Ubuntu
qemu package

Merge ~paelzer/ubuntu/+source/qemu:lp-1749393-emu-sbrk-space-FOCAL into ubuntu/+source/qemu:ubuntu/focal-devel

  1. Git
  2. lp:~paelzer/ubuntu/+source/qemu
  3. lp-1749393-emu-sbrk-space-FOCAL
  4. Merge into ubuntu/focal-devel
Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 7bd0792adab4786f8b26ca6319fa83de71ccf282
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1749393-emu-sbrk-space-FOCAL
Merge into: ubuntu/+source/qemu:ubuntu/focal-devel
Diff against target: 293 lines (+265/-0)
4 files modified
debian/changelog (+9/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1749393-linux-user-Reserve-space-for-brk.patch (+158/-0)
debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch (+96/-0)
Reviewer Review Type Date Requested Status
Paride Legovini (community) Approve
Canonical Server packageset reviewers Pending
git-ubuntu developers Pending
Review via email: mp+401771@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4535

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

FYI: This is based on the current latest focal-proposed wich isn't imported yet.
The change/review is only for the last changelog stanza.

In a few hours this will resolve and the diff should also be correct here.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Rebased and refreshed, working the same still.

New build of qemu_4.2-3ubuntu6.19~focalppa3_source.changes started in the PPA.
The tests all completed before and in a VM that I used to debug bug 1928075.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

PPA https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4535
has a new build that also includes bug 1929926 which we wanted to piggy-back on another bug.

Revision history for this message
Paride Legovini (paride) wrote :

LGTM, both the upstream cherry-pick and the upstream backport look fully correct, with nice and complete DEP3 headers. The other debian/* changes are all good.

The PPA builds look fine. There are no autopkgtests but you reported the fixed package passes the KVM regression tests, which are even more meaningful.

Approve, but see my comment here:

