[pve-devel] applied: [PATCH qemu] more stable fixes for QEMU 9.0
Fiona Ebner
f.ebner at proxmox.com
Wed May 29 16:18:15 CEST 2024
Most importantly, the first one, "Revert "monitor: use
aio_co_reschedule_self()"", fixes a crash when doing hotplug+resize
with a disk using io_uring.
Other fixes (likely not too important) for TCG emulation of x86(_64)
and ARM.
Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
...t-monitor-use-aio_co_reschedule_self.patch | 53 ++++++++++++
...ict-translation-disabled-alignment-c.patch | 51 ++++++++++++
...-IRQs-a-chance-when-resetting-HF_INH.patch | 80 +++++++++++++++++++
...r-v-Correct-kvm_hv_handle_exit-retur.patch | 60 ++++++++++++++
...86-disable-jmp_opt-if-EFLAGS.RF-is-1.patch | 31 +++++++
...ingle-step-exception-after-MOV-or-PO.patch | 30 +++++++
debian/patches/series | 6 ++
7 files changed, 311 insertions(+)
create mode 100644 debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
create mode 100644 debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
create mode 100644 debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
create mode 100644 debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
create mode 100644 debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
create mode 100644 debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
diff --git a/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch b/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
new file mode 100644
index 0000000..def305c
--- /dev/null
+++ b/debian/patches/extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha at redhat.com>
+Date: Mon, 6 May 2024 15:06:21 -0400
+Subject: [PATCH] Revert "monitor: use aio_co_reschedule_self()"
+
+Commit 1f25c172f837 ("monitor: use aio_co_reschedule_self()") was a code
+cleanup that uses aio_co_reschedule_self() instead of open coding
+coroutine rescheduling.
+
+Bug RHEL-34618 was reported and Kevin Wolf <kwolf at redhat.com> identified
+the root cause. I missed that aio_co_reschedule_self() ->
+qemu_get_current_aio_context() only knows about
+qemu_aio_context/IOThread AioContexts and not about iohandler_ctx. It
+does not function correctly when going back from the iohandler_ctx to
+qemu_aio_context.
+
+Go back to open coding the AioContext transitions to avoid this bug.
+
+This reverts commit 1f25c172f83704e350c0829438d832384084a74d.
+
+Buglink: https://issues.redhat.com/browse/RHEL-34618
+Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
+(picked from: https://lists.nongnu.org/archive/html/qemu-devel/2024-05/msg01090.html)
+Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
+---
+ qapi/qmp-dispatch.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c
+index 2624eb3470..790bb7d1da 100644
+--- a/qapi/qmp-dispatch.c
++++ b/qapi/qmp-dispatch.c
+@@ -224,7 +224,8 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
+ * executing the command handler so that it can make progress if it
+ * involves an AIO_WAIT_WHILE().
+ */
+- aio_co_reschedule_self(qemu_get_aio_context());
++ aio_co_schedule(qemu_get_aio_context(), qemu_coroutine_self());
++ qemu_coroutine_yield();
+ }
+
+ monitor_set_cur(qemu_coroutine_self(), cur_mon);
+@@ -238,7 +239,9 @@ QDict *coroutine_mixed_fn qmp_dispatch(const QmpCommandList *cmds, QObject *requ
+ * Move back to iohandler_ctx so that nested event loops for
+ * qemu_aio_context don't start new monitor commands.
+ */
+- aio_co_reschedule_self(iohandler_get_aio_context());
++ aio_co_schedule(iohandler_get_aio_context(),
++ qemu_coroutine_self());
++ qemu_coroutine_yield();
+ }
+ } else {
+ /*
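Review bot: the embedded patch is taken from the qemu-devel list posting (the "(picked from: ...msg01090.html)" trailer) rather than from a merged commit, which is why its From line carries an all-zero id; once the revert lands upstream, the trailer should be updated to the real commit id so this backport can be matched against stable. The hunk itself does what the message says: each `aio_co_reschedule_self(...)` is replaced by the open-coded `aio_co_schedule(..., qemu_coroutine_self()); qemu_coroutine_yield();` pair in both the qemu_aio_context and iohandler_ctx transitions.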
diff --git a/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch b/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
new file mode 100644
index 0000000..2475d34
--- /dev/null
+++ b/debian/patches/extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <richard.henderson at linaro.org>
+Date: Mon, 22 Apr 2024 10:07:22 -0700
+Subject: [PATCH] target/arm: Restrict translation disabled alignment check to
+ VMSA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For cpus using PMSA, when the MPU is disabled, the default memory
+type is Normal, Non-cachable. This means that it should not
+have alignment restrictions enforced.
+
+Cc: qemu-stable at nongnu.org
+Fixes: 59754f85ed3 ("target/arm: Do memory type alignment check when translation disabled")
+Reported-by: Clément Chigot <chigot at adacore.com>
+Signed-off-by: Richard Henderson <richard.henderson at linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd at linaro.org>
+Tested-by: Clément Chigot <chigot at adacore.com>
+Message-id: 20240422170722.117409-1-richard.henderson at linaro.org
+[PMM: trivial comment, commit message tweaks]
+Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
+(cherry picked from commit 7b19a3554d2df22d29c75319a1dac17615d1b20e)
+Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
+---
+ target/arm/tcg/hflags.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
+index 5da1b0fc1d..f03977b4b0 100644
+--- a/target/arm/tcg/hflags.c
++++ b/target/arm/tcg/hflags.c
+@@ -38,8 +38,16 @@ static bool aprofile_require_alignment(CPUARMState *env, int el, uint64_t sctlr)
+ }
+
+ /*
+- * If translation is disabled, then the default memory type is
+- * Device(-nGnRnE) instead of Normal, which requires that alignment
++ * With PMSA, when the MPU is disabled, all memory types in the
++ * default map are Normal, so don't need aligment enforcing.
++ */
++ if (arm_feature(env, ARM_FEATURE_PMSA)) {
++ return false;
++ }
++
++ /*
++ * With VMSA, if translation is disabled, then the default memory type
++ * is Device(-nGnRnE) instead of Normal, which requires that alignment
+ * be enforced. Since this affects all ram, it is most efficient
+ * to handle this during translation.
+ */
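Review bot: the new comment line `+ * default map are Normal, so don't need aligment enforcing.` has a typo ("aligment"); since the file is a verbatim cherry-pick of upstream 7b19a3554d2d, leaving it as-is keeps the backport identical to upstream, so no local change is needed. Logic-wise the early `return false` for ARM_FEATURE_PMSA sits before the existing translation-disabled check, so VMSA behaviour is unchanged.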
diff --git a/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch b/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
new file mode 100644
index 0000000..97501f5
--- /dev/null
+++ b/debian/patches/extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
@@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ruihan Li <lrh2000 at pku.edu.cn>
+Date: Mon, 15 Apr 2024 14:45:21 +0800
+Subject: [PATCH] target/i386: Give IRQs a chance when resetting
+ HF_INHIBIT_IRQ_MASK
+
+When emulated with QEMU, interrupts will never come in the following
+loop. However, if the NOP instruction is uncommented, interrupts will
+fire as normal.
+
+ loop:
+ cli
+ call do_sti
+ jmp loop
+
+ do_sti:
+ sti
+ # nop
+ ret
+
+This behavior is different from that of a real processor. For example,
+if KVM is enabled, interrupts will always fire regardless of whether the
+NOP instruction is commented or not. Also, the Intel Software Developer
+Manual states that after the STI instruction is executed, the interrupt
+inhibit should end as soon as the next instruction (e.g., the RET
+instruction if the NOP instruction is commented) is executed.
+
+This problem is caused because the previous code may choose not to end
+the TB even if the HF_INHIBIT_IRQ_MASK has just been reset (e.g., in the
+case where the STI instruction is immediately followed by the RET
+instruction), so that IRQs may not have a change to trigger. This commit
+fixes the problem by always terminating the current TB to give IRQs a
+chance to trigger when HF_INHIBIT_IRQ_MASK is reset.
+
+Reviewed-by: Richard Henderson <richard.henderson at linaro.org>
+Signed-off-by: Ruihan Li <lrh2000 at pku.edu.cn>
+Message-ID: <20240415064518.4951-4-lrh2000 at pku.edu.cn>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+(cherry picked from commit 6a5a63f74ba5c5355b7a8468d3d814bfffe928fb)
+Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
+---
+ target/i386/tcg/translate.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index 3e949fe964..b5ebff2c89 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -2798,13 +2798,17 @@ static void gen_bnd_jmp(DisasContext *s)
+ static void
+ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+ {
++ bool inhibit_reset;
++
+ gen_update_cc_op(s);
+
+ /* If several instructions disable interrupts, only the first does it. */
+- if (inhibit && !(s->flags & HF_INHIBIT_IRQ_MASK)) {
+- gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
+- } else {
++ inhibit_reset = false;
++ if (s->flags & HF_INHIBIT_IRQ_MASK) {
+ gen_reset_hflag(s, HF_INHIBIT_IRQ_MASK);
++ inhibit_reset = true;
++ } else if (inhibit) {
++ gen_set_hflag(s, HF_INHIBIT_IRQ_MASK);
+ }
+
+ if (s->base.tb->flags & HF_RF_MASK) {
+@@ -2815,7 +2819,9 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+ tcg_gen_exit_tb(NULL, 0);
+ } else if (s->flags & HF_TF_MASK) {
+ gen_helper_single_step(tcg_env);
+- } else if (jr) {
++ } else if (jr &&
++ /* give irqs a chance to happen */
++ !inhibit_reset) {
+ tcg_gen_lookup_and_goto_ptr();
+ } else {
+ tcg_gen_exit_tb(NULL, 0);
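Review bot: the commit message's "IRQs may not have a change to trigger" should read "chance"; as this is a verbatim cherry-pick of 6a5a63f74ba5 it is only worth recording, not fixing locally. On the logic: `inhibit_reset` is consulted only in the `jr` branch, which is sufficient because the `recheck_tf` branch already calls `tcg_gen_exit_tb`, the `HF_TF_MASK` branch ends the TB via the single-step helper, and the final `else` exits the TB, so every other path already lets pending IRQs be checked at the next TB entry.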
diff --git a/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch b/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
new file mode 100644
index 0000000..337c74c
--- /dev/null
+++ b/debian/patches/extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: donsheng <dongsheng.x.zhang at intel.com>
+Date: Wed, 22 May 2024 04:01:14 +0800
+Subject: [PATCH] target-i386: hyper-v: Correct kvm_hv_handle_exit return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This bug fix addresses the incorrect return value of kvm_hv_handle_exit for
+KVM_EXIT_HYPERV_SYNIC, which should be EXCP_INTERRUPT.
+
+Handling of KVM_EXIT_HYPERV_SYNIC in QEMU needs to be synchronous.
+This means that async_synic_update should run in the current QEMU vCPU
+thread before returning to KVM, returning EXCP_INTERRUPT to guarantee this.
+Returning 0 can cause async_synic_update to run asynchronously.
+
+One problem (kvm-unit-tests's hyperv_synic test fails with timeout error)
+caused by this bug:
+
+When a guest VM writes to the HV_X64_MSR_SCONTROL MSR to enable Hyper-V SynIC,
+a VM exit is triggered and processed by the kvm_hv_handle_exit function of the
+QEMU vCPU. This function then calls the async_synic_update function to set
+synic->sctl_enabled to true. A true value of synic->sctl_enabled is required
+before creating SINT routes using the hyperv_sint_route_new() function.
+
+If kvm_hv_handle_exit returns 0 for KVM_EXIT_HYPERV_SYNIC, the current QEMU
+vCPU thread may return to KVM and enter the guest VM before running
+async_synic_update. In such case, the hyperv_synic test’s subsequent call to
+synic_ctl(HV_TEST_DEV_SINT_ROUTE_CREATE, ...) immediately after writing to
+HV_X64_MSR_SCONTROL can cause QEMU’s hyperv_sint_route_new() function to return
+prematurely (because synic->sctl_enabled is false).
+
+If the SINT route is not created successfully, the SINT interrupt will not be
+fired, resulting in a timeout error in the hyperv_synic test.
+
+Fixes: 267e071bd6d6 (“hyperv: make overlay pages for SynIC”)
+Suggested-by: Chao Gao <chao.gao at intel.com>
+Signed-off-by: Dongsheng Zhang <dongsheng.x.zhang at intel.com>
+Message-ID: <20240521200114.11588-1-dongsheng.x.zhang at intel.com>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+(cherry picked from commit 84d4b72854869821eb89813c195927fdd3078c12)
+Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
+---
+ target/i386/kvm/hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/kvm/hyperv.c b/target/i386/kvm/hyperv.c
+index f2a3fe650a..b94f12acc2 100644
+--- a/target/i386/kvm/hyperv.c
++++ b/target/i386/kvm/hyperv.c
+@@ -81,7 +81,7 @@ int kvm_hv_handle_exit(X86CPU *cpu, struct kvm_hyperv_exit *exit)
+ */
+ async_safe_run_on_cpu(CPU(cpu), async_synic_update, RUN_ON_CPU_NULL);
+
+- return 0;
++ return EXCP_INTERRUPT;
+ case KVM_EXIT_HYPERV_HCALL: {
+ uint16_t code = exit->u.hcall.input & 0xffff;
+ bool fast = exit->u.hcall.input & HV_HYPERCALL_FAST;
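Review bot: the `Fixes:` trailer quotes the subject with typographic quotes (“hyperv: make overlay pages for SynIC”) while the other `Fixes:` trailer in this series (patch 0014) uses plain ASCII quotes; harmless for a verbatim cherry-pick, but worth knowing if anything greps these trailers. The one-line change is consistent with the description: the work queued via `async_safe_run_on_cpu` on the context line above is forced to run before re-entering the guest by returning `EXCP_INTERRUPT` instead of `0`.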
diff --git a/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch b/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
new file mode 100644
index 0000000..42ed9cd
--- /dev/null
+++ b/debian/patches/extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Fri, 24 May 2024 17:17:47 +0200
+Subject: [PATCH] target/i386: disable jmp_opt if EFLAGS.RF is 1
+
+If EFLAGS.RF is 1, special processing in gen_eob_worker() is needed and
+therefore goto_tb cannot be used.
+
+Suggested-by: Richard Henderson <richard.henderson at linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson at linaro.org>
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+(cherry picked from commit 8225bff7c5db504f50e54ef66b079854635dba70)
+Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
+---
+ target/i386/tcg/translate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index b5ebff2c89..c2c5e73b3f 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -6971,7 +6971,7 @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
+ dc->cpuid_7_1_eax_features = env->features[FEAT_7_1_EAX];
+ dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
+ dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
+- (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
++ (flags & (HF_RF_MASK | HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
+ /*
+ * If jmp_opt, we want to handle each string instruction individually.
+ * For icount also disable repz optimization so that each iteration
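Review bot: this hunk's pre-image `index b5ebff2c89..c2c5e73b3f` is the post-image of patch 0015 (`index 3e949fe964..b5ebff2c89`), so 0015 must be applied before 0017; the series file keeps that order, but the dependency matters if either patch is later dropped or replaced. The change itself matches the subject: adding `HF_RF_MASK` to the mask disables `jmp_opt` (and thus goto_tb) whenever EFLAGS.RF is set, so the `HF_RF_MASK` branch of `do_gen_eob_worker` visible in patch 0015's context is always reached.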
diff --git a/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch b/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
new file mode 100644
index 0000000..0de3f4a
--- /dev/null
+++ b/debian/patches/extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Sat, 25 May 2024 10:03:22 +0200
+Subject: [PATCH] target/i386: no single-step exception after MOV or POP SS
+
+Intel SDM 18.3.1.4 "If an occurrence of the MOV or POP instruction
+loads the SS register executes with EFLAGS.TF = 1, no single-step debug
+exception occurs following the MOV or POP instruction."
+
+Cc: qemu-stable at nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+(cherry picked from commit f0f0136abba688a6516647a79cc91e03fad6d5d7)
+Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
+---
+ target/i386/tcg/translate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index c2c5e73b3f..a55df176c6 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -2817,7 +2817,7 @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+ if (recheck_tf) {
+ gen_helper_rechecking_single_step(tcg_env);
+ tcg_gen_exit_tb(NULL, 0);
+- } else if (s->flags & HF_TF_MASK) {
++ } else if ((s->flags & HF_TF_MASK) && !inhibit) {
+ gen_helper_single_step(tcg_env);
+ } else if (jr &&
+ /* give irqs a chance to happen */
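Review bot: the new condition `!inhibit` suppresses the single-step helper for every caller that passes `inhibit == true`, not only the MOV/POP SS cases named in the subject; patch 0015's description indicates STI also takes the inhibit path, so the commit message would be clearer if it stated whether suppressing the trap after STI is intended as well. This hunk also chains on 0015 and 0017 (pre-image `c2c5e73b3f`, and the `} else if (jr &&` / `/* give irqs a chance to happen */` context lines come from 0015), so the three translate.c patches must stay in series order.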
diff --git a/debian/patches/series b/debian/patches/series
index 6352df7..4bd5e46 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,6 +10,12 @@ extra/0009-target-i386-rdpkru-wrpkru-are-no-prefix-instructions.patch
extra/0010-target-i386-fix-feature-dependency-for-WAITPKG.patch
extra/0011-Revert-virtio-pci-fix-use-of-a-released-vector.patch
extra/0012-hw-core-machine-move-compatibility-flags-for-VirtIO-.patch
+extra/0013-Revert-monitor-use-aio_co_reschedule_self.patch
+extra/0014-target-arm-Restrict-translation-disabled-alignment-c.patch
+extra/0015-target-i386-Give-IRQs-a-chance-when-resetting-HF_INH.patch
+extra/0016-target-i386-hyper-v-Correct-kvm_hv_handle_exit-retur.patch
+extra/0017-target-i386-disable-jmp_opt-if-EFLAGS.RF-is-1.patch
+extra/0018-target-i386-no-single-step-exception-after-MOV-or-PO.patch
bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
--
2.39.2