1 /*
2 * QEMU System Emulator
4 * Copyright (c) 2003-2008 Fabrice Bellard
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 * THE SOFTWARE.
25 #include "qemu/osdep.h"
26 #include "qapi/error.h"
27 #include "qemu-common.h"
28 #include "block/aio.h"
29 #include "block/thread-pool.h"
30 #include "qemu/main-loop.h"
31 #include "qemu/atomic.h"
33 /***********************************************************/
34 /* bottom halves (can be seen as timers which expire ASAP) */
/* A bottom half: a callback that runs "as soon as possible" from
 * aio_bh_poll() on its AioContext.  Nodes live on the singly linked list
 * headed by ctx->first_bh, which is written under ctx->bh_lock but walked
 * lock-free by aio_bh_poll(), hence the barriers around list updates.
 */
struct QEMUBH {
    AioContext *ctx;        /* context whose first_bh list this node is on */
    QEMUBHFunc *cb;         /* invoked by aio_bh_call() */
    void *opaque;           /* argument handed to cb */
    QEMUBH *next;           /* next node in ctx->first_bh list */
    bool scheduled;         /* set by qemu_bh_schedule*(), claimed by aio_bh_poll() via atomic_xchg */
    bool idle;              /* idle BHs do not count as progress and only bound the poll timeout */
    bool deleted;           /* set by qemu_bh_delete(); node freed later by aio_bh_poll()/aio_ctx_finalize() */
};
/* Allocate a bottom half bound to @ctx and link it at the head of
 * ctx->first_bh.  @cb is invoked with @opaque when the BH runs.  The new
 * BH starts out unscheduled, non-idle and not deleted.  Ownership stays
 * with the caller until qemu_bh_delete() is called.
 */
QEMUBH *aio_bh_new(AioContext *ctx, QEMUBHFunc *cb, void *opaque)
{
    /* Zeroed allocation: next/scheduled/idle/deleted all start clear. */
    QEMUBH *bh = g_new0(QEMUBH, 1);

    bh->ctx = ctx;
    bh->cb = cb;
    bh->opaque = opaque;

    qemu_mutex_lock(&ctx->bh_lock);
    bh->next = ctx->first_bh;
    /* Publish the fully initialised node before it becomes reachable:
     * aio_bh_poll() walks ctx->first_bh without taking bh_lock. */
    smp_wmb();
    ctx->first_bh = bh;
    qemu_mutex_unlock(&ctx->bh_lock);

    return bh;
}
/* Invoke the bottom half's callback with its opaque argument. */
void aio_bh_call(QEMUBH *bh)
{
    QEMUBHFunc *cb = bh->cb;

    cb(bh->opaque);
}
/* Multiple occurrences of aio_bh_poll cannot be called concurrently */
/* Run, once each, every bottom half on @ctx that is scheduled and not
 * deleted.  Returns 1 if at least one non-idle BH other than
 * ctx->notify_dummy_bh ran ("made progress"), 0 otherwise.
 *
 * The list is walked without bh_lock.  Deleted nodes are only unlinked and
 * freed once walking_bh drops to zero, so a BH that is deleted while a walk
 * is in progress (for example from its own callback, or from a nested poll)
 * is never freed underneath a walker still holding @next.
 */
int aio_bh_poll(AioContext *ctx)
{
    QEMUBH *bh, **bhp, *next;
    int ret;

    /* Nested polls increment this too; frees are deferred until it is 0. */
    ctx->walking_bh++;

    ret = 0;
    for (bh = ctx->first_bh; bh; bh = next) {
        /* Make sure that fetching bh happens before accessing its members */
        smp_read_barrier_depends();
        next = bh->next;
        /* The atomic_xchg is paired with the one in qemu_bh_schedule. The
         * implicit memory barrier ensures that the callback sees all writes
         * done by the scheduling thread. It also ensures that the scheduling
         * thread sees the zero before bh->cb has run, and thus will call
         * aio_notify again if necessary.
         */
        if (!bh->deleted && atomic_xchg(&bh->scheduled, 0)) {
            /* Idle BHs and the notify BH don't count as progress */
            if (!bh->idle && bh != ctx->notify_dummy_bh) {
                ret = 1;
            }
            /* Cleared before the callback runs; a qemu_bh_schedule_idle()
             * from inside cb sets it again. */
            bh->idle = 0;
            aio_bh_call(bh);
        }
    }

    ctx->walking_bh--;

