Series comparison

-[PULL for-7.0 0/2] Block patches
+[Qemu-devel] [PULL for-2.11-rc1 v2 0/2] Block patches
-The following changes since commit 1d60bb4b14601e38ed17384277aa4c30c57925d3:
+The following changes since commit b0fbe46ad82982b289a44ee2495b59b0bad8a842:
-  Merge tag 'pull-request-2022-03-15v2' of https://gitlab.com/thuth/qemu into staging (2022-03-16 10:43:58 +0000)
+  Update version for v2.11.0-rc0 release (2017-11-07 16:05:28 +0000)
-are available in the Git repository at:
+are available in the git repository at:
-  https://gitlab.com/stefanha/qemu.git tags/block-pull-request
+  git://github.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to fc8796465c6cd4091efe6a2f8b353f07324f49c7:
+for you to fetch changes up to ef6dada8b44e1e7c4bec5c1115903af9af415b50:
-  aio-posix: fix spurious ->poll_ready() callbacks in main loop (2022-03-17 11:23:18 +0000)
+  util/async: use atomic_mb_set in qemu_bh_cancel (2017-11-08 19:09:15 +0000)
 ----------------------------------------------------------------
 Pull request
-Bug fixes for 7.0.
+v2:
  * v1 emails 2/3 and 3/3 weren't sent due to an email failure
  * Included Sergio's updated wording in the commit description
 ----------------------------------------------------------------
-Haiyue Wang (1):
+Sergio Lopez (1):
-  aio-posix: fix build failure io_uring 2.2
+  util/async: use atomic_mb_set in qemu_bh_cancel
 Stefan Hajnoczi (1):
-  aio-posix: fix spurious ->poll_ready() callbacks in main loop
+  tests-aio-multithread: fix /aio/multi/schedule race condition
- util/aio-posix.h      |  1 +
+ tests/test-aio-multithread.c | 5 ++---
- util/aio-posix.c      | 32 ++++++++++++++++++--------------
+ util/async.c                 | 2 +-
- util/fdmon-io_uring.c |  4 ++++
+files changed, 3 insertions(+), 4 deletions(-)
 files changed, 23 insertions(+), 14 deletions(-)
 --
-.35.1
+.13.6

