6d740fb0 | 02-May-2023 |
Stefan Hajnoczi <stefanha@redhat.com> |
aio-posix: do not nest poll handlers
QEMU's event loop supports nesting, which means that event handler functions may themselves call aio_poll(). The condition that triggered a handler must be reset
aio-posix: do not nest poll handlers
QEMU's event loop supports nesting, which means that event handler functions may themselves call aio_poll(). The condition that triggered a handler must be reset before the nested aio_poll() call, otherwise the same handler will be called and immediately re-enter aio_poll. This leads to an infinite loop and stack exhaustion.
Poll handlers are especially prone to this issue, because they typically reset their condition by finishing the processing of pending work. Unfortunately it is during the processing of pending work that nested aio_poll() calls typically occur and the condition has not yet been reset.
Disable a poll handler during ->io_poll_ready() so that a nested aio_poll() call cannot invoke ->io_poll_ready() again. As a result, the disabled poll handler and its associated fd handler do not run during the nested aio_poll(). Calling aio_set_fd_handler() from inside nested aio_poll() could cause it to run again. If the fd handler is pending inside nested aio_poll(), then it will also run again.
In theory fd handlers can be affected by the same issue, but they are more likely to reset the condition before calling nested aio_poll().
This is a special case and it's somewhat complex, but I don't see a way around it as long as nested aio_poll() is supported.
Cc: qemu-stable@nongnu.org Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2186181 Fixes: c38270692593 ("block: Mark bdrv_co_io_(un)plug() and callers GRAPH_RDLOCK") Cc: Kevin Wolf <kwolf@redhat.com> Cc: Emanuele Giuseppe Esposito <eesposit@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20230502184134.534703-2-stefanha@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
show more ...
|
6739825a | 12-Oct-2022 |
Paolo Bonzini <pbonzini@redhat.com> |
build: move coroutine backend selection to meson
To simplify the code, rename coroutine-win32.c to match the option passed to configure.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
build: move coroutine backend selection to meson
To simplify the code, rename coroutine-win32.c to match the option passed to configure.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
show more ...
|
fc9a809e | 12-Oct-2022 |
Paolo Bonzini <pbonzini@redhat.com> |
build: move glib detection and workarounds to meson
QEMU adds the path to glib.h to all compilation commands. This is simpler due to the pervasive use of static_library, and was grandfathered in fr
build: move glib detection and workarounds to meson
QEMU adds the path to glib.h to all compilation commands. This is simpler due to the pervasive use of static_library, and was grandfathered in from the previous Make-based build system. Until Meson 0.63 the only way to do this was to detect glib in configure and use add_project_arguments, but now it is possible to use add_project_dependencies instead.
gmodule is detected in a separate variable, with export enabled for modules and disabled for plugin.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
show more ...
|
80bd81ca | 05-May-2023 |
Claudio Imbrenda <imbrenda@linux.ibm.com> |
util/async-teardown: wire up query-command-line-options
Add new -run-with option with an async-teardown=on|off parameter. It is visible in the output of query-command-line-options QMP command, so it
util/async-teardown: wire up query-command-line-options
Add new -run-with option with an async-teardown=on|off parameter. It is visible in the output of query-command-line-options QMP command, so it can be discovered and used by libvirt.
The option -async-teardown is now redundant, deprecate it.
Reported-by: Boris Fiuczynski <fiuczy@linux.ibm.com> Fixes: c891c24b1a ("os-posix: asynchronous teardown for shutdown on Linux") Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Message-Id: <20230505120051.36605-2-imbrenda@linux.ibm.com> [thuth: Add curly braces to fix error with GCC 8.5, fix bug in deprecated.rst] Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
3edf660a | 04-Apr-2023 |
Stefan Hajnoczi <stefanha@redhat.com> |
aio-wait: avoid AioContext lock in aio_wait_bh_oneshot()
There is no need for the AioContext lock in aio_wait_bh_oneshot(). It's easy to remove the lock from existing callers and then switch from AI
aio-wait: avoid AioContext lock in aio_wait_bh_oneshot()
There is no need for the AioContext lock in aio_wait_bh_oneshot(). It's easy to remove the lock from existing callers and then switch from AIO_WAIT_WHILE() to AIO_WAIT_WHILE_UNLOCKED() in aio_wait_bh_oneshot().
Document that the AioContext lock should not be held across aio_wait_bh_oneshot(). Holding a lock across aio_poll() can cause deadlock so we don't want callers to do that.
This is a step towards getting rid of the AioContext lock.
Cc: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20230404153307.458883-1-stefanha@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
show more ...
|
8f593ba9 | 03-Mar-2023 |
Paolo Bonzini <pbonzini@redhat.com> |
call_rcu: stop using mb_set/mb_read
Use a store-release when enqueuing a new call_rcu, and a load-acquire when dequeuing; and read the tail after checking that node->next is consistent, which is the
call_rcu: stop using mb_set/mb_read
Use a store-release when enqueuing a new call_rcu, and a load-acquire when dequeuing; and read the tail after checking that node->next is consistent, which is the standard message passing pattern and it is clearer than mb_read/mb_set.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
show more ...
|
6e288b00 | 03-Mar-2023 |
Paolo Bonzini <pbonzini@redhat.com> |
rcu: remove qatomic_mb_set, expand comments
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
7ade2b18 | 24-Mar-2023 |
Eric Blake <eblake@redhat.com> |
systemd: Also clear LISTEN_FDNAMES during systemd socket activation
Some time after systemd documented LISTEN_PID and LISTEN_FDS for socket activation, they later added LISTEN_FDNAMES; now documente
systemd: Also clear LISTEN_FDNAMES during systemd socket activation
Some time after systemd documented LISTEN_PID and LISTEN_FDS for socket activation, they later added LISTEN_FDNAMES; now documented at: https://www.freedesktop.org/software/systemd/man/sd_listen_fds.html
In particular, look at the implementation of sd_listen_fds_with_names(): https://github.com/systemd/systemd/blob/main/src/libsystemd/sd-daemon/sd-daemon.c
If we ever pass LISTEN_PID=xxx and LISTEN_FDS=n to a child process, but leave LISTEN_FDNAMES=... unchanged as inherited from our parent process, then our child process using sd_listen_fds_with_names() might see a mismatch in the number of names (unexpected -EINVAL failure), or even if the number of names matches the values of those names may be unexpected (with even less predictable results).
Usually, this is not an issue - the point of LISTEN_PID is to tell systemd socket activation to ignore all other LISTEN_* if they were not directed to this particular pid. But if we end up consuming a socket directed to this qemu process, and later decide to spawn a child process that also needs systemd socket activation, we must ensure we are not leaking any stale systemd variables through to that child. The easiest way to do this is to wipe ALL LISTEN_* variables at the time we consume a socket, even if we do not yet care about a LISTEN_FDNAMES passed in from the parent process.
See also https://lists.freedesktop.org/archives/systemd-devel/2023-March/048920.html
Thanks: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20230324153349.1123774-1-eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
show more ...
|
7915bd06 | 01-May-2023 |
Alexander Bulekov <alxndr@bu.edu> |
async: avoid use-after-free on re-entrancy guard
A BH callback can free the BH, causing a use-after-free in aio_bh_call. Fix that by keeping a local copy of the re-entrancy guard pointer.
Buglink:
async: avoid use-after-free on re-entrancy guard
A BH callback can free the BH, causing a use-after-free in aio_bh_call. Fix that by keeping a local copy of the re-entrancy guard pointer.
Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58513 Fixes: 9c86c97f12 ("async: Add an optional reentrancy guard to the BH API") Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20230501141956.3444868-1-alxndr@bu.edu> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
7c18f2d6 | 29-Apr-2023 |
Richard Henderson <richard.henderson@linaro.org> |
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
* Fix compilation issues under Debian 10 * Update kernel headers to 6.3rc5 * Suppress GCC13 false positive in aio_bh_poll() *
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
* Fix compilation issues under Debian 10 * Update kernel headers to 6.3rc5 * Suppress GCC13 false positive in aio_bh_poll() * Add new x86 feature bits * Coverity fixes * More steps towards removing qatomic_mb_set/read * Fix reduced-phys-bits value for AMD SEV
# -----BEGIN PGP SIGNATURE----- # # iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmRNC0IUHHBib256aW5p # QHJlZGhhdC5jb20ACgkQv/vSX3jHroNo0wgArWNGKZpbmQ0e5L6ajMvaaPmg4mVL # a2SJGU0TwTp0fUgZr14z2iwzIpSqQrsqhzTIAzOTs0OICDBPBuNvnRucMa+SVQGO # Tc89YAwBVDo66dAKhWi+WR9tx7sTFCso0nbsBfczzdnwAw3g1MJ87Ueqc5tlPGBK # E7YSAD6l4UuogoN5BLU7bSsG/X7bwcyzeUXRB4ik+Z9abWd4DH9qiROnBKLMmBLK # nAi47h8b8MltWORpO+wf6HtkMKi37SAzl9VLHVuHcRhIdY/JhWCRhYSo0HXhgX66 # JLVkyxFpIndT0dUW/xnqATGez92FRZyTxHbxbAcWM0SoC1jOVfUXB+7Gdw== # =vxou # -----END PGP SIGNATURE----- # gpg: Signature made Sat 29 Apr 2023 01:19:14 PM BST # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [undefined] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [undefined] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: cpus-common: stop using mb_set/mb_read async: Suppress GCC13 false positive in aio_bh_poll() tests: vhost-user-test: release mutex on protocol violation Update linux headers to v6.3rc5 update-linux-headers.sh: Add missing kernel headers. Fix libvhost-user.c compilation. target/i386: Add support for PREFETCHIT0/1 in CPUID enumeration target/i386: Add support for AVX-NE-CONVERT in CPUID enumeration target/i386: Add support for AVX-VNNI-INT8 in CPUID enumeration target/i386: Add support for AVX-IFMA in CPUID enumeration target/i386: Add support for AMX-FP16 in CPUID enumeration target/i386: Add support for CMPCCXADD in CPUID enumeration i386/cpu: Update how the EBX register of CPUID 0x8000001F is set i386/sev: Update checks and information related to reduced-phys-bits qemu-options.hx: Update the reduced-phys-bits documentation qapi, i386/sev: Change the reduced-phys-bits value from 5 to 1
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
show more ...
|
d66ba6dc | 20-Apr-2023 |
Cédric Le Goater <clg@redhat.com> |
async: Suppress GCC13 false positive in aio_bh_poll()
GCC13 reports an error :
../util/async.c: In function ‘aio_bh_poll’: include/qemu/queue.h:303:22: error: storing the address of local variable
async: Suppress GCC13 false positive in aio_bh_poll()
GCC13 reports an error :
../util/async.c: In function ‘aio_bh_poll’: include/qemu/queue.h:303:22: error: storing the address of local variable ‘slice’ in ‘*ctx.bh_slice_list.sqh_last’ [-Werror=dangling-pointer=] 303 | (head)->sqh_last = &(elm)->field.sqe_next; \ | ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~ ../util/async.c:169:5: note: in expansion of macro ‘QSIMPLEQ_INSERT_TAIL’ 169 | QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next); | ^~~~~~~~~~~~~~~~~~~~ ../util/async.c:161:17: note: ‘slice’ declared here 161 | BHListSlice slice; | ^~~~~ ../util/async.c:161:17: note: ‘ctx’ declared here
But the local variable 'slice' is removed from the global context list in following loop of the same routine. Add a pragma to silent GCC.
Cc: Stefan Hajnoczi <stefanha@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Tested-by: Daniel Henrique Barboza <danielhb413@gmail.com> Message-Id: <20230420202939.1982044-1-clg@kaod.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
show more ...
|
2074424e | 28-Apr-2023 |
Richard Henderson <richard.henderson@linaro.org> |
Merge tag 'pull-request-2023-04-28' of https://gitlab.com/thuth/qemu into staging
* Prevent reentrant DMA accesses by default * Only compile hw/rdma code when necessary * Fix a potential locking iss
Merge tag 'pull-request-2023-04-28' of https://gitlab.com/thuth/qemu into staging
* Prevent reentrant DMA accesses by default * Only compile hw/rdma code when necessary * Fix a potential locking issue in the vhost-user-test * Offer more registers in GDB for s390x TCG
# -----BEGIN PGP SIGNATURE----- # # iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmRLlDkRHHRodXRoQHJl # ZGhhdC5jb20ACgkQLtnXdP5wLbU98RAApVbehXIXMF4lm0B4/pTRlP7CEjbKvNdQ # Ca/xuqiCctjisJWQMLf8WDdymzaA02ycSYo0X9diO4uisKog4kN4uYje3VTbSJnx # 7a0MlOpUqP6AR3hZYy5y/wv1M7Yjfhnj7yTUsAo/mQYoZmvqRviNwJ6ekdIU9J4W # V2EfY+R/ebNami9VvuHTqudcZxmmR+4S5m5JipeHvjFE0DJucES0S8sN3W+iSCxG # ydqG02CUoZtoorkJZccy3FPyeTVHgvcNqJbhAA5pFBgo30L+mx0llqztzLnWnLCe # GWvpW2lZ2jC5MOg8oEpbiR807eB3ITpzCu9SX0IUOxMUHpGtl49sx1WNFrrlgD4Z # b+mZSwJx4grwkU8iD/nF0apQoqEIAH6VSyRAIq1yLAsq1H4/K4c8M+bZ/jAD+gw+ # +DujZIPJ6Gcu3BeqWgOcOY1rRol3ksmRYlU8GrHTR/zIU+q3h7Gk3aH4+Ore1qnE # hI/YzyyZlQgFMvENqakPJIS9IH+h41gCltwE8YxqJyUWIBfRs7iBMzdxQuUW+c2b # n6OPYqeDlQt4hEpq4mUtZ+aJV1ey6kyk5ESLTj8QaJiZtcT1+lmvZX2ug2oeyrJm # ys2458ulKZu0rGjXWWXNFB8u3MM9xN/PLqeD/wKShyLzkit5Nfx4azw5LPbmjrbj # Twmf1HGeUiY= # =v84A # -----END PGP SIGNATURE----- # gpg: Signature made Fri 28 Apr 2023 10:39:05 AM BST # gpg: using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5 # gpg: issuer "thuth@redhat.com" # gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [undefined] # gpg: aka "Thomas Huth <thuth@redhat.com>" [undefined] # gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown] # gpg: aka "Thomas Huth <huth@tuxfamily.org>" [undefined] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5
* tag 'pull-request-2023-04-28' of https://gitlab.com/thuth/qemu: apic: disable reentrancy detection for apic-msi raven: disable reentrancy detection for iomem bcm2835_property: disable reentrancy detection for iomem lsi53c895a: disable reentrancy detection for script RAM hw: replace most qemu_bh_new calls with qemu_bh_new_guarded checkpatch: add qemu_bh_new/aio_bh_new checks async: Add an optional reentrancy guard to the BH API memory: prevent dma-reentracy issues tests: vhost-user-test: release mutex on protocol violation hw/rdma: VMW_PVRDMA should depend on VMXNET3_PCI hw/rdma: Compile target-independent parts of the rdma code only once hw/rdma: Remove unused macros PG_DIR_SZ and PG_TBL_SZ s390x/gdb: Split s390-virt.xml
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
show more ...
|
9c86c97f | 27-Apr-2023 |
Alexander Bulekov <alxndr@bu.edu> |
async: Add an optional reentrancy guard to the BH API
Devices can pass their MemoryReentrancyGuard (from their DeviceState), when creating new BHes. Then, the async API will toggle the guard before/
async: Add an optional reentrancy guard to the BH API
Devices can pass their MemoryReentrancyGuard (from their DeviceState), when creating new BHes. Then, the async API will toggle the guard before/after calling the BH call-back. This prevents bh->mmio reentrancy issues.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20230427211013.2994127-3-alxndr@bu.edu> [thuth: Fix "line over 90 characters" checkpatch.pl error] Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
7757b55e | 27-Apr-2023 |
Paolo Bonzini <pbonzini@redhat.com> |
stat64: Add stat64_set() operation
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> S
stat64: Add stat64_set() operation
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com>
show more ...
|
aef04fc7 | 03-Feb-2023 |
Emanuele Giuseppe Esposito <eesposit@redhat.com> |
thread-pool: avoid passing the pool parameter every time
thread_pool_submit_aio() is always called on a pool taken from qemu_get_current_aio_context(), and that is the only intended use: each pool r
thread-pool: avoid passing the pool parameter every time
thread_pool_submit_aio() is always called on a pool taken from qemu_get_current_aio_context(), and that is the only intended use: each pool runs only in the same thread that is submitting work to it, it can't run anywhere else.
Therefore simplify the thread_pool_submit* API and remove the ThreadPool function parameter.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> Message-Id: <20230203131731.851116-5-eesposit@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
show more ...
|
0fdb7311 | 03-Feb-2023 |
Emanuele Giuseppe Esposito <eesposit@redhat.com> |
thread-pool: use ThreadPool from the running thread
Use qemu_get_current_aio_context() where possible, since we always submit work to the current thread anyways.
We want to also be sure that the th
thread-pool: use ThreadPool from the running thread
Use qemu_get_current_aio_context() where possible, since we always submit work to the current thread anyways.
We want to also be sure that the thread submitting the work is the same as the one processing the pool, to avoid adding synchronization to the pool list.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> Message-Id: <20230203131731.851116-4-eesposit@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
show more ...
|
fa45f8da | 19-Apr-2023 |
Peter Xu <peterx@redhat.com> |
util/mmap-alloc: qemu_fd_getfs()
This new helper fetches file system type for a fd. Only Linux is implemented so far. Currently only tmpfs and hugetlbfs are defined, but it can grow as needed.
Si
util/mmap-alloc: qemu_fd_getfs()
This new helper fetches file system type for a fd. Only Linux is implemented so far. Currently only tmpfs and hugetlbfs are defined, but it can grow as needed.
Signed-off-by: Peter Xu <peterx@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
show more ...
|
512c90c9 | 03-Mar-2023 |
Paolo Bonzini <pbonzini@redhat.com> |
qemu-coroutine: remove qatomic_mb_read()
Replace with an explicit barrier and a comment.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
64f1c63d | 10-Apr-2023 |
Peter Maydell <peter.maydell@linaro.org> |
Merge tag 'pull_error_handle_fix_use_after_free.v1' of https://github.com/stefanberger/qemu-tpm into staging
Fix use-after-free in util/error.c
# -----BEGIN PGP SIGNATURE----- # # iQEzBAABCAAdFiEEu
Merge tag 'pull_error_handle_fix_use_after_free.v1' of https://github.com/stefanberger/qemu-tpm into staging
Fix use-after-free in util/error.c
# -----BEGIN PGP SIGNATURE----- # # iQEzBAABCAAdFiEEuBi5yt+QicLVzsZrda1lgCoLQhEFAmQu9xYACgkQda1lgCoL # QhFX2ggAnZZF2KgvVSRh67X+3VdVsg+ifFc/k7kMq74UhTr4lXojPCcgSPu8PaRZ # Mv0I+xNv9pjEU7frwi6vc9DXyhWrVTLgW4TugVBgsB75CnjvFN3lw3T9goCc1h4m # eO7c6SMdUpyQG7ar1mqt2m0bjVz85OAsNYBiAjxfyrKzX6B/mHyru5re/8VC3Hho # IJWGlS51IxrVq44qjB8Lh3voXiEru7dX/y86fWqAiy61pON6+A43rBDIb9JOVv8q # QiHqXVjs9/ax9ZNRudlgJ7bAlUFp6vD9xBm6ztlABI9MCYZeibU6jPMLCBYnGiJq # f//Sqqd4WsqnhOJOLYeMNfFMElIXEw== # =uu4l # -----END PGP SIGNATURE----- # gpg: Signature made Thu 06 Apr 2023 17:45:10 BST # gpg: using RSA key B818B9CADF9089C2D5CEC66B75AD65802A0B4211 # gpg: Good signature from "Stefan Berger <stefanb@linux.vnet.ibm.com>" [unknown] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: B818 B9CA DF90 89C2 D5CE C66B 75AD 6580 2A0B 4211
* tag 'pull_error_handle_fix_use_after_free.v1' of https://github.com/stefanberger/qemu-tpm: util/error: Fix use-after-free errors reported by Coverity
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
show more ...
|
cc40b8b8 | 06-Apr-2023 |
Stefan Berger <stefanb@linux.ibm.com> |
util/error: Fix use-after-free errors reported by Coverity
Fix use-after-free errors in the code path that called error_handle(). A call to error_handle() will now either free the passed Error 'err'
util/error: Fix use-after-free errors reported by Coverity
Fix use-after-free errors in the code path that called error_handle(). A call to error_handle() will now either free the passed Error 'err' or assign it to '*errp' if '*errp' is currently NULL. This ensures that 'err' either has been freed or is assigned to '*errp' if this function returns. Adjust the two callers of this function to not assign the 'err' to '*errp' themselves, since this is now handled by error_handle().
Fixes: commit 3ffef1a55ca3 ("error: add global &error_warn destination") Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20230406154347.4100700-1-stefanb@linux.ibm.com
show more ...
|
1ff4a81b | 05-Feb-2023 |
Emilio Cota <cota@braap.org> |
tcg: use QTree instead of GTree
qemu-user can hang in a multi-threaded fork. One common reason is that when creating a TB, between fork and exec we manipulate a GTree whose memory allocator (GSlice)
tcg: use QTree instead of GTree
qemu-user can hang in a multi-threaded fork. One common reason is that when creating a TB, between fork and exec we manipulate a GTree whose memory allocator (GSlice) is not fork-safe.
Although POSIX does not mandate it, the system's allocator (e.g. tcmalloc, libc malloc) is probably fork-safe.
Fix some of these hangs by using QTree, which uses the system's allocator regardless of the Glib version that we used at configuration time.
Tested with the test program in the original bug report, i.e.: ```
void garble() { int pid = fork(); if (pid == 0) { exit(0); } else { int wstatus; waitpid(pid, &wstatus, 0); } }
void supragarble(unsigned depth) { if (depth == 0) return ;
std::thread a(supragarble, depth-1); std::thread b(supragarble, depth-1); garble(); a.join(); b.join(); }
int main() { supragarble(10); } ```
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/285 Reported-by: Valentin David <me@valentindavid.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Emilio Cota <cota@braap.org> Message-Id: <20230205163758.416992-3-cota@braap.org> [rth: Add QEMU_DISABLE_CFI for all callback using functions.] Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
show more ...
|
e3feb2cc | 05-Feb-2023 |
Emilio Cota <cota@braap.org> |
util: import GTree as QTree
The only reason to add this implementation is to control the memory allocator used. Some users (e.g. TCG) cannot work reliably in multi-threaded environments (e.g. forkin
util: import GTree as QTree
The only reason to add this implementation is to control the memory allocator used. Some users (e.g. TCG) cannot work reliably in multi-threaded environments (e.g. forking in user-mode) with GTree's allocator, GSlice. See https://gitlab.com/qemu-project/qemu/-/issues/285 for details.
Importing GTree is a temporary workaround until GTree migrates away from GSlice.
This implementation is identical to that in glib v2.75.0, except that we don't import recent additions to the API nor deprecated API calls, none of which are used in QEMU.
I've imported tests from glib and added a benchmark just to make sure that performance is similar. Note: it cannot be identical because (1) we are not using GSlice, (2) we use different compilation flags (e.g. -fPIC) and (3) we're linking statically.
$ cat /proc/cpuinfo| grep 'model name' | head -1 model name : AMD Ryzen 7 PRO 5850U with Radeon Graphics $ echo '0' | sudo tee /sys/devices/system/cpu/cpufreq/boost $ tests/bench/qtree-bench
Tree Op 32 1024 4096 131072 1048576 ------------------------------------------------------------------------------------------------ GTree Lookup 83.23 43.08 25.31 19.40 16.22 QTree Lookup 113.42 (1.36x) 53.83 (1.25x) 28.38 (1.12x) 17.64 (0.91x) 13.04 (0.80x) GTree Insert 44.23 29.37 25.83 19.49 17.03 QTree Insert 46.87 (1.06x) 25.62 (0.87x) 24.29 (0.94x) 16.83 (0.86x) 12.97 (0.76x) GTree Remove 53.27 35.15 31.43 24.64 16.70 QTree Remove 57.32 (1.08x) 41.76 (1.19x) 38.37 (1.22x) 29.30 (1.19x) 15.07 (0.90x) GTree RemoveAll 135.44 127.52 126.72 120.11 64.34 QTree RemoveAll 127.15 (0.94x) 110.37 (0.87x) 107.97 (0.85x) 97.13 (0.81x) 55.10 (0.86x) GTree Traverse 277.71 276.09 272.78 246.72 98.47 QTree Traverse 370.33 (1.33x) 411.97 (1.49x) 400.23 (1.47x) 262.82 (1.07x) 78.52 (0.80x) ------------------------------------------------------------------------------------------------
As a sanity check, the same benchmark when Glib's version is >= $glib_dropped_gslice_version (i.e. QTree == GTree):
Tree Op 32 1024 4096 131072 1048576 ------------------------------------------------------------------------------------------------ GTree Lookup 82.72 43.09 24.18 19.73 16.09 QTree Lookup 81.82 (0.99x) 43.10 (1.00x) 24.20 (1.00x) 19.76 (1.00x) 16.26 (1.01x) GTree Insert 45.07 29.62 26.34 19.90 17.18 QTree Insert 45.72 (1.01x) 29.60 (1.00x) 26.38 (1.00x) 19.71 (0.99x) 17.20 (1.00x) GTree Remove 54.48 35.36 31.77 24.97 16.95 QTree Remove 54.46 (1.00x) 35.32 (1.00x) 31.77 (1.00x) 24.91 (1.00x) 17.15 (1.01x) GTree RemoveAll 140.68 127.36 125.43 121.45 68.20 QTree RemoveAll 140.65 (1.00x) 127.64 (1.00x) 125.01 (1.00x) 121.73 (1.00x) 67.06 (0.98x) GTree Traverse 278.68 276.05 266.75 251.65 104.93 QTree Traverse 278.31 (1.00x) 275.78 (1.00x) 266.42 (1.00x) 247.89 (0.99x) 104.58 (1.00x) ------------------------------------------------------------------------------------------------
Signed-off-by: Emilio Cota <cota@braap.org> Message-Id: <20230205163758.416992-2-cota@braap.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
show more ...
|
e62da985 | 23-Mar-2023 |
Stefan Hajnoczi <stefanha@redhat.com> |
aio-posix: fix race between epoll upgrade and aio_set_fd_handler()
If another thread calls aio_set_fd_handler() while the IOThread event loop is upgrading from ppoll(2) to epoll(7) then we might mis
aio-posix: fix race between epoll upgrade and aio_set_fd_handler()
If another thread calls aio_set_fd_handler() while the IOThread event loop is upgrading from ppoll(2) to epoll(7) then we might miss new AioHandlers. The epollfd will not monitor the new AioHandler's fd, resulting in hangs.
Take the AioHandler list lock while upgrading to epoll. This prevents AioHandlers from changing while epoll is being set up. If we cannot lock because we're in a nested event loop, then don't upgrade to epoll (it will happen next time we're not in a nested call).
The downside to taking the lock is that the aio_set_fd_handler() thread has to wait until the epoll upgrade is finished, which involves many epoll_ctl(2) system calls. However, this scenario is rare and I couldn't think of another solution that is still simple.
Reported-by: Qing Wang <qinwang@redhat.com> Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090998 Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Fam Zheng <fam@euphon.net> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20230323144859.1338495-1-stefanha@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
show more ...
|
2957dc40 | 23-Mar-2023 |
Stefan Hajnoczi <stefanha@redhat.com> |
block/export: only acquire AioContext once for vhost_user_server_stop()
vhost_user_server_stop() uses AIO_WAIT_WHILE(). AIO_WAIT_WHILE() requires that AioContext is only acquired once.
Since blk_ex
block/export: only acquire AioContext once for vhost_user_server_stop()
vhost_user_server_stop() uses AIO_WAIT_WHILE(). AIO_WAIT_WHILE() requires that AioContext is only acquired once.
Since blk_exp_request_shutdown() already acquires the AioContext it shouldn't be acquired again in vhost_user_server_stop().
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20230323145853.1345527-1-stefanha@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
show more ...
|
f3ab43ac | 20-Mar-2023 |
Marc-André Lureau <marcandre.lureau@redhat.com> |
win32: add qemu_close_socket_osfhandle()
Close the given file descriptor, but returns the underlying SOCKET.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Be
win32: add qemu_close_socket_osfhandle()
Close the given file descriptor, but returns the underlying SOCKET.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20230320133643.1618437-2-marcandre.lureau@redhat.com>
show more ...
|