From nobody Fri Nov 14 19:42:13 2025
Delivered-To: importer@patchew.org
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=pass(p=quarantine dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1761764094; cv=none;
	d=zohomail.com; s=zohoarc;
	b=NgHpd2U8S7GvYc14J4FhPlBFQVVrrUdaoj6zfz0icUPAKF5Fko836hLqg2CMWabYPonIBQHDxw2azqKn1wK3H8Dze8YxzJfH1joakKu505c6Tz2b2sLq++KdAJzQO4Ygtthue3KIIQTp6bHbjo3UlpdDnie9PnFzikvWdwzOD+8=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1761764094;
 h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To;
	bh=9e/hObse3BAo5O3NWyShgmz3j/Vs/xAe45DGh6eVFeA=;
	b=iD8etS3h0XO9k6Xs3FnvqnMUfUZGCdU3AKcO3QR13IzmRUz3HJn/1eRgxP2prsscpet/wZ5hXeKCYOGibkgTip/lwsd1cL/yPGdOnRM1dGpWhyfD+YT5u6ff7YpPBF2zOUsjwFEU5ROUQhVKMue1BnsGQCBtYi8jjJcXhaHjbOg=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=pass header.from=<stefanha@redhat.com> (p=quarantine dis=none)
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 1761764094800800.3176095924821;
 Wed, 29 Oct 2025 11:54:54 -0700 (PDT)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces@nongnu.org>)
	id 1vEBHz-0003Jk-DC; Wed, 29 Oct 2025 14:52:55 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <stefanha@redhat.com>)
 id 1vEBHw-0003JO-SG
 for qemu-devel@nongnu.org; Wed, 29 Oct 2025 14:52:52 -0400
Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <stefanha@redhat.com>)
 id 1vEBHl-0008AV-E3
 for qemu-devel@nongnu.org; Wed, 29 Oct 2025 14:52:51 -0400
Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-248-dpF7ytEwMoq7ThCPHvLeJw-1; Wed,
 29 Oct 2025 14:52:27 -0400
Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id D8E44195609D; Wed, 29 Oct 2025 18:52:26 +0000 (UTC)
Received: from localhost (unknown [10.2.17.43])
 by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP
 id DA37B30001A7; Wed, 29 Oct 2025 18:52:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1761763951;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=9e/hObse3BAo5O3NWyShgmz3j/Vs/xAe45DGh6eVFeA=;
 b=Kso4m8E9WEz6S9FCSML7ZNo6/SwF1oWDaXgVtpms6WDYwlwmnjZ+D02uT37JcS4ZSU8meW
 jwZEIsh/ob1kEDcXd2pG1M1mdANLiYZSj9TtHRvEEUNMDeKF2aaKWHK8yXDYy1Blbpyk7s
 G3oCVOS+X1Ok7UsdhYeSQJ3toK0L+K4=
X-MC-Unique: dpF7ytEwMoq7ThCPHvLeJw-1
X-Mimecast-MFC-AGG-ID: dpF7ytEwMoq7ThCPHvLeJw_1761763947
From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 David Hildenbrand <david@redhat.com>, Peter Xu <peterx@redhat.com>,
 Paolo Bonzini <pbonzini@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>,
 Peixiu Hou <phou@redhat.com>, Kevin Wolf <kwolf@redhat.com>
Subject: [PATCH] system/physmem: mark io_mem_unassigned lockless
Date: Wed, 29 Oct 2025 14:52:24 -0400
Message-ID: <20251029185224.420261-1-stefanha@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17
 as permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Received-SPF: pass client-ip=170.10.133.124;
 envelope-from=stefanha@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
 WEIRD_PORT=0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1761764112904158500
Content-Type: text/plain; charset="utf-8"

When the Bus Master bit is disabled in a PCI device's Command Register,
the device's DMA address space becomes unassigned memory (i.e. the
io_mem_unassigned MemoryRegion).

This can lead to deadlocks with IOThreads since io_mem_unassigned
accesses attempt to acquire the Big QEMU Lock (BQL). For example,
virtio-pci devices deadlock in virtio_write_config() ->
virtio_pci_stop_ioeventfd() when waiting for the IOThread while holding
the BQL. The IOThread is unable to acquire the BQL but the vcpu thread
won't release the BQL while waiting for the IOThread.

io_mem_unassigned is trivially thread-safe since it has no state, it
simply rejects all load/store accesses. Therefore it is safe to enable
lockless I/O on io_mem_unassigned to eliminate this deadlock.

Here is the backtrace described above:

  Thread 9 (Thread 0x7fccfcdff6c0 (LWP 247832) "CPU 4/KVM"):
  #0  0x00007fcd11529d46 in ppoll () from target:/lib64/libc.so.6
  #1  0x000056468a1a9bad in ppoll (__fds=3D<optimized out>, __nfds=3D<optim=
ized out>, __timeout=3D0x0, __ss=3D0x0) at /usr/include/bits/poll2.h:88
  #2  0x000056468a18f9d9 in fdmon_poll_wait (ctx=3D0x5646c6a1dc30, ready_li=
st=3D0x7fccfcdfb310, timeout=3D-1) at ../util/fdmon-poll.c:79
  #3  0x000056468a18f14f in aio_poll (ctx=3D<optimized out>, blocking=3Dblo=
cking@entry=3Dtrue) at ../util/aio-posix.c:730
  #4  0x000056468a1ad842 in aio_wait_bh_oneshot (ctx=3D<optimized out>, cb=
=3Dcb@entry=3D0x564689faa420 <virtio_blk_ioeventfd_stop_vq_bh>, opaque=3D<o=
ptimized out>) at ../util/aio-wait.c:85
  #5  0x0000564689faaa89 in virtio_blk_stop_ioeventfd (vdev=3D0x5646c8fd7e9=
0) at ../hw/block/virtio-blk.c:1644
  #6  0x0000564689d77880 in virtio_bus_stop_ioeventfd (bus=3Dbus@entry=3D0x=
5646c8fd7e08) at ../hw/virtio/virtio-bus.c:264
  #7  0x0000564689d780db in virtio_bus_stop_ioeventfd (bus=3Dbus@entry=3D0x=
5646c8fd7e08) at ../hw/virtio/virtio-bus.c:256
  #8  0x0000564689d7d98a in virtio_pci_stop_ioeventfd (proxy=3D0x5646c8fcf8=
e0) at ../hw/virtio/virtio-pci.c:413
  #9  virtio_write_config (pci_dev=3D0x5646c8fcf8e0, address=3D4, val=3D<op=
timized out>, len=3D<optimized out>) at ../hw/virtio/virtio-pci.c:803
  #10 0x0000564689dcb45a in memory_region_write_accessor (mr=3Dmr@entry=3D0=
x5646c6dc2d30, addr=3D3145732, value=3Dvalue@entry=3D0x7fccfcdfb528, size=
=3Dsize@entry=3D2, shift=3D<optimized out>, mask=3Dmask@entry=3D65535, attr=
s=3D...) at ../system/memory.c:491
  #11 0x0000564689dcaeb0 in access_with_adjusted_size (addr=3Daddr@entry=3D=
3145732, value=3Dvalue@entry=3D0x7fccfcdfb528, size=3Dsize@entry=3D2, acces=
s_size_min=3D<optimized out>, access_size_max=3D<optimized out>, access_fn=
=3D0x564689dcb3f0 <memory_region_write_accessor>, mr=3D0x5646c6dc2d30, attr=
s=3D...) at ../system/memory.c:567
  #12 0x0000564689dcb156 in memory_region_dispatch_write (mr=3Dmr@entry=3D0=
x5646c6dc2d30, addr=3Daddr@entry=3D3145732, data=3D<optimized out>, op=3D<o=
ptimized out>, attrs=3Dattrs@entry=3D...) at ../system/memory.c:1554
  #13 0x0000564689dd389a in flatview_write_continue_step (attrs=3D..., attr=
s@entry=3D..., buf=3Dbuf@entry=3D0x7fcd05b87028 "", mr_addr=3D3145732, l=3D=
l@entry=3D0x7fccfcdfb5f0, mr=3D0x5646c6dc2d30, len=3D2) at ../system/physme=
m.c:3266
  #14 0x0000564689dd3adb in flatview_write_continue (fv=3D0x7fcadc0d8930, a=
ddr=3D3761242116, attrs=3D..., ptr=3D0xe0300004, len=3D2, mr_addr=3D<optimi=
zed out>, l=3D<optimized out>, mr=3D<optimized out>) at ../system/physmem.c=
:3296
  #15 flatview_write (fv=3D0x7fcadc0d8930, addr=3Daddr@entry=3D3761242116, =
attrs=3Dattrs@entry=3D..., buf=3Dbuf@entry=3D0x7fcd05b87028, len=3Dlen@entr=
y=3D2) at ../system/physmem.c:3327
  #16 0x0000564689dd7191 in address_space_write (as=3D0x56468b433600 <addre=
ss_space_memory>, addr=3D3761242116, attrs=3D..., buf=3D0x7fcd05b87028, len=
=3D2) at ../system/physmem.c:3447
  #17 address_space_rw (as=3D0x56468b433600 <address_space_memory>, addr=3D=
3761242116, attrs=3Dattrs@entry=3D..., buf=3Dbuf@entry=3D0x7fcd05b87028, le=
n=3D2, is_write=3D<optimized out>) at ../system/physmem.c:3457
  #18 0x0000564689ff1ef6 in kvm_cpu_exec (cpu=3Dcpu@entry=3D0x5646c6dab810)=
 at ../accel/kvm/kvm-all.c:3248
  #19 0x0000564689ff32f5 in kvm_vcpu_thread_fn (arg=3Darg@entry=3D0x5646c6d=
ab810) at ../accel/kvm/kvm-accel-ops.c:53
  #20 0x000056468a19225c in qemu_thread_start (args=3D0x5646c6db6190) at ..=
/util/qemu-thread-posix.c:393
  #21 0x00007fcd114c5b68 in start_thread () from target:/lib64/libc.so.6
  #22 0x00007fcd115364e4 in clone () from target:/lib64/libc.so.6

  Thread 3 (Thread 0x7fcd0503a6c0 (LWP 247825) "IO iothread1"):
  #0  0x00007fcd114c2d30 in __lll_lock_wait () from target:/lib64/libc.so.6
  #1  0x00007fcd114c8fe2 in pthread_mutex_lock@@GLIBC_2.2.5 () from target:=
/lib64/libc.so.6
  #2  0x000056468a192538 in qemu_mutex_lock_impl (mutex=3D0x56468b432e60 <b=
ql>, file=3D0x56468a1e26a5 "../system/physmem.c", line=3D3198) at ../util/q=
emu-thread-posix.c:94
  #3  0x0000564689dc12e2 in bql_lock_impl (file=3Dfile@entry=3D0x56468a1e26=
a5 "../system/physmem.c", line=3Dline@entry=3D3198) at ../system/cpus.c:566
  #4  0x0000564689ddc151 in prepare_mmio_access (mr=3D0x56468b433800 <io_me=
m_unassigned>) at ../system/physmem.c:3198
  #5  address_space_lduw_internal_cached_slow (cache=3D<optimized out>, add=
r=3D2, attrs=3D..., result=3D0x0, endian=3DDEVICE_LITTLE_ENDIAN) at ../syst=
em/memory_ldst.c.inc:211
  #6  address_space_lduw_le_cached_slow (cache=3D<optimized out>, addr=3Dad=
dr@entry=3D2, attrs=3Dattrs@entry=3D..., result=3Dresult@entry=3D0x0) at ..=
/system/memory_ldst.c.inc:253
  #7  0x0000564689fd692c in address_space_lduw_le_cached (result=3D0x0, cac=
he=3D<optimized out>, addr=3D2, attrs=3D...) at /var/tmp/qemu/include/exec/=
memory_ldst_cached.h.inc:35
  #8  lduw_le_phys_cached (cache=3D<optimized out>, addr=3D2) at /var/tmp/q=
emu/include/exec/memory_ldst_phys.h.inc:66
  #9  virtio_lduw_phys_cached (vdev=3D<optimized out>, cache=3D<optimized o=
ut>, pa=3D2) at /var/tmp/qemu/include/hw/virtio/virtio-access.h:166
  #10 vring_avail_idx (vq=3D0x5646c8fe2470) at ../hw/virtio/virtio.c:396
  #11 virtio_queue_split_set_notification (vq=3D0x5646c8fe2470, enable=3D0)=
 at ../hw/virtio/virtio.c:534
  #12 virtio_queue_set_notification (vq=3D0x5646c8fe2470, enable=3D0) at ..=
/hw/virtio/virtio.c:595
  #13 0x000056468a18e7a8 in poll_set_started (ctx=3Dctx@entry=3D0x5646c6c74=
e30, ready_list=3Dready_list@entry=3D0x7fcd050366a0, started=3Dstarted@entr=
y=3Dtrue) at ../util/aio-posix.c:247
  #14 0x000056468a18f2bb in poll_set_started (ctx=3D0x5646c6c74e30, ready_l=
ist=3D0x7fcd050366a0, started=3Dtrue) at ../util/aio-posix.c:226
  #15 try_poll_mode (ctx=3D0x5646c6c74e30, ready_list=3D0x7fcd050366a0, tim=
eout=3D<synthetic pointer>) at ../util/aio-posix.c:612
  #16 aio_poll (ctx=3D0x5646c6c74e30, blocking=3Dblocking@entry=3Dtrue) at =
../util/aio-posix.c:689
  #17 0x000056468a032c26 in iothread_run (opaque=3Dopaque@entry=3D0x5646c69=
f3380) at ../iothread.c:63
  #18 0x000056468a19225c in qemu_thread_start (args=3D0x5646c6c75410) at ..=
/util/qemu-thread-posix.c:393
  #19 0x00007fcd114c5b68 in start_thread () from target:/lib64/libc.so.6
  #20 0x00007fcd115364e4 in clone () from target:/lib64/libc.so.6

Buglink: https://issues.redhat.com/browse/RHEL-71933
Reported-by: Peixiu Hou <phou@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Philippe Mathieu-Daud=C3=A9 <philmd@linaro.org>
---
 system/physmem.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/system/physmem.c b/system/physmem.c
index a340ca3e61..1dc2b46e12 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -3011,6 +3011,9 @@ static void io_mem_init(void)
 {
     memory_region_init_io(&io_mem_unassigned, NULL, &unassigned_mem_ops, N=
ULL,
                           NULL, UINT64_MAX);
+
+    /* Trivially thread-safe since memory accesses are rejected */
+    memory_region_enable_lockless_io(&io_mem_unassigned);
 }
=20
 AddressSpaceDispatch *address_space_dispatch_new(FlatView *fv)
--=20
2.51.0