From ace33a0e5a5191f79899397adb766dda7208cb93 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Tue, 20 Jun 2023 18:58:55 +0100 Subject: [PATCH 1/5] hw/xen: Clarify (lack of) error handling in transaction_commit() Coverity was unhappy (CID 1508359) because we didn't check the return of init_walk_op() in transaction_commit(), despite doing so at every other call site. Strictly speaking, this is a false positive since it can never fail. It only fails for invalid user input (transaction ID or path), and both of those are hard-coded to known sane values in this invocation. But Coverity doesn't know that, and neither does the casual reader of the code. Returning an error here would be weird, since the transaction *is* committed by this point; all the walk_op is doing is firing watches on the newly-committed changed nodes. So make it a g_assert(!ret), since it really should never happen. Signed-off-by: David Woodhouse Reviewed-by: Paul Durrant Message-Id: <20076888f6bdf06a65aafc5cf954260965d45b97.camel@infradead.org> Signed-off-by: Anthony PERARD --- hw/i386/kvm/xenstore_impl.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/hw/i386/kvm/xenstore_impl.c b/hw/i386/kvm/xenstore_impl.c index 305fe75519..d9732b567e 100644 --- a/hw/i386/kvm/xenstore_impl.c +++ b/hw/i386/kvm/xenstore_impl.c @@ -1022,6 +1022,7 @@ static int transaction_commit(XenstoreImplState *s, XsTransaction *tx) { struct walk_op op; XsNode **n; + int ret; if (s->root_tx != tx->base_tx) { return EAGAIN; @@ -1032,7 +1033,16 @@ static int transaction_commit(XenstoreImplState *s, XsTransaction *tx) s->root_tx = tx->tx_id; s->nr_nodes = tx->nr_nodes; - init_walk_op(s, &op, XBT_NULL, tx->dom_id, "/", &n); + ret = init_walk_op(s, &op, XBT_NULL, tx->dom_id, "/", &n); + /* + * There are two reasons why init_walk_op() may fail: an invalid tx_id, + * or an invalid path. We pass XBT_NULL and "/", and it cannot fail. + * If it does, the world is broken. And returning 'ret' would be weird + * because the transaction *was* committed, and all this tree walk is + * trying to do is fire the resulting watches on newly-committed nodes. + */ + g_assert(!ret); + op.deleted_in_tx = false; op.mutating = true; From aa36243514a777f76c8b8a19b1f8a71f27ec6c78 Mon Sep 17 00:00:00 2001 From: Anthony PERARD Date: Tue, 4 Jul 2023 18:18:19 +0100 Subject: [PATCH 2/5] xen-block: Avoid leaks on new error path Commit 189829399070 ("xen-block: Use specific blockdev driver") introduced a new error path, without taking care of allocated resources. So only allocate the qdicts after the error check, and free both `filename` and `driver` when we are about to return and thus taking care of both success and error path. Coverity only spotted the leak of qdicts (*_layer variables). Reported-by: Peter Maydell Fixes: Coverity CID 1508722, 1398649 Fixes: 189829399070 ("xen-block: Use specific blockdev driver") Signed-off-by: Anthony PERARD Reviewed-by: Paul Durrant Reviewed-by: Peter Maydell Message-Id: <20230704171819.42564-1-anthony.perard@citrix.com> Signed-off-by: Anthony PERARD --- hw/block/xen-block.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c index f099914831..3906b9058b 100644 --- a/hw/block/xen-block.c +++ b/hw/block/xen-block.c @@ -781,14 +781,15 @@ static XenBlockDrive *xen_block_drive_create(const char *id, drive = g_new0(XenBlockDrive, 1); drive->id = g_strdup(id); - file_layer = qdict_new(); - driver_layer = qdict_new(); - rc = stat(filename, &st); if (rc) { error_setg_errno(errp, errno, "Could not stat file '%s'", filename); goto done; } + + file_layer = qdict_new(); + driver_layer = qdict_new(); + if (S_ISBLK(st.st_mode)) { qdict_put_str(file_layer, "driver", "host_device"); } else { @@ -796,7 +797,6 @@ static XenBlockDrive *xen_block_drive_create(const char *id, } qdict_put_str(file_layer, "filename", filename); - g_free(filename); if (mode && *mode != 'w') { qdict_put_bool(file_layer, "read-only", true); @@ -831,7 +831,6 @@ static XenBlockDrive *xen_block_drive_create(const char *id, qdict_put_str(file_layer, "locking", "off"); qdict_put_str(driver_layer, "driver", driver); - g_free(driver); qdict_put(driver_layer, "file", file_layer); @@ -842,6 +841,8 @@ static XenBlockDrive *xen_block_drive_create(const char *id, qobject_unref(driver_layer); done: + g_free(filename); + g_free(driver); if (*errp) { xen_block_drive_destroy(drive, NULL); return NULL; From f4f71363fcdb1092ff64d2bba6f9af39570c2f2b Mon Sep 17 00:00:00 2001 From: Anthony PERARD Date: Fri, 14 Jul 2023 16:27:20 +0100 Subject: [PATCH 3/5] thread-pool: signal "request_cond" while locked thread_pool_free() might have been called on the `pool`, which would be a reason for worker_thread() to quit. In this case, `pool->request_cond` is been destroyed. If worker_thread() didn't managed to signal `request_cond` before it been destroyed by thread_pool_free(), we got: util/qemu-thread-posix.c:198: qemu_cond_signal: Assertion `cond->initialized' failed. One backtrace: __GI___assert_fail (assertion=0x55555614abcb "cond->initialized", file=0x55555614ab88 "util/qemu-thread-posix.c", line=198, function=0x55555614ad80 <__PRETTY_FUNCTION__.17104> "qemu_cond_signal") at assert.c:101 qemu_cond_signal (cond=0x7fffb800db30) at util/qemu-thread-posix.c:198 worker_thread (opaque=0x7fffb800dab0) at util/thread-pool.c:129 qemu_thread_start (args=0x7fffb8000b20) at util/qemu-thread-posix.c:505 start_thread (arg=) at pthread_create.c:486 Reported here: https://lore.kernel.org/all/ZJwoK50FcnTSfFZ8@MacBook-Air-de-Roger.local/T/#u To avoid issue, keep lock while sending a signal to `request_cond`. Fixes: 900fa208f506 ("thread-pool: replace semaphore with condition variable") Signed-off-by: Anthony PERARD Reviewed-by: Stefan Hajnoczi Message-Id: <20230714152720.5077-1-anthony.perard@citrix.com> Signed-off-by: Anthony PERARD --- util/thread-pool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/thread-pool.c b/util/thread-pool.c index 0d97888df0..e3d8292d14 100644 --- a/util/thread-pool.c +++ b/util/thread-pool.c @@ -120,13 +120,13 @@ static void *worker_thread(void *opaque) pool->cur_threads--; qemu_cond_signal(&pool->worker_stopped); - qemu_mutex_unlock(&pool->lock); /* * Wake up another thread, in case we got a wakeup but decided * to exit due to pool->cur_threads > pool->max_threads. */ qemu_cond_signal(&pool->request_cond); + qemu_mutex_unlock(&pool->lock); return NULL; } From bcb40db010517120dfffccc77cef9e4fcd3235fa Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 18 Jul 2023 11:10:57 +0100 Subject: [PATCH 4/5] xen: Don't pass MemoryListener around by value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Coverity points out (CID 1513106, 1513107) that MemoryListener is a 192 byte struct which we are passing around by value. Switch to passing a const pointer into xen_register_ioreq() and then to xen_do_ioreq_register(). We can also make the file-scope MemoryListener variables const, since nothing changes them. Signed-off-by: Peter Maydell Acked-by: Anthony PERARD Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20230718101057.1110979-1-peter.maydell@linaro.org> Signed-off-by: Anthony PERARD --- hw/arm/xen_arm.c | 4 ++-- hw/i386/xen/xen-hvm.c | 4 ++-- hw/xen/xen-hvm-common.c | 8 ++++---- include/hw/xen/xen-hvm-common.h | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/hw/arm/xen_arm.c b/hw/arm/xen_arm.c index 044093fec7..1d3e6d481a 100644 --- a/hw/arm/xen_arm.c +++ b/hw/arm/xen_arm.c @@ -37,7 +37,7 @@ #define TYPE_XEN_ARM MACHINE_TYPE_NAME("xenpvh") OBJECT_DECLARE_SIMPLE_TYPE(XenArmState, XEN_ARM) -static MemoryListener xen_memory_listener = { +static const MemoryListener xen_memory_listener = { .region_add = xen_region_add, .region_del = xen_region_del, .log_start = NULL, @@ -108,7 +108,7 @@ static void xen_arm_init(MachineState *machine) xam->state = g_new0(XenIOState, 1); - xen_register_ioreq(xam->state, machine->smp.cpus, xen_memory_listener); + xen_register_ioreq(xam->state, machine->smp.cpus, &xen_memory_listener); #ifdef CONFIG_TPM if (xam->cfg.tpm_base_addr) { diff --git a/hw/i386/xen/xen-hvm.c b/hw/i386/xen/xen-hvm.c index 3da5a2b23f..f42621e674 100644 --- a/hw/i386/xen/xen-hvm.c +++ b/hw/i386/xen/xen-hvm.c @@ -458,7 +458,7 @@ static void xen_log_global_stop(MemoryListener *listener) xen_in_migration = false; } -static MemoryListener xen_memory_listener = { +static const MemoryListener xen_memory_listener = { .name = "xen-memory", .region_add = xen_region_add, .region_del = xen_region_del, @@ -582,7 +582,7 @@ void xen_hvm_init_pc(PCMachineState *pcms, MemoryRegion **ram_memory) state = g_new0(XenIOState, 1); - xen_register_ioreq(state, max_cpus, xen_memory_listener); + xen_register_ioreq(state, max_cpus, &xen_memory_listener); QLIST_INIT(&xen_physmap); xen_read_physmap(state); diff --git a/hw/xen/xen-hvm-common.c b/hw/xen/xen-hvm-common.c index 886c3ee944..565dc39c8f 100644 --- a/hw/xen/xen-hvm-common.c +++ b/hw/xen/xen-hvm-common.c @@ -765,8 +765,8 @@ void xen_shutdown_fatal_error(const char *fmt, ...) } static void xen_do_ioreq_register(XenIOState *state, - unsigned int max_cpus, - MemoryListener xen_memory_listener) + unsigned int max_cpus, + const MemoryListener *xen_memory_listener) { int i, rc; @@ -824,7 +824,7 @@ static void xen_do_ioreq_register(XenIOState *state, qemu_add_vm_change_state_handler(xen_hvm_change_state_handler, state); - state->memory_listener = xen_memory_listener; + state->memory_listener = *xen_memory_listener; memory_listener_register(&state->memory_listener, &address_space_memory); state->io_listener = xen_io_listener; @@ -842,7 +842,7 @@ err: } void xen_register_ioreq(XenIOState *state, unsigned int max_cpus, - MemoryListener xen_memory_listener) + const MemoryListener *xen_memory_listener) { int rc; diff --git a/include/hw/xen/xen-hvm-common.h b/include/hw/xen/xen-hvm-common.h index f9559e2885..4e9904f1a6 100644 --- a/include/hw/xen/xen-hvm-common.h +++ b/include/hw/xen/xen-hvm-common.h @@ -93,7 +93,7 @@ void xen_device_unrealize(DeviceListener *listener, DeviceState *dev); void xen_hvm_change_state_handler(void *opaque, bool running, RunState rstate); void xen_register_ioreq(XenIOState *state, unsigned int max_cpus, - MemoryListener xen_memory_listener); + const MemoryListener *xen_memory_listener); void cpu_ioreq_pio(ioreq_t *req); #endif /* HW_XEN_HVM_COMMON_H */ From 856ca10f9ce1fcffeab18546b36a64f79017c905 Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Thu, 20 Jul 2023 09:29:50 +0200 Subject: [PATCH 5/5] xen-platform: do full PCI reset during unplug of IDE devices The IDE unplug function needs to reset the entire PCI device, to make sure all state is initialized to defaults. This is done by calling pci_device_reset, which resets not only the chip specific registers, but also all PCI state. This fixes "unplug" in a Xen HVM domU with the modular legacy xenlinux PV drivers. Commit ee358e919e38 ("hw/ide/piix: Convert reset handler to DeviceReset") changed the way how the the disks are unplugged. Prior this commit the PCI device remained unchanged. After this change, piix_ide_reset is exercised after the "unplug" command, which was not the case prior that commit. This function resets the command register. As a result the ata_piix driver inside the domU will see a disabled PCI device. The generic PCI code will reenable the PCI device. On the qemu side, this runs pci_default_write_config/pci_update_mappings. Here a changed address is returned by pci_bar_address, this is the address which was truncated in piix_ide_reset. In case of a Xen HVM domU, the address changes from 0xc120 to 0xc100. This truncation was a bug in piix_ide_reset, which was fixed in commit 230dfd9257 ("hw/ide/piix: properly initialize the BMIBA register"). If pci_xen_ide_unplug had used pci_device_reset, the PCI registers would have been properly reset, and commit ee358e919e38 would have not introduced a regression for this specific domU environment. While the unplug is supposed to hide the IDE disks, the changed BMIBA address broke the UHCI device. In case the domU has an USB tablet configured, to recive absolute pointer coordinates for the GUI, it will cause a hang during device discovery of the partly discovered USB hid device. Reading the USBSTS word size register will fail. The access ends up in the QEMU piix-bmdma device, instead of the expected uhci device. Here a byte size request is expected, and a value of ~0 is returned. As a result the UCHI driver sees an error state in the register, and turns off the UHCI controller. Signed-off-by: Olaf Hering Reviewed-by: Paul Durrant Message-Id: <20230720072950.20198-1-olaf@aepfle.de> Signed-off-by: Anthony PERARD --- hw/i386/xen/xen_platform.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/hw/i386/xen/xen_platform.c b/hw/i386/xen/xen_platform.c index 57f1d742c1..17457ff3de 100644 --- a/hw/i386/xen/xen_platform.c +++ b/hw/i386/xen/xen_platform.c @@ -164,8 +164,9 @@ static void pci_unplug_nics(PCIBus *bus) * * [1] https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=docs/misc/hvm-emulated-unplug.pandoc */ -static void pci_xen_ide_unplug(DeviceState *dev, bool aux) +static void pci_xen_ide_unplug(PCIDevice *d, bool aux) { + DeviceState *dev = DEVICE(d); PCIIDEState *pci_ide; int i; IDEDevice *idedev; @@ -195,7 +196,7 @@ static void pci_xen_ide_unplug(DeviceState *dev, bool aux) blk_unref(blk); } } - device_cold_reset(dev); + pci_device_reset(d); } static void unplug_disks(PCIBus *b, PCIDevice *d, void *opaque) @@ -210,7 +211,7 @@ static void unplug_disks(PCIBus *b, PCIDevice *d, void *opaque) switch (pci_get_word(d->config + PCI_CLASS_DEVICE)) { case PCI_CLASS_STORAGE_IDE: - pci_xen_ide_unplug(DEVICE(d), aux); + pci_xen_ide_unplug(d, aux); break; case PCI_CLASS_STORAGE_SCSI: