From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Subject: [PATCH qemu 2/3] stable fixes for QEMU 11.0.0
Date: Tue, 5 May 2026 15:10:16 +0200
Message-ID: <20260505131035.743948-3-f.ebner@proxmox.com>
In-Reply-To: <20260505131035.743948-1-f.ebner@proxmox.com>
References: <20260505131035.743948-1-f.ebner@proxmox.com>
List-Id: Proxmox VE development discussion

Most notably, a qcow2 corruption fix. Otherwise, some fixes for x86 HW/CPU targets, a fix for a crash in a certain error path for migration, and a fix for a memory safety issue with the VirGL display.
Signed-off-by: Fiona Ebner --- ...fix-decoding-of-MOVBE-and-CRC32-in-1.patch | 84 ++++++++++ ...-accidentally-autofree-existing-virg.patch | 59 +++++++ ...store-IRQ-polling-for-non-kernel-irq.patch | 47 ++++++ ...tion-on-discard-during-write-with-CO.patch | 147 ++++++++++++++++++ ...strList-leak-in-x86_cpu_get_unavaila.patch | 36 +++++ ...-missing-PF_INSTR-in-SIGSEGV-context.patch | 43 +++++ ...e_save_state_v-fix-double-error_setg.patch | 46 ++++++ debian/patches/series | 7 + 8 files changed, 469 insertions(+) create mode 100644 debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch create mode 100644 debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch create mode 100644 debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch create mode 100644 debian/patches/extra/0008-qcow2-Fix-corruption-on-discard-during-write-with-CO.patch create mode 100644 debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch create mode 100644 debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch create mode 100644 debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch diff --git a/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch b/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch new file mode 100644 index 0000000000..9874c26972 --- /dev/null +++ b/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch 
@@ -0,0 +1,84 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 31 Mar 2026 08:32:23 +0200 +Subject: [PATCH] target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit + mode + +Table A-4 of the SDM shows + + F0 F1 +-------------------------------------------------------- + NP MOVBE Gy,My MOVBE My,Gy + 66 MOVBE Gw,Mw MOVBW Mw,Gw + F2 CRC32 Gd,Eb CRC32 Gd,Ey + 66+F2 CRC32 Gd,Eb CRC32 Gd,Ew + +However, this is incorrect. Both MOVBE and (for 0xF1) CRC32 +take Gv, Ev or Mv operands. In 16-bit mode therefore the +operand is of 16-bit size without prefix and 32-bit mode +with 0x66 (the data size override). + +For example, with NASM you get: + + bits 16 + 67 0F 38 F0 02 movbe ax, [edx] + 66 67 0F 38 F0 02 movbe eax, [edx] + + 67 F2 0F 38 F1 02 crc32 ax, word [edx] + 66 67 F2 0F 38 F1 02 crc32 eax, dword [edx] + +versus + + bits 32 + 66 0F 38 F0 02 movbe ax, [edx] + 0F 38 F0 02 movbe eax, [edx] + + 66 F2 0F 38 F1 02 crc32 eax, word [edx] + F2 0F 38 F1 02 crc32 eax, dword [edx] + +The instruction is listed correctly in the APX documentation +as "SCALABLE" (which means it has v-size operands). + +Cc: qemu-stable@nongnu.org +Reviewed-by: Richard Henderson +Signed-off-by: Paolo Bonzini +(cherry picked from commit 76ad26dd172d27aae9f1e76d1165b497167c36c2) +Signed-off-by: Fiona Ebner +--- + target/i386/tcg/decode-new.c.inc | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc +index bc105aab9e..c8b5bd6ad2 100644 +--- a/target/i386/tcg/decode-new.c.inc ++++ b/target/i386/tcg/decode-new.c.inc +@@ -875,19 +875,23 @@ static const X86OpEntry opcodes_0F38_00toEF[240] = { + + /* five rows for no prefix, 66, F3, F2, 66+F2 */ + static const X86OpEntry opcodes_0F38_F0toFF[16][5] = { ++ /* ++ * MOVBE and CRC32 are incorrectly listed as always doing 32-bit operation ++ * without prefix and 16-bit operation with 0x66. 
++ */ + [0] = { +- X86_OP_ENTRYwr(MOVBE, G,y, M,y, cpuid(MOVBE)), +- X86_OP_ENTRYwr(MOVBE, G,w, M,w, cpuid(MOVBE)), ++ X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)), ++ X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)), + {}, + X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)), + X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)), + }, + [1] = { +- X86_OP_ENTRYwr(MOVBE, M,y, G,y, cpuid(MOVBE)), +- X86_OP_ENTRYwr(MOVBE, M,w, G,w, cpuid(MOVBE)), ++ X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)), ++ X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)), + {}, +- X86_OP_ENTRY2(CRC32, G,d, E,y, cpuid(SSE42)), +- X86_OP_ENTRY2(CRC32, G,d, E,w, cpuid(SSE42)), ++ X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)), ++ X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)), + }, + [2] = { + X86_OP_ENTRY3(ANDN, G,y, B,y, E,y, vex13 cpuid(BMI1)), diff --git a/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch b/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch new file mode 100644 index 0000000000..b8f224e9be --- /dev/null +++ b/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch 
@@ -0,0 +1,59 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alex=20Benn=C3=A9e?= +Date: Fri, 17 Apr 2026 13:27:03 +0100 +Subject: [PATCH] hw/display: don't accidentally autofree existing virgl + resources +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +While sanity checking a create blob operation the use of the auto +freed res variable could lead to inadvertently freeing an existing +blob. + +Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as +the value is not needed anyway. + +While at it add a comment to the end and use g_steal_pointer to make +it clearer the object lifetime exceeds the function bounds if we pass +all the checks. + +Fixes: CVE-2026-6502 +Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands) +Message-ID: 20260417094443.785462-1-alex.bennee@linaro.org +Reviewed-by: Manos Pitsidianakis +Cc: qemu-stable@nongnu.org +Message-ID: <20260417122703.845442-1-alex.bennee@linaro.org> +Signed-off-by: Alex Bennée +Reviewed-by: Dmitry Osipenko +(cherry picked from commit 30fad722ce68316d22b926ba0e6017f0440465df) +Signed-off-by: Fiona Ebner +--- + hw/display/virtio-gpu-virgl.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c +index b7a2d160dd..add85bd4e6 100644 +--- a/hw/display/virtio-gpu-virgl.c ++++ b/hw/display/virtio-gpu-virgl.c +@@ -830,8 +830,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g, + return; + } + +- res = virtio_gpu_virgl_find_resource(g, cblob.resource_id); +- if (res) { ++ if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n", + __func__, cblob.resource_id); + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID; +@@ -884,8 +883,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g, + + res->base.dmabuf_fd = info.fd; + ++ /* Now live, cleaned 
up in virtio_gpu_virgl_resource_unref */ + QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next); +- res = NULL; ++ g_steal_pointer(&res); + } + + static void virgl_cmd_resource_map_blob(VirtIOGPU *g, diff --git a/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch b/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch new file mode 100644 index 0000000000..88f899f85f --- /dev/null +++ b/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch 
@@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: rickgcn +Date: Sat, 18 Apr 2026 14:14:29 +0800 +Subject: [PATCH] hw: i386: vapic: restore IRQ polling for non-kernel irqchip + backends + +69dfc078 extended vAPIC handling for WHPX with user-mode irqchip, but it +also changed vapic_write() case 4 in a way that excludes TCG from +apic_poll_irq(). + +Before that change, IRQ polling happened whenever no in-kernel irqchip +was active. After the change, it only happened for KVM or WHPX with a +user-mode irqchip. Under TCG, both kvm_enabled() and whpx_enabled() are +false, so the poll never happens. + +This regresses 32-bit Windows XP guests on a Windows host with +-machine pc-i440fx-10.0,accel=tcg, causing a STOP 0x0000000A during boot. + +Fix it by making the decision depend on whether KVM or WHPX is using an +in-kernel irqchip, instead of whether either accelerator is enabled. + +Fixes: 69dfc078a6f0 ("hw: i386: vapic: enable on WHPX with user-mode irqchip") + +Signed-off-by: rickgcn +Link: https://lore.kernel.org/r/20260418061429.16898-1-rickgcn@gmail.com +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit c906c2337058bd467e6ac0176c2966d1eeb6f8f5) +Signed-off-by: Fiona Ebner +--- + hw/i386/vapic.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/hw/i386/vapic.c b/hw/i386/vapic.c +index 41e5ca26df..1acb9f91b2 100644 +--- a/hw/i386/vapic.c ++++ b/hw/i386/vapic.c +@@ -716,8 +716,7 @@ static void vapic_write(void *opaque, hwaddr addr, uint64_t data, + break; + default: + case 4: +- if ((kvm_enabled() && !kvm_irqchip_in_kernel()) +- || (whpx_enabled() && !whpx_irqchip_in_kernel())) { ++ if (!kvm_irqchip_in_kernel() && !whpx_irqchip_in_kernel()) { + apic_poll_irq(cpu->apic_state); + } + break; 
diff --git a/debian/patches/extra/0008-qcow2-Fix-corruption-on-discard-during-write-with-CO.patch b/debian/patches/extra/0008-qcow2-Fix-corruption-on-discard-during-write-with-CO.patch new file mode 100644 index 0000000000..2bc59ea236 --- /dev/null +++ b/debian/patches/extra/0008-qcow2-Fix-corruption-on-discard-during-write-with-CO.patch 
@@ -0,0 +1,147 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Mon, 27 Apr 2026 19:05:19 +0200 +Subject: [PATCH] qcow2: Fix corruption on discard during write with COW + +Most code in qcow2 that accesses (and potentially modifies) L2 tables +does so while holding s->lock. + +There is one exception, which is allocating writes. They hold the lock +initially while allocating clusters, but drop it for writing the guest +payload before taking the lock again for updating the L2 tables. This +allows concurrent requests that touch other parts of the image file to +continue in parallel and is an important performance optimisation. + +However, this means that other requests that run while the lock is +dropped for writing guest data must synchronise with the list of +allocating requests in s->cluster_allocs and wait if they would overlap. +For writes, this is done in handle_dependencies(), but discard and write +zeros operations neglect to synchronise with s->cluster_allocs. + +This means that discard can free a cluster whose L2 entry will already +be modified in qcow2_alloc_cluster_link_l2() by a previously started +write. In the case of a pre-allocated zero cluster that is in the +process of being overwritten, this means that discard can lead to a +situation where the cluster is still mapped (because the write will +restore the L2 entry just without the zero flag), but its refcount has +been decreased, resulting in a corrupted image. + +Add the missing synchronisation to qcow2_cluster_discard() and +qcow2_subcluster_zeroize() to fix the problem. + +Cc: qemu-stable@nongnu.org +Reported-by: Denis V. Lunev +Signed-off-by: Kevin Wolf +Reviewed-by: Denis V. Lunev +Tested-by: Denis V. 
Lunev +(picked from https://lore.kernel.org/qemu-devel/20260427170520.101242-4-kwolf@redhat.com/) +Signed-off-by: Fiona Ebner +--- + block/qcow2-cluster.c | 52 ++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 49 insertions(+), 3 deletions(-) + +diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c +index c655bf6df4..8b1e80bd0b 100644 +--- a/block/qcow2-cluster.c ++++ b/block/qcow2-cluster.c +@@ -1392,6 +1392,9 @@ count_single_write_clusters(BlockDriverState *bs, int nb_clusters, + * the same cluster. In this case we need to wait until the previous + * request has completed and updated the L2 table accordingly. + * ++ * If allow_shortening == true, instead of waiting for a dependency, *cur_bytes ++ * can be shortened so that the cluster allocations don't overlap. ++ * + * Returns: + * 0 if there was no dependency. *cur_bytes indicates the number of + * bytes from guest_offset that can be read before the next +@@ -1403,7 +1406,9 @@ count_single_write_clusters(BlockDriverState *bs, int nb_clusters, + */ + static int coroutine_fn handle_dependencies(BlockDriverState *bs, + uint64_t guest_offset, +- uint64_t *cur_bytes, QCowL2Meta **m) ++ uint64_t *cur_bytes, ++ bool allow_shortening, ++ QCowL2Meta **m) + { + BDRVQcow2State *s = bs->opaque; + QCowL2Meta *old_alloc; +@@ -1434,7 +1439,7 @@ static int coroutine_fn handle_dependencies(BlockDriverState *bs, + + /* Conflict */ + +- if (start < old_start) { ++ if (start < old_start && allow_shortening) { + /* Stop at the start of a running allocation */ + bytes = old_start - start; + } else { +@@ -1469,6 +1474,29 @@ static int coroutine_fn handle_dependencies(BlockDriverState *bs, + return 0; + } + ++static void coroutine_mixed_fn wait_for_dependencies(BlockDriverState *bs, ++ uint64_t guest_offset, ++ uint64_t bytes) ++{ ++ BDRVQcow2State *s = bs->opaque; ++ QCowL2Meta *m = NULL; ++ int ret; ++ ++ /* ++ * Discard has some non-coroutine callers (creating internal snapshots and ++ * make empty). 
They are calling from qemu-img or in a drained section, so ++ * we know that no writes can be in progress. ++ */ ++ if (!qemu_in_coroutine()) { ++ assert(QLIST_EMPTY(&s->cluster_allocs)); ++ return; ++ } ++ ++ do { ++ ret = handle_dependencies(bs, guest_offset, &bytes, false, &m); ++ } while (ret == -EAGAIN); ++} ++ + /* + * Checks how many already allocated clusters that don't require a new + * allocation there are at the given guest_offset (up to *bytes). +@@ -1840,7 +1868,7 @@ again: + * the right synchronisation between the in-flight request and + * the new one. + */ +- ret = handle_dependencies(bs, start, &cur_bytes, m); ++ ret = handle_dependencies(bs, start, &cur_bytes, true, m); + if (ret == -EAGAIN) { + /* Currently handle_dependencies() doesn't yield if we already had + * an allocation. If it did, we would have to clean up the L2Meta +@@ -2000,6 +2028,15 @@ int qcow2_cluster_discard(BlockDriverState *bs, uint64_t offset, + int64_t cleared; + int ret; + ++ /* ++ * If we're touching a cluster for which allocating writes are in flight, ++ * wait for them to complete to avoid conflicting metadata updates. ++ * ++ * We don't need to allocate a QCowL2Meta for the discard operation because ++ * s->lock is held for the duration of the whole operation. ++ */ ++ wait_for_dependencies(bs, offset, bytes); ++ + /* Caller must pass aligned values, except at image end */ + assert(QEMU_IS_ALIGNED(offset, s->cluster_size)); + assert(QEMU_IS_ALIGNED(end_offset, s->cluster_size) || +@@ -2160,6 +2197,15 @@ int coroutine_fn qcow2_subcluster_zeroize(BlockDriverState *bs, uint64_t offset, + int64_t cleared; + int ret; + ++ /* ++ * If we're touching a cluster for which allocating writes are in flight, ++ * wait for them to complete to avoid conflicting metadata updates. ++ * ++ * We don't need to allocate a QCowL2Meta for the zeroize operation because ++ * s->lock is held for the duration of the whole operation. 
++ */ ++ wait_for_dependencies(bs, offset, bytes); ++ + /* If we have to stay in sync with an external data file, zero out + * s->data_file first. */ + if (data_file_is_raw(bs)) { diff --git a/debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch b/debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch new file mode 100644 index 0000000000..a9975bbb3b --- /dev/null +++ b/debian/patches/extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch @@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Mon, 13 Apr 2026 16:50:40 +0400 +Subject: [PATCH] target/i386: fix strList leak in + x86_cpu_get_unavailable_features +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The result list built by x86_cpu_list_feature_names() was never freed +after being visited, causing a memory leak detected by ASan. +(the getter visitor is VISITOR_OUTPUT kind and doesn't own data) + +Fixes: 506174bf8219 ("i386: "unavailable-features" QOM property") +Signed-off-by: Marc-André Lureau +Link: https://lore.kernel.org/r/20260413125040.3842686-1-marcandre.lureau@redhat.com +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 87e1226e6f6844845ac407d50198d84205e7ed7f) +Signed-off-by: Fiona Ebner +--- + target/i386/cpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index c6fd1dc00e..9d126600c0 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -7842,6 +7842,7 @@ static void x86_cpu_get_unavailable_features(Object *obj, Visitor *v, + + x86_cpu_list_feature_names(xc->filtered_features, &result); + visit_type_strList(v, "unavailable-features", &result, errp); ++ qapi_free_strList(result); + } + + /* Print all cpuid feature names in featureset 
diff --git a/debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch b/debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch new file mode 100644 index 0000000000..dfa3f4c20a --- /dev/null +++ b/debian/patches/extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch 
@@ -0,0 +1,43 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Simon Scherer +Date: Mon, 13 Apr 2026 13:56:22 +0200 +Subject: [PATCH] target/i386: fix missing PF_INSTR in SIGSEGV context + +When running linux-user emulation, the SIGSEGV handler does not +correctly set the 4th bit (PF_INSTR) in the error_code variable of +the context argument (context->uc_mcontext.gregs[REG_ERR]). + +Because this bit is never set, guest applications cannot distinguish +if a fault was due to missing executable permissions. This patch +ensures that when a page fault occurs during an instruction fetch, +the PF_INSTR flag is properly populated in the signal context. + +Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3384 +Signed-off-by: Simon Scherer +Link: https://lore.kernel.org/r/20260413115622.160212-1-scherer.simon89@gmail.com +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 3eae91a8b93a35f194a39ab5b894ae405def9270) +Signed-off-by: Fiona Ebner +--- + target/i386/tcg/user/excp_helper.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/target/i386/tcg/user/excp_helper.c b/target/i386/tcg/user/excp_helper.c +index 98fab4cbc3..6c5df5e0e8 100644 +--- a/target/i386/tcg/user/excp_helper.c ++++ b/target/i386/tcg/user/excp_helper.c +@@ -36,9 +36,10 @@ void x86_cpu_record_sigsegv(CPUState *cs, vaddr addr, + * signal and set exception_index to EXCP_INTERRUPT. + */ + env->cr[2] = addr; +- env->error_code = ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT) +- | (maperr ? 0 : PG_ERROR_P_MASK) +- | PG_ERROR_U_MASK; ++ env->error_code = (maperr ? 0 : PG_ERROR_P_MASK) ++ | ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT) ++ | PG_ERROR_U_MASK ++ | ((access_type == MMU_INST_FETCH) ? PG_ERROR_I_D_MASK : 0); + cs->exception_index = EXCP0E_PAGE; + + /* Disable do_interrupt_user. */ 
diff --git a/debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch b/debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch new file mode 100644 index 0000000000..a4faa8635c --- /dev/null +++ b/debian/patches/extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch 
@@ -0,0 +1,46 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy +Date: Thu, 5 Mar 2026 00:22:45 +0300 +Subject: [PATCH] migration: vmstate_save_state_v: fix double error_setg + +We may call error_setg twice on same errp if inner +vmstate_save_state_v() or vmstate_save_state() call fails. Next we will +crash on assertion in error_setv(). + +Fixes: 848a0503422d043 "migration: Update error description outside migration.c" +Signed-off-by: Vladimir Sementsov-Ogievskiy +Reviewed-by: Fabiano Rosas +Reviewed-by: Peter Xu +Link: https://lore.kernel.org/qemu-devel/20260304212303.667141-2-vsementsov@yandex-team.ru +Signed-off-by: Fabiano Rosas +(cherry picked from commit d41ce10d0f5a3d6e497e4b75807a8e675033c597) +Signed-off-by: Fiona Ebner +--- + migration/vmstate.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/migration/vmstate.c b/migration/vmstate.c +index 4d28364f7b..fccd030dfd 100644 +--- a/migration/vmstate.c ++++ b/migration/vmstate.c +@@ -539,6 +539,9 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd, + } else { + ret = inner_field->info->put(f, curr_elem, size, + inner_field, vmdesc_loop); ++ if (ret < 0) { ++ error_setg(errp, "put failed"); ++ } + } + + written_bytes = qemu_file_transferred(f) - old_offset; +@@ -551,8 +554,8 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd, + } + + if (ret) { +- error_setg(errp, "Save of field %s/%s failed", +- vmsd->name, field->name); ++ error_prepend(errp, "Save of field %s/%s failed: ", ++ vmsd->name, field->name); + if (vmsd->post_save) { + vmsd->post_save(opaque); + } diff --git a/debian/patches/series b/debian/patches/series index e33133ff90..8553c8ed8c 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -2,6 +2,13 @@ extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch +extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch +extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch +extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch +extra/0008-qcow2-Fix-corruption-on-discard-during-write-with-CO.patch +extra/0009-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch +extra/0010-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch +extra/0011-migration-vmstate_save_state_v-fix-double-error_setg.patch bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch -- 2.47.3
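Review bot: In the opcodes_0F38_F0toFF hunk of 0005, the commit message says both MOVBE and CRC32 take Gv/Ev/Mv operands, but the hunk only changes the CRC32 source (E,y / E,w to E,v) and keeps the destination as G,d in both the [0] and [1] rows; either the message should say that only the source operand is v-sized, or the destination needs the same treatment. The new comment placed above the table ("MOVBE and CRC32 are incorrectly listed as always doing 32-bit operation without prefix and 16-bit operation with 0x66") also reads as if it describes the entries below it, which are now correct; say "incorrectly listed in SDM Table A-4" so the next reader does not go looking for a remaining bug in this table.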
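Review bot: In the second hunk of 0006, `g_steal_pointer(&res)` with its return value dropped does exactly what the `res = NULL` it replaces did; since the point is documentation, an explicit `(void) g_steal_pointer(&res);` or a one-line comment ("ownership moved to g->reslist") states that more clearly than a bare call. On the first hunk: the fix relies on the auto-freed `res` never aliasing a resource that is already in `g->reslist`, and the context still shows an earlier `return;` above the find_resource check; confirm (outside this hunk) that `res` is initialised to NULL at its declaration, so that path and any other early return between the declaration and `QTAILQ_INSERT_HEAD` free nothing.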
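Review bot: In the vapic_write() hunk of 0007, the new condition `!kvm_irqchip_in_kernel() && !whpx_irqchip_in_kernel()` restores polling for TCG as the message says, but it equally applies to every other accelerator for which neither `kvm_enabled()` nor `whpx_enabled()` was true before; the commit message names only TCG, so state that polling for all of them is the intended, pre-69dfc078 behaviour. Minor, pre-existing: the `default:` label sits directly before `case 4:`, so the poll also runs for unknown offsets; a short comment there would help now that the condition has changed once already.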
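Review bot: In the wait_for_dependencies() hunk of 0008, the loop only checks for `-EAGAIN`; any other return value of handle_dependencies() is dropped, and the `QCowL2Meta *m` passed in is never inspected, so if handle_dependencies() can fail with a different error or link something into `*m`, that is silently lost. Add an `assert(ret == 0)` after the loop (or a comment saying why no other value is possible with `allow_shortening == false`), and either drop `m` from the call or say that nothing is ever attached to it on this path. The `coroutine_mixed_fn` annotation plus the non-coroutine early return is fine as long as the `assert(QLIST_EMPTY(&s->cluster_allocs))` stays in, since that is the only thing guaranteeing the "no writes can be in progress" claim in the comment.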
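Review bot: In the qcow2_cluster_discard() and qcow2_subcluster_zeroize() hunks of 0008, the new comment says "s->lock is held for the duration of the whole operation", but wait_for_dependencies() has to sleep until the in-flight allocating write finishes, which means that write must be able to take the lock meanwhile; say explicitly that the lock is dropped while waiting and re-acquired, and that the `-EAGAIN` loop re-checks `s->cluster_allocs` after each wake-up, because that re-check is what makes "no QCowL2Meta needed" true. Separately, this patch is "(picked from https://lore.kernel.org/...)" rather than "cherry picked from commit ...", i.e. it was not yet merged upstream when it was taken; for an image-corruption fix in the I/O path, please record the upstream commit ID and diff against the merged version once it lands.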
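Review bot: In the x86_cpu_get_unavailable_features() hunk of 0009, `qapi_free_strList(result)` after the visit is right for an output visitor, and it also runs when `visit_type_strList()` failed and set `errp`, which is what you want here. If the declaration of `result` (outside the hunk) is touched anyway, `g_autoptr(strList) result = NULL;` would tie the free to scope exit and make any future early return in this getter safe as well.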
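Review bot: In the x86_cpu_record_sigsegv() hunk of 0010, the three existing terms are reordered (PG_ERROR_P_MASK moved to the front) for no functional reason, which hides the one-line change in blame; keep the original order and just append the `MMU_INST_FETCH` term. On the semantics: on real hardware the I/D bit is only reported when IA32_EFER.NXE (with PAE) or CR4.SMEP is set, whereas linux-user now sets it for every instruction-fetch fault; that matches what a Linux host does on any NX-capable CPU, but it deserves a sentence in the message for guests run with a CPU model that lacks NX.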
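Review bot: In 0011, the guard added in the `else` branch is `if (ret < 0)` while the check that now calls `error_prepend()` is `if (ret)`; `error_prepend()` assumes an error has already been set (it has nothing to prepend to otherwise), so any path that leaves `ret` nonzero without setting `errp` (a positive return from `put`, or a failing path on the `if` side of this branch that is not in the hunk) now reaches `error_prepend()` where the old `error_setg()` was harmless. Make both checks `ret < 0`, or keep an `error_setg()` fallback for the case where no error was set before prepending the field name.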
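For anyone who wants to verify 0010 from the guest side, the probe below is an added example, not part of this series or of QEMU itself, and it assumes Linux/glibc on x86 (the REG_ERR index in gregs[], the single-byte `ret` opcode, NX-capable hardware). It maps a page, makes it non-executable, jumps into it and reads the page-fault error code out of `uc_mcontext.gregs[REG_ERR]` in the SIGSEGV handler; the PF_* names are the Linux kernel's names for the x86 error-code bits (QEMU's PG_ERROR_*_MASK), and the helper names are mine. Run natively it shows what a real kernel reports; run the same statically linked binary under qemu-x86_64 built with and without the patch, the fetch case should read 0x15 rather than 0x05.

```c
/*
 * Added example (not QEMU code): probe the x86 page-fault error code that
 * the SIGSEGV context carries, to check the PF_INSTR (I/D) bit from 0010.
 * Build: gcc -O0 -static -o pfprobe pfprobe.c
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

/* x86 page-fault error-code bits, as named by the Linux kernel. */
#define PF_PROT  0x01  /* page was present: protection violation */
#define PF_WRITE 0x02  /* access was a write */
#define PF_USER  0x04  /* access came from user mode */
#define PF_INSTR 0x10  /* access was an instruction fetch (I/D bit) */

/* glibc normally provides REG_ERR; the fallbacks are glibc's gregs[] indices. */
#if defined(__x86_64__) && !defined(REG_ERR)
#define REG_ERR 19
#elif defined(__i386__) && !defined(REG_ERR)
#define REG_ERR 13
#endif

static sigjmp_buf recover;
static volatile long last_err;

static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig;
    (void)si;
#if defined(__x86_64__) || defined(__i386__)
    ucontext_t *uc = ctx;
    last_err = (long)uc->uc_mcontext.gregs[REG_ERR];
#else
    (void)ctx;
    last_err = -1;                 /* no REG_ERR on this architecture */
#endif
    siglongjmp(recover, 1);        /* unwind out of the faulting access */
}

/*
 * Map one page holding a single `ret`, set it to `prot`, then either execute
 * it (fetch != 0) or read it. Returns the error code seen in the SIGSEGV
 * context, 0 if the access succeeded, -1 if REG_ERR is unavailable,
 * -2 if the mapping could not be set up (e.g. PROT_EXEC denied by policy).
 */
long probe_fault(int prot, int fetch)
{
    long page = sysconf(_SC_PAGESIZE);
    uint8_t *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        return -2;
    }
    p[0] = 0xc3;                              /* x86 `ret` */
    if (mprotect(p, page, prot) != 0) {
        munmap(p, page);
        return -2;
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    long err = 0;
    last_err = 0;
    if (sigsetjmp(recover, 1) == 0) {
        if (fetch) {
            void (*fn)(void);
            memcpy(&fn, &p, sizeof(fn));      /* data pointer -> code pointer */
            fn();
        } else {
            volatile uint8_t v = p[0];
            (void)v;
        }
    } else {
        err = last_err;                       /* returned here from on_segv */
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap(p, page);
    return err;
}

/* 1 if a fetch from a non-executable page reports PF_INSTR, 0 if the fault is
 * reported without it (what the unpatched linux-user did), negative if the
 * probe could not run at all. */
int pf_instr_reported(void)
{
    long err = probe_fault(PROT_READ, 1);
    if (err < 0) {
        return (int)err;
    }
    return (err & PF_INSTR) ? 1 : 0;
}

int main(void)
{
    printf("fetch from PROT_READ page:      err=0x%02lx\n", probe_fault(PROT_READ, 1));
    printf("fetch from PROT_READ|EXEC page: err=0x%02lx\n", probe_fault(PROT_READ | PROT_EXEC, 1));
    printf("read  from PROT_NONE page:      err=0x%02lx\n", probe_fault(PROT_NONE, 0));
    printf("PF_INSTR reported: %d\n", pf_instr_reported());
    return 0;
}
```

On a native x86-64 Linux host the three lines read 0x15 (PROT|USER|INSTR), 0x00 and 0x04; the first value is the one that distinguishes a patched linux-user from an unpatched one.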