From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Date: Mon, 14 Nov 2022 11:26:07 +0100
Message-Id: <20221114102607.64684-1-f.ebner@proxmox.com>
Subject: [pve-devel] [PATCH qemu] cherry-pick two fixes coming in via qemu-stable

One for TCG and one for ERST devices (AFAIU from [0] the issue shouldn't be critical, but better be safe than sorry).

[0]: https://lists.nongnu.org/archive/html/qemu-devel/2022-10/msg03844.html

Signed-off-by: Fiona Ebner
---
 ...pi-erst.c-Fix-memory-handling-issues.patch | 61 ++++++++++++++
 ...-Init-TCG-cflags-in-vCPU-thread-hand.patch | 83 +++++++++++++++++++
 debian/patches/series | 2 +
 3 files changed, 146 insertions(+)
 create mode 100644 debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
 create mode 100644 debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch

diff --git a/debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch b/debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
new file mode 100644
index 0000000..0277897
--- /dev/null
+++ b/debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
@@ -0,0 +1,61 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Christian A. Ehrhardt" +Date: Mon, 24 Oct 2022 17:42:33 +0200 +Subject: [PATCH] hw/acpi/erst.c: Fix memory handling issues + +- Fix memset argument order: The second argument is + the value, the length goes last. +- Fix an integer overflow reported by Alexander Bulekov. + +Both issues allow the guest to overrun the host buffer +allocated for the ERST memory device. + +Cc: Eric DeVolder +Cc: qemu-stable@nongnu.org +Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature") +Tested-by: Alexander Bulekov +Signed-off-by: Christian A. Ehrhardt +Message-Id: <20221024154233.1043347-1-lk@c--e.de> +Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268 +Reviewed-by: Alexander Bulekov +Reviewed-by: Eric DeVolder +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry-picked from commit defb70980f6bed36100b74e84220f1764c0dd544) +Signed-off-by: Fiona Ebner +--- + hw/acpi/erst.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c +index df856b2669..aefcc03ad6 100644 +--- a/hw/acpi/erst.c ++++ b/hw/acpi/erst.c +@@ -635,7 +635,7 @@ static unsigned read_erst_record(ERSTDeviceState *s) + if (record_length < UEFI_CPER_RECORD_MIN_SIZE) { + rc = STATUS_FAILED; + } +- if ((s->record_offset + record_length) > exchange_length) { ++ if (record_length > exchange_length - s->record_offset) { + rc = STATUS_FAILED; + } + /* If all is ok, copy the record to the exchange buffer */ +@@ -684,7 +684,7 @@ static unsigned write_erst_record(ERSTDeviceState *s) + if (record_length < UEFI_CPER_RECORD_MIN_SIZE) { + return STATUS_FAILED; + } +- if ((s->record_offset + record_length) > exchange_length) { ++ if (record_length > exchange_length - s->record_offset) { + return STATUS_FAILED; + } + +@@ -716,7 +716,7 @@ static unsigned write_erst_record(ERSTDeviceState *s) + if (nvram) { + /* Write the record into the slot */ + 
memcpy(nvram, exchange, record_length); +- memset(nvram + record_length, exchange_length - record_length, 0xFF); ++ memset(nvram + record_length, 0xFF, exchange_length - record_length); + /* If a new record, increment the record_count */ + if (!record_found) { + uint32_t record_count; diff --git a/debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch b/debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch new file mode 100644 index 0000000..af131da --- /dev/null +++ b/debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch 
@@ -0,0 +1,83 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Fri, 21 Oct 2022 17:34:09 +0100 +Subject: [PATCH] Revert "accel/tcg: Init TCG cflags in vCPU thread handler" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit a82fd5a4ec24d was intended to be a code cleanup, but +unfortunately it has a bug. It moves the initialization of the +TCG cflags from the "start a new vcpu" function to the +thread handler; this is fine when each vcpu has its own thread, +but when we are doing round-robin of vcpus on a single thread +we end up only initializing the cflags for CPU 0, not for any +of the others. + +The most obvious effect of this bug is that running in icount +mode with more than one CPU is broken; typically the guest +hangs shortly after it brings up the secondary CPUs. + +This reverts commit a82fd5a4ec24d923ff1e6da128c0fd4a74079d99. + +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Richard Henderson +Signed-off-by: Peter Maydell +Message-Id: <20221021163409.3674911-1-peter.maydell@linaro.org> +Signed-off-by: Richard Henderson +(cherry-picked from commit 0585105c806d3bf301eebc33115a0790fcfc1d9c) +Signed-off-by: Fiona Ebner +--- + accel/tcg/tcg-accel-ops-mttcg.c | 5 +++-- + accel/tcg/tcg-accel-ops-rr.c | 7 ++++--- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/accel/tcg/tcg-accel-ops-mttcg.c b/accel/tcg/tcg-accel-ops-mttcg.c +index ba997f6cfe..d50239e0e2 100644 +--- a/accel/tcg/tcg-accel-ops-mttcg.c ++++ b/accel/tcg/tcg-accel-ops-mttcg.c +@@ -70,8 +70,6 @@ static void *mttcg_cpu_thread_fn(void *arg) + assert(tcg_enabled()); + g_assert(!icount_enabled()); + +- tcg_cpu_init_cflags(cpu, current_machine->smp.max_cpus > 1); +- + rcu_register_thread(); + force_rcu.notifier.notify = mttcg_force_rcu; + force_rcu.cpu = cpu; +@@ -141,6 +139,9 @@ void mttcg_start_vcpu_thread(CPUState *cpu) + { + char 
thread_name[VCPU_THREAD_NAME_SIZE]; + ++ g_assert(tcg_enabled()); ++ tcg_cpu_init_cflags(cpu, current_machine->smp.max_cpus > 1); ++ + cpu->thread = g_new0(QemuThread, 1); + cpu->halt_cond = g_malloc0(sizeof(QemuCond)); + qemu_cond_init(cpu->halt_cond); +diff --git a/accel/tcg/tcg-accel-ops-rr.c b/accel/tcg/tcg-accel-ops-rr.c +index cc8adc2380..1a72149f0e 100644 +--- a/accel/tcg/tcg-accel-ops-rr.c ++++ b/accel/tcg/tcg-accel-ops-rr.c +@@ -152,9 +152,7 @@ static void *rr_cpu_thread_fn(void *arg) + Notifier force_rcu; + CPUState *cpu = arg; + +- g_assert(tcg_enabled()); +- tcg_cpu_init_cflags(cpu, false); +- ++ assert(tcg_enabled()); + rcu_register_thread(); + force_rcu.notify = rr_force_rcu; + rcu_add_force_rcu_notifier(&force_rcu); +@@ -277,6 +275,9 @@ void rr_start_vcpu_thread(CPUState *cpu) + static QemuCond *single_tcg_halt_cond; + static QemuThread *single_tcg_cpu_thread; + ++ g_assert(tcg_enabled()); ++ tcg_cpu_init_cflags(cpu, false); ++ + if (!single_tcg_cpu_thread) { + cpu->thread = g_new0(QemuThread, 1); + cpu->halt_cond = g_new0(QemuCond, 1); diff --git a/debian/patches/series b/debian/patches/series index 6dbf2b1..f3a1c82 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,6 +3,8 @@ extra/0002-block-io_uring-revert-Use-io_uring_register_ring_fd-.patch extra/0003-virtiofsd-use-g_date_time_get_microsecond-to-get-sub.patch extra/0004-chardev-fix-segfault-in-finalize.patch extra/0005-init-daemonize-defuse-PID-file-resolve-error.patch +extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch +extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch -- 2.30.2
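Review bot: the rewritten bound check in the read_erst_record hunk of 0006 (`if (record_length > exchange_length - s->record_offset)`) only removes the overflow if s->record_offset is already guaranteed to be no larger than exchange_length; otherwise the subtraction wraps to a huge unsigned value and the check passes for any record_length. That invariant has to come from wherever record_offset is written, which is outside the hunk, so it is worth confirming that the Proxmox base tree validates record_offset the same way as the upstream commit defb70980f6 assumes. The same applies to the identical hunk in write_erst_record.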
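Review bot: in the memset hunk of write_erst_record, the old call `memset(nvram + record_length, exchange_length - record_length, 0xFF)` passed the remaining length as the fill byte (truncated to 8 bits) and 0xFF, i.e. 255, as the byte count, so the slot tail was always padded with 255 bytes regardless of how much room was left after the record; that fixed-size write is the overrun the header describes whenever fewer than 255 bytes remain. With the arguments swapped, the count `exchange_length - record_length` cannot underflow because the earlier hunk in the same function already rejects record_length > exchange_length - s->record_offset. Keep the `Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268` line in the 0006 header so the bug report stays traceable from the package.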
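Review bot: in the rr_start_vcpu_thread hunk of 0007, the placement of `tcg_cpu_init_cflags(cpu, false);` before `if (!single_tcg_cpu_thread)` is what makes the fix work: it runs once per CPU even when no new thread is created, which is exactly the case the header says the reverted commit broke. Since a82fd5a4ec24d was itself a "cleanup" that moved this call into the thread function, consider adding a one-line comment at the call site saying the init must stay per-CPU in the start function, so the next cleanup does not reintroduce the bug. The g_assert/assert difference between the start functions and the thread functions in these hunks is the pre-revert state and needs no change.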
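Review bot: the debian/patches/series hunk appends 0006 and 0007 after 0005 within the extra/ block and ahead of bitmap-mirror/, keeping the numbering contiguous, which is fine. One point for the cover letter: the header of 0006 states that both issues let the guest overrun the host buffer for the ERST device, so that patch is a guest-triggerable host memory-safety fix rather than a hardening; stating that in the commit message would help downstream decide how quickly to roll the rebuilt package out.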