Fix "failed to set up stack guard page: Cannot allocate memory"

(rhbz#2143006)

0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch

@@ -1,10 +1,10 @@
+From 375a476bcdefe65057a38fe6ae3f50b941e63ddd Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini@redhat.com>
 Date: Tue, 1 Feb 2022 20:09:37 +0100
 Subject: [PATCH] target/i386: the sgx_epc_get_section stub is reachable
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Content-type: text/plain
 
 The sgx_epc_get_section stub is reachable from cpu_x86_cpuid.  It
 should not assert, instead it should just return true just like
@@ -28,3 +28,6 @@ index 26833eb233..16b1dfd90b 100644
 -    g_assert_not_reached();
 +    return true;
  }
+-- 
+2.37.0.rc2
+

0002-virtio-scsi-fix-ctrl-and-event-handler-functions-in-.patch

@@ -1,8 +1,8 @@
+From 7a5a6dbbf40f7d2313173573b99dd26069f7e309 Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Wed, 27 Apr 2022 15:35:36 +0100
 Subject: [PATCH] virtio-scsi: fix ctrl and event handler functions in
  dataplane mode
-Content-type: text/plain
 
 Commit f34e8d8b8d48d73f36a67b6d5e492ef9784b5012 ("virtio-scsi: prepare
 virtio_scsi_handle_cmd for dataplane") prepared the virtio-scsi cmd
@@ -106,3 +106,6 @@ index 34a968ecfb..417fbc71d6 100644
      virtio_scsi_acquire(s);
      virtio_scsi_handle_event_vq(s, vq);
      virtio_scsi_release(s);
+-- 
+2.37.0.rc2
+

0003-virtio-scsi-don-t-waste-CPU-polling-the-event-virtqu.patch

@@ -1,7 +1,7 @@
+From 5a595325d84fe48fcef921b0810073906ff9284b Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Tue, 17 May 2022 09:27:45 +0100
 Subject: [PATCH] virtio-scsi: don't waste CPU polling the event virtqueue
-Content-type: text/plain
 
 The virtio-scsi event virtqueue is not emptied by its handler function.
 This is typical for rx virtqueues where the device uses buffers when
@@ -89,3 +89,6 @@ index b31c4507f5..b62a35fdca 100644
  void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx);
  VirtQueue *virtio_vector_first_queue(VirtIODevice *vdev, uint16_t vector);
  VirtQueue *virtio_vector_next_queue(VirtQueue *vq);
+-- 
+2.37.0.rc2
+

0004-virtio-scsi-clean-up-virtio_scsi_handle_event_vq.patch

@@ -1,7 +1,7 @@
+From 5edca84f63de972dd08e0c63c7c67003df237f23 Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Tue, 17 May 2022 09:28:06 +0100
 Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_event_vq()
-Content-type: text/plain
 
 virtio_scsi_handle_event_vq() is only called from hw/scsi/virtio-scsi.c
 now and its return value is no longer used. Remove the function
@@ -49,3 +49,6 @@ index 543681bc18..5957597825 100644
  bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
  bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq);
  void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
+-- 
+2.37.0.rc2
+

0005-virtio-scsi-clean-up-virtio_scsi_handle_ctrl_vq.patch

@@ -1,7 +1,7 @@
+From 4c4bec46e2ccbcb1e8360b118b46681369e3f05c Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Tue, 17 May 2022 09:28:12 +0100
 Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_ctrl_vq()
-Content-type: text/plain
 
 virtio_scsi_handle_ctrl_vq() is only called from hw/scsi/virtio-scsi.c
 now and its return value is no longer used. Remove the function
@@ -52,3 +52,6 @@ index 5957597825..44dc3b81ec 100644
  void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
  void virtio_scsi_free_req(VirtIOSCSIReq *req);
  void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
+-- 
+2.37.0.rc2
+

0006-virtio-scsi-clean-up-virtio_scsi_handle_cmd_vq.patch

@@ -1,7 +1,7 @@
+From 67a97290efc0e89c7c48bba46ed68de35121b9de Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Tue, 17 May 2022 09:28:19 +0100
 Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_cmd_vq()
-Content-type: text/plain
 
 virtio_scsi_handle_cmd_vq() is only called from hw/scsi/virtio-scsi.c
 now and its return value is no longer used. Remove the function
@@ -64,3 +64,6 @@ index 44dc3b81ec..2497530064 100644
  void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
  void virtio_scsi_free_req(VirtIOSCSIReq *req);
  void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
+-- 
+2.37.0.rc2
+

0007-virtio-scsi-move-request-related-items-from-.h-to-.c.patch

@@ -1,7 +1,7 @@
+From 8c2d952c608b15e188db90e26b7238d35f5cf289 Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Tue, 17 May 2022 09:28:26 +0100
 Subject: [PATCH] virtio-scsi: move request-related items from .h to .c
-Content-type: text/plain
 
 There is no longer a need to expose the request and related APIs in
 virtio-scsi.h since there are no callers outside virtio-scsi.c.
@@ -155,3 +155,6 @@ index 2497530064..abdda2cbd0 100644
  
  void virtio_scsi_dataplane_setup(VirtIOSCSI *s, Error **errp);
  int virtio_scsi_dataplane_start(VirtIODevice *s);
+-- 
+2.37.0.rc2
+

0008-Disable-flakey-dbus-display-test.patch

@@ -1,7 +1,7 @@
+From 7bbf88bfd6b5200926294788386398193afe623f Mon Sep 17 00:00:00 2001
 From: Cole Robinson <crobinso@redhat.com>
 Date: Sat, 4 Jun 2022 20:28:58 -0400
 Subject: [PATCH] Disable flakey dbus-display-test
-Content-type: text/plain
 
 Signed-off-by: Cole Robinson <crobinso@redhat.com>
 ---
@@ -34,3 +34,6 @@ index d25f82bb5a..d085604727 100644
  qtest_executables = {}
  foreach dir : target_dirs
    if not dir.endswith('-softmmu')
+-- 
+2.37.0.rc2
+

0009-Fix-iotests-with-modules-and-qemu-system-s390x.patch

@@ -1,7 +1,7 @@
+From 1917ca47ce2234b7d279f16aa7ef1ff165902d1f Mon Sep 17 00:00:00 2001
 From: Cole Robinson <crobinso@redhat.com>
 Date: Sat, 4 Jun 2022 20:29:46 -0400
 Subject: [PATCH] Fix iotests with modules and qemu-system-s390x
-Content-type: text/plain
 
 Signed-off-by: Cole Robinson <crobinso@redhat.com>
 ---
@@ -30,3 +30,6 @@ index 227e0a5be9..97f8e0a15f 100644
                  grep ^name | sed -e 's/^name "//' -e 's/".*$//')
      for device
      do
+-- 
+2.37.0.rc2
+

0010-Skip-iotests-entirely.patch

@@ -1,7 +1,7 @@
+From 830cda479ec661b752c9c2566bcca0ac22bb478b Mon Sep 17 00:00:00 2001
 From: Cole Robinson <crobinso@redhat.com>
 Date: Sun, 5 Jun 2022 12:48:29 -0400
 Subject: [PATCH] Skip iotests entirely
-Content-type: text/plain
 
 Getting sporadic failures like described here:
 https://www.mail-archive.com/qemu-devel@nongnu.org/msg887683.html
@@ -24,3 +24,6 @@ index f59496396c..09cc735da4 100755
  # QEMU_CHECK_BLOCK_AUTO is used to disable some unstable sub-tests
  export QEMU_CHECK_BLOCK_AUTO=1
  export PYTHONUTF8=1
+-- 
+2.37.0.rc2
+

0011-linux-user-fix-compat-with-glibc-2.36-sys-mount.h.patch

@@ -1,4 +1,4 @@
-From a7f14aae85022007a4c77e0792a1abb0509a08eb Mon Sep 17 00:00:00 2001
+From 7605dc625bfd03c4f6bb8daddde909aac3e4badb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 2 Aug 2022 12:34:23 -0400
 Subject: [PATCH] linux-user: fix compat with glibc >= 2.36 sys/mount.h
@@ -53,7 +53,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
  2 files changed, 20 insertions(+)
 
 diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index b27a6552aa..52d178afe7 100644
+index f65045efe6..834a86183c 100644
 --- a/linux-user/syscall.c
 +++ b/linux-user/syscall.c
 @@ -95,7 +95,25 @@
@@ -83,10 +83,10 @@ index b27a6552aa..52d178afe7 100644
  #if defined(CONFIG_FIEMAP)
  #include <linux/fiemap.h>
 diff --git a/meson.build b/meson.build
-index 294e9a8f32..30a380752c 100644
+index 861de93c4f..8ca99671ec 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -1963,6 +1963,8 @@ config_host_data.set('HAVE_OPTRESET',
+@@ -1686,6 +1686,8 @@ config_host_data.set('HAVE_OPTRESET',
                       cc.has_header_symbol('getopt.h', 'optreset'))
  config_host_data.set('HAVE_IPPROTO_MPTCP',
                       cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
@@ -96,5 +96,5 @@ index 294e9a8f32..30a380752c 100644
  # has_member
  config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
 -- 
-2.37.1
+2.37.0.rc2
 

0012-vga-avoid-crash-if-no-default-vga-card.patch

@@ -1,3 +1,4 @@
+From ac42f1e87f4f963836461691be22e39128b4eff2 Mon Sep 17 00:00:00 2001
 From: Guo Zhi <qtxuning1999@sjtu.edu.cn>
 Date: Tue, 3 May 2022 17:17:24 +0800
 Subject: [PATCH] vga: avoid crash if no default vga card
@@ -21,7 +22,7 @@ index 6f646531a0..b16c1c48fa 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
 @@ -974,7 +974,8 @@ static void select_vgahw(const MachineClass *machine_class, const char *p)
-
+ 
              if (vga_interface_available(t) && ti->opt_name) {
                  printf("%-20s %s%s\n", ti->opt_name, ti->name ?: "",
 -                       g_str_equal(ti->opt_name, def) ? " (default)" : "");
@@ -30,3 +31,6 @@ index 6f646531a0..b16c1c48fa 100644
              }
          }
          exit(0);
+-- 
+2.37.0.rc2
+

0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch

@@ -1,3 +1,4 @@
+From 754371b1f2f872156dda4cb4aa16b510c142c381 Mon Sep 17 00:00:00 2001
 From: Mauro Matteo Cascella <mcascell@redhat.com>
 Date: Tue, 5 Jul 2022 22:05:43 +0200
 Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
@@ -39,7 +40,7 @@ index c8773f73f7..ad5f5e5f39 100644
                  scsi_req_cancel(s->current->req);
 +                current_req = NULL;
              }
-
+ 
              /* As the current implemented devices scsi_disk and scsi_generic
 diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
 index ba5d468970..0f968024c8 100644
@@ -48,7 +49,7 @@ index ba5d468970..0f968024c8 100644
 @@ -8,6 +8,79 @@
  #include "qemu/osdep.h"
  #include "libqos/libqtest.h"
-
+ 
 +/*
 + * This used to trigger a UAF in lsi_do_msgout()
 + * https://gitlab.com/qemu-project/qemu/-/issues/972
@@ -132,5 +133,8 @@ index ba5d468970..0f968024c8 100644
 +        qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
 +                       test_lsi_do_msgout_cancel_req);
      }
-
+ 
      return g_test_run();
+-- 
+2.37.0.rc2
+

0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch

@@ -1,3 +1,4 @@
+From effa979582e34687688df36c9a10b33862f2581f Mon Sep 17 00:00:00 2001
 From: Mauro Matteo Cascella <mcascell@redhat.com>
 Date: Sun, 25 Sep 2022 22:45:11 +0200
 Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
@@ -35,7 +36,7 @@ index 310a873c21..8a2e176b64 100644
                               " which exceeds our limit of 1MB.", dlen);
 @@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
          }
-
+ 
          if (read_s32(data, 4) < 0) {
 -            vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
 -                                    read_u32(data, 8), data + 12);
@@ -49,3 +50,6 @@ index 310a873c21..8a2e176b64 100644
              break;
          }
          vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
+-- 
+2.37.0.rc2
+

0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch

@@ -0,0 +1,92 @@
+From 9be9b8e36940756582c453c6bf08daa6955f916e Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Tue, 10 May 2022 17:10:19 +0200
+Subject: [PATCH] coroutine: Rename qemu_coroutine_inc/dec_pool_size()
+
+It's true that these functions currently affect the batch size in which
+coroutines are reused (i.e. moved from the global release pool to the
+allocation pool of a specific thread), but this is a bug and will be
+fixed in a separate patch.
+
+In fact, the comment in the header file already just promises that it
+influences the pool size, so reflect this in the name of the functions.
+As a nice side effect, the shorter function name makes some line
+wrapping unnecessary.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20220510151020.105528-2-kwolf@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 98e3ab35054b946f7c2aba5408822532b0920b53)
+---
+ hw/block/virtio-blk.c    | 6 ++----
+ include/qemu/coroutine.h | 6 +++---
+ util/qemu-coroutine.c    | 4 ++--
+ 3 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
+index 540c38f829..6a1cc41877 100644
+--- a/hw/block/virtio-blk.c
++++ b/hw/block/virtio-blk.c
+@@ -1215,8 +1215,7 @@ static void virtio_blk_device_realize(DeviceState *dev, Error **errp)
+     for (i = 0; i < conf->num_queues; i++) {
+         virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output);
+     }
+-    qemu_coroutine_increase_pool_batch_size(conf->num_queues * conf->queue_size
+-                                            / 2);
++    qemu_coroutine_inc_pool_size(conf->num_queues * conf->queue_size / 2);
+     virtio_blk_data_plane_create(vdev, conf, &s->dataplane, &err);
+     if (err != NULL) {
+         error_propagate(errp, err);
+@@ -1253,8 +1252,7 @@ static void virtio_blk_device_unrealize(DeviceState *dev)
+     for (i = 0; i < conf->num_queues; i++) {
+         virtio_del_queue(vdev, i);
+     }
+-    qemu_coroutine_decrease_pool_batch_size(conf->num_queues * conf->queue_size
+-                                            / 2);
++    qemu_coroutine_dec_pool_size(conf->num_queues * conf->queue_size / 2);
+     qemu_del_vm_change_state_handler(s->change);
+     blockdev_mark_auto_del(s->blk);
+     virtio_cleanup(vdev);
+diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
+index c828a95ee0..5b621d1295 100644
+--- a/include/qemu/coroutine.h
++++ b/include/qemu/coroutine.h
+@@ -334,12 +334,12 @@ void coroutine_fn yield_until_fd_readable(int fd);
+ /**
+  * Increase coroutine pool size
+  */
+-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size);
++void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size);
+ 
+ /**
+- * Devcrease coroutine pool size
++ * Decrease coroutine pool size
+  */
+-void qemu_coroutine_decrease_pool_batch_size(unsigned int additional_pool_size);
++void qemu_coroutine_dec_pool_size(unsigned int additional_pool_size);
+ 
+ #include "qemu/lockable.h"
+ 
+diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
+index c03b2422ff..faca0ca97c 100644
+--- a/util/qemu-coroutine.c
++++ b/util/qemu-coroutine.c
+@@ -205,12 +205,12 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)
+     return co->ctx;
+ }
+ 
+-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size)
++void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
+ {
+     qatomic_add(&pool_batch_size, additional_pool_size);
+ }
+ 
+-void qemu_coroutine_decrease_pool_batch_size(unsigned int removing_pool_size)
++void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
+ {
+     qatomic_sub(&pool_batch_size, removing_pool_size);
+ }
+-- 
+2.37.0.rc2
+