-[PULL for-7.0 2/2] aio-posix: fix spurious ->poll_ready() callbacks in main loop
+[Qemu-devel] [PULL for-2.11-rc1 v2 1/2] tests-aio-multithread: fix /aio/multi/schedule race condition
-When ->poll() succeeds the AioHandler is placed on the ready list with
+test_multi_co_schedule_entry() set to_schedule[id] in the final loop
-revents set to the magic value 0. This magic value causes
+iteration before terminating the coroutine.  There is a race condition
-aio_dispatch_handler() to invoke ->poll_ready() instead of ->io_read()
+where the main thread attempts to enter the terminating or terminated
-for G_IO_IN or ->io_write() for G_IO_OUT.
+coroutine when signalling coroutines to stop:
-This magic value 0 hack works for the IOThread where AioHandlers are
+  atomic_mb_set(&now_stopping, true);
-placed on ->ready_list and processed by aio_dispatch_ready_handlers().
+  for (i = 0; i < NUM_CONTEXTS; i++) {
-It does not work for the main loop where all AioHandlers are processed
+      ctx_run(i, finish_cb, NULL);  <--- enters dead coroutine!
-by aio_dispatch_handlers(), even those that are not ready and have a
+      to_schedule[i] = NULL;
-revents value of 0.
+  }
-As a result the main loop invokes ->poll_ready() on AioHandlers that are
+Make sure only to set to_schedule[id] if this coroutine really needs to
-not ready. These spurious ->poll_ready() calls waste CPU cycles and
+be scheduled!
 could lead to crashes if the code assumes ->poll() must have succeeded
 before ->poll_ready() is called (a reasonable asumption but I haven't
 seen it in practice).
-Stop using revents to track whether ->poll_ready() will be called on an
+Reported-by: "R.Nageswara Sastry" <nasastry@in.ibm.com>
 AioHandler. Introduce a separate AioHandler->poll_ready field instead.
 This eliminates spurious ->poll_ready() calls in the main loop.
 Fixes: 826cc32423db2a99d184dbf4f507c737d7e7a4ae ("aio-posix: split poll check from ready handler")
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reported-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Tested-by: Jason Wang <jasowang@redhat.com>
+Message-id: 20171106190233.1175-1-stefanha@redhat.com
 Message-id: 20220223155703.136833-1-stefanha@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- util/aio-posix.h |  1 +
+ tests/test-aio-multithread.c | 5 ++---
- util/aio-posix.c | 32 ++++++++++++++++++--------------
+file changed, 2 insertions(+), 3 deletions(-)
 files changed, 19 insertions(+), 14 deletions(-)
-diff --git a/util/aio-posix.h b/util/aio-posix.h
+diff --git a/tests/test-aio-multithread.c b/tests/test-aio-multithread.c
 index XXXXXXX..XXXXXXX 100644
---- a/util/aio-posix.h
+--- a/tests/test-aio-multithread.c
-+++ b/util/aio-posix.h
++++ b/tests/test-aio-multithread.c
-@@ -XXX,XX +XXX,XX @@ struct AioHandler {
+@@ -XXX,XX +XXX,XX @@ static void finish_cb(void *opaque)
-     unsigned flags; /* see fdmon-io_uring.c */
+ static coroutine_fn void test_multi_co_schedule_entry(void *opaque)
- #endif
+ {
-     int64_t poll_idle_timeout; /* when to stop userspace polling */
+     g_assert(to_schedule[id] == NULL);
-+    bool poll_ready; /* has polling detected an event? */
+-    atomic_mb_set(&to_schedule[id], qemu_coroutine_self());
-     bool is_external;
- };
+     while (!atomic_mb_read(&now_stopping)) {
+         int n;
-diff --git a/util/aio-posix.c b/util/aio-posix.c
-index XXXXXXX..XXXXXXX 100644
+         n = g_test_rand_int_range(0, NUM_CONTEXTS);
---- a/util/aio-posix.c
+         schedule_next(n);
-+++ b/util/aio-posix.c
++
-@@ -XXX,XX +XXX,XX @@
++        atomic_mb_set(&to_schedule[id], qemu_coroutine_self());
- #include "trace.h"
+         qemu_coroutine_yield();
  #include "aio-posix.h"
 -/*
 - * G_IO_IN and G_IO_OUT are not appropriate revents values for polling, since
 - * the handler may not need to access the file descriptor. For example, the
 - * handler doesn't need to read from an EventNotifier if it polled a memory
