From nobody Tue Apr 7 21:45:21 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241707; cv=none; d=zohomail.com; s=zohoarc; b=WxAMXk9EKurT3idU0Hht5ofP4aHnd/bdDknrdbc1Dr0/ucHRzN8F5AcoP8cPaLDJIFkfFwuRanpCwQkvnsfkRPAMIYBoU6uV5llKcLgcSZaNCdPq9k8ekqgzaYMU+w9gNMQY7bPo2MSzeUu9oe+aJ4jkeAkelsRYyh4TaaHrpck= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241707; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=x9Pv267DKgPrCgfQ6hyl65Cfs9xdlx7shs2KekCtLHQ=; b=UUULvR3EsV1m0dhG57wms+DHcuoabguci/ZAI6APKwG793TD5m2kMB/3XOCE76ssMTaX4N2nCgda++aB6yKfwq2Jao7s830taYe6U4k1ibSYSPY4v6+ZV7ikKAvvZJuogT0embGEiwgc6XmICGcDdZcuIT+dNAnnSPKn1C6oMLw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773241707031634.7683678295684; Wed, 11 Mar 2026 08:08:27 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w0LAS-0005PA-0q; Wed, 11 Mar 2026 11:08:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1w0L7j-00008P-8t; Wed, 11 Mar 2026 11:05:25 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1w0L7c-0004Zp-8J; Wed, 11 Mar 2026 11:05:23 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C3C5F191E5F; Wed, 11 Mar 2026 18:01:45 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id AF9DB37C2B1; Wed, 11 Mar 2026 18:02:23 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1773241305; bh=IWzwU49V5a1A0MEg9tth+bQYl9/AuKMtjnmErL6ohqM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=BHvDwdqR/FbAMvohnpSMYGtY7UvVKnGd8xUPAENnuYmFdjF8Em6eFC2ejA9VNxp73 HrzkruMTYL4T5BmSeimrzA73HD3Gm3X2R7pmF66bXPpaG63MWvgBguPh7zrQsmIFTo ql3xmST2+wX2Dr84N3cVOoOty+IdQ75QvfmB3WgeK+wEW1HzKb32Doo/LKE1jqXJOx NykhDtP304+sPdOe6rAl5vuuPXx5+13t3jbsYajXo6upSmRQ6LnU1MfCnm7lEYTVTo JKfnEwxavroVIe1fcvVgzjw85jazdTygGB0FBsN/eLsC+jsj4LC6PjU1sPF/mh9QHv jOHc+55stAhMw== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Dmitry Guryanov , Hanna Czenczek , Kevin Wolf , Michael Tokarev Subject: [Stable-10.0.9 33/44] block/throttle-groups: fix deadlock with iolimits and muliple iothreads Date: Wed, 11 Mar 2026 18:02:05 +0300 Message-ID: <20260311150221.1084186-33-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -2 X-Spam_score: -0.3 X-Spam_bar: / X-Spam_report: (-0.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1773241707411158500 Content-Type: text/plain; charset="utf-8" From: Dmitry Guryanov Details: https://gitlab.com/qemu-project/qemu/-/issues/3144 The function schedule_next_request is called with tg->lock held and it may call throttle_group_co_restart_queue, which takes tgm->throttled_reqs_lock, qemu_co_mutex_lock may leave current coroutine if other iothread has taken the lock. If the next coroutine will call throttle_group_co_io_limits_intercept - it will try to take the mutex tg->lock which will never be released. Here is the backtrace of the iothread: Thread 30 (Thread 0x7f8aad1fd6c0 (LWP 24240) "IO iothread2"): #0 futex_wait (futex_word=3D0x5611adb7d828, expected=3D2, private=3D0) at= ../sysdeps/nptl/futex-internal.h:146 #1 __GI___lll_lock_wait (futex=3Dfutex@entry=3D0x5611adb7d828, private=3D= 0) at lowlevellock.c:49 #2 0x00007f8ab5a97501 in lll_mutex_lock_optimized (mutex=3D0x5611adb7d828= ) at pthread_mutex_lock.c:48 #3 ___pthread_mutex_lock (mutex=3D0x5611adb7d828) at pthread_mutex_lock.c= :93 #4 0x00005611823f5482 in qemu_mutex_lock_impl (mutex=3D0x5611adb7d828, fi= le=3D0x56118289daca "../block/throttle-groups.c", line=3D372) at ../util/qe= mu-thread-posix.c:94 #5 0x00005611822b0b39 in throttle_group_co_io_limits_intercept (tgm=3D0x5= 611af1bb4d8, bytes=3D4096, direction=3DTHROTTLE_READ) at ../block/throttle-= groups.c:372 #6 0x00005611822473b1 in blk_co_do_preadv_part (blk=3D0x5611af1bb490, off= set=3D15972311040, bytes=3D4096, qiov=3D0x7f8aa4000f98, qiov_offset=3D0, fl= ags=3DBDRV_REQ_REGISTERED_BUF) at ../block/block-backend.c:1354 #7 0x0000561182247fa0 in blk_aio_read_entry (opaque=3D0x7f8aa4005910) at = ../block/block-backend.c:1619 #8 0x000056118241952e in coroutine_trampoline (i0=3D-1543497424, i1=3D326= 50) at ../util/coroutine-ucontext.c:175 #9 0x00007f8ab5a56f70 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__sta= rt_context.S:66 from target:/lib64/libc.so.6 #10 0x00007f8aad1ef190 in ?? () #11 0x0000000000000000 in ?? () The lock is taken in line 386: (gdb) p tg.lock $1 =3D {lock =3D {__data =3D {__lock =3D 2, __count =3D 0, __owner =3D 2424= 0, __nusers =3D 1, __kind =3D 0, __spins =3D 0, __elision =3D 0, __list =3D= {__prev =3D 0x0, __next =3D 0x0}}, __size =3D "\002\000\000\000\000\000\000\000\260^\000\000\001", '\000' = , __align =3D 2}, file =3D 0x56118289daca "../block/throt= tle-groups.c", line =3D 386, initialized =3D true} The solution is to use tg->lock to protect both ThreadGroup fields and ThrottleGroupMember.throttled_reqs. It doesn't seem to be possible to use separate locks because we need to first manipulate ThrottleGroup fields, then schedule next coroutine using throttled_reqs and after than update token field from ThrottleGroup depending on the throttled_reqs state. Signed-off-by: Dmitry Guryanov Message-ID: <20251208085528.890098-1-dmitry.guryanov@gmail.com> Reviewed-by: Hanna Czenczek Signed-off-by: Kevin Wolf (cherry picked from commit d4816177654d59e26ce212c436513f01842eb410) Signed-off-by: Michael Tokarev diff --git a/block/throttle-groups.c b/block/throttle-groups.c index 32553b39e3..4385748bbf 100644 --- a/block/throttle-groups.c +++ b/block/throttle-groups.c @@ -295,19 +295,15 @@ static bool throttle_group_schedule_timer(ThrottleGro= upMember *tgm, /* Start the next pending I/O request for a ThrottleGroupMember. Return wh= ether * any request was actually pending. * + * This assumes that tg->lock is held. + * * @tgm: the current ThrottleGroupMember * @direction: the ThrottleDirection */ static bool coroutine_fn throttle_group_co_restart_queue(ThrottleGroupMemb= er *tgm, ThrottleDirection= direction) { - bool ret; - - qemu_co_mutex_lock(&tgm->throttled_reqs_lock); - ret =3D qemu_co_queue_next(&tgm->throttled_reqs[direction]); - qemu_co_mutex_unlock(&tgm->throttled_reqs_lock); - - return ret; + return qemu_co_queue_next(&tgm->throttled_reqs[direction]); } =20 /* Look for the next pending I/O request and schedule it. @@ -378,12 +374,8 @@ void coroutine_fn throttle_group_co_io_limits_intercep= t(ThrottleGroupMember *tgm /* Wait if there's a timer set or queued requests of this type */ if (must_wait || tgm->pending_reqs[direction]) { tgm->pending_reqs[direction]++; - qemu_mutex_unlock(&tg->lock); - qemu_co_mutex_lock(&tgm->throttled_reqs_lock); qemu_co_queue_wait(&tgm->throttled_reqs[direction], - &tgm->throttled_reqs_lock); - qemu_co_mutex_unlock(&tgm->throttled_reqs_lock); - qemu_mutex_lock(&tg->lock); + &tg->lock); tgm->pending_reqs[direction]--; } =20 @@ -410,15 +402,15 @@ static void coroutine_fn throttle_group_restart_queue= _entry(void *opaque) ThrottleDirection direction =3D data->direction; bool empty_queue; =20 + qemu_mutex_lock(&tg->lock); empty_queue =3D !throttle_group_co_restart_queue(tgm, direction); =20 /* If the request queue was empty then we have to take care of * scheduling the next one */ if (empty_queue) { - qemu_mutex_lock(&tg->lock); schedule_next_request(tgm, direction); - qemu_mutex_unlock(&tg->lock); } + qemu_mutex_unlock(&tg->lock); =20 g_free(data); =20 @@ -569,7 +561,6 @@ void throttle_group_register_tgm(ThrottleGroupMember *t= gm, read_timer_cb, write_timer_cb, tgm); - qemu_co_mutex_init(&tgm->throttled_reqs_lock); } =20 /* Unregister a ThrottleGroupMember from its group, removing it from the l= ist, diff --git a/include/block/throttle-groups.h b/include/block/throttle-group= s.h index 2355e8d9de..7dfc81f7b5 100644 --- a/include/block/throttle-groups.h +++ b/include/block/throttle-groups.h @@ -35,8 +35,7 @@ =20 typedef struct ThrottleGroupMember { AioContext *aio_context; - /* throttled_reqs_lock protects the CoQueues for throttled requests. = */ - CoMutex throttled_reqs_lock; + /* Protected by ThrottleGroup.lock */ CoQueue throttled_reqs[THROTTLE_MAX]; =20 /* Nonzero if the I/O limits are currently being ignored; generally --=20 2.47.3