- Upstream patches from Jan

5604f239-x86-PV-properly-populate-descriptor-tables.patch
  561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch
  561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
  561d20a0-x86-hide-MWAITX-from-PV-domains.patch
  561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch

- bsc#951845 - VUL-0: CVE-2015-7972: xen: x86: populate-on-demand
  balloon size inaccuracy can crash guests (XSA-153)
  xsa153-libxl.patch

- bsc#950703 - VUL-1: CVE-2015-7969: xen: leak of main per-domain
  vcpu pointer array (DoS) (XSA-149)
  xsa149.patch
- bsc#950705 - VUL-1: CVE-2015-7969: xen: x86: leak of per-domain
  profiling-related vcpu pointer array (DoS) (XSA-151)
  xsa151.patch
- bsc#950706 - VUL-0: CVE-2015-7971: xen: x86: some pmu and
  profiling hypercalls log without rate limiting (XSA-152)
  xsa152.patch
- Dropped
  55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch
  5604f239-x86-PV-properly-populate-descriptor-tables.patch

- bsc#932267 - VUL-1: CVE-2015-4037: qemu,kvm,xen: insecure
  temporary file use in /net/slirp.c
  CVE-2015-4037-qemuu-smb-config-dir-name.patch
  CVE-2015-4037-qemut-smb-config-dir-name.patch
- bsc#877642 - VUL-0: CVE-2014-0222: qemu: qcow1: validate L2 table
  size to avoid integer overflows

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=382
This commit is contained in:
Charles Arnold 2015-10-29 22:28:05 +00:00 committed by Git OBS Bridge
parent 0883ce22a7
commit 9e9b5acb9c
29 changed files with 924 additions and 216 deletions

View File

@ -113,7 +113,7 @@ Reviewed-by: Jan Beulich <jbeulich@suse.com>
if ( idx != 0 )
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -4592,7 +4592,7 @@ int xenmem_add_to_physmap_one(
@@ -4595,7 +4595,7 @@ int xenmem_add_to_physmap_one(
mfn = virt_to_mfn(d->shared_info);
break;
case XENMAPSPACE_grant_table:
@ -122,7 +122,7 @@ Reviewed-by: Jan Beulich <jbeulich@suse.com>
if ( d->grant_table->gt_version == 0 )
d->grant_table->gt_version = 1;
@@ -4614,7 +4614,7 @@ int xenmem_add_to_physmap_one(
@@ -4617,7 +4617,7 @@ int xenmem_add_to_physmap_one(
mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
}

View File

@ -104,7 +104,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
u32 mask_bits;
u16 seg = entry->dev->seg;
u8 bus = entry->dev->bus;
@@ -703,13 +707,14 @@ static u64 read_pci_mem_bar(u16 seg, u8
@@ -701,13 +705,14 @@ static u64 read_pci_mem_bar(u16 seg, u8
* requested MSI-X entries with allocated irqs or non-zero for otherwise.
**/
static int msix_capability_init(struct pci_dev *dev,
@ -120,7 +120,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
u16 control;
u64 table_paddr;
u32 table_offset;
@@ -721,7 +726,6 @@ static int msix_capability_init(struct p
@@ -719,7 +724,6 @@ static int msix_capability_init(struct p
ASSERT(spin_is_locked(&pcidevs_lock));
@ -128,7 +128,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
control = pci_conf_read16(seg, bus, slot, func, msix_control_reg(pos));
msix_set_enable(dev, 0);/* Ensure msix is disabled as I set it up */
@@ -886,10 +890,9 @@ static int __pci_enable_msi(struct msi_i
@@ -884,10 +888,9 @@ static int __pci_enable_msi(struct msi_i
old_desc = find_msi_entry(pdev, msi->irq, PCI_CAP_ID_MSI);
if ( old_desc )
{
@ -142,7 +142,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
*desc = old_desc;
return 0;
}
@@ -897,10 +900,10 @@ static int __pci_enable_msi(struct msi_i
@@ -895,10 +898,10 @@ static int __pci_enable_msi(struct msi_i
old_desc = find_msi_entry(pdev, -1, PCI_CAP_ID_MSIX);
if ( old_desc )
{
@ -157,7 +157,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
return msi_capability_init(pdev, msi->irq, desc, msi->entry_nr);
@@ -914,7 +917,6 @@ static void __pci_disable_msi(struct msi
@@ -912,7 +915,6 @@ static void __pci_disable_msi(struct msi
msi_set_enable(dev, 0);
BUG_ON(list_empty(&dev->msi_list));
@ -165,7 +165,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
/**
@@ -934,7 +936,7 @@ static void __pci_disable_msi(struct msi
@@ -932,7 +934,7 @@ static void __pci_disable_msi(struct msi
**/
static int __pci_enable_msix(struct msi_info *msi, struct msi_desc **desc)
{
@ -174,7 +174,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
struct pci_dev *pdev;
u16 control;
u8 slot = PCI_SLOT(msi->devfn);
@@ -943,23 +945,22 @@ static int __pci_enable_msix(struct msi_
@@ -941,23 +943,22 @@ static int __pci_enable_msix(struct msi_
ASSERT(spin_is_locked(&pcidevs_lock));
pdev = pci_get_pdev(msi->seg, msi->bus, msi->devfn);
@ -204,7 +204,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
*desc = old_desc;
return 0;
}
@@ -967,15 +968,13 @@ static int __pci_enable_msix(struct msi_
@@ -965,15 +966,13 @@ static int __pci_enable_msix(struct msi_
old_desc = find_msi_entry(pdev, -1, PCI_CAP_ID_MSI);
if ( old_desc )
{
@ -225,7 +225,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
static void _pci_cleanup_msix(struct arch_msix *msix)
@@ -993,19 +992,16 @@ static void _pci_cleanup_msix(struct arc
@@ -991,19 +990,16 @@ static void _pci_cleanup_msix(struct arc
static void __pci_disable_msix(struct msi_desc *entry)
{
@ -254,7 +254,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
msix_set_enable(dev, 0);
BUG_ON(list_empty(&dev->msi_list));
@@ -1047,7 +1043,7 @@ int pci_prepare_msix(u16 seg, u8 bus, u8
@@ -1045,7 +1041,7 @@ int pci_prepare_msix(u16 seg, u8 bus, u8
u16 control = pci_conf_read16(seg, bus, slot, func,
msix_control_reg(pos));
@ -263,7 +263,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
multi_msix_capable(control));
}
spin_unlock(&pcidevs_lock);
@@ -1066,8 +1062,8 @@ int pci_enable_msi(struct msi_info *msi,
@@ -1064,8 +1060,8 @@ int pci_enable_msi(struct msi_info *msi,
if ( !use_msi )
return -EPERM;
@ -274,7 +274,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
/*
@@ -1117,7 +1113,9 @@ int pci_restore_msi_state(struct pci_dev
@@ -1115,7 +1111,9 @@ int pci_restore_msi_state(struct pci_dev
if ( !pdev )
return -EINVAL;