 - * location and a read syscall would be slow. Define our own unique revents
 - * value to indicate that polling determined this AioHandler is ready.
 - */
 -#define REVENTS_POLL_READY 0
 -
- /* Stop userspace polling on a handler if it isn't active for some time */
+         g_assert(to_schedule[id] == NULL);
- #define POLL_IDLE_INTERVAL_NS (7 * NANOSECONDS_PER_SECOND)
+-        atomic_mb_set(&to_schedule[id], qemu_coroutine_self());
+     }
@@ -XXX,XX +XXX,XX @@ void aio_add_ready_handler(AioHandlerList *ready_list,
      QLIST_INSERT_HEAD(ready_list, node, node_ready);
  }
-+static void aio_add_poll_ready_handler(AioHandlerList *ready_list,
-+                                       AioHandler *node)
-+{
-+    QLIST_SAFE_REMOVE(node, node_ready); /* remove from nested parent's list */
-+    node->poll_ready = true;
-+    QLIST_INSERT_HEAD(ready_list, node, node_ready);
-+}
-+
- static AioHandler *find_aio_handler(AioContext *ctx, int fd)
- {
-     AioHandler *node;
-@@ -XXX,XX +XXX,XX @@ static bool aio_remove_fd_handler(AioContext *ctx, AioHandler *node)
-     }
-     node->pfd.revents = 0;
-+    node->poll_ready = false;
-     /* If the fd monitor has already marked it deleted, leave it alone */
-     if (QLIST_IS_INSERTED(node, node_deleted)) {
-@@ -XXX,XX +XXX,XX @@ static bool poll_set_started(AioContext *ctx, AioHandlerList *ready_list,
-         /* Poll one last time in case ->io_poll_end() raced with the event */
-         if (!started && node->io_poll(node->opaque)) {
--            aio_add_ready_handler(ready_list, node, REVENTS_POLL_READY);
-+            aio_add_poll_ready_handler(ready_list, node);
-             progress = true;
-         }
-     }
-@@ -XXX,XX +XXX,XX @@ bool aio_pending(AioContext *ctx)
-     QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
-         int revents;
-+        /* TODO should this check poll ready? */
-         revents = node->pfd.revents & node->pfd.events;
-         if (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR) && node->io_read &&
-             aio_node_check(ctx, node->is_external)) {
-@@ -XXX,XX +XXX,XX @@ static void aio_free_deleted_handlers(AioContext *ctx)
- static bool aio_dispatch_handler(AioContext *ctx, AioHandler *node)
- {
-     bool progress = false;
-+    bool poll_ready;
-     int revents;
-     revents = node->pfd.revents & node->pfd.events;
-     node->pfd.revents = 0;
-+    poll_ready = node->poll_ready;
-+    node->poll_ready = false;
-+
-     /*
-      * Start polling AioHandlers when they become ready because activity is
-      * likely to continue.  Note that starvation is theoretically possible when
-@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handler(AioContext *ctx, AioHandler *node)
-         QLIST_INSERT_HEAD(&ctx->poll_aio_handlers, node, node_poll);
-     }
-     if (!QLIST_IS_INSERTED(node, node_deleted) &&
--        revents == 0 &&
-+        poll_ready && revents == 0 &&
-         aio_node_check(ctx, node->is_external) &&
-         node->io_poll_ready) {
-         node->io_poll_ready(node->opaque);
-@@ -XXX,XX +XXX,XX @@ static bool run_poll_handlers_once(AioContext *ctx,
-     QLIST_FOREACH_SAFE(node, &ctx->poll_aio_handlers, node_poll, tmp) {
-         if (aio_node_check(ctx, node->is_external) &&
-             node->io_poll(node->opaque)) {
--            aio_add_ready_handler(ready_list, node, REVENTS_POLL_READY);
-+            aio_add_poll_ready_handler(ready_list, node);
-             node->poll_idle_timeout = now + POLL_IDLE_INTERVAL_NS;
-@@ -XXX,XX +XXX,XX @@ static bool remove_idle_poll_handlers(AioContext *ctx,
-                  * this causes progress.
-                  */
-                 if (node->io_poll(node->opaque)) {
--                    aio_add_ready_handler(ready_list, node,
--                                          REVENTS_POLL_READY);
-+                    aio_add_poll_ready_handler(ready_list, node);
-                     progress = true;
-                 }
-             }
 --
-.35.1
+.13.6

