From nobody Tue Apr 7 21:59:09 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773242026; cv=none; d=zohomail.com; s=zohoarc; b=FAwt5QxkgfjTX6IdaqVN/b1N5bvPvSpdmzphz0wWHIVkmWnGINQ4wt5NcAqG+Kr4WsHW21Pwtm4mIoBV7eMi9Y8KDgKBdNsDLXkVlIxbC4RjTdexU/2SPWoGEvTSORiqnordBg0yYMSAwKNNRcjNdAsEb+OfAEvLsjcJjmpjCCc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773242026; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=k5cTb7UXGWAliksi+kRjSyJnKdFxAlUQlISTmgdJ5ow=; b=Ki9azp0EEbM9bMl8y4S8Z1BIISPvgyUzZHNhbj7Qg2y8yATgv+018eKOEV/JUV8d/nH6aiyJ8ZM1Pp2Zgf08rli2LxOHFbL8K1aM9IK/krpeaLucdjI/EQw9aSMyVuHvebRfAnZ180KHil7GbD/lzey1MVeVmoFh5x7jjxXSgDg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773242026737325.29006764502697; Wed, 11 Mar 2026 08:13:46 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w0LDy-0005pr-Gi; Wed, 11 Mar 2026 11:11:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1w0LCH-0002oo-8n; Wed, 11 Mar 2026 11:10:06 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1w0LCF-0005q8-AQ; Wed, 11 Mar 2026 11:10:05 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 8F0CA191EA6; Wed, 11 Mar 2026 18:04:43 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 74CC337C2E7; Wed, 11 Mar 2026 18:05:21 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1773241483; bh=UGBbBxhOn8DTGsq59K6g9NwOYbkKfELTilKfS+WEXZI=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=EzwrkR56/40pnSSfQv2XlYk5u4DyCH6Yto9kdrLVBxoY29v3s1ZxjyIDj3VopMWqj klTo9QmXqpCLs6EY12uFqH4HgriLfSZnC293KejA/ovInkBJivDTF+M1c1dwxmTV6k G550kPvAEA6uAUZ/kzGqed/uWu6ep3CSVjTd9i6HvpXZ1B42FoA+1zxww1EDX9UTSE 2uSEnKX42Q02EJfv8h29GzNUhfs5WOvTdp/tbHYtmvRzwfVplH33NVlP9QCMHLjYxb Yl9L+Qw9t8yfVvtnNUMImOOziDYcWvAL1DcuLHw/JGaf2Z2+f1lVey+KsmeidoQOSR ie/bDXpbcqDew== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Dmitry Guryanov , Hanna Czenczek , Kevin Wolf , Michael Tokarev Subject: [Stable-10.1.5 35/46] block/throttle-groups: fix deadlock with iolimits and muliple iothreads Date: Wed, 11 Mar 2026 18:03:11 +0300 Message-ID: <20260311150327.1084669-35-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -2 X-Spam_score: -0.3 X-Spam_bar: / X-Spam_report: (-0.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1773242027762158500 Content-Type: text/plain; charset="utf-8" From: Dmitry Guryanov Details: https://gitlab.com/qemu-project/qemu/-/issues/3144 The function schedule_next_request is called with tg->lock held and it may call throttle_group_co_restart_queue, which takes tgm->throttled_reqs_lock, qemu_co_mutex_lock may leave current coroutine if other iothread has taken the lock. If the next coroutine will call throttle_group_co_io_limits_intercept - it will try to take the mutex tg->lock which will never be released. Here is the backtrace of the iothread: Thread 30 (Thread 0x7f8aad1fd6c0 (LWP 24240) "IO iothread2"): #0 futex_wait (futex_word=3D0x5611adb7d828, expected=3D2, private=3D0) at= ../sysdeps/nptl/futex-internal.h:146 #1 __GI___lll_lock_wait (futex=3Dfutex@entry=3D0x5611adb7d828, private=3D= 0) at lowlevellock.c:49 #2 0x00007f8ab5a97501 in lll_mutex_lock_optimized (mutex=3D0x5611adb7d828= ) at pthread_mutex_lock.c:48 #3 ___pthread_mutex_lock (mutex=3D0x5611adb7d828) at pthread_mutex_lock.c= :93 #4 0x00005611823f5482 in qemu_mutex_lock_impl (mutex=3D0x5611adb7d828, fi= le=3D0x56118289daca "../block/throttle-groups.c", line=3D372) at ../util/qe= mu-thread-posix.c:94 #5 0x00005611822b0b39 in throttle_group_co_io_limits_intercept (tgm=3D0x5= 611af1bb4d8, bytes=3D4096, direction=3DTHROTTLE_READ) at ../block/throttle-= groups.c:372 #6 0x00005611822473b1 in blk_co_do_preadv_part (blk=3D0x5611af1bb490, off= set=3D15972311040, bytes=3D4096, qiov=3D0x7f8aa4000f98, qiov_offset=3D0, fl= ags=3DBDRV_REQ_REGISTERED_BUF) at ../block/block-backend.c:1354 #7 0x0000561182247fa0 in blk_aio_read_entry (opaque=3D0x7f8aa4005910) at = ../block/block-backend.c:1619 #8 0x000056118241952e in coroutine_trampoline (i0=3D-1543497424, i1=3D326= 50) at ../util/coroutine-ucontext.c:175 #9 0x00007f8ab5a56f70 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__sta= rt_context.S:66 from target:/lib64/libc.so.6 #10 0x00007f8aad1ef190 in ?? () #11 0x0000000000000000 in ?? () The lock is taken in line 386: (gdb) p tg.lock $1 =3D {lock =3D {__data =3D {__lock =3D 2, __count =3D 0, __owner =3D 2424= 0, __nusers =3D 1, __kind =3D 0, __spins =3D 0, __elision =3D 0, __list =3D= {__prev =3D 0x0, __next =3D 0x0}}, __size =3D "\002\000\000\000\000\000\000\000\260^\000\000\001", '\000' = , __align =3D 2}, file =3D 0x56118289daca "../block/throt= tle-groups.c", line =3D 386, initialized =3D true} The solution is to use tg->lock to protect both ThreadGroup fields and ThrottleGroupMember.throttled_reqs. It doesn't seem to be possible to use separate locks because we need to first manipulate ThrottleGroup fields, then schedule next coroutine using throttled_reqs and after than update token field from ThrottleGroup depending on the throttled_reqs state. Signed-off-by: Dmitry Guryanov Message-ID: <20251208085528.890098-1-dmitry.guryanov@gmail.com> Reviewed-by: Hanna Czenczek Signed-off-by: Kevin Wolf (cherry picked from commit d4816177654d59e26ce212c436513f01842eb410) Signed-off-by: Michael Tokarev diff --git a/block/throttle-groups.c b/block/throttle-groups.c index 66fdce9a90..5329ff1fdb 100644 --- a/block/throttle-groups.c +++ b/block/throttle-groups.c @@ -295,19 +295,15 @@ static bool throttle_group_schedule_timer(ThrottleGro= upMember *tgm, /* Start the next pending I/O request for a ThrottleGroupMember. Return wh= ether * any request was actually pending. * + * This assumes that tg->lock is held. + * * @tgm: the current ThrottleGroupMember * @direction: the ThrottleDirection */ static bool coroutine_fn throttle_group_co_restart_queue(ThrottleGroupMemb= er *tgm, ThrottleDirection= direction) { - bool ret; - - qemu_co_mutex_lock(&tgm->throttled_reqs_lock); - ret =3D qemu_co_queue_next(&tgm->throttled_reqs[direction]); - qemu_co_mutex_unlock(&tgm->throttled_reqs_lock); - - return ret; + return qemu_co_queue_next(&tgm->throttled_reqs[direction]); } =20 /* Look for the next pending I/O request and schedule it. @@ -378,12 +374,8 @@ void coroutine_fn throttle_group_co_io_limits_intercep= t(ThrottleGroupMember *tgm /* Wait if there's a timer set or queued requests of this type */ if (must_wait || tgm->pending_reqs[direction]) { tgm->pending_reqs[direction]++; - qemu_mutex_unlock(&tg->lock); - qemu_co_mutex_lock(&tgm->throttled_reqs_lock); qemu_co_queue_wait(&tgm->throttled_reqs[direction], - &tgm->throttled_reqs_lock); - qemu_co_mutex_unlock(&tgm->throttled_reqs_lock); - qemu_mutex_lock(&tg->lock); + &tg->lock); tgm->pending_reqs[direction]--; } =20 @@ -410,15 +402,15 @@ static void coroutine_fn throttle_group_restart_queue= _entry(void *opaque) ThrottleDirection direction =3D data->direction; bool empty_queue; =20 + qemu_mutex_lock(&tg->lock); empty_queue =3D !throttle_group_co_restart_queue(tgm, direction); =20 /* If the request queue was empty then we have to take care of * scheduling the next one */ if (empty_queue) { - qemu_mutex_lock(&tg->lock); schedule_next_request(tgm, direction); - qemu_mutex_unlock(&tg->lock); } + qemu_mutex_unlock(&tg->lock); =20 g_free(data); =20 @@ -569,7 +561,6 @@ void throttle_group_register_tgm(ThrottleGroupMember *t= gm, read_timer_cb, write_timer_cb, tgm); - qemu_co_mutex_init(&tgm->throttled_reqs_lock); } =20 /* Unregister a ThrottleGroupMember from its group, removing it from the l= ist, diff --git a/include/block/throttle-groups.h b/include/block/throttle-group= s.h index 2355e8d9de..7dfc81f7b5 100644 --- a/include/block/throttle-groups.h +++ b/include/block/throttle-groups.h @@ -35,8 +35,7 @@ =20 typedef struct ThrottleGroupMember { AioContext *aio_context; - /* throttled_reqs_lock protects the CoQueues for throttled requests. = */ - CoMutex throttled_reqs_lock; + /* Protected by ThrottleGroup.lock */ CoQueue throttled_reqs[THROTTLE_MAX]; =20 /* Nonzero if the I/O limits are currently being ignored; generally --=20 2.47.3