more stable fixes for QEMU 9.0

Most importantly the first one "Revert "monitor: use aio_co_reschedule_self()"", fixing a crash when doing hotplug+resize with a disk using io_uring. Other fixes (likely not too important) for TCG emulation of x86(_64) and ARM. Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
2024-05-29 12:53:17 +02:00 · 2024-05-29 12:53:17 +02:00 · c1cd6a6221
commit c1cd6a6221
parent 16b7dfe03b
7 changed files with 311 additions and 0 deletions
--- a/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
+++ b/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
@ -0,0 +1,53 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Mon, 6 May 2024 15:06:21 -0400
 Subject: [PATCH] Revert "monitor: use aio_co_reschedule_self()"
 Commit 1f25c172f837 ("monitor: use aio_co_reschedule_self()") was a code
 cleanup that uses aio_co_reschedule_self() instead of open coding
 coroutine rescheduling.
 Bug RHEL-34618 was reported and Kevin Wolf <kwolf@redhat.com> identified
 the root cause. I missed that aio_co_reschedule_self() ->
 qemu_get_current_aio_context() only knows about
 qemu_aio_context/IOThread AioContexts and not about iohandler_ctx. It
 does not function correctly when going back from the iohandler_ctx to
 qemu_aio_context.
 Go back to open coding the AioContext transitions to avoid this bug.
 This reverts commit 1f25c172f83704e350c0829438d832384084a74d.
 Buglink: https://issues.redhat.com/browse/RHEL-34618
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 (picked from: https://lists.nongnu.org/archive/html/qemu-devel/2024-05/msg01090.html)
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 qapi/qmp-dispatch.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
 diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
 index 2624eb3470..790bb7d1da 100644
 --- a/qapi/qmp-dispatch.c
 +++ b/qapi/qmp-dispatch.c
@@ -224,7 +224,8 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
              * executing the command handler so that it can make progress if it
              * involves an AIO_WAIT_WHILE().
              */
 -            aio_co_reschedule_self(qemu_get_aio_context());
 +            aio_co_schedule(qemu_get_aio_context(), qemu_coroutine_self());
 +            qemu_coroutine_yield();
         }
         monitor_set_cur(qemu_coroutine_self(), cur_mon);
@@ -238,7 +239,9 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
              * Move back to iohandler_ctx so that nested event loops for
              * qemu_aio_context don't start new monitor commands.
              */
 -            aio_co_reschedule_self(iohandler_get_aio_context());
 +            aio_co_schedule(iohandler_get_aio_context(),
 +                            qemu_coroutine_self());
 +            qemu_coroutine_yield();
         }
     } else {
        /*
--- a/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
+++ b/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
@ -0,0 +1,51 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Richard Henderson <richard.henderson@linaro.org>
 Date: Mon, 22 Apr 2024 10:07:22 -0700
 Subject: [PATCH] target/arm: Restrict translation disabled alignment check to
 VMSA
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 For cpus using PMSA, when the MPU is disabled, the default memory
 type is Normal, Non-cachable. This means that it should not
 have alignment restrictions enforced.
 Cc: qemu-stable@nongnu.org
 Fixes: 59754f85ed3 ("target/arm: Do memory type alignment check when translation disabled")
 Reported-by: Clément Chigot <chigot@adacore.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Tested-by: Clément Chigot <chigot@adacore.com>
 Message-id: 20240422170722.117409-1-richard.henderson@linaro.org
 [PMM: trivial comment, commit message tweaks]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 (cherry picked from commit 7b19a3554d2df22d29c75319a1dac17615d1b20e)
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 target/arm/tcg/hflags.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
 diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
 index 5da1b0fc1d..f03977b4b0 100644
 --- a/target/arm/tcg/hflags.c
 +++ b/target/arm/tcg/hflags.c
@@ -38,8 +38,16 @@ static bool aprofile_require_alignment(CPUARMState *env, int el, uint64_t sctlr)
     }
     /*
 -     * If translation is disabled, then the default memory type is
 -     * Device(-nGnRnE) instead of Normal, which requires that alignment
 +     * With PMSA, when the MPU is disabled, all memory types in the
 +     * default map are Normal, so don't need aligment enforcing.
 +     */
 +    if (arm_feature(env, ARM_FEATURE_PMSA)) {
 +        return false;
 +    }
 +
 +    /*
 +     * With VMSA, if translation is disabled, then the default memory type
 +     * is Device(-nGnRnE) instead of Normal, which requires that alignment
      * be enforced.  Since this affects all ram, it is most efficient
      * to handle this during translation.
      */
--- a/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
+++ b/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
@ -0,0 +1,80 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Ruihan Li <lrh2000@pku.edu.cn>
 Date: Mon, 15 Apr 2024 14:45:21 +0800
 Subject: [PATCH] target/i386: Give IRQs a chance when resetting
 HF_INHIBIT_IRQ_MASK
 When emulated with QEMU, interrupts will never come in the following
 loop. However, if the NOP instruction is uncommented, interrupts will
 fire as normal.
 	loop:
 		cli
    		call do_sti
 		jmp loop
 	do_sti:
 		sti
 		# nop
 		ret
 This behavior is different from that of a real processor. For example,
 if KVM is enabled, interrupts will always fire regardless of whether the
 NOP instruction is commented or not. Also, the Intel Software Developer
 Manual states that after the STI instruction is executed, the interrupt
 inhibit should end as soon as the next instruction (e.g., the RET
 instruction if the NOP instruction is commented) is executed.
 This problem is caused because the previous code may choose not to end
 the TB even if the HF_INHIBIT_IRQ_MASK has just been reset (e.g., in the
 case where the STI instruction is immediately followed by the RET
 instruction), so that IRQs may not have a change to trigger. This commit
 fixes the problem by always terminating the current TB to give IRQs a
 chance to trigger when HF_INHIBIT_IRQ_MASK is reset.
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
 Message-ID: <20240415064518.4951-4-lrh2000@pku.edu.cn>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 (cherry picked from commit 6a5a63f74ba5c5355b7a8468d3d814bfffe928fb)
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 target/i386/tcg/translate.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
 diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
 index 3e949fe964..b5ebff2c89 100644
 --- a/target/i386/tcg/translate.c
 +++ b/target/i386/tcg/translate.c
@@ -2798,13 +2798,17 @@ static void gen_bnd_jmp(DisasContext *s)
 static void
 do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
 {
 +    bool inhibit_reset;
 +
     gen_update_cc_op(s);
     /* If several instructions disable interrupts, only the first does it.  */
 -    if (inhibit && !(s->flags & HF_INHIBIT_IRQ_MASK)) {
 -        gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
 -    } else {
 +    inhibit_reset = false;
 +    if (s->flags & HF_INHIBIT_IRQ_MASK) {
         gen_reset_hflag(s, HF_INHIBIT_IRQ_MASK);
 +        inhibit_reset = true;
 +    } else if (inhibit) {
 +        gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
     }
     if (s->base.tb->flags & HF_RF_MASK) {
@@ -2815,7 +2819,9 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
         tcg_gen_exit_tb(NULL, 0);
     } else if (s->flags & HF_TF_MASK) {
         gen_helper_single_step(tcg_env);
 -    } else if (jr) {
 +    } else if (jr &&
 +               /* give irqs a chance to happen */
 +               !inhibit_reset) {
         tcg_gen_lookup_and_goto_ptr();
     } else {
         tcg_gen_exit_tb(NULL, 0);
--- a/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
+++ b/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
@ -0,0 +1,60 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: donsheng <dongsheng.x.zhang@intel.com>
 Date: Wed, 22 May 2024 04:01:14 +0800
 Subject: [PATCH] target-i386: hyper-v: Correct kvm_hv_handle_exit return value
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 This bug fix addresses the incorrect return value of kvm_hv_handle_exit for
 KVM_EXIT_HYPERV_SYNIC, which should be EXCP_INTERRUPT.
 Handling of KVM_EXIT_HYPERV_SYNIC in QEMU needs to be synchronous.
 This means that async_synic_update should run in the current QEMU vCPU
 thread before returning to KVM, returning EXCP_INTERRUPT to guarantee this.
 Returning 0 can cause async_synic_update to run asynchronously.
 One problem (kvm-unit-tests's hyperv_synic test fails with timeout error)
 caused by this bug:
 When a guest VM writes to the HV_X64_MSR_SCONTROL MSR to enable Hyper-V SynIC,
 a VM exit is triggered and processed by the kvm_hv_handle_exit function of the
 QEMU vCPU. This function then calls the async_synic_update function to set
 synic->sctl_enabled to true. A true value of synic->sctl_enabled is required
 before creating SINT routes using the hyperv_sint_route_new() function.
 If kvm_hv_handle_exit returns 0 for KVM_EXIT_HYPERV_SYNIC, the current QEMU
 vCPU thread may return to KVM and enter the guest VM before running
 async_synic_update. In such case, the hyperv_synic test’s subsequent call to
 synic_ctl(HV_TEST_DEV_SINT_ROUTE_CREATE, ...) immediately after writing to
 HV_X64_MSR_SCONTROL can cause QEMU’s hyperv_sint_route_new() function to return
 prematurely (because synic->sctl_enabled is false).
 If the SINT route is not created successfully, the SINT interrupt will not be
 fired, resulting in a timeout error in the hyperv_synic test.
 Fixes: 267e071bd6d6 (“hyperv: make overlay pages for SynIC”)
 Suggested-by: Chao Gao <chao.gao@intel.com>
 Signed-off-by: Dongsheng Zhang <dongsheng.x.zhang@intel.com>
 Message-ID: <20240521200114.11588-1-dongsheng.x.zhang@intel.com>
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 (cherry picked from commit 84d4b72854869821eb89813c195927fdd3078c12)
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 target/i386/kvm/hyperv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/target/i386/kvm/hyperv.c b/target/i386/kvm/hyperv.c
 index f2a3fe650a..b94f12acc2 100644
 --- a/target/i386/kvm/hyperv.c
 +++ b/target/i386/kvm/hyperv.c
@@ -81,7 +81,7 @@ int kvm_hv_handle_exit(X86CPU *cpu, struct kvm_hyperv_exit *exit)
          */
         async_safe_run_on_cpu(CPU(cpu), async_synic_update, RUN_ON_CPU_NULL);
 -        return 0;
 +        return EXCP_INTERRUPT;
     case KVM_EXIT_HYPERV_HCALL: {
         uint16_t code = exit->u.hcall.input & 0xffff;
         bool fast = exit->u.hcall.input & HV_HYPERCALL_FAST;
--- a/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
+++ b/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
@ -0,0 +1,31 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini@redhat.com>
 Date: Fri, 24 May 2024 17:17:47 +0200
 Subject: [PATCH] target/i386: disable jmp_opt if EFLAGS.RF is 1
 If EFLAGS.RF is 1, special processing in gen_eob_worker() is needed and
 therefore goto_tb cannot be used.
 Suggested-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 (cherry picked from commit 8225bff7c5db504f50e54ef66b079854635dba70)
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 target/i386/tcg/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
 index b5ebff2c89..c2c5e73b3f 100644
 --- a/target/i386/tcg/translate.c
 +++ b/target/i386/tcg/translate.c
@@ -6971,7 +6971,7 @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
     dc->cpuid_7_1_eax_features = env->features[FEAT_7_1_EAX];
     dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
     dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
 -                    (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
 +                    (flags & (HF_RF_MASK | HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
     /*
      * If jmp_opt, we want to handle each string instruction individually.
      * For icount also disable repz optimization so that each iteration
--- a/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
+++ b/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
@ -0,0 +1,30 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini@redhat.com>
 Date: Sat, 25 May 2024 10:03:22 +0200
 Subject: [PATCH] target/i386: no single-step exception after MOV or POP SS
 Intel SDM 18.3.1.4 "If an occurrence of the MOV or POP instruction
 loads the SS register executes with EFLAGS.TF = 1, no single-step debug
 exception occurs following the MOV or POP instruction."
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 (cherry picked from commit f0f0136abba688a6516647a79cc91e03fad6d5d7)
 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
 ---
 target/i386/tcg/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
 index c2c5e73b3f..a55df176c6 100644
 --- a/target/i386/tcg/translate.c
 +++ b/target/i386/tcg/translate.c
@@ -2817,7 +2817,7 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
     if (recheck_tf) {
         gen_helper_rechecking_single_step(tcg_env);
         tcg_gen_exit_tb(NULL, 0);
 -    } else if (s->flags & HF_TF_MASK) {
 +    } else if ((s->flags & HF_TF_MASK) && !inhibit) {
         gen_helper_single_step(tcg_env);
     } else if (jr &&
                /* give irqs a chance to happen */
--- a/debian/patches/series
+++ b/debian/patches/series
@ -10,6 +10,12 @@ extra/0009-target-i386-rdpkru-wrpkru-are-no-prefix-instructions.patch
 extra/0010-target-i386-fix-feature-dependency-for-WAITPKG.patch
 extra/0011-Revert-virtio-pci-fix-use-of-a-released-vector.patch
 extra/0012-hw-core-machine-move-compatibility-flags-for-VirtIO-.patch
 extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
 extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
 extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
 extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
 extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
 extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch