[PULL 0/3] Various fixes

[PULL 0/3] Various fixes

[Thomas Huth]

 Hi Richard!

The following changes since commit 7c18f2d663521f1b31b821a13358ce38075eaf7d:

  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2023-04-29 23:07:17 +0100)

are available in the Git repository at:

  https://gitlab.com/thuth/qemu.git tags/pull-request-2023-05-02

for you to fetch changes up to 7915bd06f25e1803778081161bf6fa10c42dc7cd:

  async: avoid use-after-free on re-entrancy guard (2023-05-02 10:03:26 +0200)

----------------------------------------------------------------
* Fix the failing FreeBSD job in our CI
* Run the tpm-tis-i2c-test only if TCG is enabled
* Fix a use-after-free problem in the new reentracy checking code

----------------------------------------------------------------
Alexander Bulekov (1):
      async: avoid use-after-free on re-entrancy guard

Fabiano Rosas (1):
      tests/qtest: Restrict tpm-tis-i2c-test to CONFIG_TCG

Thomas Huth (1):
      tests/qtest: Disable the spice test of readconfig-test on FreeBSD

 tests/qtest/readconfig-test.c |  6 +++---
 util/async.c                  | 14 ++++++++------
 tests/qtest/meson.build       |  3 ++-
 3 files changed, 13 insertions(+), 10 deletions(-)

[PULL 1/3] tests/qtest: Disable the spice test of readconfig-test on FreeBSD

[Thomas Huth]

The spice test is currently hanging on FreeBSD. It likely was
never working before, since in the past, our configure script
was failing to detect this feature due to a bug in the spice
package there (it just got enabled recently by the commit
https://cgit.freebsd.org/ports/commit/?id=cf16b1c9063351325f0 ).
To get the CI working again, let's disable the failing test for
now until someone has enough spare time to debug and fix the real
underlying problem.

Message-Id: <20230428151351.1365822-1-thuth@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 tests/qtest/readconfig-test.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/qtest/readconfig-test.c b/tests/qtest/readconfig-test.c
index 2160603880..918d45684b 100644
--- a/tests/qtest/readconfig-test.c
+++ b/tests/qtest/readconfig-test.c
@@ -86,8 +86,8 @@ static void test_x86_memdev(void)
     qtest_quit(qts);
 }
 
-
-#ifdef CONFIG_SPICE
+/* FIXME: The test is currently broken on FreeBSD */
+#if defined(CONFIG_SPICE) && !defined(__FreeBSD__)
 static void test_spice_resp(QObject *res)
 {
     Visitor *v;
@@ -209,7 +209,7 @@ int main(int argc, char *argv[])
         qtest_add_func("readconfig/x86/memdev", test_x86_memdev);
         qtest_add_func("readconfig/x86/ich9-ehci-uhci", test_docs_config_ich9);
     }
-#ifdef CONFIG_SPICE
+#if defined(CONFIG_SPICE) && !defined(__FreeBSD__)
     qtest_add_func("readconfig/spice", test_spice);
 #endif
 
-- 
2.31.1

[PULL 2/3] tests/qtest: Restrict tpm-tis-i2c-test to CONFIG_TCG

[Thomas Huth]

From: Fabiano Rosas <farosas@suse.de>

The test set -accel tcg, so restrict it to when TCG is present.

Signed-off-by: Fabiano Rosas <farosas@suse.de>
Message-Id: <20230426180013.14814-13-farosas@suse.de>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 tests/qtest/meson.build | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index cfc66ade6f..48cd35b5b2 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -213,7 +213,8 @@ qtests_aarch64 = \
     ['tpm-tis-device-test', 'tpm-tis-device-swtpm-test'] : []) +                                         \
   (config_all_devices.has_key('CONFIG_XLNX_ZYNQMP_ARM') ? ['xlnx-can-test', 'fuzz-xlnx-dp-test'] : []) + \
   (config_all_devices.has_key('CONFIG_RASPI') ? ['bcm2835-dma-test'] : []) +  \
-  (config_all_devices.has_key('CONFIG_TPM_TIS_I2C') ? ['tpm-tis-i2c-test'] : []) + \
+  (config_all.has_key('CONFIG_TCG') and                                            \
+   config_all_devices.has_key('CONFIG_TPM_TIS_I2C') ? ['tpm-tis-i2c-test'] : []) + \
   ['arm-cpu-features',
    'numa-test',
    'boot-serial-test',
-- 
2.31.1

[PULL 3/3] async: avoid use-after-free on re-entrancy guard

[Thomas Huth]

From: Alexander Bulekov <alxndr@bu.edu>

A BH callback can free the BH, causing a use-after-free in aio_bh_call.
Fix that by keeping a local copy of the re-entrancy guard pointer.

Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58513
Fixes: 9c86c97f12 ("async: Add an optional reentrancy guard to the BH API")
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20230501141956.3444868-1-alxndr@bu.edu>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 util/async.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/util/async.c b/util/async.c
index 9df7674b4e..055070ffbd 100644
--- a/util/async.c
+++ b/util/async.c
@@ -156,18 +156,20 @@ void aio_bh_call(QEMUBH *bh)
 {
     bool last_engaged_in_io = false;
 
-    if (bh->reentrancy_guard) {
-        last_engaged_in_io = bh->reentrancy_guard->engaged_in_io;
-        if (bh->reentrancy_guard->engaged_in_io) {
+    /* Make a copy of the guard-pointer as cb may free the bh */
+    MemReentrancyGuard *reentrancy_guard = bh->reentrancy_guard;
+    if (reentrancy_guard) {
+        last_engaged_in_io = reentrancy_guard->engaged_in_io;
+        if (reentrancy_guard->engaged_in_io) {
             trace_reentrant_aio(bh->ctx, bh->name);
         }
-        bh->reentrancy_guard->engaged_in_io = true;
+        reentrancy_guard->engaged_in_io = true;
     }
 
     bh->cb(bh->opaque);
 
-    if (bh->reentrancy_guard) {
-        bh->reentrancy_guard->engaged_in_io = last_engaged_in_io;
+    if (reentrancy_guard) {
+        reentrancy_guard->engaged_in_io = last_engaged_in_io;
     }
 }
 
-- 
2.31.1

Re: [PULL 0/3] Various fixes

[Richard Henderson]

On 5/2/23 11:18, Thomas Huth wrote:
>   Hi Richard!
> 
> The following changes since commit 7c18f2d663521f1b31b821a13358ce38075eaf7d:
> 
>    Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2023-04-29 23:07:17 +0100)
> 
> are available in the Git repository at:
> 
>    https://gitlab.com/thuth/qemu.git tags/pull-request-2023-05-02
> 
> for you to fetch changes up to 7915bd06f25e1803778081161bf6fa10c42dc7cd:
> 
>    async: avoid use-after-free on re-entrancy guard (2023-05-02 10:03:26 +0200)
> 
> ----------------------------------------------------------------
> * Fix the failing FreeBSD job in our CI
> * Run the tpm-tis-i2c-test only if TCG is enabled
> * Fix a use-after-free problem in the new reentracy checking code
> 
> ----------------------------------------------------------------
> Alexander Bulekov (1):
>        async: avoid use-after-free on re-entrancy guard
> 
> Fabiano Rosas (1):
>        tests/qtest: Restrict tpm-tis-i2c-test to CONFIG_TCG
> 
> Thomas Huth (1):
>        tests/qtest: Disable the spice test of readconfig-test on FreeBSD
> 
>   tests/qtest/readconfig-test.c |  6 +++---
>   util/async.c                  | 14 ++++++++------
>   tests/qtest/meson.build       |  3 ++-
>   3 files changed, 13 insertions(+), 10 deletions(-)
> 

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/8.1 as appropriate.


r~