtio_scsi_device_get(s, req->req.tmf.lun);
|
|
+ BusChild *kid;
|
|
+ int target;
|
|
+
|
|
+ switch (req->req.tmf.subtype) {
|
|
+ case VIRTIO_SCSI_T_TMF_LOGICAL_UNIT_RESET:
|
|
+ if (!d) {
|
|
+ req->resp.tmf.response = VIRTIO_SCSI_S_BAD_TARGET;
|
|
+ goto out;
|
|
+ }
|
|
+ if (d->lun != virtio_scsi_get_lun(req->req.tmf.lun)) {
|
|
+ req->resp.tmf.response = VIRTIO_SCSI_S_INCORRECT_LUN;
|
|
+ goto out;
|
|
+ }
|
|
+ qatomic_inc(&s->resetting);
|
|
+ device_cold_reset(&d->qdev);
|
|
+ qatomic_dec(&s->resetting);
|
|
+ break;
|
|
+
|
|
+ case VIRTIO_SCSI_T_TMF_I_T_NEXUS_RESET:
|
|
+ target = req->req.tmf.lun[1];
|
|
+ qatomic_inc(&s->resetting);
|
|
+
|
|
+ rcu_read_lock();
|
|
+ QTAILQ_FOREACH_RCU(kid, &s->bus.qbus.children, sibling) {
|
|
+ SCSIDevice *d1 = SCSI_DEVICE(kid->child);
|
|
+ if (d1->channel == 0 && d1->id == target) {
|
|
+ device_cold_reset(&d1->qdev);
|
|
+ }
|
|
+ }
|
|
+ rcu_read_unlock();
|
|
+
|
|
+ qatomic_dec(&s->resetting);
|
|
+ break;
|
|
+
|
|
+ default:
|
|
+ g_assert_not_reached();
|
|
+ break;
|
|
+ }
|
|
+
|
|
+out:
|
|
+ object_unref(OBJECT(d));
|
|
+
|
|
+ virtio_scsi_acquire(s);
|
|
+ virtio_scsi_complete_req(req);
|
|
+ virtio_scsi_release(s);
|
|
+}
|
|
+
|
|
+/* Some TMFs must be processed from the main loop thread */
|
|
+static void virtio_scsi_do_tmf_bh(void *opaque)
|
|
+{
|
|
+ VirtIOSCSI *s = opaque;
|
|
+ QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
|
|
+ VirtIOSCSIReq *req;
|
|
+ VirtIOSCSIReq *tmp;
|
|
+
|
|
+ GLOBAL_STATE_CODE();
|
|
+
|
|
+ virtio_scsi_acquire(s);
|
|
+
|
|
+ QTAILQ_FOREACH_SAFE(req, &s->tmf_bh_list, next, tmp) {
|
|
+ QTAILQ_REMOVE(&s->tmf_bh_list, req, next);
|
|
+ QTAILQ_INSERT_TAIL(&reqs, req, next);
|
|
+ }
|
|
+
|
|
+ qemu_bh_delete(s->tmf_bh);
|
|
+ s->tmf_bh = NULL;
|
|
+
|
|
+ virtio_scsi_release(s);
|
|
+
|
|
+ QTAILQ_FOREACH_SAFE(req, &reqs, next, tmp) {
|
|
+ QTAILQ_REMOVE(&reqs, req, next);
|
|
+ virtio_scsi_do_one_tmf_bh(req);
|
|
+ }
|
|
+}
|
|
+
|
|
+static void virtio_scsi_reset_tmf_bh(VirtIOSCSI *s)
|
|
+{
|
|
+ VirtIOSCSIReq *req;
|
|
+ VirtIOSCSIReq *tmp;
|
|
+
|
|
+ GLOBAL_STATE_CODE();
|
|
+
|
|
+ virtio_scsi_acquire(s);
|
|
+
|
|
+ if (s->tmf_bh) {
|
|
+ qemu_bh_delete(s->tmf_bh);
|
|
+ s->tmf_bh = NULL;
|
|
+ }
|
|
+
|
|
+ QTAILQ_FOREACH_SAFE(req, &s->tmf_bh_list, next, tmp) {
|
|
+ QTAILQ_REMOVE(&s->tmf_bh_list, req, next);
|
|
+
|
|
+ /* SAM-6 6.3.2 Hard reset */
|
|
+ req->resp.tmf.response = VIRTIO_SCSI_S_TARGET_FAILURE;
|
|
+ virtio_scsi_complete_req(req);
|
|
+ }
|
|
+
|
|
+ virtio_scsi_release(s);
|
|
+}
|
|
+
|
|
+static void virtio_scsi_defer_tmf_to_bh(VirtIOSCSIReq *req)
|
|
+{
|
|
+ VirtIOSCSI *s = req->dev;
|
|
+
|
|
+ QTAILQ_INSERT_TAIL(&s->tmf_bh_list, req, next);
|
|
+
|
|
+ if (!s->tmf_bh) {
|
|
+ s->tmf_bh = qemu_bh_new(virtio_scsi_do_tmf_bh, s);
|
|
+ qemu_bh_schedule(s->tmf_bh);
|
|
+ }
|
|
+}
|
|
+
|
|
/* Return 0 if the request is ready to be completed and return to guest;
|
|
* -EINPROGRESS if the request is submitted and will be completed later, in the
|
|
* case of async cancellation. */
|
|
@@ -300,8 +414,6 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req)
|
|
{
|
|
SCSIDevice *d = virtio_scsi_device_get(s, req->req.tmf.lun);
|
|
SCSIRequest *r, *next;
|
|
- BusChild *kid;
|
|
- int target;
|
|
int ret = 0;
|
|
|
|
virtio_scsi_ctx_check(s, d);
|
|
@@ -358,15 +470,9 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req)
|
|
break;
|
|
|
|
case VIRTIO_SCSI_T_TMF_LOGICAL_UNIT_RESET:
|
|
- if (!d) {
|
|
- goto fail;
|
|
- }
|
|
- if (d->lun != virtio_scsi_get_lun(req->req.tmf.lun)) {
|
|
- goto incorrect_lun;
|
|
- }
|
|
- s->resetting++;
|
|
- device_cold_reset(&d->qdev);
|
|
- s->resetting--;
|
|
+ case VIRTIO_SCSI_T_TMF_I_T_NEXUS_RESET:
|
|
+ virtio_scsi_defer_tmf_to_bh(req);
|
|
+ ret = -EINPROGRESS;
|
|
break;
|
|
|
|
case VIRTIO_SCSI_T_TMF_ABORT_TASK_SET:
|
|
@@ -409,22 +515,6 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req)
|
|
}
|
|
break;
|
|
|
|
- case VIRTIO_SCSI_T_TMF_I_T_NEXUS_RESET:
|
|
- target = req->req.tmf.lun[1];
|
|
- s->resetting++;
|
|
-
|
|
- rcu_read_lock();
|
|
- QTAILQ_FOREACH_RCU(kid, &s->bus.qbus.children, sibling) {
|
|
- SCSIDevice *d1 = SCSI_DEVICE(kid->child);
|
|
- if (d1->channel == 0 && d1->id == target) {
|
|
- device_cold_reset(&d1->qdev);
|
|
- }
|
|
- }
|
|
- rcu_read_unlock();
|
|
-
|
|
- s->resetting--;
|
|
- break;
|
|
-
|
|
case VIRTIO_SCSI_T_TMF_CLEAR_ACA:
|
|
default:
|
|
req->resp.tmf.response = VIRTIO_SCSI_S_FUNCTION_REJECTED;
|
|
@@ -654,7 +744,7 @@ static void virtio_scsi_request_cancelled(SCSIRequest *r)
|
|
if (!req) {
|
|
return;
|
|
}
|
|
- if (req->dev->resetting) {
|
|
+ if (qatomic_read(&req->dev->resetting)) {
|
|
req->resp.cmd.response = VIRTIO_SCSI_S_RESET;
|
|
} else {
|
|
req->resp.cmd.response = VIRTIO_SCSI_S_ABORTED;
|
|
@@ -830,9 +920,12 @@ static void virtio_scsi_reset(VirtIODevice *vdev)
|
|
VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(vdev);
|
|
|
|
assert(!s->dataplane_started);
|
|
- s->resetting++;
|
|
+
|
|
+ virtio_scsi_reset_tmf_bh(s);
|
|
+
|
|
+ qatomic_inc(&s->resetting);
|
|
bus_cold_reset(BUS(&s->bus));
|
|
- s->resetting--;
|
|
+ qatomic_dec(&s->resetting);
|
|
|
|
vs->sense_size = VIRTIO_SCSI_SENSE_DEFAULT_SIZE;
|
|
vs->cdb_size = VIRTIO_SCSI_CDB_DEFAULT_SIZE;
|
|
@@ -1052,6 +1145,8 @@ static void virtio_scsi_device_realize(DeviceState *dev, Error **errp)
|
|
VirtIOSCSI *s = VIRTIO_SCSI(dev);
|
|
Error *err = NULL;
|
|
|
|
+ QTAILQ_INIT(&s->tmf_bh_list);
|
|
+
|
|
virtio_scsi_common_realize(dev,
|
|
virtio_scsi_handle_ctrl,
|
|
virtio_scsi_handle_event,
|
|
@@ -1089,6 +1184,8 @@ static void virtio_scsi_device_unrealize(DeviceState *dev)
|
|
{
|
|
VirtIOSCSI *s = VIRTIO_SCSI(dev);
|
|
|
|
+ virtio_scsi_reset_tmf_bh(s);
|
|
+
|
|
qbus_set_hotplug_handler(BUS(&s->bus), NULL);
|
|
virtio_scsi_common_unrealize(dev);
|
|
}
|
|
diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
|
|
index a36aad9c86..1c1cd77d6e 100644
|
|
--- a/include/hw/virtio/virtio-scsi.h
|
|
+++ b/include/hw/virtio/virtio-scsi.h
|
|
@@ -75,13 +75,22 @@ struct VirtIOSCSICommon {
|
|
VirtQueue **cmd_vqs;
|
|
};
|
|
|
|
+struct VirtIOSCSIReq;
|
|
+
|
|
struct VirtIOSCSI {
|
|
VirtIOSCSICommon parent_obj;
|
|
|
|
SCSIBus bus;
|
|
- int resetting;
|
|
+ int resetting; /* written from main loop thread, read from any thread */
|
|
bool events_dropped;
|
|
|
|
+ /*
|
|
+ * TMFs deferred to main loop BH. These fields are protected by
|
|
+ * virtio_scsi_acquire().
|
|
+ */
|
|
+ QEMUBH *tmf_bh;
|
|
+ QTAILQ_HEAD(, VirtIOSCSIReq) tmf_bh_list;
|
|
+
|
|
/* Fields for dataplane below */
|
|
AioContext *ctx; /* one iothread per virtio-scsi-pci for now */
|
|
|
|
--
|
|
2.39.1
|
|
|