Series comparison

-[PULL for-6.0 0/6] Block patches
+[PULL for-6.1 0/1] Block patches
-The following changes since commit 6d40ce00c1166c317e298ad82ecf10e650c4f87d:
+The following changes since commit a2376507f615495b1d16685449ce0ea78c2caf9d:
-  Update version for v6.0.0-rc1 release (2021-03-30 18:19:07 +0100)
+  Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging (2021-07-24 11:04:57 +0100)
 are available in the Git repository at:
   https://gitlab.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to b6489ac06695e257ea0a9841364577e247fdee30:
+for you to fetch changes up to 15a730e7a3aaac180df72cd5730e0617bcf44a5a:
-  test-coroutine: Add rwlock downgrade test (2021-03-31 10:44:21 +0100)
+  block/nvme: Fix VFIO_MAP_DMA failed: No space left on device (2021-07-26 09:38:12 +0100)
 ----------------------------------------------------------------
 Pull request
-A fix for VDI image files and more generally for CoRwlock.
+Phil's block/nvme.c ENOSPC fix for newer Linux kernels that return this errno.
 ----------------------------------------------------------------
-David Edmondson (4):
+Philippe Mathieu-Daudé (1):
-  block/vdi: When writing new bmap entry fails, don't leak the buffer
+  block/nvme: Fix VFIO_MAP_DMA failed: No space left on device
   block/vdi: Don't assume that blocks are larger than VdiHeader
   coroutine-lock: Store the coroutine in the CoWaitRecord only once
   test-coroutine: Add rwlock downgrade test
-Paolo Bonzini (2):
+ block/nvme.c | 22 ++++++++++++++++++++++
-  coroutine-lock: Reimplement CoRwlock to fix downgrade bug
+file changed, 22 insertions(+)
   test-coroutine: Add rwlock upgrade test
  include/qemu/coroutine.h    |  17 ++--
  block/vdi.c                 |  11 ++-
  tests/unit/test-coroutine.c | 161 +++++++++++++++++++++++++++++++++++
  util/qemu-coroutine-lock.c  | 165 +++++++++++++++++++++++-------------
 files changed, 282 insertions(+), 72 deletions(-)
 --
-.30.2
+.31.1

-[PULL for-6.0 1/6] block/vdi: When writing new bmap entry fails, don't leak the buffer
+Deleted patch
-From: David Edmondson <david.edmondson@oracle.com>
-If a new bitmap entry is allocated, requiring the entire block to be
-written, avoiding leaking the buffer allocated for the block should
-the write fail.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: David Edmondson <david.edmondson@oracle.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Acked-by: Max Reitz <mreitz@redhat.com>
-Message-id: 20210325112941.365238-2-pbonzini@redhat.com
-Message-Id: <20210309144015.557477-2-david.edmondson@oracle.com>
-Acked-by: Max Reitz <mreitz@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/vdi.c | 1 +
-file changed, 1 insertion(+)
-diff --git a/block/vdi.c b/block/vdi.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/vdi.c
-+++ b/block/vdi.c
-@@ -XXX,XX +XXX,XX @@ nonallocating_write:
-     logout("finished data write\n");
-     if (ret < 0) {
-+        g_free(block);
-         return ret;
-     }
---
-.30.2

-[PULL for-6.0 2/6] block/vdi: Don't assume that blocks are larger than VdiHeader
+Deleted patch
-From: David Edmondson <david.edmondson@oracle.com>
-Given that the block size is read from the header of the VDI file, a
-wide variety of sizes might be seen. Rather than re-using a block
-sized memory region when writing the VDI header, allocate an
-appropriately sized buffer.
-Signed-off-by: David Edmondson <david.edmondson@oracle.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Acked-by: Max Reitz <mreitz@redhat.com>
-Message-id: 20210325112941.365238-3-pbonzini@redhat.com
-Message-Id: <20210309144015.557477-3-david.edmondson@oracle.com>
-Acked-by: Max Reitz <mreitz@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/vdi.c | 10 ++++++----
-file changed, 6 insertions(+), 4 deletions(-)
-diff --git a/block/vdi.c b/block/vdi.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/vdi.c
-+++ b/block/vdi.c
-@@ -XXX,XX +XXX,XX @@ nonallocating_write:
-     if (block) {
-         /* One or more new blocks were allocated. */
--        VdiHeader *header = (VdiHeader *) block;
-+        VdiHeader *header;
-         uint8_t *base;
-         uint64_t offset;
-         uint32_t n_sectors;
-+        g_free(block);
-+        header = g_malloc(sizeof(*header));
-+
-         logout("now writing modified header\n");
-         assert(VDI_IS_ALLOCATED(bmap_first));
-         *header = s->header;
-         vdi_header_to_le(header);
--        ret = bdrv_pwrite(bs->file, 0, block, sizeof(VdiHeader));
--        g_free(block);
--        block = NULL;
-+        ret = bdrv_pwrite(bs->file, 0, header, sizeof(*header));
-+        g_free(header);
-         if (ret < 0) {
-             return ret;
---
-.30.2

-[PULL for-6.0 3/6] coroutine-lock: Store the coroutine in the CoWaitRecord only once
+Deleted patch
-From: David Edmondson <david.edmondson@oracle.com>
-When taking the slow path for mutex acquisition, set the coroutine
-value in the CoWaitRecord in push_waiter(), rather than both there and
-in the caller.
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: David Edmondson <david.edmondson@oracle.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20210325112941.365238-4-pbonzini@redhat.com
-Message-Id: <20210309144015.557477-4-david.edmondson@oracle.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- util/qemu-coroutine-lock.c | 1 -
-file changed, 1 deletion(-)
-diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/qemu-coroutine-lock.c
-+++ b/util/qemu-coroutine-lock.c
-@@ -XXX,XX +XXX,XX @@ static void coroutine_fn qemu_co_mutex_lock_slowpath(AioContext *ctx,
-     unsigned old_handoff;
-     trace_qemu_co_mutex_lock_entry(mutex, self);
--    w.co = self;
-     push_waiter(mutex, &w);
-     /* This is the "Responsibility Hand-Off" protocol; a lock() picks from
---
-.30.2

-[PULL for-6.0 4/6] coroutine-lock: Reimplement CoRwlock to fix downgrade bug
+Deleted patch
-From: Paolo Bonzini <pbonzini@redhat.com>
-An invariant of the current rwlock is that if multiple coroutines hold a
-reader lock, all must be runnable. The unlock implementation relies on
-this, choosing to wake a single coroutine when the final read lock
-holder exits the critical section, assuming that it will wake a
-coroutine attempting to acquire a write lock.
-The downgrade implementation violates this assumption by creating a
-read lock owning coroutine that is exclusively runnable - any other
-coroutines that are waiting to acquire a read lock are *not* made
-runnable when the write lock holder converts its ownership to read
-only.
-More in general, the old implementation had lots of other fairness bugs.
-The root cause of the bugs was that CoQueue would wake up readers even
-if there were pending writers, and would wake up writers even if there
-were readers.  In that case, the coroutine would go back to sleep *at
-the end* of the CoQueue, losing its place at the head of the line.
-To fix this, keep the queue of waiters explicitly in the CoRwlock
-instead of using CoQueue, and store for each whether it is a
-potential reader or a writer.  This way, downgrade can look at the
-first queued coroutines and wake it only if it is a reader, causing
-all other readers in line to be released in turn.
-Reported-by: David Edmondson <david.edmondson@oracle.com>
-Reviewed-by: David Edmondson <david.edmondson@oracle.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20210325112941.365238-5-pbonzini@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- include/qemu/coroutine.h   |  17 ++--
- util/qemu-coroutine-lock.c | 164 +++++++++++++++++++++++--------------
-files changed, 114 insertions(+), 67 deletions(-)
-diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/qemu/coroutine.h
-+++ b/include/qemu/coroutine.h
-@@ -XXX,XX +XXX,XX @@ bool qemu_co_enter_next_impl(CoQueue *queue, QemuLockable *lock);
- bool qemu_co_queue_empty(CoQueue *queue);
-+typedef struct CoRwTicket CoRwTicket;
- typedef struct CoRwlock {
--    int pending_writer;
--    int reader;
-     CoMutex mutex;
--    CoQueue queue;
-+
-+    /* Number of readers, or -1 if owned for writing.  */
-+    int owners;
-+
-+    /* Waiting coroutines.  */
-+    QSIMPLEQ_HEAD(, CoRwTicket) tickets;
- } CoRwlock;
- /**
-@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_rdlock(CoRwlock *lock);
- /**
-  * Write Locks the CoRwlock from a reader.  This is a bit more efficient than
-  * @qemu_co_rwlock_unlock followed by a separate @qemu_co_rwlock_wrlock.
-- * However, if the lock cannot be upgraded immediately, control is transferred
-- * to the caller of the current coroutine.  Also, @qemu_co_rwlock_upgrade
-- * only overrides CoRwlock fairness if there are no concurrent readers, so
-- * another writer might run while @qemu_co_rwlock_upgrade blocks.
-+ * Note that if the lock cannot be upgraded immediately, control is transferred
-+ * to the caller of the current coroutine; another writer might run while
-+ * @qemu_co_rwlock_upgrade blocks.
-  */
- void qemu_co_rwlock_upgrade(CoRwlock *lock);
-diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/qemu-coroutine-lock.c
-+++ b/util/qemu-coroutine-lock.c
-@@ -XXX,XX +XXX,XX @@ void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex)
-     trace_qemu_co_mutex_unlock_return(mutex, self);
- }
-+struct CoRwTicket {
-+    bool read;
-+    Coroutine *co;
-+    QSIMPLEQ_ENTRY(CoRwTicket) next;
-+};
-+
- void qemu_co_rwlock_init(CoRwlock *lock)
- {
--    memset(lock, 0, sizeof(*lock));
--    qemu_co_queue_init(&lock->queue);
-     qemu_co_mutex_init(&lock->mutex);
-+    lock->owners = 0;
-+    QSIMPLEQ_INIT(&lock->tickets);
-+}
-+
-+/* Releases the internal CoMutex.  */
-+static void qemu_co_rwlock_maybe_wake_one(CoRwlock *lock)
-+{
-+    CoRwTicket *tkt = QSIMPLEQ_FIRST(&lock->tickets);
-+    Coroutine *co = NULL;
-+
-+    /*
-+     * Setting lock->owners here prevents rdlock and wrlock from
-+     * sneaking in between unlock and wake.
-+     */
-+
-+    if (tkt) {
-+        if (tkt->read) {
-+            if (lock->owners >= 0) {
-+                lock->owners++;
-+                co = tkt->co;
-+            }
-+        } else {
-+            if (lock->owners == 0) {
-+                lock->owners = -1;
-+                co = tkt->co;
-+            }
-+        }
-+    }
-+
-+    if (co) {
-+        QSIMPLEQ_REMOVE_HEAD(&lock->tickets, next);
-+        qemu_co_mutex_unlock(&lock->mutex);
-+        aio_co_wake(co);
-+    } else {
-+        qemu_co_mutex_unlock(&lock->mutex);
-+    }
- }
- void qemu_co_rwlock_rdlock(CoRwlock *lock)
-@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_rdlock(CoRwlock *lock)
-     qemu_co_mutex_lock(&lock->mutex);
-     /* For fairness, wait if a writer is in line.  */
--    while (lock->pending_writer) {
--        qemu_co_queue_wait(&lock->queue, &lock->mutex);
--    }
--    lock->reader++;
--    qemu_co_mutex_unlock(&lock->mutex);
--
--    /* The rest of the read-side critical section is run without the mutex.  */
--    self->locks_held++;
--}
--
--void qemu_co_rwlock_unlock(CoRwlock *lock)
--{
--    Coroutine *self = qemu_coroutine_self();
--
--    assert(qemu_in_coroutine());
--    if (!lock->reader) {
--        /* The critical section started in qemu_co_rwlock_wrlock.  */
--        qemu_co_queue_restart_all(&lock->queue);
-+    if (lock->owners == 0 || (lock->owners > 0 && QSIMPLEQ_EMPTY(&lock->tickets))) {
-+        lock->owners++;
-+        qemu_co_mutex_unlock(&lock->mutex);
-     } else {
--        self->locks_held--;
-+        CoRwTicket my_ticket = { true, self };
-+        QSIMPLEQ_INSERT_TAIL(&lock->tickets, &my_ticket, next);
-+        qemu_co_mutex_unlock(&lock->mutex);
-+        qemu_coroutine_yield();
-+        assert(lock->owners >= 1);
-+
-+        /* Possibly wake another reader, which will wake the next in line.  */
-         qemu_co_mutex_lock(&lock->mutex);
--        lock->reader--;
--        assert(lock->reader >= 0);
--        /* Wakeup only one waiting writer */
--        if (!lock->reader) {
--            qemu_co_queue_next(&lock->queue);
--        }
-+        qemu_co_rwlock_maybe_wake_one(lock);
-     }
--    qemu_co_mutex_unlock(&lock->mutex);
-+
-+    self->locks_held++;
-+}
-+
-+void qemu_co_rwlock_unlock(CoRwlock *lock)
-+{
-+    Coroutine *self = qemu_coroutine_self();
-+
-+    assert(qemu_in_coroutine());
-+    self->locks_held--;
-+
-+    qemu_co_mutex_lock(&lock->mutex);
-+    if (lock->owners > 0) {
-+        lock->owners--;
-+    } else {
-+        assert(lock->owners == -1);
-+        lock->owners = 0;
-+    }
-+
-+    qemu_co_rwlock_maybe_wake_one(lock);
- }
- void qemu_co_rwlock_downgrade(CoRwlock *lock)
- {
--    Coroutine *self = qemu_coroutine_self();
-+    qemu_co_mutex_lock(&lock->mutex);
-+    assert(lock->owners == -1);
-+    lock->owners = 1;
--    /* lock->mutex critical section started in qemu_co_rwlock_wrlock or
--     * qemu_co_rwlock_upgrade.
--     */
--    assert(lock->reader == 0);
--    lock->reader++;
--    qemu_co_mutex_unlock(&lock->mutex);
--
--    /* The rest of the read-side critical section is run without the mutex.  */
--    self->locks_held++;
-+    /* Possibly wake another reader, which will wake the next in line.  */
-+    qemu_co_rwlock_maybe_wake_one(lock);
- }
- void qemu_co_rwlock_wrlock(CoRwlock *lock)
- {
-+    Coroutine *self = qemu_coroutine_self();
-+
-     qemu_co_mutex_lock(&lock->mutex);
--    lock->pending_writer++;
--    while (lock->reader) {
--        qemu_co_queue_wait(&lock->queue, &lock->mutex);
-+    if (lock->owners == 0) {
-+        lock->owners = -1;
-+        qemu_co_mutex_unlock(&lock->mutex);
-+    } else {
-+        CoRwTicket my_ticket = { false, qemu_coroutine_self() };
-+
-+        QSIMPLEQ_INSERT_TAIL(&lock->tickets, &my_ticket, next);
-+        qemu_co_mutex_unlock(&lock->mutex);
-+        qemu_coroutine_yield();
-+        assert(lock->owners == -1);
-     }
--    lock->pending_writer--;
--    /* The rest of the write-side critical section is run with
--     * the mutex taken, so that lock->reader remains zero.
--     * There is no need to update self->locks_held.
--     */
-+    self->locks_held++;
- }
- void qemu_co_rwlock_upgrade(CoRwlock *lock)
- {
--    Coroutine *self = qemu_coroutine_self();
--
-     qemu_co_mutex_lock(&lock->mutex);
--    assert(lock->reader > 0);
--    lock->reader--;
--    lock->pending_writer++;
--    while (lock->reader) {
--        qemu_co_queue_wait(&lock->queue, &lock->mutex);
-+    assert(lock->owners > 0);
-+    /* For fairness, wait if a writer is in line.  */
-+    if (lock->owners == 1 && QSIMPLEQ_EMPTY(&lock->tickets)) {
-+        lock->owners = -1;
-+        qemu_co_mutex_unlock(&lock->mutex);
-+    } else {
-+        CoRwTicket my_ticket = { false, qemu_coroutine_self() };
-+
-+        lock->owners--;
-+        QSIMPLEQ_INSERT_TAIL(&lock->tickets, &my_ticket, next);
-+        qemu_co_rwlock_maybe_wake_one(lock);
-+        qemu_coroutine_yield();
-+        assert(lock->owners == -1);
-     }
--    lock->pending_writer--;
--
--    /* The rest of the write-side critical section is run with
--     * the mutex taken, similar to qemu_co_rwlock_wrlock.  Do
--     * not account for the lock twice in self->locks_held.
--     */
--    self->locks_held--;
- }
---
-.30.2

