Diffstat (limited to '')
| Mode | File | Lines added |
|---|---|---|
| -rw-r--r-- | results/classifier/108/other/263 | 16 |
| -rw-r--r-- | results/classifier/108/other/2630 | 16 |
| -rw-r--r-- | results/classifier/108/other/2631 | 96 |
| -rw-r--r-- | results/classifier/108/other/2633 | 41 |
| -rw-r--r-- | results/classifier/108/other/2634 | 192 |
| -rw-r--r-- | results/classifier/108/other/2635 | 27 |
| -rw-r--r-- | results/classifier/108/other/2638 | 32 |
| -rw-r--r-- | results/classifier/108/other/2639 | 37 |
8 files changed, 457 insertions, 0 deletions
diff --git a/results/classifier/108/other/263 b/results/classifier/108/other/263 new file mode 100644 index 000000000..0d722dbbc --- /dev/null +++ b/results/classifier/108/other/263 @@ -0,0 +1,16 @@ +device: 0.824 +performance: 0.773 +network: 0.601 +files: 0.372 +graphic: 0.316 +socket: 0.277 +PID: 0.253 +semantic: 0.233 +other: 0.231 +boot: 0.221 +debug: 0.218 +vnc: 0.193 +permissions: 0.062 +KVM: 0.009 + +readdir() returns NULL (errno=EOVERFLOW) for 32-bit user-static qemu on 64-bit host diff --git a/results/classifier/108/other/2630 b/results/classifier/108/other/2630 new file mode 100644 index 000000000..8dc782ade --- /dev/null +++ b/results/classifier/108/other/2630 @@ -0,0 +1,16 @@ +other: 0.609 +debug: 0.587 +boot: 0.481 +performance: 0.441 +graphic: 0.401 +device: 0.393 +permissions: 0.358 +KVM: 0.321 +PID: 0.318 +semantic: 0.312 +vnc: 0.281 +network: 0.186 +socket: 0.160 +files: 0.130 + +Issue template broken diff --git a/results/classifier/108/other/2631 b/results/classifier/108/other/2631 new file mode 100644 index 000000000..631032ca8 --- /dev/null +++ b/results/classifier/108/other/2631 
@@ -0,0 +1,96 @@ +KVM: 0.889 +PID: 0.883 +device: 0.881 +debug: 0.865 +graphic: 0.863 +vnc: 0.861 +permissions: 0.853 +performance: 0.841 +other: 0.838 +semantic: 0.827 +boot: 0.816 +socket: 0.776 +network: 0.774 +files: 0.748 + +qemu-system-i386: void msix_vector_use(PCIDevice *, unsigned int): Assertion `vector < dev->msix_entries_nr' failed. +Description of problem: +While fuzzing, we observed a assertion failures in several virtio devices supporting msi-x functionality. +Steps to reproduce: +Here is qtest reproducer: +```bash +cat << EOF | qemu-system-i386 -display none -machine accel=qtest, -m 512M -machine pc -nodefaults \ +-device virtio-mouse-pci,vectors=19923041 -qtest stdio +outl 0xcf8 0x80001020 +outl 0xcfc 0xe0800000 +outl 0xcf8 0x80001004 +outw 0xcfc 0x02 +write 0xe0800010 0x4 0x6100 +EOF +``` + +and execution log: +``` +cat << EOF | qemu-system-i386 -display none -machine accel=qtest, -m 512M -machine pc -nodefaults \ +-device virtio-mouse-pci,vectors=19923041 -qtest stdio +outl 0xcf8 0x80001020 +outl 0xcfc 0xe0800000 +outl 0xcf8 0x80001004 +outw 0xcfc 0x02 +write 0xe0800010 0x4 0x6100 +EOF +[I 0.000001] OPENED +[R +0.067760] outl 0xcf8 0x80001020 +[S +0.067795] OK +OK +[R +0.067821] outl 0xcfc 0xe0800000 +[S +0.067959] OK +OK +[R +0.067993] outl 0xcf8 0x80001004 +[S +0.068005] OK +OK +[R +0.068020] outw 0xcfc 0x02 +[S +0.068520] OK +OK +[R +0.068554] write 0xe0800010 0x4 0x6100 +qemu-system-i386: ../hw/pci/msix.c:569: void msix_vector_use(PCIDevice *, unsigned int): Assertion `vector < dev->msix_entries_nr' failed. +Aborted +``` + +If you need more information, let me know so I can discuss more about this issue. 
+Additional information: +```c +int msix_init(PCIDevice *dev, unsigned short nentries, + MemoryRegion *table_bar, uint8_t table_bar_nr, + unsigned table_offset, MemoryRegion *pba_bar, + uint8_t pba_bar_nr, unsigned pba_offset, uint8_t cap_pos, + Error **errp); +int msix_init_exclusive_bar(PCIDevice *dev, unsigned short nentries, + uint8_t bar_nr, Error **errp); +``` + +`msix_init` accepts `nentries` as `unsigned short` type. + +```c +static void virtio_pci_device_plugged(DeviceState *d, Error **errp): + + ... + + if (proxy->nvectors) { + int err = msix_init_exclusive_bar(&proxy->pci_dev, proxy->nvectors, + proxy->msix_bar_idx, NULL); + if (err) { + /* Notice when a system that supports MSIx can't initialize it */ + if (err != -ENOTSUP) { + warn_report("unable to init msix vectors to %" PRIu32, + proxy->nvectors); + } + proxy->nvectors = 0; + } + } +``` + +When virtio-pci device is initialized, `proxy->nvectors` (`uint32_t` here) is casted into `unsigned short`. +This causes inconsistency between `msix_entries_nr` and `nvectors` and triggers the above crash. + +While this is due to setting invalid value to `nvectors`, we need proper handling of the wrong value in the configuration. diff --git a/results/classifier/108/other/2633 b/results/classifier/108/other/2633 new file mode 100644 index 000000000..2c6ffb5ab --- /dev/null +++ b/results/classifier/108/other/2633 
@@ -0,0 +1,41 @@ +graphic: 0.864 +device: 0.812 +performance: 0.796 +PID: 0.787 +KVM: 0.769 +debug: 0.745 +semantic: 0.741 +socket: 0.732 +network: 0.716 +vnc: 0.677 +files: 0.676 +permissions: 0.664 +other: 0.663 +boot: 0.581 + +migration-test occassionally hangs with "Failed to peek at channel" +Description of problem: +Running the 'migration-test' qtest in a loop, eventually resulted in a hang. + +``` +# Running /x86_64/migration/multifd/tcp/plain/cancel +# Using machine type: pc-q35-9.2 +# starting QEMU: exec ./qemu-system-x86_64 -qtest unix:/tmp/qtest-75145.sock -qtest-log /dev/null -chardev socket,path=/tmp/qtest-75145.qmp,id=char0 -mon chardev=char0,mode=control -display none -audio none -accel kvm -accel tcg -machine pc-q35-9.2, -name source,debug-threads=on -m 150M -serial file:/tmp/migration-test-DJLYV2/src_serial -drive if=none,id=d0,file=/tmp/migration-test-DJLYV2/bootsect,format=raw -device ide-hd,drive=d0,secs=1,cyls=1,heads=1 2>/dev/null -accel qtest +# starting QEMU: exec ./qemu-system-x86_64 -qtest unix:/tmp/qtest-75145.sock -qtest-log /dev/null -chardev socket,path=/tmp/qtest-75145.qmp,id=char0 -mon chardev=char0,mode=control -display none -audio none -accel kvm -accel tcg -machine pc-q35-9.2, -name target,debug-threads=on -m 150M -serial file:/tmp/migration-test-DJLYV2/dest_serial -incoming defer -drive if=none,id=d0,file=/tmp/migration-test-DJLYV2/bootsect,format=raw -device ide-hd,drive=d0,secs=1,cyls=1,heads=1 2>/dev/null -accel qtest +# Using machine type: pc-q35-9.2 +# starting QEMU: exec ./qemu-system-x86_64 -qtest unix:/tmp/qtest-75145.sock -qtest-log /dev/null -chardev socket,path=/tmp/qtest-75145.qmp,id=char0 -mon chardev=char0,mode=control -display none -audio none -accel kvm -accel tcg -machine pc-q35-9.2, -name target,debug-threads=on -m 150M -serial file:/tmp/migration-test-DJLYV2/dest_serial -incoming defer -drive if=none,id=d0,file=/tmp/migration-test-DJLYV2/bootsect,format=raw -device ide-hd,drive=d0,secs=1,cyls=1,heads=1 -accel 
qtest +qemu-system-x86_64: Failed to peek at channel +....hang here.... +``` +Steps to reproduce: +In host run + +``` +make vm-build-openbsd DEBUG=1' +``` +when it is done and gives a shell account then run + +1. `cd /home/qemu/qemu-test.*/build` +2. `export QTEST_QEMU_BINARY=./qemu-system-x86_64` +3. `while true ; do ./tests/qtest/migration-test ; done` +4. ....wait some time until it shows the above hang.... diff --git a/results/classifier/108/other/2634 b/results/classifier/108/other/2634 new file mode 100644 index 000000000..8a0c3bcda --- /dev/null +++ b/results/classifier/108/other/2634 
@@ -0,0 +1,192 @@ +other: 0.748 +graphic: 0.737 +device: 0.717 +semantic: 0.712 +debug: 0.697 +permissions: 0.668 +vnc: 0.655 +PID: 0.644 +KVM: 0.624 +network: 0.607 +performance: 0.596 +boot: 0.586 +files: 0.540 +socket: 0.529 + +Replay/record does not work with `rrsnapshot`/`loadvm` +Description of problem: +Qemu's record/replay feature does not properly work when using snapshots (like rrsnapshot). + +Record/replay without snapshotting works just fine, but when using `rrsnapshot=...` the replay is stuck at boot. `loadvm` monitor command also gets qemu stuck. + +Record command: + +``` +$ qemu-system-x86_64 \ + -cpu SandyBridge -smp 1 \ + -serial stdio -display none \ + -m 4096 \ + -drive file=./empty.qcow2,id=rr \ + -kernel ./boot/vmlinuz-lts \ + -initrd ./boot/initramfs-lts . + -monitor telnet::12345,server,nowait \ + -append "console=ttyS0 root=/dev/ram0 alpine_dev=cdrom:iso9660 modules=loop,squashfs,sd-mod,usb-storage quiet" \ + -icount shift=auto,rrfile=rr,rr=record,rrsnapshot=init +``` + +Broken replay command, which gets qemu stuck: + +``` +$ qemu-system-x86_64 \ + -cpu SandyBridge -smp 1 \ + -serial stdio -display none \ + -m 4096 \ + -drive file=./empty.qcow2,id=rr \ + -kernel ./boot/vmlinuz-lts \ + -initrd ./boot/initramfs-lts . + -monitor telnet::12345,server,nowait \ + -append "console=ttyS0 root=/dev/ram0 alpine_dev=cdrom:iso9660 modules=loop,squashfs,sd-mod,usb-storage quiet" \ + -icount shift=auto,rrfile=rr,rr=replay,rrsnapshot=init + +qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.tsc-deadline [bit 24] +``` + +Record/replay without `rrsnapshot`/`loadvm`/etc works as expected. 
+Steps to reproduce: +To reproduce i've used alpine linux kernel as the guest: + +``` +wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-standard-3.20.3-x86_64.iso +7z x alpine-standard-3.20.3-x86_64.iso +``` + +Prerequisites - an empty qcow2 file for snapshots: + +``` +qemu-img create -f qcow2 empty.qcow2 1G +``` + +Running an alpine linux kernel with `rr=record` - works just fine, kernel boots, accepts input. + +``` +$ qemu-system-x86_64 \ + -cpu SandyBridge -smp 1 \ + -serial stdio -display none \ + -m 4096 \ + -drive file=./empty.qcow2,id=rr \ + -kernel ./boot/vmlinuz-lts \ + -initrd ./boot/initramfs-lts . + -monitor telnet::12345,server,nowait \ + -append "console=ttyS0 root=/dev/ram0 alpine_dev=cdrom:iso9660 modules=loop,squashfs,sd-mod,usb-storage quiet" \ + -icount shift=auto,rrfile=rr,rr=record,rrsnapshot=init + +qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.tsc-deadline [bit 24] +mount: mounting /dev/ram0 on /sysroot failed: Invalid argument +Mounting root failed. +initramfs emergency recovery shell launched. Type 'exit' to continue boot +sh: can't access tty; job control turned off +~ # ls -alh +total 32K +drwx------ 18 root root 0 Oct 21 13:02 . +drwx------ 18 root root 0 Oct 21 13:02 .. 
+-rw------- 1 root root 8 Oct 21 13:02 .ash_history +drwxr-xr-x 2 root root 0 Jun 18 12:44 .modloop +drwxr-xr-x 2 root root 0 Oct 21 13:02 bin +drwxr-xr-x 9 root root 2.5K Oct 21 13:02 dev +drwxr-xr-x 4 root root 0 Oct 21 13:02 etc +-rwxr-xr-x 1 root root 25.9K Jun 18 12:44 init +drwxr-xr-x 5 root root 0 Jun 18 12:44 lib +drwxr-xr-x 5 root root 0 Jun 18 12:44 media +drwxr-xr-x 2 root root 0 Jun 18 12:44 newroot +dr-xr-xr-x 114 root root 0 Oct 21 13:02 proc +drwx------ 2 root root 0 Sep 4 12:53 root +drwxr-xr-x 3 root root 0 Oct 21 13:02 run +drwxr-xr-x 2 root root 0 Oct 21 13:02 sbin +dr-xr-xr-x 13 root root 0 Oct 21 13:02 sys +drwxr-xr-x 2 root root 0 Oct 21 13:02 sysroot +drwxr-xr-x 2 root root 0 Oct 21 13:02 tmp +drwxr-xr-x 5 root root 0 Oct 21 13:02 usr +drwxr-xr-x 3 root root 0 Jun 18 12:44 var +~ # echo "AAAAAAAA?" +AAAAAAAA? +~ # +``` + +`rr`-file is produced, which can be used for replaying **without** `rrsnapshot`-option: + +``` +$ qemu-system-x86_64 \ + -cpu SandyBridge -smp 1 \ + -serial stdio -display none \ + -m 4096 \ + -drive file=./empty.qcow2,id=rr \ + -kernel ./boot/vmlinuz-lts \ + -initrd ./boot/initramfs-lts . + -monitor telnet::12345,server,nowait \ + -append "console=ttyS0 root=/dev/ram0 alpine_dev=cdrom:iso9660 modules=loop,squashfs,sd-mod,usb-storage quiet" \ + -icount shift=auto,rrfile=rr,rr=replay + +qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.tsc-deadline [bit 24] +mount: mounting /dev/ram0 on /sysroot failed: Invalid argument +Mounting root failed. +initramfs emergency recovery shell launched. Type 'exit' to continue boot +sh: can't access tty; job control turned off +~ # ls -alh +total 32K +drwx------ 18 root root 0 Oct 21 13:02 . +drwx------ 18 root root 0 Oct 21 13:02 .. 
+-rw------- 1 root root 8 Oct 21 13:02 .ash_history +drwxr-xr-x 2 root root 0 Jun 18 12:44 .modloop +drwxr-xr-x 2 root root 0 Oct 21 13:02 bin +drwxr-xr-x 9 root root 2.5K Oct 21 13:02 dev +drwxr-xr-x 4 root root 0 Oct 21 13:02 etc +-rwxr-xr-x 1 root root 25.9K Jun 18 12:44 init +drwxr-xr-x 5 root root 0 Jun 18 12:44 lib +drwxr-xr-x 5 root root 0 Jun 18 12:44 media +drwxr-xr-x 2 root root 0 Jun 18 12:44 newroot +dr-xr-xr-x 114 root root 0 Oct 21 13:02 proc +drwx------ 2 root root 0 Sep 4 12:53 root +drwxr-xr-x 3 root root 0 Oct 21 13:02 run +drwxr-xr-x 2 root root 0 Oct 21 13:02 sbin +dr-xr-xr-x 13 root root 0 Oct 21 13:02 sys +drwxr-xr-x 2 root root 0 Oct 21 13:02 sysroot +drwxr-xr-x 2 root root 0 Oct 21 13:02 tmp +drwxr-xr-x 5 root root 0 Oct 21 13:02 usr +drwxr-xr-x 3 root root 0 Jun 18 12:44 var +~ # echo "AAAAAAAA?" +AAAAAAAA? +~ # +``` + +As you can see, replaying emulation session works as expected. How ever, if I add the `rrsnapshot`-option, it gets stuck: + +``` +$ qemu-system-x86_64 \ + -cpu SandyBridge -smp 1 \ + -serial stdio -display none \ + -m 4096 \ + -drive file=./empty.qcow2,id=rr \ + -kernel ./boot/vmlinuz-lts \ + -initrd ./boot/initramfs-lts . + -monitor telnet::12345,server,nowait \ + -append "console=ttyS0 root=/dev/ram0 alpine_dev=cdrom:iso9660 modules=loop,squashfs,sd-mod,usb-storage quiet" \ + -icount shift=auto,rrfile=rr,rr=replay,rrsnapshot=init + +qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.tsc-deadline [bit 24] +``` + +This also can be reproduced without `rrsnapshot` option, by issuing `loadvm init` from qemu monitor: + +``` +$ telnet localhost 12345 +qemu> loadvm init +... +``` + +Or, by using `gdb` and issuing reverse-commands that require `loadvm` to load previous state, like `reverse-stepi` or `reverse-continue`. 
+ +Attaching a debugger & using debug-prints shows some thread being stuck in the [`rcu.c`](https://gitlab.com/qemu-project/qemu/-/blob/master/util/rcu.c), near the `qemu_event_wait(&rcu_call_ready_event);`. I've tried to wait for quite some time (about an hour) and there was no result. +Additional information: +**Qemu build.** Qemu binary built from sources of 9.1.0 with `--target-list=x86_64-softmmu`. + +**Host machine.** An almost clean Ubuntu 20.04 with necessary packages for building qemu from the latest release sources. diff --git a/results/classifier/108/other/2635 b/results/classifier/108/other/2635 new file mode 100644 index 000000000..9d1320c97 --- /dev/null +++ b/results/classifier/108/other/2635 @@ -0,0 +1,27 @@ +graphic: 0.867 +device: 0.809 +files: 0.771 +network: 0.701 +PID: 0.696 +vnc: 0.690 +socket: 0.614 +performance: 0.569 +semantic: 0.568 +boot: 0.517 +debug: 0.467 +permissions: 0.419 +KVM: 0.244 +other: 0.196 + +A use-after-free bug in pflash_cfi01 snapshot implementation +Description of problem: +The flash snapshot restore does not function correctly. Basically when you use “if=pflash,format=raw,unit=0,file=OVMF_VAR.fd", it crashes when trying to restore a snapshot. + +The root cause is: + +1. In system/runstate.c, function vm_state_notify loops through vm_change_state_head list and calls the callback function for each entry. +2. One of the callback function pointer points to function postload_update_cb in hw/block/pflash_cfi01.c. +3. In function postload_update_cb, it calls qemu_del_vm_change_state_handler in which the entry element memory is freed. +4. Note that, it is still running in the loop, the entry will be visited and get executed, the function pointer may point to a wide memory. +Additional information: + diff --git a/results/classifier/108/other/2638 b/results/classifier/108/other/2638 new file mode 100644 index 000000000..c8e818a57 --- /dev/null +++ b/results/classifier/108/other/2638 
@@ -0,0 +1,32 @@ +device: 0.777 +socket: 0.720 +network: 0.704 +permissions: 0.626 +graphic: 0.587 +semantic: 0.586 +files: 0.580 +debug: 0.489 +KVM: 0.489 +performance: 0.454 +PID: 0.436 +boot: 0.424 +other: 0.312 +vnc: 0.210 + +Incorrect SPDX license expression +Description of problem: +In the source code, the syntax of license expressions after the keyword SPDX-License-Identifier is not always correct. + +"GPL-2.0" should be "GPL-2.0-only" + +"GPL-2.0 WITH Linux-syscall-note" should be "GPL-2.0-only WITH Linux-syscall-note" + +"GPL-2.0+" should be "GPL-2.0-or-later" + +"GPL-2.0+ WITH Linux-syscall-note" should be "GPL-2.0-or-later WITH Linux-syscall-note" + +"GPL-v2-only" should be "GPL-2.0-only" + +"LGPL-2.1+" should be "LGPL-2.1-or-later" + +"MIT CC0-1.0" should be "MIT" diff --git a/results/classifier/108/other/2639 b/results/classifier/108/other/2639 new file mode 100644 index 000000000..a6c971e67 --- /dev/null +++ b/results/classifier/108/other/2639 
@@ -0,0 +1,37 @@ +debug: 0.828 +graphic: 0.697 +device: 0.599 +performance: 0.371 +vnc: 0.360 +semantic: 0.351 +socket: 0.307 +PID: 0.271 +network: 0.250 +files: 0.206 +permissions: 0.202 +other: 0.169 +boot: 0.094 +KVM: 0.071 + +[Regression] v9.1.1: hw/audio/hda audio output stream closes (SPICE) +Description of problem: +Beginning with QEMU 9.1.1, SPICE is unable to route audio from the guest to host. This affects `virt-viewer` as well as `Looking Glass`. Reverting packages to 9.1.0 restores functionality. + +Reported at [Arch Linux forums](https://bbs.archlinux.org/viewtopic.php?id=300475) and [Looking Glass discord](https://discord.com/channels/804108879436316733/1298405109210022038) + +---- + +I've confirmed https://gitlab.com/qemu-project/qemu/-/commit/6d03242a7e47815ed56687ecd13f683d8da3f2fe caused the regression, applying reverse patch to 9.1.1 resolves the issue +Additional information: +Debugging output from the [Looking Glass discord](https://discord.com/channels/804108879436316733/1298405109210022038/1298669405118664767): +``` +00:00:00.633 [I] main.c:1735 | lg_run | Starting session +[New Thread 0x7fffd12006c0 (LWP 10071)] +[New Thread 0x7fffc7e006c0 (LWP 10072)] +00:00:00.633 [I] main.c:553 | main_frameThread | Using DMA buffer support +00:00:01.339 [I] main.c:710 | main_frameThread | Format: FRAME_TYPE_BGRA 2560x1400 (2560x1400) stride:2560 pitch:10240 rotation:0 hdr:0 pq:0 + +Thread 2 "spiceThread" received signal SIGPIPE, Broken pipe. +[Switching to Thread 0x7fffdba006c0 (LWP 10024)] +0x00007ffff712a6ea in send () from /usr/lib/libc.so.6 +``` |
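Review bot: In the hunk for results/classifier/108/other/263, the file is placed in the `other/` bucket although `other` scores only 0.231 while `device` scores 0.824 and `performance` 0.773; nothing in the record explains how the bucket directory is chosen from the score list. Document the selection rule (top label, threshold, or manual override) in the results layout, or store the chosen label inside the file so the directory is not the only carrier of that decision.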
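Review bot: In the hunk for results/classifier/108/other/2630, the record body consists of the three-word title "Issue template broken" and nothing else, and the fourteen scores all fall in a narrow 0.130 to 0.609 band. A classification produced from a title-only input is not meaningful; consider marking records that have no description (for example with an explicit empty-body flag) so downstream consumers can filter them rather than treat the flat scores as a real ranking.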
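Review bot: In the hunk for results/classifier/108/other/2631, every label scores at least 0.748 and the fourteen values sum to well over 11, so these are clearly independent per-label scores rather than a probability distribution over labels. The file format should state that explicitly (a header line or a README next to the results), because a consumer that normalises or sums the column would get nonsense from this record while getting plausible-looking numbers from the sparser ones such as 263.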
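Review bot: In the hunk for results/classifier/108/other/2633, the record carries the full issue text but no provenance field: there is no issue URL, tracker id or capture date anywhere in the body, and the numeric filename is the only link back to the source. Add a provenance line to the record format so the classification can be traced to the report it was derived from without relying on the directory naming convention.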
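Review bot: In the hunk for results/classifier/108/other/2634, all fourteen scores lie between 0.529 and 0.748, so the ordering of labels in this 192-line record carries little information, and the body repeats the same qemu command line and the same console listing several times. Consider emitting a low-confidence marker when the score spread is this small, and consider whether the verbatim issue body (including repeated shell transcripts) needs to be stored in the result file at all, since it dominates the file size without adding to the classification.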
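Review bot: In the hunk for results/classifier/108/other/2635, `other` is the lowest of all fourteen scores (0.196, below `files` 0.771 and `device` 0.809), yet the file sits in `other/`; this is the clearest case in the patch where the directory contradicts the scores. The record also ends with an "Additional information:" heading followed by an empty line, so the section marker is emitted even when the source section is empty; either drop empty sections or document that headings are always present.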
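Review bot: In the hunk for results/classifier/108/other/2638, the report is purely about SPDX license expression syntax, which matches none of the fourteen labels, yet `device` scores 0.777 and `socket` 0.720. The label set has no category for build, licensing or metadata issues, so the classifier is forced to assign high scores to unrelated labels; add such a category or a rejection threshold below which a record is reported as unclassified rather than carrying spurious top labels.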
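Review bot: In the hunk for results/classifier/108/other/2639, `debug` is the top label at 0.828 although the subject is an audio output regression with SPICE; the pasted gdb session (thread creation lines, SIGPIPE in send()) appears to be driving that score. Consider scoring the title and description separately from quoted log and debugger output, or stripping fenced log blocks before classification, so the presence of a backtrace does not dominate the label choice.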