Control: found -1 1:2.8+dfsg-7 Control: tags -1 + patch fixed-upstream Hi,
After staring at GDB for ungodly spans of time I managed to track down this bug, ipso facto discovering that it was already fixed upstream quite some time ago... I think you took upstream commit 04bf2526ce87f21b32c9acba1c5518708c243ad0 (exec: use qemu_ram_ptr_length to access guest ram) from v2.10.0-rc0. That patch introduced the bug. It was fixed about a month ago in v2.10.0-rc1; see: - https://patchwork.ozlabs.org/patch/794015/ - https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;f=exec.c;h=f5aa69bdc3418773f26747ca282c291519626ece I include an easy backport of that patch (very minor tweaks needed for it to apply to v2.8.1) that you can drop at the end of debian/patches/series. I tested this in a trial amd64 build and it seems to have solved the problem for me. Suggestion: merge these threads: tags 871648 - moreinfo unreproducible tags 871648 + confirmed merge 871648 871702 872257 Cheers.
From: astian <ast...@eclipso.at> Date: Thu, 31 Aug 2017 11:02:10 +0000 Subject: [PATCH] exec: Add lock parameter to qemu_ram_ptr_length This patch is a simple backport of upstream commit f5aa69bdc3418773f26747ca282c291519626ece, which was included in v2.10.0-rc1 (and later in the final v2.10.0), to the v2.8.1 branch currently packaged in Debian unstable. See: - https://patchwork.ozlabs.org/patch/794015/ - https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;f=exec.c;h=f5aa69bdc3418773f26747ca282c291519626ece The original patch: From f5aa69bdc3418773f26747ca282c291519626ece Mon Sep 17 00:00:00 2001 From: Anthony PERARD <anthony.per...@citrix.com> Date: Wed, 26 Jul 2017 17:53:26 +0100 Subject: [PATCH] exec: Add lock parameter to qemu_ram_ptr_length Commit 04bf2526ce87f21b32c9acba1c5518708c243ad0 (exec: use qemu_ram_ptr_length to access guest ram) start using qemu_ram_ptr_length instead of qemu_map_ram_ptr, but when used with Xen, the behavior of both function is different. They both call xen_map_cache, but one with "lock", meaning the mapping of guest memory is never released implicitly, and the second one without, which means, mapping can be release later, when needed. In the context of address_space_{read,write}_continue, the ptr to those mapping should not be locked because it is used immediatly and never used again. The lock parameter make it explicit in which context qemu_ram_ptr_length is called. Signed-off-by: Anthony PERARD <anthony.per...@citrix.com> Message-Id: <20170726165326.10327-1-anthony.per...@citrix.com> Reviewed-by: Stefano Stabellini <sstabell...@kernel.org> Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> --- exec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/exec.c b/exec.c index 44df5f0fcb..814baa43a1 100644 --- a/exec.c +++ b/exec.c @@ -1879,7 +1879,7 @@ void *qemu_map_ram_ptr(RAMBlock *ram_block, ram_addr_t addr) * Called within RCU critical section. */ static void *qemu_ram_ptr_length(RAMBlock *ram_block, ram_addr_t addr, - hwaddr *size) + hwaddr *size, bool lock) { RAMBlock *block = ram_block; if (*size == 0) { @@ -1898,7 +1898,7 @@ static void *qemu_ram_ptr_length(RAMBlock *ram_block, ram_addr_t addr, * In that case just map the requested area. */ if (block->offset == 0) { - return xen_map_cache(addr, *size, 1); + return xen_map_cache(addr, *size, lock); } block->host = xen_map_cache(block->offset, block->max_length, 1); @@ -2613,7 +2613,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr, } } else { /* RAM case */ - ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false); memcpy(ptr, buf, l); invalidate_and_set_dirty(mr, addr1, l); } @@ -2704,7 +2704,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr, } } else { /* RAM case */ - ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false); memcpy(buf, ptr, l); } @@ -3007,7 +3007,7 @@ void *address_space_map(AddressSpace *as, memory_region_ref(mr); *plen = done; - ptr = qemu_ram_ptr_length(mr->ram_block, base, plen); + ptr = qemu_ram_ptr_length(mr->ram_block, base, plen, true); rcu_read_unlock(); return ptr;
