Series comparison

-[PULL 00/31] Block patches
+[Qemu-devel] [PULL v2 00/24] Block patches
-The following changes since commit 9ac5df20f51fabcba0d902025df4bd7ea987c158:
+The following changes since commit 56f9e46b841c7be478ca038d8d4085d776ab4b0d:
-  Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20200221-1' into staging (2020-02-21 16:18:38 +0000)
+  Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2017-02-20' into staging (2017-02-20 17:42:47 +0000)
-are available in the Git repository at:
+are available in the git repository at:
-  https://github.com/stefanha/qemu.git tags/block-pull-request
+  git://github.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to e5c59355ae9f724777c61c859292ec9db2c8c2ab:
+for you to fetch changes up to a7b91d35bab97a2d3e779d0c64c9b837b52a6cf7:
-  fuzz: add documentation to docs/devel/ (2020-02-22 08:26:48 +0000)
+  coroutine-lock: make CoRwlock thread-safe and fair (2017-02-21 11:39:40 +0000)
 ----------------------------------------------------------------
 Pull request
-This pull request contains a virtio-blk/scsi performance optimization, event
+v2:
-loop scalability improvements, and a qtest-based device fuzzing framework.  I
+ * Rebased to resolve scsi conflicts
 am including the fuzzing patches because I have reviewed them and Thomas Huth
 is currently away on leave.
 ----------------------------------------------------------------
-Alexander Bulekov (22):
+Paolo Bonzini (24):
-  softmmu: move vl.c to softmmu/
+  block: move AioContext, QEMUTimer, main-loop to libqemuutil
-  softmmu: split off vl.c:main() into main.c
+  aio: introduce aio_co_schedule and aio_co_wake
-  module: check module wasn't already initialized
+  block-backend: allow blk_prw from coroutine context
-  fuzz: add FUZZ_TARGET module type
+  test-thread-pool: use generic AioContext infrastructure
-  qtest: add qtest_server_send abstraction
+  io: add methods to set I/O handlers on AioContext
-  libqtest: add a layer of abstraction to send/recv
+  io: make qio_channel_yield aware of AioContexts
-  libqtest: make bufwrite rely on the TransportOps
+  nbd: convert to use qio_channel_yield
-  qtest: add in-process incoming command handler
+  coroutine-lock: reschedule coroutine on the AioContext it was running
-  libqos: rename i2c_send and i2c_recv
+    on
-  libqos: split qos-test and libqos makefile vars
+  blkdebug: reschedule coroutine on the AioContext it is running on
-  libqos: move useful qos-test funcs to qos_external
+  qed: introduce qed_aio_start_io and qed_aio_next_io_cb
-  fuzz: add fuzzer skeleton
+  aio: push aio_context_acquire/release down to dispatching
-  exec: keep ram block across fork when using qtest
+  block: explicitly acquire aiocontext in timers that need it
-  main: keep rcu_atfork callback enabled for qtest
+  block: explicitly acquire aiocontext in callbacks that need it
-  fuzz: support for fork-based fuzzing.
+  block: explicitly acquire aiocontext in bottom halves that need it
-  fuzz: add support for qos-assisted fuzz targets
+  block: explicitly acquire aiocontext in aio callbacks that need it
-  fuzz: add target/fuzz makefile rules
+  aio-posix: partially inline aio_dispatch into aio_poll
-  fuzz: add configure flag --enable-fuzzing
+  async: remove unnecessary inc/dec pairs
-  fuzz: add i440fx fuzz targets
+  block: document fields protected by AioContext lock
-  fuzz: add virtio-net fuzz target
+  coroutine-lock: make CoMutex thread-safe
-  fuzz: add virtio-scsi fuzz target
+  coroutine-lock: add limited spinning to CoMutex
-  fuzz: add documentation to docs/devel/
+  test-aio-multithread: add performance comparison with thread-based
     mutexes
   coroutine-lock: place CoMutex before CoQueue in header
   coroutine-lock: add mutex argument to CoQueue APIs
   coroutine-lock: make CoRwlock thread-safe and fair
-Denis Plotnikov (1):
+ Makefile.objs                       |   4 -
-  virtio: increase virtqueue size for virtio-scsi and virtio-blk
+ stubs/Makefile.objs                 |   1 +
+ tests/Makefile.include              |  19 +-
-Paolo Bonzini (1):
+ util/Makefile.objs                  |   6 +-
-  rcu_queue: add QSLIST functions
+ block/nbd-client.h                  |   2 +-
+ block/qed.h                         |   3 +
-Stefan Hajnoczi (7):
+ include/block/aio.h                 |  38 ++-
-  aio-posix: avoid reacquiring rcu_read_lock() when polling
+ include/block/block_int.h           |  64 +++--
-  util/async: make bh_aio_poll() O(1)
+ include/io/channel.h                |  72 +++++-
-  aio-posix: fix use after leaving scope in aio_poll()
+ include/qemu/coroutine.h            |  84 ++++---
-  aio-posix: don't pass ns timeout to epoll_wait()
+ include/qemu/coroutine_int.h        |  11 +-
-  qemu/queue.h: add QLIST_SAFE_REMOVE()
+ include/sysemu/block-backend.h      |  14 +-
-  aio-posix: make AioHandler deletion O(1)
+ tests/iothread.h                    |  25 ++
-  aio-posix: make AioHandler dispatch O(1) with epoll
+ block/backup.c                      |   2 +-
+ block/blkdebug.c                    |   9 +-
- MAINTAINERS                         |  11 +-
+ block/blkreplay.c                   |   2 +-
- Makefile                            |  15 +-
+ block/block-backend.c               |  13 +-
- Makefile.objs                       |   2 -
+ block/curl.c                        |  44 +++-
- Makefile.target                     |  19 ++-
+ block/gluster.c                     |   9 +-
- block.c                             |   5 +-
+ block/io.c                          |  42 +---
- chardev/spice.c                     |   4 +-
+ block/iscsi.c                       |  15 +-
- configure                           |  39 +++++
+ block/linux-aio.c                   |  10 +-
- docs/devel/fuzzing.txt              | 116 ++++++++++++++
+ block/mirror.c                      |  12 +-
- exec.c                              |  12 +-
+ block/nbd-client.c                  | 119 +++++----
- hw/block/virtio-blk.c               |   2 +-
+ block/nfs.c                         |   9 +-
- hw/core/machine.c                   |   2 +
+ block/qcow2-cluster.c               |   4 +-
- hw/scsi/virtio-scsi.c               |   2 +-
+ block/qed-cluster.c                 |   2 +
- include/block/aio.h                 |  26 ++-
+ block/qed-table.c                   |  12 +-
- include/qemu/module.h               |   4 +-
+ block/qed.c                         |  58 +++--
- include/qemu/queue.h                |  32 +++-
+ block/sheepdog.c                    |  31 +--
- include/qemu/rcu_queue.h            |  47 ++++++
+ block/ssh.c                         |  29 +--
- include/sysemu/qtest.h              |   4 +
+ block/throttle-groups.c             |   4 +-
- include/sysemu/sysemu.h             |   4 +
+ block/win32-aio.c                   |   9 +-
- qtest.c                             |  31 +++-
+ dma-helpers.c                       |   2 +
- scripts/checkpatch.pl               |   2 +-
+ hw/9pfs/9p.c                        |   2 +-
- scripts/get_maintainer.pl           |   3 +-
+ hw/block/virtio-blk.c               |  19 +-
- softmmu/Makefile.objs               |   3 +
+ hw/scsi/scsi-bus.c                  |   2 +
- softmmu/main.c                      |  53 +++++++
+ hw/scsi/scsi-disk.c                 |  15 ++
- vl.c => softmmu/vl.c                |  48 +++---
+ hw/scsi/scsi-generic.c              |  20 +-
- tests/Makefile.include              |   2 +
+ hw/scsi/virtio-scsi.c               |   7 +
- tests/qtest/Makefile.include        |  72 +++++----
+ io/channel-command.c                |  13 +
- tests/qtest/fuzz/Makefile.include   |  18 +++
+ io/channel-file.c                   |  11 +
- tests/qtest/fuzz/fork_fuzz.c        |  55 +++++++
+ io/channel-socket.c                 |  16 +-
- tests/qtest/fuzz/fork_fuzz.h        |  23 +++
+ io/channel-tls.c                    |  12 +
- tests/qtest/fuzz/fork_fuzz.ld       |  37 +++++
+ io/channel-watch.c                  |   6 +
- tests/qtest/fuzz/fuzz.c             | 179 +++++++++++++++++++++
+ io/channel.c                        |  97 ++++++--
- tests/qtest/fuzz/fuzz.h             |  95 +++++++++++
+ nbd/client.c                        |   2 +-
- tests/qtest/fuzz/i440fx_fuzz.c      | 193 ++++++++++++++++++++++
+ nbd/common.c                        |   9 +-
- tests/qtest/fuzz/qos_fuzz.c         | 234 +++++++++++++++++++++++++++
+ nbd/server.c                        |  94 +++-----
- tests/qtest/fuzz/qos_fuzz.h         |  33 ++++
+ stubs/linux-aio.c                   |  32 +++
- tests/qtest/fuzz/virtio_net_fuzz.c  | 198 +++++++++++++++++++++++
+ stubs/set-fd-handler.c              |  11 -
- tests/qtest/fuzz/virtio_scsi_fuzz.c | 213 +++++++++++++++++++++++++
+ tests/iothread.c                    |  91 +++++++
- tests/qtest/libqos/i2c.c            |  10 +-
+ tests/test-aio-multithread.c        | 463 ++++++++++++++++++++++++++++++++++++
- tests/qtest/libqos/i2c.h            |   4 +-
+ tests/test-thread-pool.c            |  12 +-
- tests/qtest/libqos/qos_external.c   | 168 ++++++++++++++++++++
+ aio-posix.c => util/aio-posix.c     |  62 ++---
- tests/qtest/libqos/qos_external.h   |  28 ++++
+ aio-win32.c => util/aio-win32.c     |  30 +--
- tests/qtest/libqtest.c              | 119 ++++++++++++--
+ util/aiocb.c                        |  55 +++++
- tests/qtest/libqtest.h              |   4 +
+ async.c => util/async.c             |  84 ++++++-
- tests/qtest/pca9552-test.c          |  10 +-
+ iohandler.c => util/iohandler.c     |   0
- tests/qtest/qos-test.c              | 132 +---------------
+ main-loop.c => util/main-loop.c     |   0
- tests/test-aio.c                    |   3 +-
+ util/qemu-coroutine-lock.c          | 254 ++++++++++++++++++--
- tests/test-rcu-list.c               |  16 ++
+ util/qemu-coroutine-sleep.c         |   2 +-
- tests/test-rcu-slist.c              |   2 +
+ util/qemu-coroutine.c               |   8 +
- util/aio-posix.c                    | 187 +++++++++++++++-------
+ qemu-timer.c => util/qemu-timer.c   |   0
- util/async.c                        | 237 ++++++++++++++++------------
+ thread-pool.c => util/thread-pool.c |   8 +-
- util/module.c                       |   7 +
+ trace-events                        |  11 -
-files changed, 2365 insertions(+), 400 deletions(-)
+ util/trace-events                   |  17 +-
- create mode 100644 docs/devel/fuzzing.txt
+files changed, 1712 insertions(+), 533 deletions(-)
- create mode 100644 softmmu/Makefile.objs
+ create mode 100644 tests/iothread.h
- create mode 100644 softmmu/main.c
+ create mode 100644 stubs/linux-aio.c
- rename vl.c => softmmu/vl.c (99%)
+ create mode 100644 tests/iothread.c
- create mode 100644 tests/qtest/fuzz/Makefile.include
+ create mode 100644 tests/test-aio-multithread.c
- create mode 100644 tests/qtest/fuzz/fork_fuzz.c
+ rename aio-posix.c => util/aio-posix.c (94%)
- create mode 100644 tests/qtest/fuzz/fork_fuzz.h
+ rename aio-win32.c => util/aio-win32.c (95%)
- create mode 100644 tests/qtest/fuzz/fork_fuzz.ld
+ create mode 100644 util/aiocb.c
- create mode 100644 tests/qtest/fuzz/fuzz.c
+ rename async.c => util/async.c (82%)
- create mode 100644 tests/qtest/fuzz/fuzz.h
+ rename iohandler.c => util/iohandler.c (100%)
- create mode 100644 tests/qtest/fuzz/i440fx_fuzz.c
+ rename main-loop.c => util/main-loop.c (100%)
- create mode 100644 tests/qtest/fuzz/qos_fuzz.c
+ rename qemu-timer.c => util/qemu-timer.c (100%)
- create mode 100644 tests/qtest/fuzz/qos_fuzz.h
+ rename thread-pool.c => util/thread-pool.c (97%)
  create mode 100644 tests/qtest/fuzz/virtio_net_fuzz.c
  create mode 100644 tests/qtest/fuzz/virtio_scsi_fuzz.c
  create mode 100644 tests/qtest/libqos/qos_external.c
  create mode 100644 tests/qtest/libqos/qos_external.h
  create mode 100644 tests/test-rcu-slist.c
 --
-.24.1
+.9.3

-[PULL 11/31] softmmu: split off vl.c:main() into main.c
+[Qemu-devel] [PULL v2 01/24] block: move AioContext, QEMUTimer, main-loop to libqemuutil
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-A program might rely on functions implemented in vl.c, but implement its
+AioContext is fairly self contained, the only dependency is QEMUTimer but
-own main(). By placing main into a separate source file, there are no
+that in turn doesn't need anything else.  So move them out of block-obj-y
-complaints about duplicate main()s when linking against vl.o. For
+to avoid introducing a dependency from io/ to block-obj-y.
-example, the virtual-device fuzzer uses a main() provided by libfuzzer,
-and needs to perform some initialization before running the softmmu
+main-loop and its dependency iohandler also need to be moved, because
-initialization. Now, main simply calls three vl.c functions which
+later in this series io/ will call iohandler_get_aio_context.
-handle the guest initialization, main loop and cleanup.
+[Changed copyright "the QEMU team" to "other QEMU contributors" as
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+suggested by Daniel Berrange and agreed by Paolo.
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+--Stefan]
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Message-id: 20200220041118.23264-3-alxndr@bu.edu
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Fam Zheng <famz@redhat.com>
 Message-id: 20170213135235.12274-2-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- MAINTAINERS             |  1 +
+ Makefile.objs                       |  4 ---
- Makefile.target         |  2 +-
+ stubs/Makefile.objs                 |  1 +
- include/sysemu/sysemu.h |  4 ++++
+ tests/Makefile.include              | 11 ++++----
- softmmu/Makefile.objs   |  1 +
+ util/Makefile.objs                  |  6 +++-
- softmmu/main.c          | 53 +++++++++++++++++++++++++++++++++++++++++
+ block/io.c                          | 29 -------------------
- softmmu/vl.c            | 36 +++++++---------------------
+ stubs/linux-aio.c                   | 32 +++++++++++++++++++++
-files changed, 69 insertions(+), 28 deletions(-)
+ stubs/set-fd-handler.c              | 11 --------
- create mode 100644 softmmu/main.c
+ aio-posix.c => util/aio-posix.c     |  2 +-
+ aio-win32.c => util/aio-win32.c     |  0
-diff --git a/MAINTAINERS b/MAINTAINERS
+ util/aiocb.c                        | 55 +++++++++++++++++++++++++++++++++++++
-index XXXXXXX..XXXXXXX 100644
+ async.c => util/async.c             |  3 +-
---- a/MAINTAINERS
+ iohandler.c => util/iohandler.c     |  0
-+++ b/MAINTAINERS
+ main-loop.c => util/main-loop.c     |  0
-@@ -XXX,XX +XXX,XX @@ F: include/sysemu/runstate.h
+ qemu-timer.c => util/qemu-timer.c   |  0
- F: util/main-loop.c
+ thread-pool.c => util/thread-pool.c |  2 +-
- F: util/qemu-timer.c
+ trace-events                        | 11 --------
- F: softmmu/vl.c
+ util/trace-events                   | 11 ++++++++
-+F: softmmu/main.c
+files changed, 114 insertions(+), 64 deletions(-)
- F: qapi/run-state.json
+ create mode 100644 stubs/linux-aio.c
+ rename aio-posix.c => util/aio-posix.c (99%)
- Human Monitor (HMP)
+ rename aio-win32.c => util/aio-win32.c (100%)
-diff --git a/Makefile.target b/Makefile.target
+ create mode 100644 util/aiocb.c
-index XXXXXXX..XXXXXXX 100644
+ rename async.c => util/async.c (99%)
---- a/Makefile.target
+ rename iohandler.c => util/iohandler.c (100%)
-+++ b/Makefile.target
+ rename main-loop.c => util/main-loop.c (100%)
-@@ -XXX,XX +XXX,XX @@ endif
+ rename qemu-timer.c => util/qemu-timer.c (100%)
- COMMON_LDADDS = ../libqemuutil.a
+ rename thread-pool.c => util/thread-pool.c (99%)
- # build either PROG or PROGW
+diff --git a/Makefile.objs b/Makefile.objs
--$(QEMU_PROG_BUILD): $(all-obj-y) $(COMMON_LDADDS)
+index XXXXXXX..XXXXXXX 100644
-+$(QEMU_PROG_BUILD): $(all-obj-y) $(COMMON_LDADDS) $(softmmu-main-y)
+--- a/Makefile.objs
-     $(call LINK, $(filter-out %.mak, $^))
++++ b/Makefile.objs
- ifdef CONFIG_DARWIN
+@@ -XXX,XX +XXX,XX @@ chardev-obj-y = chardev/
-     $(call quiet-command,Rez -append $(SRC_PATH)/pc-bios/qemu.rsrc -o $@,"REZ","$(TARGET_DIR)$@")
+ #######################################################################
-diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
+ # block-obj-y is code used by both qemu system emulation and qemu-img
-index XXXXXXX..XXXXXXX 100644
---- a/include/sysemu/sysemu.h
+-block-obj-y = async.o thread-pool.o
-+++ b/include/sysemu/sysemu.h
+ block-obj-y += nbd/
-@@ -XXX,XX +XXX,XX @@ QemuOpts *qemu_get_machine_opts(void);
+ block-obj-y += block.o blockjob.o
+-block-obj-y += main-loop.o iohandler.o qemu-timer.o
- bool defaults_enabled(void);
+-block-obj-$(CONFIG_POSIX) += aio-posix.o
+-block-obj-$(CONFIG_WIN32) += aio-win32.o
-+void qemu_init(int argc, char **argv, char **envp);
+ block-obj-y += block/
-+void qemu_main_loop(void);
+ block-obj-y += qemu-io-cmds.o
-+void qemu_cleanup(void);
+ block-obj-$(CONFIG_REPLICATION) += replication.o
-+
+diff --git a/stubs/Makefile.objs b/stubs/Makefile.objs
- extern QemuOptsList qemu_legacy_drive_opts;
+index XXXXXXX..XXXXXXX 100644
- extern QemuOptsList qemu_common_drive_opts;
+--- a/stubs/Makefile.objs
- extern QemuOptsList qemu_drive_opts;
++++ b/stubs/Makefile.objs
-diff --git a/softmmu/Makefile.objs b/softmmu/Makefile.objs
+@@ -XXX,XX +XXX,XX @@ stub-obj-y += get-vm-name.o
-index XXXXXXX..XXXXXXX 100644
+ stub-obj-y += iothread.o
---- a/softmmu/Makefile.objs
+ stub-obj-y += iothread-lock.o
-+++ b/softmmu/Makefile.objs
+ stub-obj-y += is-daemonized.o
-@@ -XXX,XX +XXX,XX @@
++stub-obj-$(CONFIG_LINUX_AIO) += linux-aio.o
-+softmmu-main-y = softmmu/main.o
+ stub-obj-y += machine-init-done.o
- obj-y += vl.o
+ stub-obj-y += migr-blocker.o
- vl.o-cflags := $(GPROF_CFLAGS) $(SDL_CFLAGS)
+ stub-obj-y += monitor.o
-diff --git a/softmmu/main.c b/softmmu/main.c
+diff --git a/tests/Makefile.include b/tests/Makefile.include
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/Makefile.include
 +++ b/tests/Makefile.include
@@ -XXX,XX +XXX,XX @@ check-unit-y += tests/test-visitor-serialization$(EXESUF)
  check-unit-y += tests/test-iov$(EXESUF)
  gcov-files-test-iov-y = util/iov.c
  check-unit-y += tests/test-aio$(EXESUF)
 +gcov-files-test-aio-y = util/async.c util/qemu-timer.o
 +gcov-files-test-aio-$(CONFIG_WIN32) += util/aio-win32.c
 +gcov-files-test-aio-$(CONFIG_POSIX) += util/aio-posix.c
  check-unit-y += tests/test-throttle$(EXESUF)
  gcov-files-test-aio-$(CONFIG_WIN32) = aio-win32.c
  gcov-files-test-aio-$(CONFIG_POSIX) = aio-posix.c
@@ -XXX,XX +XXX,XX @@ tests/check-qjson$(EXESUF): tests/check-qjson.o $(test-util-obj-y)
  tests/check-qom-interface$(EXESUF): tests/check-qom-interface.o $(test-qom-obj-y)
  tests/check-qom-proplist$(EXESUF): tests/check-qom-proplist.o $(test-qom-obj-y)
 -tests/test-char$(EXESUF): tests/test-char.o qemu-timer.o \
 -    $(test-util-obj-y) $(qtest-obj-y) $(test-block-obj-y) $(chardev-obj-y)
 +tests/test-char$(EXESUF): tests/test-char.o $(test-util-obj-y) $(qtest-obj-y) $(test-io-obj-y) $(chardev-obj-y)
  tests/test-coroutine$(EXESUF): tests/test-coroutine.o $(test-block-obj-y)
  tests/test-aio$(EXESUF): tests/test-aio.o $(test-block-obj-y)
  tests/test-throttle$(EXESUF): tests/test-throttle.o $(test-block-obj-y)
@@ -XXX,XX +XXX,XX @@ tests/test-vmstate$(EXESUF): tests/test-vmstate.o \
      migration/vmstate.o migration/qemu-file.o \
          migration/qemu-file-channel.o migration/qjson.o \
      $(test-io-obj-y)
 -tests/test-timed-average$(EXESUF): tests/test-timed-average.o qemu-timer.o \
 -    $(test-util-obj-y)
 +tests/test-timed-average$(EXESUF): tests/test-timed-average.o $(test-util-obj-y)
  tests/test-base64$(EXESUF): tests/test-base64.o \
      libqemuutil.a libqemustub.a
  tests/ptimer-test$(EXESUF): tests/ptimer-test.o tests/ptimer-test-stubs.o hw/core/ptimer.o libqemustub.a
@@ -XXX,XX +XXX,XX @@ tests/usb-hcd-ehci-test$(EXESUF): tests/usb-hcd-ehci-test.o $(libqos-usb-obj-y)
  tests/usb-hcd-xhci-test$(EXESUF): tests/usb-hcd-xhci-test.o $(libqos-usb-obj-y)
  tests/pc-cpu-test$(EXESUF): tests/pc-cpu-test.o
  tests/postcopy-test$(EXESUF): tests/postcopy-test.o
 -tests/vhost-user-test$(EXESUF): tests/vhost-user-test.o qemu-timer.o \
 +tests/vhost-user-test$(EXESUF): tests/vhost-user-test.o $(test-util-obj-y) \
      $(qtest-obj-y) $(test-io-obj-y) $(libqos-virtio-obj-y) $(libqos-pc-obj-y) \
      $(chardev-obj-y)
  tests/qemu-iotests/socket_scm_helper$(EXESUF): tests/qemu-iotests/socket_scm_helper.o
 diff --git a/util/Makefile.objs b/util/Makefile.objs
 index XXXXXXX..XXXXXXX 100644
 --- a/util/Makefile.objs
 +++ b/util/Makefile.objs
@@ -XXX,XX +XXX,XX @@
  util-obj-y = osdep.o cutils.o unicode.o qemu-timer-common.o
  util-obj-y += bufferiszero.o
  util-obj-y += lockcnt.o
 +util-obj-y += aiocb.o async.o thread-pool.o qemu-timer.o
 +util-obj-y += main-loop.o iohandler.o
 +util-obj-$(CONFIG_POSIX) += aio-posix.o
  util-obj-$(CONFIG_POSIX) += compatfd.o
  util-obj-$(CONFIG_POSIX) += event_notifier-posix.o
  util-obj-$(CONFIG_POSIX) += mmap-alloc.o
  util-obj-$(CONFIG_POSIX) += oslib-posix.o
  util-obj-$(CONFIG_POSIX) += qemu-openpty.o
  util-obj-$(CONFIG_POSIX) += qemu-thread-posix.o
 -util-obj-$(CONFIG_WIN32) += event_notifier-win32.o
  util-obj-$(CONFIG_POSIX) += memfd.o
 +util-obj-$(CONFIG_WIN32) += aio-win32.o
 +util-obj-$(CONFIG_WIN32) += event_notifier-win32.o
  util-obj-$(CONFIG_WIN32) += oslib-win32.o
  util-obj-$(CONFIG_WIN32) += qemu-thread-win32.o
  util-obj-y += envlist.o path.o module.o
 diff --git a/block/io.c b/block/io.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/io.c
 +++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ BlockAIOCB *bdrv_aio_flush(BlockDriverState *bs,
      return &acb->common;
  }
 -void *qemu_aio_get(const AIOCBInfo *aiocb_info, BlockDriverState *bs,
 -                   BlockCompletionFunc *cb, void *opaque)
 -{
 -    BlockAIOCB *acb;
 -
 -    acb = g_malloc(aiocb_info->aiocb_size);
 -    acb->aiocb_info = aiocb_info;
 -    acb->bs = bs;
 -    acb->cb = cb;
 -    acb->opaque = opaque;
 -    acb->refcnt = 1;
 -    return acb;
 -}
 -
 -void qemu_aio_ref(void *p)
 -{
 -    BlockAIOCB *acb = p;
 -    acb->refcnt++;
 -}
 -
 -void qemu_aio_unref(void *p)
 -{
 -    BlockAIOCB *acb = p;
 -    assert(acb->refcnt > 0);
 -    if (--acb->refcnt == 0) {
 -        g_free(acb);
 -    }
 -}
 -
  /**************************************************************/
  /* Coroutine block device emulation */
 diff --git a/stubs/linux-aio.c b/stubs/linux-aio.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/softmmu/main.c
++++ b/stubs/linux-aio.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * QEMU System Emulator
++ * Linux native AIO support.
 + *
-+ * Copyright (c) 2003-2020 Fabrice Bellard
++ * Copyright (C) 2009 IBM, Corp.
 + * Copyright (C) 2009 Red Hat, Inc.
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
 + */
 +#include "qemu/osdep.h"
 +#include "block/aio.h"
 +#include "block/raw-aio.h"
 +
 +void laio_detach_aio_context(LinuxAioState *s, AioContext *old_context)
 +{
 +    abort();
 +}
 +
 +void laio_attach_aio_context(LinuxAioState *s, AioContext *new_context)
 +{
 +    abort();
 +}
 +
 +LinuxAioState *laio_init(void)
 +{
 +    abort();
 +}
 +
 +void laio_cleanup(LinuxAioState *s)
 +{
 +    abort();
 +}
 diff --git a/stubs/set-fd-handler.c b/stubs/set-fd-handler.c
 index XXXXXXX..XXXXXXX 100644
 --- a/stubs/set-fd-handler.c
 +++ b/stubs/set-fd-handler.c
@@ -XXX,XX +XXX,XX @@ void qemu_set_fd_handler(int fd,
  {
      abort();
  }
 -
 -void aio_set_fd_handler(AioContext *ctx,
 -                        int fd,
 -                        bool is_external,
 -                        IOHandler *io_read,
 -                        IOHandler *io_write,
 -                        AioPollFn *io_poll,
 -                        void *opaque)
 -{
 -    abort();
 -}
 diff --git a/aio-posix.c b/util/aio-posix.c
 similarity index 99%
 rename from aio-posix.c
 rename to util/aio-posix.c
 index XXXXXXX..XXXXXXX 100644
 --- a/aio-posix.c
 +++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/rcu_queue.h"
  #include "qemu/sockets.h"
  #include "qemu/cutils.h"
 -#include "trace-root.h"
 +#include "trace.h"
  #ifdef CONFIG_EPOLL_CREATE1
  #include <sys/epoll.h>
  #endif
 diff --git a/aio-win32.c b/util/aio-win32.c
 similarity index 100%
 rename from aio-win32.c
 rename to util/aio-win32.c
 diff --git a/util/aiocb.c b/util/aiocb.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/util/aiocb.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * BlockAIOCB allocation
 + *
 + * Copyright (c) 2003-2017 Fabrice Bellard and other QEMU contributors
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 ...
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
-+#include "qemu-common.h"
++#include "block/aio.h"
-+#include "sysemu/sysemu.h"
++
-+
++void *qemu_aio_get(const AIOCBInfo *aiocb_info, BlockDriverState *bs,
-+#ifdef CONFIG_SDL
++                   BlockCompletionFunc *cb, void *opaque)
-+#if defined(__APPLE__) || defined(main)
++{
-+#include <SDL.h>
++    BlockAIOCB *acb;
-+int main(int argc, char **argv)
++
-+{
++    acb = g_malloc(aiocb_info->aiocb_size);
-+    return qemu_main(argc, argv, NULL);
++    acb->aiocb_info = aiocb_info;
-+}
++    acb->bs = bs;
-+#undef main
++    acb->cb = cb;
-+#define main qemu_main
++    acb->opaque = opaque;
-+#endif
++    acb->refcnt = 1;
-+#endif /* CONFIG_SDL */
++    return acb;
-+
++}
-+#ifdef CONFIG_COCOA
++
-+#undef main
++void qemu_aio_ref(void *p)
-+#define main qemu_main
++{
-+#endif /* CONFIG_COCOA */
++    BlockAIOCB *acb = p;
-+
++    acb->refcnt++;
-+int main(int argc, char **argv, char **envp)
++}
-+{
++
-+    qemu_init(argc, argv, envp);
++void qemu_aio_unref(void *p)
-+    qemu_main_loop();
++{
-+    qemu_cleanup();
++    BlockAIOCB *acb = p;
-+
++    assert(acb->refcnt > 0);
-+    return 0;
++    if (--acb->refcnt == 0) {
-+}
++        g_free(acb);
-diff --git a/softmmu/vl.c b/softmmu/vl.c
++    }
-index XXXXXXX..XXXXXXX 100644
++}
---- a/softmmu/vl.c
+diff --git a/async.c b/util/async.c
-+++ b/softmmu/vl.c
+similarity index 99%
-@@ -XXX,XX +XXX,XX @@
+rename from async.c
- #include "sysemu/seccomp.h"
+rename to util/async.c
- #include "sysemu/tcg.h"
+index XXXXXXX..XXXXXXX 100644
+--- a/async.c
--#ifdef CONFIG_SDL
++++ b/util/async.c
--#if defined(__APPLE__) || defined(main)
+@@ -XXX,XX +XXX,XX @@
--#include <SDL.h>
+ /*
--int qemu_main(int argc, char **argv, char **envp);
+- * QEMU System Emulator
--int main(int argc, char **argv)
++ * Data plane event loop
--{
+  *
--    return qemu_main(argc, argv, NULL);
+  * Copyright (c) 2003-2008 Fabrice Bellard
--}
++ * Copyright (c) 2009-2017 QEMU contributors
--#undef main
+  *
--#define main qemu_main
+  * Permission is hereby granted, free of charge, to any person obtaining a copy
--#endif
+  * of this software and associated documentation files (the "Software"), to deal
--#endif /* CONFIG_SDL */
+diff --git a/iohandler.c b/util/iohandler.c
--
+similarity index 100%
--#ifdef CONFIG_COCOA
+rename from iohandler.c
--#undef main
+rename to util/iohandler.c
--#define main qemu_main
+diff --git a/main-loop.c b/util/main-loop.c
--#endif /* CONFIG_COCOA */
+similarity index 100%
--
+rename from main-loop.c
--
+rename to util/main-loop.c
- #include "qemu/error-report.h"
+diff --git a/qemu-timer.c b/util/qemu-timer.c
- #include "qemu/sockets.h"
+similarity index 100%
- #include "sysemu/accel.h"
+rename from qemu-timer.c
-@@ -XXX,XX +XXX,XX @@ static bool main_loop_should_exit(void)
+rename to util/qemu-timer.c
-     return false;
+diff --git a/thread-pool.c b/util/thread-pool.c
- }
+similarity index 99%
+rename from thread-pool.c
--static void main_loop(void)
+rename to util/thread-pool.c
-+void qemu_main_loop(void)
+index XXXXXXX..XXXXXXX 100644
- {
+--- a/thread-pool.c
- #ifdef CONFIG_PROFILER
++++ b/util/thread-pool.c
-     int64_t ti;
+@@ -XXX,XX +XXX,XX @@
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+ #include "qemu/queue.h"
-     }
+ #include "qemu/thread.h"
- }
+ #include "qemu/coroutine.h"
+-#include "trace-root.h"
--int main(int argc, char **argv, char **envp)
++#include "trace.h"
-+void qemu_init(int argc, char **argv, char **envp)
+ #include "block/thread-pool.h"
- {
+ #include "qemu/main-loop.h"
-     int i;
-     int snapshot, linux_boot;
+diff --git a/trace-events b/trace-events
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
+index XXXXXXX..XXXXXXX 100644
-             case QEMU_OPTION_watchdog:
+--- a/trace-events
-                 if (watchdog) {
++++ b/trace-events
-                     error_report("only one watchdog option may be given");
+@@ -XXX,XX +XXX,XX @@
--                    return 1;
+ #
-+                    exit(1);
+ # The <format-string> should be a sprintf()-compatible format string.
-                 }
-                 watchdog = optarg;
+-# aio-posix.c
-                 break;
+-run_poll_handlers_begin(void *ctx, int64_t max_ns) "ctx %p max_ns %"PRId64
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
+-run_poll_handlers_end(void *ctx, bool progress) "ctx %p progress %d"
-     parse_numa_opts(current_machine);
+-poll_shrink(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
+-poll_grow(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
-     /* do monitor/qmp handling at preconfig state if requested */
+-
--    main_loop();
+-# thread-pool.c
-+    qemu_main_loop();
+-thread_pool_submit(void *pool, void *req, void *opaque) "pool %p req %p opaque %p"
+-thread_pool_complete(void *pool, void *req, void *opaque, int ret) "pool %p req %p opaque %p ret %d"
-     audio_init_audiodevs();
+-thread_pool_cancel(void *req, void *opaque) "req %p opaque %p"
+-
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
+ # ioport.c
-     if (vmstate_dump_file) {
+ cpu_in(unsigned int addr, char size, unsigned int val) "addr %#x(%c) value %u"
-         /* dump and exit */
+ cpu_out(unsigned int addr, char size, unsigned int val) "addr %#x(%c) value %u"
-         dump_vmstate_json_to_file(vmstate_dump_file);
+diff --git a/util/trace-events b/util/trace-events
--        return 0;
+index XXXXXXX..XXXXXXX 100644
-+        exit(0);
+--- a/util/trace-events
-     }
++++ b/util/trace-events
+@@ -XXX,XX +XXX,XX @@
-     if (incoming) {
+ # See docs/tracing.txt for syntax documentation.
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
-     accel_setup_post(current_machine);
++# util/aio-posix.c
-     os_setup_post();
++run_poll_handlers_begin(void *ctx, int64_t max_ns) "ctx %p max_ns %"PRId64
++run_poll_handlers_end(void *ctx, bool progress) "ctx %p progress %d"
--    main_loop();
++poll_shrink(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
-+    return;
++poll_grow(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
-+}
++
++# util/thread-pool.c
-+void qemu_cleanup(void)
++thread_pool_submit(void *pool, void *req, void *opaque) "pool %p req %p opaque %p"
-+{
++thread_pool_complete(void *pool, void *req, void *opaque, int ret) "pool %p req %p opaque %p ret %d"
-     gdbserver_cleanup();
++thread_pool_cancel(void *req, void *opaque) "req %p opaque %p"
++
-     /*
+ # util/buffer.c
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
+ buffer_resize(const char *buf, size_t olen, size_t len) "%s: old %zd, new %zd"
-     qemu_chr_cleanup();
+ buffer_move_empty(const char *buf, size_t len, const char *from) "%s: %zd bytes from %s"
      user_creatable_cleanup();
      /* TODO: unref root container, check all devices are ok */
 -
 -    return 0;
  }
 --
-.24.1
+.9.3

-[PULL 21/31] fuzz: add fuzzer skeleton
+[Qemu-devel] [PULL v2 02/24] aio: introduce aio_co_schedule and aio_co_wake
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-tests/fuzz/fuzz.c serves as the entry point for the virtual-device
+aio_co_wake provides the infrastructure to start a coroutine on a "home"
-fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and
+AioContext.  It will be used by CoMutex and CoQueue, so that coroutines
-LLVMFuzzerTestOneInput functions, both of which are defined in this
+don't jump from one context to another when they go to sleep on a
-file. This change adds a "FuzzTarget" struct, along with the
+mutex or waitqueue.  However, it can also be used as a more efficient
-fuzz_add_target function, which should be used to define new fuzz
+alternative to one-shot bottom halves, and saves the effort of tracking
-targets.
+which AioContext a coroutine is running on.
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+aio_co_schedule is the part of aio_co_wake that starts a coroutine
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+on a remove AioContext, but it is also useful to implement e.g.
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+bdrv_set_aio_context callbacks.
-Message-id: 20200220041118.23264-13-alxndr@bu.edu
 The implementation of aio_co_schedule is based on a lock-free
 multiple-producer, single-consumer queue.  The multiple producers use
 cmpxchg to add to a LIFO stack.  The consumer (a per-AioContext bottom
 half) grabs all items added so far, inverts the list to make it FIFO,
 and goes through it one item at a time until it's empty.  The data
 structure was inspired by OSv, which uses it in the very code we'll
 "port" to QEMU for the thread-safe CoMutex.
 Most of the new code is really tests.
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Fam Zheng <famz@redhat.com>
 Message-id: 20170213135235.12274-3-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- MAINTAINERS                       |   8 ++
+ tests/Makefile.include       |   8 +-
- tests/qtest/fuzz/Makefile.include |   6 +
+ include/block/aio.h          |  32 +++++++
- tests/qtest/fuzz/fuzz.c           | 179 ++++++++++++++++++++++++++++++
+ include/qemu/coroutine_int.h |  11 ++-
- tests/qtest/fuzz/fuzz.h           |  95 ++++++++++++++++
+ tests/iothread.h             |  25 +++++
-files changed, 288 insertions(+)
+ tests/iothread.c             |  91 ++++++++++++++++++
- create mode 100644 tests/qtest/fuzz/Makefile.include
+ tests/test-aio-multithread.c | 213 +++++++++++++++++++++++++++++++++++++++++++
- create mode 100644 tests/qtest/fuzz/fuzz.c
+ util/async.c                 |  65 +++++++++++++
- create mode 100644 tests/qtest/fuzz/fuzz.h
+ util/qemu-coroutine.c        |   8 ++
+ util/trace-events            |   4 +
-diff --git a/MAINTAINERS b/MAINTAINERS
+files changed, 453 insertions(+), 4 deletions(-)
  create mode 100644 tests/iothread.h
  create mode 100644 tests/iothread.c
  create mode 100644 tests/test-aio-multithread.c
 diff --git a/tests/Makefile.include b/tests/Makefile.include
 index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
+--- a/tests/Makefile.include
-+++ b/MAINTAINERS
++++ b/tests/Makefile.include
-@@ -XXX,XX +XXX,XX @@ F: qtest.c
+@@ -XXX,XX +XXX,XX @@ check-unit-y += tests/test-aio$(EXESUF)
- F: accel/qtest.c
+ gcov-files-test-aio-y = util/async.c util/qemu-timer.o
- F: tests/qtest/
+ gcov-files-test-aio-$(CONFIG_WIN32) += util/aio-win32.c
+ gcov-files-test-aio-$(CONFIG_POSIX) += util/aio-posix.c
-+Device Fuzzing
++check-unit-y += tests/test-aio-multithread$(EXESUF)
-+M: Alexander Bulekov <alxndr@bu.edu>
++gcov-files-test-aio-multithread-y = $(gcov-files-test-aio-y)
-+R: Paolo Bonzini <pbonzini@redhat.com>
++gcov-files-test-aio-multithread-y += util/qemu-coroutine.c tests/iothread.c
-+R: Bandan Das <bsd@redhat.com>
+ check-unit-y += tests/test-throttle$(EXESUF)
-+R: Stefan Hajnoczi <stefanha@redhat.com>
+-gcov-files-test-aio-$(CONFIG_WIN32) = aio-win32.c
-+S: Maintained
+-gcov-files-test-aio-$(CONFIG_POSIX) = aio-posix.c
-+F: tests/qtest/fuzz/
+ check-unit-y += tests/test-thread-pool$(EXESUF)
-+
+ gcov-files-test-thread-pool-y = thread-pool.c
- Register API
+ gcov-files-test-hbitmap-y = util/hbitmap.c
- M: Alistair Francis <alistair@alistair23.me>
+@@ -XXX,XX +XXX,XX @@ test-qapi-obj-y = tests/test-qapi-visit.o tests/test-qapi-types.o \
- S: Maintained
+     $(test-qom-obj-y)
-diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
+ test-crypto-obj-y = $(crypto-obj-y) $(test-qom-obj-y)
  test-io-obj-y = $(io-obj-y) $(test-crypto-obj-y)
 -test-block-obj-y = $(block-obj-y) $(test-io-obj-y)
 +test-block-obj-y = $(block-obj-y) $(test-io-obj-y) tests/iothread.o
  tests/check-qint$(EXESUF): tests/check-qint.o $(test-util-obj-y)
  tests/check-qstring$(EXESUF): tests/check-qstring.o $(test-util-obj-y)
@@ -XXX,XX +XXX,XX @@ tests/check-qom-proplist$(EXESUF): tests/check-qom-proplist.o $(test-qom-obj-y)
  tests/test-char$(EXESUF): tests/test-char.o $(test-util-obj-y) $(qtest-obj-y) $(test-io-obj-y) $(chardev-obj-y)
  tests/test-coroutine$(EXESUF): tests/test-coroutine.o $(test-block-obj-y)
  tests/test-aio$(EXESUF): tests/test-aio.o $(test-block-obj-y)
 +tests/test-aio-multithread$(EXESUF): tests/test-aio-multithread.o $(test-block-obj-y)
  tests/test-throttle$(EXESUF): tests/test-throttle.o $(test-block-obj-y)
  tests/test-blockjob$(EXESUF): tests/test-blockjob.o $(test-block-obj-y) $(test-util-obj-y)
  tests/test-blockjob-txn$(EXESUF): tests/test-blockjob-txn.o $(test-block-obj-y) $(test-util-obj-y)
 diff --git a/include/block/aio.h b/include/block/aio.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/block/aio.h
 +++ b/include/block/aio.h
@@ -XXX,XX +XXX,XX @@ typedef void QEMUBHFunc(void *opaque);
  typedef bool AioPollFn(void *opaque);
  typedef void IOHandler(void *opaque);
 +struct Coroutine;
  struct ThreadPool;
  struct LinuxAioState;
@@ -XXX,XX +XXX,XX @@ struct AioContext {
      bool notified;
      EventNotifier notifier;
 +    QSLIST_HEAD(, Coroutine) scheduled_coroutines;
 +    QEMUBH *co_schedule_bh;
 +
      /* Thread pool for performing work and receiving completion callbacks.
       * Has its own locking.
       */
@@ -XXX,XX +XXX,XX @@ static inline bool aio_node_check(AioContext *ctx, bool is_external)
  }
  /**
 + * aio_co_schedule:
 + * @ctx: the aio context
 + * @co: the coroutine
 + *
 + * Start a coroutine on a remote AioContext.
 + *
 + * The coroutine must not be entered by anyone else while aio_co_schedule()
 + * is active.  In addition the coroutine must have yielded unless ctx
 + * is the context in which the coroutine is running (i.e. the value of
 + * qemu_get_current_aio_context() from the coroutine itself).
 + */
 +void aio_co_schedule(AioContext *ctx, struct Coroutine *co);
 +
 +/**
 + * aio_co_wake:
 + * @co: the coroutine
 + *
 + * Restart a coroutine on the AioContext where it was running last, thus
 + * preventing coroutines from jumping from one context to another when they
 + * go to sleep.
 + *
 + * aio_co_wake may be executed either in coroutine or non-coroutine
 + * context.  The coroutine must not be entered by anyone else while
 + * aio_co_wake() is active.
 + */
 +void aio_co_wake(struct Coroutine *co);
 +
 +/**
   * Return the AioContext whose event loop runs in the current thread.
   *
   * If called from an IOThread this will be the IOThread's AioContext.  If
 diff --git a/include/qemu/coroutine_int.h b/include/qemu/coroutine_int.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/qemu/coroutine_int.h
 +++ b/include/qemu/coroutine_int.h
@@ -XXX,XX +XXX,XX @@ struct Coroutine {
      CoroutineEntry *entry;
      void *entry_arg;
      Coroutine *caller;
 +
 +    /* Only used when the coroutine has terminated.  */
      QSLIST_ENTRY(Coroutine) pool_next;
 +
      size_t locks_held;
 -    /* Coroutines that should be woken up when we yield or terminate */
 +    /* Coroutines that should be woken up when we yield or terminate.
 +     * Only used when the coroutine is running.
 +     */
      QSIMPLEQ_HEAD(, Coroutine) co_queue_wakeup;
 +
 +    /* Only used when the coroutine has yielded.  */
 +    AioContext *ctx;
      QSIMPLEQ_ENTRY(Coroutine) co_queue_next;
 +    QSLIST_ENTRY(Coroutine) co_scheduled_next;
  };
  Coroutine *qemu_coroutine_new(void);
 diff --git a/tests/iothread.h b/tests/iothread.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/tests/qtest/fuzz/Makefile.include
++++ b/tests/iothread.h
 @@ -XXX,XX +XXX,XX @@
-+QEMU_PROG_FUZZ=qemu-fuzz-$(TARGET_NAME)$(EXESUF)
++/*
-+
++ * Event loop thread implementation for unit tests
-+fuzz-obj-y += tests/qtest/libqtest.o
++ *
-+fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
++ * Copyright Red Hat Inc., 2013, 2016
-+
++ *
-+FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
++ * Authors:
-diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c
++ *  Stefan Hajnoczi   <stefanha@redhat.com>
 + *  Paolo Bonzini     <pbonzini@redhat.com>
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
 + */
 +#ifndef TEST_IOTHREAD_H
 +#define TEST_IOTHREAD_H
 +
 +#include "block/aio.h"
 +#include "qemu/thread.h"
 +
 +typedef struct IOThread IOThread;
 +
 +IOThread *iothread_new(void);
 +void iothread_join(IOThread *iothread);
 +AioContext *iothread_get_aio_context(IOThread *iothread);
 +
 +#endif
 diff --git a/tests/iothread.c b/tests/iothread.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/tests/qtest/fuzz/fuzz.c
++++ b/tests/iothread.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * fuzzing driver
++ * Event loop thread implementation for unit tests
 + *
-+ * Copyright Red Hat Inc., 2019
++ * Copyright Red Hat Inc., 2013, 2016
 + *
 + * Authors:
-+ *  Alexander Bulekov   <alxndr@bu.edu>
++ *  Stefan Hajnoczi   <stefanha@redhat.com>
 + *  Paolo Bonzini     <pbonzini@redhat.com>
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
 + *
 + */
 +
 +#include "qemu/osdep.h"
-+
++#include "qapi/error.h"
-+#include <wordexp.h>
++#include "block/aio.h"
 +
 +#include "sysemu/qtest.h"
 +#include "sysemu/runstate.h"
 +#include "sysemu/sysemu.h"
 +#include "qemu/main-loop.h"
-+#include "tests/qtest/libqtest.h"
++#include "qemu/rcu.h"
-+#include "tests/qtest/libqos/qgraph.h"
++#include "iothread.h"
-+#include "fuzz.h"
++
-+
++struct IOThread {
-+#define MAX_EVENT_LOOPS 10
++    AioContext *ctx;
 +
-+typedef struct FuzzTargetState {
++    QemuThread thread;
-+        FuzzTarget *target;
++    QemuMutex init_done_lock;
-+        QSLIST_ENTRY(FuzzTargetState) target_list;
++    QemuCond init_done_cond;    /* is thread initialization done? */
-+} FuzzTargetState;
++    bool stopping;
-+
++};
-+typedef QSLIST_HEAD(, FuzzTargetState) FuzzTargetList;
++
-+
++static __thread IOThread *my_iothread;
-+static const char *fuzz_arch = TARGET_NAME;
++
-+
++AioContext *qemu_get_current_aio_context(void)
-+static FuzzTargetList *fuzz_target_list;
++{
-+static FuzzTarget *fuzz_target;
++    return my_iothread ? my_iothread->ctx : qemu_get_aio_context();
-+static QTestState *fuzz_qts;
++}
 +
-+
++static void *iothread_run(void *opaque)
-+
++{
-+void flush_events(QTestState *s)
++    IOThread *iothread = opaque;
-+{
++
-+    int i = MAX_EVENT_LOOPS;
++    rcu_register_thread();
-+    while (g_main_context_pending(NULL) && i-- > 0) {
++
-+        main_loop_wait(false);
++    my_iothread = iothread;
-+    }
++    qemu_mutex_lock(&iothread->init_done_lock);
-+}
++    iothread->ctx = aio_context_new(&error_abort);
-+
++    qemu_cond_signal(&iothread->init_done_cond);
-+static QTestState *qtest_setup(void)
++    qemu_mutex_unlock(&iothread->init_done_lock);
-+{
++
-+    qtest_server_set_send_handler(&qtest_client_inproc_recv, &fuzz_qts);
++    while (!atomic_read(&iothread->stopping)) {
-+    return qtest_inproc_init(&fuzz_qts, false, fuzz_arch,
++        aio_poll(iothread->ctx, true);
-+            &qtest_server_inproc_recv);
++    }
-+}
++
-+
++    rcu_unregister_thread();
 +void fuzz_add_target(const FuzzTarget *target)
 +{
 +    FuzzTargetState *tmp;
 +    FuzzTargetState *target_state;
 +    if (!fuzz_target_list) {
 +        fuzz_target_list = g_new0(FuzzTargetList, 1);
 +    }
 +
 +    QSLIST_FOREACH(tmp, fuzz_target_list, target_list) {
 +        if (g_strcmp0(tmp->target->name, target->name) == 0) {
 +            fprintf(stderr, "Error: Fuzz target name %s already in use\n",
 +                    target->name);
 +            abort();
 +        }
 +    }
 +    target_state = g_new0(FuzzTargetState, 1);
 +    target_state->target = g_new0(FuzzTarget, 1);
 +    *(target_state->target) = *target;
 +    QSLIST_INSERT_HEAD(fuzz_target_list, target_state, target_list);
 +}
 +
 +
 +
 +static void usage(char *path)
 +{
 +    printf("Usage: %s --fuzz-target=FUZZ_TARGET [LIBFUZZER ARGUMENTS]\n", path);
 +    printf("where FUZZ_TARGET is one of:\n");
 +    FuzzTargetState *tmp;
 +    if (!fuzz_target_list) {
 +        fprintf(stderr, "Fuzz target list not initialized\n");
 +        abort();
 +    }
 +    QSLIST_FOREACH(tmp, fuzz_target_list, target_list) {
 +        printf(" * %s  : %s\n", tmp->target->name,
 +                tmp->target->description);
 +    }
 +    exit(0);
 +}
 +
 +static FuzzTarget *fuzz_get_target(char* name)
 +{
 +    FuzzTargetState *tmp;
 +    if (!fuzz_target_list) {
 +        fprintf(stderr, "Fuzz target list not initialized\n");
 +        abort();
 +    }
 +
 +    QSLIST_FOREACH(tmp, fuzz_target_list, target_list) {
 +        if (strcmp(tmp->target->name, name) == 0) {
 +            return tmp->target;
 +        }
 +    }
 +    return NULL;
 +}
 +
-+
++void iothread_join(IOThread *iothread)
-+/* Executed for each fuzzing-input */
++{
-+int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size)
++    iothread->stopping = true;
-+{
++    aio_notify(iothread->ctx);
-+    /*
++    qemu_thread_join(&iothread->thread);
-+     * Do the pre-fuzz-initialization before the first fuzzing iteration,
++    qemu_cond_destroy(&iothread->init_done_cond);
-+     * instead of before the actual fuzz loop. This is needed since libfuzzer
++    qemu_mutex_destroy(&iothread->init_done_lock);
-+     * may fork off additional workers, prior to the fuzzing loop, and if
++    aio_context_unref(iothread->ctx);
-+     * pre_fuzz() sets up e.g. shared memory, this should be done for the
++    g_free(iothread);
-+     * individual worker processes
++}
-+     */
++
-+    static int pre_fuzz_done;
++IOThread *iothread_new(void)
-+    if (!pre_fuzz_done && fuzz_target->pre_fuzz) {
++{
-+        fuzz_target->pre_fuzz(fuzz_qts);
++    IOThread *iothread = g_new0(IOThread, 1);
-+        pre_fuzz_done = true;
++
-+    }
++    qemu_mutex_init(&iothread->init_done_lock);
-+
++    qemu_cond_init(&iothread->init_done_cond);
-+    fuzz_target->fuzz(fuzz_qts, Data, Size);
++    qemu_thread_create(&iothread->thread, NULL, iothread_run,
-+    return 0;
++                       iothread, QEMU_THREAD_JOINABLE);
-+}
++
-+
++    /* Wait for initialization to complete */
-+/* Executed once, prior to fuzzing */
++    qemu_mutex_lock(&iothread->init_done_lock);
-+int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
++    while (iothread->ctx == NULL) {
-+{
++        qemu_cond_wait(&iothread->init_done_cond,
-+
++                       &iothread->init_done_lock);
-+    char *target_name;
++    }
-+
++    qemu_mutex_unlock(&iothread->init_done_lock);
-+    /* Initialize qgraph and modules */
++    return iothread;
-+    qos_graph_init();
++}
-+    module_call_init(MODULE_INIT_FUZZ_TARGET);
++
-+    module_call_init(MODULE_INIT_QOM);
++AioContext *iothread_get_aio_context(IOThread *iothread)
-+    module_call_init(MODULE_INIT_LIBQOS);
++{
-+
++    return iothread->ctx;
-+    if (*argc <= 1) {
++}
-+        usage(**argv);
+diff --git a/tests/test-aio-multithread.c b/tests/test-aio-multithread.c
 +    }
 +
 +    /* Identify the fuzz target */
 +    target_name = (*argv)[1];
 +    if (!strstr(target_name, "--fuzz-target=")) {
 +        usage(**argv);
 +    }
 +
 +    target_name += strlen("--fuzz-target=");
 +
 +    fuzz_target = fuzz_get_target(target_name);
 +    if (!fuzz_target) {
 +        usage(**argv);
 +    }
 +
 +    fuzz_qts = qtest_setup();
 +
 +    if (fuzz_target->pre_vm_init) {
 +        fuzz_target->pre_vm_init();
 +    }
 +
 +    /* Run QEMU's softmmu main with the fuzz-target dependent arguments */
 +    const char *init_cmdline = fuzz_target->get_init_cmdline(fuzz_target);
 +
 +    /* Split the runcmd into an argv and argc */
 +    wordexp_t result;
 +    wordexp(init_cmdline, &result, 0);
 +
 +    qemu_init(result.we_wordc, result.we_wordv, NULL);
 +
 +    return 0;
 +}
 diff --git a/tests/qtest/fuzz/fuzz.h b/tests/qtest/fuzz/fuzz.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/tests/qtest/fuzz/fuzz.h
++++ b/tests/test-aio-multithread.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * fuzzing driver
++ * AioContext multithreading tests
 + *
-+ * Copyright Red Hat Inc., 2019
++ * Copyright Red Hat, Inc. 2016
 + *
 + * Authors:
-+ *  Alexander Bulekov   <alxndr@bu.edu>
++ *  Paolo Bonzini    <pbonzini@redhat.com>
 + *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * This work is licensed under the terms of the GNU LGPL, version 2 or later.
-+ * See the COPYING file in the top-level directory.
++ * See the COPYING.LIB file in the top-level directory.
 + *
 + */
 +
-+#ifndef FUZZER_H_
-+#define FUZZER_H_
-+
 +#include "qemu/osdep.h"
-+#include "qemu/units.h"
++#include <glib.h>
 +#include "block/aio.h"
 +#include "qapi/error.h"
-+
++#include "qemu/coroutine.h"
-+#include "tests/qtest/libqtest.h"
++#include "qemu/thread.h"
-+
++#include "qemu/error-report.h"
-+/**
++#include "iothread.h"
-+ * A libfuzzer fuzzing target
++
-+ *
++/* AioContext management */
-+ * The QEMU fuzzing binary is built with all available targets, each
++
-+ * with a unique @name that can be specified on the command-line to
++#define NUM_CONTEXTS 5
-+ * select which target should run.
++
-+ *
++static IOThread *threads[NUM_CONTEXTS];
-+ * A target must implement ->fuzz() to process a random input.  If QEMU
++static AioContext *ctx[NUM_CONTEXTS];
-+ * crashes in ->fuzz() then libfuzzer will record a failure.
++static __thread int id = -1;
-+ *
++
-+ * Fuzzing targets are registered with fuzz_add_target():
++static QemuEvent done_event;
-+ *
++
-+ *   static const FuzzTarget fuzz_target = {
++/* Run a function synchronously on a remote iothread. */
-+ *       .name = "my-device-fifo",
++
-+ *       .description = "Fuzz the FIFO buffer registers of my-device",
++typedef struct CtxRunData {
-+ *       ...
++    QEMUBHFunc *cb;
-+ *   };
++    void *arg;
-+ *
++} CtxRunData;
-+ *   static void register_fuzz_target(void)
++
-+ *   {
++static void ctx_run_bh_cb(void *opaque)
-+ *       fuzz_add_target(&fuzz_target);
++{
-+ *   }
++    CtxRunData *data = opaque;
-+ *   fuzz_target_init(register_fuzz_target);
++
-+ */
++    data->cb(data->arg);
-+typedef struct FuzzTarget {
++    qemu_event_set(&done_event);
-+    const char *name;         /* target identifier (passed to --fuzz-target=)*/
++}
-+    const char *description;  /* help text */
++
-+
++static void ctx_run(int i, QEMUBHFunc *cb, void *opaque)
-+
++{
-+    /*
++    CtxRunData data = {
-+     * returns the arg-list that is passed to qemu/softmmu init()
++        .cb = cb,
-+     * Cannot be NULL
++        .arg = opaque
 +    };
 +
 +    qemu_event_reset(&done_event);
 +    aio_bh_schedule_oneshot(ctx[i], ctx_run_bh_cb, &data);
 +    qemu_event_wait(&done_event);
 +}
 +
 +/* Starting the iothreads. */
 +
 +static void set_id_cb(void *opaque)
 +{
 +    int *i = opaque;
 +
 +    id = *i;
 +}
 +
 +static void create_aio_contexts(void)
 +{
 +    int i;
 +
 +    for (i = 0; i < NUM_CONTEXTS; i++) {
 +        threads[i] = iothread_new();
 +        ctx[i] = iothread_get_aio_context(threads[i]);
 +    }
 +
 +    qemu_event_init(&done_event, false);
 +    for (i = 0; i < NUM_CONTEXTS; i++) {
 +        ctx_run(i, set_id_cb, &i);
 +    }
 +}
 +
 +/* Stopping the iothreads. */
 +
 +static void join_aio_contexts(void)
 +{
 +    int i;
 +
 +    for (i = 0; i < NUM_CONTEXTS; i++) {
 +        aio_context_ref(ctx[i]);
 +    }
 +    for (i = 0; i < NUM_CONTEXTS; i++) {
 +        iothread_join(threads[i]);
 +    }
 +    for (i = 0; i < NUM_CONTEXTS; i++) {
 +        aio_context_unref(ctx[i]);
 +    }
 +    qemu_event_destroy(&done_event);
 +}
 +
 +/* Basic test for the stuff above. */
 +
 +static void test_lifecycle(void)
 +{
 +    create_aio_contexts();
 +    join_aio_contexts();
 +}
 +
 +/* aio_co_schedule test.  */
 +
 +static Coroutine *to_schedule[NUM_CONTEXTS];
 +
 +static bool now_stopping;
 +
 +static int count_retry;
 +static int count_here;
 +static int count_other;
 +
 +static bool schedule_next(int n)
 +{
 +    Coroutine *co;
 +
 +    co = atomic_xchg(&to_schedule[n], NULL);
 +    if (!co) {
 +        atomic_inc(&count_retry);
 +        return false;
 +    }
 +
 +    if (n == id) {
 +        atomic_inc(&count_here);
 +    } else {
 +        atomic_inc(&count_other);
 +    }
 +
 +    aio_co_schedule(ctx[n], co);
 +    return true;
 +}
 +
 +static void finish_cb(void *opaque)
 +{
 +    schedule_next(id);
 +}
 +
 +static coroutine_fn void test_multi_co_schedule_entry(void *opaque)
 +{
 +    g_assert(to_schedule[id] == NULL);
 +    atomic_mb_set(&to_schedule[id], qemu_coroutine_self());
 +
 +    while (!atomic_mb_read(&now_stopping)) {
 +        int n;
 +
 +        n = g_test_rand_int_range(0, NUM_CONTEXTS);
 +        schedule_next(n);
 +        qemu_coroutine_yield();
 +
 +        g_assert(to_schedule[id] == NULL);
 +        atomic_mb_set(&to_schedule[id], qemu_coroutine_self());
 +    }
 +}
 +
 +
 +static void test_multi_co_schedule(int seconds)
 +{
 +    int i;
 +
 +    count_here = count_other = count_retry = 0;
 +    now_stopping = false;
 +
 +    create_aio_contexts();
 +    for (i = 0; i < NUM_CONTEXTS; i++) {
 +        Coroutine *co1 = qemu_coroutine_create(test_multi_co_schedule_entry, NULL);
 +        aio_co_schedule(ctx[i], co1);
 +    }
 +
 +    g_usleep(seconds * 1000000);
 +
 +    atomic_mb_set(&now_stopping, true);
 +    for (i = 0; i < NUM_CONTEXTS; i++) {
 +        ctx_run(i, finish_cb, NULL);
 +        to_schedule[i] = NULL;
 +    }
 +
 +    join_aio_contexts();
 +    g_test_message("scheduled %d, queued %d, retry %d, total %d\n",
 +                  count_other, count_here, count_retry,
 +                  count_here + count_other + count_retry);
 +}
 +
 +static void test_multi_co_schedule_1(void)
 +{
 +    test_multi_co_schedule(1);
 +}
 +
 +static void test_multi_co_schedule_10(void)
 +{
 +    test_multi_co_schedule(10);
 +}
 +
 +/* End of tests.  */
 +
 +int main(int argc, char **argv)
 +{
 +    init_clocks();
 +
 +    g_test_init(&argc, &argv, NULL);
 +    g_test_add_func("/aio/multi/lifecycle", test_lifecycle);
 +    if (g_test_quick()) {
 +        g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_1);
 +    } else {
 +        g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_10);
 +    }
 +    return g_test_run();
 +}
 diff --git a/util/async.c b/util/async.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/async.c
 +++ b/util/async.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/main-loop.h"
  #include "qemu/atomic.h"
  #include "block/raw-aio.h"
 +#include "qemu/coroutine_int.h"
 +#include "trace.h"
  /***********************************************************/
  /* bottom halves (can be seen as timers which expire ASAP) */
@@ -XXX,XX +XXX,XX @@ aio_ctx_finalize(GSource     *source)
      }
  #endif
 +    assert(QSLIST_EMPTY(&ctx->scheduled_coroutines));
 +    qemu_bh_delete(ctx->co_schedule_bh);
 +
      qemu_lockcnt_lock(&ctx->list_lock);
      assert(!qemu_lockcnt_count(&ctx->list_lock));
      while (ctx->first_bh) {
@@ -XXX,XX +XXX,XX @@ static bool event_notifier_poll(void *opaque)
      return atomic_read(&ctx->notified);
  }
 +static void co_schedule_bh_cb(void *opaque)
 +{
 +    AioContext *ctx = opaque;
 +    QSLIST_HEAD(, Coroutine) straight, reversed;
 +
 +    QSLIST_MOVE_ATOMIC(&reversed, &ctx->scheduled_coroutines);
 +    QSLIST_INIT(&straight);
 +
 +    while (!QSLIST_EMPTY(&reversed)) {
 +        Coroutine *co = QSLIST_FIRST(&reversed);
 +        QSLIST_REMOVE_HEAD(&reversed, co_scheduled_next);
 +        QSLIST_INSERT_HEAD(&straight, co, co_scheduled_next);
 +    }
 +
 +    while (!QSLIST_EMPTY(&straight)) {
 +        Coroutine *co = QSLIST_FIRST(&straight);
 +        QSLIST_REMOVE_HEAD(&straight, co_scheduled_next);
 +        trace_aio_co_schedule_bh_cb(ctx, co);
 +        qemu_coroutine_enter(co);
 +    }
 +}
 +
  AioContext *aio_context_new(Error **errp)
  {
      int ret;
@@ -XXX,XX +XXX,XX @@ AioContext *aio_context_new(Error **errp)
      }
      g_source_set_can_recurse(&ctx->source, true);
      qemu_lockcnt_init(&ctx->list_lock);
 +
 +    ctx->co_schedule_bh = aio_bh_new(ctx, co_schedule_bh_cb, ctx);
 +    QSLIST_INIT(&ctx->scheduled_coroutines);
 +
      aio_set_event_notifier(ctx, &ctx->notifier,
                             false,
                             (EventNotifierHandler *)
@@ -XXX,XX +XXX,XX @@ fail:
      return NULL;
  }
 +void aio_co_schedule(AioContext *ctx, Coroutine *co)
 +{
 +    trace_aio_co_schedule(ctx, co);
 +    QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
 +                              co, co_scheduled_next);
 +    qemu_bh_schedule(ctx->co_schedule_bh);
 +}
 +
 +void aio_co_wake(struct Coroutine *co)
 +{
 +    AioContext *ctx;
 +
 +    /* Read coroutine before co->ctx.  Matches smp_wmb in
 +     * qemu_coroutine_enter.
 +     */
-+    const char* (*get_init_cmdline)(struct FuzzTarget *);
++    smp_read_barrier_depends();
-+
++    ctx = atomic_read(&co->ctx);
-+    /*
++
-+     * will run once, prior to running qemu/softmmu init.
++    if (ctx != qemu_get_current_aio_context()) {
-+     * eg: set up shared-memory for communication with the child-process
++        aio_co_schedule(ctx, co);
-+     * Can be NULL
++        return;
 +    }
 +
 +    if (qemu_in_coroutine()) {
 +        Coroutine *self = qemu_coroutine_self();
 +        assert(self != co);
 +        QSIMPLEQ_INSERT_TAIL(&self->co_queue_wakeup, co, co_queue_next);
 +    } else {
 +        aio_context_acquire(ctx);
 +        qemu_coroutine_enter(co);
 +        aio_context_release(ctx);
 +    }
 +}
 +
  void aio_context_ref(AioContext *ctx)
  {
      g_source_ref(&ctx->source);
 diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/qemu-coroutine.c
 +++ b/util/qemu-coroutine.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/atomic.h"
  #include "qemu/coroutine.h"
  #include "qemu/coroutine_int.h"
 +#include "block/aio.h"
  enum {
      POOL_BATCH_SIZE = 64,
@@ -XXX,XX +XXX,XX @@ void qemu_coroutine_enter(Coroutine *co)
      }
      co->caller = self;
 +    co->ctx = qemu_get_current_aio_context();
 +
 +    /* Store co->ctx before anything that stores co.  Matches
 +     * barrier in aio_co_wake.
 +     */
-+    void(*pre_vm_init)(void);
++    smp_wmb();
 +
-+    /*
+     ret = qemu_coroutine_switch(self, co, COROUTINE_ENTER);
-+     * will run once, after QEMU has been initialized, prior to the fuzz-loop.
-+     * eg: detect the memory map
+     qemu_co_queue_run_restart(co);
-+     * Can be NULL
+diff --git a/util/trace-events b/util/trace-events
-+     */
+index XXXXXXX..XXXXXXX 100644
-+    void(*pre_fuzz)(QTestState *);
+--- a/util/trace-events
-+
++++ b/util/trace-events
-+    /*
+@@ -XXX,XX +XXX,XX @@ run_poll_handlers_end(void *ctx, bool progress) "ctx %p progress %d"
-+     * accepts and executes an input from libfuzzer. this is repeatedly
+ poll_shrink(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
-+     * executed during the fuzzing loop. Its should handle setup, input
+ poll_grow(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
-+     * execution and cleanup.
-+     * Cannot be NULL
++# util/async.c
-+     */
++aio_co_schedule(void *ctx, void *co) "ctx %p co %p"
-+    void(*fuzz)(QTestState *, const unsigned char *, size_t);
++aio_co_schedule_bh_cb(void *ctx, void *co) "ctx %p co %p"
 +
-+} FuzzTarget;
+ # util/thread-pool.c
-+
+ thread_pool_submit(void *pool, void *req, void *opaque) "pool %p req %p opaque %p"
-+void flush_events(QTestState *);
+ thread_pool_complete(void *pool, void *req, void *opaque, int ret) "pool %p req %p opaque %p ret %d"
 +void reboot(QTestState *);
 +
 +/*
 + * makes a copy of *target and adds it to the target-list.
 + * i.e. fine to set up target on the caller's stack
 + */
 +void fuzz_add_target(const FuzzTarget *target);
 +
 +int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size);
 +int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp);
 +
 +#endif
 +
 --
-.24.1
+.9.3

-[PULL 23/31] main: keep rcu_atfork callback enabled for qtest
+[Qemu-devel] [PULL v2 03/24] block-backend: allow blk_prw from coroutine context
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-The qtest-based fuzzer makes use of forking to reset-state between
+qcow2_create2 calls this.  Do not run a nested event loop, as that
-tests. Keep the callback enabled, so the call_rcu thread gets created
+breaks when aio_co_wake tries to queue the coroutine on the co_queue_wakeup
-within the child process.
+list of the currently running one.
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
-Message-id: 20200220041118.23264-15-alxndr@bu.edu
+Message-id: 20170213135235.12274-4-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- softmmu/vl.c | 12 +++++++++++-
+ block/block-backend.c | 12 ++++++++----
-file changed, 11 insertions(+), 1 deletion(-)
+file changed, 8 insertions(+), 4 deletions(-)
-diff --git a/softmmu/vl.c b/softmmu/vl.c
+diff --git a/block/block-backend.c b/block/block-backend.c
 index XXXXXXX..XXXXXXX 100644
---- a/softmmu/vl.c
+--- a/block/block-backend.c
-+++ b/softmmu/vl.c
++++ b/block/block-backend.c
-@@ -XXX,XX +XXX,XX @@ void qemu_init(int argc, char **argv, char **envp)
+@@ -XXX,XX +XXX,XX @@ static int blk_prw(BlockBackend *blk, int64_t offset, uint8_t *buf,
-     set_memory_options(&ram_slots, &maxram_size, machine_class);
+ {
+     QEMUIOVector qiov;
-     os_daemonize();
+     struct iovec iov;
--    rcu_disable_atfork();
+-    Coroutine *co;
-+
+     BlkRwCo rwco;
-+    /*
-+     * If QTest is enabled, keep the rcu_atfork enabled, since system processes
+     iov = (struct iovec) {
-+     * may be forked testing purposes (e.g. fork-server based fuzzing) The fork
+@@ -XXX,XX +XXX,XX @@ static int blk_prw(BlockBackend *blk, int64_t offset, uint8_t *buf,
-+     * should happen before a signle cpu instruction is executed, to prevent
+         .ret    = NOT_DONE,
-+     * deadlocks. See commit 73c6e40, rcu: "completely disable pthread_atfork
+     };
-+     * callbacks as soon as possible"
-+     */
+-    co = qemu_coroutine_create(co_entry, &rwco);
-+    if (!qtest_enabled()) {
+-    qemu_coroutine_enter(co);
-+        rcu_disable_atfork();
+-    BDRV_POLL_WHILE(blk_bs(blk), rwco.ret == NOT_DONE);
 +    if (qemu_in_coroutine()) {
 +        /* Fast-path if already in coroutine context */
 +        co_entry(&rwco);
 +    } else {
 +        Coroutine *co = qemu_coroutine_create(co_entry, &rwco);
 +        qemu_coroutine_enter(co);
 +        BDRV_POLL_WHILE(blk_bs(blk), rwco.ret == NOT_DONE);
 +    }
-     if (pid_file && !qemu_write_pidfile(pid_file, &err)) {
+     return rwco.ret;
-         error_reportf_err(err, "cannot create PID file: ");
+ }
 --
-.24.1
+.9.3

-[PULL 22/31] exec: keep ram block across fork when using qtest
+[Qemu-devel] [PULL v2 04/24] test-thread-pool: use generic AioContext infrastructure
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-Ram blocks were marked MADV_DONTFORK breaking fuzzing-tests which
+Once the thread pool starts using aio_co_wake, it will also need
-execute each test-input in a forked process.
+qemu_get_current_aio_context().  Make test-thread-pool create
 an AioContext with qemu_init_main_loop, so that stubs/iothread.c
 and tests/iothread.c can provide the rest.
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20200220041118.23264-14-alxndr@bu.edu
+Reviewed-by: Fam Zheng <famz@redhat.com>
 Message-id: 20170213135235.12274-5-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- exec.c | 12 ++++++++++--
+ tests/test-thread-pool.c | 12 +++---------
-file changed, 10 insertions(+), 2 deletions(-)
+file changed, 3 insertions(+), 9 deletions(-)
-diff --git a/exec.c b/exec.c
+diff --git a/tests/test-thread-pool.c b/tests/test-thread-pool.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/tests/test-thread-pool.c
-+++ b/exec.c
++++ b/tests/test-thread-pool.c
 @@ -XXX,XX +XXX,XX @@
- #include "sysemu/kvm.h"
+ #include "qapi/error.h"
  #include "sysemu/sysemu.h"
  #include "sysemu/tcg.h"
 +#include "sysemu/qtest.h"
  #include "qemu/timer.h"
- #include "qemu/config-file.h"
  #include "qemu/error-report.h"
-@@ -XXX,XX +XXX,XX @@ static void ram_block_add(RAMBlock *new_block, Error **errp, bool shared)
++#include "qemu/main-loop.h"
-     if (new_block->host) {
-         qemu_ram_setup_dump(new_block->host, new_block->max_length);
+ static AioContext *ctx;
-         qemu_madvise(new_block->host, new_block->max_length, QEMU_MADV_HUGEPAGE);
+ static ThreadPool *pool;
--        /* MADV_DONTFORK is also needed by KVM in absence of synchronous MMU */
+@@ -XXX,XX +XXX,XX @@ static void test_cancel_async(void)
--        qemu_madvise(new_block->host, new_block->max_length, QEMU_MADV_DONTFORK);
+ int main(int argc, char **argv)
-+        /*
+ {
-+         * MADV_DONTFORK is also needed by KVM in absence of synchronous MMU
+     int ret;
-+         * Configure it unless the machine is a qtest server, in which case
+-    Error *local_error = NULL;
-+         * KVM is not used and it may be forked (eg for fuzzing purposes).
-+         */
+-    init_clocks();
-+        if (!qtest_enabled()) {
+-
-+            qemu_madvise(new_block->host, new_block->max_length,
+-    ctx = aio_context_new(&local_error);
-+                         QEMU_MADV_DONTFORK);
+-    if (!ctx) {
-+        }
+-        error_reportf_err(local_error, "Failed to create AIO Context: ");
-         ram_block_notify_add(new_block->host, new_block->max_length);
+-        exit(1);
-     }
+-    }
 +    qemu_init_main_loop(&error_abort);
 +    ctx = qemu_get_current_aio_context();
      pool = aio_get_thread_pool(ctx);
      g_test_init(&argc, &argv, NULL);
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
      ret = g_test_run();
 -    aio_context_unref(ctx);
      return ret;
  }
 --
-.24.1
+.9.3

-[PULL 24/31] fuzz: support for fork-based fuzzing.
+[Qemu-devel] [PULL v2 05/24] io: add methods to set I/O handlers on AioContext
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-fork() is a simple way to ensure that state does not leak in between
+This is in preparation for making qio_channel_yield work on
-fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
+AioContexts other than the main one.
-bitmaps which contain coverage information for each fuzzing run, and
-these bitmaps should be copied from the child to the parent(where the
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
 mutation occurs). These bitmaps are created through compile-time
 instrumentation and they are not shared with fork()-ed processes, by
 default. To address this, we create a shared memory region, adjust its
 size and map it _over_ the counter region. Furthermore, libfuzzer
 doesn't generally expose the globals that specify the location of the
 counters/coverage bitmap. As a workaround, we rely on a custom linker
 script which forces all of the bitmaps we care about to be placed in a
 contiguous region, which is easy to locate and mmap over.
 Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20200220041118.23264-16-alxndr@bu.edu
+Reviewed-by: Fam Zheng <famz@redhat.com>
 Message-id: 20170213135235.12274-6-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- tests/qtest/fuzz/Makefile.include |  5 +++
+ include/io/channel.h | 25 +++++++++++++++++++++++++
- tests/qtest/fuzz/fork_fuzz.c      | 55 +++++++++++++++++++++++++++++++
+ io/channel-command.c | 13 +++++++++++++
- tests/qtest/fuzz/fork_fuzz.h      | 23 +++++++++++++
+ io/channel-file.c    | 11 +++++++++++
- tests/qtest/fuzz/fork_fuzz.ld     | 37 +++++++++++++++++++++
+ io/channel-socket.c  | 16 +++++++++++-----
-files changed, 120 insertions(+)
+ io/channel-tls.c     | 12 ++++++++++++
- create mode 100644 tests/qtest/fuzz/fork_fuzz.c
+ io/channel-watch.c   |  6 ++++++
- create mode 100644 tests/qtest/fuzz/fork_fuzz.h
+ io/channel.c         | 11 +++++++++++
- create mode 100644 tests/qtest/fuzz/fork_fuzz.ld
+files changed, 89 insertions(+), 5 deletions(-)
-diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
+diff --git a/include/io/channel.h b/include/io/channel.h
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/fuzz/Makefile.include
+--- a/include/io/channel.h
-+++ b/tests/qtest/fuzz/Makefile.include
++++ b/include/io/channel.h
@@ -XXX,XX +XXX,XX @@ QEMU_PROG_FUZZ=qemu-fuzz-$(TARGET_NAME)$(EXESUF)
  fuzz-obj-y += tests/qtest/libqtest.o
  fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
 +fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o
  FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
 +
 +# Linker Script to force coverage-counters into known regions which we can mark
 +# shared
 +FUZZ_LDFLAGS += -Xlinker -T$(SRC_PATH)/tests/qtest/fuzz/fork_fuzz.ld
 diff --git a/tests/qtest/fuzz/fork_fuzz.c b/tests/qtest/fuzz/fork_fuzz.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/qtest/fuzz/fork_fuzz.c
 @@ -XXX,XX +XXX,XX @@
-+/*
-+ * Fork-based fuzzing helpers
+ #include "qemu-common.h"
  #include "qom/object.h"
 +#include "block/aio.h"
  #define TYPE_QIO_CHANNEL "qio-channel"
  #define QIO_CHANNEL(obj)                                    \
@@ -XXX,XX +XXX,XX @@ struct QIOChannelClass {
                       off_t offset,
                       int whence,
                       Error **errp);
 +    void (*io_set_aio_fd_handler)(QIOChannel *ioc,
 +                                  AioContext *ctx,
 +                                  IOHandler *io_read,
 +                                  IOHandler *io_write,
 +                                  void *opaque);
  };
  /* General I/O handling functions */
@@ -XXX,XX +XXX,XX @@ void qio_channel_yield(QIOChannel *ioc,
  void qio_channel_wait(QIOChannel *ioc,
                        GIOCondition condition);
 +/**
 + * qio_channel_set_aio_fd_handler:
 + * @ioc: the channel object
 + * @ctx: the AioContext to set the handlers on
 + * @io_read: the read handler
 + * @io_write: the write handler
 + * @opaque: the opaque value passed to the handler
 + *
-+ * Copyright Red Hat Inc., 2019
++ * This is used internally by qio_channel_yield().  It can
-+ *
++ * be used by channel implementations to forward the handlers
-+ * Authors:
++ * to another channel (e.g. from #QIOChannelTLS to the
-+ *  Alexander Bulekov   <alxndr@bu.edu>
++ * underlying socket).
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
 + *
 + */
-+
++void qio_channel_set_aio_fd_handler(QIOChannel *ioc,
-+#include "qemu/osdep.h"
++                                    AioContext *ctx,
-+#include "fork_fuzz.h"
++                                    IOHandler *io_read,
-+
++                                    IOHandler *io_write,
-+
++                                    void *opaque);
-+void counter_shm_init(void)
++
-+{
+ #endif /* QIO_CHANNEL_H */
-+    char *shm_path = g_strdup_printf("/qemu-fuzz-cntrs.%d", getpid());
+diff --git a/io/channel-command.c b/io/channel-command.c
-+    int fd = shm_open(shm_path, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
+index XXXXXXX..XXXXXXX 100644
-+    g_free(shm_path);
+--- a/io/channel-command.c
-+
++++ b/io/channel-command.c
-+    if (fd == -1) {
+@@ -XXX,XX +XXX,XX @@ static int qio_channel_command_close(QIOChannel *ioc,
-+        perror("Error: ");
+ }
-+        exit(1);
-+    }
-+    if (ftruncate(fd, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START) == -1) {
++static void qio_channel_command_set_aio_fd_handler(QIOChannel *ioc,
-+        perror("Error: ");
++                                                   AioContext *ctx,
-+        exit(1);
++                                                   IOHandler *io_read,
-+    }
++                                                   IOHandler *io_write,
-+    /* Copy what's in the counter region to the shm.. */
++                                                   void *opaque)
-+    void *rptr = mmap(NULL ,
++{
-+            &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,
++    QIOChannelCommand *cioc = QIO_CHANNEL_COMMAND(ioc);
-+            PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
++    aio_set_fd_handler(ctx, cioc->readfd, false, io_read, NULL, NULL, opaque);
-+    memcpy(rptr,
++    aio_set_fd_handler(ctx, cioc->writefd, false, NULL, io_write, NULL, opaque);
-+           &__FUZZ_COUNTERS_START,
++}
-+           &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
++
 +
-+    munmap(rptr, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
+ static GSource *qio_channel_command_create_watch(QIOChannel *ioc,
-+
+                                                  GIOCondition condition)
-+    /* And map the shm over the counter region */
+ {
-+    rptr = mmap(&__FUZZ_COUNTERS_START,
+@@ -XXX,XX +XXX,XX @@ static void qio_channel_command_class_init(ObjectClass *klass,
-+            &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,
+     ioc_klass->io_set_blocking = qio_channel_command_set_blocking;
-+            PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, 0);
+     ioc_klass->io_close = qio_channel_command_close;
-+
+     ioc_klass->io_create_watch = qio_channel_command_create_watch;
-+    close(fd);
++    ioc_klass->io_set_aio_fd_handler = qio_channel_command_set_aio_fd_handler;
-+
+ }
-+    if (!rptr) {
-+        perror("Error: ");
+ static const TypeInfo qio_channel_command_info = {
-+        exit(1);
+diff --git a/io/channel-file.c b/io/channel-file.c
-+    }
+index XXXXXXX..XXXXXXX 100644
-+}
+--- a/io/channel-file.c
-+
++++ b/io/channel-file.c
-+
+@@ -XXX,XX +XXX,XX @@ static int qio_channel_file_close(QIOChannel *ioc,
-diff --git a/tests/qtest/fuzz/fork_fuzz.h b/tests/qtest/fuzz/fork_fuzz.h
+ }
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
++static void qio_channel_file_set_aio_fd_handler(QIOChannel *ioc,
-+++ b/tests/qtest/fuzz/fork_fuzz.h
++                                                AioContext *ctx,
-@@ -XXX,XX +XXX,XX @@
++                                                IOHandler *io_read,
-+/*
++                                                IOHandler *io_write,
-+ * Fork-based fuzzing helpers
++                                                void *opaque)
-+ *
++{
-+ * Copyright Red Hat Inc., 2019
++    QIOChannelFile *fioc = QIO_CHANNEL_FILE(ioc);
-+ *
++    aio_set_fd_handler(ctx, fioc->fd, false, io_read, io_write, NULL, opaque);
-+ * Authors:
++}
-+ *  Alexander Bulekov   <alxndr@bu.edu>
++
-+ *
+ static GSource *qio_channel_file_create_watch(QIOChannel *ioc,
-+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+                                               GIOCondition condition)
-+ * See the COPYING file in the top-level directory.
+ {
-+ *
+@@ -XXX,XX +XXX,XX @@ static void qio_channel_file_class_init(ObjectClass *klass,
-+ */
+     ioc_klass->io_seek = qio_channel_file_seek;
-+
+     ioc_klass->io_close = qio_channel_file_close;
-+#ifndef FORK_FUZZ_H
+     ioc_klass->io_create_watch = qio_channel_file_create_watch;
-+#define FORK_FUZZ_H
++    ioc_klass->io_set_aio_fd_handler = qio_channel_file_set_aio_fd_handler;
-+
+ }
-+extern uint8_t __FUZZ_COUNTERS_START;
-+extern uint8_t __FUZZ_COUNTERS_END;
+ static const TypeInfo qio_channel_file_info = {
-+
+diff --git a/io/channel-socket.c b/io/channel-socket.c
-+void counter_shm_init(void);
+index XXXXXXX..XXXXXXX 100644
-+
+--- a/io/channel-socket.c
 +++ b/io/channel-socket.c
@@ -XXX,XX +XXX,XX @@ qio_channel_socket_set_blocking(QIOChannel *ioc,
          qemu_set_block(sioc->fd);
      } else {
          qemu_set_nonblock(sioc->fd);
 -#ifdef WIN32
 -        WSAEventSelect(sioc->fd, ioc->event,
 -                       FD_READ | FD_ACCEPT | FD_CLOSE |
 -                       FD_CONNECT | FD_WRITE | FD_OOB);
 -#endif
      }
      return 0;
  }
@@ -XXX,XX +XXX,XX @@ qio_channel_socket_shutdown(QIOChannel *ioc,
      return 0;
  }
 +static void qio_channel_socket_set_aio_fd_handler(QIOChannel *ioc,
 +                                                  AioContext *ctx,
 +                                                  IOHandler *io_read,
 +                                                  IOHandler *io_write,
 +                                                  void *opaque)
 +{
 +    QIOChannelSocket *sioc = QIO_CHANNEL_SOCKET(ioc);
 +    aio_set_fd_handler(ctx, sioc->fd, false, io_read, io_write, NULL, opaque);
 +}
 +
  static GSource *qio_channel_socket_create_watch(QIOChannel *ioc,
                                                  GIOCondition condition)
  {
@@ -XXX,XX +XXX,XX @@ static void qio_channel_socket_class_init(ObjectClass *klass,
      ioc_klass->io_set_cork = qio_channel_socket_set_cork;
      ioc_klass->io_set_delay = qio_channel_socket_set_delay;
      ioc_klass->io_create_watch = qio_channel_socket_create_watch;
 +    ioc_klass->io_set_aio_fd_handler = qio_channel_socket_set_aio_fd_handler;
  }
  static const TypeInfo qio_channel_socket_info = {
 diff --git a/io/channel-tls.c b/io/channel-tls.c
 index XXXXXXX..XXXXXXX 100644
 --- a/io/channel-tls.c
 +++ b/io/channel-tls.c
@@ -XXX,XX +XXX,XX @@ static int qio_channel_tls_close(QIOChannel *ioc,
      return qio_channel_close(tioc->master, errp);
  }
 +static void qio_channel_tls_set_aio_fd_handler(QIOChannel *ioc,
 +                                               AioContext *ctx,
 +                                               IOHandler *io_read,
 +                                               IOHandler *io_write,
 +                                               void *opaque)
 +{
 +    QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
 +
 +    qio_channel_set_aio_fd_handler(tioc->master, ctx, io_read, io_write, opaque);
 +}
 +
  static GSource *qio_channel_tls_create_watch(QIOChannel *ioc,
                                               GIOCondition condition)
  {
@@ -XXX,XX +XXX,XX @@ static void qio_channel_tls_class_init(ObjectClass *klass,
      ioc_klass->io_close = qio_channel_tls_close;
      ioc_klass->io_shutdown = qio_channel_tls_shutdown;
      ioc_klass->io_create_watch = qio_channel_tls_create_watch;
 +    ioc_klass->io_set_aio_fd_handler = qio_channel_tls_set_aio_fd_handler;
  }
  static const TypeInfo qio_channel_tls_info = {
 diff --git a/io/channel-watch.c b/io/channel-watch.c
 index XXXXXXX..XXXXXXX 100644
 --- a/io/channel-watch.c
 +++ b/io/channel-watch.c
@@ -XXX,XX +XXX,XX @@ GSource *qio_channel_create_socket_watch(QIOChannel *ioc,
      GSource *source;
      QIOChannelSocketSource *ssource;
 +#ifdef WIN32
 +    WSAEventSelect(socket, ioc->event,
 +                   FD_READ | FD_ACCEPT | FD_CLOSE |
 +                   FD_CONNECT | FD_WRITE | FD_OOB);
 +#endif
 +
-diff --git a/tests/qtest/fuzz/fork_fuzz.ld b/tests/qtest/fuzz/fork_fuzz.ld
+     source = g_source_new(&qio_channel_socket_source_funcs,
-new file mode 100644
+                           sizeof(QIOChannelSocketSource));
-index XXXXXXX..XXXXXXX
+     ssource = (QIOChannelSocketSource *)source;
---- /dev/null
+diff --git a/io/channel.c b/io/channel.c
-+++ b/tests/qtest/fuzz/fork_fuzz.ld
+index XXXXXXX..XXXXXXX 100644
-@@ -XXX,XX +XXX,XX @@
+--- a/io/channel.c
-+/* We adjust linker script modification to place all of the stuff that needs to
++++ b/io/channel.c
-+ * persist across fuzzing runs into a contiguous seciton of memory. Then, it is
+@@ -XXX,XX +XXX,XX @@ GSource *qio_channel_create_watch(QIOChannel *ioc,
-+ * easy to re-map the counter-related memory as shared.
+ }
-+*/
-+
-+SECTIONS
++void qio_channel_set_aio_fd_handler(QIOChannel *ioc,
-+{
++                                    AioContext *ctx,
-+  .data.fuzz_start : ALIGN(4K)
++                                    IOHandler *io_read,
-+  {
++                                    IOHandler *io_write,
-+      __FUZZ_COUNTERS_START = .;
++                                    void *opaque)
-+      __start___sancov_cntrs = .;
++{
-+      *(_*sancov_cntrs);
++    QIOChannelClass *klass = QIO_CHANNEL_GET_CLASS(ioc);
-+      __stop___sancov_cntrs = .;
++
-+
++    klass->io_set_aio_fd_handler(ioc, ctx, io_read, io_write, opaque);
-+      /* Lowest stack counter */
++}
-+      *(__sancov_lowest_stack);
++
-+  }
+ guint qio_channel_add_watch(QIOChannel *ioc,
-+  .data.fuzz_ordered :
+                             GIOCondition condition,
-+  {
+                             QIOChannelFunc func,
 +      /* Coverage counters. They're not necessary for fuzzing, but are useful
 +       * for analyzing the fuzzing performance
 +       */
 +      __start___llvm_prf_cnts = .;
 +      *(*llvm_prf_cnts);
 +      __stop___llvm_prf_cnts = .;
 +
 +      /* Internal Libfuzzer TracePC object which contains the ValueProfileMap */
 +      FuzzerTracePC*(.bss*);
 +  }
 +  .data.fuzz_end : ALIGN(4K)
 +  {
 +      __FUZZ_COUNTERS_END = .;
 +  }
 +}
 +/* Dont overwrite the SECTIONS in the default linker script. Instead insert the
 + * above into the default script */
 +INSERT AFTER .data;
 --
-.24.1
+.9.3

-[PULL 12/31] module: check module wasn't already initialized
+[Qemu-devel] [PULL v2 06/24] io: make qio_channel_yield aware of AioContexts
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-The virtual-device fuzzer must initialize QOM, prior to running
+Support separate coroutines for reading and writing, and place the
-vl:qemu_init, so that it can use the qos_graph to identify the arguments
+read/write handlers on the AioContext that the QIOChannel is registered
-required to initialize a guest for libqos-assisted fuzzing. This change
+with.
-prevents errors when vl:qemu_init tries to (re)initialize the previously
-initialized QOM module.
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
 Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
-Message-id: 20200220041118.23264-4-alxndr@bu.edu
+Message-id: 20170213135235.12274-7-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- util/module.c | 7 +++++++
+ include/io/channel.h | 47 ++++++++++++++++++++++++++--
-file changed, 7 insertions(+)
+ io/channel.c         | 86 +++++++++++++++++++++++++++++++++++++++-------------
+files changed, 109 insertions(+), 24 deletions(-)
-diff --git a/util/module.c b/util/module.c
 diff --git a/include/io/channel.h b/include/io/channel.h
 index XXXXXXX..XXXXXXX 100644
---- a/util/module.c
+--- a/include/io/channel.h
-+++ b/util/module.c
++++ b/include/io/channel.h
-@@ -XXX,XX +XXX,XX @@ typedef struct ModuleEntry
+@@ -XXX,XX +XXX,XX @@
- typedef QTAILQ_HEAD(, ModuleEntry) ModuleTypeList;
+ #include "qemu-common.h"
- static ModuleTypeList init_type_list[MODULE_INIT_MAX];
+ #include "qom/object.h"
-+static bool modules_init_done[MODULE_INIT_MAX];
++#include "qemu/coroutine.h"
+ #include "block/aio.h"
- static ModuleTypeList dso_init_list;
+ #define TYPE_QIO_CHANNEL "qio-channel"
-@@ -XXX,XX +XXX,XX @@ void module_call_init(module_init_type type)
+@@ -XXX,XX +XXX,XX @@ struct QIOChannel {
-     ModuleTypeList *l;
+     Object parent;
-     ModuleEntry *e;
+     unsigned int features; /* bitmask of QIOChannelFeatures */
+     char *name;
-+    if (modules_init_done[type]) {
++    AioContext *ctx;
 +    Coroutine *read_coroutine;
 +    Coroutine *write_coroutine;
  #ifdef _WIN32
      HANDLE event; /* For use with GSource on Win32 */
  #endif
@@ -XXX,XX +XXX,XX @@ guint qio_channel_add_watch(QIOChannel *ioc,
  /**
 + * qio_channel_attach_aio_context:
 + * @ioc: the channel object
 + * @ctx: the #AioContext to set the handlers on
 + *
 + * Request that qio_channel_yield() sets I/O handlers on
 + * the given #AioContext.  If @ctx is %NULL, qio_channel_yield()
 + * uses QEMU's main thread event loop.
 + *
 + * You can move a #QIOChannel from one #AioContext to another even if
 + * I/O handlers are set for a coroutine.  However, #QIOChannel provides
 + * no synchronization between the calls to qio_channel_yield() and
 + * qio_channel_attach_aio_context().
 + *
 + * Therefore you should first call qio_channel_detach_aio_context()
 + * to ensure that the coroutine is not entered concurrently.  Then,
 + * while the coroutine has yielded, call qio_channel_attach_aio_context(),
 + * and then aio_co_schedule() to place the coroutine on the new
 + * #AioContext.  The calls to qio_channel_detach_aio_context()
 + * and qio_channel_attach_aio_context() should be protected with
 + * aio_context_acquire() and aio_context_release().
 + */
 +void qio_channel_attach_aio_context(QIOChannel *ioc,
 +                                    AioContext *ctx);
 +
 +/**
 + * qio_channel_detach_aio_context:
 + * @ioc: the channel object
 + *
 + * Disable any I/O handlers set by qio_channel_yield().  With the
 + * help of aio_co_schedule(), this allows moving a coroutine that was
 + * paused by qio_channel_yield() to another context.
 + */
 +void qio_channel_detach_aio_context(QIOChannel *ioc);
 +
 +/**
   * qio_channel_yield:
   * @ioc: the channel object
   * @condition: the I/O condition to wait for
   *
 - * Yields execution from the current coroutine until
 - * the condition indicated by @condition becomes
 - * available.
 + * Yields execution from the current coroutine until the condition
 + * indicated by @condition becomes available.  @condition must
 + * be either %G_IO_IN or %G_IO_OUT; it cannot contain both.  In
 + * addition, no two coroutine can be waiting on the same condition
 + * and channel at the same time.
   *
   * This must only be called from coroutine context
   */
 diff --git a/io/channel.c b/io/channel.c
 index XXXXXXX..XXXXXXX 100644
 --- a/io/channel.c
 +++ b/io/channel.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "io/channel.h"
  #include "qapi/error.h"
 -#include "qemu/coroutine.h"
 +#include "qemu/main-loop.h"
  bool qio_channel_has_feature(QIOChannel *ioc,
                               QIOChannelFeature feature)
@@ -XXX,XX +XXX,XX @@ off_t qio_channel_io_seek(QIOChannel *ioc,
  }
 -typedef struct QIOChannelYieldData QIOChannelYieldData;
 -struct QIOChannelYieldData {
 -    QIOChannel *ioc;
 -    Coroutine *co;
 -};
 +static void qio_channel_set_aio_fd_handlers(QIOChannel *ioc);
 +static void qio_channel_restart_read(void *opaque)
 +{
 +    QIOChannel *ioc = opaque;
 +    Coroutine *co = ioc->read_coroutine;
 +
 +    ioc->read_coroutine = NULL;
 +    qio_channel_set_aio_fd_handlers(ioc);
 +    aio_co_wake(co);
 +}
 -static gboolean qio_channel_yield_enter(QIOChannel *ioc,
 -                                        GIOCondition condition,
 -                                        gpointer opaque)
 +static void qio_channel_restart_write(void *opaque)
  {
 -    QIOChannelYieldData *data = opaque;
 -    qemu_coroutine_enter(data->co);
 -    return FALSE;
 +    QIOChannel *ioc = opaque;
 +    Coroutine *co = ioc->write_coroutine;
 +
 +    ioc->write_coroutine = NULL;
 +    qio_channel_set_aio_fd_handlers(ioc);
 +    aio_co_wake(co);
  }
 +static void qio_channel_set_aio_fd_handlers(QIOChannel *ioc)
 +{
 +    IOHandler *rd_handler = NULL, *wr_handler = NULL;
 +    AioContext *ctx;
 +
 +    if (ioc->read_coroutine) {
 +        rd_handler = qio_channel_restart_read;
 +    }
 +    if (ioc->write_coroutine) {
 +        wr_handler = qio_channel_restart_write;
 +    }
 +
 +    ctx = ioc->ctx ? ioc->ctx : iohandler_get_aio_context();
 +    qio_channel_set_aio_fd_handler(ioc, ctx, rd_handler, wr_handler, ioc);
 +}
 +
 +void qio_channel_attach_aio_context(QIOChannel *ioc,
 +                                    AioContext *ctx)
 +{
 +    AioContext *old_ctx;
 +    if (ioc->ctx == ctx) {
 +        return;
 +    }
 +
-     l = find_type(type);
++    old_ctx = ioc->ctx ? ioc->ctx : iohandler_get_aio_context();
++    qio_channel_set_aio_fd_handler(ioc, old_ctx, NULL, NULL, NULL);
-     QTAILQ_FOREACH(e, l, node) {
++    ioc->ctx = ctx;
-         e->init();
++    qio_channel_set_aio_fd_handlers(ioc);
-     }
++}
 +
-+    modules_init_done[type] = true;
++void qio_channel_detach_aio_context(QIOChannel *ioc)
 +{
 +    ioc->read_coroutine = NULL;
 +    ioc->write_coroutine = NULL;
 +    qio_channel_set_aio_fd_handlers(ioc);
 +    ioc->ctx = NULL;
 +}
  void coroutine_fn qio_channel_yield(QIOChannel *ioc,
                                      GIOCondition condition)
  {
 -    QIOChannelYieldData data;
 -
      assert(qemu_in_coroutine());
 -    data.ioc = ioc;
 -    data.co = qemu_coroutine_self();
 -    qio_channel_add_watch(ioc,
 -                          condition,
 -                          qio_channel_yield_enter,
 -                          &data,
 -                          NULL);
 +    if (condition == G_IO_IN) {
 +        assert(!ioc->read_coroutine);
 +        ioc->read_coroutine = qemu_coroutine_self();
 +    } else if (condition == G_IO_OUT) {
 +        assert(!ioc->write_coroutine);
 +        ioc->write_coroutine = qemu_coroutine_self();
 +    } else {
 +        abort();
 +    }
 +    qio_channel_set_aio_fd_handlers(ioc);
      qemu_coroutine_yield();
  }
- #ifdef CONFIG_MODULES
 --
-.24.1
+.9.3

-[PULL 20/31] libqos: move useful qos-test funcs to qos_external
+[Qemu-devel] [PULL v2 07/24] nbd: convert to use qio_channel_yield
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-The moved functions are not specific to qos-test and might be useful
+In the client, read the reply headers from a coroutine, switching the
-elsewhere. For example the virtual-device fuzzer makes use of them for
+read side between the "read header" coroutine and the I/O coroutine that
-qos-assisted fuzz-targets.
+reads the body of the reply.
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+In the server, if the server can read more requests it will create a new
 "read request" coroutine as soon as a request has been read.  Otherwise,
 the new coroutine is created in nbd_request_put.
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
-Message-id: 20200220041118.23264-12-alxndr@bu.edu
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
 Message-id: 20170213135235.12274-8-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- tests/qtest/Makefile.include      |   1 +
+ block/nbd-client.h |   2 +-
- tests/qtest/libqos/qos_external.c | 168 ++++++++++++++++++++++++++++++
+ block/nbd-client.c | 117 ++++++++++++++++++++++++-----------------------------
- tests/qtest/libqos/qos_external.h |  28 +++++
+ nbd/client.c       |   2 +-
- tests/qtest/qos-test.c            | 132 +----------------------
+ nbd/common.c       |   9 +----
-files changed, 198 insertions(+), 131 deletions(-)
+ nbd/server.c       |  94 +++++++++++++-----------------------------
- create mode 100644 tests/qtest/libqos/qos_external.c
+files changed, 83 insertions(+), 141 deletions(-)
  create mode 100644 tests/qtest/libqos/qos_external.h
-diff --git a/tests/qtest/Makefile.include b/tests/qtest/Makefile.include
+diff --git a/block/nbd-client.h b/block/nbd-client.h
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/Makefile.include
+--- a/block/nbd-client.h
-+++ b/tests/qtest/Makefile.include
++++ b/block/nbd-client.h
-@@ -XXX,XX +XXX,XX @@ libqos-usb-obj-y = $(libqos-spapr-obj-y) $(libqos-pc-obj-y) tests/qtest/libqos/u
+@@ -XXX,XX +XXX,XX @@ typedef struct NBDClientSession {
- # qos devices:
- libqos-obj-y =  $(libqgraph-obj-y)
+     CoMutex send_mutex;
- libqos-obj-y += $(libqos-pc-obj-y) $(libqos-spapr-obj-y)
+     CoQueue free_sema;
-+libqos-obj-y += tests/qtest/libqos/qos_external.o
+-    Coroutine *send_coroutine;
- libqos-obj-y += tests/qtest/libqos/e1000e.o
++    Coroutine *read_reply_co;
- libqos-obj-y += tests/qtest/libqos/i2c.o
+     int in_flight;
- libqos-obj-y += tests/qtest/libqos/i2c-imx.o
-diff --git a/tests/qtest/libqos/qos_external.c b/tests/qtest/libqos/qos_external.c
+     Coroutine *recv_coroutine[MAX_NBD_REQUESTS];
-new file mode 100644
+diff --git a/block/nbd-client.c b/block/nbd-client.c
-index XXXXXXX..XXXXXXX
+index XXXXXXX..XXXXXXX 100644
---- /dev/null
+--- a/block/nbd-client.c
-+++ b/tests/qtest/libqos/qos_external.c
++++ b/block/nbd-client.c
 @@ -XXX,XX +XXX,XX @@
-+/*
+ #define HANDLE_TO_INDEX(bs, handle) ((handle) ^ ((uint64_t)(intptr_t)bs))
-+ * libqos driver framework
+ #define INDEX_TO_HANDLE(bs, index)  ((index)  ^ ((uint64_t)(intptr_t)bs))
-+ *
-+ * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
+-static void nbd_recv_coroutines_enter_all(NBDClientSession *s)
-+ *
++static void nbd_recv_coroutines_enter_all(BlockDriverState *bs)
-+ * This library is free software; you can redistribute it and/or
+ {
-+ * modify it under the terms of the GNU Lesser General Public
++    NBDClientSession *s = nbd_get_client_session(bs);
-+ * License version 2 as published by the Free Software Foundation.
+     int i;
-+ *
-+ * This library is distributed in the hope that it will be useful,
+     for (i = 0; i < MAX_NBD_REQUESTS; i++) {
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+@@ -XXX,XX +XXX,XX @@ static void nbd_recv_coroutines_enter_all(NBDClientSession *s)
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+             qemu_coroutine_enter(s->recv_coroutine[i]);
-+ * Lesser General Public License for more details.
+         }
-+ *
+     }
-+ * You should have received a copy of the GNU Lesser General Public
++    BDRV_POLL_WHILE(bs, s->read_reply_co);
-+ * License along with this library; if not, see <http://www.gnu.org/licenses/>
+ }
-+ */
-+
+ static void nbd_teardown_connection(BlockDriverState *bs)
-+#include "qemu/osdep.h"
+@@ -XXX,XX +XXX,XX @@ static void nbd_teardown_connection(BlockDriverState *bs)
-+#include <getopt.h>
+     qio_channel_shutdown(client->ioc,
-+#include "libqtest.h"
+                          QIO_CHANNEL_SHUTDOWN_BOTH,
-+#include "qapi/qmp/qdict.h"
+                          NULL);
-+#include "qapi/qmp/qbool.h"
+-    nbd_recv_coroutines_enter_all(client);
-+#include "qapi/qmp/qstring.h"
++    nbd_recv_coroutines_enter_all(bs);
-+#include "qemu/module.h"
-+#include "qapi/qmp/qlist.h"
+     nbd_client_detach_aio_context(bs);
-+#include "libqos/malloc.h"
+     object_unref(OBJECT(client->sioc));
-+#include "libqos/qgraph.h"
+@@ -XXX,XX +XXX,XX @@ static void nbd_teardown_connection(BlockDriverState *bs)
-+#include "libqos/qgraph_internal.h"
+     client->ioc = NULL;
-+#include "libqos/qos_external.h"
+ }
-+
-+
+-static void nbd_reply_ready(void *opaque)
-+
++static coroutine_fn void nbd_read_reply_entry(void *opaque)
-+void apply_to_node(const char *name, bool is_machine, bool is_abstract)
+ {
-+{
+-    BlockDriverState *bs = opaque;
-+    char *machine_name = NULL;
+-    NBDClientSession *s = nbd_get_client_session(bs);
-+    if (is_machine) {
++    NBDClientSession *s = opaque;
-+        const char *arch = qtest_get_arch();
+     uint64_t i;
-+        machine_name = g_strconcat(arch, "/", name, NULL);
+     int ret;
-+        name = machine_name;
-+    }
+-    if (!s->ioc) { /* Already closed */
-+    qos_graph_node_set_availability(name, true);
+-        return;
-+    if (is_abstract) {
+-    }
-+        qos_delete_cmd_line(name);
+-
-+    }
+-    if (s->reply.handle == 0) {
-+    g_free(machine_name);
+-        /* No reply already in flight.  Fetch a header.  It is possible
-+}
+-         * that another thread has done the same thing in parallel, so
-+
+-         * the socket is not readable anymore.
-+/**
+-         */
 + * apply_to_qlist(): using QMP queries QEMU for a list of
 + * machines and devices available, and sets the respective node
 + * as true. If a node is found, also all its produced and contained
 + * child are marked available.
 + *
 + * See qos_graph_node_set_availability() for more info
 + */
 +void apply_to_qlist(QList *list, bool is_machine)
 +{
 +    const QListEntry *p;
 +    const char *name;
 +    bool abstract;
 +    QDict *minfo;
 +    QObject *qobj;
 +    QString *qstr;
 +    QBool *qbool;
 +
 +    for (p = qlist_first(list); p; p = qlist_next(p)) {
 +        minfo = qobject_to(QDict, qlist_entry_obj(p));
 +        qobj = qdict_get(minfo, "name");
 +        qstr = qobject_to(QString, qobj);
 +        name = qstring_get_str(qstr);
 +
 +        qobj = qdict_get(minfo, "abstract");
 +        if (qobj) {
 +            qbool = qobject_to(QBool, qobj);
 +            abstract = qbool_get_bool(qbool);
 +        } else {
 +            abstract = false;
 +        }
 +
 +        apply_to_node(name, is_machine, abstract);
 +        qobj = qdict_get(minfo, "alias");
 +        if (qobj) {
 +            qstr = qobject_to(QString, qobj);
 +            name = qstring_get_str(qstr);
 +            apply_to_node(name, is_machine, abstract);
 +        }
 +    }
 +}
 +
 +QGuestAllocator *get_machine_allocator(QOSGraphObject *obj)
 +{
 +    return obj->get_driver(obj, "memory");
 +}
 +
 +/**
 + * allocate_objects(): given an array of nodes @arg,
 + * walks the path invoking all constructors and
 + * passing the corresponding parameter in order to
 + * continue the objects allocation.
 + * Once the test is reached, return the object it consumes.
 + *
 + * Since the machine and QEDGE_CONSUMED_BY nodes allocate
 + * memory in the constructor, g_test_queue_destroy is used so
 + * that after execution they can be safely free'd.  (The test's
 + * ->before callback is also welcome to use g_test_queue_destroy).
 + *
 + * Note: as specified in walk_path() too, @arg is an array of
 + * char *, where arg[0] is a pointer to the command line
 + * string that will be used to properly start QEMU when executing
 + * the test, and the remaining elements represent the actual objects
 + * that will be allocated.
 + */
 +void *allocate_objects(QTestState *qts, char **path, QGuestAllocator **p_alloc)
 +{
 +    int current = 0;
 +    QGuestAllocator *alloc;
 +    QOSGraphObject *parent = NULL;
 +    QOSGraphEdge *edge;
 +    QOSGraphNode *node;
 +    void *edge_arg;
 +    void *obj;
 +
 +    node = qos_graph_get_node(path[current]);
 +    g_assert(node->type == QNODE_MACHINE);
 +
 +    obj = qos_machine_new(node, qts);
 +    qos_object_queue_destroy(obj);
 +
 +    alloc = get_machine_allocator(obj);
 +    if (p_alloc) {
 +        *p_alloc = alloc;
 +    }
 +
 +    for (;;) {
-+        if (node->type != QNODE_INTERFACE) {
++        assert(s->reply.handle == 0);
-+            qos_object_start_hw(obj);
+         ret = nbd_receive_reply(s->ioc, &s->reply);
-+            parent = obj;
+-        if (ret == -EAGAIN) {
-+        }
+-            return;
-+
+-        }
-+        /* follow edge and get object for next node constructor */
+         if (ret < 0) {
-+        current++;
+-            s->reply.handle = 0;
-+        edge = qos_graph_get_edge(path[current - 1], path[current]);
+-            goto fail;
 +        node = qos_graph_get_node(path[current]);
 +
 +        if (node->type == QNODE_TEST) {
 +            g_assert(qos_graph_edge_get_type(edge) == QEDGE_CONSUMED_BY);
 +            return obj;
 +        }
 +
 +        switch (qos_graph_edge_get_type(edge)) {
 +        case QEDGE_PRODUCES:
 +            obj = parent->get_driver(parent, path[current]);
 +            break;
-+
+         }
-+        case QEDGE_CONSUMED_BY:
+-    }
-+            edge_arg = qos_graph_edge_get_arg(edge);
-+            obj = qos_driver_new(node, obj, alloc, edge_arg);
+-    /* There's no need for a mutex on the receive side, because the
-+            qos_object_queue_destroy(obj);
+-     * handler acts as a synchronization point and ensures that only
-+            break;
+-     * one coroutine is called until the reply finishes.  */
-+
+-    i = HANDLE_TO_INDEX(s, s->reply.handle);
-+        case QEDGE_CONTAINS:
+-    if (i >= MAX_NBD_REQUESTS) {
-+            obj = parent->get_device(parent, path[current]);
+-        goto fail;
 -    }
 +        /* There's no need for a mutex on the receive side, because the
 +         * handler acts as a synchronization point and ensures that only
 +         * one coroutine is called until the reply finishes.
 +         */
 +        i = HANDLE_TO_INDEX(s, s->reply.handle);
 +        if (i >= MAX_NBD_REQUESTS || !s->recv_coroutine[i]) {
 +            break;
 +        }
-+    }
-+}
+-    if (s->recv_coroutine[i]) {
 -        qemu_coroutine_enter(s->recv_coroutine[i]);
 -        return;
 +        /* We're woken up by the recv_coroutine itself.  Note that there
 +         * is no race between yielding and reentering read_reply_co.  This
 +         * is because:
 +         *
 +         * - if recv_coroutine[i] runs on the same AioContext, it is only
 +         *   entered after we yield
 +         *
 +         * - if recv_coroutine[i] runs on a different AioContext, reentering
 +         *   read_reply_co happens through a bottom half, which can only
 +         *   run after we yield.
 +         */
 +        aio_co_wake(s->recv_coroutine[i]);
 +        qemu_coroutine_yield();
      }
 -
 -fail:
 -    nbd_teardown_connection(bs);
 -}
 -
 -static void nbd_restart_write(void *opaque)
 -{
 -    BlockDriverState *bs = opaque;
 -
 -    qemu_coroutine_enter(nbd_get_client_session(bs)->send_coroutine);
 +    s->read_reply_co = NULL;
  }
  static int nbd_co_send_request(BlockDriverState *bs,
@@ -XXX,XX +XXX,XX @@ static int nbd_co_send_request(BlockDriverState *bs,
                                 QEMUIOVector *qiov)
  {
      NBDClientSession *s = nbd_get_client_session(bs);
 -    AioContext *aio_context;
      int rc, ret, i;
      qemu_co_mutex_lock(&s->send_mutex);
@@ -XXX,XX +XXX,XX @@ static int nbd_co_send_request(BlockDriverState *bs,
          return -EPIPE;
      }
 -    s->send_coroutine = qemu_coroutine_self();
 -    aio_context = bdrv_get_aio_context(bs);
 -
 -    aio_set_fd_handler(aio_context, s->sioc->fd, false,
 -                       nbd_reply_ready, nbd_restart_write, NULL, bs);
      if (qiov) {
          qio_channel_set_cork(s->ioc, true);
          rc = nbd_send_request(s->ioc, request);
@@ -XXX,XX +XXX,XX @@ static int nbd_co_send_request(BlockDriverState *bs,
      } else {
          rc = nbd_send_request(s->ioc, request);
      }
 -    aio_set_fd_handler(aio_context, s->sioc->fd, false,
 -                       nbd_reply_ready, NULL, NULL, bs);
 -    s->send_coroutine = NULL;
      qemu_co_mutex_unlock(&s->send_mutex);
      return rc;
  }
@@ -XXX,XX +XXX,XX @@ static void nbd_co_receive_reply(NBDClientSession *s,
  {
      int ret;
 -    /* Wait until we're woken up by the read handler.  TODO: perhaps
 -     * peek at the next reply and avoid yielding if it's ours?  */
 +    /* Wait until we're woken up by nbd_read_reply_entry.  */
      qemu_coroutine_yield();
      *reply = s->reply;
      if (reply->handle != request->handle ||
@@ -XXX,XX +XXX,XX @@ static void nbd_coroutine_start(NBDClientSession *s,
      /* s->recv_coroutine[i] is set as soon as we get the send_lock.  */
  }
 -static void nbd_coroutine_end(NBDClientSession *s,
 +static void nbd_coroutine_end(BlockDriverState *bs,
                                NBDRequest *request)
  {
 +    NBDClientSession *s = nbd_get_client_session(bs);
      int i = HANDLE_TO_INDEX(s, request->handle);
 +
-diff --git a/tests/qtest/libqos/qos_external.h b/tests/qtest/libqos/qos_external.h
+     s->recv_coroutine[i] = NULL;
-new file mode 100644
+-    if (s->in_flight-- == MAX_NBD_REQUESTS) {
-index XXXXXXX..XXXXXXX
+-        qemu_co_queue_next(&s->free_sema);
---- /dev/null
++    s->in_flight--;
-+++ b/tests/qtest/libqos/qos_external.h
++    qemu_co_queue_next(&s->free_sema);
@@ -XXX,XX +XXX,XX @@
 +/*
 + * libqos driver framework
 + *
 + * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
 + *
 + * This library is free software; you can redistribute it and/or
 + * modify it under the terms of the GNU Lesser General Public
 + * License version 2 as published by the Free Software Foundation.
 + *
 + * This library is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 + * Lesser General Public License for more details.
 + *
 + * You should have received a copy of the GNU Lesser General Public
 + * License along with this library; if not, see <http://www.gnu.org/licenses/>
 + */
 +
-+#ifndef QOS_EXTERNAL_H
++    /* Kick the read_reply_co to get the next reply.  */
-+#define QOS_EXTERNAL_H
++    if (s->read_reply_co) {
-+#include "libqos/qgraph.h"
++        aio_co_wake(s->read_reply_co);
      }
  }
@@ -XXX,XX +XXX,XX @@ int nbd_client_co_preadv(BlockDriverState *bs, uint64_t offset,
      } else {
          nbd_co_receive_reply(client, &request, &reply, qiov);
      }
 -    nbd_coroutine_end(client, &request);
 +    nbd_coroutine_end(bs, &request);
      return -reply.error;
  }
@@ -XXX,XX +XXX,XX @@ int nbd_client_co_pwritev(BlockDriverState *bs, uint64_t offset,
      } else {
          nbd_co_receive_reply(client, &request, &reply, NULL);
      }
 -    nbd_coroutine_end(client, &request);
 +    nbd_coroutine_end(bs, &request);
      return -reply.error;
  }
@@ -XXX,XX +XXX,XX @@ int nbd_client_co_pwrite_zeroes(BlockDriverState *bs, int64_t offset,
      } else {
          nbd_co_receive_reply(client, &request, &reply, NULL);
      }
 -    nbd_coroutine_end(client, &request);
 +    nbd_coroutine_end(bs, &request);
      return -reply.error;
  }
@@ -XXX,XX +XXX,XX @@ int nbd_client_co_flush(BlockDriverState *bs)
      } else {
          nbd_co_receive_reply(client, &request, &reply, NULL);
      }
 -    nbd_coroutine_end(client, &request);
 +    nbd_coroutine_end(bs, &request);
      return -reply.error;
  }
@@ -XXX,XX +XXX,XX @@ int nbd_client_co_pdiscard(BlockDriverState *bs, int64_t offset, int count)
      } else {
          nbd_co_receive_reply(client, &request, &reply, NULL);
      }
 -    nbd_coroutine_end(client, &request);
 +    nbd_coroutine_end(bs, &request);
      return -reply.error;
  }
  void nbd_client_detach_aio_context(BlockDriverState *bs)
  {
 -    aio_set_fd_handler(bdrv_get_aio_context(bs),
 -                       nbd_get_client_session(bs)->sioc->fd,
 -                       false, NULL, NULL, NULL, NULL);
 +    NBDClientSession *client = nbd_get_client_session(bs);
 +    qio_channel_detach_aio_context(QIO_CHANNEL(client->sioc));
  }
  void nbd_client_attach_aio_context(BlockDriverState *bs,
                                     AioContext *new_context)
  {
 -    aio_set_fd_handler(new_context, nbd_get_client_session(bs)->sioc->fd,
 -                       false, nbd_reply_ready, NULL, NULL, bs);
 +    NBDClientSession *client = nbd_get_client_session(bs);
 +    qio_channel_attach_aio_context(QIO_CHANNEL(client->sioc), new_context);
 +    aio_co_schedule(new_context, client->read_reply_co);
  }
  void nbd_client_close(BlockDriverState *bs)
@@ -XXX,XX +XXX,XX @@ int nbd_client_init(BlockDriverState *bs,
      /* Now that we're connected, set the socket to be non-blocking and
       * kick the reply mechanism.  */
      qio_channel_set_blocking(QIO_CHANNEL(sioc), false, NULL);
 -
 +    client->read_reply_co = qemu_coroutine_create(nbd_read_reply_entry, client);
      nbd_client_attach_aio_context(bs, bdrv_get_aio_context(bs));
      logout("Established connection with NBD server\n");
 diff --git a/nbd/client.c b/nbd/client.c
 index XXXXXXX..XXXXXXX 100644
 --- a/nbd/client.c
 +++ b/nbd/client.c
@@ -XXX,XX +XXX,XX @@ ssize_t nbd_receive_reply(QIOChannel *ioc, NBDReply *reply)
      ssize_t ret;
      ret = read_sync(ioc, buf, sizeof(buf));
 -    if (ret < 0) {
 +    if (ret <= 0) {
          return ret;
      }
 diff --git a/nbd/common.c b/nbd/common.c
 index XXXXXXX..XXXXXXX 100644
 --- a/nbd/common.c
 +++ b/nbd/common.c
@@ -XXX,XX +XXX,XX @@ ssize_t nbd_wr_syncv(QIOChannel *ioc,
          }
          if (len == QIO_CHANNEL_ERR_BLOCK) {
              if (qemu_in_coroutine()) {
 -                /* XXX figure out if we can create a variant on
 -                 * qio_channel_yield() that works with AIO contexts
 -                 * and consider using that in this branch */
 -                qemu_coroutine_yield();
 -            } else if (done) {
 -                /* XXX this is needed by nbd_reply_ready.  */
 -                qio_channel_wait(ioc,
 -                                 do_read ? G_IO_IN : G_IO_OUT);
 +                qio_channel_yield(ioc, do_read ? G_IO_IN : G_IO_OUT);
              } else {
                  return -EAGAIN;
              }
 diff --git a/nbd/server.c b/nbd/server.c
 index XXXXXXX..XXXXXXX 100644
 --- a/nbd/server.c
 +++ b/nbd/server.c
@@ -XXX,XX +XXX,XX @@ struct NBDClient {
      CoMutex send_lock;
      Coroutine *send_coroutine;
 -    bool can_read;
 -
      QTAILQ_ENTRY(NBDClient) next;
      int nb_requests;
      bool closing;
@@ -XXX,XX +XXX,XX @@ struct NBDClient {
  /* That's all folks */
 -static void nbd_set_handlers(NBDClient *client);
 -static void nbd_unset_handlers(NBDClient *client);
 -static void nbd_update_can_read(NBDClient *client);
 +static void nbd_client_receive_next_request(NBDClient *client);
  static gboolean nbd_negotiate_continue(QIOChannel *ioc,
                                         GIOCondition condition,
@@ -XXX,XX +XXX,XX @@ void nbd_client_put(NBDClient *client)
           */
          assert(client->closing);
 -        nbd_unset_handlers(client);
 +        qio_channel_detach_aio_context(client->ioc);
          object_unref(OBJECT(client->sioc));
          object_unref(OBJECT(client->ioc));
          if (client->tlscreds) {
@@ -XXX,XX +XXX,XX @@ static NBDRequestData *nbd_request_get(NBDClient *client)
      assert(client->nb_requests <= MAX_NBD_REQUESTS - 1);
      client->nb_requests++;
 -    nbd_update_can_read(client);
      req = g_new0(NBDRequestData, 1);
      nbd_client_get(client);
@@ -XXX,XX +XXX,XX @@ static void nbd_request_put(NBDRequestData *req)
      g_free(req);
      client->nb_requests--;
 -    nbd_update_can_read(client);
 +    nbd_client_receive_next_request(client);
 +
-+void apply_to_node(const char *name, bool is_machine, bool is_abstract);
+     nbd_client_put(client);
-+void apply_to_qlist(QList *list, bool is_machine);
+ }
-+QGuestAllocator *get_machine_allocator(QOSGraphObject *obj);
-+void *allocate_objects(QTestState *qts, char **path, QGuestAllocator **p_alloc);
+@@ -XXX,XX +XXX,XX @@ static void blk_aio_attached(AioContext *ctx, void *opaque)
-+
+     exp->ctx = ctx;
-+#endif
-diff --git a/tests/qtest/qos-test.c b/tests/qtest/qos-test.c
+     QTAILQ_FOREACH(client, &exp->clients, next) {
-index XXXXXXX..XXXXXXX 100644
+-        nbd_set_handlers(client);
---- a/tests/qtest/qos-test.c
++        qio_channel_attach_aio_context(client->ioc, ctx);
-+++ b/tests/qtest/qos-test.c
++        if (client->recv_coroutine) {
-@@ -XXX,XX +XXX,XX @@
++            aio_co_schedule(ctx, client->recv_coroutine);
- #include "libqos/malloc.h"
++        }
- #include "libqos/qgraph.h"
++        if (client->send_coroutine) {
- #include "libqos/qgraph_internal.h"
++            aio_co_schedule(ctx, client->send_coroutine);
-+#include "libqos/qos_external.h"
++        }
+     }
- static char *old_path;
+ }
--static void apply_to_node(const char *name, bool is_machine, bool is_abstract)
+@@ -XXX,XX +XXX,XX @@ static void blk_aio_detach(void *opaque)
--{
+     TRACE("Export %s: Detaching clients from AIO context %p\n", exp->name, exp->ctx);
--    char *machine_name = NULL;
--    if (is_machine) {
+     QTAILQ_FOREACH(client, &exp->clients, next) {
--        const char *arch = qtest_get_arch();
+-        nbd_unset_handlers(client);
--        machine_name = g_strconcat(arch, "/", name, NULL);
++        qio_channel_detach_aio_context(client->ioc);
--        name = machine_name;
+     }
--    }
--    qos_graph_node_set_availability(name, true);
+     exp->ctx = NULL;
--    if (is_abstract) {
+@@ -XXX,XX +XXX,XX @@ static ssize_t nbd_co_send_reply(NBDRequestData *req, NBDReply *reply,
--        qos_delete_cmd_line(name);
+     g_assert(qemu_in_coroutine());
--    }
+     qemu_co_mutex_lock(&client->send_lock);
--    g_free(machine_name);
+     client->send_coroutine = qemu_coroutine_self();
--}
+-    nbd_set_handlers(client);
--/**
+     if (!len) {
-- * apply_to_qlist(): using QMP queries QEMU for a list of
+         rc = nbd_send_reply(client->ioc, reply);
-- * machines and devices available, and sets the respective node
+@@ -XXX,XX +XXX,XX @@ static ssize_t nbd_co_send_reply(NBDRequestData *req, NBDReply *reply,
-- * as true. If a node is found, also all its produced and contained
+     }
-- * child are marked available.
-- *
+     client->send_coroutine = NULL;
-- * See qos_graph_node_set_availability() for more info
+-    nbd_set_handlers(client);
-- */
+     qemu_co_mutex_unlock(&client->send_lock);
--static void apply_to_qlist(QList *list, bool is_machine)
+     return rc;
--{
+ }
--    const QListEntry *p;
+@@ -XXX,XX +XXX,XX @@ static ssize_t nbd_co_receive_request(NBDRequestData *req,
--    const char *name;
+     ssize_t rc;
--    bool abstract;
--    QDict *minfo;
+     g_assert(qemu_in_coroutine());
--    QObject *qobj;
+-    client->recv_coroutine = qemu_coroutine_self();
--    QString *qstr;
+-    nbd_update_can_read(client);
--    QBool *qbool;
+-
--
++    assert(client->recv_coroutine == qemu_coroutine_self());
--    for (p = qlist_first(list); p; p = qlist_next(p)) {
+     rc = nbd_receive_request(client->ioc, request);
--        minfo = qobject_to(QDict, qlist_entry_obj(p));
+     if (rc < 0) {
--        qobj = qdict_get(minfo, "name");
+         if (rc != -EAGAIN) {
--        qstr = qobject_to(QString, qobj);
+@@ -XXX,XX +XXX,XX @@ static ssize_t nbd_co_receive_request(NBDRequestData *req,
--        name = qstring_get_str(qstr);
--
+ out:
--        qobj = qdict_get(minfo, "abstract");
+     client->recv_coroutine = NULL;
--        if (qobj) {
+-    nbd_update_can_read(client);
--            qbool = qobject_to(QBool, qobj);
++    nbd_client_receive_next_request(client);
--            abstract = qbool_get_bool(qbool);
--        } else {
+     return rc;
--            abstract = false;
+ }
--        }
--
+-static void nbd_trip(void *opaque)
--        apply_to_node(name, is_machine, abstract);
++/* Owns a reference to the NBDClient passed as opaque.  */
--        qobj = qdict_get(minfo, "alias");
++static coroutine_fn void nbd_trip(void *opaque)
--        if (qobj) {
+ {
--            qstr = qobject_to(QString, qobj);
+     NBDClient *client = opaque;
--            name = qstring_get_str(qstr);
+     NBDExport *exp = client->exp;
--            apply_to_node(name, is_machine, abstract);
+     NBDRequestData *req;
--        }
+-    NBDRequest request;
 +    NBDRequest request = { 0 };    /* GCC thinks it can be used uninitialized */
      NBDReply reply;
      ssize_t ret;
      int flags;
      TRACE("Reading request.");
      if (client->closing) {
 +        nbd_client_put(client);
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void nbd_trip(void *opaque)
  done:
      nbd_request_put(req);
 +    nbd_client_put(client);
      return;
  out:
      nbd_request_put(req);
      client_close(client);
 +    nbd_client_put(client);
  }
 -static void nbd_read(void *opaque)
 +static void nbd_client_receive_next_request(NBDClient *client)
  {
 -    NBDClient *client = opaque;
 -
 -    if (client->recv_coroutine) {
 -        qemu_coroutine_enter(client->recv_coroutine);
 -    } else {
 -        qemu_coroutine_enter(qemu_coroutine_create(nbd_trip, client));
 -    }
 -}
+-
- /**
+-static void nbd_restart_write(void *opaque)
   * qos_set_machines_devices_available(): sets availability of qgraph
@@ -XXX,XX +XXX,XX @@ static void qos_set_machines_devices_available(void)
      qobject_unref(response);
  }
 -static QGuestAllocator *get_machine_allocator(QOSGraphObject *obj)
 -{
--    return obj->get_driver(obj, "memory");
+-    NBDClient *client = opaque;
 -
 -    qemu_coroutine_enter(client->send_coroutine);
 -}
+-
- static void restart_qemu_or_continue(char *path)
+-static void nbd_set_handlers(NBDClient *client)
  {
@@ -XXX,XX +XXX,XX @@ void qos_invalidate_command_line(void)
      old_path = NULL;
  }
 -/**
 - * allocate_objects(): given an array of nodes @arg,
 - * walks the path invoking all constructors and
 - * passing the corresponding parameter in order to
 - * continue the objects allocation.
 - * Once the test is reached, return the object it consumes.
 - *
 - * Since the machine and QEDGE_CONSUMED_BY nodes allocate
 - * memory in the constructor, g_test_queue_destroy is used so
 - * that after execution they can be safely free'd.  (The test's
 - * ->before callback is also welcome to use g_test_queue_destroy).
 - *
 - * Note: as specified in walk_path() too, @arg is an array of
 - * char *, where arg[0] is a pointer to the command line
 - * string that will be used to properly start QEMU when executing
 - * the test, and the remaining elements represent the actual objects
 - * that will be allocated.
 - */
 -static void *allocate_objects(QTestState *qts, char **path, QGuestAllocator **p_alloc)
 -{
--    int current = 0;
+-    if (client->exp && client->exp->ctx) {
--    QGuestAllocator *alloc;
+-        aio_set_fd_handler(client->exp->ctx, client->sioc->fd, true,
--    QOSGraphObject *parent = NULL;
+-                           client->can_read ? nbd_read : NULL,
--    QOSGraphEdge *edge;
+-                           client->send_coroutine ? nbd_restart_write : NULL,
--    QOSGraphNode *node;
+-                           NULL, client);
 -    void *edge_arg;
 -    void *obj;
 -
 -    node = qos_graph_get_node(path[current]);
 -    g_assert(node->type == QNODE_MACHINE);
 -
 -    obj = qos_machine_new(node, qts);
 -    qos_object_queue_destroy(obj);
 -
 -    alloc = get_machine_allocator(obj);
 -    if (p_alloc) {
 -        *p_alloc = alloc;
 -    }
 -
 -    for (;;) {
 -        if (node->type != QNODE_INTERFACE) {
 -            qos_object_start_hw(obj);
 -            parent = obj;
 -        }
 -
 -        /* follow edge and get object for next node constructor */
 -        current++;
 -        edge = qos_graph_get_edge(path[current - 1], path[current]);
 -        node = qos_graph_get_node(path[current]);
 -
 -        if (node->type == QNODE_TEST) {
 -            g_assert(qos_graph_edge_get_type(edge) == QEDGE_CONSUMED_BY);
 -            return obj;
 -        }
 -
 -        switch (qos_graph_edge_get_type(edge)) {
 -        case QEDGE_PRODUCES:
 -            obj = parent->get_driver(parent, path[current]);
 -            break;
 -
 -        case QEDGE_CONSUMED_BY:
 -            edge_arg = qos_graph_edge_get_arg(edge);
 -            obj = qos_driver_new(node, obj, alloc, edge_arg);
 -            qos_object_queue_destroy(obj);
 -            break;
 -
 -        case QEDGE_CONTAINS:
 -            obj = parent->get_device(parent, path[current]);
 -            break;
 -        }
 -    }
 -}
+-
- /* The argument to run_one_test, which is the test function that is registered
+-static void nbd_unset_handlers(NBDClient *client)
-  * with GTest, is a vector of strings.  The first item is the initial command
+-{
 -    if (client->exp && client->exp->ctx) {
 -        aio_set_fd_handler(client->exp->ctx, client->sioc->fd, true, NULL,
 -                           NULL, NULL, NULL);
 -    }
 -}
 -
 -static void nbd_update_can_read(NBDClient *client)
 -{
 -    bool can_read = client->recv_coroutine ||
 -                    client->nb_requests < MAX_NBD_REQUESTS;
 -
 -    if (can_read != client->can_read) {
 -        client->can_read = can_read;
 -        nbd_set_handlers(client);
 -
 -        /* There is no need to invoke aio_notify(), since aio_set_fd_handler()
 -         * in nbd_set_handlers() will have taken care of that */
 +    if (!client->recv_coroutine && client->nb_requests < MAX_NBD_REQUESTS) {
 +        nbd_client_get(client);
 +        client->recv_coroutine = qemu_coroutine_create(nbd_trip, client);
 +        aio_co_schedule(client->exp->ctx, client->recv_coroutine);
      }
  }
@@ -XXX,XX +XXX,XX @@ static coroutine_fn void nbd_co_client_start(void *opaque)
          goto out;
      }
      qemu_co_mutex_init(&client->send_lock);
 -    nbd_set_handlers(client);
      if (exp) {
          QTAILQ_INSERT_TAIL(&exp->clients, client, next);
      }
 +
 +    nbd_client_receive_next_request(client);
 +
  out:
      g_free(data);
  }
@@ -XXX,XX +XXX,XX @@ void nbd_client_new(NBDExport *exp,
      object_ref(OBJECT(client->sioc));
      client->ioc = QIO_CHANNEL(sioc);
      object_ref(OBJECT(client->ioc));
 -    client->can_read = true;
      client->close = close_fn;
      data->client = client;
 --
-.24.1
+.9.3

-[PULL 31/31] fuzz: add documentation to docs/devel/
+[Qemu-devel] [PULL v2 08/24] coroutine-lock: reschedule coroutine on the AioContext it was running on
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+As a small step towards the introduction of multiqueue, we want
 coroutines to remain on the same AioContext that started them,
 unless they are moved explicitly with e.g. aio_co_schedule.  This patch
 avoids that coroutines switch AioContext when they use a CoMutex.
 For now it does not make much of a difference, because the CoMutex
 is not thread-safe and the AioContext itself is used to protect the
 CoMutex from concurrent access.  However, this is going to change.
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20200220041118.23264-23-alxndr@bu.edu
+Reviewed-by: Fam Zheng <famz@redhat.com>
 Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
 Message-id: 20170213135235.12274-9-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- docs/devel/fuzzing.txt | 116 +++++++++++++++++++++++++++++++++++++++++
+ util/qemu-coroutine-lock.c | 5 ++---
-file changed, 116 insertions(+)
+ util/trace-events          | 1 -
- create mode 100644 docs/devel/fuzzing.txt
+files changed, 2 insertions(+), 4 deletions(-)
-diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
+diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
-new file mode 100644
+index XXXXXXX..XXXXXXX 100644
-index XXXXXXX..XXXXXXX
+--- a/util/qemu-coroutine-lock.c
---- /dev/null
++++ b/util/qemu-coroutine-lock.c
 +++ b/docs/devel/fuzzing.txt
 @@ -XXX,XX +XXX,XX @@
-+= Fuzzing =
+ #include "qemu/coroutine.h"
-+
+ #include "qemu/coroutine_int.h"
-+== Introduction ==
+ #include "qemu/queue.h"
-+
++#include "block/aio.h"
-+This document describes the virtual-device fuzzing infrastructure in QEMU and
+ #include "trace.h"
-+how to use it to implement additional fuzzers.
-+
+ void qemu_co_queue_init(CoQueue *queue)
-+== Basics ==
+@@ -XXX,XX +XXX,XX @@ void qemu_co_queue_run_restart(Coroutine *co)
-+
-+Fuzzing operates by passing inputs to an entry point/target function. The
+ static bool qemu_co_queue_do_restart(CoQueue *queue, bool single)
-+fuzzer tracks the code coverage triggered by the input. Based on these
+ {
-+findings, the fuzzer mutates the input and repeats the fuzzing.
+-    Coroutine *self = qemu_coroutine_self();
-+
+     Coroutine *next;
-+To fuzz QEMU, we rely on libfuzzer. Unlike other fuzzers such as AFL, libfuzzer
-+is an _in-process_ fuzzer. For the developer, this means that it is their
+     if (QSIMPLEQ_EMPTY(&queue->entries)) {
-+responsibility to ensure that state is reset between fuzzing-runs.
+@@ -XXX,XX +XXX,XX @@ static bool qemu_co_queue_do_restart(CoQueue *queue, bool single)
-+
-+== Building the fuzzers ==
+     while ((next = QSIMPLEQ_FIRST(&queue->entries)) != NULL) {
-+
+         QSIMPLEQ_REMOVE_HEAD(&queue->entries, co_queue_next);
-+NOTE: If possible, build a 32-bit binary. When forking, the 32-bit fuzzer is
+-        QSIMPLEQ_INSERT_TAIL(&self->co_queue_wakeup, next, co_queue_next);
-+much faster, since the page-map has a smaller size. This is due to the fact that
+-        trace_qemu_co_queue_next(next);
-+AddressSanitizer mmaps ~20TB of memory, as part of its detection. This results
++        aio_co_wake(next);
-+in a large page-map, and a much slower fork().
+         if (single) {
-+
+             break;
-+To build the fuzzers, install a recent version of clang:
+         }
-+Configure with (substitute the clang binaries with the version you installed):
+diff --git a/util/trace-events b/util/trace-events
-+
+index XXXXXXX..XXXXXXX 100644
-+    CC=clang-8 CXX=clang++-8 /path/to/configure --enable-fuzzing
+--- a/util/trace-events
-+
++++ b/util/trace-events
-+Fuzz targets are built similarly to system/softmmu:
+@@ -XXX,XX +XXX,XX @@ qemu_coroutine_terminate(void *co) "self %p"
-+
-+    make i386-softmmu/fuzz
+ # util/qemu-coroutine-lock.c
-+
+ qemu_co_queue_run_restart(void *co) "co %p"
-+This builds ./i386-softmmu/qemu-fuzz-i386
+-qemu_co_queue_next(void *nxt) "next %p"
-+
+ qemu_co_mutex_lock_entry(void *mutex, void *self) "mutex %p self %p"
-+The first option to this command is: --fuzz_taget=FUZZ_NAME
+ qemu_co_mutex_lock_return(void *mutex, void *self) "mutex %p self %p"
-+To list all of the available fuzzers run qemu-fuzz-i386 with no arguments.
+ qemu_co_mutex_unlock_entry(void *mutex, void *self) "mutex %p self %p"
 +
 +eg:
 +    ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=virtio-net-fork-fuzz
 +
 +Internally, libfuzzer parses all arguments that do not begin with "--".
 +Information about these is available by passing -help=1
 +
 +Now the only thing left to do is wait for the fuzzer to trigger potential
 +crashes.
 +
 +== Adding a new fuzzer ==
 +Coverage over virtual devices can be improved by adding additional fuzzers.
 +Fuzzers are kept in tests/qtest/fuzz/ and should be added to
 +tests/qtest/fuzz/Makefile.include
 +
 +Fuzzers can rely on both qtest and libqos to communicate with virtual devices.
 +
 +1. Create a new source file. For example ``tests/qtest/fuzz/foo-device-fuzz.c``.
 +
 +2. Write the fuzzing code using the libqtest/libqos API. See existing fuzzers
 +for reference.
 +
 +3. Register the fuzzer in ``tests/fuzz/Makefile.include`` by appending the
 +corresponding object to fuzz-obj-y
 +
 +Fuzzers can be more-or-less thought of as special qtest programs which can
 +modify the qtest commands and/or qtest command arguments based on inputs
 +provided by libfuzzer. Libfuzzer passes a byte array and length. Commonly the
 +fuzzer loops over the byte-array interpreting it as a list of qtest commands,
 +addresses, or values.
 +
 += Implementation Details =
 +
 +== The Fuzzer's Lifecycle ==
 +
 +The fuzzer has two entrypoints that libfuzzer calls. libfuzzer provides it's
 +own main(), which performs some setup, and calls the entrypoints:
 +
 +LLVMFuzzerInitialize: called prior to fuzzing. Used to initialize all of the
 +necessary state
 +
 +LLVMFuzzerTestOneInput: called for each fuzzing run. Processes the input and
 +resets the state at the end of each run.
 +
 +In more detail:
 +
 +LLVMFuzzerInitialize parses the arguments to the fuzzer (must start with two
 +dashes, so they are ignored by libfuzzer main()). Currently, the arguments
 +select the fuzz target. Then, the qtest client is initialized. If the target
 +requires qos, qgraph is set up and the QOM/LIBQOS modules are initialized.
 +Then the QGraph is walked and the QEMU cmd_line is determined and saved.
 +
 +After this, the vl.c:qemu__main is called to set up the guest. There are
 +target-specific hooks that can be called before and after qemu_main, for
 +additional setup(e.g. PCI setup, or VM snapshotting).
 +
 +LLVMFuzzerTestOneInput: Uses qtest/qos functions to act based on the fuzz
 +input. It is also responsible for manually calling the main loop/main_loop_wait
 +to ensure that bottom halves are executed and any cleanup required before the
 +next input.
 +
 +Since the same process is reused for many fuzzing runs, QEMU state needs to
 +be reset at the end of each run. There are currently two implemented
 +options for resetting state:
 +1. Reboot the guest between runs.
 +   Pros: Straightforward and fast for simple fuzz targets.
 +   Cons: Depending on the device, does not reset all device state. If the
 +   device requires some initialization prior to being ready for fuzzing
 +   (common for QOS-based targets), this initialization needs to be done after
 +   each reboot.
 +   Example target: i440fx-qtest-reboot-fuzz
 +2. Run each test case in a separate forked process and copy the coverage
 +   information back to the parent. This is fairly similar to AFL's "deferred"
 +   fork-server mode [3]
 +   Pros: Relatively fast. Devices only need to be initialized once. No need
 +   to do slow reboots or vmloads.
 +   Cons: Not officially supported by libfuzzer. Does not work well for devices
 +   that rely on dedicated threads.
 +   Example target: virtio-net-fork-fuzz
 --
-.24.1
+.9.3

-[PULL 27/31] fuzz: add configure flag --enable-fuzzing
+[Qemu-devel] [PULL v2 09/24] blkdebug: reschedule coroutine on the AioContext it is running on
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Keep the coroutine on the same AioContext.  Without this change,
 there would be a race between yielding the coroutine and reentering it.
 While the race cannot happen now, because the code only runs from a single
 AioContext, this will change with multiqueue support in the block layer.
 While doing the change, replace custom bottom half with aio_co_schedule.
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Fam Zheng <famz@redhat.com>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Message-id: 20170213135235.12274-10-pbonzini@redhat.com
 Message-id: 20200220041118.23264-19-alxndr@bu.edu
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- configure | 39 +++++++++++++++++++++++++++++++++++++++
+ block/blkdebug.c | 9 +--------
-file changed, 39 insertions(+)
+file changed, 1 insertion(+), 8 deletions(-)
-diff --git a/configure b/configure
+diff --git a/block/blkdebug.c b/block/blkdebug.c
-index XXXXXXX..XXXXXXX 100755
+index XXXXXXX..XXXXXXX 100644
---- a/configure
+--- a/block/blkdebug.c
-+++ b/configure
++++ b/block/blkdebug.c
-@@ -XXX,XX +XXX,XX @@ debug_mutex="no"
+@@ -XXX,XX +XXX,XX @@ out:
- libpmem=""
+     return ret;
  default_devices="yes"
  plugins="no"
 +fuzzing="no"
  supported_cpu="no"
  supported_os="no"
@@ -XXX,XX +XXX,XX @@ int main(void) { return 0; }
  EOF
  }
-+write_c_fuzzer_skeleton() {
+-static void error_callback_bh(void *opaque)
-+    cat > $TMPC <<EOF
+-{
-+#include <stdint.h>
+-    Coroutine *co = opaque;
-+#include <sys/types.h>
+-    qemu_coroutine_enter(co);
-+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+-}
-+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { return 0; }
+-
-+EOF
+ static int inject_error(BlockDriverState *bs, BlkdebugRule *rule)
-+}
+ {
-+
+     BDRVBlkdebugState *s = bs->opaque;
- if check_define __linux__ ; then
+@@ -XXX,XX +XXX,XX @@ static int inject_error(BlockDriverState *bs, BlkdebugRule *rule)
-   targetos="Linux"
+     }
- elif check_define _WIN32 ; then
-@@ -XXX,XX +XXX,XX @@ for opt do
+     if (!immediately) {
-   ;;
+-        aio_bh_schedule_oneshot(bdrv_get_aio_context(bs), error_callback_bh,
-   --disable-containers) use_containers="no"
+-                                qemu_coroutine_self());
-   ;;
++        aio_co_schedule(qemu_get_current_aio_context(), qemu_coroutine_self());
-+  --enable-fuzzing) fuzzing=yes
+         qemu_coroutine_yield();
-+  ;;
+     }
-+  --disable-fuzzing) fuzzing=no
 +  ;;
    *)
        echo "ERROR: unknown option $opt"
        echo "Try '$0 --help' for more information"
@@ -XXX,XX +XXX,XX @@ EOF
    fi
  fi
 +##########################################
 +# checks for fuzzer
 +if test "$fuzzing" = "yes" ; then
 +  write_c_fuzzer_skeleton
 +  if compile_prog "$CPU_CFLAGS -Werror -fsanitize=address,fuzzer" ""; then
 +      have_fuzzer=yes
 +  fi
 +fi
 +
  ##########################################
  # check for libpmem
@@ -XXX,XX +XXX,XX @@ echo "libpmem support   $libpmem"
  echo "libudev           $libudev"
  echo "default devices   $default_devices"
  echo "plugin support    $plugins"
 +echo "fuzzing support   $fuzzing"
  if test "$supported_cpu" = "no"; then
      echo
@@ -XXX,XX +XXX,XX @@ fi
  if test "$sheepdog" = "yes" ; then
    echo "CONFIG_SHEEPDOG=y" >> $config_host_mak
  fi
 +if test "$fuzzing" = "yes" ; then
 +  if test "$have_fuzzer" = "yes"; then
 +    FUZZ_LDFLAGS=" -fsanitize=address,fuzzer"
 +    FUZZ_CFLAGS=" -fsanitize=address,fuzzer"
 +    CFLAGS=" -fsanitize=address,fuzzer-no-link"
 +  else
 +    error_exit "Your compiler doesn't support -fsanitize=address,fuzzer"
 +    exit 1
 +  fi
 +fi
  if test "$plugins" = "yes" ; then
      echo "CONFIG_PLUGIN=y" >> $config_host_mak
@@ -XXX,XX +XXX,XX @@ if test "$libudev" != "no"; then
      echo "CONFIG_LIBUDEV=y" >> $config_host_mak
      echo "LIBUDEV_LIBS=$libudev_libs" >> $config_host_mak
  fi
 +if test "$fuzzing" != "no"; then
 +    echo "CONFIG_FUZZ=y" >> $config_host_mak
 +    echo "FUZZ_CFLAGS=$FUZZ_CFLAGS" >> $config_host_mak
 +    echo "FUZZ_LDFLAGS=$FUZZ_LDFLAGS" >> $config_host_mak
 +fi
  if test "$edk2_blobs" = "yes" ; then
    echo "DECOMPRESS_EDK2_BLOBS=y" >> $config_host_mak
 --
-.24.1
+.9.3

-[PULL 15/31] libqtest: add a layer of abstraction to send/recv
+[Qemu-devel] [PULL v2 10/24] qed: introduce qed_aio_start_io and qed_aio_next_io_cb
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-This makes it simple to swap the transport functions for qtest commands
+qed_aio_start_io and qed_aio_next_io will not have to acquire/release
-to and from the qtest client. For example, now it is possible to
+the AioContext, while qed_aio_next_io_cb will.  Split the functionality
-directly pass qtest commands to a server handler that exists within the
+and gain a little type-safety in the process.
 same process, without the standard way of writing to a file descriptor.
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20200220041118.23264-7-alxndr@bu.edu
+Reviewed-by: Fam Zheng <famz@redhat.com>
 Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
 Message-id: 20170213135235.12274-11-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- tests/qtest/libqtest.c | 48 ++++++++++++++++++++++++++++++++++--------
+ block/qed.c | 39 +++++++++++++++++++++++++--------------
-file changed, 39 insertions(+), 9 deletions(-)
+file changed, 25 insertions(+), 14 deletions(-)
-diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
+diff --git a/block/qed.c b/block/qed.c
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/libqtest.c
+--- a/block/qed.c
-+++ b/tests/qtest/libqtest.c
++++ b/block/qed.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static CachedL2Table *qed_new_l2_table(BDRVQEDState *s)
- #define SOCKET_TIMEOUT 50
+     return l2_table;
- #define SOCKET_MAX_FDS 16
+ }
 -static void qed_aio_next_io(void *opaque, int ret);
 +static void qed_aio_next_io(QEDAIOCB *acb, int ret);
 +
-+typedef void (*QTestSendFn)(QTestState *s, const char *buf);
++static void qed_aio_start_io(QEDAIOCB *acb)
-+typedef GString* (*QTestRecvFn)(QTestState *);
++{
 +    qed_aio_next_io(acb, 0);
 +}
 +
-+typedef struct QTestClientTransportOps {
++static void qed_aio_next_io_cb(void *opaque, int ret)
-+    QTestSendFn     send;      /* for sending qtest commands */
++{
-+    QTestRecvFn     recv_line; /* for receiving qtest command responses */
++    QEDAIOCB *acb = opaque;
 +} QTestTransportOps;
 +
- struct QTestState
++    qed_aio_next_io(acb, ret);
 +}
  static void qed_plug_allocating_write_reqs(BDRVQEDState *s)
  {
-     int fd;
+@@ -XXX,XX +XXX,XX @@ static void qed_unplug_allocating_write_reqs(BDRVQEDState *s)
-@@ -XXX,XX +XXX,XX @@ struct QTestState
-     bool big_endian;
+     acb = QSIMPLEQ_FIRST(&s->allocating_write_reqs);
-     bool irq_level[MAX_IRQ];
+     if (acb) {
-     GString *rx;
+-        qed_aio_next_io(acb, 0);
-+    QTestTransportOps ops;
++        qed_aio_start_io(acb);
  };
  static GHookList abrt_hooks;
@@ -XXX,XX +XXX,XX @@ static struct sigaction sigact_old;
  static int qtest_query_target_endianness(QTestState *s);
 +static void qtest_client_socket_send(QTestState*, const char *buf);
 +static void socket_send(int fd, const char *buf, size_t size);
 +
 +static GString *qtest_client_socket_recv_line(QTestState *);
 +
 +static void qtest_client_set_tx_handler(QTestState *s, QTestSendFn send);
 +static void qtest_client_set_rx_handler(QTestState *s, QTestRecvFn recv);
 +
  static int init_socket(const char *socket_path)
  {
      struct sockaddr_un addr;
@@ -XXX,XX +XXX,XX @@ QTestState *qtest_init_without_qmp_handshake(const char *extra_args)
      sock = init_socket(socket_path);
      qmpsock = init_socket(qmp_socket_path);
 +    qtest_client_set_rx_handler(s, qtest_client_socket_recv_line);
 +    qtest_client_set_tx_handler(s, qtest_client_socket_send);
 +
      qtest_add_abrt_handler(kill_qemu_hook_func, s);
      command = g_strdup_printf("exec %s "
@@ -XXX,XX +XXX,XX @@ static void socket_send(int fd, const char *buf, size_t size)
      }
  }
--static void socket_sendf(int fd, const char *fmt, va_list ap)
+@@ -XXX,XX +XXX,XX @@ static void qed_aio_complete(QEDAIOCB *acb, int ret)
-+static void qtest_client_socket_send(QTestState *s, const char *buf)
+         QSIMPLEQ_REMOVE_HEAD(&s->allocating_write_reqs, next);
          acb = QSIMPLEQ_FIRST(&s->allocating_write_reqs);
          if (acb) {
 -            qed_aio_next_io(acb, 0);
 +            qed_aio_start_io(acb);
          } else if (s->header.features & QED_F_NEED_CHECK) {
              qed_start_need_check_timer(s);
          }
@@ -XXX,XX +XXX,XX @@ static void qed_commit_l2_update(void *opaque, int ret)
      acb->request.l2_table = qed_find_l2_cache_entry(&s->l2_cache, l2_offset);
      assert(acb->request.l2_table != NULL);
 -    qed_aio_next_io(opaque, ret);
 +    qed_aio_next_io(acb, ret);
  }
  /**
@@ -XXX,XX +XXX,XX @@ static void qed_aio_write_l2_update(QEDAIOCB *acb, int ret, uint64_t offset)
      if (need_alloc) {
          /* Write out the whole new L2 table */
          qed_write_l2_table(s, &acb->request, 0, s->table_nelems, true,
 -                            qed_aio_write_l1_update, acb);
 +                           qed_aio_write_l1_update, acb);
      } else {
          /* Write out only the updated part of the L2 table */
          qed_write_l2_table(s, &acb->request, index, acb->cur_nclusters, false,
 -                            qed_aio_next_io, acb);
 +                           qed_aio_next_io_cb, acb);
      }
      return;
@@ -XXX,XX +XXX,XX @@ static void qed_aio_write_main(void *opaque, int ret)
      }
      if (acb->find_cluster_ret == QED_CLUSTER_FOUND) {
 -        next_fn = qed_aio_next_io;
 +        next_fn = qed_aio_next_io_cb;
      } else {
          if (s->bs->backing) {
              next_fn = qed_aio_write_flush_before_l2_update;
@@ -XXX,XX +XXX,XX @@ static void qed_aio_write_alloc(QEDAIOCB *acb, size_t len)
      if (acb->flags & QED_AIOCB_ZERO) {
          /* Skip ahead if the clusters are already zero */
          if (acb->find_cluster_ret == QED_CLUSTER_ZERO) {
 -            qed_aio_next_io(acb, 0);
 +            qed_aio_start_io(acb);
              return;
          }
@@ -XXX,XX +XXX,XX @@ static void qed_aio_read_data(void *opaque, int ret,
      /* Handle zero cluster and backing file reads */
      if (ret == QED_CLUSTER_ZERO) {
          qemu_iovec_memset(&acb->cur_qiov, 0, 0, acb->cur_qiov.size);
 -        qed_aio_next_io(acb, 0);
 +        qed_aio_start_io(acb);
          return;
      } else if (ret != QED_CLUSTER_FOUND) {
          qed_read_backing_file(s, acb->cur_pos, &acb->cur_qiov,
 -                              &acb->backing_qiov, qed_aio_next_io, acb);
 +                              &acb->backing_qiov, qed_aio_next_io_cb, acb);
          return;
      }
      BLKDBG_EVENT(bs->file, BLKDBG_READ_AIO);
      bdrv_aio_readv(bs->file, offset / BDRV_SECTOR_SIZE,
                     &acb->cur_qiov, acb->cur_qiov.size / BDRV_SECTOR_SIZE,
 -                   qed_aio_next_io, acb);
 +                   qed_aio_next_io_cb, acb);
      return;
  err:
@@ -XXX,XX +XXX,XX @@ err:
  /**
   * Begin next I/O or complete the request
   */
 -static void qed_aio_next_io(void *opaque, int ret)
 +static void qed_aio_next_io(QEDAIOCB *acb, int ret)
  {
--    gchar *str = g_strdup_vprintf(fmt, ap);
+-    QEDAIOCB *acb = opaque;
--    size_t size = strlen(str);
+     BDRVQEDState *s = acb_to_s(acb);
--
+     QEDFindClusterFunc *io_fn = (acb->flags & QED_AIOCB_WRITE) ?
--    socket_send(fd, str, size);
+                                 qed_aio_write_data : qed_aio_read_data;
--    g_free(str);
+@@ -XXX,XX +XXX,XX @@ static BlockAIOCB *qed_aio_setup(BlockDriverState *bs,
-+    socket_send(s->fd, buf, strlen(buf));
+     qemu_iovec_init(&acb->cur_qiov, qiov->niov);
      /* Start request */
 -    qed_aio_next_io(acb, 0);
 +    qed_aio_start_io(acb);
      return &acb->common;
  }
- static void GCC_FMT_ATTR(2, 3) qtest_sendf(QTestState *s, const char *fmt, ...)
-@@ -XXX,XX +XXX,XX @@ static void GCC_FMT_ATTR(2, 3) qtest_sendf(QTestState *s, const char *fmt, ...)
-     va_list ap;
-     va_start(ap, fmt);
--    socket_sendf(s->fd, fmt, ap);
-+    gchar *str = g_strdup_vprintf(fmt, ap);
-     va_end(ap);
-+
-+    s->ops.send(s, str);
-+    g_free(str);
- }
- /* Sends a message and file descriptors to the socket.
-@@ -XXX,XX +XXX,XX @@ static void socket_send_fds(int socket_fd, int *fds, size_t fds_num,
-     g_assert_cmpint(ret, >, 0);
- }
--static GString *qtest_recv_line(QTestState *s)
-+static GString *qtest_client_socket_recv_line(QTestState *s)
- {
-     GString *line;
-     size_t offset;
-@@ -XXX,XX +XXX,XX @@ static gchar **qtest_rsp(QTestState *s, int expected_args)
-     int i;
- redo:
--    line = qtest_recv_line(s);
-+    line = s->ops.recv_line(s);
-     words = g_strsplit(line->str, " ", 0);
-     g_string_free(line, TRUE);
-@@ -XXX,XX +XXX,XX @@ void qmp_assert_error_class(QDict *rsp, const char *class)
-     qobject_unref(rsp);
- }
-+
-+static void qtest_client_set_tx_handler(QTestState *s,
-+                    QTestSendFn send)
-+{
-+    s->ops.send = send;
-+}
-+static void qtest_client_set_rx_handler(QTestState *s, QTestRecvFn recv)
-+{
-+    s->ops.recv_line = recv;
-+}
 --
-.24.1
+.9.3

-[PULL 05/31] aio-posix: fix use after leaving scope in aio_poll()
+[Qemu-devel] [PULL v2 11/24] aio: push aio_context_acquire/release down to dispatching
-epoll_handler is a stack variable and must not be accessed after it goes
+From: Paolo Bonzini <pbonzini@redhat.com>
 out of scope:
-      if (aio_epoll_check_poll(ctx, pollfds, npfd, timeout)) {
+The AioContext data structures are now protected by list_lock and/or
-          AioHandler epoll_handler;
+they are walked with FOREACH_RCU primitives.  There is no need anymore
-          ...
+to acquire the AioContext for the entire duration of aio_dispatch.
-          add_pollfd(&epoll_handler);
+Instead, just acquire it before and after invoking the callbacks.
-          ret = aio_epoll(ctx, pollfds, npfd, timeout);
+The next step is then to push it further down.
       } ...
-  ...
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-  /* if we have any readable fds, dispatch event */
+Reviewed-by: Fam Zheng <famz@redhat.com>
-  if (ret > 0) {
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
-      for (i = 0; i < npfd; i++) {
+Message-id: 20170213135235.12274-12-pbonzini@redhat.com
           nodes[i]->pfd.revents = pollfds[i].revents;
       }
   }
 nodes[0] is &epoll_handler, which has already gone out of scope.
 There is no need to use pollfds[] for epoll.  We don't need an
 AioHandler for the epoll fd.
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Sergio Lopez <slp@redhat.com>
 Message-id: 20200214171712.541358-2-stefanha@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- util/aio-posix.c | 20 ++++++++------------
+ util/aio-posix.c | 25 +++++++++++--------------
-file changed, 8 insertions(+), 12 deletions(-)
+ util/aio-win32.c | 15 +++++++--------
  util/async.c     |  2 ++
 files changed, 20 insertions(+), 22 deletions(-)
 diff --git a/util/aio-posix.c b/util/aio-posix.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/aio-posix.c
 +++ b/util/aio-posix.c
-@@ -XXX,XX +XXX,XX @@ static void aio_epoll_update(AioContext *ctx, AioHandler *node, bool is_new)
+@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
              (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR)) &&
              aio_node_check(ctx, node->is_external) &&
              node->io_read) {
 +            aio_context_acquire(ctx);
              node->io_read(node->opaque);
 +            aio_context_release(ctx);
              /* aio_notify() does not count as progress */
              if (node->opaque != &ctx->notifier) {
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
              (revents & (G_IO_OUT | G_IO_ERR)) &&
              aio_node_check(ctx, node->is_external) &&
              node->io_write) {
 +            aio_context_acquire(ctx);
              node->io_write(node->opaque);
 +            aio_context_release(ctx);
              progress = true;
          }
@@ -XXX,XX +XXX,XX @@ bool aio_dispatch(AioContext *ctx, bool dispatch_fds)
      }
+     /* Run our timers */
++    aio_context_acquire(ctx);
+     progress |= timerlistgroup_run_timers(&ctx->tlg);
++    aio_context_release(ctx);
+     return progress;
  }
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
--static int aio_epoll(AioContext *ctx, GPollFD *pfds,
+     int64_t timeout;
--                     unsigned npfd, int64_t timeout)
+     int64_t start = 0;
-+static int aio_epoll(AioContext *ctx, int64_t timeout)
- {
+-    aio_context_acquire(ctx);
-+    GPollFD pfd = {
+-    progress = false;
-+        .fd = ctx->epollfd,
+-
-+        .events = G_IO_IN | G_IO_OUT | G_IO_HUP | G_IO_ERR,
+     /* aio_notify can avoid the expensive event_notifier_set if
-+    };
+      * everything (file descriptors, bottom halves, timers) will
-     AioHandler *node;
+      * be re-evaluated before the next blocking poll().  This is
-     int i, ret = 0;
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
-     struct epoll_event events[128];
+         start = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
 -    assert(npfd == 1);
 -    assert(pfds[0].fd == ctx->epollfd);
      if (timeout > 0) {
 -        ret = qemu_poll_ns(pfds, npfd, timeout);
 +        ret = qemu_poll_ns(&pfd, 1, timeout);
      }
-     if (timeout <= 0 || ret > 0) {
-         ret = epoll_wait(ctx->epollfd, events,
+-    if (try_poll_mode(ctx, blocking)) {
 -        progress = true;
 -    } else {
 +    aio_context_acquire(ctx);
 +    progress = try_poll_mode(ctx, blocking);
 +    aio_context_release(ctx);
 +
 +    if (!progress) {
          assert(npfd == 0);
          /* fill pollfds */
 @@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
+         timeout = blocking ? aio_compute_timeout(ctx) : 0;
          /* wait until next event */
+-        if (timeout) {
+-            aio_context_release(ctx);
+-        }
          if (aio_epoll_check_poll(ctx, pollfds, npfd, timeout)) {
--            AioHandler epoll_handler;
+             AioHandler epoll_handler;
--
--            epoll_handler.pfd.fd = ctx->epollfd;
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
 -            epoll_handler.pfd.events = G_IO_IN | G_IO_OUT | G_IO_HUP | G_IO_ERR;
 -            npfd = 0;
 -            add_pollfd(&epoll_handler);
 -            ret = aio_epoll(ctx, pollfds, npfd, timeout);
 +            npfd = 0; /* pollfds[] is not being used */
 +            ret = aio_epoll(ctx, timeout);
          } else  {
              ret = qemu_poll_ns(pollfds, npfd, timeout);
          }
+-        if (timeout) {
+-            aio_context_acquire(ctx);
+-        }
+     }
+     if (blocking) {
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
+         progress = true;
+     }
+-    aio_context_release(ctx);
+-
+     return progress;
+ }
+diff --git a/util/aio-win32.c b/util/aio-win32.c
+index XXXXXXX..XXXXXXX 100644
+--- a/util/aio-win32.c
++++ b/util/aio-win32.c
+@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
+             (revents || event_notifier_get_handle(node->e) == event) &&
+             node->io_notify) {
+             node->pfd.revents = 0;
++            aio_context_acquire(ctx);
+             node->io_notify(node->e);
++            aio_context_release(ctx);
+             /* aio_notify() does not count as progress */
+             if (node->e != &ctx->notifier) {
+@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
+             (node->io_read || node->io_write)) {
+             node->pfd.revents = 0;
+             if ((revents & G_IO_IN) && node->io_read) {
++                aio_context_acquire(ctx);
+                 node->io_read(node->opaque);
++                aio_context_release(ctx);
+                 progress = true;
+             }
+             if ((revents & G_IO_OUT) && node->io_write) {
++                aio_context_acquire(ctx);
+                 node->io_write(node->opaque);
++                aio_context_release(ctx);
+                 progress = true;
+             }
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
+     int count;
+     int timeout;
+-    aio_context_acquire(ctx);
+     progress = false;
+     /* aio_notify can avoid the expensive event_notifier_set if
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
+         timeout = blocking && !have_select_revents
+             ? qemu_timeout_ns_to_ms(aio_compute_timeout(ctx)) : 0;
+-        if (timeout) {
+-            aio_context_release(ctx);
+-        }
+         ret = WaitForMultipleObjects(count, events, FALSE, timeout);
+         if (blocking) {
+             assert(first);
+             atomic_sub(&ctx->notify_me, 2);
+         }
+-        if (timeout) {
+-            aio_context_acquire(ctx);
+-        }
+         if (first) {
+             aio_notify_accept(ctx);
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
+         progress |= aio_dispatch_handlers(ctx, event);
+     } while (count > 0);
++    aio_context_acquire(ctx);
+     progress |= timerlistgroup_run_timers(&ctx->tlg);
+-
+     aio_context_release(ctx);
+     return progress;
+ }
+diff --git a/util/async.c b/util/async.c
+index XXXXXXX..XXXXXXX 100644
+--- a/util/async.c
++++ b/util/async.c
+@@ -XXX,XX +XXX,XX @@ int aio_bh_poll(AioContext *ctx)
+                 ret = 1;
+             }
+             bh->idle = 0;
++            aio_context_acquire(ctx);
+             aio_bh_call(bh);
++            aio_context_release(ctx);
+         }
+         if (bh->deleted) {
+             deleted = true;
 --
-.24.1
+.9.3

-[PULL 02/31] aio-posix: avoid reacquiring rcu_read_lock() when polling
+[Qemu-devel] [PULL v2 12/24] block: explicitly acquire aiocontext in timers that need it
-The first rcu_read_lock/unlock() is expensive.  Nested calls are cheap.
+From: Paolo Bonzini <pbonzini@redhat.com>
-This optimization increases IOPS from 73k to 162k with a Linux guest
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-that has 2 virtio-blk,num-queues=1 and 99 virtio-blk,num-queues=32
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-devices.
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-id: 20170213135235.12274-13-pbonzini@redhat.com
 Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
 Message-id: 20200218182708.914552-1-stefanha@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- util/aio-posix.c | 11 +++++++++++
+ block/qed.h                 |  3 +++
-file changed, 11 insertions(+)
+ block/curl.c                |  2 ++
+ block/io.c                  |  5 +++++
  block/iscsi.c               |  8 ++++++--
  block/null.c                |  4 ++++
  block/qed.c                 | 12 ++++++++++++
  block/throttle-groups.c     |  2 ++
  util/aio-posix.c            |  2 --
  util/aio-win32.c            |  2 --
  util/qemu-coroutine-sleep.c |  2 +-
 files changed, 35 insertions(+), 7 deletions(-)
 diff --git a/block/qed.h b/block/qed.h
 index XXXXXXX..XXXXXXX 100644
 --- a/block/qed.h
 +++ b/block/qed.h
@@ -XXX,XX +XXX,XX @@ enum {
   */
  typedef void QEDFindClusterFunc(void *opaque, int ret, uint64_t offset, size_t len);
 +void qed_acquire(BDRVQEDState *s);
 +void qed_release(BDRVQEDState *s);
 +
  /**
   * Generic callback for chaining async callbacks
   */
 diff --git a/block/curl.c b/block/curl.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/curl.c
 +++ b/block/curl.c
@@ -XXX,XX +XXX,XX @@ static void curl_multi_timeout_do(void *arg)
          return;
      }
 +    aio_context_acquire(s->aio_context);
      curl_multi_socket_action(s->multi, CURL_SOCKET_TIMEOUT, 0, &running);
      curl_multi_check_completion(s);
 +    aio_context_release(s->aio_context);
  #else
      abort();
  #endif
 diff --git a/block/io.c b/block/io.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/io.c
 +++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ void bdrv_aio_cancel(BlockAIOCB *acb)
          if (acb->aiocb_info->get_aio_context) {
              aio_poll(acb->aiocb_info->get_aio_context(acb), true);
          } else if (acb->bs) {
 +            /* qemu_aio_ref and qemu_aio_unref are not thread-safe, so
 +             * assert that we're not using an I/O thread.  Thread-safe
 +             * code should use bdrv_aio_cancel_async exclusively.
 +             */
 +            assert(bdrv_get_aio_context(acb->bs) == qemu_get_aio_context());
              aio_poll(bdrv_get_aio_context(acb->bs), true);
          } else {
              abort();
 diff --git a/block/iscsi.c b/block/iscsi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/iscsi.c
 +++ b/block/iscsi.c
@@ -XXX,XX +XXX,XX @@ static void iscsi_retry_timer_expired(void *opaque)
      struct IscsiTask *iTask = opaque;
      iTask->complete = 1;
      if (iTask->co) {
 -        qemu_coroutine_enter(iTask->co);
 +        aio_co_wake(iTask->co);
      }
  }
@@ -XXX,XX +XXX,XX @@ static void iscsi_nop_timed_event(void *opaque)
  {
      IscsiLun *iscsilun = opaque;
 +    aio_context_acquire(iscsilun->aio_context);
      if (iscsi_get_nops_in_flight(iscsilun->iscsi) >= MAX_NOP_FAILURES) {
          error_report("iSCSI: NOP timeout. Reconnecting...");
          iscsilun->request_timed_out = true;
      } else if (iscsi_nop_out_async(iscsilun->iscsi, NULL, NULL, 0, NULL) != 0) {
          error_report("iSCSI: failed to sent NOP-Out. Disabling NOP messages.");
 -        return;
 +        goto out;
      }
      timer_mod(iscsilun->nop_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + NOP_INTERVAL);
      iscsi_set_events(iscsilun);
 +
 +out:
 +    aio_context_release(iscsilun->aio_context);
  }
  static void iscsi_readcapacity_sync(IscsiLun *iscsilun, Error **errp)
 diff --git a/block/null.c b/block/null.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/null.c
 +++ b/block/null.c
@@ -XXX,XX +XXX,XX @@ static void null_bh_cb(void *opaque)
  static void null_timer_cb(void *opaque)
  {
      NullAIOCB *acb = opaque;
 +    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
 +
 +    aio_context_acquire(ctx);
      acb->common.cb(acb->common.opaque, 0);
 +    aio_context_release(ctx);
      timer_deinit(&acb->timer);
      qemu_aio_unref(acb);
  }
 diff --git a/block/qed.c b/block/qed.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/qed.c
 +++ b/block/qed.c
@@ -XXX,XX +XXX,XX @@ static void qed_need_check_timer_cb(void *opaque)
      trace_qed_need_check_timer_cb(s);
 +    qed_acquire(s);
      qed_plug_allocating_write_reqs(s);
      /* Ensure writes are on disk before clearing flag */
      bdrv_aio_flush(s->bs->file->bs, qed_clear_need_check, s);
 +    qed_release(s);
 +}
 +
 +void qed_acquire(BDRVQEDState *s)
 +{
 +    aio_context_acquire(bdrv_get_aio_context(s->bs));
 +}
 +
 +void qed_release(BDRVQEDState *s)
 +{
 +    aio_context_release(bdrv_get_aio_context(s->bs));
  }
  static void qed_start_need_check_timer(BDRVQEDState *s)
 diff --git a/block/throttle-groups.c b/block/throttle-groups.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/throttle-groups.c
 +++ b/block/throttle-groups.c
@@ -XXX,XX +XXX,XX @@ static void timer_cb(BlockBackend *blk, bool is_write)
      qemu_mutex_unlock(&tg->lock);
      /* Run the request that was waiting for this timer */
 +    aio_context_acquire(blk_get_aio_context(blk));
      empty_queue = !qemu_co_enter_next(&blkp->throttled_reqs[is_write]);
 +    aio_context_release(blk_get_aio_context(blk));
      /* If the request queue was empty then we have to take care of
       * scheduling the next one */
 diff --git a/util/aio-posix.c b/util/aio-posix.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/aio-posix.c
 +++ b/util/aio-posix.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ bool aio_dispatch(AioContext *ctx, bool dispatch_fds)
+     }
- #include "qemu/osdep.h"
- #include "block/block.h"
+     /* Run our timers */
-+#include "qemu/rcu.h"
+-    aio_context_acquire(ctx);
- #include "qemu/rcu_queue.h"
+     progress |= timerlistgroup_run_timers(&ctx->tlg);
- #include "qemu/sockets.h"
+-    aio_context_release(ctx);
- #include "qemu/cutils.h"
-@@ -XXX,XX +XXX,XX @@ static bool run_poll_handlers_once(AioContext *ctx, int64_t *timeout)
+     return progress;
-     bool progress = false;
+ }
-     AioHandler *node;
+diff --git a/util/aio-win32.c b/util/aio-win32.c
+index XXXXXXX..XXXXXXX 100644
-+    /*
+--- a/util/aio-win32.c
-+     * Optimization: ->io_poll() handlers often contain RCU read critical
++++ b/util/aio-win32.c
-+     * sections and we therefore see many rcu_read_lock() -> rcu_read_unlock()
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
-+     * -> rcu_read_lock() -> ... sequences with expensive memory
+         progress |= aio_dispatch_handlers(ctx, event);
-+     * synchronization primitives.  Make the entire polling loop an RCU
+     } while (count > 0);
-+     * critical section because nested rcu_read_lock()/rcu_read_unlock() calls
-+     * are cheap.
+-    aio_context_acquire(ctx);
-+     */
+     progress |= timerlistgroup_run_timers(&ctx->tlg);
-+    RCU_READ_LOCK_GUARD();
+-    aio_context_release(ctx);
-+
+     return progress;
-     QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
+ }
-         if (!node->deleted && node->io_poll &&
-             aio_node_check(ctx, node->is_external) &&
+diff --git a/util/qemu-coroutine-sleep.c b/util/qemu-coroutine-sleep.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/qemu-coroutine-sleep.c
 +++ b/util/qemu-coroutine-sleep.c
@@ -XXX,XX +XXX,XX @@ static void co_sleep_cb(void *opaque)
  {
      CoSleepCB *sleep_cb = opaque;
 -    qemu_coroutine_enter(sleep_cb->co);
 +    aio_co_wake(sleep_cb->co);
  }
  void coroutine_fn co_aio_sleep_ns(AioContext *ctx, QEMUClockType type,
 --
-.24.1
+.9.3

-[PULL 08/31] aio-posix: make AioHandler deletion O(1)
+[Qemu-devel] [PULL v2 13/24] block: explicitly acquire aiocontext in callbacks that need it
-It is not necessary to scan all AioHandlers for deletion.  Keep a list
+From: Paolo Bonzini <pbonzini@redhat.com>
 of deleted handlers instead of scanning the full list of all handlers.
-The AioHandler->deleted field can be dropped.  Let's check if the
+This covers both file descriptor callbacks and polling callbacks,
-handler has been inserted into the deleted list instead.  Add a new
+since they execute related code.
 QLIST_IS_INSERTED() API for this check.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Sergio Lopez <slp@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20200214171712.541358-5-stefanha@redhat.com
+Reviewed-by: Fam Zheng <famz@redhat.com>
 Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
 Message-id: 20170213135235.12274-14-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- include/block/aio.h  |  6 ++++-
+ block/curl.c          | 16 +++++++++++++---
- include/qemu/queue.h |  3 +++
+ block/iscsi.c         |  4 ++++
- util/aio-posix.c     | 53 +++++++++++++++++++++++++++++---------------
+ block/linux-aio.c     |  4 ++++
-files changed, 43 insertions(+), 19 deletions(-)
+ block/nfs.c           |  6 ++++++
  block/sheepdog.c      | 29 +++++++++++++++--------------
  block/ssh.c           | 29 +++++++++--------------------
  block/win32-aio.c     | 10 ++++++----
  hw/block/virtio-blk.c |  5 ++++-
  hw/scsi/virtio-scsi.c |  7 +++++++
  util/aio-posix.c      |  7 -------
  util/aio-win32.c      |  6 ------
 files changed, 68 insertions(+), 55 deletions(-)
-diff --git a/include/block/aio.h b/include/block/aio.h
+diff --git a/block/curl.c b/block/curl.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/block/aio.h
+--- a/block/curl.c
-+++ b/include/block/aio.h
++++ b/block/curl.c
-@@ -XXX,XX +XXX,XX @@ void qemu_aio_unref(void *p);
+@@ -XXX,XX +XXX,XX @@ static void curl_multi_check_completion(BDRVCURLState *s)
- void qemu_aio_ref(void *p);
+     }
+ }
- typedef struct AioHandler AioHandler;
-+typedef QLIST_HEAD(, AioHandler) AioHandlerList;
+-static void curl_multi_do(void *arg)
- typedef void QEMUBHFunc(void *opaque);
++static void curl_multi_do_locked(CURLState *s)
- typedef bool AioPollFn(void *opaque);
+ {
- typedef void IOHandler(void *opaque);
+-    CURLState *s = (CURLState *)arg;
-@@ -XXX,XX +XXX,XX @@ struct AioContext {
+     CURLSocket *socket, *next_socket;
-     QemuRecMutex lock;
+     int running;
+     int r;
-     /* The list of registered AIO handlers.  Protected by ctx->list_lock. */
+@@ -XXX,XX +XXX,XX @@ static void curl_multi_do(void *arg)
--    QLIST_HEAD(, AioHandler) aio_handlers;
+     }
-+    AioHandlerList aio_handlers;
+ }
-+
-+    /* The list of AIO handlers to be deleted.  Protected by ctx->list_lock. */
++static void curl_multi_do(void *arg)
-+    AioHandlerList deleted_aio_handlers;
++{
++    CURLState *s = (CURLState *)arg;
-     /* Used to avoid unnecessary event_notifier_set calls in aio_notify;
++
-      * accessed with atomic primitives.  If this field is 0, everything
++    aio_context_acquire(s->s->aio_context);
-diff --git a/include/qemu/queue.h b/include/qemu/queue.h
++    curl_multi_do_locked(s);
-index XXXXXXX..XXXXXXX 100644
++    aio_context_release(s->s->aio_context);
---- a/include/qemu/queue.h
++}
-+++ b/include/qemu/queue.h
++
-@@ -XXX,XX +XXX,XX @@ struct {                                                                \
+ static void curl_multi_read(void *arg)
-         }                                                               \
+ {
- } while (/*CONSTCOND*/0)
+     CURLState *s = (CURLState *)arg;
-+/* Is elm in a list? */
+-    curl_multi_do(arg);
-+#define QLIST_IS_INSERTED(elm, field) ((elm)->field.le_prev != NULL)
++    aio_context_acquire(s->s->aio_context);
-+
++    curl_multi_do_locked(s);
- #define QLIST_FOREACH(var, head, field)                                 \
+     curl_multi_check_completion(s->s);
-         for ((var) = ((head)->lh_first);                                \
++    aio_context_release(s->s->aio_context);
-                 (var);                                                  \
+ }
  static void curl_multi_timeout_do(void *arg)
 diff --git a/block/iscsi.c b/block/iscsi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/iscsi.c
 +++ b/block/iscsi.c
@@ -XXX,XX +XXX,XX @@ iscsi_process_read(void *arg)
      IscsiLun *iscsilun = arg;
      struct iscsi_context *iscsi = iscsilun->iscsi;
 +    aio_context_acquire(iscsilun->aio_context);
      iscsi_service(iscsi, POLLIN);
      iscsi_set_events(iscsilun);
 +    aio_context_release(iscsilun->aio_context);
  }
  static void
@@ -XXX,XX +XXX,XX @@ iscsi_process_write(void *arg)
      IscsiLun *iscsilun = arg;
      struct iscsi_context *iscsi = iscsilun->iscsi;
 +    aio_context_acquire(iscsilun->aio_context);
      iscsi_service(iscsi, POLLOUT);
      iscsi_set_events(iscsilun);
 +    aio_context_release(iscsilun->aio_context);
  }
  static int64_t sector_lun2qemu(int64_t sector, IscsiLun *iscsilun)
 diff --git a/block/linux-aio.c b/block/linux-aio.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/linux-aio.c
 +++ b/block/linux-aio.c
@@ -XXX,XX +XXX,XX @@ static void qemu_laio_completion_cb(EventNotifier *e)
      LinuxAioState *s = container_of(e, LinuxAioState, e);
      if (event_notifier_test_and_clear(&s->e)) {
 +        aio_context_acquire(s->aio_context);
          qemu_laio_process_completions_and_submit(s);
 +        aio_context_release(s->aio_context);
      }
  }
@@ -XXX,XX +XXX,XX @@ static bool qemu_laio_poll_cb(void *opaque)
          return false;
      }
 +    aio_context_acquire(s->aio_context);
      qemu_laio_process_completions_and_submit(s);
 +    aio_context_release(s->aio_context);
      return true;
  }
 diff --git a/block/nfs.c b/block/nfs.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/nfs.c
 +++ b/block/nfs.c
@@ -XXX,XX +XXX,XX @@ static void nfs_set_events(NFSClient *client)
  static void nfs_process_read(void *arg)
  {
      NFSClient *client = arg;
 +
 +    aio_context_acquire(client->aio_context);
      nfs_service(client->context, POLLIN);
      nfs_set_events(client);
 +    aio_context_release(client->aio_context);
  }
  static void nfs_process_write(void *arg)
  {
      NFSClient *client = arg;
 +
 +    aio_context_acquire(client->aio_context);
      nfs_service(client->context, POLLOUT);
      nfs_set_events(client);
 +    aio_context_release(client->aio_context);
  }
  static void nfs_co_init_task(BlockDriverState *bs, NFSRPC *task)
 diff --git a/block/sheepdog.c b/block/sheepdog.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/sheepdog.c
 +++ b/block/sheepdog.c
@@ -XXX,XX +XXX,XX @@ static coroutine_fn int send_co_req(int sockfd, SheepdogReq *hdr, void *data,
      return ret;
  }
 -static void restart_co_req(void *opaque)
 -{
 -    Coroutine *co = opaque;
 -
 -    qemu_coroutine_enter(co);
 -}
 -
  typedef struct SheepdogReqCo {
      int sockfd;
      BlockDriverState *bs;
@@ -XXX,XX +XXX,XX @@ typedef struct SheepdogReqCo {
      unsigned int *rlen;
      int ret;
      bool finished;
 +    Coroutine *co;
  } SheepdogReqCo;
 +static void restart_co_req(void *opaque)
 +{
 +    SheepdogReqCo *srco = opaque;
 +
 +    aio_co_wake(srco->co);
 +}
 +
  static coroutine_fn void do_co_req(void *opaque)
  {
      int ret;
 -    Coroutine *co;
      SheepdogReqCo *srco = opaque;
      int sockfd = srco->sockfd;
      SheepdogReq *hdr = srco->hdr;
@@ -XXX,XX +XXX,XX @@ static coroutine_fn void do_co_req(void *opaque)
      unsigned int *wlen = srco->wlen;
      unsigned int *rlen = srco->rlen;
 -    co = qemu_coroutine_self();
 +    srco->co = qemu_coroutine_self();
      aio_set_fd_handler(srco->aio_context, sockfd, false,
 -                       NULL, restart_co_req, NULL, co);
 +                       NULL, restart_co_req, NULL, srco);
      ret = send_co_req(sockfd, hdr, data, wlen);
      if (ret < 0) {
@@ -XXX,XX +XXX,XX @@ static coroutine_fn void do_co_req(void *opaque)
      }
      aio_set_fd_handler(srco->aio_context, sockfd, false,
 -                       restart_co_req, NULL, NULL, co);
 +                       restart_co_req, NULL, NULL, srco);
      ret = qemu_co_recv(sockfd, hdr, sizeof(*hdr));
      if (ret != sizeof(*hdr)) {
@@ -XXX,XX +XXX,XX @@ out:
      aio_set_fd_handler(srco->aio_context, sockfd, false,
                         NULL, NULL, NULL, NULL);
 +    srco->co = NULL;
      srco->ret = ret;
      srco->finished = true;
      if (srco->bs) {
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn aio_read_response(void *opaque)
           * We've finished all requests which belong to the AIOCB, so
           * we can switch back to sd_co_readv/writev now.
           */
 -        qemu_coroutine_enter(acb->coroutine);
 +        aio_co_wake(acb->coroutine);
      }
      return;
@@ -XXX,XX +XXX,XX @@ static void co_read_response(void *opaque)
          s->co_recv = qemu_coroutine_create(aio_read_response, opaque);
      }
 -    qemu_coroutine_enter(s->co_recv);
 +    aio_co_wake(s->co_recv);
  }
  static void co_write_request(void *opaque)
  {
      BDRVSheepdogState *s = opaque;
 -    qemu_coroutine_enter(s->co_send);
 +    aio_co_wake(s->co_send);
  }
  /*
 diff --git a/block/ssh.c b/block/ssh.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/ssh.c
 +++ b/block/ssh.c
@@ -XXX,XX +XXX,XX @@ static void restart_coroutine(void *opaque)
      DPRINTF("co=%p", co);
 -    qemu_coroutine_enter(co);
 +    aio_co_wake(co);
  }
 -static coroutine_fn void set_fd_handler(BDRVSSHState *s, BlockDriverState *bs)
 +/* A non-blocking call returned EAGAIN, so yield, ensuring the
 + * handlers are set up so that we'll be rescheduled when there is an
 + * interesting event on the socket.
 + */
 +static coroutine_fn void co_yield(BDRVSSHState *s, BlockDriverState *bs)
  {
      int r;
      IOHandler *rd_handler = NULL, *wr_handler = NULL;
@@ -XXX,XX +XXX,XX @@ static coroutine_fn void set_fd_handler(BDRVSSHState *s, BlockDriverState *bs)
      aio_set_fd_handler(bdrv_get_aio_context(bs), s->sock,
                         false, rd_handler, wr_handler, NULL, co);
 -}
 -
 -static coroutine_fn void clear_fd_handler(BDRVSSHState *s,
 -                                          BlockDriverState *bs)
 -{
 -    DPRINTF("s->sock=%d", s->sock);
 -    aio_set_fd_handler(bdrv_get_aio_context(bs), s->sock,
 -                       false, NULL, NULL, NULL, NULL);
 -}
 -
 -/* A non-blocking call returned EAGAIN, so yield, ensuring the
 - * handlers are set up so that we'll be rescheduled when there is an
 - * interesting event on the socket.
 - */
 -static coroutine_fn void co_yield(BDRVSSHState *s, BlockDriverState *bs)
 -{
 -    set_fd_handler(s, bs);
      qemu_coroutine_yield();
 -    clear_fd_handler(s, bs);
 +    DPRINTF("s->sock=%d - back", s->sock);
 +    aio_set_fd_handler(bdrv_get_aio_context(bs), s->sock, false,
 +                       NULL, NULL, NULL, NULL);
  }
  /* SFTP has a function `libssh2_sftp_seek64' which seeks to a position
 diff --git a/block/win32-aio.c b/block/win32-aio.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/win32-aio.c
 +++ b/block/win32-aio.c
@@ -XXX,XX +XXX,XX @@ struct QEMUWin32AIOState {
      HANDLE hIOCP;
      EventNotifier e;
      int count;
 -    bool is_aio_context_attached;
 +    AioContext *aio_ctx;
  };
  typedef struct QEMUWin32AIOCB {
@@ -XXX,XX +XXX,XX @@ static void win32_aio_process_completion(QEMUWin32AIOState *s,
      }
 +    aio_context_acquire(s->aio_ctx);
      waiocb->common.cb(waiocb->common.opaque, ret);
 +    aio_context_release(s->aio_ctx);
      qemu_aio_unref(waiocb);
  }
@@ -XXX,XX +XXX,XX @@ void win32_aio_detach_aio_context(QEMUWin32AIOState *aio,
                                    AioContext *old_context)
  {
      aio_set_event_notifier(old_context, &aio->e, false, NULL, NULL);
 -    aio->is_aio_context_attached = false;
 +    aio->aio_ctx = NULL;
  }
  void win32_aio_attach_aio_context(QEMUWin32AIOState *aio,
                                    AioContext *new_context)
  {
 -    aio->is_aio_context_attached = true;
 +    aio->aio_ctx = new_context;
      aio_set_event_notifier(new_context, &aio->e, false,
                             win32_aio_completion_cb, NULL);
  }
@@ -XXX,XX +XXX,XX @@ out_free_state:
  void win32_aio_cleanup(QEMUWin32AIOState *aio)
  {
 -    assert(!aio->is_aio_context_attached);
 +    assert(!aio->aio_ctx);
      CloseHandle(aio->hIOCP);
      event_notifier_cleanup(&aio->e);
      g_free(aio);
 diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/block/virtio-blk.c
 +++ b/hw/block/virtio-blk.c
@@ -XXX,XX +XXX,XX @@ static void virtio_blk_ioctl_complete(void *opaque, int status)
  {
      VirtIOBlockIoctlReq *ioctl_req = opaque;
      VirtIOBlockReq *req = ioctl_req->req;
 -    VirtIODevice *vdev = VIRTIO_DEVICE(req->dev);
 +    VirtIOBlock *s = req->dev;
 +    VirtIODevice *vdev = VIRTIO_DEVICE(s);
      struct virtio_scsi_inhdr *scsi;
      struct sg_io_hdr *hdr;
@@ -XXX,XX +XXX,XX @@ bool virtio_blk_handle_vq(VirtIOBlock *s, VirtQueue *vq)
      MultiReqBuffer mrb = {};
      bool progress = false;
 +    aio_context_acquire(blk_get_aio_context(s->blk));
      blk_io_plug(s->blk);
      do {
@@ -XXX,XX +XXX,XX @@ bool virtio_blk_handle_vq(VirtIOBlock *s, VirtQueue *vq)
      }
      blk_io_unplug(s->blk);
 +    aio_context_release(blk_get_aio_context(s->blk));
      return progress;
  }
 diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/scsi/virtio-scsi.c
 +++ b/hw/scsi/virtio-scsi.c
@@ -XXX,XX +XXX,XX @@ bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
      VirtIOSCSIReq *req;
      bool progress = false;
 +    virtio_scsi_acquire(s);
      while ((req = virtio_scsi_pop_req(s, vq))) {
          progress = true;
          virtio_scsi_handle_ctrl_req(s, req);
      }
 +    virtio_scsi_release(s);
      return progress;
  }
@@ -XXX,XX +XXX,XX @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
      QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
 +    virtio_scsi_acquire(s);
      do {
          virtio_queue_set_notification(vq, 0);
@@ -XXX,XX +XXX,XX @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
      QTAILQ_FOREACH_SAFE(req, &reqs, next, next) {
          virtio_scsi_handle_cmd_req_submit(s, req);
      }
 +    virtio_scsi_release(s);
      return progress;
  }
@@ -XXX,XX +XXX,XX @@ out:
  bool virtio_scsi_handle_event_vq(VirtIOSCSI *s, VirtQueue *vq)
  {
 +    virtio_scsi_acquire(s);
      if (s->events_dropped) {
          virtio_scsi_push_event(s, NULL, VIRTIO_SCSI_T_NO_EVENT, 0);
 +        virtio_scsi_release(s);
          return true;
      }
 +    virtio_scsi_release(s);
      return false;
  }
 diff --git a/util/aio-posix.c b/util/aio-posix.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/aio-posix.c
 +++ b/util/aio-posix.c
-@@ -XXX,XX +XXX,XX @@ struct AioHandler
-     AioPollFn *io_poll;
-     IOHandler *io_poll_begin;
-     IOHandler *io_poll_end;
--    int deleted;
-     void *opaque;
-     bool is_external;
-     QLIST_ENTRY(AioHandler) node;
-+    QLIST_ENTRY(AioHandler) node_deleted;
- };
- #ifdef CONFIG_EPOLL_CREATE1
-@@ -XXX,XX +XXX,XX @@ static bool aio_epoll_try_enable(AioContext *ctx)
-     QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
-         int r;
--        if (node->deleted || !node->pfd.events) {
-+        if (QLIST_IS_INSERTED(node, node_deleted) || !node->pfd.events) {
-             continue;
-         }
-         event.events = epoll_events_from_pfd(node->pfd.events);
-@@ -XXX,XX +XXX,XX @@ static AioHandler *find_aio_handler(AioContext *ctx, int fd)
-     AioHandler *node;
-     QLIST_FOREACH(node, &ctx->aio_handlers, node) {
--        if (node->pfd.fd == fd)
--            if (!node->deleted)
-+        if (node->pfd.fd == fd) {
-+            if (!QLIST_IS_INSERTED(node, node_deleted)) {
-                 return node;
-+            }
-+        }
-     }
-     return NULL;
-@@ -XXX,XX +XXX,XX @@ static bool aio_remove_fd_handler(AioContext *ctx, AioHandler *node)
-     /* If a read is in progress, just mark the node as deleted */
-     if (qemu_lockcnt_count(&ctx->list_lock)) {
--        node->deleted = 1;
-+        QLIST_INSERT_HEAD_RCU(&ctx->deleted_aio_handlers, node, node_deleted);
-         node->pfd.revents = 0;
-         return false;
-     }
-@@ -XXX,XX +XXX,XX @@ static void poll_set_started(AioContext *ctx, bool started)
-     QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
-         IOHandler *fn;
--        if (node->deleted) {
-+        if (QLIST_IS_INSERTED(node, node_deleted)) {
-             continue;
-         }
-@@ -XXX,XX +XXX,XX @@ bool aio_pending(AioContext *ctx)
-     return result;
- }
-+static void aio_free_deleted_handlers(AioContext *ctx)
-+{
-+    AioHandler *node;
-+
-+    if (QLIST_EMPTY_RCU(&ctx->deleted_aio_handlers)) {
-+        return;
-+    }
-+    if (!qemu_lockcnt_dec_if_lock(&ctx->list_lock)) {
-+        return; /* we are nested, let the parent do the freeing */
-+    }
-+
-+    while ((node = QLIST_FIRST_RCU(&ctx->deleted_aio_handlers))) {
-+        QLIST_REMOVE(node, node);
-+        QLIST_REMOVE(node, node_deleted);
-+        g_free(node);
-+    }
-+
-+    qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
-+}
-+
- static bool aio_dispatch_handlers(AioContext *ctx)
- {
-     AioHandler *node, *tmp;
 @@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
-         revents = node->pfd.revents & node->pfd.events;
-         node->pfd.revents = 0;
--        if (!node->deleted &&
-+        if (!QLIST_IS_INSERTED(node, node_deleted) &&
              (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR)) &&
              aio_node_check(ctx, node->is_external) &&
              node->io_read) {
+-            aio_context_acquire(ctx);
+             node->io_read(node->opaque);
+-            aio_context_release(ctx);
+             /* aio_notify() does not count as progress */
+             if (node->opaque != &ctx->notifier) {
 @@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
-                 progress = true;
-             }
-         }
--        if (!node->deleted &&
-+        if (!QLIST_IS_INSERTED(node, node_deleted) &&
              (revents & (G_IO_OUT | G_IO_ERR)) &&
              aio_node_check(ctx, node->is_external) &&
              node->io_write) {
+-            aio_context_acquire(ctx);
              node->io_write(node->opaque);
+-            aio_context_release(ctx);
              progress = true;
          }
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
+         start = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
+     }
+-    aio_context_acquire(ctx);
+     progress = try_poll_mode(ctx, blocking);
+-    aio_context_release(ctx);
 -
--        if (node->deleted) {
+     if (!progress) {
--            if (qemu_lockcnt_dec_if_lock(&ctx->list_lock)) {
+         assert(npfd == 0);
--                QLIST_REMOVE(node, node);
--                g_free(node);
+diff --git a/util/aio-win32.c b/util/aio-win32.c
--                qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
+index XXXXXXX..XXXXXXX 100644
--            }
+--- a/util/aio-win32.c
--        }
++++ b/util/aio-win32.c
-     }
+@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
+             (revents || event_notifier_get_handle(node->e) == event) &&
-     return progress;
+             node->io_notify) {
-@@ -XXX,XX +XXX,XX @@ void aio_dispatch(AioContext *ctx)
+             node->pfd.revents = 0;
-     qemu_lockcnt_inc(&ctx->list_lock);
+-            aio_context_acquire(ctx);
-     aio_bh_poll(ctx);
+             node->io_notify(node->e);
-     aio_dispatch_handlers(ctx);
+-            aio_context_release(ctx);
-+    aio_free_deleted_handlers(ctx);
-     qemu_lockcnt_dec(&ctx->list_lock);
+             /* aio_notify() does not count as progress */
+             if (node->e != &ctx->notifier) {
-     timerlistgroup_run_timers(&ctx->tlg);
+@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
-@@ -XXX,XX +XXX,XX @@ static bool run_poll_handlers_once(AioContext *ctx, int64_t *timeout)
+             (node->io_read || node->io_write)) {
-     RCU_READ_LOCK_GUARD();
+             node->pfd.revents = 0;
+             if ((revents & G_IO_IN) && node->io_read) {
-     QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
+-                aio_context_acquire(ctx);
--        if (!node->deleted && node->io_poll &&
+                 node->io_read(node->opaque);
-+        if (!QLIST_IS_INSERTED(node, node_deleted) && node->io_poll &&
+-                aio_context_release(ctx);
-             aio_node_check(ctx, node->is_external) &&
+                 progress = true;
-             node->io_poll(node->opaque)) {
+             }
-             /*
+             if ((revents & G_IO_OUT) && node->io_write) {
-@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
+-                aio_context_acquire(ctx);
+                 node->io_write(node->opaque);
-         if (!aio_epoll_enabled(ctx)) {
+-                aio_context_release(ctx);
-             QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
+                 progress = true;
--                if (!node->deleted && node->pfd.events
+             }
-+                if (!QLIST_IS_INSERTED(node, node_deleted) && node->pfd.events
                      && aio_node_check(ctx, node->is_external)) {
                      add_pollfd(node);
                  }
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
          progress |= aio_dispatch_handlers(ctx);
      }
 +    aio_free_deleted_handlers(ctx);
 +
      qemu_lockcnt_dec(&ctx->list_lock);
      progress |= timerlistgroup_run_timers(&ctx->tlg);
 --
-.24.1
+.9.3

-[PULL 30/31] fuzz: add virtio-scsi fuzz target
+[Qemu-devel] [PULL v2 14/24] block: explicitly acquire aiocontext in bottom halves that need it
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-The virtio-scsi fuzz target sets up and fuzzes the available virtio-scsi
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-queues. After an element is placed on a queue, the fuzzer can select
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-whether to perform a kick, or continue adding elements.
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Message-id: 20170213135235.12274-15-pbonzini@redhat.com
 Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
 Message-id: 20200220041118.23264-22-alxndr@bu.edu
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- tests/qtest/fuzz/Makefile.include   |   1 +
+ block/archipelago.c   |  3 +++
- tests/qtest/fuzz/virtio_scsi_fuzz.c | 213 ++++++++++++++++++++++++++++
+ block/blkreplay.c     |  2 +-
-files changed, 214 insertions(+)
+ block/block-backend.c |  6 ++++++
- create mode 100644 tests/qtest/fuzz/virtio_scsi_fuzz.c
+ block/curl.c          | 26 ++++++++++++++++++--------
  block/gluster.c       |  9 +--------
  block/io.c            |  6 +++++-
  block/iscsi.c         |  6 +++++-
  block/linux-aio.c     | 15 +++++++++------
  block/nfs.c           |  3 ++-
  block/null.c          |  4 ++++
  block/qed.c           |  3 +++
  block/rbd.c           |  4 ++++
  dma-helpers.c         |  2 ++
  hw/block/virtio-blk.c |  2 ++
  hw/scsi/scsi-bus.c    |  2 ++
  util/async.c          |  4 ++--
  util/thread-pool.c    |  2 ++
 files changed, 71 insertions(+), 28 deletions(-)
-diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
+diff --git a/block/archipelago.c b/block/archipelago.c
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/fuzz/Makefile.include
+--- a/block/archipelago.c
-+++ b/tests/qtest/fuzz/Makefile.include
++++ b/block/archipelago.c
-@@ -XXX,XX +XXX,XX @@ fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
+@@ -XXX,XX +XXX,XX @@ static void qemu_archipelago_complete_aio(void *opaque)
- # Targets
+ {
- fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o
+     AIORequestData *reqdata = (AIORequestData *) opaque;
- fuzz-obj-y += tests/qtest/fuzz/virtio_net_fuzz.o
+     ArchipelagoAIOCB *aio_cb = (ArchipelagoAIOCB *) reqdata->aio_cb;
-+fuzz-obj-y += tests/qtest/fuzz/virtio_scsi_fuzz.o
++    AioContext *ctx = bdrv_get_aio_context(aio_cb->common.bs);
- FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
++    aio_context_acquire(ctx);
+     aio_cb->common.cb(aio_cb->common.opaque, aio_cb->ret);
-diff --git a/tests/qtest/fuzz/virtio_scsi_fuzz.c b/tests/qtest/fuzz/virtio_scsi_fuzz.c
++    aio_context_release(ctx);
-new file mode 100644
+     aio_cb->status = 0;
-index XXXXXXX..XXXXXXX
---- /dev/null
+     qemu_aio_unref(aio_cb);
-+++ b/tests/qtest/fuzz/virtio_scsi_fuzz.c
+diff --git a/block/blkreplay.c b/block/blkreplay.c
-@@ -XXX,XX +XXX,XX @@
+index XXXXXXX..XXXXXXX 100755
-+/*
+--- a/block/blkreplay.c
-+ * virtio-serial Fuzzing Target
++++ b/block/blkreplay.c
-+ *
+@@ -XXX,XX +XXX,XX @@ static int64_t blkreplay_getlength(BlockDriverState *bs)
-+ * Copyright Red Hat Inc., 2019
+ static void blkreplay_bh_cb(void *opaque)
-+ *
+ {
-+ * Authors:
+     Request *req = opaque;
-+ *  Alexander Bulekov   <alxndr@bu.edu>
+-    qemu_coroutine_enter(req->co);
-+ *
++    aio_co_wake(req->co);
-+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+     qemu_bh_delete(req->bh);
-+ * See the COPYING file in the top-level directory.
+     g_free(req);
-+ */
+ }
-+
+diff --git a/block/block-backend.c b/block/block-backend.c
-+#include "qemu/osdep.h"
+index XXXXXXX..XXXXXXX 100644
-+
+--- a/block/block-backend.c
-+#include "tests/qtest/libqtest.h"
++++ b/block/block-backend.c
-+#include "libqos/virtio-scsi.h"
+@@ -XXX,XX +XXX,XX @@ int blk_make_zero(BlockBackend *blk, BdrvRequestFlags flags)
-+#include "libqos/virtio.h"
+ static void error_callback_bh(void *opaque)
-+#include "libqos/virtio-pci.h"
+ {
-+#include "standard-headers/linux/virtio_ids.h"
+     struct BlockBackendAIOCB *acb = opaque;
-+#include "standard-headers/linux/virtio_pci.h"
++    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
-+#include "standard-headers/linux/virtio_scsi.h"
-+#include "fuzz.h"
+     bdrv_dec_in_flight(acb->common.bs);
-+#include "fork_fuzz.h"
++    aio_context_acquire(ctx);
-+#include "qos_fuzz.h"
+     acb->common.cb(acb->common.opaque, acb->ret);
-+
++    aio_context_release(ctx);
-+#define PCI_SLOT                0x02
+     qemu_aio_unref(acb);
-+#define PCI_FN                  0x00
+ }
-+#define QVIRTIO_SCSI_TIMEOUT_US (1 * 1000 * 1000)
-+
+@@ -XXX,XX +XXX,XX @@ static void blk_aio_complete(BlkAioEmAIOCB *acb)
-+#define MAX_NUM_QUEUES 64
+ static void blk_aio_complete_bh(void *opaque)
-+
+ {
-+/* Based on tests/virtio-scsi-test.c */
+     BlkAioEmAIOCB *acb = opaque;
-+typedef struct {
++    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
-+    int num_queues;
-+    QVirtQueue *vq[MAX_NUM_QUEUES + 2];
+     assert(acb->has_returned);
-+} QVirtioSCSIQueues;
++    aio_context_acquire(ctx);
-+
+     blk_aio_complete(acb);
-+static QVirtioSCSIQueues *qvirtio_scsi_init(QVirtioDevice *dev, uint64_t mask)
++    aio_context_release(ctx);
-+{
+ }
-+    QVirtioSCSIQueues *vs;
-+    uint64_t feat;
+ static BlockAIOCB *blk_aio_prwv(BlockBackend *blk, int64_t offset, int bytes,
-+    int i;
+diff --git a/block/curl.c b/block/curl.c
-+
+index XXXXXXX..XXXXXXX 100644
-+    vs = g_new0(QVirtioSCSIQueues, 1);
+--- a/block/curl.c
-+
++++ b/block/curl.c
-+    feat = qvirtio_get_features(dev);
+@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
-+    if (mask) {
+ {
-+        feat &= ~QVIRTIO_F_BAD_FEATURE | mask;
+     CURLState *state;
-+    } else {
+     int running;
-+        feat &= ~(QVIRTIO_F_BAD_FEATURE | (1ull << VIRTIO_RING_F_EVENT_IDX));
++    int ret = -EINPROGRESS;
      CURLAIOCB *acb = p;
 -    BDRVCURLState *s = acb->common.bs->opaque;
 +    BlockDriverState *bs = acb->common.bs;
 +    BDRVCURLState *s = bs->opaque;
 +    AioContext *ctx = bdrv_get_aio_context(bs);
      size_t start = acb->sector_num * BDRV_SECTOR_SIZE;
      size_t end;
 +    aio_context_acquire(ctx);
 +
      // In case we have the requested data already (e.g. read-ahead),
      // we can just call the callback and be done.
      switch (curl_find_buf(s, start, acb->nb_sectors * BDRV_SECTOR_SIZE, acb)) {
@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
              qemu_aio_unref(acb);
              // fall through
          case FIND_RET_WAIT:
 -            return;
 +            goto out;
          default:
              break;
      }
@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
      // No cache found, so let's start a new request
      state = curl_init_state(acb->common.bs, s);
      if (!state) {
 -        acb->common.cb(acb->common.opaque, -EIO);
 -        qemu_aio_unref(acb);
 -        return;
 +        ret = -EIO;
 +        goto out;
      }
      acb->start = 0;
@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
      state->orig_buf = g_try_malloc(state->buf_len);
      if (state->buf_len && state->orig_buf == NULL) {
          curl_clean_state(state);
 -        acb->common.cb(acb->common.opaque, -ENOMEM);
 -        qemu_aio_unref(acb);
 -        return;
 +        ret = -ENOMEM;
 +        goto out;
      }
      state->acb[0] = acb;
@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
      /* Tell curl it needs to kick things off */
      curl_multi_socket_action(s->multi, CURL_SOCKET_TIMEOUT, 0, &running);
 +
 +out:
 +    if (ret != -EINPROGRESS) {
 +        acb->common.cb(acb->common.opaque, ret);
 +        qemu_aio_unref(acb);
 +    }
-+    qvirtio_set_features(dev, feat);
++    aio_context_release(ctx);
-+
+ }
-+    vs->num_queues = qvirtio_config_readl(dev, 0);
-+
+ static BlockAIOCB *curl_aio_readv(BlockDriverState *bs,
-+    for (i = 0; i < vs->num_queues + 2; i++) {
+diff --git a/block/gluster.c b/block/gluster.c
-+        vs->vq[i] = qvirtqueue_setup(dev, fuzz_qos_alloc, i);
+index XXXXXXX..XXXXXXX 100644
-+    }
+--- a/block/gluster.c
-+
++++ b/block/gluster.c
-+    qvirtio_set_driver_ok(dev);
+@@ -XXX,XX +XXX,XX @@ static struct glfs *qemu_gluster_init(BlockdevOptionsGluster *gconf,
-+
+     return qemu_gluster_glfs_init(gconf, errp);
-+    return vs;
+ }
-+}
-+
+-static void qemu_gluster_complete_aio(void *opaque)
-+static void virtio_scsi_fuzz(QTestState *s, QVirtioSCSIQueues* queues,
+-{
-+        const unsigned char *Data, size_t Size)
+-    GlusterAIOCB *acb = (GlusterAIOCB *)opaque;
-+{
+-
-+    /*
+-    qemu_coroutine_enter(acb->coroutine);
-+     * Data is a sequence of random bytes. We split them up into "actions",
+-}
-+     * followed by data:
+-
-+     * [vqa][dddddddd][vqa][dddd][vqa][dddddddddddd] ...
+ /*
-+     * The length of the data is specified by the preceding vqa.length
+  * AIO callback routine called from GlusterFS thread.
-+     */
+  */
-+    typedef struct vq_action {
+@@ -XXX,XX +XXX,XX @@ static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg)
-+        uint8_t queue;
+         acb->ret = -EIO; /* Partial read/write - fail it */
-+        uint8_t length;
+     }
-+        uint8_t write;
-+        uint8_t next;
+-    aio_bh_schedule_oneshot(acb->aio_context, qemu_gluster_complete_aio, acb);
-+        uint8_t kick;
++    aio_co_schedule(acb->aio_context, acb->coroutine);
-+    } vq_action;
+ }
-+
-+    /* Keep track of the free head for each queue we interact with */
+ static void qemu_gluster_parse_flags(int bdrv_flags, int *open_flags)
-+    bool vq_touched[MAX_NUM_QUEUES + 2] = {0};
+diff --git a/block/io.c b/block/io.c
-+    uint32_t free_head[MAX_NUM_QUEUES + 2];
+index XXXXXXX..XXXXXXX 100644
-+
+--- a/block/io.c
-+    QGuestAllocator *t_alloc = fuzz_qos_alloc;
++++ b/block/io.c
-+
+@@ -XXX,XX +XXX,XX @@ static void bdrv_co_drain_bh_cb(void *opaque)
-+    QVirtioSCSI *scsi = fuzz_qos_obj;
+     bdrv_dec_in_flight(bs);
-+    QVirtioDevice *dev = scsi->vdev;
+     bdrv_drained_begin(bs);
-+    QVirtQueue *q;
+     data->done = true;
-+    vq_action vqa;
+-    qemu_coroutine_enter(co);
-+    while (Size >= sizeof(vqa)) {
++    aio_co_wake(co);
-+        /* Copy the action, so we can normalize length, queue and flags */
+ }
-+        memcpy(&vqa, Data, sizeof(vqa));
-+
+ static void coroutine_fn bdrv_co_yield_to_drain(BlockDriverState *bs)
-+        Data += sizeof(vqa);
+@@ -XXX,XX +XXX,XX @@ static void bdrv_co_complete(BlockAIOCBCoroutine *acb)
-+        Size -= sizeof(vqa);
+ static void bdrv_co_em_bh(void *opaque)
-+
+ {
-+        vqa.queue = vqa.queue % queues->num_queues;
+     BlockAIOCBCoroutine *acb = opaque;
-+        /* Cap length at the number of remaining bytes in data */
++    BlockDriverState *bs = acb->common.bs;
-+        vqa.length = vqa.length >= Size ? Size : vqa.length;
++    AioContext *ctx = bdrv_get_aio_context(bs);
-+        vqa.write = vqa.write & 1;
-+        vqa.next = vqa.next & 1;
+     assert(!acb->need_bh);
-+        vqa.kick = vqa.kick & 1;
++    aio_context_acquire(ctx);
-+
+     bdrv_co_complete(acb);
-+
++    aio_context_release(ctx);
-+        q = queues->vq[vqa.queue];
+ }
-+
-+        /* Copy the data into ram, and place it on the virtqueue */
+ static void bdrv_co_maybe_schedule_bh(BlockAIOCBCoroutine *acb)
-+        uint64_t req_addr = guest_alloc(t_alloc, vqa.length);
+diff --git a/block/iscsi.c b/block/iscsi.c
-+        qtest_memwrite(s, req_addr, Data, vqa.length);
+index XXXXXXX..XXXXXXX 100644
-+        if (vq_touched[vqa.queue] == 0) {
+--- a/block/iscsi.c
-+            vq_touched[vqa.queue] = 1;
++++ b/block/iscsi.c
-+            free_head[vqa.queue] = qvirtqueue_add(s, q, req_addr, vqa.length,
+@@ -XXX,XX +XXX,XX @@ static void
-+                    vqa.write, vqa.next);
+ iscsi_bh_cb(void *p)
-+        } else {
+ {
-+            qvirtqueue_add(s, q, req_addr, vqa.length, vqa.write , vqa.next);
+     IscsiAIOCB *acb = p;
-+        }
++    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
-+
-+        if (vqa.kick) {
+     qemu_bh_delete(acb->bh);
-+            qvirtqueue_kick(s, dev, q, free_head[vqa.queue]);
-+            free_head[vqa.queue] = 0;
+     g_free(acb->buf);
-+        }
+     acb->buf = NULL;
-+        Data += vqa.length;
-+        Size -= vqa.length;
++    aio_context_acquire(ctx);
-+    }
+     acb->common.cb(acb->common.opaque, acb->status);
-+    /* In the end, kick each queue we interacted with */
++    aio_context_release(ctx);
-+    for (int i = 0; i < MAX_NUM_QUEUES + 2; i++) {
-+        if (vq_touched[i]) {
+     if (acb->task != NULL) {
-+            qvirtqueue_kick(s, dev, queues->vq[i], free_head[i]);
+         scsi_free_scsi_task(acb->task);
-+        }
+@@ -XXX,XX +XXX,XX @@ iscsi_schedule_bh(IscsiAIOCB *acb)
-+    }
+ static void iscsi_co_generic_bh_cb(void *opaque)
-+}
+ {
-+
+     struct IscsiTask *iTask = opaque;
-+static void virtio_scsi_fork_fuzz(QTestState *s,
++
-+        const unsigned char *Data, size_t Size)
+     iTask->complete = 1;
-+{
+-    qemu_coroutine_enter(iTask->co);
-+    QVirtioSCSI *scsi = fuzz_qos_obj;
++    aio_co_wake(iTask->co);
-+    static QVirtioSCSIQueues *queues;
+ }
-+    if (!queues) {
-+        queues = qvirtio_scsi_init(scsi->vdev, 0);
+ static void iscsi_retry_timer_expired(void *opaque)
-+    }
+diff --git a/block/linux-aio.c b/block/linux-aio.c
-+    if (fork() == 0) {
+index XXXXXXX..XXXXXXX 100644
-+        virtio_scsi_fuzz(s, queues, Data, Size);
+--- a/block/linux-aio.c
-+        flush_events(s);
++++ b/block/linux-aio.c
-+        _Exit(0);
+@@ -XXX,XX +XXX,XX @@ struct LinuxAioState {
-+    } else {
+     io_context_t ctx;
-+        wait(NULL);
+     EventNotifier e;
-+    }
-+}
+-    /* io queue for submit at batch */
-+
++    /* io queue for submit at batch.  Protected by AioContext lock. */
-+static void virtio_scsi_with_flag_fuzz(QTestState *s,
+     LaioQueue io_q;
-+        const unsigned char *Data, size_t Size)
-+{
+-    /* I/O completion processing */
-+    QVirtioSCSI *scsi = fuzz_qos_obj;
++    /* I/O completion processing.  Only runs in I/O thread.  */
-+    static QVirtioSCSIQueues *queues;
+     QEMUBH *completion_bh;
-+
+     int event_idx;
-+    if (fork() == 0) {
+     int event_max;
-+        if (Size >= sizeof(uint64_t)) {
+@@ -XXX,XX +XXX,XX @@ static inline ssize_t io_event_ret(struct io_event *ev)
-+            queues = qvirtio_scsi_init(scsi->vdev, *(uint64_t *)Data);
+  */
-+            virtio_scsi_fuzz(s, queues,
+ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
-+                             Data + sizeof(uint64_t), Size - sizeof(uint64_t));
+ {
-+            flush_events(s);
++    LinuxAioState *s = laiocb->ctx;
-+        }
+     int ret;
-+        _Exit(0);
-+    } else {
+     ret = laiocb->ret;
-+        wait(NULL);
+@@ -XXX,XX +XXX,XX @@ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
-+    }
+     }
-+}
-+
+     laiocb->ret = ret;
-+static void virtio_scsi_pre_fuzz(QTestState *s)
++    aio_context_acquire(s->aio_context);
-+{
+     if (laiocb->co) {
-+    qos_init_path(s);
+         /* If the coroutine is already entered it must be in ioq_submit() and
-+    counter_shm_init();
+          * will notice laio->ret has been filled in when it eventually runs
-+}
+@@ -XXX,XX +XXX,XX @@ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
-+
+         laiocb->common.cb(laiocb->common.opaque, ret);
-+static void *virtio_scsi_test_setup(GString *cmd_line, void *arg)
+         qemu_aio_unref(laiocb);
-+{
+     }
-+    g_string_append(cmd_line,
++    aio_context_release(s->aio_context);
-+                    " -drive file=blkdebug::null-co://,"
+ }
-+                    "file.image.read-zeroes=on,"
-+                    "if=none,id=dr1,format=raw,file.align=4k "
+ /**
-+                    "-device scsi-hd,drive=dr1,lun=0,scsi-id=1");
+@@ -XXX,XX +XXX,XX @@ static void qemu_laio_process_completions(LinuxAioState *s)
-+    return arg;
+ static void qemu_laio_process_completions_and_submit(LinuxAioState *s)
-+}
+ {
-+
+     qemu_laio_process_completions(s);
 +
-+static void register_virtio_scsi_fuzz_targets(void)
++    aio_context_acquire(s->aio_context);
-+{
+     if (!s->io_q.plugged && !QSIMPLEQ_EMPTY(&s->io_q.pending)) {
-+    fuzz_add_qos_target(&(FuzzTarget){
+         ioq_submit(s);
-+                .name = "virtio-scsi-fuzz",
+     }
-+                .description = "Fuzz the virtio-scsi virtual queues, forking"
++    aio_context_release(s->aio_context);
-+                                "for each fuzz run",
+ }
-+                .pre_vm_init = &counter_shm_init,
-+                .pre_fuzz = &virtio_scsi_pre_fuzz,
+ static void qemu_laio_completion_bh(void *opaque)
-+                .fuzz = virtio_scsi_fork_fuzz,},
+@@ -XXX,XX +XXX,XX @@ static void qemu_laio_completion_cb(EventNotifier *e)
-+                "virtio-scsi",
+     LinuxAioState *s = container_of(e, LinuxAioState, e);
-+                &(QOSGraphTestOptions){.before = virtio_scsi_test_setup}
-+                );
+     if (event_notifier_test_and_clear(&s->e)) {
-+
+-        aio_context_acquire(s->aio_context);
-+    fuzz_add_qos_target(&(FuzzTarget){
+         qemu_laio_process_completions_and_submit(s);
-+                .name = "virtio-scsi-flags-fuzz",
+-        aio_context_release(s->aio_context);
-+                .description = "Fuzz the virtio-scsi virtual queues, forking"
+     }
-+                "for each fuzz run (also fuzzes the virtio flags)",
+ }
-+                .pre_vm_init = &counter_shm_init,
-+                .pre_fuzz = &virtio_scsi_pre_fuzz,
+@@ -XXX,XX +XXX,XX @@ static bool qemu_laio_poll_cb(void *opaque)
-+                .fuzz = virtio_scsi_with_flag_fuzz,},
+         return false;
-+                "virtio-scsi",
+     }
-+                &(QOSGraphTestOptions){.before = virtio_scsi_test_setup}
-+                );
+-    aio_context_acquire(s->aio_context);
-+}
+     qemu_laio_process_completions_and_submit(s);
-+
+-    aio_context_release(s->aio_context);
-+fuzz_target_init(register_virtio_scsi_fuzz_targets);
+     return true;
  }
@@ -XXX,XX +XXX,XX @@ void laio_detach_aio_context(LinuxAioState *s, AioContext *old_context)
  {
      aio_set_event_notifier(old_context, &s->e, false, NULL, NULL);
      qemu_bh_delete(s->completion_bh);
 +    s->aio_context = NULL;
  }
  void laio_attach_aio_context(LinuxAioState *s, AioContext *new_context)
 diff --git a/block/nfs.c b/block/nfs.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/nfs.c
 +++ b/block/nfs.c
@@ -XXX,XX +XXX,XX @@ static void nfs_co_init_task(BlockDriverState *bs, NFSRPC *task)
  static void nfs_co_generic_bh_cb(void *opaque)
  {
      NFSRPC *task = opaque;
 +
      task->complete = 1;
 -    qemu_coroutine_enter(task->co);
 +    aio_co_wake(task->co);
  }
  static void
 diff --git a/block/null.c b/block/null.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/null.c
 +++ b/block/null.c
@@ -XXX,XX +XXX,XX @@ static const AIOCBInfo null_aiocb_info = {
  static void null_bh_cb(void *opaque)
  {
      NullAIOCB *acb = opaque;
 +    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
 +
 +    aio_context_acquire(ctx);
      acb->common.cb(acb->common.opaque, 0);
 +    aio_context_release(ctx);
      qemu_aio_unref(acb);
  }
 diff --git a/block/qed.c b/block/qed.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/qed.c
 +++ b/block/qed.c
@@ -XXX,XX +XXX,XX @@ static void qed_update_l2_table(BDRVQEDState *s, QEDTable *table, int index,
  static void qed_aio_complete_bh(void *opaque)
  {
      QEDAIOCB *acb = opaque;
 +    BDRVQEDState *s = acb_to_s(acb);
      BlockCompletionFunc *cb = acb->common.cb;
      void *user_opaque = acb->common.opaque;
      int ret = acb->bh_ret;
@@ -XXX,XX +XXX,XX @@ static void qed_aio_complete_bh(void *opaque)
      qemu_aio_unref(acb);
      /* Invoke callback */
 +    qed_acquire(s);
      cb(user_opaque, ret);
 +    qed_release(s);
  }
  static void qed_aio_complete(QEDAIOCB *acb, int ret)
 diff --git a/block/rbd.c b/block/rbd.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/rbd.c
 +++ b/block/rbd.c
@@ -XXX,XX +XXX,XX @@ shutdown:
  static void qemu_rbd_complete_aio(RADOSCB *rcb)
  {
      RBDAIOCB *acb = rcb->acb;
 +    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
      int64_t r;
      r = rcb->ret;
@@ -XXX,XX +XXX,XX @@ static void qemu_rbd_complete_aio(RADOSCB *rcb)
          qemu_iovec_from_buf(acb->qiov, 0, acb->bounce, acb->qiov->size);
      }
      qemu_vfree(acb->bounce);
 +
 +    aio_context_acquire(ctx);
      acb->common.cb(acb->common.opaque, (acb->ret > 0 ? 0 : acb->ret));
 +    aio_context_release(ctx);
      qemu_aio_unref(acb);
  }
 diff --git a/dma-helpers.c b/dma-helpers.c
 index XXXXXXX..XXXXXXX 100644
 --- a/dma-helpers.c
 +++ b/dma-helpers.c
@@ -XXX,XX +XXX,XX @@ static void dma_blk_cb(void *opaque, int ret)
                                  QEMU_ALIGN_DOWN(dbs->iov.size, dbs->align));
      }
 +    aio_context_acquire(dbs->ctx);
      dbs->acb = dbs->io_func(dbs->offset, &dbs->iov,
                              dma_blk_cb, dbs, dbs->io_func_opaque);
 +    aio_context_release(dbs->ctx);
      assert(dbs->acb);
  }
 diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/block/virtio-blk.c
 +++ b/hw/block/virtio-blk.c
@@ -XXX,XX +XXX,XX @@ static void virtio_blk_dma_restart_bh(void *opaque)
      s->rq = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->conf.conf.blk));
      while (req) {
          VirtIOBlockReq *next = req->next;
          if (virtio_blk_handle_request(req, &mrb)) {
@@ -XXX,XX +XXX,XX @@ static void virtio_blk_dma_restart_bh(void *opaque)
      if (mrb.num_reqs) {
          virtio_blk_submit_multireq(s->blk, &mrb);
      }
 +    aio_context_release(blk_get_aio_context(s->conf.conf.blk));
  }
  static void virtio_blk_dma_restart_cb(void *opaque, int running,
 diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/scsi/scsi-bus.c
 +++ b/hw/scsi/scsi-bus.c
@@ -XXX,XX +XXX,XX @@ static void scsi_dma_restart_bh(void *opaque)
      qemu_bh_delete(s->bh);
      s->bh = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->conf.blk));
      QTAILQ_FOREACH_SAFE(req, &s->requests, next, next) {
          scsi_req_ref(req);
          if (req->retry) {
@@ -XXX,XX +XXX,XX @@ static void scsi_dma_restart_bh(void *opaque)
          }
          scsi_req_unref(req);
      }
 +    aio_context_release(blk_get_aio_context(s->conf.blk));
  }
  void scsi_req_retry(SCSIRequest *req)
 diff --git a/util/async.c b/util/async.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/async.c
 +++ b/util/async.c
@@ -XXX,XX +XXX,XX @@ int aio_bh_poll(AioContext *ctx)
                  ret = 1;
              }
              bh->idle = 0;
 -            aio_context_acquire(ctx);
              aio_bh_call(bh);
 -            aio_context_release(ctx);
          }
          if (bh->deleted) {
              deleted = true;
@@ -XXX,XX +XXX,XX @@ static void co_schedule_bh_cb(void *opaque)
          Coroutine *co = QSLIST_FIRST(&straight);
          QSLIST_REMOVE_HEAD(&straight, co_scheduled_next);
          trace_aio_co_schedule_bh_cb(ctx, co);
 +        aio_context_acquire(ctx);
          qemu_coroutine_enter(co);
 +        aio_context_release(ctx);
      }
  }
 diff --git a/util/thread-pool.c b/util/thread-pool.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/thread-pool.c
 +++ b/util/thread-pool.c
@@ -XXX,XX +XXX,XX @@ static void thread_pool_completion_bh(void *opaque)
      ThreadPool *pool = opaque;
      ThreadPoolElement *elem, *next;
 +    aio_context_acquire(pool->ctx);
  restart:
      QLIST_FOREACH_SAFE(elem, &pool->head, all, next) {
          if (elem->state != THREAD_DONE) {
@@ -XXX,XX +XXX,XX @@ restart:
              qemu_aio_unref(elem);
          }
      }
 +    aio_context_release(pool->ctx);
  }
  static void thread_pool_cancel(BlockAIOCB *acb)
 --
-.24.1
+.9.3

-[PULL 01/31] virtio: increase virtqueue size for virtio-scsi and virtio-blk
+[Qemu-devel] [PULL v2 15/24] block: explicitly acquire aiocontext in aio callbacks that need it
-From: Denis Plotnikov <dplotnikov@virtuozzo.com>
+From: Paolo Bonzini <pbonzini@redhat.com>
-The goal is to reduce the amount of requests issued by a guest on
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-M reads/writes. This rises the performance up to 4% on that kind of
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-disk access pattern.
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
-The maximum chunk size to be used for the guest disk accessing is
+Message-id: 20170213135235.12274-16-pbonzini@redhat.com
 limited with seg_max parameter, which represents the max amount of
 pices in the scatter-geather list in one guest disk request.
 Since seg_max is virqueue_size dependent, increasing the virtqueue
 size increases seg_max, which, in turn, increases the maximum size
 of data to be read/write from a guest disk.
 More details in the original problem statment:
 https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg03721.html
 Suggested-by: Denis V. Lunev <den@openvz.org>
 Signed-off-by: Denis Plotnikov <dplotnikov@virtuozzo.com>
 Message-id: 20200214074648.958-1-dplotnikov@virtuozzo.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- hw/block/virtio-blk.c | 2 +-
+ block/archipelago.c    |  3 ---
- hw/core/machine.c     | 2 ++
+ block/block-backend.c  |  7 -------
- hw/scsi/virtio-scsi.c | 2 +-
+ block/curl.c           |  2 +-
-files changed, 4 insertions(+), 2 deletions(-)
+ block/io.c             |  6 +-----
  block/iscsi.c          |  3 ---
  block/linux-aio.c      |  5 +----
  block/mirror.c         | 12 +++++++++---
  block/null.c           |  8 --------
  block/qed-cluster.c    |  2 ++
  block/qed-table.c      | 12 ++++++++++--
  block/qed.c            |  4 ++--
  block/rbd.c            |  4 ----
  block/win32-aio.c      |  3 ---
  hw/block/virtio-blk.c  | 12 +++++++++++-
  hw/scsi/scsi-disk.c    | 15 +++++++++++++++
  hw/scsi/scsi-generic.c | 20 +++++++++++++++++---
  util/thread-pool.c     |  4 +++-
 files changed, 72 insertions(+), 50 deletions(-)
+diff --git a/block/archipelago.c b/block/archipelago.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/archipelago.c
++++ b/block/archipelago.c
+@@ -XXX,XX +XXX,XX @@ static void qemu_archipelago_complete_aio(void *opaque)
+ {
+     AIORequestData *reqdata = (AIORequestData *) opaque;
+     ArchipelagoAIOCB *aio_cb = (ArchipelagoAIOCB *) reqdata->aio_cb;
+-    AioContext *ctx = bdrv_get_aio_context(aio_cb->common.bs);
+-    aio_context_acquire(ctx);
+     aio_cb->common.cb(aio_cb->common.opaque, aio_cb->ret);
+-    aio_context_release(ctx);
+     aio_cb->status = 0;
+     qemu_aio_unref(aio_cb);
+diff --git a/block/block-backend.c b/block/block-backend.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/block-backend.c
++++ b/block/block-backend.c
+@@ -XXX,XX +XXX,XX @@ int blk_make_zero(BlockBackend *blk, BdrvRequestFlags flags)
+ static void error_callback_bh(void *opaque)
+ {
+     struct BlockBackendAIOCB *acb = opaque;
+-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
+     bdrv_dec_in_flight(acb->common.bs);
+-    aio_context_acquire(ctx);
+     acb->common.cb(acb->common.opaque, acb->ret);
+-    aio_context_release(ctx);
+     qemu_aio_unref(acb);
+ }
+@@ -XXX,XX +XXX,XX @@ static void blk_aio_complete(BlkAioEmAIOCB *acb)
+ static void blk_aio_complete_bh(void *opaque)
+ {
+     BlkAioEmAIOCB *acb = opaque;
+-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
+-
+     assert(acb->has_returned);
+-    aio_context_acquire(ctx);
+     blk_aio_complete(acb);
+-    aio_context_release(ctx);
+ }
+ static BlockAIOCB *blk_aio_prwv(BlockBackend *blk, int64_t offset, int bytes,
+diff --git a/block/curl.c b/block/curl.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/curl.c
++++ b/block/curl.c
+@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
+     curl_multi_socket_action(s->multi, CURL_SOCKET_TIMEOUT, 0, &running);
+ out:
++    aio_context_release(ctx);
+     if (ret != -EINPROGRESS) {
+         acb->common.cb(acb->common.opaque, ret);
+         qemu_aio_unref(acb);
+     }
+-    aio_context_release(ctx);
+ }
+ static BlockAIOCB *curl_aio_readv(BlockDriverState *bs,
+diff --git a/block/io.c b/block/io.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/io.c
++++ b/block/io.c
+@@ -XXX,XX +XXX,XX @@ static void bdrv_co_io_em_complete(void *opaque, int ret)
+     CoroutineIOCompletion *co = opaque;
+     co->ret = ret;
+-    qemu_coroutine_enter(co->coroutine);
++    aio_co_wake(co->coroutine);
+ }
+ static int coroutine_fn bdrv_driver_preadv(BlockDriverState *bs,
+@@ -XXX,XX +XXX,XX @@ static void bdrv_co_complete(BlockAIOCBCoroutine *acb)
+ static void bdrv_co_em_bh(void *opaque)
+ {
+     BlockAIOCBCoroutine *acb = opaque;
+-    BlockDriverState *bs = acb->common.bs;
+-    AioContext *ctx = bdrv_get_aio_context(bs);
+     assert(!acb->need_bh);
+-    aio_context_acquire(ctx);
+     bdrv_co_complete(acb);
+-    aio_context_release(ctx);
+ }
+ static void bdrv_co_maybe_schedule_bh(BlockAIOCBCoroutine *acb)
+diff --git a/block/iscsi.c b/block/iscsi.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -XXX,XX +XXX,XX @@ static void
+ iscsi_bh_cb(void *p)
+ {
+     IscsiAIOCB *acb = p;
+-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
+     qemu_bh_delete(acb->bh);
+     g_free(acb->buf);
+     acb->buf = NULL;
+-    aio_context_acquire(ctx);
+     acb->common.cb(acb->common.opaque, acb->status);
+-    aio_context_release(ctx);
+     if (acb->task != NULL) {
+         scsi_free_scsi_task(acb->task);
+diff --git a/block/linux-aio.c b/block/linux-aio.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/linux-aio.c
++++ b/block/linux-aio.c
+@@ -XXX,XX +XXX,XX @@ static inline ssize_t io_event_ret(struct io_event *ev)
+  */
+ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
+ {
+-    LinuxAioState *s = laiocb->ctx;
+     int ret;
+     ret = laiocb->ret;
+@@ -XXX,XX +XXX,XX @@ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
+     }
+     laiocb->ret = ret;
+-    aio_context_acquire(s->aio_context);
+     if (laiocb->co) {
+         /* If the coroutine is already entered it must be in ioq_submit() and
+          * will notice laio->ret has been filled in when it eventually runs
+@@ -XXX,XX +XXX,XX @@ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
+          * that!
+          */
+         if (!qemu_coroutine_entered(laiocb->co)) {
+-            qemu_coroutine_enter(laiocb->co);
++            aio_co_wake(laiocb->co);
+         }
+     } else {
+         laiocb->common.cb(laiocb->common.opaque, ret);
+         qemu_aio_unref(laiocb);
+     }
+-    aio_context_release(s->aio_context);
+ }
+ /**
+diff --git a/block/mirror.c b/block/mirror.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -XXX,XX +XXX,XX @@ static void mirror_write_complete(void *opaque, int ret)
+ {
+     MirrorOp *op = opaque;
+     MirrorBlockJob *s = op->s;
++
++    aio_context_acquire(blk_get_aio_context(s->common.blk));
+     if (ret < 0) {
+         BlockErrorAction action;
+@@ -XXX,XX +XXX,XX @@ static void mirror_write_complete(void *opaque, int ret)
+         }
+     }
+     mirror_iteration_done(op, ret);
++    aio_context_release(blk_get_aio_context(s->common.blk));
+ }
+ static void mirror_read_complete(void *opaque, int ret)
+ {
+     MirrorOp *op = opaque;
+     MirrorBlockJob *s = op->s;
++
++    aio_context_acquire(blk_get_aio_context(s->common.blk));
+     if (ret < 0) {
+         BlockErrorAction action;
+@@ -XXX,XX +XXX,XX @@ static void mirror_read_complete(void *opaque, int ret)
+         }
+         mirror_iteration_done(op, ret);
+-        return;
++    } else {
++        blk_aio_pwritev(s->target, op->sector_num * BDRV_SECTOR_SIZE, &op->qiov,
++                        0, mirror_write_complete, op);
+     }
+-    blk_aio_pwritev(s->target, op->sector_num * BDRV_SECTOR_SIZE, &op->qiov,
+-                    0, mirror_write_complete, op);
++    aio_context_release(blk_get_aio_context(s->common.blk));
+ }
+ static inline void mirror_clip_sectors(MirrorBlockJob *s,
+diff --git a/block/null.c b/block/null.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/null.c
++++ b/block/null.c
+@@ -XXX,XX +XXX,XX @@ static const AIOCBInfo null_aiocb_info = {
+ static void null_bh_cb(void *opaque)
+ {
+     NullAIOCB *acb = opaque;
+-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
+-
+-    aio_context_acquire(ctx);
+     acb->common.cb(acb->common.opaque, 0);
+-    aio_context_release(ctx);
+     qemu_aio_unref(acb);
+ }
+ static void null_timer_cb(void *opaque)
+ {
+     NullAIOCB *acb = opaque;
+-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
+-
+-    aio_context_acquire(ctx);
+     acb->common.cb(acb->common.opaque, 0);
+-    aio_context_release(ctx);
+     timer_deinit(&acb->timer);
+     qemu_aio_unref(acb);
+ }
+diff --git a/block/qed-cluster.c b/block/qed-cluster.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/qed-cluster.c
++++ b/block/qed-cluster.c
+@@ -XXX,XX +XXX,XX @@ static void qed_find_cluster_cb(void *opaque, int ret)
+     unsigned int index;
+     unsigned int n;
++    qed_acquire(s);
+     if (ret) {
+         goto out;
+     }
+@@ -XXX,XX +XXX,XX @@ static void qed_find_cluster_cb(void *opaque, int ret)
+ out:
+     find_cluster_cb->cb(find_cluster_cb->opaque, ret, offset, len);
++    qed_release(s);
+     g_free(find_cluster_cb);
+ }
+diff --git a/block/qed-table.c b/block/qed-table.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/qed-table.c
++++ b/block/qed-table.c
+@@ -XXX,XX +XXX,XX @@ static void qed_read_table_cb(void *opaque, int ret)
+ {
+     QEDReadTableCB *read_table_cb = opaque;
+     QEDTable *table = read_table_cb->table;
++    BDRVQEDState *s = read_table_cb->s;
+     int noffsets = read_table_cb->qiov.size / sizeof(uint64_t);
+     int i;
+@@ -XXX,XX +XXX,XX @@ static void qed_read_table_cb(void *opaque, int ret)
+     }
+     /* Byteswap offsets */
++    qed_acquire(s);
+     for (i = 0; i < noffsets; i++) {
+         table->offsets[i] = le64_to_cpu(table->offsets[i]);
+     }
++    qed_release(s);
+ out:
+     /* Completion */
+-    trace_qed_read_table_cb(read_table_cb->s, read_table_cb->table, ret);
++    trace_qed_read_table_cb(s, read_table_cb->table, ret);
+     gencb_complete(&read_table_cb->gencb, ret);
+ }
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+ static void qed_write_table_cb(void *opaque, int ret)
+ {
+     QEDWriteTableCB *write_table_cb = opaque;
++    BDRVQEDState *s = write_table_cb->s;
+-    trace_qed_write_table_cb(write_table_cb->s,
++    trace_qed_write_table_cb(s,
+                              write_table_cb->orig_table,
+                              write_table_cb->flush,
+                              ret);
+@@ -XXX,XX +XXX,XX @@ static void qed_write_table_cb(void *opaque, int ret)
+     if (write_table_cb->flush) {
+         /* We still need to flush first */
+         write_table_cb->flush = false;
++        qed_acquire(s);
+         bdrv_aio_flush(write_table_cb->s->bs, qed_write_table_cb,
+                        write_table_cb);
++        qed_release(s);
+         return;
+     }
+@@ -XXX,XX +XXX,XX @@ static void qed_read_l2_table_cb(void *opaque, int ret)
+     CachedL2Table *l2_table = request->l2_table;
+     uint64_t l2_offset = read_l2_table_cb->l2_offset;
++    qed_acquire(s);
+     if (ret) {
+         /* can't trust loaded L2 table anymore */
+         qed_unref_l2_cache_entry(l2_table);
+@@ -XXX,XX +XXX,XX @@ static void qed_read_l2_table_cb(void *opaque, int ret)
+         request->l2_table = qed_find_l2_cache_entry(&s->l2_cache, l2_offset);
+         assert(request->l2_table != NULL);
+     }
++    qed_release(s);
+     gencb_complete(&read_l2_table_cb->gencb, ret);
+ }
+diff --git a/block/qed.c b/block/qed.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/qed.c
++++ b/block/qed.c
+@@ -XXX,XX +XXX,XX @@ static void qed_is_allocated_cb(void *opaque, int ret, uint64_t offset, size_t l
+     }
+     if (cb->co) {
+-        qemu_coroutine_enter(cb->co);
++        aio_co_wake(cb->co);
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static void coroutine_fn qed_co_pwrite_zeroes_cb(void *opaque, int ret)
+     cb->done = true;
+     cb->ret = ret;
+     if (cb->co) {
+-        qemu_coroutine_enter(cb->co);
++        aio_co_wake(cb->co);
+     }
+ }
+diff --git a/block/rbd.c b/block/rbd.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/rbd.c
++++ b/block/rbd.c
+@@ -XXX,XX +XXX,XX @@ shutdown:
+ static void qemu_rbd_complete_aio(RADOSCB *rcb)
+ {
+     RBDAIOCB *acb = rcb->acb;
+-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
+     int64_t r;
+     r = rcb->ret;
+@@ -XXX,XX +XXX,XX @@ static void qemu_rbd_complete_aio(RADOSCB *rcb)
+         qemu_iovec_from_buf(acb->qiov, 0, acb->bounce, acb->qiov->size);
+     }
+     qemu_vfree(acb->bounce);
+-
+-    aio_context_acquire(ctx);
+     acb->common.cb(acb->common.opaque, (acb->ret > 0 ? 0 : acb->ret));
+-    aio_context_release(ctx);
+     qemu_aio_unref(acb);
+ }
+diff --git a/block/win32-aio.c b/block/win32-aio.c
+index XXXXXXX..XXXXXXX 100644
+--- a/block/win32-aio.c
++++ b/block/win32-aio.c
+@@ -XXX,XX +XXX,XX @@ static void win32_aio_process_completion(QEMUWin32AIOState *s,
+         qemu_vfree(waiocb->buf);
+     }
+-
+-    aio_context_acquire(s->aio_ctx);
+     waiocb->common.cb(waiocb->common.opaque, ret);
+-    aio_context_release(s->aio_ctx);
+     qemu_aio_unref(waiocb);
+ }
 diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/block/virtio-blk.c
 +++ b/hw/block/virtio-blk.c
-@@ -XXX,XX +XXX,XX @@ static Property virtio_blk_properties[] = {
+@@ -XXX,XX +XXX,XX @@ static int virtio_blk_handle_rw_error(VirtIOBlockReq *req, int error,
-     DEFINE_PROP_BIT("request-merging", VirtIOBlock, conf.request_merging, 0,
+ static void virtio_blk_rw_complete(void *opaque, int ret)
-                     true),
+ {
-     DEFINE_PROP_UINT16("num-queues", VirtIOBlock, conf.num_queues, 1),
+     VirtIOBlockReq *next = opaque;
--    DEFINE_PROP_UINT16("queue-size", VirtIOBlock, conf.queue_size, 128),
++    VirtIOBlock *s = next->dev;
-+    DEFINE_PROP_UINT16("queue-size", VirtIOBlock, conf.queue_size, 256),
-     DEFINE_PROP_BOOL("seg-max-adjust", VirtIOBlock, conf.seg_max_adjust, true),
++    aio_context_acquire(blk_get_aio_context(s->conf.conf.blk));
-     DEFINE_PROP_LINK("iothread", VirtIOBlock, conf.iothread, TYPE_IOTHREAD,
+     while (next) {
-                      IOThread *),
+         VirtIOBlockReq *req = next;
-diff --git a/hw/core/machine.c b/hw/core/machine.c
+         next = req->mr_next;
-index XXXXXXX..XXXXXXX 100644
+@@ -XXX,XX +XXX,XX @@ static void virtio_blk_rw_complete(void *opaque, int ret)
---- a/hw/core/machine.c
+         block_acct_done(blk_get_stats(req->dev->blk), &req->acct);
-+++ b/hw/core/machine.c
+         virtio_blk_free_request(req);
-@@ -XXX,XX +XXX,XX @@
+     }
- #include "hw/mem/nvdimm.h"
++    aio_context_release(blk_get_aio_context(s->conf.conf.blk));
+ }
- GlobalProperty hw_compat_4_2[] = {
-+    { "virtio-blk-device", "queue-size", "128"},
+ static void virtio_blk_flush_complete(void *opaque, int ret)
-+    { "virtio-scsi-device", "virtqueue_size", "128"},
+ {
-     { "virtio-blk-device", "x-enable-wce-if-config-wce", "off" },
+     VirtIOBlockReq *req = opaque;
-     { "virtio-blk-device", "seg-max-adjust", "off"},
++    VirtIOBlock *s = req->dev;
-     { "virtio-scsi-device", "seg_max_adjust", "off"},
-diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
++    aio_context_acquire(blk_get_aio_context(s->conf.conf.blk));
-index XXXXXXX..XXXXXXX 100644
+     if (ret) {
---- a/hw/scsi/virtio-scsi.c
+         if (virtio_blk_handle_rw_error(req, -ret, 0)) {
-+++ b/hw/scsi/virtio-scsi.c
+-            return;
-@@ -XXX,XX +XXX,XX @@ static void virtio_scsi_device_unrealize(DeviceState *dev, Error **errp)
++            goto out;
- static Property virtio_scsi_properties[] = {
+         }
-     DEFINE_PROP_UINT32("num_queues", VirtIOSCSI, parent_obj.conf.num_queues, 1),
+     }
-     DEFINE_PROP_UINT32("virtqueue_size", VirtIOSCSI,
--                                         parent_obj.conf.virtqueue_size, 128),
+     virtio_blk_req_complete(req, VIRTIO_BLK_S_OK);
-+                                         parent_obj.conf.virtqueue_size, 256),
+     block_acct_done(blk_get_stats(req->dev->blk), &req->acct);
-     DEFINE_PROP_BOOL("seg_max_adjust", VirtIOSCSI,
+     virtio_blk_free_request(req);
-                       parent_obj.conf.seg_max_adjust, true),
++
-     DEFINE_PROP_UINT32("max_sectors", VirtIOSCSI, parent_obj.conf.max_sectors,
++out:
 +    aio_context_release(blk_get_aio_context(s->conf.conf.blk));
  }
  #ifdef __linux__
@@ -XXX,XX +XXX,XX @@ static void virtio_blk_ioctl_complete(void *opaque, int status)
      virtio_stl_p(vdev, &scsi->data_len, hdr->dxfer_len);
  out:
 +    aio_context_acquire(blk_get_aio_context(s->conf.conf.blk));
      virtio_blk_req_complete(req, status);
      virtio_blk_free_request(req);
 +    aio_context_release(blk_get_aio_context(s->conf.conf.blk));
      g_free(ioctl_req);
  }
 diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/scsi/scsi-disk.c
 +++ b/hw/scsi/scsi-disk.c
@@ -XXX,XX +XXX,XX @@ static void scsi_aio_complete(void *opaque, int ret)
      assert(r->req.aiocb != NULL);
      r->req.aiocb = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
      if (scsi_disk_req_check_error(r, ret, true)) {
          goto done;
      }
@@ -XXX,XX +XXX,XX @@ static void scsi_aio_complete(void *opaque, int ret)
      scsi_req_complete(&r->req, GOOD);
  done:
 +    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
      scsi_req_unref(&r->req);
  }
@@ -XXX,XX +XXX,XX @@ static void scsi_dma_complete(void *opaque, int ret)
      assert(r->req.aiocb != NULL);
      r->req.aiocb = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
      if (ret < 0) {
          block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
      } else {
          block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
      }
      scsi_dma_complete_noio(r, ret);
 +    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
  }
  static void scsi_read_complete(void * opaque, int ret)
@@ -XXX,XX +XXX,XX @@ static void scsi_read_complete(void * opaque, int ret)
      assert(r->req.aiocb != NULL);
      r->req.aiocb = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
      if (scsi_disk_req_check_error(r, ret, true)) {
          goto done;
      }
@@ -XXX,XX +XXX,XX @@ static void scsi_read_complete(void * opaque, int ret)
  done:
      scsi_req_unref(&r->req);
 +    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
  }
  /* Actually issue a read to the block device.  */
@@ -XXX,XX +XXX,XX @@ static void scsi_do_read_cb(void *opaque, int ret)
      assert (r->req.aiocb != NULL);
      r->req.aiocb = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
      if (ret < 0) {
          block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
      } else {
          block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
      }
      scsi_do_read(opaque, ret);
 +    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
  }
  /* Read more data from scsi device into buffer.  */
@@ -XXX,XX +XXX,XX @@ static void scsi_write_complete(void * opaque, int ret)
      assert (r->req.aiocb != NULL);
      r->req.aiocb = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
      if (ret < 0) {
          block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
      } else {
          block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
      }
      scsi_write_complete_noio(r, ret);
 +    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
  }
  static void scsi_write_data(SCSIRequest *req)
@@ -XXX,XX +XXX,XX @@ static void scsi_unmap_complete(void *opaque, int ret)
  {
      UnmapCBData *data = opaque;
      SCSIDiskReq *r = data->r;
 +    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
      assert(r->req.aiocb != NULL);
      r->req.aiocb = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
      scsi_unmap_complete_noio(data, ret);
 +    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
  }
  static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
@@ -XXX,XX +XXX,XX @@ static void scsi_write_same_complete(void *opaque, int ret)
      assert(r->req.aiocb != NULL);
      r->req.aiocb = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
      if (scsi_disk_req_check_error(r, ret, true)) {
          goto done;
      }
@@ -XXX,XX +XXX,XX @@ done:
      scsi_req_unref(&r->req);
      qemu_vfree(data->iov.iov_base);
      g_free(data);
 +    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
  }
  static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
 diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/scsi/scsi-generic.c
 +++ b/hw/scsi/scsi-generic.c
@@ -XXX,XX +XXX,XX @@ done:
  static void scsi_command_complete(void *opaque, int ret)
  {
      SCSIGenericReq *r = (SCSIGenericReq *)opaque;
 +    SCSIDevice *s = r->req.dev;
      assert(r->req.aiocb != NULL);
      r->req.aiocb = NULL;
 +
 +    aio_context_acquire(blk_get_aio_context(s->conf.blk));
      scsi_command_complete_noio(r, ret);
 +    aio_context_release(blk_get_aio_context(s->conf.blk));
  }
  static int execute_command(BlockBackend *blk,
@@ -XXX,XX +XXX,XX @@ static void scsi_read_complete(void * opaque, int ret)
      assert(r->req.aiocb != NULL);
      r->req.aiocb = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->conf.blk));
 +
      if (ret || r->req.io_canceled) {
          scsi_command_complete_noio(r, ret);
 -        return;
 +        goto done;
      }
      len = r->io_header.dxfer_len - r->io_header.resid;
@@ -XXX,XX +XXX,XX @@ static void scsi_read_complete(void * opaque, int ret)
      r->len = -1;
      if (len == 0) {
          scsi_command_complete_noio(r, 0);
 -        return;
 +        goto done;
      }
      /* Snoop READ CAPACITY output to set the blocksize.  */
@@ -XXX,XX +XXX,XX @@ static void scsi_read_complete(void * opaque, int ret)
      }
      scsi_req_data(&r->req, len);
      scsi_req_unref(&r->req);
 +
 +done:
 +    aio_context_release(blk_get_aio_context(s->conf.blk));
  }
  /* Read more data from scsi device into buffer.  */
@@ -XXX,XX +XXX,XX @@ static void scsi_write_complete(void * opaque, int ret)
      assert(r->req.aiocb != NULL);
      r->req.aiocb = NULL;
 +    aio_context_acquire(blk_get_aio_context(s->conf.blk));
 +
      if (ret || r->req.io_canceled) {
          scsi_command_complete_noio(r, ret);
 -        return;
 +        goto done;
      }
      if (r->req.cmd.buf[0] == MODE_SELECT && r->req.cmd.buf[4] == 12 &&
@@ -XXX,XX +XXX,XX @@ static void scsi_write_complete(void * opaque, int ret)
      }
      scsi_command_complete_noio(r, ret);
 +
 +done:
 +    aio_context_release(blk_get_aio_context(s->conf.blk));
  }
  /* Write data to a scsi device.  Returns nonzero on failure.
 diff --git a/util/thread-pool.c b/util/thread-pool.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/thread-pool.c
 +++ b/util/thread-pool.c
@@ -XXX,XX +XXX,XX @@ restart:
               */
              qemu_bh_schedule(pool->completion_bh);
 +            aio_context_release(pool->ctx);
              elem->common.cb(elem->common.opaque, elem->ret);
 +            aio_context_acquire(pool->ctx);
              qemu_aio_unref(elem);
              goto restart;
          } else {
@@ -XXX,XX +XXX,XX @@ static void thread_pool_co_cb(void *opaque, int ret)
      ThreadPoolCo *co = opaque;
      co->ret = ret;
 -    qemu_coroutine_enter(co->co);
 +    aio_co_wake(co->co);
  }
  int coroutine_fn thread_pool_submit_co(ThreadPool *pool, ThreadPoolFunc *func,
 --
-.24.1
+.9.3

-[PULL 04/31] util/async: make bh_aio_poll() O(1)
+[Qemu-devel] [PULL v2 16/24] aio-posix: partially inline aio_dispatch into aio_poll
-The ctx->first_bh list contains all created BHs, including those that
+From: Paolo Bonzini <pbonzini@redhat.com>
 are not scheduled.  The list is iterated by the event loop and therefore
 has O(n) time complexity with respected to the number of created BHs.
-Rewrite BHs so that only scheduled or deleted BHs are enqueued.
+This patch prepares for the removal of unnecessary lockcnt inc/dec pairs.
-Only BHs that actually require action will be iterated.
+Extract the dispatching loop for file descriptor handlers into a new
 function aio_dispatch_handlers, and then inline aio_dispatch into
 aio_poll.
-One semantic change is required: qemu_bh_delete() enqueues the BH and
+aio_dispatch can now become void.
 therefore invokes aio_notify().  The
 tests/test-aio.c:test_source_bh_delete_from_cb() test case assumed that
 g_main_context_iteration(NULL, false) returns false after
 qemu_bh_delete() but it now returns true for one iteration.  Fix up the
 test case.
-This patch makes aio_compute_timeout() and aio_bh_poll() drop from a CPU
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-profile reported by perf-top(1).  Previously they combined to 9% CPU
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-utilization when AioContext polling is commented out and the guest has 2
+Reviewed-by: Fam Zheng <famz@redhat.com>
-virtio-blk,num-queues=1 and 99 virtio-blk,num-queues=32 devices.
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
+Message-id: 20170213135235.12274-17-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
 Message-id: 20200221093951.1414693-1-stefanha@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- include/block/aio.h |  20 +++-
+ include/block/aio.h |  6 +-----
- tests/test-aio.c    |   3 +-
+ util/aio-posix.c    | 44 ++++++++++++++------------------------------
- util/async.c        | 237 ++++++++++++++++++++++++++------------------
+ util/aio-win32.c    | 13 ++++---------
-files changed, 158 insertions(+), 102 deletions(-)
+ util/async.c        |  2 +-
 files changed, 20 insertions(+), 45 deletions(-)
 diff --git a/include/block/aio.h b/include/block/aio.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/block/aio.h
 +++ b/include/block/aio.h
-@@ -XXX,XX +XXX,XX @@ struct ThreadPool;
+@@ -XXX,XX +XXX,XX @@ bool aio_pending(AioContext *ctx);
- struct LinuxAioState;
+ /* Dispatch any pending callbacks from the GSource attached to the AioContext.
- struct LuringState;
+  *
+  * This is used internally in the implementation of the GSource.
-+/*
+- *
-+ * Each aio_bh_poll() call carves off a slice of the BH list, so that newly
+- * @dispatch_fds: true to process fds, false to skip them
-+ * scheduled BHs are not processed until the next aio_bh_poll() call.  All
+- *                (can be used as an optimization by callers that know there
-+ * active aio_bh_poll() calls chain their slices together in a list, so that
+- *                are no fds ready)
-+ * nested aio_bh_poll() calls process all scheduled bottom halves.
+  */
-+ */
+-bool aio_dispatch(AioContext *ctx, bool dispatch_fds);
-+typedef QSLIST_HEAD(, QEMUBH) BHList;
++void aio_dispatch(AioContext *ctx);
-+typedef struct BHListSlice BHListSlice;
-+struct BHListSlice {
+ /* Progress in completing AIO work to occur.  This can issue new pending
-+    BHList bh_list;
+  * aio as a result of executing I/O completion or bh callbacks.
-+    QSIMPLEQ_ENTRY(BHListSlice) next;
+diff --git a/util/aio-posix.c b/util/aio-posix.c
-+};
+index XXXXXXX..XXXXXXX 100644
 --- a/util/aio-posix.c
 +++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
      AioHandler *node, *tmp;
      bool progress = false;
 -    /*
 -     * We have to walk very carefully in case aio_set_fd_handler is
 -     * called while we're walking.
 -     */
 -    qemu_lockcnt_inc(&ctx->list_lock);
 -
      QLIST_FOREACH_SAFE_RCU(node, &ctx->aio_handlers, node, tmp) {
          int revents;
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
          }
      }
 -    qemu_lockcnt_dec(&ctx->list_lock);
      return progress;
  }
 -/*
 - * Note that dispatch_fds == false has the side-effect of post-poning the
 - * freeing of deleted handlers.
 - */
 -bool aio_dispatch(AioContext *ctx, bool dispatch_fds)
 +void aio_dispatch(AioContext *ctx)
  {
 -    bool progress;
 +    aio_bh_poll(ctx);
 -    /*
 -     * If there are callbacks left that have been queued, we need to call them.
 -     * Do not call select in this case, because it is possible that the caller
 -     * does not need a complete flush (as is the case for aio_poll loops).
 -     */
 -    progress = aio_bh_poll(ctx);
 +    qemu_lockcnt_inc(&ctx->list_lock);
 +    aio_dispatch_handlers(ctx);
 +    qemu_lockcnt_dec(&ctx->list_lock);
 -    if (dispatch_fds) {
 -        progress |= aio_dispatch_handlers(ctx);
 -    }
 -
 -    /* Run our timers */
 -    progress |= timerlistgroup_run_timers(&ctx->tlg);
 -
 -    return progress;
 +    timerlistgroup_run_timers(&ctx->tlg);
  }
  /* These thread-local variables are used only in a small part of aio_poll
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
      npfd = 0;
      qemu_lockcnt_dec(&ctx->list_lock);
 -    /* Run dispatch even if there were no readable fds to run timers */
 -    if (aio_dispatch(ctx, ret > 0)) {
 -        progress = true;
 +    progress |= aio_bh_poll(ctx);
 +
- struct AioContext {
++    if (ret > 0) {
-     GSource source;
++        qemu_lockcnt_inc(&ctx->list_lock);
++        progress |= aio_dispatch_handlers(ctx);
-@@ -XXX,XX +XXX,XX @@ struct AioContext {
++        qemu_lockcnt_dec(&ctx->list_lock);
-      */
+     }
-     QemuLockCnt list_lock;
++    progress |= timerlistgroup_run_timers(&ctx->tlg);
 -    /* Anchor of the list of Bottom Halves belonging to the context */
 -    struct QEMUBH *first_bh;
 +    /* Bottom Halves pending aio_bh_poll() processing */
 +    BHList bh_list;
 +
-+    /* Chained BH list slices for each nested aio_bh_poll() call */
+     return progress;
-+    QSIMPLEQ_HEAD(, BHListSlice) bh_slice_list;
+ }
-     /* Used by aio_notify.
+diff --git a/util/aio-win32.c b/util/aio-win32.c
       *
 diff --git a/tests/test-aio.c b/tests/test-aio.c
 index XXXXXXX..XXXXXXX 100644
---- a/tests/test-aio.c
+--- a/util/aio-win32.c
-+++ b/tests/test-aio.c
++++ b/util/aio-win32.c
-@@ -XXX,XX +XXX,XX @@ static void test_source_bh_delete_from_cb(void)
+@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
-     g_assert_cmpint(data1.n, ==, data1.max);
+     return progress;
      g_assert(data1.bh == NULL);
 -    g_assert(!g_main_context_iteration(NULL, false));
 +    assert(g_main_context_iteration(NULL, false));
 +    assert(!g_main_context_iteration(NULL, false));
  }
- static void test_source_bh_delete_from_cb_many(void)
+-bool aio_dispatch(AioContext *ctx, bool dispatch_fds)
 +void aio_dispatch(AioContext *ctx)
  {
 -    bool progress;
 -
 -    progress = aio_bh_poll(ctx);
 -    if (dispatch_fds) {
 -        progress |= aio_dispatch_handlers(ctx, INVALID_HANDLE_VALUE);
 -    }
 -    progress |= timerlistgroup_run_timers(&ctx->tlg);
 -    return progress;
 +    aio_bh_poll(ctx);
 +    aio_dispatch_handlers(ctx, INVALID_HANDLE_VALUE);
 +    timerlistgroup_run_timers(&ctx->tlg);
  }
  bool aio_poll(AioContext *ctx, bool blocking)
 diff --git a/util/async.c b/util/async.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/async.c
 +++ b/util/async.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ aio_ctx_dispatch(GSource     *source,
- #include "block/thread-pool.h"
+     AioContext *ctx = (AioContext *) source;
- #include "qemu/main-loop.h"
- #include "qemu/atomic.h"
+     assert(callback == NULL);
-+#include "qemu/rcu_queue.h"
+-    aio_dispatch(ctx, true);
- #include "block/raw-aio.h"
++    aio_dispatch(ctx);
- #include "qemu/coroutine_int.h"
+     return true;
  #include "trace.h"
@@ -XXX,XX +XXX,XX @@
  /***********************************************************/
  /* bottom halves (can be seen as timers which expire ASAP) */
 +/* QEMUBH::flags values */
 +enum {
 +    /* Already enqueued and waiting for aio_bh_poll() */
 +    BH_PENDING   = (1 << 0),
 +
 +    /* Invoke the callback */
 +    BH_SCHEDULED = (1 << 1),
 +
 +    /* Delete without invoking callback */
 +    BH_DELETED   = (1 << 2),
 +
 +    /* Delete after invoking callback */
 +    BH_ONESHOT   = (1 << 3),
 +
 +    /* Schedule periodically when the event loop is idle */
 +    BH_IDLE      = (1 << 4),
 +};
 +
  struct QEMUBH {
      AioContext *ctx;
      QEMUBHFunc *cb;
      void *opaque;
 -    QEMUBH *next;
 -    bool scheduled;
 -    bool idle;
 -    bool deleted;
 +    QSLIST_ENTRY(QEMUBH) next;
 +    unsigned flags;
  };
 +/* Called concurrently from any thread */
 +static void aio_bh_enqueue(QEMUBH *bh, unsigned new_flags)
 +{
 +    AioContext *ctx = bh->ctx;
 +    unsigned old_flags;
 +
 +    /*
 +     * The memory barrier implicit in atomic_fetch_or makes sure that:
 +     * 1. idle & any writes needed by the callback are done before the
 +     *    locations are read in the aio_bh_poll.
 +     * 2. ctx is loaded before the callback has a chance to execute and bh
 +     *    could be freed.
 +     */
 +    old_flags = atomic_fetch_or(&bh->flags, BH_PENDING | new_flags);
 +    if (!(old_flags & BH_PENDING)) {
 +        QSLIST_INSERT_HEAD_ATOMIC(&ctx->bh_list, bh, next);
 +    }
 +
 +    aio_notify(ctx);
 +}
 +
 +/* Only called from aio_bh_poll() and aio_ctx_finalize() */
 +static QEMUBH *aio_bh_dequeue(BHList *head, unsigned *flags)
 +{
 +    QEMUBH *bh = QSLIST_FIRST_RCU(head);
 +
 +    if (!bh) {
 +        return NULL;
 +    }
 +
 +    QSLIST_REMOVE_HEAD(head, next);
 +
 +    /*
 +     * The atomic_and is paired with aio_bh_enqueue().  The implicit memory
 +     * barrier ensures that the callback sees all writes done by the scheduling
 +     * thread.  It also ensures that the scheduling thread sees the cleared
 +     * flag before bh->cb has run, and thus will call aio_notify again if
 +     * necessary.
 +     */
 +    *flags = atomic_fetch_and(&bh->flags,
 +                              ~(BH_PENDING | BH_SCHEDULED | BH_IDLE));
 +    return bh;
 +}
 +
  void aio_bh_schedule_oneshot(AioContext *ctx, QEMUBHFunc *cb, void *opaque)
  {
      QEMUBH *bh;
@@ -XXX,XX +XXX,XX @@ void aio_bh_schedule_oneshot(AioContext *ctx, QEMUBHFunc *cb, void *opaque)
          .cb = cb,
          .opaque = opaque,
      };
 -    qemu_lockcnt_lock(&ctx->list_lock);
 -    bh->next = ctx->first_bh;
 -    bh->scheduled = 1;
 -    bh->deleted = 1;
 -    /* Make sure that the members are ready before putting bh into list */
 -    smp_wmb();
 -    ctx->first_bh = bh;
 -    qemu_lockcnt_unlock(&ctx->list_lock);
 -    aio_notify(ctx);
 +    aio_bh_enqueue(bh, BH_SCHEDULED | BH_ONESHOT);
  }
- QEMUBH *aio_bh_new(AioContext *ctx, QEMUBHFunc *cb, void *opaque)
-@@ -XXX,XX +XXX,XX @@ QEMUBH *aio_bh_new(AioContext *ctx, QEMUBHFunc *cb, void *opaque)
-         .cb = cb,
-         .opaque = opaque,
-     };
--    qemu_lockcnt_lock(&ctx->list_lock);
--    bh->next = ctx->first_bh;
--    /* Make sure that the members are ready before putting bh into list */
--    smp_wmb();
--    ctx->first_bh = bh;
--    qemu_lockcnt_unlock(&ctx->list_lock);
-     return bh;
- }
-@@ -XXX,XX +XXX,XX @@ void aio_bh_call(QEMUBH *bh)
-     bh->cb(bh->opaque);
- }
--/* Multiple occurrences of aio_bh_poll cannot be called concurrently.
-- * The count in ctx->list_lock is incremented before the call, and is
-- * not affected by the call.
-- */
-+/* Multiple occurrences of aio_bh_poll cannot be called concurrently. */
- int aio_bh_poll(AioContext *ctx)
- {
--    QEMUBH *bh, **bhp, *next;
--    int ret;
--    bool deleted = false;
--
--    ret = 0;
--    for (bh = atomic_rcu_read(&ctx->first_bh); bh; bh = next) {
--        next = atomic_rcu_read(&bh->next);
--        /* The atomic_xchg is paired with the one in qemu_bh_schedule.  The
--         * implicit memory barrier ensures that the callback sees all writes
--         * done by the scheduling thread.  It also ensures that the scheduling
--         * thread sees the zero before bh->cb has run, and thus will call
--         * aio_notify again if necessary.
--         */
--        if (atomic_xchg(&bh->scheduled, 0)) {
-+    BHListSlice slice;
-+    BHListSlice *s;
-+    int ret = 0;
-+
-+    QSLIST_MOVE_ATOMIC(&slice.bh_list, &ctx->bh_list);
-+    QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
-+
-+    while ((s = QSIMPLEQ_FIRST(&ctx->bh_slice_list))) {
-+        QEMUBH *bh;
-+        unsigned flags;
-+
-+        bh = aio_bh_dequeue(&s->bh_list, &flags);
-+        if (!bh) {
-+            QSIMPLEQ_REMOVE_HEAD(&ctx->bh_slice_list, next);
-+            continue;
-+        }
-+
-+        if ((flags & (BH_SCHEDULED | BH_DELETED)) == BH_SCHEDULED) {
-             /* Idle BHs don't count as progress */
--            if (!bh->idle) {
-+            if (!(flags & BH_IDLE)) {
-                 ret = 1;
-             }
--            bh->idle = 0;
-             aio_bh_call(bh);
-         }
--        if (bh->deleted) {
--            deleted = true;
-+        if (flags & (BH_DELETED | BH_ONESHOT)) {
-+            g_free(bh);
-         }
-     }
--    /* remove deleted bhs */
--    if (!deleted) {
--        return ret;
--    }
--
--    if (qemu_lockcnt_dec_if_lock(&ctx->list_lock)) {
--        bhp = &ctx->first_bh;
--        while (*bhp) {
--            bh = *bhp;
--            if (bh->deleted && !bh->scheduled) {
--                *bhp = bh->next;
--                g_free(bh);
--            } else {
--                bhp = &bh->next;
--            }
--        }
--        qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
--    }
-     return ret;
- }
- void qemu_bh_schedule_idle(QEMUBH *bh)
- {
--    bh->idle = 1;
--    /* Make sure that idle & any writes needed by the callback are done
--     * before the locations are read in the aio_bh_poll.
--     */
--    atomic_mb_set(&bh->scheduled, 1);
-+    aio_bh_enqueue(bh, BH_SCHEDULED | BH_IDLE);
- }
- void qemu_bh_schedule(QEMUBH *bh)
- {
--    AioContext *ctx;
--
--    ctx = bh->ctx;
--    bh->idle = 0;
--    /* The memory barrier implicit in atomic_xchg makes sure that:
--     * 1. idle & any writes needed by the callback are done before the
--     *    locations are read in the aio_bh_poll.
--     * 2. ctx is loaded before scheduled is set and the callback has a chance
--     *    to execute.
--     */
--    if (atomic_xchg(&bh->scheduled, 1) == 0) {
--        aio_notify(ctx);
--    }
-+    aio_bh_enqueue(bh, BH_SCHEDULED);
- }
--
- /* This func is async.
-  */
- void qemu_bh_cancel(QEMUBH *bh)
- {
--    atomic_mb_set(&bh->scheduled, 0);
-+    atomic_and(&bh->flags, ~BH_SCHEDULED);
- }
- /* This func is async.The bottom half will do the delete action at the finial
-@@ -XXX,XX +XXX,XX @@ void qemu_bh_cancel(QEMUBH *bh)
-  */
- void qemu_bh_delete(QEMUBH *bh)
- {
--    bh->scheduled = 0;
--    bh->deleted = 1;
-+    aio_bh_enqueue(bh, BH_DELETED);
- }
--int64_t
--aio_compute_timeout(AioContext *ctx)
-+static int64_t aio_compute_bh_timeout(BHList *head, int timeout)
- {
--    int64_t deadline;
--    int timeout = -1;
-     QEMUBH *bh;
--    for (bh = atomic_rcu_read(&ctx->first_bh); bh;
--         bh = atomic_rcu_read(&bh->next)) {
--        if (bh->scheduled) {
--            if (bh->idle) {
-+    QSLIST_FOREACH_RCU(bh, head, next) {
-+        if ((bh->flags & (BH_SCHEDULED | BH_DELETED)) == BH_SCHEDULED) {
-+            if (bh->flags & BH_IDLE) {
-                 /* idle bottom halves will be polled at least
-                  * every 10ms */
-                 timeout = 10000000;
-@@ -XXX,XX +XXX,XX @@ aio_compute_timeout(AioContext *ctx)
-         }
-     }
-+    return timeout;
-+}
-+
-+int64_t
-+aio_compute_timeout(AioContext *ctx)
-+{
-+    BHListSlice *s;
-+    int64_t deadline;
-+    int timeout = -1;
-+
-+    timeout = aio_compute_bh_timeout(&ctx->bh_list, timeout);
-+    if (timeout == 0) {
-+        return 0;
-+    }
-+
-+    QSIMPLEQ_FOREACH(s, &ctx->bh_slice_list, next) {
-+        timeout = aio_compute_bh_timeout(&s->bh_list, timeout);
-+        if (timeout == 0) {
-+            return 0;
-+        }
-+    }
-+
-     deadline = timerlistgroup_deadline_ns(&ctx->tlg);
-     if (deadline == 0) {
-         return 0;
-@@ -XXX,XX +XXX,XX @@ aio_ctx_check(GSource *source)
- {
-     AioContext *ctx = (AioContext *) source;
-     QEMUBH *bh;
-+    BHListSlice *s;
-     atomic_and(&ctx->notify_me, ~1);
-     aio_notify_accept(ctx);
--    for (bh = ctx->first_bh; bh; bh = bh->next) {
--        if (bh->scheduled) {
-+    QSLIST_FOREACH_RCU(bh, &ctx->bh_list, next) {
-+        if ((bh->flags & (BH_SCHEDULED | BH_DELETED)) == BH_SCHEDULED) {
-             return true;
-         }
-     }
-+
-+    QSIMPLEQ_FOREACH(s, &ctx->bh_slice_list, next) {
-+        QSLIST_FOREACH_RCU(bh, &s->bh_list, next) {
-+            if ((bh->flags & (BH_SCHEDULED | BH_DELETED)) == BH_SCHEDULED) {
-+                return true;
-+            }
-+        }
-+    }
-     return aio_pending(ctx) || (timerlistgroup_deadline_ns(&ctx->tlg) == 0);
- }
-@@ -XXX,XX +XXX,XX @@ static void
- aio_ctx_finalize(GSource     *source)
- {
-     AioContext *ctx = (AioContext *) source;
-+    QEMUBH *bh;
-+    unsigned flags;
-     thread_pool_free(ctx->thread_pool);
-@@ -XXX,XX +XXX,XX @@ aio_ctx_finalize(GSource     *source)
-     assert(QSLIST_EMPTY(&ctx->scheduled_coroutines));
-     qemu_bh_delete(ctx->co_schedule_bh);
--    qemu_lockcnt_lock(&ctx->list_lock);
--    assert(!qemu_lockcnt_count(&ctx->list_lock));
--    while (ctx->first_bh) {
--        QEMUBH *next = ctx->first_bh->next;
-+    /* There must be no aio_bh_poll() calls going on */
-+    assert(QSIMPLEQ_EMPTY(&ctx->bh_slice_list));
-+    while ((bh = aio_bh_dequeue(&ctx->bh_list, &flags))) {
-         /* qemu_bh_delete() must have been called on BHs in this AioContext */
--        assert(ctx->first_bh->deleted);
-+        assert(flags & BH_DELETED);
--        g_free(ctx->first_bh);
--        ctx->first_bh = next;
-+        g_free(bh);
-     }
--    qemu_lockcnt_unlock(&ctx->list_lock);
-     aio_set_event_notifier(ctx, &ctx->notifier, false, NULL, NULL);
-     event_notifier_cleanup(&ctx->notifier);
-@@ -XXX,XX +XXX,XX @@ AioContext *aio_context_new(Error **errp)
-     AioContext *ctx;
-     ctx = (AioContext *) g_source_new(&aio_source_funcs, sizeof(AioContext));
-+    QSLIST_INIT(&ctx->bh_list);
-+    QSIMPLEQ_INIT(&ctx->bh_slice_list);
-     aio_context_setup(ctx);
-     ret = event_notifier_init(&ctx->notifier, false);
 --
-.24.1
+.9.3

-[PULL 09/31] aio-posix: make AioHandler dispatch O(1) with epoll
+[Qemu-devel] [PULL v2 17/24] async: remove unnecessary inc/dec pairs
-File descriptor monitoring is O(1) with epoll(7), but
+From: Paolo Bonzini <pbonzini@redhat.com>
 aio_dispatch_handlers() still scans all AioHandlers instead of
 dispatching just those that are ready.  This makes aio_poll() O(n) with
 respect to the total number of registered handlers.
-Add a local ready_list to aio_poll() so that each nested aio_poll()
+Pull the increment/decrement pair out of aio_bh_poll and into the
-builds a list of handlers ready to be dispatched.  Since file descriptor
+callers.
 polling is level-triggered, nested aio_poll() calls also see fds that
 were ready in the parent but not yet dispatched.  This guarantees that
 nested aio_poll() invocations will dispatch all fds, even those that
 became ready before the nested invocation.
-Since only handlers ready to be dispatched are placed onto the
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-ready_list, the new aio_dispatch_ready_handlers() function provides O(1)
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-dispatch.
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
-Note that AioContext polling is still O(n) and currently cannot be fully
+Message-id: 20170213135235.12274-18-pbonzini@redhat.com
 disabled.  This still needs to be fixed before aio_poll() is fully O(1).
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Sergio Lopez <slp@redhat.com>
 Message-id: 20200214171712.541358-6-stefanha@redhat.com
 [Fix compilation error on macOS where there is no epoll(87).  The
 aio_epoll() prototype was out of date and aio_add_ready_list() needed to
 be moved outside the ifdef.
 --Stefan]
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- util/aio-posix.c | 110 +++++++++++++++++++++++++++++++++--------------
+ util/aio-posix.c |  8 +++-----
-file changed, 78 insertions(+), 32 deletions(-)
+ util/aio-win32.c |  8 ++++----
  util/async.c     | 12 ++++++------
 files changed, 13 insertions(+), 15 deletions(-)
 diff --git a/util/aio-posix.c b/util/aio-posix.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/aio-posix.c
 +++ b/util/aio-posix.c
-@@ -XXX,XX +XXX,XX @@ struct AioHandler
+@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
-     void *opaque;
-     bool is_external;
+ void aio_dispatch(AioContext *ctx)
-     QLIST_ENTRY(AioHandler) node;
+ {
-+    QLIST_ENTRY(AioHandler) node_ready; /* only used during aio_poll() */
++    qemu_lockcnt_inc(&ctx->list_lock);
-     QLIST_ENTRY(AioHandler) node_deleted;
+     aio_bh_poll(ctx);
- };
+-
+-    qemu_lockcnt_inc(&ctx->list_lock);
-+/* Add a handler to a ready list */
+     aio_dispatch_handlers(ctx);
-+static void add_ready_handler(AioHandlerList *ready_list,
+     qemu_lockcnt_dec(&ctx->list_lock);
-+                              AioHandler *node,
-+                              int revents)
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
-+{
+     }
-+    QLIST_SAFE_REMOVE(node, node_ready); /* remove from nested parent's list */
-+    node->pfd.revents = revents;
+     npfd = 0;
-+    QLIST_INSERT_HEAD(ready_list, node, node_ready);
+-    qemu_lockcnt_dec(&ctx->list_lock);
-+}
      progress |= aio_bh_poll(ctx);
      if (ret > 0) {
 -        qemu_lockcnt_inc(&ctx->list_lock);
          progress |= aio_dispatch_handlers(ctx);
 -        qemu_lockcnt_dec(&ctx->list_lock);
      }
 +    qemu_lockcnt_dec(&ctx->list_lock);
 +
- #ifdef CONFIG_EPOLL_CREATE1
+     progress |= timerlistgroup_run_timers(&ctx->tlg);
- /* The fd number threshold to switch to epoll */
+     return progress;
-@@ -XXX,XX +XXX,XX @@ static void aio_epoll_update(AioContext *ctx, AioHandler *node, bool is_new)
+diff --git a/util/aio-win32.c b/util/aio-win32.c
-     }
+index XXXXXXX..XXXXXXX 100644
- }
+--- a/util/aio-win32.c
++++ b/util/aio-win32.c
--static int aio_epoll(AioContext *ctx, int64_t timeout)
+@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
-+static int aio_epoll(AioContext *ctx, AioHandlerList *ready_list,
+     bool progress = false;
-+                     int64_t timeout)
+     AioHandler *tmp;
- {
-     GPollFD pfd = {
+-    qemu_lockcnt_inc(&ctx->list_lock);
-         .fd = ctx->epollfd,
+-
-@@ -XXX,XX +XXX,XX @@ static int aio_epoll(AioContext *ctx, int64_t timeout)
+     /*
-         }
+      * We have to walk very carefully in case aio_set_fd_handler is
-         for (i = 0; i < ret; i++) {
+      * called while we're walking.
-             int ev = events[i].events;
+@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
 +            int revents = (ev & EPOLLIN ? G_IO_IN : 0) |
 +                          (ev & EPOLLOUT ? G_IO_OUT : 0) |
 +                          (ev & EPOLLHUP ? G_IO_HUP : 0) |
 +                          (ev & EPOLLERR ? G_IO_ERR : 0);
 +
              node = events[i].data.ptr;
 -            node->pfd.revents = (ev & EPOLLIN ? G_IO_IN : 0) |
 -                (ev & EPOLLOUT ? G_IO_OUT : 0) |
 -                (ev & EPOLLHUP ? G_IO_HUP : 0) |
 -                (ev & EPOLLERR ? G_IO_ERR : 0);
 +            add_ready_handler(ready_list, node, revents);
          }
      }
- out:
-@@ -XXX,XX +XXX,XX @@ static void aio_epoll_update(AioContext *ctx, AioHandler *node, bool is_new)
+-    qemu_lockcnt_dec(&ctx->list_lock);
      return progress;
  }
  void aio_dispatch(AioContext *ctx)
  {
++    qemu_lockcnt_inc(&ctx->list_lock);
+     aio_bh_poll(ctx);
+     aio_dispatch_handlers(ctx, INVALID_HANDLE_VALUE);
++    qemu_lockcnt_dec(&ctx->list_lock);
+     timerlistgroup_run_timers(&ctx->tlg);
  }
--static int aio_epoll(AioContext *ctx, GPollFD *pfds,
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
 -                     unsigned npfd, int64_t timeout)
 +static int aio_epoll(AioContext *ctx, AioHandlerList *ready_list,
 +                     int64_t timeout)
  {
      assert(false);
  }
@@ -XXX,XX +XXX,XX @@ static void aio_free_deleted_handlers(AioContext *ctx)
      qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
  }
 -static bool aio_dispatch_handlers(AioContext *ctx)
 +static bool aio_dispatch_handler(AioContext *ctx, AioHandler *node)
  {
 -    AioHandler *node, *tmp;
      bool progress = false;
 +    int revents;
 -    QLIST_FOREACH_SAFE_RCU(node, &ctx->aio_handlers, node, tmp) {
 -        int revents;
 +    revents = node->pfd.revents & node->pfd.events;
 +    node->pfd.revents = 0;
 -        revents = node->pfd.revents & node->pfd.events;
 -        node->pfd.revents = 0;
 +    if (!QLIST_IS_INSERTED(node, node_deleted) &&
 +        (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR)) &&
 +        aio_node_check(ctx, node->is_external) &&
 +        node->io_read) {
 +        node->io_read(node->opaque);
 -        if (!QLIST_IS_INSERTED(node, node_deleted) &&
 -            (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR)) &&
 -            aio_node_check(ctx, node->is_external) &&
 -            node->io_read) {
 -            node->io_read(node->opaque);
 -
 -            /* aio_notify() does not count as progress */
 -            if (node->opaque != &ctx->notifier) {
 -                progress = true;
 -            }
 -        }
 -        if (!QLIST_IS_INSERTED(node, node_deleted) &&
 -            (revents & (G_IO_OUT | G_IO_ERR)) &&
 -            aio_node_check(ctx, node->is_external) &&
 -            node->io_write) {
 -            node->io_write(node->opaque);
 +        /* aio_notify() does not count as progress */
 +        if (node->opaque != &ctx->notifier) {
              progress = true;
          }
      }
-+    if (!QLIST_IS_INSERTED(node, node_deleted) &&
-+        (revents & (G_IO_OUT | G_IO_ERR)) &&
+-    qemu_lockcnt_dec(&ctx->list_lock);
-+        aio_node_check(ctx, node->is_external) &&
+     first = true;
-+        node->io_write) {
-+        node->io_write(node->opaque);
+     /* ctx->notifier is always registered.  */
-+        progress = true;
+@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
-+    }
+         progress |= aio_dispatch_handlers(ctx, event);
      } while (count > 0);
 +    qemu_lockcnt_dec(&ctx->list_lock);
 +
-+    return progress;
+     progress |= timerlistgroup_run_timers(&ctx->tlg);
 +}
 +
 +/*
 + * If we have a list of ready handlers then this is more efficient than
 + * scanning all handlers with aio_dispatch_handlers().
 + */
 +static bool aio_dispatch_ready_handlers(AioContext *ctx,
 +                                        AioHandlerList *ready_list)
 +{
 +    bool progress = false;
 +    AioHandler *node;
 +
 +    while ((node = QLIST_FIRST(ready_list))) {
 +        QLIST_SAFE_REMOVE(node, node_ready);
 +        progress = aio_dispatch_handler(ctx, node) || progress;
 +    }
 +
 +    return progress;
 +}
 +
 +/* Slower than aio_dispatch_ready_handlers() but only used via glib */
 +static bool aio_dispatch_handlers(AioContext *ctx)
 +{
 +    AioHandler *node, *tmp;
 +    bool progress = false;
 +
 +    QLIST_FOREACH_SAFE_RCU(node, &ctx->aio_handlers, node, tmp) {
 +        progress = aio_dispatch_handler(ctx, node) || progress;
 +    }
      return progress;
  }
-@@ -XXX,XX +XXX,XX @@ static bool try_poll_mode(AioContext *ctx, int64_t *timeout)
+diff --git a/util/async.c b/util/async.c
+index XXXXXXX..XXXXXXX 100644
- bool aio_poll(AioContext *ctx, bool blocking)
+--- a/util/async.c
 +++ b/util/async.c
@@ -XXX,XX +XXX,XX @@ void aio_bh_call(QEMUBH *bh)
      bh->cb(bh->opaque);
  }
 -/* Multiple occurrences of aio_bh_poll cannot be called concurrently */
 +/* Multiple occurrences of aio_bh_poll cannot be called concurrently.
 + * The count in ctx->list_lock is incremented before the call, and is
 + * not affected by the call.
 + */
  int aio_bh_poll(AioContext *ctx)
  {
-+    AioHandlerList ready_list = QLIST_HEAD_INITIALIZER(ready_list);
+     QEMUBH *bh, **bhp, *next;
-     AioHandler *node;
+     int ret;
-     int i;
+     bool deleted = false;
-     int ret = 0;
-@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
+-    qemu_lockcnt_inc(&ctx->list_lock);
-         /* wait until next event */
+-
-         if (aio_epoll_check_poll(ctx, pollfds, npfd, timeout)) {
+     ret = 0;
-             npfd = 0; /* pollfds[] is not being used */
+     for (bh = atomic_rcu_read(&ctx->first_bh); bh; bh = next) {
--            ret = aio_epoll(ctx, timeout);
+         next = atomic_rcu_read(&bh->next);
-+            ret = aio_epoll(ctx, &ready_list, timeout);
+@@ -XXX,XX +XXX,XX @@ int aio_bh_poll(AioContext *ctx)
-         } else  {
-             ret = qemu_poll_ns(pollfds, npfd, timeout);
+     /* remove deleted bhs */
      if (!deleted) {
 -        qemu_lockcnt_dec(&ctx->list_lock);
          return ret;
      }
 -    if (qemu_lockcnt_dec_and_lock(&ctx->list_lock)) {
 +    if (qemu_lockcnt_dec_if_lock(&ctx->list_lock)) {
          bhp = &ctx->first_bh;
          while (*bhp) {
              bh = *bhp;
@@ -XXX,XX +XXX,XX @@ int aio_bh_poll(AioContext *ctx)
                  bhp = &bh->next;
              }
          }
-@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
+-        qemu_lockcnt_unlock(&ctx->list_lock);
-     /* if we have any readable fds, dispatch event */
++        qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
      if (ret > 0) {
          for (i = 0; i < npfd; i++) {
 -            nodes[i]->pfd.revents = pollfds[i].revents;
 +            int revents = pollfds[i].revents;
 +
 +            if (revents) {
 +                add_ready_handler(&ready_list, nodes[i], revents);
 +            }
          }
      }
+     return ret;
-@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
+ }
      progress |= aio_bh_poll(ctx);
      if (ret > 0) {
 -        progress |= aio_dispatch_handlers(ctx);
 +        progress |= aio_dispatch_ready_handlers(ctx, &ready_list);
      }
      aio_free_deleted_handlers(ctx);
 --
-.24.1
+.9.3

