diff options
| author | Paolo Bonzini <pbonzini@redhat.com> | 2024-11-06 08:59:07 +0100 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2024-12-10 18:49:25 +0100 |
| commit | 37fb26601dd156369ebb84096c2ecfbe89f0a83b (patch) | |
| tree | fd230a0b955edccb1b6dea0d87d4a2ff739b4954 | |
| parent | 281305d3e08ac7330dfe7cf7b3978c119a888bad (diff) | |
| download | qemu-37fb26601dd156369ebb84096c2ecfbe89f0a83b.zip qemu-37fb26601dd156369ebb84096c2ecfbe89f0a83b.tar.gz qemu-37fb26601dd156369ebb84096c2ecfbe89f0a83b.tar.bz2 | |
bql: check that the BQL is not dropped within marked sections
The Big QEMU Lock (BQL) is used to provide interior mutability to Rust
code. While BqlCell performs indivisible accesses, an equivalent of
RefCell will allow the borrower to hold to the interior content for a
long time. If the BQL is dropped, another thread could come and mutate
the data from C code (Rust code would panic on borrow_mut() instead).
In order to prevent this, add a new BQL primitive that can mark
BQL-atomic sections and aborts if the BQL is dropped within them.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
| -rw-r--r-- | include/qemu/main-loop.h | 15 | ||||
| -rw-r--r-- | stubs/iothread-lock.c | 15 | ||||
| -rw-r--r-- | system/cpus.c | 15 |
3 files changed, 45 insertions, 0 deletions
diff --git a/include/qemu/main-loop.h b/include/qemu/main-loop.h index 5764db1..646306c 100644 --- a/include/qemu/main-loop.h +++ b/include/qemu/main-loop.h @@ -263,6 +263,21 @@ AioContext *iohandler_get_aio_context(void); bool bql_locked(void); /** + * bql_block: Allow/deny releasing the BQL + * + * The Big QEMU Lock (BQL) is used to provide interior mutability to + * Rust code, but this only works if other threads cannot run while + * the Rust code has an active borrow. This is because C code in + * other threads could come in and mutate data under the Rust code's + * feet. + * + * @increase: Whether to increase or decrease the blocking counter. + * Releasing the BQL while the counter is nonzero triggers + * an assertion failure. + */ +void bql_block_unlock(bool increase); + +/** * qemu_in_main_thread: return whether it's possible to safely access * the global state of the block layer. * diff --git a/stubs/iothread-lock.c b/stubs/iothread-lock.c index d7890e5..5467659 100644 --- a/stubs/iothread-lock.c +++ b/stubs/iothread-lock.c @@ -1,6 +1,8 @@ #include "qemu/osdep.h" #include "qemu/main-loop.h" +static uint32_t bql_unlock_blocked; + bool bql_locked(void) { return false; @@ -12,4 +14,17 @@ void bql_lock_impl(const char *file, int line) void bql_unlock(void) { + assert(!bql_unlock_blocked); +} + +void bql_block_unlock(bool increase) +{ + uint32_t new_value; + + assert(bql_locked()); + + /* check for overflow! */ + new_value = bql_unlock_blocked + increase - !increase; + assert((new_value > bql_unlock_blocked) == increase); + bql_unlock_blocked = new_value; } diff --git a/system/cpus.c b/system/cpus.c index 1c818ff..ba633c7 100644 --- a/system/cpus.c +++ b/system/cpus.c @@ -514,6 +514,20 @@ bool qemu_in_vcpu_thread(void) QEMU_DEFINE_STATIC_CO_TLS(bool, bql_locked) +static uint32_t bql_unlock_blocked; + +void bql_block_unlock(bool increase) +{ + uint32_t new_value; + + assert(bql_locked()); + + /* check for overflow! */ + new_value = bql_unlock_blocked + increase - !increase; + assert((new_value > bql_unlock_blocked) == increase); + bql_unlock_blocked = new_value; +} + bool bql_locked(void) { return get_bql_locked(); @@ -540,6 +554,7 @@ void bql_lock_impl(const char *file, int line) void bql_unlock(void) { g_assert(bql_locked()); + g_assert(!bql_unlock_blocked); set_bql_locked(false); qemu_mutex_unlock(&bql); } |