0016-coroutine-Revert-to-constant-batch-size.patch

@@ -0,0 +1,123 @@
+From f1ea4c55f0e9bb05db980f27b392617ef6615954 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Tue, 10 May 2022 17:10:20 +0200
+Subject: [PATCH] coroutine: Revert to constant batch size
+
+Commit 4c41c69e changed the way the coroutine pool is sized because for
+virtio-blk devices with a large queue size and heavy I/O, it was just
+too small and caused coroutines to be deleted and reallocated soon
+afterwards. The change made the size dynamic based on the number of
+queues and the queue size of virtio-blk devices.
+
+There are two important numbers here: Slightly simplified, when a
+coroutine terminates, it is generally stored in the global release pool
+up to a certain pool size, and if the pool is full, it is freed.
+Conversely, when allocating a new coroutine, the coroutines in the
+release pool are reused if the pool already has reached a certain
+minimum size (the batch size), otherwise we allocate new coroutines.
+
+The problem after commit 4c41c69e is that it not only increases the
+maximum pool size (which is the intended effect), but also the batch
+size for reusing coroutines (which is a bug). It means that in cases
+with many devices and/or a large queue size (which defaults to the
+number of vcpus for virtio-blk-pci), many thousand coroutines could be
+sitting in the release pool without being reused.
+
+This is not only a waste of memory and allocations, but it actually
+makes the QEMU process likely to hit the vm.max_map_count limit on Linux
+because each coroutine requires two mappings (its stack and the guard
+page for the stack), causing it to abort() in qemu_alloc_stack() because
+when the limit is hit, mprotect() starts to fail with ENOMEM.
+
+In order to fix the problem, change the batch size back to 64 to avoid
+uselessly accumulating coroutines in the release pool, but keep the
+dynamic maximum pool size so that coroutines aren't freed too early
+in heavy I/O scenarios.
+
+Note that this fix doesn't strictly make it impossible to hit the limit,
+but this would only happen if most of the coroutines are actually in use
+at the same time, not just sitting in a pool. This is the same behaviour
+as we already had before commit 4c41c69e. Fully preventing this would
+require allowing qemu_coroutine_create() to return an error, but it
+doesn't seem to be a scenario that people hit in practice.
+
+Cc: qemu-stable@nongnu.org
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2079938
+Fixes: 4c41c69e05fe28c0f95f8abd2ebf407e95a4f04b
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20220510151020.105528-3-kwolf@redhat.com>
+Tested-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 9ec7a59b5aad4b736871c378d30f5ef5ec51cb52)
+---
+ util/qemu-coroutine.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
+index faca0ca97c..804f672e0a 100644
+--- a/util/qemu-coroutine.c
++++ b/util/qemu-coroutine.c
+@@ -20,14 +20,20 @@
+ #include "qemu/coroutine_int.h"
+ #include "block/aio.h"
+ 
+-/** Initial batch size is 64, and is increased on demand */
++/**
++ * The minimal batch size is always 64, coroutines from the release_pool are
++ * reused as soon as there are 64 coroutines in it. The maximum pool size starts
++ * with 64 and is increased on demand so that coroutines are not deleted even if
++ * they are not immediately reused.
++ */
+ enum {
+-    POOL_INITIAL_BATCH_SIZE = 64,
++    POOL_MIN_BATCH_SIZE = 64,
++    POOL_INITIAL_MAX_SIZE = 64,
+ };
+ 
+ /** Free list to speed up creation */
+ static QSLIST_HEAD(, Coroutine) release_pool = QSLIST_HEAD_INITIALIZER(pool);
+-static unsigned int pool_batch_size = POOL_INITIAL_BATCH_SIZE;
++static unsigned int pool_max_size = POOL_INITIAL_MAX_SIZE;
+ static unsigned int release_pool_size;
+ static __thread QSLIST_HEAD(, Coroutine) alloc_pool = QSLIST_HEAD_INITIALIZER(pool);
+ static __thread unsigned int alloc_pool_size;
+@@ -51,7 +57,7 @@ Coroutine *qemu_coroutine_create(CoroutineEntry *entry, void *opaque)
+     if (CONFIG_COROUTINE_POOL) {
+         co = QSLIST_FIRST(&alloc_pool);
+         if (!co) {
+-            if (release_pool_size > qatomic_read(&pool_batch_size)) {
++            if (release_pool_size > POOL_MIN_BATCH_SIZE) {
+                 /* Slow path; a good place to register the destructor, too.  */
+                 if (!coroutine_pool_cleanup_notifier.notify) {
+                     coroutine_pool_cleanup_notifier.notify = coroutine_pool_cleanup;
+@@ -88,12 +94,12 @@ static void coroutine_delete(Coroutine *co)
+     co->caller = NULL;
+ 
+     if (CONFIG_COROUTINE_POOL) {
+-        if (release_pool_size < qatomic_read(&pool_batch_size) * 2) {
++        if (release_pool_size < qatomic_read(&pool_max_size) * 2) {
+             QSLIST_INSERT_HEAD_ATOMIC(&release_pool, co, pool_next);
+             qatomic_inc(&release_pool_size);
+             return;
+         }
+-        if (alloc_pool_size < qatomic_read(&pool_batch_size)) {
++        if (alloc_pool_size < qatomic_read(&pool_max_size)) {
+             QSLIST_INSERT_HEAD(&alloc_pool, co, pool_next);
+             alloc_pool_size++;
+             return;
+@@ -207,10 +213,10 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)
+ 
+ void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
+ {
+-    qatomic_add(&pool_batch_size, additional_pool_size);
++    qatomic_add(&pool_max_size, additional_pool_size);
+ }
+ 
+ void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
+ {
+-    qatomic_sub(&pool_batch_size, removing_pool_size);
++    qatomic_sub(&pool_max_size, removing_pool_size);
+ }
+-- 
+2.37.0.rc2
+

qemu.spec

@@ -317,7 +317,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
 %endif
 
 # To prevent rpmdev-bumpspec breakage
-%global baserelease 10
+%global baserelease 11
 
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
@@ -360,6 +360,10 @@ Patch: 0012-vga-avoid-crash-if-no-default-vga-card.patch
 Patch: 0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch
 # vnc-clipboard: fix integer underflow (CVE-2022-3165)
 Patch: 0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch
+# Fix "failed to set up stack guard page: Cannot allocate memory"
+# https://bugzilla.redhat.com/show_bug.cgi?id=2143006
+Patch: 0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch
+Patch: 0016-coroutine-Revert-to-constant-batch-size.patch
 
 BuildRequires: meson >= %{meson_version}
 BuildRequires: zlib-devel
@@ -2724,6 +2728,10 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 
 %changelog
+* Wed Nov 16 2022 Richard W.M. Jones <rjones@redhat.com> - 7.0.0-11
+- Fix "failed to set up stack guard page: Cannot allocate memory"
+  (rhbz#2143006)
+
 * Tue Oct 18 2022 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.0.0-10
 - vga: avoid crash if no default vga card (rhbz#2095639)
 - lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216) (rhbz#2070902)