    /* remove deleted bhs */
    if (!ctx->walking_bh) {
        qemu_mutex_lock(&ctx->bh_lock);
        bhp = &ctx->first_bh;
        while (*bhp) {
            bh = *bhp;
            if (bh->deleted) {
                *bhp = bh->next;
                g_free(bh);
            } else {
                bhp = &bh->next;
            }
        }
        qemu_mutex_unlock(&ctx->bh_lock);
    }

    return ret;
}
/* Schedule @bh as an idle bottom half.  It still runs from aio_bh_poll(),
 * but does not count as progress and merely bounds aio_compute_timeout()
 * to the idle poll interval.  Unlike qemu_bh_schedule() this does not call
 * aio_notify(), so no event-loop wakeup is issued here.
 */
void qemu_bh_schedule_idle(QEMUBH *bh)
{
    bh->idle = 1;
    /* Make sure that idle & any writes needed by the callback are done
     * before the locations are read in the aio_bh_poll.
     */
    atomic_mb_set(&bh->scheduled, 1);
}
/* Schedule @bh as a non-idle bottom half and, if it was not already
 * scheduled, wake its AioContext via aio_notify().  @ctx is copied out
 * before the xchg because once scheduled the callback has a chance to run
 * and @bh must not be dereferenced afterwards (see point 2 below).
 */
void qemu_bh_schedule(QEMUBH *bh)
{
    AioContext *ctx;

    ctx = bh->ctx;
    bh->idle = 0;
    /* The memory barrier implicit in atomic_xchg makes sure that:
     * 1. idle & any writes needed by the callback are done before the
     * locations are read in the aio_bh_poll.
     * 2. ctx is loaded before scheduled is set and the callback has a chance
     * to execute.
     */
    if (atomic_xchg(&bh->scheduled, 1) == 0) {
        aio_notify(ctx);
    }
}
/* This func is async.  It only clears bh->scheduled: a concurrent
 * aio_bh_poll() that has already claimed the BH through atomic_xchg will
 * still invoke the callback, so callers must not assume the callback cannot
 * run after this returns.
 */
void qemu_bh_cancel(QEMUBH *bh)
{
    bh->scheduled = 0;
}
/* This func is async.The bottom half will do the delete action at the finial
 * end.  The node is unlinked and freed by aio_bh_poll() once no poll is
 * walking the list, or by aio_ctx_finalize().  Callers must drop their
 * pointer after this call.  Note that aio_bh_poll() checks bh->deleted
 * before the atomic_xchg on bh->scheduled, so a poll that passed that check
 * just before this call may still run the callback once more.
 */
void qemu_bh_delete(QEMUBH *bh)
{
    bh->scheduled = 0;
    bh->deleted = 1;
}
/* Compute how long (in ns) the event loop may block on @ctx: 0 if a
 * non-idle bottom half is runnable or a timer is already due, otherwise
 * the soonest of the timer deadline and the idle poll interval (the latter
 * only if some idle BH is scheduled).  Returns the same encoding as
 * qemu_soonest_timeout(): -1 means "no timeout".
 */
int64_t
aio_compute_timeout(AioContext *ctx)
{
    /* Idle bottom halves are polled at least every 10ms. */
    const int idle_poll_ns = 10000000;
    int timeout = -1;
    int64_t deadline;
    QEMUBH *bh;

    for (bh = ctx->first_bh; bh != NULL; bh = bh->next) {
        if (bh->deleted || !bh->scheduled) {
            continue;
        }
        if (!bh->idle) {
            /* A runnable non-idle BH: do not block at all. */
            return 0;
        }
        timeout = idle_poll_ns;
    }

    deadline = timerlistgroup_deadline_ns(&ctx->tlg);
    if (deadline == 0) {
        return 0;
    }
    return qemu_soonest_timeout(timeout, deadline);
}
/* GSource prepare hook: announce an upcoming poll on @ctx and report the
 * timeout (in ms) glib may block for.  Returns TRUE when the source is
 * already ready (timeout 0).
 */
static gboolean
aio_ctx_prepare(GSource *source, gint *timeout)
{
    AioContext *ctx = (AioContext *) source;

    /* Tell aio_notify() a poll is pending so it kicks the event notifier;
     * aio_ctx_check() clears the bit again. */
    atomic_or(&ctx->notify_me, 1);