-[PULL 29/31] fuzz: add virtio-net fuzz target
+[Qemu-devel] [PULL v2 18/24] block: document fields protected by AioContext lock
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-The virtio-net fuzz target feeds inputs to all three virtio-net
-virtqueues, and uses forking to avoid leaking state between fuzz runs.
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20200220041118.23264-21-alxndr@bu.edu
+Reviewed-by: Fam Zheng <famz@redhat.com>
 Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
 Message-id: 20170213135235.12274-19-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- tests/qtest/fuzz/Makefile.include  |   1 +
+ include/block/block_int.h      | 64 +++++++++++++++++++++++++-----------------
- tests/qtest/fuzz/virtio_net_fuzz.c | 198 +++++++++++++++++++++++++++++
+ include/sysemu/block-backend.h | 14 ++++++---
-files changed, 199 insertions(+)
+files changed, 49 insertions(+), 29 deletions(-)
  create mode 100644 tests/qtest/fuzz/virtio_net_fuzz.c
-diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
+diff --git a/include/block/block_int.h b/include/block/block_int.h
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/fuzz/Makefile.include
+--- a/include/block/block_int.h
-+++ b/tests/qtest/fuzz/Makefile.include
++++ b/include/block/block_int.h
-@@ -XXX,XX +XXX,XX @@ fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
+@@ -XXX,XX +XXX,XX @@ struct BdrvChild {
+  * copied as well.
- # Targets
+  */
- fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o
+ struct BlockDriverState {
-+fuzz-obj-y += tests/qtest/fuzz/virtio_net_fuzz.o
+-    int64_t total_sectors; /* if we are reading a disk image, give its
+-                              size in sectors */
- FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
++    /* Protected by big QEMU lock or read-only after opening.  No special
++     * locking needed during I/O...
-diff --git a/tests/qtest/fuzz/virtio_net_fuzz.c b/tests/qtest/fuzz/virtio_net_fuzz.c
++     */
-new file mode 100644
+     int open_flags; /* flags used to open the file, re-used for re-open */
-index XXXXXXX..XXXXXXX
+     bool read_only; /* if true, the media is read only */
---- /dev/null
+     bool encrypted; /* if true, the media is encrypted */
-+++ b/tests/qtest/fuzz/virtio_net_fuzz.c
+@@ -XXX,XX +XXX,XX @@ struct BlockDriverState {
-@@ -XXX,XX +XXX,XX @@
+     bool sg;        /* if true, the device is a /dev/sg* */
-+/*
+     bool probed;    /* if true, format was probed rather than specified */
-+ * virtio-net Fuzzing Target
-+ *
+-    int copy_on_read; /* if nonzero, copy read backing sectors into image.
-+ * Copyright Red Hat Inc., 2019
+-                         note this is a reference count */
-+ *
+-
-+ * Authors:
+-    CoQueue flush_queue;            /* Serializing flush queue */
-+ *  Alexander Bulekov   <alxndr@bu.edu>
+-    bool active_flush_req;          /* Flush request in flight? */
-+ *
+-    unsigned int write_gen;         /* Current data generation */
-+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+-    unsigned int flushed_gen;       /* Flushed write generation */
-+ * See the COPYING file in the top-level directory.
+-
-+ */
+     BlockDriver *drv; /* NULL means no media */
      void *opaque;
@@ -XXX,XX +XXX,XX @@ struct BlockDriverState {
      BdrvChild *backing;
      BdrvChild *file;
 -    /* Callback before write request is processed */
 -    NotifierWithReturnList before_write_notifiers;
 -
 -    /* number of in-flight requests; overall and serialising */
 -    unsigned int in_flight;
 -    unsigned int serialising_in_flight;
 -
 -    bool wakeup;
 -
 -    /* Offset after the highest byte written to */
 -    uint64_t wr_highest_offset;
 -
      /* I/O Limits */
      BlockLimits bl;
@@ -XXX,XX +XXX,XX @@ struct BlockDriverState {
      QTAILQ_ENTRY(BlockDriverState) bs_list;
      /* element of the list of monitor-owned BDS */
      QTAILQ_ENTRY(BlockDriverState) monitor_list;
 -    QLIST_HEAD(, BdrvDirtyBitmap) dirty_bitmaps;
      int refcnt;
 -    QLIST_HEAD(, BdrvTrackedRequest) tracked_requests;
 -
      /* operation blockers */
      QLIST_HEAD(, BdrvOpBlocker) op_blockers[BLOCK_OP_TYPE_MAX];
@@ -XXX,XX +XXX,XX @@ struct BlockDriverState {
      /* The error object in use for blocking operations on backing_hd */
      Error *backing_blocker;
 +    /* Protected by AioContext lock */
 +
-+#include "qemu/osdep.h"
++    /* If true, copy read backing sectors into image.  Can be >1 if more
 +     * than one client has requested copy-on-read.
 +     */
 +    int copy_on_read;
 +
-+#include "standard-headers/linux/virtio_config.h"
++    /* If we are reading a disk image, give its size in sectors.
-+#include "tests/qtest/libqtest.h"
++     * Generally read-only; it is written to by load_vmstate and save_vmstate,
-+#include "tests/qtest/libqos/virtio-net.h"
++     * but the block layer is quiescent during those.
-+#include "fuzz.h"
++     */
-+#include "fork_fuzz.h"
++    int64_t total_sectors;
 +#include "qos_fuzz.h"
 +
++    /* Callback before write request is processed */
++    NotifierWithReturnList before_write_notifiers;
 +
-+#define QVIRTIO_NET_TIMEOUT_US (30 * 1000 * 1000)
++    /* number of in-flight requests; overall and serialising */
-+#define QVIRTIO_RX_VQ 0
++    unsigned int in_flight;
-+#define QVIRTIO_TX_VQ 1
++    unsigned int serialising_in_flight;
 +#define QVIRTIO_CTRL_VQ 2
 +
-+static int sockfds[2];
++    bool wakeup;
 +static bool sockfds_initialized;
 +
-+static void virtio_net_fuzz_multi(QTestState *s,
++    /* Offset after the highest byte written to */
-+        const unsigned char *Data, size_t Size, bool check_used)
++    uint64_t wr_highest_offset;
 +{
 +    typedef struct vq_action {
 +        uint8_t queue;
 +        uint8_t length;
 +        uint8_t write;
 +        uint8_t next;
 +        uint8_t rx;
 +    } vq_action;
 +
-+    uint32_t free_head = 0;
+     /* threshold limit for writes, in bytes. "High water mark". */
      uint64_t write_threshold_offset;
      NotifierWithReturn write_threshold_notifier;
@@ -XXX,XX +XXX,XX @@ struct BlockDriverState {
      /* counter for nested bdrv_io_plug */
      unsigned io_plugged;
 +    QLIST_HEAD(, BdrvTrackedRequest) tracked_requests;
 +    CoQueue flush_queue;                  /* Serializing flush queue */
 +    bool active_flush_req;                /* Flush request in flight? */
 +    unsigned int write_gen;               /* Current data generation */
 +    unsigned int flushed_gen;             /* Flushed write generation */
 +
-+    QGuestAllocator *t_alloc = fuzz_qos_alloc;
++    QLIST_HEAD(, BdrvDirtyBitmap) dirty_bitmaps;
 +
-+    QVirtioNet *net_if = fuzz_qos_obj;
++    /* do we need to tell the quest if we have a volatile write cache? */
-+    QVirtioDevice *dev = net_if->vdev;
++    int enable_write_cache;
 +    QVirtQueue *q;
 +    vq_action vqa;
 +    while (Size >= sizeof(vqa)) {
 +        memcpy(&vqa, Data, sizeof(vqa));
 +        Data += sizeof(vqa);
 +        Size -= sizeof(vqa);
 +
-+        q = net_if->queues[vqa.queue % 3];
+     int quiesce_counter;
  };
 diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/sysemu/block-backend.h
 +++ b/include/sysemu/block-backend.h
@@ -XXX,XX +XXX,XX @@ typedef struct BlockDevOps {
   * fields that must be public. This is in particular for QLIST_ENTRY() and
   * friends so that BlockBackends can be kept in lists outside block-backend.c */
  typedef struct BlockBackendPublic {
 -    /* I/O throttling.
 -     * throttle_state tells us if this BlockBackend has I/O limits configured.
 -     * io_limits_disabled tells us if they are currently being enforced */
 +    /* I/O throttling has its own locking, but also some fields are
 +     * protected by the AioContext lock.
 +     */
 +
-+        vqa.length = vqa.length >= Size ? Size :  vqa.length;
++    /* Protected by AioContext lock.  */
      CoQueue      throttled_reqs[2];
 +
-+        /*
++    /* Nonzero if the I/O limits are currently being ignored; generally
-+         * Only attempt to write incoming packets, when using the socket
++     * it is zero.  */
-+         * backend. Otherwise, always place the input on a virtqueue.
+     unsigned int io_limits_disabled;
-+         */
-+        if (vqa.rx && sockfds_initialized) {
+     /* The following fields are protected by the ThrottleGroup lock.
-+            write(sockfds[0], Data, vqa.length);
+-     * See the ThrottleGroup documentation for details. */
-+        } else {
++     * See the ThrottleGroup documentation for details.
-+            vqa.rx = 0;
++     * throttle_state tells us if I/O limits are configured. */
-+            uint64_t req_addr = guest_alloc(t_alloc, vqa.length);
+     ThrottleState *throttle_state;
-+            /*
+     ThrottleTimers throttle_timers;
-+             * If checking used ring, ensure that the fuzzer doesn't trigger
+     unsigned       pending_reqs[2];
 +             * trivial asserion failure on zero-zied buffer
 +             */
 +            qtest_memwrite(s, req_addr, Data, vqa.length);
 +
 +
 +            free_head = qvirtqueue_add(s, q, req_addr, vqa.length,
 +                    vqa.write, vqa.next);
 +            qvirtqueue_add(s, q, req_addr, vqa.length, vqa.write , vqa.next);
 +            qvirtqueue_kick(s, dev, q, free_head);
 +        }
 +
 +        /* Run the main loop */
 +        qtest_clock_step(s, 100);
 +        flush_events(s);
 +
 +        /* Wait on used descriptors */
 +        if (check_used && !vqa.rx) {
 +            gint64 start_time = g_get_monotonic_time();
 +            /*
 +             * normally, we could just use qvirtio_wait_used_elem, but since we
 +             * must manually run the main-loop for all the bhs to run, we use
 +             * this hack with flush_events(), to run the main_loop
 +             */
 +            while (!vqa.rx && q != net_if->queues[QVIRTIO_RX_VQ]) {
 +                uint32_t got_desc_idx;
 +                /* Input led to a virtio_error */
 +                if (dev->bus->get_status(dev) & VIRTIO_CONFIG_S_NEEDS_RESET) {
 +                    break;
 +                }
 +                if (dev->bus->get_queue_isr_status(dev, q) &&
 +                        qvirtqueue_get_buf(s, q, &got_desc_idx, NULL)) {
 +                    g_assert_cmpint(got_desc_idx, ==, free_head);
 +                    break;
 +                }
 +                g_assert(g_get_monotonic_time() - start_time
 +                        <= QVIRTIO_NET_TIMEOUT_US);
 +
 +                /* Run the main loop */
 +                qtest_clock_step(s, 100);
 +                flush_events(s);
 +            }
 +        }
 +        Data += vqa.length;
 +        Size -= vqa.length;
 +    }
 +}
 +
 +static void virtio_net_fork_fuzz(QTestState *s,
 +        const unsigned char *Data, size_t Size)
 +{
 +    if (fork() == 0) {
 +        virtio_net_fuzz_multi(s, Data, Size, false);
 +        flush_events(s);
 +        _Exit(0);
 +    } else {
 +        wait(NULL);
 +    }
 +}
 +
 +static void virtio_net_fork_fuzz_check_used(QTestState *s,
 +        const unsigned char *Data, size_t Size)
 +{
 +    if (fork() == 0) {
 +        virtio_net_fuzz_multi(s, Data, Size, true);
 +        flush_events(s);
 +        _Exit(0);
 +    } else {
 +        wait(NULL);
 +    }
 +}
 +
 +static void virtio_net_pre_fuzz(QTestState *s)
 +{
 +    qos_init_path(s);
 +    counter_shm_init();
 +}
 +
 +static void *virtio_net_test_setup_socket(GString *cmd_line, void *arg)
 +{
 +    int ret = socketpair(PF_UNIX, SOCK_STREAM, 0, sockfds);
 +    g_assert_cmpint(ret, !=, -1);
 +    fcntl(sockfds[0], F_SETFL, O_NONBLOCK);
 +    sockfds_initialized = true;
 +    g_string_append_printf(cmd_line, " -netdev socket,fd=%d,id=hs0 ",
 +                           sockfds[1]);
 +    return arg;
 +}
 +
 +static void *virtio_net_test_setup_user(GString *cmd_line, void *arg)
 +{
 +    g_string_append_printf(cmd_line, " -netdev user,id=hs0 ");
 +    return arg;
 +}
 +
 +static void register_virtio_net_fuzz_targets(void)
 +{
 +    fuzz_add_qos_target(&(FuzzTarget){
 +            .name = "virtio-net-socket",
 +            .description = "Fuzz the virtio-net virtual queues. Fuzz incoming "
 +            "traffic using the socket backend",
 +            .pre_fuzz = &virtio_net_pre_fuzz,
 +            .fuzz = virtio_net_fork_fuzz,},
 +            "virtio-net",
 +            &(QOSGraphTestOptions){.before = virtio_net_test_setup_socket}
 +            );
 +
 +    fuzz_add_qos_target(&(FuzzTarget){
 +            .name = "virtio-net-socket-check-used",
 +            .description = "Fuzz the virtio-net virtual queues. Wait for the "
 +            "descriptors to be used. Timeout may indicate improperly handled "
 +            "input",
 +            .pre_fuzz = &virtio_net_pre_fuzz,
 +            .fuzz = virtio_net_fork_fuzz_check_used,},
 +            "virtio-net",
 +            &(QOSGraphTestOptions){.before = virtio_net_test_setup_socket}
 +            );
 +    fuzz_add_qos_target(&(FuzzTarget){
 +            .name = "virtio-net-slirp",
 +            .description = "Fuzz the virtio-net virtual queues with the slirp "
 +            " backend. Warning: May result in network traffic emitted from the "
 +            " process. Run in an isolated network environment.",
 +            .pre_fuzz = &virtio_net_pre_fuzz,
 +            .fuzz = virtio_net_fork_fuzz,},
 +            "virtio-net",
 +            &(QOSGraphTestOptions){.before = virtio_net_test_setup_user}
 +            );
 +}
 +
 +fuzz_target_init(register_virtio_net_fuzz_targets);
 --
-.24.1
+.9.3

-[PULL 25/31] fuzz: add support for qos-assisted fuzz targets
+[Qemu-devel] [PULL v2 19/24] coroutine-lock: make CoMutex thread-safe
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+This uses the lock-free mutex described in the paper '"Blocking without
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Locking", or LFTHREADS: A lock-free thread library' by Gidenstam and
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Papatriantafilou.  The same technique is used in OSv, and in fact
-Message-id: 20200220041118.23264-17-alxndr@bu.edu
+the code is essentially a conversion to C of OSv's code.
 [Added missing coroutine_fn in tests/test-aio-multithread.c.
 --Stefan]
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Fam Zheng <famz@redhat.com>
 Message-id: 20170213181244.16297-2-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- tests/qtest/fuzz/Makefile.include |   2 +
+ include/qemu/coroutine.h     |  17 ++++-
- tests/qtest/fuzz/qos_fuzz.c       | 234 ++++++++++++++++++++++++++++++
+ tests/test-aio-multithread.c |  86 ++++++++++++++++++++++++
- tests/qtest/fuzz/qos_fuzz.h       |  33 +++++
+ util/qemu-coroutine-lock.c   | 155 ++++++++++++++++++++++++++++++++++++++++---
-files changed, 269 insertions(+)
+ util/trace-events            |   1 +
- create mode 100644 tests/qtest/fuzz/qos_fuzz.c
+files changed, 246 insertions(+), 13 deletions(-)
- create mode 100644 tests/qtest/fuzz/qos_fuzz.h
+diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
 diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/fuzz/Makefile.include
+--- a/include/qemu/coroutine.h
-+++ b/tests/qtest/fuzz/Makefile.include
++++ b/include/qemu/coroutine.h
@@ -XXX,XX +XXX,XX @@ bool qemu_co_queue_empty(CoQueue *queue);
  /**
   * Provides a mutex that can be used to synchronise coroutines
   */
 +struct CoWaitRecord;
  typedef struct CoMutex {
 -    bool locked;
 +    /* Count of pending lockers; 0 for a free mutex, 1 for an
 +     * uncontended mutex.
 +     */
 +    unsigned locked;
 +
 +    /* A queue of waiters.  Elements are added atomically in front of
 +     * from_push.  to_pop is only populated, and popped from, by whoever
 +     * is in charge of the next wakeup.  This can be an unlocker or,
 +     * through the handoff protocol, a locker that is about to go to sleep.
 +     */
 +    QSLIST_HEAD(, CoWaitRecord) from_push, to_pop;
 +
 +    unsigned handoff, sequence;
 +
      Coroutine *holder;
 -    CoQueue queue;
  } CoMutex;
  /**
 diff --git a/tests/test-aio-multithread.c b/tests/test-aio-multithread.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/test-aio-multithread.c
 +++ b/tests/test-aio-multithread.c
@@ -XXX,XX +XXX,XX @@ static void test_multi_co_schedule_10(void)
      test_multi_co_schedule(10);
  }
 +/* CoMutex thread-safety.  */
 +
 +static uint32_t atomic_counter;
 +static uint32_t running;
 +static uint32_t counter;
 +static CoMutex comutex;
 +
 +static void coroutine_fn test_multi_co_mutex_entry(void *opaque)
 +{
 +    while (!atomic_mb_read(&now_stopping)) {
 +        qemu_co_mutex_lock(&comutex);
 +        counter++;
 +        qemu_co_mutex_unlock(&comutex);
 +
 +        /* Increase atomic_counter *after* releasing the mutex.  Otherwise
 +         * there is a chance (it happens about 1 in 3 runs) that the iothread
 +         * exits before the coroutine is woken up, causing a spurious
 +         * assertion failure.
 +         */
 +        atomic_inc(&atomic_counter);
 +    }
 +    atomic_dec(&running);
 +}
 +
 +static void test_multi_co_mutex(int threads, int seconds)
 +{
 +    int i;
 +
 +    qemu_co_mutex_init(&comutex);
 +    counter = 0;
 +    atomic_counter = 0;
 +    now_stopping = false;
 +
 +    create_aio_contexts();
 +    assert(threads <= NUM_CONTEXTS);
 +    running = threads;
 +    for (i = 0; i < threads; i++) {
 +        Coroutine *co1 = qemu_coroutine_create(test_multi_co_mutex_entry, NULL);
 +        aio_co_schedule(ctx[i], co1);
 +    }
 +
 +    g_usleep(seconds * 1000000);
 +
 +    atomic_mb_set(&now_stopping, true);
 +    while (running > 0) {
 +        g_usleep(100000);
 +    }
 +
 +    join_aio_contexts();
 +    g_test_message("%d iterations/second\n", counter / seconds);
 +    g_assert_cmpint(counter, ==, atomic_counter);
 +}
 +
 +/* Testing with NUM_CONTEXTS threads focuses on the queue.  The mutex however
 + * is too contended (and the threads spend too much time in aio_poll)
 + * to actually stress the handoff protocol.
 + */
 +static void test_multi_co_mutex_1(void)
 +{
 +    test_multi_co_mutex(NUM_CONTEXTS, 1);
 +}
 +
 +static void test_multi_co_mutex_10(void)
 +{
 +    test_multi_co_mutex(NUM_CONTEXTS, 10);
 +}
 +
 +/* Testing with fewer threads stresses the handoff protocol too.  Still, the
 + * case where the locker _can_ pick up a handoff is very rare, happening
 + * about 10 times in 1 million, so increase the runtime a bit compared to
 + * other "quick" testcases that only run for 1 second.
 + */
 +static void test_multi_co_mutex_2_3(void)
 +{
 +    test_multi_co_mutex(2, 3);
 +}
 +
 +static void test_multi_co_mutex_2_30(void)
 +{
 +    test_multi_co_mutex(2, 30);
 +}
 +
  /* End of tests.  */
  int main(int argc, char **argv)
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
      g_test_add_func("/aio/multi/lifecycle", test_lifecycle);
      if (g_test_quick()) {
          g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_1);
 +        g_test_add_func("/aio/multi/mutex/contended", test_multi_co_mutex_1);
 +        g_test_add_func("/aio/multi/mutex/handoff", test_multi_co_mutex_2_3);
      } else {
          g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_10);
 +        g_test_add_func("/aio/multi/mutex/contended", test_multi_co_mutex_10);
 +        g_test_add_func("/aio/multi/mutex/handoff", test_multi_co_mutex_2_30);
      }
      return g_test_run();
  }
 diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/qemu-coroutine-lock.c
 +++ b/util/qemu-coroutine-lock.c
 @@ -XXX,XX +XXX,XX @@
- QEMU_PROG_FUZZ=qemu-fuzz-$(TARGET_NAME)$(EXESUF)
+  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- fuzz-obj-y += tests/qtest/libqtest.o
+  * THE SOFTWARE.
 +fuzz-obj-y += $(libqos-obj-y)
  fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
  fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o
 +fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
  FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
 diff --git a/tests/qtest/fuzz/qos_fuzz.c b/tests/qtest/fuzz/qos_fuzz.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/qtest/fuzz/qos_fuzz.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QOS-assisted fuzzing helpers
 + *
-+ * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
++ * The lock-free mutex implementation is based on OSv
 + * (core/lfmutex.cc, include/lockfree/mutex.hh).
 + * Copyright (C) 2013 Cloudius Systems, Ltd.
   */
  #include "qemu/osdep.h"
@@ -XXX,XX +XXX,XX @@ bool qemu_co_queue_empty(CoQueue *queue)
      return QSIMPLEQ_FIRST(&queue->entries) == NULL;
  }
 +/* The wait records are handled with a multiple-producer, single-consumer
 + * lock-free queue.  There cannot be two concurrent pop_waiter() calls
 + * because pop_waiter() can only be called while mutex->handoff is zero.
 + * This can happen in three cases:
 + * - in qemu_co_mutex_unlock, before the hand-off protocol has started.
 + *   In this case, qemu_co_mutex_lock will see mutex->handoff == 0 and
 + *   not take part in the handoff.
 + * - in qemu_co_mutex_lock, if it steals the hand-off responsibility from
 + *   qemu_co_mutex_unlock.  In this case, qemu_co_mutex_unlock will fail
 + *   the cmpxchg (it will see either 0 or the next sequence value) and
 + *   exit.  The next hand-off cannot begin until qemu_co_mutex_lock has
 + *   woken up someone.
 + * - in qemu_co_mutex_unlock, if it takes the hand-off token itself.
 + *   In this case another iteration starts with mutex->handoff == 0;
 + *   a concurrent qemu_co_mutex_lock will fail the cmpxchg, and
 + *   qemu_co_mutex_unlock will go back to case (1).
 + *
-+ * This library is free software; you can redistribute it and/or
++ * The following functions manage this queue.
 + * modify it under the terms of the GNU Lesser General Public
 + * License version 2 as published by the Free Software Foundation.
 + *
 + * This library is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 + * Lesser General Public License for more details.
 + *
 + * You should have received a copy of the GNU Lesser General Public
 + * License along with this library; if not, see <http://www.gnu.org/licenses/>
 + */
-+
++typedef struct CoWaitRecord {
-+#include "qemu/osdep.h"
++    Coroutine *co;
-+#include "qemu/units.h"
++    QSLIST_ENTRY(CoWaitRecord) next;
-+#include "qapi/error.h"
++} CoWaitRecord;
-+#include "qemu-common.h"
++
-+#include "exec/memory.h"
++static void push_waiter(CoMutex *mutex, CoWaitRecord *w)
-+#include "exec/address-spaces.h"
++{
-+#include "sysemu/sysemu.h"
++    w->co = qemu_coroutine_self();
-+#include "qemu/main-loop.h"
++    QSLIST_INSERT_HEAD_ATOMIC(&mutex->from_push, w, next);
-+
++}
-+#include "tests/qtest/libqtest.h"
++
-+#include "tests/qtest/libqos/malloc.h"
++static void move_waiters(CoMutex *mutex)
-+#include "tests/qtest/libqos/qgraph.h"
++{
-+#include "tests/qtest/libqos/qgraph_internal.h"
++    QSLIST_HEAD(, CoWaitRecord) reversed;
-+#include "tests/qtest/libqos/qos_external.h"
++    QSLIST_MOVE_ATOMIC(&reversed, &mutex->from_push);
-+
++    while (!QSLIST_EMPTY(&reversed)) {
-+#include "fuzz.h"
++        CoWaitRecord *w = QSLIST_FIRST(&reversed);
-+#include "qos_fuzz.h"
++        QSLIST_REMOVE_HEAD(&reversed, next);
-+
++        QSLIST_INSERT_HEAD(&mutex->to_pop, w, next);
-+#include "qapi/qapi-commands-machine.h"
++    }
-+#include "qapi/qapi-commands-qom.h"
++}
-+#include "qapi/qmp/qlist.h"
++
-+
++static CoWaitRecord *pop_waiter(CoMutex *mutex)
-+
++{
-+void *fuzz_qos_obj;
++    CoWaitRecord *w;
-+QGuestAllocator *fuzz_qos_alloc;
++
-+
++    if (QSLIST_EMPTY(&mutex->to_pop)) {
-+static const char *fuzz_target_name;
++        move_waiters(mutex);
-+static char **fuzz_path_vec;
++        if (QSLIST_EMPTY(&mutex->to_pop)) {
-+
++            return NULL;
-+/*
++        }
-+ * Replaced the qmp commands with direct qmp_marshal calls.
++    }
-+ * Probably there is a better way to do this
++    w = QSLIST_FIRST(&mutex->to_pop);
-+ */
++    QSLIST_REMOVE_HEAD(&mutex->to_pop, next);
-+static void qos_set_machines_devices_available(void)
++    return w;
-+{
++}
-+    QDict *req = qdict_new();
++
-+    QObject *response;
++static bool has_waiters(CoMutex *mutex)
-+    QDict *args = qdict_new();
++{
-+    QList *lst;
++    return QSLIST_EMPTY(&mutex->to_pop) || QSLIST_EMPTY(&mutex->from_push);
-+    Error *err = NULL;
++}
 +
-+    qmp_marshal_query_machines(NULL, &response, &err);
+ void qemu_co_mutex_init(CoMutex *mutex)
-+    assert(!err);
+ {
-+    lst = qobject_to(QList, response);
+     memset(mutex, 0, sizeof(*mutex));
-+    apply_to_qlist(lst, true);
+-    qemu_co_queue_init(&mutex->queue);
-+
+ }
-+    qobject_unref(response);
-+
+-void coroutine_fn qemu_co_mutex_lock(CoMutex *mutex)
-+
++static void coroutine_fn qemu_co_mutex_lock_slowpath(CoMutex *mutex)
-+    qdict_put_str(req, "execute", "qom-list-types");
+ {
-+    qdict_put_str(args, "implements", "device");
+     Coroutine *self = qemu_coroutine_self();
-+    qdict_put_bool(args, "abstract", true);
++    CoWaitRecord w;
-+    qdict_put_obj(req, "arguments", (QObject *) args);
++    unsigned old_handoff;
-+
-+    qmp_marshal_qom_list_types(args, &response, &err);
+     trace_qemu_co_mutex_lock_entry(mutex, self);
-+    assert(!err);
++    w.co = self;
-+    lst = qobject_to(QList, response);
++    push_waiter(mutex, &w);
-+    apply_to_qlist(lst, false);
-+    qobject_unref(response);
+-    while (mutex->locked) {
-+    qobject_unref(req);
+-        qemu_co_queue_wait(&mutex->queue);
-+}
++    /* This is the "Responsibility Hand-Off" protocol; a lock() picks from
-+
++     * a concurrent unlock() the responsibility of waking somebody up.
-+static char **current_path;
++     */
-+
++    old_handoff = atomic_mb_read(&mutex->handoff);
-+void *qos_allocate_objects(QTestState *qts, QGuestAllocator **p_alloc)
++    if (old_handoff &&
-+{
++        has_waiters(mutex) &&
-+    return allocate_objects(qts, current_path + 1, p_alloc);
++        atomic_cmpxchg(&mutex->handoff, old_handoff, 0) == old_handoff) {
-+}
++        /* There can be no concurrent pops, because there can be only
-+
++         * one active handoff at a time.
-+static const char *qos_build_main_args(void)
++         */
-+{
++        CoWaitRecord *to_wake = pop_waiter(mutex);
-+    char **path = fuzz_path_vec;
++        Coroutine *co = to_wake->co;
-+    QOSGraphNode *test_node;
++        if (co == self) {
-+    GString *cmd_line = g_string_new(path[0]);
++            /* We got the lock ourselves!  */
-+    void *test_arg;
++            assert(to_wake == &w);
-+
++            return;
-+    if (!path) {
++        }
-+        fprintf(stderr, "QOS Path not found\n");
++
-+        abort();
++        aio_co_wake(co);
-+    }
+     }
-+
-+    /* Before test */
+-    mutex->locked = true;
-+    current_path = path;
+-    mutex->holder = self;
-+    test_node = qos_graph_get_node(path[(g_strv_length(path) - 1)]);
+-    self->locks_held++;
-+    test_arg = test_node->u.test.arg;
+-
-+    if (test_node->u.test.before) {
++    qemu_coroutine_yield();
-+        test_arg = test_node->u.test.before(cmd_line, test_arg);
+     trace_qemu_co_mutex_lock_return(mutex, self);
-+    }
+ }
-+    /* Prepend the arguments that we need */
-+    g_string_prepend(cmd_line,
++void coroutine_fn qemu_co_mutex_lock(CoMutex *mutex)
-+            TARGET_NAME " -display none -machine accel=qtest -m 64 ");
++{
-+    return cmd_line->str;
++    Coroutine *self = qemu_coroutine_self();
-+}
++
-+
++    if (atomic_fetch_inc(&mutex->locked) == 0) {
-+/*
++        /* Uncontended.  */
-+ * This function is largely a copy of qos-test.c:walk_path. Since walk_path
++        trace_qemu_co_mutex_lock_uncontended(mutex, self);
-+ * is itself a callback, its a little annoying to add another argument/layer of
++    } else {
-+ * indirection
++        qemu_co_mutex_lock_slowpath(mutex);
-+ */
++    }
-+static void walk_path(QOSGraphNode *orig_path, int len)
++    mutex->holder = self;
-+{
++    self->locks_held++;
-+    QOSGraphNode *path;
++}
-+    QOSGraphEdge *edge;
++
-+
+ void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex)
-+    /* etype set to QEDGE_CONSUMED_BY so that machine can add to the command line */
+ {
-+    QOSEdgeType etype = QEDGE_CONSUMED_BY;
+     Coroutine *self = qemu_coroutine_self();
-+
-+    /* twice QOS_PATH_MAX_ELEMENT_SIZE since each edge can have its arg */
+     trace_qemu_co_mutex_unlock_entry(mutex, self);
-+    char **path_vec = g_new0(char *, (QOS_PATH_MAX_ELEMENT_SIZE * 2));
-+    int path_vec_size = 0;
+-    assert(mutex->locked == true);
-+
++    assert(mutex->locked);
-+    char *after_cmd, *before_cmd, *after_device;
+     assert(mutex->holder == self);
-+    GString *after_device_str = g_string_new("");
+     assert(qemu_in_coroutine());
-+    char *node_name = orig_path->name, *path_str;
-+
+-    mutex->locked = false;
-+    GString *cmd_line = g_string_new("");
+     mutex->holder = NULL;
-+    GString *cmd_line2 = g_string_new("");
+     self->locks_held--;
-+
+-    qemu_co_queue_next(&mutex->queue);
-+    path = qos_graph_get_node(node_name); /* root */
++    if (atomic_fetch_dec(&mutex->locked) == 1) {
-+    node_name = qos_graph_edge_get_dest(path->path_edge); /* machine name */
++        /* No waiting qemu_co_mutex_lock().  Pfew, that was easy!  */
-+
++        return;
-+    path_vec[path_vec_size++] = node_name;
++    }
 +    path_vec[path_vec_size++] = qos_get_machine_type(node_name);
 +
 +    for (;;) {
-+        path = qos_graph_get_node(node_name);
++        CoWaitRecord *to_wake = pop_waiter(mutex);
-+        if (!path->path_edge) {
++        unsigned our_handoff;
 +
 +        if (to_wake) {
 +            Coroutine *co = to_wake->co;
 +            aio_co_wake(co);
 +            break;
 +        }
 +
-+        node_name = qos_graph_edge_get_dest(path->path_edge);
++        /* Some concurrent lock() is in progress (we know this because
-+
++         * mutex->locked was >1) but it hasn't yet put itself on the wait
-+        /* append node command line + previous edge command line */
++         * queue.  Pick a sequence number for the handoff protocol (not 0).
 +        if (path->command_line && etype == QEDGE_CONSUMED_BY) {
 +            g_string_append(cmd_line, path->command_line);
 +            g_string_append(cmd_line, after_device_str->str);
 +            g_string_truncate(after_device_str, 0);
 +        }
 +
 +        path_vec[path_vec_size++] = qos_graph_edge_get_name(path->path_edge);
 +        /* detect if edge has command line args */
 +        after_cmd = qos_graph_edge_get_after_cmd_line(path->path_edge);
 +        after_device = qos_graph_edge_get_extra_device_opts(path->path_edge);
 +        before_cmd = qos_graph_edge_get_before_cmd_line(path->path_edge);
 +        edge = qos_graph_get_edge(path->name, node_name);
 +        etype = qos_graph_edge_get_type(edge);
 +
 +        if (before_cmd) {
 +            g_string_append(cmd_line, before_cmd);
 +        }
 +        if (after_cmd) {
 +            g_string_append(cmd_line2, after_cmd);
 +        }
 +        if (after_device) {
 +            g_string_append(after_device_str, after_device);
 +        }
 +    }
 +
 +    path_vec[path_vec_size++] = NULL;
 +    g_string_append(cmd_line, after_device_str->str);
 +    g_string_free(after_device_str, true);
 +
 +    g_string_append(cmd_line, cmd_line2->str);
 +    g_string_free(cmd_line2, true);
 +
 +    /*
 +     * here position 0 has <arch>/<machine>, position 1 has <machine>.
 +     * The path must not have the <arch>, qtest_add_data_func adds it.
 +     */
 +    path_str = g_strjoinv("/", path_vec + 1);
 +
 +    /* Check that this is the test we care about: */
 +    char *test_name = strrchr(path_str, '/') + 1;
 +    if (strcmp(test_name, fuzz_target_name) == 0) {
 +        /*
 +         * put arch/machine in position 1 so run_one_test can do its work
 +         * and add the command line at position 0.
 +         */
-+        path_vec[1] = path_vec[0];
++        if (++mutex->sequence == 0) {
-+        path_vec[0] = g_string_free(cmd_line, false);
++            mutex->sequence = 1;
-+
++        }
-+        fuzz_path_vec = path_vec;
++
-+    } else {
++        our_handoff = mutex->sequence;
-+        g_free(path_vec);
++        atomic_mb_set(&mutex->handoff, our_handoff);
-+    }
++        if (!has_waiters(mutex)) {
-+
++            /* The concurrent lock has not added itself yet, so it
-+    g_free(path_str);
++             * will be able to pick our handoff.
-+}
++             */
-+
++            break;
-+static const char *qos_get_cmdline(FuzzTarget *t)
++        }
-+{
++
-+    /*
++        /* Try to do the handoff protocol ourselves; if somebody else has
-+     * Set a global variable that we use to identify the qos_path for our
++         * already taken it, however, we're done and they're responsible.
-+     * fuzz_target
++         */
-+     */
++        if (atomic_cmpxchg(&mutex->handoff, our_handoff, 0) != our_handoff) {
-+    fuzz_target_name = t->name;
++            break;
-+    qos_set_machines_devices_available();
++        }
-+    qos_graph_foreach_test_path(walk_path);
++    }
-+    return qos_build_main_args();
-+}
+     trace_qemu_co_mutex_unlock_return(mutex, self);
-+
+ }
-+void fuzz_add_qos_target(
+diff --git a/util/trace-events b/util/trace-events
-+        FuzzTarget *fuzz_opts,
+index XXXXXXX..XXXXXXX 100644
-+        const char *interface,
+--- a/util/trace-events
-+        QOSGraphTestOptions *opts
++++ b/util/trace-events
-+        )
+@@ -XXX,XX +XXX,XX @@ qemu_coroutine_terminate(void *co) "self %p"
-+{
-+    qos_add_test(fuzz_opts->name, interface, NULL, opts);
+ # util/qemu-coroutine-lock.c
-+    fuzz_opts->get_init_cmdline = qos_get_cmdline;
+ qemu_co_queue_run_restart(void *co) "co %p"
-+    fuzz_add_target(fuzz_opts);
++qemu_co_mutex_lock_uncontended(void *mutex, void *self) "mutex %p self %p"
-+}
+ qemu_co_mutex_lock_entry(void *mutex, void *self) "mutex %p self %p"
-+
+ qemu_co_mutex_lock_return(void *mutex, void *self) "mutex %p self %p"
-+void qos_init_path(QTestState *s)
+ qemu_co_mutex_unlock_entry(void *mutex, void *self) "mutex %p self %p"
 +{
 +    fuzz_qos_obj = qos_allocate_objects(s , &fuzz_qos_alloc);
 +}
 diff --git a/tests/qtest/fuzz/qos_fuzz.h b/tests/qtest/fuzz/qos_fuzz.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/qtest/fuzz/qos_fuzz.h
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QOS-assisted fuzzing helpers
 + *
 + * Copyright Red Hat Inc., 2019
 + *
 + * Authors:
 + *  Alexander Bulekov   <alxndr@bu.edu>
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
 + */
 +
 +#ifndef _QOS_FUZZ_H_
 +#define _QOS_FUZZ_H_
 +
 +#include "tests/qtest/fuzz/fuzz.h"
 +#include "tests/qtest/libqos/qgraph.h"
 +
 +int qos_fuzz(const unsigned char *Data, size_t Size);
 +void qos_setup(void);
 +
 +extern void *fuzz_qos_obj;
 +extern QGuestAllocator *fuzz_qos_alloc;
 +
 +void fuzz_add_qos_target(
 +        FuzzTarget *fuzz_opts,
 +        const char *interface,
 +        QOSGraphTestOptions *opts
 +        );
 +
 +void qos_init_path(QTestState *);
 +
 +#endif
 --
-.24.1
+.9.3

-[PULL 28/31] fuzz: add i440fx fuzz targets
+[Qemu-devel] [PULL v2 20/24] coroutine-lock: add limited spinning to CoMutex
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-These three targets should simply fuzz reads/writes to a couple ioports,
+Running a very small critical section on pthread_mutex_t and CoMutex
-but they mostly serve as examples of different ways to write targets.
+shows that pthread_mutex_t is much faster because it doesn't actually
-They demonstrate using qtest and qos for fuzzing, as well as using
+go to sleep.  What happens is that the critical section is shorter
-rebooting and forking to reset state, or not resetting it at all.
+than the latency of entering the kernel and thus FUTEX_WAIT always
 fails.  With CoMutex there is no such latency but you still want to
 avoid wait and wakeup.  So introduce it artificially.
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+This only works with one waiters; because CoMutex is fair, it will
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+always have more waits and wakeups than a pthread_mutex_t.
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Message-id: 20200220041118.23264-20-alxndr@bu.edu
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Fam Zheng <famz@redhat.com>
 Message-id: 20170213181244.16297-3-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- tests/qtest/fuzz/Makefile.include |   3 +
+ include/qemu/coroutine.h   |  5 +++++
- tests/qtest/fuzz/i440fx_fuzz.c    | 193 ++++++++++++++++++++++++++++++
+ util/qemu-coroutine-lock.c | 51 ++++++++++++++++++++++++++++++++++++++++------
-files changed, 196 insertions(+)
+ util/qemu-coroutine.c      |  2 +-
- create mode 100644 tests/qtest/fuzz/i440fx_fuzz.c
+files changed, 51 insertions(+), 7 deletions(-)
-diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
+diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/fuzz/Makefile.include
+--- a/include/qemu/coroutine.h
-+++ b/tests/qtest/fuzz/Makefile.include
++++ b/include/qemu/coroutine.h
-@@ -XXX,XX +XXX,XX @@ fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
+@@ -XXX,XX +XXX,XX @@ typedef struct CoMutex {
- fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o
+      */
- fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
+     unsigned locked;
-+# Targets
++    /* Context that is holding the lock.  Useful to avoid spinning
-+fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o
++     * when two coroutines on the same AioContext try to get the lock. :)
 +     */
 +    AioContext *ctx;
 +
- FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
+     /* A queue of waiters.  Elements are added atomically in front of
+      * from_push.  to_pop is only populated, and popped from, by whoever
- # Linker Script to force coverage-counters into known regions which we can mark
+      * is in charge of the next wakeup.  This can be an unlocker or,
-diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c
+diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
-new file mode 100644
+index XXXXXXX..XXXXXXX 100644
-index XXXXXXX..XXXXXXX
+--- a/util/qemu-coroutine-lock.c
---- /dev/null
++++ b/util/qemu-coroutine-lock.c
 +++ b/tests/qtest/fuzz/i440fx_fuzz.c
 @@ -XXX,XX +XXX,XX @@
-+/*
+ #include "qemu-common.h"
-+ * I440FX Fuzzing Target
+ #include "qemu/coroutine.h"
-+ *
+ #include "qemu/coroutine_int.h"
-+ * Copyright Red Hat Inc., 2019
++#include "qemu/processor.h"
-+ *
+ #include "qemu/queue.h"
-+ * Authors:
+ #include "block/aio.h"
-+ *  Alexander Bulekov   <alxndr@bu.edu>
+ #include "trace.h"
-+ *
+@@ -XXX,XX +XXX,XX @@ void qemu_co_mutex_init(CoMutex *mutex)
-+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+     memset(mutex, 0, sizeof(*mutex));
-+ * See the COPYING file in the top-level directory.
+ }
-+ */
-+
+-static void coroutine_fn qemu_co_mutex_lock_slowpath(CoMutex *mutex)
-+#include "qemu/osdep.h"
++static void coroutine_fn qemu_co_mutex_wake(CoMutex *mutex, Coroutine *co)
-+
++{
-+#include "qemu/main-loop.h"
++    /* Read co before co->ctx; pairs with smp_wmb() in
-+#include "tests/qtest/libqtest.h"
++     * qemu_coroutine_enter().
 +#include "tests/qtest/libqos/pci.h"
 +#include "tests/qtest/libqos/pci-pc.h"
 +#include "fuzz.h"
 +#include "fuzz/qos_fuzz.h"
 +#include "fuzz/fork_fuzz.h"
 +
 +
 +#define I440FX_PCI_HOST_BRIDGE_CFG 0xcf8
 +#define I440FX_PCI_HOST_BRIDGE_DATA 0xcfc
 +
 +/*
 + * the input to the fuzzing functions below is a buffer of random bytes. we
 + * want to convert these bytes into a sequence of qtest or qos calls. to do
 + * this we define some opcodes:
 + */
 +enum action_id {
 +    WRITEB,
 +    WRITEW,
 +    WRITEL,
 +    READB,
 +    READW,
 +    READL,
 +    ACTION_MAX
 +};
 +
 +static void i440fx_fuzz_qtest(QTestState *s,
 +        const unsigned char *Data, size_t Size) {
 +    /*
 +     * loop over the Data, breaking it up into actions. each action has an
 +     * opcode, address offset and value
 +     */
-+    typedef struct QTestFuzzAction {
++    smp_read_barrier_depends();
-+        uint8_t opcode;
++    mutex->ctx = co->ctx;
-+        uint8_t addr;
++    aio_co_wake(co);
 +        uint32_t value;
 +    } QTestFuzzAction;
 +    QTestFuzzAction a;
 +
 +    while (Size >= sizeof(a)) {
 +        /* make a copy of the action so we can normalize the values in-place */
 +        memcpy(&a, Data, sizeof(a));
 +        /* select between two i440fx Port IO addresses */
 +        uint16_t addr = a.addr % 2 ? I440FX_PCI_HOST_BRIDGE_CFG :
 +                                      I440FX_PCI_HOST_BRIDGE_DATA;
 +        switch (a.opcode % ACTION_MAX) {
 +        case WRITEB:
 +            qtest_outb(s, addr, (uint8_t)a.value);
 +            break;
 +        case WRITEW:
 +            qtest_outw(s, addr, (uint16_t)a.value);
 +            break;
 +        case WRITEL:
 +            qtest_outl(s, addr, (uint32_t)a.value);
 +            break;
 +        case READB:
 +            qtest_inb(s, addr);
 +            break;
 +        case READW:
 +            qtest_inw(s, addr);
 +            break;
 +        case READL:
 +            qtest_inl(s, addr);
 +            break;
 +        }
 +        /* Move to the next operation */
 +        Size -= sizeof(a);
 +        Data += sizeof(a);
 +    }
 +    flush_events(s);
 +}
 +
-+static void i440fx_fuzz_qos(QTestState *s,
++static void coroutine_fn qemu_co_mutex_lock_slowpath(AioContext *ctx,
-+        const unsigned char *Data, size_t Size) {
++                                                     CoMutex *mutex)
-+    /*
+ {
-+     * Same as i440fx_fuzz_qtest, but using QOS. devfn is incorporated into the
+     Coroutine *self = qemu_coroutine_self();
-+     * value written over Port IO
+     CoWaitRecord w;
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn qemu_co_mutex_lock_slowpath(CoMutex *mutex)
          if (co == self) {
              /* We got the lock ourselves!  */
              assert(to_wake == &w);
 +            mutex->ctx = ctx;
              return;
          }
 -        aio_co_wake(co);
 +        qemu_co_mutex_wake(mutex, co);
      }
      qemu_coroutine_yield();
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn qemu_co_mutex_lock_slowpath(CoMutex *mutex)
  void coroutine_fn qemu_co_mutex_lock(CoMutex *mutex)
  {
 +    AioContext *ctx = qemu_get_current_aio_context();
      Coroutine *self = qemu_coroutine_self();
 +    int waiters, i;
 -    if (atomic_fetch_inc(&mutex->locked) == 0) {
 +    /* Running a very small critical section on pthread_mutex_t and CoMutex
 +     * shows that pthread_mutex_t is much faster because it doesn't actually
 +     * go to sleep.  What happens is that the critical section is shorter
 +     * than the latency of entering the kernel and thus FUTEX_WAIT always
 +     * fails.  With CoMutex there is no such latency but you still want to
 +     * avoid wait and wakeup.  So introduce it artificially.
 +     */
-+    typedef struct QOSFuzzAction {
++    i = 0;
-+        uint8_t opcode;
++retry_fast_path:
-+        uint8_t offset;
++    waiters = atomic_cmpxchg(&mutex->locked, 0, 1);
-+        int devfn;
++    if (waiters != 0) {
-+        uint32_t value;
++        while (waiters == 1 && ++i < 1000) {
-+    } QOSFuzzAction;
++            if (atomic_read(&mutex->ctx) == ctx) {
-+
++                break;
-+    static QPCIBus *bus;
++            }
-+    if (!bus) {
++            if (atomic_read(&mutex->locked) == 0) {
-+        bus = qpci_new_pc(s, fuzz_qos_alloc);
++                goto retry_fast_path;
 +            }
 +            cpu_relax();
 +        }
 +        waiters = atomic_fetch_inc(&mutex->locked);
 +    }
 +
-+    QOSFuzzAction a;
++    if (waiters == 0) {
-+    while (Size >= sizeof(a)) {
+         /* Uncontended.  */
-+        memcpy(&a, Data, sizeof(a));
+         trace_qemu_co_mutex_lock_uncontended(mutex, self);
-+        switch (a.opcode % ACTION_MAX) {
++        mutex->ctx = ctx;
-+        case WRITEB:
+     } else {
-+            bus->config_writeb(bus, a.devfn, a.offset, (uint8_t)a.value);
+-        qemu_co_mutex_lock_slowpath(mutex);
-+            break;
++        qemu_co_mutex_lock_slowpath(ctx, mutex);
-+        case WRITEW:
+     }
-+            bus->config_writew(bus, a.devfn, a.offset, (uint16_t)a.value);
+     mutex->holder = self;
-+            break;
+     self->locks_held++;
-+        case WRITEL:
+@@ -XXX,XX +XXX,XX @@ void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex)
-+            bus->config_writel(bus, a.devfn, a.offset, (uint32_t)a.value);
+     assert(mutex->holder == self);
-+            break;
+     assert(qemu_in_coroutine());
-+        case READB:
-+            bus->config_readb(bus, a.devfn, a.offset);
++    mutex->ctx = NULL;
-+            break;
+     mutex->holder = NULL;
-+        case READW:
+     self->locks_held--;
-+            bus->config_readw(bus, a.devfn, a.offset);
+     if (atomic_fetch_dec(&mutex->locked) == 1) {
-+            break;
+@@ -XXX,XX +XXX,XX @@ void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex)
-+        case READL:
+         unsigned our_handoff;
-+            bus->config_readl(bus, a.devfn, a.offset);
-+            break;
+         if (to_wake) {
-+        }
+-            Coroutine *co = to_wake->co;
-+        Size -= sizeof(a);
+-            aio_co_wake(co);
-+        Data += sizeof(a);
++            qemu_co_mutex_wake(mutex, to_wake->co);
-+    }
+             break;
-+    flush_events(s);
+         }
-+}
-+
+diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
-+static void i440fx_fuzz_qos_fork(QTestState *s,
+index XXXXXXX..XXXXXXX 100644
-+        const unsigned char *Data, size_t Size) {
+--- a/util/qemu-coroutine.c
-+    if (fork() == 0) {
++++ b/util/qemu-coroutine.c
-+        i440fx_fuzz_qos(s, Data, Size);
+@@ -XXX,XX +XXX,XX @@ void qemu_coroutine_enter(Coroutine *co)
-+        _Exit(0);
+     co->ctx = qemu_get_current_aio_context();
-+    } else {
-+        wait(NULL);
+     /* Store co->ctx before anything that stores co.  Matches
-+    }
+-     * barrier in aio_co_wake.
-+}
++     * barrier in aio_co_wake and qemu_co_mutex_wake.
-+
+      */
-+static const char *i440fx_qtest_argv = TARGET_NAME " -machine accel=qtest"
+     smp_wmb();
-+                                       "-m 0 -display none";
 +static const char *i440fx_argv(FuzzTarget *t)
 +{
 +    return i440fx_qtest_argv;
 +}
 +
 +static void fork_init(void)
 +{
 +    counter_shm_init();
 +}
 +
 +static void register_pci_fuzz_targets(void)
 +{
 +    /* Uses simple qtest commands and reboots to reset state */
 +    fuzz_add_target(&(FuzzTarget){
 +                .name = "i440fx-qtest-reboot-fuzz",
 +                .description = "Fuzz the i440fx using raw qtest commands and"
 +                               "rebooting after each run",
 +                .get_init_cmdline = i440fx_argv,
 +                .fuzz = i440fx_fuzz_qtest});
 +
 +    /* Uses libqos and forks to prevent state leakage */
 +    fuzz_add_qos_target(&(FuzzTarget){
 +                .name = "i440fx-qos-fork-fuzz",
 +                .description = "Fuzz the i440fx using raw qtest commands and"
 +                               "rebooting after each run",
 +                .pre_vm_init = &fork_init,
 +                .fuzz = i440fx_fuzz_qos_fork,},
 +                "i440FX-pcihost",
 +                &(QOSGraphTestOptions){}
 +                );
 +
 +    /*
 +     * Uses libqos. Doesn't do anything to reset state. Note that if we were to
 +     * reboot after each run, we would also have to redo the qos-related
 +     * initialization (qos_init_path)
 +     */
 +    fuzz_add_qos_target(&(FuzzTarget){
 +                .name = "i440fx-qos-noreset-fuzz",
 +                .description = "Fuzz the i440fx using raw qtest commands and"
 +                               "rebooting after each run",
 +                .fuzz = i440fx_fuzz_qos,},
 +                "i440FX-pcihost",
 +                &(QOSGraphTestOptions){}
 +                );
 +}
 +
 +fuzz_target_init(register_pci_fuzz_targets);
 --
-.24.1
+.9.3

-[PULL 03/31] rcu_queue: add QSLIST functions
+[Qemu-devel] [PULL v2 21/24] test-aio-multithread: add performance comparison with thread-based mutexes
 From: Paolo Bonzini <pbonzini@redhat.com>
-QSLIST is the only family of lists for which we do not have RCU-friendly accessors,
+Add two implementations of the same benchmark as the previous patch,
-add them.
+but using pthreads.  One uses a normal QemuMutex, the other is Linux
 only and implements a fair mutex based on MCS locks and futexes.
 This shows that the slower performance of the 5-thread case is due to
 the fairness of CoMutex, rather than to coroutines.  If fairness does
 not matter, as is the case with two threads, CoMutex can actually be
 faster than pthreads.
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
-Message-id: 20200220103828.24525-1-pbonzini@redhat.com
+Message-id: 20170213181244.16297-4-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- include/qemu/queue.h     | 15 +++++++++++--
+ tests/test-aio-multithread.c | 164 +++++++++++++++++++++++++++++++++++++++++++
- include/qemu/rcu_queue.h | 47 ++++++++++++++++++++++++++++++++++++++++
+file changed, 164 insertions(+)
- tests/Makefile.include   |  2 ++
- tests/test-rcu-list.c    | 16 ++++++++++++++
+diff --git a/tests/test-aio-multithread.c b/tests/test-aio-multithread.c
  tests/test-rcu-slist.c   |  2 ++
 files changed, 80 insertions(+), 2 deletions(-)
  create mode 100644 tests/test-rcu-slist.c
 diff --git a/include/qemu/queue.h b/include/qemu/queue.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/qemu/queue.h
+--- a/tests/test-aio-multithread.c
-+++ b/include/qemu/queue.h
++++ b/tests/test-aio-multithread.c
-@@ -XXX,XX +XXX,XX @@ struct {                                                                \
+@@ -XXX,XX +XXX,XX @@ static void test_multi_co_mutex_2_30(void)
-         (head)->slh_first = (head)->slh_first->field.sle_next;          \
+     test_multi_co_mutex(2, 30);
- } while (/*CONSTCOND*/0)
+ }
--#define QSLIST_REMOVE_AFTER(slistelm, field) do {                        \
++/* Same test with fair mutexes, for performance comparison.  */
-+#define QSLIST_REMOVE_AFTER(slistelm, field) do {                       \
++
-         (slistelm)->field.sle_next =                                    \
++#ifdef CONFIG_LINUX
--            QSLIST_NEXT(QSLIST_NEXT((slistelm), field), field);           \
++#include "qemu/futex.h"
-+            QSLIST_NEXT(QSLIST_NEXT((slistelm), field), field);         \
++
-+} while (/*CONSTCOND*/0)
++/* The nodes for the mutex reside in this structure (on which we try to avoid
-+
++ * false sharing).  The head of the mutex is in the "mutex_head" variable.
 +#define QSLIST_REMOVE(head, elm, type, field) do {                      \
 +    if ((head)->slh_first == (elm)) {                                   \
 +        QSLIST_REMOVE_HEAD((head), field);                              \
 +    } else {                                                            \
 +        struct type *curelm = (head)->slh_first;                        \
 +        while (curelm->field.sle_next != (elm))                         \
 +            curelm = curelm->field.sle_next;                            \
 +        curelm->field.sle_next = curelm->field.sle_next->field.sle_next; \
 +    }                                                                   \
  } while (/*CONSTCOND*/0)
  #define QSLIST_FOREACH(var, head, field)                                 \
 diff --git a/include/qemu/rcu_queue.h b/include/qemu/rcu_queue.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/qemu/rcu_queue.h
 +++ b/include/qemu/rcu_queue.h
@@ -XXX,XX +XXX,XX @@ extern "C" {
           (var) && ((next) = atomic_rcu_read(&(var)->field.tqe_next), 1); \
           (var) = (next))
 +/*
 + * RCU singly-linked list
 + */
-+
++static struct {
-+/* Singly-linked list access methods */
++    int next, locked;
-+#define QSLIST_EMPTY_RCU(head)      (atomic_read(&(head)->slh_first) == NULL)
++    int padding[14];
-+#define QSLIST_FIRST_RCU(head)       atomic_rcu_read(&(head)->slh_first)
++} nodes[NUM_CONTEXTS] __attribute__((__aligned__(64)));
-+#define QSLIST_NEXT_RCU(elm, field)  atomic_rcu_read(&(elm)->field.sle_next)
++
-+
++static int mutex_head = -1;
-+/* Singly-linked list functions */
++
-+#define QSLIST_INSERT_HEAD_RCU(head, elm, field) do {           \
++static void mcs_mutex_lock(void)
-+    (elm)->field.sle_next = (head)->slh_first;                  \
++{
-+    atomic_rcu_set(&(head)->slh_first, (elm));                  \
++    int prev;
-+} while (/*CONSTCOND*/0)
++
-+
++    nodes[id].next = -1;
-+#define QSLIST_INSERT_AFTER_RCU(head, listelm, elm, field) do {         \
++    nodes[id].locked = 1;
-+    (elm)->field.sle_next = (listelm)->field.sle_next;                  \
++    prev = atomic_xchg(&mutex_head, id);
-+    atomic_rcu_set(&(listelm)->field.sle_next, (elm));                  \
++    if (prev != -1) {
-+} while (/*CONSTCOND*/0)
++        atomic_set(&nodes[prev].next, id);
-+
++        qemu_futex_wait(&nodes[id].locked, 1);
-+#define QSLIST_REMOVE_HEAD_RCU(head, field) do {                       \
++    }
-+    atomic_set(&(head)->slh_first, (head)->slh_first->field.sle_next); \
++}
-+} while (/*CONSTCOND*/0)
++
-+
++static void mcs_mutex_unlock(void)
-+#define QSLIST_REMOVE_RCU(head, elm, type, field) do {              \
++{
-+    if ((head)->slh_first == (elm)) {                               \
++    int next;
-+        QSLIST_REMOVE_HEAD_RCU((head), field);                      \
++    if (nodes[id].next == -1) {
-+    } else {                                                        \
++        if (atomic_read(&mutex_head) == id &&
-+        struct type *curr = (head)->slh_first;                      \
++            atomic_cmpxchg(&mutex_head, id, -1) == id) {
-+        while (curr->field.sle_next != (elm)) {                     \
++            /* Last item in the list, exit.  */
-+            curr = curr->field.sle_next;                            \
++            return;
-+        }                                                           \
++        }
-+        atomic_set(&curr->field.sle_next,                           \
++        while (atomic_read(&nodes[id].next) == -1) {
-+                   curr->field.sle_next->field.sle_next);           \
++            /* mcs_mutex_lock did the xchg, but has not updated
-+    }                                                               \
++             * nodes[prev].next yet.
-+} while (/*CONSTCOND*/0)
++             */
-+
++        }
-+#define QSLIST_FOREACH_RCU(var, head, field)                          \
++    }
-+    for ((var) = atomic_rcu_read(&(head)->slh_first);                   \
++
-+         (var);                                                         \
++    /* Wake up the next in line.  */
-+         (var) = atomic_rcu_read(&(var)->field.sle_next))
++    next = nodes[id].next;
-+
++    nodes[next].locked = 0;
-+#define QSLIST_FOREACH_SAFE_RCU(var, head, field, next)                \
++    qemu_futex_wake(&nodes[next].locked, 1);
-+    for ((var) = atomic_rcu_read(&(head)->slh_first);                    \
++}
-+         (var) && ((next) = atomic_rcu_read(&(var)->field.sle_next), 1); \
++
-+         (var) = (next))
++static void test_multi_fair_mutex_entry(void *opaque)
-+
++{
- #ifdef __cplusplus
++    while (!atomic_mb_read(&now_stopping)) {
 +        mcs_mutex_lock();
 +        counter++;
 +        mcs_mutex_unlock();
 +        atomic_inc(&atomic_counter);
 +    }
 +    atomic_dec(&running);
 +}
 +
 +static void test_multi_fair_mutex(int threads, int seconds)
 +{
 +    int i;
 +
 +    assert(mutex_head == -1);
 +    counter = 0;
 +    atomic_counter = 0;
 +    now_stopping = false;
 +
 +    create_aio_contexts();
 +    assert(threads <= NUM_CONTEXTS);
 +    running = threads;
 +    for (i = 0; i < threads; i++) {
 +        Coroutine *co1 = qemu_coroutine_create(test_multi_fair_mutex_entry, NULL);
 +        aio_co_schedule(ctx[i], co1);
 +    }
 +
 +    g_usleep(seconds * 1000000);
 +
 +    atomic_mb_set(&now_stopping, true);
 +    while (running > 0) {
 +        g_usleep(100000);
 +    }
 +
 +    join_aio_contexts();
 +    g_test_message("%d iterations/second\n", counter / seconds);
 +    g_assert_cmpint(counter, ==, atomic_counter);
 +}
 +
 +static void test_multi_fair_mutex_1(void)
 +{
 +    test_multi_fair_mutex(NUM_CONTEXTS, 1);
 +}
 +
 +static void test_multi_fair_mutex_10(void)
 +{
 +    test_multi_fair_mutex(NUM_CONTEXTS, 10);
 +}
 +#endif
 +
 +/* Same test with pthread mutexes, for performance comparison and
 + * portability.  */
 +
 +static QemuMutex mutex;
 +
 +static void test_multi_mutex_entry(void *opaque)
 +{
 +    while (!atomic_mb_read(&now_stopping)) {
 +        qemu_mutex_lock(&mutex);
 +        counter++;
 +        qemu_mutex_unlock(&mutex);
 +        atomic_inc(&atomic_counter);
 +    }
 +    atomic_dec(&running);
 +}
 +
 +static void test_multi_mutex(int threads, int seconds)
 +{
 +    int i;
 +
 +    qemu_mutex_init(&mutex);
 +    counter = 0;
 +    atomic_counter = 0;
 +    now_stopping = false;
 +
 +    create_aio_contexts();
 +    assert(threads <= NUM_CONTEXTS);
 +    running = threads;
 +    for (i = 0; i < threads; i++) {
 +        Coroutine *co1 = qemu_coroutine_create(test_multi_mutex_entry, NULL);
 +        aio_co_schedule(ctx[i], co1);
 +    }
 +
 +    g_usleep(seconds * 1000000);
 +
 +    atomic_mb_set(&now_stopping, true);
 +    while (running > 0) {
 +        g_usleep(100000);
 +    }
 +
 +    join_aio_contexts();
 +    g_test_message("%d iterations/second\n", counter / seconds);
 +    g_assert_cmpint(counter, ==, atomic_counter);
 +}
 +
 +static void test_multi_mutex_1(void)
 +{
 +    test_multi_mutex(NUM_CONTEXTS, 1);
 +}
 +
 +static void test_multi_mutex_10(void)
 +{
 +    test_multi_mutex(NUM_CONTEXTS, 10);
 +}
 +
  /* End of tests.  */
  int main(int argc, char **argv)
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
          g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_1);
          g_test_add_func("/aio/multi/mutex/contended", test_multi_co_mutex_1);
          g_test_add_func("/aio/multi/mutex/handoff", test_multi_co_mutex_2_3);
 +#ifdef CONFIG_LINUX
 +        g_test_add_func("/aio/multi/mutex/mcs", test_multi_fair_mutex_1);
 +#endif
 +        g_test_add_func("/aio/multi/mutex/pthread", test_multi_mutex_1);
      } else {
          g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_10);
          g_test_add_func("/aio/multi/mutex/contended", test_multi_co_mutex_10);
          g_test_add_func("/aio/multi/mutex/handoff", test_multi_co_mutex_2_30);
 +#ifdef CONFIG_LINUX
 +        g_test_add_func("/aio/multi/mutex/mcs", test_multi_fair_mutex_10);
 +#endif
 +        g_test_add_func("/aio/multi/mutex/pthread", test_multi_mutex_10);
      }
      return g_test_run();
  }
- #endif
-diff --git a/tests/Makefile.include b/tests/Makefile.include
-index XXXXXXX..XXXXXXX 100644
---- a/tests/Makefile.include
-+++ b/tests/Makefile.include
-@@ -XXX,XX +XXX,XX @@ check-unit-y += tests/rcutorture$(EXESUF)
- check-unit-y += tests/test-rcu-list$(EXESUF)
- check-unit-y += tests/test-rcu-simpleq$(EXESUF)
- check-unit-y += tests/test-rcu-tailq$(EXESUF)
-+check-unit-y += tests/test-rcu-slist$(EXESUF)
- check-unit-y += tests/test-qdist$(EXESUF)
- check-unit-y += tests/test-qht$(EXESUF)
- check-unit-y += tests/test-qht-par$(EXESUF)
-@@ -XXX,XX +XXX,XX @@ tests/rcutorture$(EXESUF): tests/rcutorture.o $(test-util-obj-y)
- tests/test-rcu-list$(EXESUF): tests/test-rcu-list.o $(test-util-obj-y)
- tests/test-rcu-simpleq$(EXESUF): tests/test-rcu-simpleq.o $(test-util-obj-y)
- tests/test-rcu-tailq$(EXESUF): tests/test-rcu-tailq.o $(test-util-obj-y)
-+tests/test-rcu-slist$(EXESUF): tests/test-rcu-slist.o $(test-util-obj-y)
- tests/test-qdist$(EXESUF): tests/test-qdist.o $(test-util-obj-y)
- tests/test-qht$(EXESUF): tests/test-qht.o $(test-util-obj-y)
- tests/test-qht-par$(EXESUF): tests/test-qht-par.o tests/qht-bench$(EXESUF) $(test-util-obj-y)
-diff --git a/tests/test-rcu-list.c b/tests/test-rcu-list.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/test-rcu-list.c
-+++ b/tests/test-rcu-list.c
-@@ -XXX,XX +XXX,XX @@ struct list_element {
-     QSIMPLEQ_ENTRY(list_element) entry;
- #elif TEST_LIST_TYPE == 3
-     QTAILQ_ENTRY(list_element) entry;
-+#elif TEST_LIST_TYPE == 4
-+    QSLIST_ENTRY(list_element) entry;
- #else
- #error Invalid TEST_LIST_TYPE
- #endif
-@@ -XXX,XX +XXX,XX @@ static QTAILQ_HEAD(, list_element) Q_list_head;
- #define TEST_LIST_INSERT_HEAD_RCU   QTAILQ_INSERT_HEAD_RCU
- #define TEST_LIST_FOREACH_RCU       QTAILQ_FOREACH_RCU
- #define TEST_LIST_FOREACH_SAFE_RCU  QTAILQ_FOREACH_SAFE_RCU
-+
-+#elif TEST_LIST_TYPE == 4
-+static QSLIST_HEAD(, list_element) Q_list_head;
-+
-+#define TEST_NAME "qslist"
-+#define TEST_LIST_REMOVE_RCU(el, f)                              \
-+     QSLIST_REMOVE_RCU(&Q_list_head, el, list_element, f)
-+
-+#define TEST_LIST_INSERT_AFTER_RCU(list_el, el, f)               \
-+         QSLIST_INSERT_AFTER_RCU(&Q_list_head, list_el, el, f)
-+
-+#define TEST_LIST_INSERT_HEAD_RCU   QSLIST_INSERT_HEAD_RCU
-+#define TEST_LIST_FOREACH_RCU       QSLIST_FOREACH_RCU
-+#define TEST_LIST_FOREACH_SAFE_RCU  QSLIST_FOREACH_SAFE_RCU
- #else
- #error Invalid TEST_LIST_TYPE
- #endif
-diff --git a/tests/test-rcu-slist.c b/tests/test-rcu-slist.c
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/tests/test-rcu-slist.c
-@@ -XXX,XX +XXX,XX @@
-+#define TEST_LIST_TYPE 4
-+#include "test-rcu-list.c"
 --
-.24.1
+.9.3

-[PULL 06/31] aio-posix: don't pass ns timeout to epoll_wait()
+Deleted patch
-Don't pass the nanosecond timeout into epoll_wait(), which expects
-milliseconds.
-The epoll_wait() timeout value does not matter if qemu_poll_ns()
-determined that the poll fd is ready, but passing a value in the wrong
-units is still ugly.  Pass a 0 timeout to epoll_wait() instead.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Sergio Lopez <slp@redhat.com>
-Message-id: 20200214171712.541358-3-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- util/aio-posix.c | 3 +++
-file changed, 3 insertions(+)
-diff --git a/util/aio-posix.c b/util/aio-posix.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/aio-posix.c
-+++ b/util/aio-posix.c
-@@ -XXX,XX +XXX,XX @@ static int aio_epoll(AioContext *ctx, int64_t timeout)
-     if (timeout > 0) {
-         ret = qemu_poll_ns(&pfd, 1, timeout);
-+        if (ret > 0) {
-+            timeout = 0;
-+        }
-     }
-     if (timeout <= 0 || ret > 0) {
-         ret = epoll_wait(ctx->epollfd, events,
---
-.24.1

-[PULL 07/31] qemu/queue.h: add QLIST_SAFE_REMOVE()
+Deleted patch
-QLIST_REMOVE() assumes the element is in a list.  It also leaves the
-element's linked list pointers dangling.
-Introduce a safe version of QLIST_REMOVE() and convert open-coded
-instances of this pattern.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Sergio Lopez <slp@redhat.com>
-Message-id: 20200214171712.541358-4-stefanha@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block.c              |  5 +----
- chardev/spice.c      |  4 +---
- include/qemu/queue.h | 14 ++++++++++++++
-files changed, 16 insertions(+), 7 deletions(-)
-diff --git a/block.c b/block.c
-index XXXXXXX..XXXXXXX 100644
---- a/block.c
-+++ b/block.c
-@@ -XXX,XX +XXX,XX @@ BdrvChild *bdrv_attach_child(BlockDriverState *parent_bs,
- static void bdrv_detach_child(BdrvChild *child)
- {
--    if (child->next.le_prev) {
--        QLIST_REMOVE(child, next);
--        child->next.le_prev = NULL;
--    }
-+    QLIST_SAFE_REMOVE(child, next);
-     bdrv_replace_child(child, NULL);
-diff --git a/chardev/spice.c b/chardev/spice.c
-index XXXXXXX..XXXXXXX 100644
---- a/chardev/spice.c
-+++ b/chardev/spice.c
-@@ -XXX,XX +XXX,XX @@ static void char_spice_finalize(Object *obj)
-     vmc_unregister_interface(s);
--    if (s->next.le_prev) {
--        QLIST_REMOVE(s, next);
--    }
-+    QLIST_SAFE_REMOVE(s, next);
-     g_free((char *)s->sin.subtype);
-     g_free((char *)s->sin.portname);
-diff --git a/include/qemu/queue.h b/include/qemu/queue.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/qemu/queue.h
-+++ b/include/qemu/queue.h
-@@ -XXX,XX +XXX,XX @@ struct {                                                                \
-         *(elm)->field.le_prev = (elm)->field.le_next;                   \
- } while (/*CONSTCOND*/0)
-+/*
-+ * Like QLIST_REMOVE() but safe to call when elm is not in a list
-+ */
-+#define QLIST_SAFE_REMOVE(elm, field) do {                              \
-+        if ((elm)->field.le_prev != NULL) {                             \
-+                if ((elm)->field.le_next != NULL)                       \
-+                        (elm)->field.le_next->field.le_prev =           \
-+                            (elm)->field.le_prev;                       \
-+                *(elm)->field.le_prev = (elm)->field.le_next;           \
-+                (elm)->field.le_next = NULL;                            \
-+                (elm)->field.le_prev = NULL;                            \
-+        }                                                               \
-+} while (/*CONSTCOND*/0)
-+
- #define QLIST_FOREACH(var, head, field)                                 \
-         for ((var) = ((head)->lh_first);                                \
-                 (var);                                                  \
---
-.24.1

-[PULL 10/31] softmmu: move vl.c to softmmu/
+Deleted patch
-From: Alexander Bulekov <alxndr@bu.edu>
-Move vl.c to a separate directory, similar to linux-user/
-Update the chechpatch and get_maintainer scripts, since they relied on
-/vl.c for top_of_tree checks.
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Message-id: 20200220041118.23264-2-alxndr@bu.edu
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- MAINTAINERS               | 2 +-
- Makefile.objs             | 2 --
- Makefile.target           | 1 +
- scripts/checkpatch.pl     | 2 +-
- scripts/get_maintainer.pl | 3 ++-
- softmmu/Makefile.objs     | 2 ++
- vl.c => softmmu/vl.c      | 0
-files changed, 7 insertions(+), 5 deletions(-)
- create mode 100644 softmmu/Makefile.objs
- rename vl.c => softmmu/vl.c (100%)
-diff --git a/MAINTAINERS b/MAINTAINERS
-index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@ F: include/qemu/main-loop.h
- F: include/sysemu/runstate.h
- F: util/main-loop.c
- F: util/qemu-timer.c
--F: vl.c
-+F: softmmu/vl.c
- F: qapi/run-state.json
- Human Monitor (HMP)
-diff --git a/Makefile.objs b/Makefile.objs
-index XXXXXXX..XXXXXXX 100644
---- a/Makefile.objs
-+++ b/Makefile.objs
-@@ -XXX,XX +XXX,XX @@ common-obj-y += ui/
- common-obj-m += ui/
- common-obj-y += dma-helpers.o
--common-obj-y += vl.o
--vl.o-cflags := $(GPROF_CFLAGS) $(SDL_CFLAGS)
- common-obj-$(CONFIG_TPM) += tpm.o
- common-obj-y += backends/
-diff --git a/Makefile.target b/Makefile.target
-index XXXXXXX..XXXXXXX 100644
---- a/Makefile.target
-+++ b/Makefile.target
-@@ -XXX,XX +XXX,XX @@ obj-y += qapi/
- obj-y += memory.o
- obj-y += memory_mapping.o
- obj-y += migration/ram.o
-+obj-y += softmmu/
- LIBS := $(libs_softmmu) $(LIBS)
- # Hardware support
-diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
-index XXXXXXX..XXXXXXX 100755
---- a/scripts/checkpatch.pl
-+++ b/scripts/checkpatch.pl
-@@ -XXX,XX +XXX,XX @@ sub top_of_kernel_tree {
-     my @tree_check = (
-         "COPYING", "MAINTAINERS", "Makefile",
-         "README.rst", "docs", "VERSION",
--        "vl.c"
-+        "linux-user", "softmmu"
-     );
-     foreach my $check (@tree_check) {
-diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
-index XXXXXXX..XXXXXXX 100755
---- a/scripts/get_maintainer.pl
-+++ b/scripts/get_maintainer.pl
-@@ -XXX,XX +XXX,XX @@ sub top_of_tree {
-         && (-f "${lk_path}Makefile")
-         && (-d "${lk_path}docs")
-         && (-f "${lk_path}VERSION")
--        && (-f "${lk_path}vl.c")) {
-+        && (-d "${lk_path}linux-user/")
-+        && (-d "${lk_path}softmmu/")) {
-     return 1;
-     }
-     return 0;
-diff --git a/softmmu/Makefile.objs b/softmmu/Makefile.objs
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/softmmu/Makefile.objs
-@@ -XXX,XX +XXX,XX @@
-+obj-y += vl.o
-+vl.o-cflags := $(GPROF_CFLAGS) $(SDL_CFLAGS)
-diff --git a/vl.c b/softmmu/vl.c
-similarity index 100%
-rename from vl.c
-rename to softmmu/vl.c
---
-.24.1

-[PULL 13/31] fuzz: add FUZZ_TARGET module type
+Deleted patch
-From: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Message-id: 20200220041118.23264-5-alxndr@bu.edu
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- include/qemu/module.h | 4 +++-
-file changed, 3 insertions(+), 1 deletion(-)
-diff --git a/include/qemu/module.h b/include/qemu/module.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/qemu/module.h
-+++ b/include/qemu/module.h
-@@ -XXX,XX +XXX,XX @@ typedef enum {
-     MODULE_INIT_TRACE,
-     MODULE_INIT_XEN_BACKEND,
-     MODULE_INIT_LIBQOS,
-+    MODULE_INIT_FUZZ_TARGET,
-     MODULE_INIT_MAX
- } module_init_type;
-@@ -XXX,XX +XXX,XX @@ typedef enum {
- #define xen_backend_init(function) module_init(function, \
-                                                MODULE_INIT_XEN_BACKEND)
- #define libqos_init(function) module_init(function, MODULE_INIT_LIBQOS)
--
-+#define fuzz_target_init(function) module_init(function, \
-+                                               MODULE_INIT_FUZZ_TARGET)
- #define block_module_load_one(lib) module_load_one("block-", lib)
- #define ui_module_load_one(lib) module_load_one("ui-", lib)
- #define audio_module_load_one(lib) module_load_one("audio-", lib)
---
-.24.1

-[PULL 14/31] qtest: add qtest_server_send abstraction
+Deleted patch
-From: Alexander Bulekov <alxndr@bu.edu>
-qtest_server_send is a function pointer specifying the handler used to
-transmit data to the qtest client. In the standard configuration, this
-calls the CharBackend handler, but now it is possible for other types of
-handlers, e.g direct-function calls if the qtest client and server
-exist within the same process (inproc)
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Acked-by: Thomas Huth <thuth@redhat.com>
-Message-id: 20200220041118.23264-6-alxndr@bu.edu
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- include/sysemu/qtest.h |  3 +++
- qtest.c                | 18 ++++++++++++++++--
-files changed, 19 insertions(+), 2 deletions(-)
-diff --git a/include/sysemu/qtest.h b/include/sysemu/qtest.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/sysemu/qtest.h
-+++ b/include/sysemu/qtest.h
-@@ -XXX,XX +XXX,XX @@ bool qtest_driver(void);
- void qtest_server_init(const char *qtest_chrdev, const char *qtest_log, Error **errp);
-+void qtest_server_set_send_handler(void (*send)(void *, const char *),
-+                                 void *opaque);
-+
- #endif
-diff --git a/qtest.c b/qtest.c
-index XXXXXXX..XXXXXXX 100644
---- a/qtest.c
-+++ b/qtest.c
-@@ -XXX,XX +XXX,XX @@ static GString *inbuf;
- static int irq_levels[MAX_IRQ];
- static qemu_timeval start_time;
- static bool qtest_opened;
-+static void (*qtest_server_send)(void*, const char*);
-+static void *qtest_server_send_opaque;
- #define FMT_timeval "%ld.%06ld"
-@@ -XXX,XX +XXX,XX @@ static void GCC_FMT_ATTR(1, 2) qtest_log_send(const char *fmt, ...)
-     va_end(ap);
- }
--static void do_qtest_send(CharBackend *chr, const char *str, size_t len)
-+static void qtest_server_char_be_send(void *opaque, const char *str)
- {
-+    size_t len = strlen(str);
-+    CharBackend* chr = (CharBackend *)opaque;
-     qemu_chr_fe_write_all(chr, (uint8_t *)str, len);
-     if (qtest_log_fp && qtest_opened) {
-         fprintf(qtest_log_fp, "%s", str);
-@@ -XXX,XX +XXX,XX @@ static void do_qtest_send(CharBackend *chr, const char *str, size_t len)
- static void qtest_send(CharBackend *chr, const char *str)
- {
--    do_qtest_send(chr, str, strlen(str));
-+    qtest_server_send(qtest_server_send_opaque, str);
- }
- static void GCC_FMT_ATTR(2, 3) qtest_sendf(CharBackend *chr,
-@@ -XXX,XX +XXX,XX @@ void qtest_server_init(const char *qtest_chrdev, const char *qtest_log, Error **
-     qemu_chr_fe_set_echo(&qtest_chr, true);
-     inbuf = g_string_new("");
-+
-+    if (!qtest_server_send) {
-+        qtest_server_set_send_handler(qtest_server_char_be_send, &qtest_chr);
-+    }
-+}
-+
-+void qtest_server_set_send_handler(void (*send)(void*, const char*), void *opaque)
-+{
-+    qtest_server_send = send;
-+    qtest_server_send_opaque = opaque;
- }
- bool qtest_driver(void)
---
-.24.1

-[PULL 26/31] fuzz: add target/fuzz makefile rules
+[Qemu-devel] [PULL v2 22/24] coroutine-lock: place CoMutex before CoQueue in header
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+This will avoid forward references in the next patch.  It is also
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+more logical because CoQueue is not anymore the basic primitive.
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200220041118.23264-18-alxndr@bu.edu
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Fam Zheng <famz@redhat.com>
 Message-id: 20170213181244.16297-5-pbonzini@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- Makefile        | 15 ++++++++++++++-
+ include/qemu/coroutine.h | 89 ++++++++++++++++++++++++------------------------
- Makefile.target | 16 ++++++++++++++++
+file changed, 44 insertions(+), 45 deletions(-)
 files changed, 30 insertions(+), 1 deletion(-)
-diff --git a/Makefile b/Makefile
+diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
 index XXXXXXX..XXXXXXX 100644
---- a/Makefile
+--- a/include/qemu/coroutine.h
-+++ b/Makefile
++++ b/include/qemu/coroutine.h
-@@ -XXX,XX +XXX,XX @@ config-host.h-timestamp: config-host.mak
+@@ -XXX,XX +XXX,XX @@ bool qemu_in_coroutine(void);
- qemu-options.def: $(SRC_PATH)/qemu-options.hx $(SRC_PATH)/scripts/hxtool
+  */
-     $(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -h < $< > $@,"GEN","$@")
+ bool qemu_coroutine_entered(Coroutine *co);
--TARGET_DIRS_RULES := $(foreach t, all clean install, $(addsuffix /$(t), $(TARGET_DIRS)))
+-
-+TARGET_DIRS_RULES := $(foreach t, all fuzz clean install, $(addsuffix /$(t), $(TARGET_DIRS)))
+-/**
+- * CoQueues are a mechanism to queue coroutines in order to continue executing
- SOFTMMU_ALL_RULES=$(filter %-softmmu/all, $(TARGET_DIRS_RULES))
+- * them later. They provide the fundamental primitives on which coroutine locks
- $(SOFTMMU_ALL_RULES): $(authz-obj-y)
+- * are built.
-@@ -XXX,XX +XXX,XX @@ ifdef DECOMPRESS_EDK2_BLOBS
+- */
- $(SOFTMMU_ALL_RULES): $(edk2-decompressed)
+-typedef struct CoQueue {
- endif
+-    QSIMPLEQ_HEAD(, Coroutine) entries;
+-} CoQueue;
-+SOFTMMU_FUZZ_RULES=$(filter %-softmmu/fuzz, $(TARGET_DIRS_RULES))
+-
-+$(SOFTMMU_FUZZ_RULES): $(authz-obj-y)
+-/**
-+$(SOFTMMU_FUZZ_RULES): $(block-obj-y)
+- * Initialise a CoQueue. This must be called before any other operation is used
-+$(SOFTMMU_FUZZ_RULES): $(chardev-obj-y)
+- * on the CoQueue.
-+$(SOFTMMU_FUZZ_RULES): $(crypto-obj-y)
+- */
-+$(SOFTMMU_FUZZ_RULES): $(io-obj-y)
+-void qemu_co_queue_init(CoQueue *queue);
-+$(SOFTMMU_FUZZ_RULES): config-all-devices.mak
+-
-+$(SOFTMMU_FUZZ_RULES): $(edk2-decompressed)
+-/**
 - * Adds the current coroutine to the CoQueue and transfers control to the
 - * caller of the coroutine.
 - */
 -void coroutine_fn qemu_co_queue_wait(CoQueue *queue);
 -
 -/**
 - * Restarts the next coroutine in the CoQueue and removes it from the queue.
 - *
 - * Returns true if a coroutine was restarted, false if the queue is empty.
 - */
 -bool coroutine_fn qemu_co_queue_next(CoQueue *queue);
 -
 -/**
 - * Restarts all coroutines in the CoQueue and leaves the queue empty.
 - */
 -void coroutine_fn qemu_co_queue_restart_all(CoQueue *queue);
 -
 -/**
 - * Enter the next coroutine in the queue
 - */
 -bool qemu_co_enter_next(CoQueue *queue);
 -
 -/**
 - * Checks if the CoQueue is empty.
 - */
 -bool qemu_co_queue_empty(CoQueue *queue);
 -
 -
  /**
   * Provides a mutex that can be used to synchronise coroutines
   */
@@ -XXX,XX +XXX,XX @@ void coroutine_fn qemu_co_mutex_lock(CoMutex *mutex);
   */
  void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex);
 +
- .PHONY: $(TARGET_DIRS_RULES)
++/**
- # The $(TARGET_DIRS_RULES) are of the form SUBDIR/GOAL, so that
++ * CoQueues are a mechanism to queue coroutines in order to continue executing
- # $(dir $@) yields the sub-directory, and $(notdir $@) yields the sub-goal
++ * them later.
-@@ -XXX,XX +XXX,XX @@ subdir-slirp: slirp/all
++ */
- $(filter %/all, $(TARGET_DIRS_RULES)): libqemuutil.a $(common-obj-y) \
++typedef struct CoQueue {
-     $(qom-obj-y)
++    QSIMPLEQ_HEAD(, Coroutine) entries;
++} CoQueue;
 +$(filter %/fuzz, $(TARGET_DIRS_RULES)): libqemuutil.a $(common-obj-y) \
 +    $(qom-obj-y) $(crypto-user-obj-$(CONFIG_USER_ONLY))
 +
- ROM_DIRS = $(addprefix pc-bios/, $(ROMS))
++/**
- ROM_DIRS_RULES=$(foreach t, all clean, $(addsuffix /$(t), $(ROM_DIRS)))
++ * Initialise a CoQueue. This must be called before any other operation is used
- # Only keep -O and -g cflags
++ * on the CoQueue.
-@@ -XXX,XX +XXX,XX @@ $(ROM_DIRS_RULES):
++ */
++void qemu_co_queue_init(CoQueue *queue);
  .PHONY: recurse-all recurse-clean recurse-install
  recurse-all: $(addsuffix /all, $(TARGET_DIRS) $(ROM_DIRS))
 +recurse-fuzz: $(addsuffix /fuzz, $(TARGET_DIRS) $(ROM_DIRS))
  recurse-clean: $(addsuffix /clean, $(TARGET_DIRS) $(ROM_DIRS))
  recurse-install: $(addsuffix /install, $(TARGET_DIRS))
  $(addsuffix /install, $(TARGET_DIRS)): all
 diff --git a/Makefile.target b/Makefile.target
 index XXXXXXX..XXXXXXX 100644
 --- a/Makefile.target
 +++ b/Makefile.target
@@ -XXX,XX +XXX,XX @@ ifdef CONFIG_TRACE_SYSTEMTAP
      rm -f *.stp
  endif
 +ifdef CONFIG_FUZZ
 +include $(SRC_PATH)/tests/qtest/fuzz/Makefile.include
 +include $(SRC_PATH)/tests/qtest/Makefile.include
 +
-+fuzz: fuzz-vars
++/**
-+fuzz-vars: QEMU_CFLAGS := $(FUZZ_CFLAGS) $(QEMU_CFLAGS)
++ * Adds the current coroutine to the CoQueue and transfers control to the
-+fuzz-vars: QEMU_LDFLAGS := $(FUZZ_LDFLAGS) $(QEMU_LDFLAGS)
++ * caller of the coroutine.
-+fuzz-vars: $(QEMU_PROG_FUZZ)
++ */
-+dummy := $(call unnest-vars,, fuzz-obj-y)
++void coroutine_fn qemu_co_queue_wait(CoQueue *queue);
 +
 +/**
 + * Restarts the next coroutine in the CoQueue and removes it from the queue.
 + *
 + * Returns true if a coroutine was restarted, false if the queue is empty.
 + */
 +bool coroutine_fn qemu_co_queue_next(CoQueue *queue);
 +
 +/**
 + * Restarts all coroutines in the CoQueue and leaves the queue empty.
 + */
 +void coroutine_fn qemu_co_queue_restart_all(CoQueue *queue);
 +
 +/**
 + * Enter the next coroutine in the queue
 + */
 +bool qemu_co_enter_next(CoQueue *queue);
 +
 +/**
 + * Checks if the CoQueue is empty.
 + */
 +bool qemu_co_queue_empty(CoQueue *queue);
 +
 +
-+$(QEMU_PROG_FUZZ): config-devices.mak $(all-obj-y) $(COMMON_LDADDS) $(fuzz-obj-y)
+ typedef struct CoRwlock {
-+    $(call LINK, $(filter-out %.mak, $^))
+     bool writer;
-+
+     int reader;
 +endif
 +
  install: all
  ifneq ($(PROGS),)
      $(call install-prog,$(PROGS),$(DESTDIR)$(bindir))
 --
-.24.1
+.9.3