-[PULL for-7.0 1/2] aio-posix: fix build failure io_uring 2.2
+[Qemu-devel] [PULL for-2.11-rc1 v2 2/2] util/async: use atomic_mb_set in qemu_bh_cancel
-From: Haiyue Wang <haiyue.wang@intel.com>
+From: Sergio Lopez <slp@redhat.com>
-The io_uring fixed "Don't truncate addr fields to 32-bit on 32-bit":
+Commit b7a745d added a qemu_bh_cancel call to the completion function
-https://git.kernel.dk/cgit/liburing/commit/?id=d84c29b19ed0b130000619cff40141bb1fc3615b
+as an optimization to prevent it from unnecessarily rescheduling itself.
-This leads to build failure:
+This completion function is scheduled from worker_thread, after setting
-../util/fdmon-io_uring.c: In function ‘add_poll_remove_sqe’:
+the state of a ThreadPoolElement to THREAD_DONE.
 ../util/fdmon-io_uring.c:182:36: error: passing argument 2 of ‘io_uring_prep_poll_remove’ makes integer from pointer without a cast [-Werror=int-conversion]
 |     io_uring_prep_poll_remove(sqe, node);
       |                                    ^~~~
       |                                    |
       |                                    AioHandler *
 In file included from /root/io/qemu/include/block/aio.h:18,
                  from ../util/aio-posix.h:20,
                  from ../util/fdmon-io_uring.c:49:
 /usr/include/liburing.h:415:17: note: expected ‘__u64’ {aka ‘long long unsigned int’} but argument is of type ‘AioHandler *’
 |           __u64 user_data)
       |           ~~~~~~^~~~~~~~~
 cc1: all warnings being treated as errors
-Use LIBURING_HAVE_DATA64 to check whether the io_uring supports 64-bit
+This was considered to be safe, as the completion function restarts the
-variants of the get/set userdata, to convert the paramter to the right
+loop just after the call to qemu_bh_cancel. But, as this loop lacks a HW
-data type.
+memory barrier, the read of req->state may actually happen _before_ the
 call, seeing it still as THREAD_QUEUED, and ending the completion
 function without having processed a pending TPE linked at pool->head:
-Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
+         worker thread             |            I/O thread
-Message-Id: <20220221162401.45415-1-haiyue.wang@intel.com>
+------------------------------------------------------------------------
                                    | speculatively read req->state
 req->state = THREAD_DONE;          |
 qemu_bh_schedule(p->completion_bh) |
   bh->scheduled = 1;               |
                                    | qemu_bh_cancel(p->completion_bh)
                                    |   bh->scheduled = 0;
                                    | if (req->state == THREAD_DONE)
                                    |   // sees THREAD_QUEUED
 The source of the misunderstanding was that qemu_bh_cancel is now being
 used by the _consumer_ rather than the producer, and therefore now needs
 to have acquire semantics just like e.g. aio_bh_poll.
 In some situations, if there are no other independent requests in the
 same aio context that could eventually trigger the scheduling of the
 completion function, the omitted TPE and all operations pending on it
 will get stuck forever.
 [Added Sergio's updated wording about the HW memory barrier.
 --Stefan]
 Signed-off-by: Sergio Lopez <slp@redhat.com>
 Message-id: 20171108063447.2842-1-slp@redhat.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- util/fdmon-io_uring.c | 4 ++++
+ util/async.c | 2 +-
-file changed, 4 insertions(+)
+file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/util/fdmon-io_uring.c b/util/fdmon-io_uring.c
+diff --git a/util/async.c b/util/async.c
 index XXXXXXX..XXXXXXX 100644
---- a/util/fdmon-io_uring.c
+--- a/util/async.c
-+++ b/util/fdmon-io_uring.c
++++ b/util/async.c
-@@ -XXX,XX +XXX,XX @@ static void add_poll_remove_sqe(AioContext *ctx, AioHandler *node)
+@@ -XXX,XX +XXX,XX @@ void qemu_bh_schedule(QEMUBH *bh)
   */
  void qemu_bh_cancel(QEMUBH *bh)
  {
-     struct io_uring_sqe *sqe = get_sqe(ctx);
+-    bh->scheduled = 0;
++    atomic_mb_set(&bh->scheduled, 0);
 +#ifdef LIBURING_HAVE_DATA64
 +    io_uring_prep_poll_remove(sqe, (__u64)(uintptr_t)node);
 +#else
      io_uring_prep_poll_remove(sqe, node);
 +#endif
  }
- /* Add a timeout that self-cancels when another cqe becomes ready */
+ /* This func is async.The bottom half will do the delete action at the finial
 --
-.35.1
+.13.6

From: Haiyue Wang <haiyue.wang@intel.com>

The io_uring fixed "Don't truncate addr fields to 32-bit on 32-bit":
https://git.kernel.dk/cgit/liburing/commit/?id=d84c29b19ed0b130000619cff40141bb1fc3615b

This leads to build failure:
../util/fdmon-io_uring.c: In function ‘add_poll_remove_sqe’:
../util/fdmon-io_uring.c:182:36: error: passing argument 2 of ‘io_uring_prep_poll_remove’ makes integer from pointer without a cast [-Werror=int-conversion]
  182 |     io_uring_prep_poll_remove(sqe, node);
      |                                    ^~~~
      |                                    |
      |                                    AioHandler *
In file included from /root/io/qemu/include/block/aio.h:18,
                 from ../util/aio-posix.h:20,
                 from ../util/fdmon-io_uring.c:49:
/usr/include/liburing.h:415:17: note: expected ‘__u64’ {aka ‘long long unsigned int’} but argument is of type ‘AioHandler *’
  415 |           __u64 user_data)
      |           ~~~~~~^~~~~~~~~
cc1: all warnings being treated as errors

Use LIBURING_HAVE_DATA64 to check whether the io_uring supports 64-bit
variants of the get/set userdata, to convert the paramter to the right
data type.

Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
Message-Id: <20220221162401.45415-1-haiyue.wang@intel.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 util/fdmon-io_uring.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/util/fdmon-io_uring.c b/util/fdmon-io_uring.c
index XXXXXXX..XXXXXXX 100644
--- a/util/fdmon-io_uring.c
+++ b/util/fdmon-io_uring.c
@@ -XXX,XX +XXX,XX @@ static void add_poll_remove_sqe(AioContext *ctx, AioHandler *node)
 {
     struct io_uring_sqe *sqe = get_sqe(ctx);
 
+#ifdef LIBURING_HAVE_DATA64
+    io_uring_prep_poll_remove(sqe, (__u64)(uintptr_t)node);
+#else
     io_uring_prep_poll_remove(sqe, node);
+#endif
 }
 
 /* Add a timeout that self-cancels when another cqe becomes ready */
-- 
2.35.1

When ->poll() succeeds the AioHandler is placed on the ready list with
revents set to the magic value 0. This magic value causes
aio_dispatch_handler() to invoke ->poll_ready() instead of ->io_read()
for G_IO_IN or ->io_write() for G_IO_OUT.

This magic value 0 hack works for the IOThread where AioHandlers are
placed on ->ready_list and processed by aio_dispatch_ready_handlers().
It does not work for the main loop where all AioHandlers are processed
by aio_dispatch_handlers(), even those that are not ready and have a
revents value of 0.

As a result the main loop invokes ->poll_ready() on AioHandlers that are
not ready. These spurious ->poll_ready() calls waste CPU cycles and
could lead to crashes if the code assumes ->poll() must have succeeded
before ->poll_ready() is called (a reasonable asumption but I haven't
seen it in practice).

Stop using revents to track whether ->poll_ready() will be called on an
AioHandler. Introduce a separate AioHandler->poll_ready field instead.
This eliminates spurious ->poll_ready() calls in the main loop.

Fixes: 826cc32423db2a99d184dbf4f507c737d7e7a4ae ("aio-posix: split poll check from ready handler")
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reported-by: Jason Wang <jasowang@redhat.com>
Tested-by: Jason Wang <jasowang@redhat.com>
Message-id: 20220223155703.136833-1-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 util/aio-posix.h |  1 +
 util/aio-posix.c | 32 ++++++++++++++++++--------------
 2 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/util/aio-posix.h b/util/aio-posix.h
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.h
+++ b/util/aio-posix.h
@@ -XXX,XX +XXX,XX @@ struct AioHandler {
     unsigned flags; /* see fdmon-io_uring.c */
 #endif
     int64_t poll_idle_timeout; /* when to stop userspace polling */
+    bool poll_ready; /* has polling detected an event? */
     bool is_external;
 };
 
diff --git a/util/aio-posix.c b/util/aio-posix.c
index XXXXXXX..XXXXXXX 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -XXX,XX +XXX,XX @@
 #include "trace.h"
 #include "aio-posix.h"
 
-/*
- * G_IO_IN and G_IO_OUT are not appropriate revents values for polling, since
- * the handler may not need to access the file descriptor. For example, the
- * handler doesn't need to read from an EventNotifier if it polled a memory
- * location and a read syscall would be slow. Define our own unique revents
- * value to indicate that polling determined this AioHandler is ready.
- */
-#define REVENTS_POLL_READY 0
-
 /* Stop userspace polling on a handler if it isn't active for some time */
 #define POLL_IDLE_INTERVAL_NS (7 * NANOSECONDS_PER_SECOND)
 
@@ -XXX,XX +XXX,XX @@ void aio_add_ready_handler(AioHandlerList *ready_list,
     QLIST_INSERT_HEAD(ready_list, node, node_ready);
 }
 
+static void aio_add_poll_ready_handler(AioHandlerList *ready_list,
+                                       AioHandler *node)
+{
+    QLIST_SAFE_REMOVE(node, node_ready); /* remove from nested parent's list */
+    node->poll_ready = true;
+    QLIST_INSERT_HEAD(ready_list, node, node_ready);
+}
+
 static AioHandler *find_aio_handler(AioContext *ctx, int fd)
 {
     AioHandler *node;
@@ -XXX,XX +XXX,XX @@ static bool aio_remove_fd_handler(AioContext *ctx, AioHandler *node)
     }
 
     node->pfd.revents = 0;
+    node->poll_ready = false;
 
     /* If the fd monitor has already marked it deleted, leave it alone */
     if (QLIST_IS_INSERTED(node, node_deleted)) {
@@ -XXX,XX +XXX,XX @@ static bool poll_set_started(AioContext *ctx, AioHandlerList *ready_list,
 
         /* Poll one last time in case ->io_poll_end() raced with the event */
         if (!started && node->io_poll(node->opaque)) {
-            aio_add_ready_handler(ready_list, node, REVENTS_POLL_READY);
+            aio_add_poll_ready_handler(ready_list, node);
             progress = true;
         }
     }
@@ -XXX,XX +XXX,XX @@ bool aio_pending(AioContext *ctx)
     QLIST_FOREACH_RCU(node, &ctx->aio_handlers, node) {
         int revents;
 
+        /* TODO should this check poll ready? */
         revents = node->pfd.revents & node->pfd.events;
         if (revents & (G_IO_IN | G_IO_HUP | G_IO_ERR) && node->io_read &&
             aio_node_check(ctx, node->is_external)) {
@@ -XXX,XX +XXX,XX @@ static void aio_free_deleted_handlers(AioContext *ctx)
 static bool aio_dispatch_handler(AioContext *ctx, AioHandler *node)
 {
     bool progress = false;
+    bool poll_ready;
     int revents;
 
     revents = node->pfd.revents & node->pfd.events;
     node->pfd.revents = 0;
 
+    poll_ready = node->poll_ready;
+    node->poll_ready = false;
+
     /*
      * Start polling AioHandlers when they become ready because activity is
      * likely to continue.  Note that starvation is theoretically possible when
@@ -XXX,XX +XXX,XX @@ static bool aio_dispatch_handler(AioContext *ctx, AioHandler *node)
         QLIST_INSERT_HEAD(&ctx->poll_aio_handlers, node, node_poll);
     }
     if (!QLIST_IS_INSERTED(node, node_deleted) &&
-        revents == 0 &&
+        poll_ready && revents == 0 &&
         aio_node_check(ctx, node->is_external) &&
         node->io_poll_ready) {
         node->io_poll_ready(node->opaque);
@@ -XXX,XX +XXX,XX @@ static bool run_poll_handlers_once(AioContext *ctx,
     QLIST_FOREACH_SAFE(node, &ctx->poll_aio_handlers, node_poll, tmp) {
         if (aio_node_check(ctx, node->is_external) &&
             node->io_poll(node->opaque)) {
-            aio_add_ready_handler(ready_list, node, REVENTS_POLL_READY);
+            aio_add_poll_ready_handler(ready_list, node);
 
             node->poll_idle_timeout = now + POLL_IDLE_INTERVAL_NS;
 
@@ -XXX,XX +XXX,XX @@ static bool remove_idle_poll_handlers(AioContext *ctx,
                  * this causes progress.
                  */
                 if (node->io_poll(node->opaque)) {
-                    aio_add_ready_handler(ready_list, node,
-                                          REVENTS_POLL_READY);
+                    aio_add_poll_ready_handler(ready_list, node);
                     progress = true;
                 }
             }
-- 
2.35.1

test_multi_co_schedule_entry() set to_schedule[id] in the final loop
iteration before terminating the coroutine.  There is a race condition
where the main thread attempts to enter the terminating or terminated
coroutine when signalling coroutines to stop:

atomic_mb_set(&now_stopping, true);
  for (i = 0; i < NUM_CONTEXTS; i++) {
      ctx_run(i, finish_cb, NULL);  <--- enters dead coroutine!
      to_schedule[i] = NULL;
  }

Make sure only to set to_schedule[id] if this coroutine really needs to
be scheduled!

Reported-by: "R.Nageswara Sastry" <nasastry@in.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20171106190233.1175-1-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/test-aio-multithread.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tests/test-aio-multithread.c b/tests/test-aio-multithread.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/test-aio-multithread.c
+++ b/tests/test-aio-multithread.c
@@ -XXX,XX +XXX,XX @@ static void finish_cb(void *opaque)
 static coroutine_fn void test_multi_co_schedule_entry(void *opaque)
 {
     g_assert(to_schedule[id] == NULL);
-    atomic_mb_set(&to_schedule[id], qemu_coroutine_self());
 
     while (!atomic_mb_read(&now_stopping)) {
         int n;
 
         n = g_test_rand_int_range(0, NUM_CONTEXTS);
         schedule_next(n);
+
+        atomic_mb_set(&to_schedule[id], qemu_coroutine_self());
         qemu_coroutine_yield();
-
         g_assert(to_schedule[id] == NULL);
-        atomic_mb_set(&to_schedule[id], qemu_coroutine_self());
     }
 }
 
-- 
2.13.6

From: Sergio Lopez <slp@redhat.com>

Commit b7a745d added a qemu_bh_cancel call to the completion function
as an optimization to prevent it from unnecessarily rescheduling itself.

This completion function is scheduled from worker_thread, after setting
the state of a ThreadPoolElement to THREAD_DONE.

This was considered to be safe, as the completion function restarts the
loop just after the call to qemu_bh_cancel. But, as this loop lacks a HW
memory barrier, the read of req->state may actually happen _before_ the
call, seeing it still as THREAD_QUEUED, and ending the completion
function without having processed a pending TPE linked at pool->head:

The source of the misunderstanding was that qemu_bh_cancel is now being
used by the _consumer_ rather than the producer, and therefore now needs
to have acquire semantics just like e.g. aio_bh_poll.

In some situations, if there are no other independent requests in the
same aio context that could eventually trigger the scheduling of the
completion function, the omitted TPE and all operations pending on it
will get stuck forever.

[Added Sergio's updated wording about the HW memory barrier.
--Stefan]

Signed-off-by: Sergio Lopez <slp@redhat.com>
Message-id: 20171108063447.2842-1-slp@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 util/async.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/async.c b/util/async.c
index XXXXXXX..XXXXXXX 100644
--- a/util/async.c
+++ b/util/async.c
@@ -XXX,XX +XXX,XX @@ void qemu_bh_schedule(QEMUBH *bh)
  */
 void qemu_bh_cancel(QEMUBH *bh)
 {
-    bh->scheduled = 0;
+    atomic_mb_set(&bh->scheduled, 0);
 }
 
 /* This func is async.The bottom half will do the delete action at the finial
-- 
2.13.6