    /* We assume there is no timeout already supplied */
    *timeout = qemu_timeout_ns_to_ms(aio_compute_timeout(ctx));

    if (aio_prepare(ctx)) {
        *timeout = 0;
        return true;
    }
    return *timeout == 0;
}
/* GSource check hook: withdraw the notify_me announcement made in
 * aio_ctx_prepare(), consume any pending wakeup, and report whether there
 * is work to dispatch (a scheduled live BH, pending AIO, or a due timer).
 */
static gboolean
aio_ctx_check(GSource *source)
{
    AioContext *ctx = (AioContext *) source;
    QEMUBH *bh;

    atomic_and(&ctx->notify_me, ~1);
    aio_notify_accept(ctx);

    bh = ctx->first_bh;
    while (bh != NULL) {
        if (!bh->deleted && bh->scheduled) {
            return true;
        }
        bh = bh->next;
    }
    return aio_pending(ctx) || timerlistgroup_deadline_ns(&ctx->tlg) == 0;
}
/* GSource dispatch hook: run ready handlers on @source.  No glib-level
 * callback is ever attached to this source, hence the assertion.
 */
static gboolean
aio_ctx_dispatch(GSource *source,
                 GSourceFunc callback,
                 gpointer user_data)
{
    assert(!callback);
    aio_dispatch((AioContext *) source);
    return true;
}
/* GSource finalize hook: tear down @source's AioContext.  Every bottom
 * half must already have been marked deleted (qemu_bh_delete()); a live BH
 * here would become a dangling pointer once freed, so it is asserted on.
 */
static void
aio_ctx_finalize(GSource *source)
{
    AioContext *ctx = (AioContext *) source;
    QEMUBH *bh, *next;

    qemu_bh_delete(ctx->notify_dummy_bh);
    thread_pool_free(ctx->thread_pool);

    qemu_mutex_lock(&ctx->bh_lock);
    for (bh = ctx->first_bh; bh != NULL; bh = next) {
        next = bh->next;

        /* qemu_bh_delete() must have been called on BHs in this AioContext */
        assert(bh->deleted);

        g_free(bh);
        ctx->first_bh = next;
    }
    qemu_mutex_unlock(&ctx->bh_lock);

    aio_set_event_notifier(ctx, &ctx->notifier, false, NULL);
    event_notifier_cleanup(&ctx->notifier);
    rfifolock_destroy(&ctx->lock);
    qemu_mutex_destroy(&ctx->bh_lock);
    timerlistgroup_deinit(&ctx->tlg);
}
/* GSource vtable that plugs an AioContext into the glib main loop. */
static GSourceFuncs aio_source_funcs = {
    .prepare  = aio_ctx_prepare,
    .check    = aio_ctx_check,
    .dispatch = aio_ctx_dispatch,
    .finalize = aio_ctx_finalize,
};
/* Return @ctx's GSource with an extra reference; the caller owns that
 * reference and must g_source_unref() it.
 */
GSource *aio_get_g_source(AioContext *ctx)
{
    GSource *src = &ctx->source;

    g_source_ref(src);
    return src;
}
/* Return @ctx's thread pool, creating it on first use.  The pool is owned
 * by the context and released in aio_ctx_finalize().
 */
ThreadPool *aio_get_thread_pool(AioContext *ctx)
{
    ThreadPool *pool = ctx->thread_pool;

    if (pool == NULL) {
        pool = thread_pool_new(ctx);
        ctx->thread_pool = pool;
    }
    return pool;
}
/* Wake whoever may be blocked polling @ctx.  The event notifier is only
 * kicked when a poll has been announced through ctx->notify_me
 * (aio_ctx_prepare(), or aio_poll per the comment below), avoiding needless
 * wakeups; ctx->notified records that a kick was issued so that
 * aio_notify_accept() knows to drain the notifier.
 */
void aio_notify(AioContext *ctx)
{
    /* Write e.g. bh->scheduled before reading ctx->notify_me. Pairs
     * with atomic_or in aio_ctx_prepare or atomic_add in aio_poll.
     */
    smp_mb();
    if (ctx->notify_me) {
        event_notifier_set(&ctx->notifier);
        atomic_mb_set(&ctx->notified, true);
    }
}
/* Consume a pending wakeup: if aio_notify() set ctx->notified, clear it
 * atomically and drain the event notifier.  Called from aio_ctx_check().
 */
void aio_notify_accept(AioContext *ctx)
{
    if (atomic_xchg(&ctx->notified, false)) {
        event_notifier_test_and_clear(&ctx->notifier);
    }
}
/* Timer-list-group callback (registered in aio_context_new() with the
 * AioContext as @opaque): wake the context when a timer is (re)armed.
 */
static void aio_timerlist_notify(void *opaque)
{
    AioContext *ctx = opaque;

