Ubuntu
qemu package

debian/changelog (+16/-0)
debian/patches/series (+7/-0)
debian/patches/ubuntu/lp-1891187-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx.patch (+45/-0)
debian/patches/ubuntu/lp1890881-linux-user-completely-re-write-init_guest_space.patch (+725/-0)
debian/patches/ubuntu/lp1890881-linux-user-deal-with-address-wrap-for-ARM_COMMPAGE-o.patch (+154/-0)
debian/patches/ubuntu/lp1890881-linux-user-don-t-use-MAP_FIXED-in-pgd_find_hole_fall.patch (+78/-0)
debian/patches/ubuntu/lp1890881-linux-user-elfload-use-MAP_FIXED_NOREPLACE-in-pgb_re.patch (+66/-0)
debian/patches/ubuntu/lp1890881-linux-user-limit-check-to-HOST_LONG_BITS-TARGET_ABI_.patch (+57/-0)
debian/patches/ubuntu/lp1890881-linux-user-provide-fallback-pgd_find_hole-for-bare-c.patch (+102/-0)

Related bugs:

Bug #1890881: qemu-user-static 1:5.0-5ubuntu4 in groovy does not start armhf container	Medium	Fix Released
Bug #1891187: qemu CVE-2020-16092	Undecided	Fix Released

Link a bug report

Reviewer	Date Requested	Status
Rafael David Tinoco (community)		Approve on 2020-08-19
Canonical Server	2020-08-19	Pending
Canonical Server packageset reviewers	2020-08-19	Pending
git-ubuntu developers	2020-08-19	Pending
Review via email: mp+389514@code.launchpad.net

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-08-19:

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4214/+packages

Bugs:
- https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1891187
- https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1890881

Revision history for this message

Rafael David Tinoco (rafaeldtinoco) wrote on 2020-08-19:

Okay, for the 1st fix, you already opened the bug (security) and documenting LP number makes sense now. For the second fix (armhf container).. I followed all patchset and dependencies (including commit fixes) and it also makes sense to me. Apart from that, everything is very straightforward so I'm +1 with no further questions.

review: Approve

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-08-19:

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/qemu
* [new tag] upload/1%5.0-5ubuntu5 -> upload/1%5.0-5ubuntu5

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading qemu_5.0-5ubuntu5.dsc: done.
  Uploading qemu_5.0-5ubuntu5.debian.tar.xz: done.
  Uploading qemu_5.0-5ubuntu5_source.buildinfo: done.
  Uploading qemu_5.0-5ubuntu5_source.changes: done.
Successfully uploaded packages.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-08-26:

this migrated

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Christian Ehrhardt 

git-ubuntu developers

Ubuntu
qemu package

Merge ~paelzer/ubuntu/+source/qemu:groovy-lp-1890881-lp-1891187 into ubuntu/+source/qemu:ubuntu/groovy-devel

Commit message

Description of the change

Preview Diff

Subscribers

 diff --git a/debian/changelog b/debian/changelog
 index ea3bc89..973aa23 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,19 @@
++qemu (1:5.0-5ubuntu5) groovy; urgency=medium
++
++  * fix qemu-user-static initialization to allow executing systemd
++    (LP: #1890881)
++    - d/p/u/lp1890881-linux-user-completely-re-write-init_guest_space.patch
++    - d/p/u/lp1890881-linux-user-deal-with-address-wrap-for-ARM_COMMPAGE-o.patch
++    - d/p/u/lp1890881-linux-user-don-t-use-MAP_FIXED-in-pgd_find_hole_fall.patch
++    - d/p/u/lp1890881-linux-user-elfload-use-MAP_FIXED_NOREPLACE-in-pgb_re.patch
++    - d/p/u/lp1890881-linux-user-limit-check-to-HOST_LONG_BITS-TARGET_ABI_.patch
++    - d/p/u/lp1890881-linux-user-provide-fallback-pgd_find_hole-for-bare-c.patch
++  * fix assertion failue in net_tx_pkt_add_raw_fragment (LP: #1891187)
++    CVE-2020-16092
++    - d/p/u/lp-1891187-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx.patch
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 19 Aug 2020 07:19:42 +0200
++
  qemu (1:5.0-5ubuntu4) groovy; urgency=medium
    * xen: provide compat links to what libxen-dev reports where to find
 diff --git a/debian/patches/series b/debian/patches/series
 index c1c26c4..a5e3921 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -73,3 +73,10 @@ ubuntu/lp-1887763-util-add-qemu_get_host_physmem-utility-function.patch
  ubuntu/lp-1887763-accel-tcg-better-handle-memory-constrained-systems.patch
  ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
  lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch
++ubuntu/lp-1891187-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx.patch
++ubuntu/lp1890881-linux-user-completely-re-write-init_guest_space.patch
++ubuntu/lp1890881-linux-user-limit-check-to-HOST_LONG_BITS-TARGET_ABI_.patch
++ubuntu/lp1890881-linux-user-provide-fallback-pgd_find_hole-for-bare-c.patch
++ubuntu/lp1890881-linux-user-deal-with-address-wrap-for-ARM_COMMPAGE-o.patch
++ubuntu/lp1890881-linux-user-elfload-use-MAP_FIXED_NOREPLACE-in-pgb_re.patch
++ubuntu/lp1890881-linux-user-don-t-use-MAP_FIXED-in-pgd_find_hole_fall.patch
 diff --git a/debian/patches/ubuntu/lp-1891187-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx.patch b/debian/patches/ubuntu/lp-1891187-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx.patch
 new file mode 100644
 index 0000000..5492cfd
 --- /dev/null
 +++ b/debian/patches/ubuntu/lp-1891187-hw-net-net_tx_pkt-fix-assertion-failure-in-net_tx.patch
@@ -0,0 +1,45 @@
++From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001
++From: Mauro Matteo Cascella <mcascell@redhat.com>
++Date: Sat, 1 Aug 2020 18:42:38 +0200
++Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
++ net_tx_pkt_add_raw_fragment()
++
++An assertion failure issue was found in the code that processes network packets
++while adding data fragments into the packet context. It could be abused by a
++malicious guest to abort the QEMU process on the host. This patch replaces the
++affected assert() with a conditional statement, returning false if the current
++data fragment exceeds max_raw_frags.
++
++Reported-by: Alexander Bulekov <alxndr@bu.edu>
++Reported-by: Ziming Zhang <ezrakiez@gmail.com>
++Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
++Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
++Signed-off-by: Jason Wang <jasowang@redhat.com>
++
++Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891187
++Last-Update: 2020-08-18
++
++---
++ hw/net/net_tx_pkt.c | 5 ++++-
++ 1 file changed, 4 insertions(+), 1 deletion(-)
++
++diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
++index 9560e4a49e..da262edc3e 100644
++--- a/hw/net/net_tx_pkt.c
+++++ b/hw/net/net_tx_pkt.c
++@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
++     hwaddr mapped_len = 0;
++     struct iovec *ventry;
++     assert(pkt);
++-    assert(pkt->max_raw_frags > pkt->raw_frags);
+++
+++    if (pkt->raw_frags >= pkt->max_raw_frags) {
+++        return false;
+++    }
++
++     if (!len) {
++         return true;
++--
++2.28.0
++
 diff --git a/debian/patches/ubuntu/lp1890881-linux-user-completely-re-write-init_guest_space.patch b/debian/patches/ubuntu/lp1890881-linux-user-completely-re-write-init_guest_space.patch
 new file mode 100644
 index 0000000..ea287eb
 --- /dev/null
 +++ b/debian/patches/ubuntu/lp1890881-linux-user-completely-re-write-init_guest_space.patch
@@ -0,0 +1,725 @@
++From ee94743034bfb443cf246eda4971bdc15d8ee066 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
++Date: Wed, 13 May 2020 18:51:28 +0100
++Subject: [PATCH] linux-user: completely re-write init_guest_space
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++First we ensure all guest space initialisation logic comes through
++probe_guest_base once we understand the nature of the binary we are
++loading. The convoluted init_guest_space routine is removed and
++replaced with a number of pgb_* helpers which are called depending on
++what requirements we have when loading the binary.
++
++We first try to do what is requested by the host. Failing that we try
++and satisfy the guest requested base address. If all those options
++fail we fall back to finding a space in the memory map using our
++recently written read_self_maps() helper.
++
++There are some additional complications we try and take into account
++when looking for holes in the address space. We try not to go directly
++after the system brk() space so there is space for a little growth. We
++also don't want to have to use negative offsets which would result in
++slightly less efficient code on x86 when it's unable to use the
++segment offset register.
++
++Less mind-binding gotos and hopefully clearer logic throughout.
++
++Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
++Acked-by: Laurent Vivier <laurent@vivier.eu>
++
++Message-Id: <20200513175134.19619-5-alex.bennee@linaro.org>
++
++Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=ee947430
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1890881
++Last-Update: 2020-08-19
++
++---
++ linux-user/elfload.c  | 503 +++++++++++++++++++++---------------------
++ linux-user/flatload.c |   6 +
++ linux-user/main.c     |  23 +-
++ linux-user/qemu.h     |  31 ++-
++ 4 files changed, 277 insertions(+), 286 deletions(-)
++
++diff --git a/linux-user/elfload.c b/linux-user/elfload.c
++index 619c054cc4..01a9323a63 100644
++--- a/linux-user/elfload.c
+++++ b/linux-user/elfload.c
++@@ -11,6 +11,7 @@
++ #include "qemu/queue.h"
++ #include "qemu/guest-random.h"
++ #include "qemu/units.h"
+++#include "qemu/selfmap.h"
++
++ #ifdef _ARCH_PPC64
++ #undef ARCH_DLINFO
++@@ -382,68 +383,30 @@ enum {
++
++ /* The commpage only exists for 32 bit kernels */
++
++-/* Return 1 if the proposed guest space is suitable for the guest.
++- * Return 0 if the proposed guest space isn't suitable, but another
++- * address space should be tried.
++- * Return -1 if there is no way the proposed guest space can be
++- * valid regardless of the base.
++- * The guest code may leave a page mapped and populate it if the
++- * address is suitable.
++- */
++-static int init_guest_commpage(unsigned long guest_base,
++-                               unsigned long guest_size)
++-{
++-    unsigned long real_start, test_page_addr;
++-
++-    /* We need to check that we can force a fault on access to the
++-     * commpage at 0xffff0fxx
++-     */
++-    test_page_addr = guest_base + (0xffff0f00 & qemu_host_page_mask);
++-
++-    /* If the commpage lies within the already allocated guest space,
++-     * then there is no way we can allocate it.
++-     *
++-     * You may be thinking that that this check is redundant because
++-     * we already validated the guest size against MAX_RESERVED_VA;
++-     * but if qemu_host_page_mask is unusually large, then
++-     * test_page_addr may be lower.
++-     */
++-    if (test_page_addr >= guest_base
++-        && test_page_addr < (guest_base + guest_size)) {
++-        return -1;
++-    }
+++#define ARM_COMMPAGE (intptr_t)0xffff0f00u
++
++-    /* Note it needs to be writeable to let us initialise it */
++-    real_start = (unsigned long)
++-                 mmap((void *)test_page_addr, qemu_host_page_size,
++-                     PROT_READ | PROT_WRITE,
++-                     MAP_ANONYMOUS | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+++static bool init_guest_commpage(void)
+++{
+++    void *want = g2h(ARM_COMMPAGE & -qemu_host_page_size);
+++    void *addr = mmap(want, qemu_host_page_size, PROT_READ | PROT_WRITE,
+++                      MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
++
++-    /* If we can't map it then try another address */
++-    if (real_start == -1ul) {
++-        return 0;
+++    if (addr == MAP_FAILED) {
+++        perror("Allocating guest commpage");
+++        exit(EXIT_FAILURE);
++     }
++-
++-    if (real_start != test_page_addr) {
++-        /* OS didn't put the page where we asked - unmap and reject */
++-        munmap((void *)real_start, qemu_host_page_size);
++-        return 0;
+++    if (addr != want) {
+++        return false;
++     }
++
++-    /* Leave the page mapped
++-     * Populate it (mmap should have left it all 0'd)
++-     */
++-
++-    /* Kernel helper versions */
++-    __put_user(5, (uint32_t *)g2h(0xffff0ffcul));
+++    /* Set kernel helper versions; rest of page is 0.  */
+++    __put_user(5, (uint32_t *)g2h(0xffff0ffcu));
++
++-    /* Now it's populated make it RO */
++-    if (mprotect((void *)test_page_addr, qemu_host_page_size, PROT_READ)) {
+++    if (mprotect(addr, qemu_host_page_size, PROT_READ)) {
++         perror("Protecting guest commpage");
++-        exit(-1);
+++        exit(EXIT_FAILURE);
++     }
++-
++-    return 1; /* All good */
+++    return true;
++ }
++
++ #define ELF_HWCAP get_elf_hwcap()
++@@ -2075,239 +2038,267 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
++     return sp;
++ }
++
++-unsigned long init_guest_space(unsigned long host_start,
++-                               unsigned long host_size,
++-                               unsigned long guest_start,
++-                               bool fixed)
++-{
++-    /* In order to use host shmat, we must be able to honor SHMLBA.  */
++-    unsigned long align = MAX(SHMLBA, qemu_host_page_size);
++-    unsigned long current_start, aligned_start;
++-    int flags;
++-
++-    assert(host_start || host_size);
++-
++-    /* If just a starting address is given, then just verify that
++-     * address.  */
++-    if (host_start && !host_size) {
++-#if defined(TARGET_ARM) && !defined(TARGET_AARCH64)
++-        if (init_guest_commpage(host_start, host_size) != 1) {
++-            return (unsigned long)-1;
++-        }
+++#ifndef ARM_COMMPAGE
+++#define ARM_COMMPAGE 0
+++#define init_guest_commpage() true
++ #endif
++-        return host_start;
++-    }
++
++-    /* Setup the initial flags and start address.  */
++-    current_start = host_start & -align;
++-    flags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE;
++-    if (fixed) {
++-        flags |= MAP_FIXED;
++-    }
+++static void pgb_fail_in_use(const char *image_name)
+++{
+++    error_report("%s: requires virtual address space that is in use "
+++                 "(omit the -B option or choose a different value)",
+++                 image_name);
+++    exit(EXIT_FAILURE);
+++}
++
++-    /* Otherwise, a non-zero size region of memory needs to be mapped
++-     * and validated.  */
+++static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
+++                                abi_ulong guest_hiaddr, long align)
+++{
+++    const int flags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE;
+++    void *addr, *test;
++
++-#if defined(TARGET_ARM) && !defined(TARGET_AARCH64)
++-    /* On 32-bit ARM, we need to map not just the usable memory, but
++-     * also the commpage.  Try to find a suitable place by allocating
++-     * a big chunk for all of it.  If host_start, then the naive
++-     * strategy probably does good enough.
++-     */
++-    if (!host_start) {
++-        unsigned long guest_full_size, host_full_size, real_start;
++-
++-        guest_full_size =
++-            (0xffff0f00 & qemu_host_page_mask) + qemu_host_page_size;
++-        host_full_size = guest_full_size - guest_start;
++-        real_start = (unsigned long)
++-            mmap(NULL, host_full_size, PROT_NONE, flags, -1, 0);
++-        if (real_start == (unsigned long)-1) {
++-            if (host_size < host_full_size - qemu_host_page_size) {
++-                /* We failed to map a continous segment, but we're
++-                 * allowed to have a gap between the usable memory and
++-                 * the commpage where other things can be mapped.
++-                 * This sparseness gives us more flexibility to find
++-                 * an address range.
++-                 */
++-                goto naive;
++-            }
++-            return (unsigned long)-1;
+++    if (!QEMU_IS_ALIGNED(guest_base, align)) {
+++        fprintf(stderr, "Requested guest base 0x%lx does not satisfy "
+++                "host minimum alignment (0x%lx)\n",
+++                guest_base, align);
+++        exit(EXIT_FAILURE);
+++    }
+++
+++    /* Sanity check the guest binary. */
+++    if (reserved_va) {
+++        if (guest_hiaddr > reserved_va) {
+++            error_report("%s: requires more than reserved virtual "
+++                         "address space (0x%" PRIx64 " > 0x%lx)",
+++                         image_name, (uint64_t)guest_hiaddr, reserved_va);
+++            exit(EXIT_FAILURE);
++         }
++-        munmap((void *)real_start, host_full_size);
++-        if (real_start & (align - 1)) {
++-            /* The same thing again, but with extra
++-             * so that we can shift around alignment.
++-             */
++-            unsigned long real_size = host_full_size + qemu_host_page_size;
++-            real_start = (unsigned long)
++-                mmap(NULL, real_size, PROT_NONE, flags, -1, 0);
++-            if (real_start == (unsigned long)-1) {
++-                if (host_size < host_full_size - qemu_host_page_size) {
++-                    goto naive;
++-                }
++-                return (unsigned long)-1;
++-            }
++-            munmap((void *)real_start, real_size);
++-            real_start = ROUND_UP(real_start, align);
+++    } else {
+++        if ((guest_hiaddr - guest_base) > ~(uintptr_t)0) {
+++            error_report("%s: requires more virtual address space "
+++                         "than the host can provide (0x%" PRIx64 ")",
+++                         image_name, (uint64_t)guest_hiaddr - guest_base);
+++            exit(EXIT_FAILURE);
++         }
++-        current_start = real_start;
++     }
++- naive:
++-#endif
++
++-    while (1) {
++-        unsigned long real_start, real_size, aligned_size;
++-        aligned_size = real_size = host_size;
+++    /*
+++     * Expand the allocation to the entire reserved_va.
+++     * Exclude the mmap_min_addr hole.
+++     */
+++    if (reserved_va) {
+++        guest_loaddr = (guest_base >= mmap_min_addr ? 0
+++                        : mmap_min_addr - guest_base);
+++        guest_hiaddr = reserved_va;
+++    }
++
++-        /* Do not use mmap_find_vma here because that is limited to the
++-         * guest address space.  We are going to make the
++-         * guest address space fit whatever we're given.
++-         */
++-        real_start = (unsigned long)
++-            mmap((void *)current_start, host_size, PROT_NONE, flags, -1, 0);
++-        if (real_start == (unsigned long)-1) {
++-            return (unsigned long)-1;
++-        }
+++    /* Reserve the address space for the binary, or reserved_va. */
+++    test = g2h(guest_loaddr);
+++    addr = mmap(test, guest_hiaddr - guest_loaddr, PROT_NONE, flags, -1, 0);
+++    if (test != addr) {
+++        pgb_fail_in_use(image_name);
+++    }
+++}
++
++-        /* Check to see if the address is valid.  */
++-        if (host_start && real_start != current_start) {
++-            qemu_log_mask(CPU_LOG_PAGE, "invalid %lx && %lx != %lx\n",
++-                          host_start, real_start, current_start);
++-            goto try_again;
+++/* Return value for guest_base, or -1 if no hole found. */
+++static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size,
+++                               long align)
+++{
+++    GSList *maps, *iter;
+++    uintptr_t this_start, this_end, next_start, brk;
+++    intptr_t ret = -1;
+++
+++    assert(QEMU_IS_ALIGNED(guest_loaddr, align));
+++
+++    maps = read_self_maps();
+++
+++    /* Read brk after we've read the maps, which will malloc. */
+++    brk = (uintptr_t)sbrk(0);
+++
+++    /* The first hole is before the first map entry. */
+++    this_start = mmap_min_addr;
+++
+++    for (iter = maps; iter;
+++         this_start = next_start, iter = g_slist_next(iter)) {
+++        uintptr_t align_start, hole_size;
+++
+++        this_end = ((MapInfo *)iter->data)->start;
+++        next_start = ((MapInfo *)iter->data)->end;
+++        align_start = ROUND_UP(this_start, align);
+++
+++        /* Skip holes that are too small. */
+++        if (align_start >= this_end) {
+++            continue;
+++        }
+++        hole_size = this_end - align_start;
+++        if (hole_size < guest_size) {
+++            continue;
++         }
++
++-        /* Ensure the address is properly aligned.  */
++-        if (real_start & (align - 1)) {
++-            /* Ideally, we adjust like
++-             *
++-             *    pages: [  ][  ][  ][  ][  ]
++-             *      old:   [   real   ]
++-             *             [ aligned  ]
++-             *      new:   [     real     ]
++-             *               [ aligned  ]
++-             *
++-             * But if there is something else mapped right after it,
++-             * then obviously it won't have room to grow, and the
++-             * kernel will put the new larger real someplace else with
++-             * unknown alignment (if we made it to here, then
++-             * fixed=false).  Which is why we grow real by a full page
++-             * size, instead of by part of one; so that even if we get
++-             * moved, we can still guarantee alignment.  But this does
++-             * mean that there is a padding of < 1 page both before
++-             * and after the aligned range; the "after" could could
++-             * cause problems for ARM emulation where it could butt in
++-             * to where we need to put the commpage.
++-             */
++-            munmap((void *)real_start, host_size);
++-            real_size = aligned_size + align;
++-            real_start = (unsigned long)
++-                mmap((void *)real_start, real_size, PROT_NONE, flags, -1, 0);
++-            if (real_start == (unsigned long)-1) {
++-                return (unsigned long)-1;
+++        /* If this hole contains brk, give ourselves some room to grow. */
+++        if (this_start <= brk && brk < this_end) {
+++            hole_size -= guest_size;
+++            if (sizeof(uintptr_t) == 8 && hole_size >= 1 * GiB) {
+++                align_start += 1 * GiB;
+++            } else if (hole_size >= 16 * MiB) {
+++                align_start += 16 * MiB;
+++            } else {
+++                align_start = (this_end - guest_size) & -align;
+++                if (align_start < this_start) {
+++                    continue;
+++                }
++             }
++-            aligned_start = ROUND_UP(real_start, align);
++-        } else {
++-            aligned_start = real_start;
++         }
++
++-#if defined(TARGET_ARM) && !defined(TARGET_AARCH64)
++-        /* On 32-bit ARM, we need to also be able to map the commpage.  */
++-        int valid = init_guest_commpage(aligned_start - guest_start,
++-                                        aligned_size + guest_start);
++-        if (valid == -1) {
++-            munmap((void *)real_start, real_size);
++-            return (unsigned long)-1;
++-        } else if (valid == 0) {
++-            goto try_again;
+++        /* Record the lowest successful match. */
+++        if (ret < 0) {
+++            ret = align_start - guest_loaddr;
++         }
++-#endif
++-
++-        /* If nothing has said `return -1` or `goto try_again` yet,
++-         * then the address we have is good.
++-         */
++-        break;
++-
++-    try_again:
++-        /* That address didn't work.  Unmap and try a different one.
++-         * The address the host picked because is typically right at
++-         * the top of the host address space and leaves the guest with
++-         * no usable address space.  Resort to a linear search.  We
++-         * already compensated for mmap_min_addr, so this should not
++-         * happen often.  Probably means we got unlucky and host
++-         * address space randomization put a shared library somewhere
++-         * inconvenient.
++-         *
++-         * This is probably a good strategy if host_start, but is
++-         * probably a bad strategy if not, which means we got here
++-         * because of trouble with ARM commpage setup.
++-         */
++-        if (munmap((void *)real_start, real_size) != 0) {
++-            error_report("%s: failed to unmap %lx:%lx (%s)", __func__,
++-                         real_start, real_size, strerror(errno));
++-            abort();
+++        /* If this hole contains the identity map, select it. */
+++        if (align_start <= guest_loaddr &&
+++            guest_loaddr + guest_size <= this_end) {
+++            ret = 0;
++         }
++-        current_start += align;
++-        if (host_start == current_start) {
++-            /* Theoretically possible if host doesn't have any suitably
++-             * aligned areas.  Normally the first mmap will fail.
++-             */
++-            return (unsigned long)-1;
+++        /* If this hole ends above the identity map, stop looking. */
+++        if (this_end >= guest_loaddr) {
+++            break;
++         }
++     }
+++    free_self_maps(maps);
++
++-    qemu_log_mask(CPU_LOG_PAGE, "Reserved 0x%lx bytes of guest address space\n", host_size);
++-
++-    return aligned_start;
+++    return ret;
++ }
++
++-static void probe_guest_base(const char *image_name,
++-                             abi_ulong loaddr, abi_ulong hiaddr)
+++static void pgb_static(const char *image_name, abi_ulong orig_loaddr,
+++                       abi_ulong orig_hiaddr, long align)
++ {
++-    /* Probe for a suitable guest base address, if the user has not set
++-     * it explicitly, and set guest_base appropriately.
++-     * In case of error we will print a suitable message and exit.
++-     */
++-    const char *errmsg;
++-    if (!have_guest_base && !reserved_va) {
++-        unsigned long host_start, real_start, host_size;
+++    uintptr_t loaddr = orig_loaddr;
+++    uintptr_t hiaddr = orig_hiaddr;
+++    uintptr_t addr;
++
++-        /* Round addresses to page boundaries.  */
++-        loaddr &= qemu_host_page_mask;
++-        hiaddr = HOST_PAGE_ALIGN(hiaddr);
+++    if (hiaddr != orig_hiaddr) {
+++        error_report("%s: requires virtual address space that the "
+++                     "host cannot provide (0x%" PRIx64 ")",
+++                     image_name, (uint64_t)orig_hiaddr);
+++        exit(EXIT_FAILURE);
+++    }
++
++-        if (loaddr < mmap_min_addr) {
++-            host_start = HOST_PAGE_ALIGN(mmap_min_addr);
+++    loaddr &= -align;
+++    if (ARM_COMMPAGE) {
+++        /*
+++         * Extend the allocation to include the commpage.
+++         * For a 64-bit host, this is just 4GiB; for a 32-bit host,
+++         * the address arithmetic will wrap around, but the difference
+++         * will produce the correct allocation size.
+++         */
+++        if (sizeof(uintptr_t) == 8 || loaddr >= 0x80000000u) {
+++            hiaddr = (uintptr_t)4 << 30;
++         } else {
++-            host_start = loaddr;
++-            if (host_start != loaddr) {
++-                errmsg = "Address overflow loading ELF binary";
++-                goto exit_errmsg;
++-            }
+++            loaddr = ARM_COMMPAGE & -align;
++         }
++-        host_size = hiaddr - loaddr;
+++    }
++
++-        /* Setup the initial guest memory space with ranges gleaned from
++-         * the ELF image that is being loaded.
+++    addr = pgb_find_hole(loaddr, hiaddr - loaddr, align);
+++    if (addr == -1) {
+++        /*
+++         * If ARM_COMMPAGE, there *might* be a non-consecutive allocation
+++         * that can satisfy both.  But as the normal arm32 link base address
+++         * is ~32k, and we extend down to include the commpage, making the
+++         * overhead only ~96k, this is unlikely.
++          */
++-        real_start = init_guest_space(host_start, host_size, loaddr, false);
++-        if (real_start == (unsigned long)-1) {
++-            errmsg = "Unable to find space for application";
++-            goto exit_errmsg;
++-        }
++-        guest_base = real_start - loaddr;
+++        error_report("%s: Unable to allocate %#zx bytes of "
+++                     "virtual address space", image_name,
+++                     (size_t)(hiaddr - loaddr));
+++        exit(EXIT_FAILURE);
+++    }
+++
+++    guest_base = addr;
+++}
+++
+++static void pgb_dynamic(const char *image_name, long align)
+++{
+++    /*
+++     * The executable is dynamic and does not require a fixed address.
+++     * All we need is a commpage that satisfies align.
+++     * If we do not need a commpage, leave guest_base == 0.
+++     */
+++    if (ARM_COMMPAGE) {
+++        uintptr_t addr, commpage;
++
++-        qemu_log_mask(CPU_LOG_PAGE, "Relocating guest address space from 0x"
++-                      TARGET_ABI_FMT_lx " to 0x%lx\n",
++-                      loaddr, real_start);
+++        /* 64-bit hosts should have used reserved_va. */
+++        assert(sizeof(uintptr_t) == 4);
+++
+++        /*
+++         * By putting the commpage at the first hole, that puts guest_base
+++         * just above that, and maximises the positive guest addresses.
+++         */
+++        commpage = ARM_COMMPAGE & -align;
+++        addr = pgb_find_hole(commpage, -commpage, align);
+++        assert(addr != -1);
+++        guest_base = addr;
++     }
++-    return;
+++}
++
++-exit_errmsg:
++-    fprintf(stderr, "%s: %s\n", image_name, errmsg);
++-    exit(-1);
+++static void pgb_reserved_va(const char *image_name, abi_ulong guest_loaddr,
+++                            abi_ulong guest_hiaddr, long align)
+++{
+++    const int flags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE;
+++    void *addr, *test;
+++
+++    if (guest_hiaddr > reserved_va) {
+++        error_report("%s: requires more than reserved virtual "
+++                     "address space (0x%" PRIx64 " > 0x%lx)",
+++                     image_name, (uint64_t)guest_hiaddr, reserved_va);
+++        exit(EXIT_FAILURE);
+++    }
+++
+++    /* Widen the "image" to the entire reserved address space. */
+++    pgb_static(image_name, 0, reserved_va, align);
+++
+++    /* Reserve the memory on the host. */
+++    assert(guest_base != 0);
+++    test = g2h(0);
+++    addr = mmap(test, reserved_va, PROT_NONE, flags, -1, 0);
+++    if (addr == MAP_FAILED) {
+++        error_report("Unable to reserve 0x%lx bytes of virtual address "
+++                     "space for use as guest address space (check your "
+++                     "virtual memory ulimit setting or reserve less "
+++                     "using -R option)", reserved_va);
+++        exit(EXIT_FAILURE);
+++    }
+++    assert(addr == test);
++ }
++
+++void probe_guest_base(const char *image_name, abi_ulong guest_loaddr,
+++                      abi_ulong guest_hiaddr)
+++{
+++    /* In order to use host shmat, we must be able to honor SHMLBA.  */
+++    uintptr_t align = MAX(SHMLBA, qemu_host_page_size);
+++
+++    if (have_guest_base) {
+++        pgb_have_guest_base(image_name, guest_loaddr, guest_hiaddr, align);
+++    } else if (reserved_va) {
+++        pgb_reserved_va(image_name, guest_loaddr, guest_hiaddr, align);
+++    } else if (guest_loaddr) {
+++        pgb_static(image_name, guest_loaddr, guest_hiaddr, align);
+++    } else {
+++        pgb_dynamic(image_name, align);
+++    }
+++
+++    /* Reserve and initialize the commpage. */
+++    if (!init_guest_commpage()) {
+++        /*
+++         * With have_guest_base, the user has selected the address and
+++         * we are trying to work with that.  Otherwise, we have selected
+++         * free space and init_guest_commpage must succeeded.
+++         */
+++        assert(have_guest_base);
+++        pgb_fail_in_use(image_name);
+++    }
+++
+++    assert(QEMU_IS_ALIGNED(guest_base, align));
+++    qemu_log_mask(CPU_LOG_PAGE, "Locating guest address space "
+++                  "@ 0x%" PRIx64 "\n", (uint64_t)guest_base);
+++}
++
++ /* Load an ELF image into the address space.
++
++@@ -2399,6 +2390,12 @@ static void load_elf_image(const char *image_name, int image_fd,
++              * MMAP_MIN_ADDR or the QEMU application itself.
++              */
++             probe_guest_base(image_name, loaddr, hiaddr);
+++        } else {
+++            /*
+++             * The binary is dynamic, but we still need to
+++             * select guest_base.  In this case we pass a size.
+++             */
+++            probe_guest_base(image_name, 0, hiaddr - loaddr);
++         }
++     }
++
++diff --git a/linux-user/flatload.c b/linux-user/flatload.c
++index 66901f39cc..8fb448f0bf 100644
++--- a/linux-user/flatload.c
+++++ b/linux-user/flatload.c
++@@ -441,6 +441,12 @@ static int load_flat_file(struct linux_binprm * bprm,
++     indx_len = MAX_SHARED_LIBS * sizeof(abi_ulong);
++     indx_len = (indx_len + 15) & ~(abi_ulong)15;
++
+++    /*
+++     * Alloate the address space.
+++     */
+++    probe_guest_base(bprm->filename, 0,
+++                     text_len + data_len + extra + indx_len);
+++
++     /*
++      * there are a couple of cases here,  the separate code/data
++      * case,  and then the fully copied to RAM case which lumps
++diff --git a/linux-user/main.c b/linux-user/main.c
++index 2cd443237d..e18c1fb952 100644
++--- a/linux-user/main.c
+++++ b/linux-user/main.c
++@@ -24,6 +24,7 @@
++ #include "qemu-version.h"
++ #include <sys/syscall.h>
++ #include <sys/resource.h>
+++#include <sys/shm.h>
++
++ #include "qapi/error.h"
++ #include "qemu.h"
++@@ -747,28 +748,6 @@ int main(int argc, char **argv, char **envp)
++     target_environ = envlist_to_environ(envlist, NULL);
++     envlist_free(envlist);
++
++-    /*
++-     * Now that page sizes are configured in tcg_exec_init() we can do
++-     * proper page alignment for guest_base.
++-     */
++-    guest_base = HOST_PAGE_ALIGN(guest_base);
++-
++-    if (reserved_va || have_guest_base) {
++-        guest_base = init_guest_space(guest_base, reserved_va, 0,
++-                                      have_guest_base);
++-        if (guest_base == (unsigned long)-1) {
++-            fprintf(stderr, "Unable to reserve 0x%lx bytes of virtual address "
++-                    "space for use as guest address space (check your virtual "
++-                    "memory ulimit setting or reserve less using -R option)\n",
++-                    reserved_va);
++-            exit(EXIT_FAILURE);
++-        }
++-
++-        if (reserved_va) {
++-            mmap_next_start = reserved_va;
++-        }
++-    }
++-
++     /*
++      * Read in mmap_min_addr kernel parameter.  This value is used
++      * When loading the ELF image to determine whether guest_base
++diff --git a/linux-user/qemu.h b/linux-user/qemu.h
++index 792c74290f..ce902f5132 100644
++--- a/linux-user/qemu.h
+++++ b/linux-user/qemu.h
++@@ -219,18 +219,27 @@ void init_qemu_uname_release(void);
++ void fork_start(void);
++ void fork_end(int child);
++
++-/* Creates the initial guest address space in the host memory space using
++- * the given host start address hint and size.  The guest_start parameter
++- * specifies the start address of the guest space.  guest_base will be the
++- * difference between the host start address computed by this function and
++- * guest_start.  If fixed is specified, then the mapped address space must
++- * start at host_start.  The real start address of the mapped memory space is
++- * returned or -1 if there was an error.
+++/**
+++ * probe_guest_base:
+++ * @image_name: the executable being loaded
+++ * @loaddr: the lowest fixed address in the executable
+++ * @hiaddr: the highest fixed address in the executable
+++ *
+++ * Creates the initial guest address space in the host memory space.
+++ *
+++ * If @loaddr == 0, then no address in the executable is fixed,
+++ * i.e. it is fully relocatable.  In that case @hiaddr is the size
+++ * of the executable.
+++ *
+++ * This function will not return if a valid value for guest_base
+++ * cannot be chosen.  On return, the executable loader can expect
+++ *
+++ *    target_mmap(loaddr, hiaddr - loaddr, ...)
+++ *
+++ * to succeed.
++  */
++-unsigned long init_guest_space(unsigned long host_start,
++-                               unsigned long host_size,
++-                               unsigned long guest_start,
++-                               bool fixed);
+++void probe_guest_base(const char *image_name,
+++                      abi_ulong loaddr, abi_ulong hiaddr);
++
++ #include "qemu/log.h"
++
++--
++2.28.0
++
 diff --git a/debian/patches/ubuntu/lp1890881-linux-user-deal-with-address-wrap-for-ARM_COMMPAGE-o.patch b/debian/patches/ubuntu/lp1890881-linux-user-deal-with-address-wrap-for-ARM_COMMPAGE-o.patch
 new file mode 100644
 index 0000000..7733e6a
 --- /dev/null
 +++ b/debian/patches/ubuntu/lp1890881-linux-user-deal-with-address-wrap-for-ARM_COMMPAGE-o.patch
@@ -0,0 +1,154 @@
++From 5c3e87f345ac93de9260f12c408d2afd87a6ab3b Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
++Date: Fri, 5 Jun 2020 16:49:27 +0100
++Subject: [PATCH] linux-user: deal with address wrap for ARM_COMMPAGE on 32 bit
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++We rely on the pointer to wrap when accessing the high address of the
++COMMPAGE so it lands somewhere reasonable. However on 32 bit hosts we
++cannot afford just to map the entire 4gb address range. The old mmap
++trial and error code handled this by just checking we could map both
++the guest_base and the computed COMMPAGE address.
++
++We can't just manipulate loadaddr to get what we want so we introduce
++an offset which pgb_find_hole can apply when looking for a gap for
++guest_base that ensures there is space left to map the COMMPAGE
++afterwards.
++
++This is arguably a little inefficient for the one 32 bit
++value (kuser_helper_version) we need to keep there given all the
++actual code entries are picked up during the translation phase.
++
++Fixes: ee94743034b
++Bug: https://bugs.launchpad.net/qemu/+bug/1880225
++Cc: Bug 1880225 <1880225@bugs.launchpad.net>
++Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
++Tested-by: Aleksandar Markovic <aleksandar.qemu.devel@gmail.com>
++Cc: Richard Henderson <richard.henderson@linaro.org>
++Cc: Peter Maydell <peter.maydell@linaro.org>
++Message-Id: <20200605154929.26910-13-alex.bennee@linaro.org>
++
++Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=5c3e87f345ac93de9260f12c408d2afd87a6ab3b
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1890881
++Last-Update: 2020-08-19
++
++---
++ linux-user/elfload.c | 31 +++++++++++++++++--------------
++ 1 file changed, 17 insertions(+), 14 deletions(-)
++
++diff --git a/linux-user/elfload.c b/linux-user/elfload.c
++index 475d243f3b..b5cb21384a 100644
++--- a/linux-user/elfload.c
+++++ b/linux-user/elfload.c
++@@ -389,7 +389,7 @@ static bool init_guest_commpage(void)
++ {
++     void *want = g2h(ARM_COMMPAGE & -qemu_host_page_size);
++     void *addr = mmap(want, qemu_host_page_size, PROT_READ | PROT_WRITE,
++-                      MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+++                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
++
++     if (addr == MAP_FAILED) {
++         perror("Allocating guest commpage");
++@@ -2113,7 +2113,8 @@ static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
++  * only dumbly iterate up the host address space seeing if the
++  * allocation would work.
++  */
++-static uintptr_t pgd_find_hole_fallback(uintptr_t guest_size, uintptr_t brk, long align)
+++static uintptr_t pgd_find_hole_fallback(uintptr_t guest_size, uintptr_t brk,
+++                                        long align, uintptr_t offset)
++ {
++     uintptr_t base;
++
++@@ -2123,7 +2124,7 @@ static uintptr_t pgd_find_hole_fallback(uintptr_t guest_size, uintptr_t brk, lon
++     while (true) {
++         uintptr_t align_start, end;
++         align_start = ROUND_UP(base, align);
++-        end = align_start + guest_size;
+++        end = align_start + guest_size + offset;
++
++         /* if brk is anywhere in the range give ourselves some room to grow. */
++         if (align_start <= brk && brk < end) {
++@@ -2138,7 +2139,7 @@ static uintptr_t pgd_find_hole_fallback(uintptr_t guest_size, uintptr_t brk, lon
++                                      PROT_NONE, flags, -1, 0);
++             if (mmap_start != MAP_FAILED) {
++                 munmap((void *) align_start, guest_size);
++-                return (uintptr_t) mmap_start;
+++                return (uintptr_t) mmap_start + offset;
++             }
++             base += qemu_host_page_size;
++         }
++@@ -2147,7 +2148,7 @@ static uintptr_t pgd_find_hole_fallback(uintptr_t guest_size, uintptr_t brk, lon
++
++ /* Return value for guest_base, or -1 if no hole found. */
++ static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size,
++-                               long align)
+++                               long align, uintptr_t offset)
++ {
++     GSList *maps, *iter;
++     uintptr_t this_start, this_end, next_start, brk;
++@@ -2161,7 +2162,7 @@ static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size,
++     brk = (uintptr_t)sbrk(0);
++
++     if (!maps) {
++-        return pgd_find_hole_fallback(guest_size, brk, align);
+++        return pgd_find_hole_fallback(guest_size, brk, align, offset);
++     }
++
++     /* The first hole is before the first map entry. */
++@@ -2173,7 +2174,7 @@ static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size,
++
++         this_end = ((MapInfo *)iter->data)->start;
++         next_start = ((MapInfo *)iter->data)->end;
++-        align_start = ROUND_UP(this_start, align);
+++        align_start = ROUND_UP(this_start + offset, align);
++
++         /* Skip holes that are too small. */
++         if (align_start >= this_end) {
++@@ -2223,6 +2224,7 @@ static void pgb_static(const char *image_name, abi_ulong orig_loaddr,
++ {
++     uintptr_t loaddr = orig_loaddr;
++     uintptr_t hiaddr = orig_hiaddr;
+++    uintptr_t offset = 0;
++     uintptr_t addr;
++
++     if (hiaddr != orig_hiaddr) {
++@@ -2236,18 +2238,19 @@ static void pgb_static(const char *image_name, abi_ulong orig_loaddr,
++     if (ARM_COMMPAGE) {
++         /*
++          * Extend the allocation to include the commpage.
++-         * For a 64-bit host, this is just 4GiB; for a 32-bit host,
++-         * the address arithmetic will wrap around, but the difference
++-         * will produce the correct allocation size.
+++         * For a 64-bit host, this is just 4GiB; for a 32-bit host we
+++         * need to ensure there is space bellow the guest_base so we
+++         * can map the commpage in the place needed when the address
+++         * arithmetic wraps around.
++          */
++         if (sizeof(uintptr_t) == 8 || loaddr >= 0x80000000u) {
++-            hiaddr = (uintptr_t)4 << 30;
+++            hiaddr = (uintptr_t) 4 << 30;
++         } else {
++-            loaddr = ARM_COMMPAGE & -align;
+++            offset = -(ARM_COMMPAGE & -align);
++         }
++     }
++
++-    addr = pgb_find_hole(loaddr, hiaddr - loaddr, align);
+++    addr = pgb_find_hole(loaddr, hiaddr - loaddr, align, offset);
++     if (addr == -1) {
++         /*
++          * If ARM_COMMPAGE, there *might* be a non-consecutive allocation
++@@ -2282,7 +2285,7 @@ static void pgb_dynamic(const char *image_name, long align)
++          * just above that, and maximises the positive guest addresses.
++          */
++         commpage = ARM_COMMPAGE & -align;
++-        addr = pgb_find_hole(commpage, -commpage, align);
+++        addr = pgb_find_hole(commpage, -commpage, align, 0);
++         assert(addr != -1);
++         guest_base = addr;
++     }
++--
++2.28.0
++
 diff --git a/debian/patches/ubuntu/lp1890881-linux-user-don-t-use-MAP_FIXED-in-pgd_find_hole_fall.patch b/debian/patches/ubuntu/lp1890881-linux-user-don-t-use-MAP_FIXED-in-pgd_find_hole_fall.patch
 new file mode 100644
 index 0000000..97cd189
 --- /dev/null
 +++ b/debian/patches/ubuntu/lp1890881-linux-user-don-t-use-MAP_FIXED-in-pgd_find_hole_fall.patch
@@ -0,0 +1,78 @@
++From 2667e069e7b5807c69f32109d930967bc1b222cb Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
++Date: Fri, 24 Jul 2020 07:45:01 +0100
++Subject: [PATCH] linux-user: don't use MAP_FIXED in pgd_find_hole_fallback
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++Plain MAP_FIXED has the undesirable behaviour of splatting exiting
++maps so we don't actually achieve what we want when looking for gaps.
++We should be using MAP_FIXED_NOREPLACE. As this isn't always available
++we need to potentially check the returned address to see if the kernel
++gave us what we asked for.
++
++Fixes: ad592e37dfc ("linux-user: provide fallback pgd_find_hole for bare chroots")
++Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
++Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
++Message-Id: <20200724064509.331-9-alex.bennee@linaro.org>
++
++Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=2667e069e7b5807c69f32109d930967bc1b222cb
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1890881
++Last-Update: 2020-08-19
++
++---
++ include/qemu/osdep.h |  3 +++
++ linux-user/elfload.c | 10 ++++++----
++ 2 files changed, 9 insertions(+), 4 deletions(-)
++
++diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
++index 0b1298b3c9..20872e793e 100644
++--- a/include/qemu/osdep.h
+++++ b/include/qemu/osdep.h
++@@ -173,6 +173,9 @@ extern int daemon(int, int);
++ #ifndef MAP_ANONYMOUS
++ #define MAP_ANONYMOUS MAP_ANON
++ #endif
+++#ifndef MAP_FIXED_NOREPLACE
+++#define MAP_FIXED_NOREPLACE 0
+++#endif
++ #ifndef ENOMEDIUM
++ #define ENOMEDIUM ENODEV
++ #endif
++diff --git a/linux-user/elfload.c b/linux-user/elfload.c
++index 7e7f642332..fe9dfe795d 100644
++--- a/linux-user/elfload.c
+++++ b/linux-user/elfload.c
++@@ -2134,12 +2134,15 @@ static uintptr_t pgd_find_hole_fallback(uintptr_t guest_size, uintptr_t brk,
++             /* we have run out of space */
++             return -1;
++         } else {
++-            int flags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE | MAP_FIXED;
+++            int flags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE |
+++                MAP_FIXED_NOREPLACE;
++             void * mmap_start = mmap((void *) align_start, guest_size,
++                                      PROT_NONE, flags, -1, 0);
++             if (mmap_start != MAP_FAILED) {
++                 munmap((void *) align_start, guest_size);
++-                return (uintptr_t) mmap_start + offset;
+++                if (MAP_FIXED_NOREPLACE || mmap_start == (void *) align_start) {
+++                    return (uintptr_t) mmap_start + offset;
+++                }
++             }
++             base += qemu_host_page_size;
++         }
++@@ -2307,9 +2310,8 @@ static void pgb_reserved_va(const char *image_name, abi_ulong guest_loaddr,
++     /* Widen the "image" to the entire reserved address space. */
++     pgb_static(image_name, 0, reserved_va, align);
++
++-#ifdef MAP_FIXED_NOREPLACE
+++    /* osdep.h defines this as 0 if it's missing */
++     flags |= MAP_FIXED_NOREPLACE;
++-#endif
++
++     /* Reserve the memory on the host. */
++     assert(guest_base != 0);
++--
++2.28.0
++
 diff --git a/debian/patches/ubuntu/lp1890881-linux-user-elfload-use-MAP_FIXED_NOREPLACE-in-pgb_re.patch b/debian/patches/ubuntu/lp1890881-linux-user-elfload-use-MAP_FIXED_NOREPLACE-in-pgb_re.patch
 new file mode 100644
 index 0000000..4f365f2
 --- /dev/null
 +++ b/debian/patches/ubuntu/lp1890881-linux-user-elfload-use-MAP_FIXED_NOREPLACE-in-pgb_re.patch
@@ -0,0 +1,66 @@
++From c1f6ad798c7bb328a6f387f2509bf86305383d37 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
++Date: Wed, 1 Jul 2020 14:56:45 +0100
++Subject: [PATCH] linux-user/elfload: use MAP_FIXED_NOREPLACE in
++ pgb_reserved_va
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++Given we assert the requested address matches what we asked we should
++also make that clear in the mmap flags. Otherwise we see failures in
++the GitLab environment for some currently unknown but allowable
++reason. We use MAP_FIXED_NOREPLACE if we can so we don't just clobber
++an existing mapping. Also include the strerror string for a bit more
++info on failure.
++
++Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
++
++Message-Id: <20200701135652.1366-34-alex.bennee@linaro.org>
++
++Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c1f6ad798c7bb328a6f387f2509bf86305383d37
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1890881
++Last-Update: 2020-08-19
++
++---
++ linux-user/elfload.c | 10 +++++++---
++ 1 file changed, 7 insertions(+), 3 deletions(-)
++
++diff --git a/linux-user/elfload.c b/linux-user/elfload.c
++index b5cb21384a..7e7f642332 100644
++--- a/linux-user/elfload.c
+++++ b/linux-user/elfload.c
++@@ -2294,7 +2294,7 @@ static void pgb_dynamic(const char *image_name, long align)
++ static void pgb_reserved_va(const char *image_name, abi_ulong guest_loaddr,
++                             abi_ulong guest_hiaddr, long align)
++ {
++-    const int flags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE;
+++    int flags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE;
++     void *addr, *test;
++
++     if (guest_hiaddr > reserved_va) {
++@@ -2307,15 +2307,19 @@ static void pgb_reserved_va(const char *image_name, abi_ulong guest_loaddr,
++     /* Widen the "image" to the entire reserved address space. */
++     pgb_static(image_name, 0, reserved_va, align);
++
+++#ifdef MAP_FIXED_NOREPLACE
+++    flags |= MAP_FIXED_NOREPLACE;
+++#endif
+++
++     /* Reserve the memory on the host. */
++     assert(guest_base != 0);
++     test = g2h(0);
++     addr = mmap(test, reserved_va, PROT_NONE, flags, -1, 0);
++     if (addr == MAP_FAILED) {
++         error_report("Unable to reserve 0x%lx bytes of virtual address "
++-                     "space for use as guest address space (check your "
+++                     "space (%s) for use as guest address space (check your "
++                      "virtual memory ulimit setting or reserve less "
++-                     "using -R option)", reserved_va);
+++                     "using -R option)", reserved_va, strerror(errno));
++         exit(EXIT_FAILURE);
++     }
++     assert(addr == test);
++--
++2.28.0
++
 diff --git a/debian/patches/ubuntu/lp1890881-linux-user-limit-check-to-HOST_LONG_BITS-TARGET_ABI_.patch b/debian/patches/ubuntu/lp1890881-linux-user-limit-check-to-HOST_LONG_BITS-TARGET_ABI_.patch
 new file mode 100644
 index 0000000..0d95c34
 --- /dev/null
 +++ b/debian/patches/ubuntu/lp1890881-linux-user-limit-check-to-HOST_LONG_BITS-TARGET_ABI_.patch
@@ -0,0 +1,57 @@
++From a932eec49d9ec106c7952314ad1adc28f0986076 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
++Date: Thu, 21 May 2020 14:57:48 +0100
++Subject: [PATCH] linux-user: limit check to HOST_LONG_BITS < TARGET_ABI_BITS
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++Newer clangs rightly spot that you can never exceed the full address
++space of 64 bit hosts with:
++
++  linux-user/elfload.c:2076:41: error: result of comparison 'unsigned
++  long' > 18446744073709551615 is always false
++  [-Werror,-Wtautological-type-limit-compare]
++  4685         if ((guest_hiaddr - guest_base) > ~(uintptr_t)0) {
++  4686             ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~
++  4687 1 error generated.
++
++So lets limit the check to 32 bit hosts only.
++
++Fixes: ee94743034bf
++Reported-by: Thomas Huth <thuth@redhat.com>
++Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
++Message-Id: <20200525131823.715-8-thuth@redhat.com>
++[thuth: Use HOST_LONG_BITS < TARGET_ABI_BITS instead of HOST_LONG_BITS == 32]
++Signed-off-by: Thomas Huth <thuth@redhat.com>
++
++Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a932eec49d9ec106c7952314ad1adc28f0986076
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1890881
++Last-Update: 2020-08-19
++
++---
++ linux-user/elfload.c | 2 ++
++ 1 file changed, 2 insertions(+)
++
++diff --git a/linux-user/elfload.c b/linux-user/elfload.c
++index 01a9323a63..ebc663ea0b 100644
++--- a/linux-user/elfload.c
+++++ b/linux-user/elfload.c
++@@ -2073,12 +2073,14 @@ static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
++             exit(EXIT_FAILURE);
++         }
++     } else {
+++#if HOST_LONG_BITS < TARGET_ABI_BITS
++         if ((guest_hiaddr - guest_base) > ~(uintptr_t)0) {
++             error_report("%s: requires more virtual address space "
++                          "than the host can provide (0x%" PRIx64 ")",
++                          image_name, (uint64_t)guest_hiaddr - guest_base);
++             exit(EXIT_FAILURE);
++         }
+++#endif
++     }
++
++     /*
++--
++2.28.0
++
 diff --git a/debian/patches/ubuntu/lp1890881-linux-user-provide-fallback-pgd_find_hole-for-bare-c.patch b/debian/patches/ubuntu/lp1890881-linux-user-provide-fallback-pgd_find_hole-for-bare-c.patch
 new file mode 100644
 index 0000000..4b124c3
 --- /dev/null
 +++ b/debian/patches/ubuntu/lp1890881-linux-user-provide-fallback-pgd_find_hole-for-bare-c.patch
@@ -0,0 +1,102 @@
++From ad592e37dfccf730378a44c5fa79acb603a7678d Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
++Date: Fri, 5 Jun 2020 16:49:26 +0100
++Subject: [PATCH] linux-user: provide fallback pgd_find_hole for bare chroots
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++When running QEMU out of a chroot environment we may not have access
++to /proc/self/maps. As there is no other "official" way to introspect
++our memory map we need to fall back to the original technique of
++repeatedly trying to mmap an address range until we find one that
++works.
++
++Fortunately it's not quite as ugly as the original code given we
++already re-factored the complications of dealing with the
++ARM_COMMPAGE. We do make an attempt to skip over brk() which is about
++the only concrete piece of information we have about the address map
++at this moment.
++
++Fixes: ee9474303
++Reported-by: Peter Maydell <peter.maydell@linaro.org>
++Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
++Message-Id: <20200605154929.26910-12-alex.bennee@linaro.org>
++
++Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=ad592e37dfccf730378a44c5fa79acb603a7678d
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1890881
++Last-Update: 2020-08-19
++
++---
++ linux-user/elfload.c | 48 ++++++++++++++++++++++++++++++++++++++++++++
++ 1 file changed, 48 insertions(+)
++
++diff --git a/linux-user/elfload.c b/linux-user/elfload.c
++index ebc663ea0b..475d243f3b 100644
++--- a/linux-user/elfload.c
+++++ b/linux-user/elfload.c
++@@ -2101,6 +2101,50 @@ static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
++     }
++ }
++
+++/**
+++ * pgd_find_hole_fallback: potential mmap address
+++ * @guest_size: size of available space
+++ * @brk: location of break
+++ * @align: memory alignment
+++ *
+++ * This is a fallback method for finding a hole in the host address
+++ * space if we don't have the benefit of being able to access
+++ * /proc/self/map. It can potentially take a very long time as we can
+++ * only dumbly iterate up the host address space seeing if the
+++ * allocation would work.
+++ */
+++static uintptr_t pgd_find_hole_fallback(uintptr_t guest_size, uintptr_t brk, long align)
+++{
+++    uintptr_t base;
+++
+++    /* Start (aligned) at the bottom and work our way up */
+++    base = ROUND_UP(mmap_min_addr, align);
+++
+++    while (true) {
+++        uintptr_t align_start, end;
+++        align_start = ROUND_UP(base, align);
+++        end = align_start + guest_size;
+++
+++        /* if brk is anywhere in the range give ourselves some room to grow. */
+++        if (align_start <= brk && brk < end) {
+++            base = brk + (16 * MiB);
+++            continue;
+++        } else if (align_start + guest_size < align_start) {
+++            /* we have run out of space */
+++            return -1;
+++        } else {
+++            int flags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_NORESERVE | MAP_FIXED;
+++            void * mmap_start = mmap((void *) align_start, guest_size,
+++                                     PROT_NONE, flags, -1, 0);
+++            if (mmap_start != MAP_FAILED) {
+++                munmap((void *) align_start, guest_size);
+++                return (uintptr_t) mmap_start;
+++            }
+++            base += qemu_host_page_size;
+++        }
+++    }
+++}
+++
++ /* Return value for guest_base, or -1 if no hole found. */
++ static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size,
++                                long align)
++@@ -2116,6 +2160,10 @@ static uintptr_t pgb_find_hole(uintptr_t guest_loaddr, uintptr_t guest_size,
++     /* Read brk after we've read the maps, which will malloc. */
++     brk = (uintptr_t)sbrk(0);
++
+++    if (!maps) {
+++        return pgd_find_hole_fallback(guest_size, brk, align);
+++    }
+++
++     /* The first hole is before the first map entry. */
++     this_start = mmap_min_addr;
++
++--
++2.28.0
++

Ubuntuqemu package

Merge ~paelzer/ubuntu/+source/qemu:groovy-lp-1890881-lp-1891187 into ubuntu/+source/qemu:ubuntu/groovy-devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
qemu package