-[PULL 16/31] libqtest: make bufwrite rely on the TransportOps
+[Qemu-devel] [PULL v2 23/24] coroutine-lock: add mutex argument to CoQueue APIs
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-When using qtest "in-process" communication, qtest_sendf directly calls
+All that CoQueue needs in order to become thread-safe is help
-a function in the server (qtest.c). Previously, bufwrite used
+from an external mutex.  Add this to the API.
-socket_send, which bypasses the TransportOps enabling the call into
-qtest.c. This change replaces the socket_send calls with ops->send,
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-maintaining the benefits of the direct socket_send call, while adding
+Reviewed-by: Fam Zheng <famz@redhat.com>
-support for in-process qtest calls.
+Message-id: 20170213181244.16297-6-pbonzini@redhat.com
 Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
 Message-id: 20200220041118.23264-8-alxndr@bu.edu
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- tests/qtest/libqtest.c | 71 ++++++++++++++++++++++++++++++++++++++++--
+ include/qemu/coroutine.h   |  8 +++++---
- tests/qtest/libqtest.h |  4 +++
+ block/backup.c             |  2 +-
-files changed, 73 insertions(+), 2 deletions(-)
+ block/io.c                 |  4 ++--
+ block/nbd-client.c         |  2 +-
-diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
+ block/qcow2-cluster.c      |  4 +---
-index XXXXXXX..XXXXXXX 100644
+ block/sheepdog.c           |  2 +-
---- a/tests/qtest/libqtest.c
+ block/throttle-groups.c    |  2 +-
-+++ b/tests/qtest/libqtest.c
+ hw/9pfs/9p.c               |  2 +-
-@@ -XXX,XX +XXX,XX @@
+ util/qemu-coroutine-lock.c | 24 +++++++++++++++++++++---
+files changed, 34 insertions(+), 16 deletions(-)
- typedef void (*QTestSendFn)(QTestState *s, const char *buf);
+diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
-+typedef void (*ExternalSendFn)(void *s, const char *buf);
+index XXXXXXX..XXXXXXX 100644
- typedef GString* (*QTestRecvFn)(QTestState *);
+--- a/include/qemu/coroutine.h
++++ b/include/qemu/coroutine.h
- typedef struct QTestClientTransportOps {
+@@ -XXX,XX +XXX,XX @@ void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex);
-     QTestSendFn     send;      /* for sending qtest commands */
  /**
   * CoQueues are a mechanism to queue coroutines in order to continue executing
 - * them later.
 + * them later.  They are similar to condition variables, but they need help
 + * from an external mutex in order to maintain thread-safety.
   */
  typedef struct CoQueue {
      QSIMPLEQ_HEAD(, Coroutine) entries;
@@ -XXX,XX +XXX,XX @@ void qemu_co_queue_init(CoQueue *queue);
  /**
   * Adds the current coroutine to the CoQueue and transfers control to the
 - * caller of the coroutine.
 + * caller of the coroutine.  The mutex is unlocked during the wait and
 + * locked again afterwards.
   */
 -void coroutine_fn qemu_co_queue_wait(CoQueue *queue);
 +void coroutine_fn qemu_co_queue_wait(CoQueue *queue, CoMutex *mutex);
  /**
   * Restarts the next coroutine in the CoQueue and removes it from the queue.
 diff --git a/block/backup.c b/block/backup.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/backup.c
 +++ b/block/backup.c
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn wait_for_overlapping_requests(BackupBlockJob *job,
          retry = false;
          QLIST_FOREACH(req, &job->inflight_reqs, list) {
              if (end > req->start && start < req->end) {
 -                qemu_co_queue_wait(&req->wait_queue);
 +                qemu_co_queue_wait(&req->wait_queue, NULL);
                  retry = true;
                  break;
              }
 diff --git a/block/io.c b/block/io.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/io.c
 +++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ static bool coroutine_fn wait_serialising_requests(BdrvTrackedRequest *self)
                   * (instead of producing a deadlock in the former case). */
                  if (!req->waiting_for) {
                      self->waiting_for = req;
 -                    qemu_co_queue_wait(&req->wait_queue);
 +                    qemu_co_queue_wait(&req->wait_queue, NULL);
                      self->waiting_for = NULL;
                      retry = true;
                      waited = true;
@@ -XXX,XX +XXX,XX @@ int coroutine_fn bdrv_co_flush(BlockDriverState *bs)
      /* Wait until any previous flushes are completed */
      while (bs->active_flush_req) {
 -        qemu_co_queue_wait(&bs->flush_queue);
 +        qemu_co_queue_wait(&bs->flush_queue, NULL);
      }
      bs->active_flush_req = true;
 diff --git a/block/nbd-client.c b/block/nbd-client.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/nbd-client.c
 +++ b/block/nbd-client.c
@@ -XXX,XX +XXX,XX @@ static void nbd_coroutine_start(NBDClientSession *s,
      /* Poor man semaphore.  The free_sema is locked when no other request
       * can be accepted, and unlocked after receiving one reply.  */
      if (s->in_flight == MAX_NBD_REQUESTS) {
 -        qemu_co_queue_wait(&s->free_sema);
 +        qemu_co_queue_wait(&s->free_sema, NULL);
          assert(s->in_flight < MAX_NBD_REQUESTS);
      }
      s->in_flight++;
 diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/qcow2-cluster.c
 +++ b/block/qcow2-cluster.c
@@ -XXX,XX +XXX,XX @@ static int handle_dependencies(BlockDriverState *bs, uint64_t guest_offset,
              if (bytes == 0) {
                  /* Wait for the dependency to complete. We need to recheck
                   * the free/allocated clusters when we continue. */
 -                qemu_co_mutex_unlock(&s->lock);
 -                qemu_co_queue_wait(&old_alloc->dependent_requests);
 -                qemu_co_mutex_lock(&s->lock);
 +                qemu_co_queue_wait(&old_alloc->dependent_requests, &s->lock);
                  return -EAGAIN;
              }
          }
 diff --git a/block/sheepdog.c b/block/sheepdog.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/sheepdog.c
 +++ b/block/sheepdog.c
@@ -XXX,XX +XXX,XX @@ static void wait_for_overlapping_aiocb(BDRVSheepdogState *s, SheepdogAIOCB *acb)
  retry:
      QLIST_FOREACH(cb, &s->inflight_aiocb_head, aiocb_siblings) {
          if (AIOCBOverlapping(acb, cb)) {
 -            qemu_co_queue_wait(&s->overlapping_queue);
 +            qemu_co_queue_wait(&s->overlapping_queue, NULL);
              goto retry;
          }
      }
 diff --git a/block/throttle-groups.c b/block/throttle-groups.c
 index XXXXXXX..XXXXXXX 100644
 --- a/block/throttle-groups.c
 +++ b/block/throttle-groups.c
@@ -XXX,XX +XXX,XX @@ void coroutine_fn throttle_group_co_io_limits_intercept(BlockBackend *blk,
      if (must_wait || blkp->pending_reqs[is_write]) {
          blkp->pending_reqs[is_write]++;
          qemu_mutex_unlock(&tg->lock);
 -        qemu_co_queue_wait(&blkp->throttled_reqs[is_write]);
 +        qemu_co_queue_wait(&blkp->throttled_reqs[is_write], NULL);
          qemu_mutex_lock(&tg->lock);
          blkp->pending_reqs[is_write]--;
      }
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn v9fs_flush(void *opaque)
          /*
           * Wait for pdu to complete.
           */
 -        qemu_co_queue_wait(&cancel_pdu->complete);
 +        qemu_co_queue_wait(&cancel_pdu->complete, NULL);
          cancel_pdu->cancelled = 0;
          pdu_free(cancel_pdu);
      }
 diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/qemu-coroutine-lock.c
 +++ b/util/qemu-coroutine-lock.c
@@ -XXX,XX +XXX,XX @@ void qemu_co_queue_init(CoQueue *queue)
      QSIMPLEQ_INIT(&queue->entries);
  }
 -void coroutine_fn qemu_co_queue_wait(CoQueue *queue)
 +void coroutine_fn qemu_co_queue_wait(CoQueue *queue, CoMutex *mutex)
  {
      Coroutine *self = qemu_coroutine_self();
      QSIMPLEQ_INSERT_TAIL(&queue->entries, self, co_queue_next);
 +
-+    /*
++    if (mutex) {
-+     * use external_send to send qtest command strings through functions which
++        qemu_co_mutex_unlock(mutex);
 +     * do not accept a QTestState as the first parameter.
 +     */
 +    ExternalSendFn  external_send;
 +
      QTestRecvFn     recv_line; /* for receiving qtest command responses */
  } QTestTransportOps;
@@ -XXX,XX +XXX,XX @@ void qtest_bufwrite(QTestState *s, uint64_t addr, const void *data, size_t size)
      bdata = g_base64_encode(data, size);
      qtest_sendf(s, "b64write 0x%" PRIx64 " 0x%zx ", addr, size);
 -    socket_send(s->fd, bdata, strlen(bdata));
 -    socket_send(s->fd, "\n", 1);
 +    s->ops.send(s, bdata);
 +    s->ops.send(s, "\n");
      qtest_rsp(s, 0);
      g_free(bdata);
  }
@@ -XXX,XX +XXX,XX @@ static void qtest_client_set_rx_handler(QTestState *s, QTestRecvFn recv)
  {
      s->ops.recv_line = recv;
  }
 +/* A type-safe wrapper for s->send() */
 +static void send_wrapper(QTestState *s, const char *buf)
 +{
 +    s->ops.external_send(s, buf);
 +}
 +
 +static GString *qtest_client_inproc_recv_line(QTestState *s)
 +{
 +    GString *line;
 +    size_t offset;
 +    char *eol;
 +
 +    eol = strchr(s->rx->str, '\n');
 +    offset = eol - s->rx->str;
 +    line = g_string_new_len(s->rx->str, offset);
 +    g_string_erase(s->rx, 0, offset + 1);
 +    return line;
 +}
 +
 +QTestState *qtest_inproc_init(QTestState **s, bool log, const char* arch,
 +                    void (*send)(void*, const char*))
 +{
 +    QTestState *qts;
 +    qts = g_new0(QTestState, 1);
 +    *s = qts; /* Expose qts early on, since the query endianness relies on it */
 +    qts->wstatus = 0;
 +    for (int i = 0; i < MAX_IRQ; i++) {
 +        qts->irq_level[i] = false;
 +    }
 +
-+    qtest_client_set_rx_handler(qts, qtest_client_inproc_recv_line);
++    /* There is no race condition here.  Other threads will call
 +     * aio_co_schedule on our AioContext, which can reenter this
 +     * coroutine but only after this yield and after the main loop
 +     * has gone through the next iteration.
 +     */
      qemu_coroutine_yield();
      assert(qemu_in_coroutine());
 +
-+    /* send() may not have a matching protoype, so use a type-safe wrapper */
++    /* TODO: OSv implements wait morphing here, where the wakeup
-+    qts->ops.external_send = send;
++     * primitive automatically places the woken coroutine on the
-+    qtest_client_set_tx_handler(qts, send_wrapper);
++     * mutex's queue.  This avoids the thundering herd effect.
 +
 +    qts->big_endian = qtest_query_target_endianness(qts);
 +
 +    /*
 +     * Set a dummy path for QTEST_QEMU_BINARY. Doesn't need to exist, but this
 +     * way, qtest_get_arch works for inproc qtest.
 +     */
-+    gchar *bin_path = g_strconcat("/qemu-system-", arch, NULL);
++    if (mutex) {
-+    setenv("QTEST_QEMU_BINARY", bin_path, 0);
++        qemu_co_mutex_lock(mutex);
 +    g_free(bin_path);
 +
 +    return qts;
 +}
 +
 +void qtest_client_inproc_recv(void *opaque, const char *str)
 +{
 +    QTestState *qts = *(QTestState **)opaque;
 +
 +    if (!qts->rx) {
 +        qts->rx = g_string_new(NULL);
 +    }
-+    g_string_append(qts->rx, str);
+ }
-+    return;
-+}
+ /**
-diff --git a/tests/qtest/libqtest.h b/tests/qtest/libqtest.h
+@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_rdlock(CoRwlock *lock)
-index XXXXXXX..XXXXXXX 100644
+     Coroutine *self = qemu_coroutine_self();
---- a/tests/qtest/libqtest.h
-+++ b/tests/qtest/libqtest.h
+     while (lock->writer) {
-@@ -XXX,XX +XXX,XX @@ bool qtest_probe_child(QTestState *s);
+-        qemu_co_queue_wait(&lock->queue);
-  */
++        qemu_co_queue_wait(&lock->queue, NULL);
- void qtest_set_expected_status(QTestState *s, int status);
+     }
+     lock->reader++;
-+QTestState *qtest_inproc_init(QTestState **s, bool log, const char* arch,
+     self->locks_held++;
-+                    void (*send)(void*, const char*));
+@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_wrlock(CoRwlock *lock)
-+
+     Coroutine *self = qemu_coroutine_self();
-+void qtest_client_inproc_recv(void *opaque, const char *str);
- #endif
+     while (lock->writer || lock->reader) {
 -        qemu_co_queue_wait(&lock->queue);
 +        qemu_co_queue_wait(&lock->queue, NULL);
      }
      lock->writer = true;
      self->locks_held++;
 --
-.24.1
+.9.3

-[PULL 17/31] qtest: add in-process incoming command handler
+Deleted patch
-From: Alexander Bulekov <alxndr@bu.edu>
-The handler allows a qtest client to send commands to the server by
-directly calling a function, rather than using a file/CharBackend
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Message-id: 20200220041118.23264-9-alxndr@bu.edu
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- include/sysemu/qtest.h |  1 +
- qtest.c                | 13 +++++++++++++
-files changed, 14 insertions(+)
-diff --git a/include/sysemu/qtest.h b/include/sysemu/qtest.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/sysemu/qtest.h
-+++ b/include/sysemu/qtest.h
-@@ -XXX,XX +XXX,XX @@ void qtest_server_init(const char *qtest_chrdev, const char *qtest_log, Error **
- void qtest_server_set_send_handler(void (*send)(void *, const char *),
-                                  void *opaque);
-+void qtest_server_inproc_recv(void *opaque, const char *buf);
- #endif
-diff --git a/qtest.c b/qtest.c
-index XXXXXXX..XXXXXXX 100644
---- a/qtest.c
-+++ b/qtest.c
-@@ -XXX,XX +XXX,XX @@ bool qtest_driver(void)
- {
-     return qtest_chr.chr != NULL;
- }
-+
-+void qtest_server_inproc_recv(void *dummy, const char *buf)
-+{
-+    static GString *gstr;
-+    if (!gstr) {
-+        gstr = g_string_new(NULL);
-+    }
-+    g_string_append(gstr, buf);
-+    if (gstr->str[gstr->len - 1] == '\n') {
-+        qtest_process_inbuf(NULL, gstr);
-+        g_string_truncate(gstr, 0);
-+    }
-+}
---
-.24.1

-[PULL 18/31] libqos: rename i2c_send and i2c_recv
+[Qemu-devel] [PULL v2 24/24] coroutine-lock: make CoRwlock thread-safe and fair
-From: Alexander Bulekov <alxndr@bu.edu>
+From: Paolo Bonzini <pbonzini@redhat.com>
-The names i2c_send and i2c_recv collide with functions defined in
+This adds a CoMutex around the existing CoQueue.  Because the write-side
-hw/i2c/core.c. This causes an error when linking against libqos and
+can just take CoMutex, the old "writer" field is not necessary anymore.
-softmmu simultaneously (for example when using qtest inproc). Rename the
+Instead of removing it altogether, count the number of pending writers
-libqos functions to avoid this.
+during a read-side critical section and forbid further readers from
 entering.
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Message-id: 20170213181244.16297-7-pbonzini@redhat.com
 Acked-by: Thomas Huth <thuth@redhat.com>
 Message-id: 20200220041118.23264-10-alxndr@bu.edu
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- tests/qtest/libqos/i2c.c   | 10 +++++-----
+ include/qemu/coroutine.h   |  3 ++-
- tests/qtest/libqos/i2c.h   |  4 ++--
+ util/qemu-coroutine-lock.c | 35 ++++++++++++++++++++++++-----------
- tests/qtest/pca9552-test.c | 10 +++++-----
+files changed, 26 insertions(+), 12 deletions(-)
 files changed, 12 insertions(+), 12 deletions(-)
-diff --git a/tests/qtest/libqos/i2c.c b/tests/qtest/libqos/i2c.c
+diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/libqos/i2c.c
+--- a/include/qemu/coroutine.h
-+++ b/tests/qtest/libqos/i2c.c
++++ b/include/qemu/coroutine.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ bool qemu_co_queue_empty(CoQueue *queue);
- #include "libqos/i2c.h"
- #include "libqtest.h"
+ typedef struct CoRwlock {
--void i2c_send(QI2CDevice *i2cdev, const uint8_t *buf, uint16_t len)
+-    bool writer;
-+void qi2c_send(QI2CDevice *i2cdev, const uint8_t *buf, uint16_t len)
++    int pending_writer;
      int reader;
 +    CoMutex mutex;
      CoQueue queue;
  } CoRwlock;
 diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/qemu-coroutine-lock.c
 +++ b/util/qemu-coroutine-lock.c
@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_init(CoRwlock *lock)
  {
-     i2cdev->bus->send(i2cdev->bus, i2cdev->addr, buf, len);
+     memset(lock, 0, sizeof(*lock));
      qemu_co_queue_init(&lock->queue);
 +    qemu_co_mutex_init(&lock->mutex);
  }
--void i2c_recv(QI2CDevice *i2cdev, uint8_t *buf, uint16_t len)
+ void qemu_co_rwlock_rdlock(CoRwlock *lock)
 +void qi2c_recv(QI2CDevice *i2cdev, uint8_t *buf, uint16_t len)
  {
-     i2cdev->bus->recv(i2cdev->bus, i2cdev->addr, buf, len);
+     Coroutine *self = qemu_coroutine_self();
 -    while (lock->writer) {
 -        qemu_co_queue_wait(&lock->queue, NULL);
 +    qemu_co_mutex_lock(&lock->mutex);
 +    /* For fairness, wait if a writer is in line.  */
 +    while (lock->pending_writer) {
 +        qemu_co_queue_wait(&lock->queue, &lock->mutex);
      }
      lock->reader++;
 +    qemu_co_mutex_unlock(&lock->mutex);
 +
 +    /* The rest of the read-side critical section is run without the mutex.  */
      self->locks_held++;
  }
-@@ -XXX,XX +XXX,XX @@ void i2c_recv(QI2CDevice *i2cdev, uint8_t *buf, uint16_t len)
- void i2c_read_block(QI2CDevice *i2cdev, uint8_t reg,
+@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_unlock(CoRwlock *lock)
-                     uint8_t *buf, uint16_t len)
+     Coroutine *self = qemu_coroutine_self();
      assert(qemu_in_coroutine());
 -    if (lock->writer) {
 -        lock->writer = false;
 +    if (!lock->reader) {
 +        /* The critical section started in qemu_co_rwlock_wrlock.  */
          qemu_co_queue_restart_all(&lock->queue);
      } else {
 +        self->locks_held--;
 +
 +        qemu_co_mutex_lock(&lock->mutex);
          lock->reader--;
          assert(lock->reader >= 0);
          /* Wakeup only one waiting writer */
@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_unlock(CoRwlock *lock)
              qemu_co_queue_next(&lock->queue);
          }
      }
 -    self->locks_held--;
 +    qemu_co_mutex_unlock(&lock->mutex);
  }
  void qemu_co_rwlock_wrlock(CoRwlock *lock)
  {
--    i2c_send(i2cdev, &reg, 1);
+-    Coroutine *self = qemu_coroutine_self();
--    i2c_recv(i2cdev, buf, len);
+-
-+    qi2c_send(i2cdev, &reg, 1);
+-    while (lock->writer || lock->reader) {
-+    qi2c_recv(i2cdev, buf, len);
+-        qemu_co_queue_wait(&lock->queue, NULL);
 +    qemu_co_mutex_lock(&lock->mutex);
 +    lock->pending_writer++;
 +    while (lock->reader) {
 +        qemu_co_queue_wait(&lock->queue, &lock->mutex);
      }
 -    lock->writer = true;
 -    self->locks_held++;
 +    lock->pending_writer--;
 +
 +    /* The rest of the write-side critical section is run with
 +     * the mutex taken, so that lock->reader remains zero.
 +     * There is no need to update self->locks_held.
 +     */
  }
- void i2c_write_block(QI2CDevice *i2cdev, uint8_t reg,
-@@ -XXX,XX +XXX,XX @@ void i2c_write_block(QI2CDevice *i2cdev, uint8_t reg,
-     uint8_t *cmd = g_malloc(len + 1);
-     cmd[0] = reg;
-     memcpy(&cmd[1], buf, len);
--    i2c_send(i2cdev, cmd, len + 1);
-+    qi2c_send(i2cdev, cmd, len + 1);
-     g_free(cmd);
- }
-diff --git a/tests/qtest/libqos/i2c.h b/tests/qtest/libqos/i2c.h
-index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/libqos/i2c.h
-+++ b/tests/qtest/libqos/i2c.h
-@@ -XXX,XX +XXX,XX @@ struct QI2CDevice {
- void *i2c_device_create(void *i2c_bus, QGuestAllocator *alloc, void *addr);
- void add_qi2c_address(QOSGraphEdgeOptions *opts, QI2CAddress *addr);
--void i2c_send(QI2CDevice *dev, const uint8_t *buf, uint16_t len);
--void i2c_recv(QI2CDevice *dev, uint8_t *buf, uint16_t len);
-+void qi2c_send(QI2CDevice *dev, const uint8_t *buf, uint16_t len);
-+void qi2c_recv(QI2CDevice *dev, uint8_t *buf, uint16_t len);
- void i2c_read_block(QI2CDevice *dev, uint8_t reg,
-                     uint8_t *buf, uint16_t len);
-diff --git a/tests/qtest/pca9552-test.c b/tests/qtest/pca9552-test.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/pca9552-test.c
-+++ b/tests/qtest/pca9552-test.c
-@@ -XXX,XX +XXX,XX @@ static void receive_autoinc(void *obj, void *data, QGuestAllocator *alloc)
-     pca9552_init(i2cdev);
--    i2c_send(i2cdev, &reg, 1);
-+    qi2c_send(i2cdev, &reg, 1);
-     /* PCA9552_LS0 */
--    i2c_recv(i2cdev, &resp, 1);
-+    qi2c_recv(i2cdev, &resp, 1);
-     g_assert_cmphex(resp, ==, 0x54);
-     /* PCA9552_LS1 */
--    i2c_recv(i2cdev, &resp, 1);
-+    qi2c_recv(i2cdev, &resp, 1);
-     g_assert_cmphex(resp, ==, 0x55);
-     /* PCA9552_LS2 */
--    i2c_recv(i2cdev, &resp, 1);
-+    qi2c_recv(i2cdev, &resp, 1);
-     g_assert_cmphex(resp, ==, 0x55);
-     /* PCA9552_LS3 */
--    i2c_recv(i2cdev, &resp, 1);
-+    qi2c_recv(i2cdev, &resp, 1);
-     g_assert_cmphex(resp, ==, 0x54);
- }
 --
-.24.1
+.9.3

-[PULL 19/31] libqos: split qos-test and libqos makefile vars
+Deleted patch
-From: Alexander Bulekov <alxndr@bu.edu>
-Most qos-related objects were specified in the qos-test-obj-y variable.
-qos-test-obj-y also included qos-test.o which defines a main().
-This made it difficult to repurpose qos-test-obj-y to link anything
-beside tests/qos-test against libqos. This change separates objects that
-are libqos-specific and ones that are qos-test specific into different
-variables.
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20200220041118.23264-11-alxndr@bu.edu
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- tests/qtest/Makefile.include | 71 ++++++++++++++++++------------------
-file changed, 36 insertions(+), 35 deletions(-)
-diff --git a/tests/qtest/Makefile.include b/tests/qtest/Makefile.include
-index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/Makefile.include
-+++ b/tests/qtest/Makefile.include
-@@ -XXX,XX +XXX,XX @@ check-qtest-s390x-y += migration-test
- # libqos / qgraph :
- libqgraph-obj-y = tests/qtest/libqos/qgraph.o
--libqos-obj-y = $(libqgraph-obj-y) tests/qtest/libqos/pci.o tests/qtest/libqos/fw_cfg.o
--libqos-obj-y += tests/qtest/libqos/malloc.o
--libqos-obj-y += tests/qtest/libqos/libqos.o
--libqos-spapr-obj-y = $(libqos-obj-y) tests/qtest/libqos/malloc-spapr.o
-+libqos-core-obj-y = $(libqgraph-obj-y) tests/qtest/libqos/pci.o tests/qtest/libqos/fw_cfg.o
-+libqos-core-obj-y += tests/qtest/libqos/malloc.o
-+libqos-core-obj-y += tests/qtest/libqos/libqos.o
-+libqos-spapr-obj-y = $(libqos-core-obj-y) tests/qtest/libqos/malloc-spapr.o
- libqos-spapr-obj-y += tests/qtest/libqos/libqos-spapr.o
- libqos-spapr-obj-y += tests/qtest/libqos/rtas.o
- libqos-spapr-obj-y += tests/qtest/libqos/pci-spapr.o
--libqos-pc-obj-y = $(libqos-obj-y) tests/qtest/libqos/pci-pc.o
-+libqos-pc-obj-y = $(libqos-core-obj-y) tests/qtest/libqos/pci-pc.o
- libqos-pc-obj-y += tests/qtest/libqos/malloc-pc.o tests/qtest/libqos/libqos-pc.o
- libqos-pc-obj-y += tests/qtest/libqos/ahci.o
- libqos-usb-obj-y = $(libqos-spapr-obj-y) $(libqos-pc-obj-y) tests/qtest/libqos/usb.o
- # qos devices:
--qos-test-obj-y = tests/qtest/qos-test.o $(libqgraph-obj-y)
--qos-test-obj-y += $(libqos-pc-obj-y) $(libqos-spapr-obj-y)
--qos-test-obj-y += tests/qtest/libqos/e1000e.o
--qos-test-obj-y += tests/qtest/libqos/i2c.o
--qos-test-obj-y += tests/qtest/libqos/i2c-imx.o
--qos-test-obj-y += tests/qtest/libqos/i2c-omap.o
--qos-test-obj-y += tests/qtest/libqos/sdhci.o
--qos-test-obj-y += tests/qtest/libqos/tpci200.o
--qos-test-obj-y += tests/qtest/libqos/virtio.o
--qos-test-obj-$(CONFIG_VIRTFS) += tests/qtest/libqos/virtio-9p.o
--qos-test-obj-y += tests/qtest/libqos/virtio-balloon.o
--qos-test-obj-y += tests/qtest/libqos/virtio-blk.o
--qos-test-obj-y += tests/qtest/libqos/virtio-mmio.o
--qos-test-obj-y += tests/qtest/libqos/virtio-net.o
--qos-test-obj-y += tests/qtest/libqos/virtio-pci.o
--qos-test-obj-y += tests/qtest/libqos/virtio-pci-modern.o
--qos-test-obj-y += tests/qtest/libqos/virtio-rng.o
--qos-test-obj-y += tests/qtest/libqos/virtio-scsi.o
--qos-test-obj-y += tests/qtest/libqos/virtio-serial.o
-+libqos-obj-y =  $(libqgraph-obj-y)
-+libqos-obj-y += $(libqos-pc-obj-y) $(libqos-spapr-obj-y)
-+libqos-obj-y += tests/qtest/libqos/e1000e.o
-+libqos-obj-y += tests/qtest/libqos/i2c.o
-+libqos-obj-y += tests/qtest/libqos/i2c-imx.o
-+libqos-obj-y += tests/qtest/libqos/i2c-omap.o
-+libqos-obj-y += tests/qtest/libqos/sdhci.o
-+libqos-obj-y += tests/qtest/libqos/tpci200.o
-+libqos-obj-y += tests/qtest/libqos/virtio.o
-+libqos-obj-$(CONFIG_VIRTFS) += tests/qtest/libqos/virtio-9p.o
-+libqos-obj-y += tests/qtest/libqos/virtio-balloon.o
-+libqos-obj-y += tests/qtest/libqos/virtio-blk.o
-+libqos-obj-y += tests/qtest/libqos/virtio-mmio.o
-+libqos-obj-y += tests/qtest/libqos/virtio-net.o
-+libqos-obj-y += tests/qtest/libqos/virtio-pci.o
-+libqos-obj-y += tests/qtest/libqos/virtio-pci-modern.o
-+libqos-obj-y += tests/qtest/libqos/virtio-rng.o
-+libqos-obj-y += tests/qtest/libqos/virtio-scsi.o
-+libqos-obj-y += tests/qtest/libqos/virtio-serial.o
- # qos machines:
--qos-test-obj-y += tests/qtest/libqos/aarch64-xlnx-zcu102-machine.o
--qos-test-obj-y += tests/qtest/libqos/arm-imx25-pdk-machine.o
--qos-test-obj-y += tests/qtest/libqos/arm-n800-machine.o
--qos-test-obj-y += tests/qtest/libqos/arm-raspi2-machine.o
--qos-test-obj-y += tests/qtest/libqos/arm-sabrelite-machine.o
--qos-test-obj-y += tests/qtest/libqos/arm-smdkc210-machine.o
--qos-test-obj-y += tests/qtest/libqos/arm-virt-machine.o
--qos-test-obj-y += tests/qtest/libqos/arm-xilinx-zynq-a9-machine.o
--qos-test-obj-y += tests/qtest/libqos/ppc64_pseries-machine.o
--qos-test-obj-y += tests/qtest/libqos/x86_64_pc-machine.o
-+libqos-obj-y += tests/qtest/libqos/aarch64-xlnx-zcu102-machine.o
-+libqos-obj-y += tests/qtest/libqos/arm-imx25-pdk-machine.o
-+libqos-obj-y += tests/qtest/libqos/arm-n800-machine.o
-+libqos-obj-y += tests/qtest/libqos/arm-raspi2-machine.o
-+libqos-obj-y += tests/qtest/libqos/arm-sabrelite-machine.o
-+libqos-obj-y += tests/qtest/libqos/arm-smdkc210-machine.o
-+libqos-obj-y += tests/qtest/libqos/arm-virt-machine.o
-+libqos-obj-y += tests/qtest/libqos/arm-xilinx-zynq-a9-machine.o
-+libqos-obj-y += tests/qtest/libqos/ppc64_pseries-machine.o
-+libqos-obj-y += tests/qtest/libqos/x86_64_pc-machine.o
- # qos tests:
-+qos-test-obj-y += tests/qtest/qos-test.o
- qos-test-obj-y += tests/qtest/ac97-test.o
- qos-test-obj-y += tests/qtest/ds1338-test.o
- qos-test-obj-y += tests/qtest/e1000-test.o
-@@ -XXX,XX +XXX,XX @@ check-unit-y += tests/test-qgraph$(EXESUF)
- tests/test-qgraph$(EXESUF): tests/test-qgraph.o $(libqgraph-obj-y)
- check-qtest-generic-y += qos-test
--tests/qtest/qos-test$(EXESUF): $(qos-test-obj-y)
-+tests/qtest/qos-test$(EXESUF): $(qos-test-obj-y) $(libqos-obj-y)
- # QTest dependencies:
- tests/qtest/qmp-test$(EXESUF): tests/qtest/qmp-test.o
---
-.24.1

The following changes since commit 9ac5df20f51fabcba0d902025df4bd7ea987c158:

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20200221-1' into staging (2020-02-21 16:18:38 +0000)

are available in the Git repository at:

https://github.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to e5c59355ae9f724777c61c859292ec9db2c8c2ab:

fuzz: add documentation to docs/devel/ (2020-02-22 08:26:48 +0000)

----------------------------------------------------------------
Pull request

This pull request contains a virtio-blk/scsi performance optimization, event
loop scalability improvements, and a qtest-based device fuzzing framework.  I
am including the fuzzing patches because I have reviewed them and Thomas Huth
is currently away on leave.

----------------------------------------------------------------

Alexander Bulekov (22):
  softmmu: move vl.c to softmmu/
  softmmu: split off vl.c:main() into main.c
  module: check module wasn't already initialized
  fuzz: add FUZZ_TARGET module type
  qtest: add qtest_server_send abstraction
  libqtest: add a layer of abstraction to send/recv
  libqtest: make bufwrite rely on the TransportOps
  qtest: add in-process incoming command handler
  libqos: rename i2c_send and i2c_recv
  libqos: split qos-test and libqos makefile vars
  libqos: move useful qos-test funcs to qos_external
  fuzz: add fuzzer skeleton
  exec: keep ram block across fork when using qtest
  main: keep rcu_atfork callback enabled for qtest
  fuzz: support for fork-based fuzzing.
  fuzz: add support for qos-assisted fuzz targets
  fuzz: add target/fuzz makefile rules
  fuzz: add configure flag --enable-fuzzing
  fuzz: add i440fx fuzz targets
  fuzz: add virtio-net fuzz target
  fuzz: add virtio-scsi fuzz target
  fuzz: add documentation to docs/devel/

Denis Plotnikov (1):
  virtio: increase virtqueue size for virtio-scsi and virtio-blk

Paolo Bonzini (1):
  rcu_queue: add QSLIST functions

Stefan Hajnoczi (7):
  aio-posix: avoid reacquiring rcu_read_lock() when polling
  util/async: make bh_aio_poll() O(1)
  aio-posix: fix use after leaving scope in aio_poll()
  aio-posix: don't pass ns timeout to epoll_wait()
  qemu/queue.h: add QLIST_SAFE_REMOVE()
  aio-posix: make AioHandler deletion O(1)
  aio-posix: make AioHandler dispatch O(1) with epoll

MAINTAINERS                         |  11 +-
 Makefile                            |  15 +-
 Makefile.objs                       |   2 -
 Makefile.target                     |  19 ++-
 block.c                             |   5 +-
 chardev/spice.c                     |   4 +-
 configure                           |  39 +++++
 docs/devel/fuzzing.txt              | 116 ++++++++++++++
 exec.c                              |  12 +-
 hw/block/virtio-blk.c               |   2 +-
 hw/core/machine.c                   |   2 +
 hw/scsi/virtio-scsi.c               |   2 +-
 include/block/aio.h                 |  26 ++-
 include/qemu/module.h               |   4 +-
 include/qemu/queue.h                |  32 +++-
 include/qemu/rcu_queue.h            |  47 ++++++
 include/sysemu/qtest.h              |   4 +
 include/sysemu/sysemu.h             |   4 +
 qtest.c                             |  31 +++-
 scripts/checkpatch.pl               |   2 +-
 scripts/get_maintainer.pl           |   3 +-
 softmmu/Makefile.objs               |   3 +
 softmmu/main.c                      |  53 +++++++
 vl.c => softmmu/vl.c                |  48 +++---
 tests/Makefile.include              |   2 +
 tests/qtest/Makefile.include        |  72 +++++----
 tests/qtest/fuzz/Makefile.include   |  18 +++
 tests/qtest/fuzz/fork_fuzz.c        |  55 +++++++
 tests/qtest/fuzz/fork_fuzz.h        |  23 +++
 tests/qtest/fuzz/fork_fuzz.ld       |  37 +++++
 tests/qtest/fuzz/fuzz.c             | 179 +++++++++++++++++++++
 tests/qtest/fuzz/fuzz.h             |  95 +++++++++++
 tests/qtest/fuzz/i440fx_fuzz.c      | 193 ++++++++++++++++++++++
 tests/qtest/fuzz/qos_fuzz.c         | 234 +++++++++++++++++++++++++++
 tests/qtest/fuzz/qos_fuzz.h         |  33 ++++
 tests/qtest/fuzz/virtio_net_fuzz.c  | 198 +++++++++++++++++++++++
 tests/qtest/fuzz/virtio_scsi_fuzz.c | 213 +++++++++++++++++++++++++
 tests/qtest/libqos/i2c.c            |  10 +-
 tests/qtest/libqos/i2c.h            |   4 +-
 tests/qtest/libqos/qos_external.c   | 168 ++++++++++++++++++++
 tests/qtest/libqos/qos_external.h   |  28 ++++
 tests/qtest/libqtest.c              | 119 ++++++++++++--
 tests/qtest/libqtest.h              |   4 +
 tests/qtest/pca9552-test.c          |  10 +-
 tests/qtest/qos-test.c              | 132 +---------------
 tests/test-aio.c                    |   3 +-
 tests/test-rcu-list.c               |  16 ++
 tests/test-rcu-slist.c              |   2 +
 util/aio-posix.c                    | 187 +++++++++++++++-------
 util/async.c                        | 237 ++++++++++++++++------------
 util/module.c                       |   7 +
 51 files changed, 2365 insertions(+), 400 deletions(-)
 create mode 100644 docs/devel/fuzzing.txt
 create mode 100644 softmmu/Makefile.objs
 create mode 100644 softmmu/main.c
 rename vl.c => softmmu/vl.c (99%)
 create mode 100644 tests/qtest/fuzz/Makefile.include
 create mode 100644 tests/qtest/fuzz/fork_fuzz.c
 create mode 100644 tests/qtest/fuzz/fork_fuzz.h
 create mode 100644 tests/qtest/fuzz/fork_fuzz.ld
 create mode 100644 tests/qtest/fuzz/fuzz.c
 create mode 100644 tests/qtest/fuzz/fuzz.h
 create mode 100644 tests/qtest/fuzz/i440fx_fuzz.c
 create mode 100644 tests/qtest/fuzz/qos_fuzz.c
 create mode 100644 tests/qtest/fuzz/qos_fuzz.h
 create mode 100644 tests/qtest/fuzz/virtio_net_fuzz.c
 create mode 100644 tests/qtest/fuzz/virtio_scsi_fuzz.c
 create mode 100644 tests/qtest/libqos/qos_external.c
 create mode 100644 tests/qtest/libqos/qos_external.h
 create mode 100644 tests/test-rcu-slist.c

-- 
2.24.1

From: Denis Plotnikov <dplotnikov@virtuozzo.com>

The goal is to reduce the amount of requests issued by a guest on
1M reads/writes. This rises the performance up to 4% on that kind of
disk access pattern.

The maximum chunk size to be used for the guest disk accessing is
limited with seg_max parameter, which represents the max amount of
pices in the scatter-geather list in one guest disk request.

Since seg_max is virqueue_size dependent, increasing the virtqueue
size increases seg_max, which, in turn, increases the maximum size
of data to be read/write from a guest disk.

More details in the original problem statment:
https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg03721.html

Suggested-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Denis Plotnikov <dplotnikov@virtuozzo.com>
Message-id: 20200214074648.958-1-dplotnikov@virtuozzo.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/block/virtio-blk.c | 2 +-
 hw/core/machine.c     | 2 ++
 hw/scsi/virtio-scsi.c | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -XXX,XX +XXX,XX @@ static Property virtio_blk_properties[] = {
     DEFINE_PROP_BIT("request-merging", VirtIOBlock, conf.request_merging, 0,
                     true),
     DEFINE_PROP_UINT16("num-queues", VirtIOBlock, conf.num_queues, 1),
-    DEFINE_PROP_UINT16("queue-size", VirtIOBlock, conf.queue_size, 128),
+    DEFINE_PROP_UINT16("queue-size", VirtIOBlock, conf.queue_size, 256),
     DEFINE_PROP_BOOL("seg-max-adjust", VirtIOBlock, conf.seg_max_adjust, true),
     DEFINE_PROP_LINK("iothread", VirtIOBlock, conf.iothread, TYPE_IOTHREAD,
                      IOThread *),
diff --git a/hw/core/machine.c b/hw/core/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/mem/nvdimm.h"
 
 GlobalProperty hw_compat_4_2[] = {
+    { "virtio-blk-device", "queue-size", "128"},
+    { "virtio-scsi-device", "virtqueue_size", "128"},
     { "virtio-blk-device", "x-enable-wce-if-config-wce", "off" },
     { "virtio-blk-device", "seg-max-adjust", "off"},
     { "virtio-scsi-device", "seg_max_adjust", "off"},
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -XXX,XX +XXX,XX @@ static void virtio_scsi_device_unrealize(DeviceState *dev, Error **errp)
 static Property virtio_scsi_properties[] = {
     DEFINE_PROP_UINT32("num_queues", VirtIOSCSI, parent_obj.conf.num_queues, 1),
     DEFINE_PROP_UINT32("virtqueue_size", VirtIOSCSI,
-                                         parent_obj.conf.virtqueue_size, 128),
+                                         parent_obj.conf.virtqueue_size, 256),
     DEFINE_PROP_BOOL("seg_max_adjust", VirtIOSCSI,
                       parent_obj.conf.seg_max_adjust, true),
     DEFINE_PROP_UINT32("max_sectors", VirtIOSCSI, parent_obj.conf.max_sectors,
-- 
2.24.1

The first rcu_read_lock/unlock() is expensive.  Nested calls are cheap.

This optimization increases IOPS from 73k to 162k with a Linux guest
that has 2 virtio-blk,num-queues=1 and 99 virtio-blk,num-queues=32
devices.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20200218182708.914552-1-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 util/aio-posix.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/util/aio-posix.c b/util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "block/block.h"
+#include "qemu/rcu.h"
 #include "qemu/rcu_queue.h"
 #include "qemu/sockets.h"
 #include "qemu/cutils.h"
@@ -XXX,XX +XXX,XX @@ static bool run_poll_handlers_once(AioContext *ctx, int64_t *timeout)
     bool progress = false;
     AioHandler *node;
 
+    /*
+     * Optimization: ->io_poll() handlers often contain RCU read critical
+     * sections and we therefore see many rcu_read_lock() -> rcu_read_unlock()
+     * -> rcu_read_lock() -> ... sequences with expensive memory
+     * synchronization primitives.  Make the entire polling loop an RCU
+     * critical section because nested rcu_read_lock()/rcu_read_unlock() calls
+     * are cheap.
+     */
+    RCU_READ_LOCK_GUARD();
+
     QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
         if (!node->deleted && node->io_poll &&
             aio_node_check(ctx, node->is_external) &&
-- 
2.24.1

From: Paolo Bonzini <pbonzini@redhat.com>

QSLIST is the only family of lists for which we do not have RCU-friendly accessors,
add them.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20200220103828.24525-1-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/qemu/queue.h     | 15 +++++++++++--
 include/qemu/rcu_queue.h | 47 ++++++++++++++++++++++++++++++++++++++++
 tests/Makefile.include   |  2 ++
 tests/test-rcu-list.c    | 16 ++++++++++++++
 tests/test-rcu-slist.c   |  2 ++
 5 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 tests/test-rcu-slist.c

diff --git a/include/qemu/queue.h b/include/qemu/queue.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/queue.h
+++ b/include/qemu/queue.h
@@ -XXX,XX +XXX,XX @@ struct {                                                                \
         (head)->slh_first = (head)->slh_first->field.sle_next;          \
 } while (/*CONSTCOND*/0)
 
-#define QSLIST_REMOVE_AFTER(slistelm, field) do {                        \
+#define QSLIST_REMOVE_AFTER(slistelm, field) do {                       \
         (slistelm)->field.sle_next =                                    \
-            QSLIST_NEXT(QSLIST_NEXT((slistelm), field), field);           \
+            QSLIST_NEXT(QSLIST_NEXT((slistelm), field), field);         \
+} while (/*CONSTCOND*/0)
+
+#define QSLIST_REMOVE(head, elm, type, field) do {                      \
+    if ((head)->slh_first == (elm)) {                                   \
+        QSLIST_REMOVE_HEAD((head), field);                              \
+    } else {                                                            \
+        struct type *curelm = (head)->slh_first;                        \
+        while (curelm->field.sle_next != (elm))                         \
+            curelm = curelm->field.sle_next;                            \
+        curelm->field.sle_next = curelm->field.sle_next->field.sle_next; \
+    }                                                                   \
 } while (/*CONSTCOND*/0)
 
 #define QSLIST_FOREACH(var, head, field)                                 \
diff --git a/include/qemu/rcu_queue.h b/include/qemu/rcu_queue.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/rcu_queue.h
+++ b/include/qemu/rcu_queue.h
@@ -XXX,XX +XXX,XX @@ extern "C" {
          (var) && ((next) = atomic_rcu_read(&(var)->field.tqe_next), 1); \
          (var) = (next))
 
+/*
+ * RCU singly-linked list
+ */
+
+/* Singly-linked list access methods */
+#define QSLIST_EMPTY_RCU(head)      (atomic_read(&(head)->slh_first) == NULL)
+#define QSLIST_FIRST_RCU(head)       atomic_rcu_read(&(head)->slh_first)
+#define QSLIST_NEXT_RCU(elm, field)  atomic_rcu_read(&(elm)->field.sle_next)
+
+/* Singly-linked list functions */
+#define QSLIST_INSERT_HEAD_RCU(head, elm, field) do {           \
+    (elm)->field.sle_next = (head)->slh_first;                  \
+    atomic_rcu_set(&(head)->slh_first, (elm));                  \
+} while (/*CONSTCOND*/0)
+
+#define QSLIST_INSERT_AFTER_RCU(head, listelm, elm, field) do {         \
+    (elm)->field.sle_next = (listelm)->field.sle_next;                  \
+    atomic_rcu_set(&(listelm)->field.sle_next, (elm));                  \
+} while (/*CONSTCOND*/0)
+
+#define QSLIST_REMOVE_HEAD_RCU(head, field) do {                       \
+    atomic_set(&(head)->slh_first, (head)->slh_first->field.sle_next); \
+} while (/*CONSTCOND*/0)
+
+#define QSLIST_REMOVE_RCU(head, elm, type, field) do {              \
+    if ((head)->slh_first == (elm)) {                               \
+        QSLIST_REMOVE_HEAD_RCU((head), field);                      \
+    } else {                                                        \
+        struct type *curr = (head)->slh_first;                      \
+        while (curr->field.sle_next != (elm)) {                     \
+            curr = curr->field.sle_next;                            \
+        }                                                           \
+        atomic_set(&curr->field.sle_next,                           \
+                   curr->field.sle_next->field.sle_next);           \
+    }                                                               \
+} while (/*CONSTCOND*/0)
+
+#define QSLIST_FOREACH_RCU(var, head, field)                          \
+    for ((var) = atomic_rcu_read(&(head)->slh_first);                   \
+         (var);                                                         \
+         (var) = atomic_rcu_read(&(var)->field.sle_next))
+
+#define QSLIST_FOREACH_SAFE_RCU(var, head, field, next)                \
+    for ((var) = atomic_rcu_read(&(head)->slh_first);                    \
+         (var) && ((next) = atomic_rcu_read(&(var)->field.sle_next), 1); \
+         (var) = (next))
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/tests/Makefile.include b/tests/Makefile.include
index XXXXXXX..XXXXXXX 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -XXX,XX +XXX,XX @@ check-unit-y += tests/rcutorture$(EXESUF)
 check-unit-y += tests/test-rcu-list$(EXESUF)
 check-unit-y += tests/test-rcu-simpleq$(EXESUF)
 check-unit-y += tests/test-rcu-tailq$(EXESUF)
+check-unit-y += tests/test-rcu-slist$(EXESUF)
 check-unit-y += tests/test-qdist$(EXESUF)
 check-unit-y += tests/test-qht$(EXESUF)
 check-unit-y += tests/test-qht-par$(EXESUF)
@@ -XXX,XX +XXX,XX @@ tests/rcutorture$(EXESUF): tests/rcutorture.o $(test-util-obj-y)
 tests/test-rcu-list$(EXESUF): tests/test-rcu-list.o $(test-util-obj-y)
 tests/test-rcu-simpleq$(EXESUF): tests/test-rcu-simpleq.o $(test-util-obj-y)
 tests/test-rcu-tailq$(EXESUF): tests/test-rcu-tailq.o $(test-util-obj-y)
+tests/test-rcu-slist$(EXESUF): tests/test-rcu-slist.o $(test-util-obj-y)
 tests/test-qdist$(EXESUF): tests/test-qdist.o $(test-util-obj-y)
 tests/test-qht$(EXESUF): tests/test-qht.o $(test-util-obj-y)
 tests/test-qht-par$(EXESUF): tests/test-qht-par.o tests/qht-bench$(EXESUF) $(test-util-obj-y)
diff --git a/tests/test-rcu-list.c b/tests/test-rcu-list.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/test-rcu-list.c
+++ b/tests/test-rcu-list.c
@@ -XXX,XX +XXX,XX @@ struct list_element {
     QSIMPLEQ_ENTRY(list_element) entry;
 #elif TEST_LIST_TYPE == 3
     QTAILQ_ENTRY(list_element) entry;
+#elif TEST_LIST_TYPE == 4
+    QSLIST_ENTRY(list_element) entry;
 #else
 #error Invalid TEST_LIST_TYPE
 #endif
@@ -XXX,XX +XXX,XX @@ static QTAILQ_HEAD(, list_element) Q_list_head;
 #define TEST_LIST_INSERT_HEAD_RCU   QTAILQ_INSERT_HEAD_RCU
 #define TEST_LIST_FOREACH_RCU       QTAILQ_FOREACH_RCU
 #define TEST_LIST_FOREACH_SAFE_RCU  QTAILQ_FOREACH_SAFE_RCU
+
+#elif TEST_LIST_TYPE == 4
+static QSLIST_HEAD(, list_element) Q_list_head;
+
+#define TEST_NAME "qslist"
+#define TEST_LIST_REMOVE_RCU(el, f)                              \
+	 QSLIST_REMOVE_RCU(&Q_list_head, el, list_element, f)
+
+#define TEST_LIST_INSERT_AFTER_RCU(list_el, el, f)               \
+         QSLIST_INSERT_AFTER_RCU(&Q_list_head, list_el, el, f)
+
+#define TEST_LIST_INSERT_HEAD_RCU   QSLIST_INSERT_HEAD_RCU
+#define TEST_LIST_FOREACH_RCU       QSLIST_FOREACH_RCU
+#define TEST_LIST_FOREACH_SAFE_RCU  QSLIST_FOREACH_SAFE_RCU
 #else
 #error Invalid TEST_LIST_TYPE
 #endif
diff --git a/tests/test-rcu-slist.c b/tests/test-rcu-slist.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/test-rcu-slist.c
@@ -XXX,XX +XXX,XX @@
+#define TEST_LIST_TYPE 4
+#include "test-rcu-list.c"
-- 
2.24.1

The ctx->first_bh list contains all created BHs, including those that
are not scheduled.  The list is iterated by the event loop and therefore
has O(n) time complexity with respected to the number of created BHs.

Rewrite BHs so that only scheduled or deleted BHs are enqueued.
Only BHs that actually require action will be iterated.

One semantic change is required: qemu_bh_delete() enqueues the BH and
therefore invokes aio_notify().  The
tests/test-aio.c:test_source_bh_delete_from_cb() test case assumed that
g_main_context_iteration(NULL, false) returns false after
qemu_bh_delete() but it now returns true for one iteration.  Fix up the
test case.

This patch makes aio_compute_timeout() and aio_bh_poll() drop from a CPU
profile reported by perf-top(1).  Previously they combined to 9% CPU
utilization when AioContext polling is commented out and the guest has 2
virtio-blk,num-queues=1 and 99 virtio-blk,num-queues=32 devices.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20200221093951.1414693-1-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/block/aio.h |  20 +++-
 tests/test-aio.c    |   3 +-
 util/async.c        | 237 ++++++++++++++++++++++++++------------------
 3 files changed, 158 insertions(+), 102 deletions(-)

diff --git a/include/block/aio.h b/include/block/aio.h
index XXXXXXX..XXXXXXX 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -XXX,XX +XXX,XX @@ struct ThreadPool;
 struct LinuxAioState;
 struct LuringState;
 
+/*
+ * Each aio_bh_poll() call carves off a slice of the BH list, so that newly
+ * scheduled BHs are not processed until the next aio_bh_poll() call.  All
+ * active aio_bh_poll() calls chain their slices together in a list, so that
+ * nested aio_bh_poll() calls process all scheduled bottom halves.
+ */
+typedef QSLIST_HEAD(, QEMUBH) BHList;
+typedef struct BHListSlice BHListSlice;
+struct BHListSlice {
+    BHList bh_list;
+    QSIMPLEQ_ENTRY(BHListSlice) next;
+};
+
 struct AioContext {
     GSource source;
 
@@ -XXX,XX +XXX,XX @@ struct AioContext {
      */
     QemuLockCnt list_lock;
 
-    /* Anchor of the list of Bottom Halves belonging to the context */
-    struct QEMUBH *first_bh;
+    /* Bottom Halves pending aio_bh_poll() processing */
+    BHList bh_list;
+
+    /* Chained BH list slices for each nested aio_bh_poll() call */
+    QSIMPLEQ_HEAD(, BHListSlice) bh_slice_list;
 
     /* Used by aio_notify.
      *
diff --git a/tests/test-aio.c b/tests/test-aio.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/test-aio.c
+++ b/tests/test-aio.c
@@ -XXX,XX +XXX,XX @@ static void test_source_bh_delete_from_cb(void)
     g_assert_cmpint(data1.n, ==, data1.max);
     g_assert(data1.bh == NULL);
 
-    g_assert(!g_main_context_iteration(NULL, false));
+    assert(g_main_context_iteration(NULL, false));
+    assert(!g_main_context_iteration(NULL, false));
 }
 
 static void test_source_bh_delete_from_cb_many(void)
diff --git a/util/async.c b/util/async.c
index XXXXXXX..XXXXXXX 100644
--- a/util/async.c
+++ b/util/async.c
@@ -XXX,XX +XXX,XX @@
 #include "block/thread-pool.h"
 #include "qemu/main-loop.h"
 #include "qemu/atomic.h"
+#include "qemu/rcu_queue.h"
 #include "block/raw-aio.h"
 #include "qemu/coroutine_int.h"
 #include "trace.h"
@@ -XXX,XX +XXX,XX @@
 /***********************************************************/
 /* bottom halves (can be seen as timers which expire ASAP) */
 
+/* QEMUBH::flags values */
+enum {
+    /* Already enqueued and waiting for aio_bh_poll() */
+    BH_PENDING   = (1 << 0),
+
+    /* Invoke the callback */
+    BH_SCHEDULED = (1 << 1),
+
+    /* Delete without invoking callback */
+    BH_DELETED   = (1 << 2),
+
+    /* Delete after invoking callback */
+    BH_ONESHOT   = (1 << 3),
+
+    /* Schedule periodically when the event loop is idle */
+    BH_IDLE      = (1 << 4),
+};
+
 struct QEMUBH {
     AioContext *ctx;
     QEMUBHFunc *cb;
     void *opaque;
-    QEMUBH *next;
-    bool scheduled;
-    bool idle;
-    bool deleted;
+    QSLIST_ENTRY(QEMUBH) next;
+    unsigned flags;
 };
 
+/* Called concurrently from any thread */
+static void aio_bh_enqueue(QEMUBH *bh, unsigned new_flags)
+{
+    AioContext *ctx = bh->ctx;
+    unsigned old_flags;
+
+    /*
+     * The memory barrier implicit in atomic_fetch_or makes sure that:
+     * 1. idle & any writes needed by the callback are done before the
+     *    locations are read in the aio_bh_poll.
+     * 2. ctx is loaded before the callback has a chance to execute and bh
+     *    could be freed.
+     */
+    old_flags = atomic_fetch_or(&bh->flags, BH_PENDING | new_flags);
+    if (!(old_flags & BH_PENDING)) {
+        QSLIST_INSERT_HEAD_ATOMIC(&ctx->bh_list, bh, next);
+    }
+
+    aio_notify(ctx);
+}
+
+/* Only called from aio_bh_poll() and aio_ctx_finalize() */
+static QEMUBH *aio_bh_dequeue(BHList *head, unsigned *flags)
+{
+    QEMUBH *bh = QSLIST_FIRST_RCU(head);
+
+    if (!bh) {
+        return NULL;
+    }
+
+    QSLIST_REMOVE_HEAD(head, next);
+
+    /*
+     * The atomic_and is paired with aio_bh_enqueue().  The implicit memory
+     * barrier ensures that the callback sees all writes done by the scheduling
+     * thread.  It also ensures that the scheduling thread sees the cleared
+     * flag before bh->cb has run, and thus will call aio_notify again if
+     * necessary.
+     */
+    *flags = atomic_fetch_and(&bh->flags,
+                              ~(BH_PENDING | BH_SCHEDULED | BH_IDLE));
+    return bh;
+}
+
 void aio_bh_schedule_oneshot(AioContext *ctx, QEMUBHFunc *cb, void *opaque)
 {
     QEMUBH *bh;
@@ -XXX,XX +XXX,XX @@ void aio_bh_schedule_oneshot(AioContext *ctx, QEMUBHFunc *cb, void *opaque)
         .cb = cb,
         .opaque = opaque,
     };
-    qemu_lockcnt_lock(&ctx->list_lock);
-    bh->next = ctx->first_bh;
-    bh->scheduled = 1;
-    bh->deleted = 1;
-    /* Make sure that the members are ready before putting bh into list */
-    smp_wmb();
-    ctx->first_bh = bh;
-    qemu_lockcnt_unlock(&ctx->list_lock);
-    aio_notify(ctx);
+    aio_bh_enqueue(bh, BH_SCHEDULED | BH_ONESHOT);
 }
 
 QEMUBH *aio_bh_new(AioContext *ctx, QEMUBHFunc *cb, void *opaque)
@@ -XXX,XX +XXX,XX @@ QEMUBH *aio_bh_new(AioContext *ctx, QEMUBHFunc *cb, void *opaque)
         .cb = cb,
         .opaque = opaque,
     };
-    qemu_lockcnt_lock(&ctx->list_lock);
-    bh->next = ctx->first_bh;
-    /* Make sure that the members are ready before putting bh into list */
-    smp_wmb();
-    ctx->first_bh = bh;
-    qemu_lockcnt_unlock(&ctx->list_lock);
     return bh;
 }
 
@@ -XXX,XX +XXX,XX @@ void aio_bh_call(QEMUBH *bh)
     bh->cb(bh->opaque);
 }
 
-/* Multiple occurrences of aio_bh_poll cannot be called concurrently.
- * The count in ctx->list_lock is incremented before the call, and is
- * not affected by the call.
- */
+/* Multiple occurrences of aio_bh_poll cannot be called concurrently. */
 int aio_bh_poll(AioContext *ctx)
 {
-    QEMUBH *bh, **bhp, *next;
-    int ret;
-    bool deleted = false;
-
-    ret = 0;
-    for (bh = atomic_rcu_read(&ctx->first_bh); bh; bh = next) {
-        next = atomic_rcu_read(&bh->next);
-        /* The atomic_xchg is paired with the one in qemu_bh_schedule.  The
-         * implicit memory barrier ensures that the callback sees all writes
-         * done by the scheduling thread.  It also ensures that the scheduling
-         * thread sees the zero before bh->cb has run, and thus will call
-         * aio_notify again if necessary.
-         */
-        if (atomic_xchg(&bh->scheduled, 0)) {
+    BHListSlice slice;
+    BHListSlice *s;
+    int ret = 0;
+
+    QSLIST_MOVE_ATOMIC(&slice.bh_list, &ctx->bh_list);
+    QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
+
+    while ((s = QSIMPLEQ_FIRST(&ctx->bh_slice_list))) {
+        QEMUBH *bh;
+        unsigned flags;
+
+        bh = aio_bh_dequeue(&s->bh_list, &flags);
+        if (!bh) {
+            QSIMPLEQ_REMOVE_HEAD(&ctx->bh_slice_list, next);
+            continue;
+        }
+
+        if ((flags & (BH_SCHEDULED | BH_DELETED)) == BH_SCHEDULED) {
             /* Idle BHs don't count as progress */
-            if (!bh->idle) {
+            if (!(flags & BH_IDLE)) {
                 ret = 1;
             }
-            bh->idle = 0;
             aio_bh_call(bh);
         }
-        if (bh->deleted) {
-            deleted = true;
+        if (flags & (BH_DELETED | BH_ONESHOT)) {
+            g_free(bh);
         }
     }
 
-    /* remove deleted bhs */
-    if (!deleted) {
-        return ret;
-    }
-
-    if (qemu_lockcnt_dec_if_lock(&ctx->list_lock)) {
-        bhp = &ctx->first_bh;
-        while (*bhp) {
-            bh = *bhp;
-            if (bh->deleted && !bh->scheduled) {
-                *bhp = bh->next;
-                g_free(bh);
-            } else {
-                bhp = &bh->next;
-            }
-        }
-        qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
-    }
     return ret;
 }
 
 void qemu_bh_schedule_idle(QEMUBH *bh)
 {
-    bh->idle = 1;
-    /* Make sure that idle & any writes needed by the callback are done
-     * before the locations are read in the aio_bh_poll.
-     */
-    atomic_mb_set(&bh->scheduled, 1);
+    aio_bh_enqueue(bh, BH_SCHEDULED | BH_IDLE);
 }
 
 void qemu_bh_schedule(QEMUBH *bh)
 {
-    AioContext *ctx;
-
-    ctx = bh->ctx;
-    bh->idle = 0;
-    /* The memory barrier implicit in atomic_xchg makes sure that:
-     * 1. idle & any writes needed by the callback are done before the
-     *    locations are read in the aio_bh_poll.
-     * 2. ctx is loaded before scheduled is set and the callback has a chance
-     *    to execute.
-     */
-    if (atomic_xchg(&bh->scheduled, 1) == 0) {
-        aio_notify(ctx);
-    }
+    aio_bh_enqueue(bh, BH_SCHEDULED);
 }
 
-
 /* This func is async.
  */
 void qemu_bh_cancel(QEMUBH *bh)
 {
-    atomic_mb_set(&bh->scheduled, 0);
+    atomic_and(&bh->flags, ~BH_SCHEDULED);
 }
 
 /* This func is async.The bottom half will do the delete action at the finial
@@ -XXX,XX +XXX,XX @@ void qemu_bh_cancel(QEMUBH *bh)
  */
 void qemu_bh_delete(QEMUBH *bh)
 {
-    bh->scheduled = 0;
-    bh->deleted = 1;
+    aio_bh_enqueue(bh, BH_DELETED);
 }
 
-int64_t
-aio_compute_timeout(AioContext *ctx)
+static int64_t aio_compute_bh_timeout(BHList *head, int timeout)
 {
-    int64_t deadline;
-    int timeout = -1;
     QEMUBH *bh;
 
-    for (bh = atomic_rcu_read(&ctx->first_bh); bh;
-         bh = atomic_rcu_read(&bh->next)) {
-        if (bh->scheduled) {
-            if (bh->idle) {
+    QSLIST_FOREACH_RCU(bh, head, next) {
+        if ((bh->flags & (BH_SCHEDULED | BH_DELETED)) == BH_SCHEDULED) {
+            if (bh->flags & BH_IDLE) {
                 /* idle bottom halves will be polled at least
                  * every 10ms */
                 timeout = 10000000;
@@ -XXX,XX +XXX,XX @@ aio_compute_timeout(AioContext *ctx)
         }
     }
 
+    return timeout;
+}
+
+int64_t
+aio_compute_timeout(AioContext *ctx)
+{
+    BHListSlice *s;
+    int64_t deadline;
+    int timeout = -1;
+
+    timeout = aio_compute_bh_timeout(&ctx->bh_list, timeout);
+    if (timeout == 0) {
+        return 0;
+    }
+
+    QSIMPLEQ_FOREACH(s, &ctx->bh_slice_list, next) {
+        timeout = aio_compute_bh_timeout(&s->bh_list, timeout);
+        if (timeout == 0) {
+            return 0;
+        }
+    }
+
     deadline = timerlistgroup_deadline_ns(&ctx->tlg);
     if (deadline == 0) {
         return 0;
@@ -XXX,XX +XXX,XX @@ aio_ctx_check(GSource *source)
 {
     AioContext *ctx = (AioContext *) source;
     QEMUBH *bh;
+    BHListSlice *s;
 
     atomic_and(&ctx->notify_me, ~1);
     aio_notify_accept(ctx);
 
-    for (bh = ctx->first_bh; bh; bh = bh->next) {
-        if (bh->scheduled) {
+    QSLIST_FOREACH_RCU(bh, &ctx->bh_list, next) {
+        if ((bh->flags & (BH_SCHEDULED | BH_DELETED)) == BH_SCHEDULED) {
             return true;
         }
     }
+
+    QSIMPLEQ_FOREACH(s, &ctx->bh_slice_list, next) {
+        QSLIST_FOREACH_RCU(bh, &s->bh_list, next) {
+            if ((bh->flags & (BH_SCHEDULED | BH_DELETED)) == BH_SCHEDULED) {
+                return true;
+            }
+        }
+    }
     return aio_pending(ctx) || (timerlistgroup_deadline_ns(&ctx->tlg) == 0);
 }
 
@@ -XXX,XX +XXX,XX @@ static void
 aio_ctx_finalize(GSource     *source)
 {
     AioContext *ctx = (AioContext *) source;
+    QEMUBH *bh;
+    unsigned flags;
 
     thread_pool_free(ctx->thread_pool);
 
@@ -XXX,XX +XXX,XX @@ aio_ctx_finalize(GSource     *source)
     assert(QSLIST_EMPTY(&ctx->scheduled_coroutines));
     qemu_bh_delete(ctx->co_schedule_bh);
 
-    qemu_lockcnt_lock(&ctx->list_lock);
-    assert(!qemu_lockcnt_count(&ctx->list_lock));
-    while (ctx->first_bh) {
-        QEMUBH *next = ctx->first_bh->next;
+    /* There must be no aio_bh_poll() calls going on */
+    assert(QSIMPLEQ_EMPTY(&ctx->bh_slice_list));
 
+    while ((bh = aio_bh_dequeue(&ctx->bh_list, &flags))) {
         /* qemu_bh_delete() must have been called on BHs in this AioContext */
-        assert(ctx->first_bh->deleted);
+        assert(flags & BH_DELETED);
 
-        g_free(ctx->first_bh);
-        ctx->first_bh = next;
+        g_free(bh);
     }
-    qemu_lockcnt_unlock(&ctx->list_lock);
 
     aio_set_event_notifier(ctx, &ctx->notifier, false, NULL, NULL);
     event_notifier_cleanup(&ctx->notifier);
@@ -XXX,XX +XXX,XX @@ AioContext *aio_context_new(Error **errp)
     AioContext *ctx;
 
     ctx = (AioContext *) g_source_new(&aio_source_funcs, sizeof(AioContext));
+    QSLIST_INIT(&ctx->bh_list);
+    QSIMPLEQ_INIT(&ctx->bh_slice_list);
     aio_context_setup(ctx);
 
     ret = event_notifier_init(&ctx->notifier, false);
-- 
2.24.1

epoll_handler is a stack variable and must not be accessed after it goes
out of scope:

if (aio_epoll_check_poll(ctx, pollfds, npfd, timeout)) {
          AioHandler epoll_handler;
          ...
          add_pollfd(&epoll_handler);
          ret = aio_epoll(ctx, pollfds, npfd, timeout);
      } ...

...

/* if we have any readable fds, dispatch event */
  if (ret > 0) {
      for (i = 0; i < npfd; i++) {
          nodes[i]->pfd.revents = pollfds[i].revents;
      }
  }

nodes[0] is &epoll_handler, which has already gone out of scope.

There is no need to use pollfds[] for epoll.  We don't need an
AioHandler for the epoll fd.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Message-id: 20200214171712.541358-2-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 util/aio-posix.c | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/util/aio-posix.c b/util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@ static void aio_epoll_update(AioContext *ctx, AioHandler *node, bool is_new)
     }
 }
 
-static int aio_epoll(AioContext *ctx, GPollFD *pfds,
-                     unsigned npfd, int64_t timeout)
+static int aio_epoll(AioContext *ctx, int64_t timeout)
 {
+    GPollFD pfd = {
+        .fd = ctx->epollfd,
+        .events = G_IO_IN | G_IO_OUT | G_IO_HUP | G_IO_ERR,
+    };
     AioHandler *node;
     int i, ret = 0;
     struct epoll_event events[128];
 
-    assert(npfd == 1);
-    assert(pfds[0].fd == ctx->epollfd);
     if (timeout > 0) {
-        ret = qemu_poll_ns(pfds, npfd, timeout);
+        ret = qemu_poll_ns(&pfd, 1, timeout);
     }
     if (timeout <= 0 || ret > 0) {
         ret = epoll_wait(ctx->epollfd, events,
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
 
         /* wait until next event */
         if (aio_epoll_check_poll(ctx, pollfds, npfd, timeout)) {
-            AioHandler epoll_handler;
-
-            epoll_handler.pfd.fd = ctx->epollfd;
-            epoll_handler.pfd.events = G_IO_IN | G_IO_OUT | G_IO_HUP | G_IO_ERR;
-            npfd = 0;
-            add_pollfd(&epoll_handler);
-            ret = aio_epoll(ctx, pollfds, npfd, timeout);
+            npfd = 0; /* pollfds[] is not being used */
+            ret = aio_epoll(ctx, timeout);
         } else  {
             ret = qemu_poll_ns(pollfds, npfd, timeout);
         }
-- 
2.24.1

QLIST_REMOVE() assumes the element is in a list.  It also leaves the
element's linked list pointers dangling.

Introduce a safe version of QLIST_REMOVE() and convert open-coded
instances of this pattern.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Message-id: 20200214171712.541358-4-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block.c              |  5 +----
 chardev/spice.c      |  4 +---
 include/qemu/queue.h | 14 ++++++++++++++
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/block.c b/block.c
index XXXXXXX..XXXXXXX 100644
--- a/block.c
+++ b/block.c
@@ -XXX,XX +XXX,XX @@ BdrvChild *bdrv_attach_child(BlockDriverState *parent_bs,
 
 static void bdrv_detach_child(BdrvChild *child)
 {
-    if (child->next.le_prev) {
-        QLIST_REMOVE(child, next);
-        child->next.le_prev = NULL;
-    }
+    QLIST_SAFE_REMOVE(child, next);
 
     bdrv_replace_child(child, NULL);
 
diff --git a/chardev/spice.c b/chardev/spice.c
index XXXXXXX..XXXXXXX 100644
--- a/chardev/spice.c
+++ b/chardev/spice.c
@@ -XXX,XX +XXX,XX @@ static void char_spice_finalize(Object *obj)
 
     vmc_unregister_interface(s);
 
-    if (s->next.le_prev) {
-        QLIST_REMOVE(s, next);
-    }
+    QLIST_SAFE_REMOVE(s, next);
 
     g_free((char *)s->sin.subtype);
     g_free((char *)s->sin.portname);
diff --git a/include/qemu/queue.h b/include/qemu/queue.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/queue.h
+++ b/include/qemu/queue.h
@@ -XXX,XX +XXX,XX @@ struct {                                                                \
         *(elm)->field.le_prev = (elm)->field.le_next;                   \
 } while (/*CONSTCOND*/0)
 
+/*
+ * Like QLIST_REMOVE() but safe to call when elm is not in a list
+ */
+#define QLIST_SAFE_REMOVE(elm, field) do {                              \
+        if ((elm)->field.le_prev != NULL) {                             \
+                if ((elm)->field.le_next != NULL)                       \
+                        (elm)->field.le_next->field.le_prev =           \
+                            (elm)->field.le_prev;                       \
+                *(elm)->field.le_prev = (elm)->field.le_next;           \
+                (elm)->field.le_next = NULL;                            \
+                (elm)->field.le_prev = NULL;                            \
+        }                                                               \
+} while (/*CONSTCOND*/0)
+
 #define QLIST_FOREACH(var, head, field)                                 \
         for ((var) = ((head)->lh_first);                                \
                 (var);                                                  \
-- 
2.24.1

It is not necessary to scan all AioHandlers for deletion.  Keep a list
of deleted handlers instead of scanning the full list of all handlers.

The AioHandler->deleted field can be dropped.  Let's check if the
handler has been inserted into the deleted list instead.  Add a new
QLIST_IS_INSERTED() API for this check.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Message-id: 20200214171712.541358-5-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/block/aio.h  |  6 ++++-
 include/qemu/queue.h |  3 +++
 util/aio-posix.c     | 53 +++++++++++++++++++++++++++++---------------
 3 files changed, 43 insertions(+), 19 deletions(-)

diff --git a/include/block/aio.h b/include/block/aio.h
index XXXXXXX..XXXXXXX 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -XXX,XX +XXX,XX @@ void qemu_aio_unref(void *p);
 void qemu_aio_ref(void *p);
 
 typedef struct AioHandler AioHandler;
+typedef QLIST_HEAD(, AioHandler) AioHandlerList;
 typedef void QEMUBHFunc(void *opaque);
 typedef bool AioPollFn(void *opaque);
 typedef void IOHandler(void *opaque);
@@ -XXX,XX +XXX,XX @@ struct AioContext {
     QemuRecMutex lock;
 
     /* The list of registered AIO handlers.  Protected by ctx->list_lock. */
-    QLIST_HEAD(, AioHandler) aio_handlers;
+    AioHandlerList aio_handlers;
+
+    /* The list of AIO handlers to be deleted.  Protected by ctx->list_lock. */
+    AioHandlerList deleted_aio_handlers;
 
     /* Used to avoid unnecessary event_notifier_set calls in aio_notify;
      * accessed with atomic primitives.  If this field is 0, everything
diff --git a/include/qemu/queue.h b/include/qemu/queue.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/queue.h
+++ b/include/qemu/queue.h
@@ -XXX,XX +XXX,XX @@ struct {                                                                \
         }                                                               \
 } while (/*CONSTCOND*/0)
 
+/* Is elm in a list? */
+#define QLIST_IS_INSERTED(elm, field) ((elm)->field.le_prev != NULL)
+
 #define QLIST_FOREACH(var, head, field)                                 \
         for ((var) = ((head)->lh_first);                                \
                 (var);                                                  \
diff --git a/util/aio-posix.c b/util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@ struct AioHandler
     AioPollFn *io_poll;
     IOHandler *io_poll_begin;
     IOHandler *io_poll_end;
-    int deleted;
     void *opaque;
     bool is_external;
     QLIST_ENTRY(AioHandler) node;
+    QLIST_ENTRY(AioHandler) node_deleted;
 };
 
 #ifdef CONFIG_EPOLL_CREATE1
@@ -XXX,XX +XXX,XX @@ static bool aio_epoll_try_enable(AioContext *ctx)
 
     QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
         int r;
-        if (node->deleted || !node->pfd.events) {
+        if (QLIST_IS_INSERTED(node, node_deleted) || !node->pfd.events) {
             continue;
         }
         event.events = epoll_events_from_pfd(node->pfd.events);
@@ -XXX,XX +XXX,XX @@ static AioHandler *find_aio_handler(AioContext *ctx, int fd)
     AioHandler *node;
 
     QLIST_FOREACH(node, &ctx->aio_handlers, node) {
-        if (node->pfd.fd == fd)
-            if (!node->deleted)
+        if (node->pfd.fd == fd) {
+            if (!QLIST_IS_INSERTED(node, node_deleted)) {
                 return node;
+            }
+        }
     }
 
     return NULL;
@@ -XXX,XX +XXX,XX @@ static bool aio_remove_fd_handler(AioContext *ctx, AioHandler *node)
 
     /* If a read is in progress, just mark the node as deleted */
     if (qemu_lockcnt_count(&ctx->list_lock)) {
-        node->deleted = 1;
+        QLIST_INSERT_HEAD_RCU(&ctx->deleted_aio_handlers, node, node_deleted);
         node->pfd.revents = 0;
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static void poll_set_started(AioContext *ctx, bool started)
     QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
         IOHandler *fn;
 
-        if (node->deleted) {
+        if (QLIST_IS_INSERTED(node, node_deleted)) {
             continue;
         }
 
@@ -XXX,XX +XXX,XX @@ bool aio_pending(AioContext *ctx)
     return result;
 }
 
+static void aio_free_deleted_handlers(AioContext *ctx)
+{
+    AioHandler *node;
+
+    if (QLIST_EMPTY_RCU(&ctx->deleted_aio_handlers)) {
+        return;
+    }
+    if (!qemu_lockcnt_dec_if_lock(&ctx->list_lock)) {
+        return; /* we are nested, let the parent do the freeing */
+    }
+
+    while ((node = QLIST_FIRST_RCU(&ctx->deleted_aio_handlers))) {
+        QLIST_REMOVE(node, node);
+        QLIST_REMOVE(node, node_deleted);
+        g_free(node);
+    }
+
+    qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
+}
+
 static bool aio_dispatch_handlers(AioContext *ctx)
 {
     AioHandler *node, *tmp;
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
         revents = node->pfd.revents & node->pfd.events;
         node->pfd.revents = 0;
 
-        if (!node->deleted &&
+        if (!QLIST_IS_INSERTED(node, node_deleted) &&
             (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR)) &&
             aio_node_check(ctx, node->is_external) &&
             node->io_read) {
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
                 progress = true;
             }
         }
-        if (!node->deleted &&
+        if (!QLIST_IS_INSERTED(node, node_deleted) &&
             (revents & (G_IO_OUT | G_IO_ERR)) &&
             aio_node_check(ctx, node->is_external) &&
             node->io_write) {
             node->io_write(node->opaque);
             progress = true;
         }
-
-        if (node->deleted) {
-            if (qemu_lockcnt_dec_if_lock(&ctx->list_lock)) {
-                QLIST_REMOVE(node, node);
-                g_free(node);
-                qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
-            }
-        }
     }
 
     return progress;
@@ -XXX,XX +XXX,XX @@ void aio_dispatch(AioContext *ctx)
     qemu_lockcnt_inc(&ctx->list_lock);
     aio_bh_poll(ctx);
     aio_dispatch_handlers(ctx);
+    aio_free_deleted_handlers(ctx);
     qemu_lockcnt_dec(&ctx->list_lock);
 
     timerlistgroup_run_timers(&ctx->tlg);
@@ -XXX,XX +XXX,XX @@ static bool run_poll_handlers_once(AioContext *ctx, int64_t *timeout)
     RCU_READ_LOCK_GUARD();
 
     QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
-        if (!node->deleted && node->io_poll &&
+        if (!QLIST_IS_INSERTED(node, node_deleted) && node->io_poll &&
             aio_node_check(ctx, node->is_external) &&
             node->io_poll(node->opaque)) {
             /*
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
 
         if (!aio_epoll_enabled(ctx)) {
             QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
-                if (!node->deleted && node->pfd.events
+                if (!QLIST_IS_INSERTED(node, node_deleted) && node->pfd.events
                     && aio_node_check(ctx, node->is_external)) {
                     add_pollfd(node);
                 }
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         progress |= aio_dispatch_handlers(ctx);
     }
 
+    aio_free_deleted_handlers(ctx);
+
     qemu_lockcnt_dec(&ctx->list_lock);
 
     progress |= timerlistgroup_run_timers(&ctx->tlg);
-- 
2.24.1

File descriptor monitoring is O(1) with epoll(7), but
aio_dispatch_handlers() still scans all AioHandlers instead of
dispatching just those that are ready.  This makes aio_poll() O(n) with
respect to the total number of registered handlers.

Add a local ready_list to aio_poll() so that each nested aio_poll()
builds a list of handlers ready to be dispatched.  Since file descriptor
polling is level-triggered, nested aio_poll() calls also see fds that
were ready in the parent but not yet dispatched.  This guarantees that
nested aio_poll() invocations will dispatch all fds, even those that
became ready before the nested invocation.

Since only handlers ready to be dispatched are placed onto the
ready_list, the new aio_dispatch_ready_handlers() function provides O(1)
dispatch.

Note that AioContext polling is still O(n) and currently cannot be fully
disabled.  This still needs to be fixed before aio_poll() is fully O(1).

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Message-id: 20200214171712.541358-6-stefanha@redhat.com
[Fix compilation error on macOS where there is no epoll(87).  The
aio_epoll() prototype was out of date and aio_add_ready_list() needed to
be moved outside the ifdef.
--Stefan]
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 util/aio-posix.c | 110 +++++++++++++++++++++++++++++++++--------------
 1 file changed, 78 insertions(+), 32 deletions(-)

diff --git a/util/aio-posix.c b/util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@ struct AioHandler
     void *opaque;
     bool is_external;
     QLIST_ENTRY(AioHandler) node;
+    QLIST_ENTRY(AioHandler) node_ready; /* only used during aio_poll() */
     QLIST_ENTRY(AioHandler) node_deleted;
 };
 
+/* Add a handler to a ready list */
+static void add_ready_handler(AioHandlerList *ready_list,
+                              AioHandler *node,
+                              int revents)
+{
+    QLIST_SAFE_REMOVE(node, node_ready); /* remove from nested parent's list */
+    node->pfd.revents = revents;
+    QLIST_INSERT_HEAD(ready_list, node, node_ready);
+}
+
 #ifdef CONFIG_EPOLL_CREATE1
 
 /* The fd number threshold to switch to epoll */
@@ -XXX,XX +XXX,XX @@ static void aio_epoll_update(AioContext *ctx, AioHandler *node, bool is_new)
     }
 }
 
-static int aio_epoll(AioContext *ctx, int64_t timeout)
+static int aio_epoll(AioContext *ctx, AioHandlerList *ready_list,
+                     int64_t timeout)
 {
     GPollFD pfd = {
         .fd = ctx->epollfd,
@@ -XXX,XX +XXX,XX @@ static int aio_epoll(AioContext *ctx, int64_t timeout)
         }
         for (i = 0; i < ret; i++) {
             int ev = events[i].events;
+            int revents = (ev & EPOLLIN ? G_IO_IN : 0) |
+                          (ev & EPOLLOUT ? G_IO_OUT : 0) |
+                          (ev & EPOLLHUP ? G_IO_HUP : 0) |
+                          (ev & EPOLLERR ? G_IO_ERR : 0);
+
             node = events[i].data.ptr;
-            node->pfd.revents = (ev & EPOLLIN ? G_IO_IN : 0) |
-                (ev & EPOLLOUT ? G_IO_OUT : 0) |
-                (ev & EPOLLHUP ? G_IO_HUP : 0) |
-                (ev & EPOLLERR ? G_IO_ERR : 0);
+            add_ready_handler(ready_list, node, revents);
         }
     }
 out:
@@ -XXX,XX +XXX,XX @@ static void aio_epoll_update(AioContext *ctx, AioHandler *node, bool is_new)
 {
 }
 
-static int aio_epoll(AioContext *ctx, GPollFD *pfds,
-                     unsigned npfd, int64_t timeout)
+static int aio_epoll(AioContext *ctx, AioHandlerList *ready_list,
+                     int64_t timeout)
 {
     assert(false);
 }
@@ -XXX,XX +XXX,XX @@ static void aio_free_deleted_handlers(AioContext *ctx)
     qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
 }
 
-static bool aio_dispatch_handlers(AioContext *ctx)
+static bool aio_dispatch_handler(AioContext *ctx, AioHandler *node)
 {
-    AioHandler *node, *tmp;
     bool progress = false;
+    int revents;
 
-    QLIST_FOREACH_SAFE_RCU(node, &ctx->aio_handlers, node, tmp) {
-        int revents;
+    revents = node->pfd.revents & node->pfd.events;
+    node->pfd.revents = 0;
 
-        revents = node->pfd.revents & node->pfd.events;
-        node->pfd.revents = 0;
+    if (!QLIST_IS_INSERTED(node, node_deleted) &&
+        (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR)) &&
+        aio_node_check(ctx, node->is_external) &&
+        node->io_read) {
+        node->io_read(node->opaque);
 
-        if (!QLIST_IS_INSERTED(node, node_deleted) &&
-            (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR)) &&
-            aio_node_check(ctx, node->is_external) &&
-            node->io_read) {
-            node->io_read(node->opaque);
-
-            /* aio_notify() does not count as progress */
-            if (node->opaque != &ctx->notifier) {
-                progress = true;
-            }
-        }
-        if (!QLIST_IS_INSERTED(node, node_deleted) &&
-            (revents & (G_IO_OUT | G_IO_ERR)) &&
-            aio_node_check(ctx, node->is_external) &&
-            node->io_write) {
-            node->io_write(node->opaque);
+        /* aio_notify() does not count as progress */
+        if (node->opaque != &ctx->notifier) {
             progress = true;
         }
     }
+    if (!QLIST_IS_INSERTED(node, node_deleted) &&
+        (revents & (G_IO_OUT | G_IO_ERR)) &&
+        aio_node_check(ctx, node->is_external) &&
+        node->io_write) {
+        node->io_write(node->opaque);
+        progress = true;
+    }
+
+    return progress;
+}
+
+/*
+ * If we have a list of ready handlers then this is more efficient than
+ * scanning all handlers with aio_dispatch_handlers().
+ */
+static bool aio_dispatch_ready_handlers(AioContext *ctx,
+                                        AioHandlerList *ready_list)
+{
+    bool progress = false;
+    AioHandler *node;
+
+    while ((node = QLIST_FIRST(ready_list))) {
+        QLIST_SAFE_REMOVE(node, node_ready);
+        progress = aio_dispatch_handler(ctx, node) || progress;
+    }
+
+    return progress;
+}
+
+/* Slower than aio_dispatch_ready_handlers() but only used via glib */
+static bool aio_dispatch_handlers(AioContext *ctx)
+{
+    AioHandler *node, *tmp;
+    bool progress = false;
+
+    QLIST_FOREACH_SAFE_RCU(node, &ctx->aio_handlers, node, tmp) {
+        progress = aio_dispatch_handler(ctx, node) || progress;
+    }
 
     return progress;
 }
@@ -XXX,XX +XXX,XX @@ static bool try_poll_mode(AioContext *ctx, int64_t *timeout)
 
 bool aio_poll(AioContext *ctx, bool blocking)
 {
+    AioHandlerList ready_list = QLIST_HEAD_INITIALIZER(ready_list);
     AioHandler *node;
     int i;
     int ret = 0;
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         /* wait until next event */
         if (aio_epoll_check_poll(ctx, pollfds, npfd, timeout)) {
             npfd = 0; /* pollfds[] is not being used */
-            ret = aio_epoll(ctx, timeout);
+            ret = aio_epoll(ctx, &ready_list, timeout);
         } else  {
             ret = qemu_poll_ns(pollfds, npfd, timeout);
         }
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
     /* if we have any readable fds, dispatch event */
     if (ret > 0) {
         for (i = 0; i < npfd; i++) {
-            nodes[i]->pfd.revents = pollfds[i].revents;
+            int revents = pollfds[i].revents;
+
+            if (revents) {
+                add_ready_handler(&ready_list, nodes[i], revents);
+            }
         }
     }
 
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
     progress |= aio_bh_poll(ctx);
 
     if (ret > 0) {
-        progress |= aio_dispatch_handlers(ctx);
+        progress |= aio_dispatch_ready_handlers(ctx, &ready_list);
     }
 
     aio_free_deleted_handlers(ctx);
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

Move vl.c to a separate directory, similar to linux-user/
Update the chechpatch and get_maintainer scripts, since they relied on
/vl.c for top_of_tree checks.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200220041118.23264-2-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 MAINTAINERS               | 2 +-
 Makefile.objs             | 2 --
 Makefile.target           | 1 +
 scripts/checkpatch.pl     | 2 +-
 scripts/get_maintainer.pl | 3 ++-
 softmmu/Makefile.objs     | 2 ++
 vl.c => softmmu/vl.c      | 0
 7 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 softmmu/Makefile.objs
 rename vl.c => softmmu/vl.c (100%)

diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: include/qemu/main-loop.h
 F: include/sysemu/runstate.h
 F: util/main-loop.c
 F: util/qemu-timer.c
-F: vl.c
+F: softmmu/vl.c
 F: qapi/run-state.json
 
 Human Monitor (HMP)
diff --git a/Makefile.objs b/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -XXX,XX +XXX,XX @@ common-obj-y += ui/
 common-obj-m += ui/
 
 common-obj-y += dma-helpers.o
-common-obj-y += vl.o
-vl.o-cflags := $(GPROF_CFLAGS) $(SDL_CFLAGS)
 common-obj-$(CONFIG_TPM) += tpm.o
 
 common-obj-y += backends/
diff --git a/Makefile.target b/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -XXX,XX +XXX,XX @@ obj-y += qapi/
 obj-y += memory.o
 obj-y += memory_mapping.o
 obj-y += migration/ram.o
+obj-y += softmmu/
 LIBS := $(libs_softmmu) $(LIBS)
 
 # Hardware support
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index XXXXXXX..XXXXXXX 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -XXX,XX +XXX,XX @@ sub top_of_kernel_tree {
 	my @tree_check = (
 		"COPYING", "MAINTAINERS", "Makefile",
 		"README.rst", "docs", "VERSION",
-		"vl.c"
+		"linux-user", "softmmu"
 	);
 
 	foreach my $check (@tree_check) {
diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
index XXXXXXX..XXXXXXX 100755
--- a/scripts/get_maintainer.pl
+++ b/scripts/get_maintainer.pl
@@ -XXX,XX +XXX,XX @@ sub top_of_tree {
         && (-f "${lk_path}Makefile")
         && (-d "${lk_path}docs")
         && (-f "${lk_path}VERSION")
-        && (-f "${lk_path}vl.c")) {
+        && (-d "${lk_path}linux-user/")
+        && (-d "${lk_path}softmmu/")) {
 	return 1;
     }
     return 0;
diff --git a/softmmu/Makefile.objs b/softmmu/Makefile.objs
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/softmmu/Makefile.objs
@@ -XXX,XX +XXX,XX @@
+obj-y += vl.o
+vl.o-cflags := $(GPROF_CFLAGS) $(SDL_CFLAGS)
diff --git a/vl.c b/softmmu/vl.c
similarity index 100%
rename from vl.c
rename to softmmu/vl.c
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

A program might rely on functions implemented in vl.c, but implement its
own main(). By placing main into a separate source file, there are no
complaints about duplicate main()s when linking against vl.o. For
example, the virtual-device fuzzer uses a main() provided by libfuzzer,
and needs to perform some initialization before running the softmmu
initialization. Now, main simply calls three vl.c functions which
handle the guest initialization, main loop and cleanup.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200220041118.23264-3-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 MAINTAINERS             |  1 +
 Makefile.target         |  2 +-
 include/sysemu/sysemu.h |  4 ++++
 softmmu/Makefile.objs   |  1 +
 softmmu/main.c          | 53 +++++++++++++++++++++++++++++++++++++++++
 softmmu/vl.c            | 36 +++++++---------------------
 6 files changed, 69 insertions(+), 28 deletions(-)
 create mode 100644 softmmu/main.c

diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: include/sysemu/runstate.h
 F: util/main-loop.c
 F: util/qemu-timer.c
 F: softmmu/vl.c
+F: softmmu/main.c
 F: qapi/run-state.json
 
 Human Monitor (HMP)
diff --git a/Makefile.target b/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -XXX,XX +XXX,XX @@ endif
 COMMON_LDADDS = ../libqemuutil.a
 
 # build either PROG or PROGW
-$(QEMU_PROG_BUILD): $(all-obj-y) $(COMMON_LDADDS)
+$(QEMU_PROG_BUILD): $(all-obj-y) $(COMMON_LDADDS) $(softmmu-main-y)
 	$(call LINK, $(filter-out %.mak, $^))
 ifdef CONFIG_DARWIN
 	$(call quiet-command,Rez -append $(SRC_PATH)/pc-bios/qemu.rsrc -o $@,"REZ","$(TARGET_DIR)$@")
diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
@@ -XXX,XX +XXX,XX @@ QemuOpts *qemu_get_machine_opts(void);
 
 bool defaults_enabled(void);
 
+void qemu_init(int argc, char **argv, char **envp);
+void qemu_main_loop(void);
+void qemu_cleanup(void);
+
 extern QemuOptsList qemu_legacy_drive_opts;
 extern QemuOptsList qemu_common_drive_opts;
 extern QemuOptsList qemu_drive_opts;
diff --git a/softmmu/Makefile.objs b/softmmu/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/softmmu/Makefile.objs
+++ b/softmmu/Makefile.objs
@@ -XXX,XX +XXX,XX @@
+softmmu-main-y = softmmu/main.o
 obj-y += vl.o
 vl.o-cflags := $(GPROF_CFLAGS) $(SDL_CFLAGS)
diff --git a/softmmu/main.c b/softmmu/main.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/softmmu/main.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU System Emulator
+ *
+ * Copyright (c) 2003-2020 Fabrice Bellard
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "sysemu/sysemu.h"
+
+#ifdef CONFIG_SDL
+#if defined(__APPLE__) || defined(main)
+#include <SDL.h>
+int main(int argc, char **argv)
+{
+    return qemu_main(argc, argv, NULL);
+}
+#undef main
+#define main qemu_main
+#endif
+#endif /* CONFIG_SDL */
+
+#ifdef CONFIG_COCOA
+#undef main
+#define main qemu_main
+#endif /* CONFIG_COCOA */
+
+int main(int argc, char **argv, char **envp)
+{
+    qemu_init(argc, argv, envp);
+    qemu_main_loop();
+    qemu_cleanup();
+
+    return 0;
+}
diff --git a/softmmu/vl.c b/softmmu/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/seccomp.h"
 #include "sysemu/tcg.h"
 
-#ifdef CONFIG_SDL
-#if defined(__APPLE__) || defined(main)
-#include <SDL.h>
-int qemu_main(int argc, char **argv, char **envp);
-int main(int argc, char **argv)
-{
-    return qemu_main(argc, argv, NULL);
-}
-#undef main
-#define main qemu_main
-#endif
-#endif /* CONFIG_SDL */
-
-#ifdef CONFIG_COCOA
-#undef main
-#define main qemu_main
-#endif /* CONFIG_COCOA */
-
-
 #include "qemu/error-report.h"
 #include "qemu/sockets.h"
 #include "sysemu/accel.h"
@@ -XXX,XX +XXX,XX @@ static bool main_loop_should_exit(void)
     return false;
 }
 
-static void main_loop(void)
+void qemu_main_loop(void)
 {
 #ifdef CONFIG_PROFILER
     int64_t ti;
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
     }
 }
 
-int main(int argc, char **argv, char **envp)
+void qemu_init(int argc, char **argv, char **envp)
 {
     int i;
     int snapshot, linux_boot;
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
             case QEMU_OPTION_watchdog:
                 if (watchdog) {
                     error_report("only one watchdog option may be given");
-                    return 1;
+                    exit(1);
                 }
                 watchdog = optarg;
                 break;
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
     parse_numa_opts(current_machine);
 
     /* do monitor/qmp handling at preconfig state if requested */
-    main_loop();
+    qemu_main_loop();
 
     audio_init_audiodevs();
 
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
     if (vmstate_dump_file) {
         /* dump and exit */
         dump_vmstate_json_to_file(vmstate_dump_file);
-        return 0;
+        exit(0);
     }
 
     if (incoming) {
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
     accel_setup_post(current_machine);
     os_setup_post();
 
-    main_loop();
+    return;
+}
 
+void qemu_cleanup(void)
+{
     gdbserver_cleanup();
 
     /*
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
     qemu_chr_cleanup();
     user_creatable_cleanup();
     /* TODO: unref root container, check all devices are ok */
-
-    return 0;
 }
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

The virtual-device fuzzer must initialize QOM, prior to running
vl:qemu_init, so that it can use the qos_graph to identify the arguments
required to initialize a guest for libqos-assisted fuzzing. This change
prevents errors when vl:qemu_init tries to (re)initialize the previously
initialized QOM module.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200220041118.23264-4-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 util/module.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/util/module.c b/util/module.c
index XXXXXXX..XXXXXXX 100644
--- a/util/module.c
+++ b/util/module.c
@@ -XXX,XX +XXX,XX @@ typedef struct ModuleEntry
 typedef QTAILQ_HEAD(, ModuleEntry) ModuleTypeList;
 
 static ModuleTypeList init_type_list[MODULE_INIT_MAX];
+static bool modules_init_done[MODULE_INIT_MAX];
 
 static ModuleTypeList dso_init_list;
 
@@ -XXX,XX +XXX,XX @@ void module_call_init(module_init_type type)
     ModuleTypeList *l;
     ModuleEntry *e;
 
+    if (modules_init_done[type]) {
+        return;
+    }
+
     l = find_type(type);
 
     QTAILQ_FOREACH(e, l, node) {
         e->init();
     }
+
+    modules_init_done[type] = true;
 }
 
 #ifdef CONFIG_MODULES
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

diff --git a/include/qemu/module.h b/include/qemu/module.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@ -XXX,XX +XXX,XX @@ typedef enum {
     MODULE_INIT_TRACE,
     MODULE_INIT_XEN_BACKEND,
     MODULE_INIT_LIBQOS,
+    MODULE_INIT_FUZZ_TARGET,
     MODULE_INIT_MAX
 } module_init_type;
 
@@ -XXX,XX +XXX,XX @@ typedef enum {
 #define xen_backend_init(function) module_init(function, \
                                                MODULE_INIT_XEN_BACKEND)
 #define libqos_init(function) module_init(function, MODULE_INIT_LIBQOS)
-
+#define fuzz_target_init(function) module_init(function, \
+                                               MODULE_INIT_FUZZ_TARGET)
 #define block_module_load_one(lib) module_load_one("block-", lib)
 #define ui_module_load_one(lib) module_load_one("ui-", lib)
 #define audio_module_load_one(lib) module_load_one("audio-", lib)
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

qtest_server_send is a function pointer specifying the handler used to
transmit data to the qtest client. In the standard configuration, this
calls the CharBackend handler, but now it is possible for other types of
handlers, e.g direct-function calls if the qtest client and server
exist within the same process (inproc)

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-id: 20200220041118.23264-6-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/sysemu/qtest.h |  3 +++
 qtest.c                | 18 ++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/include/sysemu/qtest.h b/include/sysemu/qtest.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/qtest.h
+++ b/include/sysemu/qtest.h
@@ -XXX,XX +XXX,XX @@ bool qtest_driver(void);
 
 void qtest_server_init(const char *qtest_chrdev, const char *qtest_log, Error **errp);
 
+void qtest_server_set_send_handler(void (*send)(void *, const char *),
+                                 void *opaque);
+
 #endif
diff --git a/qtest.c b/qtest.c
index XXXXXXX..XXXXXXX 100644
--- a/qtest.c
+++ b/qtest.c
@@ -XXX,XX +XXX,XX @@ static GString *inbuf;
 static int irq_levels[MAX_IRQ];
 static qemu_timeval start_time;
 static bool qtest_opened;
+static void (*qtest_server_send)(void*, const char*);
+static void *qtest_server_send_opaque;
 
 #define FMT_timeval "%ld.%06ld"
 
@@ -XXX,XX +XXX,XX @@ static void GCC_FMT_ATTR(1, 2) qtest_log_send(const char *fmt, ...)
     va_end(ap);
 }
 
-static void do_qtest_send(CharBackend *chr, const char *str, size_t len)
+static void qtest_server_char_be_send(void *opaque, const char *str)
 {
+    size_t len = strlen(str);
+    CharBackend* chr = (CharBackend *)opaque;
     qemu_chr_fe_write_all(chr, (uint8_t *)str, len);
     if (qtest_log_fp && qtest_opened) {
         fprintf(qtest_log_fp, "%s", str);
@@ -XXX,XX +XXX,XX @@ static void do_qtest_send(CharBackend *chr, const char *str, size_t len)
 
 static void qtest_send(CharBackend *chr, const char *str)
 {
-    do_qtest_send(chr, str, strlen(str));
+    qtest_server_send(qtest_server_send_opaque, str);
 }
 
 static void GCC_FMT_ATTR(2, 3) qtest_sendf(CharBackend *chr,
@@ -XXX,XX +XXX,XX @@ void qtest_server_init(const char *qtest_chrdev, const char *qtest_log, Error **
     qemu_chr_fe_set_echo(&qtest_chr, true);
 
     inbuf = g_string_new("");
+
+    if (!qtest_server_send) {
+        qtest_server_set_send_handler(qtest_server_char_be_send, &qtest_chr);
+    }
+}
+
+void qtest_server_set_send_handler(void (*send)(void*, const char*), void *opaque)
+{
+    qtest_server_send = send;
+    qtest_server_send_opaque = opaque;
 }
 
 bool qtest_driver(void)
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

This makes it simple to swap the transport functions for qtest commands
to and from the qtest client. For example, now it is possible to
directly pass qtest commands to a server handler that exists within the
same process, without the standard way of writing to a file descriptor.

diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/libqtest.c
+++ b/tests/qtest/libqtest.c
@@ -XXX,XX +XXX,XX @@
 #define SOCKET_TIMEOUT 50
 #define SOCKET_MAX_FDS 16
 
+
+typedef void (*QTestSendFn)(QTestState *s, const char *buf);
+typedef GString* (*QTestRecvFn)(QTestState *);
+
+typedef struct QTestClientTransportOps {
+    QTestSendFn     send;      /* for sending qtest commands */
+    QTestRecvFn     recv_line; /* for receiving qtest command responses */
+} QTestTransportOps;
+
 struct QTestState
 {
     int fd;
@@ -XXX,XX +XXX,XX @@ struct QTestState
     bool big_endian;
     bool irq_level[MAX_IRQ];
     GString *rx;
+    QTestTransportOps ops;
 };
 
 static GHookList abrt_hooks;
@@ -XXX,XX +XXX,XX @@ static struct sigaction sigact_old;
 
 static int qtest_query_target_endianness(QTestState *s);
 
+static void qtest_client_socket_send(QTestState*, const char *buf);
+static void socket_send(int fd, const char *buf, size_t size);
+
+static GString *qtest_client_socket_recv_line(QTestState *);
+
+static void qtest_client_set_tx_handler(QTestState *s, QTestSendFn send);
+static void qtest_client_set_rx_handler(QTestState *s, QTestRecvFn recv);
+
 static int init_socket(const char *socket_path)
 {
     struct sockaddr_un addr;
@@ -XXX,XX +XXX,XX @@ QTestState *qtest_init_without_qmp_handshake(const char *extra_args)
     sock = init_socket(socket_path);
     qmpsock = init_socket(qmp_socket_path);
 
+    qtest_client_set_rx_handler(s, qtest_client_socket_recv_line);
+    qtest_client_set_tx_handler(s, qtest_client_socket_send);
+
     qtest_add_abrt_handler(kill_qemu_hook_func, s);
 
     command = g_strdup_printf("exec %s "
@@ -XXX,XX +XXX,XX @@ static void socket_send(int fd, const char *buf, size_t size)
     }
 }
 
-static void socket_sendf(int fd, const char *fmt, va_list ap)
+static void qtest_client_socket_send(QTestState *s, const char *buf)
 {
-    gchar *str = g_strdup_vprintf(fmt, ap);
-    size_t size = strlen(str);
-
-    socket_send(fd, str, size);
-    g_free(str);
+    socket_send(s->fd, buf, strlen(buf));
 }
 
 static void GCC_FMT_ATTR(2, 3) qtest_sendf(QTestState *s, const char *fmt, ...)
@@ -XXX,XX +XXX,XX @@ static void GCC_FMT_ATTR(2, 3) qtest_sendf(QTestState *s, const char *fmt, ...)
     va_list ap;
 
     va_start(ap, fmt);
-    socket_sendf(s->fd, fmt, ap);
+    gchar *str = g_strdup_vprintf(fmt, ap);
     va_end(ap);
+
+    s->ops.send(s, str);
+    g_free(str);
 }
 
 /* Sends a message and file descriptors to the socket.
@@ -XXX,XX +XXX,XX @@ static void socket_send_fds(int socket_fd, int *fds, size_t fds_num,
     g_assert_cmpint(ret, >, 0);
 }
 
-static GString *qtest_recv_line(QTestState *s)
+static GString *qtest_client_socket_recv_line(QTestState *s)
 {
     GString *line;
     size_t offset;
@@ -XXX,XX +XXX,XX @@ static gchar **qtest_rsp(QTestState *s, int expected_args)
     int i;
 
 redo:
-    line = qtest_recv_line(s);
+    line = s->ops.recv_line(s);
     words = g_strsplit(line->str, " ", 0);
     g_string_free(line, TRUE);
 
@@ -XXX,XX +XXX,XX @@ void qmp_assert_error_class(QDict *rsp, const char *class)
 
     qobject_unref(rsp);
 }
+
+static void qtest_client_set_tx_handler(QTestState *s,
+                    QTestSendFn send)
+{
+    s->ops.send = send;
+}
+static void qtest_client_set_rx_handler(QTestState *s, QTestRecvFn recv)
+{
+    s->ops.recv_line = recv;
+}
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

When using qtest "in-process" communication, qtest_sendf directly calls
a function in the server (qtest.c). Previously, bufwrite used
socket_send, which bypasses the TransportOps enabling the call into
qtest.c. This change replaces the socket_send calls with ops->send,
maintaining the benefits of the direct socket_send call, while adding
support for in-process qtest calls.

diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/libqtest.c
+++ b/tests/qtest/libqtest.c
@@ -XXX,XX +XXX,XX @@
 
 
 typedef void (*QTestSendFn)(QTestState *s, const char *buf);
+typedef void (*ExternalSendFn)(void *s, const char *buf);
 typedef GString* (*QTestRecvFn)(QTestState *);
 
 typedef struct QTestClientTransportOps {
     QTestSendFn     send;      /* for sending qtest commands */
+
+    /*
+     * use external_send to send qtest command strings through functions which
+     * do not accept a QTestState as the first parameter.
+     */
+    ExternalSendFn  external_send;
+
     QTestRecvFn     recv_line; /* for receiving qtest command responses */
 } QTestTransportOps;
 
@@ -XXX,XX +XXX,XX @@ void qtest_bufwrite(QTestState *s, uint64_t addr, const void *data, size_t size)
 
     bdata = g_base64_encode(data, size);
     qtest_sendf(s, "b64write 0x%" PRIx64 " 0x%zx ", addr, size);
-    socket_send(s->fd, bdata, strlen(bdata));
-    socket_send(s->fd, "\n", 1);
+    s->ops.send(s, bdata);
+    s->ops.send(s, "\n");
     qtest_rsp(s, 0);
     g_free(bdata);
 }
@@ -XXX,XX +XXX,XX @@ static void qtest_client_set_rx_handler(QTestState *s, QTestRecvFn recv)
 {
     s->ops.recv_line = recv;
 }
+/* A type-safe wrapper for s->send() */
+static void send_wrapper(QTestState *s, const char *buf)
+{
+    s->ops.external_send(s, buf);
+}
+
+static GString *qtest_client_inproc_recv_line(QTestState *s)
+{
+    GString *line;
+    size_t offset;
+    char *eol;
+
+    eol = strchr(s->rx->str, '\n');
+    offset = eol - s->rx->str;
+    line = g_string_new_len(s->rx->str, offset);
+    g_string_erase(s->rx, 0, offset + 1);
+    return line;
+}
+
+QTestState *qtest_inproc_init(QTestState **s, bool log, const char* arch,
+                    void (*send)(void*, const char*))
+{
+    QTestState *qts;
+    qts = g_new0(QTestState, 1);
+    *s = qts; /* Expose qts early on, since the query endianness relies on it */
+    qts->wstatus = 0;
+    for (int i = 0; i < MAX_IRQ; i++) {
+        qts->irq_level[i] = false;
+    }
+
+    qtest_client_set_rx_handler(qts, qtest_client_inproc_recv_line);
+
+    /* send() may not have a matching protoype, so use a type-safe wrapper */
+    qts->ops.external_send = send;
+    qtest_client_set_tx_handler(qts, send_wrapper);
+
+    qts->big_endian = qtest_query_target_endianness(qts);
+
+    /*
+     * Set a dummy path for QTEST_QEMU_BINARY. Doesn't need to exist, but this
+     * way, qtest_get_arch works for inproc qtest.
+     */
+    gchar *bin_path = g_strconcat("/qemu-system-", arch, NULL);
+    setenv("QTEST_QEMU_BINARY", bin_path, 0);
+    g_free(bin_path);
+
+    return qts;
+}
+
+void qtest_client_inproc_recv(void *opaque, const char *str)
+{
+    QTestState *qts = *(QTestState **)opaque;
+
+    if (!qts->rx) {
+        qts->rx = g_string_new(NULL);
+    }
+    g_string_append(qts->rx, str);
+    return;
+}
diff --git a/tests/qtest/libqtest.h b/tests/qtest/libqtest.h
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/libqtest.h
+++ b/tests/qtest/libqtest.h
@@ -XXX,XX +XXX,XX @@ bool qtest_probe_child(QTestState *s);
  */
 void qtest_set_expected_status(QTestState *s, int status);
 
+QTestState *qtest_inproc_init(QTestState **s, bool log, const char* arch,
+                    void (*send)(void*, const char*));
+
+void qtest_client_inproc_recv(void *opaque, const char *str);
 #endif
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

The handler allows a qtest client to send commands to the server by
directly calling a function, rather than using a file/CharBackend

From: Alexander Bulekov <alxndr@bu.edu>

The names i2c_send and i2c_recv collide with functions defined in
hw/i2c/core.c. This causes an error when linking against libqos and
softmmu simultaneously (for example when using qtest inproc). Rename the
libqos functions to avoid this.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-id: 20200220041118.23264-10-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/qtest/libqos/i2c.c   | 10 +++++-----
 tests/qtest/libqos/i2c.h   |  4 ++--
 tests/qtest/pca9552-test.c | 10 +++++-----
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/tests/qtest/libqos/i2c.c b/tests/qtest/libqos/i2c.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/libqos/i2c.c
+++ b/tests/qtest/libqos/i2c.c
@@ -XXX,XX +XXX,XX @@
 #include "libqos/i2c.h"
 #include "libqtest.h"
 
-void i2c_send(QI2CDevice *i2cdev, const uint8_t *buf, uint16_t len)
+void qi2c_send(QI2CDevice *i2cdev, const uint8_t *buf, uint16_t len)
 {
     i2cdev->bus->send(i2cdev->bus, i2cdev->addr, buf, len);
 }
 
-void i2c_recv(QI2CDevice *i2cdev, uint8_t *buf, uint16_t len)
+void qi2c_recv(QI2CDevice *i2cdev, uint8_t *buf, uint16_t len)
 {
     i2cdev->bus->recv(i2cdev->bus, i2cdev->addr, buf, len);
 }
@@ -XXX,XX +XXX,XX @@ void i2c_recv(QI2CDevice *i2cdev, uint8_t *buf, uint16_t len)
 void i2c_read_block(QI2CDevice *i2cdev, uint8_t reg,
                     uint8_t *buf, uint16_t len)
 {
-    i2c_send(i2cdev, &reg, 1);
-    i2c_recv(i2cdev, buf, len);
+    qi2c_send(i2cdev, &reg, 1);
+    qi2c_recv(i2cdev, buf, len);
 }
 
 void i2c_write_block(QI2CDevice *i2cdev, uint8_t reg,
@@ -XXX,XX +XXX,XX @@ void i2c_write_block(QI2CDevice *i2cdev, uint8_t reg,
     uint8_t *cmd = g_malloc(len + 1);
     cmd[0] = reg;
     memcpy(&cmd[1], buf, len);
-    i2c_send(i2cdev, cmd, len + 1);
+    qi2c_send(i2cdev, cmd, len + 1);
     g_free(cmd);
 }
 
diff --git a/tests/qtest/libqos/i2c.h b/tests/qtest/libqos/i2c.h
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/libqos/i2c.h
+++ b/tests/qtest/libqos/i2c.h
@@ -XXX,XX +XXX,XX @@ struct QI2CDevice {
 void *i2c_device_create(void *i2c_bus, QGuestAllocator *alloc, void *addr);
 void add_qi2c_address(QOSGraphEdgeOptions *opts, QI2CAddress *addr);
 
-void i2c_send(QI2CDevice *dev, const uint8_t *buf, uint16_t len);
-void i2c_recv(QI2CDevice *dev, uint8_t *buf, uint16_t len);
+void qi2c_send(QI2CDevice *dev, const uint8_t *buf, uint16_t len);
+void qi2c_recv(QI2CDevice *dev, uint8_t *buf, uint16_t len);
 
 void i2c_read_block(QI2CDevice *dev, uint8_t reg,
                     uint8_t *buf, uint16_t len);
diff --git a/tests/qtest/pca9552-test.c b/tests/qtest/pca9552-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/pca9552-test.c
+++ b/tests/qtest/pca9552-test.c
@@ -XXX,XX +XXX,XX @@ static void receive_autoinc(void *obj, void *data, QGuestAllocator *alloc)
 
     pca9552_init(i2cdev);
 
-    i2c_send(i2cdev, &reg, 1);
+    qi2c_send(i2cdev, &reg, 1);
 
     /* PCA9552_LS0 */
-    i2c_recv(i2cdev, &resp, 1);
+    qi2c_recv(i2cdev, &resp, 1);
     g_assert_cmphex(resp, ==, 0x54);
 
     /* PCA9552_LS1 */
-    i2c_recv(i2cdev, &resp, 1);
+    qi2c_recv(i2cdev, &resp, 1);
     g_assert_cmphex(resp, ==, 0x55);
 
     /* PCA9552_LS2 */
-    i2c_recv(i2cdev, &resp, 1);
+    qi2c_recv(i2cdev, &resp, 1);
     g_assert_cmphex(resp, ==, 0x55);
 
     /* PCA9552_LS3 */
-    i2c_recv(i2cdev, &resp, 1);
+    qi2c_recv(i2cdev, &resp, 1);
     g_assert_cmphex(resp, ==, 0x54);
 }
 
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

Most qos-related objects were specified in the qos-test-obj-y variable.
qos-test-obj-y also included qos-test.o which defines a main().
This made it difficult to repurpose qos-test-obj-y to link anything
beside tests/qos-test against libqos. This change separates objects that
are libqos-specific and ones that are qos-test specific into different
variables.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200220041118.23264-11-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/qtest/Makefile.include | 71 ++++++++++++++++++------------------
 1 file changed, 36 insertions(+), 35 deletions(-)

From: Alexander Bulekov <alxndr@bu.edu>

The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200220041118.23264-12-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/qtest/Makefile.include      |   1 +
 tests/qtest/libqos/qos_external.c | 168 ++++++++++++++++++++++++++++++
 tests/qtest/libqos/qos_external.h |  28 +++++
 tests/qtest/qos-test.c            | 132 +----------------------
 4 files changed, 198 insertions(+), 131 deletions(-)
 create mode 100644 tests/qtest/libqos/qos_external.c
 create mode 100644 tests/qtest/libqos/qos_external.h

diff --git a/tests/qtest/Makefile.include b/tests/qtest/Makefile.include
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/Makefile.include
+++ b/tests/qtest/Makefile.include
@@ -XXX,XX +XXX,XX @@ libqos-usb-obj-y = $(libqos-spapr-obj-y) $(libqos-pc-obj-y) tests/qtest/libqos/u
 # qos devices:
 libqos-obj-y =  $(libqgraph-obj-y)
 libqos-obj-y += $(libqos-pc-obj-y) $(libqos-spapr-obj-y)
+libqos-obj-y += tests/qtest/libqos/qos_external.o
 libqos-obj-y += tests/qtest/libqos/e1000e.o
 libqos-obj-y += tests/qtest/libqos/i2c.o
 libqos-obj-y += tests/qtest/libqos/i2c-imx.o
diff --git a/tests/qtest/libqos/qos_external.c b/tests/qtest/libqos/qos_external.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/libqos/qos_external.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * libqos driver framework
+ *
+ * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2 as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>
+ */
+
+#include "qemu/osdep.h"
+#include <getopt.h>
+#include "libqtest.h"
+#include "qapi/qmp/qdict.h"
+#include "qapi/qmp/qbool.h"
+#include "qapi/qmp/qstring.h"
+#include "qemu/module.h"
+#include "qapi/qmp/qlist.h"
+#include "libqos/malloc.h"
+#include "libqos/qgraph.h"
+#include "libqos/qgraph_internal.h"
+#include "libqos/qos_external.h"
+
+
+
+void apply_to_node(const char *name, bool is_machine, bool is_abstract)
+{
+    char *machine_name = NULL;
+    if (is_machine) {
+        const char *arch = qtest_get_arch();
+        machine_name = g_strconcat(arch, "/", name, NULL);
+        name = machine_name;
+    }
+    qos_graph_node_set_availability(name, true);
+    if (is_abstract) {
+        qos_delete_cmd_line(name);
+    }
+    g_free(machine_name);
+}
+
+/**
+ * apply_to_qlist(): using QMP queries QEMU for a list of
+ * machines and devices available, and sets the respective node
+ * as true. If a node is found, also all its produced and contained
+ * child are marked available.
+ *
+ * See qos_graph_node_set_availability() for more info
+ */
+void apply_to_qlist(QList *list, bool is_machine)
+{
+    const QListEntry *p;
+    const char *name;
+    bool abstract;
+    QDict *minfo;
+    QObject *qobj;
+    QString *qstr;
+    QBool *qbool;
+
+    for (p = qlist_first(list); p; p = qlist_next(p)) {
+        minfo = qobject_to(QDict, qlist_entry_obj(p));
+        qobj = qdict_get(minfo, "name");
+        qstr = qobject_to(QString, qobj);
+        name = qstring_get_str(qstr);
+
+        qobj = qdict_get(minfo, "abstract");
+        if (qobj) {
+            qbool = qobject_to(QBool, qobj);
+            abstract = qbool_get_bool(qbool);
+        } else {
+            abstract = false;
+        }
+
+        apply_to_node(name, is_machine, abstract);
+        qobj = qdict_get(minfo, "alias");
+        if (qobj) {
+            qstr = qobject_to(QString, qobj);
+            name = qstring_get_str(qstr);
+            apply_to_node(name, is_machine, abstract);
+        }
+    }
+}
+
+QGuestAllocator *get_machine_allocator(QOSGraphObject *obj)
+{
+    return obj->get_driver(obj, "memory");
+}
+
+/**
+ * allocate_objects(): given an array of nodes @arg,
+ * walks the path invoking all constructors and
+ * passing the corresponding parameter in order to
+ * continue the objects allocation.
+ * Once the test is reached, return the object it consumes.
+ *
+ * Since the machine and QEDGE_CONSUMED_BY nodes allocate
+ * memory in the constructor, g_test_queue_destroy is used so
+ * that after execution they can be safely free'd.  (The test's
+ * ->before callback is also welcome to use g_test_queue_destroy).
+ *
+ * Note: as specified in walk_path() too, @arg is an array of
+ * char *, where arg[0] is a pointer to the command line
+ * string that will be used to properly start QEMU when executing
+ * the test, and the remaining elements represent the actual objects
+ * that will be allocated.
+ */
+void *allocate_objects(QTestState *qts, char **path, QGuestAllocator **p_alloc)
+{
+    int current = 0;
+    QGuestAllocator *alloc;
+    QOSGraphObject *parent = NULL;
+    QOSGraphEdge *edge;
+    QOSGraphNode *node;
+    void *edge_arg;
+    void *obj;
+
+    node = qos_graph_get_node(path[current]);
+    g_assert(node->type == QNODE_MACHINE);
+
+    obj = qos_machine_new(node, qts);
+    qos_object_queue_destroy(obj);
+
+    alloc = get_machine_allocator(obj);
+    if (p_alloc) {
+        *p_alloc = alloc;
+    }
+
+    for (;;) {
+        if (node->type != QNODE_INTERFACE) {
+            qos_object_start_hw(obj);
+            parent = obj;
+        }
+
+        /* follow edge and get object for next node constructor */
+        current++;
+        edge = qos_graph_get_edge(path[current - 1], path[current]);
+        node = qos_graph_get_node(path[current]);
+
+        if (node->type == QNODE_TEST) {
+            g_assert(qos_graph_edge_get_type(edge) == QEDGE_CONSUMED_BY);
+            return obj;
+        }
+
+        switch (qos_graph_edge_get_type(edge)) {
+        case QEDGE_PRODUCES:
+            obj = parent->get_driver(parent, path[current]);
+            break;
+
+        case QEDGE_CONSUMED_BY:
+            edge_arg = qos_graph_edge_get_arg(edge);
+            obj = qos_driver_new(node, obj, alloc, edge_arg);
+            qos_object_queue_destroy(obj);
+            break;
+
+        case QEDGE_CONTAINS:
+            obj = parent->get_device(parent, path[current]);
+            break;
+        }
+    }
+}
+
diff --git a/tests/qtest/libqos/qos_external.h b/tests/qtest/libqos/qos_external.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/libqos/qos_external.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * libqos driver framework
+ *
+ * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2 as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifndef QOS_EXTERNAL_H
+#define QOS_EXTERNAL_H
+#include "libqos/qgraph.h"
+
+void apply_to_node(const char *name, bool is_machine, bool is_abstract);
+void apply_to_qlist(QList *list, bool is_machine);
+QGuestAllocator *get_machine_allocator(QOSGraphObject *obj);
+void *allocate_objects(QTestState *qts, char **path, QGuestAllocator **p_alloc);
+
+#endif
diff --git a/tests/qtest/qos-test.c b/tests/qtest/qos-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/qos-test.c
+++ b/tests/qtest/qos-test.c
@@ -XXX,XX +XXX,XX @@
 #include "libqos/malloc.h"
 #include "libqos/qgraph.h"
 #include "libqos/qgraph_internal.h"
+#include "libqos/qos_external.h"
 
 static char *old_path;
 
-static void apply_to_node(const char *name, bool is_machine, bool is_abstract)
-{
-    char *machine_name = NULL;
-    if (is_machine) {
-        const char *arch = qtest_get_arch();
-        machine_name = g_strconcat(arch, "/", name, NULL);
-        name = machine_name;
-    }
-    qos_graph_node_set_availability(name, true);
-    if (is_abstract) {
-        qos_delete_cmd_line(name);
-    }
-    g_free(machine_name);
-}
 
-/**
- * apply_to_qlist(): using QMP queries QEMU for a list of
- * machines and devices available, and sets the respective node
- * as true. If a node is found, also all its produced and contained
- * child are marked available.
- *
- * See qos_graph_node_set_availability() for more info
- */
-static void apply_to_qlist(QList *list, bool is_machine)
-{
-    const QListEntry *p;
-    const char *name;
-    bool abstract;
-    QDict *minfo;
-    QObject *qobj;
-    QString *qstr;
-    QBool *qbool;
-
-    for (p = qlist_first(list); p; p = qlist_next(p)) {
-        minfo = qobject_to(QDict, qlist_entry_obj(p));
-        qobj = qdict_get(minfo, "name");
-        qstr = qobject_to(QString, qobj);
-        name = qstring_get_str(qstr);
-
-        qobj = qdict_get(minfo, "abstract");
-        if (qobj) {
-            qbool = qobject_to(QBool, qobj);
-            abstract = qbool_get_bool(qbool);
-        } else {
-            abstract = false;
-        }
-
-        apply_to_node(name, is_machine, abstract);
-        qobj = qdict_get(minfo, "alias");
-        if (qobj) {
-            qstr = qobject_to(QString, qobj);
-            name = qstring_get_str(qstr);
-            apply_to_node(name, is_machine, abstract);
-        }
-    }
-}
 
 /**
  * qos_set_machines_devices_available(): sets availability of qgraph
@@ -XXX,XX +XXX,XX @@ static void qos_set_machines_devices_available(void)
     qobject_unref(response);
 }
 
-static QGuestAllocator *get_machine_allocator(QOSGraphObject *obj)
-{
-    return obj->get_driver(obj, "memory");
-}
 
 static void restart_qemu_or_continue(char *path)
 {
@@ -XXX,XX +XXX,XX @@ void qos_invalidate_command_line(void)
     old_path = NULL;
 }
 
-/**
- * allocate_objects(): given an array of nodes @arg,
- * walks the path invoking all constructors and
- * passing the corresponding parameter in order to
- * continue the objects allocation.
- * Once the test is reached, return the object it consumes.
- *
- * Since the machine and QEDGE_CONSUMED_BY nodes allocate
- * memory in the constructor, g_test_queue_destroy is used so
- * that after execution they can be safely free'd.  (The test's
- * ->before callback is also welcome to use g_test_queue_destroy).
- *
- * Note: as specified in walk_path() too, @arg is an array of
- * char *, where arg[0] is a pointer to the command line
- * string that will be used to properly start QEMU when executing
- * the test, and the remaining elements represent the actual objects
- * that will be allocated.
- */
-static void *allocate_objects(QTestState *qts, char **path, QGuestAllocator **p_alloc)
-{
-    int current = 0;
-    QGuestAllocator *alloc;
-    QOSGraphObject *parent = NULL;
-    QOSGraphEdge *edge;
-    QOSGraphNode *node;
-    void *edge_arg;
-    void *obj;
-
-    node = qos_graph_get_node(path[current]);
-    g_assert(node->type == QNODE_MACHINE);
-
-    obj = qos_machine_new(node, qts);
-    qos_object_queue_destroy(obj);
-
-    alloc = get_machine_allocator(obj);
-    if (p_alloc) {
-        *p_alloc = alloc;
-    }
-
-    for (;;) {
-        if (node->type != QNODE_INTERFACE) {
-            qos_object_start_hw(obj);
-            parent = obj;
-        }
-
-        /* follow edge and get object for next node constructor */
-        current++;
-        edge = qos_graph_get_edge(path[current - 1], path[current]);
-        node = qos_graph_get_node(path[current]);
-
-        if (node->type == QNODE_TEST) {
-            g_assert(qos_graph_edge_get_type(edge) == QEDGE_CONSUMED_BY);
-            return obj;
-        }
-
-        switch (qos_graph_edge_get_type(edge)) {
-        case QEDGE_PRODUCES:
-            obj = parent->get_driver(parent, path[current]);
-            break;
-
-        case QEDGE_CONSUMED_BY:
-            edge_arg = qos_graph_edge_get_arg(edge);
-            obj = qos_driver_new(node, obj, alloc, edge_arg);
-            qos_object_queue_destroy(obj);
-            break;
-
-        case QEDGE_CONTAINS:
-            obj = parent->get_device(parent, path[current]);
-            break;
-        }
-    }
-}
 
 /* The argument to run_one_test, which is the test function that is registered
  * with GTest, is a vector of strings.  The first item is the initial command
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

tests/fuzz/fuzz.c serves as the entry point for the virtual-device
fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and
LLVMFuzzerTestOneInput functions, both of which are defined in this
file. This change adds a "FuzzTarget" struct, along with the
fuzz_add_target function, which should be used to define new fuzz
targets.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200220041118.23264-13-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 MAINTAINERS                       |   8 ++
 tests/qtest/fuzz/Makefile.include |   6 +
 tests/qtest/fuzz/fuzz.c           | 179 ++++++++++++++++++++++++++++++
 tests/qtest/fuzz/fuzz.h           |  95 ++++++++++++++++
 4 files changed, 288 insertions(+)
 create mode 100644 tests/qtest/fuzz/Makefile.include
 create mode 100644 tests/qtest/fuzz/fuzz.c
 create mode 100644 tests/qtest/fuzz/fuzz.h

diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: qtest.c
 F: accel/qtest.c
 F: tests/qtest/
 
+Device Fuzzing
+M: Alexander Bulekov <alxndr@bu.edu>
+R: Paolo Bonzini <pbonzini@redhat.com>
+R: Bandan Das <bsd@redhat.com>
+R: Stefan Hajnoczi <stefanha@redhat.com>
+S: Maintained
+F: tests/qtest/fuzz/
+
 Register API
 M: Alistair Francis <alistair@alistair23.me>
 S: Maintained
diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/fuzz/Makefile.include
@@ -XXX,XX +XXX,XX @@
+QEMU_PROG_FUZZ=qemu-fuzz-$(TARGET_NAME)$(EXESUF)
+
+fuzz-obj-y += tests/qtest/libqtest.o
+fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
+
+FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/fuzz/fuzz.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * fuzzing driver
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ *  Alexander Bulekov   <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#include "qemu/osdep.h"
+
+#include <wordexp.h>
+
+#include "sysemu/qtest.h"
+#include "sysemu/runstate.h"
+#include "sysemu/sysemu.h"
+#include "qemu/main-loop.h"
+#include "tests/qtest/libqtest.h"
+#include "tests/qtest/libqos/qgraph.h"
+#include "fuzz.h"
+
+#define MAX_EVENT_LOOPS 10
+
+typedef struct FuzzTargetState {
+        FuzzTarget *target;
+        QSLIST_ENTRY(FuzzTargetState) target_list;
+} FuzzTargetState;
+
+typedef QSLIST_HEAD(, FuzzTargetState) FuzzTargetList;
+
+static const char *fuzz_arch = TARGET_NAME;
+
+static FuzzTargetList *fuzz_target_list;
+static FuzzTarget *fuzz_target;
+static QTestState *fuzz_qts;
+
+
+
+void flush_events(QTestState *s)
+{
+    int i = MAX_EVENT_LOOPS;
+    while (g_main_context_pending(NULL) && i-- > 0) {
+        main_loop_wait(false);
+    }
+}
+
+static QTestState *qtest_setup(void)
+{
+    qtest_server_set_send_handler(&qtest_client_inproc_recv, &fuzz_qts);
+    return qtest_inproc_init(&fuzz_qts, false, fuzz_arch,
+            &qtest_server_inproc_recv);
+}
+
+void fuzz_add_target(const FuzzTarget *target)
+{
+    FuzzTargetState *tmp;
+    FuzzTargetState *target_state;
+    if (!fuzz_target_list) {
+        fuzz_target_list = g_new0(FuzzTargetList, 1);
+    }
+
+    QSLIST_FOREACH(tmp, fuzz_target_list, target_list) {
+        if (g_strcmp0(tmp->target->name, target->name) == 0) {
+            fprintf(stderr, "Error: Fuzz target name %s already in use\n",
+                    target->name);
+            abort();
+        }
+    }
+    target_state = g_new0(FuzzTargetState, 1);
+    target_state->target = g_new0(FuzzTarget, 1);
+    *(target_state->target) = *target;
+    QSLIST_INSERT_HEAD(fuzz_target_list, target_state, target_list);
+}
+
+
+
+static void usage(char *path)
+{
+    printf("Usage: %s --fuzz-target=FUZZ_TARGET [LIBFUZZER ARGUMENTS]\n", path);
+    printf("where FUZZ_TARGET is one of:\n");
+    FuzzTargetState *tmp;
+    if (!fuzz_target_list) {
+        fprintf(stderr, "Fuzz target list not initialized\n");
+        abort();
+    }
+    QSLIST_FOREACH(tmp, fuzz_target_list, target_list) {
+        printf(" * %s  : %s\n", tmp->target->name,
+                tmp->target->description);
+    }
+    exit(0);
+}
+
+static FuzzTarget *fuzz_get_target(char* name)
+{
+    FuzzTargetState *tmp;
+    if (!fuzz_target_list) {
+        fprintf(stderr, "Fuzz target list not initialized\n");
+        abort();
+    }
+
+    QSLIST_FOREACH(tmp, fuzz_target_list, target_list) {
+        if (strcmp(tmp->target->name, name) == 0) {
+            return tmp->target;
+        }
+    }
+    return NULL;
+}
+
+
+/* Executed for each fuzzing-input */
+int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size)
+{
+    /*
+     * Do the pre-fuzz-initialization before the first fuzzing iteration,
+     * instead of before the actual fuzz loop. This is needed since libfuzzer
+     * may fork off additional workers, prior to the fuzzing loop, and if
+     * pre_fuzz() sets up e.g. shared memory, this should be done for the
+     * individual worker processes
+     */
+    static int pre_fuzz_done;
+    if (!pre_fuzz_done && fuzz_target->pre_fuzz) {
+        fuzz_target->pre_fuzz(fuzz_qts);
+        pre_fuzz_done = true;
+    }
+
+    fuzz_target->fuzz(fuzz_qts, Data, Size);
+    return 0;
+}
+
+/* Executed once, prior to fuzzing */
+int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
+{
+
+    char *target_name;
+
+    /* Initialize qgraph and modules */
+    qos_graph_init();
+    module_call_init(MODULE_INIT_FUZZ_TARGET);
+    module_call_init(MODULE_INIT_QOM);
+    module_call_init(MODULE_INIT_LIBQOS);
+
+    if (*argc <= 1) {
+        usage(**argv);
+    }
+
+    /* Identify the fuzz target */
+    target_name = (*argv)[1];
+    if (!strstr(target_name, "--fuzz-target=")) {
+        usage(**argv);
+    }
+
+    target_name += strlen("--fuzz-target=");
+
+    fuzz_target = fuzz_get_target(target_name);
+    if (!fuzz_target) {
+        usage(**argv);
+    }
+
+    fuzz_qts = qtest_setup();
+
+    if (fuzz_target->pre_vm_init) {
+        fuzz_target->pre_vm_init();
+    }
+
+    /* Run QEMU's softmmu main with the fuzz-target dependent arguments */
+    const char *init_cmdline = fuzz_target->get_init_cmdline(fuzz_target);
+
+    /* Split the runcmd into an argv and argc */
+    wordexp_t result;
+    wordexp(init_cmdline, &result, 0);
+
+    qemu_init(result.we_wordc, result.we_wordv, NULL);
+
+    return 0;
+}
diff --git a/tests/qtest/fuzz/fuzz.h b/tests/qtest/fuzz/fuzz.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/fuzz/fuzz.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * fuzzing driver
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ *  Alexander Bulekov   <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#ifndef FUZZER_H_
+#define FUZZER_H_
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
+
+#include "tests/qtest/libqtest.h"
+
+/**
+ * A libfuzzer fuzzing target
+ *
+ * The QEMU fuzzing binary is built with all available targets, each
+ * with a unique @name that can be specified on the command-line to
+ * select which target should run.
+ *
+ * A target must implement ->fuzz() to process a random input.  If QEMU
+ * crashes in ->fuzz() then libfuzzer will record a failure.
+ *
+ * Fuzzing targets are registered with fuzz_add_target():
+ *
+ *   static const FuzzTarget fuzz_target = {
+ *       .name = "my-device-fifo",
+ *       .description = "Fuzz the FIFO buffer registers of my-device",
+ *       ...
+ *   };
+ *
+ *   static void register_fuzz_target(void)
+ *   {
+ *       fuzz_add_target(&fuzz_target);
+ *   }
+ *   fuzz_target_init(register_fuzz_target);
+ */
+typedef struct FuzzTarget {
+    const char *name;         /* target identifier (passed to --fuzz-target=)*/
+    const char *description;  /* help text */
+
+
+    /*
+     * returns the arg-list that is passed to qemu/softmmu init()
+     * Cannot be NULL
+     */
+    const char* (*get_init_cmdline)(struct FuzzTarget *);
+
+    /*
+     * will run once, prior to running qemu/softmmu init.
+     * eg: set up shared-memory for communication with the child-process
+     * Can be NULL
+     */
+    void(*pre_vm_init)(void);
+
+    /*
+     * will run once, after QEMU has been initialized, prior to the fuzz-loop.
+     * eg: detect the memory map
+     * Can be NULL
+     */
+    void(*pre_fuzz)(QTestState *);
+
+    /*
+     * accepts and executes an input from libfuzzer. this is repeatedly
+     * executed during the fuzzing loop. Its should handle setup, input
+     * execution and cleanup.
+     * Cannot be NULL
+     */
+    void(*fuzz)(QTestState *, const unsigned char *, size_t);
+
+} FuzzTarget;
+
+void flush_events(QTestState *);
+void reboot(QTestState *);
+
+/*
+ * makes a copy of *target and adds it to the target-list.
+ * i.e. fine to set up target on the caller's stack
+ */
+void fuzz_add_target(const FuzzTarget *target);
+
+int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size);
+int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp);
+
+#endif
+
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

Ram blocks were marked MADV_DONTFORK breaking fuzzing-tests which
execute each test-input in a forked process.

diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/kvm.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/tcg.h"
+#include "sysemu/qtest.h"
 #include "qemu/timer.h"
 #include "qemu/config-file.h"
 #include "qemu/error-report.h"
@@ -XXX,XX +XXX,XX @@ static void ram_block_add(RAMBlock *new_block, Error **errp, bool shared)
     if (new_block->host) {
         qemu_ram_setup_dump(new_block->host, new_block->max_length);
         qemu_madvise(new_block->host, new_block->max_length, QEMU_MADV_HUGEPAGE);
-        /* MADV_DONTFORK is also needed by KVM in absence of synchronous MMU */
-        qemu_madvise(new_block->host, new_block->max_length, QEMU_MADV_DONTFORK);
+        /*
+         * MADV_DONTFORK is also needed by KVM in absence of synchronous MMU
+         * Configure it unless the machine is a qtest server, in which case
+         * KVM is not used and it may be forked (eg for fuzzing purposes).
+         */
+        if (!qtest_enabled()) {
+            qemu_madvise(new_block->host, new_block->max_length,
+                         QEMU_MADV_DONTFORK);
+        }
         ram_block_notify_add(new_block->host, new_block->max_length);
     }
 }
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

The qtest-based fuzzer makes use of forking to reset-state between
tests. Keep the callback enabled, so the call_rcu thread gets created
within the child process.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20200220041118.23264-15-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 softmmu/vl.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/softmmu/vl.c b/softmmu/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -XXX,XX +XXX,XX @@ void qemu_init(int argc, char **argv, char **envp)
     set_memory_options(&ram_slots, &maxram_size, machine_class);
 
     os_daemonize();
-    rcu_disable_atfork();
+
+    /*
+     * If QTest is enabled, keep the rcu_atfork enabled, since system processes
+     * may be forked testing purposes (e.g. fork-server based fuzzing) The fork
+     * should happen before a signle cpu instruction is executed, to prevent
+     * deadlocks. See commit 73c6e40, rcu: "completely disable pthread_atfork
+     * callbacks as soon as possible"
+     */
+    if (!qtest_enabled()) {
+        rcu_disable_atfork();
+    }
 
     if (pid_file && !qemu_write_pidfile(pid_file, &err)) {
         error_reportf_err(err, "cannot create PID file: ");
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

fork() is a simple way to ensure that state does not leak in between
fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
bitmaps which contain coverage information for each fuzzing run, and
these bitmaps should be copied from the child to the parent(where the
mutation occurs). These bitmaps are created through compile-time
instrumentation and they are not shared with fork()-ed processes, by
default. To address this, we create a shared memory region, adjust its
size and map it _over_ the counter region. Furthermore, libfuzzer
doesn't generally expose the globals that specify the location of the
counters/coverage bitmap. As a workaround, we rely on a custom linker
script which forces all of the bitmaps we care about to be placed in a
contiguous region, which is easy to locate and mmap over.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200220041118.23264-16-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/qtest/fuzz/Makefile.include |  5 +++
 tests/qtest/fuzz/fork_fuzz.c      | 55 +++++++++++++++++++++++++++++++
 tests/qtest/fuzz/fork_fuzz.h      | 23 +++++++++++++
 tests/qtest/fuzz/fork_fuzz.ld     | 37 +++++++++++++++++++++
 4 files changed, 120 insertions(+)
 create mode 100644 tests/qtest/fuzz/fork_fuzz.c
 create mode 100644 tests/qtest/fuzz/fork_fuzz.h
 create mode 100644 tests/qtest/fuzz/fork_fuzz.ld

From: Alexander Bulekov <alxndr@bu.edu>

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200220041118.23264-17-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/qtest/fuzz/Makefile.include |   2 +
 tests/qtest/fuzz/qos_fuzz.c       | 234 ++++++++++++++++++++++++++++++
 tests/qtest/fuzz/qos_fuzz.h       |  33 +++++
 3 files changed, 269 insertions(+)
 create mode 100644 tests/qtest/fuzz/qos_fuzz.c
 create mode 100644 tests/qtest/fuzz/qos_fuzz.h

diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/fuzz/Makefile.include
+++ b/tests/qtest/fuzz/Makefile.include
@@ -XXX,XX +XXX,XX @@
 QEMU_PROG_FUZZ=qemu-fuzz-$(TARGET_NAME)$(EXESUF)
 
 fuzz-obj-y += tests/qtest/libqtest.o
+fuzz-obj-y += $(libqos-obj-y)
 fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
 fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o
+fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
 
 FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
 
diff --git a/tests/qtest/fuzz/qos_fuzz.c b/tests/qtest/fuzz/qos_fuzz.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/fuzz/qos_fuzz.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * QOS-assisted fuzzing helpers
+ *
+ * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2 as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
+#include "qemu-common.h"
+#include "exec/memory.h"
+#include "exec/address-spaces.h"
+#include "sysemu/sysemu.h"
+#include "qemu/main-loop.h"
+
+#include "tests/qtest/libqtest.h"
+#include "tests/qtest/libqos/malloc.h"
+#include "tests/qtest/libqos/qgraph.h"
+#include "tests/qtest/libqos/qgraph_internal.h"
+#include "tests/qtest/libqos/qos_external.h"
+
+#include "fuzz.h"
+#include "qos_fuzz.h"
+
+#include "qapi/qapi-commands-machine.h"
+#include "qapi/qapi-commands-qom.h"
+#include "qapi/qmp/qlist.h"
+
+
+void *fuzz_qos_obj;
+QGuestAllocator *fuzz_qos_alloc;
+
+static const char *fuzz_target_name;
+static char **fuzz_path_vec;
+
+/*
+ * Replaced the qmp commands with direct qmp_marshal calls.
+ * Probably there is a better way to do this
+ */
+static void qos_set_machines_devices_available(void)
+{
+    QDict *req = qdict_new();
+    QObject *response;
+    QDict *args = qdict_new();
+    QList *lst;
+    Error *err = NULL;
+
+    qmp_marshal_query_machines(NULL, &response, &err);
+    assert(!err);
+    lst = qobject_to(QList, response);
+    apply_to_qlist(lst, true);
+
+    qobject_unref(response);
+
+
+    qdict_put_str(req, "execute", "qom-list-types");
+    qdict_put_str(args, "implements", "device");
+    qdict_put_bool(args, "abstract", true);
+    qdict_put_obj(req, "arguments", (QObject *) args);
+
+    qmp_marshal_qom_list_types(args, &response, &err);
+    assert(!err);
+    lst = qobject_to(QList, response);
+    apply_to_qlist(lst, false);
+    qobject_unref(response);
+    qobject_unref(req);
+}
+
+static char **current_path;
+
+void *qos_allocate_objects(QTestState *qts, QGuestAllocator **p_alloc)
+{
+    return allocate_objects(qts, current_path + 1, p_alloc);
+}
+
+static const char *qos_build_main_args(void)
+{
+    char **path = fuzz_path_vec;
+    QOSGraphNode *test_node;
+    GString *cmd_line = g_string_new(path[0]);
+    void *test_arg;
+
+    if (!path) {
+        fprintf(stderr, "QOS Path not found\n");
+        abort();
+    }
+
+    /* Before test */
+    current_path = path;
+    test_node = qos_graph_get_node(path[(g_strv_length(path) - 1)]);
+    test_arg = test_node->u.test.arg;
+    if (test_node->u.test.before) {
+        test_arg = test_node->u.test.before(cmd_line, test_arg);
+    }
+    /* Prepend the arguments that we need */
+    g_string_prepend(cmd_line,
+            TARGET_NAME " -display none -machine accel=qtest -m 64 ");
+    return cmd_line->str;
+}
+
+/*
+ * This function is largely a copy of qos-test.c:walk_path. Since walk_path
+ * is itself a callback, its a little annoying to add another argument/layer of
+ * indirection
+ */
+static void walk_path(QOSGraphNode *orig_path, int len)
+{
+    QOSGraphNode *path;
+    QOSGraphEdge *edge;
+
+    /* etype set to QEDGE_CONSUMED_BY so that machine can add to the command line */
+    QOSEdgeType etype = QEDGE_CONSUMED_BY;
+
+    /* twice QOS_PATH_MAX_ELEMENT_SIZE since each edge can have its arg */
+    char **path_vec = g_new0(char *, (QOS_PATH_MAX_ELEMENT_SIZE * 2));
+    int path_vec_size = 0;
+
+    char *after_cmd, *before_cmd, *after_device;
+    GString *after_device_str = g_string_new("");
+    char *node_name = orig_path->name, *path_str;
+
+    GString *cmd_line = g_string_new("");
+    GString *cmd_line2 = g_string_new("");
+
+    path = qos_graph_get_node(node_name); /* root */
+    node_name = qos_graph_edge_get_dest(path->path_edge); /* machine name */
+
+    path_vec[path_vec_size++] = node_name;
+    path_vec[path_vec_size++] = qos_get_machine_type(node_name);
+
+    for (;;) {
+        path = qos_graph_get_node(node_name);
+        if (!path->path_edge) {
+            break;
+        }
+
+        node_name = qos_graph_edge_get_dest(path->path_edge);
+
+        /* append node command line + previous edge command line */
+        if (path->command_line && etype == QEDGE_CONSUMED_BY) {
+            g_string_append(cmd_line, path->command_line);
+            g_string_append(cmd_line, after_device_str->str);
+            g_string_truncate(after_device_str, 0);
+        }
+
+        path_vec[path_vec_size++] = qos_graph_edge_get_name(path->path_edge);
+        /* detect if edge has command line args */
+        after_cmd = qos_graph_edge_get_after_cmd_line(path->path_edge);
+        after_device = qos_graph_edge_get_extra_device_opts(path->path_edge);
+        before_cmd = qos_graph_edge_get_before_cmd_line(path->path_edge);
+        edge = qos_graph_get_edge(path->name, node_name);
+        etype = qos_graph_edge_get_type(edge);
+
+        if (before_cmd) {
+            g_string_append(cmd_line, before_cmd);
+        }
+        if (after_cmd) {
+            g_string_append(cmd_line2, after_cmd);
+        }
+        if (after_device) {
+            g_string_append(after_device_str, after_device);
+        }
+    }
+
+    path_vec[path_vec_size++] = NULL;
+    g_string_append(cmd_line, after_device_str->str);
+    g_string_free(after_device_str, true);
+
+    g_string_append(cmd_line, cmd_line2->str);
+    g_string_free(cmd_line2, true);
+
+    /*
+     * here position 0 has <arch>/<machine>, position 1 has <machine>.
+     * The path must not have the <arch>, qtest_add_data_func adds it.
+     */
+    path_str = g_strjoinv("/", path_vec + 1);
+
+    /* Check that this is the test we care about: */
+    char *test_name = strrchr(path_str, '/') + 1;
+    if (strcmp(test_name, fuzz_target_name) == 0) {
+        /*
+         * put arch/machine in position 1 so run_one_test can do its work
+         * and add the command line at position 0.
+         */
+        path_vec[1] = path_vec[0];
+        path_vec[0] = g_string_free(cmd_line, false);
+
+        fuzz_path_vec = path_vec;
+    } else {
+        g_free(path_vec);
+    }
+
+    g_free(path_str);
+}
+
+static const char *qos_get_cmdline(FuzzTarget *t)
+{
+    /*
+     * Set a global variable that we use to identify the qos_path for our
+     * fuzz_target
+     */
+    fuzz_target_name = t->name;
+    qos_set_machines_devices_available();
+    qos_graph_foreach_test_path(walk_path);
+    return qos_build_main_args();
+}
+
+void fuzz_add_qos_target(
+        FuzzTarget *fuzz_opts,
+        const char *interface,
+        QOSGraphTestOptions *opts
+        )
+{
+    qos_add_test(fuzz_opts->name, interface, NULL, opts);
+    fuzz_opts->get_init_cmdline = qos_get_cmdline;
+    fuzz_add_target(fuzz_opts);
+}
+
+void qos_init_path(QTestState *s)
+{
+    fuzz_qos_obj = qos_allocate_objects(s , &fuzz_qos_alloc);
+}
diff --git a/tests/qtest/fuzz/qos_fuzz.h b/tests/qtest/fuzz/qos_fuzz.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/fuzz/qos_fuzz.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * QOS-assisted fuzzing helpers
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ *  Alexander Bulekov   <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef _QOS_FUZZ_H_
+#define _QOS_FUZZ_H_
+
+#include "tests/qtest/fuzz/fuzz.h"
+#include "tests/qtest/libqos/qgraph.h"
+
+int qos_fuzz(const unsigned char *Data, size_t Size);
+void qos_setup(void);
+
+extern void *fuzz_qos_obj;
+extern QGuestAllocator *fuzz_qos_alloc;
+
+void fuzz_add_qos_target(
+        FuzzTarget *fuzz_opts,
+        const char *interface,
+        QOSGraphTestOptions *opts
+        );
+
+void qos_init_path(QTestState *);
+
+#endif
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20200220041118.23264-18-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 Makefile        | 15 ++++++++++++++-
 Makefile.target | 16 ++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index XXXXXXX..XXXXXXX 100644
--- a/Makefile
+++ b/Makefile
@@ -XXX,XX +XXX,XX @@ config-host.h-timestamp: config-host.mak
 qemu-options.def: $(SRC_PATH)/qemu-options.hx $(SRC_PATH)/scripts/hxtool
 	$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -h < $< > $@,"GEN","$@")
 
-TARGET_DIRS_RULES := $(foreach t, all clean install, $(addsuffix /$(t), $(TARGET_DIRS)))
+TARGET_DIRS_RULES := $(foreach t, all fuzz clean install, $(addsuffix /$(t), $(TARGET_DIRS)))
 
 SOFTMMU_ALL_RULES=$(filter %-softmmu/all, $(TARGET_DIRS_RULES))
 $(SOFTMMU_ALL_RULES): $(authz-obj-y)
@@ -XXX,XX +XXX,XX @@ ifdef DECOMPRESS_EDK2_BLOBS
 $(SOFTMMU_ALL_RULES): $(edk2-decompressed)
 endif
 
+SOFTMMU_FUZZ_RULES=$(filter %-softmmu/fuzz, $(TARGET_DIRS_RULES))
+$(SOFTMMU_FUZZ_RULES): $(authz-obj-y)
+$(SOFTMMU_FUZZ_RULES): $(block-obj-y)
+$(SOFTMMU_FUZZ_RULES): $(chardev-obj-y)
+$(SOFTMMU_FUZZ_RULES): $(crypto-obj-y)
+$(SOFTMMU_FUZZ_RULES): $(io-obj-y)
+$(SOFTMMU_FUZZ_RULES): config-all-devices.mak
+$(SOFTMMU_FUZZ_RULES): $(edk2-decompressed)
+
 .PHONY: $(TARGET_DIRS_RULES)
 # The $(TARGET_DIRS_RULES) are of the form SUBDIR/GOAL, so that
 # $(dir $@) yields the sub-directory, and $(notdir $@) yields the sub-goal
@@ -XXX,XX +XXX,XX @@ subdir-slirp: slirp/all
 $(filter %/all, $(TARGET_DIRS_RULES)): libqemuutil.a $(common-obj-y) \
 	$(qom-obj-y)
 
+$(filter %/fuzz, $(TARGET_DIRS_RULES)): libqemuutil.a $(common-obj-y) \
+	$(qom-obj-y) $(crypto-user-obj-$(CONFIG_USER_ONLY))
+
 ROM_DIRS = $(addprefix pc-bios/, $(ROMS))
 ROM_DIRS_RULES=$(foreach t, all clean, $(addsuffix /$(t), $(ROM_DIRS)))
 # Only keep -O and -g cflags
@@ -XXX,XX +XXX,XX @@ $(ROM_DIRS_RULES):
 
 .PHONY: recurse-all recurse-clean recurse-install
 recurse-all: $(addsuffix /all, $(TARGET_DIRS) $(ROM_DIRS))
+recurse-fuzz: $(addsuffix /fuzz, $(TARGET_DIRS) $(ROM_DIRS))
 recurse-clean: $(addsuffix /clean, $(TARGET_DIRS) $(ROM_DIRS))
 recurse-install: $(addsuffix /install, $(TARGET_DIRS))
 $(addsuffix /install, $(TARGET_DIRS)): all
diff --git a/Makefile.target b/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -XXX,XX +XXX,XX @@ ifdef CONFIG_TRACE_SYSTEMTAP
 	rm -f *.stp
 endif
 
+ifdef CONFIG_FUZZ
+include $(SRC_PATH)/tests/qtest/fuzz/Makefile.include
+include $(SRC_PATH)/tests/qtest/Makefile.include
+
+fuzz: fuzz-vars
+fuzz-vars: QEMU_CFLAGS := $(FUZZ_CFLAGS) $(QEMU_CFLAGS)
+fuzz-vars: QEMU_LDFLAGS := $(FUZZ_LDFLAGS) $(QEMU_LDFLAGS)
+fuzz-vars: $(QEMU_PROG_FUZZ)
+dummy := $(call unnest-vars,, fuzz-obj-y)
+
+
+$(QEMU_PROG_FUZZ): config-devices.mak $(all-obj-y) $(COMMON_LDADDS) $(fuzz-obj-y)
+	$(call LINK, $(filter-out %.mak, $^))
+
+endif
+
 install: all
 ifneq ($(PROGS),)
 	$(call install-prog,$(PROGS),$(DESTDIR)$(bindir))
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

diff --git a/configure b/configure
index XXXXXXX..XXXXXXX 100755
--- a/configure
+++ b/configure
@@ -XXX,XX +XXX,XX @@ debug_mutex="no"
 libpmem=""
 default_devices="yes"
 plugins="no"
+fuzzing="no"
 
 supported_cpu="no"
 supported_os="no"
@@ -XXX,XX +XXX,XX @@ int main(void) { return 0; }
 EOF
 }
 
+write_c_fuzzer_skeleton() {
+    cat > $TMPC <<EOF
+#include <stdint.h>
+#include <sys/types.h>
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { return 0; }
+EOF
+}
+
 if check_define __linux__ ; then
   targetos="Linux"
 elif check_define _WIN32 ; then
@@ -XXX,XX +XXX,XX @@ for opt do
   ;;
   --disable-containers) use_containers="no"
   ;;
+  --enable-fuzzing) fuzzing=yes
+  ;;
+  --disable-fuzzing) fuzzing=no
+  ;;
   *)
       echo "ERROR: unknown option $opt"
       echo "Try '$0 --help' for more information"
@@ -XXX,XX +XXX,XX @@ EOF
   fi
 fi
 
+##########################################
+# checks for fuzzer
+if test "$fuzzing" = "yes" ; then
+  write_c_fuzzer_skeleton
+  if compile_prog "$CPU_CFLAGS -Werror -fsanitize=address,fuzzer" ""; then
+      have_fuzzer=yes
+  fi
+fi
+
 ##########################################
 # check for libpmem
 
@@ -XXX,XX +XXX,XX @@ echo "libpmem support   $libpmem"
 echo "libudev           $libudev"
 echo "default devices   $default_devices"
 echo "plugin support    $plugins"
+echo "fuzzing support   $fuzzing"
 
 if test "$supported_cpu" = "no"; then
     echo
@@ -XXX,XX +XXX,XX @@ fi
 if test "$sheepdog" = "yes" ; then
   echo "CONFIG_SHEEPDOG=y" >> $config_host_mak
 fi
+if test "$fuzzing" = "yes" ; then
+  if test "$have_fuzzer" = "yes"; then
+    FUZZ_LDFLAGS=" -fsanitize=address,fuzzer"
+    FUZZ_CFLAGS=" -fsanitize=address,fuzzer"
+    CFLAGS=" -fsanitize=address,fuzzer-no-link"
+  else
+    error_exit "Your compiler doesn't support -fsanitize=address,fuzzer"
+    exit 1
+  fi
+fi
 
 if test "$plugins" = "yes" ; then
     echo "CONFIG_PLUGIN=y" >> $config_host_mak
@@ -XXX,XX +XXX,XX @@ if test "$libudev" != "no"; then
     echo "CONFIG_LIBUDEV=y" >> $config_host_mak
     echo "LIBUDEV_LIBS=$libudev_libs" >> $config_host_mak
 fi
+if test "$fuzzing" != "no"; then
+    echo "CONFIG_FUZZ=y" >> $config_host_mak
+    echo "FUZZ_CFLAGS=$FUZZ_CFLAGS" >> $config_host_mak
+    echo "FUZZ_LDFLAGS=$FUZZ_LDFLAGS" >> $config_host_mak
+fi
 
 if test "$edk2_blobs" = "yes" ; then
   echo "DECOMPRESS_EDK2_BLOBS=y" >> $config_host_mak
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

These three targets should simply fuzz reads/writes to a couple ioports,
but they mostly serve as examples of different ways to write targets.
They demonstrate using qtest and qos for fuzzing, as well as using
rebooting and forking to reset state, or not resetting it at all.

diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/fuzz/Makefile.include
+++ b/tests/qtest/fuzz/Makefile.include
@@ -XXX,XX +XXX,XX @@ fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
 fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o
 fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
 
+# Targets
+fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o
+
 FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
 
 # Linker Script to force coverage-counters into known regions which we can mark
diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/fuzz/i440fx_fuzz.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * I440FX Fuzzing Target
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ *  Alexander Bulekov   <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "qemu/main-loop.h"
+#include "tests/qtest/libqtest.h"
+#include "tests/qtest/libqos/pci.h"
+#include "tests/qtest/libqos/pci-pc.h"
+#include "fuzz.h"
+#include "fuzz/qos_fuzz.h"
+#include "fuzz/fork_fuzz.h"
+
+
+#define I440FX_PCI_HOST_BRIDGE_CFG 0xcf8
+#define I440FX_PCI_HOST_BRIDGE_DATA 0xcfc
+
+/*
+ * the input to the fuzzing functions below is a buffer of random bytes. we
+ * want to convert these bytes into a sequence of qtest or qos calls. to do
+ * this we define some opcodes:
+ */
+enum action_id {
+    WRITEB,
+    WRITEW,
+    WRITEL,
+    READB,
+    READW,
+    READL,
+    ACTION_MAX
+};
+
+static void i440fx_fuzz_qtest(QTestState *s,
+        const unsigned char *Data, size_t Size) {
+    /*
+     * loop over the Data, breaking it up into actions. each action has an
+     * opcode, address offset and value
+     */
+    typedef struct QTestFuzzAction {
+        uint8_t opcode;
+        uint8_t addr;
+        uint32_t value;
+    } QTestFuzzAction;
+    QTestFuzzAction a;
+
+    while (Size >= sizeof(a)) {
+        /* make a copy of the action so we can normalize the values in-place */
+        memcpy(&a, Data, sizeof(a));
+        /* select between two i440fx Port IO addresses */
+        uint16_t addr = a.addr % 2 ? I440FX_PCI_HOST_BRIDGE_CFG :
+                                      I440FX_PCI_HOST_BRIDGE_DATA;
+        switch (a.opcode % ACTION_MAX) {
+        case WRITEB:
+            qtest_outb(s, addr, (uint8_t)a.value);
+            break;
+        case WRITEW:
+            qtest_outw(s, addr, (uint16_t)a.value);
+            break;
+        case WRITEL:
+            qtest_outl(s, addr, (uint32_t)a.value);
+            break;
+        case READB:
+            qtest_inb(s, addr);
+            break;
+        case READW:
+            qtest_inw(s, addr);
+            break;
+        case READL:
+            qtest_inl(s, addr);
+            break;
+        }
+        /* Move to the next operation */
+        Size -= sizeof(a);
+        Data += sizeof(a);
+    }
+    flush_events(s);
+}
+
+static void i440fx_fuzz_qos(QTestState *s,
+        const unsigned char *Data, size_t Size) {
+    /*
+     * Same as i440fx_fuzz_qtest, but using QOS. devfn is incorporated into the
+     * value written over Port IO
+     */
+    typedef struct QOSFuzzAction {
+        uint8_t opcode;
+        uint8_t offset;
+        int devfn;
+        uint32_t value;
+    } QOSFuzzAction;
+
+    static QPCIBus *bus;
+    if (!bus) {
+        bus = qpci_new_pc(s, fuzz_qos_alloc);
+    }
+
+    QOSFuzzAction a;
+    while (Size >= sizeof(a)) {
+        memcpy(&a, Data, sizeof(a));
+        switch (a.opcode % ACTION_MAX) {
+        case WRITEB:
+            bus->config_writeb(bus, a.devfn, a.offset, (uint8_t)a.value);
+            break;
+        case WRITEW:
+            bus->config_writew(bus, a.devfn, a.offset, (uint16_t)a.value);
+            break;
+        case WRITEL:
+            bus->config_writel(bus, a.devfn, a.offset, (uint32_t)a.value);
+            break;
+        case READB:
+            bus->config_readb(bus, a.devfn, a.offset);
+            break;
+        case READW:
+            bus->config_readw(bus, a.devfn, a.offset);
+            break;
+        case READL:
+            bus->config_readl(bus, a.devfn, a.offset);
+            break;
+        }
+        Size -= sizeof(a);
+        Data += sizeof(a);
+    }
+    flush_events(s);
+}
+
+static void i440fx_fuzz_qos_fork(QTestState *s,
+        const unsigned char *Data, size_t Size) {
+    if (fork() == 0) {
+        i440fx_fuzz_qos(s, Data, Size);
+        _Exit(0);
+    } else {
+        wait(NULL);
+    }
+}
+
+static const char *i440fx_qtest_argv = TARGET_NAME " -machine accel=qtest"
+                                       "-m 0 -display none";
+static const char *i440fx_argv(FuzzTarget *t)
+{
+    return i440fx_qtest_argv;
+}
+
+static void fork_init(void)
+{
+    counter_shm_init();
+}
+
+static void register_pci_fuzz_targets(void)
+{
+    /* Uses simple qtest commands and reboots to reset state */
+    fuzz_add_target(&(FuzzTarget){
+                .name = "i440fx-qtest-reboot-fuzz",
+                .description = "Fuzz the i440fx using raw qtest commands and"
+                               "rebooting after each run",
+                .get_init_cmdline = i440fx_argv,
+                .fuzz = i440fx_fuzz_qtest});
+
+    /* Uses libqos and forks to prevent state leakage */
+    fuzz_add_qos_target(&(FuzzTarget){
+                .name = "i440fx-qos-fork-fuzz",
+                .description = "Fuzz the i440fx using raw qtest commands and"
+                               "rebooting after each run",
+                .pre_vm_init = &fork_init,
+                .fuzz = i440fx_fuzz_qos_fork,},
+                "i440FX-pcihost",
+                &(QOSGraphTestOptions){}
+                );
+
+    /*
+     * Uses libqos. Doesn't do anything to reset state. Note that if we were to
+     * reboot after each run, we would also have to redo the qos-related
+     * initialization (qos_init_path)
+     */
+    fuzz_add_qos_target(&(FuzzTarget){
+                .name = "i440fx-qos-noreset-fuzz",
+                .description = "Fuzz the i440fx using raw qtest commands and"
+                               "rebooting after each run",
+                .fuzz = i440fx_fuzz_qos,},
+                "i440FX-pcihost",
+                &(QOSGraphTestOptions){}
+                );
+}
+
+fuzz_target_init(register_pci_fuzz_targets);
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.

diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/fuzz/Makefile.include
+++ b/tests/qtest/fuzz/Makefile.include
@@ -XXX,XX +XXX,XX @@ fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
 
 # Targets
 fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o
+fuzz-obj-y += tests/qtest/fuzz/virtio_net_fuzz.o
 
 FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
 
diff --git a/tests/qtest/fuzz/virtio_net_fuzz.c b/tests/qtest/fuzz/virtio_net_fuzz.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/fuzz/virtio_net_fuzz.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * virtio-net Fuzzing Target
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ *  Alexander Bulekov   <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "standard-headers/linux/virtio_config.h"
+#include "tests/qtest/libqtest.h"
+#include "tests/qtest/libqos/virtio-net.h"
+#include "fuzz.h"
+#include "fork_fuzz.h"
+#include "qos_fuzz.h"
+
+
+#define QVIRTIO_NET_TIMEOUT_US (30 * 1000 * 1000)
+#define QVIRTIO_RX_VQ 0
+#define QVIRTIO_TX_VQ 1
+#define QVIRTIO_CTRL_VQ 2
+
+static int sockfds[2];
+static bool sockfds_initialized;
+
+static void virtio_net_fuzz_multi(QTestState *s,
+        const unsigned char *Data, size_t Size, bool check_used)
+{
+    typedef struct vq_action {
+        uint8_t queue;
+        uint8_t length;
+        uint8_t write;
+        uint8_t next;
+        uint8_t rx;
+    } vq_action;
+
+    uint32_t free_head = 0;
+
+    QGuestAllocator *t_alloc = fuzz_qos_alloc;
+
+    QVirtioNet *net_if = fuzz_qos_obj;
+    QVirtioDevice *dev = net_if->vdev;
+    QVirtQueue *q;
+    vq_action vqa;
+    while (Size >= sizeof(vqa)) {
+        memcpy(&vqa, Data, sizeof(vqa));
+        Data += sizeof(vqa);
+        Size -= sizeof(vqa);
+
+        q = net_if->queues[vqa.queue % 3];
+
+        vqa.length = vqa.length >= Size ? Size :  vqa.length;
+
+        /*
+         * Only attempt to write incoming packets, when using the socket
+         * backend. Otherwise, always place the input on a virtqueue.
+         */
+        if (vqa.rx && sockfds_initialized) {
+            write(sockfds[0], Data, vqa.length);
+        } else {
+            vqa.rx = 0;
+            uint64_t req_addr = guest_alloc(t_alloc, vqa.length);
+            /*
+             * If checking used ring, ensure that the fuzzer doesn't trigger
+             * trivial asserion failure on zero-zied buffer
+             */
+            qtest_memwrite(s, req_addr, Data, vqa.length);
+
+
+            free_head = qvirtqueue_add(s, q, req_addr, vqa.length,
+                    vqa.write, vqa.next);
+            qvirtqueue_add(s, q, req_addr, vqa.length, vqa.write , vqa.next);
+            qvirtqueue_kick(s, dev, q, free_head);
+        }
+
+        /* Run the main loop */
+        qtest_clock_step(s, 100);
+        flush_events(s);
+
+        /* Wait on used descriptors */
+        if (check_used && !vqa.rx) {
+            gint64 start_time = g_get_monotonic_time();
+            /*
+             * normally, we could just use qvirtio_wait_used_elem, but since we
+             * must manually run the main-loop for all the bhs to run, we use
+             * this hack with flush_events(), to run the main_loop
+             */
+            while (!vqa.rx && q != net_if->queues[QVIRTIO_RX_VQ]) {
+                uint32_t got_desc_idx;
+                /* Input led to a virtio_error */
+                if (dev->bus->get_status(dev) & VIRTIO_CONFIG_S_NEEDS_RESET) {
+                    break;
+                }
+                if (dev->bus->get_queue_isr_status(dev, q) &&
+                        qvirtqueue_get_buf(s, q, &got_desc_idx, NULL)) {
+                    g_assert_cmpint(got_desc_idx, ==, free_head);
+                    break;
+                }
+                g_assert(g_get_monotonic_time() - start_time
+                        <= QVIRTIO_NET_TIMEOUT_US);
+
+                /* Run the main loop */
+                qtest_clock_step(s, 100);
+                flush_events(s);
+            }
+        }
+        Data += vqa.length;
+        Size -= vqa.length;
+    }
+}
+
+static void virtio_net_fork_fuzz(QTestState *s,
+        const unsigned char *Data, size_t Size)
+{
+    if (fork() == 0) {
+        virtio_net_fuzz_multi(s, Data, Size, false);
+        flush_events(s);
+        _Exit(0);
+    } else {
+        wait(NULL);
+    }
+}
+
+static void virtio_net_fork_fuzz_check_used(QTestState *s,
+        const unsigned char *Data, size_t Size)
+{
+    if (fork() == 0) {
+        virtio_net_fuzz_multi(s, Data, Size, true);
+        flush_events(s);
+        _Exit(0);
+    } else {
+        wait(NULL);
+    }
+}
+
+static void virtio_net_pre_fuzz(QTestState *s)
+{
+    qos_init_path(s);
+    counter_shm_init();
+}
+
+static void *virtio_net_test_setup_socket(GString *cmd_line, void *arg)
+{
+    int ret = socketpair(PF_UNIX, SOCK_STREAM, 0, sockfds);
+    g_assert_cmpint(ret, !=, -1);
+    fcntl(sockfds[0], F_SETFL, O_NONBLOCK);
+    sockfds_initialized = true;
+    g_string_append_printf(cmd_line, " -netdev socket,fd=%d,id=hs0 ",
+                           sockfds[1]);
+    return arg;
+}
+
+static void *virtio_net_test_setup_user(GString *cmd_line, void *arg)
+{
+    g_string_append_printf(cmd_line, " -netdev user,id=hs0 ");
+    return arg;
+}
+
+static void register_virtio_net_fuzz_targets(void)
+{
+    fuzz_add_qos_target(&(FuzzTarget){
+            .name = "virtio-net-socket",
+            .description = "Fuzz the virtio-net virtual queues. Fuzz incoming "
+            "traffic using the socket backend",
+            .pre_fuzz = &virtio_net_pre_fuzz,
+            .fuzz = virtio_net_fork_fuzz,},
+            "virtio-net",
+            &(QOSGraphTestOptions){.before = virtio_net_test_setup_socket}
+            );
+
+    fuzz_add_qos_target(&(FuzzTarget){
+            .name = "virtio-net-socket-check-used",
+            .description = "Fuzz the virtio-net virtual queues. Wait for the "
+            "descriptors to be used. Timeout may indicate improperly handled "
+            "input",
+            .pre_fuzz = &virtio_net_pre_fuzz,
+            .fuzz = virtio_net_fork_fuzz_check_used,},
+            "virtio-net",
+            &(QOSGraphTestOptions){.before = virtio_net_test_setup_socket}
+            );
+    fuzz_add_qos_target(&(FuzzTarget){
+            .name = "virtio-net-slirp",
+            .description = "Fuzz the virtio-net virtual queues with the slirp "
+            " backend. Warning: May result in network traffic emitted from the "
+            " process. Run in an isolated network environment.",
+            .pre_fuzz = &virtio_net_pre_fuzz,
+            .fuzz = virtio_net_fork_fuzz,},
+            "virtio-net",
+            &(QOSGraphTestOptions){.before = virtio_net_test_setup_user}
+            );
+}
+
+fuzz_target_init(register_virtio_net_fuzz_targets);
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

The virtio-scsi fuzz target sets up and fuzzes the available virtio-scsi
queues. After an element is placed on a queue, the fuzzer can select
whether to perform a kick, or continue adding elements.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200220041118.23264-22-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/qtest/fuzz/Makefile.include   |   1 +
 tests/qtest/fuzz/virtio_scsi_fuzz.c | 213 ++++++++++++++++++++++++++++
 2 files changed, 214 insertions(+)
 create mode 100644 tests/qtest/fuzz/virtio_scsi_fuzz.c

diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/fuzz/Makefile.include
+++ b/tests/qtest/fuzz/Makefile.include
@@ -XXX,XX +XXX,XX @@ fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
 # Targets
 fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o
 fuzz-obj-y += tests/qtest/fuzz/virtio_net_fuzz.o
+fuzz-obj-y += tests/qtest/fuzz/virtio_scsi_fuzz.o
 
 FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
 
diff --git a/tests/qtest/fuzz/virtio_scsi_fuzz.c b/tests/qtest/fuzz/virtio_scsi_fuzz.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/fuzz/virtio_scsi_fuzz.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * virtio-serial Fuzzing Target
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ *  Alexander Bulekov   <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "tests/qtest/libqtest.h"
+#include "libqos/virtio-scsi.h"
+#include "libqos/virtio.h"
+#include "libqos/virtio-pci.h"
+#include "standard-headers/linux/virtio_ids.h"
+#include "standard-headers/linux/virtio_pci.h"
+#include "standard-headers/linux/virtio_scsi.h"
+#include "fuzz.h"
+#include "fork_fuzz.h"
+#include "qos_fuzz.h"
+
+#define PCI_SLOT                0x02
+#define PCI_FN                  0x00
+#define QVIRTIO_SCSI_TIMEOUT_US (1 * 1000 * 1000)
+
+#define MAX_NUM_QUEUES 64
+
+/* Based on tests/virtio-scsi-test.c */
+typedef struct {
+    int num_queues;
+    QVirtQueue *vq[MAX_NUM_QUEUES + 2];
+} QVirtioSCSIQueues;
+
+static QVirtioSCSIQueues *qvirtio_scsi_init(QVirtioDevice *dev, uint64_t mask)
+{
+    QVirtioSCSIQueues *vs;
+    uint64_t feat;
+    int i;
+
+    vs = g_new0(QVirtioSCSIQueues, 1);
+
+    feat = qvirtio_get_features(dev);
+    if (mask) {
+        feat &= ~QVIRTIO_F_BAD_FEATURE | mask;
+    } else {
+        feat &= ~(QVIRTIO_F_BAD_FEATURE | (1ull << VIRTIO_RING_F_EVENT_IDX));
+    }
+    qvirtio_set_features(dev, feat);
+
+    vs->num_queues = qvirtio_config_readl(dev, 0);
+
+    for (i = 0; i < vs->num_queues + 2; i++) {
+        vs->vq[i] = qvirtqueue_setup(dev, fuzz_qos_alloc, i);
+    }
+
+    qvirtio_set_driver_ok(dev);
+
+    return vs;
+}
+
+static void virtio_scsi_fuzz(QTestState *s, QVirtioSCSIQueues* queues,
+        const unsigned char *Data, size_t Size)
+{
+    /*
+     * Data is a sequence of random bytes. We split them up into "actions",
+     * followed by data:
+     * [vqa][dddddddd][vqa][dddd][vqa][dddddddddddd] ...
+     * The length of the data is specified by the preceding vqa.length
+     */
+    typedef struct vq_action {
+        uint8_t queue;
+        uint8_t length;
+        uint8_t write;
+        uint8_t next;
+        uint8_t kick;
+    } vq_action;
+
+    /* Keep track of the free head for each queue we interact with */
+    bool vq_touched[MAX_NUM_QUEUES + 2] = {0};
+    uint32_t free_head[MAX_NUM_QUEUES + 2];
+
+    QGuestAllocator *t_alloc = fuzz_qos_alloc;
+
+    QVirtioSCSI *scsi = fuzz_qos_obj;
+    QVirtioDevice *dev = scsi->vdev;
+    QVirtQueue *q;
+    vq_action vqa;
+    while (Size >= sizeof(vqa)) {
+        /* Copy the action, so we can normalize length, queue and flags */
+        memcpy(&vqa, Data, sizeof(vqa));
+
+        Data += sizeof(vqa);
+        Size -= sizeof(vqa);
+
+        vqa.queue = vqa.queue % queues->num_queues;
+        /* Cap length at the number of remaining bytes in data */
+        vqa.length = vqa.length >= Size ? Size : vqa.length;
+        vqa.write = vqa.write & 1;
+        vqa.next = vqa.next & 1;
+        vqa.kick = vqa.kick & 1;
+
+
+        q = queues->vq[vqa.queue];
+
+        /* Copy the data into ram, and place it on the virtqueue */
+        uint64_t req_addr = guest_alloc(t_alloc, vqa.length);
+        qtest_memwrite(s, req_addr, Data, vqa.length);
+        if (vq_touched[vqa.queue] == 0) {
+            vq_touched[vqa.queue] = 1;
+            free_head[vqa.queue] = qvirtqueue_add(s, q, req_addr, vqa.length,
+                    vqa.write, vqa.next);
+        } else {
+            qvirtqueue_add(s, q, req_addr, vqa.length, vqa.write , vqa.next);
+        }
+
+        if (vqa.kick) {
+            qvirtqueue_kick(s, dev, q, free_head[vqa.queue]);
+            free_head[vqa.queue] = 0;
+        }
+        Data += vqa.length;
+        Size -= vqa.length;
+    }
+    /* In the end, kick each queue we interacted with */
+    for (int i = 0; i < MAX_NUM_QUEUES + 2; i++) {
+        if (vq_touched[i]) {
+            qvirtqueue_kick(s, dev, queues->vq[i], free_head[i]);
+        }
+    }
+}
+
+static void virtio_scsi_fork_fuzz(QTestState *s,
+        const unsigned char *Data, size_t Size)
+{
+    QVirtioSCSI *scsi = fuzz_qos_obj;
+    static QVirtioSCSIQueues *queues;
+    if (!queues) {
+        queues = qvirtio_scsi_init(scsi->vdev, 0);
+    }
+    if (fork() == 0) {
+        virtio_scsi_fuzz(s, queues, Data, Size);
+        flush_events(s);
+        _Exit(0);
+    } else {
+        wait(NULL);
+    }
+}
+
+static void virtio_scsi_with_flag_fuzz(QTestState *s,
+        const unsigned char *Data, size_t Size)
+{
+    QVirtioSCSI *scsi = fuzz_qos_obj;
+    static QVirtioSCSIQueues *queues;
+
+    if (fork() == 0) {
+        if (Size >= sizeof(uint64_t)) {
+            queues = qvirtio_scsi_init(scsi->vdev, *(uint64_t *)Data);
+            virtio_scsi_fuzz(s, queues,
+                             Data + sizeof(uint64_t), Size - sizeof(uint64_t));
+            flush_events(s);
+        }
+        _Exit(0);
+    } else {
+        wait(NULL);
+    }
+}
+
+static void virtio_scsi_pre_fuzz(QTestState *s)
+{
+    qos_init_path(s);
+    counter_shm_init();
+}
+
+static void *virtio_scsi_test_setup(GString *cmd_line, void *arg)
+{
+    g_string_append(cmd_line,
+                    " -drive file=blkdebug::null-co://,"
+                    "file.image.read-zeroes=on,"
+                    "if=none,id=dr1,format=raw,file.align=4k "
+                    "-device scsi-hd,drive=dr1,lun=0,scsi-id=1");
+    return arg;
+}
+
+
+static void register_virtio_scsi_fuzz_targets(void)
+{
+    fuzz_add_qos_target(&(FuzzTarget){
+                .name = "virtio-scsi-fuzz",
+                .description = "Fuzz the virtio-scsi virtual queues, forking"
+                                "for each fuzz run",
+                .pre_vm_init = &counter_shm_init,
+                .pre_fuzz = &virtio_scsi_pre_fuzz,
+                .fuzz = virtio_scsi_fork_fuzz,},
+                "virtio-scsi",
+                &(QOSGraphTestOptions){.before = virtio_scsi_test_setup}
+                );
+
+    fuzz_add_qos_target(&(FuzzTarget){
+                .name = "virtio-scsi-flags-fuzz",
+                .description = "Fuzz the virtio-scsi virtual queues, forking"
+                "for each fuzz run (also fuzzes the virtio flags)",
+                .pre_vm_init = &counter_shm_init,
+                .pre_fuzz = &virtio_scsi_pre_fuzz,
+                .fuzz = virtio_scsi_with_flag_fuzz,},
+                "virtio-scsi",
+                &(QOSGraphTestOptions){.before = virtio_scsi_test_setup}
+                );
+}
+
+fuzz_target_init(register_virtio_scsi_fuzz_targets);
-- 
2.24.1

From: Alexander Bulekov <alxndr@bu.edu>

diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/docs/devel/fuzzing.txt
@@ -XXX,XX +XXX,XX @@
+= Fuzzing =
+
+== Introduction ==
+
+This document describes the virtual-device fuzzing infrastructure in QEMU and
+how to use it to implement additional fuzzers.
+
+== Basics ==
+
+Fuzzing operates by passing inputs to an entry point/target function. The
+fuzzer tracks the code coverage triggered by the input. Based on these
+findings, the fuzzer mutates the input and repeats the fuzzing.
+
+To fuzz QEMU, we rely on libfuzzer. Unlike other fuzzers such as AFL, libfuzzer
+is an _in-process_ fuzzer. For the developer, this means that it is their
+responsibility to ensure that state is reset between fuzzing-runs.
+
+== Building the fuzzers ==
+
+NOTE: If possible, build a 32-bit binary. When forking, the 32-bit fuzzer is
+much faster, since the page-map has a smaller size. This is due to the fact that
+AddressSanitizer mmaps ~20TB of memory, as part of its detection. This results
+in a large page-map, and a much slower fork().
+
+To build the fuzzers, install a recent version of clang:
+Configure with (substitute the clang binaries with the version you installed):
+
+    CC=clang-8 CXX=clang++-8 /path/to/configure --enable-fuzzing
+
+Fuzz targets are built similarly to system/softmmu:
+
+    make i386-softmmu/fuzz
+
+This builds ./i386-softmmu/qemu-fuzz-i386
+
+The first option to this command is: --fuzz_taget=FUZZ_NAME
+To list all of the available fuzzers run qemu-fuzz-i386 with no arguments.
+
+eg:
+    ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=virtio-net-fork-fuzz
+
+Internally, libfuzzer parses all arguments that do not begin with "--".
+Information about these is available by passing -help=1
+
+Now the only thing left to do is wait for the fuzzer to trigger potential
+crashes.
+
+== Adding a new fuzzer ==
+Coverage over virtual devices can be improved by adding additional fuzzers.
+Fuzzers are kept in tests/qtest/fuzz/ and should be added to
+tests/qtest/fuzz/Makefile.include
+
+Fuzzers can rely on both qtest and libqos to communicate with virtual devices.
+
+1. Create a new source file. For example ``tests/qtest/fuzz/foo-device-fuzz.c``.
+
+2. Write the fuzzing code using the libqtest/libqos API. See existing fuzzers
+for reference.
+
+3. Register the fuzzer in ``tests/fuzz/Makefile.include`` by appending the
+corresponding object to fuzz-obj-y
+
+Fuzzers can be more-or-less thought of as special qtest programs which can
+modify the qtest commands and/or qtest command arguments based on inputs
+provided by libfuzzer. Libfuzzer passes a byte array and length. Commonly the
+fuzzer loops over the byte-array interpreting it as a list of qtest commands,
+addresses, or values.
+
+= Implementation Details =
+
+== The Fuzzer's Lifecycle ==
+
+The fuzzer has two entrypoints that libfuzzer calls. libfuzzer provides it's
+own main(), which performs some setup, and calls the entrypoints:
+
+LLVMFuzzerInitialize: called prior to fuzzing. Used to initialize all of the
+necessary state
+
+LLVMFuzzerTestOneInput: called for each fuzzing run. Processes the input and
+resets the state at the end of each run.
+
+In more detail:
+
+LLVMFuzzerInitialize parses the arguments to the fuzzer (must start with two
+dashes, so they are ignored by libfuzzer main()). Currently, the arguments
+select the fuzz target. Then, the qtest client is initialized. If the target
+requires qos, qgraph is set up and the QOM/LIBQOS modules are initialized.
+Then the QGraph is walked and the QEMU cmd_line is determined and saved.
+
+After this, the vl.c:qemu__main is called to set up the guest. There are
+target-specific hooks that can be called before and after qemu_main, for
+additional setup(e.g. PCI setup, or VM snapshotting).
+
+LLVMFuzzerTestOneInput: Uses qtest/qos functions to act based on the fuzz
+input. It is also responsible for manually calling the main loop/main_loop_wait
+to ensure that bottom halves are executed and any cleanup required before the
+next input.
+
+Since the same process is reused for many fuzzing runs, QEMU state needs to
+be reset at the end of each run. There are currently two implemented
+options for resetting state:
+1. Reboot the guest between runs.
+   Pros: Straightforward and fast for simple fuzz targets.
+   Cons: Depending on the device, does not reset all device state. If the
+   device requires some initialization prior to being ready for fuzzing
+   (common for QOS-based targets), this initialization needs to be done after
+   each reboot.
+   Example target: i440fx-qtest-reboot-fuzz
+2. Run each test case in a separate forked process and copy the coverage
+   information back to the parent. This is fairly similar to AFL's "deferred"
+   fork-server mode [3]
+   Pros: Relatively fast. Devices only need to be initialized once. No need
+   to do slow reboots or vmloads.
+   Cons: Not officially supported by libfuzzer. Does not work well for devices
+   that rely on dedicated threads.
+   Example target: virtio-net-fork-fuzz
-- 
2.24.1

The following changes since commit 56f9e46b841c7be478ca038d8d4085d776ab4b0d:

Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2017-02-20' into staging (2017-02-20 17:42:47 +0000)

are available in the git repository at:

git://github.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to a7b91d35bab97a2d3e779d0c64c9b837b52a6cf7:

coroutine-lock: make CoRwlock thread-safe and fair (2017-02-21 11:39:40 +0000)

----------------------------------------------------------------
Pull request

v2:
 * Rebased to resolve scsi conflicts

----------------------------------------------------------------

Paolo Bonzini (24):
  block: move AioContext, QEMUTimer, main-loop to libqemuutil
  aio: introduce aio_co_schedule and aio_co_wake
  block-backend: allow blk_prw from coroutine context
  test-thread-pool: use generic AioContext infrastructure
  io: add methods to set I/O handlers on AioContext
  io: make qio_channel_yield aware of AioContexts
  nbd: convert to use qio_channel_yield
  coroutine-lock: reschedule coroutine on the AioContext it was running
    on
  blkdebug: reschedule coroutine on the AioContext it is running on
  qed: introduce qed_aio_start_io and qed_aio_next_io_cb
  aio: push aio_context_acquire/release down to dispatching
  block: explicitly acquire aiocontext in timers that need it
  block: explicitly acquire aiocontext in callbacks that need it
  block: explicitly acquire aiocontext in bottom halves that need it
  block: explicitly acquire aiocontext in aio callbacks that need it
  aio-posix: partially inline aio_dispatch into aio_poll
  async: remove unnecessary inc/dec pairs
  block: document fields protected by AioContext lock
  coroutine-lock: make CoMutex thread-safe
  coroutine-lock: add limited spinning to CoMutex
  test-aio-multithread: add performance comparison with thread-based
    mutexes
  coroutine-lock: place CoMutex before CoQueue in header
  coroutine-lock: add mutex argument to CoQueue APIs
  coroutine-lock: make CoRwlock thread-safe and fair

-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

AioContext is fairly self contained, the only dependency is QEMUTimer but
that in turn doesn't need anything else.  So move them out of block-obj-y
to avoid introducing a dependency from io/ to block-obj-y.

main-loop and its dependency iohandler also need to be moved, because
later in this series io/ will call iohandler_get_aio_context.

[Changed copyright "the QEMU team" to "other QEMU contributors" as
suggested by Daniel Berrange and agreed by Paolo.
--Stefan]

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213135235.12274-2-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 Makefile.objs                       |  4 ---
 stubs/Makefile.objs                 |  1 +
 tests/Makefile.include              | 11 ++++----
 util/Makefile.objs                  |  6 +++-
 block/io.c                          | 29 -------------------
 stubs/linux-aio.c                   | 32 +++++++++++++++++++++
 stubs/set-fd-handler.c              | 11 --------
 aio-posix.c => util/aio-posix.c     |  2 +-
 aio-win32.c => util/aio-win32.c     |  0
 util/aiocb.c                        | 55 +++++++++++++++++++++++++++++++++++++
 async.c => util/async.c             |  3 +-
 iohandler.c => util/iohandler.c     |  0
 main-loop.c => util/main-loop.c     |  0
 qemu-timer.c => util/qemu-timer.c   |  0
 thread-pool.c => util/thread-pool.c |  2 +-
 trace-events                        | 11 --------
 util/trace-events                   | 11 ++++++++
 17 files changed, 114 insertions(+), 64 deletions(-)
 create mode 100644 stubs/linux-aio.c
 rename aio-posix.c => util/aio-posix.c (99%)
 rename aio-win32.c => util/aio-win32.c (100%)
 create mode 100644 util/aiocb.c
 rename async.c => util/async.c (99%)
 rename iohandler.c => util/iohandler.c (100%)
 rename main-loop.c => util/main-loop.c (100%)
 rename qemu-timer.c => util/qemu-timer.c (100%)
 rename thread-pool.c => util/thread-pool.c (99%)

diff --git a/Makefile.objs b/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -XXX,XX +XXX,XX @@ chardev-obj-y = chardev/
 #######################################################################
 # block-obj-y is code used by both qemu system emulation and qemu-img
 
-block-obj-y = async.o thread-pool.o
 block-obj-y += nbd/
 block-obj-y += block.o blockjob.o
-block-obj-y += main-loop.o iohandler.o qemu-timer.o
-block-obj-$(CONFIG_POSIX) += aio-posix.o
-block-obj-$(CONFIG_WIN32) += aio-win32.o
 block-obj-y += block/
 block-obj-y += qemu-io-cmds.o
 block-obj-$(CONFIG_REPLICATION) += replication.o
diff --git a/stubs/Makefile.objs b/stubs/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/stubs/Makefile.objs
+++ b/stubs/Makefile.objs
@@ -XXX,XX +XXX,XX @@ stub-obj-y += get-vm-name.o
 stub-obj-y += iothread.o
 stub-obj-y += iothread-lock.o
 stub-obj-y += is-daemonized.o
+stub-obj-$(CONFIG_LINUX_AIO) += linux-aio.o
 stub-obj-y += machine-init-done.o
 stub-obj-y += migr-blocker.o
 stub-obj-y += monitor.o
diff --git a/tests/Makefile.include b/tests/Makefile.include
index XXXXXXX..XXXXXXX 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -XXX,XX +XXX,XX @@ check-unit-y += tests/test-visitor-serialization$(EXESUF)
 check-unit-y += tests/test-iov$(EXESUF)
 gcov-files-test-iov-y = util/iov.c
 check-unit-y += tests/test-aio$(EXESUF)
+gcov-files-test-aio-y = util/async.c util/qemu-timer.o
+gcov-files-test-aio-$(CONFIG_WIN32) += util/aio-win32.c
+gcov-files-test-aio-$(CONFIG_POSIX) += util/aio-posix.c
 check-unit-y += tests/test-throttle$(EXESUF)
 gcov-files-test-aio-$(CONFIG_WIN32) = aio-win32.c
 gcov-files-test-aio-$(CONFIG_POSIX) = aio-posix.c
@@ -XXX,XX +XXX,XX @@ tests/check-qjson$(EXESUF): tests/check-qjson.o $(test-util-obj-y)
 tests/check-qom-interface$(EXESUF): tests/check-qom-interface.o $(test-qom-obj-y)
 tests/check-qom-proplist$(EXESUF): tests/check-qom-proplist.o $(test-qom-obj-y)
 
-tests/test-char$(EXESUF): tests/test-char.o qemu-timer.o \
-	$(test-util-obj-y) $(qtest-obj-y) $(test-block-obj-y) $(chardev-obj-y)
+tests/test-char$(EXESUF): tests/test-char.o $(test-util-obj-y) $(qtest-obj-y) $(test-io-obj-y) $(chardev-obj-y)
 tests/test-coroutine$(EXESUF): tests/test-coroutine.o $(test-block-obj-y)
 tests/test-aio$(EXESUF): tests/test-aio.o $(test-block-obj-y)
 tests/test-throttle$(EXESUF): tests/test-throttle.o $(test-block-obj-y)
@@ -XXX,XX +XXX,XX @@ tests/test-vmstate$(EXESUF): tests/test-vmstate.o \
 	migration/vmstate.o migration/qemu-file.o \
         migration/qemu-file-channel.o migration/qjson.o \
 	$(test-io-obj-y)
-tests/test-timed-average$(EXESUF): tests/test-timed-average.o qemu-timer.o \
-	$(test-util-obj-y)
+tests/test-timed-average$(EXESUF): tests/test-timed-average.o $(test-util-obj-y)
 tests/test-base64$(EXESUF): tests/test-base64.o \
 	libqemuutil.a libqemustub.a
 tests/ptimer-test$(EXESUF): tests/ptimer-test.o tests/ptimer-test-stubs.o hw/core/ptimer.o libqemustub.a
@@ -XXX,XX +XXX,XX @@ tests/usb-hcd-ehci-test$(EXESUF): tests/usb-hcd-ehci-test.o $(libqos-usb-obj-y)
 tests/usb-hcd-xhci-test$(EXESUF): tests/usb-hcd-xhci-test.o $(libqos-usb-obj-y)
 tests/pc-cpu-test$(EXESUF): tests/pc-cpu-test.o
 tests/postcopy-test$(EXESUF): tests/postcopy-test.o
-tests/vhost-user-test$(EXESUF): tests/vhost-user-test.o qemu-timer.o \
+tests/vhost-user-test$(EXESUF): tests/vhost-user-test.o $(test-util-obj-y) \
 	$(qtest-obj-y) $(test-io-obj-y) $(libqos-virtio-obj-y) $(libqos-pc-obj-y) \
 	$(chardev-obj-y)
 tests/qemu-iotests/socket_scm_helper$(EXESUF): tests/qemu-iotests/socket_scm_helper.o
diff --git a/util/Makefile.objs b/util/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/util/Makefile.objs
+++ b/util/Makefile.objs
@@ -XXX,XX +XXX,XX @@
 util-obj-y = osdep.o cutils.o unicode.o qemu-timer-common.o
 util-obj-y += bufferiszero.o
 util-obj-y += lockcnt.o
+util-obj-y += aiocb.o async.o thread-pool.o qemu-timer.o
+util-obj-y += main-loop.o iohandler.o
+util-obj-$(CONFIG_POSIX) += aio-posix.o
 util-obj-$(CONFIG_POSIX) += compatfd.o
 util-obj-$(CONFIG_POSIX) += event_notifier-posix.o
 util-obj-$(CONFIG_POSIX) += mmap-alloc.o
 util-obj-$(CONFIG_POSIX) += oslib-posix.o
 util-obj-$(CONFIG_POSIX) += qemu-openpty.o
 util-obj-$(CONFIG_POSIX) += qemu-thread-posix.o
-util-obj-$(CONFIG_WIN32) += event_notifier-win32.o
 util-obj-$(CONFIG_POSIX) += memfd.o
+util-obj-$(CONFIG_WIN32) += aio-win32.o
+util-obj-$(CONFIG_WIN32) += event_notifier-win32.o
 util-obj-$(CONFIG_WIN32) += oslib-win32.o
 util-obj-$(CONFIG_WIN32) += qemu-thread-win32.o
 util-obj-y += envlist.o path.o module.o
diff --git a/block/io.c b/block/io.c
index XXXXXXX..XXXXXXX 100644
--- a/block/io.c
+++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ BlockAIOCB *bdrv_aio_flush(BlockDriverState *bs,
     return &acb->common;
 }
 
-void *qemu_aio_get(const AIOCBInfo *aiocb_info, BlockDriverState *bs,
-                   BlockCompletionFunc *cb, void *opaque)
-{
-    BlockAIOCB *acb;
-
-    acb = g_malloc(aiocb_info->aiocb_size);
-    acb->aiocb_info = aiocb_info;
-    acb->bs = bs;
-    acb->cb = cb;
-    acb->opaque = opaque;
-    acb->refcnt = 1;
-    return acb;
-}
-
-void qemu_aio_ref(void *p)
-{
-    BlockAIOCB *acb = p;
-    acb->refcnt++;
-}
-
-void qemu_aio_unref(void *p)
-{
-    BlockAIOCB *acb = p;
-    assert(acb->refcnt > 0);
-    if (--acb->refcnt == 0) {
-        g_free(acb);
-    }
-}
-
 /**************************************************************/
 /* Coroutine block device emulation */
 
diff --git a/stubs/linux-aio.c b/stubs/linux-aio.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/stubs/linux-aio.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Linux native AIO support.
+ *
+ * Copyright (C) 2009 IBM, Corp.
+ * Copyright (C) 2009 Red Hat, Inc.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+#include "qemu/osdep.h"
+#include "block/aio.h"
+#include "block/raw-aio.h"
+
+void laio_detach_aio_context(LinuxAioState *s, AioContext *old_context)
+{
+    abort();
+}
+
+void laio_attach_aio_context(LinuxAioState *s, AioContext *new_context)
+{
+    abort();
+}
+
+LinuxAioState *laio_init(void)
+{
+    abort();
+}
+
+void laio_cleanup(LinuxAioState *s)
+{
+    abort();
+}
diff --git a/stubs/set-fd-handler.c b/stubs/set-fd-handler.c
index XXXXXXX..XXXXXXX 100644
--- a/stubs/set-fd-handler.c
+++ b/stubs/set-fd-handler.c
@@ -XXX,XX +XXX,XX @@ void qemu_set_fd_handler(int fd,
 {
     abort();
 }
-
-void aio_set_fd_handler(AioContext *ctx,
-                        int fd,
-                        bool is_external,
-                        IOHandler *io_read,
-                        IOHandler *io_write,
-                        AioPollFn *io_poll,
-                        void *opaque)
-{
-    abort();
-}
diff --git a/aio-posix.c b/util/aio-posix.c
similarity index 99%
rename from aio-posix.c
rename to util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/rcu_queue.h"
 #include "qemu/sockets.h"
 #include "qemu/cutils.h"
-#include "trace-root.h"
+#include "trace.h"
 #ifdef CONFIG_EPOLL_CREATE1
 #include <sys/epoll.h>
 #endif
diff --git a/aio-win32.c b/util/aio-win32.c
similarity index 100%
rename from aio-win32.c
rename to util/aio-win32.c
diff --git a/util/aiocb.c b/util/aiocb.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/util/aiocb.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * BlockAIOCB allocation
+ *
+ * Copyright (c) 2003-2017 Fabrice Bellard and other QEMU contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "block/aio.h"
+
+void *qemu_aio_get(const AIOCBInfo *aiocb_info, BlockDriverState *bs,
+                   BlockCompletionFunc *cb, void *opaque)
+{
+    BlockAIOCB *acb;
+
+    acb = g_malloc(aiocb_info->aiocb_size);
+    acb->aiocb_info = aiocb_info;
+    acb->bs = bs;
+    acb->cb = cb;
+    acb->opaque = opaque;
+    acb->refcnt = 1;
+    return acb;
+}
+
+void qemu_aio_ref(void *p)
+{
+    BlockAIOCB *acb = p;
+    acb->refcnt++;
+}
+
+void qemu_aio_unref(void *p)
+{
+    BlockAIOCB *acb = p;
+    assert(acb->refcnt > 0);
+    if (--acb->refcnt == 0) {
+        g_free(acb);
+    }
+}
diff --git a/async.c b/util/async.c
similarity index 99%
rename from async.c
rename to util/async.c
index XXXXXXX..XXXXXXX 100644
--- a/async.c
+++ b/util/async.c
@@ -XXX,XX +XXX,XX @@
 /*
- * QEMU System Emulator
+ * Data plane event loop
  *
  * Copyright (c) 2003-2008 Fabrice Bellard
+ * Copyright (c) 2009-2017 QEMU contributors
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/iohandler.c b/util/iohandler.c
similarity index 100%
rename from iohandler.c
rename to util/iohandler.c
diff --git a/main-loop.c b/util/main-loop.c
similarity index 100%
rename from main-loop.c
rename to util/main-loop.c
diff --git a/qemu-timer.c b/util/qemu-timer.c
similarity index 100%
rename from qemu-timer.c
rename to util/qemu-timer.c
diff --git a/thread-pool.c b/util/thread-pool.c
similarity index 99%
rename from thread-pool.c
rename to util/thread-pool.c
index XXXXXXX..XXXXXXX 100644
--- a/thread-pool.c
+++ b/util/thread-pool.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/queue.h"
 #include "qemu/thread.h"
 #include "qemu/coroutine.h"
-#include "trace-root.h"
+#include "trace.h"
 #include "block/thread-pool.h"
 #include "qemu/main-loop.h"
 
diff --git a/trace-events b/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/trace-events
+++ b/trace-events
@@ -XXX,XX +XXX,XX @@
 #
 # The <format-string> should be a sprintf()-compatible format string.
 