-[PULL for-6.0 5/6] test-coroutine: Add rwlock upgrade test
+Deleted patch
-From: Paolo Bonzini <pbonzini@redhat.com>
-Test that rwlock upgrade is fair, and that readers go back to sleep if
-a writer is in line.
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20210325112941.365238-6-pbonzini@redhat.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- tests/unit/test-coroutine.c | 62 +++++++++++++++++++++++++++++++++++++
-file changed, 62 insertions(+)
-diff --git a/tests/unit/test-coroutine.c b/tests/unit/test-coroutine.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/unit/test-coroutine.c
-+++ b/tests/unit/test-coroutine.c
-@@ -XXX,XX +XXX,XX @@ static void test_co_mutex_lockable(void)
-     g_assert(QEMU_MAKE_LOCKABLE(null_pointer) == NULL);
- }
-+static CoRwlock rwlock;
-+
-+/* Test that readers are properly sent back to the queue when upgrading,
-+ * even if they are the sole readers.  The test scenario is as follows:
-+ *
-+ *
-+ * | c1           | c2         |
-+ * |--------------+------------+
-+ * | rdlock       |            |
-+ * | yield        |            |
-+ * |              | wrlock     |
-+ * |              | <queued>   |
-+ * | upgrade      |            |
-+ * | <queued>     | <dequeued> |
-+ * |              | unlock     |
-+ * | <dequeued>   |            |
-+ * | unlock       |            |
-+ */
-+
-+static void coroutine_fn rwlock_yield_upgrade(void *opaque)
-+{
-+    qemu_co_rwlock_rdlock(&rwlock);
-+    qemu_coroutine_yield();
-+
-+    qemu_co_rwlock_upgrade(&rwlock);
-+    qemu_co_rwlock_unlock(&rwlock);
-+
-+    *(bool *)opaque = true;
-+}
-+
-+static void coroutine_fn rwlock_wrlock_yield(void *opaque)
-+{
-+    qemu_co_rwlock_wrlock(&rwlock);
-+    qemu_coroutine_yield();
-+
-+    qemu_co_rwlock_unlock(&rwlock);
-+    *(bool *)opaque = true;
-+}
-+
-+static void test_co_rwlock_upgrade(void)
-+{
-+    bool c1_done = false;
-+    bool c2_done = false;
-+    Coroutine *c1, *c2;
-+
-+    qemu_co_rwlock_init(&rwlock);
-+    c1 = qemu_coroutine_create(rwlock_yield_upgrade, &c1_done);
-+    c2 = qemu_coroutine_create(rwlock_wrlock_yield, &c2_done);
-+
-+    qemu_coroutine_enter(c1);
-+    qemu_coroutine_enter(c2);
-+
-+    /* c1 now should go to sleep.  */
-+    qemu_coroutine_enter(c1);
-+    g_assert(!c1_done);
-+
-+    qemu_coroutine_enter(c2);
-+    g_assert(c1_done);
-+    g_assert(c2_done);
-+}
-+
- /*
-  * Check that creation, enter, and return work
-  */
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
-     g_test_add_func("/basic/order", test_order);
-     g_test_add_func("/locking/co-mutex", test_co_mutex);
-     g_test_add_func("/locking/co-mutex/lockable", test_co_mutex_lockable);
-+    g_test_add_func("/locking/co-rwlock/upgrade", test_co_rwlock_upgrade);
-     if (g_test_perf()) {
-         g_test_add_func("/perf/lifecycle", perf_lifecycle);
-         g_test_add_func("/perf/nesting", perf_nesting);
---
-.30.2

