qemu-commits

[Qemu-commits] [qemu/qemu] e85ab8: vfio/pci: Disable INTx in vfio_realiz


From: mborgerson
Subject: [Qemu-commits] [qemu/qemu] e85ab8: vfio/pci: Disable INTx in vfio_realize error path
Date: Sat, 05 Aug 2023 12:40:10 -0700

  Branch: refs/heads/staging-8.0
  Home:   https://github.com/qemu/qemu
  Commit: e85ab8f753112c96f81fbd7cae08a5753b477b26
      https://github.com/qemu/qemu/commit/e85ab8f753112c96f81fbd7cae08a5753b477b26
  Author: Zhenzhong Duan <zhenzhong.duan@intel.com>
  Date:   2023-08-05 (Sat, 05 Aug 2023)

  Changed paths:
    M hw/vfio/pci.c

  Log Message:
  -----------
  vfio/pci: Disable INTx in vfio_realize error path

When vfio realize fails, INTx isn't disabled if it has been enabled.
This may confuse host side with unhandled interrupt report.

Fixes: c5478fea27ac ("vfio/pci: Respond to KVM irqchip change notifier")
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
(cherry picked from commit adee0da0368f50b3ee934cdeeb6076466dabb268)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
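The failure mode in this commit message (an earlier setup step left in effect when a later step of realize fails) is the classic "unwind in reverse order" problem. The following is an added illustration written for this page, not QEMU's vfio code: `FakeDev`, the stage names and the `realize_*` functions are hypothetical stand-ins, and the only claim it models is that a failed realize must undo whatever it had already enabled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the state a realize() builds up. The field
 * names are illustrative and are not QEMU's VFIOPCIDevice. */
typedef struct {
    bool intx_enabled;
    bool notifier_registered;
} FakeDev;

/* The caller picks which stage fails, so every error path can be exercised. */
enum stage { STAGE_NONE = 0, STAGE_INTX, STAGE_NOTIFIER, STAGE_LATE };

static int intx_enable(FakeDev *d, enum stage fail_at)
{
    if (fail_at == STAGE_INTX) return -EINVAL;
    d->intx_enabled = true;          /* host now expects us to handle INTx */
    return 0;
}
static void intx_disable(FakeDev *d) { d->intx_enabled = false; }

static int notifier_register(FakeDev *d, enum stage fail_at)
{
    if (fail_at == STAGE_NOTIFIER) return -EBUSY;
    d->notifier_registered = true;
    return 0;
}
static void notifier_unregister(FakeDev *d) { d->notifier_registered = false; }

static int late_step(enum stage fail_at) { return fail_at == STAGE_LATE ? -EIO : 0; }

/* Shape of the bug: each failure returns immediately, so INTx enabled by an
 * earlier stage stays enabled on the host after realize has failed. */
int realize_leaves_intx(FakeDev *d, enum stage fail_at)
{
    int ret = intx_enable(d, fail_at);
    if (ret) return ret;
    ret = notifier_register(d, fail_at);
    if (ret) return ret;
    return late_step(fail_at);
}

/* Shape of the fix: one label per stage, unwound in reverse order of setup,
 * so a failure at any stage tears down exactly what was set up before it. */
int realize_unwound(FakeDev *d, enum stage fail_at)
{
    int ret = intx_enable(d, fail_at);
    if (ret) return ret;
    ret = notifier_register(d, fail_at);
    if (ret) goto out_intx;
    ret = late_step(fail_at);
    if (ret) goto out_notifier;
    return 0;

out_notifier:
    notifier_unregister(d);
out_intx:
    intx_disable(d);
    return ret;
}

/* The invariant a unit test should check: a failed realize leaves nothing enabled. */
bool fully_torn_down(const FakeDev *d)
{
    return !d->intx_enabled && !d->notifier_registered;
}

int main(void)
{
    for (int s = STAGE_INTX; s <= STAGE_LATE; s++) {
        FakeDev a = {0}, b = {0};
        int ra = realize_leaves_intx(&a, s);
        int rb = realize_unwound(&b, s);
        printf("fail at stage %d: no-unwind ret=%d clean=%d | unwound ret=%d clean=%d\n",
               s, ra, (int)fully_torn_down(&a), rb, (int)fully_torn_down(&b));
    }
    return 0;
}
```

The point a reviewer checks on a patch like this is that the new teardown is placed in the error path of every stage that runs after the enable, not only the one that happened to be observed failing; the label-per-stage layout makes that easy to audit.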


  Commit: ade1bed2b7c2b64499d63a4f4ba445463dbc96f7
      https://github.com/qemu/qemu/commit/ade1bed2b7c2b64499d63a4f4ba445463dbc96f7
  Author: Hawkins Jiawei <yin31149@gmail.com>
  Date:   2023-08-05 (Sat, 05 Aug 2023)

  Changed paths:
    M net/vhost-vdpa.c

  Log Message:
  -----------
  vdpa: Fix possible use-after-free for VirtQueueElement

QEMU uses vhost_handle_guest_kick() to forward guest's available
buffers to the vdpa device in SVQ avail ring.

In vhost_handle_guest_kick(), a `g_autofree` `elem` is used to
iterate through the available VirtQueueElements. This `elem` is
then passed to `svq->ops->avail_handler`, specifically to the
vhost_vdpa_net_handle_ctrl_avail(). If this handler fails to
process the CVQ command, vhost_handle_guest_kick() regains
ownership of the `elem`, and either frees it or requeues it.

Yet the problem is that, vhost_vdpa_net_handle_ctrl_avail()
mistakenly frees the `elem`, even if it fails to forward the
CVQ command to vdpa device. This can result in a use-after-free
for the `elem` in vhost_handle_guest_kick().

This patch solves this problem by refactoring
vhost_vdpa_net_handle_ctrl_avail() to only freeing the `elem` if
it owns it.

Fixes: bd907ae4b0 ("vdpa: manual forward CVQ buffers")
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Message-Id: <e3f2d7db477734afe5c6a5ab3fa8b8317514ea34.1688746840.git.yin31149@gmail.com>
Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 031b1abacbdb3f4e016b6b926f7e7876c05339bb)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
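The commit message describes an ownership-protocol violation: the caller keeps ownership of `elem` on failure (it frees or requeues it), so a callee that frees on failure produces a double free or a use-after-free. The example below is added for this page and is not QEMU's code: `Elem`, `Stats`, `handle_kick` and the two `ctrl_avail_*` handlers are constructed stand-ins that mirror only the contract described above (handler owns the element on success, caller owns it on failure, `-ENOSPC` means requeue). Releases are quarantined rather than passed to `free()` so the defect shows up as a counter instead of a crash.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for VirtQueueElement (not QEMU's struct). */
typedef struct {
    unsigned index;
    bool freed;   /* instrumentation only: set by elem_release(), never cleared */
} Elem;

/* Counters the instrumented release/access functions update. */
typedef struct { int double_frees; int use_after_free; } Stats;

/* Quarantining release: marks the element dead instead of freeing it, so a
 * second release is observable rather than undefined behaviour. */
static void elem_release(Elem *e, Stats *st)
{
    if (e->freed) { st->double_frees++; return; }
    e->freed = true;
}

/* Any read of a released element is a use-after-free. */
static void elem_touch(const Elem *e, Stats *st)
{
    if (e->freed) st->use_after_free++;
}

/* Handler contract: `outcome` stands in for the result of forwarding the
 * CVQ command to the device (0 on success, a negative errno on failure). */
typedef int (*AvailHandler)(Elem *elem, int outcome, Stats *st);

/* Shape of the bug: the element is released on every path, including the
 * failure paths on which the caller still owns it. */
int ctrl_avail_before_fix(Elem *elem, int outcome, Stats *st)
{
    int r = outcome;
    /* ... forward the command; r is the device's result ... */
    elem_release(elem, st);      /* unconditional */
    return r;
}

/* Shape of the fix: ownership moves to the handler only on success, so on
 * failure the handler returns without touching the element at all. */
int ctrl_avail_after_fix(Elem *elem, int outcome, Stats *st)
{
    int r = outcome;
    if (r != 0) return r;        /* caller still owns elem */
    /* ... push the used element back to the guest ... */
    elem_release(elem, st);
    return 0;
}

/* Caller modelled on the description of vhost_handle_guest_kick(): the
 * element is auto-freed at scope exit unless the handler took it over, and
 * on -ENOSPC it is requeued, which reads it first. */
static void handle_kick(AvailHandler h, Elem *elem, int outcome, Stats *st)
{
    int r = h(elem, outcome, st);
    if (r != 0) {
        if (r == -ENOSPC) {
            elem_touch(elem, st);    /* requeue reads the element */
        }
        elem_release(elem, st);      /* what g_autofree does on scope exit */
        return;
    }
    /* success: the handler owns elem now, nothing left to release here */
}

/* Run one caller/handler interaction and report what the instrumentation saw. */
Stats run_scenario(AvailHandler h, int outcome)
{
    Stats st = {0, 0};
    Elem *elem = calloc(1, sizeof *elem);
    elem->index = 7;
    handle_kick(h, elem, outcome, &st);
    free(elem);                      /* real release of the quarantined block */
    return st;
}

int main(void)
{
    const int outcomes[] = { 0, -EIO, -ENOSPC };
    for (size_t i = 0; i < sizeof outcomes / sizeof outcomes[0]; i++) {
        Stats a = run_scenario(ctrl_avail_before_fix, outcomes[i]);
        Stats b = run_scenario(ctrl_avail_after_fix, outcomes[i]);
        printf("outcome %d: before fix df=%d uaf=%d | after fix df=%d uaf=%d\n",
               outcomes[i], a.double_frees, a.use_after_free,
               b.double_frees, b.use_after_free);
    }
    return 0;
}
```

Running it shows why the requeue path is the worse of the two: a plain failure only double-frees, while `-ENOSPC` reads the already-released element before freeing it again. Building QEMU with ASan or running the affected path under Valgrind is the practical way to catch this class of bug, since the counters here exist only because the release was instrumented.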


  Commit: f43e4e2594195ba86ef8c2415f2e6ad826498104
      https://github.com/qemu/qemu/commit/f43e4e2594195ba86ef8c2415f2e6ad826498104
  Author: Hawkins Jiawei <yin31149@gmail.com>
  Date:   2023-08-05 (Sat, 05 Aug 2023)

  Changed paths:
    M net/vhost-vdpa.c

  Log Message:
  -----------
  vdpa: Return -EIO if device ack is VIRTIO_NET_ERR in _load_mac()

According to VirtIO standard, "The class, command and
command-specific-data are set by the driver,
and the device sets the ack byte.
There is little it can do except issue a diagnostic
if ack is not VIRTIO_NET_OK."

Therefore, QEMU should stop sending the queued SVQ commands and
cancel the device startup if the device's ack is not VIRTIO_NET_OK.

Yet the problem is that, vhost_vdpa_net_load_mac() returns 1 based on
`*s->status != VIRTIO_NET_OK` when the device's ack is VIRTIO_NET_ERR.
As a result, net->nc->info->load() also returns 1, this makes
vhost_net_start_one() incorrectly assume the device state is
successfully loaded by vhost_vdpa_net_load() and return 0, instead of
goto `fail` label to cancel the device startup, as vhost_net_start_one()
only cancels the device startup when net->nc->info->load() returns a
negative value.

This patch fixes this problem by returning -EIO when the device's
ack is not VIRTIO_NET_OK.

Fixes: f73c0c43ac ("vdpa: extract vhost_vdpa_net_load_mac from vhost_vdpa_net_load")
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <a21731518644abbd0c495c5b7960527c5911f80d.1688438055.git.yin31149@gmail.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit b479bc3c9d5e473553137641fd31069c251f0d6e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 1d711f97a5fda98266ff8243028adfbc54233849
      https://github.com/qemu/qemu/commit/1d711f97a5fda98266ff8243028adfbc54233849
  Author: Hawkins Jiawei <yin31149@gmail.com>
  Date:   2023-08-05 (Sat, 05 Aug 2023)

  Changed paths:
    M net/vhost-vdpa.c

  Log Message:
  -----------
  vdpa: Return -EIO if device ack is VIRTIO_NET_ERR in _load_mq()

According to VirtIO standard, "The class, command and
command-specific-data are set by the driver,
and the device sets the ack byte.
There is little it can do except issue a diagnostic
if ack is not VIRTIO_NET_OK."

Therefore, QEMU should stop sending the queued SVQ commands and
cancel the device startup if the device's ack is not VIRTIO_NET_OK.

Yet the problem is that, vhost_vdpa_net_load_mq() returns 1 based on
`*s->status != VIRTIO_NET_OK` when the device's ack is VIRTIO_NET_ERR.
As a result, net->nc->info->load() also returns 1, this makes
vhost_net_start_one() incorrectly assume the device state is
successfully loaded by vhost_vdpa_net_load() and return 0, instead of
goto `fail` label to cancel the device startup, as vhost_net_start_one()
only cancels the device startup when net->nc->info->load() returns a
negative value.

This patch fixes this problem by returning -EIO when the device's
ack is not VIRTIO_NET_OK.

Fixes: f64c7cda69 ("vdpa: Add vhost_vdpa_net_load_mq")
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <ec515ebb0b4f56368751b9e318e245a5d994fa72.1688438055.git.yin31149@gmail.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit f45fd95ec9e8104f6af801c734375029dda0f542)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
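Both `_load_mac()` and `_load_mq()` commits above are the same defect: a helper reported a device-side failure as the boolean `1`, while the caller's contract only treats negative values as failure, so a rejected control command silently passed startup. The example below is an added illustration for this page, not QEMU's code: `FakeVdpaNet`, `send_ctrl`, the `load_*_before`/`load_*_after` helpers, `net_load` and `start_one` are hypothetical stand-ins that mirror only the control flow the two messages describe (the ack values `VIRTIO_NET_OK`/`VIRTIO_NET_ERR` are the spec's).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Ack values the device writes (virtio_net_ctrl_ack in the VirtIO spec). */
#define VIRTIO_NET_OK  0
#define VIRTIO_NET_ERR 1

/* Constructed device model: which control command it rejects, plus what we
 * want to observe afterwards. */
typedef struct {
    bool reject_mac;   /* device answers VIRTIO_NET_ERR to the MAC command */
    int  cmds_sent;    /* how many SVQ control commands reached the device */
    bool started;
} FakeVdpaNet;

/* "Send" one CVQ command and return the ack byte the device wrote. */
static unsigned char send_ctrl(FakeVdpaNet *s, bool rejected)
{
    s->cmds_sent++;
    return rejected ? VIRTIO_NET_ERR : VIRTIO_NET_OK;
}

/* Shape of the bug: the result is the comparison itself, i.e. 0 or 1. */
static int load_mac_before(FakeVdpaNet *s)
{
    unsigned char status = send_ctrl(s, s->reject_mac);
    return status != VIRTIO_NET_OK;
}
static int load_mq_before(FakeVdpaNet *s)
{
    unsigned char status = send_ctrl(s, false);
    return status != VIRTIO_NET_OK;
}

/* Shape of the fix: a rejected command is reported as a negative errno. */
static int load_mac_after(FakeVdpaNet *s)
{
    unsigned char status = send_ctrl(s, s->reject_mac);
    return status != VIRTIO_NET_OK ? -EIO : 0;
}
static int load_mq_after(FakeVdpaNet *s)
{
    unsigned char status = send_ctrl(s, false);
    return status != VIRTIO_NET_OK ? -EIO : 0;
}

typedef int (*LoadFn)(FakeVdpaNet *);

/* Like the described vhost_vdpa_net_load(): stop at the first helper that
 * reports anything non-zero, and pass its value up unchanged. */
static int net_load(FakeVdpaNet *s, LoadFn load_mac, LoadFn load_mq)
{
    int r = load_mac(s);
    if (r) return r;
    return load_mq(s);
}

/* Like the described vhost_net_start_one(): only a negative value cancels
 * startup. A positive 1 falls through and the device is marked started. */
int start_one(FakeVdpaNet *s, LoadFn load_mac, LoadFn load_mq)
{
    int r = net_load(s, load_mac, load_mq);
    if (r < 0) goto fail;
    s->started = true;
    return 0;
fail:
    s->started = false;
    return r;
}

int main(void)
{
    FakeVdpaNet a = { .reject_mac = true };
    int ra = start_one(&a, load_mac_before, load_mq_before);
    printf("before fix: ret=%d started=%d cmds_sent=%d\n", ra, (int)a.started, a.cmds_sent);

    FakeVdpaNet b = { .reject_mac = true };
    int rb = start_one(&b, load_mac_after, load_mq_after);
    printf("after fix:  ret=%d started=%d cmds_sent=%d\n", rb, (int)b.started, b.cmds_sent);
    return 0;
}
```

The pre-fix run is the interesting one: the MAC rejection does stop the remaining queued command (only one command is sent), yet `start_one` still reports success and the device comes up with only part of its state loaded. The general lesson is that a boundary whose contract is "negative means failure" must be fed errno-style values by every helper behind it; a `bool`-shaped result crossing that boundary is a silent pass.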


  Commit: bfe876cb303a9dc4fe60fe459eee1d5eb837773f
      https://github.com/qemu/qemu/commit/bfe876cb303a9dc4fe60fe459eee1d5eb837773f
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-08-05 (Sat, 05 Aug 2023)

  Changed paths:
    M target/ppc/mmu-hash64.c

  Log Message:
  -----------
  target/ppc: Implement ASDR register for ISA v3.0 for HPT

The ASDR register was introduced in ISA v3.0. It has not been
implemented for HPT. With HPT, ASDR is the format of the slbmte RS
operand (containing VSID), which matches the ppc_slb_t field.

Fixes: 3367c62f522b ("target/ppc: Support for POWER9 native hash")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-ID: <20230726182230.433945-2-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
(cherry picked from commit 9201af096962a1967ce5d0b270ed16ae4edd3db6)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: b96bb74e3a472bb7cf80789ba0a663f065534bc9
      https://github.com/qemu/qemu/commit/b96bb74e3a472bb7cf80789ba0a663f065534bc9
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-08-05 (Sat, 05 Aug 2023)

  Changed paths:
    M target/ppc/excp_helper.c

  Log Message:
  -----------
  target/ppc: Fix pending HDEC when entering PM state

HDEC is defined to not wake from PM state. There is a check in the HDEC
timer to avoid setting the interrupt if we are in a PM state, but no
check on PM entry to lower HDEC if it already fired. This can cause a
HDECR wake up and QEMU abort with unsupported exception in Power Save
mode.

Fixes: 4b236b621bf ("ppc: Initial HDEC support")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-ID: <20230726182230.433945-4-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
(cherry picked from commit 9915dac4847f3cc5ffd36e4c374a4eec83fe09b5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 979cdfbbfd72bb8a74a420048082990b9da7cc60
      https://github.com/qemu/qemu/commit/979cdfbbfd72bb8a74a420048082990b9da7cc60
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-08-05 (Sat, 05 Aug 2023)

  Changed paths:
    M target/ppc/mmu-hash64.c
    M target/ppc/mmu-hash64.h

  Log Message:
  -----------
  target/ppc: Fix VRMA page size for ISA v3.0

Until v2.07s, the VRMA page size (L||LP) was encoded in LPCR[VRMASD].
In v3.0 that moved to the partition table PS field.

The powernv machine can now run KVM HPT guests on POWER9/10 CPUs with
this fix and the patch to add ASDR.

Fixes: 3367c62f522b ("target/ppc: Support for POWER9 native hash")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-ID: <20230730111842.39292-1-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
(cherry picked from commit 0e2a3ec36885f6d79a96230f582d4455878c6373)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 7cb0210fcc50606e1096d315cedf0a3adb2d5243
      https://github.com/qemu/qemu/commit/7cb0210fcc50606e1096d315cedf0a3adb2d5243
  Author: Matt Borgerson <contact@mborgerson.com>
  Date:   2023-08-05 (Sat, 05 Aug 2023)

  Changed paths:
    M target/i386/tcg/decode-new.c.inc

  Log Message:
  -----------
  target/i386: Check CR0.TS before enter_mmx

When CR0.TS=1, execution of x87 FPU, MMX, and some SSE instructions will
cause a Device Not Available (DNA) exception (#NM). System software uses
this exception event to lazily context switch FPU state.

Before this patch, enter_mmx helpers may be generated just before #NM
generation, prematurely resetting FPU state before the guest has a
chance to save it.

Signed-off-by: Matt Borgerson <contact@mborgerson.com>
Message-ID: <CADc=-s5F10muEhLs4f3mxqsEPAHWj0XFfOC2sfFMVHrk9fcpMg@mail.gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b2ea6450d8e1336a33eb958ccc64604bc35a43dd)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
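The ordering problem in this commit message is a general emulator-correctness rule: an instruction that can fault must raise the fault before any of its architectural side effects are applied, or the guest's exception handler sees state that has already been modified. The example below is added for this page and is not QEMU's decoder: `Cpu`, `exec_mmx_before`/`exec_mmx_after` and the lazy-switch helper are hypothetical stand-ins that model only the three facts stated above (CR0.TS=1 makes MMX raise #NM, the OS uses #NM to save the previous owner's FPU state lazily, and entering MMX resets TOP and the tag word).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed, minimal CPU state: only the fields the ordering bug touches. */
typedef struct {
    bool cr0_ts;              /* CR0.TS set: FPU state belongs to another task */
    unsigned fptop;           /* x87 TOP of stack, 0..7 */
    unsigned char fptags[8];  /* simplified tag word: 0 = valid, 1 = empty */
} Cpu;

enum { EXCP_NONE = -1, EXCP_NM = 7 };   /* #NM is exception vector 7 */

/* The side effect of entering MMX mode: TOP = 0 and every tag marked valid. */
static void enter_mmx(Cpu *c)
{
    c->fptop = 0;
    memset(c->fptags, 0, sizeof c->fptags);
}

/* Shape of the bug: the MMX-entry helper runs before the #NM check, so the
 * previous owner's x87 state is already clobbered when the fault is raised. */
int exec_mmx_before(Cpu *c)
{
    enter_mmx(c);
    if (c->cr0_ts) return EXCP_NM;
    /* ... the MMX operation itself ... */
    return EXCP_NONE;
}

/* Shape of the fix: fault check first; no architectural state is modified
 * unless the instruction actually executes. */
int exec_mmx_after(Cpu *c)
{
    if (c->cr0_ts) return EXCP_NM;
    enter_mmx(c);
    /* ... the MMX operation itself ... */
    return EXCP_NONE;
}

/* Models a lazy-FPU OS: the guest runs an MMX instruction with TS=1, takes
 * #NM, and the handler saves the current x87 image on behalf of the previous
 * owner. Returns true only if that saved image equals what the previous owner
 * actually had, i.e. the fault did not destroy state. */
bool lazy_switch_preserves_state(int (*exec)(Cpu *))
{
    Cpu c = { .cr0_ts = true, .fptop = 3 };
    memset(c.fptags, 1, sizeof c.fptags);   /* all registers empty ... */
    c.fptags[3] = 0;                        /* ... except two live ones */
    c.fptags[4] = 0;
    Cpu before = c;                          /* what the previous owner expects back */

    if (exec(&c) != EXCP_NM) return false;   /* TS=1 must fault */

    /* #NM handler: what an FXSAVE would capture now. */
    return c.fptop == before.fptop &&
           memcmp(c.fptags, before.fptags, sizeof c.fptags) == 0;
}

/* With TS clear the instruction must run and enter MMX mode normally. */
bool mmx_runs_when_ts_clear(int (*exec)(Cpu *))
{
    Cpu c = { .cr0_ts = false, .fptop = 3 };
    memset(c.fptags, 1, sizeof c.fptags);
    if (exec(&c) != EXCP_NONE) return false;
    return c.fptop == 0 && c.fptags[0] == 0 && c.fptags[7] == 0;
}

int main(void)
{
    printf("before fix: state preserved across #NM = %d, runs with TS=0 = %d\n",
           (int)lazy_switch_preserves_state(exec_mmx_before),
           (int)mmx_runs_when_ts_clear(exec_mmx_before));
    printf("after fix:  state preserved across #NM = %d, runs with TS=0 = %d\n",
           (int)lazy_switch_preserves_state(exec_mmx_after),
           (int)mmx_runs_when_ts_clear(exec_mmx_after));
    return 0;
}
```

Both orderings behave identically when TS is clear, which is why this kind of bug survives ordinary testing: it only shows up under a guest OS that relies on lazy FPU switching, and then as silent register corruption in the task that owned the FPU rather than as a crash at the faulting instruction.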


Compare: https://github.com/qemu/qemu/compare/48be003029f1...7cb0210fcc50


