From daaab58bcbd09f4fbac85d7b35545dd71b4a4a71 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Wed, 16 Nov 2022 11:33:35 +0000
Subject: [PATCH] Fix "failed to set up stack guard page: Cannot allocate memory" (rhbz#2143006)

---
 ...sgx_epc_get_section-stub-is-reachabl.patch | 5 +-
 ...ctrl-and-event-handler-functions-in-.patch | 5 +-
 ...t-waste-CPU-polling-the-event-virtqu.patch | 5 +-
 ...clean-up-virtio_scsi_handle_event_vq.patch | 5 +-
 ...-clean-up-virtio_scsi_handle_ctrl_vq.patch | 5 +-
 ...i-clean-up-virtio_scsi_handle_cmd_vq.patch | 5 +-
 ...-request-related-items-from-.h-to-.c.patch | 5 +-
 0008-Disable-flakey-dbus-display-test.patch | 5 +-
 ...s-with-modules-and-qemu-system-s390x.patch | 5 +-
 0010-Skip-iotests-entirely.patch | 5 +-
 ...x-compat-with-glibc-2.36-sys-mount.h.patch | 10 +-
 ...a-avoid-crash-if-no-default-vga-card.patch | 6 +-
 ...-fix-use-after-free-in-lsi_do_msgout.patch | 10 +-
 ...-fix-integer-underflow-in-vnc_client.patch | 6 +-
 ...ame-qemu_coroutine_inc-dec_pool_size.patch | 92 +++++++++++++
 ...outine-Revert-to-constant-batch-size.patch | 123 ++++++++++++++++++
 qemu.spec | 10 +-
 17 files changed, 286 insertions(+), 21 deletions(-)
 create mode 100644 0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch
 create mode 100644 0016-coroutine-Revert-to-constant-batch-size.patch

diff --git a/0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch b/0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch
index cc5ada9..681a6cc 100644
--- a/0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch
+++ b/0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch
@@ -1,10 +1,10 @@
+From 375a476bcdefe65057a38fe6ae3f50b941e63ddd Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
 Date: Tue, 1 Feb 2022 20:09:37 +0100
 Subject: [PATCH] target/i386: the sgx_epc_get_section stub is reachable
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Content-type: text/plain
 The sgx_epc_get_section stub is reachable from cpu_x86_cpuid. It should not assert, instead it should just return true just like
@@ -28,3 +28,6 @@ index 26833eb233..16b1dfd90b 100644
 - g_assert_not_reached();
 + return true;
 }
+--
+2.37.0.rc2
+
diff --git a/0002-virtio-scsi-fix-ctrl-and-event-handler-functions-in-.patch b/0002-virtio-scsi-fix-ctrl-and-event-handler-functions-in-.patch
index 32c90a1..7e14e27 100644
--- a/0002-virtio-scsi-fix-ctrl-and-event-handler-functions-in-.patch
+++ b/0002-virtio-scsi-fix-ctrl-and-event-handler-functions-in-.patch
@@ -1,8 +1,8 @@
+From 7a5a6dbbf40f7d2313173573b99dd26069f7e309 Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi
 Date: Wed, 27 Apr 2022 15:35:36 +0100
 Subject: [PATCH] virtio-scsi: fix ctrl and event handler functions in dataplane mode
-Content-type: text/plain
 Commit f34e8d8b8d48d73f36a67b6d5e492ef9784b5012 ("virtio-scsi: prepare virtio_scsi_handle_cmd for dataplane") prepared the virtio-scsi cmd
@@ -106,3 +106,6 @@ index 34a968ecfb..417fbc71d6 100644
 virtio_scsi_acquire(s);
 virtio_scsi_handle_event_vq(s, vq);
 virtio_scsi_release(s);
+--
+2.37.0.rc2
+
diff --git a/0003-virtio-scsi-don-t-waste-CPU-polling-the-event-virtqu.patch b/0003-virtio-scsi-don-t-waste-CPU-polling-the-event-virtqu.patch
index 03acef6..3be1acd 100644
--- a/0003-virtio-scsi-don-t-waste-CPU-polling-the-event-virtqu.patch
+++ b/0003-virtio-scsi-don-t-waste-CPU-polling-the-event-virtqu.patch
@@ -1,7 +1,7 @@
+From 5a595325d84fe48fcef921b0810073906ff9284b Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi
 Date: Tue, 17 May 2022 09:27:45 +0100
 Subject: [PATCH] virtio-scsi: don't waste CPU polling the event virtqueue
-Content-type: text/plain
 The virtio-scsi event virtqueue is not emptied by its handler function. This is typical for rx virtqueues where the device uses buffers when
@@ -89,3 +89,6 @@ index b31c4507f5..b62a35fdca 100644
 void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx);
 VirtQueue *virtio_vector_first_queue(VirtIODevice *vdev, uint16_t vector);
 VirtQueue *virtio_vector_next_queue(VirtQueue *vq);
+--
+2.37.0.rc2
+
diff --git a/0004-virtio-scsi-clean-up-virtio_scsi_handle_event_vq.patch b/0004-virtio-scsi-clean-up-virtio_scsi_handle_event_vq.patch
index d3eff90..41428ae 100644
--- a/0004-virtio-scsi-clean-up-virtio_scsi_handle_event_vq.patch
+++ b/0004-virtio-scsi-clean-up-virtio_scsi_handle_event_vq.patch
@@ -1,7 +1,7 @@
+From 5edca84f63de972dd08e0c63c7c67003df237f23 Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi
 Date: Tue, 17 May 2022 09:28:06 +0100
 Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_event_vq()
-Content-type: text/plain
 virtio_scsi_handle_event_vq() is only called from hw/scsi/virtio-scsi.c now and its return value is no longer used. Remove the function
@@ -49,3 +49,6 @@ index 543681bc18..5957597825 100644
 bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
 bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq);
 void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
+--
+2.37.0.rc2
+
diff --git a/0005-virtio-scsi-clean-up-virtio_scsi_handle_ctrl_vq.patch b/0005-virtio-scsi-clean-up-virtio_scsi_handle_ctrl_vq.patch
index bde9298..a4fb245 100644
--- a/0005-virtio-scsi-clean-up-virtio_scsi_handle_ctrl_vq.patch
+++ b/0005-virtio-scsi-clean-up-virtio_scsi_handle_ctrl_vq.patch
@@ -1,7 +1,7 @@
+From 4c4bec46e2ccbcb1e8360b118b46681369e3f05c Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi
 Date: Tue, 17 May 2022 09:28:12 +0100
 Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_ctrl_vq()
-Content-type: text/plain
 virtio_scsi_handle_ctrl_vq() is only called from hw/scsi/virtio-scsi.c now and its return value is no longer used. Remove the function
@@ -52,3 +52,6 @@ index 5957597825..44dc3b81ec 100644
 void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
 void virtio_scsi_free_req(VirtIOSCSIReq *req);
 void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
+--
+2.37.0.rc2
+
diff --git a/0006-virtio-scsi-clean-up-virtio_scsi_handle_cmd_vq.patch b/0006-virtio-scsi-clean-up-virtio_scsi_handle_cmd_vq.patch
index 89c5e58..50e2b72 100644
--- a/0006-virtio-scsi-clean-up-virtio_scsi_handle_cmd_vq.patch
+++ b/0006-virtio-scsi-clean-up-virtio_scsi_handle_cmd_vq.patch
@@ -1,7 +1,7 @@
+From 67a97290efc0e89c7c48bba46ed68de35121b9de Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi
 Date: Tue, 17 May 2022 09:28:19 +0100
 Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_cmd_vq()
-Content-type: text/plain
 virtio_scsi_handle_cmd_vq() is only called from hw/scsi/virtio-scsi.c now and its return value is no longer used. Remove the function
@@ -64,3 +64,6 @@ index 44dc3b81ec..2497530064 100644
 void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
 void virtio_scsi_free_req(VirtIOSCSIReq *req);
 void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
+--
+2.37.0.rc2
+
diff --git a/0007-virtio-scsi-move-request-related-items-from-.h-to-.c.patch b/0007-virtio-scsi-move-request-related-items-from-.h-to-.c.patch
index 89377c8..b4d1722 100644
--- a/0007-virtio-scsi-move-request-related-items-from-.h-to-.c.patch
+++ b/0007-virtio-scsi-move-request-related-items-from-.h-to-.c.patch
@@ -1,7 +1,7 @@
+From 8c2d952c608b15e188db90e26b7238d35f5cf289 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi
 Date: Tue, 17 May 2022 09:28:26 +0100
 Subject: [PATCH] virtio-scsi: move request-related items from .h to .c
-Content-type: text/plain
 There is no longer a need to expose the request and related APIs in virtio-scsi.h since there are no callers outside virtio-scsi.c.
@@ -155,3 +155,6 @@ index 2497530064..abdda2cbd0 100644
 void virtio_scsi_dataplane_setup(VirtIOSCSI *s, Error **errp);
 int virtio_scsi_dataplane_start(VirtIODevice *s);
+--
+2.37.0.rc2
+
diff --git a/0008-Disable-flakey-dbus-display-test.patch b/0008-Disable-flakey-dbus-display-test.patch
index 01bae39..274beae 100644
--- a/0008-Disable-flakey-dbus-display-test.patch
+++ b/0008-Disable-flakey-dbus-display-test.patch
@@ -1,7 +1,7 @@
+From 7bbf88bfd6b5200926294788386398193afe623f Mon Sep 17 00:00:00 2001
 From: Cole Robinson
 Date: Sat, 4 Jun 2022 20:28:58 -0400
 Subject: [PATCH] Disable flakey dbus-display-test
-Content-type: text/plain
 Signed-off-by: Cole Robinson
 ---
@@ -34,3 +34,6 @@ index d25f82bb5a..d085604727 100644
 qtest_executables = {}
 foreach dir : target_dirs
 if not dir.endswith('-softmmu')
+--
+2.37.0.rc2
+
diff --git a/0009-Fix-iotests-with-modules-and-qemu-system-s390x.patch b/0009-Fix-iotests-with-modules-and-qemu-system-s390x.patch
index d4f84a0..5aef53a 100644
--- a/0009-Fix-iotests-with-modules-and-qemu-system-s390x.patch
+++ b/0009-Fix-iotests-with-modules-and-qemu-system-s390x.patch
@@ -1,7 +1,7 @@
+From 1917ca47ce2234b7d279f16aa7ef1ff165902d1f Mon Sep 17 00:00:00 2001
 From: Cole Robinson
 Date: Sat, 4 Jun 2022 20:29:46 -0400
 Subject: [PATCH] Fix iotests with modules and qemu-system-s390x
-Content-type: text/plain
 Signed-off-by: Cole Robinson
 ---
@@ -30,3 +30,6 @@ index 227e0a5be9..97f8e0a15f 100644
 grep ^name | sed -e 's/^name "//' -e 's/".*$//')
 for device do
+--
+2.37.0.rc2
+
diff --git a/0010-Skip-iotests-entirely.patch b/0010-Skip-iotests-entirely.patch
index 8586d6f..6b89e7b 100644
--- a/0010-Skip-iotests-entirely.patch
+++ b/0010-Skip-iotests-entirely.patch
@@ -1,7 +1,7 @@
+From 830cda479ec661b752c9c2566bcca0ac22bb478b Mon Sep 17 00:00:00 2001
 From: Cole Robinson
 Date: Sun, 5 Jun 2022 12:48:29 -0400
 Subject: [PATCH] Skip iotests entirely
-Content-type: text/plain
 Getting sporadic failures like described here:
 https://www.mail-archive.com/qemu-devel@nongnu.org/msg887683.html
@@ -24,3 +24,6 @@ index f59496396c..09cc735da4 100755
 # QEMU_CHECK_BLOCK_AUTO is used to disable some unstable sub-tests
 export QEMU_CHECK_BLOCK_AUTO=1
 export PYTHONUTF8=1
+--
+2.37.0.rc2
+
diff --git a/0011-linux-user-fix-compat-with-glibc-2.36-sys-mount.h.patch b/0011-linux-user-fix-compat-with-glibc-2.36-sys-mount.h.patch
index 8718405..ecab4f0 100644
--- a/0011-linux-user-fix-compat-with-glibc-2.36-sys-mount.h.patch
+++ b/0011-linux-user-fix-compat-with-glibc-2.36-sys-mount.h.patch
@@ -1,4 +1,4 @@
-From a7f14aae85022007a4c77e0792a1abb0509a08eb Mon Sep 17 00:00:00 2001
+From 7605dc625bfd03c4f6bb8daddde909aac3e4badb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Tue, 2 Aug 2022 12:34:23 -0400
 Subject: [PATCH] linux-user: fix compat with glibc >= 2.36 sys/mount.h
@@ -53,7 +53,7 @@ Signed-off-by: Daniel P. Berrangé
 2 files changed, 20 insertions(+)
 diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index b27a6552aa..52d178afe7 100644
+index f65045efe6..834a86183c 100644
 --- a/linux-user/syscall.c
 +++ b/linux-user/syscall.c
 @@ -95,7 +95,25 @@
@@ -83,10 +83,10 @@ index b27a6552aa..52d178afe7 100644
 #if defined(CONFIG_FIEMAP)
 #include
 diff --git a/meson.build b/meson.build
-index 294e9a8f32..30a380752c 100644
+index 861de93c4f..8ca99671ec 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -1963,6 +1963,8 @@ config_host_data.set('HAVE_OPTRESET',
+@@ -1686,6 +1686,8 @@ config_host_data.set('HAVE_OPTRESET',
 cc.has_header_symbol('getopt.h', 'optreset'))
 config_host_data.set('HAVE_IPPROTO_MPTCP',
 cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
@@ -96,5 +96,5 @@ index 294e9a8f32..30a380752c 100644
 # has_member
 config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
 --
-2.37.1
+2.37.0.rc2
diff --git a/0012-vga-avoid-crash-if-no-default-vga-card.patch b/0012-vga-avoid-crash-if-no-default-vga-card.patch
index 36f64ea..0de45d5 100644
--- a/0012-vga-avoid-crash-if-no-default-vga-card.patch
+++ b/0012-vga-avoid-crash-if-no-default-vga-card.patch
@@ -1,3 +1,4 @@
+From ac42f1e87f4f963836461691be22e39128b4eff2 Mon Sep 17 00:00:00 2001
 From: Guo Zhi
 Date: Tue, 3 May 2022 17:17:24 +0800
 Subject: [PATCH] vga: avoid crash if no default vga card
@@ -21,7 +22,7 @@ index 6f646531a0..b16c1c48fa 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
 @@ -974,7 +974,8 @@ static void select_vgahw(const MachineClass *machine_class, const char *p) - + if (vga_interface_available(t) && ti->opt_name) {
 printf("%-20s %s%s\n", ti->opt_name, ti->name ?: "",
 - g_str_equal(ti->opt_name, def) ? " (default)" : "");
@@ -30,3 +31,6 @@ index 6f646531a0..b16c1c48fa 100644
 }
 }
 exit(0);
+--
+2.37.0.rc2
+
diff --git a/0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch b/0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch
index 6cd55ee..40619a5 100644
--- a/0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch
+++ b/0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch
@@ -1,3 +1,4 @@
+From 754371b1f2f872156dda4cb4aa16b510c142c381 Mon Sep 17 00:00:00 2001
 From: Mauro Matteo Cascella
 Date: Tue, 5 Jul 2022 22:05:43 +0200
 Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
@@ -39,7 +40,7 @@ index c8773f73f7..ad5f5e5f39 100644
 scsi_req_cancel(s->current->req);
 + current_req = NULL;
 } - + /* As the current implemented devices scsi_disk and scsi_generic
 diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
 index ba5d468970..0f968024c8 100644
@@ -48,7 +49,7 @@ index ba5d468970..0f968024c8 100644
@@ -8,6 +8,79 @@
 #include "qemu/osdep.h"
 #include "libqos/libqtest.h" - + +/*
 + * This used to trigger a UAF in lsi_do_msgout()
 + * https://gitlab.com/qemu-project/qemu/-/issues/972
@@ -132,5 +133,8 @@ index ba5d468970..0f968024c8 100644
 + qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
 + test_lsi_do_msgout_cancel_req);
 } - + return g_test_run();
+--
+2.37.0.rc2
+
diff --git a/0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch b/0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch
index 8bd37ef..eb69047 100644
--- a/0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch
+++ b/0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch
@@ -1,3 +1,4 @@
+From effa979582e34687688df36c9a10b33862f2581f Mon Sep 17 00:00:00 2001
 From: Mauro Matteo Cascella
 Date: Sun, 25 Sep 2022 22:45:11 +0200
 Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
@@ -35,7 +36,7 @@ index 310a873c21..8a2e176b64 100644
 " which exceeds our limit of 1MB.", dlen);
 @@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
 } - + if (read_s32(data, 4) < 0) {
 - vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
 - read_u32(data, 8), data + 12);
@@ -49,3 +50,6 @@ index 310a873c21..8a2e176b64 100644
 break;
 }
 vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
+--
+2.37.0.rc2
+
diff --git a/0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch b/0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch
new file mode 100644
index 0000000..05f80fd
--- /dev/null
+++ b/0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch
@@ -0,0 +1,92 @@
+From 9be9b8e36940756582c453c6bf08daa6955f916e Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Tue, 10 May 2022 17:10:19 +0200
+Subject: [PATCH] coroutine: Rename qemu_coroutine_inc/dec_pool_size()
+
+It's true that these functions currently affect the batch size in which
+coroutines are reused (i.e. moved from the global release pool to the
+allocation pool of a specific thread), but this is a bug and will be
+fixed in a separate patch.
+
+In fact, the comment in the header file already just promises that it
+influences the pool size, so reflect this in the name of the functions.
+As a nice side effect, the shorter function name makes some line
+wrapping unnecessary.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf
+Message-Id: <20220510151020.105528-2-kwolf@redhat.com>
+Signed-off-by: Kevin Wolf
+(cherry picked from commit 98e3ab35054b946f7c2aba5408822532b0920b53)
+---
+ hw/block/virtio-blk.c | 6 ++----
+ include/qemu/coroutine.h | 6 +++---
+ util/qemu-coroutine.c | 4 ++--
+ 3 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
+index 540c38f829..6a1cc41877 100644
+--- a/hw/block/virtio-blk.c
++++ b/hw/block/virtio-blk.c
+@@ -1215,8 +1215,7 @@ static void virtio_blk_device_realize(DeviceState *dev, Error **errp)
+ for (i = 0; i < conf->num_queues; i++) {
+ virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output);
+ }
+- qemu_coroutine_increase_pool_batch_size(conf->num_queues * conf->queue_size
+- / 2);
++ qemu_coroutine_inc_pool_size(conf->num_queues * conf->queue_size / 2);
+ virtio_blk_data_plane_create(vdev, conf, &s->dataplane, &err);
+ if (err != NULL) {
+ error_propagate(errp, err);
+@@ -1253,8 +1252,7 @@ static void virtio_blk_device_unrealize(DeviceState *dev)
+ for (i = 0; i < conf->num_queues; i++) {
+ virtio_del_queue(vdev, i);
+ }
+- qemu_coroutine_decrease_pool_batch_size(conf->num_queues * conf->queue_size
+- / 2);
++ 
qemu_coroutine_dec_pool_size(conf->num_queues * conf->queue_size / 2);
+ qemu_del_vm_change_state_handler(s->change);
+ blockdev_mark_auto_del(s->blk);
+ virtio_cleanup(vdev);
+diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
+index c828a95ee0..5b621d1295 100644
+--- a/include/qemu/coroutine.h
++++ b/include/qemu/coroutine.h
+@@ -334,12 +334,12 @@ void coroutine_fn yield_until_fd_readable(int fd);
+ /**
+ * Increase coroutine pool size
+ */
+-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size);
++void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size);
+
+ /**
+- * Devcrease coroutine pool size
++ * Decrease coroutine pool size
+ */
+-void qemu_coroutine_decrease_pool_batch_size(unsigned int additional_pool_size);
++void qemu_coroutine_dec_pool_size(unsigned int additional_pool_size);
+
+ #include "qemu/lockable.h"
+
+diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
+index c03b2422ff..faca0ca97c 100644
+--- a/util/qemu-coroutine.c
++++ b/util/qemu-coroutine.c
+@@ -205,12 +205,12 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)
+ return co->ctx;
+ }
+
+-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size)
++void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
+ {
+ qatomic_add(&pool_batch_size, additional_pool_size);
+ }
+
+-void qemu_coroutine_decrease_pool_batch_size(unsigned int removing_pool_size)
++void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
+ {
+ qatomic_sub(&pool_batch_size, removing_pool_size);
+ }
+--
+2.37.0.rc2
+
diff --git a/0016-coroutine-Revert-to-constant-batch-size.patch b/0016-coroutine-Revert-to-constant-batch-size.patch
new file mode 100644
index 0000000..00c61db
--- /dev/null
+++ b/0016-coroutine-Revert-to-constant-batch-size.patch
@@ -0,0 +1,123 @@
+From f1ea4c55f0e9bb05db980f27b392617ef6615954 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Tue, 10 May 2022 17:10:20 +0200
+Subject: [PATCH] coroutine: Revert to constant batch size
+
+Commit 4c41c69e changed the way the coroutine pool is sized because for
+virtio-blk devices with a large queue size and heavy I/O, it was just
+too small and caused coroutines to be deleted and reallocated soon
+afterwards. The change made the size dynamic based on the number of
+queues and the queue size of virtio-blk devices.
+
+There are two important numbers here: Slightly simplified, when a
+coroutine terminates, it is generally stored in the global release pool
+up to a certain pool size, and if the pool is full, it is freed.
+Conversely, when allocating a new coroutine, the coroutines in the
+release pool are reused if the pool already has reached a certain
+minimum size (the batch size), otherwise we allocate new coroutines.
+
+The problem after commit 4c41c69e is that it not only increases the
+maximum pool size (which is the intended effect), but also the batch
+size for reusing coroutines (which is a bug). It means that in cases
+with many devices and/or a large queue size (which defaults to the
+number of vcpus for virtio-blk-pci), many thousand coroutines could be
+sitting in the release pool without being reused.
+
+This is not only a waste of memory and allocations, but it actually
+makes the QEMU process likely to hit the vm.max_map_count limit on Linux
+because each coroutine requires two mappings (its stack and the guard
+page for the stack), causing it to abort() in qemu_alloc_stack() because
+when the limit is hit, mprotect() starts to fail with ENOMEM.
+
+In order to fix the problem, change the batch size back to 64 to avoid
+uselessly accumulating coroutines in the release pool, but keep the
+dynamic maximum pool size so that coroutines aren't freed too early
+in heavy I/O scenarios.
+
+Note that this fix doesn't strictly make it impossible to hit the limit,
+but this would only happen if most of the coroutines are actually in use
+at the same time, not just sitting in a pool. This is the same behaviour
+as we already had before commit 4c41c69e. Fully preventing this would
+require allowing qemu_coroutine_create() to return an error, but it
+doesn't seem to be a scenario that people hit in practice.
+
+Cc: qemu-stable@nongnu.org
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2079938
+Fixes: 4c41c69e05fe28c0f95f8abd2ebf407e95a4f04b
+Signed-off-by: Kevin Wolf
+Message-Id: <20220510151020.105528-3-kwolf@redhat.com>
+Tested-by: Hiroki Narukawa
+Signed-off-by: Kevin Wolf
+(cherry picked from commit 9ec7a59b5aad4b736871c378d30f5ef5ec51cb52)
+---
+ util/qemu-coroutine.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
+index faca0ca97c..804f672e0a 100644
+--- a/util/qemu-coroutine.c
++++ b/util/qemu-coroutine.c
+@@ -20,14 +20,20 @@
+ #include "qemu/coroutine_int.h"
+ #include "block/aio.h"
+
+-/** Initial batch size is 64, and is increased on demand */
++/**
++ * The minimal batch size is always 64, coroutines from the release_pool are
++ * reused as soon as there are 64 coroutines in it. The maximum pool size starts
++ * with 64 and is increased on demand so that coroutines are not deleted even if
++ * they are not immediately reused.
++ */
+ enum {
+- POOL_INITIAL_BATCH_SIZE = 64,
++ POOL_MIN_BATCH_SIZE = 64,
++ POOL_INITIAL_MAX_SIZE = 64,
+ };
+
+ /** Free list to speed up creation */
+ static QSLIST_HEAD(, Coroutine) release_pool = QSLIST_HEAD_INITIALIZER(pool);
+-static unsigned int pool_batch_size = POOL_INITIAL_BATCH_SIZE;
++static unsigned int pool_max_size = POOL_INITIAL_MAX_SIZE;
+ static unsigned int release_pool_size;
+ static __thread QSLIST_HEAD(, Coroutine) alloc_pool = QSLIST_HEAD_INITIALIZER(pool);
+ static __thread unsigned int alloc_pool_size;
+@@ -51,7 +57,7 @@ Coroutine *qemu_coroutine_create(CoroutineEntry *entry, void *opaque)
+ if (CONFIG_COROUTINE_POOL) {
+ co = QSLIST_FIRST(&alloc_pool);
+ if (!co) {
+- if (release_pool_size > qatomic_read(&pool_batch_size)) {
++ if (release_pool_size > POOL_MIN_BATCH_SIZE) {
+ /* Slow path; a good place to register the destructor, too. */
+ if (!coroutine_pool_cleanup_notifier.notify) {
+ coroutine_pool_cleanup_notifier.notify = coroutine_pool_cleanup;
+@@ -88,12 +94,12 @@ static void coroutine_delete(Coroutine *co)
+ co->caller = NULL;
+
+ if (CONFIG_COROUTINE_POOL) {
+- if (release_pool_size < qatomic_read(&pool_batch_size) * 2) {
++ if (release_pool_size < qatomic_read(&pool_max_size) * 2) {
+ QSLIST_INSERT_HEAD_ATOMIC(&release_pool, co, pool_next);
+ qatomic_inc(&release_pool_size);
+ return;
+ }
+- if (alloc_pool_size < qatomic_read(&pool_batch_size)) {
++ if (alloc_pool_size < qatomic_read(&pool_max_size)) {
+ QSLIST_INSERT_HEAD(&alloc_pool, co, pool_next);
+ alloc_pool_size++;
+ return;
+@@ -207,10 +213,10 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)
+
+ void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
+ {
+- qatomic_add(&pool_batch_size, additional_pool_size);
++ qatomic_add(&pool_max_size, additional_pool_size);
+ }
+
+ void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
+ {
+- qatomic_sub(&pool_batch_size, removing_pool_size);
++ qatomic_sub(&pool_max_size, 
removing_pool_size);
+ }
+--
+2.37.0.rc2
+
diff --git a/qemu.spec b/qemu.spec
index 1de1866..17174e5 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -317,7 +317,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
 %endif
 # To prevent rpmdev-bumpspec breakage
-%global baserelease 10
+%global baserelease 11
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
@@ -360,6 +360,10 @@ Patch: 0012-vga-avoid-crash-if-no-default-vga-card.patch
 Patch: 0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch
 # vnc-clipboard: fix integer underflow (CVE-2022-3165)
 Patch: 0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch
+# Fix "failed to set up stack guard page: Cannot allocate memory"
+# https://bugzilla.redhat.com/show_bug.cgi?id=2143006
+Patch: 0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch
+Patch: 0016-coroutine-Revert-to-constant-batch-size.patch
 BuildRequires: meson >= %{meson_version}
 BuildRequires: zlib-devel
@@ -2724,6 +2728,10 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %changelog
+* Wed Nov 16 2022 Richard W.M. Jones - 7.0.0-11
+- Fix "failed to set up stack guard page: Cannot allocate memory"
+ (rhbz#2143006)
+
 * Tue Oct 18 2022 Mauro Matteo Cascella - 2:7.0.0-10
 - vga: avoid crash if no default vga card (rhbz#2095639)
 - lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216) (rhbz#2070902)
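Review bot: The comment added above the two new `Patch:` lines in the second qemu.spec hunk describes both as the guard-page fix, but 0015 is a rename-only prerequisite (its own description says the behaviour change is left to a separate patch) and only 0016 carries the fix. A one-line comment between them would save the next maintainer from dropping 0015 when rebasing, e.g. `# 0015 is a rename-only prerequisite so that 0016 applies cleanly`. The backport itself is a verbatim cherry-pick, so nothing in the patch content needs to change.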
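Review bot: The new %changelog header in the last qemu.spec hunk is versioned `7.0.0-11`, while the entry directly below it uses `2:7.0.0-10`, so the epoch has been dropped from the new line; tools that compare changelog versions against Epoch:Version-Release (rpmlint's incoherent-version-in-changelog check, for instance) are likely to flag it. The header should read `* Wed Nov 16 2022 Richard W.M. Jones - 2:7.0.0-11`. The baserelease bump in the first hunk is consistent with that release number.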