* fix use-after-free issue

* fix i386 TLB issue * fix crash with wrong -M confidential-guest-support argument * fix NULL pointer dereference in x86 MCE injection -----BEGIN PGP SIGNATURE----- iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmX6uvYUHHBib256aW5p QHJlZGhhdC5jb20ACgkQv/vSX3jHroOBPgf/b9i2aQx42PeBbftlOpDlzV0q/Cqw PnONSOKeE4By0qzhehwYdL0e4E63u8f3yvPKBAoQrikBZS68fo4e3wCOc+CkeVfc lcIsoGLgIaEoKpMUdxN9+jkyjurpplG79b/LFYXVMCOENnomHV0oYeSxfOXL/L8c y4yvZ9C6VQSFnemqp+YyzrRad+oRD2hOuc+1RVp+3rxXprkgyfRJAtLvh73MZcvS CaAd2a8ajm2kmQLVv6FeqEr3fgMqbpr2Yeny3n/+T5TdTI2vEODI1JxH2VR/mzYN uiyWS8urQx5P99ICRSOX43WDU5SaUzVYEka8gELf3I5twDudFHtHjKieLA== =UFlw -----END PGP SIGNATURE----- Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging * fix use-after-free issue * fix i386 TLB issue * fix crash with wrong -M confidential-guest-support argument * fix NULL pointer dereference in x86 MCE injection # -----BEGIN PGP SIGNATURE----- # # iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmX6uvYUHHBib256aW5p # QHJlZGhhdC5jb20ACgkQv/vSX3jHroOBPgf/b9i2aQx42PeBbftlOpDlzV0q/Cqw # PnONSOKeE4By0qzhehwYdL0e4E63u8f3yvPKBAoQrikBZS68fo4e3wCOc+CkeVfc # lcIsoGLgIaEoKpMUdxN9+jkyjurpplG79b/LFYXVMCOENnomHV0oYeSxfOXL/L8c # y4yvZ9C6VQSFnemqp+YyzrRad+oRD2hOuc+1RVp+3rxXprkgyfRJAtLvh73MZcvS # CaAd2a8ajm2kmQLVv6FeqEr3fgMqbpr2Yeny3n/+T5TdTI2vEODI1JxH2VR/mzYN # uiyWS8urQx5P99ICRSOX43WDU5SaUzVYEka8gELf3I5twDudFHtHjKieLA== # =UFlw # -----END PGP SIGNATURE----- # gpg: Signature made Wed 20 Mar 2024 10:31:18 GMT # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * tag 'for-upstream' of https://gitlab.com/bonzini/qemu: meson: remove dead dictionary access tests/plugins: fix use-after-free bug target/i386: Revert monitor_puts() in do_inject_x86_mce() vl: do not assert if sev-guest is used together with TCG vl: convert qemu_machine_creation_done() to Error ** target/i386: fix direction of "32-bit MMU" test Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-03-20 15:05:51 +00:00 · 2024-03-20 15:05:51 +00:00 · a1d86c4d70
commit a1d86c4d70
parent 3d5befc97f 05007258f0
6 changed files with 16 additions and 13 deletions
--- a/contrib/plugins/howvec.c
+++ b/contrib/plugins/howvec.c
@ -167,9 +167,9 @@ static gint cmp_exec_count(gconstpointer a, gconstpointer b)
 static void free_record(gpointer data)
 {
    InsnExecCount *rec = (InsnExecCount *) data;
+    qemu_plugin_scoreboard_free(rec->count.score);
    g_free(rec->insn);
    g_free(rec);
-    qemu_plugin_scoreboard_free(rec->count.score);
 }

 static void plugin_exit(qemu_plugin_id_t id, void *p)
--- a/meson.build
+++ b/meson.build
@ -3951,7 +3951,7 @@ foreach target : target_dirs
               c_args: c_args,
               dependencies: arch_deps + deps + exe['dependencies'],
               objects: lib.extract_all_objects(recursive: true),
-               link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []),
+               link_depends: [block_syms, qemu_syms],
               link_args: link_args,
               win_subsystem: exe['win_subsystem'])

--- a/system/vl.c
+++ b/system/vl.c
@ -2653,7 +2653,7 @@ static void qemu_create_cli_devices(void)
    rom_reset_order_override();
 }

-static void qemu_machine_creation_done(void)
+static bool qemu_machine_creation_done(Error **errp)
 {
    MachineState *machine = MACHINE(qdev_get_machine());

@ -2676,15 +2676,15 @@ static void qemu_machine_creation_done(void)

    qdev_machine_creation_done();

-    if (machine->cgs) {
-        /*
-         * Verify that Confidential Guest Support has actually been initialized
-         */
-        assert(machine->cgs->ready);
+    if (machine->cgs && !machine->cgs->ready) {
+        error_setg(errp, "accelerator does not support confidential guest %s",
+                   object_get_typename(OBJECT(machine->cgs)));
+        exit(1);
    }

    if (foreach_device_config(DEV_GDB, gdbserver_start) < 0) {
-        exit(1);
+        error_setg(errp, "could not start gdbserver");
+        return false;
    }
    if (!vga_interface_created && !default_vga &&
        vga_interface_type != VGA_NONE) {
@ -2692,6 +2692,7 @@ static void qemu_machine_creation_done(void)
                    "type does not use that option; "
                    "No VGA device has been created");
    }
+    return true;
 }

 void qmp_x_exit_preconfig(Error **errp)
@ -2703,7 +2704,9 @@ void qmp_x_exit_preconfig(Error **errp)

    qemu_init_board();
    qemu_create_cli_devices();
-    qemu_machine_creation_done();
+    if (!qemu_machine_creation_done(errp)) {
+        return;
+    }

    if (loadvm) {
        RunState state = autostart ? RUN_STATE_RUNNING : runstate_get();
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@ -7735,7 +7735,7 @@ static bool x86_cpu_has_work(CPUState *cs)
 static int x86_cpu_mmu_index(CPUState *cs, bool ifetch)
 {
    CPUX86State *env = cpu_env(cs);
-    int mmu_index_32 = (env->hflags & HF_CS64_MASK) ? 1 : 0;
+    int mmu_index_32 = (env->hflags & HF_CS64_MASK) ? 0 : 1;
    int mmu_index_base =
        (env->hflags & HF_CPL_MASK) == 3 ? MMU_USER64_IDX :
        !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@ -2334,7 +2334,7 @@ static inline bool is_mmu_index_32(int mmu_index)

 static inline int cpu_mmu_index_kernel(CPUX86State *env)
 {
-    int mmu_index_32 = (env->hflags & HF_LMA_MASK) ? 1 : 0;
+    int mmu_index_32 = (env->hflags & HF_LMA_MASK) ? 0 : 1;
    int mmu_index_base =
        !(env->hflags & HF_SMAP_MASK) ? MMU_KNOSMAP64_IDX :
        ((env->hflags & HF_CPL_MASK) < 3 && (env->eflags & AC_MASK)) ? MMU_KNOSMAP64_IDX : MMU_KSMAP64_IDX;
--- a/target/i386/helper.c
+++ b/target/i386/helper.c
@ -430,7 +430,7 @@ static void do_inject_x86_mce(CPUState *cs, run_on_cpu_data data)
        if (need_reset) {
            emit_guest_memory_failure(MEMORY_FAILURE_ACTION_RESET, ar,
                                      recursive);
-            monitor_puts(params->mon, msg);
+            monitor_printf(params->mon, "%s", msg);
            qemu_log_mask(CPU_LOG_RESET, "%s\n", msg);
            qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
            return;