-# aio-posix.c
-run_poll_handlers_begin(void *ctx, int64_t max_ns) "ctx %p max_ns %"PRId64
-run_poll_handlers_end(void *ctx, bool progress) "ctx %p progress %d"
-poll_shrink(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
-poll_grow(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
-
-# thread-pool.c
-thread_pool_submit(void *pool, void *req, void *opaque) "pool %p req %p opaque %p"
-thread_pool_complete(void *pool, void *req, void *opaque, int ret) "pool %p req %p opaque %p ret %d"
-thread_pool_cancel(void *req, void *opaque) "req %p opaque %p"
-
 # ioport.c
 cpu_in(unsigned int addr, char size, unsigned int val) "addr %#x(%c) value %u"
 cpu_out(unsigned int addr, char size, unsigned int val) "addr %#x(%c) value %u"
diff --git a/util/trace-events b/util/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/util/trace-events
+++ b/util/trace-events
@@ -XXX,XX +XXX,XX @@
 # See docs/tracing.txt for syntax documentation.
 
+# util/aio-posix.c
+run_poll_handlers_begin(void *ctx, int64_t max_ns) "ctx %p max_ns %"PRId64
+run_poll_handlers_end(void *ctx, bool progress) "ctx %p progress %d"
+poll_shrink(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
+poll_grow(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
+
+# util/thread-pool.c
+thread_pool_submit(void *pool, void *req, void *opaque) "pool %p req %p opaque %p"
+thread_pool_complete(void *pool, void *req, void *opaque, int ret) "pool %p req %p opaque %p ret %d"
+thread_pool_cancel(void *req, void *opaque) "req %p opaque %p"
+
 # util/buffer.c
 buffer_resize(const char *buf, size_t olen, size_t len) "%s: old %zd, new %zd"
 buffer_move_empty(const char *buf, size_t len, const char *from) "%s: %zd bytes from %s"
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

aio_co_wake provides the infrastructure to start a coroutine on a "home"
AioContext.  It will be used by CoMutex and CoQueue, so that coroutines
don't jump from one context to another when they go to sleep on a
mutex or waitqueue.  However, it can also be used as a more efficient
alternative to one-shot bottom halves, and saves the effort of tracking
which AioContext a coroutine is running on.

aio_co_schedule is the part of aio_co_wake that starts a coroutine
on a remove AioContext, but it is also useful to implement e.g.
bdrv_set_aio_context callbacks.

The implementation of aio_co_schedule is based on a lock-free
multiple-producer, single-consumer queue.  The multiple producers use
cmpxchg to add to a LIFO stack.  The consumer (a per-AioContext bottom
half) grabs all items added so far, inverts the list to make it FIFO,
and goes through it one item at a time until it's empty.  The data
structure was inspired by OSv, which uses it in the very code we'll
"port" to QEMU for the thread-safe CoMutex.

Most of the new code is really tests.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213135235.12274-3-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/Makefile.include       |   8 +-
 include/block/aio.h          |  32 +++++++
 include/qemu/coroutine_int.h |  11 ++-
 tests/iothread.h             |  25 +++++
 tests/iothread.c             |  91 ++++++++++++++++++
 tests/test-aio-multithread.c | 213 +++++++++++++++++++++++++++++++++++++++++++
 util/async.c                 |  65 +++++++++++++
 util/qemu-coroutine.c        |   8 ++
 util/trace-events            |   4 +
 9 files changed, 453 insertions(+), 4 deletions(-)
 create mode 100644 tests/iothread.h
 create mode 100644 tests/iothread.c
 create mode 100644 tests/test-aio-multithread.c

diff --git a/tests/Makefile.include b/tests/Makefile.include
index XXXXXXX..XXXXXXX 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -XXX,XX +XXX,XX @@ check-unit-y += tests/test-aio$(EXESUF)
 gcov-files-test-aio-y = util/async.c util/qemu-timer.o
 gcov-files-test-aio-$(CONFIG_WIN32) += util/aio-win32.c
 gcov-files-test-aio-$(CONFIG_POSIX) += util/aio-posix.c
+check-unit-y += tests/test-aio-multithread$(EXESUF)
+gcov-files-test-aio-multithread-y = $(gcov-files-test-aio-y)
+gcov-files-test-aio-multithread-y += util/qemu-coroutine.c tests/iothread.c
 check-unit-y += tests/test-throttle$(EXESUF)
-gcov-files-test-aio-$(CONFIG_WIN32) = aio-win32.c
-gcov-files-test-aio-$(CONFIG_POSIX) = aio-posix.c
 check-unit-y += tests/test-thread-pool$(EXESUF)
 gcov-files-test-thread-pool-y = thread-pool.c
 gcov-files-test-hbitmap-y = util/hbitmap.c
@@ -XXX,XX +XXX,XX @@ test-qapi-obj-y = tests/test-qapi-visit.o tests/test-qapi-types.o \
 	$(test-qom-obj-y)
 test-crypto-obj-y = $(crypto-obj-y) $(test-qom-obj-y)
 test-io-obj-y = $(io-obj-y) $(test-crypto-obj-y)
-test-block-obj-y = $(block-obj-y) $(test-io-obj-y)
+test-block-obj-y = $(block-obj-y) $(test-io-obj-y) tests/iothread.o
 
 tests/check-qint$(EXESUF): tests/check-qint.o $(test-util-obj-y)
 tests/check-qstring$(EXESUF): tests/check-qstring.o $(test-util-obj-y)
@@ -XXX,XX +XXX,XX @@ tests/check-qom-proplist$(EXESUF): tests/check-qom-proplist.o $(test-qom-obj-y)
 tests/test-char$(EXESUF): tests/test-char.o $(test-util-obj-y) $(qtest-obj-y) $(test-io-obj-y) $(chardev-obj-y)
 tests/test-coroutine$(EXESUF): tests/test-coroutine.o $(test-block-obj-y)
 tests/test-aio$(EXESUF): tests/test-aio.o $(test-block-obj-y)
+tests/test-aio-multithread$(EXESUF): tests/test-aio-multithread.o $(test-block-obj-y)
 tests/test-throttle$(EXESUF): tests/test-throttle.o $(test-block-obj-y)
 tests/test-blockjob$(EXESUF): tests/test-blockjob.o $(test-block-obj-y) $(test-util-obj-y)
 tests/test-blockjob-txn$(EXESUF): tests/test-blockjob-txn.o $(test-block-obj-y) $(test-util-obj-y)
diff --git a/include/block/aio.h b/include/block/aio.h
index XXXXXXX..XXXXXXX 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -XXX,XX +XXX,XX @@ typedef void QEMUBHFunc(void *opaque);
 typedef bool AioPollFn(void *opaque);
 typedef void IOHandler(void *opaque);
 
+struct Coroutine;
 struct ThreadPool;
 struct LinuxAioState;
 
@@ -XXX,XX +XXX,XX @@ struct AioContext {
     bool notified;
     EventNotifier notifier;
 
+    QSLIST_HEAD(, Coroutine) scheduled_coroutines;
+    QEMUBH *co_schedule_bh;
+
     /* Thread pool for performing work and receiving completion callbacks.
      * Has its own locking.
      */
@@ -XXX,XX +XXX,XX @@ static inline bool aio_node_check(AioContext *ctx, bool is_external)
 }
 
 /**
+ * aio_co_schedule:
+ * @ctx: the aio context
+ * @co: the coroutine
+ *
+ * Start a coroutine on a remote AioContext.
+ *
+ * The coroutine must not be entered by anyone else while aio_co_schedule()
+ * is active.  In addition the coroutine must have yielded unless ctx
+ * is the context in which the coroutine is running (i.e. the value of
+ * qemu_get_current_aio_context() from the coroutine itself).
+ */
+void aio_co_schedule(AioContext *ctx, struct Coroutine *co);
+
+/**
+ * aio_co_wake:
+ * @co: the coroutine
+ *
+ * Restart a coroutine on the AioContext where it was running last, thus
+ * preventing coroutines from jumping from one context to another when they
+ * go to sleep.
+ *
+ * aio_co_wake may be executed either in coroutine or non-coroutine
+ * context.  The coroutine must not be entered by anyone else while
+ * aio_co_wake() is active.
+ */
+void aio_co_wake(struct Coroutine *co);
+
+/**
  * Return the AioContext whose event loop runs in the current thread.
  *
  * If called from an IOThread this will be the IOThread's AioContext.  If
diff --git a/include/qemu/coroutine_int.h b/include/qemu/coroutine_int.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/coroutine_int.h
+++ b/include/qemu/coroutine_int.h
@@ -XXX,XX +XXX,XX @@ struct Coroutine {
     CoroutineEntry *entry;
     void *entry_arg;
     Coroutine *caller;
+
+    /* Only used when the coroutine has terminated.  */
     QSLIST_ENTRY(Coroutine) pool_next;
+
     size_t locks_held;
 
-    /* Coroutines that should be woken up when we yield or terminate */
+    /* Coroutines that should be woken up when we yield or terminate.
+     * Only used when the coroutine is running.
+     */
     QSIMPLEQ_HEAD(, Coroutine) co_queue_wakeup;
+
+    /* Only used when the coroutine has yielded.  */
+    AioContext *ctx;
     QSIMPLEQ_ENTRY(Coroutine) co_queue_next;
+    QSLIST_ENTRY(Coroutine) co_scheduled_next;
 };
 
 Coroutine *qemu_coroutine_new(void);
diff --git a/tests/iothread.h b/tests/iothread.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/iothread.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * Event loop thread implementation for unit tests
+ *
+ * Copyright Red Hat Inc., 2013, 2016
+ *
+ * Authors:
+ *  Stefan Hajnoczi   <stefanha@redhat.com>
+ *  Paolo Bonzini     <pbonzini@redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+#ifndef TEST_IOTHREAD_H
+#define TEST_IOTHREAD_H
+
+#include "block/aio.h"
+#include "qemu/thread.h"
+
+typedef struct IOThread IOThread;
+
+IOThread *iothread_new(void);
+void iothread_join(IOThread *iothread);
+AioContext *iothread_get_aio_context(IOThread *iothread);
+
+#endif
diff --git a/tests/iothread.c b/tests/iothread.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/iothread.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Event loop thread implementation for unit tests
+ *
+ * Copyright Red Hat Inc., 2013, 2016
+ *
+ * Authors:
+ *  Stefan Hajnoczi   <stefanha@redhat.com>
+ *  Paolo Bonzini     <pbonzini@redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "block/aio.h"
+#include "qemu/main-loop.h"
+#include "qemu/rcu.h"
+#include "iothread.h"
+
+struct IOThread {
+    AioContext *ctx;
+
+    QemuThread thread;
+    QemuMutex init_done_lock;
+    QemuCond init_done_cond;    /* is thread initialization done? */
+    bool stopping;
+};
+
+static __thread IOThread *my_iothread;
+
+AioContext *qemu_get_current_aio_context(void)
+{
+    return my_iothread ? my_iothread->ctx : qemu_get_aio_context();
+}
+
+static void *iothread_run(void *opaque)
+{
+    IOThread *iothread = opaque;
+
+    rcu_register_thread();
+
+    my_iothread = iothread;
+    qemu_mutex_lock(&iothread->init_done_lock);
+    iothread->ctx = aio_context_new(&error_abort);
+    qemu_cond_signal(&iothread->init_done_cond);
+    qemu_mutex_unlock(&iothread->init_done_lock);
+
+    while (!atomic_read(&iothread->stopping)) {
+        aio_poll(iothread->ctx, true);
+    }
+
+    rcu_unregister_thread();
+    return NULL;
+}
+
+void iothread_join(IOThread *iothread)
+{
+    iothread->stopping = true;
+    aio_notify(iothread->ctx);
+    qemu_thread_join(&iothread->thread);
+    qemu_cond_destroy(&iothread->init_done_cond);
+    qemu_mutex_destroy(&iothread->init_done_lock);
+    aio_context_unref(iothread->ctx);
+    g_free(iothread);
+}
+
+IOThread *iothread_new(void)
+{
+    IOThread *iothread = g_new0(IOThread, 1);
+
+    qemu_mutex_init(&iothread->init_done_lock);
+    qemu_cond_init(&iothread->init_done_cond);
+    qemu_thread_create(&iothread->thread, NULL, iothread_run,
+                       iothread, QEMU_THREAD_JOINABLE);
+
+    /* Wait for initialization to complete */
+    qemu_mutex_lock(&iothread->init_done_lock);
+    while (iothread->ctx == NULL) {
+        qemu_cond_wait(&iothread->init_done_cond,
+                       &iothread->init_done_lock);
+    }
+    qemu_mutex_unlock(&iothread->init_done_lock);
+    return iothread;
+}
+
+AioContext *iothread_get_aio_context(IOThread *iothread)
+{
+    return iothread->ctx;
+}
diff --git a/tests/test-aio-multithread.c b/tests/test-aio-multithread.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/test-aio-multithread.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * AioContext multithreading tests
+ *
+ * Copyright Red Hat, Inc. 2016
+ *
+ * Authors:
+ *  Paolo Bonzini    <pbonzini@redhat.com>
+ *
+ * This work is licensed under the terms of the GNU LGPL, version 2 or later.
+ * See the COPYING.LIB file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include <glib.h>
+#include "block/aio.h"
+#include "qapi/error.h"
+#include "qemu/coroutine.h"
+#include "qemu/thread.h"
+#include "qemu/error-report.h"
+#include "iothread.h"
+
+/* AioContext management */
+
+#define NUM_CONTEXTS 5
+
+static IOThread *threads[NUM_CONTEXTS];
+static AioContext *ctx[NUM_CONTEXTS];
+static __thread int id = -1;
+
+static QemuEvent done_event;
+
+/* Run a function synchronously on a remote iothread. */
+
+typedef struct CtxRunData {
+    QEMUBHFunc *cb;
+    void *arg;
+} CtxRunData;
+
+static void ctx_run_bh_cb(void *opaque)
+{
+    CtxRunData *data = opaque;
+
+    data->cb(data->arg);
+    qemu_event_set(&done_event);
+}
+
+static void ctx_run(int i, QEMUBHFunc *cb, void *opaque)
+{
+    CtxRunData data = {
+        .cb = cb,
+        .arg = opaque
+    };
+
+    qemu_event_reset(&done_event);
+    aio_bh_schedule_oneshot(ctx[i], ctx_run_bh_cb, &data);
+    qemu_event_wait(&done_event);
+}
+
+/* Starting the iothreads. */
+
+static void set_id_cb(void *opaque)
+{
+    int *i = opaque;
+
+    id = *i;
+}
+
+static void create_aio_contexts(void)
+{
+    int i;
+
+    for (i = 0; i < NUM_CONTEXTS; i++) {
+        threads[i] = iothread_new();
+        ctx[i] = iothread_get_aio_context(threads[i]);
+    }
+
+    qemu_event_init(&done_event, false);
+    for (i = 0; i < NUM_CONTEXTS; i++) {
+        ctx_run(i, set_id_cb, &i);
+    }
+}
+
+/* Stopping the iothreads. */
+
+static void join_aio_contexts(void)
+{
+    int i;
+
+    for (i = 0; i < NUM_CONTEXTS; i++) {
+        aio_context_ref(ctx[i]);
+    }
+    for (i = 0; i < NUM_CONTEXTS; i++) {
+        iothread_join(threads[i]);
+    }
+    for (i = 0; i < NUM_CONTEXTS; i++) {
+        aio_context_unref(ctx[i]);
+    }
+    qemu_event_destroy(&done_event);
+}
+
+/* Basic test for the stuff above. */
+
+static void test_lifecycle(void)
+{
+    create_aio_contexts();
+    join_aio_contexts();
+}
+
+/* aio_co_schedule test.  */
+
+static Coroutine *to_schedule[NUM_CONTEXTS];
+
+static bool now_stopping;
+
+static int count_retry;
+static int count_here;
+static int count_other;
+
+static bool schedule_next(int n)
+{
+    Coroutine *co;
+
+    co = atomic_xchg(&to_schedule[n], NULL);
+    if (!co) {
+        atomic_inc(&count_retry);
+        return false;
+    }
+
+    if (n == id) {
+        atomic_inc(&count_here);
+    } else {
+        atomic_inc(&count_other);
+    }
+
+    aio_co_schedule(ctx[n], co);
+    return true;
+}
+
+static void finish_cb(void *opaque)
+{
+    schedule_next(id);
+}
+
+static coroutine_fn void test_multi_co_schedule_entry(void *opaque)
+{
+    g_assert(to_schedule[id] == NULL);
+    atomic_mb_set(&to_schedule[id], qemu_coroutine_self());
+
+    while (!atomic_mb_read(&now_stopping)) {
+        int n;
+
+        n = g_test_rand_int_range(0, NUM_CONTEXTS);
+        schedule_next(n);
+        qemu_coroutine_yield();
+
+        g_assert(to_schedule[id] == NULL);
+        atomic_mb_set(&to_schedule[id], qemu_coroutine_self());
+    }
+}
+
+
+static void test_multi_co_schedule(int seconds)
+{
+    int i;
+
+    count_here = count_other = count_retry = 0;
+    now_stopping = false;
+
+    create_aio_contexts();
+    for (i = 0; i < NUM_CONTEXTS; i++) {
+        Coroutine *co1 = qemu_coroutine_create(test_multi_co_schedule_entry, NULL);
+        aio_co_schedule(ctx[i], co1);
+    }
+
+    g_usleep(seconds * 1000000);
+
+    atomic_mb_set(&now_stopping, true);
+    for (i = 0; i < NUM_CONTEXTS; i++) {
+        ctx_run(i, finish_cb, NULL);
+        to_schedule[i] = NULL;
+    }
+
+    join_aio_contexts();
+    g_test_message("scheduled %d, queued %d, retry %d, total %d\n",
+                  count_other, count_here, count_retry,
+                  count_here + count_other + count_retry);
+}
+
+static void test_multi_co_schedule_1(void)
+{
+    test_multi_co_schedule(1);
+}
+
+static void test_multi_co_schedule_10(void)
+{
+    test_multi_co_schedule(10);
+}
+
+/* End of tests.  */
+
+int main(int argc, char **argv)
+{
+    init_clocks();
+
+    g_test_init(&argc, &argv, NULL);
+    g_test_add_func("/aio/multi/lifecycle", test_lifecycle);
+    if (g_test_quick()) {
+        g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_1);
+    } else {
+        g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_10);
+    }
+    return g_test_run();
+}
diff --git a/util/async.c b/util/async.c
index XXXXXXX..XXXXXXX 100644
--- a/util/async.c
+++ b/util/async.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/main-loop.h"
 #include "qemu/atomic.h"
 #include "block/raw-aio.h"
+#include "qemu/coroutine_int.h"
+#include "trace.h"
 
 /***********************************************************/
 /* bottom halves (can be seen as timers which expire ASAP) */
@@ -XXX,XX +XXX,XX @@ aio_ctx_finalize(GSource     *source)
     }
 #endif
 
+    assert(QSLIST_EMPTY(&ctx->scheduled_coroutines));
+    qemu_bh_delete(ctx->co_schedule_bh);
+
     qemu_lockcnt_lock(&ctx->list_lock);
     assert(!qemu_lockcnt_count(&ctx->list_lock));
     while (ctx->first_bh) {
@@ -XXX,XX +XXX,XX @@ static bool event_notifier_poll(void *opaque)
     return atomic_read(&ctx->notified);
 }
 
+static void co_schedule_bh_cb(void *opaque)
+{
+    AioContext *ctx = opaque;
+    QSLIST_HEAD(, Coroutine) straight, reversed;
+
+    QSLIST_MOVE_ATOMIC(&reversed, &ctx->scheduled_coroutines);
+    QSLIST_INIT(&straight);
+
+    while (!QSLIST_EMPTY(&reversed)) {
+        Coroutine *co = QSLIST_FIRST(&reversed);
+        QSLIST_REMOVE_HEAD(&reversed, co_scheduled_next);
+        QSLIST_INSERT_HEAD(&straight, co, co_scheduled_next);
+    }
+
+    while (!QSLIST_EMPTY(&straight)) {
+        Coroutine *co = QSLIST_FIRST(&straight);
+        QSLIST_REMOVE_HEAD(&straight, co_scheduled_next);
+        trace_aio_co_schedule_bh_cb(ctx, co);
+        qemu_coroutine_enter(co);
+    }
+}
+
 AioContext *aio_context_new(Error **errp)
 {
     int ret;
@@ -XXX,XX +XXX,XX @@ AioContext *aio_context_new(Error **errp)
     }
     g_source_set_can_recurse(&ctx->source, true);
     qemu_lockcnt_init(&ctx->list_lock);
+
+    ctx->co_schedule_bh = aio_bh_new(ctx, co_schedule_bh_cb, ctx);
+    QSLIST_INIT(&ctx->scheduled_coroutines);
+
     aio_set_event_notifier(ctx, &ctx->notifier,
                            false,
                            (EventNotifierHandler *)
@@ -XXX,XX +XXX,XX @@ fail:
     return NULL;
 }
 
+void aio_co_schedule(AioContext *ctx, Coroutine *co)
+{
+    trace_aio_co_schedule(ctx, co);
+    QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
+                              co, co_scheduled_next);
+    qemu_bh_schedule(ctx->co_schedule_bh);
+}
+
+void aio_co_wake(struct Coroutine *co)
+{
+    AioContext *ctx;
+
+    /* Read coroutine before co->ctx.  Matches smp_wmb in
+     * qemu_coroutine_enter.
+     */
+    smp_read_barrier_depends();
+    ctx = atomic_read(&co->ctx);
+
+    if (ctx != qemu_get_current_aio_context()) {
+        aio_co_schedule(ctx, co);
+        return;
+    }
+
+    if (qemu_in_coroutine()) {
+        Coroutine *self = qemu_coroutine_self();
+        assert(self != co);
+        QSIMPLEQ_INSERT_TAIL(&self->co_queue_wakeup, co, co_queue_next);
+    } else {
+        aio_context_acquire(ctx);
+        qemu_coroutine_enter(co);
+        aio_context_release(ctx);
+    }
+}
+
 void aio_context_ref(AioContext *ctx)
 {
     g_source_ref(&ctx->source);
diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-coroutine.c
+++ b/util/qemu-coroutine.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/atomic.h"
 #include "qemu/coroutine.h"
 #include "qemu/coroutine_int.h"
+#include "block/aio.h"
 
 enum {
     POOL_BATCH_SIZE = 64,
@@ -XXX,XX +XXX,XX @@ void qemu_coroutine_enter(Coroutine *co)
     }
 
     co->caller = self;
+    co->ctx = qemu_get_current_aio_context();
+
+    /* Store co->ctx before anything that stores co.  Matches
+     * barrier in aio_co_wake.
+     */
+    smp_wmb();
+
     ret = qemu_coroutine_switch(self, co, COROUTINE_ENTER);
 
     qemu_co_queue_run_restart(co);
diff --git a/util/trace-events b/util/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/util/trace-events
+++ b/util/trace-events
@@ -XXX,XX +XXX,XX @@ run_poll_handlers_end(void *ctx, bool progress) "ctx %p progress %d"
 poll_shrink(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
 poll_grow(void *ctx, int64_t old, int64_t new) "ctx %p old %"PRId64" new %"PRId64
 
+# util/async.c
+aio_co_schedule(void *ctx, void *co) "ctx %p co %p"
+aio_co_schedule_bh_cb(void *ctx, void *co) "ctx %p co %p"
+
 # util/thread-pool.c
 thread_pool_submit(void *pool, void *req, void *opaque) "pool %p req %p opaque %p"
 thread_pool_complete(void *pool, void *req, void *opaque, int ret) "pool %p req %p opaque %p ret %d"
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

qcow2_create2 calls this.  Do not run a nested event loop, as that
breaks when aio_co_wake tries to queue the coroutine on the co_queue_wakeup
list of the currently running one.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213135235.12274-4-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/block-backend.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/block/block-backend.c b/block/block-backend.c
index XXXXXXX..XXXXXXX 100644
--- a/block/block-backend.c
+++ b/block/block-backend.c
@@ -XXX,XX +XXX,XX @@ static int blk_prw(BlockBackend *blk, int64_t offset, uint8_t *buf,
 {
     QEMUIOVector qiov;
     struct iovec iov;
-    Coroutine *co;
     BlkRwCo rwco;
 
     iov = (struct iovec) {
@@ -XXX,XX +XXX,XX @@ static int blk_prw(BlockBackend *blk, int64_t offset, uint8_t *buf,
         .ret    = NOT_DONE,
     };
 
-    co = qemu_coroutine_create(co_entry, &rwco);
-    qemu_coroutine_enter(co);
-    BDRV_POLL_WHILE(blk_bs(blk), rwco.ret == NOT_DONE);
+    if (qemu_in_coroutine()) {
+        /* Fast-path if already in coroutine context */
+        co_entry(&rwco);
+    } else {
+        Coroutine *co = qemu_coroutine_create(co_entry, &rwco);
+        qemu_coroutine_enter(co);
+        BDRV_POLL_WHILE(blk_bs(blk), rwco.ret == NOT_DONE);
+    }
 
     return rwco.ret;
 }
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

Once the thread pool starts using aio_co_wake, it will also need
qemu_get_current_aio_context().  Make test-thread-pool create
an AioContext with qemu_init_main_loop, so that stubs/iothread.c
and tests/iothread.c can provide the rest.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213135235.12274-5-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/test-thread-pool.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/tests/test-thread-pool.c b/tests/test-thread-pool.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/test-thread-pool.c
+++ b/tests/test-thread-pool.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "qemu/timer.h"
 #include "qemu/error-report.h"
+#include "qemu/main-loop.h"
 
 static AioContext *ctx;
 static ThreadPool *pool;
@@ -XXX,XX +XXX,XX @@ static void test_cancel_async(void)
 int main(int argc, char **argv)
 {
     int ret;
-    Error *local_error = NULL;
 
-    init_clocks();
-
-    ctx = aio_context_new(&local_error);
-    if (!ctx) {
-        error_reportf_err(local_error, "Failed to create AIO Context: ");
-        exit(1);
-    }
+    qemu_init_main_loop(&error_abort);
+    ctx = qemu_get_current_aio_context();
     pool = aio_get_thread_pool(ctx);
 
     g_test_init(&argc, &argv, NULL);
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
 
     ret = g_test_run();
 
-    aio_context_unref(ctx);
     return ret;
 }
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

This is in preparation for making qio_channel_yield work on
AioContexts other than the main one.

Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213135235.12274-6-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/io/channel.h | 25 +++++++++++++++++++++++++
 io/channel-command.c | 13 +++++++++++++
 io/channel-file.c    | 11 +++++++++++
 io/channel-socket.c  | 16 +++++++++++-----
 io/channel-tls.c     | 12 ++++++++++++
 io/channel-watch.c   |  6 ++++++
 io/channel.c         | 11 +++++++++++
 7 files changed, 89 insertions(+), 5 deletions(-)

diff --git a/include/io/channel.h b/include/io/channel.h
index XXXXXXX..XXXXXXX 100644
--- a/include/io/channel.h
+++ b/include/io/channel.h
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu-common.h"
 #include "qom/object.h"
+#include "block/aio.h"
 
 #define TYPE_QIO_CHANNEL "qio-channel"
 #define QIO_CHANNEL(obj)                                    \
@@ -XXX,XX +XXX,XX @@ struct QIOChannelClass {
                      off_t offset,
                      int whence,
                      Error **errp);
+    void (*io_set_aio_fd_handler)(QIOChannel *ioc,
+                                  AioContext *ctx,
+                                  IOHandler *io_read,
+                                  IOHandler *io_write,
+                                  void *opaque);
 };
 
 /* General I/O handling functions */
@@ -XXX,XX +XXX,XX @@ void qio_channel_yield(QIOChannel *ioc,
 void qio_channel_wait(QIOChannel *ioc,
                       GIOCondition condition);
 
+/**
+ * qio_channel_set_aio_fd_handler:
+ * @ioc: the channel object
+ * @ctx: the AioContext to set the handlers on
+ * @io_read: the read handler
+ * @io_write: the write handler
+ * @opaque: the opaque value passed to the handler
+ *
+ * This is used internally by qio_channel_yield().  It can
+ * be used by channel implementations to forward the handlers
+ * to another channel (e.g. from #QIOChannelTLS to the
+ * underlying socket).
+ */
+void qio_channel_set_aio_fd_handler(QIOChannel *ioc,
+                                    AioContext *ctx,
+                                    IOHandler *io_read,
+                                    IOHandler *io_write,
+                                    void *opaque);
+
 #endif /* QIO_CHANNEL_H */
diff --git a/io/channel-command.c b/io/channel-command.c
index XXXXXXX..XXXXXXX 100644
--- a/io/channel-command.c
+++ b/io/channel-command.c
@@ -XXX,XX +XXX,XX @@ static int qio_channel_command_close(QIOChannel *ioc,
 }
 
 
+static void qio_channel_command_set_aio_fd_handler(QIOChannel *ioc,
+                                                   AioContext *ctx,
+                                                   IOHandler *io_read,
+                                                   IOHandler *io_write,
+                                                   void *opaque)
+{
+    QIOChannelCommand *cioc = QIO_CHANNEL_COMMAND(ioc);
+    aio_set_fd_handler(ctx, cioc->readfd, false, io_read, NULL, NULL, opaque);
+    aio_set_fd_handler(ctx, cioc->writefd, false, NULL, io_write, NULL, opaque);
+}
+
+
 static GSource *qio_channel_command_create_watch(QIOChannel *ioc,
                                                  GIOCondition condition)
 {
@@ -XXX,XX +XXX,XX @@ static void qio_channel_command_class_init(ObjectClass *klass,
     ioc_klass->io_set_blocking = qio_channel_command_set_blocking;
     ioc_klass->io_close = qio_channel_command_close;
     ioc_klass->io_create_watch = qio_channel_command_create_watch;
+    ioc_klass->io_set_aio_fd_handler = qio_channel_command_set_aio_fd_handler;
 }
 
 static const TypeInfo qio_channel_command_info = {
diff --git a/io/channel-file.c b/io/channel-file.c
index XXXXXXX..XXXXXXX 100644
--- a/io/channel-file.c
+++ b/io/channel-file.c
@@ -XXX,XX +XXX,XX @@ static int qio_channel_file_close(QIOChannel *ioc,
 }
 
 
+static void qio_channel_file_set_aio_fd_handler(QIOChannel *ioc,
+                                                AioContext *ctx,
+                                                IOHandler *io_read,
+                                                IOHandler *io_write,
+                                                void *opaque)
+{
+    QIOChannelFile *fioc = QIO_CHANNEL_FILE(ioc);
+    aio_set_fd_handler(ctx, fioc->fd, false, io_read, io_write, NULL, opaque);
+}
+
 static GSource *qio_channel_file_create_watch(QIOChannel *ioc,
                                               GIOCondition condition)
 {
@@ -XXX,XX +XXX,XX @@ static void qio_channel_file_class_init(ObjectClass *klass,
     ioc_klass->io_seek = qio_channel_file_seek;
     ioc_klass->io_close = qio_channel_file_close;
     ioc_klass->io_create_watch = qio_channel_file_create_watch;
+    ioc_klass->io_set_aio_fd_handler = qio_channel_file_set_aio_fd_handler;
 }
 
 static const TypeInfo qio_channel_file_info = {
diff --git a/io/channel-socket.c b/io/channel-socket.c
index XXXXXXX..XXXXXXX 100644
--- a/io/channel-socket.c
+++ b/io/channel-socket.c
@@ -XXX,XX +XXX,XX @@ qio_channel_socket_set_blocking(QIOChannel *ioc,
         qemu_set_block(sioc->fd);
     } else {
         qemu_set_nonblock(sioc->fd);
-#ifdef WIN32
-        WSAEventSelect(sioc->fd, ioc->event,
-                       FD_READ | FD_ACCEPT | FD_CLOSE |
-                       FD_CONNECT | FD_WRITE | FD_OOB);
-#endif
     }
     return 0;
 }
@@ -XXX,XX +XXX,XX @@ qio_channel_socket_shutdown(QIOChannel *ioc,
     return 0;
 }
 
+static void qio_channel_socket_set_aio_fd_handler(QIOChannel *ioc,
+                                                  AioContext *ctx,
+                                                  IOHandler *io_read,
+                                                  IOHandler *io_write,
+                                                  void *opaque)
+{
+    QIOChannelSocket *sioc = QIO_CHANNEL_SOCKET(ioc);
+    aio_set_fd_handler(ctx, sioc->fd, false, io_read, io_write, NULL, opaque);
+}
+
 static GSource *qio_channel_socket_create_watch(QIOChannel *ioc,
                                                 GIOCondition condition)
 {
@@ -XXX,XX +XXX,XX @@ static void qio_channel_socket_class_init(ObjectClass *klass,
     ioc_klass->io_set_cork = qio_channel_socket_set_cork;
     ioc_klass->io_set_delay = qio_channel_socket_set_delay;
     ioc_klass->io_create_watch = qio_channel_socket_create_watch;
+    ioc_klass->io_set_aio_fd_handler = qio_channel_socket_set_aio_fd_handler;
 }
 
 static const TypeInfo qio_channel_socket_info = {
diff --git a/io/channel-tls.c b/io/channel-tls.c
index XXXXXXX..XXXXXXX 100644
--- a/io/channel-tls.c
+++ b/io/channel-tls.c
@@ -XXX,XX +XXX,XX @@ static int qio_channel_tls_close(QIOChannel *ioc,
     return qio_channel_close(tioc->master, errp);
 }
 
+static void qio_channel_tls_set_aio_fd_handler(QIOChannel *ioc,
+                                               AioContext *ctx,
+                                               IOHandler *io_read,
+                                               IOHandler *io_write,
+                                               void *opaque)
+{
+    QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+
+    qio_channel_set_aio_fd_handler(tioc->master, ctx, io_read, io_write, opaque);
+}
+
 static GSource *qio_channel_tls_create_watch(QIOChannel *ioc,
                                              GIOCondition condition)
 {
@@ -XXX,XX +XXX,XX @@ static void qio_channel_tls_class_init(ObjectClass *klass,
     ioc_klass->io_close = qio_channel_tls_close;
     ioc_klass->io_shutdown = qio_channel_tls_shutdown;
     ioc_klass->io_create_watch = qio_channel_tls_create_watch;
+    ioc_klass->io_set_aio_fd_handler = qio_channel_tls_set_aio_fd_handler;
 }
 
 static const TypeInfo qio_channel_tls_info = {
diff --git a/io/channel-watch.c b/io/channel-watch.c
index XXXXXXX..XXXXXXX 100644
--- a/io/channel-watch.c
+++ b/io/channel-watch.c
@@ -XXX,XX +XXX,XX @@ GSource *qio_channel_create_socket_watch(QIOChannel *ioc,
     GSource *source;
     QIOChannelSocketSource *ssource;
 
+#ifdef WIN32
+    WSAEventSelect(socket, ioc->event,
+                   FD_READ | FD_ACCEPT | FD_CLOSE |
+                   FD_CONNECT | FD_WRITE | FD_OOB);
+#endif
+
     source = g_source_new(&qio_channel_socket_source_funcs,
                           sizeof(QIOChannelSocketSource));
     ssource = (QIOChannelSocketSource *)source;
diff --git a/io/channel.c b/io/channel.c
index XXXXXXX..XXXXXXX 100644
--- a/io/channel.c
+++ b/io/channel.c
@@ -XXX,XX +XXX,XX @@ GSource *qio_channel_create_watch(QIOChannel *ioc,
 }
 
 
+void qio_channel_set_aio_fd_handler(QIOChannel *ioc,
+                                    AioContext *ctx,
+                                    IOHandler *io_read,
+                                    IOHandler *io_write,
+                                    void *opaque)
+{
+    QIOChannelClass *klass = QIO_CHANNEL_GET_CLASS(ioc);
+
+    klass->io_set_aio_fd_handler(ioc, ctx, io_read, io_write, opaque);
+}
+
 guint qio_channel_add_watch(QIOChannel *ioc,
                             GIOCondition condition,
                             QIOChannelFunc func,
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

Support separate coroutines for reading and writing, and place the
read/write handlers on the AioContext that the QIOChannel is registered
with.

Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213135235.12274-7-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/io/channel.h | 47 ++++++++++++++++++++++++++--
 io/channel.c         | 86 +++++++++++++++++++++++++++++++++++++++-------------
 2 files changed, 109 insertions(+), 24 deletions(-)

diff --git a/include/io/channel.h b/include/io/channel.h
index XXXXXXX..XXXXXXX 100644
--- a/include/io/channel.h
+++ b/include/io/channel.h
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu-common.h"
 #include "qom/object.h"
+#include "qemu/coroutine.h"
 #include "block/aio.h"
 
 #define TYPE_QIO_CHANNEL "qio-channel"
@@ -XXX,XX +XXX,XX @@ struct QIOChannel {
     Object parent;
     unsigned int features; /* bitmask of QIOChannelFeatures */
     char *name;
+    AioContext *ctx;
+    Coroutine *read_coroutine;
+    Coroutine *write_coroutine;
 #ifdef _WIN32
     HANDLE event; /* For use with GSource on Win32 */
 #endif
@@ -XXX,XX +XXX,XX @@ guint qio_channel_add_watch(QIOChannel *ioc,
 
 
 /**
+ * qio_channel_attach_aio_context:
+ * @ioc: the channel object
+ * @ctx: the #AioContext to set the handlers on
+ *
+ * Request that qio_channel_yield() sets I/O handlers on
+ * the given #AioContext.  If @ctx is %NULL, qio_channel_yield()
+ * uses QEMU's main thread event loop.
+ *
+ * You can move a #QIOChannel from one #AioContext to another even if
+ * I/O handlers are set for a coroutine.  However, #QIOChannel provides
+ * no synchronization between the calls to qio_channel_yield() and
+ * qio_channel_attach_aio_context().
+ *
+ * Therefore you should first call qio_channel_detach_aio_context()
+ * to ensure that the coroutine is not entered concurrently.  Then,
+ * while the coroutine has yielded, call qio_channel_attach_aio_context(),
+ * and then aio_co_schedule() to place the coroutine on the new
+ * #AioContext.  The calls to qio_channel_detach_aio_context()
+ * and qio_channel_attach_aio_context() should be protected with
+ * aio_context_acquire() and aio_context_release().
+ */
+void qio_channel_attach_aio_context(QIOChannel *ioc,
+                                    AioContext *ctx);
+
+/**
+ * qio_channel_detach_aio_context:
+ * @ioc: the channel object
+ *
+ * Disable any I/O handlers set by qio_channel_yield().  With the
+ * help of aio_co_schedule(), this allows moving a coroutine that was
+ * paused by qio_channel_yield() to another context.
+ */
+void qio_channel_detach_aio_context(QIOChannel *ioc);
+
+/**
  * qio_channel_yield:
  * @ioc: the channel object
  * @condition: the I/O condition to wait for
  *
- * Yields execution from the current coroutine until
- * the condition indicated by @condition becomes
- * available.
+ * Yields execution from the current coroutine until the condition
+ * indicated by @condition becomes available.  @condition must
+ * be either %G_IO_IN or %G_IO_OUT; it cannot contain both.  In
+ * addition, no two coroutine can be waiting on the same condition
+ * and channel at the same time.
  *
  * This must only be called from coroutine context
  */
diff --git a/io/channel.c b/io/channel.c
index XXXXXXX..XXXXXXX 100644
--- a/io/channel.c
+++ b/io/channel.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "io/channel.h"
 #include "qapi/error.h"
-#include "qemu/coroutine.h"
+#include "qemu/main-loop.h"
 
 bool qio_channel_has_feature(QIOChannel *ioc,
                              QIOChannelFeature feature)
@@ -XXX,XX +XXX,XX @@ off_t qio_channel_io_seek(QIOChannel *ioc,
 }
 
 
-typedef struct QIOChannelYieldData QIOChannelYieldData;
-struct QIOChannelYieldData {
-    QIOChannel *ioc;
-    Coroutine *co;
-};
+static void qio_channel_set_aio_fd_handlers(QIOChannel *ioc);
 
+static void qio_channel_restart_read(void *opaque)
+{
+    QIOChannel *ioc = opaque;
+    Coroutine *co = ioc->read_coroutine;
+
+    ioc->read_coroutine = NULL;
+    qio_channel_set_aio_fd_handlers(ioc);
+    aio_co_wake(co);
+}
 
-static gboolean qio_channel_yield_enter(QIOChannel *ioc,
-                                        GIOCondition condition,
-                                        gpointer opaque)
+static void qio_channel_restart_write(void *opaque)
 {
-    QIOChannelYieldData *data = opaque;
-    qemu_coroutine_enter(data->co);
-    return FALSE;
+    QIOChannel *ioc = opaque;
+    Coroutine *co = ioc->write_coroutine;
+
+    ioc->write_coroutine = NULL;
+    qio_channel_set_aio_fd_handlers(ioc);
+    aio_co_wake(co);
 }
 
+static void qio_channel_set_aio_fd_handlers(QIOChannel *ioc)
+{
+    IOHandler *rd_handler = NULL, *wr_handler = NULL;
+    AioContext *ctx;
+
+    if (ioc->read_coroutine) {
+        rd_handler = qio_channel_restart_read;
+    }
+    if (ioc->write_coroutine) {
+        wr_handler = qio_channel_restart_write;
+    }
+
+    ctx = ioc->ctx ? ioc->ctx : iohandler_get_aio_context();
+    qio_channel_set_aio_fd_handler(ioc, ctx, rd_handler, wr_handler, ioc);
+}
+
+void qio_channel_attach_aio_context(QIOChannel *ioc,
+                                    AioContext *ctx)
+{
+    AioContext *old_ctx;
+    if (ioc->ctx == ctx) {
+        return;
+    }
+
+    old_ctx = ioc->ctx ? ioc->ctx : iohandler_get_aio_context();
+    qio_channel_set_aio_fd_handler(ioc, old_ctx, NULL, NULL, NULL);
+    ioc->ctx = ctx;
+    qio_channel_set_aio_fd_handlers(ioc);
+}
+
+void qio_channel_detach_aio_context(QIOChannel *ioc)
+{
+    ioc->read_coroutine = NULL;
+    ioc->write_coroutine = NULL;
+    qio_channel_set_aio_fd_handlers(ioc);
+    ioc->ctx = NULL;
+}
 
 void coroutine_fn qio_channel_yield(QIOChannel *ioc,
                                     GIOCondition condition)
 {
-    QIOChannelYieldData data;
-
     assert(qemu_in_coroutine());
-    data.ioc = ioc;
-    data.co = qemu_coroutine_self();
-    qio_channel_add_watch(ioc,
-                          condition,
-                          qio_channel_yield_enter,
-                          &data,
-                          NULL);
+    if (condition == G_IO_IN) {
+        assert(!ioc->read_coroutine);
+        ioc->read_coroutine = qemu_coroutine_self();
+    } else if (condition == G_IO_OUT) {
+        assert(!ioc->write_coroutine);
+        ioc->write_coroutine = qemu_coroutine_self();
+    } else {
+        abort();
+    }
+    qio_channel_set_aio_fd_handlers(ioc);
     qemu_coroutine_yield();
 }
 
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

In the client, read the reply headers from a coroutine, switching the
read side between the "read header" coroutine and the I/O coroutine that
reads the body of the reply.

In the server, if the server can read more requests it will create a new
"read request" coroutine as soon as a request has been read.  Otherwise,
the new coroutine is created in nbd_request_put.

diff --git a/block/nbd-client.h b/block/nbd-client.h
index XXXXXXX..XXXXXXX 100644
--- a/block/nbd-client.h
+++ b/block/nbd-client.h
@@ -XXX,XX +XXX,XX @@ typedef struct NBDClientSession {
 
     CoMutex send_mutex;
     CoQueue free_sema;
-    Coroutine *send_coroutine;
+    Coroutine *read_reply_co;
     int in_flight;
 
     Coroutine *recv_coroutine[MAX_NBD_REQUESTS];
diff --git a/block/nbd-client.c b/block/nbd-client.c
index XXXXXXX..XXXXXXX 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -XXX,XX +XXX,XX @@
 #define HANDLE_TO_INDEX(bs, handle) ((handle) ^ ((uint64_t)(intptr_t)bs))
 #define INDEX_TO_HANDLE(bs, index)  ((index)  ^ ((uint64_t)(intptr_t)bs))
 
-static void nbd_recv_coroutines_enter_all(NBDClientSession *s)
+static void nbd_recv_coroutines_enter_all(BlockDriverState *bs)
 {
+    NBDClientSession *s = nbd_get_client_session(bs);
     int i;
 
     for (i = 0; i < MAX_NBD_REQUESTS; i++) {
@@ -XXX,XX +XXX,XX @@ static void nbd_recv_coroutines_enter_all(NBDClientSession *s)
             qemu_coroutine_enter(s->recv_coroutine[i]);
         }
     }
+    BDRV_POLL_WHILE(bs, s->read_reply_co);
 }
 
 static void nbd_teardown_connection(BlockDriverState *bs)
@@ -XXX,XX +XXX,XX @@ static void nbd_teardown_connection(BlockDriverState *bs)
     qio_channel_shutdown(client->ioc,
                          QIO_CHANNEL_SHUTDOWN_BOTH,
                          NULL);
-    nbd_recv_coroutines_enter_all(client);
+    nbd_recv_coroutines_enter_all(bs);
 
     nbd_client_detach_aio_context(bs);
     object_unref(OBJECT(client->sioc));
@@ -XXX,XX +XXX,XX @@ static void nbd_teardown_connection(BlockDriverState *bs)
     client->ioc = NULL;
 }
 
-static void nbd_reply_ready(void *opaque)
+static coroutine_fn void nbd_read_reply_entry(void *opaque)
 {
-    BlockDriverState *bs = opaque;
-    NBDClientSession *s = nbd_get_client_session(bs);
+    NBDClientSession *s = opaque;
     uint64_t i;
     int ret;
 
-    if (!s->ioc) { /* Already closed */
-        return;
-    }
-
-    if (s->reply.handle == 0) {
-        /* No reply already in flight.  Fetch a header.  It is possible
-         * that another thread has done the same thing in parallel, so
-         * the socket is not readable anymore.
-         */
+    for (;;) {
+        assert(s->reply.handle == 0);
         ret = nbd_receive_reply(s->ioc, &s->reply);
-        if (ret == -EAGAIN) {
-            return;
-        }
         if (ret < 0) {
-            s->reply.handle = 0;
-            goto fail;
+            break;
         }
-    }
 
-    /* There's no need for a mutex on the receive side, because the
-     * handler acts as a synchronization point and ensures that only
-     * one coroutine is called until the reply finishes.  */
-    i = HANDLE_TO_INDEX(s, s->reply.handle);
-    if (i >= MAX_NBD_REQUESTS) {
-        goto fail;
-    }
+        /* There's no need for a mutex on the receive side, because the
+         * handler acts as a synchronization point and ensures that only
+         * one coroutine is called until the reply finishes.
+         */
+        i = HANDLE_TO_INDEX(s, s->reply.handle);
+        if (i >= MAX_NBD_REQUESTS || !s->recv_coroutine[i]) {
+            break;
+        }
 
-    if (s->recv_coroutine[i]) {
-        qemu_coroutine_enter(s->recv_coroutine[i]);
-        return;
+        /* We're woken up by the recv_coroutine itself.  Note that there
+         * is no race between yielding and reentering read_reply_co.  This
+         * is because:
+         *
+         * - if recv_coroutine[i] runs on the same AioContext, it is only
+         *   entered after we yield
+         *
+         * - if recv_coroutine[i] runs on a different AioContext, reentering
+         *   read_reply_co happens through a bottom half, which can only
+         *   run after we yield.
+         */
+        aio_co_wake(s->recv_coroutine[i]);
+        qemu_coroutine_yield();
     }
-
-fail:
-    nbd_teardown_connection(bs);
-}
-
-static void nbd_restart_write(void *opaque)
-{
-    BlockDriverState *bs = opaque;
-
-    qemu_coroutine_enter(nbd_get_client_session(bs)->send_coroutine);
+    s->read_reply_co = NULL;
 }
 
 static int nbd_co_send_request(BlockDriverState *bs,
@@ -XXX,XX +XXX,XX @@ static int nbd_co_send_request(BlockDriverState *bs,
                                QEMUIOVector *qiov)
 {
     NBDClientSession *s = nbd_get_client_session(bs);
-    AioContext *aio_context;
     int rc, ret, i;
 
     qemu_co_mutex_lock(&s->send_mutex);
@@ -XXX,XX +XXX,XX @@ static int nbd_co_send_request(BlockDriverState *bs,
         return -EPIPE;
     }
 
-    s->send_coroutine = qemu_coroutine_self();
-    aio_context = bdrv_get_aio_context(bs);
-
-    aio_set_fd_handler(aio_context, s->sioc->fd, false,
-                       nbd_reply_ready, nbd_restart_write, NULL, bs);
     if (qiov) {
         qio_channel_set_cork(s->ioc, true);
         rc = nbd_send_request(s->ioc, request);
@@ -XXX,XX +XXX,XX @@ static int nbd_co_send_request(BlockDriverState *bs,
     } else {
         rc = nbd_send_request(s->ioc, request);
     }
-    aio_set_fd_handler(aio_context, s->sioc->fd, false,
-                       nbd_reply_ready, NULL, NULL, bs);
-    s->send_coroutine = NULL;
     qemu_co_mutex_unlock(&s->send_mutex);
     return rc;
 }
@@ -XXX,XX +XXX,XX @@ static void nbd_co_receive_reply(NBDClientSession *s,
 {
     int ret;
 
-    /* Wait until we're woken up by the read handler.  TODO: perhaps
-     * peek at the next reply and avoid yielding if it's ours?  */
+    /* Wait until we're woken up by nbd_read_reply_entry.  */
     qemu_coroutine_yield();
     *reply = s->reply;
     if (reply->handle != request->handle ||
@@ -XXX,XX +XXX,XX @@ static void nbd_coroutine_start(NBDClientSession *s,
     /* s->recv_coroutine[i] is set as soon as we get the send_lock.  */
 }
 
-static void nbd_coroutine_end(NBDClientSession *s,
+static void nbd_coroutine_end(BlockDriverState *bs,
                               NBDRequest *request)
 {
+    NBDClientSession *s = nbd_get_client_session(bs);
     int i = HANDLE_TO_INDEX(s, request->handle);
+
     s->recv_coroutine[i] = NULL;
-    if (s->in_flight-- == MAX_NBD_REQUESTS) {
-        qemu_co_queue_next(&s->free_sema);
+    s->in_flight--;
+    qemu_co_queue_next(&s->free_sema);
+
+    /* Kick the read_reply_co to get the next reply.  */
+    if (s->read_reply_co) {
+        aio_co_wake(s->read_reply_co);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ int nbd_client_co_preadv(BlockDriverState *bs, uint64_t offset,
     } else {
         nbd_co_receive_reply(client, &request, &reply, qiov);
     }
-    nbd_coroutine_end(client, &request);
+    nbd_coroutine_end(bs, &request);
     return -reply.error;
 }
 
@@ -XXX,XX +XXX,XX @@ int nbd_client_co_pwritev(BlockDriverState *bs, uint64_t offset,
     } else {
         nbd_co_receive_reply(client, &request, &reply, NULL);
     }
-    nbd_coroutine_end(client, &request);
+    nbd_coroutine_end(bs, &request);
     return -reply.error;
 }
 
@@ -XXX,XX +XXX,XX @@ int nbd_client_co_pwrite_zeroes(BlockDriverState *bs, int64_t offset,
     } else {
         nbd_co_receive_reply(client, &request, &reply, NULL);
     }
-    nbd_coroutine_end(client, &request);
+    nbd_coroutine_end(bs, &request);
     return -reply.error;
 }
 
@@ -XXX,XX +XXX,XX @@ int nbd_client_co_flush(BlockDriverState *bs)
     } else {
         nbd_co_receive_reply(client, &request, &reply, NULL);
     }
-    nbd_coroutine_end(client, &request);
+    nbd_coroutine_end(bs, &request);
     return -reply.error;
 }
 
@@ -XXX,XX +XXX,XX @@ int nbd_client_co_pdiscard(BlockDriverState *bs, int64_t offset, int count)
     } else {
         nbd_co_receive_reply(client, &request, &reply, NULL);
     }
-    nbd_coroutine_end(client, &request);
+    nbd_coroutine_end(bs, &request);
     return -reply.error;
 
 }
 
 void nbd_client_detach_aio_context(BlockDriverState *bs)
 {
-    aio_set_fd_handler(bdrv_get_aio_context(bs),
-                       nbd_get_client_session(bs)->sioc->fd,
-                       false, NULL, NULL, NULL, NULL);
+    NBDClientSession *client = nbd_get_client_session(bs);
+    qio_channel_detach_aio_context(QIO_CHANNEL(client->sioc));
 }
 
 void nbd_client_attach_aio_context(BlockDriverState *bs,
                                    AioContext *new_context)
 {
-    aio_set_fd_handler(new_context, nbd_get_client_session(bs)->sioc->fd,
-                       false, nbd_reply_ready, NULL, NULL, bs);
+    NBDClientSession *client = nbd_get_client_session(bs);
+    qio_channel_attach_aio_context(QIO_CHANNEL(client->sioc), new_context);
+    aio_co_schedule(new_context, client->read_reply_co);
 }
 
 void nbd_client_close(BlockDriverState *bs)
@@ -XXX,XX +XXX,XX @@ int nbd_client_init(BlockDriverState *bs,
     /* Now that we're connected, set the socket to be non-blocking and
      * kick the reply mechanism.  */
     qio_channel_set_blocking(QIO_CHANNEL(sioc), false, NULL);
-
+    client->read_reply_co = qemu_coroutine_create(nbd_read_reply_entry, client);
     nbd_client_attach_aio_context(bs, bdrv_get_aio_context(bs));
 
     logout("Established connection with NBD server\n");
diff --git a/nbd/client.c b/nbd/client.c
index XXXXXXX..XXXXXXX 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -XXX,XX +XXX,XX @@ ssize_t nbd_receive_reply(QIOChannel *ioc, NBDReply *reply)
     ssize_t ret;
 
     ret = read_sync(ioc, buf, sizeof(buf));
-    if (ret < 0) {
+    if (ret <= 0) {
         return ret;
     }
 
diff --git a/nbd/common.c b/nbd/common.c
index XXXXXXX..XXXXXXX 100644
--- a/nbd/common.c
+++ b/nbd/common.c
@@ -XXX,XX +XXX,XX @@ ssize_t nbd_wr_syncv(QIOChannel *ioc,
         }
         if (len == QIO_CHANNEL_ERR_BLOCK) {
             if (qemu_in_coroutine()) {
-                /* XXX figure out if we can create a variant on
-                 * qio_channel_yield() that works with AIO contexts
-                 * and consider using that in this branch */
-                qemu_coroutine_yield();
-            } else if (done) {
-                /* XXX this is needed by nbd_reply_ready.  */
-                qio_channel_wait(ioc,
-                                 do_read ? G_IO_IN : G_IO_OUT);
+                qio_channel_yield(ioc, do_read ? G_IO_IN : G_IO_OUT);
             } else {
                 return -EAGAIN;
             }
diff --git a/nbd/server.c b/nbd/server.c
index XXXXXXX..XXXXXXX 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -XXX,XX +XXX,XX @@ struct NBDClient {
     CoMutex send_lock;
     Coroutine *send_coroutine;
 
-    bool can_read;
-
     QTAILQ_ENTRY(NBDClient) next;
     int nb_requests;
     bool closing;
@@ -XXX,XX +XXX,XX @@ struct NBDClient {
 
 /* That's all folks */
 
-static void nbd_set_handlers(NBDClient *client);
-static void nbd_unset_handlers(NBDClient *client);
-static void nbd_update_can_read(NBDClient *client);
+static void nbd_client_receive_next_request(NBDClient *client);
 
 static gboolean nbd_negotiate_continue(QIOChannel *ioc,
                                        GIOCondition condition,
@@ -XXX,XX +XXX,XX @@ void nbd_client_put(NBDClient *client)
          */
         assert(client->closing);
 
-        nbd_unset_handlers(client);
+        qio_channel_detach_aio_context(client->ioc);
         object_unref(OBJECT(client->sioc));
         object_unref(OBJECT(client->ioc));
         if (client->tlscreds) {
@@ -XXX,XX +XXX,XX @@ static NBDRequestData *nbd_request_get(NBDClient *client)
 
     assert(client->nb_requests <= MAX_NBD_REQUESTS - 1);
     client->nb_requests++;
-    nbd_update_can_read(client);
 
     req = g_new0(NBDRequestData, 1);
     nbd_client_get(client);
@@ -XXX,XX +XXX,XX @@ static void nbd_request_put(NBDRequestData *req)
     g_free(req);
 
     client->nb_requests--;
-    nbd_update_can_read(client);
+    nbd_client_receive_next_request(client);
+
     nbd_client_put(client);
 }
 
@@ -XXX,XX +XXX,XX @@ static void blk_aio_attached(AioContext *ctx, void *opaque)
     exp->ctx = ctx;
 
     QTAILQ_FOREACH(client, &exp->clients, next) {
-        nbd_set_handlers(client);
+        qio_channel_attach_aio_context(client->ioc, ctx);
+        if (client->recv_coroutine) {
+            aio_co_schedule(ctx, client->recv_coroutine);
+        }
+        if (client->send_coroutine) {
+            aio_co_schedule(ctx, client->send_coroutine);
+        }
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void blk_aio_detach(void *opaque)
     TRACE("Export %s: Detaching clients from AIO context %p\n", exp->name, exp->ctx);
 
     QTAILQ_FOREACH(client, &exp->clients, next) {
-        nbd_unset_handlers(client);
+        qio_channel_detach_aio_context(client->ioc);
     }
 
     exp->ctx = NULL;
@@ -XXX,XX +XXX,XX @@ static ssize_t nbd_co_send_reply(NBDRequestData *req, NBDReply *reply,
     g_assert(qemu_in_coroutine());
     qemu_co_mutex_lock(&client->send_lock);
     client->send_coroutine = qemu_coroutine_self();
-    nbd_set_handlers(client);
 
     if (!len) {
         rc = nbd_send_reply(client->ioc, reply);
@@ -XXX,XX +XXX,XX @@ static ssize_t nbd_co_send_reply(NBDRequestData *req, NBDReply *reply,
     }
 
     client->send_coroutine = NULL;
-    nbd_set_handlers(client);
     qemu_co_mutex_unlock(&client->send_lock);
     return rc;
 }
@@ -XXX,XX +XXX,XX @@ static ssize_t nbd_co_receive_request(NBDRequestData *req,
     ssize_t rc;
 
     g_assert(qemu_in_coroutine());
-    client->recv_coroutine = qemu_coroutine_self();
-    nbd_update_can_read(client);
-
+    assert(client->recv_coroutine == qemu_coroutine_self());
     rc = nbd_receive_request(client->ioc, request);
     if (rc < 0) {
         if (rc != -EAGAIN) {
@@ -XXX,XX +XXX,XX @@ static ssize_t nbd_co_receive_request(NBDRequestData *req,
 
 out:
     client->recv_coroutine = NULL;
-    nbd_update_can_read(client);
+    nbd_client_receive_next_request(client);
 
     return rc;
 }
 
-static void nbd_trip(void *opaque)
+/* Owns a reference to the NBDClient passed as opaque.  */
+static coroutine_fn void nbd_trip(void *opaque)
 {
     NBDClient *client = opaque;
     NBDExport *exp = client->exp;
     NBDRequestData *req;
-    NBDRequest request;
+    NBDRequest request = { 0 };    /* GCC thinks it can be used uninitialized */
     NBDReply reply;
     ssize_t ret;
     int flags;
 
     TRACE("Reading request.");
     if (client->closing) {
+        nbd_client_put(client);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void nbd_trip(void *opaque)
 
 done:
     nbd_request_put(req);
+    nbd_client_put(client);
     return;
 
 out:
     nbd_request_put(req);
     client_close(client);
+    nbd_client_put(client);
 }
 
-static void nbd_read(void *opaque)
+static void nbd_client_receive_next_request(NBDClient *client)
 {
-    NBDClient *client = opaque;
-
-    if (client->recv_coroutine) {
-        qemu_coroutine_enter(client->recv_coroutine);
-    } else {
-        qemu_coroutine_enter(qemu_coroutine_create(nbd_trip, client));
-    }
-}
-
-static void nbd_restart_write(void *opaque)
-{
-    NBDClient *client = opaque;
-
-    qemu_coroutine_enter(client->send_coroutine);
-}
-
-static void nbd_set_handlers(NBDClient *client)
-{
-    if (client->exp && client->exp->ctx) {
-        aio_set_fd_handler(client->exp->ctx, client->sioc->fd, true,
-                           client->can_read ? nbd_read : NULL,
-                           client->send_coroutine ? nbd_restart_write : NULL,
-                           NULL, client);
-    }
-}
-
-static void nbd_unset_handlers(NBDClient *client)
-{
-    if (client->exp && client->exp->ctx) {
-        aio_set_fd_handler(client->exp->ctx, client->sioc->fd, true, NULL,
-                           NULL, NULL, NULL);
-    }
-}
-
-static void nbd_update_can_read(NBDClient *client)
-{
-    bool can_read = client->recv_coroutine ||
-                    client->nb_requests < MAX_NBD_REQUESTS;
-
-    if (can_read != client->can_read) {
-        client->can_read = can_read;
-        nbd_set_handlers(client);
-
-        /* There is no need to invoke aio_notify(), since aio_set_fd_handler()
-         * in nbd_set_handlers() will have taken care of that */
+    if (!client->recv_coroutine && client->nb_requests < MAX_NBD_REQUESTS) {
+        nbd_client_get(client);
+        client->recv_coroutine = qemu_coroutine_create(nbd_trip, client);
+        aio_co_schedule(client->exp->ctx, client->recv_coroutine);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static coroutine_fn void nbd_co_client_start(void *opaque)
         goto out;
     }
     qemu_co_mutex_init(&client->send_lock);
-    nbd_set_handlers(client);
 
     if (exp) {
         QTAILQ_INSERT_TAIL(&exp->clients, client, next);
     }
+
+    nbd_client_receive_next_request(client);
+
 out:
     g_free(data);
 }
@@ -XXX,XX +XXX,XX @@ void nbd_client_new(NBDExport *exp,
     object_ref(OBJECT(client->sioc));
     client->ioc = QIO_CHANNEL(sioc);
     object_ref(OBJECT(client->ioc));
-    client->can_read = true;
     client->close = close_fn;
 
     data->client = client;
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

As a small step towards the introduction of multiqueue, we want
coroutines to remain on the same AioContext that started them,
unless they are moved explicitly with e.g. aio_co_schedule.  This patch
avoids that coroutines switch AioContext when they use a CoMutex.
For now it does not make much of a difference, because the CoMutex
is not thread-safe and the AioContext itself is used to protect the
CoMutex from concurrent access.  However, this is going to change.

diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-coroutine-lock.c
+++ b/util/qemu-coroutine-lock.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/coroutine.h"
 #include "qemu/coroutine_int.h"
 #include "qemu/queue.h"
+#include "block/aio.h"
 #include "trace.h"
 
 void qemu_co_queue_init(CoQueue *queue)
@@ -XXX,XX +XXX,XX @@ void qemu_co_queue_run_restart(Coroutine *co)
 
 static bool qemu_co_queue_do_restart(CoQueue *queue, bool single)
 {
-    Coroutine *self = qemu_coroutine_self();
     Coroutine *next;
 
     if (QSIMPLEQ_EMPTY(&queue->entries)) {
@@ -XXX,XX +XXX,XX @@ static bool qemu_co_queue_do_restart(CoQueue *queue, bool single)
 
     while ((next = QSIMPLEQ_FIRST(&queue->entries)) != NULL) {
         QSIMPLEQ_REMOVE_HEAD(&queue->entries, co_queue_next);
-        QSIMPLEQ_INSERT_TAIL(&self->co_queue_wakeup, next, co_queue_next);
-        trace_qemu_co_queue_next(next);
+        aio_co_wake(next);
         if (single) {
             break;
         }
diff --git a/util/trace-events b/util/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/util/trace-events
+++ b/util/trace-events
@@ -XXX,XX +XXX,XX @@ qemu_coroutine_terminate(void *co) "self %p"
 
 # util/qemu-coroutine-lock.c
 qemu_co_queue_run_restart(void *co) "co %p"
-qemu_co_queue_next(void *nxt) "next %p"
 qemu_co_mutex_lock_entry(void *mutex, void *self) "mutex %p self %p"
 qemu_co_mutex_lock_return(void *mutex, void *self) "mutex %p self %p"
 qemu_co_mutex_unlock_entry(void *mutex, void *self) "mutex %p self %p"
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

Keep the coroutine on the same AioContext.  Without this change,
there would be a race between yielding the coroutine and reentering it.
While the race cannot happen now, because the code only runs from a single
AioContext, this will change with multiqueue support in the block layer.

While doing the change, replace custom bottom half with aio_co_schedule.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20170213135235.12274-10-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/blkdebug.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/block/blkdebug.c b/block/blkdebug.c
index XXXXXXX..XXXXXXX 100644
--- a/block/blkdebug.c
+++ b/block/blkdebug.c
@@ -XXX,XX +XXX,XX @@ out:
     return ret;
 }
 
-static void error_callback_bh(void *opaque)
-{
-    Coroutine *co = opaque;
-    qemu_coroutine_enter(co);
-}
-
 static int inject_error(BlockDriverState *bs, BlkdebugRule *rule)
 {
     BDRVBlkdebugState *s = bs->opaque;
@@ -XXX,XX +XXX,XX @@ static int inject_error(BlockDriverState *bs, BlkdebugRule *rule)
     }
 
     if (!immediately) {
-        aio_bh_schedule_oneshot(bdrv_get_aio_context(bs), error_callback_bh,
-                                qemu_coroutine_self());
+        aio_co_schedule(qemu_get_current_aio_context(), qemu_coroutine_self());
         qemu_coroutine_yield();
     }
 
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

qed_aio_start_io and qed_aio_next_io will not have to acquire/release
the AioContext, while qed_aio_next_io_cb will.  Split the functionality
and gain a little type-safety in the process.

diff --git a/block/qed.c b/block/qed.c
index XXXXXXX..XXXXXXX 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -XXX,XX +XXX,XX @@ static CachedL2Table *qed_new_l2_table(BDRVQEDState *s)
     return l2_table;
 }
 
-static void qed_aio_next_io(void *opaque, int ret);
+static void qed_aio_next_io(QEDAIOCB *acb, int ret);
+
+static void qed_aio_start_io(QEDAIOCB *acb)
+{
+    qed_aio_next_io(acb, 0);
+}
+
+static void qed_aio_next_io_cb(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+
+    qed_aio_next_io(acb, ret);
+}
 
 static void qed_plug_allocating_write_reqs(BDRVQEDState *s)
 {
@@ -XXX,XX +XXX,XX @@ static void qed_unplug_allocating_write_reqs(BDRVQEDState *s)
 
     acb = QSIMPLEQ_FIRST(&s->allocating_write_reqs);
     if (acb) {
-        qed_aio_next_io(acb, 0);
+        qed_aio_start_io(acb);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void qed_aio_complete(QEDAIOCB *acb, int ret)
         QSIMPLEQ_REMOVE_HEAD(&s->allocating_write_reqs, next);
         acb = QSIMPLEQ_FIRST(&s->allocating_write_reqs);
         if (acb) {
-            qed_aio_next_io(acb, 0);
+            qed_aio_start_io(acb);
         } else if (s->header.features & QED_F_NEED_CHECK) {
             qed_start_need_check_timer(s);
         }
@@ -XXX,XX +XXX,XX @@ static void qed_commit_l2_update(void *opaque, int ret)
     acb->request.l2_table = qed_find_l2_cache_entry(&s->l2_cache, l2_offset);
     assert(acb->request.l2_table != NULL);
 
-    qed_aio_next_io(opaque, ret);
+    qed_aio_next_io(acb, ret);
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static void qed_aio_write_l2_update(QEDAIOCB *acb, int ret, uint64_t offset)
     if (need_alloc) {
         /* Write out the whole new L2 table */
         qed_write_l2_table(s, &acb->request, 0, s->table_nelems, true,
-                            qed_aio_write_l1_update, acb);
+                           qed_aio_write_l1_update, acb);
     } else {
         /* Write out only the updated part of the L2 table */
         qed_write_l2_table(s, &acb->request, index, acb->cur_nclusters, false,
-                            qed_aio_next_io, acb);
+                           qed_aio_next_io_cb, acb);
     }
     return;
 
@@ -XXX,XX +XXX,XX @@ static void qed_aio_write_main(void *opaque, int ret)
     }
 
     if (acb->find_cluster_ret == QED_CLUSTER_FOUND) {
-        next_fn = qed_aio_next_io;
+        next_fn = qed_aio_next_io_cb;
     } else {
         if (s->bs->backing) {
             next_fn = qed_aio_write_flush_before_l2_update;
@@ -XXX,XX +XXX,XX @@ static void qed_aio_write_alloc(QEDAIOCB *acb, size_t len)
     if (acb->flags & QED_AIOCB_ZERO) {
         /* Skip ahead if the clusters are already zero */
         if (acb->find_cluster_ret == QED_CLUSTER_ZERO) {
-            qed_aio_next_io(acb, 0);
+            qed_aio_start_io(acb);
             return;
         }
 
@@ -XXX,XX +XXX,XX @@ static void qed_aio_read_data(void *opaque, int ret,
     /* Handle zero cluster and backing file reads */
     if (ret == QED_CLUSTER_ZERO) {
         qemu_iovec_memset(&acb->cur_qiov, 0, 0, acb->cur_qiov.size);
-        qed_aio_next_io(acb, 0);
+        qed_aio_start_io(acb);
         return;
     } else if (ret != QED_CLUSTER_FOUND) {
         qed_read_backing_file(s, acb->cur_pos, &acb->cur_qiov,
-                              &acb->backing_qiov, qed_aio_next_io, acb);
+                              &acb->backing_qiov, qed_aio_next_io_cb, acb);
         return;
     }
 
     BLKDBG_EVENT(bs->file, BLKDBG_READ_AIO);
     bdrv_aio_readv(bs->file, offset / BDRV_SECTOR_SIZE,
                    &acb->cur_qiov, acb->cur_qiov.size / BDRV_SECTOR_SIZE,
-                   qed_aio_next_io, acb);
+                   qed_aio_next_io_cb, acb);
     return;
 
 err:
@@ -XXX,XX +XXX,XX @@ err:
 /**
  * Begin next I/O or complete the request
  */
-static void qed_aio_next_io(void *opaque, int ret)
+static void qed_aio_next_io(QEDAIOCB *acb, int ret)
 {
-    QEDAIOCB *acb = opaque;
     BDRVQEDState *s = acb_to_s(acb);
     QEDFindClusterFunc *io_fn = (acb->flags & QED_AIOCB_WRITE) ?
                                 qed_aio_write_data : qed_aio_read_data;
@@ -XXX,XX +XXX,XX @@ static BlockAIOCB *qed_aio_setup(BlockDriverState *bs,
     qemu_iovec_init(&acb->cur_qiov, qiov->niov);
 
     /* Start request */
-    qed_aio_next_io(acb, 0);
+    qed_aio_start_io(acb);
     return &acb->common;
 }
 
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

The AioContext data structures are now protected by list_lock and/or
they are walked with FOREACH_RCU primitives.  There is no need anymore
to acquire the AioContext for the entire duration of aio_dispatch.
Instead, just acquire it before and after invoking the callbacks.
The next step is then to push it further down.

diff --git a/util/aio-posix.c b/util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
             (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR)) &&
             aio_node_check(ctx, node->is_external) &&
             node->io_read) {
+            aio_context_acquire(ctx);
             node->io_read(node->opaque);
+            aio_context_release(ctx);
 
             /* aio_notify() does not count as progress */
             if (node->opaque != &ctx->notifier) {
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
             (revents & (G_IO_OUT | G_IO_ERR)) &&
             aio_node_check(ctx, node->is_external) &&
             node->io_write) {
+            aio_context_acquire(ctx);
             node->io_write(node->opaque);
+            aio_context_release(ctx);
             progress = true;
         }
 
@@ -XXX,XX +XXX,XX @@ bool aio_dispatch(AioContext *ctx, bool dispatch_fds)
     }
 
     /* Run our timers */
+    aio_context_acquire(ctx);
     progress |= timerlistgroup_run_timers(&ctx->tlg);
+    aio_context_release(ctx);
 
     return progress;
 }
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
     int64_t timeout;
     int64_t start = 0;
 
-    aio_context_acquire(ctx);
-    progress = false;
-
     /* aio_notify can avoid the expensive event_notifier_set if
      * everything (file descriptors, bottom halves, timers) will
      * be re-evaluated before the next blocking poll().  This is
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         start = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
     }
 
-    if (try_poll_mode(ctx, blocking)) {
-        progress = true;
-    } else {
+    aio_context_acquire(ctx);
+    progress = try_poll_mode(ctx, blocking);
+    aio_context_release(ctx);
+
+    if (!progress) {
         assert(npfd == 0);
 
         /* fill pollfds */
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         timeout = blocking ? aio_compute_timeout(ctx) : 0;
 
         /* wait until next event */
-        if (timeout) {
-            aio_context_release(ctx);
-        }
         if (aio_epoll_check_poll(ctx, pollfds, npfd, timeout)) {
             AioHandler epoll_handler;
 
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         } else  {
             ret = qemu_poll_ns(pollfds, npfd, timeout);
         }
-        if (timeout) {
-            aio_context_acquire(ctx);
-        }
     }
 
     if (blocking) {
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         progress = true;
     }
 
-    aio_context_release(ctx);
-
     return progress;
 }
 
diff --git a/util/aio-win32.c b/util/aio-win32.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-win32.c
+++ b/util/aio-win32.c
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
             (revents || event_notifier_get_handle(node->e) == event) &&
             node->io_notify) {
             node->pfd.revents = 0;
+            aio_context_acquire(ctx);
             node->io_notify(node->e);
+            aio_context_release(ctx);
 
             /* aio_notify() does not count as progress */
             if (node->e != &ctx->notifier) {
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
             (node->io_read || node->io_write)) {
             node->pfd.revents = 0;
             if ((revents & G_IO_IN) && node->io_read) {
+                aio_context_acquire(ctx);
                 node->io_read(node->opaque);
+                aio_context_release(ctx);
                 progress = true;
             }
             if ((revents & G_IO_OUT) && node->io_write) {
+                aio_context_acquire(ctx);
                 node->io_write(node->opaque);
+                aio_context_release(ctx);
                 progress = true;
             }
 
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
     int count;
     int timeout;
 
-    aio_context_acquire(ctx);
     progress = false;
 
     /* aio_notify can avoid the expensive event_notifier_set if
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
 
         timeout = blocking && !have_select_revents
             ? qemu_timeout_ns_to_ms(aio_compute_timeout(ctx)) : 0;
-        if (timeout) {
-            aio_context_release(ctx);
-        }
         ret = WaitForMultipleObjects(count, events, FALSE, timeout);
         if (blocking) {
             assert(first);
             atomic_sub(&ctx->notify_me, 2);
         }
-        if (timeout) {
-            aio_context_acquire(ctx);
-        }
 
         if (first) {
             aio_notify_accept(ctx);
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         progress |= aio_dispatch_handlers(ctx, event);
     } while (count > 0);
 
+    aio_context_acquire(ctx);
     progress |= timerlistgroup_run_timers(&ctx->tlg);
-
     aio_context_release(ctx);
     return progress;
 }
diff --git a/util/async.c b/util/async.c
index XXXXXXX..XXXXXXX 100644
--- a/util/async.c
+++ b/util/async.c
@@ -XXX,XX +XXX,XX @@ int aio_bh_poll(AioContext *ctx)
                 ret = 1;
             }
             bh->idle = 0;
+            aio_context_acquire(ctx);
             aio_bh_call(bh);
+            aio_context_release(ctx);
         }
         if (bh->deleted) {
             deleted = true;
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20170213135235.12274-13-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/qed.h                 |  3 +++
 block/curl.c                |  2 ++
 block/io.c                  |  5 +++++
 block/iscsi.c               |  8 ++++++--
 block/null.c                |  4 ++++
 block/qed.c                 | 12 ++++++++++++
 block/throttle-groups.c     |  2 ++
 util/aio-posix.c            |  2 --
 util/aio-win32.c            |  2 --
 util/qemu-coroutine-sleep.c |  2 +-
 10 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/block/qed.h b/block/qed.h
index XXXXXXX..XXXXXXX 100644
--- a/block/qed.h
+++ b/block/qed.h
@@ -XXX,XX +XXX,XX @@ enum {
  */
 typedef void QEDFindClusterFunc(void *opaque, int ret, uint64_t offset, size_t len);
 
+void qed_acquire(BDRVQEDState *s);
+void qed_release(BDRVQEDState *s);
+
 /**
  * Generic callback for chaining async callbacks
  */
diff --git a/block/curl.c b/block/curl.c
index XXXXXXX..XXXXXXX 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -XXX,XX +XXX,XX @@ static void curl_multi_timeout_do(void *arg)
         return;
     }
 
+    aio_context_acquire(s->aio_context);
     curl_multi_socket_action(s->multi, CURL_SOCKET_TIMEOUT, 0, &running);
 
     curl_multi_check_completion(s);
+    aio_context_release(s->aio_context);
 #else
     abort();
 #endif
diff --git a/block/io.c b/block/io.c
index XXXXXXX..XXXXXXX 100644
--- a/block/io.c
+++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ void bdrv_aio_cancel(BlockAIOCB *acb)
         if (acb->aiocb_info->get_aio_context) {
             aio_poll(acb->aiocb_info->get_aio_context(acb), true);
         } else if (acb->bs) {
+            /* qemu_aio_ref and qemu_aio_unref are not thread-safe, so
+             * assert that we're not using an I/O thread.  Thread-safe
+             * code should use bdrv_aio_cancel_async exclusively.
+             */
+            assert(bdrv_get_aio_context(acb->bs) == qemu_get_aio_context());
             aio_poll(bdrv_get_aio_context(acb->bs), true);
         } else {
             abort();
diff --git a/block/iscsi.c b/block/iscsi.c
index XXXXXXX..XXXXXXX 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -XXX,XX +XXX,XX @@ static void iscsi_retry_timer_expired(void *opaque)
     struct IscsiTask *iTask = opaque;
     iTask->complete = 1;
     if (iTask->co) {
-        qemu_coroutine_enter(iTask->co);
+        aio_co_wake(iTask->co);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void iscsi_nop_timed_event(void *opaque)
 {
     IscsiLun *iscsilun = opaque;
 
+    aio_context_acquire(iscsilun->aio_context);
     if (iscsi_get_nops_in_flight(iscsilun->iscsi) >= MAX_NOP_FAILURES) {
         error_report("iSCSI: NOP timeout. Reconnecting...");
         iscsilun->request_timed_out = true;
     } else if (iscsi_nop_out_async(iscsilun->iscsi, NULL, NULL, 0, NULL) != 0) {
         error_report("iSCSI: failed to sent NOP-Out. Disabling NOP messages.");
-        return;
+        goto out;
     }
 
     timer_mod(iscsilun->nop_timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + NOP_INTERVAL);
     iscsi_set_events(iscsilun);
+
+out:
+    aio_context_release(iscsilun->aio_context);
 }
 
 static void iscsi_readcapacity_sync(IscsiLun *iscsilun, Error **errp)
diff --git a/block/null.c b/block/null.c
index XXXXXXX..XXXXXXX 100644
--- a/block/null.c
+++ b/block/null.c
@@ -XXX,XX +XXX,XX @@ static void null_bh_cb(void *opaque)
 static void null_timer_cb(void *opaque)
 {
     NullAIOCB *acb = opaque;
+    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
+
+    aio_context_acquire(ctx);
     acb->common.cb(acb->common.opaque, 0);
+    aio_context_release(ctx);
     timer_deinit(&acb->timer);
     qemu_aio_unref(acb);
 }
diff --git a/block/qed.c b/block/qed.c
index XXXXXXX..XXXXXXX 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -XXX,XX +XXX,XX @@ static void qed_need_check_timer_cb(void *opaque)
 
     trace_qed_need_check_timer_cb(s);
 
+    qed_acquire(s);
     qed_plug_allocating_write_reqs(s);
 
     /* Ensure writes are on disk before clearing flag */
     bdrv_aio_flush(s->bs->file->bs, qed_clear_need_check, s);
+    qed_release(s);
+}
+
+void qed_acquire(BDRVQEDState *s)
+{
+    aio_context_acquire(bdrv_get_aio_context(s->bs));
+}
+
+void qed_release(BDRVQEDState *s)
+{
+    aio_context_release(bdrv_get_aio_context(s->bs));
 }
 
 static void qed_start_need_check_timer(BDRVQEDState *s)
diff --git a/block/throttle-groups.c b/block/throttle-groups.c
index XXXXXXX..XXXXXXX 100644
--- a/block/throttle-groups.c
+++ b/block/throttle-groups.c
@@ -XXX,XX +XXX,XX @@ static void timer_cb(BlockBackend *blk, bool is_write)
     qemu_mutex_unlock(&tg->lock);
 
     /* Run the request that was waiting for this timer */
+    aio_context_acquire(blk_get_aio_context(blk));
     empty_queue = !qemu_co_enter_next(&blkp->throttled_reqs[is_write]);
+    aio_context_release(blk_get_aio_context(blk));
 
     /* If the request queue was empty then we have to take care of
      * scheduling the next one */
diff --git a/util/aio-posix.c b/util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@ bool aio_dispatch(AioContext *ctx, bool dispatch_fds)
     }
 
     /* Run our timers */
-    aio_context_acquire(ctx);
     progress |= timerlistgroup_run_timers(&ctx->tlg);
-    aio_context_release(ctx);
 
     return progress;
 }
diff --git a/util/aio-win32.c b/util/aio-win32.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-win32.c
+++ b/util/aio-win32.c
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         progress |= aio_dispatch_handlers(ctx, event);
     } while (count > 0);
 
-    aio_context_acquire(ctx);
     progress |= timerlistgroup_run_timers(&ctx->tlg);
-    aio_context_release(ctx);
     return progress;
 }
 
diff --git a/util/qemu-coroutine-sleep.c b/util/qemu-coroutine-sleep.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-coroutine-sleep.c
+++ b/util/qemu-coroutine-sleep.c
@@ -XXX,XX +XXX,XX @@ static void co_sleep_cb(void *opaque)
 {
     CoSleepCB *sleep_cb = opaque;
 
-    qemu_coroutine_enter(sleep_cb->co);
+    aio_co_wake(sleep_cb->co);
 }
 
 void coroutine_fn co_aio_sleep_ns(AioContext *ctx, QEMUClockType type,
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

This covers both file descriptor callbacks and polling callbacks,
since they execute related code.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20170213135235.12274-14-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/curl.c          | 16 +++++++++++++---
 block/iscsi.c         |  4 ++++
 block/linux-aio.c     |  4 ++++
 block/nfs.c           |  6 ++++++
 block/sheepdog.c      | 29 +++++++++++++++--------------
 block/ssh.c           | 29 +++++++++--------------------
 block/win32-aio.c     | 10 ++++++----
 hw/block/virtio-blk.c |  5 ++++-
 hw/scsi/virtio-scsi.c |  7 +++++++
 util/aio-posix.c      |  7 -------
 util/aio-win32.c      |  6 ------
 11 files changed, 68 insertions(+), 55 deletions(-)

diff --git a/block/curl.c b/block/curl.c
index XXXXXXX..XXXXXXX 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -XXX,XX +XXX,XX @@ static void curl_multi_check_completion(BDRVCURLState *s)
     }
 }
 
-static void curl_multi_do(void *arg)
+static void curl_multi_do_locked(CURLState *s)
 {
-    CURLState *s = (CURLState *)arg;
     CURLSocket *socket, *next_socket;
     int running;
     int r;
@@ -XXX,XX +XXX,XX @@ static void curl_multi_do(void *arg)
     }
 }
 
+static void curl_multi_do(void *arg)
+{
+    CURLState *s = (CURLState *)arg;
+
+    aio_context_acquire(s->s->aio_context);
+    curl_multi_do_locked(s);
+    aio_context_release(s->s->aio_context);
+}
+
 static void curl_multi_read(void *arg)
 {
     CURLState *s = (CURLState *)arg;
 
-    curl_multi_do(arg);
+    aio_context_acquire(s->s->aio_context);
+    curl_multi_do_locked(s);
     curl_multi_check_completion(s->s);
+    aio_context_release(s->s->aio_context);
 }
 
 static void curl_multi_timeout_do(void *arg)
diff --git a/block/iscsi.c b/block/iscsi.c
index XXXXXXX..XXXXXXX 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -XXX,XX +XXX,XX @@ iscsi_process_read(void *arg)
     IscsiLun *iscsilun = arg;
     struct iscsi_context *iscsi = iscsilun->iscsi;
 
+    aio_context_acquire(iscsilun->aio_context);
     iscsi_service(iscsi, POLLIN);
     iscsi_set_events(iscsilun);
+    aio_context_release(iscsilun->aio_context);
 }
 
 static void
@@ -XXX,XX +XXX,XX @@ iscsi_process_write(void *arg)
     IscsiLun *iscsilun = arg;
     struct iscsi_context *iscsi = iscsilun->iscsi;
 
+    aio_context_acquire(iscsilun->aio_context);
     iscsi_service(iscsi, POLLOUT);
     iscsi_set_events(iscsilun);
+    aio_context_release(iscsilun->aio_context);
 }
 
 static int64_t sector_lun2qemu(int64_t sector, IscsiLun *iscsilun)
diff --git a/block/linux-aio.c b/block/linux-aio.c
index XXXXXXX..XXXXXXX 100644
--- a/block/linux-aio.c
+++ b/block/linux-aio.c
@@ -XXX,XX +XXX,XX @@ static void qemu_laio_completion_cb(EventNotifier *e)
     LinuxAioState *s = container_of(e, LinuxAioState, e);
 
     if (event_notifier_test_and_clear(&s->e)) {
+        aio_context_acquire(s->aio_context);
         qemu_laio_process_completions_and_submit(s);
+        aio_context_release(s->aio_context);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static bool qemu_laio_poll_cb(void *opaque)
         return false;
     }
 
+    aio_context_acquire(s->aio_context);
     qemu_laio_process_completions_and_submit(s);
+    aio_context_release(s->aio_context);
     return true;
 }
 
diff --git a/block/nfs.c b/block/nfs.c
index XXXXXXX..XXXXXXX 100644
--- a/block/nfs.c
+++ b/block/nfs.c
@@ -XXX,XX +XXX,XX @@ static void nfs_set_events(NFSClient *client)
 static void nfs_process_read(void *arg)
 {
     NFSClient *client = arg;
+
+    aio_context_acquire(client->aio_context);
     nfs_service(client->context, POLLIN);
     nfs_set_events(client);
+    aio_context_release(client->aio_context);
 }
 
 static void nfs_process_write(void *arg)
 {
     NFSClient *client = arg;
+
+    aio_context_acquire(client->aio_context);
     nfs_service(client->context, POLLOUT);
     nfs_set_events(client);
+    aio_context_release(client->aio_context);
 }
 
 static void nfs_co_init_task(BlockDriverState *bs, NFSRPC *task)
diff --git a/block/sheepdog.c b/block/sheepdog.c
index XXXXXXX..XXXXXXX 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -XXX,XX +XXX,XX @@ static coroutine_fn int send_co_req(int sockfd, SheepdogReq *hdr, void *data,
     return ret;
 }
 
-static void restart_co_req(void *opaque)
-{
-    Coroutine *co = opaque;
-
-    qemu_coroutine_enter(co);
-}
-
 typedef struct SheepdogReqCo {
     int sockfd;
     BlockDriverState *bs;
@@ -XXX,XX +XXX,XX @@ typedef struct SheepdogReqCo {
     unsigned int *rlen;
     int ret;
     bool finished;
+    Coroutine *co;
 } SheepdogReqCo;
 
+static void restart_co_req(void *opaque)
+{
+    SheepdogReqCo *srco = opaque;
+
+    aio_co_wake(srco->co);
+}
+
 static coroutine_fn void do_co_req(void *opaque)
 {
     int ret;
-    Coroutine *co;
     SheepdogReqCo *srco = opaque;
     int sockfd = srco->sockfd;
     SheepdogReq *hdr = srco->hdr;
@@ -XXX,XX +XXX,XX @@ static coroutine_fn void do_co_req(void *opaque)
     unsigned int *wlen = srco->wlen;
     unsigned int *rlen = srco->rlen;
 
-    co = qemu_coroutine_self();
+    srco->co = qemu_coroutine_self();
     aio_set_fd_handler(srco->aio_context, sockfd, false,
-                       NULL, restart_co_req, NULL, co);
+                       NULL, restart_co_req, NULL, srco);
 
     ret = send_co_req(sockfd, hdr, data, wlen);
     if (ret < 0) {
@@ -XXX,XX +XXX,XX @@ static coroutine_fn void do_co_req(void *opaque)
     }
 
     aio_set_fd_handler(srco->aio_context, sockfd, false,
-                       restart_co_req, NULL, NULL, co);
+                       restart_co_req, NULL, NULL, srco);
 
     ret = qemu_co_recv(sockfd, hdr, sizeof(*hdr));
     if (ret != sizeof(*hdr)) {
@@ -XXX,XX +XXX,XX @@ out:
     aio_set_fd_handler(srco->aio_context, sockfd, false,
                        NULL, NULL, NULL, NULL);
 
+    srco->co = NULL;
     srco->ret = ret;
     srco->finished = true;
     if (srco->bs) {
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn aio_read_response(void *opaque)
          * We've finished all requests which belong to the AIOCB, so
          * we can switch back to sd_co_readv/writev now.
          */
-        qemu_coroutine_enter(acb->coroutine);
+        aio_co_wake(acb->coroutine);
     }
 
     return;
@@ -XXX,XX +XXX,XX @@ static void co_read_response(void *opaque)
         s->co_recv = qemu_coroutine_create(aio_read_response, opaque);
     }
 
-    qemu_coroutine_enter(s->co_recv);
+    aio_co_wake(s->co_recv);
 }
 
 static void co_write_request(void *opaque)
 {
     BDRVSheepdogState *s = opaque;
 
-    qemu_coroutine_enter(s->co_send);
+    aio_co_wake(s->co_send);
 }
 
 /*
diff --git a/block/ssh.c b/block/ssh.c
index XXXXXXX..XXXXXXX 100644
--- a/block/ssh.c
+++ b/block/ssh.c
@@ -XXX,XX +XXX,XX @@ static void restart_coroutine(void *opaque)
 
     DPRINTF("co=%p", co);
 
-    qemu_coroutine_enter(co);
+    aio_co_wake(co);
 }
 
-static coroutine_fn void set_fd_handler(BDRVSSHState *s, BlockDriverState *bs)
+/* A non-blocking call returned EAGAIN, so yield, ensuring the
+ * handlers are set up so that we'll be rescheduled when there is an
+ * interesting event on the socket.
+ */
+static coroutine_fn void co_yield(BDRVSSHState *s, BlockDriverState *bs)
 {
     int r;
     IOHandler *rd_handler = NULL, *wr_handler = NULL;
@@ -XXX,XX +XXX,XX @@ static coroutine_fn void set_fd_handler(BDRVSSHState *s, BlockDriverState *bs)
 
     aio_set_fd_handler(bdrv_get_aio_context(bs), s->sock,
                        false, rd_handler, wr_handler, NULL, co);
-}
-
-static coroutine_fn void clear_fd_handler(BDRVSSHState *s,
-                                          BlockDriverState *bs)
-{
-    DPRINTF("s->sock=%d", s->sock);
-    aio_set_fd_handler(bdrv_get_aio_context(bs), s->sock,
-                       false, NULL, NULL, NULL, NULL);
-}
-
-/* A non-blocking call returned EAGAIN, so yield, ensuring the
- * handlers are set up so that we'll be rescheduled when there is an
- * interesting event on the socket.
- */
-static coroutine_fn void co_yield(BDRVSSHState *s, BlockDriverState *bs)
-{
-    set_fd_handler(s, bs);
     qemu_coroutine_yield();
-    clear_fd_handler(s, bs);
+    DPRINTF("s->sock=%d - back", s->sock);
+    aio_set_fd_handler(bdrv_get_aio_context(bs), s->sock, false,
+                       NULL, NULL, NULL, NULL);
 }
 
 /* SFTP has a function `libssh2_sftp_seek64' which seeks to a position
diff --git a/block/win32-aio.c b/block/win32-aio.c
index XXXXXXX..XXXXXXX 100644
--- a/block/win32-aio.c
+++ b/block/win32-aio.c
@@ -XXX,XX +XXX,XX @@ struct QEMUWin32AIOState {
     HANDLE hIOCP;
     EventNotifier e;
     int count;
-    bool is_aio_context_attached;
+    AioContext *aio_ctx;
 };
 
 typedef struct QEMUWin32AIOCB {
@@ -XXX,XX +XXX,XX @@ static void win32_aio_process_completion(QEMUWin32AIOState *s,
     }
 
 
+    aio_context_acquire(s->aio_ctx);
     waiocb->common.cb(waiocb->common.opaque, ret);
+    aio_context_release(s->aio_ctx);
     qemu_aio_unref(waiocb);
 }
 
@@ -XXX,XX +XXX,XX @@ void win32_aio_detach_aio_context(QEMUWin32AIOState *aio,
                                   AioContext *old_context)
 {
     aio_set_event_notifier(old_context, &aio->e, false, NULL, NULL);
-    aio->is_aio_context_attached = false;
+    aio->aio_ctx = NULL;
 }
 
 void win32_aio_attach_aio_context(QEMUWin32AIOState *aio,
                                   AioContext *new_context)
 {
-    aio->is_aio_context_attached = true;
+    aio->aio_ctx = new_context;
     aio_set_event_notifier(new_context, &aio->e, false,
                            win32_aio_completion_cb, NULL);
 }
@@ -XXX,XX +XXX,XX @@ out_free_state:
 
 void win32_aio_cleanup(QEMUWin32AIOState *aio)
 {
-    assert(!aio->is_aio_context_attached);
+    assert(!aio->aio_ctx);
     CloseHandle(aio->hIOCP);
     event_notifier_cleanup(&aio->e);
     g_free(aio);
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -XXX,XX +XXX,XX @@ static void virtio_blk_ioctl_complete(void *opaque, int status)
 {
     VirtIOBlockIoctlReq *ioctl_req = opaque;
     VirtIOBlockReq *req = ioctl_req->req;
-    VirtIODevice *vdev = VIRTIO_DEVICE(req->dev);
+    VirtIOBlock *s = req->dev;
+    VirtIODevice *vdev = VIRTIO_DEVICE(s);
     struct virtio_scsi_inhdr *scsi;
     struct sg_io_hdr *hdr;
 
@@ -XXX,XX +XXX,XX @@ bool virtio_blk_handle_vq(VirtIOBlock *s, VirtQueue *vq)
     MultiReqBuffer mrb = {};
     bool progress = false;
 
+    aio_context_acquire(blk_get_aio_context(s->blk));
     blk_io_plug(s->blk);
 
     do {
@@ -XXX,XX +XXX,XX @@ bool virtio_blk_handle_vq(VirtIOBlock *s, VirtQueue *vq)
     }
 
     blk_io_unplug(s->blk);
+    aio_context_release(blk_get_aio_context(s->blk));
     return progress;
 }
 
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -XXX,XX +XXX,XX @@ bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
     VirtIOSCSIReq *req;
     bool progress = false;
 
