- Update to Xen Version 4.6.1

xen-4.6.1-testing-src.tar.bz2
- Dropped patches that are now contained in the tarball or are no longer needed
  xen-4.6.0-testing-src.tar.bz2
  5604f239-x86-PV-properly-populate-descriptor-tables.patch
  561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
  561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
  561d20a0-x86-hide-MWAITX-from-PV-domains.patch
  561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
  5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
  56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
  56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
  5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
  5632129c-free-domain-s-vcpu-array.patch
  563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
  563212e4-xenoprof-free-domain-s-vcpu-array.patch
  563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
  56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch
  56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch
  5641ceec-x86-HVM-always-intercept-AC-and-DB.patch
  56549f24-x86-vPMU-document-as-unsupported.patch
  5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch
  xen-4.6.0-testing-src.tar.bz2
  xsa155-qemut-qdisk-double-access.patch
  xsa155-qemut-xenfb.patch
  xsa155-qemuu-qdisk-double-access.patch
  xsa155-qemuu-xenfb.patch
  xsa159.patch
  xsa160.patch
  xsa162-qemut.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=399
Charles Arnold 2016-02-12 16:58:27 +00:00 committed by Git OBS Bridge
parent 9b39a3d650
commit 31905d81fa
51 changed files with 445 additions and 2104 deletions


@ -1,101 +0,0 @@
# Commit cf6d39f81992c29a637c603dbabf1e21a0ea563f
# Date 2015-09-25 09:05:29 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/PV: properly populate descriptor tables
Us extending the GDT limit past the Xen descriptors so far meant that
guests (including user mode programs) accessing any descriptor table
slot above the original OS'es limit but below the first Xen descriptor
caused a #PF, converted to a #GP in our #PF handler. Which is quite
different from the native behavior, where some of such accesses (LAR
and LSL) don't fault. Mimic that behavior by mapping a blank page into
unused slots.
While not strictly required, treat the LDT the same for consistency.
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
# Commit 61031e64d3dafd2fb1953436444bf02eccb9b146
# Date 2015-10-27 14:46:12 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/PV: don't zero-map LDT
This effectvely reverts the LDT related part of commit cf6d39f819
("x86/PV: properly populate descriptor tables"), which broke demand
paged LDT handling in guests.
Reported-by: David Vrabel <david.vrabel@citrix.com>
Diagnosed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Index: xen-4.6.0-testing/xen/arch/x86/mm.c
===================================================================
--- xen-4.6.0-testing.orig/xen/arch/x86/mm.c
+++ xen-4.6.0-testing/xen/arch/x86/mm.c
@@ -502,12 +502,12 @@ void update_cr3(struct vcpu *v)
make_cr3(v, cr3_mfn);
}
+static const char __section(".bss.page_aligned") zero_page[PAGE_SIZE];
static void invalidate_shadow_ldt(struct vcpu *v, int flush)
{
l1_pgentry_t *pl1e;
- int i;
- unsigned long pfn;
+ unsigned int i;
struct page_info *page;
BUG_ON(unlikely(in_irq()));
@@ -522,10 +522,10 @@ static void invalidate_shadow_ldt(struct
for ( i = 16; i < 32; i++ )
{
- pfn = l1e_get_pfn(pl1e[i]);
- if ( pfn == 0 ) continue;
+ if ( !(l1e_get_flags(pl1e[i]) & _PAGE_PRESENT) )
+ continue;
+ page = l1e_get_page(pl1e[i]);
l1e_write(&pl1e[i], l1e_empty());
- page = mfn_to_page(pfn);
ASSERT_PAGE_IS_TYPE(page, PGT_seg_desc_page);
ASSERT_PAGE_IS_DOMAIN(page, v->domain);
put_page_and_type(page);
@@ -4420,16 +4420,18 @@ long do_update_va_mapping_otherdomain(un
void destroy_gdt(struct vcpu *v)
{
l1_pgentry_t *pl1e;
- int i;
- unsigned long pfn;
+ unsigned int i;
+ unsigned long pfn, zero_pfn = PFN_DOWN(__pa(zero_page));
v->arch.pv_vcpu.gdt_ents = 0;
pl1e = gdt_ldt_ptes(v->domain, v);
for ( i = 0; i < FIRST_RESERVED_GDT_PAGE; i++ )
{
- if ( (pfn = l1e_get_pfn(pl1e[i])) != 0 )
+ pfn = l1e_get_pfn(pl1e[i]);
+ if ( (l1e_get_flags(pl1e[i]) & _PAGE_PRESENT) && pfn != zero_pfn )
put_page_and_type(mfn_to_page(pfn));
- l1e_write(&pl1e[i], l1e_empty());
+ l1e_write(&pl1e[i],
+ l1e_from_pfn(zero_pfn, __PAGE_HYPERVISOR & ~_PAGE_RW));
v->arch.pv_vcpu.gdt_frames[i] = 0;
}
}
@@ -4442,7 +4444,7 @@ long set_gdt(struct vcpu *v,
struct domain *d = v->domain;
l1_pgentry_t *pl1e;
/* NB. There are 512 8-byte entries per GDT page. */
- int i, nr_pages = (entries + 511) / 512;
+ unsigned int i, nr_pages = (entries + 511) / 512;
if ( entries > FIRST_RESERVED_GDT_ENTRY )
return -EINVAL;


@ -1,55 +0,0 @@
# Commit 710942e57fb42ff8f344ca82f6b678f67e38ae63
# Date 2015-10-12 15:58:35 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
VT-d: don't suppress invalidation address write when it is zero
GFN zero is a valid address, and hence may need invalidation done for
it just like for any other GFN.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Yang Zhang <yang.z.zhang@intel.com>
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -414,7 +414,7 @@ static int flush_iotlb_reg(void *_iommu,
{
struct iommu *iommu = (struct iommu *) _iommu;
int tlb_offset = ecap_iotlb_offset(iommu->ecap);
- u64 val = 0, val_iva = 0;
+ u64 val = 0;
unsigned long flags;
/*
@@ -435,7 +435,6 @@ static int flush_iotlb_reg(void *_iommu,
switch ( type )
{
case DMA_TLB_GLOBAL_FLUSH:
- /* global flush doesn't need set IVA_REG */
val = DMA_TLB_GLOBAL_FLUSH|DMA_TLB_IVT;
break;
case DMA_TLB_DSI_FLUSH:
@@ -443,8 +442,6 @@ static int flush_iotlb_reg(void *_iommu,
break;
case DMA_TLB_PSI_FLUSH:
val = DMA_TLB_PSI_FLUSH|DMA_TLB_IVT|DMA_TLB_DID(did);
- /* Note: always flush non-leaf currently */
- val_iva = size_order | addr;
break;
default:
BUG();
@@ -457,8 +454,11 @@ static int flush_iotlb_reg(void *_iommu,
spin_lock_irqsave(&iommu->register_lock, flags);
/* Note: Only uses first TLB reg currently */
- if ( val_iva )
- dmar_writeq(iommu->reg, tlb_offset, val_iva);
+ if ( type == DMA_TLB_PSI_FLUSH )
+ {
+ /* Note: always flush non-leaf currently. */
+ dmar_writeq(iommu->reg, tlb_offset, size_order | addr);
+ }
dmar_writeq(iommu->reg, tlb_offset + 8, val);
/* Make sure hardware complete it */


@ -1,119 +0,0 @@
# Commit 6851e979874ebc05d270ea94360c49d920d3eaf4
# Date 2015-10-13 17:16:22 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
VT-d: use proper error codes in iommu_enable_x2apic_IR()
... allowing to suppress a confusing message combination: When
ACPI_DMAR_X2APIC_OPT_OUT is set, so far we first logged a message
that IR could not be enabled (hence not using x2APIC), followed by
one indicating successful initialization of IR (if no other problems
prevented that).
Also adjust the return type of iommu_supports_eim() and fix some
broken indentation in the function.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Yang Zhang <yang.z.zhang@intel.com>
Index: xen-4.6.0-testing/xen/arch/x86/apic.c
===================================================================
--- xen-4.6.0-testing.orig/xen/arch/x86/apic.c
+++ xen-4.6.0-testing/xen/arch/x86/apic.c
@@ -943,8 +943,18 @@ void __init x2apic_bsp_setup(void)
mask_8259A();
mask_IO_APIC_setup(ioapic_entries);
- if ( iommu_enable_x2apic_IR() )
+ switch ( iommu_enable_x2apic_IR() )
{
+ case 0:
+ break;
+ case -ENXIO: /* ACPI_DMAR_X2APIC_OPT_OUT set */
+ if ( !x2apic_enabled )
+ {
+ printk("Not enabling x2APIC (upon firmware request)\n");
+ goto restore_out;
+ }
+ /* fall through */
+ default:
if ( x2apic_enabled )
panic("Interrupt remapping could not be enabled while "
"x2APIC is already enabled by BIOS");
Index: xen-4.6.0-testing/xen/drivers/passthrough/vtd/intremap.c
===================================================================
--- xen-4.6.0-testing.orig/xen/drivers/passthrough/vtd/intremap.c
+++ xen-4.6.0-testing/xen/drivers/passthrough/vtd/intremap.c
@@ -143,10 +143,10 @@ static void set_hpet_source_id(unsigned
set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_13_IGNORE_3, hpetid_to_bdf(id));
}
-int iommu_supports_eim(void)
+bool_t iommu_supports_eim(void)
{
struct acpi_drhd_unit *drhd;
- int apic;
+ unsigned int apic;
if ( !iommu_qinval || !iommu_intremap || list_empty(&acpi_drhd_units) )
return 0;
@@ -154,12 +154,12 @@ int iommu_supports_eim(void)
/* We MUST have a DRHD unit for each IOAPIC. */
for ( apic = 0; apic < nr_ioapics; apic++ )
if ( !ioapic_to_drhd(IO_APIC_ID(apic)) )
- {
+ {
dprintk(XENLOG_WARNING VTDPREFIX,
"There is not a DRHD for IOAPIC %#x (id: %#x)!\n",
apic, IO_APIC_ID(apic));
return 0;
- }
+ }
for_each_drhd_unit ( drhd )
if ( !ecap_queued_inval(drhd->iommu->ecap) ||
@@ -833,10 +833,10 @@ int iommu_enable_x2apic_IR(void)
struct iommu *iommu;
if ( !iommu_supports_eim() )
- return -1;
+ return -EOPNOTSUPP;
if ( !platform_supports_x2apic() )
- return -1;
+ return -ENXIO;
for_each_drhd_unit ( drhd )
{
@@ -861,7 +861,7 @@ int iommu_enable_x2apic_IR(void)
{
dprintk(XENLOG_INFO VTDPREFIX,
"Failed to enable Queued Invalidation!\n");
- return -1;
+ return -EIO;
}
}
@@ -873,7 +873,7 @@ int iommu_enable_x2apic_IR(void)
{
dprintk(XENLOG_INFO VTDPREFIX,
"Failed to enable Interrupt Remapping!\n");
- return -1;
+ return -EIO;
}
}
Index: xen-4.6.0-testing/xen/include/asm-x86/iommu.h
===================================================================
--- xen-4.6.0-testing.orig/xen/include/asm-x86/iommu.h
+++ xen-4.6.0-testing/xen/include/asm-x86/iommu.h
@@ -27,7 +27,7 @@ int iommu_setup_hpet_msi(struct msi_desc
/* While VT-d specific, this must get declared in a generic header. */
int adjust_vtd_irq_affinities(void);
void iommu_pte_flush(struct domain *d, u64 gfn, u64 *pte, int order, int present);
-int iommu_supports_eim(void);
+bool_t iommu_supports_eim(void);
int iommu_enable_x2apic_IR(void);
void iommu_disable_x2apic_IR(void);


@ -1,32 +0,0 @@
# Commit 941cd44324db7eddc46cba4596fa13d505066ccf
# Date 2015-10-13 17:17:52 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: hide MWAITX from PV domains
Since MWAIT is hidden too. (Linux starting with 4.3 is making use of
that feature, and is checking for it without looking at the MWAIT one.)
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -967,6 +967,7 @@ void pv_cpuid(struct cpu_user_regs *regs
__clear_bit(X86_FEATURE_LWP % 32, &c);
__clear_bit(X86_FEATURE_NODEID_MSR % 32, &c);
__clear_bit(X86_FEATURE_TOPOEXT % 32, &c);
+ __clear_bit(X86_FEATURE_MWAITX % 32, &c);
break;
case 0x0000000a: /* Architectural Performance Monitor Features (Intel) */
--- a/xen/include/asm-x86/cpufeature.h
+++ b/xen/include/asm-x86/cpufeature.h
@@ -135,6 +135,7 @@
#define X86_FEATURE_TBM (6*32+21) /* trailing bit manipulations */
#define X86_FEATURE_TOPOEXT (6*32+22) /* topology extensions CPUID leafs */
#define X86_FEATURE_DBEXT (6*32+26) /* data breakpoint extension */
+#define X86_FEATURE_MWAITX (6*32+29) /* MWAIT extension (MONITORX/MWAITX) */
/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 7 */
#define X86_FEATURE_FSGSBASE (7*32+ 0) /* {RD,WR}{FS,GS}BASE instructions */


@ -1,114 +0,0 @@
# Commit 83281fc9b31396e94c0bfb6550b75c165037a0ad
# Date 2015-10-14 12:46:27 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/NUMA: fix SRAT table processor entry parsing and consumption
- don't overrun apicid_to_node[] (possible in the x2APIC case)
- don't limit number of processor related SRAT entries we can consume
- make acpi_numa_{processor,x2apic}_affinity_init() as similar to one
another as possible
- print APIC IDs in hex (to ease matching with other log messages), at
once making legacy and x2APIC ones distinguishable (by width)
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/numa.c
+++ b/xen/arch/x86/numa.c
@@ -349,7 +349,7 @@ void __init init_cpu_to_node(void)
u32 apicid = x86_cpu_to_apicid[i];
if ( apicid == BAD_APICID )
continue;
- node = apicid_to_node[apicid];
+ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE;
if ( node == NUMA_NO_NODE || !node_online(node) )
node = 0;
numa_set_node(i, node);
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -200,7 +200,7 @@ void __devinit srat_detect_node(int cpu)
nodeid_t node;
u32 apicid = x86_cpu_to_apicid[cpu];
- node = apicid_to_node[apicid];
+ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE;
if ( node == NUMA_NO_NODE )
node = 0;
--- a/xen/arch/x86/smpboot.c
+++ b/xen/arch/x86/smpboot.c
@@ -993,7 +993,8 @@ int cpu_add(uint32_t apic_id, uint32_t a
cpu = node;
goto out;
}
- apicid_to_node[apic_id] = node;
+ if ( apic_id < MAX_LOCAL_APIC )
+ apicid_to_node[apic_id] = node;
}
/* Physically added CPUs do not have synchronised TSC. */
--- a/xen/arch/x86/srat.c
+++ b/xen/arch/x86/srat.c
@@ -209,7 +209,6 @@ acpi_numa_x2apic_affinity_init(struct ac
{
unsigned pxm;
nodeid_t node;
- u32 apic_id;
if (srat_disabled())
return;
@@ -217,8 +216,13 @@ acpi_numa_x2apic_affinity_init(struct ac
bad_srat();
return;
}
- if ((pa->flags & ACPI_SRAT_CPU_ENABLED) == 0)
+ if (!(pa->flags & ACPI_SRAT_CPU_ENABLED))
+ return;
+ if (pa->apic_id >= MAX_LOCAL_APIC) {
+ printk(KERN_INFO "SRAT: APIC %08x ignored\n", pa->apic_id);
return;
+ }
+
pxm = pa->proximity_domain;
node = setup_node(pxm);
if (node == NUMA_NO_NODE) {
@@ -226,11 +230,11 @@ acpi_numa_x2apic_affinity_init(struct ac
return;
}
- apic_id = pa->apic_id;
- apicid_to_node[apic_id] = node;
+ apicid_to_node[pa->apic_id] = node;
+ node_set(node, processor_nodes_parsed);
acpi_numa = 1;
- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n",
- pxm, apic_id, node);
+ printk(KERN_INFO "SRAT: PXM %u -> APIC %08x -> Node %u\n",
+ pxm, pa->apic_id, node);
}
/* Callback for Proximity Domain -> LAPIC mapping */
@@ -262,7 +266,7 @@ acpi_numa_processor_affinity_init(struct
apicid_to_node[pa->apic_id] = node;
node_set(node, processor_nodes_parsed);
acpi_numa = 1;
- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n",
+ printk(KERN_INFO "SRAT: PXM %u -> APIC %02x -> Node %u\n",
pxm, pa->apic_id, node);
}
--- a/xen/drivers/acpi/numa.c
+++ b/xen/drivers/acpi/numa.c
@@ -198,9 +198,9 @@ int __init acpi_numa_init(void)
/* SRAT: Static Resource Affinity Table */
if (!acpi_table_parse(ACPI_SIG_SRAT, acpi_parse_srat)) {
acpi_table_parse_srat(ACPI_SRAT_TYPE_X2APIC_CPU_AFFINITY,
- acpi_parse_x2apic_affinity, NR_CPUS);
+ acpi_parse_x2apic_affinity, 0);
acpi_table_parse_srat(ACPI_SRAT_TYPE_CPU_AFFINITY,
- acpi_parse_processor_affinity, NR_CPUS);
+ acpi_parse_processor_affinity, 0);
acpi_table_parse_srat(ACPI_SRAT_TYPE_MEMORY_AFFINITY,
acpi_parse_memory_affinity,
NR_NODE_MEMBLKS);


@ -1,49 +0,0 @@
# Commit 29bcf64ce8bc0b1b7aacd00c8668f255c4f0686c
# Date 2015-10-29 13:31:10 +0100
# Author Julien Grall <julien.grall@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
arm: Support hypercall_create_continuation for multicall
Multicall for ARM has been supported since commit f0dbdc6 "xen: arm: fully
implement multicall interface.". Although, if an hypercall in multicall
requires preemption, it will crash the host:
(XEN) Xen BUG at domain.c:347
(XEN) ----[ Xen-4.7-unstable arm64 debug=y Tainted: C ]----
[...]
(XEN) Xen call trace:
(XEN) [<00000000002420cc>] hypercall_create_continuation+0x64/0x380 (PC)
(XEN) [<0000000000217274>] do_memory_op+0x1b00/0x2334 (LR)
(XEN) [<0000000000250d2c>] do_multicall_call+0x114/0x124
(XEN) [<0000000000217ff0>] do_multicall+0x17c/0x23c
(XEN) [<000000000024f97c>] do_trap_hypercall+0x90/0x12c
(XEN) [<0000000000251ca8>] do_trap_hypervisor+0xd2c/0x1ba4
(XEN) [<00000000002582cc>] guest_sync+0x88/0xb8
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 5:
(XEN) Xen BUG at domain.c:347
(XEN) ****************************************
(XEN)
(XEN) Manual reset required ('noreboot' specified)
Looking to the code, the support of multicall looks valid to me, as we only
need to fill call.args[...]. So drop the BUG();
This is CVE-2015-7812 / XSA-145.
Signed-off-by: Julien Grall <julien.grall@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -344,8 +344,6 @@ unsigned long hypercall_create_continuat
if ( test_bit(_MCSF_in_multicall, &mcs->flags) )
{
- BUG(); /* XXX multicalls not implemented yet. */
-
__set_bit(_MCSF_call_preempted, &mcs->flags);
for ( i = 0; *p != '\0'; i++ )


@ -1,42 +0,0 @@
# Commit 1c0e59ff15764e7b0c59282365974f5b8924ce83
# Date 2015-10-29 13:33:38 +0100
# Author Ian Campbell <ian.campbell@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
arm: rate-limit logging from unimplemented PHYSDEVOP and HVMOP.
These are guest accessible and should therefore be rate-limited.
Moreover, include them only in debug builds.
This is CVE-2015-7813 / XSA-146.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/arm/hvm.c
+++ b/xen/arch/arm/hvm.c
@@ -57,7 +57,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
default:
{
- printk("%s: Bad HVM op %ld.\n", __func__, op);
+ gdprintk(XENLOG_DEBUG, "HVMOP op=%lu: not implemented\n", op);
rc = -ENOSYS;
break;
}
--- a/xen/arch/arm/physdev.c
+++ b/xen/arch/arm/physdev.c
@@ -8,12 +8,13 @@
#include <xen/types.h>
#include <xen/lib.h>
#include <xen/errno.h>
+#include <xen/sched.h>
#include <asm/hypercall.h>
int do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
{
- printk("%s %d cmd=%d: not implemented yet\n", __func__, __LINE__, cmd);
+ gdprintk(XENLOG_DEBUG, "PHYSDEVOP cmd=%d: not implemented\n", cmd);
return -ENOSYS;
}


@ -1,40 +0,0 @@
# Commit 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
# Date 2015-10-29 13:34:17 +0100
# Author Ian Campbell <ian.campbell@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
arm: handle races between relinquish_memory and free_domheap_pages
Primarily this means XENMEM_decrease_reservation from a toolstack
domain.
Unlike x86 we have no requirement right now to queue such pages onto
a separate list, if we hit this race then the other code has already
fully accepted responsibility for freeing this page and therefore
there is no more for relinquish_memory to do.
This is CVE-2015-7814 / XSA-147.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Julien Grall <julien.grall@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -768,8 +768,15 @@ static int relinquish_memory(struct doma
{
/* Grab a reference to the page so it won't disappear from under us. */
if ( unlikely(!get_page(page, d)) )
- /* Couldn't get a reference -- someone is freeing this page. */
- BUG();
+ /*
+ * Couldn't get a reference -- someone is freeing this page and
+ * has already committed to doing so, so no more to do here.
+ *
+ * Note that the page must be left on the list, a list_del
+ * here will clash with the list_del done by the other
+ * party in the race and corrupt the list head.
+ */
+ continue;
if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
put_page(page);


@ -1,44 +0,0 @@
# Commit fe360c90ea13f309ef78810f1a2b92f2ae3b30b8
# Date 2015-10-29 13:35:07 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: guard against undue super page PTE creation
When optional super page support got added (commit bd1cd81d64 "x86: PV
support for hugepages"), two adjustments were missed: mod_l2_entry()
needs to consider the PSE and RW bits when deciding whether to use the
fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
unconditionally.
This is CVE-2015-7835 / XSA-148.
Reported-by: "栾尚聪(好风)" <shangcong.lsc@alibaba-inc.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -160,7 +160,10 @@ static void put_superpage(unsigned long
static uint32_t base_disallow_mask;
/* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
#define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
+
+#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
+ ? base_disallow_mask & ~_PAGE_PSE \
+ : base_disallow_mask)
#define l3_disallow_mask(d) (!is_pv_32bit_domain(d) ? \
base_disallow_mask : 0xFFFFF198U)
@@ -1839,7 +1842,10 @@ static int mod_l2_entry(l2_pgentry_t *pl
}
/* Fast path for identical mapping and presence. */
- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
+ if ( !l2e_has_changed(ol2e, nl2e,
+ unlikely(opt_allow_superpage)
+ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
+ : _PAGE_PRESENT) )
{
adjust_guest_l2e(nl2e, d);
if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )


@ -1,25 +0,0 @@
# Commit d46896ebbb23f3a9fef2eb6066ae614fd1acfd96
# Date 2015-10-29 13:35:40 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
free domain's vcpu array
This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
guest").
This is CVE-2015-7969 / XSA-149.
Reported-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -833,6 +833,7 @@ static void complete_domain_destroy(stru
xsm_free_security_domain(d);
free_cpumask_var(d->domain_dirty_cpumask);
+ xfree(d->vcpu);
free_domain_struct(d);
send_global_virq(VIRQ_DOM_EXC);


@ -1,205 +0,0 @@
# Commit 101ce53266866144e724ed593173bc4098b300b9
# Date 2015-10-29 13:36:25 +0100
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/PoD: Eager sweep for zeroed pages
Based on the contents of a guests physical address space,
p2m_pod_emergency_sweep() could degrade into a linear memcmp() from 0 to
max_gfn, which runs non-preemptibly.
As p2m_pod_emergency_sweep() runs behind the scenes in a number of contexts,
making it preemptible is not feasible.
Instead, a different approach is taken. Recently-populated pages are eagerly
checked for reclaimation, which amortises the p2m_pod_emergency_sweep()
operation across each p2m_pod_demand_populate() operation.
Note that in the case that a 2M superpage can't be reclaimed as a superpage,
it is shattered if 4K pages of zeros can be reclaimed. This is unfortunate
but matches the previous behaviour, and is required to avoid regressions
(domain crash from PoD exhaustion) with VMs configured close to the limit.
This is CVE-2015-7970 / XSA-150.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
@@ -901,28 +901,6 @@ p2m_pod_zero_check(struct p2m_domain *p2
}
#define POD_SWEEP_LIMIT 1024
-
-/* When populating a new superpage, look at recently populated superpages
- * hoping that they've been zeroed. This will snap up zeroed pages as soon as
- * the guest OS is done with them. */
-static void
-p2m_pod_check_last_super(struct p2m_domain *p2m, unsigned long gfn_aligned)
-{
- unsigned long check_gfn;
-
- ASSERT(p2m->pod.last_populated_index < POD_HISTORY_MAX);
-
- check_gfn = p2m->pod.last_populated[p2m->pod.last_populated_index];
-
- p2m->pod.last_populated[p2m->pod.last_populated_index] = gfn_aligned;
-
- p2m->pod.last_populated_index =
- ( p2m->pod.last_populated_index + 1 ) % POD_HISTORY_MAX;
-
- p2m_pod_zero_check_superpage(p2m, check_gfn);
-}
-
-
#define POD_SWEEP_STRIDE 16
static void
p2m_pod_emergency_sweep(struct p2m_domain *p2m)
@@ -963,7 +941,7 @@ p2m_pod_emergency_sweep(struct p2m_domai
* NB that this is a zero-sum game; we're increasing our cache size
* by re-increasing our 'debt'. Since we hold the pod lock,
* (entry_count - count) must remain the same. */
- if ( p2m->pod.count > 0 && i < limit )
+ if ( i < limit && (p2m->pod.count > 0 || hypercall_preempt_check()) )
break;
}
@@ -975,6 +953,58 @@ p2m_pod_emergency_sweep(struct p2m_domai
}
+static void pod_eager_reclaim(struct p2m_domain *p2m)
+{
+ struct pod_mrp_list *mrp = &p2m->pod.mrp;
+ unsigned int i = 0;
+
+ /*
+ * Always check one page for reclaimation.
+ *
+ * If the PoD pool is empty, keep checking some space is found, or all
+ * entries have been exhaused.
+ */
+ do
+ {
+ unsigned int idx = (mrp->idx + i++) % ARRAY_SIZE(mrp->list);
+ unsigned long gfn = mrp->list[idx];
+
+ if ( gfn != INVALID_GFN )
+ {
+ if ( gfn & POD_LAST_SUPERPAGE )
+ {
+ gfn &= ~POD_LAST_SUPERPAGE;
+
+ if ( p2m_pod_zero_check_superpage(p2m, gfn) == 0 )
+ {
+ unsigned int x;
+
+ for ( x = 0; x < SUPERPAGE_PAGES; ++x, ++gfn )
+ p2m_pod_zero_check(p2m, &gfn, 1);
+ }
+ }
+ else
+ p2m_pod_zero_check(p2m, &gfn, 1);
+
+ mrp->list[idx] = INVALID_GFN;
+ }
+
+ } while ( (p2m->pod.count == 0) && (i < ARRAY_SIZE(mrp->list)) );
+}
+
+static void pod_eager_record(struct p2m_domain *p2m,
+ unsigned long gfn, unsigned int order)
+{
+ struct pod_mrp_list *mrp = &p2m->pod.mrp;
+
+ ASSERT(mrp->list[mrp->idx] == INVALID_GFN);
+ ASSERT(gfn != INVALID_GFN);
+
+ mrp->list[mrp->idx++] =
+ gfn | (order == PAGE_ORDER_2M ? POD_LAST_SUPERPAGE : 0);
+ mrp->idx %= ARRAY_SIZE(mrp->list);
+}
+
int
p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
unsigned int order,
@@ -1015,6 +1045,8 @@ p2m_pod_demand_populate(struct p2m_domai
return 0;
}
+ pod_eager_reclaim(p2m);
+
/* Only sweep if we're actually out of memory. Doing anything else
* causes unnecessary time and fragmentation of superpages in the p2m. */
if ( p2m->pod.count == 0 )
@@ -1051,6 +1083,8 @@ p2m_pod_demand_populate(struct p2m_domai
p2m->pod.entry_count -= (1 << order);
BUG_ON(p2m->pod.entry_count < 0);
+ pod_eager_record(p2m, gfn_aligned, order);
+
if ( tb_init_done )
{
struct {
@@ -1066,12 +1100,6 @@ p2m_pod_demand_populate(struct p2m_domai
__trace_var(TRC_MEM_POD_POPULATE, 0, sizeof(t), &t);
}
- /* Check the last guest demand-populate */
- if ( p2m->pod.entry_count > p2m->pod.count
- && (order == PAGE_ORDER_2M)
- && (q & P2M_ALLOC) )
- p2m_pod_check_last_super(p2m, gfn_aligned);
-
pod_unlock(p2m);
return 0;
out_of_memory:
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -60,6 +60,7 @@ boolean_param("hap_2mb", opt_hap_2mb);
/* Init the datastructures for later use by the p2m code */
static int p2m_initialise(struct domain *d, struct p2m_domain *p2m)
{
+ unsigned int i;
int ret = 0;
mm_rwlock_init(&p2m->lock);
@@ -75,6 +76,9 @@ static int p2m_initialise(struct domain
p2m->np2m_base = P2M_BASE_EADDR;
+ for ( i = 0; i < ARRAY_SIZE(p2m->pod.mrp.list); ++i )
+ p2m->pod.mrp.list[i] = INVALID_GFN;
+
if ( hap_enabled(d) && cpu_has_vmx )
ret = ept_p2m_init(p2m);
else
--- a/xen/include/asm-x86/p2m.h
+++ b/xen/include/asm-x86/p2m.h
@@ -292,10 +292,20 @@ struct p2m_domain {
entry_count; /* # of pages in p2m marked pod */
unsigned long reclaim_single; /* Last gpfn of a scan */
unsigned long max_guest; /* gpfn of max guest demand-populate */
-#define POD_HISTORY_MAX 128
- /* gpfn of last guest superpage demand-populated */
- unsigned long last_populated[POD_HISTORY_MAX];
- unsigned int last_populated_index;
+
+ /*
+ * Tracking of the most recently populated PoD pages, for eager
+ * reclamation.
+ */
+ struct pod_mrp_list {
+#define NR_POD_MRP_ENTRIES 32
+
+/* Encode ORDER_2M superpage in top bit of GFN */
+#define POD_LAST_SUPERPAGE (INVALID_GFN & ~(INVALID_GFN >> 1))
+
+ unsigned long list[NR_POD_MRP_ENTRIES];
+ unsigned int idx;
+ } mrp;
mm_lock_t lock; /* Locking of private pod structs, *
* not relying on the p2m lock. */
} pod;


@ -1,32 +0,0 @@
# Commit 6e97c4b37386c2d09e09e9b5d5d232e37728b960
# Date 2015-10-29 13:36:52 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
xenoprof: free domain's vcpu array
This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
guest").
This is CVE-2015-7969 / XSA-151.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/common/xenoprof.c
+++ b/xen/common/xenoprof.c
@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct(
d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0);
if ( d->xenoprof->rawbuf == NULL )
{
+ xfree(d->xenoprof->vcpu);
xfree(d->xenoprof);
d->xenoprof = NULL;
return -ENOMEM;
@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain *
free_xenheap_pages(x->rawbuf, order);
}
+ xfree(x->vcpu);
xfree(x);
d->xenoprof = NULL;
}


@ -1,70 +0,0 @@
# Commit 95e7415843b94c346e5ba8682665f508f220e04b
# Date 2015-10-29 13:37:19 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: rate-limit logging in do_xen{oprof,pmu}_op()
Some of the sub-ops are acessible to all guests, and hence should be
rate-limited. In the xenoprof case, just like for XSA-146, include them
only in debug builds. Since the vPMU code is rather new, allow them to
be always present, but downgrade them to (rate limited) guest messages.
This is CVE-2015-7971 / XSA-152.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/arch/x86/cpu/vpmu.c
+++ b/xen/arch/x86/cpu/vpmu.c
@@ -682,8 +682,8 @@ long do_xenpmu_op(unsigned int op, XEN_G
vpmu_mode = pmu_params.val;
else if ( vpmu_mode != pmu_params.val )
{
- printk(XENLOG_WARNING
- "VPMU: Cannot change mode while active VPMUs exist\n");
+ gprintk(XENLOG_WARNING,
+ "VPMU: Cannot change mode while active VPMUs exist\n");
ret = -EBUSY;
}
@@ -714,8 +714,8 @@ long do_xenpmu_op(unsigned int op, XEN_G
vpmu_features = pmu_params.val;
else
{
- printk(XENLOG_WARNING "VPMU: Cannot change features while"
- " active VPMUs exist\n");
+ gprintk(XENLOG_WARNING,
+ "VPMU: Cannot change features while active VPMUs exist\n");
ret = -EBUSY;
}
--- a/xen/common/xenoprof.c
+++ b/xen/common/xenoprof.c
@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
if ( (op < 0) || (op > XENOPROF_last_op) )
{
- printk("xenoprof: invalid operation %d for domain %d\n",
- op, current->domain->domain_id);
+ gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op);
return -EINVAL;
}
if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) )
{
- printk("xenoprof: dom %d denied privileged operation %d\n",
- current->domain->domain_id, op);
+ gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op);
return -EPERM;
}
@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
spin_unlock(&xenoprof_lock);
if ( ret < 0 )
- printk("xenoprof: operation %d failed for dom %d (status : %d)\n",
- op, current->domain->domain_id, ret);
+ gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret);
return ret;
}


@ -1,77 +0,0 @@
# Commit e294a0c3af9f4443dc692b180fb1771b1cb075e8
# Date 2015-10-29 15:11:51 +0000
# Author Ian Jackson <ian.jackson@eu.citrix.com>
# Committer Ian Jackson <Ian.Jackson@eu.citrix.com>
libxl: adjust PoD target by memory fudge, too
PoD guests need to balloon at least as far as required by PoD, or risk
crashing. Currently they don't necessarily know what the right value
is, because our memory accounting is (at the very least) confusing.
Apply the memory limit fudge factor to the in-hypervisor PoD memory
target, too. This will increase the size of the guest's PoD cache by
the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby). This ensures
that even with a slightly-off balloon driver, the guest will be
stable even under memory pressure.
There are two call sites of xc_domain_set_pod_target that need fixing:
The one in libxl_set_memory_target is straightforward.
The one in xc_hvm_build_x86.c:setup_guest is more awkward. Simply
setting the PoD target differently does not work because the various
amounts of memory during domain construction no longer match up.
Instead, we adjust the guest memory target in xenstore (but only for
PoD guests).
This introduces a 1Mby discrepancy between the balloon target of a PoD
guest at boot, and the target set by an apparently-equivalent `xl
mem-set' (or similar) later. This approach is low-risk for a security
fix but we need to fix this up properly in xen.git#staging and
probably also in stable trees.
This is XSA-153.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
(cherry picked from commit 56fb5fd62320eb40a7517206f9706aa9188d6f7b)
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -4815,7 +4815,7 @@ retry_transaction:
}
rc = xc_domain_set_pod_target(ctx->xch, domid,
- new_target_memkb / 4, NULL, NULL, NULL);
+ (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL);
if (rc != 0) {
LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR,
"xc_domain_set_pod_target domid=%d, memkb=%d "
--- a/tools/libxl/libxl_dom.c
+++ b/tools/libxl/libxl_dom.c
@@ -486,6 +486,7 @@ int libxl__build_post(libxl__gc *gc, uin
xs_transaction_t t;
char **ents;
int i, rc;
+ int64_t mem_target_fudge;
if (info->num_vnuma_nodes && !info->num_vcpu_soft_affinity) {
rc = set_vnuma_affinity(gc, domid, info);
@@ -518,11 +519,17 @@ int libxl__build_post(libxl__gc *gc, uin
}
}
+ mem_target_fudge =
+ (info->type == LIBXL_DOMAIN_TYPE_HVM &&
+ info->max_memkb > info->target_memkb)
+ ? LIBXL_MAXMEM_CONSTANT : 0;
+
ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *));
ents[0] = "memory/static-max";
ents[1] = GCSPRINTF("%"PRId64, info->max_memkb);
ents[2] = "memory/target";
- ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb);
+ ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb
+ - mem_target_fudge);
ents[4] = "memory/videoram";
ents[5] = GCSPRINTF("%"PRId64, info->video_memkb);
ents[6] = "domid";


@ -1,88 +0,0 @@
# Commit 59a5061723ba47c0028cf48487e5de551c42a378
# Date 2015-11-02 15:33:38 +0100
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/PoD: Make p2m_pod_empty_cache() restartable
This avoids a long running operation when destroying a domain with a
large PoD cache.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
@@ -375,11 +375,11 @@ out:
return ret;
}
-void
-p2m_pod_empty_cache(struct domain *d)
+int p2m_pod_empty_cache(struct domain *d)
{
struct p2m_domain *p2m = p2m_get_hostp2m(d);
struct page_info *page;
+ unsigned int i;
/* After this barrier no new PoD activities can happen. */
BUG_ON(!d->is_dying);
@@ -389,8 +389,6 @@ p2m_pod_empty_cache(struct domain *d)
while ( (page = page_list_remove_head(&p2m->pod.super)) )
{
- int i;
-
for ( i = 0 ; i < SUPERPAGE_PAGES ; i++ )
{
BUG_ON(page_get_owner(page + i) != d);
@@ -398,19 +396,27 @@ p2m_pod_empty_cache(struct domain *d)
}
p2m->pod.count -= SUPERPAGE_PAGES;
+
+ if ( hypercall_preempt_check() )
+ goto out;
}
- while ( (page = page_list_remove_head(&p2m->pod.single)) )
+ for ( i = 0; (page = page_list_remove_head(&p2m->pod.single)); ++i )
{
BUG_ON(page_get_owner(page) != d);
page_list_add_tail(page, &d->page_list);
p2m->pod.count -= 1;
+
+ if ( i && !(i & 511) && hypercall_preempt_check() )
+ goto out;
}
BUG_ON(p2m->pod.count != 0);
+ out:
unlock_page_alloc(p2m);
+ return p2m->pod.count ? -ERESTART : 0;
}
int
--- a/xen/arch/x86/mm/paging.c
+++ b/xen/arch/x86/mm/paging.c
@@ -815,7 +815,7 @@ int paging_teardown(struct domain *d)
return rc;
/* Move populate-on-demand cache back to domain_list for destruction */
- p2m_pod_empty_cache(d);
+ rc = p2m_pod_empty_cache(d);
return rc;
}
--- a/xen/include/asm-x86/p2m.h
+++ b/xen/include/asm-x86/p2m.h
@@ -588,7 +588,7 @@ void p2m_pod_dump_data(struct domain *d)
/* Move all pages from the populate-on-demand cache to the domain page_list
* (usually in preparation for domain destruction) */
-void p2m_pod_empty_cache(struct domain *d);
+int p2m_pod_empty_cache(struct domain *d);
/* Set populate-on-demand cache size so that the total memory allocated to a
* domain matches target */


@ -1,134 +0,0 @@
# Commit bd2239d9fa975a1ee5bcd27c218ae042cd0a57bc
# Date 2015-11-10 12:03:08 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/HVM: always intercept #AC and #DB
Both being benign exceptions, and both being possible to get triggered
by exception delivery, this is required to prevent a guest from locking
up a CPU (resulting from no other VM exits occurring once getting into
such a loop).
The specific scenarios:
1) #AC may be raised during exception delivery if the handler is set to
be a ring-3 one by a 32-bit guest, and the stack is misaligned.
This is CVE-2015-5307 / XSA-156.
Reported-by: Benjamin Serebrin <serebrin@google.com>
2) #DB may be raised during exception delivery when a breakpoint got
placed on a data structure involved in delivering the exception. This
can result in an endless loop when a 64-bit guest uses a non-zero IST
for the vector 1 IDT entry, but even without use of IST the time it
takes until a contributory fault would get raised (results depending
on the handler) may be quite long.
This is CVE-2015-8104 / XSA-156.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -1043,10 +1043,11 @@ static void noreturn svm_do_resume(struc
unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) )
{
uint32_t intercepts = vmcb_get_exception_intercepts(vmcb);
- uint32_t mask = (1U << TRAP_debug) | (1U << TRAP_int3);
+
v->arch.hvm_vcpu.debug_state_latch = debug_state;
vmcb_set_exception_intercepts(
- vmcb, debug_state ? (intercepts | mask) : (intercepts & ~mask));
+ vmcb, debug_state ? (intercepts | (1U << TRAP_int3))
+ : (intercepts & ~(1U << TRAP_int3)));
}
if ( v->arch.hvm_svm.launch_core != smp_processor_id() )
@@ -2434,8 +2435,9 @@ void svm_vmexit_handler(struct cpu_user_
case VMEXIT_EXCEPTION_DB:
if ( !v->domain->debugger_attached )
- goto unexpected_exit_type;
- domain_pause_for_debugger();
+ hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE);
+ else
+ domain_pause_for_debugger();
break;
case VMEXIT_EXCEPTION_BP:
@@ -2483,6 +2485,11 @@ void svm_vmexit_handler(struct cpu_user_
break;
}
+ case VMEXIT_EXCEPTION_AC:
+ HVMTRACE_1D(TRAP, TRAP_alignment_check);
+ hvm_inject_hw_exception(TRAP_alignment_check, vmcb->exitinfo1);
+ break;
+
case VMEXIT_EXCEPTION_UD:
svm_vmexit_ud_intercept(regs);
break;
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -1224,16 +1224,10 @@ static void vmx_update_host_cr3(struct v
void vmx_update_debug_state(struct vcpu *v)
{
- unsigned long mask;
-
- mask = 1u << TRAP_int3;
- if ( !cpu_has_monitor_trap_flag )
- mask |= 1u << TRAP_debug;
-
if ( v->arch.hvm_vcpu.debug_state_latch )
- v->arch.hvm_vmx.exception_bitmap |= mask;
+ v->arch.hvm_vmx.exception_bitmap |= 1U << TRAP_int3;
else
- v->arch.hvm_vmx.exception_bitmap &= ~mask;
+ v->arch.hvm_vmx.exception_bitmap &= ~(1U << TRAP_int3);
vmx_vmcs_enter(v);
vmx_update_exception_bitmap(v);
@@ -3041,9 +3035,10 @@ void vmx_vmexit_handler(struct cpu_user_
__vmread(EXIT_QUALIFICATION, &exit_qualification);
HVMTRACE_1D(TRAP_DEBUG, exit_qualification);
write_debugreg(6, exit_qualification | DR_STATUS_RESERVED_ONE);
- if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag )
- goto exit_and_crash;
- domain_pause_for_debugger();
+ if ( !v->domain->debugger_attached )
+ hvm_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE);
+ else
+ domain_pause_for_debugger();
break;
case TRAP_int3:
{
@@ -3108,6 +3103,11 @@ void vmx_vmexit_handler(struct cpu_user_
hvm_inject_page_fault(regs->error_code, exit_qualification);
break;
+ case TRAP_alignment_check:
+ HVMTRACE_1D(TRAP, vector);
+ __vmread(VM_EXIT_INTR_ERROR_CODE, &ecode);
+ hvm_inject_hw_exception(vector, ecode);
+ break;
case TRAP_nmi:
if ( MASK_EXTR(intr_info, INTR_INFO_INTR_TYPE_MASK) !=
X86_EVENTTYPE_NMI )
--- a/xen/include/asm-x86/hvm/hvm.h
+++ b/xen/include/asm-x86/hvm/hvm.h
@@ -384,7 +384,10 @@ static inline int hvm_event_pending(stru
(X86_CR4_VMXE | X86_CR4_PAE | X86_CR4_MCE))
/* These exceptions must always be intercepted. */
-#define HVM_TRAP_MASK ((1U << TRAP_machine_check) | (1U << TRAP_invalid_op))
+#define HVM_TRAP_MASK ((1U << TRAP_debug) | \
+ (1U << TRAP_invalid_op) | \
+ (1U << TRAP_alignment_check) | \
+ (1U << TRAP_machine_check))
/*
* x86 event types. This enumeration is valid for:


@ -1,25 +0,0 @@
# Commit c03480cf5c4e96fb4afb2237ad0a3cac7162564a
# Date 2015-11-24 18:32:20 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/vPMU: document as unsupported
This is XSA-163.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Index: xen-4.6.0-testing/docs/misc/xen-command-line.markdown
===================================================================
--- xen-4.6.0-testing.orig/docs/misc/xen-command-line.markdown
+++ xen-4.6.0-testing/docs/misc/xen-command-line.markdown
@@ -1463,8 +1463,8 @@ feature is switched on on Intel processo
Note that if **watchdog** option is also specified vpmu will be turned off.
*Warning:*
-As the BTS virtualisation is not 100% safe and because of the nehalem quirk
-don't use the vpmu flag on production systems with Intel cpus!
+As the virtualisation is not 100% safe, don't use the vpmu flag on
+production systems (see http://xenbits.xen.org/xsa/advisory-163.html)!
### watchdog
> `= force | <boolean>`


@ -1,40 +0,0 @@
Reference: bsc#960093 CVE-2015-8615 XSA-169
Subject: x86: make debug output consistent in hvm_set_callback_via
From: Malcolm Crossley malcolm.crossley@citrix.com Mon Dec 21 13:40:48 2015 +0100
Date: Mon Dec 21 13:40:48 2015 +0100:
Git: 5c1048565ba5b240f47203bdb67572bee73d639e
The unconditional printks in the switch statement of the
hvm_set_callback_via function results in Xen log spam in non debug
versions of Xen. The printks are for debug output only so conditionally
compile the entire switch statement on debug versions of Xen only.
This is XSA-169.
Signed-off-by: Malcolm Crossley <malcolm.crossley@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.6.0-testing/xen/arch/x86/hvm/irq.c
===================================================================
--- xen-4.6.0-testing.orig/xen/arch/x86/hvm/irq.c
+++ xen-4.6.0-testing/xen/arch/x86/hvm/irq.c
@@ -382,7 +382,8 @@ void hvm_set_callback_via(struct domain
spin_unlock(&d->arch.hvm_domain.irq_lock);
- dprintk(XENLOG_G_INFO, "Dom%u callback via changed to ", d->domain_id);
+#ifndef NDEBUG
+ printk(XENLOG_G_INFO "Dom%u callback via changed to ", d->domain_id);
switch ( via_type )
{
case HVMIRQ_callback_gsi:
@@ -398,6 +399,7 @@ void hvm_set_callback_via(struct domain
printk("None\n");
break;
}
+#endif
}
struct hvm_intack hvm_vcpu_has_pending_irq(struct vcpu *v)


@ -21,11 +21,11 @@ Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1633,6 +1633,16 @@ static void set_pixel_format(VncState *v
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1643,6 +1643,16 @@ static void set_pixel_format(VncState *v
return;
}


@ -0,0 +1,140 @@
References: bsc#965156 CVE-2015-6855
Subject: ide: fix ATAPI command permissions
From: John Snow jsnow@redhat.com Thu Sep 17 14:17:05 2015 -0400
Date: Fri Sep 18 10:58:56 2015 -0400:
Git: d9033e1d3aa666c5071580617a57bd853c5d794a
We're a little too lenient with what we'll let an ATAPI drive handle.
Clamp down on the IDE command execution table to remove CD_OK permissions
from commands that are not and have never been ATAPI commands.
For ATAPI command validity, please see:
- ATA4 Section 6.5 ("PACKET Command feature set")
- ATA8/ACS Section 4.3 ("The PACKET feature set")
- ACS3 Section 4.3 ("The PACKET feature set")
ACS3 has a historical command validity table in Table B.4
("Historical Command Assignments") that can be referenced to find when
a command was introduced, deprecated, obsoleted, etc.
The only reference for ATAPI command validity is by checking that
version's PACKET feature set section.
ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
therefore are assumed to have never been ATAPI commands.
Mandatory commands, as listed in ATA8-ACS3, are:
- DEVICE RESET
- EXECUTE DEVICE DIAGNOSTIC
- IDENTIFY DEVICE
- IDENTIFY PACKET DEVICE
- NOP
- PACKET
- READ SECTOR(S)
- SET FEATURES
Optional commands as listed in ATA8-ACS3, are:
- FLUSH CACHE
- READ LOG DMA EXT
- READ LOG EXT
- WRITE LOG DMA EXT
- WRITE LOG EXT
All other commands are illegal to send to an ATAPI device and should
be rejected by the device.
CD_OK removal justifications:
0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
This patch fixes a divide by zero fault that can be caused by sending
the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
attempt to use zeroed CHS values to perform sector arithmetic.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
CC: qemu-stable@nongnu.org
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
@@ -1739,11 +1739,11 @@ static const struct {
} ide_cmd_table[0x100] = {
/* NOP not implemented, mandatory for CD */
[CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
[WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
[WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
[WIN_READ] = { cmd_read_pio, ALL_OK },
- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
[WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
[WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
[WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
@@ -1762,12 +1762,12 @@ static const struct {
[CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
[WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
[WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
[WIN_PACKETCMD] = { cmd_packet, CD_OK },
[WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
[WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
@@ -1781,19 +1781,19 @@ static const struct {
[WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
[WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
[CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
- [WIN_STANDBY] = { cmd_nop, ALL_OK },
- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
[WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
[WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
[WIN_IDENTIFY] = { cmd_identify, ALL_OK },
[WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
[IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
[CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
};
static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
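Review bot: The `Index:`, `---` and `+++` lines of this new patch still point at `xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/ide/core.c`, whereas every other patch touched by this commit is rewritten to the `xen-4.6.1-testing` prefix; the leading component is stripped by the usual `-p1`, so it most likely still applies, but the three header lines should be normalised to `xen-4.6.1-testing/...` so a later refresh against the new tarball does not silently pick up a stale baseline. The table edits themselves line up with the justification list in the description (the fifteen listed opcodes each move from `ALL_OK` to `HD_CFA_OK`), which is what closes the `WIN_READ_NATIVE_MAX` divide-by-zero for ATAPI devices at the `ide_cmd_permitted` gate; that function's body lies past the end of the hunk. It is worth confirming that `HD_CFA_OK` is already defined in the bundled qemu-xen tree, since the hunk only uses the mask and never introduces it.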


@ -1,10 +1,10 @@
References: bsc#958493 CVE-2015-8504
Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
--- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1634,15 +1634,15 @@ static void set_pixel_format(VncState *v
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1644,15 +1644,15 @@ static void set_pixel_format(VncState *v
}
vs->clientds = vs->serverds;


@ -0,0 +1,115 @@
References: bsc#965269 CVE-2015-8619
Subject: hmp: fix sendkey out of bounds write (CVE-2015-8619)
From: Wolfgang Bumiller w.bumiller@proxmox.com Wed Jan 13 09:09:58 2016 +0100
Date: Wed Feb 3 10:13:06 2016 +0100:
Git: 64ffbe04eaafebf4045a3ace52a360c14959d196
When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.
Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.
Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-Id: <20160113080958.GA18934@olga>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hmp.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c
@@ -1478,21 +1478,18 @@ void hmp_send_key(Monitor *mon, const QD
int has_hold_time = qdict_haskey(qdict, "hold-time");
int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
Error *err = NULL;
- char keyname_buf[16];
char *separator;
int keyname_len;
while (1) {
separator = strchr(keys, '-');
keyname_len = separator ? separator - keys : strlen(keys);
- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
/* Be compatible with old interface, convert user inputted "<" */
- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
+ if (keys[0] == '<' && keyname_len == 1) {
+ keys = "less";
keyname_len = 4;
}
- keyname_buf[keyname_len] = 0;
keylist = g_malloc0(sizeof(*keylist));
keylist->value = g_malloc0(sizeof(*keylist->value));
@@ -1505,16 +1502,17 @@ void hmp_send_key(Monitor *mon, const QD
}
tmp = keylist;
- if (strstart(keyname_buf, "0x", NULL)) {
+ if (strstart(keys, "0x", NULL)) {
char *endp;
- int value = strtoul(keyname_buf, &endp, 0);
- if (*endp != '\0') {
+ int value = strtoul(keys, &endp, 0);
+ assert(endp <= keys + keyname_len);
+ if (endp != keys + keyname_len) {
goto err_out;
}
keylist->value->kind = KEY_VALUE_KIND_NUMBER;
keylist->value->number = value;
} else {
- int idx = index_from_key(keyname_buf);
+ int idx = index_from_key(keys, keyname_len);
if (idx == Q_KEY_CODE_MAX) {
goto err_out;
}
@@ -1536,7 +1534,7 @@ out:
return;
err_out:
- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
goto out;
}
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/include/ui/console.h
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h
@@ -349,7 +349,7 @@ static inline int vnc_display_pw_expire(
void curses_display_init(DisplayState *ds, int full_screen);
/* input.c */
-int index_from_key(const char *key);
+int index_from_key(const char *key, size_t key_length);
/* gtk.c */
void early_gtk_display_init(void);
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/input-legacy.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c
@@ -60,12 +60,13 @@ static QTAILQ_HEAD(, QEMUPutLEDEntry) le
static QTAILQ_HEAD(, QEMUPutMouseEntry) mouse_handlers =
QTAILQ_HEAD_INITIALIZER(mouse_handlers);
-int index_from_key(const char *key)
+int index_from_key(const char *key, size_t key_length)
{
int i;
for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
- if (!strcmp(key, QKeyCode_lookup[i])) {
+ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
+ !QKeyCode_lookup[i][key_length]) {
break;
}
}
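Review bot: As with the other new patch in this commit, the `Index:`/`---`/`+++` headers here reference `xen-4.6.0-testing` rather than the `xen-4.6.1-testing` prefix the rest of the commit converts to; it will likely still apply with `-p1`, but the headers in each of the three file stanzas (hmp.c, console.h, input-legacy.c) should be updated for consistency with the new tarball. The new `assert(endp <= keys + keyname_len)` in `hmp_send_key` sits on a path fed by monitor input, so a one-line comment stating why it cannot fire would help the next reader: `/* strtoul() stops at the '-' separator or NUL, so endp cannot pass the end of this token */`, which follows from `keyname_len` being derived from `strchr(keys, '-')` just above. The reassignment `keys = "less"` presumably relies on the loop advancing to the next token via `separator`, which was captured before the reassignment; that advance is outside this hunk, so it is assumed rather than shown here.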


@ -20,10 +20,10 @@ git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5076 c046a42c-6fe2-441c-8c8
vnc.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++---------
1 files changed, 50 insertions(+), 9 deletions(-)
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1285,35 +1285,22 @@ static void press_key_altgr_down(VncStat
}
}
@ -115,7 +115,7 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
case 0x574D5669:
vs->has_WMVi = 1;
default:
@@ -1780,6 +1797,24 @@ static int protocol_client_msg(VncState
@@ -1790,6 +1807,24 @@ static int protocol_client_msg(VncState
client_cut_text(vs, read_u32(data, 4), (char *)(data + 8));
break;
@ -140,7 +140,7 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
default:
printf("Msg: %d\n", data[0]);
vnc_client_error(vs);
@@ -2451,10 +2486,11 @@ void vnc_display_init(DisplayState *ds)
@@ -2461,10 +2496,11 @@ void vnc_display_init(DisplayState *ds)
vs->ds = ds;


@ -1,11 +1,11 @@
Subject: modify default read/write flag in bdrv_init.
Signed-off by Chunyan Liu <cyliu@novell.com>
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -2627,6 +2627,8 @@ int drive_init(struct drive_opt *arg, in
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -2626,6 +2626,8 @@ int drive_init(struct drive_opt *arg, in
strncpy(drives_table[nb_drives].serial, serial, sizeof(serial));
nb_drives++;
@ -14,7 +14,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
switch(type) {
case IF_IDE:
case IF_XEN:
@@ -2640,6 +2642,7 @@ int drive_init(struct drive_opt *arg, in
@@ -2639,6 +2641,7 @@ int drive_init(struct drive_opt *arg, in
break;
case MEDIA_CDROM:
bdrv_set_type_hint(bdrv, BDRV_TYPE_CDROM);
@ -22,7 +22,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
break;
}
break;
@@ -2660,7 +2663,6 @@ int drive_init(struct drive_opt *arg, in
@@ -2659,7 +2662,6 @@ int drive_init(struct drive_opt *arg, in
}
if (!file[0])
return -2;


@ -1,7 +1,7 @@
Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
===================================================================
--- xen-4.5.0-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
+++ xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
@@ -1,6 +1,8 @@
#ifndef QEMU_XEN_H
#define QEMU_XEN_H
@ -20,11 +20,11 @@ Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/qemu-xen.h
int xenstore_parse_disable_pf_config(void);
int xenstore_fd(void);
void xenstore_process_event(void *opaque);
Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
--- xen-4.5.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -5862,9 +5862,9 @@ int main(int argc, char **argv, char **e
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -5861,9 +5861,9 @@ int main(int argc, char **argv, char **e
if ((msg = xenbus_read(XBT_NIL, "domid", &domid_s)))
fprintf(stderr,"Can not read our own domid: %s\n", msg);
else
@ -36,10 +36,10 @@ Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
#endif /* CONFIG_STUBDOM */
}
Index: xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
===================================================================
--- xen-4.5.0-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c
+++ xen-4.5.0-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/xenstore.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/xenstore.c
@@ -445,7 +445,7 @@ void xenstore_init(void)
}
}


@ -1,8 +1,8 @@
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1761,6 +1761,25 @@ static int protocol_client_msg(VncState
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1771,6 +1771,25 @@ static int protocol_client_msg(VncState
}
set_encodings(vs, (int32_t *)(data + 4), limit);


@ -10,10 +10,10 @@ everything that was raised about the previous version ...
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/Makefile.target
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
@@ -580,6 +580,10 @@ OBJS += e1000.o
# Serial mouse
OBJS += msmouse.o
@ -25,10 +25,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/Makefile.target
ifeq ($(TARGET_BASE_ARCH), i386)
# Hardware support
ifdef CONFIG_AUDIO
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
@@ -41,6 +41,7 @@
#include "virtio-balloon.h"
#include "virtio-console.h"
@ -37,7 +37,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
#ifdef CONFIG_PASSTHROUGH
#include "pass-through.h"
@@ -1050,6 +1051,8 @@ vga_bios_error:
@@ -1047,6 +1048,8 @@ vga_bios_error:
}
}
@ -46,10 +46,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
for(i = 0; i < nb_nics; i++) {
NICInfo *nd = &nd_table[i];
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
===================================================================
--- /dev/null
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
@@ -0,0 +1,136 @@
+/*
+ * Virtual hardware watchdog.
@ -187,10 +187,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.c
+ wdt_ib700_init();
+ wdt_i6300esb_init();
+}
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
===================================================================
--- /dev/null
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
@@ -0,0 +1,65 @@
+/*
+ * Virtual hardware watchdog.
@ -257,10 +257,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/watchdog.h
+extern void register_watchdogs(void);
+
+#endif /* QEMU_WATCHDOG_H */
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
===================================================================
--- /dev/null
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
@@ -0,0 +1,470 @@
+/*
+ * Virtual hardware watchdog.
@ -732,10 +732,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_i6300esb.c
+{
+ watchdog_add_model(&model);
+}
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
===================================================================
--- /dev/null
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
@@ -0,0 +1,112 @@
+/*
+ * Virtual hardware watchdog.
@ -849,10 +849,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/wdt_ib700.c
+ watchdog_add_model(&model);
+ timer = qemu_new_timer(vm_clock, ib700_timer_expired, NULL);
+}
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/monitor.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
@@ -26,6 +26,7 @@
#include "hw/pcmcia.h"
#include "hw/pc.h"
@ -884,10 +884,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/monitor.c
{ "cpu_set", "is", do_cpu_set_nr,
"cpu [online|offline]", "change cpu state" },
{ NULL, NULL, },
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vl.c
@@ -30,6 +30,7 @@
#include "hw/isa.h"
#include "hw/baum.h"
@ -905,7 +905,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
const char *option_rom[MAX_OPTION_ROMS];
int nb_option_roms;
int semihosting_enabled = 0;
@@ -4177,6 +4180,10 @@ static void help(int exitcode)
@@ -4176,6 +4179,10 @@ static void help(int exitcode)
"-startdate select initial date of the clock\n"
"-icount [N|auto]\n"
" enable virtual instruction counter with 2^N clock ticks per instruction\n"
@ -916,7 +916,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
"-echr chr set terminal escape character instead of ctrl-a\n"
"-virtioconsole c\n"
" set virtio console\n"
@@ -4324,6 +4331,8 @@ enum {
@@ -4323,6 +4330,8 @@ enum {
QEMU_OPTION_localtime,
QEMU_OPTION_startdate,
QEMU_OPTION_icount,
@ -925,7 +925,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
QEMU_OPTION_echr,
QEMU_OPTION_virtiocon,
QEMU_OPTION_show_cursor,
@@ -4450,6 +4459,8 @@ static const QEMUOption qemu_options[] =
@@ -4449,6 +4458,8 @@ static const QEMUOption qemu_options[] =
{ "localtime", 0, QEMU_OPTION_localtime },
{ "startdate", HAS_ARG, QEMU_OPTION_startdate },
{ "icount", HAS_ARG, QEMU_OPTION_icount },
@ -934,7 +934,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
{ "echr", HAS_ARG, QEMU_OPTION_echr },
{ "virtioconsole", HAS_ARG, QEMU_OPTION_virtiocon },
{ "show-cursor", 0, QEMU_OPTION_show_cursor },
@@ -4951,6 +4962,8 @@ int main(int argc, char **argv, char **e
@@ -4950,6 +4961,8 @@ int main(int argc, char **argv, char **e
tb_size = 0;
autostart= 1;
@ -943,7 +943,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c
optind = 1;
for(;;) {
if (optind >= argc)
@@ -5325,6 +5338,17 @@ int main(int argc, char **argv, char **e
@@ -5324,6 +5337,17 @@ int main(int argc, char **argv, char **e
serial_devices[serial_device_index] = optarg;
serial_device_index++;
break;


@ -4,10 +4,10 @@ kernel and initrd, which could be accessed by hvmloader.
Signed-off-by: Chunyan Liu <cyliu@novell.com>
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.c
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/block.c
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.c
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.c
@@ -596,6 +596,16 @@ int bdrv_read(BlockDriverState *bs, int6
if (bdrv_check_request(bs, sector_num, nb_sectors))
@ -79,10 +79,10 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.c
ret = drv->bdrv_aio_write(bs, sector_num, buf, nb_sectors, cb, opaque);
if (ret) {
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block_int.h
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block_int.h
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/block_int.h
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block_int.h
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block_int.h
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block_int.h
@@ -122,6 +122,9 @@ struct BlockDriverState {
BlockDriver *drv; /* NULL means no media */
void *opaque;
@ -93,11 +93,11 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block_int.h
char filename[1024];
char backing_file[1024]; /* if non zero, the image is a diff of
this file image */
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
@@ -474,45 +474,28 @@ static void bochs_bios_init(void)
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
@@ -473,45 +473,28 @@ static void bochs_bios_init(void)
/* Generate an initial boot sector which sets state and jump to
a specified vector */
@ -110,7 +110,8 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+ uint8_t bootsect[512], *p;
int i;
+ int hda;
+
- memset(rom, 0, sizeof(rom));
+ hda = drive_get_index(IF_IDE, 0, 0);
+ if (hda == -1) {
+ fprintf(stderr, "A disk image must be given for 'hda' when booting "
@ -119,8 +120,6 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+ }
+ memset(bootsect, 0, sizeof(bootsect));
- memset(rom, 0, sizeof(rom));
-
- p = rom;
- /* Make sure we have an option rom signature */
- *p++ = 0x55;
@ -161,7 +160,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
*p++ = 0xfa; /* CLI */
*p++ = 0xfc; /* CLD */
@@ -542,13 +525,7 @@ static void generate_bootsect(uint8_t *o
@@ -541,13 +524,7 @@ static void generate_bootsect(uint8_t *o
*p++ = segs[1]; /* CS */
*p++ = segs[1] >> 8;
@ -176,7 +175,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
}
static long get_file_size(FILE *f)
@@ -565,8 +542,7 @@ static long get_file_size(FILE *f)
@@ -564,8 +541,7 @@ static long get_file_size(FILE *f)
return size;
}
@ -186,7 +185,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
const char *initrd_filename,
const char *kernel_cmdline)
{
@@ -632,7 +608,9 @@ static void load_linux(uint8_t *option_r
@@ -631,7 +607,9 @@ static void load_linux(uint8_t *option_r
/* Special pages are placed at end of low RAM: pick an arbitrary one and
* subtract a suitably large amount of padding (64kB) to skip BIOS data. */
@ -197,7 +196,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
end_low_ram = (end_low_ram << 12) - (64*1024);
/* highest address for loading the initrd */
@@ -721,7 +699,7 @@ static void load_linux(uint8_t *option_r
@@ -720,7 +698,7 @@ static void load_linux(uint8_t *option_r
memset(gpr, 0, sizeof gpr);
gpr[4] = cmdline_addr-real_addr-16; /* SP (-16 is paranoia) */
@ -206,7 +205,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
#endif
}
@@ -932,14 +910,6 @@ vga_bios_error:
@@ -930,14 +908,6 @@ vga_bios_error:
int size, offset;
offset = 0;
@ -221,20 +220,20 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
for (i = 0; i < nb_option_roms; i++) {
size = get_image_size(option_rom[i]);
@@ -973,6 +943,9 @@ vga_bios_error:
@@ -971,6 +941,9 @@ vga_bios_error:
bochs_bios_init();
+ if (linux_boot)
+ load_linux(kernel_filename, initrd_filename, kernel_cmdline);
+ load_linux(kernel_filename, initrd_filename, kernel_cmdline);
+
cpu_irq = qemu_allocate_irqs(pic_irq_request, NULL, 1);
i8259 = i8259_init(cpu_irq[0]);
i8259 = i8259_init(NULL);
ferr_irq = i8259[13];
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.h
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.h
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/block.h
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/block.h
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block.h
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/block.h
@@ -82,6 +82,7 @@ int64_t bdrv_getlength(BlockDriverState
void bdrv_get_geometry(BlockDriverState *bs, uint64_t *nb_sectors_ptr);
void bdrv_guess_geometry(BlockDriverState *bs, int *pcyls, int *pheads, int *psecs);


@ -1,8 +1,8 @@
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
@@ -935,8 +935,9 @@ static inline void ide_dma_submit_check(
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
@@ -937,8 +937,9 @@ static inline void ide_dma_submit_check(
static inline void ide_set_irq(IDEState *s)
{
@ -14,24 +14,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
if (!(s->cmd & IDE_CMD_DISABLE_IRQ)) {
if (bm) {
bm->status |= BM_STATUS_INT;
@@ -1224,14 +1225,14 @@ static void ide_read_dma_cb(void *opaque
int n;
int64_t sector_num;
+ if (!s || !s->bs) return; /* ouch! (see ide_flush_cb) */
+
if (ret < 0) {
dma_buf_commit(s, 1);
ide_dma_error(s);
return;
}
- if (!s->bs) return; /* ouch! (see ide_flush_cb) */
-
n = s->io_buffer_size >> 9;
sector_num = ide_get_sector(s);
if (n > 0) {
@@ -1335,6 +1336,8 @@ static void ide_write_flush_cb(void *opa
@@ -1338,6 +1339,8 @@ static void ide_write_flush_cb(void *opa
BMDMAState *bm = opaque;
IDEState *s = bm->ide_if;
@ -40,23 +23,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
if (ret != 0) {
ide_dma_error(s);
return;
@@ -1366,13 +1369,13 @@ static void ide_write_dma_cb(void *opaqu
int n;
int64_t sector_num;
+ if (!s || !s->bs) return; /* ouch! (see ide_flush_cb) */
+
if (ret < 0) {
if (ide_handle_write_error(s, -ret, BM_STATUS_DMA_RETRY))
return;
}
- if (!s->bs) return; /* ouch! (see ide_flush_cb) */
-
n = s->io_buffer_size >> 9;
sector_num = ide_get_sector(s);
if (n > 0) {
@@ -1429,7 +1432,7 @@ static void ide_flush_cb(void *opaque, i
@@ -1432,7 +1435,7 @@ static void ide_flush_cb(void *opaque, i
{
IDEState *s = opaque;
@ -65,7 +32,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
if (ret) {
/* We are completely doomed. The IDE spec does not permit us
@@ -1686,7 +1689,7 @@ static void ide_atapi_cmd_read_dma_cb(vo
@@ -1689,7 +1692,7 @@ static void ide_atapi_cmd_read_dma_cb(vo
IDEState *s = bm->ide_if;
int data_offset, n;
@ -74,7 +41,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
if (ret < 0) {
ide_atapi_io_error(s, ret);
@@ -2365,7 +2368,7 @@ static void cdrom_change_cb(void *opaque
@@ -2368,7 +2371,7 @@ static void cdrom_change_cb(void *opaque
IDEState *s = opaque;
uint64_t nb_sectors;
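Review bot: The inner hunks that hoist `if (!s || !s->bs) return;` ahead of the `ret < 0` error path in ide_read_dma_cb and ide_write_dma_cb appear to be dropped from this patch file (the outer hunk counts shrink from 24 to 7 and from 23 to 7 lines), and nothing on the page shows the same guard landing in the 4.6.1 hw/ide.c. Without it, the error branch calls dma_buf_commit()/ide_dma_error() and ide_handle_write_error() on `s` before the `!s->bs` check that follows it in the unpatched code. It is worth confirming that the guard is present in the refreshed qemu-xen-traditional tree and, if it was upstreamed, saying so in the changelog entry so the drop is traceable. The enclosing ide.c functions lie outside the visible hunks.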


@ -1,7 +1,7 @@
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
@@ -218,7 +218,7 @@ static int ne2000_can_receive(void *opaq
NE2000State *s = opaque;
@ -11,11 +11,11 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c
return !ne2000_buffer_full(s);
}
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
@@ -413,7 +413,8 @@ static void bochs_bios_write(void *opaqu
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
@@ -412,7 +412,8 @@ static void bochs_bios_write(void *opaqu
case 0x400:
case 0x401:
fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
@ -25,7 +25,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pc.c
case 0x402:
case 0x403:
#ifdef DEBUG_BIOS
@@ -436,8 +437,9 @@ static void bochs_bios_write(void *opaqu
@@ -435,8 +436,9 @@ static void bochs_bios_write(void *opaqu
/* LGPL'ed VGA BIOS messages */
case 0x501:
case 0x502:


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a62686ff9b94dda2777a5b1b37b75ae0cbc861dff7bdcbd8789785551e351f45
size 8995267
oid sha256:00730e1f13bb4780e2f9e6e6dae3438558405e47e19d3843f22476be676fb86c
size 8995705


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c039f105aaa84cb17dd3c6efc65316e55dae6de47b19c3400bb469ee017cecd6
size 3214075
oid sha256:49b46fed34660b33f06539a82abc11421b6396cf9ec6bf1a8b6a2219e0beaa30
size 3213851


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f763331c9616e2fb8e5ed815974a7c4bf142b0c1e5ad8c97b75ad5930f712c3d
size 445943
oid sha256:1cac2c7e38b87f2944ab6833a3e79540480456229ab9a187f16ea8231a4918c6
size 446291


@ -1,8 +1,8 @@
Index: xen-4.2.0-testing/xen/arch/x86/hvm/stdvga.c
Index: xen-4.6.1-testing/xen/arch/x86/hvm/stdvga.c
===================================================================
--- xen-4.2.0-testing.orig/xen/arch/x86/hvm/stdvga.c
+++ xen-4.2.0-testing/xen/arch/x86/hvm/stdvga.c
@@ -135,7 +135,10 @@ static int stdvga_outb(uint64_t addr, ui
--- xen-4.6.1-testing.orig/xen/arch/x86/hvm/stdvga.c
+++ xen-4.6.1-testing/xen/arch/x86/hvm/stdvga.c
@@ -166,7 +166,10 @@ static int stdvga_outb(uint64_t addr, ui
/* When in standard vga mode, emulate here all writes to the vram buffer
* so we can immediately satisfy reads without waiting for qemu. */


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3930c6a8177865093ee27cc75e9d29f7ba0bf1d7084ea6886d1b6747bc60f0bf
size 4085311


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:713e894ad35fde716ffb0c6987737954fe82e5e0a9adf66eeea491c27c6eabff
size 4088066


@ -1,7 +1,7 @@
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.h
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.h
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/net.h
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.h
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.h
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.h
@@ -107,8 +107,8 @@ void net_host_device_add(const char *dev
void net_host_device_remove(int vlan_id, const char *device);
@ -13,11 +13,11 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.h
#endif
#ifdef __sun__
#define SMBD_COMMAND "/usr/sfw/sbin/smbd"
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.c
@@ -1765,9 +1765,10 @@ int net_client_init(const char *device,
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
@@ -1774,9 +1774,10 @@ int net_client_init(const char *device,
}
if (get_param_value(script_arg, sizeof(script_arg), "scriptarg", p) == 0 &&
get_param_value(script_arg, sizeof(script_arg), "bridge", p) == 0) { /* deprecated; for xend compatibility */
@ -30,10 +30,10 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/net.c
}
} else
#endif
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
@@ -1,36 +1,22 @@
#!/bin/sh


@ -1,3 +1,54 @@
-------------------------------------------------------------------
Thu Feb 11 09:29:01 MST 2016 - carnold@suse.com
- Update to Xen Version 4.6.1
xen-4.6.1-testing-src.tar.bz2
- Dropped patches now contained in tarball or unnecessary
xen-4.6.0-testing-src.tar.bz2
5604f239-x86-PV-properly-populate-descriptor-tables.patch
561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
561d20a0-x86-hide-MWAITX-from-PV-domains.patch
561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
5632129c-free-domain-s-vcpu-array.patch
563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
563212e4-xenoprof-free-domain-s-vcpu-array.patch
563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch
56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch
5641ceec-x86-HVM-always-intercept-AC-and-DB.patch
56549f24-x86-vPMU-document-as-unsupported.patch
5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch
xen-4.6.0-testing-src.tar.bz2
xsa155-qemut-qdisk-double-access.patch
xsa155-qemut-xenfb.patch
xsa155-qemuu-qdisk-double-access.patch
xsa155-qemuu-xenfb.patch
xsa159.patch
xsa160.patch
xsa162-qemut.patch
xsa165.patch
xsa166.patch
xsa167.patch
xsa168.patch
-------------------------------------------------------------------
Fri Feb 5 08:51:16 MST 2016 - carnold@suse.com
- bsc#965269 - VUL-1: CVE-2015-8619: xen: stack based OOB write in
hmp_sendkey routine
CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
-------------------------------------------------------------------
Thu Feb 4 09:26:34 MST 2016 - carnold@suse.com
- bsc#965156 - VUL-0: CVE-2015-6855: xen: ide: divide by zero issue
CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
-------------------------------------------------------------------
Wed Feb 3 10:47:41 MST 2016 - carnold@suse.com


@ -1,7 +1,7 @@
#
# spec file for package xen
#
# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -21,7 +21,7 @@
Name: xen
ExclusiveArch: %ix86 x86_64 %arm aarch64
%define changeset 31594
%define xen_build_dir xen-4.6.0-testing
%define xen_build_dir xen-4.6.1-testing
#
%define with_kmp 0
%define with_debug 0
@ -163,12 +163,12 @@ BuildRequires: xorg-x11-util-devel
%endif
%endif
Version: 4.6.0_08
Version: 4.6.1_01
Release: 0
Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
License: GPL-2.0
Group: System/Kernel
Source0: xen-4.6.0-testing-src.tar.bz2
Source0: xen-4.6.1-testing-src.tar.bz2
Source1: stubdom.tar.bz2
Source2: qemu-xen-traditional-dir-remote.tar.bz2
Source3: qemu-xen-dir-remote.tar.bz2
@ -204,43 +204,14 @@ Source57: xen-utils-0.1.tar.bz2
Source99: baselibs.conf
# Upstream patches
Patch1: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch
Patch2: 5604f239-x86-PV-properly-populate-descriptor-tables.patch
Patch3: 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
Patch4: 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
Patch5: 561d20a0-x86-hide-MWAITX-from-PV-domains.patch
Patch6: 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
Patch7: 5628fc67-libxl-No-emulated-disk-driver-for-xvdX-disk.patch
Patch8: 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
Patch9: 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
Patch10: 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
Patch11: 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
Patch12: 5632129c-free-domain-s-vcpu-array.patch
Patch13: 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
Patch14: 563212e4-xenoprof-free-domain-s-vcpu-array.patch
Patch15: 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
Patch16: 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch
Patch17: 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch
Patch18: 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch
Patch19: 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch
Patch20: 5649bcbe-libxl-relax-readonly-check-introduced-by-XSA-142-fix.patch
Patch21: 56549f24-x86-vPMU-document-as-unsupported.patch
Patch22: 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch
Patch2: 5628fc67-libxl-No-emulated-disk-driver-for-xvdX-disk.patch
Patch3: 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch
Patch4: 5649bcbe-libxl-relax-readonly-check-introduced-by-XSA-142-fix.patch
Patch15501: xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
Patch15502: xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
Patch15503: xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
Patch15504: xsa155-qemuu-qdisk-double-access.patch
Patch15505: xsa155-qemut-qdisk-double-access.patch
Patch15506: xsa155-qemuu-xenfb.patch
Patch15507: xsa155-qemut-xenfb.patch
Patch159: xsa159.patch
Patch160: xsa160.patch
Patch16201: xsa162-qemuu.patch
Patch16202: xsa162-qemut.patch
Patch162: xsa162-qemuu.patch
Patch164: xsa164.patch
Patch165: xsa165.patch
Patch166: xsa166.patch
Patch167: xsa167.patch
Patch168: xsa168.patch
# Upstream qemu
Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@ -281,6 +252,8 @@ Patch286: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bou
Patch287: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
Patch288: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
Patch289: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
Patch290: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
Patch291: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
# Our platform specific patches
Patch321: xen-destdir.patch
Patch322: vif-bridge-no-iptables.patch
@ -555,40 +528,11 @@ Authors:
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch15501 -p1
%patch15502 -p1
%patch15503 -p1
%patch15504 -p1
%patch15505 -p1
%patch15506 -p1
%patch15507 -p1
%patch159 -p1
%patch160 -p1
%patch16201 -p1
%patch16202 -p1
%patch162 -p1
%patch164 -p1
%patch165 -p1
%patch166 -p1
%patch167 -p1
%patch168 -p1
# Upstream qemu patches
%patch250 -p1
%patch251 -p1
@ -629,6 +573,8 @@ Authors:
%patch287 -p1
%patch288 -p1
%patch289 -p1
%patch290 -p1
%patch291 -p1
# Our platform specific patches
%patch321 -p1
%patch322 -p1
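Review bot: The Patch list and %prep hunks remove the xsa155-*, xsa159, xsa160, xsa162-qemut and (per the changelog entry) xsa165–168 patches together with the tarball bump, but neither the spec nor the changelog records which of these XSA fixes were verified present in xen-4.6.1-testing-src.tar.bz2 and which were judged unnecessary. A short comment beside the surviving `# Upstream patches` block, or a changelog line naming the XSAs now covered by the tarball, would let the security coverage of this package be audited later without diffing the two tarballs. `%define changeset 31594` is left untouched while `xen_build_dir` moves to xen-4.6.1-testing; if it is meant to track the tarball's changeset it presumably needs refreshing too.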


@ -1,52 +0,0 @@
References: bsc#957988
From 27942b0cb2327e93deb12326bbe7b36c81f9fa7b Mon Sep 17 00:00:00 2001
From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Date: Fri, 20 Nov 2015 10:56:00 -0500
Subject: [PATCH] blkif: Avoid double access to src->nr_segments
src is stored in shared memory and src->nr_segments is dereferenced
twice at the end of the function. If a compiler decides to compile this
into two separate memory accesses then the size limitation could be
bypassed.
Fix it by removing the double access to src->nr_segments.
This is part of XSA-155.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
hw/xen_blkif.h | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/xen_blkif.h
@@ -79,8 +79,10 @@ static inline void blkif_get_x86_32_req(
dst->handle = src->handle;
dst->id = src->id;
dst->sector_number = src->sector_number;
- if (n > src->nr_segments)
- n = src->nr_segments;
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
+ xen_mb();
+ if (n > dst->nr_segments)
+ n = dst->nr_segments;
for (i = 0; i < n; i++)
dst->seg[i] = src->seg[i];
}
@@ -94,8 +96,10 @@ static inline void blkif_get_x86_64_req(
dst->handle = src->handle;
dst->id = src->id;
dst->sector_number = src->sector_number;
- if (n > src->nr_segments)
- n = src->nr_segments;
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
+ xen_mb();
+ if (n > dst->nr_segments)
+ n = dst->nr_segments;
for (i = 0; i < n; i++)
dst->seg[i] = src->seg[i];
}


@ -1,49 +0,0 @@
References: bsc#957988
From 0ffd4547665d2fec648ab2c9ff856c5d9db9b07c Mon Sep 17 00:00:00 2001
From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Date: Fri, 20 Nov 2015 10:37:08 -0500
Subject: [PATCH 2/2] xenfb: avoid reading twice the same fields from the
shared page
Reading twice the same field could give the guest an attack of
opportunity. In the case of event->type, gcc could compile the switch
statement into a jump table, effectively ending up reading the type
field multiple times.
This is part of XSA-155.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---
hw/xenfb.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/xenfb.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/xenfb.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/xenfb.c
@@ -827,18 +827,20 @@ static void xenfb_invalidate(void *opaqu
static void xenfb_handle_events(struct XenFB *xenfb)
{
- uint32_t prod, cons;
+ uint32_t prod, cons, out_cons;
struct xenfb_page *page = xenfb->c.page;
prod = page->out_prod;
- if (prod == page->out_cons)
+ out_cons = page->out_cons;
+ if (prod == out_cons)
return;
xen_rmb(); /* ensure we see ring contents up to prod */
- for (cons = page->out_cons; cons != prod; cons++) {
+ for (cons = out_cons; cons != prod; cons++) {
union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+ uint8_t type = event->type;
int x, y, w, h;
- switch (event->type) {
+ switch (type) {
case XENFB_TYPE_UPDATE:
if (xenfb->up_count == UP_QUEUE)
xenfb->up_fullscreen = 1;


@ -1,43 +0,0 @@
xen/blkif: Avoid double access to src->nr_segments
src is stored in shared memory and src->nr_segments is dereferenced
twice at the end of the function. If a compiler decides to compile this
into two separate memory accesses then the size limitation could be
bypassed.
Fix it by removing the double access to src->nr_segments.
This is part of XSA-155.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/block/xen_blkif.h
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/block/xen_blkif.h
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/block/xen_blkif.h
@@ -85,8 +85,10 @@ static inline void blkif_get_x86_32_req(
d->nr_sectors = s->nr_sectors;
return;
}
- if (n > src->nr_segments)
- n = src->nr_segments;
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
+ barrier();
+ if (n > dst->nr_segments)
+ n = dst->nr_segments;
for (i = 0; i < n; i++)
dst->seg[i] = src->seg[i];
}
@@ -106,8 +108,10 @@ static inline void blkif_get_x86_64_req(
d->nr_sectors = s->nr_sectors;
return;
}
- if (n > src->nr_segments)
- n = src->nr_segments;
+ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
+ barrier();
+ if (n > dst->nr_segments)
+ n = dst->nr_segments;
for (i = 0; i < n; i++)
dst->seg[i] = src->seg[i];
}


@ -1,43 +0,0 @@
References: bsc#957988
xenfb: avoid reading twice the same fields from the shared page
Reading twice the same field could give the guest an attack of
opportunity. In the case of event->type, gcc could compile the switch
statement into a jump table, effectively ending up reading the type
field multiple times.
This is part of XSA-155.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/display/xenfb.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/display/xenfb.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/display/xenfb.c
@@ -779,18 +779,20 @@ static void xenfb_invalidate(void *opaqu
static void xenfb_handle_events(struct XenFB *xenfb)
{
- uint32_t prod, cons;
+ uint32_t prod, cons, out_cons;
struct xenfb_page *page = xenfb->c.page;
prod = page->out_prod;
- if (prod == page->out_cons)
+ out_cons = page->out_cons;
+ if (prod == out_cons)
return;
xen_rmb(); /* ensure we see ring contents up to prod */
- for (cons = page->out_cons; cons != prod; cons++) {
+ for (cons = out_cons; cons != prod; cons++) {
union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+ uint8_t type = event->type;
int x, y, w, h;
- switch (event->type) {
+ switch (type) {
case XENFB_TYPE_UPDATE:
if (xenfb->up_count == UP_QUEUE)
xenfb->up_fullscreen = 1;


@ -1,48 +0,0 @@
memory: fix XENMEM_exchange error handling
assign_pages() can fail due to the domain getting killed in parallel,
which should not result in a hypervisor crash.
Also delete a redundant put_gfn() - all relevant paths leading to the
"fail" label already do this (and there are also paths where it was
plain wrong). All of the put_gfn()-s got introduced by 51032ca058
("Modify naming of queries into the p2m"), including the otherwise
unneeded initializer for k (with even a kind of misleading comment -
the compiler warning could actually have served as a hint that the use
is wrong).
This is XSA-159.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.6.0-testing/xen/common/memory.c
===================================================================
--- xen-4.6.0-testing.orig/xen/common/memory.c
+++ xen-4.6.0-testing/xen/common/memory.c
@@ -328,7 +328,7 @@ static long memory_exchange(XEN_GUEST_HA
PAGE_LIST_HEAD(out_chunk_list);
unsigned long in_chunk_order, out_chunk_order;
xen_pfn_t gpfn, gmfn, mfn;
- unsigned long i, j, k = 0; /* gcc ... */
+ unsigned long i, j, k;
unsigned int memflags = 0;
long rc = 0;
struct domain *d;
@@ -566,11 +566,12 @@ static long memory_exchange(XEN_GUEST_HA
fail:
/* Reassign any input pages we managed to steal. */
while ( (page = page_list_remove_head(&in_chunk_list)) )
- {
- put_gfn(d, gmfn + k--);
if ( assign_pages(d, page, 0, MEMF_no_refcount) )
- BUG();
- }
+ {
+ BUG_ON(!d->is_dying);
+ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
+ put_page(page);
+ }
dying:
rcu_unlock_domain(d);


@ -1,63 +0,0 @@
From adcbd15b1aec8367f790774c998db199c9b577bf Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Wed, 18 Nov 2015 15:34:54 +0000
Subject: [PATCH] libxl: Fix bootloader-related virtual memory leak on pv
build failure
The bootloader may call libxl__file_reference_map(), which mmap's the
pv_kernel and pv_ramdisk into process memory. This was only unmapped,
however, on the success path of libxl__build_pv(). If there were a
failure anywhere between libxl_bootloader.c:parse_bootloader_result()
and the end of libxl__build_pv(), the calls to
libxl__file_reference_unmap() would be skipped, leaking the mapped
virtual memory.
Ideally this would be fixed by adding the unmap calls to the
destruction path for libxl__domain_build_state. Unfortunately the
lifetime of the libxl__domain_build_state is opaque, and it doesn't
have a proper destruction path. But, the only thing in it that isn't
from the gc are these bootloader references, and they are only ever
set for one libxl__domain_build_state, the one which is
libxl__domain_create_state.build_state.
So we can clean up in the exit path from libxl__domain_create_*, which
always comes through domcreate_complete.
Remove the now-redundant unmaps in libxl__build_pv's success path.
This is XSA-160.
Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
tools/libxl/libxl_create.c | 3 +++
tools/libxl/libxl_dom.c | 3 ---
2 files changed, 3 insertions(+), 3 deletions(-)
Index: xen-4.6.0-testing/tools/libxl/libxl_create.c
===================================================================
--- xen-4.6.0-testing.orig/tools/libxl/libxl_create.c
+++ xen-4.6.0-testing/tools/libxl/libxl_create.c
@@ -1484,6 +1484,9 @@ static void domcreate_complete(libxl__eg
libxl_domain_config *const d_config = dcs->guest_config;
libxl_domain_config *d_config_saved = &dcs->guest_config_saved;
+ libxl__file_reference_unmap(&dcs->build_state.pv_kernel);
+ libxl__file_reference_unmap(&dcs->build_state.pv_ramdisk);
+
if (!rc && d_config->b_info.exec_ssidref)
rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
Index: xen-4.6.0-testing/tools/libxl/libxl_dom.c
===================================================================
--- xen-4.6.0-testing.orig/tools/libxl/libxl_dom.c
+++ xen-4.6.0-testing/tools/libxl/libxl_dom.c
@@ -750,9 +750,6 @@ int libxl__build_pv(libxl__gc *gc, uint3
state->store_mfn = xc_dom_p2m_host(dom, dom->xenstore_pfn);
}
- libxl__file_reference_unmap(&state->pv_kernel);
- libxl__file_reference_unmap(&state->pv_ramdisk);
-
ret = 0;
out:
xc_dom_release(dom);


@ -1,43 +0,0 @@
net: pcnet: add check to validate receive data size(CVE-2015-7504)
In loopback mode, pcnet_receive routine appends CRC code to the
receive buffer. If the data size given is same as the buffer size,
the appended CRC code overwrites 4 bytes after s->buffer. Added a
check to avoid that.
---
hw/net/pcnet.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
===================================================================
--- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
+++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/pcnet.c
@@ -1153,7 +1153,7 @@ static void pcnet_receive(void *opaque,
uint32_t fcs = ~0;
uint8_t *p = src;
- while (p != &src[size-4])
+ while (p != &src[size])
CRC(fcs, *p++);
crc_err = (*(uint32_t *)p != htonl(fcs));
}
@@ -1284,12 +1284,13 @@ static void pcnet_transmit(PCNetState *s
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
/* if multi-tmd packet outsizes s->buffer then skip it silently.
- Note: this is not what real hw does */
- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
- s->xmit_pos = -1;
- goto txdone;
+ * Note: this is not what real hw does.
+ * Last four bytes of s->buffer are used to store CRC FCS code.
+ */
+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+ s->xmit_pos = -1;
+ goto txdone;
}
-
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
s->xmit_pos += bcnt;


@ -17,11 +17,11 @@ This is XSA-164.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c
@@ -447,6 +447,13 @@ static void pci_msix_writel(void *opaque
return;
}


@ -1,89 +0,0 @@
x86: don't leak ST(n)/XMMn values to domains first using them
FNINIT doesn't alter these registers, and hence using it is
insufficient to initialize a guest's initial state.
This is XSA-165.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Index: xen-4.6.0-testing/xen/arch/x86/domain.c
===================================================================
--- xen-4.6.0-testing.orig/xen/arch/x86/domain.c
+++ xen-4.6.0-testing/xen/arch/x86/domain.c
@@ -851,6 +851,17 @@ int arch_set_info_guest(
if ( v->arch.xsave_area )
v->arch.xsave_area->xsave_hdr.xstate_bv = XSTATE_FP_SSE;
}
+ else if ( v->arch.xsave_area )
+ memset(&v->arch.xsave_area->xsave_hdr, 0,
+ sizeof(v->arch.xsave_area->xsave_hdr));
+ else
+ {
+ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
+
+ memset(fpu_sse, 0, sizeof(*fpu_sse));
+ fpu_sse->fcw = FCW_DEFAULT;
+ fpu_sse->mxcsr = MXCSR_DEFAULT;
+ }
if ( !compat )
{
Index: xen-4.6.0-testing/xen/arch/x86/i387.c
===================================================================
--- xen-4.6.0-testing.orig/xen/arch/x86/i387.c
+++ xen-4.6.0-testing/xen/arch/x86/i387.c
@@ -17,19 +17,6 @@
#include <asm/xstate.h>
#include <asm/asm_defns.h>
-static void fpu_init(void)
-{
- unsigned long val;
-
- asm volatile ( "fninit" );
- if ( cpu_has_xmm )
- {
- /* load default value into MXCSR control/status register */
- val = MXCSR_DEFAULT;
- asm volatile ( "ldmxcsr %0" : : "m" (val) );
- }
-}
-
/*******************************/
/* FPU Restore Functions */
/*******************************/
@@ -248,15 +235,8 @@ void vcpu_restore_fpu_lazy(struct vcpu *
if ( cpu_has_xsave )
fpu_xrstor(v, XSTATE_LAZY);
- else if ( v->fpu_initialised )
- {
- if ( cpu_has_fxsr )
- fpu_fxrstor(v);
- else
- fpu_frstor(v);
- }
else
- fpu_init();
+ fpu_fxrstor(v);
v->fpu_initialised = 1;
v->fpu_dirtied = 1;
@@ -313,7 +293,14 @@ int vcpu_init_fpu(struct vcpu *v)
else
{
v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16);
- if ( !v->arch.fpu_ctxt )
+ if ( v->arch.fpu_ctxt )
+ {
+ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
+
+ fpu_sse->fcw = FCW_DEFAULT;
+ fpu_sse->mxcsr = MXCSR_DEFAULT;
+ }
+ else
rc = -ENOMEM;
}


@ -1,48 +0,0 @@
x86/HVM: avoid reading ioreq state more than once
Otherwise, especially when the compiler chooses to translate the
switch() to a jump table, unpredictable behavior (and in the jump table
case arbitrary code execution) can result.
This is XSA-166.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.6.0-testing/xen/arch/x86/hvm/hvm.c
===================================================================
--- xen-4.6.0-testing.orig/xen/arch/x86/hvm/hvm.c
+++ xen-4.6.0-testing/xen/arch/x86/hvm/hvm.c
@@ -448,7 +448,10 @@ static bool_t hvm_wait_for_io(struct hvm
{
while ( sv->pending )
{
- switch ( p->state )
+ unsigned int state = p->state;
+
+ rmb();
+ switch ( state )
{
case STATE_IOREQ_NONE:
/*
@@ -459,18 +462,15 @@ static bool_t hvm_wait_for_io(struct hvm
hvm_io_assist(sv, ~0ul);
break;
case STATE_IORESP_READY: /* IORESP_READY -> NONE */
- rmb(); /* see IORESP_READY /then/ read contents of ioreq */
p->state = STATE_IOREQ_NONE;
hvm_io_assist(sv, p->data);
break;
case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */
case STATE_IOREQ_INPROCESS:
- wait_on_xen_event_channel(sv->ioreq_evtchn,
- (p->state != STATE_IOREQ_READY) &&
- (p->state != STATE_IOREQ_INPROCESS));
+ wait_on_xen_event_channel(sv->ioreq_evtchn, p->state != state);
break;
default:
- gdprintk(XENLOG_ERR, "Weird HVM iorequest state %d.\n", p->state);
+ gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state);
sv->pending = 0;
domain_crash(sv->vcpu->domain);
return 0; /* bail */


@ -1,78 +0,0 @@
x86/mm: PV superpage handling lacks sanity checks
MMUEXT_{,UN}MARK_SUPER fail to check the input MFN for validity before
dereferencing pointers into the superpage frame table.
get_superpage() has a similar issue.
This is XSA-167.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.6.0-testing/xen/arch/x86/mm.c
===================================================================
--- xen-4.6.0-testing.orig/xen/arch/x86/mm.c
+++ xen-4.6.0-testing/xen/arch/x86/mm.c
@@ -2624,6 +2624,9 @@ int get_superpage(unsigned long mfn, str
ASSERT(opt_allow_superpage);
+ if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
+ return -EINVAL;
+
spage = mfn_to_spage(mfn);
y = spage->type_info;
do {
@@ -3401,42 +3404,26 @@ long do_mmuext_op(
}
case MMUEXT_MARK_SUPER:
+ case MMUEXT_UNMARK_SUPER:
{
unsigned long mfn = op.arg1.mfn;
- if ( unlikely(d != pg_owner) )
- rc = -EPERM;
- else if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
- {
- MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
- okay = 0;
- }
- else if ( !opt_allow_superpage )
+ if ( !opt_allow_superpage )
{
MEM_LOG("Superpages disallowed");
rc = -ENOSYS;
}
- else
- rc = mark_superpage(mfn_to_spage(mfn), d);
- break;
- }
-
- case MMUEXT_UNMARK_SUPER:
- {
- unsigned long mfn = op.arg1.mfn;
-
- if ( unlikely(d != pg_owner) )
+ else if ( unlikely(d != pg_owner) )
rc = -EPERM;
- else if ( mfn & (L1_PAGETABLE_ENTRIES-1) )
+ else if ( mfn & (L1_PAGETABLE_ENTRIES - 1) )
{
MEM_LOG("Unaligned superpage reference mfn %lx", mfn);
- okay = 0;
- }
- else if ( !opt_allow_superpage )
- {
- MEM_LOG("Superpages disallowed");
- rc = -ENOSYS;
+ rc = -EINVAL;
}
+ else if ( !mfn_valid(mfn | (L1_PAGETABLE_ENTRIES - 1)) )
+ rc = -EINVAL;
+ else if ( op.cmd == MMUEXT_MARK_SUPER )
+ rc = mark_superpage(mfn_to_spage(mfn), d);
else
rc = unmark_superpage(mfn_to_spage(mfn));
break;


@ -1,29 +0,0 @@
x86/VMX: prevent INVVPID failure due to non-canonical guest address
While INVLPG (and on SVM INVLPGA) don't fault on non-canonical
addresses, INVVPID fails (in the "individual address" case) when passed
such an address.
Since such intercepted INVLPG are effectively no-ops anyway, don't fix
this in vmx_invlpg_intercept(), but instead have paging_invlpg() never
return true in such a case.
This is XSA-168.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.6.0-testing/xen/include/asm-x86/paging.h
===================================================================
--- xen-4.6.0-testing.orig/xen/include/asm-x86/paging.h
+++ xen-4.6.0-testing/xen/include/asm-x86/paging.h
@@ -245,7 +245,7 @@ paging_fault(unsigned long va, struct cp
* or 0 if it's safe not to do so. */
static inline int paging_invlpg(struct vcpu *v, unsigned long va)
{
- return paging_get_hostmode(v)->invlpg(v, va);
+ return is_canonical_address(va) && paging_get_hostmode(v)->invlpg(v, va);
}
/* Translate a guest virtual address to the frame number that the