From 3c4f941ac7d3c252b7251c69ad2f6bc7bd945473 Mon Sep 17 00:00:00 2001 From: Fiona Ebner Date: Thu, 9 Mar 2023 14:37:35 +0100 Subject: [PATCH] add more stable fixes The patches were selected from the recent "Patch Round-up for stable 7.2.1" [0]. Those that should be relevant for our supported use-cases (and the upcoming nvme use-case) were picked. Most of the patches added now have not been submitted to qemu-stable before. The follow-up for the virtio-rng-pci migration fix will break migration between versions with the fix and without the fix when a virtio-pci-rng(-non)-transitional device is used. Luckily Proxmox VE only uses the virtio-pci-rng device, and this was fixed by 0006-virtio-rng-pci-fix-migration-compat-for-vectors.patch which was applied before any public version of Proxmox VE's QEMU 7.2 package was released. [0]: https://lists.nongnu.org/archive/html/qemu-stable/2023-03/msg00010.html [1]: https://bugzilla.redhat.com/show_bug.cgi?id=2162569 Signed-off-by: Fiona Ebner --- ...ing-endian-conversions-for-doorbell-.patch | 67 +++++++++ ...fix-field-corruption-in-type-4-table.patch | 50 +++++++ ...ix-transitional-migration-compat-for.patch | 35 +++++ ...er-hpet-Fix-expiration-time-overflow.patch | 80 +++++++++++ ...vdpa-stop-all-svq-on-device-deletion.patch | 71 ++++++++++ ...tential-use-of-an-uninitialized-vari.patch | 132 ++++++++++++++++++ ...ket-set-s-listener-NULL-in-char_sock.patch | 70 ++++++++++ ...il-MAP-notifier-without-caching-mode.patch | 41 ++++++ ...-fail-DEVIOTLB_UNMAP-without-dt-mode.patch | 50 +++++++ debian/patches/series | 9 ++ 10 files changed, 605 insertions(+) create mode 100644 debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch create mode 100644 debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch create mode 100644 debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch create mode 100644 debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch create mode 100644 debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch create mode 100644 debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch create mode 100644 debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch create mode 100644 debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch create mode 100644 debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch diff --git a/debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch b/debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch new file mode 100644 index 0000000..aa9d0b0 --- /dev/null +++ b/debian/patches/extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch @@ -0,0 +1,67 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Klaus Jensen +Date: Wed, 8 Mar 2023 19:57:12 +0300 +Subject: [PATCH] hw/nvme: fix missing endian conversions for doorbell buffers + +The eventidx and doorbell value are not handling endianness correctly. +Fix this. + +Fixes: 3f7fe8de3d49 ("hw/nvme: Implement shadow doorbell buffer support") +Cc: qemu-stable@nongnu.org +Reported-by: Guenter Roeck +Reviewed-by: Keith Busch +Signed-off-by: Klaus Jensen +(cherry picked from commit 2fda0726e5149e032acfa5fe442db56cd6433c4c) +Signed-off-by: Michael Tokarev +Conflicts: hw/nvme/ctrl.c +(picked up from qemu-stable mailing list) +Signed-off-by: Fiona Ebner +--- + hw/nvme/ctrl.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index e54276dc1d..98d8e34109 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -1333,8 +1333,12 @@ static inline void nvme_blk_write(BlockBackend *blk, int64_t offset, + + static void nvme_update_cq_head(NvmeCQueue *cq) + { +- pci_dma_read(&cq->ctrl->parent_obj, cq->db_addr, &cq->head, +- sizeof(cq->head)); ++ uint32_t v; ++ ++ pci_dma_read(&cq->ctrl->parent_obj, cq->db_addr, &v, sizeof(v)); ++ ++ cq->head = le32_to_cpu(v); ++ + trace_pci_nvme_shadow_doorbell_cq(cq->cqid, cq->head); + } + +@@ -6141,15 +6145,21 @@ static uint16_t nvme_admin_cmd(NvmeCtrl *n, NvmeRequest *req) + + static void nvme_update_sq_eventidx(const NvmeSQueue *sq) + { +- pci_dma_write(&sq->ctrl->parent_obj, sq->ei_addr, &sq->tail, +- sizeof(sq->tail)); ++ uint32_t v = cpu_to_le32(sq->tail); ++ ++ pci_dma_write(&sq->ctrl->parent_obj, sq->ei_addr, &v, sizeof(v)); ++ + trace_pci_nvme_eventidx_sq(sq->sqid, sq->tail); + } + + static void nvme_update_sq_tail(NvmeSQueue *sq) + { +- pci_dma_read(&sq->ctrl->parent_obj, sq->db_addr, &sq->tail, +- sizeof(sq->tail)); ++ uint32_t v; ++ ++ pci_dma_read(&sq->ctrl->parent_obj, sq->db_addr, &v, sizeof(v)); ++ ++ sq->tail = le32_to_cpu(v); ++ + trace_pci_nvme_shadow_doorbell_sq(sq->sqid, sq->tail); + } + diff --git a/debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch b/debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch new file mode 100644 index 0000000..901dbfe --- /dev/null +++ b/debian/patches/extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch @@ -0,0 +1,50 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Julia Suvorova +Date: Thu, 23 Feb 2023 13:57:47 +0100 +Subject: [PATCH] hw/smbios: fix field corruption in type 4 table + +Since table type 4 of SMBIOS version 2.6 is shorter than 3.0, the +strings which follow immediately after the struct fields have been +overwritten by unconditional filling of later fields such as core_count2. +Make these fields dependent on the SMBIOS version. + +Fixes: 05e27d74c7 ("hw/smbios: add core_count2 to smbios table type 4") +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2169904 + +Signed-off-by: Julia Suvorova +Message-Id: <20230223125747.254914-1-jusual@redhat.com> +Reviewed-by: Igor Mammedov +Reviewed-by: Ani Sinha +Reviewed-by: Igor Mammedov +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry-picked from commit 60d09b8dc7dd4256d664ad680795cb1327805b2b) +Signed-off-by: Fiona Ebner +--- + hw/smbios/smbios.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c +index b4243de735..66a020999b 100644 +--- a/hw/smbios/smbios.c ++++ b/hw/smbios/smbios.c +@@ -749,14 +749,16 @@ static void smbios_build_type_4_table(MachineState *ms, unsigned instance) + t->core_count = (ms->smp.cores > 255) ? 0xFF : ms->smp.cores; + t->core_enabled = t->core_count; + +- t->core_count2 = t->core_enabled2 = cpu_to_le16(ms->smp.cores); +- + t->thread_count = (ms->smp.threads > 255) ? 0xFF : ms->smp.threads; +- t->thread_count2 = cpu_to_le16(ms->smp.threads); + + t->processor_characteristics = cpu_to_le16(0x02); /* Unknown */ + t->processor_family2 = cpu_to_le16(0x01); /* Other */ + ++ if (tbl_len == SMBIOS_TYPE_4_LEN_V30) { ++ t->core_count2 = t->core_enabled2 = cpu_to_le16(ms->smp.cores); ++ t->thread_count2 = cpu_to_le16(ms->smp.threads); ++ } ++ + SMBIOS_BUILD_TABLE_POST; + smbios_type4_count++; + } diff --git a/debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch b/debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch new file mode 100644 index 0000000..d44da6b --- /dev/null +++ b/debian/patches/extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch @@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Dr. David Alan Gilbert" +Date: Tue, 7 Feb 2023 17:49:44 +0000 +Subject: [PATCH] virtio-rng-pci: fix transitional migration compat for vectors + +In bad9c5a516 ("virtio-rng-pci: fix migration compat for vectors") I +fixed the virtio-rng-pci migration compatibility, but it was discovered +that we also need to fix the other aliases of the device for the +transitional cases. + +Fixes: 9ea02e8f1 ('virtio-rng-pci: Allow setting nvectors, so we can use MSI-X') +bz: https://bugzilla.redhat.com/show_bug.cgi?id=2162569 +Signed-off-by: Dr. David Alan Gilbert +Message-Id: <20230207174944.138255-1-dgilbert@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry-picked from commit 62bdb8871512076841f4464f7e26efdc7783f78d) +Signed-off-by: Fiona Ebner +--- + hw/core/machine.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/hw/core/machine.c b/hw/core/machine.c +index cd84579591..4297315984 100644 +--- a/hw/core/machine.c ++++ b/hw/core/machine.c +@@ -43,6 +43,8 @@ + GlobalProperty hw_compat_7_1[] = { + { "virtio-device", "queue_reset", "false" }, + { "virtio-rng-pci", "vectors", "0" }, ++ { "virtio-rng-pci-transitional", "vectors", "0" }, ++ { "virtio-rng-pci-non-transitional", "vectors", "0" }, + }; + const size_t hw_compat_7_1_len = G_N_ELEMENTS(hw_compat_7_1); + diff --git a/debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch b/debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch new file mode 100644 index 0000000..3c30764 --- /dev/null +++ b/debian/patches/extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch @@ -0,0 +1,80 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Akihiko Odaki +Date: Tue, 31 Jan 2023 12:00:37 +0900 +Subject: [PATCH] hw/timer/hpet: Fix expiration time overflow + +The expiration time provided for timer_mod() can overflow if a +ridiculously large value is set to the comparator register. The +resulting value can represent a past time after rounded, forcing the +timer to fire immediately. If the timer is configured as periodic, it +will rearm the timer again, and form an endless loop. + +Check if the expiration value will overflow, and if it will, stop the +timer instead of rearming the timer with the overflowed time. + +This bug was found by Alexander Bulekov when fuzzing igb, a new +network device emulation: +https://patchew.org/QEMU/20230129053316.1071513-1-alxndr@bu.edu/ + +The fixed test case is: +fuzz/crash_2d7036941dcda1ad4380bb8a9174ed0c949bcefd + +Fixes: 16b29ae180 ("Add HPET emulation to qemu (Beth Kon)") +Signed-off-by: Akihiko Odaki +Acked-by: Michael S. Tsirkin +Message-Id: <20230131030037.18856-1-akihiko.odaki@daynix.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry-picked from commit 37d2bcbc2a4e9c2e9061bec72a32c7e49b9f81ec) +Signed-off-by: Fiona Ebner +--- + hw/timer/hpet.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c +index 9520471be2..5f88ffdef8 100644 +--- a/hw/timer/hpet.c ++++ b/hw/timer/hpet.c +@@ -352,6 +352,16 @@ static const VMStateDescription vmstate_hpet = { + } + }; + ++static void hpet_arm(HPETTimer *t, uint64_t ticks) ++{ ++ if (ticks < ns_to_ticks(INT64_MAX / 2)) { ++ timer_mod(t->qemu_timer, ++ qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + ticks_to_ns(ticks)); ++ } else { ++ timer_del(t->qemu_timer); ++ } ++} ++ + /* + * timer expiration callback + */ +@@ -374,13 +384,11 @@ static void hpet_timer(void *opaque) + } + } + diff = hpet_calculate_diff(t, cur_tick); +- timer_mod(t->qemu_timer, +- qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (int64_t)ticks_to_ns(diff)); ++ hpet_arm(t, diff); + } else if (t->config & HPET_TN_32BIT && !timer_is_periodic(t)) { + if (t->wrap_flag) { + diff = hpet_calculate_diff(t, cur_tick); +- timer_mod(t->qemu_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + +- (int64_t)ticks_to_ns(diff)); ++ hpet_arm(t, diff); + t->wrap_flag = 0; + } + } +@@ -407,8 +415,7 @@ static void hpet_set_timer(HPETTimer *t) + t->wrap_flag = 1; + } + } +- timer_mod(t->qemu_timer, +- qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + (int64_t)ticks_to_ns(diff)); ++ hpet_arm(t, diff); + } + + static void hpet_del_timer(HPETTimer *t) diff --git a/debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch b/debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch new file mode 100644 index 0000000..07166db --- /dev/null +++ b/debian/patches/extra/0016-vdpa-stop-all-svq-on-device-deletion.patch @@ -0,0 +1,71 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Eugenio=20P=C3=A9rez?= +Date: Thu, 9 Feb 2023 18:00:04 +0100 +Subject: [PATCH] vdpa: stop all svq on device deletion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Not stopping them leave the device in a bad state when virtio-net +fronted device is unplugged with device_del monitor command. + +This is not triggable in regular poweroff or qemu forces shutdown +because cleanup is called right after vhost_vdpa_dev_start(false). But +devices hot unplug does not call vdpa device cleanups. This lead to all +the vhost_vdpa devices without stop the SVQ but the last. + +Fix it and clean the code, making it symmetric with +vhost_vdpa_svqs_start. + +Fixes: dff4426fa656 ("vhost: Add Shadow VirtQueue kick forwarding capabilities") +Reported-by: Lei Yang +Signed-off-by: Eugenio Pérez +Message-Id: <20230209170004.899472-1-eperezma@redhat.com> +Tested-by: Laurent Vivier +Acked-by: Jason Wang +(cherry-picked from commit 2e1a9de96b487cf818a22d681cad8d3f5d18dcca) +Signed-off-by: Fiona Ebner +--- + hw/virtio/vhost-vdpa.c | 17 ++--------------- + 1 file changed, 2 insertions(+), 15 deletions(-) + +diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c +index 7468e44b87..03c78d25d8 100644 +--- a/hw/virtio/vhost-vdpa.c ++++ b/hw/virtio/vhost-vdpa.c +@@ -707,26 +707,11 @@ static int vhost_vdpa_get_device_id(struct vhost_dev *dev, + return ret; + } + +-static void vhost_vdpa_reset_svq(struct vhost_vdpa *v) +-{ +- if (!v->shadow_vqs_enabled) { +- return; +- } +- +- for (unsigned i = 0; i < v->shadow_vqs->len; ++i) { +- VhostShadowVirtqueue *svq = g_ptr_array_index(v->shadow_vqs, i); +- vhost_svq_stop(svq); +- } +-} +- + static int vhost_vdpa_reset_device(struct vhost_dev *dev) + { +- struct vhost_vdpa *v = dev->opaque; + int ret; + uint8_t status = 0; + +- vhost_vdpa_reset_svq(v); +- + ret = vhost_vdpa_call(dev, VHOST_VDPA_SET_STATUS, &status); + trace_vhost_vdpa_reset_device(dev, status); + return ret; +@@ -1088,6 +1073,8 @@ static void vhost_vdpa_svqs_stop(struct vhost_dev *dev) + + for (unsigned i = 0; i < v->shadow_vqs->len; ++i) { + VhostShadowVirtqueue *svq = g_ptr_array_index(v->shadow_vqs, i); ++ ++ vhost_svq_stop(svq); + vhost_vdpa_svq_unmap_rings(dev, svq); + } + } diff --git a/debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch b/debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch new file mode 100644 index 0000000..8ce1973 --- /dev/null +++ b/debian/patches/extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch @@ -0,0 +1,132 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Carlos=20L=C3=B3pez?= +Date: Mon, 13 Feb 2023 09:57:47 +0100 +Subject: [PATCH] vhost: avoid a potential use of an uninitialized variable in + vhost_svq_poll() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In vhost_svq_poll(), if vhost_svq_get_buf() fails due to a device +providing invalid descriptors, len is left uninitialized and returned +to the caller, potentally leaking stack data or causing undefined +behavior. + +Fix this by initializing len to 0. + +Found with GCC 13 and -fanalyzer (abridged): + +../hw/virtio/vhost-shadow-virtqueue.c: In function ‘vhost_svq_poll’: +../hw/virtio/vhost-shadow-virtqueue.c:538:12: warning: use of uninitialized value ‘len’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value] + 538 | return len; + | ^~~ + ‘vhost_svq_poll’: events 1-4 + | + | 522 | size_t vhost_svq_poll(VhostShadowVirtqueue *svq) + | | ^~~~~~~~~~~~~~ + | | | + | | (1) entry to ‘vhost_svq_poll’ + |...... + | 525 | uint32_t len; + | | ~~~ + | | | + | | (2) region created on stack here + | | (3) capacity: 4 bytes + |...... + | 528 | if (vhost_svq_more_used(svq)) { + | | ~ + | | | + | | (4) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_poll’ + + (...) + + | 528 | if (vhost_svq_more_used(svq)) { + | | ^~~~~~~~~~~~~~~~~~~~~~~~~ + | | || + | | |(8) ...to here + | | (7) following ‘true’ branch... + |...... + | 537 | vhost_svq_get_buf(svq, &len); + | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + | | | + | | (9) calling ‘vhost_svq_get_buf’ from ‘vhost_svq_poll’ + | + +--> ‘vhost_svq_get_buf’: events 10-11 + | + | 416 | static VirtQueueElement *vhost_svq_get_buf(VhostShadowVirtqueue *svq, + | | ^~~~~~~~~~~~~~~~~ + | | | + | | (10) entry to ‘vhost_svq_get_buf’ + |...... + | 423 | if (!vhost_svq_more_used(svq)) { + | | ~ + | | | + | | (11) inlined call to ‘vhost_svq_more_used’ from ‘vhost_svq_get_buf’ + | + + (...) + + | + ‘vhost_svq_get_buf’: event 14 + | + | 423 | if (!vhost_svq_more_used(svq)) { + | | ^ + | | | + | | (14) following ‘false’ branch... + | + ‘vhost_svq_get_buf’: event 15 + | + |cc1: + | (15): ...to here + | + <------+ + | + ‘vhost_svq_poll’: events 16-17 + | + | 537 | vhost_svq_get_buf(svq, &len); + | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + | | | + | | (16) returning to ‘vhost_svq_poll’ from ‘vhost_svq_get_buf’ + | 538 | return len; + | | ~~~ + | | | + | | (17) use of uninitialized value ‘len’ here + +Note by Laurent Vivier : + + The return value is only used to detect an error: + + vhost_svq_poll + vhost_vdpa_net_cvq_add + vhost_vdpa_net_load_cmd + vhost_vdpa_net_load_mac + -> a negative return is only used to detect error + vhost_vdpa_net_load_mq + -> a negative return is only used to detect error + vhost_vdpa_net_handle_ctrl_avail + -> a negative return is only used to detect error + +Fixes: d368c0b052ad ("vhost: Do not depend on !NULL VirtQueueElement on vhost_svq_flush") +Signed-off-by: Carlos López +Message-Id: <20230213085747.19956-1-clopez@suse.de> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry-picked from commit e4dd39c699b7d63a06f686ec06ded8adbee989c1) +Signed-off-by: Fiona Ebner +--- + hw/virtio/vhost-shadow-virtqueue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c +index 5bd14cad96..a723073747 100644 +--- a/hw/virtio/vhost-shadow-virtqueue.c ++++ b/hw/virtio/vhost-shadow-virtqueue.c +@@ -522,7 +522,7 @@ static void vhost_svq_flush(VhostShadowVirtqueue *svq, + size_t vhost_svq_poll(VhostShadowVirtqueue *svq) + { + int64_t start_us = g_get_monotonic_time(); +- uint32_t len; ++ uint32_t len = 0; + + do { + if (vhost_svq_more_used(svq)) { diff --git a/debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch b/debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch new file mode 100644 index 0000000..449bca8 --- /dev/null +++ b/debian/patches/extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch @@ -0,0 +1,70 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Yajun Wu +Date: Tue, 14 Feb 2023 10:14:30 +0800 +Subject: [PATCH] chardev/char-socket: set s->listener = NULL in + char_socket_finalize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +After live migration with virtio block device, qemu crash at: + + #0 0x000055914f46f795 in object_dynamic_cast_assert (obj=0x559151b7b090, typename=0x55914f80fbc4 "qio-channel", file=0x55914f80fb90 "/images/testvfe/sw/qemu.gerrit/include/io/channel.h", line=30, func=0x55914f80fcb8 <__func__.17257> "QIO_CHANNEL") at ../qom/object.c:872 + #1 0x000055914f480d68 in QIO_CHANNEL (obj=0x559151b7b090) at /images/testvfe/sw/qemu.gerrit/include/io/channel.h:29 + #2 0x000055914f4812f8 in qio_net_listener_set_client_func_full (listener=0x559151b7a720, func=0x55914f580b97 , data=0x5591519f4ea0, notify=0x0, context=0x0) at ../io/net-listener.c:166 + #3 0x000055914f580059 in tcp_chr_update_read_handler (chr=0x5591519f4ea0) at ../chardev/char-socket.c:637 + #4 0x000055914f583dca in qemu_chr_be_update_read_handlers (s=0x5591519f4ea0, context=0x0) at ../chardev/char.c:226 + #5 0x000055914f57b7c9 in qemu_chr_fe_set_handlers_full (b=0x559152bf23a0, fd_can_read=0x0, fd_read=0x0, fd_event=0x0, be_change=0x0, opaque=0x0, context=0x0, set_open=false, sync_state=true) at ../chardev/char-fe.c:279 + #6 0x000055914f57b86d in qemu_chr_fe_set_handlers (b=0x559152bf23a0, fd_can_read=0x0, fd_read=0x0, fd_event=0x0, be_change=0x0, opaque=0x0, context=0x0, set_open=false) at ../chardev/char-fe.c:304 + #7 0x000055914f378caf in vhost_user_async_close (d=0x559152bf21a0, chardev=0x559152bf23a0, vhost=0x559152bf2420, cb=0x55914f2fb8c1 ) at ../hw/virtio/vhost-user.c:2725 + #8 0x000055914f2fba40 in vhost_user_blk_event (opaque=0x559152bf21a0, event=CHR_EVENT_CLOSED) at ../hw/block/vhost-user-blk.c:395 + #9 0x000055914f58388c in chr_be_event (s=0x5591519f4ea0, event=CHR_EVENT_CLOSED) at ../chardev/char.c:61 + #10 0x000055914f583905 in qemu_chr_be_event (s=0x5591519f4ea0, event=CHR_EVENT_CLOSED) at ../chardev/char.c:81 + #11 0x000055914f581275 in char_socket_finalize (obj=0x5591519f4ea0) at ../chardev/char-socket.c:1083 + #12 0x000055914f46f073 in object_deinit (obj=0x5591519f4ea0, type=0x5591519055c0) at ../qom/object.c:680 + #13 0x000055914f46f0e5 in object_finalize (data=0x5591519f4ea0) at ../qom/object.c:694 + #14 0x000055914f46ff06 in object_unref (objptr=0x5591519f4ea0) at ../qom/object.c:1202 + #15 0x000055914f4715a4 in object_finalize_child_property (obj=0x559151b76c50, name=0x559151b7b250 "char3", opaque=0x5591519f4ea0) at ../qom/object.c:1747 + #16 0x000055914f46ee86 in object_property_del_all (obj=0x559151b76c50) at ../qom/object.c:632 + #17 0x000055914f46f0d2 in object_finalize (data=0x559151b76c50) at ../qom/object.c:693 + #18 0x000055914f46ff06 in object_unref (objptr=0x559151b76c50) at ../qom/object.c:1202 + #19 0x000055914f4715a4 in object_finalize_child_property (obj=0x559151b6b560, name=0x559151b76630 "chardevs", opaque=0x559151b76c50) at ../qom/object.c:1747 + #20 0x000055914f46ef67 in object_property_del_child (obj=0x559151b6b560, child=0x559151b76c50) at ../qom/object.c:654 + #21 0x000055914f46f042 in object_unparent (obj=0x559151b76c50) at ../qom/object.c:673 + #22 0x000055914f58632a in qemu_chr_cleanup () at ../chardev/char.c:1189 + #23 0x000055914f16c66c in qemu_cleanup () at ../softmmu/runstate.c:830 + #24 0x000055914eee7b9e in qemu_default_main () at ../softmmu/main.c:38 + #25 0x000055914eee7bcc in main (argc=86, argv=0x7ffc97cb8d88) at ../softmmu/main.c:48 + +In char_socket_finalize after s->listener freed, event callback function +vhost_user_blk_event will be called to handle CHR_EVENT_CLOSED. +vhost_user_blk_event is calling qio_net_listener_set_client_func_full which +is still using s->listener. + +Setting s->listener = NULL after object_unref(OBJECT(s->listener)) can +solve this issue. + +Signed-off-by: Yajun Wu +Acked-by: Jiri Pirko +Message-Id: <20230214021430.3638579-1-yajunw@nvidia.com> +Reviewed-by: Marc-André Lureau +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry-picked from commit b8a7f51f59e28d5a8e0c07ed3919cc9695560ed2) +Signed-off-by: Fiona Ebner +--- + chardev/char-socket.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/chardev/char-socket.c b/chardev/char-socket.c +index 879564aa8a..b00efb1482 100644 +--- a/chardev/char-socket.c ++++ b/chardev/char-socket.c +@@ -1065,6 +1065,7 @@ static void char_socket_finalize(Object *obj) + qio_net_listener_set_client_func_full(s->listener, NULL, NULL, + NULL, chr->gcontext); + object_unref(OBJECT(s->listener)); ++ s->listener = NULL; + } + if (s->tls_creds) { + object_unref(OBJECT(s->tls_creds)); diff --git a/debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch b/debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch new file mode 100644 index 0000000..f0f2d21 --- /dev/null +++ b/debian/patches/extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 23 Feb 2023 14:59:20 +0800 +Subject: [PATCH] intel-iommu: fail MAP notifier without caching mode + +Without caching mode, MAP notifier won't work correctly since guest +won't send IOTLB update event when it establishes new mappings in the +I/O page tables. Let's fail the IOMMU notifiers early instead of +misbehaving silently. + +Reviewed-by: Eric Auger +Tested-by: Viktor Prutyanov +Signed-off-by: Jason Wang +Message-Id: <20230223065924.42503-2-jasowang@redhat.com> +Reviewed-by: Peter Xu +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry-picked from commit b8d78277c091f26fdd64f239bc8bb7e55d74cecf) +Signed-off-by: Fiona Ebner +--- + hw/i386/intel_iommu.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c +index a08ee85edf..9143376677 100644 +--- a/hw/i386/intel_iommu.c ++++ b/hw/i386/intel_iommu.c +@@ -3186,6 +3186,13 @@ static int vtd_iommu_notify_flag_changed(IOMMUMemoryRegion *iommu, + "Snoop Control with vhost or VFIO is not supported"); + return -ENOTSUP; + } ++ if (!s->caching_mode && (new & IOMMU_NOTIFIER_MAP)) { ++ error_setg_errno(errp, ENOTSUP, ++ "device %02x.%02x.%x requires caching mode", ++ pci_bus_num(vtd_as->bus), PCI_SLOT(vtd_as->devfn), ++ PCI_FUNC(vtd_as->devfn)); ++ return -ENOTSUP; ++ } + + /* Update per-address-space notifier flags */ + vtd_as->notifier_flags = new; diff --git a/debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch b/debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch new file mode 100644 index 0000000..ce87ea5 --- /dev/null +++ b/debian/patches/extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch @@ -0,0 +1,50 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 23 Feb 2023 14:59:21 +0800 +Subject: [PATCH] intel-iommu: fail DEVIOTLB_UNMAP without dt mode + +Without dt mode, device IOTLB notifier won't work since guest won't +send device IOTLB invalidation descriptor in this case. Let's fail +early instead of misbehaving silently. + +Reviewed-by: Laurent Vivier +Tested-by: Laurent Vivier +Tested-by: Viktor Prutyanov +Buglink: https://bugzilla.redhat.com/2156876 +Signed-off-by: Jason Wang +Message-Id: <20230223065924.42503-3-jasowang@redhat.com> +Reviewed-by: Peter Xu +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry-picked from commit 09adb0e021207b60a0c51a68939b4539d98d3ef3) +Signed-off-by: Fiona Ebner +--- + hw/i386/intel_iommu.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c +index 9143376677..d025ef2873 100644 +--- a/hw/i386/intel_iommu.c ++++ b/hw/i386/intel_iommu.c +@@ -3179,6 +3179,7 @@ static int vtd_iommu_notify_flag_changed(IOMMUMemoryRegion *iommu, + { + VTDAddressSpace *vtd_as = container_of(iommu, VTDAddressSpace, iommu); + IntelIOMMUState *s = vtd_as->iommu_state; ++ X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(s); + + /* TODO: add support for VFIO and vhost users */ + if (s->snoop_control) { +@@ -3193,6 +3194,13 @@ static int vtd_iommu_notify_flag_changed(IOMMUMemoryRegion *iommu, + PCI_FUNC(vtd_as->devfn)); + return -ENOTSUP; + } ++ if (!x86_iommu->dt_supported && (new & IOMMU_NOTIFIER_DEVIOTLB_UNMAP)) { ++ error_setg_errno(errp, ENOTSUP, ++ "device %02x.%02x.%x requires device IOTLB mode", ++ pci_bus_num(vtd_as->bus), PCI_SLOT(vtd_as->devfn), ++ PCI_FUNC(vtd_as->devfn)); ++ return -ENOTSUP; ++ } + + /* Update per-address-space notifier flags */ + vtd_as->notifier_flags = new; diff --git a/debian/patches/series b/debian/patches/series index eca4614..ba3279e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,6 +9,15 @@ extra/0008-memory-prevent-dma-reentracy-issues.patch extra/0009-block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch extra/0010-scsi-megasas-Internal-cdbs-have-16-byte-length.patch extra/0011-ide-avoid-potential-deadlock-when-draining-during-tr.patch +extra/0012-hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch +extra/0013-hw-smbios-fix-field-corruption-in-type-4-table.patch +extra/0014-virtio-rng-pci-fix-transitional-migration-compat-for.patch +extra/0015-hw-timer-hpet-Fix-expiration-time-overflow.patch +extra/0016-vdpa-stop-all-svq-on-device-deletion.patch +extra/0017-vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch +extra/0018-chardev-char-socket-set-s-listener-NULL-in-char_sock.patch +extra/0019-intel-iommu-fail-MAP-notifier-without-caching-mode.patch +extra/0020-intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch -- 2.39.5