* [pve-devel] applied: [PATCH qemu] more stable fixes for QEMU 9.0
@ 2024-05-29 14:18 Fiona Ebner
From: Fiona Ebner @ 2024-05-29 14:18 UTC (permalink / raw)
To: pve-devel
Most importantly, the first one, "Revert "monitor: use
aio_co_reschedule_self()"", fixing a crash when doing hotplug+resize
with a disk using io_uring.
Other fixes (likely not too important) for TCG emulation of x86(_64)
and ARM.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...t-monitor-use-aio_co_reschedule_self.patch | 53 ++++++++++++
...ict-translation-disabled-alignment-c.patch | 51 ++++++++++++
...-IRQs-a-chance-when-resetting-HF_INH.patch | 80 +++++++++++++++++++
...r-v-Correct-kvm_hv_handle_exit-retur.patch | 60 ++++++++++++++
...86-disable-jmp_opt-if-EFLAGS.RF-is-1.patch | 31 +++++++
...ingle-step-exception-after-MOV-or-PO.patch | 30 +++++++
debian/patches/series | 6 ++
7 files changed, 311 insertions(+)
create mode 100644 debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
create mode 100644 debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
create mode 100644 debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
create mode 100644 debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
create mode 100644 debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
create mode 100644 debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
diff --git a/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch b/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
new file mode 100644
index 0000000..def305c
--- /dev/null
+++ b/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Mon, 6 May 2024 15:06:21 -0400
+Subject: [PATCH] Revert "monitor: use aio_co_reschedule_self()"
+
+Commit 1f25c172f837 ("monitor: use aio_co_reschedule_self()") was a code
+cleanup that uses aio_co_reschedule_self() instead of open coding
+coroutine rescheduling.
+
+Bug RHEL-34618 was reported and Kevin Wolf <kwolf@redhat.com> identified
+the root cause. I missed that aio_co_reschedule_self() ->
+qemu_get_current_aio_context() only knows about
+qemu_aio_context/IOThread AioContexts and not about iohandler_ctx. It
+does not function correctly when going back from the iohandler_ctx to
+qemu_aio_context.
+
+Go back to open coding the AioContext transitions to avoid this bug.
+
+This reverts commit 1f25c172f83704e350c0829438d832384084a74d.
+
+Buglink: https://issues.redhat.com/browse/RHEL-34618
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(picked from: https://lists.nongnu.org/archive/html/qemu-devel/2024-05/msg01090.html)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ qapi/qmp-dispatch.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
+index 2624eb3470..790bb7d1da 100644
+--- a/qapi/qmp-dispatch.c
++++ b/qapi/qmp-dispatch.c
+@@ -224,7 +224,8 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
+ * executing the command handler so that it can make progress if it
+ * involves an AIO_WAIT_WHILE().
+ */
+- aio_co_reschedule_self(qemu_get_aio_context());
++ aio_co_schedule(qemu_get_aio_context(), qemu_coroutine_self());
++ qemu_coroutine_yield();
+ }
+
+ monitor_set_cur(qemu_coroutine_self(), cur_mon);
+@@ -238,7 +239,9 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
+ * Move back to iohandler_ctx so that nested event loops for
+ * qemu_aio_context don't start new monitor commands.
+ */
+- aio_co_reschedule_self(iohandler_get_aio_context());
++ aio_co_schedule(iohandler_get_aio_context(),
++ qemu_coroutine_self());
++ qemu_coroutine_yield();
+ }
+ } else {
+ /*
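Review bot: the provenance line for this revert reads "(picked from: https://lists.nongnu.org/archive/html/qemu-devel/2024-05/msg01090.html)" rather than the "(cherry picked from commit ...)" form used by the other five patches in this series, so the patch was taken from the list posting before it landed upstream; once the revert is merged, consider replacing the list URL with the upstream commit id so the file can be matched against qemu-stable later. The hunk itself restores the open-coded `aio_co_schedule(ctx, qemu_coroutine_self()); qemu_coroutine_yield();` pair in both places where `aio_co_reschedule_self()` had been used, which is consistent with the commit message's explanation that the helper does not know about iohandler_ctx.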
diff --git a/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch b/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
new file mode 100644
index 0000000..2475d34
--- /dev/null
+++ b/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Mon, 22 Apr 2024 10:07:22 -0700
+Subject: [PATCH] target/arm: Restrict translation disabled alignment check to
+ VMSA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For cpus using PMSA, when the MPU is disabled, the default memory
+type is Normal, Non-cachable. This means that it should not
+have alignment restrictions enforced.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 59754f85ed3 ("target/arm: Do memory type alignment check when translation disabled")
+Reported-by: Clément Chigot <chigot@adacore.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Tested-by: Clément Chigot <chigot@adacore.com>
+Message-id: 20240422170722.117409-1-richard.henderson@linaro.org
+[PMM: trivial comment, commit message tweaks]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 7b19a3554d2df22d29c75319a1dac17615d1b20e)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/hflags.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
+index 5da1b0fc1d..f03977b4b0 100644
+--- a/target/arm/tcg/hflags.c
++++ b/target/arm/tcg/hflags.c
+@@ -38,8 +38,16 @@ static bool aprofile_require_alignment(CPUARMState *env, int el, uint64_t sctlr)
+ }
+
+ /*
+- * If translation is disabled, then the default memory type is
+- * Device(-nGnRnE) instead of Normal, which requires that alignment
++ * With PMSA, when the MPU is disabled, all memory types in the
++ * default map are Normal, so don't need aligment enforcing.
++ */
++ if (arm_feature(env, ARM_FEATURE_PMSA)) {
++ return false;
++ }
++
++ /*
++ * With VMSA, if translation is disabled, then the default memory type
++ * is Device(-nGnRnE) instead of Normal, which requires that alignment
+ * be enforced. Since this affects all ram, it is most efficient
+ * to handle this during translation.
+ */
diff --git a/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch b/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
new file mode 100644
index 0000000..97501f5
--- /dev/null
+++ b/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
@@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ruihan Li <lrh2000@pku.edu.cn>
+Date: Mon, 15 Apr 2024 14:45:21 +0800
+Subject: [PATCH] target/i386: Give IRQs a chance when resetting
+ HF_INHIBIT_IRQ_MASK
+
+When emulated with QEMU, interrupts will never come in the following
+loop. However, if the NOP instruction is uncommented, interrupts will
+fire as normal.
+
+ loop:
+ cli
+ call do_sti
+ jmp loop
+
+ do_sti:
+ sti
+ # nop
+ ret
+
+This behavior is different from that of a real processor. For example,
+if KVM is enabled, interrupts will always fire regardless of whether the
+NOP instruction is commented or not. Also, the Intel Software Developer
+Manual states that after the STI instruction is executed, the interrupt
+inhibit should end as soon as the next instruction (e.g., the RET
+instruction if the NOP instruction is commented) is executed.
+
+This problem is caused because the previous code may choose not to end
+the TB even if the HF_INHIBIT_IRQ_MASK has just been reset (e.g., in the
+case where the STI instruction is immediately followed by the RET
+instruction), so that IRQs may not have a change to trigger. This commit
+fixes the problem by always terminating the current TB to give IRQs a
+chance to trigger when HF_INHIBIT_IRQ_MASK is reset.
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
+Message-ID: <20240415064518.4951-4-lrh2000@pku.edu.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 6a5a63f74ba5c5355b7a8468d3d814bfffe928fb)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/tcg/translate.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index 3e949fe964..b5ebff2c89 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -2798,13 +2798,17 @@ static void gen_bnd_jmp(DisasContext *s)
+ static void
+ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+ {
++ bool inhibit_reset;
++
+ gen_update_cc_op(s);
+
+ /* If several instructions disable interrupts, only the first does it. */
+- if (inhibit && !(s->flags & HF_INHIBIT_IRQ_MASK)) {
+- gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
+- } else {
++ inhibit_reset = false;
++ if (s->flags & HF_INHIBIT_IRQ_MASK) {
+ gen_reset_hflag(s, HF_INHIBIT_IRQ_MASK);
++ inhibit_reset = true;
++ } else if (inhibit) {
++ gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
+ }
+
+ if (s->base.tb->flags & HF_RF_MASK) {
+@@ -2815,7 +2819,9 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+ tcg_gen_exit_tb(NULL, 0);
+ } else if (s->flags & HF_TF_MASK) {
+ gen_helper_single_step(tcg_env);
+- } else if (jr) {
++ } else if (jr &&
++ /* give irqs a chance to happen */
++ !inhibit_reset) {
+ tcg_gen_lookup_and_goto_ptr();
+ } else {
+ tcg_gen_exit_tb(NULL, 0);
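Review bot: `inhibit_reset` is only set to true when `s->flags & HF_INHIBIT_IRQ_MASK` was actually set, so an ordinary indirect jump with no preceding STI still takes the `tcg_gen_lookup_and_goto_ptr()` fast path, and the slow path it falls into (`tcg_gen_exit_tb(NULL, 0)`) returns to the main loop where pending interrupts are checked; that is the behaviour the commit message asks for. Note the reordering also changes the old `else` branch: the previous code called `gen_reset_hflag()` unconditionally whenever the set condition was false, whereas the new code only resets when the flag is set and only sets when `inhibit` is true, which drops a redundant reset when the flag was already clear. The cli/sti/ret reproducer in the commit message is not carried as a tests/tcg case here; acceptable for a stable backport, but it would be a cheap regression test.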
diff --git a/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch b/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
new file mode 100644
index 0000000..337c74c
--- /dev/null
+++ b/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: donsheng <dongsheng.x.zhang@intel.com>
+Date: Wed, 22 May 2024 04:01:14 +0800
+Subject: [PATCH] target-i386: hyper-v: Correct kvm_hv_handle_exit return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This bug fix addresses the incorrect return value of kvm_hv_handle_exit for
+KVM_EXIT_HYPERV_SYNIC, which should be EXCP_INTERRUPT.
+
+Handling of KVM_EXIT_HYPERV_SYNIC in QEMU needs to be synchronous.
+This means that async_synic_update should run in the current QEMU vCPU
+thread before returning to KVM, returning EXCP_INTERRUPT to guarantee this.
+Returning 0 can cause async_synic_update to run asynchronously.
+
+One problem (kvm-unit-tests's hyperv_synic test fails with timeout error)
+caused by this bug:
+
+When a guest VM writes to the HV_X64_MSR_SCONTROL MSR to enable Hyper-V SynIC,
+a VM exit is triggered and processed by the kvm_hv_handle_exit function of the
+QEMU vCPU. This function then calls the async_synic_update function to set
+synic->sctl_enabled to true. A true value of synic->sctl_enabled is required
+before creating SINT routes using the hyperv_sint_route_new() function.
+
+If kvm_hv_handle_exit returns 0 for KVM_EXIT_HYPERV_SYNIC, the current QEMU
+vCPU thread may return to KVM and enter the guest VM before running
+async_synic_update. In such case, the hyperv_synic test’s subsequent call to
+synic_ctl(HV_TEST_DEV_SINT_ROUTE_CREATE, ...) immediately after writing to
+HV_X64_MSR_SCONTROL can cause QEMU’s hyperv_sint_route_new() function to return
+prematurely (because synic->sctl_enabled is false).
+
+If the SINT route is not created successfully, the SINT interrupt will not be
+fired, resulting in a timeout error in the hyperv_synic test.
+
+Fixes: 267e071bd6d6 (“hyperv: make overlay pages for SynIC”)
+Suggested-by: Chao Gao <chao.gao@intel.com>
+Signed-off-by: Dongsheng Zhang <dongsheng.x.zhang@intel.com>
+Message-ID: <20240521200114.11588-1-dongsheng.x.zhang@intel.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 84d4b72854869821eb89813c195927fdd3078c12)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/kvm/hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/kvm/hyperv.c b/target/i386/kvm/hyperv.c
+index f2a3fe650a..b94f12acc2 100644
+--- a/target/i386/kvm/hyperv.c
++++ b/target/i386/kvm/hyperv.c
+@@ -81,7 +81,7 @@ int kvm_hv_handle_exit(X86CPU *cpu, struct kvm_hyperv_exit *exit)
+ */
+ async_safe_run_on_cpu(CPU(cpu), async_synic_update, RUN_ON_CPU_NULL);
+
+- return 0;
++ return EXCP_INTERRUPT;
+ case KVM_EXIT_HYPERV_HCALL: {
+ uint16_t code = exit->u.hcall.input & 0xffff;
+ bool fast = exit->u.hcall.input & HV_HYPERCALL_FAST;
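Review bot: the one-line change from `return 0;` to `return EXCP_INTERRUPT;` covers only the `KVM_EXIT_HYPERV_SYNIC` case; the visible context shows `case KVM_EXIT_HYPERV_HCALL:` beginning immediately after, and that path is untouched, which matches the scope stated in the commit message. The reason the return value matters is that `async_safe_run_on_cpu()` (two lines above) queues `async_synic_update` rather than running it inline, so returning `EXCP_INTERRUPT` is what forces the vCPU thread out to the main loop to drain that work before re-entering the guest; a reader skimming the hunk could otherwise take the change for a cosmetic one.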
diff --git a/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch b/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
new file mode 100644
index 0000000..42ed9cd
--- /dev/null
+++ b/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 24 May 2024 17:17:47 +0200
+Subject: [PATCH] target/i386: disable jmp_opt if EFLAGS.RF is 1
+
+If EFLAGS.RF is 1, special processing in gen_eob_worker() is needed and
+therefore goto_tb cannot be used.
+
+Suggested-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 8225bff7c5db504f50e54ef66b079854635dba70)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/tcg/translate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index b5ebff2c89..c2c5e73b3f 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -6971,7 +6971,7 @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
+ dc->cpuid_7_1_eax_features = env->features[FEAT_7_1_EAX];
+ dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
+ dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
+- (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
++ (flags & (HF_RF_MASK | HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
+ /*
+ * If jmp_opt, we want to handle each string instruction individually.
+ * For icount also disable repz optimization so that each iteration
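Review bot: the `index b5ebff2c89..c2c5e73b3f` line shows this patch's pre-image of target/i386/tcg/translate.c is the post-image of 0015 (`3e949fe964..b5ebff2c89`), and 0018 below starts from `c2c5e73b3f`, so these three patches form a chain on the same file and must stay in the order 0015, 0017, 0018 in debian/patches/series. The change itself simply adds `HF_RF_MASK` to the set of flags that disable `jmp_opt`, consistent with the message's point that `gen_eob_worker()` needs special processing when EFLAGS.RF is set and therefore `goto_tb` must not be used.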
diff --git a/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch b/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
new file mode 100644
index 0000000..0de3f4a
--- /dev/null
+++ b/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Sat, 25 May 2024 10:03:22 +0200
+Subject: [PATCH] target/i386: no single-step exception after MOV or POP SS
+
+Intel SDM 18.3.1.4 "If an occurrence of the MOV or POP instruction
+loads the SS register executes with EFLAGS.TF = 1, no single-step debug
+exception occurs following the MOV or POP instruction."
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit f0f0136abba688a6516647a79cc91e03fad6d5d7)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/tcg/translate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index c2c5e73b3f..a55df176c6 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -2817,7 +2817,7 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+ if (recheck_tf) {
+ gen_helper_rechecking_single_step(tcg_env);
+ tcg_gen_exit_tb(NULL, 0);
+- } else if (s->flags & HF_TF_MASK) {
++ } else if ((s->flags & HF_TF_MASK) && !inhibit) {
+ gen_helper_single_step(tcg_env);
+ } else if (jr &&
+ /* give irqs a chance to happen */
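Review bot: the new condition `(s->flags & HF_TF_MASK) && !inhibit` relies on the MOV SS / POP SS callers of `do_gen_eob_worker()` passing `inhibit = true`; that caller-side wiring is not in this hunk, so it is worth confirming against the 9.0 translate.c that those instructions really do reach this function with `inhibit` set, otherwise the single-step suppression the commit message cites from Intel SDM 18.3.1.4 would not take effect. The trailing context (`} else if (jr &&` / `/* give irqs a chance to happen */`) confirms this patch is applied on top of 0015's version of the function, as the chained index lines also indicate.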
diff --git a/debian/patches/series b/debian/patches/series
index 6352df7..4bd5e46 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,6 +10,12 @@ extra/0009-target-i386-rdpkru-wrpkru-are-no-prefix-instructions.patch
extra/0010-target-i386-fix-feature-dependency-for-WAITPKG.patch
extra/0011-Revert-virtio-pci-fix-use-of-a-released-vector.patch
extra/0012-hw-core-machine-move-compatibility-flags-for-VirtIO-.patch
+extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
+extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
+extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
+extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
+extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
+extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
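Review bot: the six new entries are appended in numeric order directly after extra/0012, which preserves the required ordering 0015 before 0017 before 0018 for the three patches that successively modify target/i386/tcg/translate.c, and keeps them ahead of the bitmap-mirror series that follows. No issues with the list itself; just make sure `0013` keeps its position if the list-picked revert is later replaced by the upstream commit.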
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel