Fix "failed to set up stack guard page: Cannot allocate memory"
(rhbz#2143006)
@ -1,10 +1,10 @@
|
|||
From 375a476bcdefe65057a38fe6ae3f50b941e63ddd Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Tue, 1 Feb 2022 20:09:37 +0100
|
||||
Subject: [PATCH] target/i386: the sgx_epc_get_section stub is reachable
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Content-type: text/plain
|
||||
|
||||
The sgx_epc_get_section stub is reachable from cpu_x86_cpuid. It
|
||||
should not assert, instead it should just return true just like
|
||||
|
@ -28,3 +28,6 @@ index 26833eb233..16b1dfd90b 100644
|
|||
- g_assert_not_reached();
|
||||
+ return true;
|
||||
}
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
From 7a5a6dbbf40f7d2313173573b99dd26069f7e309 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Date: Wed, 27 Apr 2022 15:35:36 +0100
|
||||
Subject: [PATCH] virtio-scsi: fix ctrl and event handler functions in
|
||||
dataplane mode
|
||||
Content-type: text/plain
|
||||
|
||||
Commit f34e8d8b8d48d73f36a67b6d5e492ef9784b5012 ("virtio-scsi: prepare
|
||||
virtio_scsi_handle_cmd for dataplane") prepared the virtio-scsi cmd
|
||||
|
@ -106,3 +106,6 @@ index 34a968ecfb..417fbc71d6 100644
|
|||
virtio_scsi_acquire(s);
|
||||
virtio_scsi_handle_event_vq(s, vq);
|
||||
virtio_scsi_release(s);
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
From 5a595325d84fe48fcef921b0810073906ff9284b Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Date: Tue, 17 May 2022 09:27:45 +0100
|
||||
Subject: [PATCH] virtio-scsi: don't waste CPU polling the event virtqueue
|
||||
Content-type: text/plain
|
||||
|
||||
The virtio-scsi event virtqueue is not emptied by its handler function.
|
||||
This is typical for rx virtqueues where the device uses buffers when
|
||||
|
@ -89,3 +89,6 @@ index b31c4507f5..b62a35fdca 100644
|
|||
void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx);
|
||||
VirtQueue *virtio_vector_first_queue(VirtIODevice *vdev, uint16_t vector);
|
||||
VirtQueue *virtio_vector_next_queue(VirtQueue *vq);
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
From 5edca84f63de972dd08e0c63c7c67003df237f23 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Date: Tue, 17 May 2022 09:28:06 +0100
|
||||
Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_event_vq()
|
||||
Content-type: text/plain
|
||||
|
||||
virtio_scsi_handle_event_vq() is only called from hw/scsi/virtio-scsi.c
|
||||
now and its return value is no longer used. Remove the function
|
||||
|
@ -49,3 +49,6 @@ index 543681bc18..5957597825 100644
|
|||
bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
|
||||
bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq);
|
||||
void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
From 4c4bec46e2ccbcb1e8360b118b46681369e3f05c Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Date: Tue, 17 May 2022 09:28:12 +0100
|
||||
Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_ctrl_vq()
|
||||
Content-type: text/plain
|
||||
|
||||
virtio_scsi_handle_ctrl_vq() is only called from hw/scsi/virtio-scsi.c
|
||||
now and its return value is no longer used. Remove the function
|
||||
|
@ -52,3 +52,6 @@ index 5957597825..44dc3b81ec 100644
|
|||
void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
|
||||
void virtio_scsi_free_req(VirtIOSCSIReq *req);
|
||||
void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
From 67a97290efc0e89c7c48bba46ed68de35121b9de Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Date: Tue, 17 May 2022 09:28:19 +0100
|
||||
Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_cmd_vq()
|
||||
Content-type: text/plain
|
||||
|
||||
virtio_scsi_handle_cmd_vq() is only called from hw/scsi/virtio-scsi.c
|
||||
now and its return value is no longer used. Remove the function
|
||||
|
@ -64,3 +64,6 @@ index 44dc3b81ec..2497530064 100644
|
|||
void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
|
||||
void virtio_scsi_free_req(VirtIOSCSIReq *req);
|
||||
void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
From 8c2d952c608b15e188db90e26b7238d35f5cf289 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Date: Tue, 17 May 2022 09:28:26 +0100
|
||||
Subject: [PATCH] virtio-scsi: move request-related items from .h to .c
|
||||
Content-type: text/plain
|
||||
|
||||
There is no longer a need to expose the request and related APIs in
|
||||
virtio-scsi.h since there are no callers outside virtio-scsi.c.
|
||||
|
@ -155,3 +155,6 @@ index 2497530064..abdda2cbd0 100644
|
|||
|
||||
void virtio_scsi_dataplane_setup(VirtIOSCSI *s, Error **errp);
|
||||
int virtio_scsi_dataplane_start(VirtIODevice *s);
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
From 7bbf88bfd6b5200926294788386398193afe623f Mon Sep 17 00:00:00 2001
|
||||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Sat, 4 Jun 2022 20:28:58 -0400
|
||||
Subject: [PATCH] Disable flakey dbus-display-test
|
||||
Content-type: text/plain
|
||||
|
||||
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||
---
|
||||
|
@ -34,3 +34,6 @@ index d25f82bb5a..d085604727 100644
|
|||
qtest_executables = {}
|
||||
foreach dir : target_dirs
|
||||
if not dir.endswith('-softmmu')
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
From 1917ca47ce2234b7d279f16aa7ef1ff165902d1f Mon Sep 17 00:00:00 2001
|
||||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Sat, 4 Jun 2022 20:29:46 -0400
|
||||
Subject: [PATCH] Fix iotests with modules and qemu-system-s390x
|
||||
Content-type: text/plain
|
||||
|
||||
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||
---
|
||||
|
@ -30,3 +30,6 @@ index 227e0a5be9..97f8e0a15f 100644
|
|||
grep ^name | sed -e 's/^name "//' -e 's/".*$//')
|
||||
for device
|
||||
do
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
From 830cda479ec661b752c9c2566bcca0ac22bb478b Mon Sep 17 00:00:00 2001
|
||||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Sun, 5 Jun 2022 12:48:29 -0400
|
||||
Subject: [PATCH] Skip iotests entirely
|
||||
Content-type: text/plain
|
||||
|
||||
Getting sporadic failures like described here:
|
||||
https://www.mail-archive.com/qemu-devel@nongnu.org/msg887683.html
|
||||
|
@ -24,3 +24,6 @@ index f59496396c..09cc735da4 100755
|
|||
# QEMU_CHECK_BLOCK_AUTO is used to disable some unstable sub-tests
|
||||
export QEMU_CHECK_BLOCK_AUTO=1
|
||||
export PYTHONUTF8=1
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From a7f14aae85022007a4c77e0792a1abb0509a08eb Mon Sep 17 00:00:00 2001
|
||||
From 7605dc625bfd03c4f6bb8daddde909aac3e4badb Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||
Date: Tue, 2 Aug 2022 12:34:23 -0400
|
||||
Subject: [PATCH] linux-user: fix compat with glibc >= 2.36 sys/mount.h
|
||||
|
@ -53,7 +53,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|||
2 files changed, 20 insertions(+)
|
||||
|
||||
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
|
||||
index b27a6552aa..52d178afe7 100644
|
||||
index f65045efe6..834a86183c 100644
|
||||
--- a/linux-user/syscall.c
|
||||
+++ b/linux-user/syscall.c
|
||||
@@ -95,7 +95,25 @@
|
||||
|
@ -83,10 +83,10 @@ index b27a6552aa..52d178afe7 100644
|
|||
#if defined(CONFIG_FIEMAP)
|
||||
#include <linux/fiemap.h>
|
||||
diff --git a/meson.build b/meson.build
|
||||
index 294e9a8f32..30a380752c 100644
|
||||
index 861de93c4f..8ca99671ec 100644
|
||||
--- a/meson.build
|
||||
+++ b/meson.build
|
||||
@@ -1963,6 +1963,8 @@ config_host_data.set('HAVE_OPTRESET',
|
||||
@@ -1686,6 +1686,8 @@ config_host_data.set('HAVE_OPTRESET',
|
||||
cc.has_header_symbol('getopt.h', 'optreset'))
|
||||
config_host_data.set('HAVE_IPPROTO_MPTCP',
|
||||
cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
|
||||
|
@ -96,5 +96,5 @@ index 294e9a8f32..30a380752c 100644
|
|||
# has_member
|
||||
config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
|
||||
--
|
||||
2.37.1
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
From ac42f1e87f4f963836461691be22e39128b4eff2 Mon Sep 17 00:00:00 2001
|
||||
From: Guo Zhi <qtxuning1999@sjtu.edu.cn>
|
||||
Date: Tue, 3 May 2022 17:17:24 +0800
|
||||
Subject: [PATCH] vga: avoid crash if no default vga card
|
||||
|
@ -21,7 +22,7 @@ index 6f646531a0..b16c1c48fa 100644
|
|||
--- a/softmmu/vl.c
|
||||
+++ b/softmmu/vl.c
|
||||
@@ -974,7 +974,8 @@ static void select_vgahw(const MachineClass *machine_class, const char *p)
|
||||
|
||||
|
||||
if (vga_interface_available(t) && ti->opt_name) {
|
||||
printf("%-20s %s%s\n", ti->opt_name, ti->name ?: "",
|
||||
- g_str_equal(ti->opt_name, def) ? " (default)" : "");
|
||||
|
@ -30,3 +31,6 @@ index 6f646531a0..b16c1c48fa 100644
|
|||
}
|
||||
}
|
||||
exit(0);
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
From 754371b1f2f872156dda4cb4aa16b510c142c381 Mon Sep 17 00:00:00 2001
|
||||
From: Mauro Matteo Cascella <mcascell@redhat.com>
|
||||
Date: Tue, 5 Jul 2022 22:05:43 +0200
|
||||
Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
|
||||
|
@ -39,7 +40,7 @@ index c8773f73f7..ad5f5e5f39 100644
|
|||
scsi_req_cancel(s->current->req);
|
||||
+ current_req = NULL;
|
||||
}
|
||||
|
||||
|
||||
/* As the current implemented devices scsi_disk and scsi_generic
|
||||
diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
|
||||
index ba5d468970..0f968024c8 100644
|
||||
|
@ -48,7 +49,7 @@ index ba5d468970..0f968024c8 100644
|
|||
@@ -8,6 +8,79 @@
|
||||
#include "qemu/osdep.h"
|
||||
#include "libqos/libqtest.h"
|
||||
|
||||
|
||||
+/*
|
||||
+ * This used to trigger a UAF in lsi_do_msgout()
|
||||
+ * https://gitlab.com/qemu-project/qemu/-/issues/972
|
||||
|
@ -132,5 +133,8 @@ index ba5d468970..0f968024c8 100644
|
|||
+ qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
|
||||
+ test_lsi_do_msgout_cancel_req);
|
||||
}
|
||||
|
||||
|
||||
return g_test_run();
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
From effa979582e34687688df36c9a10b33862f2581f Mon Sep 17 00:00:00 2001
|
||||
From: Mauro Matteo Cascella <mcascell@redhat.com>
|
||||
Date: Sun, 25 Sep 2022 22:45:11 +0200
|
||||
Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
|
||||
|
@ -35,7 +36,7 @@ index 310a873c21..8a2e176b64 100644
|
|||
" which exceeds our limit of 1MB.", dlen);
|
||||
@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
|
||||
}
|
||||
|
||||
|
||||
if (read_s32(data, 4) < 0) {
|
||||
- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
|
||||
- read_u32(data, 8), data + 12);
|
||||
|
@ -49,3 +50,6 @@ index 310a873c21..8a2e176b64 100644
|
|||
break;
|
||||
}
|
||||
vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
||||
|
|
|
@ -0,0 +1,92 @@
|
|||
From 9be9b8e36940756582c453c6bf08daa6955f916e Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Wolf <kwolf@redhat.com>
|
||||
Date: Tue, 10 May 2022 17:10:19 +0200
|
||||
Subject: [PATCH] coroutine: Rename qemu_coroutine_inc/dec_pool_size()
|
||||
|
||||
It's true that these functions currently affect the batch size in which
|
||||
coroutines are reused (i.e. moved from the global release pool to the
|
||||
allocation pool of a specific thread), but this is a bug and will be
|
||||
fixed in a separate patch.
|
||||
|
||||
In fact, the comment in the header file already just promises that it
|
||||
influences the pool size, so reflect this in the name of the functions.
|
||||
As a nice side effect, the shorter function name makes some line
|
||||
wrapping unnecessary.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
Message-Id: <20220510151020.105528-2-kwolf@redhat.com>
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
(cherry picked from commit 98e3ab35054b946f7c2aba5408822532b0920b53)
|
||||
---
|
||||
hw/block/virtio-blk.c | 6 ++----
|
||||
include/qemu/coroutine.h | 6 +++---
|
||||
util/qemu-coroutine.c | 4 ++--
|
||||
3 files changed, 7 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
|
||||
index 540c38f829..6a1cc41877 100644
|
||||
--- a/hw/block/virtio-blk.c
|
||||
+++ b/hw/block/virtio-blk.c
|
||||
@@ -1215,8 +1215,7 @@ static void virtio_blk_device_realize(DeviceState *dev, Error **errp)
|
||||
for (i = 0; i < conf->num_queues; i++) {
|
||||
virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output);
|
||||
}
|
||||
- qemu_coroutine_increase_pool_batch_size(conf->num_queues * conf->queue_size
|
||||
- / 2);
|
||||
+ qemu_coroutine_inc_pool_size(conf->num_queues * conf->queue_size / 2);
|
||||
virtio_blk_data_plane_create(vdev, conf, &s->dataplane, &err);
|
||||
if (err != NULL) {
|
||||
error_propagate(errp, err);
|
||||
@@ -1253,8 +1252,7 @@ static void virtio_blk_device_unrealize(DeviceState *dev)
|
||||
for (i = 0; i < conf->num_queues; i++) {
|
||||
virtio_del_queue(vdev, i);
|
||||
}
|
||||
- qemu_coroutine_decrease_pool_batch_size(conf->num_queues * conf->queue_size
|
||||
- / 2);
|
||||
+ qemu_coroutine_dec_pool_size(conf->num_queues * conf->queue_size / 2);
|
||||
qemu_del_vm_change_state_handler(s->change);
|
||||
blockdev_mark_auto_del(s->blk);
|
||||
virtio_cleanup(vdev);
|
||||
diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
|
||||
index c828a95ee0..5b621d1295 100644
|
||||
--- a/include/qemu/coroutine.h
|
||||
+++ b/include/qemu/coroutine.h
|
||||
@@ -334,12 +334,12 @@ void coroutine_fn yield_until_fd_readable(int fd);
|
||||
/**
|
||||
* Increase coroutine pool size
|
||||
*/
|
||||
-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size);
|
||||
+void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size);
|
||||
|
||||
/**
|
||||
- * Devcrease coroutine pool size
|
||||
+ * Decrease coroutine pool size
|
||||
*/
|
||||
-void qemu_coroutine_decrease_pool_batch_size(unsigned int additional_pool_size);
|
||||
+void qemu_coroutine_dec_pool_size(unsigned int additional_pool_size);
|
||||
|
||||
#include "qemu/lockable.h"
|
||||
|
||||
diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
|
||||
index c03b2422ff..faca0ca97c 100644
|
||||
--- a/util/qemu-coroutine.c
|
||||
+++ b/util/qemu-coroutine.c
|
||||
@@ -205,12 +205,12 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)
|
||||
return co->ctx;
|
||||
}
|
||||
|
||||
-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size)
|
||||
+void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
|
||||
{
|
||||
qatomic_add(&pool_batch_size, additional_pool_size);
|
||||
}
|
||||
|
||||
-void qemu_coroutine_decrease_pool_batch_size(unsigned int removing_pool_size)
|
||||
+void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
|
||||
{
|
||||
qatomic_sub(&pool_batch_size, removing_pool_size);
|
||||
}
|
||||
--
|
||||
2.37.0.rc2
|
||||
|
|
@ -0,0 +1,123 @@
|
|||
From f1ea4c55f0e9bb05db980f27b392617ef6615954 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Wolf <kwolf@redhat.com>
|
||||
Date: Tue, 10 May 2022 17:10:20 +0200
|
||||
Subject: [PATCH] coroutine: Revert to constant batch size
|
||||
|
||||
Commit 4c41c69e changed the way the coroutine pool is sized because for
|
||||
virtio-blk devices with a large queue size and heavy I/O, it was just
|
||||
too small and caused coroutines to be deleted and reallocated soon
|
||||
afterwards. The change made the size dynamic based on the number of
|
||||
queues and the queue size of virtio-blk devices.
|
||||
|
||||
There are two important numbers here: Slightly simplified, when a
|
||||
coroutine terminates, it is generally stored in the global release pool
|
||||
up to a certain pool size, and if the pool is full, it is freed.
|
||||
Conversely, when allocating a new coroutine, the coroutines in the
|
||||
release pool are reused if the pool already has reached a certain
|
||||
minimum size (the batch size), otherwise we allocate new coroutines.
|
||||
|
||||
The problem after commit 4c41c69e is that it not only increases the
|
||||
maximum pool size (which is the intended effect), but also the batch
|
||||
size for reusing coroutines (which is a bug). It means that in cases
|
||||
with many devices and/or a large queue size (which defaults to the
|
||||
number of vcpus for virtio-blk-pci), many thousand coroutines could be
|
||||
sitting in the release pool without being reused.
|
||||
|
||||
This is not only a waste of memory and allocations, but it actually
|
||||
makes the QEMU process likely to hit the vm.max_map_count limit on Linux
|
||||
because each coroutine requires two mappings (its stack and the guard
|
||||
page for the stack), causing it to abort() in qemu_alloc_stack() because
|
||||
when the limit is hit, mprotect() starts to fail with ENOMEM.
|
||||
|
||||
In order to fix the problem, change the batch size back to 64 to avoid
|
||||
uselessly accumulating coroutines in the release pool, but keep the
|
||||
dynamic maximum pool size so that coroutines aren't freed too early
|
||||
in heavy I/O scenarios.
|
||||
|
||||
Note that this fix doesn't strictly make it impossible to hit the limit,
|
||||
but this would only happen if most of the coroutines are actually in use
|
||||
at the same time, not just sitting in a pool. This is the same behaviour
|
||||
as we already had before commit 4c41c69e. Fully preventing this would
|
||||
require allowing qemu_coroutine_create() to return an error, but it
|
||||
doesn't seem to be a scenario that people hit in practice.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2079938
|
||||
Fixes: 4c41c69e05fe28c0f95f8abd2ebf407e95a4f04b
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
Message-Id: <20220510151020.105528-3-kwolf@redhat.com>
|
||||
Tested-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
(cherry picked from commit 9ec7a59b5aad4b736871c378d30f5ef5ec51cb52)
|
||||
---
|
||||
util/qemu-coroutine.c | 22 ++++++++++++++--------
|
||||
1 file changed, 14 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
|
||||
index faca0ca97c..804f672e0a 100644
|
||||
--- a/util/qemu-coroutine.c
|
||||
+++ b/util/qemu-coroutine.c
|
||||
@@ -20,14 +20,20 @@
|
||||
#include "qemu/coroutine_int.h"
|
||||
#include "block/aio.h"
|
||||
|
||||
-/** Initial batch size is 64, and is increased on demand */
|
||||
+/**
|
||||
+ * The minimal batch size is always 64, coroutines from the release_pool are
|
||||
+ * reused as soon as there are 64 coroutines in it. The maximum pool size starts
|
||||
+ * with 64 and is increased on demand so that coroutines are not deleted even if
|
||||
+ * they are not immediately reused.
|
||||
+ */
|
||||
enum {
|
||||
- POOL_INITIAL_BATCH_SIZE = 64,
|
||||
+ POOL_MIN_BATCH_SIZE = 64,
|
||||
+ POOL_INITIAL_MAX_SIZE = 64,
|
||||
};
|
||||
|
||||
/** Free list to speed up creation */
|
||||
static QSLIST_HEAD(, Coroutine) release_pool = QSLIST_HEAD_INITIALIZER(pool);
|
||||
-static unsigned int pool_batch_size = POOL_INITIAL_BATCH_SIZE;
|
||||
+static unsigned int pool_max_size = POOL_INITIAL_MAX_SIZE;
|
||||
static unsigned int release_pool_size;
|
||||
static __thread QSLIST_HEAD(, Coroutine) alloc_pool = QSLIST_HEAD_INITIALIZER(pool);
|
||||
static __thread unsigned int alloc_pool_size;
|
||||
@@ -51,7 +57,7 @@ Coroutine *qemu_coroutine_create(CoroutineEntry *entry, void *opaque)
|
||||
if (CONFIG_COROUTINE_POOL) {
|
||||
co = QSLIST_FIRST(&alloc_pool);
|
||||
if (!co) {
|
||||
- if (release_pool_size > qatomic_read(&pool_batch_size)) {
|
||||
+ if (release_pool_size > POOL_MIN_BATCH_SIZE) {
|
||||
/* Slow path; a good place to register the destructor, too. */
|
||||
if (!coroutine_pool_cleanup_notifier.notify) {
|
||||
coroutine_pool_cleanup_notifier.notify = coroutine_pool_cleanup;
|
||||
@@ -88,12 +94,12 @@ static void coroutine_delete(Coroutine *co)
|
||||
co->caller = NULL;
|
||||
|
||||
if (CONFIG_COROUTINE_POOL) {
|
||||
- if (release_pool_size < qatomic_read(&pool_batch_size) * 2) {
|
||||
+ if (release_pool_size < qatomic_read(&pool_max_size) * 2) {
|
||||
QSLIST_INSERT_HEAD_ATOMIC(&release_pool, co, pool_next);
|
||||
qatomic_inc(&release_pool_size);
|
||||
return;
|
||||
}
|
||||
- if (alloc_pool_size < qatomic_read(&pool_batch_size)) {
|
||||
+ if (alloc_pool_size < qatomic_read(&pool_max_size)) {
|
||||
QSLIST_INSERT_HEAD(&alloc_pool, co, pool_next);
|
||||
alloc_pool_size++;
|
||||
return;
|
||||
@@ -207,10 +213,10 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)
|
||||
|
||||
void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
|
||||
{
|
||||
- qatomic_add(&pool_batch_size, additional_pool_size);
|
||||
+ qatomic_add(&pool_max_size, additional_pool_size);
|
||||
}
|
||||
|
||||
void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
|
||||
{
|
||||
- qatomic_sub(&pool_batch_size, removing_pool_size);
|
||||
+ qatomic_sub(&pool_max_size, removing_pool_size);
|
||||
}
|
||||
--
|
||||
2.37.0.rc2
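Review bot: `qemu_coroutine_dec_pool_size()` in the last hunk subtracts from the unsigned `pool_max_size` with no check that `removing_pool_size` is at most the current value, so an unbalanced or oversized decrement wraps the maximum to a value near UINT_MAX; `coroutine_delete()` then always sees `release_pool_size < pool_max_size * 2` and keeps every finished coroutine, which is the unbounded pool growth and mapping exhaustion this patch sets out to fix. The only callers visible on this page (virtio-blk realize/unrealize in the 0015 patch) pass the same `num_queues * queue_size / 2` expression on both sides, so today this is defensive, but the pair is a public API in include/qemu/coroutine.h and nothing enforces the pairing. I would add `assert(qatomic_read(&pool_max_size) >= removing_pool_size);` before the `qatomic_sub()` (or clamp at `POOL_INITIAL_MAX_SIZE` and warn), and note in the header that every decrement must correspond to an earlier increment of the same size. The unatomic read of `release_pool_size` in `qemu_coroutine_create()` predates this patch and is not changed here.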
|
||||
|
10
qemu.spec
10
qemu.spec
|
@ -317,7 +317,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
|
|||
%endif
|
||||
|
||||
# To prevent rpmdev-bumpspec breakage
|
||||
%global baserelease 10
|
||||
%global baserelease 11
|
||||
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
|
@ -360,6 +360,10 @@ Patch: 0012-vga-avoid-crash-if-no-default-vga-card.patch
|
|||
Patch: 0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch
|
||||
# vnc-clipboard: fix integer underflow (CVE-2022-3165)
|
||||
Patch: 0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch
|
||||
# Fix "failed to set up stack guard page: Cannot allocate memory"
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2143006
|
||||
Patch: 0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch
|
||||
Patch: 0016-coroutine-Revert-to-constant-batch-size.patch
|
||||
|
||||
BuildRequires: meson >= %{meson_version}
|
||||
BuildRequires: zlib-devel
|
||||
|
@ -2724,6 +2728,10 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
|
|||
|
||||
|
||||
%changelog
|
||||
* Wed Nov 16 2022 Richard W.M. Jones <rjones@redhat.com> - 7.0.0-11
|
||||
- Fix "failed to set up stack guard page: Cannot allocate memory"
|
||||
(rhbz#2143006)
|
||||
|
||||
* Tue Oct 18 2022 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.0.0-10
|
||||
- vga: avoid crash if no default vga card (rhbz#2095639)
|
||||
- lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216) (rhbz#2070902)
|
||||
|
|