View File

@ -137,7 +137,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
spin_unlock_irqrestore(&desc->lock, flags);
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -2503,6 +2503,25 @@ int unmap_domain_pirq_emuirq(struct doma
@@ -2502,6 +2502,25 @@ int unmap_domain_pirq_emuirq(struct doma
return ret;
}
@ -230,7 +230,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
.enable = unmask_msi_irq,
.disable = mask_msi_irq,
.ack = ack_maskable_msi_irq,
@@ -593,7 +605,8 @@ static int msi_capability_init(struct pc
@@ -591,7 +603,8 @@ static int msi_capability_init(struct pc
entry[i].msi_attrib.is_64 = is_64bit_address(control);
entry[i].msi_attrib.entry_nr = i;
entry[i].msi_attrib.maskbit = is_mask_bit_support(control);
@ -240,7 +240,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
entry[i].msi_attrib.pos = pos;
if ( entry[i].msi_attrib.maskbit )
entry[i].msi.mpos = mpos;
@@ -819,7 +832,8 @@ static int msix_capability_init(struct p
@@ -817,7 +830,8 @@ static int msix_capability_init(struct p
entry->msi_attrib.is_64 = 1;
entry->msi_attrib.entry_nr = msi->entry_nr;
entry->msi_attrib.maskbit = 1;
@ -250,7 +250,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
entry->msi_attrib.pos = pos;
entry->irq = msi->irq;
entry->dev = dev;
@@ -1154,7 +1168,8 @@ int pci_restore_msi_state(struct pci_dev
@@ -1152,7 +1166,8 @@ int pci_restore_msi_state(struct pci_dev
for ( i = 0; ; )
{
@ -260,7 +260,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
if ( !--nr )
break;
@@ -1306,7 +1321,7 @@ static void dump_msi(unsigned char key)
@@ -1304,7 +1319,7 @@ static void dump_msi(unsigned char key)
else
mask = '?';
printk(" %-6s%4u vec=%02x%7s%6s%3sassert%5s%7s"
@ -269,7 +269,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
type, irq,
(data & MSI_DATA_VECTOR_MASK) >> MSI_DATA_VECTOR_SHIFT,
data & MSI_DATA_DELIVERY_LOWPRI ? "lowest" : "fixed",
@@ -1314,7 +1329,10 @@ static void dump_msi(unsigned char key)
@@ -1312,7 +1327,10 @@ static void dump_msi(unsigned char key)
data & MSI_DATA_LEVEL_ASSERT ? "" : "de",
addr & MSI_ADDR_DESTMODE_LOGIC ? "log" : "phys",
addr & MSI_ADDR_REDIRECTION_LOWPRI ? "lowest" : "cpu",
@ -317,18 +317,18 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
static unsigned int iommu_msi_startup(struct irq_desc *desc)
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -999,7 +999,7 @@ static void dma_msi_unmask(struct irq_de
sts &= ~DMA_FECTL_IM;
dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
@@ -996,7 +996,7 @@ static void dma_msi_unmask(struct irq_de
spin_lock_irqsave(&iommu->register_lock, flags);
dmar_writel(iommu->reg, DMAR_FECTL_REG, 0);
spin_unlock_irqrestore(&iommu->register_lock, flags);
- iommu->msi.msi_attrib.masked = 0;
+ iommu->msi.msi_attrib.host_masked = 0;
}
static void dma_msi_mask(struct irq_desc *desc)
@@ -1014,7 +1014,7 @@ static void dma_msi_mask(struct irq_desc
sts |= DMA_FECTL_IM;
dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
@@ -1008,7 +1008,7 @@ static void dma_msi_mask(struct irq_desc
spin_lock_irqsave(&iommu->register_lock, flags);
dmar_writel(iommu->reg, DMAR_FECTL_REG, DMA_FECTL_IM);
spin_unlock_irqrestore(&iommu->register_lock, flags);
- iommu->msi.msi_attrib.masked = 1;
+ iommu->msi.msi_attrib.host_masked = 1;

