Hi Steve,

Same patch I've submitted for dunfell. Please revert it if it is failing.
Thanks & Regards,
Vijay

On Fri, Sep 15, 2023 at 8:56 PM Steve Sakoman <[email protected]> wrote:
> On Wed, Sep 13, 2023 at 4:44 AM Steve Sakoman via
> lists.openembedded.org <[email protected]>
> wrote:
> >
> > Unfortunately this change breaks the qemux86 and qemux86-64 tests on
> > the autobuilder:
>
> The versions of this patch for both mickledore and kirkstone break
> qemux86 and qemux86-64 in the same way, so I can't take the patch for
> either branch.
>
> Steve
>
> >
> > https://errors.yoctoproject.org/Errors/Details/736394/
> > https://errors.yoctoproject.org/Errors/Details/736395/
> >
> > In both cases:
> >
> > Failed: qemux86-64 does not shutdown within timeout(120)
> >
> > There was recently an issue fixed in the master branch where x86 was
> > broken after a version upgrade:
> >
> > https://git.openembedded.org/openembedded-core/commit/?id=3d3fa94ee6d7ea58e3ec64d28bd6414437806cfd
> >
> > Not sure if it is related, since the commit message indicates "won't
> > boot" as the symptom and this appears to be a shutdown issue. Perhaps
> > Richard can comment.
> >
> > Steve
> >
> > On Tue, Sep 12, 2023 at 10:02 PM Urade, Yogita via
> > lists.openembedded.org
> > <[email protected]> wrote:
> > >
> > > From: Yogita Urade <[email protected]>
> > >
> > > A DMA-MMIO reentrancy problem may lead to memory corruption bugs
> > > like stack overflow or use-after-free.
> > >
> > > Summary of the problem from Peter Maydell:
> > > https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
> > >
> > > Reference:
> > > https://gitlab.com/qemu-project/qemu/-/issues/556
> > >
> > > qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330
> > > b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)
> > > a2e1753b80 memory: prevent dma-reentracy issues
> > >
> > > Included second commit as well as commit log of a2e1753b80 says it
> > > resolves CVE-2023-0330
> > > > > > Signed-off-by: Yogita Urade <[email protected]> > > > --- > > > meta/recipes-devtools/qemu/qemu.inc | 3 +- > > > ...23-0330.patch => CVE-2023-0330-0001.patch} | 0 > > > .../qemu/qemu/CVE-2023-0330-0002.patch | 136 ++++++++++++++++++ > > > 3 files changed, 138 insertions(+), 1 deletion(-) > > > rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => > CVE-2023-0330-0001.patch} (100%) > > > create mode 100644 > meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > > > > > > diff --git a/meta/recipes-devtools/qemu/qemu.inc > b/meta/recipes-devtools/qemu/qemu.inc > > > index 2efe63cdc0..1a50e4d524 100644 > > > --- a/meta/recipes-devtools/qemu/qemu.inc > > > +++ b/meta/recipes-devtools/qemu/qemu.inc > > > @@ -36,7 +36,8 @@ SRC_URI = " > https://download.qemu.org/${BPN}-${PV}.tar.xz \ > > > file://qemu-guest-agent.init \ > > > file://qemu-guest-agent.udev \ > > > file://ppc.patch \ > > > - file://CVE-2023-0330.patch \ > > > + file://CVE-2023-0330-0001.patch \ > > > + file://CVE-2023-0330-0002.patch \ > > > file://CVE-2023-3301.patch \ > > > file://CVE-2023-3255.patch \ > > > file://CVE-2023-2861.patch \ > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch > > > similarity index 100% > > > rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch > > > rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch > > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch > > > new file mode 100644 > > > index 0000000000..a21b01bd25 > > > --- /dev/null > > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch 
> > > @@ -0,0 +1,136 @@ > > > +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 > > > +From: Alexander Bulekov <[email protected]> > > > +Date: Tue, 12 Sep 2023 10:49:46 +0000 > > > +Subject: [PATCH] memory: prevent dma-reentracy issues > > > + > > > +Add a flag to the DeviceState, when a device is engaged in > PIO/MMIO/DMA. > > > +This flag is set/checked prior to calling a device's MemoryRegion > > > +handlers, and set when device code initiates DMA. The purpose of this > > > +flag is to prevent two types of DMA-based reentrancy issues: > > > + > > > +1.) mmio -> dma -> mmio case > > > +2.) bh -> dma write -> mmio case > > > + > > > +These issues have led to problems such as stack-exhaustion and > > > +use-after-frees. > > > + > > > +Summary of the problem from Peter Maydell: > > > + > https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com > > > + > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 > > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 > > > +Resolves: CVE-2023-0330 > > > + > > > +Signed-off-by: Alexander Bulekov <[email protected]> > > > +Reviewed-by: Thomas Huth <[email protected]> > > > +Message-Id: <[email protected]> > > > +[thuth: Replace warn_report() with warn_report_once()] > > > +Signed-off-by: Thomas Huth <[email protected]> > > > + > > > +CVE: CVE-2023-0330 > > > + > > > +Upstream-Status: Backport [ > https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380 > ] > > > + > > > +Signed-off-by: Yogita Urade <[email protected]> > > > +--- > > > + include/exec/memory.h | 5 +++++ > > > + 
include/hw/qdev-core.h | 7 +++++++ > > > + softmmu/memory.c | 16 ++++++++++++++++ > > > + 3 files changed, 28 insertions(+) > > > + > > > +diff --git a/include/exec/memory.h b/include/exec/memory.h > > > +index 91f8a2395..124628ada 100644 > > > +--- a/include/exec/memory.h > > > ++++ b/include/exec/memory.h > > > +@@ -741,6 +741,8 @@ struct MemoryRegion { > > > + bool is_iommu; > > > + RAMBlock *ram_block; > > > + Object *owner; > > > ++ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR > access hotpath */ > > > ++ DeviceState *dev; > > > + > > > + const MemoryRegionOps *ops; > > > + void *opaque; > > > +@@ -765,6 +767,9 @@ struct MemoryRegion { > > > + unsigned ioeventfd_nb; > > > + MemoryRegionIoeventfd *ioeventfds; > > > + RamDiscardManager *rdm; /* Only for RAM */ > > > ++ > > > ++ /* For devices designed to perform re-entrant IO into their own > IO MRs */ > > > ++ bool disable_reentrancy_guard; > > > + }; > > > + > > > + struct IOMMUMemoryRegion { > > > +diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h > > > +index 785dd5a56..886f6bb79 100644 > > > +--- a/include/hw/qdev-core.h > > > ++++ b/include/hw/qdev-core.h > > > +@@ -162,6 +162,10 @@ struct NamedClockList { > > > + QLIST_ENTRY(NamedClockList) node; > > > + }; > > > + > > > ++typedef struct { > > > ++ bool engaged_in_io; > > > ++} MemReentrancyGuard; > > > ++ > > > + /** > > > + * DeviceState: > > > + * @realized: Indicates whether the device has been fully > constructed. > > > +@@ -194,6 +198,9 @@ struct DeviceState { > > > + int alias_required_for_version; > > > + ResettableState reset; > > > + GSList *unplug_blockers; > > > ++ > > > ++ /* Is the device currently in mmio/pio/dma? 
Used to prevent > re-entrancy */ > > > ++ MemReentrancyGuard mem_reentrancy_guard; > > > + }; > > > + > > > + struct DeviceListener { > > > +diff --git a/softmmu/memory.c b/softmmu/memory.c > > > +index bc0be3f62..0ad556b5b 100644 > > > +--- a/softmmu/memory.c > > > ++++ b/softmmu/memory.c > > > +@@ -541,6 +541,18 @@ static MemTxResult > access_with_adjusted_size(hwaddr addr, > > > + if (!access_size_max) { > > > + access_size_max = 4; > > > + } > > > ++ > > > ++ /* Do not allow more than one simultaneous access to a device's > IO Regions */ > > > ++ if (mr->dev && !mr->disable_reentrancy_guard && > > > ++ !mr->ram_device && !mr->ram && !mr->rom_device && > !mr->readonly) { > > > ++ if (mr->dev->mem_reentrancy_guard.engaged_in_io) { > > > ++ warn_report_once("Blocked re-entrant IO on MemoryRegion: > " > > > ++ "%s at addr: 0x%" HWADDR_PRIX, > > > ++ memory_region_name(mr), addr); > > > ++ return MEMTX_ACCESS_ERROR; > > > ++ } > > > ++ mr->dev->mem_reentrancy_guard.engaged_in_io = true; > > > ++ } > > > + > > > + /* FIXME: support unaligned access? */ > > > + access_size = MAX(MIN(size, access_size_max), access_size_min); > > > +@@ -556,6 +568,9 @@ static MemTxResult > access_with_adjusted_size(hwaddr addr, > > > + access_mask, attrs); > > > + } > > > + } > > > ++ if (mr->dev) { > > > ++ mr->dev->mem_reentrancy_guard.engaged_in_io = false; > > > ++ } > > > + return r; > > > + } > > > + > > > +@@ -1170,6 +1185,7 @@ static void memory_region_do_init(MemoryRegion > *mr, > > > + } > > > + mr->name = g_strdup(name); > > > + mr->owner = owner; > > > ++ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, > TYPE_DEVICE); > > > + mr->ram_block = NULL; > > > + > > > + if (name) { > > > +-- > > > +2.35.5 > > > -- > > > 2.40.0 > > > > > > > > > > > > > > > > > > > > > >
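Review bot: nothing in this backport sets the new `disable_reentrancy_guard` field that the include/exec/memory.h hunk adds ("For devices designed to perform re-entrant IO into their own IO MRs"), and the diffstat lists only include/exec/memory.h, include/hw/qdev-core.h and softmmu/memory.c, so the guard is applied unconditionally to every device-owned MMIO region while the "bh -> dma write -> mmio" case named in the commit message has no corresponding change in the diff. Before taking this on a stable branch, check which upstream follow-up commits set `disable_reentrancy_guard` for devices that re-enter their own regions and whether they are needed alongside a2e1753b80; the qemux86/qemux86-64 shutdown timeout reported earlier in the thread is the symptom to test against, and a guard that fires returns `MEMTX_ACCESS_ERROR` and logs "Blocked re-entrant IO on MemoryRegion: ..." via `warn_report_once()`, so the autobuilder's qemu log should show whether this code path is involved. A second point in the softmmu/memory.c hunk at `@@ -556,6 +568,9 @@`: the clear `if (mr->dev) { mr->dev->mem_reentrancy_guard.engaged_in_io = false; }` runs for every region with a device owner, whereas the set at `@@ -541` is conditioned on `!mr->disable_reentrancy_guard && !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly`, so a nested access to a region that skipped the check clears the outer access's flag before the outer handler has returned; mirroring the set condition on the clear, or saving and restoring the previous value, would keep the guard engaged for the full duration of the outer access.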
View/Reply Online (#187803): https://lists.openembedded.org/g/openembedded-core/message/187803
