From: Klaus Jensen
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Keith Busch, Klaus Jensen, Klaus Jensen, Jonathan Derrick
Subject: [PULL for-7.2 1/5] hw/nvme: fix aio cancel in format
Date: Thu, 1 Dec 2022 17:50:20 +0100
Message-Id: <20221201165024.51018-2-its@irrelevant.dk>
In-Reply-To: <20221201165024.51018-1-its@irrelevant.dk>
References: <20221201165024.51018-1-its@irrelevant.dk>

From: Klaus Jensen

There are several bugs in the async cancel code for the Format command.

Firstly, cancelling a format operation neglects to set iocb->ret as well as clearing the iocb->aiocb after cancelling the underlying aiocb which causes the aio callback to ignore the cancellation. Trivial fix.

Secondly, and worse, because the request is queued up for posting to the CQ in a bottom half, if the cancellation is due to the submission queue being deleted (which calls blk_aio_cancel), the req structure is deallocated in nvme_del_sq prior to the bottom half being scheduled. Fix this by simply removing the bottom half, there is no reason to defer it anyway.

Fixes: 3bcf26d3d619 ("hw/nvme: reimplement format nvm to allow cancellation")
Reported-by: Jonathan Derrick
Reviewed-by: Keith Busch
Signed-off-by: Klaus Jensen
--- hw/nvme/ctrl.c | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index ac3885ce5079..9bc56075f66f 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -5741,7 +5741,6 @@ static uint16_t nvme_ns_attachment(NvmeCtrl *n, NvmeR= equest *req) typedef struct NvmeFormatAIOCB { BlockAIOCB common; BlockAIOCB *aiocb; - QEMUBH *bh; NvmeRequest *req; int ret; =20 @@ -5756,14 +5755,15 @@ typedef struct NvmeFormatAIOCB { uint8_t pil; } NvmeFormatAIOCB; =20 -static void nvme_format_bh(void *opaque); - static void nvme_format_cancel(BlockAIOCB *aiocb) { NvmeFormatAIOCB *iocb =3D container_of(aiocb, NvmeFormatAIOCB, common); =20 + iocb->ret =3D -ECANCELED; + if (iocb->aiocb) { blk_aio_cancel_async(iocb->aiocb); + iocb->aiocb =3D NULL; } } =20 
@@ -5787,13 +5787,17 @@ static void nvme_format_set(NvmeNamespace *ns, uint= 8_t lbaf, uint8_t mset, nvme_ns_init_format(ns); } =20 +static void nvme_do_format(NvmeFormatAIOCB *iocb); + static void nvme_format_ns_cb(void *opaque, int ret) { NvmeFormatAIOCB *iocb =3D opaque; NvmeNamespace *ns =3D iocb->ns; int bytes; =20 - if (ret < 0) { + if (iocb->ret < 0) { + goto done; + } else if (ret < 0) { iocb->ret =3D ret; goto done; } @@ -5817,8 +5821,7 @@ static void nvme_format_ns_cb(void *opaque, int ret) iocb->offset =3D 0; =20 done: - iocb->aiocb =3D NULL; - qemu_bh_schedule(iocb->bh); + nvme_do_format(iocb); } =20 static uint16_t nvme_format_check(NvmeNamespace *ns, uint8_t lbaf, uint8_t= pi) @@ -5842,9 +5845,8 @@ static uint16_t nvme_format_check(NvmeNamespace *ns, = uint8_t lbaf, uint8_t pi) return NVME_SUCCESS; } =20 -static void nvme_format_bh(void *opaque) +static void nvme_do_format(NvmeFormatAIOCB *iocb) { - NvmeFormatAIOCB *iocb =3D opaque; NvmeRequest *req =3D iocb->req; NvmeCtrl *n =3D nvme_ctrl(req); uint32_t dw10 =3D le32_to_cpu(req->cmd.cdw10); @@ -5882,11 +5884,7 @@ static void nvme_format_bh(void *opaque) return; =20 done: - qemu_bh_delete(iocb->bh); - iocb->bh =3D NULL; - iocb->common.cb(iocb->common.opaque, iocb->ret); - qemu_aio_unref(iocb); } =20 @@ -5905,7 +5903,6 @@ static uint16_t nvme_format(NvmeCtrl *n, NvmeRequest = *req) iocb =3D qemu_aio_get(&nvme_format_aiocb_info, NULL, nvme_misc_cb, req= ); =20 iocb->req =3D req; - iocb->bh =3D qemu_bh_new(nvme_format_bh, iocb); iocb->ret =3D 0; iocb->ns =3D NULL; iocb->nsid =3D 0; @@ -5934,14 +5931,13 @@ static uint16_t nvme_format(NvmeCtrl *n, NvmeReques= t *req) } =20 req->aiocb =3D &iocb->common; - qemu_bh_schedule(iocb->bh); + nvme_do_format(iocb); =20 return NVME_NO_COMPLETE; =20 out: - qemu_bh_delete(iocb->bh); - iocb->bh =3D NULL; qemu_aio_unref(iocb); + return status; } =20 --=20 2.38.1
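Review bot: in nvme_format_cancel, `iocb->ret = -ECANCELED;` is assigned unconditionally, so whatever value iocb->ret already holds is overwritten and the completion always reports cancellation. If that is intended, a one-line comment saying that nvme_format_ns_cb now checks iocb->ret before its own ret argument would make the ordering of the two statements in this function easier to follow; otherwise assign it only while iocb->ret is still 0.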
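Review bot: at the done: label of nvme_format_ns_cb, `iocb->aiocb = NULL;` is removed together with the bottom half, so after a normal completion iocb->aiocb still points at the finished AIOCB while nvme_do_format runs. nvme_format_cancel still tests `if (iocb->aiocb)` before calling blk_aio_cancel_async, so a cancel that arrives before the next assignment would act on a stale pointer. Consider keeping the clear, either at done: just before `nvme_do_format(iocb);` or at the top of the callback.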
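Review bot: in nvme_format, `nvme_do_format(iocb);` now runs synchronously between `req->aiocb = &iocb->common;` and `return NVME_NO_COMPLETE;`. The done: path of nvme_do_format calls iocb->common.cb and then qemu_aio_unref(iocb), so if that path is reached on this first call the request is completed and the iocb released before nvme_format returns NVME_NO_COMPLETE, with req->aiocb still set. Please confirm that the completion callback passed to qemu_aio_get (nvme_misc_cb) and the caller tolerate completion before return, and say so in a comment. The blank line added before `return status;` under out: is unrelated whitespace and can be dropped.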