[Qemu-commits] [qemu/qemu] ea985d: pc_piix: remove pc-i440fx-1.4 up to pc-i440fx-1.7

From: Alex Bennée
Subject: [Qemu-commits] [qemu/qemu] ea985d: pc_piix: remove pc-i440fx-1.4 up to pc-i440fx-1.7
Date: Wed, 27 Sep 2023 13:14:04 -0700
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: ea985d235b868047cb4d8cb5657bcd8ad98c6ba2
https://github.com/qemu/qemu/commit/ea985d235b868047cb4d8cb5657bcd8ad98c6ba2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M docs/about/deprecated.rst
M docs/about/removed-features.rst
M hw/i386/pc.c
M hw/i386/pc_piix.c
M tests/qtest/test-x86-cpuid-compat.c
Log Message:
-----------
pc_piix: remove pc-i440fx-1.4 up to pc-i440fx-1.7
These are the last users of the 128K SeaBIOS blob in the i440FX family.
Removing them allows us to drop PCI support from the 128K blob,
thus making it easier to update SeaBIOS to newer versions.
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: a1fadbcf482c38407a8ff488b0f9a3c4332802d9
https://github.com/qemu/qemu/commit/a1fadbcf482c38407a8ff488b0f9a3c4332802d9
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M pc-bios/bios.bin
M roms/config.seabios-128k
Log Message:
-----------
seabios: remove PCI drivers from bios.bin
bios.bin is now used only by ISA PC, so PCI drivers are not necessary.
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 8a9fc82bac139f8814ed6ae338381a3992eb414c
https://github.com/qemu/qemu/commit/8a9fc82bac139f8814ed6ae338381a3992eb414c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M accel/tcg/user-exec-stub.c
Log Message:
-----------
user-exec-stub: remove unused variable
enable_cpu_pm is only used by softmmu-specific code, namely target/i386/host-cpu.c
and target/i386/kvm/*. It does not need a stub definition anymore.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 7cfcc79b0ab800959716738aff9419f53fc68c9c
https://github.com/qemu/qemu/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M hw/scsi/scsi-disk.c
Log Message:
-----------
hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]
We are doing things like
nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
with a division by 0 exception. Thus disallow block sizes of 256
bytes to avoid this situation.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
CVE: 2023-42467
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230925091854.49198-1-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
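The division quoted in the commit message, shown as an added C example that is not QEMU's code and not the fix as committed. It assumes the block length arrives from the guest in a MODE SELECT mode parameter block descriptor (modelled with constructed 8-byte descriptors; bytes 5..7 carry the block length in the SBC short format), and shows why any value below BDRV_SECTOR_SIZE turns the divisor into zero. The power-of-two test in the guard is this example's own extra hardening, not something the commit text states.

```c
/* Added example, not QEMU code: the per-sector division from the commit
 * message, fed by a guest-controlled block length, before and after a
 * "reject anything below 512" guard. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BDRV_SECTOR_SIZE 512   /* host-side sector size the block layer uses */

/* Constructed mode parameter block descriptors (SBC short format: bytes 5..7
 * carry the block length, big-endian): 512, 256 and 4096 bytes. */
static const uint8_t bd_512[8]  = { 0, 0, 0, 0, 0, 0x00, 0x02, 0x00 };
static const uint8_t bd_256[8]  = { 0, 0, 0, 0, 0, 0x00, 0x01, 0x00 };
static const uint8_t bd_4096[8] = { 0, 0, 0, 0, 0, 0x00, 0x10, 0x00 };

static uint32_t block_descriptor_length(const uint8_t bd[8])
{
    return ((uint32_t)bd[5] << 16) | ((uint32_t)bd[6] << 8) | bd[7];
}

/* Before the fix: divides by blocksize / 512, which is 0 for any blocksize
 * below 512 (integer division), so a guest that sets 256 raises SIGFPE in
 * the emulator. Only ever call this with a validated blocksize. */
static int64_t nb_blocks_unguarded(int64_t nb_sectors, uint32_t blocksize)
{
    return nb_sectors / (blocksize / BDRV_SECTOR_SIZE);
}

/* After the fix: refuse sizes the division cannot handle. The power-of-two
 * test is this example's extra hardening (assumption); the commit only
 * describes rejecting sizes below 512. */
static bool blocksize_is_valid(uint32_t blocksize)
{
    if (blocksize < BDRV_SECTOR_SIZE) {
        return false;
    }
    return (blocksize & (blocksize - 1)) == 0;
}

/* Returns the number of guest blocks, or -1 when the descriptor must be
 * rejected (the device would answer with an invalid-parameter error). */
static int64_t nb_blocks_from_descriptor(int64_t nb_sectors, const uint8_t bd[8])
{
    uint32_t blocksize = block_descriptor_length(bd);

    if (!blocksize_is_valid(blocksize)) {
        return -1;
    }
    return nb_blocks_unguarded(nb_sectors, blocksize);
}

int main(void)
{
    const uint8_t *descs[] = { bd_512, bd_256, bd_4096 };

    for (size_t i = 0; i < 3; i++) {
        uint32_t len = block_descriptor_length(descs[i]);
        int64_t n = nb_blocks_from_descriptor(2048, descs[i]);

        printf("block length %5u -> %s (%lld blocks)\n", (unsigned)len,
               n < 0 ? "rejected" : "accepted", (long long)n);
    }
    return 0;
}
```

The guard has to sit where the guest-supplied value is accepted, before it is stored; checking at each division site would leave the other users of the stored blocksize exposed.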
Commit: c431ffd47157ad4bd3a230570a31faa088c71260
https://github.com/qemu/qemu/commit/c431ffd47157ad4bd3a230570a31faa088c71260
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M softmmu/vl.c
Log Message:
-----------
vl: remove shadowed local variables
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 0cb9c5880e6b8dedc4e20026ce859dd1ea9aac84
https://github.com/qemu/qemu/commit/0cb9c5880e6b8dedc4e20026ce859dd1ea9aac84
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M ui/vnc.c
Log Message:
-----------
ui/vnc: fix debug output for invalid audio message
The debug message was cut and pasted from the invalid audio format
case, but the audio message is at bytes 2-3.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 477b301000d665313217f65e3a368d2cb7769c42
https://github.com/qemu/qemu/commit/477b301000d665313217f65e3a368d2cb7769c42
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M ui/vnc.c
Log Message:
-----------
ui/vnc: fix handling of VNC_FEATURE_XVP
VNC_FEATURE_XVP was not shifted left before adding it to vs->features,
so it was never enabled; but it was also checked the wrong way with
a logical AND instead of vnc_has_feature. Fix both places.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 4c186847ee0080a76dfef874322d634c429d43ad
https://github.com/qemu/qemu/commit/4c186847ee0080a76dfef874322d634c429d43ad
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M hw/scsi/mptsas.c
Log Message:
-----------
mptsas: avoid shadowed local variables
Rename the argument so that "addr" is only used inside the for loop.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 973d3ea5a1c0573149b7004108276ca01cb05fd2
https://github.com/qemu/qemu/commit/973d3ea5a1c0573149b7004108276ca01cb05fd2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M hw/i2c/pm_smbus.c
Log Message:
-----------
pm_smbus: rename variable to avoid shadowing
Acked-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 168d46749d19f4808022b9a88c0846b3286aed59
https://github.com/qemu/qemu/commit/168d46749d19f4808022b9a88c0846b3286aed59
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M tests/qtest/m48t59-test.c
Log Message:
-----------
m48t59-test: avoid possible overflow on ABS
Originally meant to avoid a shadowed variable "s", which was fixed by
renaming the outer declaration to "qts". Avoid the chance of an overflow
in the computation of ABS(t - s).
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: e0c3ef715baabbea6d59335bebfc7e40f1724d7e
https://github.com/qemu/qemu/commit/e0c3ef715baabbea6d59335bebfc7e40f1724d7e
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M target/i386/kvm/kvm.c
Log Message:
-----------
target/i386/kvm: eliminate shadowed local variables
These are harmless as they die immediately after their use.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 637123a21381b2c5833d9d663af06e3105d8caa9
https://github.com/qemu/qemu/commit/637123a21381b2c5833d9d663af06e3105d8caa9
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M target/i386/cpu.c
Log Message:
-----------
target/i386/cpu: avoid shadowed local variables
Reuse the pointer variable used for the unversioned model.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 19729affe1cd191f063db4b4d43058974cf43bc9
https://github.com/qemu/qemu/commit/19729affe1cd191f063db4b4d43058974cf43bc9
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M target/i386/tcg/translate.c
Log Message:
-----------
target/i386/translate: avoid shadowed local variables
Just remove the declaration. There is nothing in the function after the
switch statement, so it is safe to do.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: a908985971a38d335114e36f0b8b42fd85816cbe
https://github.com/qemu/qemu/commit/a908985971a38d335114e36f0b8b42fd85816cbe
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M target/i386/tcg/seg_helper.c
Log Message:
-----------
target/i386/seg_helper: introduce tss_set_busy
Eliminate a shadowed local variable in the process.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 49958057a2ff7503357ce624da0cd3a94ab554bf
https://github.com/qemu/qemu/commit/49958057a2ff7503357ce624da0cd3a94ab554bf
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M target/i386/tcg/seg_helper.c
Log Message:
-----------
target/i386/seg_helper: remove shadowed variable
Return the width of the new task directly from switch_tss_ra.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 1bce34aaa9d324b6d4aaf681e634e1840ca5d04e
https://github.com/qemu/qemu/commit/1bce34aaa9d324b6d4aaf681e634e1840ca5d04e
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M target/i386/tcg/sysemu/svm_helper.c
Log Message:
-----------
target/i386/svm_helper: eliminate duplicate local variable
This shadows an outer "cs" variable that is initialized to the
same expression.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: e2dbca033710efea20b0b0a26ca05570dcdabd49
https://github.com/qemu/qemu/commit/e2dbca033710efea20b0b0a26ca05570dcdabd49
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M block/io.c
M block/qcow2.c
M block/qed.c
M block/throttle-groups.c
Log Message:
-----------
block: mark mixed functions that can suspend
The marking should be extended transitively to all functions that call
these ones, so that static analysis can be done much more efficiently.
However, this is a start and makes it possible to use vrc's path-based
searches to find potential bugs where coroutine_fns call blocking functions.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: d79b9202e45711e37e5ba5b3fbfccb4b9fff78a1
https://github.com/qemu/qemu/commit/d79b9202e45711e37e5ba5b3fbfccb4b9fff78a1
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M include/qemu/compiler.h
M include/qemu/osdep.h
Log Message:
-----------
compiler: introduce QEMU_ANNOTATE
Allow a shorter syntax when defining wrapper macros for
__attribute__((annotate(...))).
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 417f8c8ebfa32823b23fed957dcbc7108cb77dea
https://github.com/qemu/qemu/commit/417f8c8ebfa32823b23fed957dcbc7108cb77dea
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-26 (Tue, 26 Sep 2023)
Changed paths:
M audio/audio.c
Log Message:
-----------
audio: remove shadowed locals
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 5dfd80e38b63dc5bf2202bc87a9b1a3e1460efb9
https://github.com/qemu/qemu/commit/5dfd80e38b63dc5bf2202bc87a9b1a3e1460efb9
Author: Stefan Hajnoczi <stefanha@redhat.com>
Date: 2023-09-27 (Wed, 27 Sep 2023)
Changed paths:
M accel/tcg/user-exec-stub.c
M audio/audio.c
M block/io.c
M block/qcow2.c
M block/qed.c
M block/throttle-groups.c
M docs/about/deprecated.rst
M docs/about/removed-features.rst
M hw/i2c/pm_smbus.c
M hw/i386/pc.c
M hw/i386/pc_piix.c
M hw/scsi/mptsas.c
M hw/scsi/scsi-disk.c
M include/qemu/compiler.h
M include/qemu/osdep.h
M pc-bios/bios.bin
M roms/config.seabios-128k
M softmmu/vl.c
M target/i386/cpu.c
M target/i386/kvm/kvm.c
M target/i386/tcg/seg_helper.c
M target/i386/tcg/sysemu/svm_helper.c
M target/i386/tcg/translate.c
M tests/qtest/m48t59-test.c
M tests/qtest/test-x86-cpuid-compat.c
M ui/vnc.c
Log Message:
-----------
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
* new round of audio cleanups
* various shadowed local variable fixes in vl, mptsas, pm_smbus, target/i386
* remove deprecated pc-i440fx-1.4 up to pc-i440fx-1.7
* remove PCI drivers from 128K bios.bin
* remove unused variable in user-exec-stub.c
* small fixes for ui/vnc
* scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]
# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmUTDaoUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroMvEgf+NrSaP4pmHrYcVtm43fnKXoLHFrCx
# KYfoK9Lke/DDkTff6rrcfW/Wyqid6Pp9Ch4Rrpr/X71X5gi+c6xb5klC8cpSfLg4
# gtuGctj7WL7KR/067EsLqHvzBob/iebFhZwhtsBrI+z65X+J9pOK78efBTdhezq4
# EEHTWohMAg1I/MWBK5VnOk2fI4+9z9K9zP5AtWmJzwwJkQUoEyl+YDkVmIhMYoGn
# CapRO7i2wIvtoF4wuQUCGsOLmrcWTvRIOcV13k3b6PYCPC40/N9AOpiiyg3XqNah
# UKKM9CcgVnCzCc4Jar2QD+MzkTDxhmQSyLFJgtzrW7CQSE5YB3sUHj3CXg==
# =8nvs
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 26 Sep 2023 12:58:18 EDT
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
audio: remove shadowed locals
compiler: introduce QEMU_ANNOTATE
block: mark mixed functions that can suspend
target/i386/svm_helper: eliminate duplicate local variable
target/i386/seg_helper: remove shadowed variable
target/i386/seg_helper: introduce tss_set_busy
target/i386/translate: avoid shadowed local variables
target/i386/cpu: avoid shadowed local variables
target/i386/kvm: eliminate shadowed local variables
m48t59-test: avoid possible overflow on ABS
pm_smbus: rename variable to avoid shadowing
mptsas: avoid shadowed local variables
ui/vnc: fix handling of VNC_FEATURE_XVP
ui/vnc: fix debug output for invalid audio message
vl: remove shadowed local variables
hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]
user-exec-stub: remove unused variable
seabios: remove PCI drivers from bios.bin
pc_piix: remove pc-i440fx-1.4 up to pc-i440fx-1.7
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Commit: cf02f29e1e3843784630d04783e372fa541a77e5
https://github.com/qemu/qemu/commit/cf02f29e1e3843784630d04783e372fa541a77e5
Author: Peter Xu <peterx@redhat.com>
Date: 2023-09-27 (Wed, 27 Sep 2023)
Changed paths:
M migration/migration.c
M migration/migration.h
M migration/postcopy-ram.c
Log Message:
-----------
migration: Fix race that dest preempt thread close too early
We hit an intermittent CI issue, failing at migration-test over the unit test
preempt/plain:
qemu-system-x86_64: Unable to read from socket: Connection reset by peer
Memory content inconsistency at 5b43000 first_byte = bd last_byte = bc current = 4f hit_edge = 1
**
ERROR:../tests/qtest/migration-test.c:300:check_guests_ram: assertion failed: (bad == 0)
(test program exited with status code -6)
Fabiano debugged into it and found that the preempt thread can quit even
without receiving all the pages, which can cause guest not receiving all
the pages and corrupt the guest memory.
To make sure preempt thread finished receiving all the pages, we can rely
on the page_requested_count being zero because preempt channel will only
receive requested page faults. Note, not all the faulted pages are required
to be sent via the preempt channel/thread; imagine the case when a
requested page is just queued into the background main channel for
migration, the src qemu will just still send it via the background channel.
Here instead of spinning over reading the count, we add a condvar so the
main thread can wait on it if that unusual case happened, without burning
the cpu for no good reason, even if the duration is short; so even if we
spin in this rare case it is probably fine. It's just better to not do so.
The condvar is only used when that special case is triggered. Some memory
ordering trick is needed to guarantee it from happening (against the
preempt thread status field), so the main thread will always get a kick
when that triggers correctly.
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1886
Debugged-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-2-farosas@suse.de>
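The wait described in the commit message, as an added pthreads example that is not QEMU's code: a worker standing in for the preempt thread decrements a pending-page counter as it consumes requests, and the main thread sleeps on a condition variable instead of spinning on the counter. The decrement, the status flag and the wakeup are all covered by one mutex, which is the ordering guarantee the message refers to. The names (pending_pages, worker_done, run_drain) are this example's own.

```c
/* Added example, not QEMU code: waiting for an outstanding-request count
 * to drain with a mutex + condvar instead of spinning on the counter. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

struct drain_state {
    pthread_mutex_t lock;
    pthread_cond_t  drained;        /* signalled when pending_pages hits 0 */
    unsigned long   pending_pages;  /* stand-in for page_requested_count */
    bool            worker_done;    /* stand-in for the preempt thread status */
};

/* Worker: consumes one "requested page" per iteration. The decrement and
 * the wakeup happen under the same lock, so the waiter can never check the
 * count, find it non-zero, and then miss the signal. */
static void *preempt_worker(void *opaque)
{
    struct drain_state *s = opaque;

    for (;;) {
        pthread_mutex_lock(&s->lock);
        if (s->pending_pages == 0) {
            s->worker_done = true;
            pthread_cond_broadcast(&s->drained);
            pthread_mutex_unlock(&s->lock);
            return NULL;
        }
        s->pending_pages--;
        if (s->pending_pages == 0) {
            pthread_cond_broadcast(&s->drained);
        }
        pthread_mutex_unlock(&s->lock);
    }
}

/* Main thread: blocks until every requested page has been consumed and
 * returns the count observed on wakeup (0 on success). The while loop
 * re-checks the predicate under the lock, which also covers spurious
 * wakeups. */
static unsigned long wait_for_drain(struct drain_state *s)
{
    unsigned long seen;

    pthread_mutex_lock(&s->lock);
    while (s->pending_pages != 0) {
        pthread_cond_wait(&s->drained, &s->lock);
    }
    seen = s->pending_pages;
    pthread_mutex_unlock(&s->lock);
    return seen;
}

/* Run one worker over `pages` requests and wait for it to drain. Returns
 * true when the main thread saw the count reach zero and the worker
 * finished. */
static bool run_drain(unsigned long pages)
{
    struct drain_state s = {
        .lock = PTHREAD_MUTEX_INITIALIZER,
        .drained = PTHREAD_COND_INITIALIZER,
        .pending_pages = pages,
        .worker_done = false,
    };
    pthread_t tid;
    unsigned long left;

    if (pthread_create(&tid, NULL, preempt_worker, &s) != 0) {
        return false;
    }
    left = wait_for_drain(&s);
    pthread_join(tid, NULL);
    return left == 0 && s.worker_done;
}

int main(void)
{
    printf("drained 50 pages: %s\n", run_drain(50) ? "yes" : "no");
    printf("drained 0 pages:  %s\n", run_drain(0) ? "yes" : "no");
    return 0;
}
```

The point of the loop in wait_for_drain is that the counter, not the signal, is the source of truth: the waiter only proceeds once it has observed zero under the lock, whichever side got there first.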
Commit: 28a8347281e24c2e7bba6d3301472eda41d4c096
https://github.com/qemu/qemu/commit/28a8347281e24c2e7bba6d3301472eda41d4c096
Author: Fabiano Rosas <farosas@suse.de>
Date: 2023-09-27 (Wed, 27 Sep 2023)
Changed paths:
M migration/migration.c
Log Message:
-----------
migration: Fix possible race when setting rp_state.error
We don't need to set the rp_state.error right after a shutdown because
qemu_file_shutdown() always sets the QEMUFile error, so the return
path thread would have seen it and set the rp error itself.
Setting the error outside of the thread is also racy because the
thread could clear it after we set it.
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-3-farosas@suse.de>
Commit: 639decf529793fc544c8055b82be8abe77fa48fa
https://github.com/qemu/qemu/commit/639decf529793fc544c8055b82be8abe77fa48fa
Author: Fabiano Rosas <farosas@suse.de>
Date: 2023-09-27 (Wed, 27 Sep 2023)
Changed paths:
M migration/migration.c
Log Message:
-----------
migration: Fix possible races when shutting down the return path
We cannot call qemu_file_shutdown() on the return path file without
taking the file lock. The return path thread could be running its
cleanup code and have just cleared the from_dst_file pointer.
Checking ms->to_dst_file for errors could also race with
migrate_fd_cleanup() which clears the to_dst_file pointer.
Protect both accesses by taking the file lock.
This was caught by inspection, it should be rare, but the next patches
will start calling this code from other places, so let's do the
correct thing.
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-4-farosas@suse.de>
Commit: 7478fb0df914f0a5ab551ff74b1df62dd250500e
https://github.com/qemu/qemu/commit/7478fb0df914f0a5ab551ff74b1df62dd250500e
Author: Fabiano Rosas <farosas@suse.de>
Date: 2023-09-27 (Wed, 27 Sep 2023)
Changed paths:
M migration/migration.c
Log Message:
-----------
migration: Fix possible race when shutting down to_dst_file
It's not safe to call qemu_file_shutdown() on the to_dst_file without
first checking for the file's presence under the lock. The cleanup of
this file happens at postcopy_pause() and migrate_fd_cleanup() which
are not necessarily running in the same thread as migrate_fd_cancel().
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-5-farosas@suse.de>
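The two commits above (the return path shutdown and the to_dst_file shutdown) describe the same hazard: a pointer to a file object that another thread clears during cleanup. As an added pthreads example that is not QEMU's code: the struct and function names are invented here, the real cleanup frees the file where this example poisons a marker instead, and the cancel side is shown twice, once reading the pointer without the lock and once reading and using it under the same lock the cleanup takes to clear it.

```c
/* Added example, not QEMU code: shutting down a shared file object whose
 * pointer another thread may clear, with and without holding the lock. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

#define LIVE_MAGIC 0x51454d55u   /* marker while the file is open */
#define DEAD_MAGIC 0xdeadbeefu   /* poisoned by cleanup instead of free() */

struct qfile {
    unsigned magic;
    int shut;            /* how many times shutdown ran on it */
};

struct mig_state {
    pthread_mutex_t lock;        /* stand-in for the file lock in the commits */
    struct qfile *to_dst_file;
    struct qfile storage;
};

/* Cleanup path (migrate_fd_cleanup / postcopy_pause in the commit text):
 * clears the pointer under the lock, then tears the object down. */
static void fd_cleanup(struct mig_state *ms)
{
    pthread_mutex_lock(&ms->lock);
    struct qfile *f = ms->to_dst_file;
    ms->to_dst_file = NULL;
    pthread_mutex_unlock(&ms->lock);
    if (f) {
        f->magic = DEAD_MAGIC;   /* free() in the real code */
    }
}

/* Both cancel variants return 1 when shutdown ran on a live file, 0 when
 * there was nothing to shut down, and -1 when they touched a file that
 * cleanup had already torn down. */
static int fd_cancel_unlocked(struct mig_state *ms)
{
    struct qfile *f = ms->to_dst_file;   /* RACY: read without the lock */

    if (!f) {
        return 0;
    }
    if (f->magic != LIVE_MAGIC) {
        return -1;                       /* use after cleanup */
    }
    f->shut++;
    return 1;
}

static int fd_cancel_locked(struct mig_state *ms)
{
    int rc = 0;

    pthread_mutex_lock(&ms->lock);
    struct qfile *f = ms->to_dst_file;   /* cleanup cannot clear it while we hold the lock */
    if (f) {
        rc = (f->magic == LIVE_MAGIC) ? 1 : -1;
        if (rc == 1) {
            f->shut++;
        }
    }
    pthread_mutex_unlock(&ms->lock);
    return rc;
}

struct race_args {
    struct mig_state *ms;
    bool locked;
    int rc;
};

static void *cancel_thread(void *opaque)
{
    struct race_args *a = opaque;

    a->rc = a->locked ? fd_cancel_locked(a->ms) : fd_cancel_unlocked(a->ms);
    return NULL;
}

/* Runs `iters` rounds of cancel racing cleanup. Returns the number of rounds
 * in which cancel touched a torn-down file (0 is the goal), or -1 on error. */
static int run_race(int iters, bool locked)
{
    int bad = 0;

    for (int i = 0; i < iters; i++) {
        struct mig_state ms = { .lock = PTHREAD_MUTEX_INITIALIZER };
        struct race_args a = { .ms = &ms, .locked = locked };
        pthread_t tid;

        ms.storage.magic = LIVE_MAGIC;
        ms.storage.shut = 0;
        ms.to_dst_file = &ms.storage;
        if (pthread_create(&tid, NULL, cancel_thread, &a) != 0) {
            return -1;
        }
        fd_cleanup(&ms);
        pthread_join(tid, NULL);
        if (a.rc < 0) {
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("locked cancel, bad rounds:   %d\n", run_race(500, true));
    printf("unlocked cancel, bad rounds: %d\n", run_race(500, false));
    return 0;
}
```

With the lock held, the pointer read and the use of the object happen before cleanup can clear the pointer, so the -1 path is unreachable. The unlocked run is a demonstration only: how many bad rounds it reports depends on scheduling and may well be zero, which is exactly why the commit says the bug was caught by inspection rather than by a failing test.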
Commit: b3b101157d4651f12e6b3361af2de6bace7f9b4a
https://github.com/qemu/qemu/commit/b3b101157d4651f12e6b3361af2de6bace7f9b4a
Author: Fabiano Rosas <farosas@suse.de>
Date: 2023-09-27 (Wed, 27 Sep 2023)
Changed paths:
M migration/migration.c
Log Message:
-----------
migration: Remove redundant cleanup of postcopy_qemufile_src
This file is owned by the return path thread which is already doing
cleanup.
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-6-farosas@suse.de>
Commit: d50f5dc075cbb891bfe4a9378600a4871264468a
https://github.com/qemu/qemu/commit/d50f5dc075cbb891bfe4a9378600a4871264468a
Author: Fabiano Rosas <farosas@suse.de>
Date: 2023-09-27 (Wed, 27 Sep 2023)
Changed paths:
M migration/migration.c
Log Message:
-----------
migration: Consolidate return path closing code
We'll start calling the await_return_path_close_on_source() function
from other parts of the code, so move all of the related checks and
tracepoints into it.
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-7-farosas@suse.de>
Commit: ef796ee93b313ed2f0b427ef30320417387d2ad5
https://github.com/qemu/qemu/commit/ef796ee93b313ed2f0b427ef30320417387d2ad5
Author: Fabiano Rosas <farosas@suse.de>
Date: 2023-09-27 (Wed, 27 Sep 2023)
Changed paths:
M migration/migration.c
M migration/migration.h
Log Message:
-----------
migration: Replace the return path retry logic
Replace the return path retry logic with finishing and restarting the
thread. This fixes a race when resuming the migration that leads to a
segfault.
Currently when doing postcopy we consider that an IO error on the
return path file could be due to a network intermittency. We then keep
the thread alive but have it do cleanup of the 'from_dst_file' and
wait on the 'postcopy_pause_rp' semaphore. When the user issues a
migrate resume, a new return path is opened and the thread is allowed
to continue.
There's a race condition in the above mechanism. It is possible for
the new return path file to be setup *before* the cleanup code in the
return path thread has had a chance to run, leading to the *new* file
being closed and the pointer set to NULL. When the thread is released
after the resume, it tries to dereference 'from_dst_file' and crashes:
Thread 7 "return path" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd1dbf700 (LWP 9611)]
0x00005555560e4893 in qemu_file_get_error_obj (f=0x0, errp=0x0) at ../migration/qemu-file.c:154
154         return f->last_error;
(gdb) bt
#0  0x00005555560e4893 in qemu_file_get_error_obj (f=0x0, errp=0x0) at ../migration/qemu-file.c:154
#1  0x00005555560e4983 in qemu_file_get_error (f=0x0) at ../migration/qemu-file.c:206
#2  0x0000555555b9a1df in source_return_path_thread (opaque=0x555556e06000) at ../migration/migration.c:1876
#3  0x000055555602e14f in qemu_thread_start (args=0x55555782e780) at ../util/qemu-thread-posix.c:541
#4  0x00007ffff38d76ea in start_thread (arg=0x7fffd1dbf700) at pthread_create.c:477
#5  0x00007ffff35efa6f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Here's the race (important bit is open_return_path happening before
migration_release_dst_files):
 migration                | qmp                         | return path
--------------------------+-----------------------------+---------------------------------
 qmp_migrate_pause()
  shutdown(ms->to_dst_file)
   f->last_error = -EIO
 migrate_detect_error()
  postcopy_pause()
   set_state(PAUSED)
   wait(postcopy_pause_sem)
                           qmp_migrate(resume)
                           migrate_fd_connect()
                            resume = state == PAUSED
                            open_return_path <-- TOO SOON!
                            set_state(RECOVER)
                            post(postcopy_pause_sem)
                                                         (incoming closes
                                                          to_src_file)
                                                         res = qemu_file_get_error(rp)
                                                         migration_release_dst_files()
                                                          ms->rp_state.from_dst_file = NULL
  post(postcopy_pause_rp_sem)
                                                         postcopy_pause_return_path_thread()
                                                          wait(postcopy_pause_rp_sem)
                                                          rp = ms->rp_state.from_dst_file
                                                          goto retry
                                                          qemu_file_get_error(rp)
                                                          SIGSEGV
-------------------------------------------------------------------------------------------
We can keep the retry logic without having the thread alive and
waiting. The only piece of data used by it is the 'from_dst_file' and
it is only allowed to proceed after a migrate resume is issued and the
semaphore released at migrate_fd_connect().
Move the retry logic to outside the thread by waiting for the thread
to finish before pausing the migration.
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-8-farosas@suse.de>
Commit: 36e9aab3c569d4c9ad780473596e18479838d1aa
https://github.com/qemu/qemu/commit/36e9aab3c569d4c9ad780473596e18479838d1aa
Author: Fabiano Rosas <farosas@suse.de>
Date: 2023-09-27 (Wed, 27 Sep 2023)
Changed paths:
M migration/migration.c
Log Message:
-----------
migration: Move return path cleanup to main migration thread
Now that the return path thread is allowed to finish during a paused
migration, we can move the cleanup of the QEMUFiles to the main
migration thread.
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-9-farosas@suse.de>
Compare: https://github.com/qemu/qemu/compare/11a629d246e4...36e9aab3c569