update submodule and patches to QEMU 8.2.2

This version includes both the AioContext lock and the block graph
lock, so there might be some deadlocks lurking. It's not possible to
disable the block graph lock like was done in QEMU 8.1, because there
are no changes like the function bdrv_schedule_unref() that require
it. QEMU 9.0 will finally get rid of the AioContext locking.

During live-restore with a VirtIO SCSI drive with iothread there is a
known racy deadlock related to the AioContext lock. Not new [1], but
not sure if more likely now. Should be fixed in QEMU 9.0.

The block graph lock comes with annotations that can be checked by
clang's TSA. This required changes to the block drivers, i.e.
alloc-track, pbs, zeroinit as well as taking the appropriate locks
in pve-backup, savevm-async, vma-reader.

Local variable shadowing is prohibited via a compiler flag now,
required slight adaptation in vma.c.

Major changes only affect alloc-track:

* It is not possible to call a generated co-wrapper like
  bdrv_get_info() while holding the block graph lock exclusively [0],
  which does happen during initialization of alloc-track when the
  backing hd is set and the refresh_limits driver callback is invoked.

  The bdrv_get_info() call to get the cluster size is moved to
  directly after opening the file child in track_open().

  The important thing is that at least the request alignment for the
  write target is used, because then the RMW cycle in bdrv_pwritev
  will gather enough data from the backing file. Partial cluster
  allocations in the target are not a fundamental issue, because the
  driver returns its allocation status based on the bitmap, so any
  other data that maps to the same cluster will still be copied later
  by a stream job (or during writes to that cluster).

* Replacing the node cannot be done in the
  track_co_change_backing_file() callback, because it is a coroutine
  and cannot hold the block graph lock exclusively. So it is moved to
  the stream job itself with the auto-remove option not having an
  effect anymore (qemu-server would always set it anyways).

  In the future, there could either be a special option for the stream
  job, or maybe the upcoming blockdev-replace QMP command can be used.

  Replacing the backing child is actually already done in the stream
  job, so no need to do it in the track_co_change_backing_file()
  callback. It also cannot be called from a coroutine. Looking at the
  implementation in the qcow2 driver, it doesn't seem to be intended
  to change the backing child itself, just update driver-internal
  state.

Other changes:

* alloc-track: Error out early when used without auto-remove. Since
  replacing the node now happens in the stream job, where the option
  cannot be read from (it's internal to the driver), it will always be
  treated as 'on'. Makes sure to have users beside qemu-server notice
  the change (should they even exist). The option can be fully dropped
  in the future while adding a version guard in qemu-server.

* alloc-track: Avoid seemingly superfluous child permission update.
  Doesn't seem necessary nowadays (maybe after commit "alloc-track:
  fix deadlock during drop" where the dropping is not rescheduled and
  delayed anymore or some upstream change). Replacing the block node
  will already update the permissions of the new node (which was the
  file child before). Should there really be some issue, instead of
  having a drop state, this could also be just based off the fact
  whether there is still a backing child.

  Dumping the cumulative (shared) permissions for the BDS with a debug
  print yields the same values after this patch and with QEMU 8.1,
  namely 3 and 5.

* PBS block driver: compile unconditionally. Proxmox VE always needs
  it and something in the build process changed to make it not enabled
  by default. Probably would need to move the build option to meson
  otherwise.

* backup: job unreferencing during cleanup needs to happen outside of
  coroutine, so it was moved to before invoking the clean

* mirror: Cherry-pick stable fix to avoid potential deadlock.

* savevm-async: migrate_init now can fail, so propagate potential
  error.

* savevm-async: compression counters are not accessible outside
  migration/ram-compress now, so drop code that prophylactically set
  it to zero.

[0]: https://lore.kernel.org/qemu-devel/220be383-3b0d-4938-b584-69ad214e5d5d@proxmox.com/
[1]: https://lore.kernel.org/qemu-devel/e13b488e-bf13-44f2-acca-e724d14f43fd@proxmox.com/

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>

debian/patches/extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch

@@ -78,7 +78,7 @@ index 252de85681..8db28f9272 100644
  
  /**
 diff --git a/monitor/monitor.c b/monitor/monitor.c
-index dc352f9e9d..56e1307014 100644
+index 01ede1babd..5681bca346 100644
 --- a/monitor/monitor.c
 +++ b/monitor/monitor.c
 @@ -117,6 +117,21 @@ bool monitor_cur_is_qmp(void)

debian/patches/extra/0003-ide-avoid-potential-deadlock-when-draining-during-tr.patch

@@ -55,10 +55,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 6 insertions(+), 6 deletions(-)
 
 diff --git a/hw/ide/core.c b/hw/ide/core.c
-index c3508acbb1..289347af58 100644
+index 8a0579bff4..254255f8dc 100644
 --- a/hw/ide/core.c
 +++ b/hw/ide/core.c
-@@ -444,7 +444,7 @@ static void ide_trim_bh_cb(void *opaque)
+@@ -456,7 +456,7 @@ static void ide_trim_bh_cb(void *opaque)
      iocb->bh = NULL;
      qemu_aio_unref(iocb);
  
@@ -67,7 +67,7 @@ index c3508acbb1..289347af58 100644
      blk_dec_in_flight(blk);
  }
  
-@@ -504,6 +504,8 @@ static void ide_issue_trim_cb(void *opaque, int ret)
+@@ -516,6 +516,8 @@ static void ide_issue_trim_cb(void *opaque, int ret)
  done:
      iocb->aiocb = NULL;
      if (iocb->bh) {
@@ -76,7 +76,7 @@ index c3508acbb1..289347af58 100644
          replay_bh_schedule_event(iocb->bh);
      }
  }
-@@ -516,9 +518,6 @@ BlockAIOCB *ide_issue_trim(
+@@ -528,9 +530,6 @@ BlockAIOCB *ide_issue_trim(
      IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master;
      TrimAIOCB *iocb;
  
@@ -86,7 +86,7 @@ index c3508acbb1..289347af58 100644
      iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
      iocb->s = s;
      iocb->bh = qemu_bh_new_guarded(ide_trim_bh_cb, iocb,
-@@ -742,8 +741,9 @@ void ide_cancel_dma_sync(IDEState *s)
+@@ -754,8 +753,9 @@ void ide_cancel_dma_sync(IDEState *s)
       */
      if (s->bus->dma->aiocb) {
          trace_ide_cancel_dma_sync_remaining();

debian/patches/extra/0004-migration-block-dirty-bitmap-fix-loading-bitmap-when.patch

@@ -20,10 +20,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/migration/block-dirty-bitmap.c b/migration/block-dirty-bitmap.c
-index 032fc5f405..e1ae3b7316 100644
+index 24347ab0f7..0070b13b6f 100644
 --- a/migration/block-dirty-bitmap.c
 +++ b/migration/block-dirty-bitmap.c
-@@ -805,8 +805,11 @@ static int dirty_bitmap_load_start(QEMUFile *f, DBMLoadState *s)
+@@ -809,8 +809,11 @@ static int dirty_bitmap_load_start(QEMUFile *f, DBMLoadState *s)
                       "destination", bdrv_dirty_bitmap_name(s->bitmap));
          return -EINVAL;
      } else {
@@ -35,7 +35,7 @@ index 032fc5f405..e1ae3b7316 100644
          if (!s->bitmap) {
              error_report_err(local_err);
              return -EINVAL;
-@@ -833,7 +836,10 @@ static int dirty_bitmap_load_start(QEMUFile *f, DBMLoadState *s)
+@@ -837,7 +840,10 @@ static int dirty_bitmap_load_start(QEMUFile *f, DBMLoadState *s)
  
      bdrv_disable_dirty_bitmap(s->bitmap);
      if (flags & DIRTY_BITMAP_MIG_START_FLAG_ENABLED) {

debian/patches/extra/0005-Revert-Revert-graph-lock-Disable-locking-for-now.patch

@@ -1,140 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Thu, 28 Sep 2023 10:07:03 +0200
-Subject: [PATCH] Revert "Revert "graph-lock: Disable locking for now""
-
-This reverts commit 3cce22defb4b0e47cf135444e30cc673cff5ebad.
-
-There are still some issues with graph locking, e.g. deadlocks during
-backup canceling [0]. Because the AioContext locks still exist, it
-should be safe to disable locking again.
-
-From the original 80fc5d2600 ("graph-lock: Disable locking for now"):
-
-> We don't currently rely on graph locking yet. It is supposed to replace
-> the AioContext lock eventually to enable multiqueue support, but as long
-> as we still have the AioContext lock, it is sufficient without the graph
-> lock. Once the AioContext lock goes away, the deadlock doesn't exist any
-> more either and this commit can be reverted. (Of course, it can also be
-> reverted while the AioContext lock still exists if the callers have been
-> fixed.)
-
-[0]: https://lists.nongnu.org/archive/html/qemu-devel/2023-09/msg00729.html
-
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/graph-lock.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/block/graph-lock.c b/block/graph-lock.c
-index 5e66f01ae8..5c2873262a 100644
---- a/block/graph-lock.c
-+++ b/block/graph-lock.c
-@@ -30,8 +30,10 @@ BdrvGraphLock graph_lock;
- /* Protects the list of aiocontext and orphaned_reader_count */
- static QemuMutex aio_context_list_lock;
- 
-+#if 0
- /* Written and read with atomic operations. */
- static int has_writer;
-+#endif
- 
- /*
-  * A reader coroutine could move from an AioContext to another.
-@@ -88,6 +90,7 @@ void unregister_aiocontext(AioContext *ctx)
-     g_free(ctx->bdrv_graph);
- }
- 
-+#if 0
- static uint32_t reader_count(void)
- {
-     BdrvGraphRWlock *brdv_graph;
-@@ -105,12 +108,19 @@ static uint32_t reader_count(void)
-     assert((int32_t)rd >= 0);
-     return rd;
- }
-+#endif
- 
- void bdrv_graph_wrlock(BlockDriverState *bs)
- {
-+#if 0
-     AioContext *ctx = NULL;
- 
-     GLOBAL_STATE_CODE();
-+    /*
-+     * TODO Some callers hold an AioContext lock when this is called, which
-+     * causes deadlocks. Reenable once the AioContext locking is cleaned up (or
-+     * AioContext locks are gone).
-+     */
-     assert(!qatomic_read(&has_writer));
- 
-     /*
-@@ -158,11 +168,13 @@ void bdrv_graph_wrlock(BlockDriverState *bs)
-     if (ctx) {
-         aio_context_acquire(bdrv_get_aio_context(bs));
-     }
-+#endif
- }
- 
- void bdrv_graph_wrunlock(void)
- {
-     GLOBAL_STATE_CODE();
-+#if 0
-     QEMU_LOCK_GUARD(&aio_context_list_lock);
-     assert(qatomic_read(&has_writer));
- 
-@@ -174,10 +186,13 @@ void bdrv_graph_wrunlock(void)
- 
-     /* Wake up all coroutine that are waiting to read the graph */
-     qemu_co_enter_all(&reader_queue, &aio_context_list_lock);
-+#endif
- }
- 
- void coroutine_fn bdrv_graph_co_rdlock(void)
- {
-+    /* TODO Reenable when wrlock is reenabled */
-+#if 0
-     BdrvGraphRWlock *bdrv_graph;
-     bdrv_graph = qemu_get_current_aio_context()->bdrv_graph;
- 
-@@ -237,10 +252,12 @@ void coroutine_fn bdrv_graph_co_rdlock(void)
-             qemu_co_queue_wait(&reader_queue, &aio_context_list_lock);
-         }
-     }
-+#endif
- }
- 
- void coroutine_fn bdrv_graph_co_rdunlock(void)
- {
-+#if 0
-     BdrvGraphRWlock *bdrv_graph;
-     bdrv_graph = qemu_get_current_aio_context()->bdrv_graph;
- 
-@@ -258,6 +275,7 @@ void coroutine_fn bdrv_graph_co_rdunlock(void)
-     if (qatomic_read(&has_writer)) {
-         aio_wait_kick();
-     }
-+#endif
- }
- 
- void bdrv_graph_rdlock_main_loop(void)
-@@ -275,13 +293,19 @@ void bdrv_graph_rdunlock_main_loop(void)
- void assert_bdrv_graph_readable(void)
- {
-     /* reader_count() is slow due to aio_context_list_lock lock contention */
-+    /* TODO Reenable when wrlock is reenabled */
-+#if 0
- #ifdef CONFIG_DEBUG_GRAPH_LOCK
-     assert(qemu_in_main_thread() || reader_count());
- #endif
-+#endif
- }
- 
- void assert_bdrv_graph_writable(void)
- {
-     assert(qemu_in_main_thread());
-+    /* TODO Reenable when wrlock is reenabled */
-+#if 0
-     assert(qatomic_read(&has_writer));
-+#endif
- }

debian/patches/extra/0005-Revert-x86-acpi-workaround-Windows-not-handling-name.patch

@@ -24,10 +24,10 @@ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
  1 file changed, 2 insertions(+), 6 deletions(-)
 
 diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
-index bb12b0ad43..de14d3c3da 100644
+index 1e178341de..d8694b338e 100644
 --- a/hw/i386/acpi-build.c
 +++ b/hw/i386/acpi-build.c
-@@ -362,13 +362,9 @@ Aml *aml_pci_device_dsm(void)
+@@ -357,13 +357,9 @@ Aml *aml_pci_device_dsm(void)
      {
          Aml *params = aml_local(0);
          Aml *pkg = aml_package(2);

debian/patches/extra/0006-migration-states-workaround-snapshot-performance-reg.patch

@@ -1,57 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Thu, 28 Sep 2023 11:19:14 +0200
-Subject: [PATCH] migration states: workaround snapshot performance regression
-
-Commit 813cd616 ("migration: Use migration_transferred_bytes() to
-calculate rate_limit") introduced a prohibitive performance regression
-when taking a snapshot [0]. The reason turns out to be the flushing
-done by migration_transferred_bytes()
-
-Just use a _noflush version of the relevant function as a workaround
-until upstream fixes the issue. This is inspired by a not-applied
-upstream series [1], but doing the very minimum to avoid the
-regression.
-
-[0]: https://gitlab.com/qemu-project/qemu/-/issues/1821
-[1]: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg07708.html
-
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- migration/migration-stats.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/migration/migration-stats.c b/migration/migration-stats.c
-index 095d6d75bb..8073c8ebaa 100644
---- a/migration/migration-stats.c
-+++ b/migration/migration-stats.c
-@@ -18,6 +18,20 @@
- 
- MigrationAtomicStats mig_stats;
- 
-+/*
-+ * Same as migration_transferred_bytes below, but using the _noflush
-+ * variant of qemu_file_transferred() to avoid a performance
-+ * regression in migration_rate_exceeded().
-+ */
-+static uint64_t migration_transferred_bytes_noflush(QEMUFile *f)
-+{
-+    uint64_t multifd = stat64_get(&mig_stats.multifd_bytes);
-+    uint64_t qemu_file = qemu_file_transferred_noflush(f);
-+
-+    trace_migration_transferred_bytes(qemu_file, multifd);
-+    return qemu_file + multifd;
-+}
-+
- bool migration_rate_exceeded(QEMUFile *f)
- {
-     if (qemu_file_get_error(f)) {
-@@ -25,7 +39,7 @@ bool migration_rate_exceeded(QEMUFile *f)
-     }
- 
-     uint64_t rate_limit_start = stat64_get(&mig_stats.rate_limit_start);
--    uint64_t rate_limit_current = migration_transferred_bytes(f);
-+    uint64_t rate_limit_current = migration_transferred_bytes_noflush(f);
-     uint64_t rate_limit_used = rate_limit_current - rate_limit_start;
-     uint64_t rate_limit_max = stat64_get(&mig_stats.rate_limit_max);
- 

debian/patches/extra/0006-qemu_init-increase-NOFILE-soft-limit-on-POSIX.patch

@@ -33,26 +33,26 @@ Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
  include/sysemu/os-posix.h |  1 +
  include/sysemu/os-win32.h |  5 +++++
  os-posix.c                | 22 ++++++++++++++++++++++
- softmmu/vl.c              |  2 ++
+ system/vl.c               |  2 ++
  4 files changed, 30 insertions(+)
 
 diff --git a/include/sysemu/os-posix.h b/include/sysemu/os-posix.h
-index 1030d39904..edc415aff5 100644
+index dff32ae185..b881ac6c6f 100644
 --- a/include/sysemu/os-posix.h
 +++ b/include/sysemu/os-posix.h
-@@ -48,6 +48,7 @@ void os_setup_early_signal_handling(void);
- void os_set_proc_name(const char *s);
- void os_setup_signal_handling(void);
+@@ -51,6 +51,7 @@ bool is_daemonized(void);
  void os_daemonize(void);
+ bool os_set_runas(const char *user_id);
+ void os_set_chroot(const char *path);
 +void os_setup_limits(void);
  void os_setup_post(void);
  int os_mlock(void);
  
 diff --git a/include/sysemu/os-win32.h b/include/sysemu/os-win32.h
-index 91aa0d7ec0..f6e23fe01e 100644
+index 1047d260cb..106f155037 100644
 --- a/include/sysemu/os-win32.h
 +++ b/include/sysemu/os-win32.h
-@@ -129,6 +129,11 @@ static inline int os_mlock(void)
+@@ -128,6 +128,11 @@ static inline int os_mlock(void)
      return -ENOSYS;
  }
  
@@ -65,7 +65,7 @@ index 91aa0d7ec0..f6e23fe01e 100644
  
  #if !defined(lseek)
 diff --git a/os-posix.c b/os-posix.c
-index cfcb96533c..0cc1d991b1 100644
+index 52ef6990ff..a4284e2c07 100644
 --- a/os-posix.c
 +++ b/os-posix.c
 @@ -24,6 +24,7 @@
@@ -76,7 +76,7 @@ index cfcb96533c..0cc1d991b1 100644
  #include <sys/wait.h>
  #include <pwd.h>
  #include <grp.h>
-@@ -286,6 +287,27 @@ void os_daemonize(void)
+@@ -256,6 +257,27 @@ void os_daemonize(void)
      }
  }
  
@@ -104,11 +104,11 @@ index cfcb96533c..0cc1d991b1 100644
  void os_setup_post(void)
  {
      int fd = 0;
-diff --git a/softmmu/vl.c b/softmmu/vl.c
-index c9e9ede237..ba6ad8a8df 100644
---- a/softmmu/vl.c
-+++ b/softmmu/vl.c
-@@ -2713,6 +2713,8 @@ void qemu_init(int argc, char **argv)
+diff --git a/system/vl.c b/system/vl.c
+index e18fa3ce46..d2a3b3f457 100644
+--- a/system/vl.c
++++ b/system/vl.c
+@@ -2782,6 +2782,8 @@ void qemu_init(int argc, char **argv)
      error_init(argv[0]);
      qemu_init_exec_dir(argv[0]);
  

debian/patches/extra/0007-mirror-Don-t-call-job_pause_point-under-graph-lock.patch

@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 13 Mar 2024 16:30:00 +0100
+Subject: [PATCH] mirror: Don't call job_pause_point() under graph lock
+
+Calling job_pause_point() while holding the graph reader lock
+potentially results in a deadlock: bdrv_graph_wrlock() first drains
+everything, including the mirror job, which pauses it. The job is only
+unpaused at the end of the drain section, which is when the graph writer
+lock has been successfully taken. However, if the job happens to be
+paused at a pause point where it still holds the reader lock, the writer
+lock can't be taken as long as the job is still paused.
+
+Mark job_pause_point() as GRAPH_UNLOCKED and fix mirror accordingly.
+
+Cc: qemu-stable@nongnu.org
+Buglink: https://issues.redhat.com/browse/RHEL-28125
+Fixes: 004915a96a7a ("block: Protect bs->backing with graph_lock")
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-ID: <20240313153000.33121-1-kwolf@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit ae5a40e8581185654a667fbbf7e4adbc2a2a3e45)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ block/mirror.c     | 10 ++++++----
+ include/qemu/job.h |  2 +-
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/block/mirror.c b/block/mirror.c
+index cd9d3ad4a8..abbddb39e4 100644
+--- a/block/mirror.c
++++ b/block/mirror.c
+@@ -479,9 +479,9 @@ static unsigned mirror_perform(MirrorBlockJob *s, int64_t offset,
+     return bytes_handled;
+ }
+ 
+-static void coroutine_fn GRAPH_RDLOCK mirror_iteration(MirrorBlockJob *s)
++static void coroutine_fn GRAPH_UNLOCKED mirror_iteration(MirrorBlockJob *s)
+ {
+-    BlockDriverState *source = s->mirror_top_bs->backing->bs;
++    BlockDriverState *source;
+     MirrorOp *pseudo_op;
+     int64_t offset;
+     /* At least the first dirty chunk is mirrored in one iteration. */
+@@ -489,6 +489,10 @@ static void coroutine_fn GRAPH_RDLOCK mirror_iteration(MirrorBlockJob *s)
+     bool write_zeroes_ok = bdrv_can_write_zeroes_with_unmap(blk_bs(s->target));
+     int max_io_bytes = MAX(s->buf_size / MAX_IN_FLIGHT, MAX_IO_BYTES);
+ 
++    bdrv_graph_co_rdlock();
++    source = s->mirror_top_bs->backing->bs;
++    bdrv_graph_co_rdunlock();
++
+     bdrv_dirty_bitmap_lock(s->dirty_bitmap);
+     offset = bdrv_dirty_iter_next(s->dbi);
+     if (offset < 0) {
+@@ -1078,9 +1082,7 @@ static int coroutine_fn mirror_run(Job *job, Error **errp)
+                 mirror_wait_for_free_in_flight_slot(s);
+                 continue;
+             } else if (cnt != 0) {
+-                bdrv_graph_co_rdlock();
+                 mirror_iteration(s);
+-                bdrv_graph_co_rdunlock();
+             }
+         }
+ 
+diff --git a/include/qemu/job.h b/include/qemu/job.h
+index e502787dd8..b4bc2e174b 100644
+--- a/include/qemu/job.h
++++ b/include/qemu/job.h
+@@ -503,7 +503,7 @@ void job_enter(Job *job);
+  *
+  * Called with job_mutex *not* held.
+  */
+-void coroutine_fn job_pause_point(Job *job);
++void coroutine_fn GRAPH_UNLOCKED job_pause_point(Job *job);
+ 
+ /**
+  * @job: The job that calls the function.

debian/patches/extra/0008-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch

@@ -1,34 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 1 Feb 2022 20:09:41 +0100
-Subject: [PATCH] target/i386: the sgx_epc_get_section stub is reachable
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The sgx_epc_get_section stub is reachable from cpu_x86_cpuid.  It
-should not assert, instead it should just return true just like
-the "real" sgx_epc_get_section does when SGX is disabled.
-
-Reported-by: Vladimír Beneš <vbenes@redhat.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-ID: <20220201190941.106001-1-pbonzini@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from commit 219615740425d9683588207b40a365e6741691a6)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/sgx-stub.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/i386/sgx-stub.c b/hw/i386/sgx-stub.c
-index 26833eb233..16b1dfd90b 100644
---- a/hw/i386/sgx-stub.c
-+++ b/hw/i386/sgx-stub.c
-@@ -34,5 +34,5 @@ void pc_machine_init_sgx_epc(PCMachineState *pcms)
- 
- bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size)
- {
--    g_assert_not_reached();
-+    return true;
- }

debian/patches/extra/0009-ui-clipboard-mark-type-as-not-available-when-there-i.patch

@@ -1,86 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Wed, 24 Jan 2024 11:57:48 +0100
-Subject: [PATCH] ui/clipboard: mark type as not available when there is no
- data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
-message with len=0. In qemu_clipboard_set_data(), the clipboard info
-will be updated setting data to NULL (because g_memdup(data, size)
-returns NULL when size is 0). If the client does not set the
-VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
-the 'request' callback for the clipboard peer is not initialized.
-Later, because data is NULL, qemu_clipboard_request() can be reached
-via vdagent_chr_write() and vdagent_clipboard_recv_request() and
-there, the clipboard owner's 'request' callback will be attempted to
-be called, but that is a NULL pointer.
-
-In particular, this can happen when using the KRDC (22.12.3) VNC
-client.
-
-Another scenario leading to the same issue is with two clients (say
-noVNC and KRDC):
-
-The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
-initializes its cbpeer.
-
-The KRDC client does not, but triggers a vnc_client_cut_text() (note
-it's not the _ext variant)). There, a new clipboard info with it as
-the 'owner' is created and via qemu_clipboard_set_data() is called,
-which in turn calls qemu_clipboard_update() with that info.
-
-In qemu_clipboard_update(), the notifier for the noVNC client will be
-called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
-noVNC client. The 'owner' in that clipboard info is the clipboard peer
-for the KRDC client, which did not initialize the 'request' function.
-That sounds correct to me, it is the owner of that clipboard info.
-
-Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
-the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
-passes), that clipboard info is passed to qemu_clipboard_request() and
-the original segfault still happens.
-
-Fix the issue by handling updates with size 0 differently. In
-particular, mark in the clipboard info that the type is not available.
-
-While at it, switch to g_memdup2(), because g_memdup() is deprecated.
-
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2023-6683
-Reported-by: Markus Frank <m.frank@proxmox.com>
-Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Tested-by: Markus Frank <m.frank@proxmox.com>
-(picked from https://lists.nongnu.org/archive/html/qemu-stable/2024-01/msg00228.html)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- ui/clipboard.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/ui/clipboard.c b/ui/clipboard.c
-index 3d14bffaf8..b3f6fa3c9e 100644
---- a/ui/clipboard.c
-+++ b/ui/clipboard.c
-@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
-     }
- 
-     g_free(info->types[type].data);
--    info->types[type].data = g_memdup(data, size);
--    info->types[type].size = size;
--    info->types[type].available = true;
-+    if (size) {
-+        info->types[type].data = g_memdup2(data, size);
-+        info->types[type].size = size;
-+        info->types[type].available = true;
-+    } else {
-+        info->types[type].data = NULL;
-+        info->types[type].size = 0;
-+        info->types[type].available = false;
-+    }
- 
-     if (update) {
-         qemu_clipboard_update(info);

debian/patches/extra/0010-virtio-scsi-Attach-event-vq-notifier-with-no_poll.patch

@@ -1,65 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hanna Czenczek <hreitz@redhat.com>
-Date: Fri, 2 Feb 2024 16:31:56 +0100
-Subject: [PATCH] virtio-scsi: Attach event vq notifier with no_poll
-
-As of commit 38738f7dbbda90fbc161757b7f4be35b52205552 ("virtio-scsi:
-don't waste CPU polling the event virtqueue"), we only attach an io_read
-notifier for the virtio-scsi event virtqueue instead, and no polling
-notifiers.  During operation, the event virtqueue is typically
-non-empty, but none of the buffers are intended to be used immediately.
-Instead, they only get used when certain events occur.  Therefore, it
-makes no sense to continuously poll it when non-empty, because it is
-supposed to be and stay non-empty.
-
-We do this by using virtio_queue_aio_attach_host_notifier_no_poll()
-instead of virtio_queue_aio_attach_host_notifier() for the event
-virtqueue.
-
-Commit 766aa2de0f29b657148e04599320d771c36fd126 ("virtio-scsi: implement
-BlockDevOps->drained_begin()") however has virtio_scsi_drained_end() use
-virtio_queue_aio_attach_host_notifier() for all virtqueues, including
-the event virtqueue.  This can lead to it being polled again, undoing
-the benefit of commit 38738f7dbbda90fbc161757b7f4be35b52205552.
-
-Fix it by using virtio_queue_aio_attach_host_notifier_no_poll() for the
-event virtqueue.
-
-       ("virtio-scsi: implement BlockDevOps->drained_begin()")
-
-Reported-by: Fiona Ebner <f.ebner@proxmox.com>
-Fixes: 766aa2de0f29b657148e04599320d771c36fd126
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Tested-by: Fiona Ebner <f.ebner@proxmox.com>
-Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>
-Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/scsi/virtio-scsi.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
-index 45b95ea070..ad24a882fd 100644
---- a/hw/scsi/virtio-scsi.c
-+++ b/hw/scsi/virtio-scsi.c
-@@ -1148,6 +1148,7 @@ static void virtio_scsi_drained_begin(SCSIBus *bus)
- static void virtio_scsi_drained_end(SCSIBus *bus)
- {
-     VirtIOSCSI *s = container_of(bus, VirtIOSCSI, bus);
-+    VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
-     VirtIODevice *vdev = VIRTIO_DEVICE(s);
-     uint32_t total_queues = VIRTIO_SCSI_VQ_NUM_FIXED +
-                             s->parent_obj.conf.num_queues;
-@@ -1165,7 +1166,11 @@ static void virtio_scsi_drained_end(SCSIBus *bus)
- 
-     for (uint32_t i = 0; i < total_queues; i++) {
-         VirtQueue *vq = virtio_get_queue(vdev, i);
--        virtio_queue_aio_attach_host_notifier(vq, s->ctx);
-+        if (vq == vs->event_vq) {
-+            virtio_queue_aio_attach_host_notifier_no_poll(vq, s->ctx);
-+        } else {
-+            virtio_queue_aio_attach_host_notifier(vq, s->ctx);
-+        }
-     }
- }
- 

debian/patches/extra/0011-virtio-Re-enable-notifications-after-drain.patch

@@ -1,125 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hanna Czenczek <hreitz@redhat.com>
-Date: Fri, 2 Feb 2024 16:31:57 +0100
-Subject: [PATCH] virtio: Re-enable notifications after drain
-
-During drain, we do not care about virtqueue notifications, which is why
-we remove the handlers on it.  When removing those handlers, whether vq
-notifications are enabled or not depends on whether we were in polling
-mode or not; if not, they are enabled (by default); if so, they have
-been disabled by the io_poll_start callback.
-
-Because we do not care about those notifications after removing the
-handlers, this is fine.  However, we have to explicitly ensure they are
-enabled when re-attaching the handlers, so we will resume receiving
-notifications.  We do this in virtio_queue_aio_attach_host_notifier*().
-If such a function is called while we are in a polling section,
-attaching the notifiers will then invoke the io_poll_start callback,
-re-disabling notifications.
-
-Because we will always miss virtqueue updates in the drained section, we
-also need to poll the virtqueue once after attaching the notifiers.
-
-Buglink: https://issues.redhat.com/browse/RHEL-3934
-Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- hw/virtio/virtio.c  | 42 ++++++++++++++++++++++++++++++++++++++++++
- include/block/aio.h |  7 ++++++-
- 2 files changed, 48 insertions(+), 1 deletion(-)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 969c25f4cf..02cce83111 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -3526,6 +3526,17 @@ static void virtio_queue_host_notifier_aio_poll_end(EventNotifier *n)
- 
- void virtio_queue_aio_attach_host_notifier(VirtQueue *vq, AioContext *ctx)
- {
-+    /*
-+     * virtio_queue_aio_detach_host_notifier() can leave notifications disabled.
-+     * Re-enable them.  (And if detach has not been used before, notifications
-+     * being enabled is still the default state while a notifier is attached;
-+     * see virtio_queue_host_notifier_aio_poll_end(), which will always leave
-+     * notifications enabled once the polling section is left.)
-+     */
-+    if (!virtio_queue_get_notification(vq)) {
-+        virtio_queue_set_notification(vq, 1);
-+    }
-+
-     aio_set_event_notifier(ctx, &vq->host_notifier,
-                            virtio_queue_host_notifier_read,
-                            virtio_queue_host_notifier_aio_poll,
-@@ -3533,6 +3544,13 @@ void virtio_queue_aio_attach_host_notifier(VirtQueue *vq, AioContext *ctx)
-     aio_set_event_notifier_poll(ctx, &vq->host_notifier,
-                                 virtio_queue_host_notifier_aio_poll_begin,
-                                 virtio_queue_host_notifier_aio_poll_end);
-+
-+    /*
-+     * We will have ignored notifications about new requests from the guest
-+     * while no notifiers were attached, so "kick" the virt queue to process
-+     * those requests now.
-+     */
-+    event_notifier_set(&vq->host_notifier);
- }
- 
- /*
-@@ -3543,14 +3561,38 @@ void virtio_queue_aio_attach_host_notifier(VirtQueue *vq, AioContext *ctx)
-  */
- void virtio_queue_aio_attach_host_notifier_no_poll(VirtQueue *vq, AioContext *ctx)
- {
-+    /* See virtio_queue_aio_attach_host_notifier() */
-+    if (!virtio_queue_get_notification(vq)) {
-+        virtio_queue_set_notification(vq, 1);
-+    }
-+
-     aio_set_event_notifier(ctx, &vq->host_notifier,
-                            virtio_queue_host_notifier_read,
-                            NULL, NULL);
-+
-+    /*
-+     * See virtio_queue_aio_attach_host_notifier().
-+     * Note that this may be unnecessary for the type of virtqueues this
-+     * function is used for.  Still, it will not hurt to have a quick look into
-+     * whether we can/should process any of the virtqueue elements.
-+     */
-+    event_notifier_set(&vq->host_notifier);
- }
- 
- void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx)
- {
-     aio_set_event_notifier(ctx, &vq->host_notifier, NULL, NULL, NULL);
-+
-+    /*
-+     * aio_set_event_notifier_poll() does not guarantee whether io_poll_end()
-+     * will run after io_poll_begin(), so by removing the notifier, we do not
-+     * know whether virtio_queue_host_notifier_aio_poll_end() has run after a
-+     * previous virtio_queue_host_notifier_aio_poll_begin(), i.e. whether
-+     * notifications are enabled or disabled.  It does not really matter anyway;
-+     * we just removed the notifier, so we do not care about notifications until
-+     * we potentially re-attach it.  The attach_host_notifier functions will
-+     * ensure that notifications are enabled again when they are needed.
-+     */
- }
- 
- void virtio_queue_host_notifier_read(EventNotifier *n)
-diff --git a/include/block/aio.h b/include/block/aio.h
-index 32042e8905..79efadfa48 100644
---- a/include/block/aio.h
-+++ b/include/block/aio.h
-@@ -498,9 +498,14 @@ void aio_set_event_notifier(AioContext *ctx,
-                             AioPollFn *io_poll,
-                             EventNotifierHandler *io_poll_ready);
- 
--/* Set polling begin/end callbacks for an event notifier that has already been
-+/*
-+ * Set polling begin/end callbacks for an event notifier that has already been
-  * registered with aio_set_event_notifier.  Do nothing if the event notifier is
-  * not registered.
-+ *
-+ * Note that if the io_poll_end() callback (or the entire notifier) is removed
-+ * during polling, it will not be called, so an io_poll_begin() is not
-+ * necessarily always followed by an io_poll_end().
-  */
- void aio_set_event_notifier_poll(AioContext *ctx,
-                                  EventNotifier *notifier,

debian/patches/extra/0013-virtio-blk-avoid-using-ioeventfd-state-in-irqfd-cond.patch

@@ -1,61 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Mon, 22 Jan 2024 12:26:25 -0500
-Subject: [PATCH] virtio-blk: avoid using ioeventfd state in irqfd conditional
-
-Requests that complete in an IOThread use irqfd to notify the guest
-while requests that complete in the main loop thread use the traditional
-qdev irq code path. The reason for this conditional is that the irq code
-path requires the BQL:
-
-  if (s->ioeventfd_started && !s->ioeventfd_disabled) {
-      virtio_notify_irqfd(vdev, req->vq);
-  } else {
-      virtio_notify(vdev, req->vq);
-  }
-
-There is a corner case where the conditional invokes the irq code path
-instead of the irqfd code path:
-
-  static void virtio_blk_stop_ioeventfd(VirtIODevice *vdev)
-  {
-      ...
-      /*
-       * Set ->ioeventfd_started to false before draining so that host notifiers
-       * are not detached/attached anymore.
-       */
-      s->ioeventfd_started = false;
-
-      /* Wait for virtio_blk_dma_restart_bh() and in flight I/O to complete */
-      blk_drain(s->conf.conf.blk);
-
-During blk_drain() the conditional produces the wrong result because
-ioeventfd_started is false.
-
-Use qemu_in_iothread() instead of checking the ioeventfd state.
-
-Cc: qemu-stable@nongnu.org
-Buglink: https://issues.redhat.com/browse/RHEL-15394
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-ID: <20240122172625.415386-1-stefanha@redhat.com>
-Reviewed-by: Kevin Wolf <kwolf@redhat.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-[FE: backport: dataplane -> ioeventfd rework didn't happen yet]
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/block/virtio-blk.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
-index 39e7f23fab..61bd1f6859 100644
---- a/hw/block/virtio-blk.c
-+++ b/hw/block/virtio-blk.c
-@@ -64,7 +64,7 @@ static void virtio_blk_req_complete(VirtIOBlockReq *req, unsigned char status)
-     iov_discard_undo(&req->inhdr_undo);
-     iov_discard_undo(&req->outhdr_undo);
-     virtqueue_push(req->vq, &req->elem, req->in_len);
--    if (s->dataplane_started && !s->dataplane_disabled) {
-+    if (qemu_in_iothread()) {
-         virtio_blk_data_plane_notify(s->dataplane, req->vq);
-     } else {
-         virtio_notify(vdev, req->vq);