Merge ~paelzer/ubuntu/+source/qemu:lp-1929926-uretprobe-s390x-tcg-FOCAL into ubuntu/+source/qemu:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 476688ea9c36adde617d1eaa9b2b74db835580bd
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1929926-uretprobe-s390x-tcg-FOCAL
Merge into: ubuntu/+source/qemu:ubuntu/focal-devel
Diff against target: 126 lines (+104/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch (+96/-0)
Reviewer Review Type Date Requested Status
Sergio Durigan Junior (community) Approve
Canonical Server packageset reviewers Pending
Canonical Server Pending
Review via email: mp+410032@code.launchpad.net
Sergio Durigan Junior (sergiodj) wrote :

Thanks for the MP, Christian.

It LGTM. The backport is OK, the fix looks correct, and the debian/-specific bits are also good.

I noticed that the package is still building on the PPA, so there are no autopkgtest results yet. I'm approving this MP conditionally on the autopkgtest tests passing :-).

Thanks.

review: Approve
Christian Ehrhardt (paelzer) wrote :

This is now covered by https://code.launchpad.net/~paelzer/ubuntu/+source/qemu/+git/qemu/+merge/401771 which will have this as well.

Christian Ehrhardt (paelzer) wrote :

Merged

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 20c9285..94ff656 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+qemu (1:4.2-3ubuntu6.19) focal; urgency=medium
7+
8+ * d/p/u/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch:
9+ fix uretprobe in s390x TCG (LP: #1929926)
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 12 Oct 2021 09:02:03 +0200
12+
13 qemu (1:4.2-3ubuntu6.18) focal; urgency=medium
14
15 * enhance loading of old modules post upgrade (LP: #1913421)
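Review bot: the changelog line `fix uretprobe in s390x TCG (LP: #1929926)` names the symptom but not what was changed; consider wording it after the patch subject, e.g. `fix translation exception on illegal instruction, which broke uretprobes in s390x TCG guests (LP: #1929926)`, so that someone grepping the changelog for the target/s390x translate.c change finds it. The version bump 1:4.2-3ubuntu6.18 to 1:4.2-3ubuntu6.19 and the `d/p/u/` path are consistent with the file added in this MP.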
16diff --git a/debian/patches/series b/debian/patches/series
17index 745af86..9eb6858 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -307,3 +307,4 @@ CVE-2021-3607.patch
21 CVE-2021-3608.patch
22 CVE-2021-20221.patch
23 CVE-2021-20257.patch
24+ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch
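Review bot: nothing to change in the series hunk: the appended entry `ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch` matches the path of the new file in this MP character for character, and placing it last keeps the existing CVE patch order untouched, so no earlier patch needs a refresh.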
25diff --git a/debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch b/debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch
26new file mode 100644
27index 0000000..a151900
28--- /dev/null
29+++ b/debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch
30@@ -0,0 +1,96 @@
31+From 86131c71b13257e095d8c4f4453d52cbc6553c07 Mon Sep 17 00:00:00 2001
32+From: Ilya Leoshkevich <iii@linux.ibm.com>
33+Date: Fri, 16 Apr 2021 17:49:36 +0200
34+Subject: [PATCH] target/s390x: Fix translation exception on illegal
35+ instruction
36+
37+Hitting an uretprobe in a s390x TCG guest causes a SIGSEGV. What
38+happens is:
39+
40+* uretprobe maps a userspace page containing an invalid instruction.
41+* uretprobe replaces the target function's return address with the
42+ address of that page.
43+* When tb_gen_code() is called on that page, tb->size ends up being 0
44+ (because the page starts with the invalid instruction), which causes
45+ virt_page2 to point to the previous page.
46+* The previous page is not mapped, so this causes a spurious
47+ translation exception.
48+
49+tb->size must never be 0: even if there is an illegal instruction, the
50+instruction bytes that have been looked at must count towards tb->size.
51+So adjust s390x's translate_one() to act this way for both illegal
52+instructions and instructions that are known to generate exceptions.
53+
54+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
55+Reviewed-by: David Hildenbrand <david@redhat.com>
56+Message-Id: <20210416154939.32404-2-iii@linux.ibm.com>
57+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
58+
59+Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=86131c71b13257e095d8c4f4453d52cbc6553c07
60+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1929926
61+Last-Update: 2021-10-12
62+
63+---
64+ target/s390x/translate.c | 16 +++++++++++-----
65+ 1 file changed, 11 insertions(+), 5 deletions(-)
66+
67+--- a/target/s390x/translate.c
68++++ b/target/s390x/translate.c
69+@@ -6317,7 +6317,8 @@ static DisasJumpType translate_one(CPUS3
70+ qemu_log_mask(LOG_UNIMP, "unimplemented opcode 0x%02x%02x\n",
71+ f.op, f.op2);
72+ gen_illegal_opcode(s);
73+- return DISAS_NORETURN;
74++ ret = DISAS_NORETURN;
75++ goto out;
76+ }
77+
78+ #ifndef CONFIG_USER_ONLY
79+@@ -6333,7 +6334,8 @@ static DisasJumpType translate_one(CPUS3
80+ /* privileged instruction */
81+ if ((s->base.tb->flags & FLAG_MASK_PSTATE) && (insn->flags & IF_PRIV)) {
82+ gen_program_exception(s, PGM_PRIVILEGED);
83+- return DISAS_NORETURN;
84++ ret = DISAS_NORETURN;
85++ goto out;
86+ }
87+
88+ /* if AFP is not enabled, instructions and registers are forbidden */
89+@@ -6360,7 +6362,8 @@ static DisasJumpType translate_one(CPUS3
90+ }
91+ if (dxc) {
92+ gen_data_exception(dxc);
93+- return DISAS_NORETURN;
94++ ret = DISAS_NORETURN;
95++ goto out;
96+ }
97+ }
98+
99+@@ -6368,7 +6371,8 @@ static DisasJumpType translate_one(CPUS3
100+ if (insn->flags & IF_VEC) {
101+ if (!((s->base.tb->flags & FLAG_MASK_VECTOR))) {
102+ gen_data_exception(0xfe);
103+- return DISAS_NORETURN;
104++ ret = DISAS_NORETURN;
105++ goto out;
106+ }
107+ }
108+ }
109+@@ -6381,7 +6385,8 @@ static DisasJumpType translate_one(CPUS3
110+ (insn->spec & SPEC_r1_f128 && !is_fp_pair(get_field(&f, r1))) ||
111+ (insn->spec & SPEC_r2_f128 && !is_fp_pair(get_field(&f, r2)))) {
112+ gen_program_exception(s, PGM_SPECIFICATION);
113+- return DISAS_NORETURN;
114++ ret = DISAS_NORETURN;
115++ goto out;
116+ }
117+ }
118+
119+@@ -6440,6 +6445,7 @@ static DisasJumpType translate_one(CPUS3
120+ }
121+ #endif
122+
123++out:
124+ /* Advance to the next instruction. */
125+ s->base.pc_next = s->pc_tmp;
126+ return ret;
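Review bot: the backport is consistent with the upstream fix it describes: all five early `return DISAS_NORETURN;` sites in translate_one (unimplemented opcode, privileged instruction, AFP data exception, vector data exception, specification exception) become `ret = DISAS_NORETURN;` followed by `goto out;`, and the `out:` label is placed immediately before `s->base.pc_next = s->pc_tmp;`, so the instruction bytes the decoder already consumed are counted and tb->size can no longer be 0, which is exactly the cause of the spurious translation exception given in the commit message. One thing to confirm outside the visible context is that the 4.2 translate_one declares `ret` at function scope before the first `goto out` (the existing `return ret;` at the end of the function indicates it does). The DEP-3 headers (Origin, Bug-Ubuntu, Last-Update) are present and the Last-Update date matches the changelog entry.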
