From 5c85c564b583a693537cf19073c78736df48dcc9 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 12 Feb 2018 20:59:51 -0500
Subject: [PATCH] exec: Atomic access to bounce buffer

There could be a race condition when two processes call
address_space_map concurrently and both want to use the bounce buffer.

Add an in_use flag in BounceBuffer to sync it.

Backports commit c2cba0ffe495b60c4cc58080281e99c7a6580d4b from qemu
---
 include/qemu.h | 1 +
 qemu/exec.c    | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/qemu.h b/include/qemu.h
index 0d7b5dd2..05ef07fb 100644
--- a/include/qemu.h
+++ b/include/qemu.h
@@ -38,6 +38,7 @@ typedef struct {
     void *buffer;
     hwaddr addr;
     hwaddr len;
+    bool in_use;
 } BounceBuffer;
 
 typedef struct RAMList {
diff --git a/qemu/exec.c b/qemu/exec.c
index f0fc4511..1b5bf500 100644
--- a/qemu/exec.c
+++ b/qemu/exec.c
@@ -1891,7 +1891,7 @@ void *address_space_map(AddressSpace *as,
     l = len;
     mr = address_space_translate(as, addr, &xlat, &l, is_write);
     if (!memory_access_is_direct(mr, is_write)) {
-        if (as->uc->bounce.buffer) {
+        if (atomic_xchg(&as->uc->bounce.in_use, true)) {
             return NULL;
         }
         /* Avoid unbounded allocations */
@@ -1960,6 +1960,7 @@ void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len,
     qemu_vfree(as->uc->bounce.buffer);
     as->uc->bounce.buffer = NULL;
     memory_region_unref(as->uc->bounce.mr);
+    atomic_mb_set(&as->uc->bounce.in_use, false);
 }
 
 void *cpu_physical_memory_map(AddressSpace *as, hwaddr addr,