more stable fixes for QEMU 9.0

Most importantly the first one "Revert "monitor: use aio_co_reschedule_self()"", fixing a crash when doing hotplug+resize with a disk using io_uring. Other fixes (likely not too important) for TCG emulation of x86(_64) and ARM. Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
2024-05-29 12:53:17 +02:00 · 2024-05-29 12:53:17 +02:00 · c1cd6a6221
commit c1cd6a6221
parent 16b7dfe03b
7 changed files with 311 additions and 0 deletions
--- a/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
+++ b/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Mon, 6 May 2024 15:06:21 -0400
+Subject: [PATCH] Revert "monitor: use aio_co_reschedule_self()"
+
+Commit 1f25c172f837 ("monitor: use aio_co_reschedule_self()") was a code
+cleanup that uses aio_co_reschedule_self() instead of open coding
+coroutine rescheduling.
+
+Bug RHEL-34618 was reported and Kevin Wolf <kwolf@redhat.com> identified
+the root cause. I missed that aio_co_reschedule_self() ->
+qemu_get_current_aio_context() only knows about
+qemu_aio_context/IOThread AioContexts and not about iohandler_ctx. It
+does not function correctly when going back from the iohandler_ctx to
+qemu_aio_context.
+
+Go back to open coding the AioContext transitions to avoid this bug.
+
+This reverts commit 1f25c172f83704e350c0829438d832384084a74d.
+
+Buglink: https://issues.redhat.com/browse/RHEL-34618
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(picked from: https://lists.nongnu.org/archive/html/qemu-devel/2024-05/msg01090.html)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ qapi/qmp-dispatch.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
+index 2624eb3470..790bb7d1da 100644
+--- a/qapi/qmp-dispatch.c
+++ b/qapi/qmp-dispatch.c
+@@ -224,7 +224,8 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
+              * executing the command handler so that it can make progress if it
+              * involves an AIO_WAIT_WHILE().
+              */
+-            aio_co_reschedule_self(qemu_get_aio_context());
+            aio_co_schedule(qemu_get_aio_context(), qemu_coroutine_self());
+            qemu_coroutine_yield();
+         }
+ 
+         monitor_set_cur(qemu_coroutine_self(), cur_mon);
+@@ -238,7 +239,9 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
+              * Move back to iohandler_ctx so that nested event loops for
+              * qemu_aio_context don't start new monitor commands.
+              */
+-            aio_co_reschedule_self(iohandler_get_aio_context());
+            aio_co_schedule(iohandler_get_aio_context(),
+                            qemu_coroutine_self());
+            qemu_coroutine_yield();
+         }
+     } else {
+        /*
--- a/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
+++ b/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson@linaro.org>
+Date: Mon, 22 Apr 2024 10:07:22 -0700
+Subject: [PATCH] target/arm: Restrict translation disabled alignment check to
+ VMSA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For cpus using PMSA, when the MPU is disabled, the default memory
+type is Normal, Non-cachable. This means that it should not
+have alignment restrictions enforced.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 59754f85ed3 ("target/arm: Do memory type alignment check when translation disabled")
+Reported-by: Clément Chigot <chigot@adacore.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Tested-by: Clément Chigot <chigot@adacore.com>
+Message-id: 20240422170722.117409-1-richard.henderson@linaro.org
+[PMM: trivial comment, commit message tweaks]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 7b19a3554d2df22d29c75319a1dac17615d1b20e)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/arm/tcg/hflags.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
+index 5da1b0fc1d..f03977b4b0 100644
+--- a/target/arm/tcg/hflags.c
+++ b/target/arm/tcg/hflags.c
+@@ -38,8 +38,16 @@ static bool aprofile_require_alignment(CPUARMState *env, int el, uint64_t sctlr)
+     }
+ 
+     /*
+-     * If translation is disabled, then the default memory type is
+-     * Device(-nGnRnE) instead of Normal, which requires that alignment
+     * With PMSA, when the MPU is disabled, all memory types in the
+     * default map are Normal, so don't need aligment enforcing.
+     */
+    if (arm_feature(env, ARM_FEATURE_PMSA)) {
+        return false;
+    }
+
+    /*
+     * With VMSA, if translation is disabled, then the default memory type
+     * is Device(-nGnRnE) instead of Normal, which requires that alignment
+      * be enforced.  Since this affects all ram, it is most efficient
+      * to handle this during translation.
