{"id":2225045,"url":"http://patchwork.ozlabs.org/api/1.1/covers/2225045/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/cover/20260420100655.3318452-1-den@openvz.org/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.1/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260420100655.3318452-1-den@openvz.org>","date":"2026-04-20T10:06:53","name":"[hci-8.0,0/1] block/linux-aio: fix reproducible SIGSEGV from unbounded ioq_submit() recursion","submitter":{"id":71296,"url":"http://patchwork.ozlabs.org/api/1.1/people/71296/?format=json","name":"Denis V. Lunev\" via qemu development","email":"qemu-devel@nongnu.org"},"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/cover/20260420100655.3318452-1-den@openvz.org/mbox/","series":[{"id":500587,"url":"http://patchwork.ozlabs.org/api/1.1/series/500587/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500587","date":"2026-04-20T10:06:53","name":"block/linux-aio: fix reproducible SIGSEGV from unbounded ioq_submit() recursion","version":1,"mbox":"http://patchwork.ozlabs.org/series/500587/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2225045/comments/","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n secure) header.d=virtuozzo.com header.i=@virtuozzo.com header.a=rsa-sha256\n header.s=relay header.b=Vl3ZIExU;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzh5K42Zpz1yHr\n\tfor ; Mon, 20 Apr 2026 20:08:21 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from )\n\tid 1wElXo-0001mt-Iz; Mon, 20 Apr 2026 06:07:58 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wElWy-0001g3-22; Mon, 20 Apr 2026 06:07:05 -0400","from relay.virtuozzo.com ([130.117.225.111])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wElWu-0000j3-PC; Mon, 20 Apr 2026 06:07:02 -0400","from ch-demo-asa.virtuozzo.com ([130.117.225.8] helo=iris.sw.ru)\n by relay.virtuozzo.com with esmtp (Exim 4.96)\n (envelope-from ) id 1wElUE-007lFH-0R;\n Mon, 20 Apr 2026 12:06:47 +0200"],"DKIM-Signature":"v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n d=virtuozzo.com; s=relay; h=MIME-Version:Message-ID:Date:Subject:From:\n Content-Type; bh=pMGvy2zFiin+ZU8TdoW+2tV7tQOPHIfRfBdsSlKwizc=; b=Vl3ZIExUIWWF\n ojptat4EdQ89RS38irwoKsJ+1PgjER/9pbsQgF4TlFM+3jJsOhZmQOolClymYQ4WLbuCKv0jAFdci\n mfKvdxbgnFmHBqimnuhLoXtxRhrXlzpwpkILj5jBro15g5QeaQz79nZSsFuEtcJeL1tLjdGNFXc/l\n OO/WCiJiW896GYKzkEKbgpKwJb6755pQIamaSAKtL/PA4clYlBY/aLAklEHw+61WnvmIo2apVYFzg\n DOWiplQ1ykoJF1TDSsCpriVj+vpHlAZSKoT1lWmoRRNyEPoaGQWpW7RRl2M/JbEABmc+/11d3RXl8\n RhjYpFaK1JQZ+h3sxkX5zg==;","To":"qemu-devel@nongnu.org,\n\tqemu-block@nongnu.org,\n\tqemu-stable@nongnu.org","Cc":"kwolf@redhat.com, hreitz@redhat.com, stefanha@redhat.com,\n pbonzini@redhat.com, \"Denis V. Lunev\" ","Subject":"[PATCH hci-8.0 0/1] block/linux-aio: fix reproducible SIGSEGV from\n unbounded ioq_submit() recursion","Date":"Mon, 20 Apr 2026 12:06:53 +0200","Message-ID":"<20260420100655.3318452-1-den@openvz.org>","X-Mailer":"git-send-email 2.51.0","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"softfail client-ip=130.117.225.111;\n envelope-from=den@openvz.org;\n helo=relay.virtuozzo.com","X-Spam_score_int":"-34","X-Spam_score":"-3.5","X-Spam_bar":"---","X-Spam_report":"(-3.5 