diff --git a/5604f239-x86-PV-properly-populate-descriptor-tables.patch b/5604f239-x86-PV-properly-populate-descriptor-tables.patch
deleted file mode 100644
index ca455fc..0000000
--- a/5604f239-x86-PV-properly-populate-descriptor-tables.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-# Commit cf6d39f81992c29a637c603dbabf1e21a0ea563f
-# Date 2015-09-25 09:05:29 +0200
-# Author Jan Beulich
-# Committer Jan Beulich
-x86/PV: properly populate descriptor tables
-
-Us extending the GDT limit past the Xen descriptors so far meant that
-guests (including user mode programs) accessing any descriptor table
-slot above the original OS'es limit but below the first Xen descriptor
-caused a #PF, converted to a #GP in our #PF handler. Which is quite
-different from the native behavior, where some of such accesses (LAR
-and LSL) don't fault. Mimic that behavior by mapping a blank page into
-unused slots.
-
-While not strictly required, treat the LDT the same for consistency.
-
-Reported-by: Andrew Cooper
-Signed-off-by: Jan Beulich
-Reviewed-by: Andrew Cooper
-
-# Commit 61031e64d3dafd2fb1953436444bf02eccb9b146
-# Date 2015-10-27 14:46:12 +0100
-# Author Jan Beulich
-# Committer Jan Beulich
-x86/PV: don't zero-map LDT
-
-This effectvely reverts the LDT related part of commit cf6d39f819
-("x86/PV: properly populate descriptor tables"), which broke demand
-paged LDT handling in guests.
-
-Reported-by: David Vrabel
-Diagnosed-by: Andrew Cooper
-Signed-off-by: Jan Beulich
-Tested-by: David Vrabel
-Reviewed-by: Andrew Cooper
-
-Index: xen-4.6.0-testing/xen/arch/x86/mm.c
-===================================================================
---- xen-4.6.0-testing.orig/xen/arch/x86/mm.c
-+++ xen-4.6.0-testing/xen/arch/x86/mm.c
-@@ -502,12 +502,12 @@ void update_cr3(struct vcpu *v)
- make_cr3(v, cr3_mfn);
- }
-
-+static const char __section(".bss.page_aligned") zero_page[PAGE_SIZE];
-
- static void invalidate_shadow_ldt(struct vcpu *v, int flush)
- {
- l1_pgentry_t *pl1e;
-- int i;
-- unsigned long pfn;
-+ unsigned int i;
- struct page_info *page;
-
- BUG_ON(unlikely(in_irq()));
-@@ -522,10 +522,10 @@ static void invalidate_shadow_ldt(struct
-
- for ( i = 16; i < 32; i++ )
- {
-- pfn = l1e_get_pfn(pl1e[i]);
-- if ( pfn == 0 ) continue;
-+ if ( !(l1e_get_flags(pl1e[i]) & _PAGE_PRESENT) )
-+ continue;
-+ page = l1e_get_page(pl1e[i]);
- l1e_write(&pl1e[i], l1e_empty());
-- page = mfn_to_page(pfn);
- ASSERT_PAGE_IS_TYPE(page, PGT_seg_desc_page);
- ASSERT_PAGE_IS_DOMAIN(page, v->domain);
- put_page_and_type(page);
-@@ -4420,16 +4420,18 @@ long do_update_va_mapping_otherdomain(un
- void destroy_gdt(struct vcpu *v)
- {
- l1_pgentry_t *pl1e;
-- int i;
-- unsigned long pfn;
-+ unsigned int i;
-+ unsigned long pfn, zero_pfn = PFN_DOWN(__pa(zero_page));
-
- v->arch.pv_vcpu.gdt_ents = 0;
- pl1e = gdt_ldt_ptes(v->domain, v);
- for ( i = 0; i < FIRST_RESERVED_GDT_PAGE; i++ )
- {
-- if ( (pfn = l1e_get_pfn(pl1e[i])) != 0 )
-+ pfn = l1e_get_pfn(pl1e[i]);
-+ if ( (l1e_get_flags(pl1e[i]) & _PAGE_PRESENT) && pfn != zero_pfn )
- put_page_and_type(mfn_to_page(pfn));
-- l1e_write(&pl1e[i], l1e_empty());
-+ l1e_write(&pl1e[i],
-+ l1e_from_pfn(zero_pfn, __PAGE_HYPERVISOR & ~_PAGE_RW));
- v->arch.pv_vcpu.gdt_frames[i] = 0;
- }
- }
-@@ -4442,7 +4444,7 @@ long set_gdt(struct vcpu *v,
- struct domain *d = v->domain;
- l1_pgentry_t *pl1e;
- /* NB. There are 512 8-byte entries per GDT page. */
-- int i, nr_pages = (entries + 511) / 512;
-+ unsigned int i, nr_pages = (entries + 511) / 512;
-
- if ( entries > FIRST_RESERVED_GDT_ENTRY )
- return -EINVAL;
diff --git a/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch b/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
deleted file mode 100644
index 8d71053..0000000
--- a/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-# Commit 710942e57fb42ff8f344ca82f6b678f67e38ae63
-# Date 2015-10-12 15:58:35 +0200
-# Author Jan Beulich
-# Committer Jan Beulich
-VT-d: don't suppress invalidation address write when it is zero
-
-GFN zero is a valid address, and hence may need invalidation done for
-it just like for any other GFN.
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Andrew Cooper
-Acked-by: Yang Zhang
-
---- a/xen/drivers/passthrough/vtd/iommu.c
-+++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -414,7 +414,7 @@ static int flush_iotlb_reg(void *_iommu,
- {
- struct iommu *iommu = (struct iommu *) _iommu;
- int tlb_offset = ecap_iotlb_offset(iommu->ecap);
-- u64 val = 0, val_iva = 0;
-+ u64 val = 0;
- unsigned long flags;
-
- /*
-@@ -435,7 +435,6 @@ static int flush_iotlb_reg(void *_iommu,
- switch ( type )
- {
- case DMA_TLB_GLOBAL_FLUSH:
-- /* global flush doesn't need set IVA_REG */
- val = DMA_TLB_GLOBAL_FLUSH|DMA_TLB_IVT;
- break;
- case DMA_TLB_DSI_FLUSH:
-@@ -443,8 +442,6 @@ static int flush_iotlb_reg(void *_iommu,
- break;
- case DMA_TLB_PSI_FLUSH:
- val = DMA_TLB_PSI_FLUSH|DMA_TLB_IVT|DMA_TLB_DID(did);
-- /* Note: always flush non-leaf currently */
-- val_iva = size_order | addr;
- break;
- default:
- BUG();
-@@ -457,8 +454,11 @@ static int flush_iotlb_reg(void *_iommu,
-
- spin_lock_irqsave(&iommu->register_lock, flags);
- /* Note: Only uses first TLB reg currently */
-- if ( val_iva )
-- dmar_writeq(iommu->reg, tlb_offset, val_iva);
-+ if ( type == DMA_TLB_PSI_FLUSH )
-+ {
-+ /* Note: always flush non-leaf currently. */
-+ dmar_writeq(iommu->reg, tlb_offset, size_order | addr);
-+ }
- dmar_writeq(iommu->reg, tlb_offset + 8, val);
-
- /* Make sure hardware complete it */
diff --git a/561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch b/561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
deleted file mode 100644
index 73da078..0000000
--- a/561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-# Commit 6851e979874ebc05d270ea94360c49d920d3eaf4
-# Date 2015-10-13 17:16:22 +0200
-# Author Jan Beulich
-# Committer Jan Beulich
-VT-d: use proper error codes in iommu_enable_x2apic_IR()
-
-... allowing to suppress a confusing message combination: When
-ACPI_DMAR_X2APIC_OPT_OUT is set, so far we first logged a message
-that IR could not be enabled (hence not using x2APIC), followed by
-one indicating successful initialization of IR (if no other problems
-prevented that).
-
-Also adjust the return type of iommu_supports_eim() and fix some
-broken indentation in the function.
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Andrew Cooper
-Acked-by: Yang Zhang
-
-Index: xen-4.6.0-testing/xen/arch/x86/apic.c
-===================================================================
---- xen-4.6.0-testing.orig/xen/arch/x86/apic.c
-+++ xen-4.6.0-testing/xen/arch/x86/apic.c
-@@ -943,8 +943,18 @@ void __init x2apic_bsp_setup(void)
- mask_8259A();
- mask_IO_APIC_setup(ioapic_entries);
-
-- if ( iommu_enable_x2apic_IR() )
-+ switch ( iommu_enable_x2apic_IR() )
- {
-+ case 0:
-+ break;
-+ case -ENXIO: /* ACPI_DMAR_X2APIC_OPT_OUT set */
-+ if ( !x2apic_enabled )
-+ {
-+ printk("Not enabling x2APIC (upon firmware request)\n");
-+ goto restore_out;
-+ }
-+ /* fall through */
-+ default:
- if ( x2apic_enabled )
- panic("Interrupt remapping could not be enabled while "
- "x2APIC is already enabled by BIOS");
-Index: xen-4.6.0-testing/xen/drivers/passthrough/vtd/intremap.c
-===================================================================
---- xen-4.6.0-testing.orig/xen/drivers/passthrough/vtd/intremap.c
-+++ xen-4.6.0-testing/xen/drivers/passthrough/vtd/intremap.c
-@@ -143,10 +143,10 @@ static void set_hpet_source_id(unsigned
- set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_13_IGNORE_3, hpetid_to_bdf(id));
- }
-
--int iommu_supports_eim(void)
-+bool_t iommu_supports_eim(void)
- {
- struct acpi_drhd_unit *drhd;
-- int apic;
-+ unsigned int apic;
-
- if ( !iommu_qinval || !iommu_intremap || list_empty(&acpi_drhd_units) )
- return 0;
-@@ -154,12 +154,12 @@ int iommu_supports_eim(void)
- /* We MUST have a DRHD unit for each IOAPIC. */
- for ( apic = 0; apic < nr_ioapics; apic++ )
- if ( !ioapic_to_drhd(IO_APIC_ID(apic)) )
-- {
-+ {
- dprintk(XENLOG_WARNING VTDPREFIX,
- "There is not a DRHD for IOAPIC %#x (id: %#x)!\n",
- apic, IO_APIC_ID(apic));
- return 0;
-- }
-+ }
-
- for_each_drhd_unit ( drhd )
- if ( !ecap_queued_inval(drhd->iommu->ecap) ||
-@@ -833,10 +833,10 @@ int iommu_enable_x2apic_IR(void)
- struct iommu *iommu;
-
- if ( !iommu_supports_eim() )
-- return -1;
-+ return -EOPNOTSUPP;
-
- if ( !platform_supports_x2apic() )
-- return -1;
-+ return -ENXIO;
-
- for_each_drhd_unit ( drhd )
- {
-@@ -861,7 +861,7 @@ int iommu_enable_x2apic_IR(void)
- {
- dprintk(XENLOG_INFO VTDPREFIX,
- "Failed to enable Queued Invalidation!\n");
-- return -1;
-+ return -EIO;
- }
- }
-
-@@ -873,7 +873,7 @@ int iommu_enable_x2apic_IR(void)
- {
- dprintk(XENLOG_INFO VTDPREFIX,
- "Failed to enable Interrupt Remapping!\n");
-- return -1;
-+ return -EIO;
- }
- }
-
-Index: xen-4.6.0-testing/xen/include/asm-x86/iommu.h
-===================================================================
---- xen-4.6.0-testing.orig/xen/include/asm-x86/iommu.h
-+++ xen-4.6.0-testing/xen/include/asm-x86/iommu.h
-@@ -27,7 +27,7 @@ int iommu_setup_hpet_msi(struct msi_desc
- /* While VT-d specific, this must get declared in a generic header. */
- int adjust_vtd_irq_affinities(void);
- void iommu_pte_flush(struct domain *d, u64 gfn, u64 *pte, int order, int present);
--int iommu_supports_eim(void);
-+bool_t iommu_supports_eim(void);
- int iommu_enable_x2apic_IR(void);
- void iommu_disable_x2apic_IR(void);
-
diff --git a/561d20a0-x86-hide-MWAITX-from-PV-domains.patch b/561d20a0-x86-hide-MWAITX-from-PV-domains.patch
deleted file mode 100644
index c6651fc..0000000
--- a/561d20a0-x86-hide-MWAITX-from-PV-domains.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-# Commit 941cd44324db7eddc46cba4596fa13d505066ccf
-# Date 2015-10-13 17:17:52 +0200
-# Author Jan Beulich
-# Committer Jan Beulich
-x86: hide MWAITX from PV domains
-
-Since MWAIT is hidden too. (Linux starting with 4.3 is making use of
-that feature, and is checking for it without looking at the MWAIT one.)
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Andrew Cooper
-
---- a/xen/arch/x86/traps.c
-+++ b/xen/arch/x86/traps.c
-@@ -967,6 +967,7 @@ void pv_cpuid(struct cpu_user_regs *regs
- __clear_bit(X86_FEATURE_LWP % 32, &c);
- __clear_bit(X86_FEATURE_NODEID_MSR % 32, &c);
- __clear_bit(X86_FEATURE_TOPOEXT % 32, &c);
-+ __clear_bit(X86_FEATURE_MWAITX % 32, &c);
- break;
-
- case 0x0000000a: /* Architectural Performance Monitor Features (Intel) */
---- a/xen/include/asm-x86/cpufeature.h
-+++ b/xen/include/asm-x86/cpufeature.h
-@@ -135,6 +135,7 @@
- #define X86_FEATURE_TBM (6*32+21) /* trailing bit manipulations */
- #define X86_FEATURE_TOPOEXT (6*32+22) /* topology extensions CPUID leafs */
- #define X86_FEATURE_DBEXT (6*32+26) /* data breakpoint extension */
-+#define X86_FEATURE_MWAITX (6*32+29) /* MWAIT extension (MONITORX/MWAITX) */
-
- /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 7 */
- #define X86_FEATURE_FSGSBASE (7*32+ 0) /* {RD,WR}{FS,GS}BASE instructions */
diff --git a/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch b/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
deleted file mode 100644
index c56c457..0000000
--- a/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-# Commit 83281fc9b31396e94c0bfb6550b75c165037a0ad
-# Date 2015-10-14 12:46:27 +0200
-# Author Jan Beulich
-# Committer Jan Beulich
-x86/NUMA: fix SRAT table processor entry parsing and consumption
-
-- don't overrun apicid_to_node[] (possible in the x2APIC case)
-- don't limit number of processor related SRAT entries we can consume
-- make acpi_numa_{processor,x2apic}_affinity_init() as similar to one
- another as possible
-- print APIC IDs in hex (to ease matching with other log messages), at
- once making legacy and x2APIC ones distinguishable (by width)
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Andrew Cooper
-
---- a/xen/arch/x86/numa.c
-+++ b/xen/arch/x86/numa.c
-@@ -349,7 +349,7 @@ void __init init_cpu_to_node(void)
- u32 apicid = x86_cpu_to_apicid[i];
- if ( apicid == BAD_APICID )
- continue;
-- node = apicid_to_node[apicid];
-+ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE;
- if ( node == NUMA_NO_NODE || !node_online(node) )
- node = 0;
- numa_set_node(i, node);
---- a/xen/arch/x86/setup.c
-+++ b/xen/arch/x86/setup.c
-@@ -200,7 +200,7 @@ void __devinit srat_detect_node(int cpu)
- nodeid_t node;
- u32 apicid = x86_cpu_to_apicid[cpu];
-
-- node = apicid_to_node[apicid];
-+ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE;
- if ( node == NUMA_NO_NODE )
- node = 0;
-
---- a/xen/arch/x86/smpboot.c
-+++ b/xen/arch/x86/smpboot.c
-@@ -993,7 +993,8 @@ int cpu_add(uint32_t apic_id, uint32_t a
- cpu = node;
- goto out;
- }
-- apicid_to_node[apic_id] = node;
-+ if ( apic_id < MAX_LOCAL_APIC )
-+ apicid_to_node[apic_id] = node;
- }
-
- /* Physically added CPUs do not have synchronised TSC. */
---- a/xen/arch/x86/srat.c
-+++ b/xen/arch/x86/srat.c
-@@ -209,7 +209,6 @@ acpi_numa_x2apic_affinity_init(struct ac
- {
- unsigned pxm;
- nodeid_t node;
-- u32 apic_id;
-
- if (srat_disabled())
- return;
-@@ -217,8 +216,13 @@ acpi_numa_x2apic_affinity_init(struct ac
- bad_srat();
- return;
- }
-- if ((pa->flags & ACPI_SRAT_CPU_ENABLED) == 0)
-+ if (!(pa->flags & ACPI_SRAT_CPU_ENABLED))
-+ return;
-+ if (pa->apic_id >= MAX_LOCAL_APIC) {
-+ printk(KERN_INFO "SRAT: APIC %08x ignored\n", pa->apic_id);
- return;
-+ }
-+
- pxm = pa->proximity_domain;
- node = setup_node(pxm);
- if (node == NUMA_NO_NODE) {
-@@ -226,11 +230,11 @@ acpi_numa_x2apic_affinity_init(struct ac
- return;
- }
-
-- apic_id = pa->apic_id;
-- apicid_to_node[apic_id] = node;
-+ apicid_to_node[pa->apic_id] = node;
-+ node_set(node, processor_nodes_parsed);
- acpi_numa = 1;
-- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n",
-- pxm, apic_id, node);
-+ printk(KERN_INFO "SRAT: PXM %u -> APIC %08x -> Node %u\n",
-+ pxm, pa->apic_id, node);
- }
-
- /* Callback for Proximity Domain -> LAPIC mapping */
-@@ -262,7 +266,7 @@ acpi_numa_processor_affinity_init(struct
- apicid_to_node[pa->apic_id] = node;
- node_set(node, processor_nodes_parsed);
- acpi_numa = 1;
-- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n",
-+ printk(KERN_INFO "SRAT: PXM %u -> APIC %02x -> Node %u\n",
- pxm, pa->apic_id, node);
- }
-
---- a/xen/drivers/acpi/numa.c
-+++ b/xen/drivers/acpi/numa.c
-@@ -198,9 +198,9 @@ int __init acpi_numa_init(void)
- /* SRAT: Static Resource Affinity Table */
- if (!acpi_table_parse(ACPI_SIG_SRAT, acpi_parse_srat)) {
- acpi_table_parse_srat(ACPI_SRAT_TYPE_X2APIC_CPU_AFFINITY,
-- acpi_parse_x2apic_affinity, NR_CPUS);
-+ acpi_parse_x2apic_affinity, 0);
- acpi_table_parse_srat(ACPI_SRAT_TYPE_CPU_AFFINITY,
-- acpi_parse_processor_affinity, NR_CPUS);
-+ acpi_parse_processor_affinity, 0);
- acpi_table_parse_srat(ACPI_SRAT_TYPE_MEMORY_AFFINITY,
- acpi_parse_memory_affinity,
- NR_NODE_MEMBLKS);
diff --git a/5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch b/5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
deleted file mode 100644
index ba01aad..0000000
--- a/5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-# Commit 29bcf64ce8bc0b1b7aacd00c8668f255c4f0686c
-# Date 2015-10-29 13:31:10 +0100
-# Author Julien Grall
-# Committer Jan Beulich
-arm: Support hypercall_create_continuation for multicall
-
-Multicall for ARM has been supported since commit f0dbdc6 "xen: arm: fully
-implement multicall interface.". Although, if an hypercall in multicall
-requires preemption, it will crash the host:
-
-(XEN) Xen BUG at domain.c:347
-(XEN) ----[ Xen-4.7-unstable arm64 debug=y Tainted: C ]----
-[...]
-(XEN) Xen call trace:
-(XEN) [<00000000002420cc>] hypercall_create_continuation+0x64/0x380 (PC)
-(XEN) [<0000000000217274>] do_memory_op+0x1b00/0x2334 (LR)
-(XEN) [<0000000000250d2c>] do_multicall_call+0x114/0x124
-(XEN) [<0000000000217ff0>] do_multicall+0x17c/0x23c
-(XEN) [<000000000024f97c>] do_trap_hypercall+0x90/0x12c
-(XEN) [<0000000000251ca8>] do_trap_hypervisor+0xd2c/0x1ba4
-(XEN) [<00000000002582cc>] guest_sync+0x88/0xb8
-(XEN)
-(XEN)
-(XEN) ****************************************
-(XEN) Panic on CPU 5:
-(XEN) Xen BUG at domain.c:347
-(XEN) ****************************************
-(XEN)
-(XEN) Manual reset required ('noreboot' specified)
-
-Looking to the code, the support of multicall looks valid to me, as we only
-need to fill call.args[...]. So drop the BUG();
-
-This is CVE-2015-7812 / XSA-145.
-
-Signed-off-by: Julien Grall
-Acked-by: Ian Campbell
-
---- a/xen/arch/arm/domain.c
-+++ b/xen/arch/arm/domain.c
-@@ -344,8 +344,6 @@ unsigned long hypercall_create_continuat
-
- if ( test_bit(_MCSF_in_multicall, &mcs->flags) )
- {
-- BUG(); /* XXX multicalls not implemented yet. */
--
- __set_bit(_MCSF_call_preempted, &mcs->flags);
-
- for ( i = 0; *p != '\0'; i++ )
diff --git a/56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch b/56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
deleted file mode 100644
index 861eead..0000000
--- a/56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-# Commit 1c0e59ff15764e7b0c59282365974f5b8924ce83
-# Date 2015-10-29 13:33:38 +0100
-# Author Ian Campbell
-# Committer Jan Beulich
-arm: rate-limit logging from unimplemented PHYSDEVOP and HVMOP.
-
-These are guest accessible and should therefore be rate-limited.
-Moreover, include them only in debug builds.
-
-This is CVE-2015-7813 / XSA-146.
-
-Signed-off-by: Ian Campbell
-Reviewed-by: Jan Beulich
-
---- a/xen/arch/arm/hvm.c
-+++ b/xen/arch/arm/hvm.c
-@@ -57,7 +57,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
-
- default:
- {
-- printk("%s: Bad HVM op %ld.\n", __func__, op);
-+ gdprintk(XENLOG_DEBUG, "HVMOP op=%lu: not implemented\n", op);
- rc = -ENOSYS;
- break;
- }
---- a/xen/arch/arm/physdev.c
-+++ b/xen/arch/arm/physdev.c
-@@ -8,12 +8,13 @@
- #include
- #include
- #include
-+#include
- #include
-
-
- int do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
- {
-- printk("%s %d cmd=%d: not implemented yet\n", __func__, __LINE__, cmd);
-+ gdprintk(XENLOG_DEBUG, "PHYSDEVOP cmd=%d: not implemented\n", cmd);
- return -ENOSYS;
- }
-
diff --git a/56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch b/56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
deleted file mode 100644
index 0e154e5..0000000
--- a/56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-# Commit 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
-# Date 2015-10-29 13:34:17 +0100
-# Author Ian Campbell
-# Committer Jan Beulich
-arm: handle races between relinquish_memory and free_domheap_pages
-
-Primarily this means XENMEM_decrease_reservation from a toolstack
-domain.
-
-Unlike x86 we have no requirement right now to queue such pages onto
-a separate list, if we hit this race then the other code has already
-fully accepted responsibility for freeing this page and therefore
-there is no more for relinquish_memory to do.
-
-This is CVE-2015-7814 / XSA-147.
-
-Signed-off-by: Ian Campbell
-Reviewed-by: Julien Grall
-Reviewed-by: Jan Beulich
-
---- a/xen/arch/arm/domain.c
-+++ b/xen/arch/arm/domain.c
-@@ -768,8 +768,15 @@ static int relinquish_memory(struct doma
- {
- /* Grab a reference to the page so it won't disappear from under us. */
- if ( unlikely(!get_page(page, d)) )
-- /* Couldn't get a reference -- someone is freeing this page. */
-- BUG();
-+ /*
-+ * Couldn't get a reference -- someone is freeing this page and
-+ * has already committed to doing so, so no more to do here.
-+ *
-+ * Note that the page must be left on the list, a list_del
-+ * here will clash with the list_del done by the other
-+ * party in the race and corrupt the list head.
-+ */
-+ continue;
-
- if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
- put_page(page);
diff --git a/5632127b-x86-guard-against-undue-super-page-PTE-creation.patch b/5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
deleted file mode 100644
index 2eb947a..0000000
--- a/5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-# Commit fe360c90ea13f309ef78810f1a2b92f2ae3b30b8
-# Date 2015-10-29 13:35:07 +0100
-# Author Jan Beulich
-# Committer Jan Beulich
-x86: guard against undue super page PTE creation
-
-When optional super page support got added (commit bd1cd81d64 "x86: PV
-support for hugepages"), two adjustments were missed: mod_l2_entry()
-needs to consider the PSE and RW bits when deciding whether to use the
-fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
-unconditionally.
-
-This is CVE-2015-7835 / XSA-148.
-
-Reported-by: "栾尚聪(好风)"
-Signed-off-by: Jan Beulich
-Reviewed-by: Tim Deegan
-
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -160,7 +160,10 @@ static void put_superpage(unsigned long
- static uint32_t base_disallow_mask;
- /* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
- #define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
--#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
-+
-+#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
-+ ? base_disallow_mask & ~_PAGE_PSE \
-+ : base_disallow_mask)
-
- #define l3_disallow_mask(d) (!is_pv_32bit_domain(d) ? \
- base_disallow_mask : 0xFFFFF198U)
-@@ -1839,7 +1842,10 @@ static int mod_l2_entry(l2_pgentry_t *pl
- }
-
- /* Fast path for identical mapping and presence. */
-- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
-+ if ( !l2e_has_changed(ol2e, nl2e,
-+ unlikely(opt_allow_superpage)
-+ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
-+ : _PAGE_PRESENT) )
- {
- adjust_guest_l2e(nl2e, d);
- if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
diff --git a/5632129c-free-domain-s-vcpu-array.patch b/5632129c-free-domain-s-vcpu-array.patch
deleted file mode 100644
index 0ee9468..0000000
--- a/5632129c-free-domain-s-vcpu-array.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-# Commit d46896ebbb23f3a9fef2eb6066ae614fd1acfd96
-# Date 2015-10-29 13:35:40 +0100
-# Author Jan Beulich
-# Committer Jan Beulich
-free domain's vcpu array
-
-This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
-guest").
-
-This is CVE-2015-7969 / XSA-149.
-
-Reported-by: Ian Campbell
-Signed-off-by: Jan Beulich
-Reviewed-by: Ian Campbell
-
---- a/xen/common/domain.c
-+++ b/xen/common/domain.c
-@@ -833,6 +833,7 @@ static void complete_domain_destroy(stru
-
- xsm_free_security_domain(d);
- free_cpumask_var(d->domain_dirty_cpumask);
-+ xfree(d->vcpu);
- free_domain_struct(d);
-
- send_global_virq(VIRQ_DOM_EXC);
diff --git a/563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch b/563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
deleted file mode 100644
index 4b4458f..0000000
--- a/563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-# Commit 101ce53266866144e724ed593173bc4098b300b9
-# Date 2015-10-29 13:36:25 +0100
-# Author Andrew Cooper
-# Committer Jan Beulich
-x86/PoD: Eager sweep for zeroed pages
-
-Based on the contents of a guests physical address space,
-p2m_pod_emergency_sweep() could degrade into a linear memcmp() from 0 to
-max_gfn, which runs non-preemptibly.
-
-As p2m_pod_emergency_sweep() runs behind the scenes in a number of contexts,
-making it preemptible is not feasible.
-
-Instead, a different approach is taken. Recently-populated pages are eagerly
-checked for reclaimation, which amortises the p2m_pod_emergency_sweep()
-operation across each p2m_pod_demand_populate() operation.
-
-Note that in the case that a 2M superpage can't be reclaimed as a superpage,
-it is shattered if 4K pages of zeros can be reclaimed. This is unfortunate
-but matches the previous behaviour, and is required to avoid regressions
-(domain crash from PoD exhaustion) with VMs configured close to the limit.
-
-This is CVE-2015-7970 / XSA-150.
-
-Signed-off-by: Andrew Cooper
-Reviewed-by: Jan Beulich
-Reviewed-by: George Dunlap
-
---- a/xen/arch/x86/mm/p2m-pod.c
-+++ b/xen/arch/x86/mm/p2m-pod.c
-@@ -901,28 +901,6 @@ p2m_pod_zero_check(struct p2m_domain *p2
- }
-
- #define POD_SWEEP_LIMIT 1024
--
--/* When populating a new superpage, look at recently populated superpages
-- * hoping that they've been zeroed. This will snap up zeroed pages as soon as
-- * the guest OS is done with them. */
--static void
--p2m_pod_check_last_super(struct p2m_domain *p2m, unsigned long gfn_aligned)
--{
-- unsigned long check_gfn;
--
-- ASSERT(p2m->pod.last_populated_index < POD_HISTORY_MAX);
--
-- check_gfn = p2m->pod.last_populated[p2m->pod.last_populated_index];
--
-- p2m->pod.last_populated[p2m->pod.last_populated_index] = gfn_aligned;
--
-- p2m->pod.last_populated_index =
-- ( p2m->pod.last_populated_index + 1 ) % POD_HISTORY_MAX;
--
-- p2m_pod_zero_check_superpage(p2m, check_gfn);
--}
--
--
- #define POD_SWEEP_STRIDE 16
- static void
- p2m_pod_emergency_sweep(struct p2m_domain *p2m)
-@@ -963,7 +941,7 @@ p2m_pod_emergency_sweep(struct p2m_domai
- * NB that this is a zero-sum game; we're increasing our cache size
- * by re-increasing our 'debt'. Since we hold the pod lock,
- * (entry_count - count) must remain the same. */
-- if ( p2m->pod.count > 0 && i < limit )
-+ if ( i < limit && (p2m->pod.count > 0 || hypercall_preempt_check()) )
- break;
- }
-
-@@ -975,6 +953,58 @@ p2m_pod_emergency_sweep(struct p2m_domai
-
- }
-
-+static void pod_eager_reclaim(struct p2m_domain *p2m)
-+{
-+ struct pod_mrp_list *mrp = &p2m->pod.mrp;
-+ unsigned int i = 0;
-+
-+ /*
-+ * Always check one page for reclaimation.
-+ *
-+ * If the PoD pool is empty, keep checking some space is found, or all
-+ * entries have been exhaused.
-+ */
-+ do
-+ {
-+ unsigned int idx = (mrp->idx + i++) % ARRAY_SIZE(mrp->list);
-+ unsigned long gfn = mrp->list[idx];
-+
-+ if ( gfn != INVALID_GFN )
-+ {
-+ if ( gfn & POD_LAST_SUPERPAGE )
-+ {
-+ gfn &= ~POD_LAST_SUPERPAGE;
-+
-+ if ( p2m_pod_zero_check_superpage(p2m, gfn) == 0 )
-+ {
-+ unsigned int x;
-+
-+ for ( x = 0; x < SUPERPAGE_PAGES; ++x, ++gfn )
-+ p2m_pod_zero_check(p2m, &gfn, 1);
-+ }
-+ }
-+ else
-+ p2m_pod_zero_check(p2m, &gfn, 1);
-+
-+ mrp->list[idx] = INVALID_GFN;
-+ }
-+
-+ } while ( (p2m->pod.count == 0) && (i < ARRAY_SIZE(mrp->list)) );
-+}
-+
-+static void pod_eager_record(struct p2m_domain *p2m,
-+ unsigned long gfn, unsigned int order)
-+{
-+ struct pod_mrp_list *mrp = &p2m->pod.mrp;
-+
-+ ASSERT(mrp->list[mrp->idx] == INVALID_GFN);
-+ ASSERT(gfn != INVALID_GFN);
-+
-+ mrp->list[mrp->idx++] =
-+ gfn | (order == PAGE_ORDER_2M ? POD_LAST_SUPERPAGE : 0);
-+ mrp->idx %= ARRAY_SIZE(mrp->list);
-+}
-+
- int
- p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
- unsigned int order,
-@@ -1015,6 +1045,8 @@ p2m_pod_demand_populate(struct p2m_domai
- return 0;
- }
-
-+ pod_eager_reclaim(p2m);
-+
- /* Only sweep if we're actually out of memory. Doing anything else
- * causes unnecessary time and fragmentation of superpages in the p2m. */
- if ( p2m->pod.count == 0 )
-@@ -1051,6 +1083,8 @@ p2m_pod_demand_populate(struct p2m_domai
- p2m->pod.entry_count -= (1 << order);
- BUG_ON(p2m->pod.entry_count < 0);
-
-+ pod_eager_record(p2m, gfn_aligned, order);
-+
- if ( tb_init_done )
- {
- struct {
-@@ -1066,12 +1100,6 @@ p2m_pod_demand_populate(struct p2m_domai
- __trace_var(TRC_MEM_POD_POPULATE, 0, sizeof(t), &t);
- }
-
-- /* Check the last guest demand-populate */
-- if ( p2m->pod.entry_count > p2m->pod.count
-- && (order == PAGE_ORDER_2M)
-- && (q & P2M_ALLOC) )
-- p2m_pod_check_last_super(p2m, gfn_aligned);
--
- pod_unlock(p2m);
- return 0;
- out_of_memory:
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-@@ -60,6 +60,7 @@ boolean_param("hap_2mb", opt_hap_2mb);
- /* Init the datastructures for later use by the p2m code */
- static int p2m_initialise(struct domain *d, struct p2m_domain *p2m)
- {
-+ unsigned int i;
- int ret = 0;
-
- mm_rwlock_init(&p2m->lock);
-@@ -75,6 +76,9 @@ static int p2m_initialise(struct domain
-
- p2m->np2m_base = P2M_BASE_EADDR;
-
-+ for ( i = 0; i < ARRAY_SIZE(p2m->pod.mrp.list); ++i )
-+ p2m->pod.mrp.list[i] = INVALID_GFN;
-+
- if ( hap_enabled(d) && cpu_has_vmx )
- ret = ept_p2m_init(p2m);
- else
---- a/xen/include/asm-x86/p2m.h
-+++ b/xen/include/asm-x86/p2m.h
-@@ -292,10 +292,20 @@ struct p2m_domain {
- entry_count; /* # of pages in p2m marked pod */
- unsigned long reclaim_single; /* Last gpfn of a scan */
- unsigned long max_guest; /* gpfn of max guest demand-populate */
--#define POD_HISTORY_MAX 128
-- /* gpfn of last guest superpage demand-populated */
-- unsigned long last_populated[POD_HISTORY_MAX];
-- unsigned int last_populated_index;
-+
-+ /*
-+ * Tracking of the most recently populated PoD pages, for eager
-+ * reclamation.
-+ */
-+ struct pod_mrp_list {
-+#define NR_POD_MRP_ENTRIES 32
-+
-+/* Encode ORDER_2M superpage in top bit of GFN */
-+#define POD_LAST_SUPERPAGE (INVALID_GFN & ~(INVALID_GFN >> 1))
-+
-+ unsigned long list[NR_POD_MRP_ENTRIES];
-+ unsigned int idx;
-+ } mrp;
- mm_lock_t lock; /* Locking of private pod structs, *
- * not relying on the p2m lock. */
- } pod;
diff --git a/563212e4-xenoprof-free-domain-s-vcpu-array.patch b/563212e4-xenoprof-free-domain-s-vcpu-array.patch
deleted file mode 100644
index 02e233e..0000000
--- a/563212e4-xenoprof-free-domain-s-vcpu-array.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-# Commit 6e97c4b37386c2d09e09e9b5d5d232e37728b960
-# Date 2015-10-29 13:36:52 +0100
-# Author Jan Beulich
-# Committer Jan Beulich
-xenoprof: free domain's vcpu array
-
-This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
-guest").
-
-This is CVE-2015-7969 / XSA-151.
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Ian Campbell
-
---- a/xen/common/xenoprof.c
-+++ b/xen/common/xenoprof.c
-@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct(
- d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0);
- if ( d->xenoprof->rawbuf == NULL )
- {
-+ xfree(d->xenoprof->vcpu);
- xfree(d->xenoprof);
- d->xenoprof = NULL;
- return -ENOMEM;
-@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain *
- free_xenheap_pages(x->rawbuf, order);
- }
-
-+ xfree(x->vcpu);
- xfree(x);
- d->xenoprof = NULL;
- }
diff --git a/563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch b/563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
deleted file mode 100644
index dc2c271..0000000
--- a/563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -# Commit 95e7415843b94c346e5ba8682665f508f220e04b -# Date 2015-10-29 13:37:19 +0100 -# Author Jan Beulich -# Committer Jan Beulich -x86: rate-limit logging in do_xen{oprof,pmu}_op() - -Some of the sub-ops are acessible to all guests, and hence should be -rate-limited. In the xenoprof case, just like for XSA-146, include them -only in debug builds. Since the vPMU code is rather new, allow them to -be always present, but downgrade them to (rate limited) guest messages. - -This is CVE-2015-7971 / XSA-152. - -Signed-off-by: Jan Beulich -Reviewed-by: Ian Campbell - ---- a/xen/arch/x86/cpu/vpmu.c -+++ b/xen/arch/x86/cpu/vpmu.c -@@ -682,8 +682,8 @@ long do_xenpmu_op(unsigned int op, XEN_G - vpmu_mode = pmu_params.val; - else if ( vpmu_mode != pmu_params.val ) - { -- printk(XENLOG_WARNING -- "VPMU: Cannot change mode while active VPMUs exist\n"); -+ gprintk(XENLOG_WARNING, -+ "VPMU: Cannot change mode while active VPMUs exist\n"); - ret = -EBUSY; - } - -@@ -714,8 +714,8 @@ long do_xenpmu_op(unsigned int op, XEN_G - vpmu_features = pmu_params.val; - else - { -- printk(XENLOG_WARNING "VPMU: Cannot change features while" -- " active VPMUs exist\n"); -+ gprintk(XENLOG_WARNING, -+ "VPMU: Cannot change features while active VPMUs exist\n"); - ret = -EBUSY; - } - ---- a/xen/common/xenoprof.c -+++ b/xen/common/xenoprof.c -@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H - - if ( (op < 0) || (op > XENOPROF_last_op) ) - { -- printk("xenoprof: invalid operation %d for domain %d\n", -- op, current->domain->domain_id); -+ gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op); - return -EINVAL; - } - - if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) ) - { -- printk("xenoprof: dom %d denied privileged operation %d\n", -- current->domain->domain_id, op); -+ gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op); - return -EPERM; - } - -@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H - spin_unlock(&xenoprof_lock); - 
- if ( ret < 0 ) -- printk("xenoprof: operation %d failed for dom %d (status : %d)\n", -- op, current->domain->domain_id, ret); -+ gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret); - - return ret; - } diff --git a/56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch b/56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch deleted file mode 100644 index 4c115dd..0000000 --- a/56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -# Commit e294a0c3af9f4443dc692b180fb1771b1cb075e8 -# Date 2015-10-29 15:11:51 +0000 -# Author Ian Jackson -# Committer Ian Jackson -libxl: adjust PoD target by memory fudge, too - -PoD guests need to balloon at least as far as required by PoD, or risk -crashing. Currently they don't necessarily know what the right value -is, because our memory accounting is (at the very least) confusing. - -Apply the memory limit fudge factor to the in-hypervisor PoD memory -target, too. This will increase the size of the guest's PoD cache by -the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby). This ensures -that even with a slightly-off balloon driver, the guest will be -stable even under memory pressure. - -There are two call sites of xc_domain_set_pod_target that need fixing: - -The one in libxl_set_memory_target is straightforward. - -The one in xc_hvm_build_x86.c:setup_guest is more awkward. Simply -setting the PoD target differently does not work because the various -amounts of memory during domain construction no longer match up. -Instead, we adjust the guest memory target in xenstore (but only for -PoD guests). - -This introduces a 1Mby discrepancy between the balloon target of a PoD -guest at boot, and the target set by an apparently-equivalent `xl -mem-set' (or similar) later. This approach is low-risk for a security -fix but we need to fix this up properly in xen.git#staging and -probably also in stable trees. - -This is XSA-153. 
- -Signed-off-by: Ian Jackson -(cherry picked from commit 56fb5fd62320eb40a7517206f9706aa9188d6f7b) - ---- a/tools/libxl/libxl.c -+++ b/tools/libxl/libxl.c -@@ -4815,7 +4815,7 @@ retry_transaction: - } - - rc = xc_domain_set_pod_target(ctx->xch, domid, -- new_target_memkb / 4, NULL, NULL, NULL); -+ (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL); - if (rc != 0) { - LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, - "xc_domain_set_pod_target domid=%d, memkb=%d " ---- a/tools/libxl/libxl_dom.c -+++ b/tools/libxl/libxl_dom.c -@@ -486,6 +486,7 @@ int libxl__build_post(libxl__gc *gc, uin - xs_transaction_t t; - char **ents; - int i, rc; -+ int64_t mem_target_fudge; - - if (info->num_vnuma_nodes && !info->num_vcpu_soft_affinity) { - rc = set_vnuma_affinity(gc, domid, info); -@@ -518,11 +519,17 @@ int libxl__build_post(libxl__gc *gc, uin - } - } - -+ mem_target_fudge = -+ (info->type == LIBXL_DOMAIN_TYPE_HVM && -+ info->max_memkb > info->target_memkb) -+ ? LIBXL_MAXMEM_CONSTANT : 0; -+ - ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *)); - ents[0] = "memory/static-max"; - ents[1] = GCSPRINTF("%"PRId64, info->max_memkb); - ents[2] = "memory/target"; -- ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb); -+ ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb -+ - mem_target_fudge); - ents[4] = "memory/videoram"; - ents[5] = GCSPRINTF("%"PRId64, info->video_memkb); - ents[6] = "domid"; diff --git a/56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch b/56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch deleted file mode 100644 index 367b1b7..0000000 --- a/56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -# Commit 59a5061723ba47c0028cf48487e5de551c42a378 -# Date 2015-11-02 15:33:38 +0100 -# Author Andrew Cooper -# Committer Jan Beulich -x86/PoD: Make p2m_pod_empty_cache() restartable - -This avoids a long running operation when destroying a domain with a -large PoD cache. - -Signed-off-by: Andrew Cooper -Reviewed-by: George Dunlap - ---- a/xen/arch/x86/mm/p2m-pod.c -+++ b/xen/arch/x86/mm/p2m-pod.c -@@ -375,11 +375,11 @@ out: - return ret; - } - --void --p2m_pod_empty_cache(struct domain *d) -+int p2m_pod_empty_cache(struct domain *d) - { - struct p2m_domain *p2m = p2m_get_hostp2m(d); - struct page_info *page; -+ unsigned int i; - - /* After this barrier no new PoD activities can happen. */ - BUG_ON(!d->is_dying); -@@ -389,8 +389,6 @@ p2m_pod_empty_cache(struct domain *d) - - while ( (page = page_list_remove_head(&p2m->pod.super)) ) - { -- int i; -- - for ( i = 0 ; i < SUPERPAGE_PAGES ; i++ ) - { - BUG_ON(page_get_owner(page + i) != d); -@@ -398,19 +396,27 @@ p2m_pod_empty_cache(struct domain *d) - } - - p2m->pod.count -= SUPERPAGE_PAGES; -+ -+ if ( hypercall_preempt_check() ) -+ goto out; - } - -- while ( (page = page_list_remove_head(&p2m->pod.single)) ) -+ for ( i = 0; (page = page_list_remove_head(&p2m->pod.single)); ++i ) - { - BUG_ON(page_get_owner(page) != d); - page_list_add_tail(page, &d->page_list); - - p2m->pod.count -= 1; -+ -+ if ( i && !(i & 511) && hypercall_preempt_check() ) -+ goto out; - } - - BUG_ON(p2m->pod.count != 0); - -+ out: - unlock_page_alloc(p2m); -+ return p2m->pod.count ? 
-ERESTART : 0; - } - - int ---- a/xen/arch/x86/mm/paging.c -+++ b/xen/arch/x86/mm/paging.c -@@ -815,7 +815,7 @@ int paging_teardown(struct domain *d) - return rc; - - /* Move populate-on-demand cache back to domain_list for destruction */ -- p2m_pod_empty_cache(d); -+ rc = p2m_pod_empty_cache(d); - - return rc; - } ---- a/xen/include/asm-x86/p2m.h -+++ b/xen/include/asm-x86/p2m.h -@@ -588,7 +588,7 @@ void p2m_pod_dump_data(struct domain *d) - - /* Move all pages from the populate-on-demand cache to the domain page_list - * (usually in preparation for domain destruction) */ --void p2m_pod_empty_cache(struct domain *d); -+int p2m_pod_empty_cache(struct domain *d); - - /* Set populate-on-demand cache size so that the total memory allocated to a - * domain matches target */ diff --git a/5641ceec-x86-HVM-always-intercept-AC-and-DB.patch b/5641ceec-x86-HVM-always-intercept-AC-and-DB.patch deleted file mode 100644 index 467b486..0000000 --- a/5641ceec-x86-HVM-always-intercept-AC-and-DB.patch +++ /dev/null 
@@ -1,134 +0,0 @@ -# Commit bd2239d9fa975a1ee5bcd27c218ae042cd0a57bc -# Date 2015-11-10 12:03:08 +0100 -# Author Jan Beulich -# Committer Jan Beulich -x86/HVM: always intercept #AC and #DB - -Both being benign exceptions, and both being possible to get triggered -by exception delivery, this is required to prevent a guest from locking -up a CPU (resulting from no other VM exits occurring once getting into -such a loop). - -The specific scenarios: - -1) #AC may be raised during exception delivery if the handler is set to -be a ring-3 one by a 32-bit guest, and the stack is misaligned. - -This is CVE-2015-5307 / XSA-156. - -Reported-by: Benjamin Serebrin - -2) #DB may be raised during exception delivery when a breakpoint got -placed on a data structure involved in delivering the exception. This -can result in an endless loop when a 64-bit guest uses a non-zero IST -for the vector 1 IDT entry, but even without use of IST the time it -takes until a contributory fault would get raised (results depending -on the handler) may be quite long. - -This is CVE-2015-8104 / XSA-156. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -Tested-by: Andrew Cooper - ---- a/xen/arch/x86/hvm/svm/svm.c -+++ b/xen/arch/x86/hvm/svm/svm.c -@@ -1043,10 +1043,11 @@ static void noreturn svm_do_resume(struc - unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) ) - { - uint32_t intercepts = vmcb_get_exception_intercepts(vmcb); -- uint32_t mask = (1U << TRAP_debug) | (1U << TRAP_int3); -+ - v->arch.hvm_vcpu.debug_state_latch = debug_state; - vmcb_set_exception_intercepts( -- vmcb, debug_state ? (intercepts | mask) : (intercepts & ~mask)); -+ vmcb, debug_state ? 
(intercepts | (1U << TRAP_int3)) -+ : (intercepts & ~(1U << TRAP_int3))); - } - - if ( v->arch.hvm_svm.launch_core != smp_processor_id() ) -@@ -2434,8 +2435,9 @@ void svm_vmexit_handler(struct cpu_user_ - - case VMEXIT_EXCEPTION_DB: - if ( !v->domain->debugger_attached ) -- goto unexpected_exit_type; -- domain_pause_for_debugger(); -+ hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE); -+ else -+ domain_pause_for_debugger(); - break; - - case VMEXIT_EXCEPTION_BP: -@@ -2483,6 +2485,11 @@ void svm_vmexit_handler(struct cpu_user_ - break; - } - -+ case VMEXIT_EXCEPTION_AC: -+ HVMTRACE_1D(TRAP, TRAP_alignment_check); -+ hvm_inject_hw_exception(TRAP_alignment_check, vmcb->exitinfo1); -+ break; -+ - case VMEXIT_EXCEPTION_UD: - svm_vmexit_ud_intercept(regs); - break; ---- a/xen/arch/x86/hvm/vmx/vmx.c -+++ b/xen/arch/x86/hvm/vmx/vmx.c -@@ -1224,16 +1224,10 @@ static void vmx_update_host_cr3(struct v - - void vmx_update_debug_state(struct vcpu *v) - { -- unsigned long mask; -- -- mask = 1u << TRAP_int3; -- if ( !cpu_has_monitor_trap_flag ) -- mask |= 1u << TRAP_debug; -- - if ( v->arch.hvm_vcpu.debug_state_latch ) -- v->arch.hvm_vmx.exception_bitmap |= mask; -+ v->arch.hvm_vmx.exception_bitmap |= 1U << TRAP_int3; - else -- v->arch.hvm_vmx.exception_bitmap &= ~mask; -+ v->arch.hvm_vmx.exception_bitmap &= ~(1U << TRAP_int3); - - vmx_vmcs_enter(v); - vmx_update_exception_bitmap(v); -@@ -3041,9 +3035,10 @@ void vmx_vmexit_handler(struct cpu_user_ - __vmread(EXIT_QUALIFICATION, &exit_qualification); - HVMTRACE_1D(TRAP_DEBUG, exit_qualification); - write_debugreg(6, exit_qualification | DR_STATUS_RESERVED_ONE); -- if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag ) -- goto exit_and_crash; -- domain_pause_for_debugger(); -+ if ( !v->domain->debugger_attached ) -+ hvm_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE); -+ else -+ domain_pause_for_debugger(); - break; - case TRAP_int3: - { -@@ -3108,6 +3103,11 @@ void vmx_vmexit_handler(struct cpu_user_ 
- - hvm_inject_page_fault(regs->error_code, exit_qualification); - break; -+ case TRAP_alignment_check: -+ HVMTRACE_1D(TRAP, vector); -+ __vmread(VM_EXIT_INTR_ERROR_CODE, &ecode); -+ hvm_inject_hw_exception(vector, ecode); -+ break; - case TRAP_nmi: - if ( MASK_EXTR(intr_info, INTR_INFO_INTR_TYPE_MASK) != - X86_EVENTTYPE_NMI ) ---- a/xen/include/asm-x86/hvm/hvm.h -+++ b/xen/include/asm-x86/hvm/hvm.h -@@ -384,7 +384,10 @@ static inline int hvm_event_pending(stru - (X86_CR4_VMXE | X86_CR4_PAE | X86_CR4_MCE)) - - /* These exceptions must always be intercepted. */ --#define HVM_TRAP_MASK ((1U << TRAP_machine_check) | (1U << TRAP_invalid_op)) -+#define HVM_TRAP_MASK ((1U << TRAP_debug) | \ -+ (1U << TRAP_invalid_op) | \ -+ (1U << TRAP_alignment_check) | \ -+ (1U << TRAP_machine_check)) - - /* - * x86 event types. This enumeration is valid for: diff --git a/56549f24-x86-vPMU-document-as-unsupported.patch b/56549f24-x86-vPMU-document-as-unsupported.patch deleted file mode 100644 index 7097986..0000000 --- a/56549f24-x86-vPMU-document-as-unsupported.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -# Commit c03480cf5c4e96fb4afb2237ad0a3cac7162564a -# Date 2015-11-24 18:32:20 +0100 -# Author Jan Beulich -# Committer Jan Beulich -x86/vPMU: document as unsupported - -This is XSA-163. - -Signed-off-by: Jan Beulich - -Index: xen-4.6.0-testing/docs/misc/xen-command-line.markdown -=================================================================== ---- xen-4.6.0-testing.orig/docs/misc/xen-command-line.markdown -+++ xen-4.6.0-testing/docs/misc/xen-command-line.markdown -@@ -1463,8 +1463,8 @@ feature is switched on on Intel processo - Note that if **watchdog** option is also specified vpmu will be turned off. - - *Warning:* --As the BTS virtualisation is not 100% safe and because of the nehalem quirk --don't use the vpmu flag on production systems with Intel cpus! -+As the virtualisation is not 100% safe, don't use the vpmu flag on -+production systems (see http://xenbits.xen.org/xsa/advisory-163.html)! - - ### watchdog - > `= force | ` diff --git a/5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch b/5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch deleted file mode 100644 index dffe6db..0000000 --- a/5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -Reference: bsc#960093 CVE-2015-8615 XSA-169 - -Subject: x86: make debug output consistent in hvm_set_callback_via -From: Malcolm Crossley malcolm.crossley@citrix.com Mon Dec 21 13:40:48 2015 +0100 -Date: Mon Dec 21 13:40:48 2015 +0100: -Git: 5c1048565ba5b240f47203bdb67572bee73d639e - -The unconditional printks in the switch statement of the -hvm_set_callback_via function results in Xen log spam in non debug -versions of Xen. The printks are for debug output only so conditionally -compile the entire switch statement on debug versions of Xen only. - -This is XSA-169. - -Signed-off-by: Malcolm Crossley -Reviewed-by: Jan Beulich -Acked-by: Ian Campbell - -Index: xen-4.6.0-testing/xen/arch/x86/hvm/irq.c -=================================================================== ---- xen-4.6.0-testing.orig/xen/arch/x86/hvm/irq.c -+++ xen-4.6.0-testing/xen/arch/x86/hvm/irq.c -@@ -382,7 +382,8 @@ void hvm_set_callback_via(struct domain - - spin_unlock(&d->arch.hvm_domain.irq_lock); - -- dprintk(XENLOG_G_INFO, "Dom%u callback via changed to ", d->domain_id); -+#ifndef NDEBUG -+ printk(XENLOG_G_INFO "Dom%u callback via changed to ", d->domain_id); - switch ( via_type ) - { - case HVMIRQ_callback_gsi: -@@ -398,6 +399,7 @@ void hvm_set_callback_via(struct domain - printk("None\n"); - break; - } -+#endif - } - - struct hvm_intack hvm_vcpu_has_pending_irq(struct vcpu *v) diff --git a/CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch b/CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch index 667ab73..b2023ca 100644 --- a/CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch +++ b/CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch @@ -21,11 +21,11 @@ Signed-off-by: Petr Matousek 
Signed-off-by: Gerd Hoffmann -Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c =================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c -+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c -@@ -1633,6 +1633,16 @@ static void set_pixel_format(VncState *v +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +@@ -1643,6 +1643,16 @@ static void set_pixel_format(VncState *v return; } diff --git a/CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch b/CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch new file mode 100644 index 0000000..ffa1906 --- /dev/null +++ b/CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch 
@@ -0,0 +1,140 @@ +References: bsc#965156 CVE-2015-6855 + +Subject: ide: fix ATAPI command permissions +From: John Snow jsnow@redhat.com Thu Sep 17 14:17:05 2015 -0400 +Date: Fri Sep 18 10:58:56 2015 -0400: +Git: d9033e1d3aa666c5071580617a57bd853c5d794a + +We're a little too lenient with what we'll let an ATAPI drive handle. +Clamp down on the IDE command execution table to remove CD_OK permissions +from commands that are not and have never been ATAPI commands. + +For ATAPI command validity, please see: +- ATA4 Section 6.5 ("PACKET Command feature set") +- ATA8/ACS Section 4.3 ("The PACKET feature set") +- ACS3 Section 4.3 ("The PACKET feature set") + +ACS3 has a historical command validity table in Table B.4 +("Historical Command Assignments") that can be referenced to find when +a command was introduced, deprecated, obsoleted, etc. + +The only reference for ATAPI command validity is by checking that +version's PACKET feature set section. + +ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4 +therefore are assumed to have never been ATAPI commands. + +Mandatory commands, as listed in ATA8-ACS3, are: + +- DEVICE RESET +- EXECUTE DEVICE DIAGNOSTIC +- IDENTIFY DEVICE +- IDENTIFY PACKET DEVICE +- NOP +- PACKET +- READ SECTOR(S) +- SET FEATURES + +Optional commands as listed in ATA8-ACS3, are: + +- FLUSH CACHE +- READ LOG DMA EXT +- READ LOG EXT +- WRITE LOG DMA EXT +- WRITE LOG EXT + +All other commands are illegal to send to an ATAPI device and should +be rejected by the device. + +CD_OK removal justifications: + +0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI. +0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4. +0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI. +0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI. +0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI. +0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI. +0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. 
Did not coexist with ATAPI. +0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI. +0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3. +0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3. +0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3. +0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS. + +This patch fixes a divide by zero fault that can be caused by sending +the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to +attempt to use zeroed CHS values to perform sector arithmetic. + +Reported-by: Qinghao Tang +Signed-off-by: John Snow +Reviewed-by: Markus Armbruster +Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com +CC: qemu-stable@nongnu.org + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c +@@ -1739,11 +1739,11 @@ static const struct { + } ide_cmd_table[0x100] = { + /* NOP not implemented, mandatory for CD */ + [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK }, +- [WIN_DSM] = { cmd_data_set_management, ALL_OK }, ++ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK }, + [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK }, + [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC}, + [WIN_READ] = { cmd_read_pio, ALL_OK }, +- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK }, ++ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK }, + [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK }, + [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK }, + [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, +@@ -1762,12 +1762,12 @@ static const struct { + [CFA_TRANSLATE_SECTOR] = { 
cmd_cfa_translate_sector, CFA_OK }, + [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK }, + [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC }, +- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK }, +- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK }, +- [WIN_STANDBY2] = { cmd_nop, ALL_OK }, +- [WIN_SETIDLE2] = { cmd_nop, ALL_OK }, +- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC }, +- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK }, ++ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, ++ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK }, + [WIN_PACKETCMD] = { cmd_packet, CD_OK }, + [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK }, + [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC }, +@@ -1781,19 +1781,19 @@ static const struct { + [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK }, + [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK }, + [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK }, +- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK }, +- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK }, +- [WIN_STANDBY] = { cmd_nop, ALL_OK }, +- [WIN_SETIDLE1] = { cmd_nop, ALL_OK }, +- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC }, +- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK }, ++ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK }, ++ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK }, ++ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK }, ++ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK }, ++ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, ++ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK }, + [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK }, + [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK }, + [WIN_IDENTIFY] = { cmd_identify, ALL_OK }, + [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC }, + [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC }, + [CFA_WEAR_LEVEL] = { 
cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC }, +- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC }, ++ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, + }; + + static bool ide_cmd_permitted(IDEState *s, uint32_t cmd) diff --git a/CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch b/CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch index d358c5e..2b047db 100644 --- a/CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch +++ b/CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch @@ -1,10 +1,10 @@ References: bsc#958493 CVE-2015-8504 -Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c =================================================================== ---- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c -+++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/vnc.c -@@ -1634,15 +1634,15 @@ static void set_pixel_format(VncState *v +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +@@ -1644,15 +1644,15 @@ static void set_pixel_format(VncState *v } vs->clientds = vs->serverds; diff --git a/CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch b/CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch new file mode 100644 index 0000000..07402d3 --- /dev/null +++ b/CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch 
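Review bot: The new patch's file headers carry `Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c` (and matching `---`/`+++` lines) while every other patch touched in this series is being moved to `xen-4.6.1-testing`; it should read `Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c` so the series applies uniformly, unless the build strips the leading path component, which is not visible here. The fix itself is table-only: the `cmd_read_native_max` handler that, per the description, performs sector arithmetic on zeroed CHS values is not changed, so a one-line guard against zero heads/sectors in that handler would be reasonable defense in depth if any other path can still reach it with such geometry — I cannot tell that from the hunk. The `ide_cmd_table` declaration starts before this hunk and the body of `ide_cmd_permitted` follows it.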
@@ -0,0 +1,115 @@ +References: bsc#965269 CVE-2015-8619 + +Subject: hmp: fix sendkey out of bounds write (CVE-2015-8619) +From: Wolfgang Bumiller w.bumiller@proxmox.com Wed Jan 13 09:09:58 2016 +0100 +Date: Wed Feb 3 10:13:06 2016 +0100: +Git: 64ffbe04eaafebf4045a3ace52a360c14959d196 + +When processing 'sendkey' command, hmp_sendkey routine null +terminates the 'keyname_buf' array. This results in an OOB +write issue, if 'keyname_len' was to fall outside of +'keyname_buf' array. + +Since the keyname's length is known the keyname_buf can be +removed altogether by adding a length parameter to +index_from_key() and using it for the error output as well. + +Reported-by: Ling Liu +Signed-off-by: Wolfgang Bumiller +Message-Id: <20160113080958.GA18934@olga> +[Comparison with "<" dumbed down, test for junk after strtoul() +tweaked] +Signed-off-by: Markus Armbruster + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hmp.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c +@@ -1478,21 +1478,18 @@ void hmp_send_key(Monitor *mon, const QD + int has_hold_time = qdict_haskey(qdict, "hold-time"); + int hold_time = qdict_get_try_int(qdict, "hold-time", -1); + Error *err = NULL; +- char keyname_buf[16]; + char *separator; + int keyname_len; + + while (1) { + separator = strchr(keys, '-'); + keyname_len = separator ? 
separator - keys : strlen(keys); +- pstrcpy(keyname_buf, sizeof(keyname_buf), keys); + + /* Be compatible with old interface, convert user inputted "<" */ +- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { +- pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); ++ if (keys[0] == '<' && keyname_len == 1) { ++ keys = "less"; + keyname_len = 4; + } +- keyname_buf[keyname_len] = 0; + + keylist = g_malloc0(sizeof(*keylist)); + keylist->value = g_malloc0(sizeof(*keylist->value)); +@@ -1505,16 +1502,17 @@ void hmp_send_key(Monitor *mon, const QD + } + tmp = keylist; + +- if (strstart(keyname_buf, "0x", NULL)) { ++ if (strstart(keys, "0x", NULL)) { + char *endp; +- int value = strtoul(keyname_buf, &endp, 0); +- if (*endp != '\0') { ++ int value = strtoul(keys, &endp, 0); ++ assert(endp <= keys + keyname_len); ++ if (endp != keys + keyname_len) { + goto err_out; + } + keylist->value->kind = KEY_VALUE_KIND_NUMBER; + keylist->value->number = value; + } else { +- int idx = index_from_key(keyname_buf); ++ int idx = index_from_key(keys, keyname_len); + if (idx == Q_KEY_CODE_MAX) { + goto err_out; + } +@@ -1536,7 +1534,7 @@ out: + return; + + err_out: +- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); ++ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); + goto out; + } + +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h +=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/include/ui/console.h ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h +@@ -349,7 +349,7 @@ static inline int vnc_display_pw_expire( + void curses_display_init(DisplayState *ds, int full_screen); + + /* input.c */ +-int index_from_key(const char *key); ++int index_from_key(const char *key, size_t key_length); + + /* gtk.c */ + void early_gtk_display_init(void); +Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c 
+=================================================================== +--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/input-legacy.c ++++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c +@@ -60,12 +60,13 @@ static QTAILQ_HEAD(, QEMUPutLEDEntry) le + static QTAILQ_HEAD(, QEMUPutMouseEntry) mouse_handlers = + QTAILQ_HEAD_INITIALIZER(mouse_handlers); + +-int index_from_key(const char *key) ++int index_from_key(const char *key, size_t key_length) + { + int i; + + for (i = 0; QKeyCode_lookup[i] != NULL; i++) { +- if (!strcmp(key, QKeyCode_lookup[i])) { ++ if (!strncmp(key, QKeyCode_lookup[i], key_length) && ++ !QKeyCode_lookup[i][key_length]) { + break; + } + } diff --git a/VNC-Support-for-ExtendedKeyEvent-client-message.patch b/VNC-Support-for-ExtendedKeyEvent-client-message.patch index 6a89466..436ae49 100644 --- a/VNC-Support-for-ExtendedKeyEvent-client-message.patch +++ b/VNC-Support-for-ExtendedKeyEvent-client-message.patch @@ -20,10 +20,10 @@ git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5076 c046a42c-6fe2-441c-8c8 vnc.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++--------- 1 files changed, 50 insertions(+), 9 deletions(-) -Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c =================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c -+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c @@ -1285,35 +1285,22 @@ static void press_key_altgr_down(VncStat } } 
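Review bot: All three file headers in this new patch still read `Index: xen-4.6.0-testing/...` while the rest of the series is being rebased to `xen-4.6.1-testing`; change them to `Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hmp.c` (likewise for `include/ui/console.h` and `ui/input-legacy.c`) together with the matching `---`/`+++` lines so the series is consistent. In `hmp_send_key`, `keys = "less";` makes the loop variable point at a string literal, so the per-iteration advance, which lies outside this hunk, must continue from `separator + 1` as computed before that reassignment and not from `keys + keyname_len + 1`, which would walk off the literal; worth confirming in the cut-off tail of the function. The `strtoul` result is still narrowed into `int value` with no range check, but that predates this patch. `hmp_send_key`'s body extends beyond the hunk on both sides.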
@@ -115,7 +115,7 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c case 0x574D5669: vs->has_WMVi = 1; default: -@@ -1780,6 +1797,24 @@ static int protocol_client_msg(VncState +@@ -1790,6 +1807,24 @@ static int protocol_client_msg(VncState client_cut_text(vs, read_u32(data, 4), (char *)(data + 8)); break; @@ -140,7 +140,7 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c default: printf("Msg: %d\n", data[0]); vnc_client_error(vs); -@@ -2451,10 +2486,11 @@ void vnc_display_init(DisplayState *ds) +@@ -2461,10 +2496,11 @@ void vnc_display_init(DisplayState *ds) vs->ds = ds; diff --git a/bdrv_default_rwflag.patch b/bdrv_default_rwflag.patch index c94a69f..fae27e9 100644 --- a/bdrv_default_rwflag.patch +++ b/bdrv_default_rwflag.patch @@ -1,11 +1,11 @@ Subject: modify default read/write flag in bdrv_init. Signed-off by Chunyan Liu -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c -@@ -2627,6 +2627,8 @@ int drive_init(struct drive_opt *arg, in +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c +@@ -2626,6 +2626,8 @@ int drive_init(struct drive_opt *arg, in strncpy(drives_table[nb_drives].serial, serial, sizeof(serial)); nb_drives++; @@ -14,7 +14,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c switch(type) { case IF_IDE: case IF_XEN: -@@ -2640,6 +2642,7 @@ int drive_init(struct drive_opt *arg, in +@@ -2639,6 +2641,7 @@ int drive_init(struct drive_opt *arg, in break; case MEDIA_CDROM: bdrv_set_type_hint(bdrv, BDRV_TYPE_CDROM); 
@@ -22,7 +22,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c break; } break; -@@ -2660,7 +2663,6 @@ int drive_init(struct drive_opt *arg, in +@@ -2659,7 +2662,6 @@ int drive_init(struct drive_opt *arg, in } if (!file[0]) return -2; diff --git a/ioemu-disable-emulated-ide-if-pv.patch b/ioemu-disable-emulated-ide-if-pv.patch index 6aada8b..8398c2b 100644 --- a/ioemu-disable-emulated-ide-if-pv.patch +++ b/ioemu-disable-emulated-ide-if-pv.patch @@ -1,7 +1,7 @@ -Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h =================================================================== ---- xen-4.5.0-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h -+++ xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h @@ -1,6 +1,8 @@ #ifndef QEMU_XEN_H #define QEMU_XEN_H @@ -20,11 +20,11 @@ Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h int xenstore_parse_disable_pf_config(void); int xenstore_fd(void); void xenstore_process_event(void *opaque); -Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c =================================================================== ---- xen-4.5.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c -+++ xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c -@@ -5862,9 +5862,9 @@ int main(int argc, char **argv, char **e +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c +@@ -5861,9 +5861,9 @@ int main(int argc, char **argv, char **e if ((msg = xenbus_read(XBT_NIL, "domid", &domid_s))) fprintf(stderr,"Can not read our own domid: %s\n", msg); else 
@@ -36,10 +36,10 @@ Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c #endif /* CONFIG_STUBDOM */ } -Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c =================================================================== ---- xen-4.5.0-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c -+++ xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c @@ -445,7 +445,7 @@ void xenstore_init(void) } } diff --git a/ioemu-vnc-resize.patch b/ioemu-vnc-resize.patch index 12b8385..43b5fb9 100644 --- a/ioemu-vnc-resize.patch +++ b/ioemu-vnc-resize.patch @@ -1,8 +1,8 @@ -Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c =================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c -+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c -@@ -1761,6 +1761,25 @@ static int protocol_client_msg(VncState +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +@@ -1771,6 +1771,25 @@ static int protocol_client_msg(VncState } set_encodings(vs, (int32_t *)(data + 4), limit); diff --git a/ioemu-watchdog-support.patch b/ioemu-watchdog-support.patch index 7bb5266..d790b89 100644 --- a/ioemu-watchdog-support.patch +++ b/ioemu-watchdog-support.patch @@ -10,10 +10,10 @@ everything that was raised about the previous version ... Signed-off-by: Richard W.M. Jones 
Signed-off-by: Anthony Liguori -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target @@ -580,6 +580,10 @@ OBJS += e1000.o # Serial mouse OBJS += msmouse.o @@ -25,10 +25,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target ifeq ($(TARGET_BASE_ARCH), i386) # Hardware support ifdef CONFIG_AUDIO -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c @@ -41,6 +41,7 @@ #include "virtio-balloon.h" #include "virtio-console.h" @@ -37,7 +37,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c #ifdef CONFIG_PASSTHROUGH #include "pass-through.h" -@@ -1050,6 +1051,8 @@ vga_bios_error: +@@ -1047,6 +1048,8 @@ vga_bios_error: } } @@ -46,10 +46,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c for(i = 0; i < nb_nics; i++) { NICInfo *nd = &nd_table[i]; -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c =================================================================== 
--- /dev/null -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c @@ -0,0 +1,136 @@ +/* + * Virtual hardware watchdog. @@ -187,10 +187,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c + wdt_ib700_init(); + wdt_i6300esb_init(); +} -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h =================================================================== --- /dev/null -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h @@ -0,0 +1,65 @@ +/* + * Virtual hardware watchdog. @@ -257,10 +257,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h +extern void register_watchdogs(void); + +#endif /* QEMU_WATCHDOG_H */ -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c =================================================================== --- /dev/null -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c @@ -0,0 +1,470 @@ +/* + * Virtual hardware watchdog. @@ -732,10 +732,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c +{ + watchdog_add_model(&model); +} -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c =================================================================== --- /dev/null -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c 
@@ -0,0 +1,112 @@ +/* + * Virtual hardware watchdog. @@ -849,10 +849,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c + watchdog_add_model(&model); + timer = qemu_new_timer(vm_clock, ib700_timer_expired, NULL); +} -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c @@ -26,6 +26,7 @@ #include "hw/pcmcia.h" #include "hw/pc.h" @@ -884,10 +884,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c { "cpu_set", "is", do_cpu_set_nr, "cpu [online|offline]", "change cpu state" }, { NULL, NULL, }, -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c @@ -30,6 +30,7 @@ #include "hw/isa.h" #include "hw/baum.h" @@ -905,7 +905,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c const char *option_rom[MAX_OPTION_ROMS]; int nb_option_roms; int semihosting_enabled = 0; -@@ -4177,6 +4180,10 @@ static void help(int exitcode) +@@ -4176,6 +4179,10 @@ static void help(int exitcode) "-startdate select initial date of the clock\n" "-icount [N|auto]\n" " enable virtual instruction counter with 2^N clock ticks per instruction\n" 
@@ -916,7 +916,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c "-echr chr set terminal escape character instead of ctrl-a\n" "-virtioconsole c\n" " set virtio console\n" -@@ -4324,6 +4331,8 @@ enum { +@@ -4323,6 +4330,8 @@ enum { QEMU_OPTION_localtime, QEMU_OPTION_startdate, QEMU_OPTION_icount, @@ -925,7 +925,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c QEMU_OPTION_echr, QEMU_OPTION_virtiocon, QEMU_OPTION_show_cursor, -@@ -4450,6 +4459,8 @@ static const QEMUOption qemu_options[] = +@@ -4449,6 +4458,8 @@ static const QEMUOption qemu_options[] = { "localtime", 0, QEMU_OPTION_localtime }, { "startdate", HAS_ARG, QEMU_OPTION_startdate }, { "icount", HAS_ARG, QEMU_OPTION_icount }, @@ -934,7 +934,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c { "echr", HAS_ARG, QEMU_OPTION_echr }, { "virtioconsole", HAS_ARG, QEMU_OPTION_virtiocon }, { "show-cursor", 0, QEMU_OPTION_show_cursor }, -@@ -4951,6 +4962,8 @@ int main(int argc, char **argv, char **e +@@ -4950,6 +4961,8 @@ int main(int argc, char **argv, char **e tb_size = 0; autostart= 1; @@ -943,7 +943,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c optind = 1; for(;;) { if (optind >= argc) -@@ -5325,6 +5338,17 @@ int main(int argc, char **argv, char **e +@@ -5324,6 +5337,17 @@ int main(int argc, char **argv, char **e serial_devices[serial_device_index] = optarg; serial_device_index++; break; diff --git a/kernel-boot-hvm.patch b/kernel-boot-hvm.patch index 969f4c5..4e47a0d 100644 --- a/kernel-boot-hvm.patch +++ b/kernel-boot-hvm.patch @@ -4,10 +4,10 @@ kernel and initrd, which could be accessed by hvmloader. 
Signed-off-by: Chunyan Liu -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/block.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.c +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.c @@ -596,6 +596,16 @@ int bdrv_read(BlockDriverState *bs, int6 if (bdrv_check_request(bs, sector_num, nb_sectors)) @@ -79,10 +79,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.c ret = drv->bdrv_aio_write(bs, sector_num, buf, nb_sectors, cb, opaque); if (ret) { -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block_int.h +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block_int.h =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/block_int.h -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block_int.h +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block_int.h ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block_int.h @@ -122,6 +122,9 @@ struct BlockDriverState { BlockDriver *drv; /* NULL means no media */ void *opaque; 
@@ -93,11 +93,11 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block_int.h char filename[1024]; char backing_file[1024]; /* if non zero, the image is a diff of this file image */ -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c -@@ -474,45 +474,28 @@ static void bochs_bios_init(void) +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c +@@ -473,45 +473,28 @@ static void bochs_bios_init(void) /* Generate an initial boot sector which sets state and jump to a specified vector */ @@ -110,7 +110,8 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c + uint8_t bootsect[512], *p; int i; + int hda; -+ + +- memset(rom, 0, sizeof(rom)); + hda = drive_get_index(IF_IDE, 0, 0); + if (hda == -1) { + fprintf(stderr, "A disk image must be given for 'hda' when booting " @@ -119,8 +120,6 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c + } + memset(bootsect, 0, sizeof(bootsect)); -- memset(rom, 0, sizeof(rom)); -- - p = rom; - /* Make sure we have an option rom signature */ - *p++ = 0x55; @@ -161,7 +160,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c *p++ = 0xfa; /* CLI */ *p++ = 0xfc; /* CLD */ -@@ -542,13 +525,7 @@ static void generate_bootsect(uint8_t *o +@@ -541,13 +524,7 @@ static void generate_bootsect(uint8_t *o *p++ = segs[1]; /* CS */ *p++ = segs[1] >> 8; 
@@ -176,7 +175,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c } static long get_file_size(FILE *f) -@@ -565,8 +542,7 @@ static long get_file_size(FILE *f) +@@ -564,8 +541,7 @@ static long get_file_size(FILE *f) return size; } @@ -186,7 +185,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c const char *initrd_filename, const char *kernel_cmdline) { -@@ -632,7 +608,9 @@ static void load_linux(uint8_t *option_r +@@ -631,7 +607,9 @@ static void load_linux(uint8_t *option_r /* Special pages are placed at end of low RAM: pick an arbitrary one and * subtract a suitably large amount of padding (64kB) to skip BIOS data. */ @@ -197,7 +196,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c end_low_ram = (end_low_ram << 12) - (64*1024); /* highest address for loading the initrd */ -@@ -721,7 +699,7 @@ static void load_linux(uint8_t *option_r +@@ -720,7 +698,7 @@ static void load_linux(uint8_t *option_r memset(gpr, 0, sizeof gpr); gpr[4] = cmdline_addr-real_addr-16; /* SP (-16 is paranoia) */ @@ -206,7 +205,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c #endif } -@@ -932,14 +910,6 @@ vga_bios_error: +@@ -930,14 +908,6 @@ vga_bios_error: int size, offset; offset = 0; 
@@ -221,20 +220,20 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c for (i = 0; i < nb_option_roms; i++) { size = get_image_size(option_rom[i]); -@@ -973,6 +943,9 @@ vga_bios_error: +@@ -971,6 +941,9 @@ vga_bios_error: bochs_bios_init(); + if (linux_boot) -+ load_linux(kernel_filename, initrd_filename, kernel_cmdline); ++ load_linux(kernel_filename, initrd_filename, kernel_cmdline); + - cpu_irq = qemu_allocate_irqs(pic_irq_request, NULL, 1); - i8259 = i8259_init(cpu_irq[0]); + i8259 = i8259_init(NULL); ferr_irq = i8259[13]; -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.h + +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.h =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/block.h -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.h +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block.h ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.h @@ -82,6 +82,7 @@ int64_t bdrv_getlength(BlockDriverState void bdrv_get_geometry(BlockDriverState *bs, uint64_t *nb_sectors_ptr); void bdrv_guess_geometry(BlockDriverState *bs, int *pcyls, int *pheads, int *psecs); diff --git a/qemu-dm-segfault.patch b/qemu-dm-segfault.patch index 307a881..85a48f4 100644 --- a/qemu-dm-segfault.patch +++ b/qemu-dm-segfault.patch 
@@ -1,8 +1,8 @@ -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c -@@ -935,8 +935,9 @@ static inline void ide_dma_submit_check( +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c +@@ -937,8 +937,9 @@ static inline void ide_dma_submit_check( static inline void ide_set_irq(IDEState *s) { @@ -14,24 +14,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c if (!(s->cmd & IDE_CMD_DISABLE_IRQ)) { if (bm) { bm->status |= BM_STATUS_INT; -@@ -1224,14 +1225,14 @@ static void ide_read_dma_cb(void *opaque - int n; - int64_t sector_num; - -+ if (!s || !s->bs) return; /* ouch! (see ide_flush_cb) */ -+ - if (ret < 0) { - dma_buf_commit(s, 1); - ide_dma_error(s); - return; - } - -- if (!s->bs) return; /* ouch! (see ide_flush_cb) */ -- - n = s->io_buffer_size >> 9; - sector_num = ide_get_sector(s); - if (n > 0) { -@@ -1335,6 +1336,8 @@ static void ide_write_flush_cb(void *opa +@@ -1338,6 +1339,8 @@ static void ide_write_flush_cb(void *opa BMDMAState *bm = opaque; IDEState *s = bm->ide_if; 
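Review bot: The `@@ -14,24 +14,7 @@` hunk drops the `if (!s || !s->bs) return; /* ouch! (see ide_flush_cb) */` guard this patch used to add at the top of ide_read_dma_cb, and the `@@ -40,23 +23,7 @@` hunk on the next line drops the same guard for ide_write_dma_cb, while the guards in ide_write_flush_cb, ide_flush_cb and the ATAPI DMA callback are kept. That is only safe if the rebased qemu-xen-traditional base already carries equivalent NULL checks on those two completion paths; nothing in this diff shows that, so it should be confirmed against the new tree before the patch is accepted, because an unguarded callback on a closed drive is exactly the crash this patch exists to prevent. A short remark in the patch header, e.g. `Read/write DMA callback guards dropped: presumably already present in the 4.6.1 qemu-traditional base`, would record why the two hunks were removed.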
@@ -40,23 +23,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c if (ret != 0) { ide_dma_error(s); return; -@@ -1366,13 +1369,13 @@ static void ide_write_dma_cb(void *opaqu - int n; - int64_t sector_num; - -+ if (!s || !s->bs) return; /* ouch! (see ide_flush_cb) */ -+ - if (ret < 0) { - if (ide_handle_write_error(s, -ret, BM_STATUS_DMA_RETRY)) - return; - } - -- if (!s->bs) return; /* ouch! (see ide_flush_cb) */ -- - n = s->io_buffer_size >> 9; - sector_num = ide_get_sector(s); - if (n > 0) { -@@ -1429,7 +1432,7 @@ static void ide_flush_cb(void *opaque, i +@@ -1432,7 +1435,7 @@ static void ide_flush_cb(void *opaque, i { IDEState *s = opaque; @@ -65,7 +32,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c if (ret) { /* We are completely doomed. The IDE spec does not permit us -@@ -1686,7 +1689,7 @@ static void ide_atapi_cmd_read_dma_cb(vo +@@ -1689,7 +1692,7 @@ static void ide_atapi_cmd_read_dma_cb(vo IDEState *s = bm->ide_if; int data_offset, n; @@ -74,7 +41,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c if (ret < 0) { ide_atapi_io_error(s, ret); -@@ -2365,7 +2368,7 @@ static void cdrom_change_cb(void *opaque +@@ -2368,7 +2371,7 @@ static void cdrom_change_cb(void *opaque IDEState *s = opaque; uint64_t nb_sectors; diff --git a/qemu-security-etch1.patch b/qemu-security-etch1.patch index e01992f..bcfb352 100644 --- a/qemu-security-etch1.patch +++ b/qemu-security-etch1.patch 
@@ -1,7 +1,7 @@ -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c @@ -218,7 +218,7 @@ static int ne2000_can_receive(void *opaq NE2000State *s = opaque; @@ -11,11 +11,11 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c return !ne2000_buffer_full(s); } -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c -@@ -413,7 +413,8 @@ static void bochs_bios_write(void *opaqu +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c +@@ -412,7 +412,8 @@ static void bochs_bios_write(void *opaqu case 0x400: case 0x401: fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val); @@ -25,7 +25,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c case 0x402: case 0x403: #ifdef DEBUG_BIOS -@@ -436,8 +437,9 @@ static void bochs_bios_write(void *opaqu +@@ -435,8 +436,9 @@ static void bochs_bios_write(void *opaqu /* LGPL'ed VGA BIOS messages */ case 0x501: case 0x502: diff --git a/qemu-xen-dir-remote.tar.bz2 b/qemu-xen-dir-remote.tar.bz2 index 7863160..8121ee6 100644 --- a/qemu-xen-dir-remote.tar.bz2 +++ b/qemu-xen-dir-remote.tar.bz2 
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:a62686ff9b94dda2777a5b1b37b75ae0cbc861dff7bdcbd8789785551e351f45 -size 8995267 +oid sha256:00730e1f13bb4780e2f9e6e6dae3438558405e47e19d3843f22476be676fb86c +size 8995705 diff --git a/qemu-xen-traditional-dir-remote.tar.bz2 b/qemu-xen-traditional-dir-remote.tar.bz2 index 3713668..29a86ca 100644 --- a/qemu-xen-traditional-dir-remote.tar.bz2 +++ b/qemu-xen-traditional-dir-remote.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c039f105aaa84cb17dd3c6efc65316e55dae6de47b19c3400bb469ee017cecd6 -size 3214075 +oid sha256:49b46fed34660b33f06539a82abc11421b6396cf9ec6bf1a8b6a2219e0beaa30 +size 3213851 diff --git a/seabios-dir-remote.tar.bz2 b/seabios-dir-remote.tar.bz2 index d5c04f7..9183e1e 100644 --- a/seabios-dir-remote.tar.bz2 +++ b/seabios-dir-remote.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:f763331c9616e2fb8e5ed815974a7c4bf142b0c1e5ad8c97b75ad5930f712c3d -size 445943 +oid sha256:1cac2c7e38b87f2944ab6833a3e79540480456229ab9a187f16ea8231a4918c6 +size 446291 diff --git a/stdvga-cache.patch b/stdvga-cache.patch index bbaf726..822da51 100644 --- a/stdvga-cache.patch +++ b/stdvga-cache.patch @@ -1,8 +1,8 @@ -Index: xen-4.2.0-testing/xen/arch/x86/hvm/stdvga.c +Index: xen-4.6.1-testing/xen/arch/x86/hvm/stdvga.c =================================================================== ---- xen-4.2.0-testing.orig/xen/arch/x86/hvm/stdvga.c -+++ xen-4.2.0-testing/xen/arch/x86/hvm/stdvga.c -@@ -135,7 +135,10 @@ static int stdvga_outb(uint64_t addr, ui +--- xen-4.6.1-testing.orig/xen/arch/x86/hvm/stdvga.c ++++ xen-4.6.1-testing/xen/arch/x86/hvm/stdvga.c +@@ -166,7 +166,10 @@ static int stdvga_outb(uint64_t addr, ui /* When in standard vga mode, emulate here all writes to the vram buffer * so we can immediately satisfy reads without waiting for qemu. */ 
diff --git a/xen-4.6.0-testing-src.tar.bz2 b/xen-4.6.0-testing-src.tar.bz2 deleted file mode 100644 index 7f53bda..0000000 --- a/xen-4.6.0-testing-src.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3930c6a8177865093ee27cc75e9d29f7ba0bf1d7084ea6886d1b6747bc60f0bf -size 4085311 diff --git a/xen-4.6.1-testing-src.tar.bz2 b/xen-4.6.1-testing-src.tar.bz2 new file mode 100644 index 0000000..df073f8 --- /dev/null +++ b/xen-4.6.1-testing-src.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:713e894ad35fde716ffb0c6987737954fe82e5e0a9adf66eeea491c27c6eabff +size 4088066 diff --git a/xen-hvm-default-bridge.patch b/xen-hvm-default-bridge.patch index 99e569d..6693b5c 100644 --- a/xen-hvm-default-bridge.patch +++ b/xen-hvm-default-bridge.patch @@ -1,7 +1,7 @@ -Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.h +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.h =================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/net.h -+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.h +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.h ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.h @@ -107,8 +107,8 @@ void net_host_device_add(const char *dev void net_host_device_remove(int vlan_id, const char *device); 
@@ -13,11 +13,11 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.h #endif #ifdef __sun__ #define SMBD_COMMAND "/usr/sfw/sbin/smbd" -Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.c =================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c -+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.c -@@ -1765,9 +1765,10 @@ int net_client_init(const char *device, +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.c +@@ -1774,9 +1774,10 @@ int net_client_init(const char *device, } if (get_param_value(script_arg, sizeof(script_arg), "scriptarg", p) == 0 && get_param_value(script_arg, sizeof(script_arg), "bridge", p) == 0) { /* deprecated; for xend compatibility */ @@ -30,10 +30,10 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.c } } else #endif -Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux =================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux -+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux @@ -1,36 +1,22 @@ #!/bin/sh diff --git a/xen.changes b/xen.changes index ae922b5..a7f1cd6 100644 --- a/xen.changes +++ b/xen.changes 
@@ -1,3 +1,54 @@ +------------------------------------------------------------------- +Thu Feb 11 09:29:01 MST 2016 - carnold@suse.com + +- Update to Xen Version 4.6.1 + xen-4.6.1-testing-src.tar.bz2 +- Dropped patches now contained in tarball or unnecessary + xen-4.6.0-testing-src.tar.bz2 + 5604f239-x86-PV-properly-populate-descriptor-tables.patch + 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch + 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch + 561d20a0-x86-hide-MWAITX-from-PV-domains.patch + 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch + 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch + 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch + 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch + 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch + 5632129c-free-domain-s-vcpu-array.patch + 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch + 563212e4-xenoprof-free-domain-s-vcpu-array.patch + 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch + 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch + 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch + 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch + 56549f24-x86-vPMU-document-as-unsupported.patch + 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch + xen-4.6.0-testing-src.tar.bz2 + xsa155-qemut-qdisk-double-access.patch + xsa155-qemut-xenfb.patch + xsa155-qemuu-qdisk-double-access.patch + xsa155-qemuu-xenfb.patch + xsa159.patch + xsa160.patch + xsa162-qemut.patch + xsa165.patch + xsa166.patch + xsa167.patch + xsa168.patch + +------------------------------------------------------------------- +Fri Feb 5 08:51:16 MST 2016 - carnold@suse.com + +- bsc#965269 - VUL-1: CVE-2015-8619: xen: stack based OOB write in + hmp_sendkey routine + 
CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch + +------------------------------------------------------------------- +Thu Feb 4 09:26:34 MST 2016 - carnold@suse.com + +- bsc#965156 - VUL-0: CVE-2015-6855: xen: ide: divide by zero issue + CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch + ------------------------------------------------------------------- Wed Feb 3 10:47:41 MST 2016 - carnold@suse.com diff --git a/xen.spec b/xen.spec index c40d2bd..e13b442 100644 --- a/xen.spec +++ b/xen.spec @@ -1,7 +1,7 @@ # # spec file for package xen # -# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,7 +21,7 @@ Name: xen ExclusiveArch: %ix86 x86_64 %arm aarch64 %define changeset 31594 -%define xen_build_dir xen-4.6.0-testing +%define xen_build_dir xen-4.6.1-testing # %define with_kmp 0 %define with_debug 0 @@ -163,12 +163,12 @@ BuildRequires: xorg-x11-util-devel %endif %endif -Version: 4.6.0_08 +Version: 4.6.1_01 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0 Group: System/Kernel -Source0: xen-4.6.0-testing-src.tar.bz2 +Source0: xen-4.6.1-testing-src.tar.bz2 Source1: stubdom.tar.bz2 Source2: qemu-xen-traditional-dir-remote.tar.bz2 Source3: qemu-xen-dir-remote.tar.bz2 
@@ -204,43 +204,14 @@ Source57: xen-utils-0.1.tar.bz2 Source99: baselibs.conf # Upstream patches Patch1: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch -Patch2: 5604f239-x86-PV-properly-populate-descriptor-tables.patch -Patch3: 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch -Patch4: 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch -Patch5: 561d20a0-x86-hide-MWAITX-from-PV-domains.patch -Patch6: 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch -Patch7: 5628fc67-libxl-No-emulated-disk-driver-for-xvdX-disk.patch -Patch8: 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch -Patch9: 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch -Patch10: 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch -Patch11: 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch -Patch12: 5632129c-free-domain-s-vcpu-array.patch -Patch13: 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch -Patch14: 563212e4-xenoprof-free-domain-s-vcpu-array.patch -Patch15: 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch -Patch16: 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch -Patch17: 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch -Patch18: 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch -Patch19: 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch -Patch20: 5649bcbe-libxl-relax-readonly-check-introduced-by-XSA-142-fix.patch -Patch21: 56549f24-x86-vPMU-document-as-unsupported.patch -Patch22: 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch +Patch2: 5628fc67-libxl-No-emulated-disk-driver-for-xvdX-disk.patch +Patch3: 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch +Patch4: 5649bcbe-libxl-relax-readonly-check-introduced-by-XSA-142-fix.patch Patch15501: xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch Patch15502: 
xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch Patch15503: xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch -Patch15504: xsa155-qemuu-qdisk-double-access.patch -Patch15505: xsa155-qemut-qdisk-double-access.patch -Patch15506: xsa155-qemuu-xenfb.patch -Patch15507: xsa155-qemut-xenfb.patch -Patch159: xsa159.patch -Patch160: xsa160.patch -Patch16201: xsa162-qemuu.patch -Patch16202: xsa162-qemut.patch +Patch162: xsa162-qemuu.patch Patch164: xsa164.patch -Patch165: xsa165.patch -Patch166: xsa166.patch -Patch167: xsa167.patch -Patch168: xsa168.patch # Upstream qemu Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch @@ -281,6 +252,8 @@ Patch286: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bou Patch287: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch Patch288: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch Patch289: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch +Patch290: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch +Patch291: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch # Our platform specific patches Patch321: xen-destdir.patch Patch322: vif-bridge-no-iptables.patch @@ -555,40 +528,11 @@ Authors: %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 %patch15501 -p1 %patch15502 -p1 %patch15503 -p1 -%patch15504 -p1 -%patch15505 -p1 -%patch15506 -p1 -%patch15507 -p1 -%patch159 -p1 -%patch160 -p1 -%patch16201 -p1 -%patch16202 -p1 +%patch162 -p1 %patch164 -p1 -%patch165 -p1 -%patch166 -p1 -%patch167 -p1 -%patch168 -p1 # Upstream qemu patches %patch250 -p1 %patch251 -p1 
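Review bot: The `@@ -204,43 +204,14 @@` hunk stops applying the xsa155-qemut/qemuu, xsa159, xsa160, xsa162-qemut and xsa165–xsa168 fixes without anything in the spec recording where those fixes now live; the changelog only says "contained in tarball or unnecessary". The qemu-traditional parts (XSA-155 qemut, XSA-162 qemut) patch files under tools/qemu-xen-traditional-dir-remote, so they presumably have to be inside the updated qemu-xen-traditional-dir-remote.tar.bz2 rather than the xen-4.6.1 source tarball, and that is worth verifying explicitly (e.g. checking the unpacked tarballs for the upstream fixes) since a silently missing advisory fix would not fail the build. The same hunk also reuses the slot names Patch2–Patch4 for different files than before and renames Patch16201 to Patch162, which is harmless for rpm but obscures history; a comment such as `# XSA-155/159/160/162(qemut)/165-168 are part of the 4.6.1 tarballs` above the Patch15501 line would make the intent readable. The %prep hunk at `@@ -555,40 +528,11 @@` mirrors the same removals.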
@@ -629,6 +573,8 @@ Authors:
 %patch287 -p1
 %patch288 -p1
 %patch289 -p1
+%patch290 -p1
+%patch291 -p1
 # Our platform specific patches
 %patch321 -p1
 %patch322 -p1
diff --git a/xsa155-qemut-qdisk-double-access.patch b/xsa155-qemut-qdisk-double-access.patch
deleted file mode 100644
index 64169a7..0000000
--- a/xsa155-qemut-qdisk-double-access.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-References: bsc#957988
-
-From 27942b0cb2327e93deb12326bbe7b36c81f9fa7b Mon Sep 17 00:00:00 2001
-From: Stefano Stabellini
-Date: Fri, 20 Nov 2015 10:56:00 -0500
-Subject: [PATCH] blkif: Avoid double access to src->nr_segments
-
-src is stored in shared memory and src->nr_segments is dereferenced
-twice at the end of the function. If a compiler decides to compile this
-into two separate memory accesses then the size limitation could be
-bypassed.
-
-Fix it by removing the double access to src->nr_segments.
-
-This is part of XSA-155.
-
-Signed-off-by: Stefano Stabellini
-Signed-off-by: Konrad Rzeszutek Wilk
----
- hw/xen_blkif.h | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h
-===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h
-@@ -79,8 +79,10 @@ static inline void blkif_get_x86_32_req(
- dst->handle = src->handle;
- dst->id = src->id;
- dst->sector_number = src->sector_number;
-- if (n > src->nr_segments)
-- n = src->nr_segments;
-+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
-+ xen_mb();
-+ if (n > dst->nr_segments)
-+ n = dst->nr_segments;
- for (i = 0; i < n; i++)
- dst->seg[i] = src->seg[i];
- }
-@@ -94,8 +96,10 @@ static inline void blkif_get_x86_64_req(
- dst->handle = src->handle;
- dst->id = src->id;
- dst->sector_number = src->sector_number;
-- if (n > src->nr_segments)
-- n = src->nr_segments;
-+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
-+ xen_mb();
-+ if (n > dst->nr_segments)
-+ n = dst->nr_segments;
- for (i = 0; i < n; i++)
- dst->seg[i] = src->seg[i];
- }
diff --git a/xsa155-qemut-xenfb.patch b/xsa155-qemut-xenfb.patch
deleted file mode 100644
index 3c81ec8..0000000
--- a/xsa155-qemut-xenfb.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-References: bsc#957988
-
-From 0ffd4547665d2fec648ab2c9ff856c5d9db9b07c Mon Sep 17 00:00:00 2001
-From: Stefano Stabellini
-Date: Fri, 20 Nov 2015 10:37:08 -0500
-Subject: [PATCH 2/2] xenfb: avoid reading twice the same fields from the
- shared page
-
-Reading twice the same field could give the guest an attack of
-opportunity. In the case of event->type, gcc could compile the switch
-statement into a jump table, effectively ending up reading the type
-field multiple times.
-
-This is part of XSA-155.
-
-Signed-off-by: Stefano Stabellini
----
- hw/xenfb.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/xenfb.c
-===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/xenfb.c
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/xenfb.c
-@@ -827,18 +827,20 @@ static void xenfb_invalidate(void *opaqu
-
- static void xenfb_handle_events(struct XenFB *xenfb)
- {
-- uint32_t prod, cons;
-+ uint32_t prod, cons, out_cons;
- struct xenfb_page *page = xenfb->c.page;
-
- prod = page->out_prod;
-- if (prod == page->out_cons)
-+ out_cons = page->out_cons;
-+ if (prod == out_cons)
- return;
- xen_rmb(); /* ensure we see ring contents up to prod */
-- for (cons = page->out_cons; cons != prod; cons++) {
-+ for (cons = out_cons; cons != prod; cons++) {
- union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
-+ uint8_t type = event->type;
- int x, y, w, h;
-
-- switch (event->type) {
-+ switch (type) {
- case XENFB_TYPE_UPDATE:
- if (xenfb->up_count == UP_QUEUE)
- xenfb->up_fullscreen = 1;
diff --git a/xsa155-qemuu-qdisk-double-access.patch b/xsa155-qemuu-qdisk-double-access.patch
deleted file mode 100644
index 1bc2329..0000000
--- a/xsa155-qemuu-qdisk-double-access.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-xen/blkif: Avoid double access to src->nr_segments
-
-src is stored in shared memory and src->nr_segments is dereferenced
-twice at the end of the function. If a compiler decides to compile this
-into two separate memory accesses then the size limitation could be
-bypassed.
-
-Fix it by removing the double access to src->nr_segments.
-
-This is part of XSA-155.
-
-Signed-off-by: Stefano Stabellini
-
-Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/block/xen_blkif.h
-===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/block/xen_blkif.h
-+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/block/xen_blkif.h
-@@ -85,8 +85,10 @@ static inline void blkif_get_x86_32_req(
- d->nr_sectors = s->nr_sectors;
- return;
- }
-- if (n > src->nr_segments)
-- n = src->nr_segments;
-+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
-+ barrier();
-+ if (n > dst->nr_segments)
-+ n = dst->nr_segments;
- for (i = 0; i < n; i++)
- dst->seg[i] = src->seg[i];
- }
-@@ -106,8 +108,10 @@ static inline void blkif_get_x86_64_req(
- d->nr_sectors = s->nr_sectors;
- return;
- }
-- if (n > src->nr_segments)
-- n = src->nr_segments;
-+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
-+ barrier();
-+ if (n > dst->nr_segments)
-+ n = dst->nr_segments;
- for (i = 0; i < n; i++)
- dst->seg[i] = src->seg[i];
- }
diff --git a/xsa155-qemuu-xenfb.patch b/xsa155-qemuu-xenfb.patch
deleted file mode 100644
index 1793506..0000000
--- a/xsa155-qemuu-xenfb.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-References: bsc#957988
-
-xenfb: avoid reading twice the same fields from the shared page
-
-Reading twice the same field could give the guest an attack of
-opportunity. In the case of event->type, gcc could compile the switch
-statement into a jump table, effectively ending up reading the type
-field multiple times.
-
-This is part of XSA-155.
-
-Signed-off-by: Stefano Stabellini
-
-
-Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/display/xenfb.c
-===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/display/xenfb.c
-+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/display/xenfb.c
-@@ -779,18 +779,20 @@ static void xenfb_invalidate(void *opaqu
-
- static void xenfb_handle_events(struct XenFB *xenfb)
- {
-- uint32_t prod, cons;
-+ uint32_t prod, cons, out_cons;
- struct xenfb_page *page = xenfb->c.page;
-
- prod = page->out_prod;
-- if (prod == page->out_cons)
-+ out_cons = page->out_cons;
-+ if (prod == out_cons)
- return;
- xen_rmb(); /* ensure we see ring contents up to prod */
-- for (cons = page->out_cons; cons != prod; cons++) {
-+ for (cons = out_cons; cons != prod; cons++) {
- union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
-+ uint8_t type = event->type;
- int x, y, w, h;
-
-- switch (event->type) {
-+ switch (type) {
- case XENFB_TYPE_UPDATE:
- if (xenfb->up_count == UP_QUEUE)
- xenfb->up_fullscreen = 1;
diff --git a/xsa159.patch b/xsa159.patch
deleted file mode 100644
index 2353e1d..0000000
--- a/xsa159.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-memory: fix XENMEM_exchange error handling
-
-assign_pages() can fail due to the domain getting killed in parallel,
-which should not result in a hypervisor crash.
-
-Also delete a redundant put_gfn() - all relevant paths leading to the
-"fail" label already do this (and there are also paths where it was
-plain wrong). All of the put_gfn()-s got introduced by 51032ca058
-("Modify naming of queries into the p2m"), including the otherwise
-unneeded initializer for k (with even a kind of misleading comment -
-the compiler warning could actually have served as a hint that the use
-is wrong).
-
-This is XSA-159.
-
-Signed-off-by: Jan Beulich
-Acked-by: Ian Campbell
-
-Index: xen-4.6.0-testing/xen/common/memory.c
-===================================================================
---- xen-4.6.0-testing.orig/xen/common/memory.c
-+++ xen-4.6.0-testing/xen/common/memory.c
-@@ -328,7 +328,7 @@ static long memory_exchange(XEN_GUEST_HA
- PAGE_LIST_HEAD(out_chunk_list);
- unsigned long in_chunk_order, out_chunk_order;
- xen_pfn_t gpfn, gmfn, mfn;
-- unsigned long i, j, k = 0; /* gcc ... */
-+ unsigned long i, j, k;
- unsigned int memflags = 0;
- long rc = 0;
- struct domain *d;
-@@ -566,11 +566,12 @@ static long memory_exchange(XEN_GUEST_HA
- fail:
- /* Reassign any input pages we managed to steal. */
- while ( (page = page_list_remove_head(&in_chunk_list)) )
-- {
-- put_gfn(d, gmfn + k--);
- if ( assign_pages(d, page, 0, MEMF_no_refcount) )
-- BUG();
-- }
-+ {
-+ BUG_ON(!d->is_dying);
-+ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
-+ put_page(page);
-+ }
-
- dying:
- rcu_unlock_domain(d);
diff --git a/xsa160.patch b/xsa160.patch
deleted file mode 100644
index 56f5aad..0000000
--- a/xsa160.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From adcbd15b1aec8367f790774c998db199c9b577bf Mon Sep 17 00:00:00 2001
-From: Ian Jackson
-Date: Wed, 18 Nov 2015 15:34:54 +0000
-Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv
- build failure
-
-The bootloader may call libxl__file_reference_map(), which mmap's the
-pv_kernel and pv_ramdisk into process memory. This was only unmapped,
-however, on the success path of libxl__build_pv(). If there were a
-failure anywhere between libxl_bootloader.c:parse_bootloader_result()
-and the end of libxl__build_pv(), the calls to
-libxl__file_reference_unmap() would be skipped, leaking the mapped
-virtual memory.
-
-Ideally this would be fixed by adding the unmap calls to the
-destruction path for libxl__domain_build_state. Unfortunately the
-lifetime of the libxl__domain_build_state is opaque, and it doesn't
-have a proper destruction path. But, the only thing in it that isn't
-from the gc are these bootloader references, and they are only ever
-set for one libxl__domain_build_state, the one which is
-libxl__domain_create_state.build_state.
-
-So we can clean up in the exit path from libxl__domain_create_*, which
-always comes through domcreate_complete.
-
-Remove the now-redundant unmaps in libxl__build_pv's success path.
-
-This is XSA-160.
-
-Acked-by: Ian Campbell
----
- tools/libxl/libxl_create.c | 3 +++
- tools/libxl/libxl_dom.c | 3 ---
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-Index: xen-4.6.0-testing/tools/libxl/libxl_create.c
-===================================================================
---- xen-4.6.0-testing.orig/tools/libxl/libxl_create.c
-+++ xen-4.6.0-testing/tools/libxl/libxl_create.c
-@@ -1484,6 +1484,9 @@ static void domcreate_complete(libxl__eg
- libxl_domain_config *const d_config = dcs->guest_config;
- libxl_domain_config *d_config_saved = &dcs->guest_config_saved;
-
-+ libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
-+ libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
-+
- if (!rc && d_config->b_info.exec_ssidref)
- rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
-
-Index: xen-4.6.0-testing/tools/libxl/libxl_dom.c
-===================================================================
---- xen-4.6.0-testing.orig/tools/libxl/libxl_dom.c
-+++ xen-4.6.0-testing/tools/libxl/libxl_dom.c
-@@ -750,9 +750,6 @@ int libxl__build_pv(libxl__gc *gc, uint3
- state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
- }
-
-- libxl__file_reference_unmap(&state->pv_kernel);
-- libxl__file_reference_unmap(&state->pv_ramdisk);
--
- ret = 0;
- out:
- xc_dom_release(dom);
diff --git a/xsa162-qemut.patch b/xsa162-qemut.patch
deleted file mode 100644
index 26d9a75..0000000
--- a/xsa162-qemut.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-net: pcnet: add check to validate receive data size(CVE-2015-7504)
-
-In loopback mode, pcnet_receive routine appends CRC code to the
-receive buffer. If the data size given is same as the buffer size,
-the appended CRC code overwrites 4 bytes after s->buffer. Added a
-check to avoid that.
-
----
- hw/net/pcnet.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
-===================================================================
---- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
-+++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
-@@ -1153,7 +1153,7 @@ static void pcnet_receive(void *opaque,
- uint32_t fcs = ~0;
- uint8_t *p = src;
-
-- while (p != &src[size-4])
-+ while (p != &src[size])
- CRC(fcs, *p++);
- crc_err = (*(uint32_t *)p != htonl(fcs));
- }
-@@ -1284,12 +1284,13 @@ static void pcnet_transmit(PCNetState *s
- bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-
- /* if multi-tmd packet outsizes s->buffer then skip it silently.
-- Note: this is not what real hw does */
-- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
-- s->xmit_pos = -1;
-- goto txdone;
-+ * Note: this is not what real hw does.
-+ * Last four bytes of s->buffer are used to store CRC FCS code.
-+ */
-+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
-+ s->xmit_pos = -1;
-+ goto txdone;
- }
--
- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
- s->xmit_pos += bcnt;
diff --git a/xsa164.patch b/xsa164.patch
index 0ad2714..d916d16 100644
--- a/xsa164.patch
+++ b/xsa164.patch
@@ -17,11 +17,11 @@ This is XSA-164.
 
 Signed-off-by: Jan Beulich
 
-Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
 ===================================================================
---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
-+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
-@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
+@@ -447,6 +447,13 @@ static void pci_msix_writel(void *opaque
  return;
  }
 
diff --git a/xsa165.patch b/xsa165.patch
deleted file mode 100644
index 8692b01..0000000
--- a/xsa165.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-x86: don't leak ST(n)/XMMn values to domains first using them
-
-FNINIT doesn't alter these registers, and hence using it is
-insufficient to initialize a guest's initial state.
-
-This is XSA-165.
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Andrew Cooper
-
-Index: xen-4.6.0-testing/xen/arch/x86/domain.c
-===================================================================
---- xen-4.6.0-testing.orig/xen/arch/x86/domain.c
-+++ xen-4.6.0-testing/xen/arch/x86/domain.c
-@@ -851,6 +851,17 @@ int arch_set_info_guest(
- if ( v->arch.xsave_area )
- v->arch.xsave_area->xsave_hdr.xstate_bv = XSTATE_FP_SSE;
- }
-+ else if ( v->arch.xsave_area )
-+ memset(&v->arch.xsave_area->xsave_hdr, 0,
-+ sizeof(v->arch.xsave_area->xsave_hdr));
-+ else
-+ {
-+ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
-+
-+ memset(fpu_sse, 0, sizeof(*fpu_sse));
-+ fpu_sse->fcw = FCW_DEFAULT;
-+ fpu_sse->mxcsr = MXCSR_DEFAULT;
-+ }
-
- if ( !compat )
- {
-Index: xen-4.6.0-testing/xen/arch/x86/i387.c
-===================================================================
---- xen-4.6.0-testing.orig/xen/arch/x86/i387.c
-+++ xen-4.6.0-testing/xen/arch/x86/i387.c
-@@ -17,19 +17,6 @@
- #include
- #include
-
--static void fpu_init(void)
--{
-- unsigned long val;
--
-- asm volatile ( "fninit" );
-- if ( cpu_has_xmm )
-- {
-- /* load default value into MXCSR control/status register */
-- val = MXCSR_DEFAULT;
-- asm volatile ( "ldmxcsr %0" : : "m" (val) );
-- }
--}
--
- /*******************************/
- /* FPU Restore Functions */
- /*******************************/
-@@ -248,15 +235,8 @@ void vcpu_restore_fpu_lazy(struct vcpu *
-
- if ( cpu_has_xsave )
- fpu_xrstor(v, XSTATE_LAZY);
-- else if ( v->fpu_initialised )
-- {
-- if ( cpu_has_fxsr )
-- fpu_fxrstor(v);
-- else
-- fpu_frstor(v);
-- }
- else
-- fpu_init();
-+ fpu_fxrstor(v);
-
- v->fpu_initialised = 1;
- v->fpu_dirtied = 1;
-@@ -313,7 +293,14 @@ int vcpu_init_fpu(struct vcpu *v)
- else
- {
- v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16);
-- if ( !v->arch.fpu_ctxt )
-+ if ( v->arch.fpu_ctxt )
-+ {
-+ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
-+
-+ fpu_sse->fcw = FCW_DEFAULT;
-+ fpu_sse->mxcsr = MXCSR_DEFAULT;
-+ }
-+ else
- rc = -ENOMEM;
- }
-
diff --git a/xsa166.patch b/xsa166.patch
deleted file mode 100644
index 56bf4a0..0000000
--- a/xsa166.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-x86/HVM: avoid reading ioreq state more than once
-
-Otherwise, especially when the compiler chooses to translate the
-switch() to a jump table, unpredictable behavior (and in the jump table
-case arbitrary code execution) can result.
-
-This is XSA-166.
-
-Signed-off-by: Jan Beulich
-Acked-by: Ian Campbell
-
-Index: xen-4.6.0-testing/xen/arch/x86/hvm/hvm.c
-===================================================================
---- xen-4.6.0-testing.orig/xen/arch/x86/hvm/hvm.c
-+++ xen-4.6.0-testing/xen/arch/x86/hvm/hvm.c
-@@ -448,7 +448,10 @@ static bool_t hvm_wait_for_io(struct hvm
- {
- while ( sv->pending )
- {
-- switch ( p->state )
-+ unsigned int state = p->state;
-+
-+ rmb();
-+ switch ( state )
- {
- case STATE_IOREQ_NONE:
- /*
-@@ -459,18 +462,15 @@ static bool_t hvm_wait_for_io(struct hvm
- hvm_io_assist(sv, ~0ul);
- break;
- case STATE_IORESP_READY: /* IORESP_READY -> NONE */
-- rmb(); /* see IORESP_READY /then/ read contents of ioreq */
- p->state = STATE_IOREQ_NONE;
- hvm_io_assist(sv, p->data);
- break;
- case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */
- case STATE_IOREQ_INPROCESS:
-- wait_on_xen_event_channel(sv->ioreq_evtchn,
-- (p->state != STATE_IOREQ_READY) &&
-- (p->state != STATE_IOREQ_INPROCESS));
-+ wait_on_xen_event_channel(sv->ioreq_evtchn, p->state != state);
- break;
- default:
-- gdprintk(XENLOG_ERR, "Weird HVM iorequest state %d.\n", p->state);
-+ gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state);
- sv->pending = 0;
- domain_crash(sv->vcpu->domain);
- return 0; /* bail */
diff --git a/xsa167.patch b/xsa167.patch
deleted file mode 100644
index 54ea44e..0000000
--- a/xsa167.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-x86/mm: PV superpage handling lacks sanity checks
-
-MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before
-dereferencing pointers into the superpage frame table.
-
-get_superpage() has a similar issue.
-
-This is XSA-167.
-
-Signed-off-by: Jan Beulich
-Acked-by: Ian Campbell
-
-Index: xen-4.6.0-testing/xen/arch/x86/mm.c
-===================================================================
---- xen-4.6.0-testing.orig/xen/arch/x86/mm.c
-+++ xen-4.6.0-testing/xen/arch/x86/mm.c
-@@ -2624,6 +2624,9 @@ int get_superpage(unsigned long mfn, str
-
- ASSERT(opt_allow_superpage);
-
-+ if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
-+ return -EINVAL;
-+
- spage = mfn_to_spage(mfn);
- y = spage->type_info;
- do {
-@@ -3401,42 +3404,26 @@ long do_mmuext_op(
- }
-
- case MMUEXT_MARK_SUPER:
-+ case MMUEXT_UNMARK_SUPER:
- {
- unsigned long mfn = op.arg1.mfn;
-
-- if ( unlikely(d != pg_owner) )
-- rc = -EPERM;
-- else if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
-- {
-- MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
-- okay = 0;
-- }
-- else if ( !opt_allow_superpage )
-+ if ( !opt_allow_superpage )
- {
- MEM_LOG("Superpages disallowed");
- rc = -ENOSYS;
- }
-- else
-- rc = mark_superpage(mfn_to_spage(mfn), d);
-- break;
-- }
--
-- case MMUEXT_UNMARK_SUPER:
-- {
-- unsigned long mfn = op.arg1.mfn;
--
-- if ( unlikely(d != pg_owner) )
-+ else if ( unlikely(d != pg_owner) )
- rc = -EPERM;
-- else if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
-+ else if ( mfn & (L1_PAGETABLE_ENTRIES - 1) )
- {
- MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
-- okay = 0;
-- }
-- else if ( !opt_allow_superpage )
-- {
-- MEM_LOG("Superpages disallowed");
-- rc = -ENOSYS;
-+ rc = -EINVAL;
- }
-+ else if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
-+ rc = -EINVAL;
-+ else if ( op.cmd == MMUEXT_MARK_SUPER )
-+ rc = mark_superpage(mfn_to_spage(mfn), d);
- else
- rc = unmark_superpage(mfn_to_spage(mfn));
- break;
diff --git a/xsa168.patch b/xsa168.patch
deleted file mode 100644
index 522a2d5..0000000
--- a/xsa168.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-x86/VMX: prevent INVVPID failure due to non-canonical guest address
-
-While INVLPG (and on SVM INVLPGA) don't fault on non-canonical
-addresses, INVVPID fails (in the "individual address" case) when passed
-such an address.
-
-Since such intercepted INVLPG are effectively no-ops anyway, don't fix
-this in vmx_invlpg_intercept(), but instead have paging_invlpg() never
-return true in such a case.
-
-This is XSA-168.
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Andrew Cooper
-Acked-by: Ian Campbell
-
-Index: xen-4.6.0-testing/xen/include/asm-x86/paging.h
-===================================================================
---- xen-4.6.0-testing.orig/xen/include/asm-x86/paging.h
-+++ xen-4.6.0-testing/xen/include/asm-x86/paging.h
-@@ -245,7 +245,7 @@ paging_fault(unsigned long va, struct cp
- * or 0 if it's safe not to do so. */
- static inline int paging_invlpg(struct vcpu *v, unsigned long va)
- {
-- return paging_get_hostmode(v)->invlpg(v, va);
-+ return is_canonical_address(va) && paging_get_hostmode(v)->invlpg(v, va);
- }
-
- /* Translate a guest virtual address to the frame number that the