    aio_notify(ctx);
}
/* rfifolock callback registered in aio_context_new(); @opaque is the
 * AioContext.  Schedules the no-op notify BH so the owner's event loop
 * iterates instead of staying blocked in aio_poll().
 */
static void aio_rfifolock_cb(void *opaque)
{
    /* Kick owner thread in case they are blocked in aio_poll() */
    qemu_bh_schedule(((AioContext *) opaque)->notify_dummy_bh);
}
/* Callback of ctx->notify_dummy_bh.  Intentionally empty: scheduling the
 * BH exists only to force the event loop around once more (see
 * aio_rfifolock_cb()); it is also excluded from aio_bh_poll()'s progress
 * accounting.
 */
static void notify_dummy_bh(void *opaque)
{
    (void) opaque;
}
322 static void event_notifier_dummy_cb(EventNotifier *e)
/* Allocate and initialise an AioContext as a GSource.  Returns NULL and
 * sets @errp if platform setup (aio_context_setup) or the event notifier
 * fails.  Initialisation order matters: the notifier must exist before it
 * is registered with aio_set_event_notifier(), and bh_lock must be
 * initialised before aio_bh_new() takes it for notify_dummy_bh.
 *
 * NOTE(review): on the fail path only g_source_destroy() is called while
 * bh_lock, lock and tlg have not been initialised; whether that drops the
 * g_source_new() reference (and so runs aio_ctx_finalize() on the partly
 * initialised ctx) or leaves the allocation behind is not visible here —
 * confirm against glib.
 */
AioContext *aio_context_new(Error **errp)
{
    int ret;
    AioContext *ctx;
    Error *local_err = NULL;

    ctx = (AioContext *) g_source_new(&aio_source_funcs, sizeof(AioContext));
    aio_context_setup(ctx, &local_err);
    if (local_err) {
        error_propagate(errp, local_err);
        goto fail;
    }
    ret = event_notifier_init(&ctx->notifier, false);
    if (ret < 0) {
        error_setg_errno(errp, -ret, "Failed to initialize event notifier");
        goto fail;
    }
    g_source_set_can_recurse(&ctx->source, true);
    /* Dummy handler: the notifier is drained by aio_notify_accept(). */
    aio_set_event_notifier(ctx, &ctx->notifier,
                           false,
                           (EventNotifierHandler *)
                           event_notifier_dummy_cb);
    /* Thread pool is created lazily by aio_get_thread_pool(). */
    ctx->thread_pool = NULL;
    qemu_mutex_init(&ctx->bh_lock);
    rfifolock_init(&ctx->lock, aio_rfifolock_cb, ctx);
    timerlistgroup_init(&ctx->tlg, aio_timerlist_notify, ctx);

    /* Needs bh_lock initialised above; used by aio_rfifolock_cb() to kick
     * the owner thread. */
    ctx->notify_dummy_bh = aio_bh_new(ctx, notify_dummy_bh, NULL);

    return ctx;
fail:
    g_source_destroy(&ctx->source);
    return NULL;
}
/* Take a reference on @ctx (its embedded GSource). */
void aio_context_ref(AioContext *ctx)
{
    GSource *src = &ctx->source;

    g_source_ref(src);
}
/* Drop a reference on @ctx; the last one runs aio_ctx_finalize() via the
 * GSource machinery.
 */
void aio_context_unref(AioContext *ctx)
{
    GSource *src = &ctx->source;

    g_source_unref(src);
}
/* Acquire @ctx's rfifolock (ctx->lock).  The callback registered in
 * aio_context_new(), aio_rfifolock_cb(), kicks the current owner so it
 * does not stay blocked in aio_poll() — presumably while another thread
 * waits here; verify against rfifolock.
 */
void aio_context_acquire(AioContext *ctx)
{
    rfifolock_lock(&ctx->lock);
}
/* Release @ctx's rfifolock taken by aio_context_acquire(). */
void aio_context_release(AioContext *ctx)
{
    rfifolock_unlock(&ctx->lock);
}