{ "id": 2225046, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2225046/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260420100655.3318452-2-den@openvz.org/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.1/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260420100655.3318452-2-den@openvz.org>", "date": "2026-04-20T10:06:54", "name": "[1/1] block/linux-aio: bound ioq_submit() recursion depth #VSTOR-129345", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "87d406ca7965a3a6823f055c60aadf3183108925", "submitter": { "id": 71296, "url": "http://patchwork.ozlabs.org/api/1.1/people/71296/?format=api", "name": "Denis V. Lunev\" via qemu development", "email": "qemu-devel@nongnu.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260420100655.3318452-2-den@openvz.org/mbox/", "series": [ { "id": 500587, "url": "http://patchwork.ozlabs.org/api/1.1/series/500587/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500587", "date": "2026-04-20T10:06:53", "name": "block/linux-aio: fix reproducible SIGSEGV from unbounded ioq_submit() recursion", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500587/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2225046/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2225046/checks/", "tags": {}, "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n secure) header.d=virtuozzo.com 
header.i=@virtuozzo.com header.a=rsa-sha256\n header.s=relay header.b=Rb0UMCQY;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzh5K192Vz1yD4\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 20:08:19 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wElXR-0001iA-Gj; Mon, 20 Apr 2026 06:07:40 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <den@openvz.org>)\n id 1wElWy-0001g4-2N; Mon, 20 Apr 2026 06:07:05 -0400", "from relay.virtuozzo.com ([130.117.225.111])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <den@openvz.org>)\n id 1wElWu-0000j2-QH; Mon, 20 Apr 2026 06:07:02 -0400", "from ch-demo-asa.virtuozzo.com ([130.117.225.8] helo=iris.sw.ru)\n by relay.virtuozzo.com with esmtp (Exim 4.96)\n (envelope-from <den@openvz.org>) id 1wElUE-007lFH-1U;\n Mon, 20 Apr 2026 12:06:47 +0200" ], "DKIM-Signature": "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n d=virtuozzo.com; s=relay; h=MIME-Version:Message-ID:Date:Subject:From:\n Content-Type; bh=6O2UHfGRuvNhWUJoGzsFLzbU32nwuB6gpukG2dUoRm4=; b=Rb0UMCQYqo8v\n gqiMVcT2wSNCXi7pWVDM4s/eUSyghqTBj4x8vJj/I/6MWpSIpYGdfK+lF7eGfW8/NujnrCInyTjPD\n /m/83lYsjxa2a49lzLBvBP0Kv3DHnc1rZTxICn6WHaiZujl9XogqaTcj43thV57WBX/lg4nlAN0XV\n c394gsla2CpQGHwp5qtrQ73V/csD2xi1UVo9SoDtMtFPgLW1SDso0OZhigj8WqQbJLglX3Y3M2E3l\n 
0/+g3Y1x/B6Ot2HkmZQ0X+ZSlpFUJlQg3eRN/HzqztTEynbHFl3u4b1mjm4j1lOeFlZkjfvVFi7fp\n BGZpdi6qaOPCphK8SXZeUA==;", "To": "qemu-devel@nongnu.org,\n\tqemu-block@nongnu.org,\n\tqemu-stable@nongnu.org", "Cc": "kwolf@redhat.com, hreitz@redhat.com, stefanha@redhat.com,\n pbonzini@redhat.com, \"Denis V. Lunev\" <den@openvz.org>", "Subject": "[PATCH 1/1] block/linux-aio: bound ioq_submit() recursion depth\n #VSTOR-129345", "Date": "Mon, 20 Apr 2026 12:06:54 +0200", "Message-ID": "<20260420100655.3318452-2-den@openvz.org>", "X-Mailer": "git-send-email 2.51.0", "In-Reply-To": "<20260420100655.3318452-1-den@openvz.org>", "References": "<20260420100655.3318452-1-den@openvz.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Received-SPF": "softfail client-ip=130.117.225.111;\n envelope-from=den@openvz.org;\n helo=relay.virtuozzo.com", "X-Spam_score_int": "-34", "X-Spam_score": "-3.5", "X-Spam_bar": "---", "X-Spam_report": "(-3.5 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001,\n SPF_SOFTFAIL=0.665 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Reply-to": "\"Denis V. Lunev\" <den@openvz.org>", "From": "\"Denis V. 
Lunev\" via qemu development <qemu-devel@nongnu.org>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "qemu_laio_process_completions() wraps its body in defer_call_begin /\ndefer_call_end. Inside the section, completion callbacks wake coroutines\nthat queue new aiocbs; laio_do_submit() defers laio_deferred_fn. At the\nbottom of qemu_laio_process_completions() the defer_call_end() fires\nlaio_deferred_fn, which calls ioq_submit(), closing the cycle:\n\n ioq_submit\n -> io_submit(2) // some sync completions\n -> qemu_laio_process_completions // defer_call_begin\n -> aio_co_wake // resumes coroutine\n -> laio_do_submit\n -> defer_call(laio_deferred_fn, s) // enqueued\n -> defer_call_end // nesting drops to 0\n -> laio_deferred_fn\n -> ioq_submit // +1 stack frame, loop\n\nWhen io_submit(2) returns asynchronously (O_DIRECT) the cycle\nterminates in one extra frame: the fresh aiocb is still in flight, no\ncompletion is drained, no coroutine wakes, no new submission queues.\nWhen submissions complete synchronously (non-O_DIRECT, or per-descriptor\ndrivers such as vmdk) each level enqueues more work for the next\ndefer_call_end() to drain, so recursion grows without bound and QEMU\ncrashes with SIGSEGV on the thread guard page.\n\nThe cycle was closed by two performance commits, each correct in\nisolation:\n\n 076682885d (\"block/linux-aio: convert to blk_io_plug_call() API\")\n -- introduced laio_deferred_fn and wired\n laio_do_submit -> defer_call(laio_deferred_fn, s).\n\n 84d61e5f36 (\"virtio: use defer_call() in virtio_irqfd_notify()\")\n -- added defer_call_begin/end around qemu_laio_process_completions\n so virtio-irqfd notifications batch across a completion pass.\n\nThe supported aio=native + cache=none pairing keeps submissions\nasynchronous, so the cycle stays bounded; nothing in the code enforces\nthat contract. 
Observed in production as a SIGSEGV during a backup job\nconfigured with --cached + aio=native; reproducible on upstream with\nqemu-io against vmdk.\n\nCap ioq_submit() recursion with a per-thread counter. On overflow,\nreturn without submitting. The pending work is drained by\ns->completion_bh, which qemu_laio_process_completions() has already\nscheduled on entry -- no work is lost; one event-loop round-trip of\nlatency is paid only when the bound is hit, which cannot happen on a\nsupported configuration.\n\nSigned-off-by: Denis V. Lunev <den@openvz.org>\nCC: Kevin Wolf <kwolf@redhat.com>\nCC: Hanna Reitz <hreitz@redhat.com>\nCC: Stefan Hajnoczi <stefanha@redhat.com>\nCC: Paolo Bonzini <pbonzini@redhat.com>\n---\n block/linux-aio.c | 23 +++++++++++++++++++++++\n 1 file changed, 23 insertions(+)", "diff": "diff --git a/block/linux-aio.c b/block/linux-aio.c\nindex 0a7424fbb3..f98bb6e766 100644\n--- a/block/linux-aio.c\n+++ b/block/linux-aio.c\n@@ -36,6 +36,19 @@\n /* Maximum number of requests in a batch. (default value) */\n #define DEFAULT_MAX_BATCH 32\n \n+/*\n+ * Bound on how deep ioq_submit() may recurse on a single thread via the\n+ * ioq_submit -> qemu_laio_process_completions -> defer_call_end ->\n+ * laio_deferred_fn -> ioq_submit cycle. The cycle terminates naturally\n+ * when io_submit(2) returns asynchronously (O_DIRECT), but can grow\n+ * without bound when submissions complete synchronously. On overflow\n+ * the caller returns without submitting; the outermost\n+ * qemu_laio_process_completions() has already scheduled s->completion_bh\n+ * (via qemu_bh_schedule() at the top of that function), which resumes\n+ * submission from the next event-loop dispatch.\n+ */\n+#define IOQ_SUBMIT_MAX_DEPTH 8\n+\n struct qemu_laiocb {\n Coroutine *co;\n LinuxAioState *ctx;\n@@ -80,6 +93,9 @@ struct LinuxAioState {\n static void ioq_submit(LinuxAioState *s);\n static int laio_do_submit(struct qemu_laiocb *laiocb);\n \n+/* Per-thread recursion counter for ioq_submit(). 
See IOQ_SUBMIT_MAX_DEPTH. */\n+static __thread unsigned ioq_submit_depth;\n+\n static inline ssize_t io_event_ret(struct io_event *ev)\n {\n return (ssize_t)(((uint64_t)ev->res2 << 32) | ev->res);\n@@ -340,6 +356,11 @@ static void ioq_submit(LinuxAioState *s)\n QEMU_UNINITIALIZED struct iocb *iocbs[MAX_EVENTS];\n QSIMPLEQ_HEAD(, qemu_laiocb) completed;\n \n+ if (ioq_submit_depth >= IOQ_SUBMIT_MAX_DEPTH) {\n+ return;\n+ }\n+ ioq_submit_depth++;\n+\n do {\n if (s->io_q.in_flight >= MAX_EVENTS) {\n break;\n@@ -385,6 +406,8 @@ static void ioq_submit(LinuxAioState *s)\n * pended requests will be submitted from there.\n */\n }\n+\n+ ioq_submit_depth--;\n }\n \n static uint64_t laio_max_batch(LinuxAioState *s, uint64_t dev_max_batch)\n", "prefixes": [ "1/1" ] }
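Review bot: The `ioq_submit_depth++` added after the guard in the @@ -340 hunk is undone only by the `ioq_submit_depth--` placed at the closing brace in the @@ -385 hunk, and the body between the two hunks (the do/while loop and what follows it) is not visible here; if any path in it leaves the function with `return` instead of falling through, the thread's counter stays elevated, and after IOQ_SUBMIT_MAX_DEPTH such exits every later ioq_submit() on that thread silently submits nothing. Making the decrement the single exit is safer than relying on fall-through, e.g. `goto out;` on any early exit with `out: ioq_submit_depth--;` at the end, or at least a comment at the increment stating that the function must not return before the decrement. The `return` taken when the bound is reached is also silent; a trace point there would make the extra event-loop round-trip the commit message describes diagnosable when an unsupported cache mode triggers it. ioq_submit()'s body begins and continues outside both hunks.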