> On Tue, Nov 11, 2025 at 11:01:44PM +0800, Jie Song wrote: > > From: Jie Song <[email protected]> > > > > When starting a dummy QEMU process with virsh, monitor_init_qmp() enables > > IOThread monitoring of the QMP fd by default. However, a race condition > > exists during the initialization phase: the IOThread only removes the > > main thread's fd watch when it reaches > > qio_net_listener_set_client_func_full(), > > which may be delayed under high system load. > > > > This creates a window between monitor_qmp_setup_handlers_bh() and > > qio_net_listener_set_client_func_full() where both the main thread and > > IOThread are simultaneously monitoring the same fd and processing events. > > This race can cause either the main thread or the IOThread to hang and > > become unresponsive. > > > > Fix this by proactively cleaning up the listener's IO sources in > > monitor_init_qmp() before the IOThread initializes QMP monitoring, > > ensuring exclusive fd ownership and eliminating the race condition. > > > > The fix introduces socket_chr_listener_cleanup() to destroy and unref > > all existing IO sources on the socket chardev listener, guaranteeing > > that no concurrent fd monitoring occurs during the transition to > > IOThread handling. > > > > Signed-off-by: Jie Song <[email protected]> > > --- > > chardev/char-socket.c | 18 ++++++++++++++++++ > > include/chardev/char-socket.h | 2 ++ > > monitor/qmp.c | 6 ++++++ > > 3 files changed, 26 insertions(+) > > > > diff --git a/chardev/char-socket.c b/chardev/char-socket.c > > index 62852e3caf..073a9da855 100644 > > --- a/chardev/char-socket.c > > +++ b/chardev/char-socket.c > > @@ -656,6 +656,24 @@ static void tcp_chr_telnet_destroy(SocketChardev *s) > > } > > } > > > > +void socket_chr_listener_cleanup(Chardev *chr) > > +{ > > + SocketChardev *s = SOCKET_CHARDEV(chr); > > + > > + if (s->listener) { > > + QIONetListener *listener = s->listener; > > + size_t i; > > + > > + for (i = 0; i < listener->nsioc; i++) { > > This directly accesses listener->nsioc outside of net-listener.c. > I've got a pending patch that frowns on this type of usage (here's the > link to v2; v3 is coming soon): > > https://lore.kernel.org/qemu-devel/[email protected]/T/#m69a13da54c24ad55351b6a004ec1c0cba7a7b49c > > But it might be possible to do what you want without peeking inside > the listener; have you tested calling > qio_net_listener_set_client_func_full() to change the callback to NULL > prior to doing the handover to iothread, and then reregistering > tcp_chr_accept after that point? > > -- > Eric Blake, Principal Software Engineer > Red Hat, Inc. > Virtualization: qemu.org | libguestfs.org
Hi Eric, Thanks a lot for the detailed feedback! You're absolutely right—the current patch does have issues with encapsulation by directly accessing internal listener structures like nsioc. I took your advice and tested it: before the I/O thread initializes the QMP listener, call qio_net_listener_set_client_func_full() with the callback set to NULL. This effectively purges the main thread's fd watch without any new helper functions, and then the I/O thread can safely re-register tcp_chr_accept. Besides, Daniel also raised a solid concern in his reply: the chardev backend isn't guaranteed to be a SocketChardev type, so blindly calling a socket-specific cleanup could lead to crashes. https://lore.kernel.org/qemu-devel/[email protected]/ The v1 patch needs to be modified. I'll iterate on a v2 incorporating both your NULL-callback advice and Daniel's robustness improvements. Best regards, Jie Song