View File

@ -14,7 +14,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -1110,6 +1110,12 @@ void pci_cleanup_msi(struct pci_dev *pde
@@ -1108,6 +1108,12 @@ void pci_cleanup_msi(struct pci_dev *pde
msi_free_irqs(pdev);
}

View File

@ -15,7 +15,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -845,6 +845,12 @@ static int msix_capability_init(struct p
@@ -843,6 +843,12 @@ static int msix_capability_init(struct p
if ( !msix->used_entries )
{
@ -28,7 +28,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
if ( rangeset_add_range(mmio_ro_ranges, msix->table.first,
msix->table.last) )
WARN();
@@ -1113,6 +1119,34 @@ void pci_cleanup_msi(struct pci_dev *pde
@@ -1111,6 +1117,34 @@ void pci_cleanup_msi(struct pci_dev *pde
int pci_msi_conf_write_intercept(struct pci_dev *pdev, unsigned int reg,
unsigned int size, uint32_t *data)
{

View File

@ -283,7 +283,7 @@ Backporting note (largely to myself):
}
void ack_nonmaskable_msi_irq(struct irq_desc *desc)
@@ -742,6 +811,9 @@ static int msix_capability_init(struct p
@@ -740,6 +809,9 @@ static int msix_capability_init(struct p
control = pci_conf_read16(seg, bus, slot, func, msix_control_reg(pos));
msix_set_enable(dev, 0);/* Ensure msix is disabled as I set it up */
@ -293,7 +293,7 @@ Backporting note (largely to myself):
if ( desc )
{
entry = alloc_msi_entry(1);
@@ -881,7 +953,8 @@ static int msix_capability_init(struct p
@@ -879,7 +951,8 @@ static int msix_capability_init(struct p
++msix->used_entries;
/* Restore MSI-X enabled bits */
@ -303,7 +303,7 @@ Backporting note (largely to myself):
return 0;
}
@@ -1026,8 +1099,16 @@ static void __pci_disable_msix(struct ms
@@ -1024,8 +1097,16 @@ static void __pci_disable_msix(struct ms
BUG_ON(list_empty(&dev->msi_list));
@ -322,7 +322,7 @@ Backporting note (largely to myself):
pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos), control);
_pci_cleanup_msix(dev->msix);
@@ -1201,15 +1282,24 @@ int pci_restore_msi_state(struct pci_dev
@@ -1199,15 +1280,24 @@ int pci_restore_msi_state(struct pci_dev
nr = entry->msi.nvec;
}
else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX )

View File

@ -171,7 +171,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
int __setup_msi_irq(struct irq_desc *desc, struct msi_desc *msidesc,
@@ -805,20 +850,38 @@ static int msix_capability_init(struct p
@@ -803,20 +848,38 @@ static int msix_capability_init(struct p
u8 bus = dev->bus;
u8 slot = PCI_SLOT(dev->devfn);
u8 func = PCI_FUNC(dev->devfn);
@ -211,7 +211,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
ASSERT(msi);
}
@@ -849,6 +912,8 @@ static int msix_capability_init(struct p
@@ -847,6 +910,8 @@ static int msix_capability_init(struct p
{
if ( !msi || !msi->table_base )
{
@ -220,7 +220,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
xfree(entry);
return -ENXIO;
}
@@ -891,6 +956,8 @@ static int msix_capability_init(struct p
@@ -889,6 +954,8 @@ static int msix_capability_init(struct p
if ( idx < 0 )
{
@ -229,7 +229,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
xfree(entry);
return idx;
}
@@ -917,7 +984,7 @@ static int msix_capability_init(struct p
@@ -915,7 +982,7 @@ static int msix_capability_init(struct p
if ( !msix->used_entries )
{
@ -238,7 +238,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
if ( !msix->guest_maskall )
control &= ~PCI_MSIX_FLAGS_MASKALL;
else
@@ -953,8 +1020,8 @@ static int msix_capability_init(struct p
@@ -951,8 +1018,8 @@ static int msix_capability_init(struct p
++msix->used_entries;
/* Restore MSI-X enabled bits */
@ -249,7 +249,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
return 0;
}
@@ -1094,8 +1161,15 @@ static void __pci_disable_msix(struct ms
@@ -1092,8 +1159,15 @@ static void __pci_disable_msix(struct ms
PCI_CAP_ID_MSIX);
u16 control = pci_conf_read16(seg, bus, slot, func,
msix_control_reg(entry->msi_attrib.pos));
@ -266,7 +266,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
BUG_ON(list_empty(&dev->msi_list));
@@ -1107,8 +1181,11 @@ static void __pci_disable_msix(struct ms
@@ -1105,8 +1179,11 @@ static void __pci_disable_msix(struct ms
"cannot disable IRQ %d: masking MSI-X on %04x:%02x:%02x.%u\n",
entry->irq, dev->seg, dev->bus,
PCI_SLOT(dev->devfn), PCI_FUNC(dev->devfn));
@ -279,7 +279,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos), control);
_pci_cleanup_msix(dev->msix);
@@ -1257,6 +1334,8 @@ int pci_restore_msi_state(struct pci_dev
@@ -1255,6 +1332,8 @@ int pci_restore_msi_state(struct pci_dev
list_for_each_entry_safe( entry, tmp, &pdev->msi_list, list )
{
unsigned int i = 0, nr = 1;
@ -288,7 +288,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
irq = entry->irq;
desc = &irq_desc[irq];
@@ -1283,10 +1362,18 @@ int pci_restore_msi_state(struct pci_dev
@@ -1281,10 +1360,18 @@ int pci_restore_msi_state(struct pci_dev
}
else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX )
{
@ -308,7 +308,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
return -ENXIO;
}
}
@@ -1316,11 +1403,9 @@ int pci_restore_msi_state(struct pci_dev
@@ -1314,11 +1401,9 @@ int pci_restore_msi_state(struct pci_dev
if ( entry->msi_attrib.type == PCI_CAP_ID_MSI )
{
unsigned int cpos = msi_control_reg(entry->msi_attrib.pos);
@ -322,7 +322,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
multi_msi_enable(control, entry->msi.nvec);
pci_conf_write16(pdev->seg, pdev->bus, PCI_SLOT(pdev->devfn),
PCI_FUNC(pdev->devfn), cpos, control);
@@ -1328,7 +1413,9 @@ int pci_restore_msi_state(struct pci_dev
@@ -1326,7 +1411,9 @@ int pci_restore_msi_state(struct pci_dev
msi_set_enable(pdev, 1);
}
else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX )

View File

@ -15,7 +15,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -1305,6 +1305,37 @@ int pci_msi_conf_write_intercept(struct
@@ -1303,6 +1303,37 @@ int pci_msi_conf_write_intercept(struct
return 1;
}

View File

@ -1,84 +0,0 @@
# Commit 669d4b85c433674ab3b52ef707af0d3a551c941f
# Date 2015-08-25 16:18:31 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/IO-APIC: don't create pIRQ mapping from masked RTE
While moving our XenoLinux patches to 4.2-rc I noticed bogus "already
mapped" messages resulting from Linux (legitimately) writing RTEs with
only the mask bit set. Clearly we shouldn't even attempt to create a
pIRQ <-> IRQ mapping from such RTEs.
In the course of this I also found that the respective message isn't
really useful without also printing the pre-existing mapping. And I
noticed that map_domain_pirq() allowed IRQ0 to get through, despite us
never allowing a domain to control that interrupt.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/io_apic.c
+++ b/xen/arch/x86/io_apic.c
@@ -2371,9 +2371,14 @@ int ioapic_guest_write(unsigned long phy
* pirq and irq mapping. Where the GSI is greater than 256, we assume
* that dom0 pirq == irq.
*/
- pirq = (irq >= 256) ? irq : rte.vector;
- if ( (pirq < 0) || (pirq >= hardware_domain->nr_pirqs) )
- return -EINVAL;
+ if ( !rte.mask )
+ {
+ pirq = (irq >= 256) ? irq : rte.vector;
+ if ( pirq >= hardware_domain->nr_pirqs )
+ return -EINVAL;
+ }
+ else
+ pirq = -1;
if ( desc->action )
{
@@ -2408,12 +2413,15 @@ int ioapic_guest_write(unsigned long phy
printk(XENLOG_INFO "allocated vector %02x for irq %d\n", ret, irq);
}
- spin_lock(&hardware_domain->event_lock);
- ret = map_domain_pirq(hardware_domain, pirq, irq,
- MAP_PIRQ_TYPE_GSI, NULL);
- spin_unlock(&hardware_domain->event_lock);
- if ( ret < 0 )
- return ret;
+ if ( pirq >= 0 )
+ {
+ spin_lock(&hardware_domain->event_lock);
+ ret = map_domain_pirq(hardware_domain, pirq, irq,
+ MAP_PIRQ_TYPE_GSI, NULL);
+ spin_unlock(&hardware_domain->event_lock);
+ if ( ret < 0 )
+ return ret;
+ }
spin_lock_irqsave(&ioapic_lock, flags);
/* Set the correct irq-handling type. */
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -1906,7 +1906,7 @@ int map_domain_pirq(
if ( !irq_access_permitted(current->domain, irq))
return -EPERM;
- if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
+ if ( pirq < 0 || pirq >= d->nr_pirqs || irq <= 0 || irq >= nr_irqs )
{
dprintk(XENLOG_G_ERR, "dom%d: invalid pirq %d or irq %d\n",
d->domain_id, pirq, irq);
@@ -1919,8 +1919,9 @@ int map_domain_pirq(
if ( (old_irq > 0 && (old_irq != irq) ) ||
(old_pirq && (old_pirq != pirq)) )
{
- dprintk(XENLOG_G_WARNING, "dom%d: pirq %d or irq %d already mapped\n",
- d->domain_id, pirq, irq);
+ dprintk(XENLOG_G_WARNING,
+ "dom%d: pirq %d or irq %d already mapped (%d,%d)\n",
+ d->domain_id, pirq, irq, old_pirq, old_irq);
return 0;
}

View File

@ -12,7 +12,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -566,6 +566,8 @@ static int msi_capability_init(struct pc
@@ -696,6 +696,8 @@ static int msi_capability_init(struct pc
ASSERT(spin_is_locked(&pcidevs_lock));
pos = pci_find_cap_offset(seg, bus, slot, func, PCI_CAP_ID_MSI);

View File

@ -18,9 +18,25 @@ Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
# Commit 61031e64d3dafd2fb1953436444bf02eccb9b146
# Date 2015-10-27 14:46:12 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/PV: don't zero-map LDT
This effectvely reverts the LDT related part of commit cf6d39f819
("x86/PV: properly populate descriptor tables"), which broke demand
paged LDT handling in guests.
Reported-by: David Vrabel <david.vrabel@citrix.com>
Diagnosed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -505,12 +505,13 @@ void update_cr3(struct vcpu *v)
@@ -505,12 +505,12 @@ void update_cr3(struct vcpu *v)
make_cr3(v, cr3_mfn);
}
@ -32,24 +48,24 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
- int i;
- unsigned long pfn;
+ unsigned int i;
+ unsigned long pfn, zero_pfn = PFN_DOWN(__pa(zero_page));
struct page_info *page;
BUG_ON(unlikely(in_irq()));
@@ -526,8 +527,10 @@ static void invalidate_shadow_ldt(struct
@@ -525,10 +525,10 @@ static void invalidate_shadow_ldt(struct
for ( i = 16; i < 32; i++ )
{
pfn = l1e_get_pfn(pl1e[i]);
- pfn = l1e_get_pfn(pl1e[i]);
- if ( pfn == 0 ) continue;
- l1e_write(&pl1e[i], l1e_empty());
+ if ( !(l1e_get_flags(pl1e[i]) & _PAGE_PRESENT) || pfn == zero_pfn )
+ if ( !(l1e_get_flags(pl1e[i]) & _PAGE_PRESENT) )
+ continue;
+ l1e_write(&pl1e[i],
+ l1e_from_pfn(zero_pfn, __PAGE_HYPERVISOR & ~_PAGE_RW));
page = mfn_to_page(pfn);
+ page = l1e_get_page(pl1e[i]);
l1e_write(&pl1e[i], l1e_empty());
- page = mfn_to_page(pfn);
ASSERT_PAGE_IS_TYPE(page, PGT_seg_desc_page);
ASSERT_PAGE_IS_DOMAIN(page, v->domain);
@@ -4360,16 +4363,18 @@ long do_update_va_mapping_otherdomain(un
put_page_and_type(page);
@@ -4360,16 +4360,18 @@ long do_update_va_mapping_otherdomain(un
void destroy_gdt(struct vcpu *v)
{
l1_pgentry_t *pl1e;
@ -72,7 +88,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
v->arch.pv_vcpu.gdt_frames[i] = 0;
}
}
@@ -4382,7 +4387,7 @@ long set_gdt(struct vcpu *v,
@@ -4382,7 +4384,7 @@ long set_gdt(struct vcpu *v,
struct domain *d = v->domain;
l1_pgentry_t *pl1e;
/* NB. There are 512 8-byte entries per GDT page. */

View File

@ -39,7 +39,7 @@ Signed-off-by: Quan Xu <quan.xu@intel.com>
+ sts &= ~DMA_FECTL_IM;
+ dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
spin_unlock_irqrestore(&iommu->register_lock, flags);
iommu->msi.msi_attrib.masked = 0;
iommu->msi.msi_attrib.host_masked = 0;
}
@@ -1003,10 +1006,13 @@ static void dma_msi_mask(struct irq_desc
{
@ -54,7 +54,7 @@ Signed-off-by: Quan Xu <quan.xu@intel.com>
+ sts |= DMA_FECTL_IM;
+ dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
spin_unlock_irqrestore(&iommu->register_lock, flags);
iommu->msi.msi_attrib.masked = 1;
iommu->msi.msi_attrib.host_masked = 1;
}
@@ -2002,6 +2008,7 @@ static int init_vtd_hw(void)
struct iommu_flush *flush = NULL;