-[PULL for-6.0 6/6] test-coroutine: Add rwlock downgrade test
+[PULL for-6.1 1/1] block/nvme: Fix VFIO_MAP_DMA failed: No space left on device
-From: David Edmondson <david.edmondson@oracle.com>
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Test that downgrading an rwlock does not result in a failure to
+When the NVMe block driver was introduced (see commit bdd6a90a9e5,
-schedule coroutines queued on the rwlock.
+January 2018), Linux VFIO_IOMMU_MAP_DMA ioctl was only returning
 -ENOMEM in case of error. The driver was correctly handling the
 error path to recycle its volatile IOVA mappings.
-The diagram associated with test_co_rwlock_downgrade() describes the
+To fix CVE-2019-3882, Linux commit 492855939bdb ("vfio/type1: Limit
-intended behaviour, but what was observed previously corresponds to:
+DMA mappings per container", April 2019) added the -ENOSPC error to
 signal the user exhausted the DMA mappings available for a container.
-| c1     | c2         | c3         | c4       |
+The block driver started to mis-behave:
 |--------+------------+------------+----------|
 | rdlock |            |            |          |
 | yield  |            |            |          |
 |        | wrlock     |            |          |
 |        | <queued>   |            |          |
 |        |            | rdlock     |          |
 |        |            | <queued>   |          |
 |        |            |            | wrlock   |
 |        |            |            | <queued> |
 | unlock |            |            |          |
 | yield  |            |            |          |
 |        | <dequeued> |            |          |
 |        | downgrade  |            |          |
 |        | ...        |            |          |
 |        | unlock     |            |          |
 |        |            | <dequeued> |          |
 |        |            | <queued>   |          |
-This results in a failure...
+  qemu-system-x86_64: VFIO_MAP_DMA failed: No space left on device
   (qemu)
   (qemu) info status
   VM status: paused (io-error)
   (qemu) c
   VFIO_MAP_DMA failed: No space left on device
   (qemu) c
   VFIO_MAP_DMA failed: No space left on device
-ERROR:../tests/test-coroutine.c:369:test_co_rwlock_downgrade: assertion failed: (c3_done)
+(The VM is not resumable from here, hence stuck.)
 Bail out! ERROR:../tests/test-coroutine.c:369:test_co_rwlock_downgrade: assertion failed: (c3_done)
-...as a result of the c3 coroutine failing to run to completion.
+Fix by handling the new -ENOSPC error (when DMA mappings are
 exhausted) without any distinction to the current -ENOMEM error,
 so we don't change the behavior on old kernels where the CVE-2019-3882
 fix is not present.
-Signed-off-by: David Edmondson <david.edmondson@oracle.com>
+An easy way to reproduce this bug is to restrict the DMA mapping
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+limit (65535 by default) when loading the VFIO IOMMU module:
-Message-id: 20210325112941.365238-7-pbonzini@redhat.com
-Message-Id: <20210309144015.557477-5-david.edmondson@oracle.com>
+  # modprobe vfio_iommu_type1 dma_entry_limit=666
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Cc: qemu-stable@nongnu.org
 Cc: Fam Zheng <fam@euphon.net>
 Cc: Maxim Levitsky <mlevitsk@redhat.com>
 Cc: Alex Williamson <alex.williamson@redhat.com>
 Reported-by: Michal Prívozník <mprivozn@redhat.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20210723195843.1032825-1-philmd@redhat.com
 Fixes: bdd6a90a9e5 ("block: Add VFIO based NVMe driver")
 Buglink: https://bugs.launchpad.net/qemu/+bug/1863333
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/65
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- tests/unit/test-coroutine.c | 99 +++++++++++++++++++++++++++++++++++++
+ block/nvme.c | 22 ++++++++++++++++++++++
-file changed, 99 insertions(+)
+file changed, 22 insertions(+)
-diff --git a/tests/unit/test-coroutine.c b/tests/unit/test-coroutine.c
+diff --git a/block/nvme.c b/block/nvme.c
 index XXXXXXX..XXXXXXX 100644
---- a/tests/unit/test-coroutine.c
+--- a/block/nvme.c
-+++ b/tests/unit/test-coroutine.c
++++ b/block/nvme.c
-@@ -XXX,XX +XXX,XX @@ static void test_co_rwlock_upgrade(void)
+@@ -XXX,XX +XXX,XX @@ try_map:
-     g_assert(c2_done);
+         r = qemu_vfio_dma_map(s->vfio,
- }
+                               qiov->iov[i].iov_base,
+                               len, true, &iova);
-+static void coroutine_fn rwlock_rdlock_yield(void *opaque)
++        if (r == -ENOSPC) {
-+{
++            /*
-+    qemu_co_rwlock_rdlock(&rwlock);
++             * In addition to the -ENOMEM error, the VFIO_IOMMU_MAP_DMA
-+    qemu_coroutine_yield();
++             * ioctl returns -ENOSPC to signal the user exhausted the DMA
-+
++             * mappings available for a container since Linux kernel commit
-+    qemu_co_rwlock_unlock(&rwlock);
++             * 492855939bdb ("vfio/type1: Limit DMA mappings per container",
-+    qemu_coroutine_yield();
++             * April 2019, see CVE-2019-3882).
-+
++             *
-+    *(bool *)opaque = true;
++             * This block driver already handles this error path by checking
-+}
++             * for the -ENOMEM error, so we directly replace -ENOSPC by
-+
++             * -ENOMEM. Beside, -ENOSPC has a specific meaning for blockdev
-+static void coroutine_fn rwlock_wrlock_downgrade(void *opaque)
++             * coroutines: it triggers BLOCKDEV_ON_ERROR_ENOSPC and
-+{
++             * BLOCK_ERROR_ACTION_STOP which stops the VM, asking the operator
-+    qemu_co_rwlock_wrlock(&rwlock);
++             * to add more storage to the blockdev. Not something we can do
-+
++             * easily with an IOMMU :)
-+    qemu_co_rwlock_downgrade(&rwlock);
++             */
-+    qemu_co_rwlock_unlock(&rwlock);
++            r = -ENOMEM;
-+    *(bool *)opaque = true;
++        }
-+}
+         if (r == -ENOMEM && retry) {
-+
++            /*
-+static void coroutine_fn rwlock_rdlock(void *opaque)
++             * We exhausted the DMA mappings available for our container:
-+{
++             * recycle the volatile IOVA mappings.
-+    qemu_co_rwlock_rdlock(&rwlock);
++             */
-+
+             retry = false;
-+    qemu_co_rwlock_unlock(&rwlock);
+             trace_nvme_dma_flush_queue_wait(s);
-+    *(bool *)opaque = true;
+             if (s->dma_map_count) {
 +}
 +
 +static void coroutine_fn rwlock_wrlock(void *opaque)
 +{
 +    qemu_co_rwlock_wrlock(&rwlock);
 +
 +    qemu_co_rwlock_unlock(&rwlock);
 +    *(bool *)opaque = true;
 +}
 +
 +/*
 + * Check that downgrading a reader-writer lock does not cause a hang.
 + *
 + * Four coroutines are used to produce a situation where there are
 + * both reader and writer hopefuls waiting to acquire an rwlock that
 + * is held by a reader.
 + *
 + * The correct sequence of operations we aim to provoke can be
 + * represented as:
 + *
 + * | c1     | c2         | c3         | c4         |
 + * |--------+------------+------------+------------|
 + * | rdlock |            |            |            |
 + * | yield  |            |            |            |
 + * |        | wrlock     |            |            |
 + * |        | <queued>   |            |            |
 + * |        |            | rdlock     |            |
 + * |        |            | <queued>   |            |
 + * |        |            |            | wrlock     |
 + * |        |            |            | <queued>   |
 + * | unlock |            |            |            |
 + * | yield  |            |            |            |
 + * |        | <dequeued> |            |            |
 + * |        | downgrade  |            |            |
 + * |        |            | <dequeued> |            |
 + * |        |            | unlock     |            |
 + * |        | ...        |            |            |
 + * |        | unlock     |            |            |
 + * |        |            |            | <dequeued> |
 + * |        |            |            | unlock     |
 + */
 +static void test_co_rwlock_downgrade(void)
 +{
 +    bool c1_done = false;
 +    bool c2_done = false;
 +    bool c3_done = false;
 +    bool c4_done = false;
 +    Coroutine *c1, *c2, *c3, *c4;
 +
 +    qemu_co_rwlock_init(&rwlock);
 +
 +    c1 = qemu_coroutine_create(rwlock_rdlock_yield, &c1_done);
 +    c2 = qemu_coroutine_create(rwlock_wrlock_downgrade, &c2_done);
 +    c3 = qemu_coroutine_create(rwlock_rdlock, &c3_done);
 +    c4 = qemu_coroutine_create(rwlock_wrlock, &c4_done);
 +
 +    qemu_coroutine_enter(c1);
 +    qemu_coroutine_enter(c2);
 +    qemu_coroutine_enter(c3);
 +    qemu_coroutine_enter(c4);
 +
 +    qemu_coroutine_enter(c1);
 +
 +    g_assert(c2_done);
 +    g_assert(c3_done);
 +    g_assert(c4_done);
 +
 +    qemu_coroutine_enter(c1);
 +
 +    g_assert(c1_done);
 +}
 +
  /*
   * Check that creation, enter, and return work
   */
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
      g_test_add_func("/locking/co-mutex", test_co_mutex);
      g_test_add_func("/locking/co-mutex/lockable", test_co_mutex_lockable);
      g_test_add_func("/locking/co-rwlock/upgrade", test_co_rwlock_upgrade);
 +    g_test_add_func("/locking/co-rwlock/downgrade", test_co_rwlock_downgrade);
      if (g_test_perf()) {
          g_test_add_func("/perf/lifecycle", perf_lifecycle);
          g_test_add_func("/perf/nesting", perf_nesting);
 --
-.30.2
+.31.1

The following changes since commit 6d40ce00c1166c317e298ad82ecf10e650c4f87d:

Update version for v6.0.0-rc1 release (2021-03-30 18:19:07 +0100)

are available in the Git repository at:

https://gitlab.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to b6489ac06695e257ea0a9841364577e247fdee30:

test-coroutine: Add rwlock downgrade test (2021-03-31 10:44:21 +0100)

----------------------------------------------------------------
Pull request

A fix for VDI image files and more generally for CoRwlock.

----------------------------------------------------------------

David Edmondson (4):
  block/vdi: When writing new bmap entry fails, don't leak the buffer
  block/vdi: Don't assume that blocks are larger than VdiHeader
  coroutine-lock: Store the coroutine in the CoWaitRecord only once
  test-coroutine: Add rwlock downgrade test

Paolo Bonzini (2):
  coroutine-lock: Reimplement CoRwlock to fix downgrade bug
  test-coroutine: Add rwlock upgrade test

include/qemu/coroutine.h    |  17 ++--
 block/vdi.c                 |  11 ++-
 tests/unit/test-coroutine.c | 161 +++++++++++++++++++++++++++++++++++
 util/qemu-coroutine-lock.c  | 165 +++++++++++++++++++++++-------------
 4 files changed, 282 insertions(+), 72 deletions(-)

-- 
2.30.2

From: David Edmondson <david.edmondson@oracle.com>

If a new bitmap entry is allocated, requiring the entire block to be
written, avoiding leaking the buffer allocated for the block should
the write fail.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: David Edmondson <david.edmondson@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Max Reitz <mreitz@redhat.com>
Message-id: 20210325112941.365238-2-pbonzini@redhat.com
Message-Id: <20210309144015.557477-2-david.edmondson@oracle.com>
Acked-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/vdi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/vdi.c b/block/vdi.c
index XXXXXXX..XXXXXXX 100644
--- a/block/vdi.c
+++ b/block/vdi.c
@@ -XXX,XX +XXX,XX @@ nonallocating_write:
 
     logout("finished data write\n");
     if (ret < 0) {
+        g_free(block);
         return ret;
     }
 
-- 
2.30.2

From: David Edmondson <david.edmondson@oracle.com>

Given that the block size is read from the header of the VDI file, a
wide variety of sizes might be seen. Rather than re-using a block
sized memory region when writing the VDI header, allocate an
appropriately sized buffer.

Signed-off-by: David Edmondson <david.edmondson@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Max Reitz <mreitz@redhat.com>
Message-id: 20210325112941.365238-3-pbonzini@redhat.com
Message-Id: <20210309144015.557477-3-david.edmondson@oracle.com>
Acked-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/vdi.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/block/vdi.c b/block/vdi.c
index XXXXXXX..XXXXXXX 100644
--- a/block/vdi.c
+++ b/block/vdi.c
@@ -XXX,XX +XXX,XX @@ nonallocating_write:
 
     if (block) {
         /* One or more new blocks were allocated. */
-        VdiHeader *header = (VdiHeader *) block;
+        VdiHeader *header;
         uint8_t *base;
         uint64_t offset;
         uint32_t n_sectors;
 
+        g_free(block);
+        header = g_malloc(sizeof(*header));
+
         logout("now writing modified header\n");
         assert(VDI_IS_ALLOCATED(bmap_first));
         *header = s->header;
         vdi_header_to_le(header);
-        ret = bdrv_pwrite(bs->file, 0, block, sizeof(VdiHeader));
-        g_free(block);
-        block = NULL;
+        ret = bdrv_pwrite(bs->file, 0, header, sizeof(*header));
+        g_free(header);
 
         if (ret < 0) {
             return ret;
-- 
2.30.2

From: David Edmondson <david.edmondson@oracle.com>

When taking the slow path for mutex acquisition, set the coroutine
value in the CoWaitRecord in push_waiter(), rather than both there and
in the caller.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: David Edmondson <david.edmondson@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20210325112941.365238-4-pbonzini@redhat.com
Message-Id: <20210309144015.557477-4-david.edmondson@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 util/qemu-coroutine-lock.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-coroutine-lock.c
+++ b/util/qemu-coroutine-lock.c
@@ -XXX,XX +XXX,XX @@ static void coroutine_fn qemu_co_mutex_lock_slowpath(AioContext *ctx,
     unsigned old_handoff;
 
     trace_qemu_co_mutex_lock_entry(mutex, self);
-    w.co = self;
     push_waiter(mutex, &w);
 
     /* This is the "Responsibility Hand-Off" protocol; a lock() picks from
-- 
2.30.2

From: Paolo Bonzini <pbonzini@redhat.com>

An invariant of the current rwlock is that if multiple coroutines hold a
reader lock, all must be runnable. The unlock implementation relies on
this, choosing to wake a single coroutine when the final read lock
holder exits the critical section, assuming that it will wake a
coroutine attempting to acquire a write lock.

The downgrade implementation violates this assumption by creating a
read lock owning coroutine that is exclusively runnable - any other
coroutines that are waiting to acquire a read lock are *not* made
runnable when the write lock holder converts its ownership to read
only.

More in general, the old implementation had lots of other fairness bugs.
The root cause of the bugs was that CoQueue would wake up readers even
if there were pending writers, and would wake up writers even if there
were readers.  In that case, the coroutine would go back to sleep *at
the end* of the CoQueue, losing its place at the head of the line.

To fix this, keep the queue of waiters explicitly in the CoRwlock
instead of using CoQueue, and store for each whether it is a
potential reader or a writer.  This way, downgrade can look at the
first queued coroutines and wake it only if it is a reader, causing
all other readers in line to be released in turn.

Reported-by: David Edmondson <david.edmondson@oracle.com>
Reviewed-by: David Edmondson <david.edmondson@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20210325112941.365238-5-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 include/qemu/coroutine.h   |  17 ++--
 util/qemu-coroutine-lock.c | 164 +++++++++++++++++++++++--------------
 2 files changed, 114 insertions(+), 67 deletions(-)

diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/coroutine.h
+++ b/include/qemu/coroutine.h
@@ -XXX,XX +XXX,XX @@ bool qemu_co_enter_next_impl(CoQueue *queue, QemuLockable *lock);
 bool qemu_co_queue_empty(CoQueue *queue);
 
 
+typedef struct CoRwTicket CoRwTicket;
 typedef struct CoRwlock {
-    int pending_writer;
-    int reader;
     CoMutex mutex;
-    CoQueue queue;
+
+    /* Number of readers, or -1 if owned for writing.  */
+    int owners;
+
+    /* Waiting coroutines.  */
+    QSIMPLEQ_HEAD(, CoRwTicket) tickets;
 } CoRwlock;
 
 /**
@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_rdlock(CoRwlock *lock);
 /**
  * Write Locks the CoRwlock from a reader.  This is a bit more efficient than
  * @qemu_co_rwlock_unlock followed by a separate @qemu_co_rwlock_wrlock.
- * However, if the lock cannot be upgraded immediately, control is transferred
- * to the caller of the current coroutine.  Also, @qemu_co_rwlock_upgrade
- * only overrides CoRwlock fairness if there are no concurrent readers, so
- * another writer might run while @qemu_co_rwlock_upgrade blocks.
+ * Note that if the lock cannot be upgraded immediately, control is transferred
+ * to the caller of the current coroutine; another writer might run while
+ * @qemu_co_rwlock_upgrade blocks.
  */
 void qemu_co_rwlock_upgrade(CoRwlock *lock);
 
diff --git a/util/qemu-coroutine-lock.c b/util/qemu-coroutine-lock.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-coroutine-lock.c
+++ b/util/qemu-coroutine-lock.c
@@ -XXX,XX +XXX,XX @@ void coroutine_fn qemu_co_mutex_unlock(CoMutex *mutex)
     trace_qemu_co_mutex_unlock_return(mutex, self);
 }
 
+struct CoRwTicket {
+    bool read;
+    Coroutine *co;
+    QSIMPLEQ_ENTRY(CoRwTicket) next;
+};
+
 void qemu_co_rwlock_init(CoRwlock *lock)
 {
-    memset(lock, 0, sizeof(*lock));
-    qemu_co_queue_init(&lock->queue);
     qemu_co_mutex_init(&lock->mutex);
+    lock->owners = 0;
+    QSIMPLEQ_INIT(&lock->tickets);
+}
+
+/* Releases the internal CoMutex.  */
+static void qemu_co_rwlock_maybe_wake_one(CoRwlock *lock)
+{
+    CoRwTicket *tkt = QSIMPLEQ_FIRST(&lock->tickets);
+    Coroutine *co = NULL;
+
+    /*
+     * Setting lock->owners here prevents rdlock and wrlock from
+     * sneaking in between unlock and wake.
+     */
+
+    if (tkt) {
+        if (tkt->read) {
+            if (lock->owners >= 0) {
+                lock->owners++;
+                co = tkt->co;
+            }
+        } else {
+            if (lock->owners == 0) {
+                lock->owners = -1;
+                co = tkt->co;
+            }
+        }
+    }
+
+    if (co) {
+        QSIMPLEQ_REMOVE_HEAD(&lock->tickets, next);
+        qemu_co_mutex_unlock(&lock->mutex);
+        aio_co_wake(co);
+    } else {
+        qemu_co_mutex_unlock(&lock->mutex);
+    }
 }
 
 void qemu_co_rwlock_rdlock(CoRwlock *lock)
@@ -XXX,XX +XXX,XX @@ void qemu_co_rwlock_rdlock(CoRwlock *lock)
 
     qemu_co_mutex_lock(&lock->mutex);
     /* For fairness, wait if a writer is in line.  */
-    while (lock->pending_writer) {
-        qemu_co_queue_wait(&lock->queue, &lock->mutex);
-    }
-    lock->reader++;
-    qemu_co_mutex_unlock(&lock->mutex);
-
-    /* The rest of the read-side critical section is run without the mutex.  */
-    self->locks_held++;
-}
-
-void qemu_co_rwlock_unlock(CoRwlock *lock)
-{
-    Coroutine *self = qemu_coroutine_self();
-
-    assert(qemu_in_coroutine());
-    if (!lock->reader) {
-        /* The critical section started in qemu_co_rwlock_wrlock.  */
-        qemu_co_queue_restart_all(&lock->queue);
+    if (lock->owners == 0 || (lock->owners > 0 && QSIMPLEQ_EMPTY(&lock->tickets))) {
+        lock->owners++;
+        qemu_co_mutex_unlock(&lock->mutex);
     } else {
-        self->locks_held--;
+        CoRwTicket my_ticket = { true, self };
 
+        QSIMPLEQ_INSERT_TAIL(&lock->tickets, &my_ticket, next);
+        qemu_co_mutex_unlock(&lock->mutex);
+        qemu_coroutine_yield();
+        assert(lock->owners >= 1);
+
+        /* Possibly wake another reader, which will wake the next in line.  */
         qemu_co_mutex_lock(&lock->mutex);
-        lock->reader--;
-        assert(lock->reader >= 0);
-        /* Wakeup only one waiting writer */
-        if (!lock->reader) {
-            qemu_co_queue_next(&lock->queue);
-        }
+        qemu_co_rwlock_maybe_wake_one(lock);
     }
-    qemu_co_mutex_unlock(&lock->mutex);
+
+    self->locks_held++;
+}
+
+void qemu_co_rwlock_unlock(CoRwlock *lock)
+{
+    Coroutine *self = qemu_coroutine_self();
+
+    assert(qemu_in_coroutine());
+    self->locks_held--;
+
+    qemu_co_mutex_lock(&lock->mutex);
+    if (lock->owners > 0) {
+        lock->owners--;
+    } else {
+        assert(lock->owners == -1);
+        lock->owners = 0;
+    }
+
+    qemu_co_rwlock_maybe_wake_one(lock);
 }
 
 void qemu_co_rwlock_downgrade(CoRwlock *lock)
 {
-    Coroutine *self = qemu_coroutine_self();
+    qemu_co_mutex_lock(&lock->mutex);
+    assert(lock->owners == -1);
+    lock->owners = 1;
 
-    /* lock->mutex critical section started in qemu_co_rwlock_wrlock or
-     * qemu_co_rwlock_upgrade.
-     */
-    assert(lock->reader == 0);
-    lock->reader++;
-    qemu_co_mutex_unlock(&lock->mutex);
-
-    /* The rest of the read-side critical section is run without the mutex.  */
-    self->locks_held++;
+    /* Possibly wake another reader, which will wake the next in line.  */
+    qemu_co_rwlock_maybe_wake_one(lock);
 }
 
 void qemu_co_rwlock_wrlock(CoRwlock *lock)
 {
+    Coroutine *self = qemu_coroutine_self();
+
     qemu_co_mutex_lock(&lock->mutex);
-    lock->pending_writer++;
-    while (lock->reader) {
-        qemu_co_queue_wait(&lock->queue, &lock->mutex);
+    if (lock->owners == 0) {
+        lock->owners = -1;
+        qemu_co_mutex_unlock(&lock->mutex);
+    } else {
+        CoRwTicket my_ticket = { false, qemu_coroutine_self() };
+
+        QSIMPLEQ_INSERT_TAIL(&lock->tickets, &my_ticket, next);
+        qemu_co_mutex_unlock(&lock->mutex);
+        qemu_coroutine_yield();
+        assert(lock->owners == -1);
     }
-    lock->pending_writer--;
 
-    /* The rest of the write-side critical section is run with
-     * the mutex taken, so that lock->reader remains zero.
-     * There is no need to update self->locks_held.
-     */
+    self->locks_held++;
 }
 
 void qemu_co_rwlock_upgrade(CoRwlock *lock)
 {
-    Coroutine *self = qemu_coroutine_self();
-
     qemu_co_mutex_lock(&lock->mutex);
-    assert(lock->reader > 0);
-    lock->reader--;
-    lock->pending_writer++;
-    while (lock->reader) {
-        qemu_co_queue_wait(&lock->queue, &lock->mutex);
+    assert(lock->owners > 0);
+    /* For fairness, wait if a writer is in line.  */
+    if (lock->owners == 1 && QSIMPLEQ_EMPTY(&lock->tickets)) {
+        lock->owners = -1;
+        qemu_co_mutex_unlock(&lock->mutex);
+    } else {
+        CoRwTicket my_ticket = { false, qemu_coroutine_self() };
+
+        lock->owners--;
+        QSIMPLEQ_INSERT_TAIL(&lock->tickets, &my_ticket, next);
+        qemu_co_rwlock_maybe_wake_one(lock);
+        qemu_coroutine_yield();
+        assert(lock->owners == -1);
     }
-    lock->pending_writer--;
-
-    /* The rest of the write-side critical section is run with
-     * the mutex taken, similar to qemu_co_rwlock_wrlock.  Do
-     * not account for the lock twice in self->locks_held.
-     */
-    self->locks_held--;
 }
-- 
2.30.2

From: Paolo Bonzini <pbonzini@redhat.com>

Test that rwlock upgrade is fair, and that readers go back to sleep if
a writer is in line.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20210325112941.365238-6-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/unit/test-coroutine.c | 62 +++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/tests/unit/test-coroutine.c b/tests/unit/test-coroutine.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/unit/test-coroutine.c
+++ b/tests/unit/test-coroutine.c
@@ -XXX,XX +XXX,XX @@ static void test_co_mutex_lockable(void)
     g_assert(QEMU_MAKE_LOCKABLE(null_pointer) == NULL);
 }
 
+static CoRwlock rwlock;
+
+/* Test that readers are properly sent back to the queue when upgrading,
+ * even if they are the sole readers.  The test scenario is as follows:
+ *
+ *
+ * | c1           | c2         |
+ * |--------------+------------+
+ * | rdlock       |            |
+ * | yield        |            |
+ * |              | wrlock     |
+ * |              | <queued>   |
+ * | upgrade      |            |
+ * | <queued>     | <dequeued> |
+ * |              | unlock     |
+ * | <dequeued>   |            |
+ * | unlock       |            |
+ */
+
+static void coroutine_fn rwlock_yield_upgrade(void *opaque)
+{
+    qemu_co_rwlock_rdlock(&rwlock);
+    qemu_coroutine_yield();
+
+    qemu_co_rwlock_upgrade(&rwlock);
+    qemu_co_rwlock_unlock(&rwlock);
+
+    *(bool *)opaque = true;
+}
+
+static void coroutine_fn rwlock_wrlock_yield(void *opaque)
+{
+    qemu_co_rwlock_wrlock(&rwlock);
+    qemu_coroutine_yield();
+
+    qemu_co_rwlock_unlock(&rwlock);
+    *(bool *)opaque = true;
+}
+
+static void test_co_rwlock_upgrade(void)
+{
+    bool c1_done = false;
+    bool c2_done = false;
+    Coroutine *c1, *c2;
+
+    qemu_co_rwlock_init(&rwlock);
+    c1 = qemu_coroutine_create(rwlock_yield_upgrade, &c1_done);
+    c2 = qemu_coroutine_create(rwlock_wrlock_yield, &c2_done);
+
+    qemu_coroutine_enter(c1);
+    qemu_coroutine_enter(c2);
+
+    /* c1 now should go to sleep.  */
+    qemu_coroutine_enter(c1);
+    g_assert(!c1_done);
+
+    qemu_coroutine_enter(c2);
+    g_assert(c1_done);
+    g_assert(c2_done);
+}
+
 /*
  * Check that creation, enter, and return work
  */
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
     g_test_add_func("/basic/order", test_order);
     g_test_add_func("/locking/co-mutex", test_co_mutex);
     g_test_add_func("/locking/co-mutex/lockable", test_co_mutex_lockable);
+    g_test_add_func("/locking/co-rwlock/upgrade", test_co_rwlock_upgrade);
     if (g_test_perf()) {
         g_test_add_func("/perf/lifecycle", perf_lifecycle);
         g_test_add_func("/perf/nesting", perf_nesting);
-- 
2.30.2

From: David Edmondson <david.edmondson@oracle.com>

Test that downgrading an rwlock does not result in a failure to
schedule coroutines queued on the rwlock.

The diagram associated with test_co_rwlock_downgrade() describes the
intended behaviour, but what was observed previously corresponds to:

| c1     | c2         | c3         | c4       |
|--------+------------+------------+----------|
| rdlock |            |            |          |
| yield  |            |            |          |
|        | wrlock     |            |          |
|        | <queued>   |            |          |
|        |            | rdlock     |          |
|        |            | <queued>   |          |
|        |            |            | wrlock   |
|        |            |            | <queued> |
| unlock |            |            |          |
| yield  |            |            |          |
|        | <dequeued> |            |          |
|        | downgrade  |            |          |
|        | ...        |            |          |
|        | unlock     |            |          |
|        |            | <dequeued> |          |
|        |            | <queued>   |          |

This results in a failure...

ERROR:../tests/test-coroutine.c:369:test_co_rwlock_downgrade: assertion failed: (c3_done)
Bail out! ERROR:../tests/test-coroutine.c:369:test_co_rwlock_downgrade: assertion failed: (c3_done)

...as a result of the c3 coroutine failing to run to completion.

Signed-off-by: David Edmondson <david.edmondson@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20210325112941.365238-7-pbonzini@redhat.com
Message-Id: <20210309144015.557477-5-david.edmondson@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/unit/test-coroutine.c | 99 +++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)

diff --git a/tests/unit/test-coroutine.c b/tests/unit/test-coroutine.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/unit/test-coroutine.c
+++ b/tests/unit/test-coroutine.c
@@ -XXX,XX +XXX,XX @@ static void test_co_rwlock_upgrade(void)
     g_assert(c2_done);
 }
 
+static void coroutine_fn rwlock_rdlock_yield(void *opaque)
+{
+    qemu_co_rwlock_rdlock(&rwlock);
+    qemu_coroutine_yield();
+
+    qemu_co_rwlock_unlock(&rwlock);
+    qemu_coroutine_yield();
+
+    *(bool *)opaque = true;
+}
+
+static void coroutine_fn rwlock_wrlock_downgrade(void *opaque)
+{
+    qemu_co_rwlock_wrlock(&rwlock);
+
+    qemu_co_rwlock_downgrade(&rwlock);
+    qemu_co_rwlock_unlock(&rwlock);
+    *(bool *)opaque = true;
+}
+
+static void coroutine_fn rwlock_rdlock(void *opaque)
+{
+    qemu_co_rwlock_rdlock(&rwlock);
+
+    qemu_co_rwlock_unlock(&rwlock);
+    *(bool *)opaque = true;
+}
+
+static void coroutine_fn rwlock_wrlock(void *opaque)
+{
+    qemu_co_rwlock_wrlock(&rwlock);
+
+    qemu_co_rwlock_unlock(&rwlock);
+    *(bool *)opaque = true;
+}
+
+/*
+ * Check that downgrading a reader-writer lock does not cause a hang.
+ *
+ * Four coroutines are used to produce a situation where there are
+ * both reader and writer hopefuls waiting to acquire an rwlock that
+ * is held by a reader.
+ *
+ * The correct sequence of operations we aim to provoke can be
+ * represented as:
+ *
+ * | c1     | c2         | c3         | c4         |
+ * |--------+------------+------------+------------|
+ * | rdlock |            |            |            |
+ * | yield  |            |            |            |
+ * |        | wrlock     |            |            |
+ * |        | <queued>   |            |            |
+ * |        |            | rdlock     |            |
+ * |        |            | <queued>   |            |
+ * |        |            |            | wrlock     |
+ * |        |            |            | <queued>   |
+ * | unlock |            |            |            |
+ * | yield  |            |            |            |
+ * |        | <dequeued> |            |            |
+ * |        | downgrade  |            |            |
+ * |        |            | <dequeued> |            |
+ * |        |            | unlock     |            |
+ * |        | ...        |            |            |
+ * |        | unlock     |            |            |
+ * |        |            |            | <dequeued> |
+ * |        |            |            | unlock     |
+ */
+static void test_co_rwlock_downgrade(void)
+{
+    bool c1_done = false;
+    bool c2_done = false;
+    bool c3_done = false;
+    bool c4_done = false;
+    Coroutine *c1, *c2, *c3, *c4;
+
+    qemu_co_rwlock_init(&rwlock);
+
+    c1 = qemu_coroutine_create(rwlock_rdlock_yield, &c1_done);
+    c2 = qemu_coroutine_create(rwlock_wrlock_downgrade, &c2_done);
+    c3 = qemu_coroutine_create(rwlock_rdlock, &c3_done);
+    c4 = qemu_coroutine_create(rwlock_wrlock, &c4_done);
+
+    qemu_coroutine_enter(c1);
+    qemu_coroutine_enter(c2);
+    qemu_coroutine_enter(c3);
+    qemu_coroutine_enter(c4);
+
+    qemu_coroutine_enter(c1);
+
+    g_assert(c2_done);
+    g_assert(c3_done);
+    g_assert(c4_done);
+
+    qemu_coroutine_enter(c1);
+
+    g_assert(c1_done);
+}
+
 /*
  * Check that creation, enter, and return work
  */
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
     g_test_add_func("/locking/co-mutex", test_co_mutex);
     g_test_add_func("/locking/co-mutex/lockable", test_co_mutex_lockable);
     g_test_add_func("/locking/co-rwlock/upgrade", test_co_rwlock_upgrade);
+    g_test_add_func("/locking/co-rwlock/downgrade", test_co_rwlock_downgrade);
     if (g_test_perf()) {
         g_test_add_func("/perf/lifecycle", perf_lifecycle);
         g_test_add_func("/perf/nesting", perf_nesting);
-- 
2.30.2

From: Philippe Mathieu-Daudé <philmd@redhat.com>

When the NVMe block driver was introduced (see commit bdd6a90a9e5,
January 2018), Linux VFIO_IOMMU_MAP_DMA ioctl was only returning
-ENOMEM in case of error. The driver was correctly handling the
error path to recycle its volatile IOVA mappings.

To fix CVE-2019-3882, Linux commit 492855939bdb ("vfio/type1: Limit
DMA mappings per container", April 2019) added the -ENOSPC error to
signal the user exhausted the DMA mappings available for a container.

The block driver started to mis-behave:

qemu-system-x86_64: VFIO_MAP_DMA failed: No space left on device
  (qemu)
  (qemu) info status
  VM status: paused (io-error)
  (qemu) c
  VFIO_MAP_DMA failed: No space left on device
  (qemu) c
  VFIO_MAP_DMA failed: No space left on device

(The VM is not resumable from here, hence stuck.)

Fix by handling the new -ENOSPC error (when DMA mappings are
exhausted) without any distinction to the current -ENOMEM error,
so we don't change the behavior on old kernels where the CVE-2019-3882
fix is not present.

An easy way to reproduce this bug is to restrict the DMA mapping
limit (65535 by default) when loading the VFIO IOMMU module:

# modprobe vfio_iommu_type1 dma_entry_limit=666

Cc: qemu-stable@nongnu.org
Cc: Fam Zheng <fam@euphon.net>
Cc: Maxim Levitsky <mlevitsk@redhat.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Reported-by: Michal Prívozník <mprivozn@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20210723195843.1032825-1-philmd@redhat.com
Fixes: bdd6a90a9e5 ("block: Add VFIO based NVMe driver")
Buglink: https://bugs.launchpad.net/qemu/+bug/1863333
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/65
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/nvme.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/block/nvme.c b/block/nvme.c
index XXXXXXX..XXXXXXX 100644
--- a/block/nvme.c
+++ b/block/nvme.c
@@ -XXX,XX +XXX,XX @@ try_map:
         r = qemu_vfio_dma_map(s->vfio,
                               qiov->iov[i].iov_base,
                               len, true, &iova);
+        if (r == -ENOSPC) {
+            /*
+             * In addition to the -ENOMEM error, the VFIO_IOMMU_MAP_DMA
+             * ioctl returns -ENOSPC to signal the user exhausted the DMA
+             * mappings available for a container since Linux kernel commit
+             * 492855939bdb ("vfio/type1: Limit DMA mappings per container",
+             * April 2019, see CVE-2019-3882).
+             *
+             * This block driver already handles this error path by checking
+             * for the -ENOMEM error, so we directly replace -ENOSPC by
+             * -ENOMEM. Beside, -ENOSPC has a specific meaning for blockdev
+             * coroutines: it triggers BLOCKDEV_ON_ERROR_ENOSPC and
+             * BLOCK_ERROR_ACTION_STOP which stops the VM, asking the operator
+             * to add more storage to the blockdev. Not something we can do
+             * easily with an IOMMU :)
+             */
+            r = -ENOMEM;
+        }
         if (r == -ENOMEM && retry) {
+            /*
+             * We exhausted the DMA mappings available for our container:
+             * recycle the volatile IOVA mappings.
+             */
             retry = false;
             trace_nvme_dma_flush_queue_wait(s);
             if (s->dma_map_count) {
-- 
2.31.1