Merge ~paelzer/ubuntu/+source/qemu:lp-1929926-uretprobe-s390x-tcg-HIRSUTE into ubuntu/+source/qemu:ubuntu/hirsute-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 1d53d8ce054f6a4a2104d467e26959ad730bdd87
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1929926-uretprobe-s390x-tcg-HIRSUTE
Merge into: ubuntu/+source/qemu:ubuntu/hirsute-devel
Diff against target: 131 lines (+109/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch (+101/-0)
Reviewer Review Type Date Requested Status
Sergio Durigan Junior (community) Approve
Canonical Server packageset reviewers Pending
Canonical Server Pending
Review via email: mp+410033@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :
Sergio Durigan Junior (sergiodj) wrote :

Thanks for the MP, Christian.

It LGTM. The backport is OK, the fix looks correct, and the debian/-specific bits are also good.

The package has successfully built on the PPA; there are no autopkgtest results available yet. I am approving this MP conditionally on the autopkgtest tests passing.

Thanks.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Uploaded to -unapproved

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index f7983b9..ec5c1f7 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+qemu (1:5.2+dfsg-9ubuntu3.3) hirsute; urgency=medium
7+
8+ * d/p/u/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch:
9+ fix uretprobe in s390x TCG (LP: #1929926)
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 12 Oct 2021 09:04:44 +0200
12+
13 qemu (1:5.2+dfsg-9ubuntu3.2) hirsute; urgency=medium
14
15 * d/rules fix microvm default machine type for a new build system
16diff --git a/debian/patches/series b/debian/patches/series
17index 30500b2..525e25c 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -74,3 +74,4 @@ CVE-2021-3544-8.patch
21 CVE-2021-3582.patch
22 CVE-2021-3607.patch
23 CVE-2021-3608.patch
24+ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch
25diff --git a/debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch b/debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch
26new file mode 100644
27index 0000000..07027af
28--- /dev/null
29+++ b/debian/patches/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch
30@@ -0,0 +1,101 @@
31+From 86131c71b13257e095d8c4f4453d52cbc6553c07 Mon Sep 17 00:00:00 2001
32+From: Ilya Leoshkevich <iii@linux.ibm.com>
33+Date: Fri, 16 Apr 2021 17:49:36 +0200
34+Subject: [PATCH] target/s390x: Fix translation exception on illegal
35+ instruction
36+
37+Hitting an uretprobe in a s390x TCG guest causes a SIGSEGV. What
38+happens is:
39+
40+* uretprobe maps a userspace page containing an invalid instruction.
41+* uretprobe replaces the target function's return address with the
42+ address of that page.
43+* When tb_gen_code() is called on that page, tb->size ends up being 0
44+ (because the page starts with the invalid instruction), which causes
45+ virt_page2 to point to the previous page.
46+* The previous page is not mapped, so this causes a spurious
47+ translation exception.
48+
49+tb->size must never be 0: even if there is an illegal instruction, the
50+instruction bytes that have been looked at must count towards tb->size.
51+So adjust s390x's translate_one() to act this way for both illegal
52+instructions and instructions that are known to generate exceptions.
53+
54+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
55+Reviewed-by: David Hildenbrand <david@redhat.com>
56+Message-Id: <20210416154939.32404-2-iii@linux.ibm.com>
57+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
58+
59+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=86131c71b13257e095d8c4f4453d52cbc6553c07
60+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1929926
61+Last-Update: 2021-10-12
62+
63+---
64+ target/s390x/translate.c | 16 +++++++++++-----
65+ 1 file changed, 11 insertions(+), 5 deletions(-)
66+
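Review bot: the DEP-3 header is consistent with the patch it wraps: the Origin hash 86131c71b13257e095d8c4f4453d52cbc6553c07 matches the From line, and Bug-Ubuntu points at LP 1929926, the same bug the changelog entry cites. One thing to confirm before landing: the Message-Id ends in -2-, which is the numbering git format-patch gives the first patch of a series sent with a cover letter, so check whether any other patch in that upstream series is needed alongside this one for the hirsute 5.2 tree.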
67+diff --git a/target/s390x/translate.c b/target/s390x/translate.c
68+index 4f953ddfba..e243624d2a 100644
69+--- a/target/s390x/translate.c
70++++ b/target/s390x/translate.c
71+@@ -6412,7 +6412,8 @@ static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
72+ qemu_log_mask(LOG_UNIMP, "unimplemented opcode 0x%02x%02x\n",
73+ s->fields.op, s->fields.op2);
74+ gen_illegal_opcode(s);
75+- return DISAS_NORETURN;
76++ ret = DISAS_NORETURN;
77++ goto out;
78+ }
79+
80+ #ifndef CONFIG_USER_ONLY
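Review bot: the correctness of this goto depends on s->pc_tmp already holding the address past the bytes that were examined when insn is NULL, because out: copies s->pc_tmp into s->base.pc_next and that assignment is what keeps tb->size from being 0 in the illegal-instruction case the commit message describes. The hunk does not show where s->pc_tmp is set, so confirm in the hirsute 5.2 translate_one() that it is assigned during instruction extraction, before this unimplemented-opcode check, rather than only later in the function. ret is the existing return variable (the final hunk shows the pre-existing return ret;), so no new declaration is needed.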
81+@@ -6428,7 +6429,8 @@ static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
82+ /* privileged instruction */
83+ if ((s->base.tb->flags & FLAG_MASK_PSTATE) && (insn->flags & IF_PRIV)) {
84+ gen_program_exception(s, PGM_PRIVILEGED);
85+- return DISAS_NORETURN;
86++ ret = DISAS_NORETURN;
87++ goto out;
88+ }
89+
90+ /* if AFP is not enabled, instructions and registers are forbidden */
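Review bot: gen_program_exception(s, PGM_PRIVILEGED) is emitted before the jump, so the exception itself is unaffected; the only difference from the removed early return is that s->base.pc_next is advanced at out:, which for a DISAS_NORETURN block is consumed by the translator loop's size accounting. That is the intended effect, and it is worth stating in the review that the privileged-instruction path now counts the instruction bytes exactly like the illegal-opcode path does.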
91+@@ -6455,7 +6457,8 @@ static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
92+ }
93+ if (dxc) {
94+ gen_data_exception(dxc);
95+- return DISAS_NORETURN;
96++ ret = DISAS_NORETURN;
97++ goto out;
98+ }
99+ }
100+
101+@@ -6463,7 +6466,8 @@ static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
102+ if (insn->flags & IF_VEC) {
103+ if (!((s->base.tb->flags & FLAG_MASK_VECTOR))) {
104+ gen_data_exception(0xfe);
105+- return DISAS_NORETURN;
106++ ret = DISAS_NORETURN;
107++ goto out;
108+ }
109+ }
110+
111+@@ -6484,7 +6488,8 @@ static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
112+ (insn->spec & SPEC_r1_f128 && !is_fp_pair(get_field(s, r1))) ||
113+ (insn->spec & SPEC_r2_f128 && !is_fp_pair(get_field(s, r2)))) {
114+ gen_program_exception(s, PGM_SPECIFICATION);
115+- return DISAS_NORETURN;
116++ ret = DISAS_NORETURN;
117++ goto out;
118+ }
119+ }
120+
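Review bot: this is the last of five identical return DISAS_NORETURN replacements in the upstream commit; as a verbatim backport the repetition should not be refactored locally. The backport-specific check is completeness: the upstream commit was written against a newer translate_one(), so grep the hirsute 5.2 target/s390x/translate.c for any remaining early return DISAS_NORETURN in this function (and any return of another value after an exception has been generated) that the newer tree no longer had. Any such site left behind would still produce a zero-size TB for that instruction class, and the hunk context alone cannot show whether one exists.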
121+@@ -6544,6 +6549,7 @@ static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
122+ }
123+ #endif
124+
125++out:
126+ /* Advance to the next instruction. */
127+ s->base.pc_next = s->pc_tmp;
128+ return ret;
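Review bot: placing out: after the #endif, rather than before the #ifndef CONFIG_USER_ONLY block above it, means that block is still bypassed on every exception path exactly as the removed early returns bypassed it, so the only behavioural change is the s->base.pc_next = s->pc_tmp assignment now also running on those paths. That matches the commit message (count the inspected bytes toward tb->size) and leaves the normal, non-exception path unchanged, since it already fell through to this assignment. The successful PPA build mentioned in the review confirms the forward jumps compile cleanly in the hirsute toolchain.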
129+--
130+2.33.0
131+