From 66e0c5e2976efeb7ae6f5a40a3e2e74828a1336e52b9a7e86bbe9cff4243eec1 Mon Sep 17 00:00:00 2001 From: Charles Arnold Date: Thu, 1 May 2014 03:35:21 +0000 Subject: [PATCH] - When the xl command is used, check to see if the domain being modified is managed by libvirt and print warning if it is. xl-check-for-libvirt-managed-domain.patch - Upstream patches from Jan 53455585-x86-AMD-feature-masking-is-unavailable-on-Fam11.patch 5346a7a0-x86-AMD-support-further-feature-masking-MSRs.patch 534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch 534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch 53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch 5357baff-x86-add-missing-break-in-dom0_pit_access.patch - XSA-92 xsa92.patch - Add # needssslcertforbuild to use the project's certificate when building in a home project. (bnc#872354) OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=312 --- ...ture-masking-is-unavailable-on-Fam11.patch | 31 ++++ ...support-further-feature-masking-MSRs.patch | 175 ++++++++++++++++++ ...ed-HAP-don-t-BUG-on-legitimate-error.patch | 24 +++ ...g-a-present-1G-or-intermediate-entry.patch | 23 +++ ...workaround-for-insecure-Dom0-kernels.patch | 82 ++++++++ ...add-missing-break-in-dom0_pit_access.patch | 21 +++ xen.changes | 26 +++ xen.spec | 20 +- xl-check-for-libvirt-managed-domain.patch | 68 +++++++ xsa92.patch | 36 ++++ 10 files changed, 505 insertions(+), 1 deletion(-) create mode 100644 53455585-x86-AMD-feature-masking-is-unavailable-on-Fam11.patch create mode 100644 5346a7a0-x86-AMD-support-further-feature-masking-MSRs.patch create mode 100644 534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch create mode 100644 534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch create mode 100644 53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch create mode 100644 5357baff-x86-add-missing-break-in-dom0_pit_access.patch create mode 100644 xl-check-for-libvirt-managed-domain.patch create mode 100644 xsa92.patch diff --git a/53455585-x86-AMD-feature-masking-is-unavailable-on-Fam11.patch b/53455585-x86-AMD-feature-masking-is-unavailable-on-Fam11.patch new file mode 100644 index 0000000..a112808 --- /dev/null +++ b/53455585-x86-AMD-feature-masking-is-unavailable-on-Fam11.patch @@ -0,0 +1,31 @@ +# Commit 70e79fad6dc6f533ff83ee23b8d13de5a696d896 +# Date 2014-04-09 16:13:25 +0200 +# Author Jan Beulich +# Committer Jan Beulich +x86/AMD: feature masking is unavailable on Fam11 + +Reported-by: Aravind Gopalakrishnan +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- a/xen/arch/x86/cpu/amd.c ++++ b/xen/arch/x86/cpu/amd.c +@@ -107,6 +107,10 @@ static void __devinit set_cpuidmask(cons + ASSERT((status == not_parsed) && (smp_processor_id() == 0)); + status = no_mask; + ++ /* Fam11 doesn't support masking at all. */ ++ if (c->x86 == 0x11) ++ return; ++ + if (~(opt_cpuid_mask_ecx & opt_cpuid_mask_edx & + opt_cpuid_mask_ext_ecx & opt_cpuid_mask_ext_edx)) { + feat_ecx = opt_cpuid_mask_ecx; +@@ -176,7 +180,6 @@ static void __devinit set_cpuidmask(cons + extfeat_ecx, extfeat_edx); + + setmask: +- /* FIXME check if processor supports CPUID masking */ + /* AMD processors prior to family 10h required a 32-bit password */ + if (c->x86 >= 0x10) { + wrmsr(MSR_K8_FEATURE_MASK, feat_edx, feat_ecx); diff --git a/5346a7a0-x86-AMD-support-further-feature-masking-MSRs.patch b/5346a7a0-x86-AMD-support-further-feature-masking-MSRs.patch new file mode 100644 index 0000000..9b91a35 --- /dev/null +++ b/5346a7a0-x86-AMD-support-further-feature-masking-MSRs.patch @@ -0,0 +1,175 @@ +# Commit e74de9c0b19f9bd16d658a96bf6c9ab9a2a639e9 +# Date 2014-04-10 16:16:00 +0200 +# Author Jan Beulich +# Committer Jan Beulich +x86/AMD: support further feature masking MSRs + +Newer AMD CPUs also allow masking CPUID leaf 6 ECX and CPUID leaf 7 +sub-leaf 0 EAX and EBX. + +Signed-off-by: Jan Beulich +Reviewed-by: Aravind Gopalakrishnan + +--- a/docs/misc/xen-command-line.markdown ++++ b/docs/misc/xen-command-line.markdown +@@ -320,24 +320,42 @@ Indicate where the responsibility for dr + ### cpuid\_mask\_cpu (AMD only) + > `= fam_0f_rev_c | fam_0f_rev_d | fam_0f_rev_e | fam_0f_rev_f | fam_0f_rev_g | fam_10_rev_b | fam_10_rev_c | fam_11_rev_b` + +-If the other **cpuid\_mask\_{,ext\_}e{c,d}x** options are fully set +-(unspecified on the command line), specify a pre-canned cpuid mask to +-mask the current processor down to appear as the specified processor. +-It is important to ensure that all hosts in a pool appear the same to +-guests to allow successful live migration. ++If the other **cpuid\_mask\_{,ext\_,thermal\_,l7s0\_}e{a,b,c,d}x** ++options are fully set (unspecified on the command line), specify a ++pre-canned cpuid mask to mask the current processor down to appear as ++the specified processor. It is important to ensure that all hosts in a ++pool appear the same to guests to allow successful live migration. + +-### cpuid\_mask\_ ecx,edx,ext\_ecx,ext\_edx,xsave_eax ++### cpuid\_mask\_{{,ext\_}ecx,edx} + > `= ` + + > Default: `~0` (all bits set) + +-These five command line parameters are used to specify cpuid masks to ++These four command line parameters are used to specify cpuid masks to + help with cpuid levelling across a pool of hosts. Setting a bit in + the mask indicates that the feature should be enabled, while clearing + a bit in the mask indicates that the feature should be disabled. It + is important to ensure that all hosts in a pool appear the same to + guests to allow successful live migration. + ++### cpuid\_mask\_xsave\_eax (Intel only) ++> `= ` ++ ++> Default: `~0` (all bits set) ++ ++This command line parameter is also used to specify a cpuid mask to ++help with cpuid levelling across a pool of hosts. See the description ++of the other respective options above. ++ ++### cpuid\_mask\_{l7s0\_{eax,ebx},thermal\_ecx} (AMD only) ++> `= ` ++ ++> Default: `~0` (all bits set) ++ ++These three command line parameters are also used to specify cpuid ++masks to help with cpuid levelling across a pool of hosts. See the ++description of the other respective options above. ++ + ### cpuidle + > `= ` + +--- a/xen/arch/x86/cpu/amd.c ++++ b/xen/arch/x86/cpu/amd.c +@@ -30,9 +30,17 @@ + * "fam_10_rev_c" + * "fam_11_rev_b" + */ +-static char opt_famrev[14]; ++static char __initdata opt_famrev[14]; + string_param("cpuid_mask_cpu", opt_famrev); + ++static unsigned int __initdata opt_cpuid_mask_l7s0_eax = ~0u; ++integer_param("cpuid_mask_l7s0_eax", opt_cpuid_mask_l7s0_eax); ++static unsigned int __initdata opt_cpuid_mask_l7s0_ebx = ~0u; ++integer_param("cpuid_mask_l7s0_ebx", opt_cpuid_mask_l7s0_ebx); ++ ++static unsigned int __initdata opt_cpuid_mask_thermal_ecx = ~0u; ++integer_param("cpuid_mask_thermal_ecx", opt_cpuid_mask_thermal_ecx); ++ + /* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */ + s8 __read_mostly opt_allow_unsafe; + boolean_param("allow_unsafe", opt_allow_unsafe); +@@ -96,7 +104,11 @@ static void __devinit set_cpuidmask(cons + { + static unsigned int feat_ecx, feat_edx; + static unsigned int extfeat_ecx, extfeat_edx; ++ static unsigned int l7s0_eax, l7s0_ebx; ++ static unsigned int thermal_ecx; ++ static bool_t skip_l7s0_eax_ebx, skip_thermal_ecx; + static enum { not_parsed, no_mask, set_mask } status; ++ unsigned int eax, ebx, ecx, edx; + + if (status == no_mask) + return; +@@ -104,7 +116,7 @@ static void __devinit set_cpuidmask(cons + if (status == set_mask) + goto setmask; + +- ASSERT((status == not_parsed) && (smp_processor_id() == 0)); ++ ASSERT((status == not_parsed) && (c == &boot_cpu_data)); + status = no_mask; + + /* Fam11 doesn't support masking at all. */ +@@ -112,11 +124,16 @@ static void __devinit set_cpuidmask(cons + return; + + if (~(opt_cpuid_mask_ecx & opt_cpuid_mask_edx & +- opt_cpuid_mask_ext_ecx & opt_cpuid_mask_ext_edx)) { ++ opt_cpuid_mask_ext_ecx & opt_cpuid_mask_ext_edx & ++ opt_cpuid_mask_l7s0_eax & opt_cpuid_mask_l7s0_ebx & ++ opt_cpuid_mask_thermal_ecx)) { + feat_ecx = opt_cpuid_mask_ecx; + feat_edx = opt_cpuid_mask_edx; + extfeat_ecx = opt_cpuid_mask_ext_ecx; + extfeat_edx = opt_cpuid_mask_ext_edx; ++ l7s0_eax = opt_cpuid_mask_l7s0_eax; ++ l7s0_ebx = opt_cpuid_mask_l7s0_ebx; ++ thermal_ecx = opt_cpuid_mask_thermal_ecx; + } else if (*opt_famrev == '\0') { + return; + } else if (!strcmp(opt_famrev, "fam_0f_rev_c")) { +@@ -179,11 +196,39 @@ static void __devinit set_cpuidmask(cons + printk("Writing CPUID extended feature mask ECX:EDX -> %08Xh:%08Xh\n", + extfeat_ecx, extfeat_edx); + ++ if (c->cpuid_level >= 7) ++ cpuid_count(7, 0, &eax, &ebx, &ecx, &edx); ++ else ++ ebx = eax = 0; ++ if ((eax | ebx) && ~(l7s0_eax & l7s0_ebx)) { ++ if (l7s0_eax > eax) ++ l7s0_eax = eax; ++ l7s0_ebx &= ebx; ++ printk("Writing CPUID leaf 7 subleaf 0 feature mask EAX:EBX -> %08Xh:%08Xh\n", ++ l7s0_eax, l7s0_ebx); ++ } else ++ skip_l7s0_eax_ebx = 1; ++ ++ /* Only Fam15 has the respective MSR. */ ++ ecx = c->x86 == 0x15 && c->cpuid_level >= 6 ? cpuid_ecx(6) : 0; ++ if (ecx && ~thermal_ecx) { ++ thermal_ecx &= ecx; ++ printk("Writing CPUID thermal/power feature mask ECX -> %08Xh\n", ++ thermal_ecx); ++ } else ++ skip_thermal_ecx = 1; ++ + setmask: + /* AMD processors prior to family 10h required a 32-bit password */ + if (c->x86 >= 0x10) { + wrmsr(MSR_K8_FEATURE_MASK, feat_edx, feat_ecx); + wrmsr(MSR_K8_EXT_FEATURE_MASK, extfeat_edx, extfeat_ecx); ++ if (!skip_l7s0_eax_ebx) ++ wrmsr(MSR_AMD_L7S0_FEATURE_MASK, l7s0_ebx, l7s0_eax); ++ if (!skip_thermal_ecx) { ++ rdmsr(MSR_AMD_THRM_FEATURE_MASK, eax, edx); ++ wrmsr(MSR_AMD_THRM_FEATURE_MASK, thermal_ecx, edx); ++ } + } else { + wrmsr_amd(MSR_K8_FEATURE_MASK, feat_edx, feat_ecx); + wrmsr_amd(MSR_K8_EXT_FEATURE_MASK, extfeat_edx, extfeat_ecx); +--- a/xen/include/asm-x86/msr-index.h ++++ b/xen/include/asm-x86/msr-index.h +@@ -204,6 +204,8 @@ + #define MSR_AMD_FAM15H_EVNTSEL5 0xc001020a + #define MSR_AMD_FAM15H_PERFCTR5 0xc001020b + ++#define MSR_AMD_L7S0_FEATURE_MASK 0xc0011002 ++#define MSR_AMD_THRM_FEATURE_MASK 0xc0011003 + #define MSR_K8_FEATURE_MASK 0xc0011004 + #define MSR_K8_EXT_FEATURE_MASK 0xc0011005 + diff --git a/534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch b/534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch new file mode 100644 index 0000000..748d6fa --- /dev/null +++ b/534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch @@ -0,0 +1,24 @@ +# Commit 1ca73aaf51eba14256794bf045c2eb01e88e1324 +# Date 2014-04-14 12:50:56 +0200 +# Author Jan Beulich +# Committer Jan Beulich +x86/nested HAP: don't BUG() on legitimate error + +p2m_set_entry() can fail without there being a bug in the code - crash +the domain rather than the host in that case. + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper +Acked-by: Tim Deegan + +--- a/xen/arch/x86/mm/hap/nested_hap.c ++++ b/xen/arch/x86/mm/hap/nested_hap.c +@@ -133,7 +133,7 @@ nestedhap_fix_p2m(struct vcpu *v, struct + gdprintk(XENLOG_ERR, + "failed to set entry for %#"PRIx64" -> %#"PRIx64"\n", + L2_gpa, L0_gpa); +- BUG(); ++ domain_crash(p2m->domain); + } + } + diff --git a/534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch b/534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch new file mode 100644 index 0000000..407ce22 --- /dev/null +++ b/534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch @@ -0,0 +1,23 @@ +# Commit c82fbfe6ec8be597218eb943641d1f7a81c4c01e +# Date 2014-04-14 15:14:47 +0200 +# Author Jan Beulich +# Committer Jan Beulich +x86/HAP: also flush TLB when altering a present 1G or intermediate entry + +Signed-off-by: Jan Beulich +Acked-by: Tim Deegan + +--- a/xen/arch/x86/mm/hap/hap.c ++++ b/xen/arch/x86/mm/hap/hap.c +@@ -711,9 +711,8 @@ hap_write_p2m_entry(struct vcpu *v, unsi + } + + safe_write_pte(p, new); +- if ( (old_flags & _PAGE_PRESENT) +- && (level == 1 || (level == 2 && (old_flags & _PAGE_PSE))) ) +- flush_tlb_mask(d->domain_dirty_cpumask); ++ if ( old_flags & _PAGE_PRESENT ) ++ flush_tlb_mask(d->domain_dirty_cpumask); + + paging_unlock(d); + diff --git a/53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch b/53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch new file mode 100644 index 0000000..684ed92 --- /dev/null +++ b/53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch @@ -0,0 +1,82 @@ +# Commit 061eebe0e99ad45c9c3b1a778b06140de4a91f25 +# Date 2014-04-22 12:04:20 +0200 +# Author Jan Beulich +# Committer Jan Beulich +x86/MSI: drop workaround for insecure Dom0 kernels + +Considering that +- the workaround is expensive (iterating through the entire P2M space + of a domain), +- the planned elimination of the expensiveness (by propagating the type + change step by step to the individual P2M leaves) wouldn't address + the IOMMU side of things (as for it to obey to the changed + permissions the adjustments must be pushed down immediately through + the entire tree) +- the proper solution (PHYSDEVOP_msix_prepare) should by now be + implemented by all security conscious Dom0 kernels +remove the workaround, killing eventual guests that would be known to +become a security risk instead. + +Signed-off-by: Jan Beulich +Acked-by: Kevin Tian + +--- a/xen/arch/x86/mm/p2m-ept.c ++++ b/xen/arch/x86/mm/p2m-ept.c +@@ -679,7 +679,7 @@ static void ept_change_entry_type_global + return; + + BUG_ON(p2m_is_grant(ot) || p2m_is_grant(nt)); +- BUG_ON(ot != nt && (ot == p2m_mmio_direct || nt == p2m_mmio_direct)); ++ BUG_ON(p2m_is_mmio(ot) || p2m_is_mmio(nt)); + + ept_change_entry_type_page(_mfn(ept_get_asr(ept)), + ept_get_wl(ept), ot, nt); +--- a/xen/arch/x86/msi.c ++++ b/xen/arch/x86/msi.c +@@ -825,32 +825,22 @@ static int msix_capability_init(struct p + msix->pba.last) ) + WARN(); + +- if ( dev->domain ) +- p2m_change_entry_type_global(dev->domain, +- p2m_mmio_direct, p2m_mmio_direct); +- if ( desc && (!dev->domain || !paging_mode_translate(dev->domain)) ) ++ if ( desc ) + { +- struct domain *d = dev->domain; ++ struct domain *currd = current->domain; ++ struct domain *d = dev->domain ?: currd; + +- if ( !d ) +- for_each_domain(d) +- if ( !paging_mode_translate(d) && +- (iomem_access_permitted(d, msix->table.first, +- msix->table.last) || +- iomem_access_permitted(d, msix->pba.first, +- msix->pba.last)) ) +- break; +- if ( d ) +- { +- if ( !is_hardware_domain(d) && msix->warned != d->domain_id ) +- { +- msix->warned = d->domain_id; +- printk(XENLOG_ERR +- "Potentially insecure use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n", +- seg, bus, slot, func, d->domain_id); +- } +- /* XXX How to deal with existing mappings? */ +- } ++ if ( !is_hardware_domain(currd) || d != currd ) ++ printk("%s use of MSI-X on %04x:%02x:%02x.%u by Dom%d\n", ++ is_hardware_domain(currd) ++ ? XENLOG_WARNING "Potentially insecure" ++ : XENLOG_ERR "Insecure", ++ seg, bus, slot, func, d->domain_id); ++ if ( !is_hardware_domain(d) && ++ /* Assume a domain without memory has no mappings yet. */ ++ (!is_hardware_domain(currd) || d->tot_pages) ) ++ domain_crash(d); ++ /* XXX How to deal with existing mappings? */ + } + } + WARN_ON(msix->nr_entries != nr_entries); diff --git a/5357baff-x86-add-missing-break-in-dom0_pit_access.patch b/5357baff-x86-add-missing-break-in-dom0_pit_access.patch new file mode 100644 index 0000000..a3a1e61 --- /dev/null +++ b/5357baff-x86-add-missing-break-in-dom0_pit_access.patch @@ -0,0 +1,21 @@ +# Commit 815dc9f1dba5782dcef77d8a002a11f5b1e5cc37 +# Date 2014-04-23 15:07:11 +0200 +# Author Jan Beulich +# Committer Jan Beulich +x86: add missing break in dom0_pit_access() + +Coverity ID 1203045 + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- a/xen/arch/x86/time.c ++++ b/xen/arch/x86/time.c +@@ -1632,6 +1632,7 @@ int dom0_pit_access(struct ioreq *ioreq) + outb(ioreq->data, PIT_MODE); + return 1; + } ++ break; + + case 0x61: + if ( ioreq->dir == IOREQ_READ ) diff --git a/xen.changes b/xen.changes index 9490a29..05b70a9 100644 --- a/xen.changes +++ b/xen.changes @@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Sat Apr 26 09:56:36 MDT 2014 - carnold@suse.com + +- When the xl command is used, check to see if the domain being + modified is managed by libvirt and print warning if it is. + xl-check-for-libvirt-managed-domain.patch + +------------------------------------------------------------------- +Thu Apr 24 08:17:36 MDT 2014 - carnold@suse.com + +- Upstream patches from Jan + 53455585-x86-AMD-feature-masking-is-unavailable-on-Fam11.patch + 5346a7a0-x86-AMD-support-further-feature-masking-MSRs.patch + 534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch + 534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch + 53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch + 5357baff-x86-add-missing-break-in-dom0_pit_access.patch +- XSA-92 + xsa92.patch + +------------------------------------------------------------------- +Sat Apr 12 20:48:21 UTC 2014 - mmarek@suse.cz + +- Add # needssslcertforbuild to use the project's certificate when + building in a home project. (bnc#872354) + ------------------------------------------------------------------- Wed Apr 9 08:07:03 MDT 2014 - carnold@suse.com diff --git a/xen.spec b/xen.spec index eaa6667..d3321c3 100644 --- a/xen.spec +++ b/xen.spec @@ -16,6 +16,8 @@ # +# needssslcertforbuild + Name: xen ExclusiveArch: %ix86 x86_64 %arm aarch64 %define xvers 4.4 @@ -152,7 +154,7 @@ BuildRequires: xorg-x11-util-devel %endif %endif -Version: 4.4.0_14 +Version: 4.4.0_16 Release: 0 PreReq: %insserv_prereq %fillup_prereq Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) @@ -235,6 +237,13 @@ Patch21: 5331917d-x86-enforce-preemption-in-HVM_set_mem_access-p2m_set_me Patch22: 53356c1e-x86-HVM-correct-CPUID-leaf-80000008-handling.patch Patch23: 533ad1ee-VMX-fix-PAT-value-seen-by-guest.patch Patch24: 533d413b-x86-mm-fix-checks-against-max_mapped_pfn.patch +Patch25: 53455585-x86-AMD-feature-masking-is-unavailable-on-Fam11.patch +Patch26: 5346a7a0-x86-AMD-support-further-feature-masking-MSRs.patch +Patch27: 534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch +Patch28: 534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch +Patch29: 53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch +Patch30: 5357baff-x86-add-missing-break-in-dom0_pit_access.patch +Patch92: xsa92.patch # Upstream qemu Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch @@ -356,6 +365,7 @@ Patch463: blktap-pv-cdrom.patch Patch464: set-mtu-from-bridge-for-tap-interface.patch Patch465: libxl.add-option-for-discard-support-to-xl-disk-conf.patch Patch466: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch +Patch467: xl-check-for-libvirt-managed-domain.patch # Hypervisor and PV driver Patches Patch501: x86-ioapic-ack-default.patch Patch502: x86-cpufreq-report.patch @@ -617,6 +627,13 @@ Authors: %patch22 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch92 -p1 # Upstream qemu patches %patch250 -p1 %patch251 -p1 @@ -737,6 +754,7 @@ Authors: %patch464 -p1 %patch465 -p1 %patch466 -p1 +%patch467 -p1 # Hypervisor and PV driver Patches %patch501 -p1 %patch502 -p1 diff --git a/xl-check-for-libvirt-managed-domain.patch b/xl-check-for-libvirt-managed-domain.patch new file mode 100644 index 0000000..eb2a675 --- /dev/null +++ b/xl-check-for-libvirt-managed-domain.patch @@ -0,0 +1,68 @@ +Index: xen-4.4.0-testing/tools/libxl/xl.c +=================================================================== +--- xen-4.4.0-testing.orig/tools/libxl/xl.c ++++ xen-4.4.0-testing/tools/libxl/xl.c +@@ -282,6 +282,44 @@ static void xl_ctx_free(void) + } + } + ++/* ++ Return 0 if domain is managed by libvirt ++*/ ++static int xl_lookup_libvirt_managed_domains(int argc, char **argv) ++{ ++ FILE *fp; ++ int i; ++ char line[1024]; ++ char *libvirt_sock = "/run/libvirt/libvirt-sock"; ++ ++ /* Check for the libvirt socket file */ ++ if (access(libvirt_sock, F_OK) != 0) { ++ return 1; ++ } ++ ++ /* Run virsh to get a list of running domains managed by libvirt */ ++ fp = popen("/usr/bin/virsh list --name 2>&1", "r"); ++ if (fp == NULL) { ++ return 1; ++ } ++ ++ /* Read the list of domains looking for each name in the xl command */ ++ while (fgets(line, sizeof(line)-1, fp) != NULL) { ++ line[strlen(line)-1] = '\0'; ++ for (i=0; imodifies && !dryrun_only) { ++ if (!force_execution) { ++ if (!xl_lookup_libvirt_managed_domains(argc, argv)) { ++ fprintf(stderr, ++"Warning: This domain is managed by libvirt. Using xl commands to modify this\n" ++"domain will result in errors when virsh or virt-manager is used.\n" ++"Please use only virsh or virt-manager to manage this domain.\n\n" ++"(This check can be overridden with the -f option.)\n" ++ ); ++ ret = 1; ++ goto xit; ++ } ++ } + for (int i = 0; i < sizeof(locks)/sizeof(locks[0]); i++) { + if (!access(locks[i], F_OK) && !force_execution) { + fprintf(stderr, diff --git a/xsa92.patch b/xsa92.patch new file mode 100644 index 0000000..2969992 --- /dev/null +++ b/xsa92.patch @@ -0,0 +1,36 @@ +x86/HVM: restrict HVMOP_set_mem_type + +Permitting arbitrary type changes here has the potential of creating +present P2M (and hence EPT/NPT/IOMMU) entries pointing to an invalid +MFN (INVALID_MFN truncated to the respective hardware structure field's +width). This would become a problem the latest when something real sat +at the end of the physical address space; I'm suspecting though that +other things might break with such bogus entries. + +Along with that drop a bogus (and otherwise becoming stale) log +message. + +Afaict the similar operation in p2m_set_mem_access() is safe. + +This is XSA-92. + +Signed-off-by: Jan Beulich +Reviewed-by: Tim Deegan + +--- a/xen/arch/x86/hvm/hvm.c ++++ b/xen/arch/x86/hvm/hvm.c +@@ -4410,12 +4410,10 @@ long do_hvm_op(unsigned long op, XEN_GUE + rc = -EINVAL; + goto param_fail4; + } +- if ( p2m_is_grant(t) ) ++ if ( !p2m_is_ram(t) && ++ (!p2m_is_hole(t) || a.hvmmem_type != HVMMEM_mmio_dm) ) + { + put_gfn(d, pfn); +- gdprintk(XENLOG_WARNING, +- "type for pfn %#lx changed to grant while " +- "we were working?\n", pfn); + goto param_fail4; + } + else