+    virtio_scsi_acquire(s);
     while ((req = virtio_scsi_pop_req(s, vq))) {
         progress = true;
         virtio_scsi_handle_ctrl_req(s, req);
     }
+    virtio_scsi_release(s);
     return progress;
 }
 
@@ -XXX,XX +XXX,XX @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
 
     QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
 
+    virtio_scsi_acquire(s);
     do {
         virtio_queue_set_notification(vq, 0);
 
@@ -XXX,XX +XXX,XX @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
     QTAILQ_FOREACH_SAFE(req, &reqs, next, next) {
         virtio_scsi_handle_cmd_req_submit(s, req);
     }
+    virtio_scsi_release(s);
     return progress;
 }
 
@@ -XXX,XX +XXX,XX @@ out:
 
 bool virtio_scsi_handle_event_vq(VirtIOSCSI *s, VirtQueue *vq)
 {
+    virtio_scsi_acquire(s);
     if (s->events_dropped) {
         virtio_scsi_push_event(s, NULL, VIRTIO_SCSI_T_NO_EVENT, 0);
+        virtio_scsi_release(s);
         return true;
     }
+    virtio_scsi_release(s);
     return false;
 }
 
diff --git a/util/aio-posix.c b/util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
             (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR)) &&
             aio_node_check(ctx, node->is_external) &&
             node->io_read) {
-            aio_context_acquire(ctx);
             node->io_read(node->opaque);
-            aio_context_release(ctx);
 
             /* aio_notify() does not count as progress */
             if (node->opaque != &ctx->notifier) {
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
             (revents & (G_IO_OUT | G_IO_ERR)) &&
             aio_node_check(ctx, node->is_external) &&
             node->io_write) {
-            aio_context_acquire(ctx);
             node->io_write(node->opaque);
-            aio_context_release(ctx);
             progress = true;
         }
 
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         start = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
     }
 
-    aio_context_acquire(ctx);
     progress = try_poll_mode(ctx, blocking);
-    aio_context_release(ctx);
-
     if (!progress) {
         assert(npfd == 0);
 
diff --git a/util/aio-win32.c b/util/aio-win32.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-win32.c
+++ b/util/aio-win32.c
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
             (revents || event_notifier_get_handle(node->e) == event) &&
             node->io_notify) {
             node->pfd.revents = 0;
-            aio_context_acquire(ctx);
             node->io_notify(node->e);
-            aio_context_release(ctx);
 
             /* aio_notify() does not count as progress */
             if (node->e != &ctx->notifier) {
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
             (node->io_read || node->io_write)) {
             node->pfd.revents = 0;
             if ((revents & G_IO_IN) && node->io_read) {
-                aio_context_acquire(ctx);
                 node->io_read(node->opaque);
-                aio_context_release(ctx);
                 progress = true;
             }
             if ((revents & G_IO_OUT) && node->io_write) {
-                aio_context_acquire(ctx);
                 node->io_write(node->opaque);
-                aio_context_release(ctx);
                 progress = true;
             }
 
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20170213135235.12274-15-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/archipelago.c   |  3 +++
 block/blkreplay.c     |  2 +-
 block/block-backend.c |  6 ++++++
 block/curl.c          | 26 ++++++++++++++++++--------
 block/gluster.c       |  9 +--------
 block/io.c            |  6 +++++-
 block/iscsi.c         |  6 +++++-
 block/linux-aio.c     | 15 +++++++++------
 block/nfs.c           |  3 ++-
 block/null.c          |  4 ++++
 block/qed.c           |  3 +++
 block/rbd.c           |  4 ++++
 dma-helpers.c         |  2 ++
 hw/block/virtio-blk.c |  2 ++
 hw/scsi/scsi-bus.c    |  2 ++
 util/async.c          |  4 ++--
 util/thread-pool.c    |  2 ++
 17 files changed, 71 insertions(+), 28 deletions(-)

diff --git a/block/archipelago.c b/block/archipelago.c
index XXXXXXX..XXXXXXX 100644
--- a/block/archipelago.c
+++ b/block/archipelago.c
@@ -XXX,XX +XXX,XX @@ static void qemu_archipelago_complete_aio(void *opaque)
 {
     AIORequestData *reqdata = (AIORequestData *) opaque;
     ArchipelagoAIOCB *aio_cb = (ArchipelagoAIOCB *) reqdata->aio_cb;
+    AioContext *ctx = bdrv_get_aio_context(aio_cb->common.bs);
 
+    aio_context_acquire(ctx);
     aio_cb->common.cb(aio_cb->common.opaque, aio_cb->ret);
+    aio_context_release(ctx);
     aio_cb->status = 0;
 
     qemu_aio_unref(aio_cb);
diff --git a/block/blkreplay.c b/block/blkreplay.c
index XXXXXXX..XXXXXXX 100755
--- a/block/blkreplay.c
+++ b/block/blkreplay.c
@@ -XXX,XX +XXX,XX @@ static int64_t blkreplay_getlength(BlockDriverState *bs)
 static void blkreplay_bh_cb(void *opaque)
 {
     Request *req = opaque;
-    qemu_coroutine_enter(req->co);
+    aio_co_wake(req->co);
     qemu_bh_delete(req->bh);
     g_free(req);
 }
diff --git a/block/block-backend.c b/block/block-backend.c
index XXXXXXX..XXXXXXX 100644
--- a/block/block-backend.c
+++ b/block/block-backend.c
@@ -XXX,XX +XXX,XX @@ int blk_make_zero(BlockBackend *blk, BdrvRequestFlags flags)
 static void error_callback_bh(void *opaque)
 {
     struct BlockBackendAIOCB *acb = opaque;
+    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
 
     bdrv_dec_in_flight(acb->common.bs);
+    aio_context_acquire(ctx);
     acb->common.cb(acb->common.opaque, acb->ret);
+    aio_context_release(ctx);
     qemu_aio_unref(acb);
 }
 
@@ -XXX,XX +XXX,XX @@ static void blk_aio_complete(BlkAioEmAIOCB *acb)
 static void blk_aio_complete_bh(void *opaque)
 {
     BlkAioEmAIOCB *acb = opaque;
+    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
 
     assert(acb->has_returned);
+    aio_context_acquire(ctx);
     blk_aio_complete(acb);
+    aio_context_release(ctx);
 }
 
 static BlockAIOCB *blk_aio_prwv(BlockBackend *blk, int64_t offset, int bytes,
diff --git a/block/curl.c b/block/curl.c
index XXXXXXX..XXXXXXX 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
 {
     CURLState *state;
     int running;
+    int ret = -EINPROGRESS;
 
     CURLAIOCB *acb = p;
-    BDRVCURLState *s = acb->common.bs->opaque;
+    BlockDriverState *bs = acb->common.bs;
+    BDRVCURLState *s = bs->opaque;
+    AioContext *ctx = bdrv_get_aio_context(bs);
 
     size_t start = acb->sector_num * BDRV_SECTOR_SIZE;
     size_t end;
 
+    aio_context_acquire(ctx);
+
     // In case we have the requested data already (e.g. read-ahead),
     // we can just call the callback and be done.
     switch (curl_find_buf(s, start, acb->nb_sectors * BDRV_SECTOR_SIZE, acb)) {
@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
             qemu_aio_unref(acb);
             // fall through
         case FIND_RET_WAIT:
-            return;
+            goto out;
         default:
             break;
     }
@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
     // No cache found, so let's start a new request
     state = curl_init_state(acb->common.bs, s);
     if (!state) {
-        acb->common.cb(acb->common.opaque, -EIO);
-        qemu_aio_unref(acb);
-        return;
+        ret = -EIO;
+        goto out;
     }
 
     acb->start = 0;
@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
     state->orig_buf = g_try_malloc(state->buf_len);
     if (state->buf_len && state->orig_buf == NULL) {
         curl_clean_state(state);
-        acb->common.cb(acb->common.opaque, -ENOMEM);
-        qemu_aio_unref(acb);
-        return;
+        ret = -ENOMEM;
+        goto out;
     }
     state->acb[0] = acb;
 
@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
 
     /* Tell curl it needs to kick things off */
     curl_multi_socket_action(s->multi, CURL_SOCKET_TIMEOUT, 0, &running);
+
+out:
+    if (ret != -EINPROGRESS) {
+        acb->common.cb(acb->common.opaque, ret);
+        qemu_aio_unref(acb);
+    }
+    aio_context_release(ctx);
 }
 
 static BlockAIOCB *curl_aio_readv(BlockDriverState *bs,
diff --git a/block/gluster.c b/block/gluster.c
index XXXXXXX..XXXXXXX 100644
--- a/block/gluster.c
+++ b/block/gluster.c
@@ -XXX,XX +XXX,XX @@ static struct glfs *qemu_gluster_init(BlockdevOptionsGluster *gconf,
     return qemu_gluster_glfs_init(gconf, errp);
 }
 
-static void qemu_gluster_complete_aio(void *opaque)
-{
-    GlusterAIOCB *acb = (GlusterAIOCB *)opaque;
-
-    qemu_coroutine_enter(acb->coroutine);
-}
-
 /*
  * AIO callback routine called from GlusterFS thread.
  */
@@ -XXX,XX +XXX,XX @@ static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg)
         acb->ret = -EIO; /* Partial read/write - fail it */
     }
 
-    aio_bh_schedule_oneshot(acb->aio_context, qemu_gluster_complete_aio, acb);
+    aio_co_schedule(acb->aio_context, acb->coroutine);
 }
 
 static void qemu_gluster_parse_flags(int bdrv_flags, int *open_flags)
diff --git a/block/io.c b/block/io.c
index XXXXXXX..XXXXXXX 100644
--- a/block/io.c
+++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ static void bdrv_co_drain_bh_cb(void *opaque)
     bdrv_dec_in_flight(bs);
     bdrv_drained_begin(bs);
     data->done = true;
-    qemu_coroutine_enter(co);
+    aio_co_wake(co);
 }
 
 static void coroutine_fn bdrv_co_yield_to_drain(BlockDriverState *bs)
@@ -XXX,XX +XXX,XX @@ static void bdrv_co_complete(BlockAIOCBCoroutine *acb)
 static void bdrv_co_em_bh(void *opaque)
 {
     BlockAIOCBCoroutine *acb = opaque;
+    BlockDriverState *bs = acb->common.bs;
+    AioContext *ctx = bdrv_get_aio_context(bs);
 
     assert(!acb->need_bh);
+    aio_context_acquire(ctx);
     bdrv_co_complete(acb);
+    aio_context_release(ctx);
 }
 
 static void bdrv_co_maybe_schedule_bh(BlockAIOCBCoroutine *acb)
diff --git a/block/iscsi.c b/block/iscsi.c
index XXXXXXX..XXXXXXX 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -XXX,XX +XXX,XX @@ static void
 iscsi_bh_cb(void *p)
 {
     IscsiAIOCB *acb = p;
+    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
 
     qemu_bh_delete(acb->bh);
 
     g_free(acb->buf);
     acb->buf = NULL;
 
+    aio_context_acquire(ctx);
     acb->common.cb(acb->common.opaque, acb->status);
+    aio_context_release(ctx);
 
     if (acb->task != NULL) {
         scsi_free_scsi_task(acb->task);
@@ -XXX,XX +XXX,XX @@ iscsi_schedule_bh(IscsiAIOCB *acb)
 static void iscsi_co_generic_bh_cb(void *opaque)
 {
     struct IscsiTask *iTask = opaque;
+
     iTask->complete = 1;
-    qemu_coroutine_enter(iTask->co);
+    aio_co_wake(iTask->co);
 }
 
 static void iscsi_retry_timer_expired(void *opaque)
diff --git a/block/linux-aio.c b/block/linux-aio.c
index XXXXXXX..XXXXXXX 100644
--- a/block/linux-aio.c
+++ b/block/linux-aio.c
@@ -XXX,XX +XXX,XX @@ struct LinuxAioState {
     io_context_t ctx;
     EventNotifier e;
 
-    /* io queue for submit at batch */
+    /* io queue for submit at batch.  Protected by AioContext lock. */
     LaioQueue io_q;
 
-    /* I/O completion processing */
+    /* I/O completion processing.  Only runs in I/O thread.  */
     QEMUBH *completion_bh;
     int event_idx;
     int event_max;
@@ -XXX,XX +XXX,XX @@ static inline ssize_t io_event_ret(struct io_event *ev)
  */
 static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
 {
+    LinuxAioState *s = laiocb->ctx;
     int ret;
 
     ret = laiocb->ret;
@@ -XXX,XX +XXX,XX @@ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
     }
 
     laiocb->ret = ret;
+    aio_context_acquire(s->aio_context);
     if (laiocb->co) {
         /* If the coroutine is already entered it must be in ioq_submit() and
          * will notice laio->ret has been filled in when it eventually runs
@@ -XXX,XX +XXX,XX @@ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
         laiocb->common.cb(laiocb->common.opaque, ret);
         qemu_aio_unref(laiocb);
     }
+    aio_context_release(s->aio_context);
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static void qemu_laio_process_completions(LinuxAioState *s)
 static void qemu_laio_process_completions_and_submit(LinuxAioState *s)
 {
     qemu_laio_process_completions(s);
+
+    aio_context_acquire(s->aio_context);
     if (!s->io_q.plugged && !QSIMPLEQ_EMPTY(&s->io_q.pending)) {
         ioq_submit(s);
     }
+    aio_context_release(s->aio_context);
 }
 
 static void qemu_laio_completion_bh(void *opaque)
@@ -XXX,XX +XXX,XX @@ static void qemu_laio_completion_cb(EventNotifier *e)
     LinuxAioState *s = container_of(e, LinuxAioState, e);
 
     if (event_notifier_test_and_clear(&s->e)) {
-        aio_context_acquire(s->aio_context);
         qemu_laio_process_completions_and_submit(s);
-        aio_context_release(s->aio_context);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static bool qemu_laio_poll_cb(void *opaque)
         return false;
     }
 
-    aio_context_acquire(s->aio_context);
     qemu_laio_process_completions_and_submit(s);
-    aio_context_release(s->aio_context);
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ void laio_detach_aio_context(LinuxAioState *s, AioContext *old_context)
 {
     aio_set_event_notifier(old_context, &s->e, false, NULL, NULL);
     qemu_bh_delete(s->completion_bh);
+    s->aio_context = NULL;
 }
 
 void laio_attach_aio_context(LinuxAioState *s, AioContext *new_context)
diff --git a/block/nfs.c b/block/nfs.c
index XXXXXXX..XXXXXXX 100644
--- a/block/nfs.c
+++ b/block/nfs.c
@@ -XXX,XX +XXX,XX @@ static void nfs_co_init_task(BlockDriverState *bs, NFSRPC *task)
 static void nfs_co_generic_bh_cb(void *opaque)
 {
     NFSRPC *task = opaque;
+
     task->complete = 1;
-    qemu_coroutine_enter(task->co);
+    aio_co_wake(task->co);
 }
 
 static void
diff --git a/block/null.c b/block/null.c
index XXXXXXX..XXXXXXX 100644
--- a/block/null.c
+++ b/block/null.c
@@ -XXX,XX +XXX,XX @@ static const AIOCBInfo null_aiocb_info = {
 static void null_bh_cb(void *opaque)
 {
     NullAIOCB *acb = opaque;
+    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
+
+    aio_context_acquire(ctx);
     acb->common.cb(acb->common.opaque, 0);
+    aio_context_release(ctx);
     qemu_aio_unref(acb);
 }
 
diff --git a/block/qed.c b/block/qed.c
index XXXXXXX..XXXXXXX 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -XXX,XX +XXX,XX @@ static void qed_update_l2_table(BDRVQEDState *s, QEDTable *table, int index,
 static void qed_aio_complete_bh(void *opaque)
 {
     QEDAIOCB *acb = opaque;
+    BDRVQEDState *s = acb_to_s(acb);
     BlockCompletionFunc *cb = acb->common.cb;
     void *user_opaque = acb->common.opaque;
     int ret = acb->bh_ret;
@@ -XXX,XX +XXX,XX @@ static void qed_aio_complete_bh(void *opaque)
     qemu_aio_unref(acb);
 
     /* Invoke callback */
+    qed_acquire(s);
     cb(user_opaque, ret);
+    qed_release(s);
 }
 
 static void qed_aio_complete(QEDAIOCB *acb, int ret)
diff --git a/block/rbd.c b/block/rbd.c
index XXXXXXX..XXXXXXX 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -XXX,XX +XXX,XX @@ shutdown:
 static void qemu_rbd_complete_aio(RADOSCB *rcb)
 {
     RBDAIOCB *acb = rcb->acb;
+    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
     int64_t r;
 
     r = rcb->ret;
@@ -XXX,XX +XXX,XX @@ static void qemu_rbd_complete_aio(RADOSCB *rcb)
         qemu_iovec_from_buf(acb->qiov, 0, acb->bounce, acb->qiov->size);
     }
     qemu_vfree(acb->bounce);
+
+    aio_context_acquire(ctx);
     acb->common.cb(acb->common.opaque, (acb->ret > 0 ? 0 : acb->ret));
+    aio_context_release(ctx);
 
     qemu_aio_unref(acb);
 }
diff --git a/dma-helpers.c b/dma-helpers.c
index XXXXXXX..XXXXXXX 100644
--- a/dma-helpers.c
+++ b/dma-helpers.c
@@ -XXX,XX +XXX,XX @@ static void dma_blk_cb(void *opaque, int ret)
                                 QEMU_ALIGN_DOWN(dbs->iov.size, dbs->align));
     }
 
+    aio_context_acquire(dbs->ctx);
     dbs->acb = dbs->io_func(dbs->offset, &dbs->iov,
                             dma_blk_cb, dbs, dbs->io_func_opaque);
+    aio_context_release(dbs->ctx);
     assert(dbs->acb);
 }
 
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -XXX,XX +XXX,XX @@ static void virtio_blk_dma_restart_bh(void *opaque)
 
     s->rq = NULL;
 
+    aio_context_acquire(blk_get_aio_context(s->conf.conf.blk));
     while (req) {
         VirtIOBlockReq *next = req->next;
         if (virtio_blk_handle_request(req, &mrb)) {
@@ -XXX,XX +XXX,XX @@ static void virtio_blk_dma_restart_bh(void *opaque)
     if (mrb.num_reqs) {
         virtio_blk_submit_multireq(s->blk, &mrb);
     }
+    aio_context_release(blk_get_aio_context(s->conf.conf.blk));
 }
 
 static void virtio_blk_dma_restart_cb(void *opaque, int running,
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -XXX,XX +XXX,XX @@ static void scsi_dma_restart_bh(void *opaque)
     qemu_bh_delete(s->bh);
     s->bh = NULL;
 
+    aio_context_acquire(blk_get_aio_context(s->conf.blk));
     QTAILQ_FOREACH_SAFE(req, &s->requests, next, next) {
         scsi_req_ref(req);
         if (req->retry) {
@@ -XXX,XX +XXX,XX @@ static void scsi_dma_restart_bh(void *opaque)
         }
         scsi_req_unref(req);
     }
+    aio_context_release(blk_get_aio_context(s->conf.blk));
 }
 
 void scsi_req_retry(SCSIRequest *req)
diff --git a/util/async.c b/util/async.c
index XXXXXXX..XXXXXXX 100644
--- a/util/async.c
+++ b/util/async.c
@@ -XXX,XX +XXX,XX @@ int aio_bh_poll(AioContext *ctx)
                 ret = 1;
             }
             bh->idle = 0;
-            aio_context_acquire(ctx);
             aio_bh_call(bh);
-            aio_context_release(ctx);
         }
         if (bh->deleted) {
             deleted = true;
@@ -XXX,XX +XXX,XX @@ static void co_schedule_bh_cb(void *opaque)
         Coroutine *co = QSLIST_FIRST(&straight);
         QSLIST_REMOVE_HEAD(&straight, co_scheduled_next);
         trace_aio_co_schedule_bh_cb(ctx, co);
+        aio_context_acquire(ctx);
         qemu_coroutine_enter(co);
+        aio_context_release(ctx);
     }
 }
 
diff --git a/util/thread-pool.c b/util/thread-pool.c
index XXXXXXX..XXXXXXX 100644
--- a/util/thread-pool.c
+++ b/util/thread-pool.c
@@ -XXX,XX +XXX,XX @@ static void thread_pool_completion_bh(void *opaque)
     ThreadPool *pool = opaque;
     ThreadPoolElement *elem, *next;
 
+    aio_context_acquire(pool->ctx);
 restart:
     QLIST_FOREACH_SAFE(elem, &pool->head, all, next) {
         if (elem->state != THREAD_DONE) {
@@ -XXX,XX +XXX,XX @@ restart:
             qemu_aio_unref(elem);
         }
     }
+    aio_context_release(pool->ctx);
 }
 
 static void thread_pool_cancel(BlockAIOCB *acb)
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20170213135235.12274-16-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/archipelago.c    |  3 ---
 block/block-backend.c  |  7 -------
 block/curl.c           |  2 +-
 block/io.c             |  6 +-----
 block/iscsi.c          |  3 ---
 block/linux-aio.c      |  5 +----
 block/mirror.c         | 12 +++++++++---
 block/null.c           |  8 --------
 block/qed-cluster.c    |  2 ++
 block/qed-table.c      | 12 ++++++++++--
 block/qed.c            |  4 ++--
 block/rbd.c            |  4 ----
 block/win32-aio.c      |  3 ---
 hw/block/virtio-blk.c  | 12 +++++++++++-
 hw/scsi/scsi-disk.c    | 15 +++++++++++++++
 hw/scsi/scsi-generic.c | 20 +++++++++++++++++---
 util/thread-pool.c     |  4 +++-
 17 files changed, 72 insertions(+), 50 deletions(-)

diff --git a/block/archipelago.c b/block/archipelago.c
index XXXXXXX..XXXXXXX 100644
--- a/block/archipelago.c
+++ b/block/archipelago.c
@@ -XXX,XX +XXX,XX @@ static void qemu_archipelago_complete_aio(void *opaque)
 {
     AIORequestData *reqdata = (AIORequestData *) opaque;
     ArchipelagoAIOCB *aio_cb = (ArchipelagoAIOCB *) reqdata->aio_cb;
-    AioContext *ctx = bdrv_get_aio_context(aio_cb->common.bs);
 
-    aio_context_acquire(ctx);
     aio_cb->common.cb(aio_cb->common.opaque, aio_cb->ret);
-    aio_context_release(ctx);
     aio_cb->status = 0;
 
     qemu_aio_unref(aio_cb);
diff --git a/block/block-backend.c b/block/block-backend.c
index XXXXXXX..XXXXXXX 100644
--- a/block/block-backend.c
+++ b/block/block-backend.c
@@ -XXX,XX +XXX,XX @@ int blk_make_zero(BlockBackend *blk, BdrvRequestFlags flags)
 static void error_callback_bh(void *opaque)
 {
     struct BlockBackendAIOCB *acb = opaque;
-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
 
     bdrv_dec_in_flight(acb->common.bs);
-    aio_context_acquire(ctx);
     acb->common.cb(acb->common.opaque, acb->ret);
-    aio_context_release(ctx);
     qemu_aio_unref(acb);
 }
 
@@ -XXX,XX +XXX,XX @@ static void blk_aio_complete(BlkAioEmAIOCB *acb)
 static void blk_aio_complete_bh(void *opaque)
 {
     BlkAioEmAIOCB *acb = opaque;
-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
-
     assert(acb->has_returned);
-    aio_context_acquire(ctx);
     blk_aio_complete(acb);
-    aio_context_release(ctx);
 }
 
 static BlockAIOCB *blk_aio_prwv(BlockBackend *blk, int64_t offset, int bytes,
diff --git a/block/curl.c b/block/curl.c
index XXXXXXX..XXXXXXX 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -XXX,XX +XXX,XX @@ static void curl_readv_bh_cb(void *p)
     curl_multi_socket_action(s->multi, CURL_SOCKET_TIMEOUT, 0, &running);
 
 out:
+    aio_context_release(ctx);
     if (ret != -EINPROGRESS) {
         acb->common.cb(acb->common.opaque, ret);
         qemu_aio_unref(acb);
     }
-    aio_context_release(ctx);
 }
 
 static BlockAIOCB *curl_aio_readv(BlockDriverState *bs,
diff --git a/block/io.c b/block/io.c
index XXXXXXX..XXXXXXX 100644
--- a/block/io.c
+++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ static void bdrv_co_io_em_complete(void *opaque, int ret)
     CoroutineIOCompletion *co = opaque;
 
     co->ret = ret;
-    qemu_coroutine_enter(co->coroutine);
+    aio_co_wake(co->coroutine);
 }
 
 static int coroutine_fn bdrv_driver_preadv(BlockDriverState *bs,
@@ -XXX,XX +XXX,XX @@ static void bdrv_co_complete(BlockAIOCBCoroutine *acb)
 static void bdrv_co_em_bh(void *opaque)
 {
     BlockAIOCBCoroutine *acb = opaque;
-    BlockDriverState *bs = acb->common.bs;
-    AioContext *ctx = bdrv_get_aio_context(bs);
 
     assert(!acb->need_bh);
-    aio_context_acquire(ctx);
     bdrv_co_complete(acb);
-    aio_context_release(ctx);
 }
 
 static void bdrv_co_maybe_schedule_bh(BlockAIOCBCoroutine *acb)
diff --git a/block/iscsi.c b/block/iscsi.c
index XXXXXXX..XXXXXXX 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -XXX,XX +XXX,XX @@ static void
 iscsi_bh_cb(void *p)
 {
     IscsiAIOCB *acb = p;
-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
 
     qemu_bh_delete(acb->bh);
 
     g_free(acb->buf);
     acb->buf = NULL;
 
-    aio_context_acquire(ctx);
     acb->common.cb(acb->common.opaque, acb->status);
-    aio_context_release(ctx);
 
     if (acb->task != NULL) {
         scsi_free_scsi_task(acb->task);
diff --git a/block/linux-aio.c b/block/linux-aio.c
index XXXXXXX..XXXXXXX 100644
--- a/block/linux-aio.c
+++ b/block/linux-aio.c
@@ -XXX,XX +XXX,XX @@ static inline ssize_t io_event_ret(struct io_event *ev)
  */
 static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
 {
-    LinuxAioState *s = laiocb->ctx;
     int ret;
 
     ret = laiocb->ret;
@@ -XXX,XX +XXX,XX @@ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
     }
 
     laiocb->ret = ret;
-    aio_context_acquire(s->aio_context);
     if (laiocb->co) {
         /* If the coroutine is already entered it must be in ioq_submit() and
          * will notice laio->ret has been filled in when it eventually runs
@@ -XXX,XX +XXX,XX @@ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb)
          * that!
          */
         if (!qemu_coroutine_entered(laiocb->co)) {
-            qemu_coroutine_enter(laiocb->co);
+            aio_co_wake(laiocb->co);
         }
     } else {
         laiocb->common.cb(laiocb->common.opaque, ret);
         qemu_aio_unref(laiocb);
     }
-    aio_context_release(s->aio_context);
 }
 
 /**
diff --git a/block/mirror.c b/block/mirror.c
index XXXXXXX..XXXXXXX 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -XXX,XX +XXX,XX @@ static void mirror_write_complete(void *opaque, int ret)
 {
     MirrorOp *op = opaque;
     MirrorBlockJob *s = op->s;
+
+    aio_context_acquire(blk_get_aio_context(s->common.blk));
     if (ret < 0) {
         BlockErrorAction action;
 
@@ -XXX,XX +XXX,XX @@ static void mirror_write_complete(void *opaque, int ret)
         }
     }
     mirror_iteration_done(op, ret);
+    aio_context_release(blk_get_aio_context(s->common.blk));
 }
 
 static void mirror_read_complete(void *opaque, int ret)
 {
     MirrorOp *op = opaque;
     MirrorBlockJob *s = op->s;
+
+    aio_context_acquire(blk_get_aio_context(s->common.blk));
     if (ret < 0) {
         BlockErrorAction action;
 
@@ -XXX,XX +XXX,XX @@ static void mirror_read_complete(void *opaque, int ret)
         }
 
         mirror_iteration_done(op, ret);
-        return;
+    } else {
+        blk_aio_pwritev(s->target, op->sector_num * BDRV_SECTOR_SIZE, &op->qiov,
+                        0, mirror_write_complete, op);
     }
-    blk_aio_pwritev(s->target, op->sector_num * BDRV_SECTOR_SIZE, &op->qiov,
-                    0, mirror_write_complete, op);
+    aio_context_release(blk_get_aio_context(s->common.blk));
 }
 
 static inline void mirror_clip_sectors(MirrorBlockJob *s,
diff --git a/block/null.c b/block/null.c
index XXXXXXX..XXXXXXX 100644
--- a/block/null.c
+++ b/block/null.c
@@ -XXX,XX +XXX,XX @@ static const AIOCBInfo null_aiocb_info = {
 static void null_bh_cb(void *opaque)
 {
     NullAIOCB *acb = opaque;
-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
-
-    aio_context_acquire(ctx);
     acb->common.cb(acb->common.opaque, 0);
-    aio_context_release(ctx);
     qemu_aio_unref(acb);
 }
 
 static void null_timer_cb(void *opaque)
 {
     NullAIOCB *acb = opaque;
-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
-
-    aio_context_acquire(ctx);
     acb->common.cb(acb->common.opaque, 0);
-    aio_context_release(ctx);
     timer_deinit(&acb->timer);
     qemu_aio_unref(acb);
 }
diff --git a/block/qed-cluster.c b/block/qed-cluster.c
index XXXXXXX..XXXXXXX 100644
--- a/block/qed-cluster.c
+++ b/block/qed-cluster.c
@@ -XXX,XX +XXX,XX @@ static void qed_find_cluster_cb(void *opaque, int ret)
     unsigned int index;
     unsigned int n;
 
+    qed_acquire(s);
     if (ret) {
         goto out;
     }
@@ -XXX,XX +XXX,XX @@ static void qed_find_cluster_cb(void *opaque, int ret)
 
 out:
     find_cluster_cb->cb(find_cluster_cb->opaque, ret, offset, len);
+    qed_release(s);
     g_free(find_cluster_cb);
 }
 
diff --git a/block/qed-table.c b/block/qed-table.c
index XXXXXXX..XXXXXXX 100644
--- a/block/qed-table.c
+++ b/block/qed-table.c
@@ -XXX,XX +XXX,XX @@ static void qed_read_table_cb(void *opaque, int ret)
 {
     QEDReadTableCB *read_table_cb = opaque;
     QEDTable *table = read_table_cb->table;
+    BDRVQEDState *s = read_table_cb->s;
     int noffsets = read_table_cb->qiov.size / sizeof(uint64_t);
     int i;
 
@@ -XXX,XX +XXX,XX @@ static void qed_read_table_cb(void *opaque, int ret)
     }
 
     /* Byteswap offsets */
+    qed_acquire(s);
     for (i = 0; i < noffsets; i++) {
         table->offsets[i] = le64_to_cpu(table->offsets[i]);
     }
+    qed_release(s);
 
 out:
     /* Completion */
-    trace_qed_read_table_cb(read_table_cb->s, read_table_cb->table, ret);
+    trace_qed_read_table_cb(s, read_table_cb->table, ret);
     gencb_complete(&read_table_cb->gencb, ret);
 }
 
@@ -XXX,XX +XXX,XX @@ typedef struct {
 static void qed_write_table_cb(void *opaque, int ret)
 {
     QEDWriteTableCB *write_table_cb = opaque;
+    BDRVQEDState *s = write_table_cb->s;
 
-    trace_qed_write_table_cb(write_table_cb->s,
+    trace_qed_write_table_cb(s,
                              write_table_cb->orig_table,
                              write_table_cb->flush,
                              ret);
@@ -XXX,XX +XXX,XX @@ static void qed_write_table_cb(void *opaque, int ret)
     if (write_table_cb->flush) {
         /* We still need to flush first */
         write_table_cb->flush = false;
+        qed_acquire(s);
         bdrv_aio_flush(write_table_cb->s->bs, qed_write_table_cb,
                        write_table_cb);
+        qed_release(s);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void qed_read_l2_table_cb(void *opaque, int ret)
     CachedL2Table *l2_table = request->l2_table;
     uint64_t l2_offset = read_l2_table_cb->l2_offset;
 
+    qed_acquire(s);
     if (ret) {
         /* can't trust loaded L2 table anymore */
         qed_unref_l2_cache_entry(l2_table);
@@ -XXX,XX +XXX,XX @@ static void qed_read_l2_table_cb(void *opaque, int ret)
         request->l2_table = qed_find_l2_cache_entry(&s->l2_cache, l2_offset);
         assert(request->l2_table != NULL);
     }
+    qed_release(s);
 
     gencb_complete(&read_l2_table_cb->gencb, ret);
 }
diff --git a/block/qed.c b/block/qed.c
index XXXXXXX..XXXXXXX 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -XXX,XX +XXX,XX @@ static void qed_is_allocated_cb(void *opaque, int ret, uint64_t offset, size_t l
     }
 
     if (cb->co) {
-        qemu_coroutine_enter(cb->co);
+        aio_co_wake(cb->co);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn qed_co_pwrite_zeroes_cb(void *opaque, int ret)
     cb->done = true;
     cb->ret = ret;
     if (cb->co) {
-        qemu_coroutine_enter(cb->co);
+        aio_co_wake(cb->co);
     }
 }
 
diff --git a/block/rbd.c b/block/rbd.c
index XXXXXXX..XXXXXXX 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -XXX,XX +XXX,XX @@ shutdown:
 static void qemu_rbd_complete_aio(RADOSCB *rcb)
 {
     RBDAIOCB *acb = rcb->acb;
-    AioContext *ctx = bdrv_get_aio_context(acb->common.bs);
     int64_t r;
 
     r = rcb->ret;
@@ -XXX,XX +XXX,XX @@ static void qemu_rbd_complete_aio(RADOSCB *rcb)
         qemu_iovec_from_buf(acb->qiov, 0, acb->bounce, acb->qiov->size);
     }
     qemu_vfree(acb->bounce);
-
-    aio_context_acquire(ctx);
     acb->common.cb(acb->common.opaque, (acb->ret > 0 ? 0 : acb->ret));
-    aio_context_release(ctx);
 
     qemu_aio_unref(acb);
 }
diff --git a/block/win32-aio.c b/block/win32-aio.c
index XXXXXXX..XXXXXXX 100644
--- a/block/win32-aio.c
+++ b/block/win32-aio.c
@@ -XXX,XX +XXX,XX @@ static void win32_aio_process_completion(QEMUWin32AIOState *s,
         qemu_vfree(waiocb->buf);
     }
 
-
-    aio_context_acquire(s->aio_ctx);
     waiocb->common.cb(waiocb->common.opaque, ret);
-    aio_context_release(s->aio_ctx);
     qemu_aio_unref(waiocb);
 }
 
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -XXX,XX +XXX,XX @@ static int virtio_blk_handle_rw_error(VirtIOBlockReq *req, int error,
 static void virtio_blk_rw_complete(void *opaque, int ret)
 {
     VirtIOBlockReq *next = opaque;
+    VirtIOBlock *s = next->dev;
 
+    aio_context_acquire(blk_get_aio_context(s->conf.conf.blk));
     while (next) {
         VirtIOBlockReq *req = next;
         next = req->mr_next;
@@ -XXX,XX +XXX,XX @@ static void virtio_blk_rw_complete(void *opaque, int ret)
         block_acct_done(blk_get_stats(req->dev->blk), &req->acct);
         virtio_blk_free_request(req);
     }
+    aio_context_release(blk_get_aio_context(s->conf.conf.blk));
 }
 
 static void virtio_blk_flush_complete(void *opaque, int ret)
 {
     VirtIOBlockReq *req = opaque;
+    VirtIOBlock *s = req->dev;
 
+    aio_context_acquire(blk_get_aio_context(s->conf.conf.blk));
     if (ret) {
         if (virtio_blk_handle_rw_error(req, -ret, 0)) {
-            return;
+            goto out;
         }
     }
 
     virtio_blk_req_complete(req, VIRTIO_BLK_S_OK);
     block_acct_done(blk_get_stats(req->dev->blk), &req->acct);
     virtio_blk_free_request(req);
+
+out:
+    aio_context_release(blk_get_aio_context(s->conf.conf.blk));
 }
 
 #ifdef __linux__
@@ -XXX,XX +XXX,XX @@ static void virtio_blk_ioctl_complete(void *opaque, int status)
     virtio_stl_p(vdev, &scsi->data_len, hdr->dxfer_len);
 
 out:
+    aio_context_acquire(blk_get_aio_context(s->conf.conf.blk));
     virtio_blk_req_complete(req, status);
     virtio_blk_free_request(req);
+    aio_context_release(blk_get_aio_context(s->conf.conf.blk));
     g_free(ioctl_req);
 }
 
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -XXX,XX +XXX,XX @@ static void scsi_aio_complete(void *opaque, int ret)
 
     assert(r->req.aiocb != NULL);
     r->req.aiocb = NULL;
+    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
     if (scsi_disk_req_check_error(r, ret, true)) {
         goto done;
     }
@@ -XXX,XX +XXX,XX @@ static void scsi_aio_complete(void *opaque, int ret)
     scsi_req_complete(&r->req, GOOD);
 
 done:
+    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
     scsi_req_unref(&r->req);
 }
 
@@ -XXX,XX +XXX,XX @@ static void scsi_dma_complete(void *opaque, int ret)
     assert(r->req.aiocb != NULL);
     r->req.aiocb = NULL;
 
+    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
     if (ret < 0) {
         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
     } else {
         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
     }
     scsi_dma_complete_noio(r, ret);
+    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
 }
 
 static void scsi_read_complete(void * opaque, int ret)
@@ -XXX,XX +XXX,XX @@ static void scsi_read_complete(void * opaque, int ret)
 
     assert(r->req.aiocb != NULL);
     r->req.aiocb = NULL;
+    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
     if (scsi_disk_req_check_error(r, ret, true)) {
         goto done;
     }
@@ -XXX,XX +XXX,XX @@ static void scsi_read_complete(void * opaque, int ret)
 
 done:
     scsi_req_unref(&r->req);
+    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
 }
 
 /* Actually issue a read to the block device.  */
@@ -XXX,XX +XXX,XX @@ static void scsi_do_read_cb(void *opaque, int ret)
     assert (r->req.aiocb != NULL);
     r->req.aiocb = NULL;
 
+    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
     if (ret < 0) {
         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
     } else {
         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
     }
     scsi_do_read(opaque, ret);
+    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
 }
 
 /* Read more data from scsi device into buffer.  */
@@ -XXX,XX +XXX,XX @@ static void scsi_write_complete(void * opaque, int ret)
     assert (r->req.aiocb != NULL);
     r->req.aiocb = NULL;
 
+    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
     if (ret < 0) {
         block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
     } else {
         block_acct_done(blk_get_stats(s->qdev.conf.blk), &r->acct);
     }
     scsi_write_complete_noio(r, ret);
+    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
 }
 
 static void scsi_write_data(SCSIRequest *req)
@@ -XXX,XX +XXX,XX @@ static void scsi_unmap_complete(void *opaque, int ret)
 {
     UnmapCBData *data = opaque;
     SCSIDiskReq *r = data->r;
+    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
 
     assert(r->req.aiocb != NULL);
     r->req.aiocb = NULL;
 
+    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
     scsi_unmap_complete_noio(data, ret);
+    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
 }
 
 static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
@@ -XXX,XX +XXX,XX @@ static void scsi_write_same_complete(void *opaque, int ret)
 
     assert(r->req.aiocb != NULL);
     r->req.aiocb = NULL;
+    aio_context_acquire(blk_get_aio_context(s->qdev.conf.blk));
     if (scsi_disk_req_check_error(r, ret, true)) {
         goto done;
     }
@@ -XXX,XX +XXX,XX @@ done:
     scsi_req_unref(&r->req);
     qemu_vfree(data->iov.iov_base);
     g_free(data);
+    aio_context_release(blk_get_aio_context(s->qdev.conf.blk));
 }
 
 static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -XXX,XX +XXX,XX @@ done:
 static void scsi_command_complete(void *opaque, int ret)
 {
     SCSIGenericReq *r = (SCSIGenericReq *)opaque;
+    SCSIDevice *s = r->req.dev;
 
     assert(r->req.aiocb != NULL);
     r->req.aiocb = NULL;
+
+    aio_context_acquire(blk_get_aio_context(s->conf.blk));
     scsi_command_complete_noio(r, ret);
+    aio_context_release(blk_get_aio_context(s->conf.blk));
 }
 
 static int execute_command(BlockBackend *blk,
@@ -XXX,XX +XXX,XX @@ static void scsi_read_complete(void * opaque, int ret)
     assert(r->req.aiocb != NULL);
     r->req.aiocb = NULL;
 
+    aio_context_acquire(blk_get_aio_context(s->conf.blk));
+
     if (ret || r->req.io_canceled) {
         scsi_command_complete_noio(r, ret);
-        return;
+        goto done;
     }
 
     len = r->io_header.dxfer_len - r->io_header.resid;
@@ -XXX,XX +XXX,XX @@ static void scsi_read_complete(void * opaque, int ret)
     r->len = -1;
     if (len == 0) {
         scsi_command_complete_noio(r, 0);
-        return;
+        goto done;
     }
 
     /* Snoop READ CAPACITY output to set the blocksize.  */
@@ -XXX,XX +XXX,XX @@ static void scsi_read_complete(void * opaque, int ret)
     }
     scsi_req_data(&r->req, len);
     scsi_req_unref(&r->req);
+
+done:
+    aio_context_release(blk_get_aio_context(s->conf.blk));
 }
 
 /* Read more data from scsi device into buffer.  */
@@ -XXX,XX +XXX,XX @@ static void scsi_write_complete(void * opaque, int ret)
     assert(r->req.aiocb != NULL);
     r->req.aiocb = NULL;
 
+    aio_context_acquire(blk_get_aio_context(s->conf.blk));
+
     if (ret || r->req.io_canceled) {
         scsi_command_complete_noio(r, ret);
-        return;
+        goto done;
     }
 
     if (r->req.cmd.buf[0] == MODE_SELECT && r->req.cmd.buf[4] == 12 &&
@@ -XXX,XX +XXX,XX @@ static void scsi_write_complete(void * opaque, int ret)
     }
 
     scsi_command_complete_noio(r, ret);
+
+done:
+    aio_context_release(blk_get_aio_context(s->conf.blk));
 }
 
 /* Write data to a scsi device.  Returns nonzero on failure.
diff --git a/util/thread-pool.c b/util/thread-pool.c
index XXXXXXX..XXXXXXX 100644
--- a/util/thread-pool.c
+++ b/util/thread-pool.c
@@ -XXX,XX +XXX,XX @@ restart:
              */
             qemu_bh_schedule(pool->completion_bh);
 
+            aio_context_release(pool->ctx);
             elem->common.cb(elem->common.opaque, elem->ret);
+            aio_context_acquire(pool->ctx);
             qemu_aio_unref(elem);
             goto restart;
         } else {
@@ -XXX,XX +XXX,XX @@ static void thread_pool_co_cb(void *opaque, int ret)
     ThreadPoolCo *co = opaque;
 
     co->ret = ret;
-    qemu_coroutine_enter(co->co);
+    aio_co_wake(co->co);
 }
 
 int coroutine_fn thread_pool_submit_co(ThreadPool *pool, ThreadPoolFunc *func,
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

This patch prepares for the removal of unnecessary lockcnt inc/dec pairs.
Extract the dispatching loop for file descriptor handlers into a new
function aio_dispatch_handlers, and then inline aio_dispatch into
aio_poll.

aio_dispatch can now become void.

diff --git a/include/block/aio.h b/include/block/aio.h
index XXXXXXX..XXXXXXX 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -XXX,XX +XXX,XX @@ bool aio_pending(AioContext *ctx);
 /* Dispatch any pending callbacks from the GSource attached to the AioContext.
  *
  * This is used internally in the implementation of the GSource.
- *
- * @dispatch_fds: true to process fds, false to skip them
- *                (can be used as an optimization by callers that know there
- *                are no fds ready)
  */
-bool aio_dispatch(AioContext *ctx, bool dispatch_fds);
+void aio_dispatch(AioContext *ctx);
 
 /* Progress in completing AIO work to occur.  This can issue new pending
  * aio as a result of executing I/O completion or bh callbacks.
diff --git a/util/aio-posix.c b/util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
     AioHandler *node, *tmp;
     bool progress = false;
 
-    /*
-     * We have to walk very carefully in case aio_set_fd_handler is
-     * called while we're walking.
-     */
-    qemu_lockcnt_inc(&ctx->list_lock);
-
     QLIST_FOREACH_SAFE_RCU(node, &ctx->aio_handlers, node, tmp) {
         int revents;
 
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
         }
     }
 
-    qemu_lockcnt_dec(&ctx->list_lock);
     return progress;
 }
 
-/*
- * Note that dispatch_fds == false has the side-effect of post-poning the
- * freeing of deleted handlers.
- */
-bool aio_dispatch(AioContext *ctx, bool dispatch_fds)
+void aio_dispatch(AioContext *ctx)
 {
-    bool progress;
+    aio_bh_poll(ctx);
 
-    /*
-     * If there are callbacks left that have been queued, we need to call them.
-     * Do not call select in this case, because it is possible that the caller
-     * does not need a complete flush (as is the case for aio_poll loops).
-     */
-    progress = aio_bh_poll(ctx);
+    qemu_lockcnt_inc(&ctx->list_lock);
+    aio_dispatch_handlers(ctx);
+    qemu_lockcnt_dec(&ctx->list_lock);
 
-    if (dispatch_fds) {
-        progress |= aio_dispatch_handlers(ctx);
-    }
-
-    /* Run our timers */
-    progress |= timerlistgroup_run_timers(&ctx->tlg);
-
-    return progress;
+    timerlistgroup_run_timers(&ctx->tlg);
 }
 
 /* These thread-local variables are used only in a small part of aio_poll
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
     npfd = 0;
     qemu_lockcnt_dec(&ctx->list_lock);
 
-    /* Run dispatch even if there were no readable fds to run timers */
-    if (aio_dispatch(ctx, ret > 0)) {
-        progress = true;
+    progress |= aio_bh_poll(ctx);
+
+    if (ret > 0) {
+        qemu_lockcnt_inc(&ctx->list_lock);
+        progress |= aio_dispatch_handlers(ctx);
+        qemu_lockcnt_dec(&ctx->list_lock);
     }
 
+    progress |= timerlistgroup_run_timers(&ctx->tlg);
+
     return progress;
 }
 
diff --git a/util/aio-win32.c b/util/aio-win32.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-win32.c
+++ b/util/aio-win32.c
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
     return progress;
 }
 
-bool aio_dispatch(AioContext *ctx, bool dispatch_fds)
+void aio_dispatch(AioContext *ctx)
 {
-    bool progress;
-
-    progress = aio_bh_poll(ctx);
-    if (dispatch_fds) {
-        progress |= aio_dispatch_handlers(ctx, INVALID_HANDLE_VALUE);
-    }
-    progress |= timerlistgroup_run_timers(&ctx->tlg);
-    return progress;
+    aio_bh_poll(ctx);
+    aio_dispatch_handlers(ctx, INVALID_HANDLE_VALUE);
+    timerlistgroup_run_timers(&ctx->tlg);
 }
 
 bool aio_poll(AioContext *ctx, bool blocking)
diff --git a/util/async.c b/util/async.c
index XXXXXXX..XXXXXXX 100644
--- a/util/async.c
+++ b/util/async.c
@@ -XXX,XX +XXX,XX @@ aio_ctx_dispatch(GSource     *source,
     AioContext *ctx = (AioContext *) source;
 
     assert(callback == NULL);
-    aio_dispatch(ctx, true);
+    aio_dispatch(ctx);
     return true;
 }
 
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

Pull the increment/decrement pair out of aio_bh_poll and into the
callers.

diff --git a/util/aio-posix.c b/util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx)
 
 void aio_dispatch(AioContext *ctx)
 {
+    qemu_lockcnt_inc(&ctx->list_lock);
     aio_bh_poll(ctx);
-
-    qemu_lockcnt_inc(&ctx->list_lock);
     aio_dispatch_handlers(ctx);
     qemu_lockcnt_dec(&ctx->list_lock);
 
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
     }
 
     npfd = 0;
-    qemu_lockcnt_dec(&ctx->list_lock);
 
     progress |= aio_bh_poll(ctx);
 
     if (ret > 0) {
-        qemu_lockcnt_inc(&ctx->list_lock);
         progress |= aio_dispatch_handlers(ctx);
-        qemu_lockcnt_dec(&ctx->list_lock);
     }
 
+    qemu_lockcnt_dec(&ctx->list_lock);
+
     progress |= timerlistgroup_run_timers(&ctx->tlg);
 
     return progress;
diff --git a/util/aio-win32.c b/util/aio-win32.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-win32.c
+++ b/util/aio-win32.c
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
     bool progress = false;
     AioHandler *tmp;
 
-    qemu_lockcnt_inc(&ctx->list_lock);
-
     /*
      * We have to walk very carefully in case aio_set_fd_handler is
      * called while we're walking.
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handlers(AioContext *ctx, HANDLE event)
         }
     }
 
-    qemu_lockcnt_dec(&ctx->list_lock);
     return progress;
 }
 
 void aio_dispatch(AioContext *ctx)
 {
+    qemu_lockcnt_inc(&ctx->list_lock);
     aio_bh_poll(ctx);
     aio_dispatch_handlers(ctx, INVALID_HANDLE_VALUE);
+    qemu_lockcnt_dec(&ctx->list_lock);
     timerlistgroup_run_timers(&ctx->tlg);
 }
 
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         }
     }
 
-    qemu_lockcnt_dec(&ctx->list_lock);
     first = true;
 
     /* ctx->notifier is always registered.  */
@@ -XXX,XX +XXX,XX @@ bool aio_poll(AioContext *ctx, bool blocking)
         progress |= aio_dispatch_handlers(ctx, event);
     } while (count > 0);
 
+    qemu_lockcnt_dec(&ctx->list_lock);
+
     progress |= timerlistgroup_run_timers(&ctx->tlg);
     return progress;
 }
diff --git a/util/async.c b/util/async.c
index XXXXXXX..XXXXXXX 100644
--- a/util/async.c
+++ b/util/async.c
@@ -XXX,XX +XXX,XX @@ void aio_bh_call(QEMUBH *bh)
     bh->cb(bh->opaque);
 }
 
-/* Multiple occurrences of aio_bh_poll cannot be called concurrently */
+/* Multiple occurrences of aio_bh_poll cannot be called concurrently.
+ * The count in ctx->list_lock is incremented before the call, and is
+ * not affected by the call.
+ */
 int aio_bh_poll(AioContext *ctx)
 {
     QEMUBH *bh, **bhp, *next;
     int ret;
     bool deleted = false;
 
-    qemu_lockcnt_inc(&ctx->list_lock);
-
     ret = 0;
     for (bh = atomic_rcu_read(&ctx->first_bh); bh; bh = next) {
         next = atomic_rcu_read(&bh->next);
@@ -XXX,XX +XXX,XX @@ int aio_bh_poll(AioContext *ctx)
 
     /* remove deleted bhs */
     if (!deleted) {
-        qemu_lockcnt_dec(&ctx->list_lock);
         return ret;
     }
 
-    if (qemu_lockcnt_dec_and_lock(&ctx->list_lock)) {
+    if (qemu_lockcnt_dec_if_lock(&ctx->list_lock)) {
         bhp = &ctx->first_bh;
         while (*bhp) {
             bh = *bhp;
@@ -XXX,XX +XXX,XX @@ int aio_bh_poll(AioContext *ctx)
                 bhp = &bh->next;
             }
         }
-        qemu_lockcnt_unlock(&ctx->list_lock);
+        qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
     }
     return ret;
 }
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/include/block/block_int.h b/include/block/block_int.h
index XXXXXXX..XXXXXXX 100644
--- a/include/block/block_int.h
+++ b/include/block/block_int.h
@@ -XXX,XX +XXX,XX @@ struct BdrvChild {
  * copied as well.
  */
 struct BlockDriverState {
-    int64_t total_sectors; /* if we are reading a disk image, give its
-                              size in sectors */
+    /* Protected by big QEMU lock or read-only after opening.  No special
+     * locking needed during I/O...
+     */
     int open_flags; /* flags used to open the file, re-used for re-open */
     bool read_only; /* if true, the media is read only */
     bool encrypted; /* if true, the media is encrypted */
@@ -XXX,XX +XXX,XX @@ struct BlockDriverState {
     bool sg;        /* if true, the device is a /dev/sg* */
     bool probed;    /* if true, format was probed rather than specified */
 
-    int copy_on_read; /* if nonzero, copy read backing sectors into image.
-                         note this is a reference count */
-
-    CoQueue flush_queue;            /* Serializing flush queue */
-    bool active_flush_req;          /* Flush request in flight? */
-    unsigned int write_gen;         /* Current data generation */
-    unsigned int flushed_gen;       /* Flushed write generation */
-
     BlockDriver *drv; /* NULL means no media */
     void *opaque;
 
@@ -XXX,XX +XXX,XX @@ struct BlockDriverState {
     BdrvChild *backing;
     BdrvChild *file;
 
-    /* Callback before write request is processed */
-    NotifierWithReturnList before_write_notifiers;
-
-    /* number of in-flight requests; overall and serialising */
-    unsigned int in_flight;
-    unsigned int serialising_in_flight;
-
-    bool wakeup;
-
-    /* Offset after the highest byte written to */
-    uint64_t wr_highest_offset;
-
     /* I/O Limits */
     BlockLimits bl;
 
@@ -XXX,XX +XXX,XX @@ struct BlockDriverState {
     QTAILQ_ENTRY(BlockDriverState) bs_list;
     /* element of the list of monitor-owned BDS */
     QTAILQ_ENTRY(BlockDriverState) monitor_list;
-    QLIST_HEAD(, BdrvDirtyBitmap) dirty_bitmaps;
     int refcnt;
 
-    QLIST_HEAD(, BdrvTrackedRequest) tracked_requests;
-
     /* operation blockers */
     QLIST_HEAD(, BdrvOpBlocker) op_blockers[BLOCK_OP_TYPE_MAX];
 
@@ -XXX,XX +XXX,XX @@ struct BlockDriverState {
     /* The error object in use for blocking operations on backing_hd */
     Error *backing_blocker;
 
+    /* Protected by AioContext lock */
+
+    /* If true, copy read backing sectors into image.  Can be >1 if more
+     * than one client has requested copy-on-read.
+     */
+    int copy_on_read;
+
+    /* If we are reading a disk image, give its size in sectors.
+     * Generally read-only; it is written to by load_vmstate and save_vmstate,
+     * but the block layer is quiescent during those.
+     */
+    int64_t total_sectors;
+
+    /* Callback before write request is processed */
+    NotifierWithReturnList before_write_notifiers;
+
+    /* number of in-flight requests; overall and serialising */
+    unsigned int in_flight;
+    unsigned int serialising_in_flight;
+
+    bool wakeup;
+
+    /* Offset after the highest byte written to */
+    uint64_t wr_highest_offset;
+
     /* threshold limit for writes, in bytes. "High water mark". */
     uint64_t write_threshold_offset;
     NotifierWithReturn write_threshold_notifier;
@@ -XXX,XX +XXX,XX @@ struct BlockDriverState {
     /* counter for nested bdrv_io_plug */
     unsigned io_plugged;
 
+    QLIST_HEAD(, BdrvTrackedRequest) tracked_requests;
+    CoQueue flush_queue;                  /* Serializing flush queue */
+    bool active_flush_req;                /* Flush request in flight? */
+    unsigned int write_gen;               /* Current data generation */
+    unsigned int flushed_gen;             /* Flushed write generation */
+
+    QLIST_HEAD(, BdrvDirtyBitmap) dirty_bitmaps;
+
+    /* do we need to tell the quest if we have a volatile write cache? */
+    int enable_write_cache;
+
     int quiesce_counter;
 };
 
diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/block-backend.h
+++ b/include/sysemu/block-backend.h
@@ -XXX,XX +XXX,XX @@ typedef struct BlockDevOps {
  * fields that must be public. This is in particular for QLIST_ENTRY() and
  * friends so that BlockBackends can be kept in lists outside block-backend.c */
 typedef struct BlockBackendPublic {
-    /* I/O throttling.
-     * throttle_state tells us if this BlockBackend has I/O limits configured.
-     * io_limits_disabled tells us if they are currently being enforced */
+    /* I/O throttling has its own locking, but also some fields are
+     * protected by the AioContext lock.
+     */
+
+    /* Protected by AioContext lock.  */
     CoQueue      throttled_reqs[2];
+
+    /* Nonzero if the I/O limits are currently being ignored; generally
+     * it is zero.  */
     unsigned int io_limits_disabled;
 
     /* The following fields are protected by the ThrottleGroup lock.
-     * See the ThrottleGroup documentation for details. */
+     * See the ThrottleGroup documentation for details.
+     * throttle_state tells us if I/O limits are configured. */
     ThrottleState *throttle_state;
     ThrottleTimers throttle_timers;
     unsigned       pending_reqs[2];
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

This uses the lock-free mutex described in the paper '"Blocking without
Locking", or LFTHREADS: A lock-free thread library' by Gidenstam and
Papatriantafilou.  The same technique is used in OSv, and in fact
the code is essentially a conversion to C of OSv's code.

[Added missing coroutine_fn in tests/test-aio-multithread.c.
--Stefan]

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213181244.16297-2-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/qemu/coroutine.h     |  17 ++++-
 tests/test-aio-multithread.c |  86 ++++++++++++++++++++++++
 util/qemu-coroutine-lock.c   | 155 ++++++++++++++++++++++++++++++++++++++++---
 util/trace-events            |   1 +
 4 files changed, 246 insertions(+), 13 deletions(-)

diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/coroutine.h
+++ b/include/qemu/coroutine.h
@@ -XXX,XX +XXX,XX @@ bool qemu_co_queue_empty(CoQueue *queue);
 /**
  * Provides a mutex that can be used to synchronise coroutines
  */
+struct CoWaitRecord;
 typedef struct CoMutex {
-    bool locked;
+    /* Count of pending lockers; 0 for a free mutex, 1 for an
+     * uncontended mutex.
+     */
+    unsigned locked;
+
+    /* A queue of waiters.  Elements are added atomically in front of
+     * from_push.  to_pop is only populated, and popped from, by whoever
+     * is in charge of the next wakeup.  This can be an unlocker or,
+     * through the handoff protocol, a locker that is about to go to sleep.
+     */
+    QSLIST_HEAD(, CoWaitRecord) from_push, to_pop;
+
+    unsigned handoff, sequence;
+
     Coroutine *holder;
-    CoQueue queue;
 } CoMutex;
 
 /**
diff --git a/tests/test-aio-multithread.c b/tests/test-aio-multithread.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/test-aio-multithread.c
+++ b/tests/test-aio-multithread.c
@@ -XXX,XX +XXX,XX @@ static void test_multi_co_schedule_10(void)
     test_multi_co_schedule(10);
 }
 
+/* CoMutex thread-safety.  */
+
+static uint32_t atomic_counter;
+static uint32_t running;
+static uint32_t counter;
+static CoMutex comutex;
+
+static void coroutine_fn test_multi_co_mutex_entry(void *opaque)
+{
+    while (!atomic_mb_read(&now_stopping)) {
+        qemu_co_mutex_lock(&comutex);
+        counter++;
+        qemu_co_mutex_unlock(&comutex);
+
+        /* Increase atomic_counter *after* releasing the mutex.  Otherwise
+         * there is a chance (it happens about 1 in 3 runs) that the iothread
+         * exits before the coroutine is woken up, causing a spurious
+         * assertion failure.
+         */
+        atomic_inc(&atomic_counter);
+    }
+    atomic_dec(&running);
+}
+
+static void test_multi_co_mutex(int threads, int seconds)
+{
+    int i;
+
+    qemu_co_mutex_init(&comutex);
+    counter = 0;
+    atomic_counter = 0;
+    now_stopping = false;
+
+    create_aio_contexts();
+    assert(threads <= NUM_CONTEXTS);
+    running = threads;
+    for (i = 0; i < threads; i++) {
+        Coroutine *co1 = qemu_coroutine_create(test_multi_co_mutex_entry, NULL);
+        aio_co_schedule(ctx[i], co1);
+    }
+
+    g_usleep(seconds * 1000000);
+
+    atomic_mb_set(&now_stopping, true);
+    while (running > 0) {
+        g_usleep(100000);
+    }
+
+    join_aio_contexts();
+    g_test_message("%d iterations/second\n", counter / seconds);
+    g_assert_cmpint(counter, ==, atomic_counter);
+}
+
+/* Testing with NUM_CONTEXTS threads focuses on the queue.  The mutex however
+ * is too contended (and the threads spend too much time in aio_poll)
+ * to actually stress the handoff protocol.
+ */
+static void test_multi_co_mutex_1(void)
+{
+    test_multi_co_mutex(NUM_CONTEXTS, 1);
+}
+
+static void test_multi_co_mutex_10(void)
+{
+    test_multi_co_mutex(NUM_CONTEXTS, 10);
+}
+
+/* Testing with fewer threads stresses the handoff protocol too.  Still, the
+ * case where the locker _can_ pick up a handoff is very rare, happening
+ * about 10 times in 1 million, so increase the runtime a bit compared to
+ * other "quick" testcases that only run for 1 second.
+ */
+static void test_multi_co_mutex_2_3(void)
+{
+    test_multi_co_mutex(2, 3);
+}
+
+static void test_multi_co_mutex_2_30(void)
+{
+    test_multi_co_mutex(2, 30);
+}
+
 /* End of tests.  */
 
 int main(int argc, char **argv)
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
     g_test_add_func("/aio/multi/lifecycle", test_lifecycle);
     if (g_test_quick()) {
         g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_1);
+        g_test_add_func("/aio/multi/mutex/contended", test_multi_co_mutex_1);
+        g_test_add_func("/aio/multi/mutex/handoff", test_multi_co_mutex_2_3);
     } else {
         g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_10);
+        g_test_add_func("/aio/multi/mutex/contended", test_multi_co_mutex_10);
+        g_test_add_func("/aio/multi/mutex/handoff", test_multi_co_mutex_2_30);
     }
     return g_test_run();
 }
diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-coroutine-lock.c
+++ b/util/qemu-coroutine-lock.c
@@ -XXX,XX +XXX,XX @@
  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  * THE SOFTWARE.
+ *
+ * The lock-free mutex implementation is based on OSv
+ * (core/lfmutex.cc, include/lockfree/mutex.hh).
+ * Copyright (C) 2013 Cloudius Systems, Ltd.
  */
 
 #include "qemu/osdep.h"
@@ -XXX,XX +XXX,XX @@ bool qemu_co_queue_empty(CoQueue *queue)
     return QSIMPLEQ_FIRST(&queue->entries) == NULL;
 }
 
+/* The wait records are handled with a multiple-producer, single-consumer
+ * lock-free queue.  There cannot be two concurrent pop_waiter() calls
+ * because pop_waiter() can only be called while mutex->handoff is zero.
+ * This can happen in three cases:
+ * - in qemu_co_mutex_unlock, before the hand-off protocol has started.
+ *   In this case, qemu_co_mutex_lock will see mutex->handoff == 0 and
+ *   not take part in the handoff.
+ * - in qemu_co_mutex_lock, if it steals the hand-off responsibility from
+ *   qemu_co_mutex_unlock.  In this case, qemu_co_mutex_unlock will fail
+ *   the cmpxchg (it will see either 0 or the next sequence value) and
+ *   exit.  The next hand-off cannot begin until qemu_co_mutex_lock has
+ *   woken up someone.
+ * - in qemu_co_mutex_unlock, if it takes the hand-off token itself.
+ *   In this case another iteration starts with mutex->handoff == 0;
+ *   a concurrent qemu_co_mutex_lock will fail the cmpxchg, and
+ *   qemu_co_mutex_unlock will go back to case (1).
+ *
+ * The following functions manage this queue.
+ */
+typedef struct CoWaitRecord {
+    Coroutine *co;
+    QSLIST_ENTRY(CoWaitRecord) next;
+} CoWaitRecord;
+
+static void push_waiter(CoMutex *mutex, CoWaitRecord *w)
+{
+    w->co = qemu_coroutine_self();
+    QSLIST_INSERT_HEAD_ATOMIC(&mutex->from_push, w, next);
+}
+
+static void move_waiters(CoMutex *mutex)
+{
+    QSLIST_HEAD(, CoWaitRecord) reversed;
+    QSLIST_MOVE_ATOMIC(&reversed, &mutex->from_push);
+    while (!QSLIST_EMPTY(&reversed)) {
+        CoWaitRecord *w = QSLIST_FIRST(&reversed);
+        QSLIST_REMOVE_HEAD(&reversed, next);
+        QSLIST_INSERT_HEAD(&mutex->to_pop, w, next);
+    }
+}
+
+static CoWaitRecord *pop_waiter(CoMutex *mutex)
+{
+    CoWaitRecord *w;
+
+    if (QSLIST_EMPTY(&mutex->to_pop)) {
+        move_waiters(mutex);
+        if (QSLIST_EMPTY(&mutex->to_pop)) {
+            return NULL;
+        }
+    }
+    w = QSLIST_FIRST(&mutex->to_pop);
+    QSLIST_REMOVE_HEAD(&mutex->to_pop, next);
+    return w;
+}
+
+static bool has_waiters(CoMutex *mutex)
+{
+    return QSLIST_EMPTY(&mutex->to_pop) || QSLIST_EMPTY(&mutex->from_push);
+}
+
 void qemu_co_mutex_init(CoMutex *mutex)
 {
     memset(mutex, 0, sizeof(*mutex));
-    qemu_co_queue_init(&mutex->queue);
 }
 
-void coroutine_fn qemu_co_mutex_lock(CoMutex *mutex)
+static void coroutine_fn qemu_co_mutex_lock_slowpath(CoMutex *mutex)
 {
     Coroutine *self = qemu_coroutine_self();
+    CoWaitRecord w;
+    unsigned old_handoff;
 
     trace_qemu_co_mutex_lock_entry(mutex, self);
+    w.co = self;
+    push_waiter(mutex, &w);
 
-    while (mutex->locked) {
-        qemu_co_queue_wait(&mutex->queue);
+    /* This is the "Responsibility Hand-Off" protocol; a lock() picks from
+     * a concurrent unlock() the responsibility of waking somebody up.
+     */
+    old_handoff = atomic_mb_read(&mutex->handoff);
+    if (old_handoff &&
+        has_waiters(mutex) &&
+        atomic_cmpxchg(&mutex->handoff, old_handoff, 0) == old_handoff) {
+        /* There can be no concurrent pops, because there can be only
+         * one active handoff at a time.
+         */
+        CoWaitRecord *to_wake = pop_waiter(mutex);
+        Coroutine *co = to_wake->co;
+        if (co == self) {
+            /* We got the lock ourselves!  */
+            assert(to_wake == &w);
+            return;
+        }
+
+        aio_co_wake(co);
     }
 
-    mutex->locked = true;
-    mutex->holder = self;
-    self->locks_held++;
-
+    qemu_coroutine_yield();
     trace_qemu_co_mutex_lock_return(mutex, self);
 }
 
+void coroutine_fn qemu_co_mutex_lock(CoMutex *mutex)
+{
+    Coroutine *self = qemu_coroutine_self();
+
+    if (atomic_fetch_inc(&mutex->locked) == 0) {
+        /* Uncontended.  */
+        trace_qemu_co_mutex_lock_uncontended(mutex, self);
+    } else {
+        qemu_co_mutex_lock_slowpath(mutex);
+    }
+    mutex->holder = self;
+    self->locks_held++;
+}
+
 void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex)
 {
     Coroutine *self = qemu_coroutine_self();
 
     trace_qemu_co_mutex_unlock_entry(mutex, self);
 
-    assert(mutex->locked == true);
+    assert(mutex->locked);
     assert(mutex->holder == self);
     assert(qemu_in_coroutine());
 
-    mutex->locked = false;
     mutex->holder = NULL;
     self->locks_held--;
-    qemu_co_queue_next(&mutex->queue);
+    if (atomic_fetch_dec(&mutex->locked) == 1) {
+        /* No waiting qemu_co_mutex_lock().  Pfew, that was easy!  */
+        return;
+    }
+
+    for (;;) {
+        CoWaitRecord *to_wake = pop_waiter(mutex);
+        unsigned our_handoff;
+
+        if (to_wake) {
+            Coroutine *co = to_wake->co;
+            aio_co_wake(co);
+            break;
+        }
+
+        /* Some concurrent lock() is in progress (we know this because
+         * mutex->locked was >1) but it hasn't yet put itself on the wait
+         * queue.  Pick a sequence number for the handoff protocol (not 0).
+         */
+        if (++mutex->sequence == 0) {
+            mutex->sequence = 1;
+        }
+
+        our_handoff = mutex->sequence;
+        atomic_mb_set(&mutex->handoff, our_handoff);
+        if (!has_waiters(mutex)) {
+            /* The concurrent lock has not added itself yet, so it
+             * will be able to pick our handoff.
+             */
+            break;
+        }
+
+        /* Try to do the handoff protocol ourselves; if somebody else has
+         * already taken it, however, we're done and they're responsible.
+         */
+        if (atomic_cmpxchg(&mutex->handoff, our_handoff, 0) != our_handoff) {
+            break;
+        }
+    }
 
     trace_qemu_co_mutex_unlock_return(mutex, self);
 }
diff --git a/util/trace-events b/util/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/util/trace-events
+++ b/util/trace-events
@@ -XXX,XX +XXX,XX @@ qemu_coroutine_terminate(void *co) "self %p"
 
 # util/qemu-coroutine-lock.c
 qemu_co_queue_run_restart(void *co) "co %p"
+qemu_co_mutex_lock_uncontended(void *mutex, void *self) "mutex %p self %p"
 qemu_co_mutex_lock_entry(void *mutex, void *self) "mutex %p self %p"
 qemu_co_mutex_lock_return(void *mutex, void *self) "mutex %p self %p"
 qemu_co_mutex_unlock_entry(void *mutex, void *self) "mutex %p self %p"
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

Running a very small critical section on pthread_mutex_t and CoMutex
shows that pthread_mutex_t is much faster because it doesn't actually
go to sleep.  What happens is that the critical section is shorter
than the latency of entering the kernel and thus FUTEX_WAIT always
fails.  With CoMutex there is no such latency but you still want to
avoid wait and wakeup.  So introduce it artificially.

This only works with one waiters; because CoMutex is fair, it will
always have more waits and wakeups than a pthread_mutex_t.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213181244.16297-3-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/qemu/coroutine.h   |  5 +++++
 util/qemu-coroutine-lock.c | 51 ++++++++++++++++++++++++++++++++++++++++------
 util/qemu-coroutine.c      |  2 +-
 3 files changed, 51 insertions(+), 7 deletions(-)

diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/coroutine.h
+++ b/include/qemu/coroutine.h
@@ -XXX,XX +XXX,XX @@ typedef struct CoMutex {
      */
     unsigned locked;
 
+    /* Context that is holding the lock.  Useful to avoid spinning
+     * when two coroutines on the same AioContext try to get the lock. :)
+     */
+    AioContext *ctx;
+
     /* A queue of waiters.  Elements are added atomically in front of
      * from_push.  to_pop is only populated, and popped from, by whoever
      * is in charge of the next wakeup.  This can be an unlocker or,
diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-coroutine-lock.c
+++ b/util/qemu-coroutine-lock.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu-common.h"
 #include "qemu/coroutine.h"
 #include "qemu/coroutine_int.h"
+#include "qemu/processor.h"
 #include "qemu/queue.h"
 #include "block/aio.h"
 #include "trace.h"
@@ -XXX,XX +XXX,XX @@ void qemu_co_mutex_init(CoMutex *mutex)
     memset(mutex, 0, sizeof(*mutex));
 }
 
-static void coroutine_fn qemu_co_mutex_lock_slowpath(CoMutex *mutex)
+static void coroutine_fn qemu_co_mutex_wake(CoMutex *mutex, Coroutine *co)
+{
+    /* Read co before co->ctx; pairs with smp_wmb() in
+     * qemu_coroutine_enter().
+     */
+    smp_read_barrier_depends();
+    mutex->ctx = co->ctx;
+    aio_co_wake(co);
+}
+
+static void coroutine_fn qemu_co_mutex_lock_slowpath(AioContext *ctx,
+                                                     CoMutex *mutex)
 {
     Coroutine *self = qemu_coroutine_self();
     CoWaitRecord w;
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn qemu_co_mutex_lock_slowpath(CoMutex *mutex)
         if (co == self) {
             /* We got the lock ourselves!  */
             assert(to_wake == &w);
+            mutex->ctx = ctx;
             return;
         }
 
-        aio_co_wake(co);
+        qemu_co_mutex_wake(mutex, co);
     }
 
     qemu_coroutine_yield();
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn qemu_co_mutex_lock_slowpath(CoMutex *mutex)
 
 void coroutine_fn qemu_co_mutex_lock(CoMutex *mutex)
 {
+    AioContext *ctx = qemu_get_current_aio_context();
     Coroutine *self = qemu_coroutine_self();
+    int waiters, i;
 
-    if (atomic_fetch_inc(&mutex->locked) == 0) {
+    /* Running a very small critical section on pthread_mutex_t and CoMutex
+     * shows that pthread_mutex_t is much faster because it doesn't actually
+     * go to sleep.  What happens is that the critical section is shorter
+     * than the latency of entering the kernel and thus FUTEX_WAIT always
+     * fails.  With CoMutex there is no such latency but you still want to
+     * avoid wait and wakeup.  So introduce it artificially.
+     */
+    i = 0;
+retry_fast_path:
+    waiters = atomic_cmpxchg(&mutex->locked, 0, 1);
+    if (waiters != 0) {
+        while (waiters == 1 && ++i < 1000) {
+            if (atomic_read(&mutex->ctx) == ctx) {
+                break;
+            }
+            if (atomic_read(&mutex->locked) == 0) {
+                goto retry_fast_path;
+            }
+            cpu_relax();
+        }
+        waiters = atomic_fetch_inc(&mutex->locked);
+    }
+
+    if (waiters == 0) {
         /* Uncontended.  */
         trace_qemu_co_mutex_lock_uncontended(mutex, self);
+        mutex->ctx = ctx;
     } else {
-        qemu_co_mutex_lock_slowpath(mutex);
+        qemu_co_mutex_lock_slowpath(ctx, mutex);
     }
     mutex->holder = self;
     self->locks_held++;
@@ -XXX,XX +XXX,XX @@ void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex)
     assert(mutex->holder == self);
     assert(qemu_in_coroutine());
 
+    mutex->ctx = NULL;
     mutex->holder = NULL;
     self->locks_held--;
     if (atomic_fetch_dec(&mutex->locked) == 1) {
@@ -XXX,XX +XXX,XX @@ void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex)
         unsigned our_handoff;
 
         if (to_wake) {
-            Coroutine *co = to_wake->co;
-            aio_co_wake(co);
+            qemu_co_mutex_wake(mutex, to_wake->co);
             break;
         }
 
diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-coroutine.c
+++ b/util/qemu-coroutine.c
@@ -XXX,XX +XXX,XX @@ void qemu_coroutine_enter(Coroutine *co)
     co->ctx = qemu_get_current_aio_context();
 
     /* Store co->ctx before anything that stores co.  Matches
-     * barrier in aio_co_wake.
+     * barrier in aio_co_wake and qemu_co_mutex_wake.
      */
     smp_wmb();
 
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

Add two implementations of the same benchmark as the previous patch,
but using pthreads.  One uses a normal QemuMutex, the other is Linux
only and implements a fair mutex based on MCS locks and futexes.
This shows that the slower performance of the 5-thread case is due to
the fairness of CoMutex, rather than to coroutines.  If fairness does
not matter, as is the case with two threads, CoMutex can actually be
faster than pthreads.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213181244.16297-4-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/test-aio-multithread.c | 164 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 164 insertions(+)

diff --git a/tests/test-aio-multithread.c b/tests/test-aio-multithread.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/test-aio-multithread.c
+++ b/tests/test-aio-multithread.c
@@ -XXX,XX +XXX,XX @@ static void test_multi_co_mutex_2_30(void)
     test_multi_co_mutex(2, 30);
 }
 
+/* Same test with fair mutexes, for performance comparison.  */
+
+#ifdef CONFIG_LINUX
+#include "qemu/futex.h"
+
+/* The nodes for the mutex reside in this structure (on which we try to avoid
+ * false sharing).  The head of the mutex is in the "mutex_head" variable.
+ */
+static struct {
+    int next, locked;
+    int padding[14];
+} nodes[NUM_CONTEXTS] __attribute__((__aligned__(64)));
+
+static int mutex_head = -1;
+
+static void mcs_mutex_lock(void)
+{
+    int prev;
+
+    nodes[id].next = -1;
+    nodes[id].locked = 1;
+    prev = atomic_xchg(&mutex_head, id);
+    if (prev != -1) {
+        atomic_set(&nodes[prev].next, id);
+        qemu_futex_wait(&nodes[id].locked, 1);
+    }
+}
+
+static void mcs_mutex_unlock(void)
+{
+    int next;
+    if (nodes[id].next == -1) {
+        if (atomic_read(&mutex_head) == id &&
+            atomic_cmpxchg(&mutex_head, id, -1) == id) {
+            /* Last item in the list, exit.  */
+            return;
+        }
+        while (atomic_read(&nodes[id].next) == -1) {
+            /* mcs_mutex_lock did the xchg, but has not updated
+             * nodes[prev].next yet.
+             */
+        }
+    }
+
+    /* Wake up the next in line.  */
+    next = nodes[id].next;
+    nodes[next].locked = 0;
+    qemu_futex_wake(&nodes[next].locked, 1);
+}
+
+static void test_multi_fair_mutex_entry(void *opaque)
+{
+    while (!atomic_mb_read(&now_stopping)) {
+        mcs_mutex_lock();
+        counter++;
+        mcs_mutex_unlock();
+        atomic_inc(&atomic_counter);
+    }
+    atomic_dec(&running);
+}
+
+static void test_multi_fair_mutex(int threads, int seconds)
+{
+    int i;
+
+    assert(mutex_head == -1);
+    counter = 0;
+    atomic_counter = 0;
+    now_stopping = false;
+
+    create_aio_contexts();
+    assert(threads <= NUM_CONTEXTS);
+    running = threads;
+    for (i = 0; i < threads; i++) {
+        Coroutine *co1 = qemu_coroutine_create(test_multi_fair_mutex_entry, NULL);
+        aio_co_schedule(ctx[i], co1);
+    }
+
+    g_usleep(seconds * 1000000);
+
+    atomic_mb_set(&now_stopping, true);
+    while (running > 0) {
+        g_usleep(100000);
+    }
+
+    join_aio_contexts();
+    g_test_message("%d iterations/second\n", counter / seconds);
+    g_assert_cmpint(counter, ==, atomic_counter);
+}
+
+static void test_multi_fair_mutex_1(void)
+{
+    test_multi_fair_mutex(NUM_CONTEXTS, 1);
+}
+
+static void test_multi_fair_mutex_10(void)
+{
+    test_multi_fair_mutex(NUM_CONTEXTS, 10);
+}
+#endif
+
+/* Same test with pthread mutexes, for performance comparison and
+ * portability.  */
+
+static QemuMutex mutex;
+
+static void test_multi_mutex_entry(void *opaque)
+{
+    while (!atomic_mb_read(&now_stopping)) {
+        qemu_mutex_lock(&mutex);
+        counter++;
+        qemu_mutex_unlock(&mutex);
+        atomic_inc(&atomic_counter);
+    }
+    atomic_dec(&running);
+}
+
+static void test_multi_mutex(int threads, int seconds)
+{
+    int i;
+
+    qemu_mutex_init(&mutex);
+    counter = 0;
+    atomic_counter = 0;
+    now_stopping = false;
+
+    create_aio_contexts();
+    assert(threads <= NUM_CONTEXTS);
+    running = threads;
+    for (i = 0; i < threads; i++) {
+        Coroutine *co1 = qemu_coroutine_create(test_multi_mutex_entry, NULL);
+        aio_co_schedule(ctx[i], co1);
+    }
+
+    g_usleep(seconds * 1000000);
+
+    atomic_mb_set(&now_stopping, true);
+    while (running > 0) {
+        g_usleep(100000);
+    }
+
+    join_aio_contexts();
+    g_test_message("%d iterations/second\n", counter / seconds);
+    g_assert_cmpint(counter, ==, atomic_counter);
+}
+
+static void test_multi_mutex_1(void)
+{
+    test_multi_mutex(NUM_CONTEXTS, 1);
+}
+
+static void test_multi_mutex_10(void)
+{
+    test_multi_mutex(NUM_CONTEXTS, 10);
+}
+
 /* End of tests.  */
 
 int main(int argc, char **argv)
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
         g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_1);
         g_test_add_func("/aio/multi/mutex/contended", test_multi_co_mutex_1);
         g_test_add_func("/aio/multi/mutex/handoff", test_multi_co_mutex_2_3);
+#ifdef CONFIG_LINUX
+        g_test_add_func("/aio/multi/mutex/mcs", test_multi_fair_mutex_1);
+#endif
+        g_test_add_func("/aio/multi/mutex/pthread", test_multi_mutex_1);
     } else {
         g_test_add_func("/aio/multi/schedule", test_multi_co_schedule_10);
         g_test_add_func("/aio/multi/mutex/contended", test_multi_co_mutex_10);
         g_test_add_func("/aio/multi/mutex/handoff", test_multi_co_mutex_2_30);
+#ifdef CONFIG_LINUX
+        g_test_add_func("/aio/multi/mutex/mcs", test_multi_fair_mutex_10);
+#endif
+        g_test_add_func("/aio/multi/mutex/pthread", test_multi_mutex_10);
     }
     return g_test_run();
 }
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

This will avoid forward references in the next patch.  It is also
more logical because CoQueue is not anymore the basic primitive.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213181244.16297-5-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/qemu/coroutine.h | 89 ++++++++++++++++++++++++------------------------
 1 file changed, 44 insertions(+), 45 deletions(-)

diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/coroutine.h
+++ b/include/qemu/coroutine.h
@@ -XXX,XX +XXX,XX @@ bool qemu_in_coroutine(void);
  */
 bool qemu_coroutine_entered(Coroutine *co);
 
-
-/**
- * CoQueues are a mechanism to queue coroutines in order to continue executing
- * them later. They provide the fundamental primitives on which coroutine locks
- * are built.
- */
-typedef struct CoQueue {
-    QSIMPLEQ_HEAD(, Coroutine) entries;
-} CoQueue;
-
-/**
- * Initialise a CoQueue. This must be called before any other operation is used
- * on the CoQueue.
- */
-void qemu_co_queue_init(CoQueue *queue);
-
-/**
- * Adds the current coroutine to the CoQueue and transfers control to the
- * caller of the coroutine.
- */
-void coroutine_fn qemu_co_queue_wait(CoQueue *queue);
-
-/**
- * Restarts the next coroutine in the CoQueue and removes it from the queue.
- *
- * Returns true if a coroutine was restarted, false if the queue is empty.
- */
-bool coroutine_fn qemu_co_queue_next(CoQueue *queue);
-
-/**
- * Restarts all coroutines in the CoQueue and leaves the queue empty.
- */
-void coroutine_fn qemu_co_queue_restart_all(CoQueue *queue);
-
-/**
- * Enter the next coroutine in the queue
- */
-bool qemu_co_enter_next(CoQueue *queue);
-
-/**
- * Checks if the CoQueue is empty.
- */
-bool qemu_co_queue_empty(CoQueue *queue);
-
-
 /**
  * Provides a mutex that can be used to synchronise coroutines
  */
@@ -XXX,XX +XXX,XX @@ void coroutine_fn qemu_co_mutex_lock(CoMutex *mutex);
  */
 void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex);
 
+
+/**
+ * CoQueues are a mechanism to queue coroutines in order to continue executing
+ * them later.
+ */
+typedef struct CoQueue {
+    QSIMPLEQ_HEAD(, Coroutine) entries;
+} CoQueue;
+
+/**
+ * Initialise a CoQueue. This must be called before any other operation is used
+ * on the CoQueue.
+ */
+void qemu_co_queue_init(CoQueue *queue);
+
+/**
+ * Adds the current coroutine to the CoQueue and transfers control to the
+ * caller of the coroutine.
+ */
+void coroutine_fn qemu_co_queue_wait(CoQueue *queue);
+
+/**
+ * Restarts the next coroutine in the CoQueue and removes it from the queue.
+ *
+ * Returns true if a coroutine was restarted, false if the queue is empty.
+ */
+bool coroutine_fn qemu_co_queue_next(CoQueue *queue);
+
+/**
+ * Restarts all coroutines in the CoQueue and leaves the queue empty.
+ */
+void coroutine_fn qemu_co_queue_restart_all(CoQueue *queue);
+
+/**
+ * Enter the next coroutine in the queue
+ */
+bool qemu_co_enter_next(CoQueue *queue);
+
+/**
+ * Checks if the CoQueue is empty.
+ */
+bool qemu_co_queue_empty(CoQueue *queue);
+
+
 typedef struct CoRwlock {
     bool writer;
     int reader;
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

All that CoQueue needs in order to become thread-safe is help
from an external mutex.  Add this to the API.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213181244.16297-6-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/qemu/coroutine.h   |  8 +++++---
 block/backup.c             |  2 +-
 block/io.c                 |  4 ++--
 block/nbd-client.c         |  2 +-
 block/qcow2-cluster.c      |  4 +---
 block/sheepdog.c           |  2 +-
 block/throttle-groups.c    |  2 +-
 hw/9pfs/9p.c               |  2 +-
 util/qemu-coroutine-lock.c | 24 +++++++++++++++++++++---
 9 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/coroutine.h
+++ b/include/qemu/coroutine.h
@@ -XXX,XX +XXX,XX @@ void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex);
 
 /**
  * CoQueues are a mechanism to queue coroutines in order to continue executing
- * them later.
+ * them later.  They are similar to condition variables, but they need help
+ * from an external mutex in order to maintain thread-safety.
  */
 typedef struct CoQueue {
     QSIMPLEQ_HEAD(, Coroutine) entries;
@@ -XXX,XX +XXX,XX @@ void qemu_co_queue_init(CoQueue *queue);
 
 /**
  * Adds the current coroutine to the CoQueue and transfers control to the
- * caller of the coroutine.
+ * caller of the coroutine.  The mutex is unlocked during the wait and
+ * locked again afterwards.
  */
-void coroutine_fn qemu_co_queue_wait(CoQueue *queue);
+void coroutine_fn qemu_co_queue_wait(CoQueue *queue, CoMutex *mutex);
 
 /**
  * Restarts the next coroutine in the CoQueue and removes it from the queue.
diff --git a/block/backup.c b/block/backup.c
index XXXXXXX..XXXXXXX 100644
--- a/block/backup.c
+++ b/block/backup.c
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn wait_for_overlapping_requests(BackupBlockJob *job,
         retry = false;
         QLIST_FOREACH(req, &job->inflight_reqs, list) {
             if (end > req->start && start < req->end) {
-                qemu_co_queue_wait(&req->wait_queue);
+                qemu_co_queue_wait(&req->wait_queue, NULL);
                 retry = true;
                 break;
             }
diff --git a/block/io.c b/block/io.c
index XXXXXXX..XXXXXXX 100644
--- a/block/io.c
+++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ static bool coroutine_fn wait_serialising_requests(BdrvTrackedRequest *self)
                  * (instead of producing a deadlock in the former case). */
                 if (!req->waiting_for) {
                     self->waiting_for = req;
-                    qemu_co_queue_wait(&req->wait_queue);
+                    qemu_co_queue_wait(&req->wait_queue, NULL);
                     self->waiting_for = NULL;
                     retry = true;
                     waited = true;
@@ -XXX,XX +XXX,XX @@ int coroutine_fn bdrv_co_flush(BlockDriverState *bs)
 
     /* Wait until any previous flushes are completed */
     while (bs->active_flush_req) {
-        qemu_co_queue_wait(&bs->flush_queue);
+        qemu_co_queue_wait(&bs->flush_queue, NULL);
     }
 
     bs->active_flush_req = true;
diff --git a/block/nbd-client.c b/block/nbd-client.c
index XXXXXXX..XXXXXXX 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -XXX,XX +XXX,XX @@ static void nbd_coroutine_start(NBDClientSession *s,
     /* Poor man semaphore.  The free_sema is locked when no other request
      * can be accepted, and unlocked after receiving one reply.  */
     if (s->in_flight == MAX_NBD_REQUESTS) {
-        qemu_co_queue_wait(&s->free_sema);
+        qemu_co_queue_wait(&s->free_sema, NULL);
         assert(s->in_flight < MAX_NBD_REQUESTS);
     }
     s->in_flight++;
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index XXXXXXX..XXXXXXX 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -XXX,XX +XXX,XX @@ static int handle_dependencies(BlockDriverState *bs, uint64_t guest_offset,
             if (bytes == 0) {
                 /* Wait for the dependency to complete. We need to recheck
                  * the free/allocated clusters when we continue. */
-                qemu_co_mutex_unlock(&s->lock);
-                qemu_co_queue_wait(&old_alloc->dependent_requests);
-                qemu_co_mutex_lock(&s->lock);
+                qemu_co_queue_wait(&old_alloc->dependent_requests, &s->lock);
                 return -EAGAIN;
             }
         }
diff --git a/block/sheepdog.c b/block/sheepdog.c
index XXXXXXX..XXXXXXX 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -XXX,XX +XXX,XX @@ static void wait_for_overlapping_aiocb(BDRVSheepdogState *s, SheepdogAIOCB *acb)
 retry:
     QLIST_FOREACH(cb, &s->inflight_aiocb_head, aiocb_siblings) {
         if (AIOCBOverlapping(acb, cb)) {
-            qemu_co_queue_wait(&s->overlapping_queue);
+            qemu_co_queue_wait(&s->overlapping_queue, NULL);
             goto retry;
         }
     }
diff --git a/block/throttle-groups.c b/block/throttle-groups.c
index XXXXXXX..XXXXXXX 100644
--- a/block/throttle-groups.c
+++ b/block/throttle-groups.c
@@ -XXX,XX +XXX,XX @@ void coroutine_fn throttle_group_co_io_limits_intercept(BlockBackend *blk,
     if (must_wait || blkp->pending_reqs[is_write]) {
         blkp->pending_reqs[is_write]++;
         qemu_mutex_unlock(&tg->lock);
-        qemu_co_queue_wait(&blkp->throttled_reqs[is_write]);
+        qemu_co_queue_wait(&blkp->throttled_reqs[is_write], NULL);
         qemu_mutex_lock(&tg->lock);
         blkp->pending_reqs[is_write]--;
     }
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn v9fs_flush(void *opaque)
         /*
          * Wait for pdu to complete.
          */
-        qemu_co_queue_wait(&cancel_pdu->complete);
+        qemu_co_queue_wait(&cancel_pdu->complete, NULL);
         cancel_pdu->cancelled = 0;
         pdu_free(cancel_pdu);
     }
diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-coroutine-lock.c
+++ b/util/qemu-coroutine-lock.c
@@ -XXX,XX +XXX,XX @@ void qemu_co_queue_init(CoQueue *queue)
     QSIMPLEQ_INIT(&queue->entries);
 }
 
-void coroutine_fn qemu_co_queue_wait(CoQueue *queue)
+void coroutine_fn qemu_co_queue_wait(CoQueue *queue, CoMutex *mutex)
 {
     Coroutine *self = qemu_coroutine_self();
     QSIMPLEQ_INSERT_TAIL(&queue->entries, self, co_queue_next);
+
+    if (mutex) {
+        qemu_co_mutex_unlock(mutex);
+    }
+
+    /* There is no race condition here.  Other threads will call
+     * aio_co_schedule on our AioContext, which can reenter this
+     * coroutine but only after this yield and after the main loop
+     * has gone through the next iteration.
+     */
     qemu_coroutine_yield();
     assert(qemu_in_coroutine());
+
+    /* TODO: OSv implements wait morphing here, where the wakeup
+     * primitive automatically places the woken coroutine on the
+     * mutex's queue.  This avoids the thundering herd effect.
+     */
+    if (mutex) {
+        qemu_co_mutex_lock(mutex);
+    }
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_rdlock(CoRwlock *lock)
     Coroutine *self = qemu_coroutine_self();
 
     while (lock->writer) {
-        qemu_co_queue_wait(&lock->queue);
+        qemu_co_queue_wait(&lock->queue, NULL);
     }
     lock->reader++;
     self->locks_held++;
@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_wrlock(CoRwlock *lock)
     Coroutine *self = qemu_coroutine_self();
 
     while (lock->writer || lock->reader) {
-        qemu_co_queue_wait(&lock->queue);
+        qemu_co_queue_wait(&lock->queue, NULL);
     }
     lock->writer = true;
     self->locks_held++;
-- 
2.9.3

From: Paolo Bonzini <pbonzini@redhat.com>

This adds a CoMutex around the existing CoQueue.  Because the write-side
can just take CoMutex, the old "writer" field is not necessary anymore.
Instead of removing it altogether, count the number of pending writers
during a read-side critical section and forbid further readers from
entering.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170213181244.16297-7-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/qemu/coroutine.h   |  3 ++-
 util/qemu-coroutine-lock.c | 35 ++++++++++++++++++++++++-----------
 2 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/coroutine.h
+++ b/include/qemu/coroutine.h
@@ -XXX,XX +XXX,XX @@ bool qemu_co_queue_empty(CoQueue *queue);
 
 
 typedef struct CoRwlock {
-    bool writer;
+    int pending_writer;
     int reader;
+    CoMutex mutex;
     CoQueue queue;
 } CoRwlock;
 
diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-coroutine-lock.c
+++ b/util/qemu-coroutine-lock.c
@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_init(CoRwlock *lock)
 {
     memset(lock, 0, sizeof(*lock));
     qemu_co_queue_init(&lock->queue);
+    qemu_co_mutex_init(&lock->mutex);
 }
 
 void qemu_co_rwlock_rdlock(CoRwlock *lock)
 {
     Coroutine *self = qemu_coroutine_self();
 
-    while (lock->writer) {
-        qemu_co_queue_wait(&lock->queue, NULL);
+    qemu_co_mutex_lock(&lock->mutex);
+    /* For fairness, wait if a writer is in line.  */
+    while (lock->pending_writer) {
+        qemu_co_queue_wait(&lock->queue, &lock->mutex);
     }
     lock->reader++;
+    qemu_co_mutex_unlock(&lock->mutex);
+
+    /* The rest of the read-side critical section is run without the mutex.  */
     self->locks_held++;
 }
 
@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_unlock(CoRwlock *lock)
     Coroutine *self = qemu_coroutine_self();
 
     assert(qemu_in_coroutine());
-    if (lock->writer) {
-        lock->writer = false;
+    if (!lock->reader) {
+        /* The critical section started in qemu_co_rwlock_wrlock.  */
         qemu_co_queue_restart_all(&lock->queue);
     } else {
+        self->locks_held--;
+
+        qemu_co_mutex_lock(&lock->mutex);
         lock->reader--;
         assert(lock->reader >= 0);
         /* Wakeup only one waiting writer */
@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_unlock(CoRwlock *lock)
             qemu_co_queue_next(&lock->queue);
         }
     }
-    self->locks_held--;
+    qemu_co_mutex_unlock(&lock->mutex);
 }
 
 void qemu_co_rwlock_wrlock(CoRwlock *lock)
 {
-    Coroutine *self = qemu_coroutine_self();
-
-    while (lock->writer || lock->reader) {
-        qemu_co_queue_wait(&lock->queue, NULL);
+    qemu_co_mutex_lock(&lock->mutex);
+    lock->pending_writer++;
+    while (lock->reader) {
+        qemu_co_queue_wait(&lock->queue, &lock->mutex);
     }
-    lock->writer = true;
-    self->locks_held++;
+    lock->pending_writer--;
+
+    /* The rest of the write-side critical section is run with
+     * the mutex taken, so that lock->reader remains zero.
+     * There is no need to update self->locks_held.
+     */
 }
-- 
2.9.3