[RFC,v2,05/14] block/mirror.c: use of job helpers in drivers to avoid TOC/TOU

Message ID	20211104145334.1346363-6-eesposit@redhat.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=RL9U=PX=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 70973611C4 From: Emanuele Giuseppe Esposito <eesposit@redhat.com> To: qemu-block@nongnu.org Subject: [RFC PATCH v2 05/14] block/mirror.c: use of job helpers in drivers to avoid TOC/TOU Date: Thu, 4 Nov 2021 10:53:25 -0400 Message-Id: <20211104145334.1346363-6-eesposit@redhat.com> In-Reply-To: <20211104145334.1346363-1-eesposit@redhat.com> References: <20211104145334.1346363-1-eesposit@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Received-SPF: pass client-ip=170.10.133.124; envelope-from=eesposit@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -33 X-Spam_score: -3.4 X-Spam_bar: --- X-Spam_report: (-3.4 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.648, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action Precedence: list Cc: Kevin Wolf <kwolf@redhat.com>, Fam Zheng <fam@euphon.net>, Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>, Wen Congyang <wencongyang2@huawei.com>, Xie Changlong <xiechanglong.d@gmail.com>, Emanuele Giuseppe Esposito <eesposit@redhat.com>, Markus Armbruster <armbru@redhat.com>, qemu-devel@nongnu.org, Hanna Reitz <hreitz@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, John Snow <jsnow@redhat.com> Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	job: replace AioContext lock with job_mutex \| expand [RFC,v2,00/14] job: replace AioContext lock with job_mutex [RFC,v2,01/14] job.c: make job_lock/unlock public [RFC,v2,02/14] job.h: categorize fields in struct Job [RFC,v2,03/14] job.h: define locked functions [RFC,v2,04/14] job.h: define unlocked functions [RFC,v2,05/14] block/mirror.c: use of job helpers in drivers to avoid TOC/TOU [RFC,v2,06/14] job.c: make job_event_* functions static [RFC,v2,07/14] job.c: move inner aiocontext lock in callbacks [RFC,v2,08/14] aio-wait.h: introduce AIO_WAIT_WHILE_UNLOCKED [RFC,v2,09/14] jobs: remove aiocontext locks since the functions are under BQL [RFC,v2,10/14] jobs: protect jobs with job_lock/unlock [RFC,v2,11/14] block_job_query: remove atomic read [RFC,v2,12/14] jobs: use job locks and helpers also in the unit tests [RFC,v2,13/14] jobs: add job lock in find_* functions [RFC,v2,14/14] job.c: enable job lock/unlock and remove Aiocontext locks

Message ID

20211104145334.1346363-6-eesposit@redhat.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 70973611C4
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
To: qemu-block@nongnu.org
Subject: [RFC PATCH v2 05/14] block/mirror.c: use of job helpers in drivers to
 avoid TOC/TOU
Date: Thu,  4 Nov 2021 10:53:25 -0400
Message-Id: <20211104145334.1346363-6-eesposit@redhat.com>
In-Reply-To: <20211104145334.1346363-1-eesposit@redhat.com>
References: <20211104145334.1346363-1-eesposit@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"
Received-SPF: pass client-ip=170.10.133.124;
 envelope-from=eesposit@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com
X-Spam_score_int: -33
X-Spam_score: -3.4
X-Spam_bar: ---
X-Spam_report: (-3.4 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.648,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Kevin Wolf <kwolf@redhat.com>, Fam Zheng <fam@euphon.net>,
 Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>,
 Wen Congyang <wencongyang2@huawei.com>,
 Xie Changlong <xiechanglong.d@gmail.com>,
 Emanuele Giuseppe Esposito <eesposit@redhat.com>,
 Markus Armbruster <armbru@redhat.com>, qemu-devel@nongnu.org,
 Hanna Reitz <hreitz@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>,
 Paolo Bonzini <pbonzini@redhat.com>, John Snow <jsnow@redhat.com>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>

Series

job: replace AioContext lock with job_mutex | expand

Commit Message

Emanuele Giuseppe Esposito Nov. 4, 2021, 2:53 p.m. UTC

Once job lock is used and aiocontext is removed, mirror has
to perform job operations under the same critical section,
using the helpers prepared in previous commit.

Note: at this stage, job_{lock/unlock} and job lock guard macros
are *nop*.

Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
---
 block/mirror.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

Comments

Vladimir Sementsov-Ogievskiy Dec. 18, 2021, 11:53 a.m. UTC | #1

04.11.2021 17:53, Emanuele Giuseppe Esposito wrote:
> Once job lock is used and aiocontext is removed, mirror has
> to perform job operations under the same critical section,
> using the helpers prepared in previous commit.
> 
> Note: at this stage, job_{lock/unlock} and job lock guard macros
> are *nop*.
> 
> Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
> ---
>   block/mirror.c | 8 +++-----
>   1 file changed, 3 insertions(+), 5 deletions(-)
> 
> diff --git a/block/mirror.c b/block/mirror.c
> index 00089e519b..f22fa7da6e 100644
> --- a/block/mirror.c
> +++ b/block/mirror.c
> @@ -653,7 +653,7 @@ static int mirror_exit_common(Job *job)
>       BlockDriverState *target_bs;
>       BlockDriverState *mirror_top_bs;
>       Error *local_err = NULL;
> -    bool abort = job->ret < 0;
> +    bool abort = job_has_failed(job);
>       int ret = 0;
>   
>       if (s->prepared) {
> @@ -1161,9 +1161,7 @@ static void mirror_complete(Job *job, Error **errp)
>       s->should_complete = true;
>   
>       /* If the job is paused, it will be re-entered when it is resumed */
> -    if (!job->paused) {
> -        job_enter(job);
> -    }
> +    job_enter_not_paused(job);
>   }
>   
>   static void coroutine_fn mirror_pause(Job *job)
> @@ -1182,7 +1180,7 @@ static bool mirror_drained_poll(BlockJob *job)
>        * from one of our own drain sections, to avoid a deadlock waiting for
>        * ourselves.
>        */
> -    if (!s->common.job.paused && !job_is_cancelled(&job->job) && !s->in_drain) {
> +    if (job_not_paused_nor_cancelled(&s->common.job) && !s->in_drain) {
>           return true;
>       }
>   
> 

Why to introduce a separate API function for every use case?

Could we instead just use WITH_JOB_LOCK_GUARD() ?

Emanuele Giuseppe Esposito Dec. 20, 2021, 10:34 a.m. UTC | #2

On 18/12/2021 12:53, Vladimir Sementsov-Ogievskiy wrote:
> 04.11.2021 17:53, Emanuele Giuseppe Esposito wrote:
>> Once job lock is used and aiocontext is removed, mirror has
>> to perform job operations under the same critical section,
>> using the helpers prepared in previous commit.
>>
>> Note: at this stage, job_{lock/unlock} and job lock guard macros
>> are *nop*.
>>
>> Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
>> ---
>>   block/mirror.c | 8 +++-----
>>   1 file changed, 3 insertions(+), 5 deletions(-)
>>
>> diff --git a/block/mirror.c b/block/mirror.c
>> index 00089e519b..f22fa7da6e 100644
>> --- a/block/mirror.c
>> +++ b/block/mirror.c
>> @@ -653,7 +653,7 @@ static int mirror_exit_common(Job *job)
>>       BlockDriverState *target_bs;
>>       BlockDriverState *mirror_top_bs;
>>       Error *local_err = NULL;
>> -    bool abort = job->ret < 0;
>> +    bool abort = job_has_failed(job);
>>       int ret = 0;
>>       if (s->prepared) {
>> @@ -1161,9 +1161,7 @@ static void mirror_complete(Job *job, Error **errp)
>>       s->should_complete = true;
>>       /* If the job is paused, it will be re-entered when it is 
>> resumed */
>> -    if (!job->paused) {
>> -        job_enter(job);
>> -    }
>> +    job_enter_not_paused(job);
>>   }
>>   static void coroutine_fn mirror_pause(Job *job)
>> @@ -1182,7 +1180,7 @@ static bool mirror_drained_poll(BlockJob *job)
>>        * from one of our own drain sections, to avoid a deadlock 
>> waiting for
>>        * ourselves.
>>        */
>> -    if (!s->common.job.paused && !job_is_cancelled(&job->job) && 
>> !s->in_drain) {
>> +    if (job_not_paused_nor_cancelled(&s->common.job) && !s->in_drain) {
>>           return true;
>>       }
>>
> 
> Why to introduce a separate API function for every use case?
> 
> Could we instead just use WITH_JOB_LOCK_GUARD() ?
> 

This implies making the struct job_mutex public. Is that ok for you?

Thank you,
Emanuele

Vladimir Sementsov-Ogievskiy Dec. 20, 2021, 10:47 a.m. UTC | #3

20.12.2021 13:34, Emanuele Giuseppe Esposito wrote:
> 
> 
> On 18/12/2021 12:53, Vladimir Sementsov-Ogievskiy wrote:
>> 04.11.2021 17:53, Emanuele Giuseppe Esposito wrote:
>>> Once job lock is used and aiocontext is removed, mirror has
>>> to perform job operations under the same critical section,
>>> using the helpers prepared in previous commit.
>>>
>>> Note: at this stage, job_{lock/unlock} and job lock guard macros
>>> are *nop*.
>>>
>>> Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
>>> ---
>>>   block/mirror.c | 8 +++-----
>>>   1 file changed, 3 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/block/mirror.c b/block/mirror.c
>>> index 00089e519b..f22fa7da6e 100644
>>> --- a/block/mirror.c
>>> +++ b/block/mirror.c
>>> @@ -653,7 +653,7 @@ static int mirror_exit_common(Job *job)
>>>       BlockDriverState *target_bs;
>>>       BlockDriverState *mirror_top_bs;
>>>       Error *local_err = NULL;
>>> -    bool abort = job->ret < 0;
>>> +    bool abort = job_has_failed(job);
>>>       int ret = 0;
>>>       if (s->prepared) {
>>> @@ -1161,9 +1161,7 @@ static void mirror_complete(Job *job, Error **errp)
>>>       s->should_complete = true;
>>>       /* If the job is paused, it will be re-entered when it is resumed */
>>> -    if (!job->paused) {
>>> -        job_enter(job);
>>> -    }
>>> +    job_enter_not_paused(job);
>>>   }
>>>   static void coroutine_fn mirror_pause(Job *job)
>>> @@ -1182,7 +1180,7 @@ static bool mirror_drained_poll(BlockJob *job)
>>>        * from one of our own drain sections, to avoid a deadlock waiting for
>>>        * ourselves.
>>>        */
>>> -    if (!s->common.job.paused && !job_is_cancelled(&job->job) && !s->in_drain) {
>>> +    if (job_not_paused_nor_cancelled(&s->common.job) && !s->in_drain) {
>>>           return true;
>>>       }
>>>
>>
>> Why to introduce a separate API function for every use case?
>>
>> Could we instead just use WITH_JOB_LOCK_GUARD() ?
>>
> 
> This implies making the struct job_mutex public. Is that ok for you?
> 

Yes, I think it's OK.

Alternatively, you can use job_lock() / job_unlock(), or even rewrite WITH_JOB_LOCK_GUARD() macro using job_lock/job_unlock, to keep mutex private.. But I don't think it really worth it now.

Note that struct Job is already public, so if we'll use per-job mutex in future it still is not a problem. Only when we decide to make struct Job private, we'll have to decide something about JOB_LOCK_GUARD(), and at this point we'll just rewrite it to work through some helper function instead of directly touching the mutex.

Emanuele Giuseppe Esposito Dec. 23, 2021, 11:37 a.m. UTC | #4

On 20/12/2021 11:47, Vladimir Sementsov-Ogievskiy wrote:
> 20.12.2021 13:34, Emanuele Giuseppe Esposito wrote:
>>
>>
>> On 18/12/2021 12:53, Vladimir Sementsov-Ogievskiy wrote:
>>> 04.11.2021 17:53, Emanuele Giuseppe Esposito wrote:
>>>> Once job lock is used and aiocontext is removed, mirror has
>>>> to perform job operations under the same critical section,
>>>> using the helpers prepared in previous commit.
>>>>
>>>> Note: at this stage, job_{lock/unlock} and job lock guard macros
>>>> are *nop*.
>>>>
>>>> Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
>>>> ---
>>>>   block/mirror.c | 8 +++-----
>>>>   1 file changed, 3 insertions(+), 5 deletions(-)
>>>>
>>>> diff --git a/block/mirror.c b/block/mirror.c
>>>> index 00089e519b..f22fa7da6e 100644
>>>> --- a/block/mirror.c
>>>> +++ b/block/mirror.c
>>>> @@ -653,7 +653,7 @@ static int mirror_exit_common(Job *job)
>>>>       BlockDriverState *target_bs;
>>>>       BlockDriverState *mirror_top_bs;
>>>>       Error *local_err = NULL;
>>>> -    bool abort = job->ret < 0;
>>>> +    bool abort = job_has_failed(job);
>>>>       int ret = 0;
>>>>       if (s->prepared) {
>>>> @@ -1161,9 +1161,7 @@ static void mirror_complete(Job *job, Error 
>>>> **errp)
>>>>       s->should_complete = true;
>>>>       /* If the job is paused, it will be re-entered when it is 
>>>> resumed */
>>>> -    if (!job->paused) {
>>>> -        job_enter(job);
>>>> -    }
>>>> +    job_enter_not_paused(job);
>>>>   }
>>>>   static void coroutine_fn mirror_pause(Job *job)
>>>> @@ -1182,7 +1180,7 @@ static bool mirror_drained_poll(BlockJob *job)
>>>>        * from one of our own drain sections, to avoid a deadlock 
>>>> waiting for
>>>>        * ourselves.
>>>>        */
>>>> -    if (!s->common.job.paused && !job_is_cancelled(&job->job) && 
>>>> !s->in_drain) {
>>>> +    if (job_not_paused_nor_cancelled(&s->common.job) && 
>>>> !s->in_drain) {
>>>>           return true;
>>>>       }
>>>>
>>>
>>> Why to introduce a separate API function for every use case?
>>>
>>> Could we instead just use WITH_JOB_LOCK_GUARD() ?
>>>
>>
>> This implies making the struct job_mutex public. Is that ok for you?
>>
> 
> Yes, I think it's OK.
> 
> Alternatively, you can use job_lock() / job_unlock(), or even rewrite 
> WITH_JOB_LOCK_GUARD() macro using job_lock/job_unlock, to keep mutex 
> private.. But I don't think it really worth it now.
> 
> Note that struct Job is already public, so if we'll use per-job mutex in 
> future it still is not a problem. Only when we decide to make struct Job 
> private, we'll have to decide something about JOB_LOCK_GUARD(), and at 
> this point we'll just rewrite it to work through some helper function 
> instead of directly touching the mutex.
> 
> 

Ok I will do that. Just FYI the initial idea was that drivers like 
monitor would not need to know about job_mutex lock, that is why I made 
the helpers in mirror.c.

Thank you,
Emanuele

diff --git a/block/mirror.c b/block/mirror.c
index 00089e519b..f22fa7da6e 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -653,7 +653,7 @@  static int mirror_exit_common(Job *job)
     BlockDriverState *target_bs;
     BlockDriverState *mirror_top_bs;
     Error *local_err = NULL;
-    bool abort = job->ret < 0;
+    bool abort = job_has_failed(job);
     int ret = 0;
 
     if (s->prepared) {
@@ -1161,9 +1161,7 @@  static void mirror_complete(Job *job, Error **errp)
     s->should_complete = true;
 
     /* If the job is paused, it will be re-entered when it is resumed */
-    if (!job->paused) {
-        job_enter(job);
-    }
+    job_enter_not_paused(job);
 }
 
 static void coroutine_fn mirror_pause(Job *job)
@@ -1182,7 +1180,7 @@  static bool mirror_drained_poll(BlockJob *job)
      * from one of our own drain sections, to avoid a deadlock waiting for
      * ourselves.
      */
-    if (!s->common.job.paused && !job_is_cancelled(&job->job) && !s->in_drain) {
+    if (job_not_paused_nor_cancelled(&s->common.job) && !s->in_drain) {
         return true;
     }

[RFC,v2,05/14] block/mirror.c: use of job helpers in drivers to avoid TOC/TOU

Commit Message

Comments

Patch