public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH qemu] cherry-pick two fixes coming in via qemu-stable
@ 2022-11-14 10:26 Fiona Ebner
  0 siblings, 0 replies; only message in thread
From: Fiona Ebner @ 2022-11-14 10:26 UTC (permalink / raw)
  To: pve-devel

One for TCG and one for ERST devices (AFAIU from [0] the issue
shouldn't be critical, but better be safe than sorry).

[0]: https://lists.nongnu.org/archive/html/qemu-devel/2022-10/msg03844.html

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...pi-erst.c-Fix-memory-handling-issues.patch | 61 ++++++++++++++
 ...-Init-TCG-cflags-in-vCPU-thread-hand.patch | 83 +++++++++++++++++++
 debian/patches/series                         |  2 +
 3 files changed, 146 insertions(+)
 create mode 100644 debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
 create mode 100644 debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch

diff --git a/debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch b/debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
new file mode 100644
index 0000000..0277897
--- /dev/null
+++ b/debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Christian A. Ehrhardt" <lk@c--e.de>
+Date: Mon, 24 Oct 2022 17:42:33 +0200
+Subject: [PATCH] hw/acpi/erst.c: Fix memory handling issues
+
+- Fix memset argument order: The second argument is
+  the value, the length goes last.
+- Fix an integer overflow reported by Alexander Bulekov.
+
+Both issues allow the guest to overrun the host buffer
+allocated for the ERST memory device.
+
+Cc: Eric DeVolder <eric.devolder@oracle.com
+Cc: Alexander Bulekov <alxndr@bu.edu>
+Cc: qemu-stable@nongnu.org
+Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature")
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
+Message-Id: <20221024154233.1043347-1-lk@c--e.de>
+Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Eric DeVolder <eric.devolder@oracle.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry-picked from commit defb70980f6bed36100b74e84220f1764c0dd544)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/acpi/erst.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c
+index df856b2669..aefcc03ad6 100644
+--- a/hw/acpi/erst.c
++++ b/hw/acpi/erst.c
+@@ -635,7 +635,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)
+         if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
+             rc = STATUS_FAILED;
+         }
+-        if ((s->record_offset + record_length) > exchange_length) {
++        if (record_length > exchange_length - s->record_offset) {
+             rc = STATUS_FAILED;
+         }
+         /* If all is ok, copy the record to the exchange buffer */
+@@ -684,7 +684,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
+     if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
+         return STATUS_FAILED;
+     }
+-    if ((s->record_offset + record_length) > exchange_length) {
++    if (record_length > exchange_length - s->record_offset) {
+         return STATUS_FAILED;
+     }
+ 
+@@ -716,7 +716,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
+     if (nvram) {
+         /* Write the record into the slot */
+         memcpy(nvram, exchange, record_length);
+-        memset(nvram + record_length, exchange_length - record_length, 0xFF);
++        memset(nvram + record_length, 0xFF, exchange_length - record_length);
+         /* If a new record, increment the record_count */
+         if (!record_found) {
+             uint32_t record_count;
diff --git a/debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch b/debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch
new file mode 100644
index 0000000..af131da
--- /dev/null
+++ b/debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch
@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Fri, 21 Oct 2022 17:34:09 +0100
+Subject: [PATCH] Revert "accel/tcg: Init TCG cflags in vCPU thread handler"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit a82fd5a4ec24d was intended to be a code cleanup, but
+unfortunately it has a bug. It moves the initialization of the
+TCG cflags from the "start a new vcpu" function to the
+thread handler; this is fine when each vcpu has its own thread,
+but when we are doing round-robin of vcpus on a single thread
+we end up only initializing the cflags for CPU 0, not for any
+of the others.
+
+The most obvious effect of this bug is that running in icount
+mode with more than one CPU is broken; typically the guest
+hangs shortly after it brings up the secondary CPUs.
+
+This reverts commit a82fd5a4ec24d923ff1e6da128c0fd4a74079d99.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20221021163409.3674911-1-peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+(cherry-picked from commit 0585105c806d3bf301eebc33115a0790fcfc1d9c)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ accel/tcg/tcg-accel-ops-mttcg.c | 5 +++--
+ accel/tcg/tcg-accel-ops-rr.c    | 7 ++++---
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/accel/tcg/tcg-accel-ops-mttcg.c b/accel/tcg/tcg-accel-ops-mttcg.c
+index ba997f6cfe..d50239e0e2 100644
+--- a/accel/tcg/tcg-accel-ops-mttcg.c
++++ b/accel/tcg/tcg-accel-ops-mttcg.c
+@@ -70,8 +70,6 @@ static void *mttcg_cpu_thread_fn(void *arg)
+     assert(tcg_enabled());
+     g_assert(!icount_enabled());
+ 
+-    tcg_cpu_init_cflags(cpu, current_machine->smp.max_cpus > 1);
+-
+     rcu_register_thread();
+     force_rcu.notifier.notify = mttcg_force_rcu;
+     force_rcu.cpu = cpu;
+@@ -141,6 +139,9 @@ void mttcg_start_vcpu_thread(CPUState *cpu)
+ {
+     char thread_name[VCPU_THREAD_NAME_SIZE];
+ 
++    g_assert(tcg_enabled());
++    tcg_cpu_init_cflags(cpu, current_machine->smp.max_cpus > 1);
++
+     cpu->thread = g_new0(QemuThread, 1);
+     cpu->halt_cond = g_malloc0(sizeof(QemuCond));
+     qemu_cond_init(cpu->halt_cond);
+diff --git a/accel/tcg/tcg-accel-ops-rr.c b/accel/tcg/tcg-accel-ops-rr.c
+index cc8adc2380..1a72149f0e 100644
+--- a/accel/tcg/tcg-accel-ops-rr.c
++++ b/accel/tcg/tcg-accel-ops-rr.c
+@@ -152,9 +152,7 @@ static void *rr_cpu_thread_fn(void *arg)
+     Notifier force_rcu;
+     CPUState *cpu = arg;
+ 
+-    g_assert(tcg_enabled());
+-    tcg_cpu_init_cflags(cpu, false);
+-
++    assert(tcg_enabled());
+     rcu_register_thread();
+     force_rcu.notify = rr_force_rcu;
+     rcu_add_force_rcu_notifier(&force_rcu);
+@@ -277,6 +275,9 @@ void rr_start_vcpu_thread(CPUState *cpu)
+     static QemuCond *single_tcg_halt_cond;
+     static QemuThread *single_tcg_cpu_thread;
+ 
++    g_assert(tcg_enabled());
++    tcg_cpu_init_cflags(cpu, false);
++
+     if (!single_tcg_cpu_thread) {
+         cpu->thread = g_new0(QemuThread, 1);
+         cpu->halt_cond = g_new0(QemuCond, 1);
diff --git a/debian/patches/series b/debian/patches/series
index 6dbf2b1..f3a1c82 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,6 +3,8 @@ extra/0002-block-io_uring-revert-Use-io_uring_register_ring_fd-.patch
 extra/0003-virtiofsd-use-g_date_time_get_microsecond-to-get-sub.patch
 extra/0004-chardev-fix-segfault-in-finalize.patch
 extra/0005-init-daemonize-defuse-PID-file-resolve-error.patch
+extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
+extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
-- 
2.30.2





^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2022-11-14 10:26 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-14 10:26 [pve-devel] [PATCH qemu] cherry-pick two fixes coming in via qemu-stable Fiona Ebner

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal