[Qemu-commits] [qemu/qemu] 7abba7: virtio-mmio : fix the crash in the vm

qemu-commits
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] 7abba7: virtio-mmio : fix the crash in the vm

From:	Richard Henderson
Subject:	[Qemu-commits] [qemu/qemu] 7abba7: virtio-mmio : fix the crash in the vm shutdown
Date:	Mon, 29 Nov 2021 06:24:07 -0800
  Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: 7abba7c638ab809e626f379617cb8590a733eabf
      
https://github.com/qemu/qemu/commit/7abba7c638ab809e626f379617cb8590a733eabf
  Author: Cindy Lu <lulu@redhat.com>
  Date:   2021-11-28 (Sun, 28 Nov 2021)

  Changed paths:
    M hw/virtio/virtio-mmio.c

  Log Message:
  -----------
  virtio-mmio : fix the crash in the vm shutdown

The root cause for this crash is the ioeventfd not stopped while the VM stop.
The callback for vmstate_change was not implement in virtio-mmio bus

Reproduce step
load the vm with
 -M microvm \
  -netdev tap,id=net0,vhostforce,script=no,downscript=no  \
  -device virtio-net-device,netdev=net0\

After the VM boot, login the vm and then shutdown the vm

System will crash
[Current thread is 1 (Thread 0x7ffff6edde00 (LWP 374378))]
(gdb) bt
0  0x00005555558f18b4 in qemu_flush_or_purge_queued_packets (purge=false, 
nc=0x55500252e850) at ../net/net.c:636
1  qemu_flush_queued_packets (nc=0x55500252e850) at ../net/net.c:656
2  0x0000555555b6c363 in virtio_queue_notify_vq (vq=0x7fffe7e2b010) at 
../hw/virtio/virtio.c:2339
3  virtio_queue_host_notifier_read (n=0x7fffe7e2b08c) at 
../hw/virtio/virtio.c:3583
4  0x0000555555de7b5a in aio_dispatch_handler (ctx=ctx@entry=0x5555567c5780, 
node=0x555556b83fd0) at ../util/aio-posix.c:329
5  0x0000555555de8454 in aio_dispatch_ready_handlers (ready_list=<optimized 
out>, ctx=<optimized out>) at ../util/aio-posix.c:359
6  aio_poll (ctx=0x5555567c5780, blocking=blocking@entry=false) at 
../util/aio-posix.c:662
7  0x0000555555cce0cc in monitor_cleanup () at ../monitor/monitor.c:645
8  0x0000555555b06bd2 in qemu_cleanup () at ../softmmu/runstate.c:822
9  0x000055555586e693 in main (argc=<optimized out>, argv=<optimized out>, 
envp=<optimized out>) at ../softmmu/main.c:51

Signed-off-by: Cindy Lu <lulu@redhat.com>
Message-Id: <20211109023744.22387-1-lulu@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>


  Commit: 9323f892b39d133eb69b301484bf7b2f3f49737d
      
https://github.com/qemu/qemu/commit/9323f892b39d133eb69b301484bf7b2f3f49737d
  Author: Laurent Vivier <lvivier@redhat.com>
  Date:   2021-11-28 (Sun, 28 Nov 2021)

  Changed paths:
    M hw/acpi/pcihp.c

  Log Message:
  -----------
  failover: fix unplug pending detection

Failover needs to detect the end of the PCI unplug to start migration
after the VFIO card has been unplugged.

To do that, a flag is set in pcie_cap_slot_unplug_request_cb() and reset in
pcie_unplug_device().

But since
    17858a169508 ("hw/acpi/ich9: Set ACPI PCI hot-plug as default on Q35")
we have switched to ACPI unplug and these functions are not called anymore
and the flag not set. So failover migration is not able to detect if card
is really unplugged and acts as it's done as soon as it's started. So it
doesn't wait the end of the unplug to start the migration. We don't see any
problem when we test that because ACPI unplug is faster than PCIe native
hotplug and when the migration really starts the unplug operation is
already done.

See c000a9bd06ea ("pci: mark device having guest unplug request pending")
    a99c4da9fc2a ("pci: mark devices partially unplugged")

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Ani Sinha <ani@anisinha.ca>
Message-Id: <20211118133225.324937-4-lvivier@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>


  Commit: 846a1e85da646c6006db429648389fc110f92d75
      
https://github.com/qemu/qemu/commit/846a1e85da646c6006db429648389fc110f92d75
  Author: Eugenio Pérez <eperezma@redhat.com>
  Date:   2021-11-28 (Sun, 28 Nov 2021)

  Changed paths:
    M net/vhost-vdpa.c

  Log Message:
  -----------
  vdpa: Add dummy receive callback

Qemu falls back on userland handlers even if vhost-user and vhost-vdpa
cases. These assumes a tap device can handle the packets.

If a vdpa device fail to start, it can trigger a sigsegv because of
that. Add dummy receiver that returns no progress so it can keep
running.

Fixes: 1e0a84ea49 ("vhost-vdpa: introduce vhost-vdpa net client")
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <20211125101614.76927-2-eperezma@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>


  Commit: 0fe7245d8b938f371556c100b0b6ec1d2b41e584
      
https://github.com/qemu/qemu/commit/0fe7245d8b938f371556c100b0b6ec1d2b41e584
  Author: Jason Wang <jasowang@redhat.com>
  Date:   2021-11-29 (Mon, 29 Nov 2021)

  Changed paths:
    M hw/virtio/virtio-balloon.c

  Log Message:
  -----------
  virtio-balloon: process all in sgs for free_page_vq

We only process the first in sg which may lead to the bitmap of the
pages belongs to following sgs were not cleared. This may result more
pages to be migrated. Fixing this by process all in sgs for
free_page_vq.

Acked-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20211129030841.3611-1-jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>


  Commit: d3f1f940ebe43403feb1d12e4b5b9236aba50cb9
      
https://github.com/qemu/qemu/commit/d3f1f940ebe43403feb1d12e4b5b9236aba50cb9
  Author: Jason Wang <jasowang@redhat.com>
  Date:   2021-11-29 (Mon, 29 Nov 2021)

  Changed paths:
    M hw/virtio/virtio-balloon.c

  Log Message:
  -----------
  virtio-balloon: correct used length

Spec said:

"and len the total of bytes written into the buffer."

For inflateq, deflateq and statsq, we don't process in_sg so the used
length should be zero. For free_page_vq, tough the pages could be
changed by the device (in the destination), spec said:

"Note: len is particularly useful for drivers using untrusted buffers:
if a driver does not know exactly how much has been written by the
device, the driver would have to zero the buffer in advance to ensure
no data leakage occurs."

So 0 should be used as well here.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20211129030841.3611-2-jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>


  Commit: 0192d6677c383d812fb23f572fda4e449e89d3f1
      
https://github.com/qemu/qemu/commit/0192d6677c383d812fb23f572fda4e449e89d3f1
  Author: Jason Wang <jasowang@redhat.com>
  Date:   2021-11-29 (Mon, 29 Nov 2021)

  Changed paths:
    M hw/i386/intel_iommu.c
    M hw/i386/intel_iommu_internal.h

  Log Message:
  -----------
  intel-iommu: ignore leaf SNP bit in scalable mode

When booting with scalable mode, I hit this error:

qemu-system-x86_64: vtd_iova_to_slpte: detected splte reserve non-zero 
iova=0xfffff002, level=0x1slpte=0x102681803)
qemu-system-x86_64: vtd_iommu_translate: detected translation failure 
(dev=01:00:00, iova=0xfffff002)
qemu-system-x86_64: New fault is not recorded due to compression of faults

This is because the SNP bit is set for second level page table since
Linux kernel commit 6c00612d0cba1 ("iommu/vt-d: Report right snoop
capability when using FL for IOVA") even if SC is not supported by the
hardware.

To unbreak the guest, ignore the leaf SNP bit for scalable mode
first. In the future we may consider to add SC support.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20211129033618.3857-1-jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>


  Commit: bacf58ca18f06f0b464466bf8c19945f19791feb
      
https://github.com/qemu/qemu/commit/bacf58ca18f06f0b464466bf8c19945f19791feb
  Author: Daniella Lee <daniellalee111@gmail.com>
  Date:   2021-11-29 (Mon, 29 Nov 2021)

  Changed paths:
    M hw/pci/pcie.c

  Log Message:
  -----------
  Fix bad overflow check in hw/pci/pcie.c

Orginal qemu commit hash:14d02cfbe4adaeebe7cb833a8cc71191352cf03b

In function pcie_add_capability, an assert contains the
"offset < offset + size" expression.
Both variable offset and variable size are uint16_t,
the comparison is always true due to type promotion.
The next expression may be the same.

It might be like this:
Thread 1 "qemu-system-x86" hit Breakpoint 1, pcie_add_capability (
    dev=0x555557ce5f10, cap_id=1, cap_ver=2 '\002', offset=256, size=72)
    at ../hw/pci/pcie.c:930
930     {
(gdb) n
931         assert(offset >= PCI_CONFIG_SPACE_SIZE);
(gdb) n
932         assert(offset < offset + size);
(gdb) p offset
$1 = 256
(gdb) p offset < offset + size
$2 = 1
(gdb) set offset=65533
(gdb) p offset < offset + size
$3 = 1
(gdb) p offset < (uint16_t)(offset + size)
$4 = 0

Signed-off-by: Daniella Lee <daniellalee111@gmail.com>
Message-Id: <20211126061324.47331-1-daniellalee111@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>


  Commit: b1641c50975c5f9e5fdbd651ab63386716a0eb38
      
https://github.com/qemu/qemu/commit/b1641c50975c5f9e5fdbd651ab63386716a0eb38
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2021-11-29 (Mon, 29 Nov 2021)

  Changed paths:
    M hw/acpi/pcihp.c
    M hw/i386/intel_iommu.c
    M hw/i386/intel_iommu_internal.h
    M hw/pci/pcie.c
    M hw/virtio/virtio-balloon.c
    M hw/virtio/virtio-mmio.c
    M net/vhost-vdpa.c

  Log Message:
  -----------
  Merge tag 'for_upstream' of git://git.kernel.org/pub/scm/virt/kvm/mst/qemu 
into staging

virtio,pci,pc: bugfixes

Lots of small fixes all over the place.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon 29 Nov 2021 02:50:06 PM CET
# gpg:                using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
# gpg:                issuer "mst@redhat.com"
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full]
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>" [full]

* tag 'for_upstream' of git://git.kernel.org/pub/scm/virt/kvm/mst/qemu:
  Fix bad overflow check in hw/pci/pcie.c
  intel-iommu: ignore leaf SNP bit in scalable mode
  virtio-balloon: correct used length
  virtio-balloon: process all in sgs for free_page_vq
  vdpa: Add dummy receive callback
  failover: fix unplug pending detection
  virtio-mmio : fix the crash in the vm shutdown

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>


Compare: https://github.com/qemu/qemu/compare/e750c10167fa...b1641c50975c
[Prev in Thread]
Current Thread
[Next in Thread]
[Qemu-commits] [qemu/qemu] 7abba7: virtio-mmio : fix the crash in the vm shutdown, Richard Henderson <=
- [Qemu-commits] [qemu/qemu] 7abba7: virtio-mmio : fix the crash in the vm shutdown, Richard Henderson, 2021/11/29
Prev by Date: [Qemu-commits] [qemu/qemu] bede01: hw/arm/virt: Extend nested and mte checks to hvf
Next by Date: [Qemu-commits] [qemu/qemu] 7abba7: virtio-mmio : fix the crash in the vm shutdown
Previous by thread: [Qemu-commits] [qemu/qemu] bede01: hw/arm/virt: Extend nested and mte checks to hvf
Next by thread: [Qemu-commits] [qemu/qemu] 7abba7: virtio-mmio : fix the crash in the vm shutdown
Index(es):
- Date
- Thread