https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1929926

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Uploaded to -unapproved

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index 20c9285..34da269 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
1qemu (1:4.2-3ubuntu6.19) focal; urgency=medium
2
3 * d/p/u/lp-1749393-linux-user-Reserve-space-for-brk.patch: fix static
4 use cases needing a lot of brk space (LP: #1749393)
5 * d/p/u/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch:
6 fix uretprobe in s390x TCG (LP: #1929926)
7
8 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 26 Apr 2021 11:11:19 +0200
9
1qemu (1:4.2-3ubuntu6.18) focal; urgency=medium10qemu (1:4.2-3ubuntu6.18) focal; urgency=medium
211
3 * enhance loading of old modules post upgrade (LP: #1913421)12 * enhance loading of old modules post upgrade (LP: #1913421)
diff --git a/debian/patches/series b/debian/patches/series
index 745af86..43a47e7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -307,3 +307,5 @@ CVE-2021-3607.patch
307CVE-2021-3608.patch307CVE-2021-3608.patch
308CVE-2021-20221.patch308CVE-2021-20221.patch
309CVE-2021-20257.patch309CVE-2021-20257.patch
310ubuntu/lp-1749393-linux-user-Reserve-space-for-brk.patch
311ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch
diff --git a/debian/patches/ubuntu/lp-1749393-linux-user-Reserve-space-for-brk.patch b/debian/patches/ubuntu/lp-1749393-linux-user-Reserve-space-for-brk.patch
310new file mode 100644312new file mode 100644
index 0000000..71a89aa
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1749393-linux-user-Reserve-space-for-brk.patch
@@ -0,0 +1,158 @@
1From 6fd5944980f4ccee728ce34bdaffc117db50b34d Mon Sep 17 00:00:00 2001
2From: Richard Henderson <richard.henderson@linaro.org>
3Date: Fri, 17 Jan 2020 13:02:45 -1000
4Subject: [PATCH] linux-user: Reserve space for brk
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9With bad luck, we can wind up with no space at all for brk,
10which will generally cause the guest malloc to fail.
11
12This bad luck is easier to come by with ET_DYN (PIE) binaries,
13where either the stack or the interpreter (ld.so) gets placed
14immediately after the main executable.
15
16But there's nothing preventing this same thing from happening
17with ET_EXEC (normal) binaries, during probe_guest_base().
18
19In both cases, reserve some extra space via mmap and release
20it back to the system after loading the interpreter and
21allocating the stack.
22
23The choice of 16MB is somewhat arbitrary. It's enough for libc
24to get going, but without being so large that 32-bit guests or
2532-bit hosts are in danger of running out of virtual address space.
26It is expected that libc will be able to fall back to mmap arenas
27after the limited brk space is exhausted.
28
29Launchpad: https://bugs.launchpad.net/qemu/+bug/1749393
30Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
31Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
32Tested-by: Alex Bennée <alex.bennee@linaro.org>
33Message-Id: <20200117230245.5040-1-richard.henderson@linaro.org>
34Signed-off-by: Laurent Vivier <laurent@vivier.eu>
35
36Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6fd5944980f4ccee728ce34bdaffc117db50b34d
37Bug-Ubuntu: https://bugs.launchpad.net/bugs/1749393
38Last-Update: 2021-04-26
39
40---
41 linux-user/elfload.c | 73 +++++++++++++++++++++++++++++++++-----------
42 linux-user/qemu.h | 1 +
43 2 files changed, 57 insertions(+), 17 deletions(-)
44
45diff --git a/linux-user/elfload.c b/linux-user/elfload.c
46index 511e450078..f3080a1635 100644
47--- a/linux-user/elfload.c
48+++ b/linux-user/elfload.c
49@@ -10,6 +10,7 @@
50 #include "qemu/path.h"
51 #include "qemu/queue.h"
52 #include "qemu/guest-random.h"
53+#include "qemu/units.h"
54
55 #ifdef _ARCH_PPC64
56 #undef ARCH_DLINFO
57@@ -2364,24 +2365,51 @@ static void load_elf_image(const char *image_name, int image_fd,
58 }
59 }
60
61- load_addr = loaddr;
62- if (ehdr->e_type == ET_DYN) {
63- /* The image indicates that it can be loaded anywhere. Find a
64- location that can hold the memory space required. If the
65- image is pre-linked, LOADDR will be non-zero. Since we do
66- not supply MAP_FIXED here we'll use that address if and
67- only if it remains available. */
68- load_addr = target_mmap(loaddr, hiaddr - loaddr, PROT_NONE,
69- MAP_PRIVATE | MAP_ANON | MAP_NORESERVE,
70- -1, 0);
71- if (load_addr == -1) {
72- goto exit_perror;
73+ if (pinterp_name != NULL) {
74+ /*
75+ * This is the main executable.
76+ *
77+ * Reserve extra space for brk.
78+ * We hold on to this space while placing the interpreter
79+ * and the stack, lest they be placed immediately after
80+ * the data segment and block allocation from the brk.
81+ *
82+ * 16MB is chosen as "large enough" without being so large
83+ * as to allow the result to not fit with a 32-bit guest on
84+ * a 32-bit host.
85+ */
86+ info->reserve_brk = 16 * MiB;
87+ hiaddr += info->reserve_brk;
88+
89+ if (ehdr->e_type == ET_EXEC) {
90+ /*
91+ * Make sure that the low address does not conflict with
92+ * MMAP_MIN_ADDR or the QEMU application itself.
93+ */
94+ probe_guest_base(image_name, loaddr, hiaddr);
95 }
96- } else if (pinterp_name != NULL) {
97- /* This is the main executable. Make sure that the low
98- address does not conflict with MMAP_MIN_ADDR or the
99- QEMU application itself. */
100- probe_guest_base(image_name, loaddr, hiaddr);
101+ }
102+
103+ /*
104+ * Reserve address space for all of this.
105+ *
106+ * In the case of ET_EXEC, we supply MAP_FIXED so that we get
107+ * exactly the address range that is required.
108+ *
109+ * Otherwise this is ET_DYN, and we are searching for a location
110+ * that can hold the memory space required. If the image is
111+ * pre-linked, LOADDR will be non-zero, and the kernel should
112+ * honor that address if it happens to be free.
113+ *
114+ * In both cases, we will overwrite pages in this range with mappings
115+ * from the executable.
116+ */
117+ load_addr = target_mmap(loaddr, hiaddr - loaddr, PROT_NONE,
118+ MAP_PRIVATE | MAP_ANON | MAP_NORESERVE |
119+ (ehdr->e_type == ET_EXEC ? MAP_FIXED : 0),
120+ -1, 0);
121+ if (load_addr == -1) {
122+ goto exit_perror;
123 }
124 load_bias = load_addr - loaddr;
125
126@@ -2860,6 +2888,17 @@ int load_elf_binary(struct linux_binprm *bprm, struct image_info *info)
127 bprm->core_dump = &elf_core_dump;
128 #endif
129
130+ /*
131+ * If we reserved extra space for brk, release it now.
132+ * The implementation of do_brk in syscalls.c expects to be able
133+ * to mmap pages in this space.
134+ */
135+ if (info->reserve_brk) {
136+ abi_ulong start_brk = HOST_PAGE_ALIGN(info->brk);
137+ abi_ulong end_brk = HOST_PAGE_ALIGN(info->brk + info->reserve_brk);
138+ target_munmap(start_brk, end_brk - start_brk);
139+ }
140+
141 return 0;
142 }
143
144diff --git a/linux-user/qemu.h b/linux-user/qemu.h
145index f6f5fe5fbb..560a68090e 100644
146--- a/linux-user/qemu.h
147+++ b/linux-user/qemu.h
148@@ -35,6 +35,7 @@ struct image_info {
149 abi_ulong end_data;
150 abi_ulong start_brk;
151 abi_ulong brk;
152+ abi_ulong reserve_brk;
153 abi_ulong start_mmap;
154 abi_ulong start_stack;
155 abi_ulong stack_limit;
156--
1572.31.1
158
diff --git a/debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch b/debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch
0new file mode 100644159new file mode 100644
index 0000000..a151900
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch
@@ -0,0 +1,96 @@
1From 86131c71b13257e095d8c4f4453d52cbc6553c07 Mon Sep 17 00:00:00 2001
2From: Ilya Leoshkevich <iii@linux.ibm.com>
3Date: Fri, 16 Apr 2021 17:49:36 +0200
4Subject: [PATCH] target/s390x: Fix translation exception on illegal
5 instruction
6
7Hitting an uretprobe in a s390x TCG guest causes a SIGSEGV. What
8happens is:
9
10* uretprobe maps a userspace page containing an invalid instruction.
11* uretprobe replaces the target function's return address with the
12 address of that page.
13* When tb_gen_code() is called on that page, tb->size ends up being 0
14 (because the page starts with the invalid instruction), which causes
15 virt_page2 to point to the previous page.
16* The previous page is not mapped, so this causes a spurious
17 translation exception.
18
19tb->size must never be 0: even if there is an illegal instruction, the
20instruction bytes that have been looked at must count towards tb->size.
21So adjust s390x's translate_one() to act this way for both illegal
22instructions and instructions that are known to generate exceptions.
23
24Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
25Reviewed-by: David Hildenbrand <david@redhat.com>
26Message-Id: <20210416154939.32404-2-iii@linux.ibm.com>
27Signed-off-by: Cornelia Huck <cohuck@redhat.com>
28
29Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=86131c71b13257e095d8c4f4453d52cbc6553c07
30Bug-Ubuntu: https://bugs.launchpad.net/bugs/1929926
31Last-Update: 2021-10-12
32
33---
34 target/s390x/translate.c | 16 +++++++++++-----
35 1 file changed, 11 insertions(+), 5 deletions(-)
36
37--- a/target/s390x/translate.c
38+++ b/target/s390x/translate.c
39@@ -6317,7 +6317,8 @@ static DisasJumpType translate_one(CPUS3
40 qemu_log_mask(LOG_UNIMP, "unimplemented opcode 0x%02x%02x\n",
41 f.op, f.op2);
42 gen_illegal_opcode(s);
43- return DISAS_NORETURN;
44+ ret = DISAS_NORETURN;
45+ goto out;
46 }
47
48 #ifndef CONFIG_USER_ONLY
49@@ -6333,7 +6334,8 @@ static DisasJumpType translate_one(CPUS3
50 /* privileged instruction */
51 if ((s->base.tb->flags & FLAG_MASK_PSTATE) && (insn->flags & IF_PRIV)) {
52 gen_program_exception(s, PGM_PRIVILEGED);
53- return DISAS_NORETURN;
54+ ret = DISAS_NORETURN;
55+ goto out;
56 }
57
58 /* if AFP is not enabled, instructions and registers are forbidden */
59@@ -6360,7 +6362,8 @@ static DisasJumpType translate_one(CPUS3
60 }
61 if (dxc) {
62 gen_data_exception(dxc);
63- return DISAS_NORETURN;
64+ ret = DISAS_NORETURN;
65+ goto out;
66 }
67 }
68
69@@ -6368,7 +6371,8 @@ static DisasJumpType translate_one(CPUS3
70 if (insn->flags & IF_VEC) {
71 if (!((s->base.tb->flags & FLAG_MASK_VECTOR))) {
72 gen_data_exception(0xfe);
73- return DISAS_NORETURN;
74+ ret = DISAS_NORETURN;
75+ goto out;
76 }
77 }
78 }
79@@ -6381,7 +6385,8 @@ static DisasJumpType translate_one(CPUS3
80 (insn->spec & SPEC_r1_f128 && !is_fp_pair(get_field(&f, r1))) ||
81 (insn->spec & SPEC_r2_f128 && !is_fp_pair(get_field(&f, r2)))) {
82 gen_program_exception(s, PGM_SPECIFICATION);
83- return DISAS_NORETURN;
84+ ret = DISAS_NORETURN;
85+ goto out;
86 }
87 }
88
89@@ -6440,6 +6445,7 @@ static DisasJumpType translate_one(CPUS3
90 }
91 #endif
92
93+out:
94 /* Advance to the next instruction. */
95 s->base.pc_next = s->pc_tmp;
96 return ret;

Subscribers

People subscribed via source and target branches