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001,\n SPF_SOFTFAIL=0.665 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Reply-to":"\"Denis V. Lunev\" ","From":"\"Denis V. Lunev\" via qemu development ","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"Observed in production where a cached-I/O backup path was driven\nthrough aio=native, making io_submit(2) complete synchronously and\nclosing the recursion cycle. On the supported aio=native + cache=none\n+ qcow2 configuration the cycle stays bounded by accident rather than\nby construction; this patch bounds it explicitly.\n\nBisect:\n\n v8.1.0 (forward edge only) no crash / 20\n 84d61e5f36^ no crash / 20\n 84d61e5f36 (backward edge in) crash at attempt 17\n v8.2.0 crash at attempt 4\n master + this patch no crash / 80\n\nThe closing commit is 84d61e5f36 (\"virtio: use defer_call() in\nvirtio_irqfd_notify()\").\n\nNo iotest: crash rate is 6..17 per 20 on unpatched master; a formal\ntest would be flaky. The vmdk + aio=native + cache=none shape is\nnot otherwise exercised by the suite.\n\n--- gen-workload.py -----------------------------------------------\n#!/usr/bin/env python3\nimport random, sys\nREGION = 32 * 1024 * 1024\nCLUSTER = 64 * 1024\nSEED = 0xC0FFEE\ndef main(out):\n r = random.Random(SEED); ops = []\n for _ in range(10000):\n off = r.randrange(0, REGION - 4096) & ~4095\n ops.append(\"aio_write -q %d 4k\" % off)\n for i in range(10000):\n size, n = (\"64k\", 65536) if i < 5000 else (\"128k\", 131072)\n off = r.randrange(0, REGION - n) & ~(CLUSTER - 1)\n ops.append(\"aio_write -q -z -u %d %s\" % (off, size))\n r.shuffle(ops); ops.append(\"aio_flush\")\n open(out, \"w\").write(\"\\n\".join(ops) + \"\\n\")\nif __name__ == \"__main__\":\n main(sys.argv[1] if len(sys.argv) > 1 else \"t.cmds\")\n-------------------------------------------------------------------\n\n--- repro.sh ------------------------------------------------------\n#!/bin/bash\nset -u\nqimg=$1; qio=$2; label=$3; attempts=${4:-20}\ncmds=${5:-$(dirname \"$0\")/t.cmds}\nvmdk=/tmp/t.$label.vmdk; log=/tmp/repro_$label.log\n: > \"$log\"\nfor i in $(seq 1 \"$attempts\"); do\n rm -f \"$vmdk\"\n \"$qimg\" create -f vmdk \"$vmdk\" 256M >/dev/null 2>&1\n \"$qio\" -f vmdk -n --cache=none --aio=native \"$vmdk\" < \"$cmds\" \\\n >>\"$log\" 2>&1\n rc=$?\n [ $rc -ge 128 ] && { echo \"CRASH attempt $i rc=$rc\" >>\"$log\"; break; }\ndone\necho \"DONE $label rc=$rc attempt=$i\" >> \"$log\"\n-------------------------------------------------------------------\n\n python3 gen-workload.py t.cmds\n ./repro.sh /path/to/qemu-img /path/to/qemu-io test 20\n\nNotes:\n\n * IOQ_SUBMIT_MAX_DEPTH = 8. Round headroom over the bounded depth\n of the supported async-completion path.\n * Per-thread __thread counter, matching util/defer-call.c's storage.\n A per-LinuxAioState field would let multiple devices on one\n thread recurse independently.\n\nDenis V. Lunev (1):\n block/linux-aio: bound ioq_submit() recursion depth\n\n block/linux-aio.c | 23 +++++++++++++++++++++++\n 1 file changed, 23 insertions(+)\n\nSigned-off-by: Denis V. Lunev \nCC: Kevin Wolf \nCC: Hanna Reitz \nCC: Stefan Hajnoczi \nCC: Paolo Bonzini \n--\n2.51.0"}