From c1cd6a6221e4322413c768e07995894f4ff012e8 Mon Sep 17 00:00:00 2001
From: Fiona Ebner
Date: Wed, 29 May 2024 12:53:17 +0200
Subject: [PATCH] more stable fixes for QEMU 9.0

Most importantly the first one "Revert "monitor: use aio_co_reschedule_self()"", fixing a crash when doing hotplug+resize with a disk using io_uring. Other fixes (likely not too important) for TCG emulation of x86(_64) and ARM.

Signed-off-by: Fiona Ebner
---
 ...t-monitor-use-aio_co_reschedule_self.patch | 53 ++++++++++++
 ...ict-translation-disabled-alignment-c.patch | 51 ++++++++++++
 ...-IRQs-a-chance-when-resetting-HF_INH.patch | 80 +++++++++++++++++++
 ...r-v-Correct-kvm_hv_handle_exit-retur.patch | 60 ++++++++++++++
 ...86-disable-jmp_opt-if-EFLAGS.RF-is-1.patch | 31 +++++++
 ...ingle-step-exception-after-MOV-or-PO.patch | 30 +++++++
 debian/patches/series | 6 ++
 7 files changed, 311 insertions(+)
 create mode 100644 debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
 create mode 100644 debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
 create mode 100644 debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
 create mode 100644 debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
 create mode 100644 debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
 create mode 100644 debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch

diff --git a/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch b/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
new file mode 100644
index 0000000..def305c
--- /dev/null
+++ b/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi
+Date: Mon, 6 May 2024 15:06:21 -0400
+Subject: [PATCH] Revert "monitor: use aio_co_reschedule_self()"
+
+Commit 1f25c172f837 ("monitor: use aio_co_reschedule_self()") was a code
+cleanup that uses aio_co_reschedule_self() instead of open coding
+coroutine rescheduling.
+
+Bug RHEL-34618 was reported and Kevin Wolf identified
+the root cause. I missed that aio_co_reschedule_self() ->
+qemu_get_current_aio_context() only knows about
+qemu_aio_context/IOThread AioContexts and not about iohandler_ctx. It
+does not function correctly when going back from the iohandler_ctx to
+qemu_aio_context.
+
+Go back to open coding the AioContext transitions to avoid this bug.
+
+This reverts commit 1f25c172f83704e350c0829438d832384084a74d.
+
+Buglink: https://issues.redhat.com/browse/RHEL-34618
+Signed-off-by: Stefan Hajnoczi
+(picked from: https://lists.nongnu.org/archive/html/qemu-devel/2024-05/msg01090.html)
+Signed-off-by: Fiona Ebner
+---
+ qapi/qmp-dispatch.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
+index 2624eb3470..790bb7d1da 100644
+--- a/qapi/qmp-dispatch.c
++++ b/qapi/qmp-dispatch.c
+@@ -224,7 +224,8 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
+ * executing the command handler so that it can make progress if it
+ * involves an AIO_WAIT_WHILE().
+ */
+- aio_co_reschedule_self(qemu_get_aio_context());
++ aio_co_schedule(qemu_get_aio_context(), qemu_coroutine_self());
++ qemu_coroutine_yield();
+ }
+
+ monitor_set_cur(qemu_coroutine_self(), cur_mon);
+@@ -238,7 +239,9 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
+ * Move back to iohandler_ctx so that nested event loops for
+ * qemu_aio_context don't start new monitor commands.
+ */
+- aio_co_reschedule_self(iohandler_get_aio_context());
++ aio_co_schedule(iohandler_get_aio_context(),
++ qemu_coroutine_self());
++ qemu_coroutine_yield();
+ }
+ } else {
+ /*
diff --git a/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch b/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
new file mode 100644
index 0000000..2475d34
--- /dev/null
+++ b/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
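Review bot: The provenance trailer of this backport is a mailing-list URL, `+(picked from: https://lists.nongnu.org/archive/html/qemu-devel/2024-05/msg01090.html)`, whereas the other five patches added by this commit carry a `(cherry picked from commit …)` line with the upstream id, so a later stable rebase cannot mechanically tell whether this fix is already contained upstream. Once the revert lands, I would amend the trailer to `+(cherry picked from commit <UPSTREAM-COMMIT-ID>)` with the real id, or at least note in the trailer that it is taken from the list before merge. The code part matches the described revert: both `aio_co_reschedule_self()` calls are replaced by the explicit `aio_co_schedule()` plus `qemu_coroutine_yield()` pair, and the enclosing `qmp_dispatch()` body continues outside the embedded hunks.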
@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson
+Date: Mon, 22 Apr 2024 10:07:22 -0700
+Subject: [PATCH] target/arm: Restrict translation disabled alignment check to
+ VMSA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For cpus using PMSA, when the MPU is disabled, the default memory
+type is Normal, Non-cachable. This means that it should not
+have alignment restrictions enforced.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 59754f85ed3 ("target/arm: Do memory type alignment check when translation disabled")
+Reported-by: Clément Chigot
+Signed-off-by: Richard Henderson
+Reviewed-by: Philippe Mathieu-Daudé
+Tested-by: Clément Chigot
+Message-id: 20240422170722.117409-1-richard.henderson@linaro.org
+[PMM: trivial comment, commit message tweaks]
+Signed-off-by: Peter Maydell
+(cherry picked from commit 7b19a3554d2df22d29c75319a1dac17615d1b20e)
+Signed-off-by: Fiona Ebner
+---
+ target/arm/tcg/hflags.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
+index 5da1b0fc1d..f03977b4b0 100644
+--- a/target/arm/tcg/hflags.c
++++ b/target/arm/tcg/hflags.c
+@@ -38,8 +38,16 @@ static bool aprofile_require_alignment(CPUARMState *env, int el, uint64_t sctlr)
+ }
+
+ /*
+- * If translation is disabled, then the default memory type is
+- * Device(-nGnRnE) instead of Normal, which requires that alignment
++ * With PMSA, when the MPU is disabled, all memory types in the
++ * default map are Normal, so don't need aligment enforcing.
++ */
++ if (arm_feature(env, ARM_FEATURE_PMSA)) {
++ return false;
++ }
++
++ /*
++ * With VMSA, if translation is disabled, then the default memory type
++ * is Device(-nGnRnE) instead of Normal, which requires that alignment
+ * be enforced. Since this affects all ram, it is most efficient
+ * to handle this during translation.
+ */
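Review bot: The new comment line `++ * default map are Normal, so don't need aligment enforcing.` carries a typo (`aligment`) over from the upstream commit. Because this file is a verbatim cherry-pick of 7b19a3554d2df22d29c75319a1dac17615d1b20e, I would leave it untouched here so the patch stays byte-identical to upstream and drops cleanly on the next stable rebase, rather than fixing it downstream and creating a needless conflict later. The enclosing `aprofile_require_alignment()` body starts and ends outside the embedded hunk.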
diff --git a/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch b/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
new file mode 100644
index 0000000..97501f5
--- /dev/null
+++ b/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
@@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ruihan Li
+Date: Mon, 15 Apr 2024 14:45:21 +0800
+Subject: [PATCH] target/i386: Give IRQs a chance when resetting
+ HF_INHIBIT_IRQ_MASK
+
+When emulated with QEMU, interrupts will never come in the following
+loop. However, if the NOP instruction is uncommented, interrupts will
+fire as normal.
+
+ loop:
+ cli
+ call do_sti
+ jmp loop
+
+ do_sti:
+ sti
+ # nop
+ ret
+
+This behavior is different from that of a real processor. For example,
+if KVM is enabled, interrupts will always fire regardless of whether the
+NOP instruction is commented or not. Also, the Intel Software Developer
+Manual states that after the STI instruction is executed, the interrupt
+inhibit should end as soon as the next instruction (e.g., the RET
+instruction if the NOP instruction is commented) is executed.
+
+This problem is caused because the previous code may choose not to end
+the TB even if the HF_INHIBIT_IRQ_MASK has just been reset (e.g., in the
+case where the STI instruction is immediately followed by the RET
+instruction), so that IRQs may not have a change to trigger. This commit
+fixes the problem by always terminating the current TB to give IRQs a
+chance to trigger when HF_INHIBIT_IRQ_MASK is reset.
+
+Reviewed-by: Richard Henderson
+Signed-off-by: Ruihan Li
+Message-ID: <20240415064518.4951-4-lrh2000@pku.edu.cn>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 6a5a63f74ba5c5355b7a8468d3d814bfffe928fb)
+Signed-off-by: Fiona Ebner
+---
+ target/i386/tcg/translate.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index 3e949fe964..b5ebff2c89 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -2798,13 +2798,17 @@ static void gen_bnd_jmp(DisasContext *s)
+ static void
+ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+ {
++ bool inhibit_reset;
++
+ gen_update_cc_op(s);
+
+ /* If several instructions disable interrupts, only the first does it. */
+- if (inhibit && !(s->flags & HF_INHIBIT_IRQ_MASK)) {
+- gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
+- } else {
++ inhibit_reset = false;
++ if (s->flags & HF_INHIBIT_IRQ_MASK) {
+ gen_reset_hflag(s, HF_INHIBIT_IRQ_MASK);
++ inhibit_reset = true;
++ } else if (inhibit) {
++ gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
+ }
+
+ if (s->base.tb->flags & HF_RF_MASK) {
+@@ -2815,7 +2819,9 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+ tcg_gen_exit_tb(NULL, 0);
+ } else if (s->flags & HF_TF_MASK) {
+ gen_helper_single_step(tcg_env);
+- } else if (jr) {
++ } else if (jr &&
++ /* give irqs a chance to happen */
++ !inhibit_reset) {
+ tcg_gen_lookup_and_goto_ptr();
+ } else {
+ tcg_gen_exit_tb(NULL, 0);
diff --git a/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch b/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
new file mode 100644
index 0000000..337c74c
--- /dev/null
+++ b/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: donsheng
+Date: Wed, 22 May 2024 04:01:14 +0800
+Subject: [PATCH] target-i386: hyper-v: Correct kvm_hv_handle_exit return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This bug fix addresses the incorrect return value of kvm_hv_handle_exit for
+KVM_EXIT_HYPERV_SYNIC, which should be EXCP_INTERRUPT.
+
+Handling of KVM_EXIT_HYPERV_SYNIC in QEMU needs to be synchronous.
+This means that async_synic_update should run in the current QEMU vCPU
+thread before returning to KVM, returning EXCP_INTERRUPT to guarantee this.
+Returning 0 can cause async_synic_update to run asynchronously.
+
+One problem (kvm-unit-tests's hyperv_synic test fails with timeout error)
+caused by this bug:
+
+When a guest VM writes to the HV_X64_MSR_SCONTROL MSR to enable Hyper-V SynIC,
+a VM exit is triggered and processed by the kvm_hv_handle_exit function of the
+QEMU vCPU. This function then calls the async_synic_update function to set
+synic->sctl_enabled to true. A true value of synic->sctl_enabled is required
+before creating SINT routes using the hyperv_sint_route_new() function.
+
+If kvm_hv_handle_exit returns 0 for KVM_EXIT_HYPERV_SYNIC, the current QEMU
+vCPU thread may return to KVM and enter the guest VM before running
+async_synic_update. In such case, the hyperv_synic test’s subsequent call to
+synic_ctl(HV_TEST_DEV_SINT_ROUTE_CREATE, ...) immediately after writing to
+HV_X64_MSR_SCONTROL can cause QEMU’s hyperv_sint_route_new() function to return
+prematurely (because synic->sctl_enabled is false).
+
+If the SINT route is not created successfully, the SINT interrupt will not be
+fired, resulting in a timeout error in the hyperv_synic test.
+
+Fixes: 267e071bd6d6 (“hyperv: make overlay pages for SynIC”)
+Suggested-by: Chao Gao
+Signed-off-by: Dongsheng Zhang
+Message-ID: <20240521200114.11588-1-dongsheng.x.zhang@intel.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 84d4b72854869821eb89813c195927fdd3078c12)
+Signed-off-by: Fiona Ebner
+---
+ target/i386/kvm/hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/kvm/hyperv.c b/target/i386/kvm/hyperv.c
+index f2a3fe650a..b94f12acc2 100644
+--- a/target/i386/kvm/hyperv.c
++++ b/target/i386/kvm/hyperv.c
+@@ -81,7 +81,7 @@ int kvm_hv_handle_exit(X86CPU *cpu, struct kvm_hyperv_exit *exit)
+ */
+ async_safe_run_on_cpu(CPU(cpu), async_synic_update, RUN_ON_CPU_NULL);
+
+- return 0;
++ return EXCP_INTERRUPT;
+ case KVM_EXIT_HYPERV_HCALL: {
+ uint16_t code = exit->u.hcall.input & 0xffff;
+ bool fast = exit->u.hcall.input & HV_HYPERCALL_FAST;
diff --git a/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch b/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
new file mode 100644
index 0000000..42ed9cd
--- /dev/null
+++ b/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Fri, 24 May 2024 17:17:47 +0200
+Subject: [PATCH] target/i386: disable jmp_opt if EFLAGS.RF is 1
+
+If EFLAGS.RF is 1, special processing in gen_eob_worker() is needed and
+therefore goto_tb cannot be used.
+
+Suggested-by: Richard Henderson
+Reviewed-by: Richard Henderson
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 8225bff7c5db504f50e54ef66b079854635dba70)
+Signed-off-by: Fiona Ebner
+---
+ target/i386/tcg/translate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index b5ebff2c89..c2c5e73b3f 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -6971,7 +6971,7 @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
+ dc->cpuid_7_1_eax_features = env->features[FEAT_7_1_EAX];
+ dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
+ dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
+- (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
++ (flags & (HF_RF_MASK | HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
+ /*
+ * If jmp_opt, we want to handle each string instruction individually.
+ * For icount also disable repz optimization so that each iteration
diff --git a/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch b/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
new file mode 100644
index 0000000..0de3f4a
--- /dev/null
+++ b/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Sat, 25 May 2024 10:03:22 +0200
+Subject: [PATCH] target/i386: no single-step exception after MOV or POP SS
+
+Intel SDM 18.3.1.4 "If an occurrence of the MOV or POP instruction
+loads the SS register executes with EFLAGS.TF = 1, no single-step debug
+exception occurs following the MOV or POP instruction."
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit f0f0136abba688a6516647a79cc91e03fad6d5d7)
+Signed-off-by: Fiona Ebner
+---
+ target/i386/tcg/translate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index c2c5e73b3f..a55df176c6 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -2817,7 +2817,7 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+ if (recheck_tf) {
+ gen_helper_rechecking_single_step(tcg_env);
+ tcg_gen_exit_tb(NULL, 0);
+- } else if (s->flags & HF_TF_MASK) {
++ } else if ((s->flags & HF_TF_MASK) && !inhibit) {
+ gen_helper_single_step(tcg_env);
+ } else if (jr &&
+ /* give irqs a chance to happen */
diff --git a/debian/patches/series b/debian/patches/series
index 6352df7..4bd5e46 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,6 +10,12 @@
 extra/0009-target-i386-rdpkru-wrpkru-are-no-prefix-instructions.patch
 extra/0010-target-i386-fix-feature-dependency-for-WAITPKG.patch
 extra/0011-Revert-virtio-pci-fix-use-of-a-released-vector.patch
 extra/0012-hw-core-machine-move-compatibility-flags-for-VirtIO-.patch
+extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
+extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
+extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
+extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
+extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
+extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch