diff --git a/57580bbd-kexec-allow-relaxed-placement-via-cmdline.patch b/57580bbd-kexec-allow-relaxed-placement-via-cmdline.patch
new file mode 100644
index 0000000..566bb27
--- /dev/null
+++ b/57580bbd-kexec-allow-relaxed-placement-via-cmdline.patch
@@ -0,0 +1,144 @@ +References: bsc#900418 + +# Commit cd42ccb27f4e364b6e75b6fecb06bb99ad8da988 +# Date 2016-06-08 14:12:45 +0200 +# Author Jan Beulich +# Committer Jan Beulich +kexec: allow relaxed placement specification via command line + +Rather than just allowing a fixed address or fully automatic placement, +also allow for specifying an upper bound. Especially on EFI systems, +where firmware memory use is commonly less predictable than on legacy +BIOS ones, this makes success of the reservation more likely when +automatic placement is not an option (e.g. because of special DMA +restrictions of devices involved in actually carrying out the dump). + +Also take the opportunity to actually add text to the "crashkernel" +entry in the command line option doc. + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper +Reviewed-by: David Vrabel +Reviewed-by: Daniel Kiper + +--- a/docs/misc/xen-command-line.markdown ++++ b/docs/misc/xen-command-line.markdown +@@ -458,7 +458,18 @@ Specify the maximum address to allocate + combination with the `low_crashinfo` command line option. + + ### crashkernel +-> `= :[,...][@]` ++> `= :[,...][{@,<}]` ++> `= [{@,<}]` ++ ++Specify sizes and optionally placement of the crash kernel reservation ++area. The `:` pairs indicate how much memory to ++set aside for a crash kernel (``) for a given range of installed ++RAM (``). Each `` is of the form ++`-[]`. ++ ++A trailing `@` specifies the exact address this area should be ++placed at, whereas `<` in place of `@` just specifies an upper bound of ++the address range the area should fall into. + + ### credit2\_balance\_over + > `= ` +--- a/xen/arch/x86/setup.c ++++ b/xen/arch/x86/setup.c +@@ -1044,13 +1044,23 @@ void __init noreturn __start_xen(unsigne + } + + #ifdef CONFIG_KEXEC +- /* Don't overlap with modules. 
*/ +- e = consider_modules(s, e, PAGE_ALIGN(kexec_crash_area.size), +- mod, mbi->mods_count, -1); +- if ( !kexec_crash_area.start && (s < e) ) ++ /* ++ * Looking backwards from the crash area limit, find a large ++ * enough range that does not overlap with modules. ++ */ ++ while ( !kexec_crash_area.start ) + { +- e = (e - kexec_crash_area.size) & PAGE_MASK; +- kexec_crash_area.start = e; ++ /* Don't overlap with modules. */ ++ e = consider_modules(s, e, PAGE_ALIGN(kexec_crash_area.size), ++ mod, mbi->mods_count, -1); ++ if ( s >= e ) ++ break; ++ if ( e > kexec_crash_area_limit ) ++ { ++ e = kexec_crash_area_limit & PAGE_MASK; ++ continue; ++ } ++ kexec_crash_area.start = (e - kexec_crash_area.size) & PAGE_MASK; + } + #endif + } +--- a/xen/common/kexec.c ++++ b/xen/common/kexec.c +@@ -60,6 +60,7 @@ static unsigned char vmcoreinfo_data[VMC + static size_t vmcoreinfo_size = 0; + + xen_kexec_reserve_t kexec_crash_area; ++paddr_t __initdata kexec_crash_area_limit = ~(paddr_t)0; + static struct { + u64 start, end; + unsigned long size; +@@ -86,7 +87,7 @@ static void *crash_heap_current = NULL, + /* + * Parse command lines in the format + * +- * crashkernel=:[,...][@] ++ * crashkernel=:[,...][{@,<}
] + * + * with being of form + * +@@ -94,7 +95,7 @@ static void *crash_heap_current = NULL, + * + * as well as the legacy ones in the format + * +- * crashkernel=[@] ++ * crashkernel=[{@,<}
] + */ + static void __init parse_crashkernel(const char *str) + { +@@ -109,7 +110,7 @@ static void __init parse_crashkernel(con + { + printk(XENLOG_WARNING "crashkernel: too many ranges\n"); + cur = NULL; +- str = strchr(str, '@'); ++ str = strpbrk(str, "@<"); + break; + } + +@@ -154,9 +155,16 @@ static void __init parse_crashkernel(con + } + else + kexec_crash_area.size = parse_size_and_unit(cur = str, &str); +- if ( cur != str && *str == '@' ) +- kexec_crash_area.start = parse_size_and_unit(cur = str + 1, &str); +- if ( cur == str ) ++ if ( cur != str ) ++ { ++ if ( *str == '@' ) ++ kexec_crash_area.start = parse_size_and_unit(cur = str + 1, &str); ++ else if ( *str == '<' ) ++ kexec_crash_area_limit = parse_size_and_unit(cur = str + 1, &str); ++ else ++ printk(XENLOG_WARNING "crashkernel: '%s' ignored\n", str); ++ } ++ if ( cur && cur == str ) + printk(XENLOG_WARNING "crashkernel: memory value expected\n"); + } + custom_param("crashkernel", parse_crashkernel); +--- a/xen/include/xen/kexec.h ++++ b/xen/include/xen/kexec.h +@@ -14,6 +14,7 @@ typedef struct xen_kexec_reserve { + } xen_kexec_reserve_t; + + extern xen_kexec_reserve_t kexec_crash_area; ++extern paddr_t kexec_crash_area_limit; + + extern bool_t kexecing; + diff --git a/575e9ca0-nested-vmx-Validate-host-VMX-MSRs-before-accessing-them.patch b/575e9ca0-nested-vmx-Validate-host-VMX-MSRs-before-accessing-them.patch new file mode 100644 index 0000000..0604975 --- /dev/null +++ b/575e9ca0-nested-vmx-Validate-host-VMX-MSRs-before-accessing-them.patch 
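Review bot: The new `'<'` branch in parse_crashkernel stores any value into kexec_crash_area_limit without relating it to kexec_crash_area.size, and the setup.c loop then only clamps `e = kexec_crash_area_limit & PAGE_MASK` before computing `(e - kexec_crash_area.size) & PAGE_MASK`; a limit smaller than the requested size is caught only if consider_modules() (not visible here) returns `e <= s` and reaches the `break`. Rejecting it at parse time makes the contract explicit: `if ( kexec_crash_area_limit < kexec_crash_area.size ) { printk(XENLOG_WARNING "crashkernel: limit below size, ignored\n"); kexec_crash_area_limit = ~(paddr_t)0; }`. A comment on the new `while ( !kexec_crash_area.start )` loop stating that `e` is the exclusive upper end and the area is placed at `[e - size, e)` would also help a reader; __start_xen continues outside the hunk.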
@@ -0,0 +1,62 @@
+# Commit 5e02972646132ad98c365ebfcfcb43b40a0dde36
+# Date 2016-06-13 12:44:32 +0100
+# Author Euan Harris
+# Committer Andrew Cooper
+nested vmx: Validate host VMX MSRs before accessing them
+
+Some VMX MSRs may not exist on certain processor models, or may
+be disabled because of configuration settings. It is only safe to
+access these MSRs if configuration flags in other MSRs are set. These
+prerequisites are listed in the Intel 64 and IA-32 Architectures
+Software Developer’s Manual, Vol 3, Appendix A.
+
+nvmx_msr_read_intercept() does not check the prerequisites before
+accessing MSR_IA32_VMX_PROCBASED_CTLS2, MSR_IA32_VMX_EPT_VPID_CAP,
+MSR_IA32_VMX_VMFUNC on the host. Accessing these MSRs from a nested
+VMX guest running on a host which does not support them will cause
+Xen to crash with a GPF.
+
+Signed-off-by: Euan Harris
+Acked-by: Kevin Tian
+Reviewed-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/hvm/vmx/vvmx.c
++++ b/xen/arch/x86/hvm/vmx/vvmx.c
+@@ -1820,11 +1820,22 @@ int nvmx_msr_read_intercept(unsigned int
+ return 0;
+
+ /*
+- * Those MSRs are available only when bit 55 of
+- * MSR_IA32_VMX_BASIC is set.
++ * These MSRs are only available when flags in other MSRs are set.
++ * These prerequisites are listed in the Intel 64 and IA-32
++ * Architectures Software Developer’s Manual, Vol 3, Appendix A.
+ */
+ switch ( msr )
+ {
++ case MSR_IA32_VMX_PROCBASED_CTLS2:
++ if ( !cpu_has_vmx_secondary_exec_control )
++ return 0;
++ break;
++
++ case MSR_IA32_VMX_EPT_VPID_CAP:
++ if ( !(cpu_has_vmx_ept || cpu_has_vmx_vpid) )
++ return 0;
++ break;
++
+ case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
+ case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
+ case MSR_IA32_VMX_TRUE_EXIT_CTLS:
+@@ -1832,6 +1843,11 @@ int nvmx_msr_read_intercept(unsigned int
+ if ( !(vmx_basic_msr & VMX_BASIC_DEFAULT1_ZERO) )
+ return 0;
+ break;
++
++ case MSR_IA32_VMX_VMFUNC:
++ if ( !cpu_has_vmx_vmfunc )
++ return 0;
++ break;
+ }
+
+ rdmsrl(msr, host_data);
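Review bot: The `||` in the new MSR_IA32_VMX_EPT_VPID_CAP case reads like it should be `&&` unless the reader already knows that this MSR is defined whenever either the EPT or the VPID secondary control is supported; a one-line comment, `/* Present when either EPT or VPID is supported (SDM Vol 3, Appendix A). */`, stops a later "fix" from reintroducing the host #GP this commit removes. The same applies to the PROCBASED_CTLS2 and VMFUNC cases: naming the gating control beside each `cpu_has_vmx_*` test documents why that predicate is the correct prerequisite. nvmx_msr_read_intercept continues outside both hunks.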
diff --git a/57640448-xen-sched-use-default-scheduler-upon-an-invalid-sched.patch b/57640448-xen-sched-use-default-scheduler-upon-an-invalid-sched.patch
new file mode 100644
index 0000000..5eac44b
--- /dev/null
+++ b/57640448-xen-sched-use-default-scheduler-upon-an-invalid-sched.patch
@@ -0,0 +1,32 @@
+# Commit 9dec2c47406f4ef31711656722f5f70d758d6160
+# Date 2016-06-17 15:08:08 +0100
+# Author Dario Faggioli
+# Committer George Dunlap
+xen: sched: use default scheduler upon an invalid "sched="
+
+instead of just the first scheduler we find in the array.
+
+In fact, right now, if someone makes a typo when passing
+the "sched=" command line option to Xen, we (with all
+schedulers configured in) pick ARINC653, which is most
+likely not what one would expect.
+
+Go for the default scheduler instead.
+
+Signed-off-by: Dario Faggioli
+Acked-by: George Dunlap
+Reviewed-by: Andrew Cooper
+Reviewed-By: Jonathan Creekmore
+
+--- a/xen/common/schedule.c
++++ b/xen/common/schedule.c
+@@ -1625,7 +1625,8 @@ void __init scheduler_init(void)
+ {
+ printk("Could not find scheduler: %s\n", opt_sched);
+ for ( i = 0; i < NUM_SCHEDULERS; i++ )
+- if ( schedulers[i] )
++ if ( schedulers[i] &&
++ !strcmp(schedulers[i]->opt_name, CONFIG_SCHED_DEFAULT) )
+ {
+ ops = *schedulers[i];
+ break;
diff --git a/CVE-2014-3672-qemut-xsa180.patch b/CVE-2014-3672-qemut-xsa180.patch
deleted file mode 100644
index 803cd86..0000000
--- a/CVE-2014-3672-qemut-xsa180.patch
+++ /dev/null
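Review bot: With the added `!strcmp(schedulers[i]->opt_name, CONFIG_SCHED_DEFAULT)` test the fallback loop can now finish without selecting anything: previously the first non-NULL entry was taken, now `ops` stays untouched if the default scheduler is compiled out or its `opt_name` does not match CONFIG_SCHED_DEFAULT. Whether code after the loop catches that is not visible, since scheduler_init continues outside the hunk, so either a `BUG_ON()` / `panic()` after the loop or a comment stating that CONFIG_SCHED_DEFAULT is always present in `schedulers[]` would make the invariant explicit. A one-line comment above the `for`, `/* Fall back to the build-time default scheduler, not the first one registered. */`, would also record the intent of the change.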
@@ -1,87 +0,0 @@ -References: bsc#981264 CVE-2014-3672 XSA-180 - -From 7490dab5c1a01b1623e9d87bdc653cb4f963dd8a Mon Sep 17 00:00:00 2001 -From: Ian Jackson -Date: Thu, 19 May 2016 19:38:35 +0100 -Subject: [PATCH] main loop: Big hammer to fix logfile disk DoS in Xen setups - -Each time round the main loop, we now fstat stderr. If it is too big, -we dup2 /dev/null onto it. This is not a very pretty patch but it is -very simple, easy to see that it's correct, and has a low risk of -collateral damage. - -The limit is 1Mby by default but can be adjusted by setting a new -environment variable. - -This fixes CVE-2014-3672. - -Signed-off-by: Ian Jackson -Tested-by: Ian Jackson ---- - vl.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 46 insertions(+) - -Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c -=================================================================== ---- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c -+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/vl.c -@@ -3752,6 +3752,50 @@ static void host_main_loop_wait(int *tim - } - #endif - -+static void check_cve_2014_3672_xen(void) -+{ -+ static unsigned long limit = ~0UL; -+ const int fd = 2; -+ struct stat stab; -+ -+ if (limit == ~0UL) { -+ const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT"); -+ /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */ -+ limit = s ? strtoul(s,0,0) : 1*1024*1024; -+ } -+ if (limit == 0) -+ return; -+ -+ int r = fstat(fd, &stab); -+ if (r) { -+ perror("fstat stderr (for CVE-2014-3672 check)"); -+ exit(-1); -+ } -+ if (!S_ISREG(stab.st_mode)) -+ return; -+ if (stab.st_size <= limit) -+ return; -+ -+ /* oh dear */ -+ fprintf(stderr,"\r\n" -+ "Closing stderr due to CVE-2014-3672 limit. 
" -+ " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override," -+ " or 0 for no limit.\n"); -+ fflush(stderr); -+ -+ int nfd = open("/dev/null", O_WRONLY); -+ if (nfd < 0) { -+ perror("open /dev/null (for CVE-2014-3672 check)"); -+ exit(-1); -+ } -+ r = dup2(nfd, fd); -+ if (r != fd) { -+ perror("dup2 /dev/null (for CVE-2014-3672 check)"); -+ exit(-1); -+ } -+ close(nfd); -+} -+ - void main_loop_wait(int timeout) - { - IOHandlerRecord *ioh; -@@ -3763,6 +3807,8 @@ void main_loop_wait(int timeout) - - host_main_loop_wait(&timeout); - -+ check_cve_2014_3672_xen(); -+ - /* poll any events */ - /* XXX: separate device handlers from system ones */ - nfds = -1; diff --git a/block-dmmd b/block-dmmd index 64475ed..f9cfb67 100644 --- a/block-dmmd +++ b/block-dmmd @@ -2,7 +2,7 @@ # Usage: block-dmmd [add args | remove args] # -# the dmmd device syntax (in xm commands/configs) is something like: +# the dmmd device syntax (in xm/xl commands/configs) is something like: # dmmd:md;/dev/md0;md;/dev/md1;lvm;/dev/vg1/lv1 # or # dmmd:lvm;/dev/vg1/lv1;lvm;/dev/vg1/lv2;md;/dev/md0 
@@ -16,30 +16,49 @@ # dmmd:md;My-MD-name;lvm;/dev/vg1/lv1 # # History: +# 2016-05-27, mlatimer@suse.com: +# Merge improvements by loic.devulder@mpsa.com. Highlights include: +# - Re-write and simplification to speed up the script! +# - Add some (useful) logging messages and comments +# Minor tweaks and logging improvements +# 2016-05-26, mlatimer@suse.com: +# Verify MD activation if mdadm returns 2 +# 2016-05-20, mlatimer@suse.com: +# Strip leading "dmmd:" if present in xenstore params value # 2013-07-03, loic.devulder@mpsa.com: -# Partial rewrite of the script for supporting MD activation by name +# Partial rewrite of the script for supporting MD activation by name # 2009-06-09, mh@novell.com: -# Emit debugging messages into a temporary file; if no longer needed, -# just comment the exec I/O redirection below -# Make variables used in functions local to avoid global overridings -# Use vgscan and vgchange where required -# Use the C locale to avoid dealing with localized messages -# Assign output from assembling an MD device to a variable to aid debugging +# Emit debugging messages into a temporary file; if no longer needed, +# just comment the exec I/O redirection below +# Make variables used in functions local to avoid global overridings +# Use vgscan and vgchange where required +# Use the C locale to avoid dealing with localized messages +# Assign output from assembling an MD device to a variable to aid +# debugging -# We do not want to deal with localized messages: -LANG=C -LC_MESSAGES=C -export LANG LC_MESSAGES +# We do not want to deal with localized messages +# We use LC_ALL because LC_ALL superse LANG +# But we also use LANG because some applications may still use LANG... +export LC_ALL=C +export LANG=${LC_ALL} -dir=$(dirname "$0") -. "$dir/block-common.sh" +# Loading common libraries +. 
$(dirname $0)/block-common.sh -#exec >> /tmp/block-dmmd-`date +%F_%T.%N`.log 2>&1 -#echo shell-flags: $- +# Constants +typeset -rx MDADM_BIN=/sbin/mdadm +typeset -rx LVCHANGE_BIN=/sbin/lvchange +typeset -rx PVSCAN_BIN=/sbin/pvscan +typeset -rx VGSCAN_BIN=/sbin/vgscan +typeset -rx VGCHANGE_BIN=/sbin/vgchange +typeset -rx DATE_LOG="date +%F_%T.%N" +typeset -rx DATE_SEC="date +%s" -command=$1 +# Uncomment for debugging purposes +# exec >> /tmp/block-dmmd-$(${DATE_LOG}).log 2>&1 +# echo shell-flags: $- -# We check for errors ourselves: +# We check for errors ourselves set +e function run_mdadm() @@ -48,21 +67,24 @@ function run_mdadm() local msg local rc - msg="$(/sbin/mdadm $mdadm_cmd 2>&1)" + msg="$(${MDADM_BIN} ${mdadm_cmd} 2>&1)" rc=$? - case "$msg" in - *"has been started"* | *"already active"* ) - return 0 - ;; - *"is already in use"* ) - # hmm, might be used by another device in this domU - # leave it to upper layers to detect a real error - return 2 - ;; - * ) - return $rc - ;; + case "${msg}" in + *"has been started"* | *"already active"*) + return 0 + ;; + *"is already in use"*) + # Hmm, might be used by another device in this domU + # Leave it to upper layers to detect a real error + return 2 + ;; + *) + return ${rc} + ;; esac + + # Normally we should not get here, but if this happens + # we have to return an error return 1 } 
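Review bot: `. $(dirname $0)/block-common.sh` drops the quoting the removed `. "$dir/block-common.sh"` had, so a script path containing whitespace or glob characters now word-splits before the source; `. "$(dirname "$0")/block-common.sh"` keeps the previous behaviour. The new `typeset -rx DATE_LOG="date +%F_%T.%N"` and `DATE_SEC` constants keep a command line in a string and run it via `$(${DATE_LOG})`, which word-splits the string on every call; small functions such as `log_date() { date +%F_%T.%N; }` are the usual shape and are not subject to splitting. In the locale comment, "superse" should read "supersedes".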
@@ -72,36 +94,49 @@ function activate_md() local par=$1 local cfg dev dev_path rc t mdadm_opts - if [ ${par} = ${par%%(*} ]; then + if [[ ${par} == ${par%%(*} ]]; then # No configuration file specified - dev=$par - cfg= + dev=${par} + cfg="" else - dev=${par%%(*} - t=${par#*(} - cfg="-c ${t%%)*}" + dev=${par%%(*} + t=${par#*(} + cfg="-c ${t%%)*}" fi # Looking for device name or aliase - if [ ${dev:0:1} = / ]; then - dev_path=${dev%/*} - mdadm_opts= + if [[ ${dev:0:1} == / ]]; then + dev_path=${dev%/*} + mdadm_opts="" else - dev_path=/dev/md - mdadm_opts="-s -N" + dev_path=/dev/md + mdadm_opts="-s -N" fi - # Is md device already active? + # Logging message + echo "[$(${DATE_LOG})] activate MD device ${dev}..." >&2 + + # Is MD device already active? # We need to use full path name, aliase is not possible... if [ -e $dev_path/${dev##*/} ]; then - /sbin/mdadm -Q -D $dev_path/${dev##*/} 2>/dev/null | grep -iq state.*\:.*inactive || return 0 + ${MDADM_BIN} -Q -D $dev_path/${dev##*/} 2>/dev/null \ + | grep -iq state.*\:.*inactive || return 0 fi - run_mdadm "-A $mdadm_opts $dev $cfg" + # Activate MD device + run_mdadm "-A ${mdadm_opts} ${dev} ${cfg}" rc=$? - [ $rc -eq 2 ] && return 0 + # A return code of 2 can indicate the array configuration was incorrect + if [[ ${rc} == 2 ]]; then + # Logging message + echo "[$(${DATE_LOG})] verifying MD device ${dev} activation..." >&2 - return $rc + # If the array is active, return 0, otherwise return an error + ${MDADM_BIN} -Q -D $dev_path/${dev##*/} &>/dev/null && return 0 \ + || return 1 + fi + + return ${rc} } function deactivate_md() 
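Review bot: The new `rc == 2` verification treats `${MDADM_BIN} -Q -D ... &>/dev/null` exiting 0 as proof that the array is active, but the check a few lines earlier in the same function only considers the device active when the `-D` output does not match `state.*\:.*inactive`, so the two tests in activate_md disagree and the comment "If the array is active, return 0" is not what the second one establishes. Reusing the existing form keeps them consistent: `[[ -e $dev_path/${dev##*/} ]] || return 1` followed by `${MDADM_BIN} -Q -D $dev_path/${dev##*/} 2>/dev/null | grep -iq state.*\:.*inactive && return 1 || return 0`. Whether `mdadm -D` exits non-zero for an inactive array is not shown on this page; the earlier check assumes it does not.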
@@ -109,22 +144,25 @@ function deactivate_md() local par=$1 local dev - if [ ${par} = ${par%%(*} ]; then + if [[ ${par} == ${par%%(*} ]]; then # No configuration file specified - dev=${par} + dev=${par} else - dev=${par%%(*} + dev=${par%%(*} fi # Looking for device name or aliase - if [ ${dev:0:1} = / ]; then - dev_path=${dev%/*} + if [[ ${dev:0:1} == / ]]; then + dev_path=${dev%/*} else - dev_path=/dev/md + dev_path=/dev/md fi + # Logging message + echo "[$(${DATE_LOG})] deactivate MD device ${dev}..." >&2 + # We need the device name only while deactivating - /sbin/mdadm -S ${dev_path}/${dev##*/} > /dev/null 2>&1 + ${MDADM_BIN} -S ${dev_path}/${dev##*/} > /dev/null 2>&1 return $? } 
@@ -132,169 +170,200 @@ function deactivate_md() function activate_lvm() { local run_timeout=90 + local parsed_timeout local end_time + # If /etc/xen/xend-config.sxp exists (e.g. SLES11), use + # device-create-timeout, instead of the default setting + if [[ -f /etc/xen/xend-config.sxp ]]; then + parsed_timeout=$(grep -v "^[ \t]*#.*" /etc/xen/xend-config.sxp \ + |sed -n 's/(device-create-timeout \+\([0-9]\+\))/\1/p') + if [[ ! -z $parsed_timeout ]]; then + run_timeout=$((${parsed_timeout}*9/10)) + fi + fi + # First scan for PVs and VGs - # We need this for using md device as PV - /sbin/pvscan > /dev/null 2>&1 -# /sbin/vgscan --mknodes > /dev/null 2>&1 + # We need this for using MD device as PV + ${PVSCAN_BIN} > /dev/null 2>&1 +# ${VGSCAN_BIN} --mknodes > /dev/null 2>&1 + + # Logging message + echo "[$(${DATE_LOG})] activate LVM device ${dev}..." >&2 + + # Set end_time for the loop + (( end_time = $(${DATE_SEC}) + run_timeout )) - end_time=$(($(date +%s)+${run_timeout})) while true; do - /sbin/lvchange -aey $1 > /dev/null 2>&1 + ${LVCHANGE_BIN} -aey $1 > /dev/null 2>&1 - if [ $? -eq 0 -a -e $1 ]; then - return 0 - fi + if [ $? -eq 0 -a -e $1 ]; then + return 0 + fi - sleep 0.1 - if [ $(date +%s) -ge ${end_time} ]; then - log err "Failed to activate $1 within ${run_timeout} seconds" - return 1 - fi + sleep 0.1 + # If it takes too long we need to return an error + if (( $(${DATE_SEC}) >= end_time )); then + log err "Failed to activate $1 within ${run_timeout} seconds" + return 1 + fi done + + # Normally we should not get here, but if this happens + # we have to return an error return 1 } function deactivate_lvm() { - /sbin/lvchange -aen $1 > /dev/null 2>&1 + # Logging message + echo "[$(${DATE_LOG})] deactivate LVM device ${dev}..." >&2 + + ${LVCHANGE_BIN} -aen $1 > /dev/null 2>&1 if [ $? 
-eq 0 ]; then - # We may have to deactivate the VG now, but can ignore errors: -# /sbin/vgchange -an ${1%/*} || : + # We may have to deactivate the VG now, but can ignore errors: +# ${VGCHANGE_BIN} -an ${1%/*} || : # Maybe we need to cleanup the LVM cache: -# /sbin/vgscan --mknodes || : - return 0 +# ${VGSCAN_BIN} --mknodes || : + return 0 fi return 1 } -BP=100 -SP=$BP -VBD= +# Variables +typeset command=$1 +typeset BP=100 +typeset SP=${BP} +typeset VBD +typeset -a stack -declare -a stack function push() { - if [ -z "$1" ]; then - return - fi - let "SP -= 1" - stack[$SP]="${1}" + local value="$1" + + [[ -n "${value}" ]] \ + && stack[$((--SP))]="${value}" + + return 0 } function pop() { - VBD= + [[ "${SP}" != "${BP}" ]] \ + && VBD=${stack[$((SP++))]} \ + || VBD="" - if [ "$SP" -eq "$BP" ]; then - return - fi - - VBD=${stack[$SP]} - let "SP += 1" + return 0 } function activate_dmmd() { - case $1 in - md) + case "$1" in + "md") activate_md $2 - return + return $? ;; - lvm) + "lvm") activate_lvm $2 - return + return $? ;; esac + + # Normally we should not get here, but if this happens + # we have to return an error + return 1 } function deactivate_dmmd() { case "$1" in - md) + "md") deactivate_md $2 - return + return $? ;; - lvm) + "lvm") deactivate_lvm $2 - return + return $? 
;; esac + + # Normally we should not get here, but if this happens + # we have to return an error + return 1 } function cleanup_stack() { - while [ 1 ]; do + while true; do pop - if [ -z "$VBD" ]; then - break - fi - deactivate_dmmd $VBD + [[ -z "${VBD}" ]] && break + deactivate_dmmd ${VBD} done } function parse_par() { - local ac par rc s t # Make these explicitly local vars + # Make these vars explicitly local + local ac par rc s t ac=$1 par="$2" - par="$par;" - while [ 1 ]; do + par="${par};" + while true; do t=${par%%;*} - if [ -z "$t" ]; then - return 0 - fi + + [[ -z "${t}" ]] && return 0 par=${par#*;} s=${par%%;*} - if [ -z "$s" ]; then - return 1 - fi + [[ -z "${s}" ]] && return 1 par=${par#*;} - if [ "$ac" = "activate" ]; then - activate_dmmd $t $s - rc=$? - if [ $rc -ne 0 ]; then - return 1 - fi + if [[ "${ac}" == "activate" ]]; then + activate_dmmd ${t} ${s} \ + || return 1 fi - push "$t $s" + push "${t} ${s}" done } +case "${command}" in + "add") + p=$(xenstore-read ${XENBUS_PATH}/params) || true + claim_lock "dmmd" + dmmd=${p#dmmd:} -case "$command" in - add) - p=`xenstore-read $XENBUS_PATH/params` || true - claim_lock "dmmd" - dmmd=${p#dmmd:} - parse_par activate "$dmmd" - rc=$? - if [ $rc -ne 0 ]; then - cleanup_stack - release_lock "dmmd" - exit 1 - fi - lastparam=${dmmd##*;} - usedevice=${lastparam%(*} - xenstore-write $XENBUS_PATH/node "$usedevice" - write_dev "$usedevice" - release_lock "dmmd" - exit 0 - ;; + if ! 
parse_par activate "${dmmd}"; then
+ cleanup_stack
+ release_lock "dmmd"
+ exit 1
+ fi
- remove)
- p=`xenstore-read $XENBUS_PATH/params` || true
- claim_lock "dmmd"
- dmmd=${p#dmmd:}
- parse_par noactivate "$dmmd"
- cleanup_stack
- release_lock "dmmd"
- exit 0
- ;;
+ lastparam=${dmmd##*;}
+ usedevice=${lastparam%(*}
+ xenstore-write ${XENBUS_PATH}/node "${usedevice}"
+ write_dev "${usedevice}"
+ release_lock "dmmd"
+
+ exit 0
+ ;;
+
+ "remove")
+ p=$(xenstore-read ${XENBUS_PATH}/params) || true
+ claim_lock "dmmd"
+ dmmd=${p#dmmd:}
+
+ parse_par noactivate "${dmmd}"
+
+ cleanup_stack
+ release_lock "dmmd"
+
+ exit 0
+ ;;
 esac
+
+# Normally we should not get here, but if this happens
+# we have to return an error
+return 1
diff --git a/ipxe.tar.bz2 b/ipxe.tar.bz2
index 0c0393c..1f0b3a3 100644
--- a/ipxe.tar.bz2
+++ b/ipxe.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:cedb8a940072948d3c94933f75d48749ca5f3f7b4b103fab2146d86e7a04250e
-size 2877499
+oid sha256:9e738814a69408e6fd725adaebfe61f17013520b46852204ad0c7f3c7ced142f
+size 2877771
diff --git a/qemu-xen-traditional-dir-remote.tar.bz2 b/qemu-xen-traditional-dir-remote.tar.bz2
index 980eaee..9396619 100644
--- a/qemu-xen-traditional-dir-remote.tar.bz2
+++ b/qemu-xen-traditional-dir-remote.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5b687988f256884ff76fa098b9e80b35f6b6a4fb1657b9a1b397cfb1cf803a81
-size 3237484
+oid sha256:56d11699417995deec758fa53f0015683a856c78f8fe88ef9f4ee535d115e55b
+size 3237180
diff --git a/stubdom.tar.bz2 b/stubdom.tar.bz2
index d25ac86..8df22c3 100644
--- a/stubdom.tar.bz2
+++ b/stubdom.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:668c2c85b21a02203ccd8a559a0f8c7e01ca7f60ef4b12576e35490ec705b5f4
-size 17477020
+oid sha256:b7fce018fbbf4c4c678ee81b79934be92aa60aa7a091126fd43552a1bdb1c92c
+size 17477558
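Review bot: The new log lines in activate_lvm and deactivate_lvm print `${dev}`, but neither function defines `dev` — their device is `$1`, and `dev` is `local` to activate_md/deactivate_md — so both messages come out with an empty device name; use the argument instead: `echo "[$(${DATE_LOG})] activate LVM device $1..." >&2`. The trailing top-level `return 1` after `esac` is outside any function, so unless block-dmmd is always sourced, bash rejects it with "return: can only `return' from a function or sourced script"; `exit 1` is the intended statement, matching the `exit 0`/`exit 1` already used in the `add` and `remove` branches. Both points fall within this hunk, whose leading context starts inside deactivate_md.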
diff --git a/xen-4.7.0-testing-src.tar.bz2 b/xen-4.7.0-testing-src.tar.bz2
index 70d86dc..6424f85 100644
--- a/xen-4.7.0-testing-src.tar.bz2
+++ b/xen-4.7.0-testing-src.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:d53bd33cf3e5fe1d7ac3145f6cc9a75829e1690fcc26ac9df113c212361dfcb7
-size 4465808
+oid sha256:b7d642a7d1c3e0c423f7cd66ddff9e173135a6bd4e4f7b36cd7fefe20065a6e8
+size 4472864
diff --git a/xen.changes b/xen.changes
index 43ba451..7bc16e1 100644
--- a/xen.changes
+++ b/xen.changes
@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Thu Jun 23 09:45:38 MDT 2016 - carnold@suse.com
+
+- bsc#900418 - Dump cannot be performed on SLES12 XEN
+ 57580bbd-kexec-allow-relaxed-placement-via-cmdline.patch
+- Upstream patches from Jan
+ 575e9ca0-nested-vmx-Validate-host-VMX-MSRs-before-accessing-them.patch
+ 57640448-xen-sched-use-default-scheduler-upon-an-invalid-sched.patch
+
+-------------------------------------------------------------------
+Tue Jun 21 08:26:51 MDT 2016 - carnold@suse.com
+
+- fate#319989 - Update to Xen 4.7 FCS
+ xen-4.7.0-testing-src.tar.bz2
+- Drop CVE-2014-3672-qemut-xsa180.patch
+
+-------------------------------------------------------------------
+Thu Jun 16 16:27:25 MDT 2016 - carnold@suse.com
+
+- bsc#954872 - script block-dmmd not working as expected - libxl:
+ error: libxl_dm.c (Additional fixes)
+ block-dmmd
+
+-------------------------------------------------------------------
+Fri Jun 10 14:23:51 UTC 2016 - ohering@suse.de
+
+- Convert with_stubdom into build_conditional to allow adjusting
+ via prjconf
+- Convert with_debug into build_conditional to allow adjusting
+ via prjconf
+
+-------------------------------------------------------------------
+Fri Jun 10 13:36:32 UTC 2016 - ohering@suse.de
+
+- bsc#979002 - add 60-persistent-xvd.rules and helper script to
+ xen-tools-domU to simplify transition to pvops based kernels
+
+-------------------------------------------------------------------
+Fri Jun 10 13:18:13 UTC 2016 - ohering@suse.de
+
+- Convert with_oxenstored into build_conditional to allow
+ adjusting via prjconf (fate#320836)
+
 -------------------------------------------------------------------
 Thu Jun 9 11:10:33 MDT 2016 - carnold@suse.com
 
@@ -109,7 +152,7 @@ Tue May 3 07:31:28 UTC 2016 - ohering@suse.de
 -------------------------------------------------------------------
 Fri Apr 29 16:50:33 MDT 2016 - carnold@suse.com
 
-- Update to the latest Xen 4.7 pre-release c2994f86 (fate#319989)
+- Update to the latest Xen 4.7 pre-release c2994f86
 Drop libxl.migrate-legacy-stream-read.patch
 
 -------------------------------------------------------------------
diff --git a/xen.spec b/xen.spec
index 0e168b3..c124ead 100644
--- a/xen.spec
+++ b/xen.spec
@@ -24,17 +24,20 @@ ExclusiveArch: %ix86 x86_64 %arm aarch64
 %define xen_build_dir xen-4.7.0-testing
 #
 %define with_kmp 0
-%define with_debug 0
-%define with_stubdom 0
 %define with_gdbsx 0
 %define with_dom0_support 0
 %define with_qemu_traditional 0
-%define with_oxenstored 0
+%bcond_with xen_oxenstored
+%ifarch x86_64
+%bcond_without xen_debug
+%bcond_without xen_stubdom
+%else
+%bcond_with xen_debug
+%bcond_with xen_stubdom
+%endif
 #
 %ifarch x86_64
 %define with_kmp 0
-%define with_debug 1
-%define with_stubdom 1
 %define with_gdbsx 1
 %define with_dom0_support 1
 %define with_qemu_traditional 1
@@ -108,7 +111,7 @@ BuildRequires: libyajl-devel
 BuildRequires: SDL-devel
 BuildRequires: pciutils-devel
 %endif
-%if %{?with_stubdom}0
+%if %{with xen_stubdom}
 %if 0%{?suse_version} < 1230
 BuildRequires: texinfo
 %else
@@ -116,13 +119,15 @@ BuildRequires: makeinfo
 %endif
 %endif
 BuildRequires: ncurses-devel
-%if %{?with_oxenstored}0
+%if %{?with_dom0_support}0
+%if %{with xen_oxenstored}
 BuildRequires: ocaml
 BuildRequires: ocaml-compiler-libs
 BuildRequires: ocaml-findlib
 BuildRequires: ocaml-ocamldoc
 BuildRequires: ocaml-runtime
 %endif
+%endif
 BuildRequires: openssl-devel
 BuildRequires: python-devel
 %if %{?with_systemd}0
@@ -160,7 +165,7 @@ BuildRequires: xorg-x11-util-devel
 %endif
 %endif
 
-Version: 4.7.0_06
+Version: 4.7.0_08
 Release: 0
 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
 License: GPL-2.0
@@ -198,6 +203,9 @@ Source57: xen-utils-0.1.tar.bz2
 # For xen-libs
 Source99: baselibs.conf
 # Upstream patches
+Patch1: 57580bbd-kexec-allow-relaxed-placement-via-cmdline.patch
+Patch2: 575e9ca0-nested-vmx-Validate-host-VMX-MSRs-before-accessing-them.patch
+Patch3: 57640448-xen-sched-use-default-scheduler-upon-an-invalid-sched.patch
 # Upstream qemu-traditional patches
 Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -228,9 +236,8 @@ Patch275: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.
 Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch
 Patch277: CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch
 Patch278: CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch
-Patch279: CVE-2014-3672-qemut-xsa180.patch
-Patch280: CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch
-Patch281: CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch
+Patch279: CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch
+Patch280: CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch
 # qemu-traditional patches that are not upstream
 Patch350: blktap.patch
 Patch351: cdrom-removable.patch
@@ -517,6 +524,9 @@ Authors:
 %prep
 %setup -q -n %xen_build_dir -a 1 -a 2 -a 5 -a 6 -a 57
 # Upstream patches
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1
@@ -549,7 +559,6 @@ Authors:
 %patch278 -p1
 %patch279 -p1
 %patch280 -p1
-%patch281 -p1
 # Qemu traditional
 %patch350 -p1
 %patch351 -p1
@@ -687,7 +696,7 @@ then
 : no changes?
 fi
 configure_flags=
-%if %{?with_stubdom}0
+%if %{with xen_stubdom}
 configure_flags=--enable-stubdom
 %else
 configure_flags=--disable-stubdom
@@ -713,9 +722,11 @@ configure_flags="${configure_flags} --disable-qemu-traditional"
 --includedir=%{_includedir} \
 --docdir=%{_defaultdocdir}/xen \
 --with-initddir=%{_initddir} \
-%if %{?with_oxenstored}0
+%if %{?with_dom0_support}0
+%if %{with xen_oxenstored}
 --with-xenstored=oxenstored \
 %endif
+%endif
 %if %{?with_systemd}0
 --enable-systemd \
 --with-systemd=%{_unitdir} \
@@ -763,6 +774,54 @@ for i in $RPM_BUILD_ROOT/var/adm/fillup-templates/*
 do
 mv -v $i ${i%/*}/sysconfig.${i##*/}
 done
+
+%if %{?with_systemd}0
+udev_rulesdir=$RPM_BUILD_ROOT%{_udevrulesdir}
+mkdir -p ${udev_rulesdir}
+tee ${udev_rulesdir}/60-persistent-xvd.rules <<'_EOR_'
+ACTION=="remove", GOTO="xvd_aliases_end"
+SUBSYSTEM!="block", GOTO="xvd_aliases_end"
+KERNEL=="xvd*[!0-9]", IMPORT{program}=="%{name}-tools-domU.sh --devpath %%p --devtype $env{DEVTYPE}"
+KERNEL=="xvd*[0-9]", IMPORT{program}=="%{name}-tools-domU.sh --devpath %%p --devtype $env{DEVTYPE}"
+KERNEL=="xvd*[!0-9]", ENV{VBD_HD_SYMLINK}=="hd[a-d]", SYMLINK+="$env{VBD_HD_SYMLINK}"
+KERNEL=="xvd*[0-9]", ENV{VBD_HD_SYMLINK}=="hd[a-d]", SYMLINK+="$env{VBD_HD_SYMLINK}%%n"
+LABEL="xvd_aliases_end"
+_EOR_
+#
+udev_programdir=$RPM_BUILD_ROOT/usr/lib/udev
+mkdir -p ${udev_programdir}
+tee ${udev_programdir}/%{name}-tools-domU.sh <<'_EOS_'
+#!/bin/bash
+set -e
+devpath=
+devtype=
+dev=
+while test "$#" -gt 0
+do
+ : "$1"
+ case "$1" in
+ --devpath) devpath=$2 ; shift ;;
+ --devtype) devtype=$2 ; shift ;;
+ *) echo "$0: Unknown option $1" >&2 ; exit 1 ;;
+ esac
+ shift
+done
+test -n "${devpath}" || exit 1
+test -n "${devtype}" || exit 1
+cd "/sys/${devpath}"
+case "${devtype}" in
+ partition) cd .. ;;
+esac
+cd -P device
+d="${PWD##*/}"
+d="${d/-/\/}"
+backend="`xenstore-read device/${d}/backend`"
+dev="`xenstore-read \"${backend}\"/dev`"
+test -n "${dev}" && echo "VBD_HD_SYMLINK=${dev}"
+_EOS_
+chmod 755 ${udev_programdir}/*.sh
+%endif
+
 # EFI
 %if %{?with_dom0_support}0
 export BRP_PESIGN_FILES="*.ko *.efi /lib/firmware"
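Review bot: The rules file relies on an implicit contract that should be written down: `%{name}-tools-domU.sh` echoes whatever `xenstore-read .../dev` returns into the udev environment, and the only thing that keeps an arbitrary string from becoming a symlink name is the `ENV{VBD_HD_SYMLINK}=="hd[a-d]"` match on the two SYMLINK rules; a line such as `# VBD_HD_SYMLINK is taken from xenstore; only hd[a-d] values become symlinks` above them records that. The helper's install directory is spelled out as `$RPM_BUILD_ROOT/usr/lib/udev` while the rules use `%{_udevrulesdir}`, and the matching `%files` entry (hunk @@ -1194) packages the whole `/usr/lib/udev` directory instead of the one script; listing `/usr/lib/udev/%{name}-tools-domU.sh` avoids co-owning a directory that belongs to udev. Whether the distribution exports a macro for the udev program directory is not visible on this page.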
@@ -794,7 +853,7 @@ install_xen()
 ln -sf xen-syms${ext}-${XEN_FULLVERSION} $RPM_BUILD_ROOT/boot/xen-syms${ext}
 find $RPM_BUILD_ROOT/boot -ls
 }
-%if %{?with_debug}0
+%if %{with xen_debug}
 make -C xen install max_phys_cpus=%{max_cpus} debug=y crash_debug=y DEBUG_DIR=/boot DESTDIR=$RPM_BUILD_ROOT %{?_smp_mflags}
 install_xen dbg
 make -C xen clean
@@ -958,6 +1017,7 @@ rm -rf $RPM_BUILD_ROOT/%{_datadir}/doc
 rm -rf $RPM_BUILD_ROOT/%{_datadir}/man
 rm -rf $RPM_BUILD_ROOT/%{_libdir}/xen
 rm -rf $RPM_BUILD_ROOT/%{_libdir}/python*
+rm -rf $RPM_BUILD_ROOT/%{_libdir}/ocaml*
 rm -rf $RPM_BUILD_ROOT%{_unitdir}
 rm -rf $RPM_BUILD_ROOT%{with_systemd_modules_load}
 rm -rf $RPM_BUILD_ROOT/usr/sbin
@@ -1142,7 +1202,7 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
 %{_mandir}/man8/*.8.gz
 %{_mandir}/man1/xen-list.1.gz
 
-%if %{?with_oxenstored}0
+%if %{with xen_oxenstored}
 /usr/sbin/oxenstored
 /etc/xen/oxenstored.conf
 %dir %{_libdir}/ocaml
@@ -1194,12 +1254,16 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
 %endif
 /bin/domu-xenstore
 /bin/xenstore-*
+%if %{?with_systemd}0
+/usr/lib/udev
+%endif
 
 %files devel
 %defattr(-,root,root)
 %{_libdir}/*.a
 %{_libdir}/*.so
-%if %{?with_oxenstored}0
+%if %{?with_dom0_support}0
+%if %{with xen_oxenstored}
 %{_libdir}/ocaml/xenbus/*.a
 %{_libdir}/ocaml/xenbus/*.cmx*
 %{_libdir}/ocaml/xenctrl/*.a
@@ -1215,6 +1279,7 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
 %{_libdir}/ocaml/xentoollog/*.a
 %{_libdir}/ocaml/xentoollog/*.cmx*
 %endif
+%endif
 /usr/include/*
 %{_datadir}/pkgconfig/xenlight.pc
 %{_datadir}/pkgconfig/xlutil.pc