+      */
--- a/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
+++ b/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ruihan Li <lrh2000@pku.edu.cn>
+Date: Mon, 15 Apr 2024 14:45:21 +0800
+Subject: [PATCH] target/i386: Give IRQs a chance when resetting
+ HF_INHIBIT_IRQ_MASK
+
+When emulated with QEMU, interrupts will never come in the following
+loop. However, if the NOP instruction is uncommented, interrupts will
+fire as normal.
+
+	loop:
+		cli
+    		call do_sti
+		jmp loop
+
+	do_sti:
+		sti
+		# nop
+		ret
+
+This behavior is different from that of a real processor. For example,
+if KVM is enabled, interrupts will always fire regardless of whether the
+NOP instruction is commented or not. Also, the Intel Software Developer
+Manual states that after the STI instruction is executed, the interrupt
+inhibit should end as soon as the next instruction (e.g., the RET
+instruction if the NOP instruction is commented) is executed.
+
+This problem is caused because the previous code may choose not to end
+the TB even if the HF_INHIBIT_IRQ_MASK has just been reset (e.g., in the
+case where the STI instruction is immediately followed by the RET
+instruction), so that IRQs may not have a change to trigger. This commit
+fixes the problem by always terminating the current TB to give IRQs a
+chance to trigger when HF_INHIBIT_IRQ_MASK is reset.
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
+Message-ID: <20240415064518.4951-4-lrh2000@pku.edu.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 6a5a63f74ba5c5355b7a8468d3d814bfffe928fb)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/tcg/translate.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index 3e949fe964..b5ebff2c89 100644
+--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
+@@ -2798,13 +2798,17 @@ static void gen_bnd_jmp(DisasContext *s)
+ static void
+ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+ {
+    bool inhibit_reset;
+
+     gen_update_cc_op(s);
+ 
+     /* If several instructions disable interrupts, only the first does it.  */
+-    if (inhibit && !(s->flags & HF_INHIBIT_IRQ_MASK)) {
+-        gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
+-    } else {
+    inhibit_reset = false;
+    if (s->flags & HF_INHIBIT_IRQ_MASK) {
+         gen_reset_hflag(s, HF_INHIBIT_IRQ_MASK);
+        inhibit_reset = true;
+    } else if (inhibit) {
+        gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
+     }
+ 
+     if (s->base.tb->flags & HF_RF_MASK) {
+@@ -2815,7 +2819,9 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+         tcg_gen_exit_tb(NULL, 0);
+     } else if (s->flags & HF_TF_MASK) {
+         gen_helper_single_step(tcg_env);
+-    } else if (jr) {
+    } else if (jr &&
+               /* give irqs a chance to happen */
+               !inhibit_reset) {
+         tcg_gen_lookup_and_goto_ptr();
+     } else {
+         tcg_gen_exit_tb(NULL, 0);
--- a/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
+++ b/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: donsheng <dongsheng.x.zhang@intel.com>
+Date: Wed, 22 May 2024 04:01:14 +0800
+Subject: [PATCH] target-i386: hyper-v: Correct kvm_hv_handle_exit return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This bug fix addresses the incorrect return value of kvm_hv_handle_exit for
+KVM_EXIT_HYPERV_SYNIC, which should be EXCP_INTERRUPT.
+
+Handling of KVM_EXIT_HYPERV_SYNIC in QEMU needs to be synchronous.
+This means that async_synic_update should run in the current QEMU vCPU
+thread before returning to KVM, returning EXCP_INTERRUPT to guarantee this.
+Returning 0 can cause async_synic_update to run asynchronously.
+
+One problem (kvm-unit-tests's hyperv_synic test fails with timeout error)
+caused by this bug:
+
+When a guest VM writes to the HV_X64_MSR_SCONTROL MSR to enable Hyper-V SynIC,
+a VM exit is triggered and processed by the kvm_hv_handle_exit function of the
+QEMU vCPU. This function then calls the async_synic_update function to set
+synic->sctl_enabled to true. A true value of synic->sctl_enabled is required
+before creating SINT routes using the hyperv_sint_route_new() function.
+
+If kvm_hv_handle_exit returns 0 for KVM_EXIT_HYPERV_SYNIC, the current QEMU
+vCPU thread may return to KVM and enter the guest VM before running
+async_synic_update. In such case, the hyperv_synic test’s subsequent call to
+synic_ctl(HV_TEST_DEV_SINT_ROUTE_CREATE, ...) immediately after writing to
+HV_X64_MSR_SCONTROL can cause QEMU’s hyperv_sint_route_new() function to return
+prematurely (because synic->sctl_enabled is false).
+
+If the SINT route is not created successfully, the SINT interrupt will not be
+fired, resulting in a timeout error in the hyperv_synic test.
+
+Fixes: 267e071bd6d6 (“hyperv: make overlay pages for SynIC”)
+Suggested-by: Chao Gao <chao.gao@intel.com>
+Signed-off-by: Dongsheng Zhang <dongsheng.x.zhang@intel.com>
+Message-ID: <20240521200114.11588-1-dongsheng.x.zhang@intel.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 84d4b72854869821eb89813c195927fdd3078c12)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/kvm/hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/kvm/hyperv.c b/target/i386/kvm/hyperv.c
+index f2a3fe650a..b94f12acc2 100644
+--- a/target/i386/kvm/hyperv.c
+++ b/target/i386/kvm/hyperv.c
+@@ -81,7 +81,7 @@ int kvm_hv_handle_exit(X86CPU *cpu, struct kvm_hyperv_exit *exit)
+          */
+         async_safe_run_on_cpu(CPU(cpu), async_synic_update, RUN_ON_CPU_NULL);
+ 
+-        return 0;
+        return EXCP_INTERRUPT;
+     case KVM_EXIT_HYPERV_HCALL: {
+         uint16_t code = exit->u.hcall.input & 0xffff;
+         bool fast = exit->u.hcall.input & HV_HYPERCALL_FAST;
--- a/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
+++ b/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 24 May 2024 17:17:47 +0200
+Subject: [PATCH] target/i386: disable jmp_opt if EFLAGS.RF is 1
+
+If EFLAGS.RF is 1, special processing in gen_eob_worker() is needed and
+therefore goto_tb cannot be used.
+
+Suggested-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 8225bff7c5db504f50e54ef66b079854635dba70)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/tcg/translate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index b5ebff2c89..c2c5e73b3f 100644
+--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
+@@ -6971,7 +6971,7 @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
+     dc->cpuid_7_1_eax_features = env->features[FEAT_7_1_EAX];
+     dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
+     dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
+-                    (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
+                    (flags & (HF_RF_MASK | HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
+     /*
+      * If jmp_opt, we want to handle each string instruction individually.
+      * For icount also disable repz optimization so that each iteration
--- a/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
+++ b/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Sat, 25 May 2024 10:03:22 +0200
+Subject: [PATCH] target/i386: no single-step exception after MOV or POP SS
+
+Intel SDM 18.3.1.4 "If an occurrence of the MOV or POP instruction
+loads the SS register executes with EFLAGS.TF = 1, no single-step debug
+exception occurs following the MOV or POP instruction."
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit f0f0136abba688a6516647a79cc91e03fad6d5d7)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ target/i386/tcg/translate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index c2c5e73b3f..a55df176c6 100644
+--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
+@@ -2817,7 +2817,7 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+     if (recheck_tf) {
+         gen_helper_rechecking_single_step(tcg_env);
+         tcg_gen_exit_tb(NULL, 0);
+-    } else if (s->flags & HF_TF_MASK) {
+    } else if ((s->flags & HF_TF_MASK) && !inhibit) {
+         gen_helper_single_step(tcg_env);
+     } else if (jr &&
+                /* give irqs a chance to happen */
--- a/debian/patches/series
+++ b/debian/patches/series
@ -10,6 +10,12 @@ extra/0009-target-i386-rdpkru-wrpkru-are-no-prefix-instructions.patch
 extra/0010-target-i386-fix-feature-dependency-for-WAITPKG.patch
 extra/0011-Revert-virtio-pci-fix-use-of-a-released-vector.patch
 extra/0012-hw-core-machine-move-compatibility-flags-for-VirtIO-.patch
+extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
+extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
+extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
+extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
+extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
+extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch