One for TCG and one for ERST devices (AFAIU from [0] the issue shouldn't be critical, but better be safe than sorry).
[0]: https://lists.nongnu.org/archive/html/qemu-devel/2022-10/msg03844.html
Signed-off-by: Fiona Ebner <f.eb...@proxmox.com>
---
 ...pi-erst.c-Fix-memory-handling-issues.patch | 61 ++++++++++++++
 ...-Init-TCG-cflags-in-vCPU-thread-hand.patch | 83 +++++++++++++++++++
 debian/patches/series | 2 +
 3 files changed, 146 insertions(+)
 create mode 100644 debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
 create mode 100644 debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch
diff --git a/debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch b/debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
new file mode 100644
index 0000000..0277897
--- /dev/null
+++ b/debian/patches/extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Christian A. Ehrhardt" <l...@c--e.de>
+Date: Mon, 24 Oct 2022 17:42:33 +0200
+Subject: [PATCH] hw/acpi/erst.c: Fix memory handling issues
+
+- Fix memset argument order: The second argument is
+ the value, the length goes last.
+- Fix an integer overflow reported by Alexander Bulekov.
+
+Both issues allow the guest to overrun the host buffer
+allocated for the ERST memory device.
+
+Cc: Eric DeVolder <eric.devol...@oracle.com
+Cc: Alexander Bulekov <alx...@bu.edu>
+Cc: qemu-sta...@nongnu.org
+Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature")
+Tested-by: Alexander Bulekov <alx...@bu.edu>
+Signed-off-by: Christian A. Ehrhardt <l...@c--e.de>
+Message-Id: <20221024154233.1043347-1...@c--e.de>
+Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268
+Reviewed-by: Alexander Bulekov <alx...@bu.edu>
+Reviewed-by: Eric DeVolder <eric.devol...@oracle.com>
+Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
+Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
+(cherry-picked from commit defb70980f6bed36100b74e84220f1764c0dd544)
+Signed-off-by: Fiona Ebner <f.eb...@proxmox.com>
+---
+ hw/acpi/erst.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c
+index df856b2669..aefcc03ad6 100644
+--- a/hw/acpi/erst.c
++++ b/hw/acpi/erst.c
+@@ -635,7 +635,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)
+ if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
+ rc = STATUS_FAILED;
+ }
+- if ((s->record_offset + record_length) > exchange_length) {
++ if (record_length > exchange_length - s->record_offset) {
+ rc = STATUS_FAILED;
+ }
+ /* If all is ok, copy the record to the exchange buffer */
+@@ -684,7 +684,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
+ if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
+ return STATUS_FAILED;
+ }
+- if ((s->record_offset + record_length) > exchange_length) {
++ if (record_length > exchange_length - s->record_offset) {
+ return STATUS_FAILED;
+ }
+
+@@ -716,7 +716,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
+ if (nvram) {
+ /* Write the record into the slot */
+ memcpy(nvram, exchange, record_length);
+- memset(nvram + record_length, exchange_length - record_length, 0xFF);
++ memset(nvram + record_length, 0xFF, exchange_length - record_length);
+ /* If a new record, increment the record_count */
+ if (!record_found) {
+ uint32_t record_count;
diff --git a/debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch b/debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch
new file mode 100644
index 0000000..af131da
--- /dev/null
+++ b/debian/patches/extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch
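Review bot: The rewritten bound `if (record_length > exchange_length - s->record_offset)` in both read_erst_record and write_erst_record is only sound if `s->record_offset <= exchange_length` already holds on entry; if the offset can be set by the guest to a value larger than the exchange buffer, the unsigned subtraction wraps and the check passes for any record_length. The hunk does not show where record_offset is validated, so that invariant should be confirmed at the point that stores it, or made explicit here with `if (s->record_offset > exchange_length || record_length > exchange_length - s->record_offset) { rc = STATUS_FAILED; }` (and the `return STATUS_FAILED;` form in write_erst_record). Both enclosing functions start and end outside the hunk. Since the file is a verbatim cherry-pick of the upstream commit, any such hardening belongs in a follow-up upstream rather than in this Debian patch.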
@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.mayd...@linaro.org>
+Date: Fri, 21 Oct 2022 17:34:09 +0100
+Subject: [PATCH] Revert "accel/tcg: Init TCG cflags in vCPU thread handler"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit a82fd5a4ec24d was intended to be a code cleanup, but
+unfortunately it has a bug. It moves the initialization of the
+TCG cflags from the "start a new vcpu" function to the
+thread handler; this is fine when each vcpu has its own thread,
+but when we are doing round-robin of vcpus on a single thread
+we end up only initializing the cflags for CPU 0, not for any
+of the others.
+
+The most obvious effect of this bug is that running in icount
+mode with more than one CPU is broken; typically the guest
+hangs shortly after it brings up the secondary CPUs.
+
+This reverts commit a82fd5a4ec24d923ff1e6da128c0fd4a74079d99.
+
+Cc: qemu-sta...@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
+Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
+Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
+Message-Id: <20221021163409.3674911-1-peter.mayd...@linaro.org>
+Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
+(cherry-picked from commit 0585105c806d3bf301eebc33115a0790fcfc1d9c)
+Signed-off-by: Fiona Ebner <f.eb...@proxmox.com>
+---
+ accel/tcg/tcg-accel-ops-mttcg.c | 5 +++--
+ accel/tcg/tcg-accel-ops-rr.c | 7 ++++---
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/accel/tcg/tcg-accel-ops-mttcg.c b/accel/tcg/tcg-accel-ops-mttcg.c
+index ba997f6cfe..d50239e0e2 100644
+--- a/accel/tcg/tcg-accel-ops-mttcg.c
++++ b/accel/tcg/tcg-accel-ops-mttcg.c
+@@ -70,8 +70,6 @@ static void *mttcg_cpu_thread_fn(void *arg)
+ assert(tcg_enabled());
+ g_assert(!icount_enabled());
+
+- tcg_cpu_init_cflags(cpu, current_machine->smp.max_cpus > 1);
+-
+ rcu_register_thread();
+ force_rcu.notifier.notify = mttcg_force_rcu;
+ force_rcu.cpu = cpu;
+@@ -141,6 +139,9 @@ void mttcg_start_vcpu_thread(CPUState *cpu)
+ {
+ char thread_name[VCPU_THREAD_NAME_SIZE];
+
++ g_assert(tcg_enabled());
++ tcg_cpu_init_cflags(cpu, current_machine->smp.max_cpus > 1);
++
+ cpu->thread = g_new0(QemuThread, 1);
+ cpu->halt_cond = g_malloc0(sizeof(QemuCond));
+ qemu_cond_init(cpu->halt_cond);
+diff --git a/accel/tcg/tcg-accel-ops-rr.c b/accel/tcg/tcg-accel-ops-rr.c
+index cc8adc2380..1a72149f0e 100644
+--- a/accel/tcg/tcg-accel-ops-rr.c
++++ b/accel/tcg/tcg-accel-ops-rr.c
+@@ -152,9 +152,7 @@ static void *rr_cpu_thread_fn(void *arg)
+ Notifier force_rcu;
+ CPUState *cpu = arg;
+
+- g_assert(tcg_enabled());
+- tcg_cpu_init_cflags(cpu, false);
+-
++ assert(tcg_enabled());
+ rcu_register_thread();
+ force_rcu.notify = rr_force_rcu;
+ rcu_add_force_rcu_notifier(&force_rcu);
+@@ -277,6 +275,9 @@ void rr_start_vcpu_thread(CPUState *cpu)
+ static QemuCond *single_tcg_halt_cond;
+ static QemuThread *single_tcg_cpu_thread;
+
++ g_assert(tcg_enabled());
++ tcg_cpu_init_cflags(cpu, false);
++
+ if (!single_tcg_cpu_thread) {
+ cpu->thread = g_new0(QemuThread, 1);
+ cpu->halt_cond = g_new0(QemuCond, 1);
diff --git a/debian/patches/series b/debian/patches/series
index 6dbf2b1..f3a1c82 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,6 +3,8 @@ extra/0002-block-io_uring-revert-Use-io_uring_register_ring_fd-.patch
 extra/0003-virtiofsd-use-g_date_time_get_microsecond-to-get-sub.patch
 extra/0004-chardev-fix-segfault-in-finalize.patch
 extra/0005-init-daemonize-defuse-PID-file-resolve-error.patch
+extra/0006-hw-acpi-erst.c-Fix-memory-handling-issues.patch
+extra/0007-Revert-accel-tcg-Init-TCG-cflags-in-vCPU-thread-hand.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
-- 
2.30.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel