diff --git a/26129-ACPI-BGRT-invalidate.patch b/26129-ACPI-BGRT-invalidate.patch new file mode 100644 index 0000000..1303c3a --- /dev/null +++ b/26129-ACPI-BGRT-invalidate.patch @@ -0,0 +1,643 @@ +# HG changeset patch +# User Jan Beulich +# Date 1352368421 -3600 +# Node ID 92163b114076029842d0f2d1dbfaa445976c71a3 +# Parent aa2074529eb0183257b6f5f29821b0cd6dfd991a +x86/ACPI: invalidate BGRT if necessary + +Since the image pointed to may live in boot services memory (which we +add to the global memory pool long before ACPI tables get looked at), +we should prevent Dom0 from trying to retrieve the image data in that +case. + +The alternatives would be to +- not add boot services memory to the global pool at all, or +- defer adding boot services memory until Dom0 indicates it is safe to + do so, or +- find and parse the BGRT table in xen/arch/x86/efi/boot.c, and avoid + adding that specific region to the E820 table. +None of these are really attractive, and as Xen commonly prints to the +video console anyway (without trying to avoid any regions on the +screen), the invalidation would need to be done conditionally anyway. + +(xen/include/acpi/actbl3.h is a verbatim copy from Linux 3.7-rc4) + +Signed-off-by: Jan Beulich +Acked-by: Keir Fraser + +--- a/xen/arch/x86/acpi/boot.c ++++ b/xen/arch/x86/acpi/boot.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -285,6 +286,27 @@ static int __init acpi_parse_hpet(struct + #define acpi_parse_hpet NULL + #endif + ++static int __init acpi_invalidate_bgrt(struct acpi_table_header *table) ++{ ++ struct acpi_table_bgrt *bgrt_tbl = ++ container_of(table, struct acpi_table_bgrt, header); ++ ++ if (table->length < sizeof(*bgrt_tbl)) ++ return -1; ++ ++ if (bgrt_tbl->version == 1 && bgrt_tbl->image_address ++ && !page_is_ram_type(PFN_DOWN(bgrt_tbl->image_address), ++ RAM_TYPE_CONVENTIONAL)) ++ return 0; ++ ++ printk(KERN_INFO PREFIX "BGRT: invalidating v%d image at %#"PRIx64"\n", ++ bgrt_tbl->version, bgrt_tbl->image_address); ++ bgrt_tbl->image_address = 0; ++ bgrt_tbl->status &= ~1; ++ ++ return 0; ++} ++ + #ifdef CONFIG_ACPI_SLEEP + #define acpi_fadt_copy_address(dst, src, len) do { \ + if (fadt->header.revision >= FADT2_REVISION_ID) \ +@@ -833,5 +855,7 @@ int __init acpi_boot_init(void) + + erst_init(); + ++ acpi_table_parse(ACPI_SIG_BGRT, acpi_invalidate_bgrt); ++ + return 0; + } +--- a/xen/include/acpi/actbl.h ++++ b/xen/include/acpi/actbl.h +@@ -314,6 +314,7 @@ enum acpi_prefered_pm_profiles { + + #include + #include ++#include + + /* + * Sizes of the various flavors of FADT. We need to look closely +--- /dev/null ++++ b/xen/include/acpi/actbl3.h +@@ -0,0 +1,557 @@ ++/****************************************************************************** ++ * ++ * Name: actbl3.h - ACPI Table Definitions ++ * ++ *****************************************************************************/ ++ ++/* ++ * Copyright (C) 2000 - 2012, Intel Corp. ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions, and the following disclaimer, ++ * without modification. ++ * 2. Redistributions in binary form must reproduce at minimum a disclaimer ++ * substantially similar to the "NO WARRANTY" disclaimer below ++ * ("Disclaimer") and any redistribution must be conditioned upon ++ * including a substantially similar Disclaimer requirement for further ++ * binary redistribution. ++ * 3. Neither the names of the above-listed copyright holders nor the names ++ * of any contributors may be used to endorse or promote products derived ++ * from this software without specific prior written permission. ++ * ++ * Alternatively, this software may be distributed under the terms of the ++ * GNU General Public License ("GPL") version 2 as published by the Free ++ * Software Foundation. ++ * ++ * NO WARRANTY ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR ++ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING ++ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGES. ++ */ ++ ++#ifndef __ACTBL3_H__ ++#define __ACTBL3_H__ ++ ++/******************************************************************************* ++ * ++ * Additional ACPI Tables (3) ++ * ++ * These tables are not consumed directly by the ACPICA subsystem, but are ++ * included here to support device drivers and the AML disassembler. ++ * ++ * The tables in this file are fully defined within the ACPI specification. ++ * ++ ******************************************************************************/ ++ ++/* ++ * Values for description table header signatures for tables defined in this ++ * file. Useful because they make it more difficult to inadvertently type in ++ * the wrong signature. ++ */ ++#define ACPI_SIG_BGRT "BGRT" /* Boot Graphics Resource Table */ ++#define ACPI_SIG_DRTM "DRTM" /* Dynamic Root of Trust for Measurement table */ ++#define ACPI_SIG_FPDT "FPDT" /* Firmware Performance Data Table */ ++#define ACPI_SIG_GTDT "GTDT" /* Generic Timer Description Table */ ++#define ACPI_SIG_MPST "MPST" /* Memory Power State Table */ ++#define ACPI_SIG_PCCT "PCCT" /* Platform Communications Channel Table */ ++#define ACPI_SIG_PMTT "PMTT" /* Platform Memory Topology Table */ ++#define ACPI_SIG_RASF "RASF" /* RAS Feature table */ ++ ++#define ACPI_SIG_S3PT "S3PT" /* S3 Performance (sub)Table */ ++#define ACPI_SIG_PCCS "PCC" /* PCC Shared Memory Region */ ++ ++/* Reserved table signatures */ ++ ++#define ACPI_SIG_CSRT "CSRT" /* Core System Resources Table */ ++#define ACPI_SIG_MATR "MATR" /* Memory Address Translation Table */ ++#define ACPI_SIG_MSDM "MSDM" /* Microsoft Data Management Table */ ++#define ACPI_SIG_WPBT "WPBT" /* Windows Platform Binary Table */ ++ ++/* ++ * All tables must be byte-packed to match the ACPI specification, since ++ * the tables are provided by the system BIOS. ++ */ ++#pragma pack(1) ++ ++/* ++ * Note: C bitfields are not used for this reason: ++ * ++ * "Bitfields are great and easy to read, but unfortunately the C language ++ * does not specify the layout of bitfields in memory, which means they are ++ * essentially useless for dealing with packed data in on-disk formats or ++ * binary wire protocols." (Or ACPI tables and buffers.) "If you ask me, ++ * this decision was a design error in C. Ritchie could have picked an order ++ * and stuck with it." Norman Ramsey. ++ * See http://stackoverflow.com/a/1053662/41661 ++ */ ++ ++/******************************************************************************* ++ * ++ * BGRT - Boot Graphics Resource Table (ACPI 5.0) ++ * Version 1 ++ * ++ ******************************************************************************/ ++ ++struct acpi_table_bgrt { ++ struct acpi_table_header header; /* Common ACPI table header */ ++ u16 version; ++ u8 status; ++ u8 image_type; ++ u64 image_address; ++ u32 image_offset_x; ++ u32 image_offset_y; ++}; ++ ++/******************************************************************************* ++ * ++ * DRTM - Dynamic Root of Trust for Measurement table ++ * ++ ******************************************************************************/ ++ ++struct acpi_table_drtm { ++ struct acpi_table_header header; /* Common ACPI table header */ ++ u64 entry_base_address; ++ u64 entry_length; ++ u32 entry_address32; ++ u64 entry_address64; ++ u64 exit_address; ++ u64 log_area_address; ++ u32 log_area_length; ++ u64 arch_dependent_address; ++ u32 flags; ++}; ++ ++/* 1) Validated Tables List */ ++ ++struct acpi_drtm_vtl_list { ++ u32 validated_table_list_count; ++}; ++ ++/* 2) Resources List */ ++ ++struct acpi_drtm_resource_list { ++ u32 resource_list_count; ++}; ++ ++/* 3) Platform-specific Identifiers List */ ++ ++struct acpi_drtm_id_list { ++ u32 id_list_count; ++}; ++ ++/******************************************************************************* ++ * ++ * FPDT - Firmware Performance Data Table (ACPI 5.0) ++ * Version 1 ++ * ++ ******************************************************************************/ ++ ++struct acpi_table_fpdt { ++ struct acpi_table_header header; /* Common ACPI table header */ ++}; ++ ++/* FPDT subtable header */ ++ ++struct acpi_fpdt_header { ++ u16 type; ++ u8 length; ++ u8 revision; ++}; ++ ++/* Values for Type field above */ ++ ++enum acpi_fpdt_type { ++ ACPI_FPDT_TYPE_BOOT = 0, ++ ACPI_FPDT_TYPE_S3PERF = 1, ++}; ++ ++/* ++ * FPDT subtables ++ */ ++ ++/* 0: Firmware Basic Boot Performance Record */ ++ ++struct acpi_fpdt_boot { ++ struct acpi_fpdt_header header; ++ u8 reserved[4]; ++ u64 reset_end; ++ u64 load_start; ++ u64 startup_start; ++ u64 exit_services_entry; ++ u64 exit_services_exit; ++}; ++ ++/* 1: S3 Performance Table Pointer Record */ ++ ++struct acpi_fpdt_s3pt_ptr { ++ struct acpi_fpdt_header header; ++ u8 reserved[4]; ++ u64 address; ++}; ++ ++/* ++ * S3PT - S3 Performance Table. This table is pointed to by the ++ * FPDT S3 Pointer Record above. ++ */ ++struct acpi_table_s3pt { ++ u8 signature[4]; /* "S3PT" */ ++ u32 length; ++}; ++ ++/* ++ * S3PT Subtables ++ */ ++struct acpi_s3pt_header { ++ u16 type; ++ u8 length; ++ u8 revision; ++}; ++ ++/* Values for Type field above */ ++ ++enum acpi_s3pt_type { ++ ACPI_S3PT_TYPE_RESUME = 0, ++ ACPI_S3PT_TYPE_SUSPEND = 1, ++}; ++ ++struct acpi_s3pt_resume { ++ struct acpi_s3pt_header header; ++ u32 resume_count; ++ u64 full_resume; ++ u64 average_resume; ++}; ++ ++struct acpi_s3pt_suspend { ++ struct acpi_s3pt_header header; ++ u64 suspend_start; ++ u64 suspend_end; ++}; ++ ++/******************************************************************************* ++ * ++ * GTDT - Generic Timer Description Table (ACPI 5.0) ++ * Version 1 ++ * ++ ******************************************************************************/ ++ ++struct acpi_table_gtdt { ++ struct acpi_table_header header; /* Common ACPI table header */ ++ u64 address; ++ u32 flags; ++ u32 secure_pl1_interrupt; ++ u32 secure_pl1_flags; ++ u32 non_secure_pl1_interrupt; ++ u32 non_secure_pl1_flags; ++ u32 virtual_timer_interrupt; ++ u32 virtual_timer_flags; ++ u32 non_secure_pl2_interrupt; ++ u32 non_secure_pl2_flags; ++}; ++ ++/* Values for Flags field above */ ++ ++#define ACPI_GTDT_MAPPED_BLOCK_PRESENT 1 ++ ++/* Values for all "TimerFlags" fields above */ ++ ++#define ACPI_GTDT_INTERRUPT_MODE 1 ++#define ACPI_GTDT_INTERRUPT_POLARITY 2 ++ ++/******************************************************************************* ++ * ++ * MPST - Memory Power State Table (ACPI 5.0) ++ * Version 1 ++ * ++ ******************************************************************************/ ++ ++#define ACPI_MPST_CHANNEL_INFO \ ++ u16 reserved1; \ ++ u8 channel_id; \ ++ u8 reserved2; \ ++ u16 power_node_count; ++ ++/* Main table */ ++ ++struct acpi_table_mpst { ++ struct acpi_table_header header; /* Common ACPI table header */ ++ ACPI_MPST_CHANNEL_INFO /* Platform Communication Channel */ ++}; ++ ++/* Memory Platform Communication Channel Info */ ++ ++struct acpi_mpst_channel { ++ ACPI_MPST_CHANNEL_INFO /* Platform Communication Channel */ ++}; ++ ++/* Memory Power Node Structure */ ++ ++struct acpi_mpst_power_node { ++ u8 flags; ++ u8 reserved1; ++ u16 node_id; ++ u32 length; ++ u64 range_address; ++ u64 range_length; ++ u8 num_power_states; ++ u8 num_physical_components; ++ u16 reserved2; ++}; ++ ++/* Values for Flags field above */ ++ ++#define ACPI_MPST_ENABLED 1 ++#define ACPI_MPST_POWER_MANAGED 2 ++#define ACPI_MPST_HOT_PLUG_CAPABLE 4 ++ ++/* Memory Power State Structure (follows POWER_NODE above) */ ++ ++struct acpi_mpst_power_state { ++ u8 power_state; ++ u8 info_index; ++}; ++ ++/* Physical Component ID Structure (follows POWER_STATE above) */ ++ ++struct acpi_mpst_component { ++ u16 component_id; ++}; ++ ++/* Memory Power State Characteristics Structure (follows all POWER_NODEs) */ ++ ++struct acpi_mpst_data_hdr { ++ u16 characteristics_count; ++}; ++ ++struct acpi_mpst_power_data { ++ u8 revision; ++ u8 flags; ++ u16 reserved1; ++ u32 average_power; ++ u32 power_saving; ++ u64 exit_latency; ++ u64 reserved2; ++}; ++ ++/* Values for Flags field above */ ++ ++#define ACPI_MPST_PRESERVE 1 ++#define ACPI_MPST_AUTOENTRY 2 ++#define ACPI_MPST_AUTOEXIT 4 ++ ++/* Shared Memory Region (not part of an ACPI table) */ ++ ++struct acpi_mpst_shared { ++ u32 signature; ++ u16 pcc_command; ++ u16 pcc_status; ++ u16 command_register; ++ u16 status_register; ++ u16 power_state_id; ++ u16 power_node_id; ++ u64 energy_consumed; ++ u64 average_power; ++}; ++ ++/******************************************************************************* ++ * ++ * PCCT - Platform Communications Channel Table (ACPI 5.0) ++ * Version 1 ++ * ++ ******************************************************************************/ ++ ++struct acpi_table_pcct { ++ struct acpi_table_header header; /* Common ACPI table header */ ++ u32 flags; ++ u32 latency; ++ u32 reserved; ++}; ++ ++/* Values for Flags field above */ ++ ++#define ACPI_PCCT_DOORBELL 1 ++ ++/* ++ * PCCT subtables ++ */ ++ ++/* 0: Generic Communications Subspace */ ++ ++struct acpi_pcct_subspace { ++ struct acpi_subtable_header header; ++ u8 reserved[6]; ++ u64 base_address; ++ u64 length; ++ struct acpi_generic_address doorbell_register; ++ u64 preserve_mask; ++ u64 write_mask; ++}; ++ ++/* ++ * PCC memory structures (not part of the ACPI table) ++ */ ++ ++/* Shared Memory Region */ ++ ++struct acpi_pcct_shared_memory { ++ u32 signature; ++ u16 command; ++ u16 status; ++}; ++ ++/******************************************************************************* ++ * ++ * PMTT - Platform Memory Topology Table (ACPI 5.0) ++ * Version 1 ++ * ++ ******************************************************************************/ ++ ++struct acpi_table_pmtt { ++ struct acpi_table_header header; /* Common ACPI table header */ ++ u32 reserved; ++}; ++ ++/* Common header for PMTT subtables that follow main table */ ++ ++struct acpi_pmtt_header { ++ u8 type; ++ u8 reserved1; ++ u16 length; ++ u16 flags; ++ u16 reserved2; ++}; ++ ++/* Values for Type field above */ ++ ++#define ACPI_PMTT_TYPE_SOCKET 0 ++#define ACPI_PMTT_TYPE_CONTROLLER 1 ++#define ACPI_PMTT_TYPE_DIMM 2 ++#define ACPI_PMTT_TYPE_RESERVED 3 /* 0x03-0xFF are reserved */ ++ ++/* Values for Flags field above */ ++ ++#define ACPI_PMTT_TOP_LEVEL 0x0001 ++#define ACPI_PMTT_PHYSICAL 0x0002 ++#define ACPI_PMTT_MEMORY_TYPE 0x000C ++ ++/* ++ * PMTT subtables, correspond to Type in struct acpi_pmtt_header ++ */ ++ ++/* 0: Socket Structure */ ++ ++struct acpi_pmtt_socket { ++ struct acpi_pmtt_header header; ++ u16 socket_id; ++ u16 reserved; ++}; ++ ++/* 1: Memory Controller subtable */ ++ ++struct acpi_pmtt_controller { ++ struct acpi_pmtt_header header; ++ u32 read_latency; ++ u32 write_latency; ++ u32 read_bandwidth; ++ u32 write_bandwidth; ++ u16 access_width; ++ u16 alignment; ++ u16 reserved; ++ u16 domain_count; ++}; ++ ++/* 1a: Proximity Domain substructure */ ++ ++struct acpi_pmtt_domain { ++ u32 proximity_domain; ++}; ++ ++/* 2: Physical Component Identifier (DIMM) */ ++ ++struct acpi_pmtt_physical_component { ++ struct acpi_pmtt_header header; ++ u16 component_id; ++ u16 reserved; ++ u32 memory_size; ++ u32 bios_handle; ++}; ++ ++/******************************************************************************* ++ * ++ * RASF - RAS Feature Table (ACPI 5.0) ++ * Version 1 ++ * ++ ******************************************************************************/ ++ ++struct acpi_table_rasf { ++ struct acpi_table_header header; /* Common ACPI table header */ ++ u8 channel_id[12]; ++}; ++ ++/* RASF Platform Communication Channel Shared Memory Region */ ++ ++struct acpi_rasf_shared_memory { ++ u32 signature; ++ u16 command; ++ u16 status; ++ u64 requested_address; ++ u64 requested_length; ++ u64 actual_address; ++ u64 actual_length; ++ u16 flags; ++ u8 speed; ++}; ++ ++/* Masks for Flags and Speed fields above */ ++ ++#define ACPI_RASF_SCRUBBER_RUNNING 1 ++#define ACPI_RASF_SPEED (7<<1) ++ ++/* Channel Commands */ ++ ++enum acpi_rasf_commands { ++ ACPI_RASF_GET_RAS_CAPABILITIES = 1, ++ ACPI_RASF_GET_PATROL_PARAMETERS = 2, ++ ACPI_RASF_START_PATROL_SCRUBBER = 3, ++ ACPI_RASF_STOP_PATROL_SCRUBBER = 4 ++}; ++ ++/* Channel Command flags */ ++ ++#define ACPI_RASF_GENERATE_SCI (1<<15) ++ ++/* Status values */ ++ ++enum acpi_rasf_status { ++ ACPI_RASF_SUCCESS = 0, ++ ACPI_RASF_NOT_VALID = 1, ++ ACPI_RASF_NOT_SUPPORTED = 2, ++ ACPI_RASF_BUSY = 3, ++ ACPI_RASF_FAILED = 4, ++ ACPI_RASF_ABORTED = 5, ++ ACPI_RASF_INVALID_DATA = 6 ++}; ++ ++/* Status flags */ ++ ++#define ACPI_RASF_COMMAND_COMPLETE (1) ++#define ACPI_RASF_SCI_DOORBELL (1<<1) ++#define ACPI_RASF_ERROR (1<<2) ++#define ACPI_RASF_STATUS (0x1F<<3) ++ ++/* Reset to default packing */ ++ ++#pragma pack() ++ ++#endif /* __ACTBL3_H__ */ diff --git a/26132-tmem-save-NULL-check.patch b/26132-tmem-save-NULL-check.patch new file mode 100644 index 0000000..bd18e7f --- /dev/null +++ b/26132-tmem-save-NULL-check.patch @@ -0,0 +1,31 @@ +# HG changeset patch +# User Matthew Daley +# Date 1352709297 -3600 +# Node ID 286ef4ced2164f4e9bf52fd0c52248182e69a6e6 +# Parent 62885b3c34c84354ead017703a86f0465cb58cf7 +tmem: Prevent NULL dereference on error case + +If the client / pool IDs given to tmemc_save_get_next_page are invalid, +the calculation of pagesize will dereference NULL. + +Fix this by moving the calculation below the appropriate NULL check. + +Signed-off-by: Matthew Daley +Committed-by: Jan Beulich + +--- a/xen/common/tmem.c ++++ b/xen/common/tmem.c +@@ -2446,10 +2446,12 @@ static NOINLINE int tmemc_save_get_next_ + OID oid; + int ret = 0; + struct tmem_handle h; +- unsigned int pagesize = 1 << (pool->pageshift+12); ++ unsigned int pagesize; + + if ( pool == NULL || is_ephemeral(pool) ) + return -1; ++ ++ pagesize = 1 << (pool->pageshift + 12); + if ( bufsize < pagesize + sizeof(struct tmem_handle) ) + return -ENOMEM; + diff --git a/26134-x86-shadow-invlpg-check.patch b/26134-x86-shadow-invlpg-check.patch new file mode 100644 index 0000000..48f7ed1 --- /dev/null +++ b/26134-x86-shadow-invlpg-check.patch @@ -0,0 +1,22 @@ +# HG changeset patch +# User Matthew Daley +# Date 1352715420 0 +# Node ID 279bbf2a0b485fce18af26473eca5e60d794c17b +# Parent fdb69dd527cd01a46f87efb380050559dcf12d37 +x86/mm x86 shadow: Fix typo in sh_invlpg sl3 page presence check + +Signed-off-by: Matthew Daley +Acked-by: Tim Deegan +Committed-by: Tim Deegan + +--- a/xen/arch/x86/mm/shadow/multi.c ++++ b/xen/arch/x86/mm/shadow/multi.c +@@ -3665,7 +3665,7 @@ sh_invlpg(struct vcpu *v, unsigned long + perfc_incr(shadow_invlpg_fault); + return 0; + } +- if ( (!shadow_l3e_get_flags(sl3e) & _PAGE_PRESENT) ) ++ if ( !(shadow_l3e_get_flags(sl3e) & _PAGE_PRESENT) ) + return 0; + } + #else /* SHADOW_PAGING_LEVELS == 3 */ diff --git a/26139-cpumap-masking.patch b/26139-cpumap-masking.patch new file mode 100644 index 0000000..49afe5e --- /dev/null +++ b/26139-cpumap-masking.patch @@ -0,0 +1,39 @@ +# HG changeset patch +# User Matthew Daley +# Date 1352802490 -3600 +# Node ID 56400658f0962099988678487e525d12f869a96a +# Parent a3cde70320ada4a5424c37f65b8fe3753fc95205 +fix xenctl_cpumap_to_cpumask() buffer size check + +xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether +bits should be masked off from the input cpumap bitmap or not. + +Fix by using the correct cpumask buffer size in place of sizeof. + +Signed-off-by: Matthew Daley + +Compare against copy_bytes instead, and use equality rather than less- +or-equal. + +Further, this issue (introduced with c/s 23991:a7ccbc79fc17) is not +security relevant (i.e. the bug could not cause memory corruption): +_xmalloc() never returns chunks of data smaller than the size of a +pointer, i.e. even if sizeof(void*) > guest_bytes > copy_bytes, the +piece of memory erroneously written to would still be inside the +allocation done at the top of the function. + +Signed-off-by: Jan Beulich +Acked-by: Keir Fraser +Committed-by: Jan Beulich + +--- a/xen/common/domctl.c ++++ b/xen/common/domctl.c +@@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask( + { + if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) ) + err = -EFAULT; +- if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) ) ++ if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) ) + bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7)); + } + diff --git a/CVE-2012-4535-xsa20.patch b/26148-vcpu-timer-overflow.patch similarity index 76% rename from CVE-2012-4535-xsa20.patch rename to 26148-vcpu-timer-overflow.patch index dcc4357..29e2e8f 100644 --- a/CVE-2012-4535-xsa20.patch +++ b/26148-vcpu-timer-overflow.patch @@ -1,5 +1,10 @@ References: CVE-2012-4535 XSA-20 bnc#786516 +# HG changeset patch +# User Ian Jackson +# Date 1352892634 0 +# Node ID bf58b94b3cef4db8d9ad9c8686bf10910ccc0644 +# Parent 3186c04af5829a242059ffe4f6427853b7bfc408 VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability The timer action for a vcpu periodic timer is to calculate the next @@ -12,11 +17,10 @@ This is a security problem, XSA-20 / CVE-2012-4535. Signed-off-by: Andrew Cooper Acked-by: Ian Campbell +Committed-by: Ian Jackson -Index: xen-4.2.0-testing/xen/common/domain.c -=================================================================== ---- xen-4.2.0-testing.orig/xen/common/domain.c -+++ xen-4.2.0-testing/xen/common/domain.c +--- a/xen/common/domain.c ++++ b/xen/common/domain.c @@ -882,6 +882,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN if ( set.period_ns < MILLISECS(1) ) return -EINVAL; @@ -27,10 +31,8 @@ Index: xen-4.2.0-testing/xen/common/domain.c v->periodic_period = set.period_ns; vcpu_force_reschedule(v); -Index: xen-4.2.0-testing/xen/include/xen/time.h -=================================================================== ---- xen-4.2.0-testing.orig/xen/include/xen/time.h -+++ xen-4.2.0-testing/xen/include/xen/time.h +--- a/xen/include/xen/time.h ++++ b/xen/include/xen/time.h @@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t); #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL)) #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL)) diff --git a/CVE-2012-4537-xsa22.patch b/26149-x86-p2m-physmap-error-path.patch similarity index 80% rename from CVE-2012-4537-xsa22.patch rename to 26149-x86-p2m-physmap-error-path.patch index 93c9b4c..b6d6cbf 100644 --- a/CVE-2012-4537-xsa22.patch +++ b/26149-x86-p2m-physmap-error-path.patch @@ -1,5 +1,10 @@ References: CVE-2012-4537 XSA-22 bnc#786517 +# HG changeset patch +# User Ian Jackson +# Date 1352892962 0 +# Node ID 6b6a4007a6091610a29b71cc32908c74113b852b +# Parent bf58b94b3cef4db8d9ad9c8686bf10910ccc0644 x86/physmap: Prevent incorrect updates of m2p mappings In certain conditions, such as low memory, set_p2m_entry() can fail. @@ -17,11 +22,10 @@ This is a security problem, XSA-22 / CVE-2012-4537. Signed-off-by: Andrew Cooper Acked-by: Ian Campbell Acked-by: Ian Jackson +Committed-by: Ian Jackson -Index: xen-4.2.0-testing/xen/arch/x86/mm/p2m.c -=================================================================== ---- xen-4.2.0-testing.orig/xen/arch/x86/mm/p2m.c -+++ xen-4.2.0-testing/xen/arch/x86/mm/p2m.c +--- a/xen/arch/x86/mm/p2m.c ++++ b/xen/arch/x86/mm/p2m.c @@ -654,7 +654,10 @@ guest_physmap_add_entry(struct domain *d if ( mfn_valid(_mfn(mfn)) ) { diff --git a/CVE-2012-4538-xsa23.patch b/26150-x86-shadow-unhook-toplevel-check.patch similarity index 77% rename from CVE-2012-4538-xsa23.patch rename to 26150-x86-shadow-unhook-toplevel-check.patch index cf22858..4ee4e86 100644 --- a/CVE-2012-4538-xsa23.patch +++ b/26150-x86-shadow-unhook-toplevel-check.patch @@ -1,5 +1,10 @@ References: CVE-2012-4538 XSA-23 bnc#786519 +# HG changeset patch +# User Ian Jackson +# Date 1352893341 0 +# Node ID c7a01b6450e483ca839228bf1e1e44de692e3458 +# Parent 6b6a4007a6091610a29b71cc32908c74113b852b xen/mm/shadow: check toplevel pagetables are present before unhooking them. If the guest has not fully populated its top-level PAE entries when it calls @@ -13,11 +18,10 @@ This is a security problem, XSA-23 / CVE-2012-4538. Signed-off-by: Tim Deegan Tested-by: Andrew Cooper Acked-by: Ian Campbell +Committed-by: Ian Jackson -Index: xen-4.2.0-testing/xen/arch/x86/mm/shadow/multi.c -=================================================================== ---- xen-4.2.0-testing.orig/xen/arch/x86/mm/shadow/multi.c -+++ xen-4.2.0-testing/xen/arch/x86/mm/shadow/multi.c +--- a/xen/arch/x86/mm/shadow/multi.c ++++ b/xen/arch/x86/mm/shadow/multi.c @@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc unsigned long gfn; mfn_t smfn, gmfn; diff --git a/CVE-2012-4539-xsa24.patch b/26151-gnttab-compat-get-status-frames.patch similarity index 72% rename from CVE-2012-4539-xsa24.patch rename to 26151-gnttab-compat-get-status-frames.patch index 3851920..fb6c2f1 100644 --- a/CVE-2012-4539-xsa24.patch +++ b/26151-gnttab-compat-get-status-frames.patch @@ -1,5 +1,10 @@ References: CVE-2012-4539 XSA-24 bnc#786520 +# HG changeset patch +# User Ian Jackson +# Date 1352893537 0 +# Node ID b64a7d868f06c730a444e990da1a4d816ce3f5dc +# Parent c7a01b6450e483ca839228bf1e1e44de692e3458 compat/gnttab: Prevent infinite loop in compat code c/s 20281:95ea2052b41b, which introduces Grant Table version 2 @@ -13,11 +18,10 @@ This is a security problem, XSA-24 / CVE-2012-4539. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich Acked-by: Ian Jackson +Committed-by: Ian Jackson -Index: xen-4.2.0-testing/xen/common/compat/grant_table.c -=================================================================== ---- xen-4.2.0-testing.orig/xen/common/compat/grant_table.c -+++ xen-4.2.0-testing/xen/common/compat/grant_table.c +--- a/xen/common/compat/grant_table.c ++++ b/xen/common/compat/grant_table.c @@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c #undef XLAT_gnttab_get_status_frames_HNDL_frame_list if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) ) diff --git a/26179-PCI-find-next-cap.patch b/26179-PCI-find-next-cap.patch new file mode 100644 index 0000000..8bf3e8c --- /dev/null +++ b/26179-PCI-find-next-cap.patch @@ -0,0 +1,59 @@ +# HG changeset patch +# User Jan Beulich +# Date 1353398311 -3600 +# Node ID ae6fb202b233af815466055d9f1a635802a50855 +# Parent 02b9d9a25feecd76d56143afa9bbb853fd01f602 +passthrough/PCI: replace improper uses of pci_find_next_cap() + +Using pci_find_next_cap() without prior pci_find_cap_offset() is bogus +(and possibly wrong, given that the latter doesn't check the +PCI_STATUS_CAP_LIST flag, which so far was checked in an open-coded way +only for the non-bridge case). + +Once at it, fold the two calls into one, as we need its result in any +case. + +Question is whether, without any caller left, pci_find_next_cap() +should be purged as well. + +Signed-off-by: Jan Beulich +Acked-by: Xiantao Zhang + +--- a/xen/drivers/passthrough/pci.c ++++ b/xen/drivers/passthrough/pci.c +@@ -565,16 +565,13 @@ void pci_release_devices(struct domain * + + int pdev_type(u16 seg, u8 bus, u8 devfn) + { +- u16 class_device; +- u16 status, creg; +- int pos; ++ u16 class_device, creg; + u8 d = PCI_SLOT(devfn), f = PCI_FUNC(devfn); ++ int pos = pci_find_cap_offset(seg, bus, d, f, PCI_CAP_ID_EXP); + + class_device = pci_conf_read16(seg, bus, d, f, PCI_CLASS_DEVICE); + if ( class_device == PCI_CLASS_BRIDGE_PCI ) + { +- pos = pci_find_next_cap(seg, bus, devfn, +- PCI_CAPABILITY_LIST, PCI_CAP_ID_EXP); + if ( !pos ) + return DEV_TYPE_LEGACY_PCI_BRIDGE; + creg = pci_conf_read16(seg, bus, d, f, pos + PCI_EXP_FLAGS); +@@ -582,15 +579,7 @@ int pdev_type(u16 seg, u8 bus, u8 devfn) + DEV_TYPE_PCIe2PCI_BRIDGE : DEV_TYPE_PCIe_BRIDGE; + } + +- status = pci_conf_read16(seg, bus, d, f, PCI_STATUS); +- if ( !(status & PCI_STATUS_CAP_LIST) ) +- return DEV_TYPE_PCI; +- +- if ( pci_find_next_cap(seg, bus, devfn, PCI_CAPABILITY_LIST, +- PCI_CAP_ID_EXP) ) +- return DEV_TYPE_PCIe_ENDPOINT; +- +- return DEV_TYPE_PCI; ++ return pos ? DEV_TYPE_PCIe_ENDPOINT : DEV_TYPE_PCI; + } + + /* diff --git a/26183-x86-HPET-masking.patch b/26183-x86-HPET-masking.patch new file mode 100644 index 0000000..c8cb5e0 --- /dev/null +++ b/26183-x86-HPET-masking.patch @@ -0,0 +1,88 @@ +# HG changeset patch +# User Jan Beulich +# Date 1353575003 -3600 +# Node ID c139ca92edca2fab8ec95deb7fd9e4246c3fe28d +# Parent af6b72a224e99a4a516fbc2eecc06ada569304e8 +x86/HPET: fix FSB interrupt masking + +HPET_TN_FSB is not really suitable for masking interrupts - it merely +switches between the two delivery methods. The right way of masking is +through the HPET_TN_ENABLE bit (which really is an interrupt enable, +not a counter enable or some such). This is even more so with certain +chip sets not even allowing HPET_TN_FSB to be cleared on some of the +channels. + +Further, all the setup of the channel should happen before actually +enabling the interrupt, which requires splitting legacy and FSB logic. + +Finally this also fixes an S3 resume problem (HPET_TN_FSB did not get +set in hpet_broadcast_resume(), and hpet_msi_unmask() doesn't get +called from the general resume code either afaict). + +Signed-off-by: Jan Beulich +Acked-by: Keir Fraser + +--- a/xen/arch/x86/hpet.c ++++ b/xen/arch/x86/hpet.c +@@ -236,7 +236,7 @@ static void hpet_msi_unmask(struct irq_d + struct hpet_event_channel *ch = desc->action->dev_id; + + cfg = hpet_read32(HPET_Tn_CFG(ch->idx)); +- cfg |= HPET_TN_FSB; ++ cfg |= HPET_TN_ENABLE; + hpet_write32(cfg, HPET_Tn_CFG(ch->idx)); + } + +@@ -246,7 +246,7 @@ static void hpet_msi_mask(struct irq_des + struct hpet_event_channel *ch = desc->action->dev_id; + + cfg = hpet_read32(HPET_Tn_CFG(ch->idx)); +- cfg &= ~HPET_TN_FSB; ++ cfg &= ~HPET_TN_ENABLE; + hpet_write32(cfg, HPET_Tn_CFG(ch->idx)); + } + +@@ -319,8 +319,14 @@ static void __hpet_setup_msi_irq(struct + static int __init hpet_setup_msi_irq(unsigned int irq, struct hpet_event_channel *ch) + { + int ret; ++ u32 cfg = hpet_read32(HPET_Tn_CFG(ch->idx)); + irq_desc_t *desc = irq_to_desc(irq); + ++ /* set HPET Tn as oneshot */ ++ cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC); ++ cfg |= HPET_TN_FSB | HPET_TN_32BIT; ++ hpet_write32(cfg, HPET_Tn_CFG(ch->idx)); ++ + desc->handler = &hpet_msi_type; + ret = request_irq(irq, hpet_interrupt_handler, 0, "HPET", ch); + if ( ret < 0 ) +@@ -541,11 +547,14 @@ void __init hpet_broadcast_init(void) + + for ( i = 0; i < n; i++ ) + { +- /* set HPET Tn as oneshot */ +- cfg = hpet_read32(HPET_Tn_CFG(hpet_events[i].idx)); +- cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC); +- cfg |= HPET_TN_ENABLE | HPET_TN_32BIT; +- hpet_write32(cfg, HPET_Tn_CFG(hpet_events[i].idx)); ++ if ( i == 0 && (cfg & HPET_CFG_LEGACY) ) ++ { ++ /* set HPET T0 as oneshot */ ++ cfg = hpet_read32(HPET_Tn_CFG(0)); ++ cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC); ++ cfg |= HPET_TN_ENABLE | HPET_TN_32BIT; ++ hpet_write32(cfg, HPET_Tn_CFG(0)); ++ } + + /* + * The period is a femto seconds value. We need to calculate the scaled +@@ -602,6 +611,8 @@ void hpet_broadcast_resume(void) + cfg = hpet_read32(HPET_Tn_CFG(hpet_events[i].idx)); + cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC); + cfg |= HPET_TN_ENABLE | HPET_TN_32BIT; ++ if ( !(hpet_events[i].flags & HPET_EVT_LEGACY) ) ++ cfg |= HPET_TN_FSB; + hpet_write32(cfg, HPET_Tn_CFG(hpet_events[i].idx)); + + hpet_events[i].next_event = STIME_MAX; diff --git a/26188-x86-time-scale-asm.patch b/26188-x86-time-scale-asm.patch new file mode 100644 index 0000000..5c720a4 --- /dev/null +++ b/26188-x86-time-scale-asm.patch @@ -0,0 +1,34 @@ +# HG changeset patch +# User Jan Beulich +# Date 1353946839 -3600 +# Node ID 16bf7f3069a77c8a15b785cfdb5f2f634661d7fc +# Parent 0049de3827bcfe3488dc6c7b7a60327a562aee5c +x86/time: fix scale_delta() inline assembly + +The way it was coded, it clobbered %rdx without telling the compiler. +This generally didn't cause any problems except when there are two back +to back invocations (as in plt_overflow()), as in that case the +compiler may validly assume that it can re-use for the second instance +the value loaded into %rdx before the first one. + +Once at it, also properly relax the second operand of "mul" (there's no +need for it to be in %rdx, or a register at all), and switch away from +using explicit register names in the instruction operands. + +Signed-off-by: Jan Beulich +Acked-by: Keir Fraser + +--- a/xen/arch/x86/time.c ++++ b/xen/arch/x86/time.c +@@ -142,8 +142,9 @@ static inline u64 scale_delta(u64 delta, + : "a" ((u32)delta), "1" ((u32)(delta >> 32)), "2" (scale->mul_frac) ); + #else + asm ( +- "mul %%rdx ; shrd $32,%%rdx,%%rax" +- : "=a" (product) : "0" (delta), "d" ((u64)scale->mul_frac) ); ++ "mul %2 ; shrd $32,%1,%0" ++ : "=a" (product), "=d" (delta) ++ : "rm" (delta), "0" ((u64)scale->mul_frac) ); + #endif + + return product; diff --git a/26189-xenstore-chmod.patch b/26189-xenstore-chmod.patch new file mode 100644 index 0000000..7fe1545 --- /dev/null +++ b/26189-xenstore-chmod.patch @@ -0,0 +1,85 @@ +# HG changeset patch +# Parent 8b93ac0c93f3fb8a140b4688ba71841ac927d4e3 +xenstore-chmod: handle arbitrary number of perms rather than MAX_PERMS constant + +Constant MAX_PERMS 16 is too small to use in some occasions, e.g. if +there are more than 16 domU(s) on one hypervisor (it's easy to +achieve) and one wants to do xenstore-chmod PATH to all domU(s). So, +remove MAX_PERMS limitation and make it as arbitrary number of perms. + +Signed-off-by: Chunyan Liu +Acked-by: Ian Campbell + +diff -r 8b93ac0c93f3 tools/xenstore/xenstore_client.c +--- a/tools/xenstore/xenstore_client.c Tue Nov 13 11:19:17 2012 +0000 ++++ b/tools/xenstore/xenstore_client.c Mon Nov 26 11:33:38 2012 +0800 +@@ -25,7 +25,6 @@ + #define PATH_SEP '/' + #define MAX_PATH_LEN 256 + +-#define MAX_PERMS 16 + + enum mode { + MODE_unknown, +@@ -407,44 +406,41 @@ perform(enum mode mode, int optind, int + output("%s\n", list[i]); + } + free(list); +- optind++; +- break; +- } +- case MODE_ls: { +- do_ls(xsh, argv[optind], 0, prefix); +- optind++; +- break; ++ optind++; ++ break; ++ } ++ case MODE_ls: { ++ do_ls(xsh, argv[optind], 0, prefix); ++ optind++; ++ break; + } + case MODE_chmod: { +- struct xs_permissions perms[MAX_PERMS]; +- int nperms = 0; + /* save path pointer: */ + char *path = argv[optind++]; +- for (; argv[optind]; optind++, nperms++) ++ int nperms = argc - optind; ++ struct xs_permissions perms[nperms]; ++ int i; ++ for (i = 0; argv[optind]; optind++, i++) + { +- if (MAX_PERMS <= nperms) +- errx(1, "Too many permissions specified. " +- "Maximum per invocation is %d.", MAX_PERMS); +- +- perms[nperms].id = atoi(argv[optind]+1); ++ perms[i].id = atoi(argv[optind]+1); + + switch (argv[optind][0]) + { + case 'n': +- perms[nperms].perms = XS_PERM_NONE; ++ perms[i].perms = XS_PERM_NONE; + break; + case 'r': +- perms[nperms].perms = XS_PERM_READ; ++ perms[i].perms = XS_PERM_READ; + break; + case 'w': +- perms[nperms].perms = XS_PERM_WRITE; ++ perms[i].perms = XS_PERM_WRITE; + break; + case 'b': +- perms[nperms].perms = XS_PERM_READ | XS_PERM_WRITE; ++ perms[i].perms = XS_PERM_READ | XS_PERM_WRITE; + break; + default: + errx(1, "Invalid permission specification: '%c'", +- argv[optind][0]); ++ argv[optind][0]); + } + } + diff --git a/CVE-2012-5510-xsa26.patch b/CVE-2012-5510-xsa26.patch new file mode 100644 index 0000000..57e7ac0 --- /dev/null +++ b/CVE-2012-5510-xsa26.patch @@ -0,0 +1,105 @@ +References: CVE-2012-5510 XSA-26 bnc#789945 + +gnttab: fix releasing of memory upon switches between versions + +gnttab_unpopulate_status_frames() incompletely freed the pages +previously used as status frame in that they did not get removed from +the domain's xenpage_list, thus causing subsequent list corruption +when those pages did get allocated again for the same or another purpose. + +Similarly, grant_table_create() and gnttab_grow_table() both improperly +clean up in the event of an error - pages already shared with the guest +can't be freed by just passing them to free_xenheap_page(). Fix this by +sharing the pages only after all allocations succeeded. + +This is CVE-2012-5510 / XSA-26. + +Signed-off-by: Jan Beulich +Acked-by: Ian Campbell + +--- a/xen/common/grant_table.c ++++ b/xen/common/grant_table.c +@@ -1170,12 +1170,13 @@ fault: + } + + static int +-gnttab_populate_status_frames(struct domain *d, struct grant_table *gt) ++gnttab_populate_status_frames(struct domain *d, struct grant_table *gt, ++ unsigned int req_nr_frames) + { + unsigned i; + unsigned req_status_frames; + +- req_status_frames = grant_to_status_frames(gt->nr_grant_frames); ++ req_status_frames = grant_to_status_frames(req_nr_frames); + for ( i = nr_status_frames(gt); i < req_status_frames; i++ ) + { + if ( (gt->status[i] = alloc_xenheap_page()) == NULL ) +@@ -1206,7 +1207,12 @@ gnttab_unpopulate_status_frames(struct d + + for ( i = 0; i < nr_status_frames(gt); i++ ) + { +- page_set_owner(virt_to_page(gt->status[i]), dom_xen); ++ struct page_info *pg = virt_to_page(gt->status[i]); ++ ++ BUG_ON(page_get_owner(pg) != d); ++ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) ) ++ put_page(pg); ++ BUG_ON(pg->count_info & ~PGC_xen_heap); + free_xenheap_page(gt->status[i]); + gt->status[i] = NULL; + } +@@ -1244,19 +1250,18 @@ gnttab_grow_table(struct domain *d, unsi + clear_page(gt->shared_raw[i]); + } + +- /* Share the new shared frames with the recipient domain */ +- for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) +- gnttab_create_shared_page(d, gt, i); +- +- gt->nr_grant_frames = req_nr_frames; +- + /* Status pages - version 2 */ + if (gt->gt_version > 1) + { +- if ( gnttab_populate_status_frames(d, gt) ) ++ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) ) + goto shared_alloc_failed; + } + ++ /* Share the new shared frames with the recipient domain */ ++ for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) ++ gnttab_create_shared_page(d, gt, i); ++ gt->nr_grant_frames = req_nr_frames; ++ + return 1; + + shared_alloc_failed: +@@ -2154,7 +2159,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gntt + + if ( op.version == 2 && gt->gt_version < 2 ) + { +- res = gnttab_populate_status_frames(d, gt); ++ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt)); + if ( res < 0) + goto out_unlock; + } +@@ -2597,14 +2602,15 @@ grant_table_create( + clear_page(t->shared_raw[i]); + } + +- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) +- gnttab_create_shared_page(d, t, i); +- + /* Status pages for grant table - for version 2 */ + t->status = xzalloc_array(grant_status_t *, + grant_to_status_frames(max_nr_grant_frames)); + if ( t->status == NULL ) + goto no_mem_4; ++ ++ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) ++ gnttab_create_shared_page(d, t, i); ++ + t->nr_status_frames = 0; + + /* Okay, install the structure. */ diff --git a/CVE-2012-5511-xsa27.patch b/CVE-2012-5511-xsa27.patch new file mode 100644 index 0000000..8ff2ec6 --- /dev/null +++ b/CVE-2012-5511-xsa27.patch @@ -0,0 +1,136 @@ +References: CVE-2012-5511 XSA-27 bnc#789944 + +hvm: Limit the size of large HVM op batches + +Doing large p2m updates for HVMOP_track_dirty_vram without preemption +ties up the physical processor. Integrating preemption into the p2m +updates is hard so simply limit to 1GB which is sufficient for a 15000 +* 15000 * 32bpp framebuffer. + +For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the +necessary machinery to handle preemption. + +This is CVE-2012-5511 / XSA-27. + +Signed-off-by: Tim Deegan +Signed-off-by: Ian Campbell +Acked-by: Ian Jackson + +v2: Provide definition of GB to fix x86-32 compile. + +Signed-off-by: Jan Beulich +Acked-by: Ian Jackson + + +--- a/xen/arch/x86/hvm/hvm.c ++++ b/xen/arch/x86/hvm/hvm.c +@@ -4033,6 +4033,9 @@ long do_hvm_op(unsigned long op, XEN_GUE + if ( !is_hvm_domain(d) ) + goto param_fail2; + ++ if ( a.nr > GB(1) >> PAGE_SHIFT ) ++ goto param_fail2; ++ + rc = xsm_hvm_param(d, op); + if ( rc ) + goto param_fail2; +@@ -4059,7 +4062,6 @@ long do_hvm_op(unsigned long op, XEN_GUE + { + struct xen_hvm_modified_memory a; + struct domain *d; +- unsigned long pfn; + + if ( copy_from_guest(&a, arg, 1) ) + return -EFAULT; +@@ -4086,9 +4088,11 @@ long do_hvm_op(unsigned long op, XEN_GUE + if ( !paging_mode_log_dirty(d) ) + goto param_fail3; + +- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) ++ while ( a.nr > 0 ) + { ++ unsigned long pfn = a.first_pfn; + struct page_info *page; ++ + page = get_page_from_gfn(d, pfn, NULL, P2M_UNSHARE); + if ( page ) + { +@@ -4098,6 +4102,19 @@ long do_hvm_op(unsigned long op, XEN_GUE + sh_remove_shadows(d->vcpu[0], _mfn(page_to_mfn(page)), 1, 0); + put_page(page); + } ++ ++ a.first_pfn++; ++ a.nr--; ++ ++ /* Check for continuation if it's not the last interation */ ++ if ( a.nr > 0 && hypercall_preempt_check() ) ++ { ++ if ( copy_to_guest(arg, &a, 1) ) ++ rc = -EFAULT; ++ else ++ rc = -EAGAIN; ++ break; ++ } + } + + param_fail3: +@@ -4153,7 +4170,6 @@ long do_hvm_op(unsigned long op, XEN_GUE + { + struct xen_hvm_set_mem_type a; + struct domain *d; +- unsigned long pfn; + + /* Interface types to internal p2m types */ + p2m_type_t memtype[] = { +@@ -4186,8 +4202,9 @@ long do_hvm_op(unsigned long op, XEN_GUE + if ( a.hvmmem_type >= ARRAY_SIZE(memtype) ) + goto param_fail4; + +- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) ++ while ( a.nr ) + { ++ unsigned long pfn = a.first_pfn; + p2m_type_t t; + p2m_type_t nt; + mfn_t mfn; +@@ -4227,6 +4244,19 @@ long do_hvm_op(unsigned long op, XEN_GUE + } + } + put_gfn(d, pfn); ++ ++ a.first_pfn++; ++ a.nr--; ++ ++ /* Check for continuation if it's not the last interation */ ++ if ( a.nr > 0 && hypercall_preempt_check() ) ++ { ++ if ( copy_to_guest(arg, &a, 1) ) ++ rc = -EFAULT; ++ else ++ rc = -EAGAIN; ++ goto param_fail4; ++ } + } + + rc = 0; +--- a/xen/include/asm-x86/config.h ++++ b/xen/include/asm-x86/config.h +@@ -119,6 +119,9 @@ extern char wakeup_start[]; + extern unsigned int video_mode, video_flags; + extern unsigned short boot_edid_caps; + extern unsigned char boot_edid_info[128]; ++ ++#define GB(_gb) (_gb ## UL << 30) ++ + #endif + + #define asmlinkage +@@ -134,7 +137,6 @@ extern unsigned char boot_edid_info[128] + #define PML4_ADDR(_slot) \ + ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \ + (_slot ## UL << PML4_ENTRY_BITS)) +-#define GB(_gb) (_gb ## UL << 30) + #else + #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS) + #define PML4_ADDR(_slot) \ diff --git a/CVE-2012-5513-xsa29.patch b/CVE-2012-5513-xsa29.patch new file mode 100644 index 0000000..3fd7c69 --- /dev/null +++ b/CVE-2012-5513-xsa29.patch @@ -0,0 +1,47 @@ +References: CVE-2012-5513 XSA-29 bnc#789951 + +xen: add missing guest address range checks to XENMEM_exchange handlers + +Ever since its existence (3.0.3 iirc) the handler for this has been +using non address range checking guest memory accessors (i.e. +the ones prefixed with two underscores) without first range +checking the accessed space (via guest_handle_okay()), allowing +a guest to access and overwrite hypervisor memory. + +This is XSA-29 / CVE-2012-5513. + +Signed-off-by: Jan Beulich +Acked-by: Ian Campbell +Acked-by: Ian Jackson + +--- a/xen/common/compat/memory.c ++++ b/xen/common/compat/memory.c +@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, X + (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) ) + return -EINVAL; + ++ if ( !compat_handle_okay(cmp.xchg.in.extent_start, ++ cmp.xchg.in.nr_extents) || ++ !compat_handle_okay(cmp.xchg.out.extent_start, ++ cmp.xchg.out.nr_extents) ) ++ return -EFAULT; ++ + start_extent = cmp.xchg.nr_exchanged; + end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) / + (((1U << ABS(order_delta)) + 1) * +--- a/xen/common/memory.c ++++ b/xen/common/memory.c +@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HA + goto fail_early; + } + ++ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || ++ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) ++ { ++ rc = -EFAULT; ++ goto fail_early; ++ } ++ + /* Only privileged guests can allocate multi-page contiguous extents. */ + if ( !multipage_allocation_permitted(current->domain, + exch.in.extent_order) || diff --git a/CVE-2012-5514-xsa30.patch b/CVE-2012-5514-xsa30.patch new file mode 100644 index 0000000..70b5650 --- /dev/null +++ b/CVE-2012-5514-xsa30.patch @@ -0,0 +1,57 @@ +References: CVE-2012-5514 XSA-30 bnc#789948 + +fix error handling of guest_physmap_mark_populate_on_demand() + +The only user of the "out" label bypasses a necessary unlock, thus +enabling the caller to lock up Xen. + +Also, the function was never meant to be called by a guest for itself, +so rather than inspecting the code paths in depth for potential other +problems this might cause, and adjusting e.g. the non-guest printk() +in the above error path, just disallow the guest access to it. + +Finally, the printk() (considering its potential of spamming the log, +the more that it's not using XENLOG_GUEST), is being converted to +P2M_DEBUG(), as debugging is what it apparently was added for in the +first place. + +This is XSA-30 / CVE-2012-5514. + +Signed-off-by: Jan Beulich +Acked-by: Ian Campbell +Acked-by: George Dunlap +Acked-by: Ian Jackson + +--- a/xen/arch/x86/mm/p2m-pod.c ++++ b/xen/arch/x86/mm/p2m-pod.c +@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st + mfn_t omfn; + int rc = 0; + ++ if ( !IS_PRIV_FOR(current->domain, d) ) ++ return -EPERM; ++ + if ( !paging_mode_translate(d) ) + return -EINVAL; + +@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st + omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL); + if ( p2m_is_ram(ot) ) + { +- printk("%s: gfn_to_mfn returned type %d!\n", +- __func__, ot); ++ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot); + rc = -EBUSY; + goto out; + } +@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st + pod_unlock(p2m); + } + ++out: + gfn_unlock(p2m, gfn, order); + +-out: + return rc; + } + diff --git a/CVE-2012-5515-xsa31.patch b/CVE-2012-5515-xsa31.patch new file mode 100644 index 0000000..f4e6fc6 --- /dev/null +++ b/CVE-2012-5515-xsa31.patch @@ -0,0 +1,50 @@ +References: CVE-2012-5515 XSA-31 bnc#789950 + +memop: limit guest specified extent order + +Allowing unbounded order values here causes almost unbounded loops +and/or partially incomplete requests, particularly in PoD code. + +The added range checks in populate_physmap(), decrease_reservation(), +and the "in" one in memory_exchange() architecturally all could use +PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to +MAX_ORDER. + +This is XSA-31 / CVE-2012-5515. + +Signed-off-by: Jan Beulich +Acked-by: Tim Deegan +Acked-by: Ian Jackson + +--- a/xen/common/memory.c ++++ b/xen/common/memory.c +@@ -115,7 +115,8 @@ static void populate_physmap(struct memo + + if ( a->memflags & MEMF_populate_on_demand ) + { +- if ( guest_physmap_mark_populate_on_demand(d, gpfn, ++ if ( a->extent_order > MAX_ORDER || ++ guest_physmap_mark_populate_on_demand(d, gpfn, + a->extent_order) < 0 ) + goto out; + } +@@ -235,7 +236,8 @@ static void decrease_reservation(struct + xen_pfn_t gmfn; + + if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, +- a->nr_extents-1) ) ++ a->nr_extents-1) || ++ a->extent_order > MAX_ORDER ) + return; + + for ( i = a->nr_done; i < a->nr_extents; i++ ) +@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HA + if ( (exch.nr_exchanged > exch.in.nr_extents) || + /* Input and output domain identifiers match? */ + (exch.in.domid != exch.out.domid) || ++ /* Extent orders are sensible? */ ++ (exch.in.extent_order > MAX_ORDER) || ++ (exch.out.extent_order > MAX_ORDER) || + /* Sizes of input and output lists do not overflow a long? */ + ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) || + ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) || diff --git a/CVE-2012-5525-xsa32.patch b/CVE-2012-5525-xsa32.patch new file mode 100644 index 0000000..9722c07 --- /dev/null +++ b/CVE-2012-5525-xsa32.patch @@ -0,0 +1,22 @@ +References: CVE-2012-5525 XSA-32 bnc#789952 + +x86: get_page_from_gfn() must return NULL for invalid GFNs + +... also in the non-translated case. + +This is XSA-32 / CVE-2012-5525. + +Signed-off-by: Jan Beulich +Acked-by: Tim Deegan + +--- a/xen/include/asm-x86/p2m.h ++++ b/xen/include/asm-x86/p2m.h +@@ -400,7 +400,7 @@ static inline struct page_info *get_page + if (t) + *t = p2m_ram_rw; + page = __mfn_to_page(gfn); +- return get_page(page, d) ? page : NULL; ++ return mfn_valid(gfn) && get_page(page, d) ? page : NULL; + } + + diff --git a/reverse-24757-use-grant-references.patch b/reverse-24757-use-grant-references.patch new file mode 100644 index 0000000..96d000d --- /dev/null +++ b/reverse-24757-use-grant-references.patch @@ -0,0 +1,145 @@ +Reverse c/s 24757. Breaks booting NetWare. + +# HG changeset patch +# User Alex Zeffertt +# Date 1328812412 0 +# Node ID aae516b78fce679f9c367231b7a3891814fcfdbb +# Parent 585caf50a9260d3fc6a4ece0450d10d34e73489f + +xenstored: use grant references instead of map_foreign_range + +make xenstored use grantref rather than map_foreign_range (which can +only be used by privileged domains) + +This patch modifies the xenstore daemon to use xc_gnttab_map_grant_ref +instead of xc_map_foreign_range where available. + +Previous versions of this patch have been sent to xen-devel. See +http://lists.xensource.com/archives/html/xen-devel/2008-07/msg00610.html +http://lists.xensource.com/archives/html/xen-devel/2009-03/msg01492.html + +Signed-off-by: Diego Ongaro +Signed-off-by: Alex Zeffertt +Signed-off-by: Daniel De Graaf +Acked-by: Ian Campbell +Cc: Ian Jackson +Cc: Stefano Stabellini +Committed-by: Ian Jackson + +Index: xen-4.2.0-testing/tools/xenstore/xenstored_domain.c +=================================================================== +--- xen-4.2.0-testing.orig/tools/xenstore/xenstored_domain.c ++++ xen-4.2.0-testing/tools/xenstore/xenstored_domain.c +@@ -32,10 +32,8 @@ + #include "xenstored_watch.h" + + #include +-#include + + static xc_interface **xc_handle; +-xc_gnttab **xcg_handle; + static evtchn_port_t virq_port; + + xc_evtchn *xce_handle = NULL; +@@ -165,26 +163,6 @@ static int readchn(struct connection *co + return len; + } + +-static void *map_interface(domid_t domid, unsigned long mfn) +-{ +- if (*xcg_handle != NULL) { +- /* this is the preferred method */ +- return xc_gnttab_map_grant_ref(*xcg_handle, domid, +- GNTTAB_RESERVED_XENSTORE, PROT_READ|PROT_WRITE); +- } else { +- return xc_map_foreign_range(*xc_handle, domid, +- getpagesize(), PROT_READ|PROT_WRITE, mfn); +- } +-} +- +-static void unmap_interface(void *interface) +-{ +- if (*xcg_handle != NULL) +- xc_gnttab_munmap(*xcg_handle, interface, 1); +- else +- munmap(interface, getpagesize()); +-} +- + static int destroy_domain(void *_domain) + { + struct domain *domain = _domain; +@@ -196,14 +174,8 @@ static int destroy_domain(void *_domain) + eprintf("> Unbinding port %i failed!\n", domain->port); + } + +- if (domain->interface) { +- /* Domain 0 was mapped by dom0_init, so it must be unmapped +- using munmap() and not the grant unmap call. */ +- if (domain->domid == 0) +- unmap_xenbus(domain->interface); +- else +- unmap_interface(domain->interface); +- } ++ if (domain->interface) ++ munmap(domain->interface, getpagesize()); + + fire_watches(NULL, "@releaseDomain", false); + +@@ -372,7 +344,9 @@ void do_introduce(struct connection *con + domain = find_domain_by_domid(domid); + + if (domain == NULL) { +- interface = map_interface(domid, mfn); ++ interface = xc_map_foreign_range( ++ *xc_handle, domid, ++ getpagesize(), PROT_READ|PROT_WRITE, mfn); + if (!interface) { + send_error(conn, errno); + return; +@@ -380,7 +354,7 @@ void do_introduce(struct connection *con + /* Hang domain off "in" until we're finished. */ + domain = new_domain(in, domid, port); + if (!domain) { +- unmap_interface(interface); ++ munmap(interface, getpagesize()); + send_error(conn, errno); + return; + } +@@ -572,18 +546,6 @@ void do_reset_watches(struct connection + send_ack(conn, XS_RESET_WATCHES); + } + +-static int close_xc_handle(void *_handle) +-{ +- xc_interface_close(*(xc_interface**)_handle); +- return 0; +-} +- +-static int close_xcg_handle(void *_handle) +-{ +- xc_gnttab_close(*(xc_gnttab **)_handle); +- return 0; +-} +- + /* Returns the implicit path of a connection (only domains have this) */ + const char *get_implicit_path(const struct connection *conn) + { +@@ -633,18 +595,6 @@ void domain_init(void) + if (!*xc_handle) + barf_perror("Failed to open connection to hypervisor"); + +- talloc_set_destructor(xc_handle, close_xc_handle); +- +- xcg_handle = talloc(talloc_autofree_context(), xc_gnttab*); +- if (!xcg_handle) +- barf_perror("Failed to allocate domain gnttab handle"); +- +- *xcg_handle = xc_gnttab_open(NULL, 0); +- if (*xcg_handle < 0) +- xprintf("WARNING: Failed to open connection to gnttab\n"); +- else +- talloc_set_destructor(xcg_handle, close_xcg_handle); +- + xce_handle = xc_evtchn_open(NULL, 0); + + if (xce_handle == NULL) diff --git a/xen-max-free-mem.diff b/xen-max-free-mem.diff index 2c17d03..7d5a0e5 100644 --- a/xen-max-free-mem.diff +++ b/xen-max-free-mem.diff @@ -71,7 +71,7 @@ Index: xen-4.2.0-testing/tools/python/xen/xend/balloon.py +def get_dom0_min_target(): + """Returns the minimum amount of memory (in KiB) that dom0 will accept.""" + -+ kb = _get_proc_balloon(labels['min-target']) ++ kb = _get_proc_balloon('min-target') + if kb == None: + raise VmError('Failed to query minimum target memory allocation of dom0.') + return kb @@ -80,7 +80,7 @@ Index: xen-4.2.0-testing/tools/python/xen/xend/balloon.py + """Returns the maximum amount of memory (in KiB) that is potentially + visible to dom0.""" + -+ kb = _get_proc_balloon(labels['max-target']) ++ kb = _get_proc_balloon('max-target') + if kb == None: + raise VmError('Failed to query maximum target memory allocation of dom0.') + return kb @@ -133,3 +133,16 @@ Index: xen-4.2.0-testing/tools/python/xen/xend/server/SrvDomain.py [['target', 'int']], req) +Index: xen-4.2.0-testing/tools/python/xen/xend/osdep.py +=================================================================== +--- xen-4.2.0-testing.orig/tools/python/xen/xend/osdep.py ++++ xen-4.2.0-testing/tools/python/xen/xend/osdep.py +@@ -42,6 +42,8 @@ def _linux_balloon_stat_proc(label): + + xend2linux_labels = { 'current' : 'Current allocation', + 'target' : 'Requested target', ++ 'min-target' : 'Minimum target', ++ 'max-target' : 'Maximum target', + 'low-balloon' : 'Low-mem balloon', + 'high-balloon' : 'High-mem balloon', + 'limit' : 'Xen hard limit' } diff --git a/xen.changes b/xen.changes index 3ed04e7..99db64c 100644 --- a/xen.changes +++ b/xen.changes @@ -1,3 +1,49 @@ +------------------------------------------------------------------- +Thu Dec 6 10:56:26 MST 2012 - carnold@novell.com + +- NetWare will not boot or install on Xen 4.2 + reverse-24757-use-grant-references.patch + +------------------------------------------------------------------- +Fri Nov 30 10:30:10 CST 2012 - cyliu@suse.com + +- fate#313222 - xenstore-chmod should support 256 permissions + 26189-xenstore-chmod.patch + +------------------------------------------------------------------- +Tue Nov 27 09:17:17 MST 2012 - carnold@novell.com + +- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version + switch list corruption vulnerability (XSA-26) + CVE-2012-5510-xsa26.patch +- bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do + not validate the range of their inputs (XSA-27) + CVE-2012-5511-xsa27.patch +- bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may + overwrite hypervisor memory (XSA-29) + CVE-2012-5513-xsa29.patch +- bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in + guest_physmap_mark_populate_on_demand() (XSA-30) + CVE-2012-5514-xsa30.patch +- bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall + operations allow invalid extent order values (XSA-31) + CVE-2012-5515-xsa31.patch +- bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not + validate input GFNs (XSA-32) + CVE-2012-5525-xsa32.patch +- Upstream patches from Jan + 26129-ACPI-BGRT-invalidate.patch + 26132-tmem-save-NULL-check.patch + 26134-x86-shadow-invlpg-check.patch + 26139-cpumap-masking.patch + 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) + 26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch) + 26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch) + 26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch) + 26179-PCI-find-next-cap.patch + 26183-x86-HPET-masking.patch + 26188-x86-time-scale-asm.patch + ------------------------------------------------------------------- Wed Nov 21 20:57:56 CET 2012 - ohering@suse.de @@ -15,6 +61,19 @@ Tue Nov 13 16:35:55 MST 2012 - jfehlig@suse.com - bnc#777628 - guest "disappears" after live migration Updated block-dmmd script +------------------------------------------------------------------- +Fri Nov 9 10:29:51 MST 2012 - carnold@novell.com + +- Fix exception in balloon.py and osdep.py + xen-max-free-mem.diff + +------------------------------------------------------------------- +Tue Nov 6 17:41:34 MDT 2012 - carnold@novell.com + +- fate#311966: Fix XEN VNC implementation to correctly map keyboard + layouts + VNC-Support-for-ExtendedKeyEvent-client-message.patch + ------------------------------------------------------------------- Tue Oct 30 15:28:27 CET 2012 - ohering@suse.de diff --git a/xen.spec b/xen.spec index c610f7e..6d02f15 100644 --- a/xen.spec +++ b/xen.spec @@ -114,7 +114,7 @@ BuildRequires: kernel-syms BuildRequires: module-init-tools BuildRequires: xorg-x11 %endif -Version: 4.2.0_03 +Version: 4.2.0_04 Release: 0 PreReq: %insserv_prereq %fillup_prereq Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) @@ -232,11 +232,25 @@ Patch26096: 26096-SVM-nested-vmexit-emul.patch Patch26098: 26098-perfc-build.patch Patch26102: 26102-x86-IOAPIC-legacy-not-first.patch Patch26114: 26114-pygrub-list-entries.patch -Patch20: CVE-2012-4535-xsa20.patch -Patch22: CVE-2012-4537-xsa22.patch -Patch23: CVE-2012-4538-xsa23.patch -Patch24: CVE-2012-4539-xsa24.patch +Patch26129: 26129-ACPI-BGRT-invalidate.patch +Patch26132: 26132-tmem-save-NULL-check.patch +Patch26134: 26134-x86-shadow-invlpg-check.patch +Patch26139: 26139-cpumap-masking.patch +Patch26148: 26148-vcpu-timer-overflow.patch +Patch26149: 26149-x86-p2m-physmap-error-path.patch +Patch26150: 26150-x86-shadow-unhook-toplevel-check.patch +Patch26151: 26151-gnttab-compat-get-status-frames.patch +Patch26179: 26179-PCI-find-next-cap.patch +Patch26183: 26183-x86-HPET-masking.patch +Patch26188: 26188-x86-time-scale-asm.patch +Patch26189: 26189-xenstore-chmod.patch Patch25: CVE-2012-4544-xsa25.patch +Patch26: CVE-2012-5510-xsa26.patch +Patch27: CVE-2012-5511-xsa27.patch +Patch29: CVE-2012-5513-xsa29.patch +Patch30: CVE-2012-5514-xsa30.patch +Patch31: CVE-2012-5515-xsa31.patch +Patch32: CVE-2012-5525-xsa32.patch # Upstream qemu patches Patch100: VNC-Support-for-ExtendedKeyEvent-client-message.patch # Our patches @@ -330,6 +344,7 @@ Patch458: ipxe-enable-nics.patch Patch459: blktap-close-fifos.patch Patch460: blktap-disable-debug-printf.patch Patch461: xen-glibc217.patch +Patch462: reverse-24757-use-grant-references.patch # Jim's domain lock patch Patch480: xend-domain-lock.patch Patch481: xend-domain-lock-sfex.patch @@ -758,11 +773,25 @@ tar xfj %{SOURCE6} -C $RPM_BUILD_DIR/%{xen_build_dir}/tools %patch26098 -p1 %patch26102 -p1 %patch26114 -p1 -%patch20 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 +%patch26129 -p1 +%patch26132 -p1 +%patch26134 -p1 +%patch26139 -p1 +%patch26148 -p1 +%patch26149 -p1 +%patch26150 -p1 +%patch26151 -p1 +%patch26179 -p1 +%patch26183 -p1 +%patch26188 -p1 +%patch26189 -p1 %patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 # Qemu %patch100 -p1 # Our patches @@ -853,6 +882,7 @@ tar xfj %{SOURCE6} -C $RPM_BUILD_DIR/%{xen_build_dir}/tools %patch459 -p1 %patch460 -p1 %patch461 -p1 +%patch462 -p1 %patch480 -p1 %patch481 -p1 %patch500 -p1