Ubuntu
qemu package

Merge ~paelzer/ubuntu/+source/qemu:lp-1894942-s390x-set_ind_atomic-BIONIC into ubuntu/+source/qemu:ubuntu/bionic-devel

  1. Git
  2. lp:~paelzer/ubuntu/+source/qemu
  3. lp-1894942-s390x-set_ind_atomic-BIONIC
  4. Merge into ubuntu/bionic-devel
Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 41ddd7f0bafd9f417b20d555c72a5aff2d70572f
Merged at revision: 41ddd7f0bafd9f417b20d555c72a5aff2d70572f
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1894942-s390x-set_ind_atomic-BIONIC
Merge into: ubuntu/+source/qemu:ubuntu/bionic-devel
Diff against target: 173 lines (+145/-0)
4 files modified
debian/changelog (+6/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1894942-s390x-pci-fix-set_ind_atomic.patch (+67/-0)
debian/patches/ubuntu/lp-1894942-virtio-ccw-fix-virtio_set_ind_atomic.patch (+70/-0)
Reviewer Review Type Date Requested Status
Lucas Kanashiro (community) Approve
Canonical Server packageset reviewers Pending
Canonical Server Pending
Review via email: mp+392164@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4270/+packages

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

* Changelog:
  - [-] old content and logical tag match as expected
  - [√] changelog entry correct version and targeted codename
  - [√] changelog entries correct
  - [√] update-maintainer has been run

* Actual changes:
  - [√] no upstream changes to consider
  - [√] no further upstream version to consider
  - [√] debian changes look safe

* Old Delta:
  - [-] dropped changes are ok to be dropped
  - [√] nothing else to drop
  - [√] changes forwarded upstream/debian (if appropriate)

* New Delta:
  - [-] no new patches added
  - [√] patches match what was proposed upstream
  - [√] patches correctly included in debian/patches/series
  - [√] patches have correct DEP3 metadata

* Build/Test:
  - [√] build is ok
  - [√] verified PPA package installs/uninstalls
  - [-] autopkgtest against the PPA package passes
  - [√] sanity checks test fine

LGTM, +1. I think you did not trigger the autopkgtest run in bileto, right? I have not tried to run autopkgtest myself. Apart from that the changes are good to go.

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

qemu has no tests and no related packages worth pre-testing.
That is why I run the non-autopkgtest regression test suite (to be actually able to use KVM well).
That was fine.

Thanks for the review.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/qemu
 * [new tag] upload/1%2.11+dfsg-1ubuntu7.33 -> upload/1%2.11+dfsg-1ubuntu7.33

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading qemu_2.11+dfsg-1ubuntu7.33.dsc: done.
  Uploading qemu_2.11+dfsg-1ubuntu7.33.debian.tar.xz: done.
  Uploading qemu_2.11+dfsg-1ubuntu7.33_source.buildinfo: done.
  Uploading qemu_2.11+dfsg-1ubuntu7.33_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index f1b8606..3dce226 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,9 @@
6+qemu (1:2.11+dfsg-1ubuntu7.33) bionic; urgency=medium
7+
8+ * d/p/u/lp-1894942-*: fix virtio-ccw host/guest notification (LP: #1894942)
9+
10+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 21 Sep 2020 15:39:32 +0200
11+
12 qemu (1:2.11+dfsg-1ubuntu7.32) bionic-security; urgency=medium
13
14 * SECURITY UPDATE: out-of-bounds read/write in USB emulator
15diff --git a/debian/patches/series b/debian/patches/series
16index 36bef7e..191b104 100644
17--- a/debian/patches/series
18+++ b/debian/patches/series
19@@ -178,3 +178,5 @@ CVE-2020-12829-5.patch
20 CVE-2020-12829-6.patch
21 CVE-2020-12829-7.patch
22 CVE-2020-14364.patch
23+ubuntu/lp-1894942-virtio-ccw-fix-virtio_set_ind_atomic.patch
24+ubuntu/lp-1894942-s390x-pci-fix-set_ind_atomic.patch
25diff --git a/debian/patches/ubuntu/lp-1894942-s390x-pci-fix-set_ind_atomic.patch b/debian/patches/ubuntu/lp-1894942-s390x-pci-fix-set_ind_atomic.patch
26new file mode 100644
27index 0000000..90fd589
28--- /dev/null
29+++ b/debian/patches/ubuntu/lp-1894942-s390x-pci-fix-set_ind_atomic.patch
30@@ -0,0 +1,67 @@
31+From 45175361f1bfc2d3ccdcb4b22570c2352f3de754 Mon Sep 17 00:00:00 2001
32+From: Halil Pasic <pasic@linux.ibm.com>
33+Date: Tue, 16 Jun 2020 06:50:35 +0200
34+Subject: [PATCH] s390x/pci: fix set_ind_atomic
35+
36+The atomic_cmpxchg() loop is broken because we occasionally end up with
37+old and _old having different values (a legit compiler can generate code
38+that accessed *ind_addr again to pick up a value for _old instead of
39+using the value of old that was already fetched according to the
40+rules of the abstract machine). This means the underlying CS instruction
41+may use a different old (_old) than the one we intended to use if
42+atomic_cmpxchg() performed the xchg part.
43+
44+Let us use volatile to force the rules of the abstract machine for
45+accesses to *ind_addr. Let us also rewrite the loop so, we that the
46+new old is used to compute the new desired value if the xchg part
47+is not performed.
48+
49+Fixes: 8cba80c3a0 ("s390: Add PCI bus support")
50+Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
51+Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
52+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
53+Message-Id: <20200616045035.51641-3-pasic@linux.ibm.com>
54+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
55+
56+Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=45175361f1
57+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1894942
58+Last-Update: 2020-09-21
59+
60+---
61+ hw/s390x/s390-pci-bus.c | 16 +++++++++-------
62+ 1 file changed, 9 insertions(+), 7 deletions(-)
63+
64+--- a/hw/s390x/s390-pci-bus.c
65++++ b/hw/s390x/s390-pci-bus.c
66+@@ -637,22 +637,24 @@ static AddressSpace *s390_pci_dma_iommu(
67+
68+ static uint8_t set_ind_atomic(uint64_t ind_loc, uint8_t to_be_set)
69+ {
70+- uint8_t ind_old, ind_new;
71++ uint8_t expected, actual;
72+ hwaddr len = 1;
73+- uint8_t *ind_addr;
74++ /* avoid multiple fetches */
75++ uint8_t volatile *ind_addr;
76+
77+ ind_addr = cpu_physical_memory_map(ind_loc, &len, 1);
78+ if (!ind_addr) {
79+ s390_pci_generate_error_event(ERR_EVENT_AIRERR, 0, 0, 0, 0);
80+ return -1;
81+ }
82++ actual = *ind_addr;
83+ do {
84+- ind_old = *ind_addr;
85+- ind_new = ind_old | to_be_set;
86+- } while (atomic_cmpxchg(ind_addr, ind_old, ind_new) != ind_old);
87+- cpu_physical_memory_unmap(ind_addr, len, 1, len);
88++ expected = actual;
89++ actual = atomic_cmpxchg(ind_addr, expected, expected | to_be_set);
90++ } while (actual != expected);
91++ cpu_physical_memory_unmap((void *)ind_addr, len, 1, len);
92+
93+- return ind_old;
94++ return actual;
95+ }
96+
97+ static void s390_msi_ctrl_write(void *opaque, hwaddr addr, uint64_t data,
98diff --git a/debian/patches/ubuntu/lp-1894942-virtio-ccw-fix-virtio_set_ind_atomic.patch b/debian/patches/ubuntu/lp-1894942-virtio-ccw-fix-virtio_set_ind_atomic.patch
99new file mode 100644
100index 0000000..df9fac2
101--- /dev/null
102+++ b/debian/patches/ubuntu/lp-1894942-virtio-ccw-fix-virtio_set_ind_atomic.patch
103@@ -0,0 +1,70 @@
104+From 1a8242f7c3f53341dd66253b142ecd06ce1d2a97 Mon Sep 17 00:00:00 2001
105+From: Halil Pasic <pasic@linux.ibm.com>
106+Date: Tue, 16 Jun 2020 06:50:34 +0200
107+Subject: [PATCH] virtio-ccw: fix virtio_set_ind_atomic
108+
109+The atomic_cmpxchg() loop is broken because we occasionally end up with
110+old and _old having different values (a legit compiler can generate code
111+that accessed *ind_addr again to pick up a value for _old instead of
112+using the value of old that was already fetched according to the
113+rules of the abstract machine). This means the underlying CS instruction
114+may use a different old (_old) than the one we intended to use if
115+atomic_cmpxchg() performed the xchg part.
116+
117+Let us use volatile to force the rules of the abstract machine for
118+accesses to *ind_addr. Let us also rewrite the loop so, we that the
119+new old is used to compute the new desired value if the xchg part
120+is not performed.
121+
122+Fixes: 7e7494627f ("s390x/virtio-ccw: Adapter interrupt support.")
123+Reported-by: Andre Wild <Andre.Wild1@ibm.com>
124+Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
125+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
126+Message-Id: <20200616045035.51641-2-pasic@linux.ibm.com>
127+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
128+
129+Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=1a8242f7c3
130+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1894942
131+Last-Update: 2020-09-21
132+
133+---
134+ hw/s390x/virtio-ccw.c | 18 ++++++++++--------
135+ 1 file changed, 10 insertions(+), 8 deletions(-)
136+
137+--- a/hw/s390x/virtio-ccw.c
138++++ b/hw/s390x/virtio-ccw.c
139+@@ -786,9 +786,10 @@ static inline VirtioCcwDevice *to_virtio
140+ static uint8_t virtio_set_ind_atomic(SubchDev *sch, uint64_t ind_loc,
141+ uint8_t to_be_set)
142+ {
143+- uint8_t ind_old, ind_new;
144++ uint8_t expected, actual;
145+ hwaddr len = 1;
146+- uint8_t *ind_addr;
147++ /* avoid multiple fetches */
148++ uint8_t volatile *ind_addr;
149+
150+ ind_addr = cpu_physical_memory_map(ind_loc, &len, 1);
151+ if (!ind_addr) {
152+@@ -796,14 +797,15 @@ static uint8_t virtio_set_ind_atomic(Sub
153+ __func__, sch->cssid, sch->ssid, sch->schid);
154+ return -1;
155+ }
156++ actual = *ind_addr;
157+ do {
158+- ind_old = *ind_addr;
159+- ind_new = ind_old | to_be_set;
160+- } while (atomic_cmpxchg(ind_addr, ind_old, ind_new) != ind_old);
161+- trace_virtio_ccw_set_ind(ind_loc, ind_old, ind_new);
162+- cpu_physical_memory_unmap(ind_addr, len, 1, len);
163++ expected = actual;
164++ actual = atomic_cmpxchg(ind_addr, expected, expected | to_be_set);
165++ } while (actual != expected);
166++ trace_virtio_ccw_set_ind(ind_loc, actual, actual | to_be_set);
167++ cpu_physical_memory_unmap((void *)ind_addr, len, 1, len);
168+
169+- return ind_old;
170++ return actual;
171+ }
172+
173+ static void virtio_ccw_notify(DeviceState *d, uint16_t vector)

Subscribers

People subscribed via source and target branches