View File

@ -0,0 +1,55 @@
# Commit 710942e57fb42ff8f344ca82f6b678f67e38ae63
# Date 2015-10-12 15:58:35 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
VT-d: don't suppress invalidation address write when it is zero
GFN zero is a valid address, and hence may need invalidation done for
it just like for any other GFN.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Yang Zhang <yang.z.zhang@intel.com>
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -414,7 +414,7 @@ static int flush_iotlb_reg(void *_iommu,
{
struct iommu *iommu = (struct iommu *) _iommu;
int tlb_offset = ecap_iotlb_offset(iommu->ecap);
- u64 val = 0, val_iva = 0;
+ u64 val = 0;
unsigned long flags;
/*
@@ -435,7 +435,6 @@ static int flush_iotlb_reg(void *_iommu,
switch ( type )
{
case DMA_TLB_GLOBAL_FLUSH:
- /* global flush doesn't need set IVA_REG */
val = DMA_TLB_GLOBAL_FLUSH|DMA_TLB_IVT;
break;
case DMA_TLB_DSI_FLUSH:
@@ -443,8 +442,6 @@ static int flush_iotlb_reg(void *_iommu,
break;
case DMA_TLB_PSI_FLUSH:
val = DMA_TLB_PSI_FLUSH|DMA_TLB_IVT|DMA_TLB_DID(did);
- /* Note: always flush non-leaf currently */
- val_iva = size_order | addr;
break;
default:
BUG();
@@ -457,8 +454,11 @@ static int flush_iotlb_reg(void *_iommu,
spin_lock_irqsave(&iommu->register_lock, flags);
/* Note: Only uses first TLB reg currently */
- if ( val_iva )
- dmar_writeq(iommu->reg, tlb_offset, val_iva);
+ if ( type == DMA_TLB_PSI_FLUSH )
+ {
+ /* Note: always flush non-leaf currently. */
+ dmar_writeq(iommu->reg, tlb_offset, size_order | addr);
+ }
dmar_writeq(iommu->reg, tlb_offset + 8, val);
/* Make sure hardware complete it */

View File

@ -0,0 +1,113 @@
# Commit 6851e979874ebc05d270ea94360c49d920d3eaf4
# Date 2015-10-13 17:16:22 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
VT-d: use proper error codes in iommu_enable_x2apic_IR()
... allowing to suppress a confusing message combination: When
ACPI_DMAR_X2APIC_OPT_OUT is set, so far we first logged a message
that IR could not be enabled (hence not using x2APIC), followed by
one indicating successful initialization of IR (if no other problems
prevented that).
Also adjust the return type of iommu_supports_eim() and fix some
broken indentation in the function.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Yang Zhang <yang.z.zhang@intel.com>
--- a/xen/arch/x86/apic.c
+++ b/xen/arch/x86/apic.c
@@ -946,8 +946,18 @@ void __init x2apic_bsp_setup(void)
mask_8259A();
mask_IO_APIC_setup(ioapic_entries);
- if ( iommu_enable_x2apic_IR() )
+ switch ( iommu_enable_x2apic_IR() )
{
+ case 0:
+ break;
+ case -ENXIO: /* ACPI_DMAR_X2APIC_OPT_OUT set */
+ if ( !x2apic_enabled )
+ {
+ printk("Not enabling x2APIC (upon firmware request)\n");
+ goto restore_out;
+ }
+ /* fall through */
+ default:
if ( x2apic_enabled )
panic("Interrupt remapping could not be enabled while "
"x2APIC is already enabled by BIOS");
--- a/xen/drivers/passthrough/vtd/intremap.c
+++ b/xen/drivers/passthrough/vtd/intremap.c
@@ -144,10 +144,10 @@ static void set_hpet_source_id(unsigned
set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_13_IGNORE_3, hpetid_to_bdf(id));
}
-int iommu_supports_eim(void)
+bool_t iommu_supports_eim(void)
{
struct acpi_drhd_unit *drhd;
- int apic;
+ unsigned int apic;
if ( !iommu_qinval || !iommu_intremap || list_empty(&acpi_drhd_units) )
return 0;
@@ -155,12 +155,12 @@ int iommu_supports_eim(void)
/* We MUST have a DRHD unit for each IOAPIC. */
for ( apic = 0; apic < nr_ioapics; apic++ )
if ( !ioapic_to_drhd(IO_APIC_ID(apic)) )
- {
+ {
dprintk(XENLOG_WARNING VTDPREFIX,
"There is not a DRHD for IOAPIC %#x (id: %#x)!\n",
apic, IO_APIC_ID(apic));
return 0;
- }
+ }
for_each_drhd_unit ( drhd )
if ( !ecap_queued_inval(drhd->iommu->ecap) ||
@@ -834,10 +834,10 @@ int iommu_enable_x2apic_IR(void)
struct iommu *iommu;
if ( !iommu_supports_eim() )
- return -1;
+ return -EOPNOTSUPP;
if ( !platform_supports_x2apic() )
- return -1;
+ return -ENXIO;
for_each_drhd_unit ( drhd )
{
@@ -862,7 +862,7 @@ int iommu_enable_x2apic_IR(void)
{
dprintk(XENLOG_INFO VTDPREFIX,
"Failed to enable Queued Invalidation!\n");
- return -1;
+ return -EIO;
}
}
@@ -874,7 +874,7 @@ int iommu_enable_x2apic_IR(void)
{
dprintk(XENLOG_INFO VTDPREFIX,
"Failed to enable Interrupt Remapping!\n");
- return -1;
+ return -EIO;
}
}
--- a/xen/include/asm-x86/iommu.h
+++ b/xen/include/asm-x86/iommu.h
@@ -28,7 +28,7 @@ int iommu_setup_hpet_msi(struct msi_desc
/* While VT-d specific, this must get declared in a generic header. */
int adjust_vtd_irq_affinities(void);
void iommu_pte_flush(struct domain *d, u64 gfn, u64 *pte, int order, int present);
-int iommu_supports_eim(void);
+bool_t iommu_supports_eim(void);
int iommu_enable_x2apic_IR(void);
void iommu_disable_x2apic_IR(void);

View File

@ -0,0 +1,32 @@
# Commit 941cd44324db7eddc46cba4596fa13d505066ccf
# Date 2015-10-13 17:17:52 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: hide MWAITX from PV domains
Since MWAIT is hidden too. (Linux starting with 4.3 is making use of
that feature, and is checking for it without looking at the MWAIT one.)
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -904,6 +904,7 @@ void pv_cpuid(struct cpu_user_regs *regs
__clear_bit(X86_FEATURE_LWP % 32, &c);
__clear_bit(X86_FEATURE_NODEID_MSR % 32, &c);
__clear_bit(X86_FEATURE_TOPOEXT % 32, &c);
+ __clear_bit(X86_FEATURE_MWAITX % 32, &c);
break;
case 0x00000005: /* MONITOR/MWAIT */
--- a/xen/include/asm-x86/cpufeature.h
+++ b/xen/include/asm-x86/cpufeature.h
@@ -137,6 +137,7 @@
#define X86_FEATURE_TBM (6*32+21) /* trailing bit manipulations */
#define X86_FEATURE_TOPOEXT (6*32+22) /* topology extensions CPUID leafs */
#define X86_FEATURE_DBEXT (6*32+26) /* data breakpoint extension */
+#define X86_FEATURE_MWAITX (6*32+29) /* MWAIT extension (MONITORX/MWAITX) */
/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 7 */
#define X86_FEATURE_FSGSBASE (7*32+ 0) /* {RD,WR}{FS,GS}BASE instructions */

View File

@ -0,0 +1,114 @@
# Commit 83281fc9b31396e94c0bfb6550b75c165037a0ad
# Date 2015-10-14 12:46:27 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/NUMA: fix SRAT table processor entry parsing and consumption
- don't overrun apicid_to_node[] (possible in the x2APIC case)
- don't limit number of processor related SRAT entries we can consume
- make acpi_numa_{processor,x2apic}_affinity_init() as similar to one
another as possible
- print APIC IDs in hex (to ease matching with other log messages), at
once making legacy and x2APIC ones distinguishable (by width)
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/numa.c
+++ b/xen/arch/x86/numa.c
@@ -347,7 +347,7 @@ void __init init_cpu_to_node(void)
u32 apicid = x86_cpu_to_apicid[i];
if ( apicid == BAD_APICID )
continue;
- node = apicid_to_node[apicid];
+ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE;
if ( node == NUMA_NO_NODE || !node_online(node) )
node = 0;
numa_set_node(i, node);
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -191,7 +191,7 @@ void __devinit srat_detect_node(int cpu)
unsigned node;
u32 apicid = x86_cpu_to_apicid[cpu];
- node = apicid_to_node[apicid];
+ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE;
if ( node == NUMA_NO_NODE )
node = 0;
--- a/xen/arch/x86/smpboot.c
+++ b/xen/arch/x86/smpboot.c
@@ -885,7 +885,8 @@ int cpu_add(uint32_t apic_id, uint32_t a
cpu = node;
goto out;
}
- apicid_to_node[apic_id] = node;
+ if ( apic_id < MAX_LOCAL_APIC )
+ apicid_to_node[apic_id] = node;
}
/* Physically added CPUs do not have synchronised TSC. */
--- a/xen/arch/x86/srat.c
+++ b/xen/arch/x86/srat.c
@@ -170,7 +170,6 @@ void __init
acpi_numa_x2apic_affinity_init(struct acpi_srat_x2apic_cpu_affinity *pa)
{
int pxm, node;
- int apic_id;
if (srat_disabled())
return;
@@ -178,8 +177,13 @@ acpi_numa_x2apic_affinity_init(struct ac
bad_srat();
return;
}
- if ((pa->flags & ACPI_SRAT_CPU_ENABLED) == 0)
+ if (!(pa->flags & ACPI_SRAT_CPU_ENABLED))
+ return;
+ if (pa->apic_id >= MAX_LOCAL_APIC) {
+ printk(KERN_INFO "SRAT: APIC %08x ignored\n", pa->apic_id);
return;
+ }
+
pxm = pa->proximity_domain;
node = setup_node(pxm);
if (node < 0) {
@@ -187,11 +191,11 @@ acpi_numa_x2apic_affinity_init(struct ac
return;
}
- apic_id = pa->apic_id;
- apicid_to_node[apic_id] = node;
+ apicid_to_node[pa->apic_id] = node;
+ node_set(node, processor_nodes_parsed);
acpi_numa = 1;
- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n",
- pxm, apic_id, node);
+ printk(KERN_INFO "SRAT: PXM %u -> APIC %08x -> Node %u\n",
+ pxm, pa->apic_id, node);
}
/* Callback for Proximity Domain -> LAPIC mapping */
@@ -221,7 +225,7 @@ acpi_numa_processor_affinity_init(struct
apicid_to_node[pa->apic_id] = node;
node_set(node, processor_nodes_parsed);
acpi_numa = 1;
- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n",
+ printk(KERN_INFO "SRAT: PXM %u -> APIC %02x -> Node %u\n",
pxm, pa->apic_id, node);
}
--- a/xen/drivers/acpi/numa.c
+++ b/xen/drivers/acpi/numa.c
@@ -199,9 +199,9 @@ int __init acpi_numa_init(void)
/* SRAT: Static Resource Affinity Table */
if (!acpi_table_parse(ACPI_SIG_SRAT, acpi_parse_srat)) {
acpi_table_parse_srat(ACPI_SRAT_TYPE_X2APIC_CPU_AFFINITY,
- acpi_parse_x2apic_affinity, NR_CPUS);
+ acpi_parse_x2apic_affinity, 0);
acpi_table_parse_srat(ACPI_SRAT_TYPE_CPU_AFFINITY,
- acpi_parse_processor_affinity, NR_CPUS);
+ acpi_parse_processor_affinity, 0);
acpi_table_parse_srat(ACPI_SRAT_TYPE_MEMORY_AFFINITY,
acpi_parse_memory_affinity,
NR_NODE_MEMBLKS);

View File

@ -0,0 +1,38 @@
References: bsc#877642
Subject: qcow1: Validate L2 table size (CVE-2014-0222)
From: Kevin Wolf kwolf@redhat.com Thu May 15 16:10:11 2014 +0200
Date: Mon May 19 11:36:49 2014 +0200:
Git: 42eb58179b3b215bb507da3262b682b8a2ec10b5
Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.
To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).
This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/block-qcow.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block-qcow.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/block-qcow.c
@@ -126,6 +126,10 @@ static int qcow_open(BlockDriverState *b
goto fail;
if (header.size <= 1 || header.cluster_bits < 9)
goto fail;
+ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+ * so bytes = num_entries << 3. */
+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3)
+ goto fail;
if (header.crypt_method > QCOW_CRYPT_AES)
goto fail;
s->crypt_method_header = header.crypt_method;

View File

@ -0,0 +1,42 @@
References: bsc#877642
Subject: qcow1: Validate L2 table size (CVE-2014-0222)
From: Kevin Wolf kwolf@redhat.com Thu May 15 16:10:11 2014 +0200
Date: Mon May 19 11:36:49 2014 +0200:
Git: 42eb58179b3b215bb507da3262b682b8a2ec10b5
Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.
To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).
This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/block/qcow.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/block/qcow.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/block/qcow.c
@@ -147,6 +147,14 @@ static int qcow_open(BlockDriverState *b
goto fail;
}
+ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+ * so bytes = num_entries << 3. */
+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
+ error_setg(errp, "L2 table size must be between 512 and 64k");
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (header.crypt_method > QCOW_CRYPT_AES) {
error_setg(errp, "invalid encryption method in qcow header");
ret = -EINVAL;

View File

@ -0,0 +1,39 @@
References: bsc#932267
Subject: slirp: use less predictable directory name in /tmp for smb config (CVE-2015-4037)
From: Michael Tokarev mjt@tls.msk.ru Thu May 28 14:12:26 2015 +0300
Date: Wed Jun 3 14:21:45 2015 +0300:
Git: 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3
In this version I used mkdtemp(3) which is:
_BSD_SOURCE
|| /* Since glibc 2.10: */
(_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
(POSIX.1-2008), so should be available on systems we care about.
While at it, reset the resulting directory name within smb structure
on error so cleanup function wont try to remove directory which we
failed to create.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
@@ -624,9 +624,10 @@ void net_slirp_smb(const char *exported_
}
/* XXX: better tmp dir construction */
- snprintf(smb_dir, sizeof(smb_dir), "/tmp/qemu-smb.%d", getpid());
- if (mkdir(smb_dir, 0700) < 0) {
+ snprintf(smb_dir, sizeof(smb_dir), "/tmp/qemu-smb.XXXXXX");
+ if (!mkdtemp(smb_dir)) {
fprintf(stderr, "qemu: could not create samba server dir '%s'\n", smb_dir);
+ smb_dir[0] = 0;
exit(1);
}
snprintf(smb_conf, sizeof(smb_conf), "%s/%s", smb_dir, "smb.conf");

View File

@ -0,0 +1,48 @@
References: bsc#932267
Subject: slirp: use less predictable directory name in /tmp for smb config (CVE-2015-4037)
From: Michael Tokarev mjt@tls.msk.ru Thu May 28 14:12:26 2015 +0300
Date: Wed Jun 3 14:21:45 2015 +0300:
Git: 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3
In this version I used mkdtemp(3) which is:
_BSD_SOURCE
|| /* Since glibc 2.10: */
(_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
(POSIX.1-2008), so should be available on systems we care about.
While at it, reset the resulting directory name within smb structure
on error so cleanup function wont try to remove directory which we
failed to create.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/net/slirp.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/net/slirp.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/net/slirp.c
@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState
static int slirp_smb(SlirpState* s, const char *exported_dir,
struct in_addr vserver_addr)
{
- static int instance;
char smb_conf[128];
char smb_cmdline[128];
struct passwd *passwd;
@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, cons
return -1;
}
- snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
- (long)getpid(), instance++);
- if (mkdir(s->smb_dir, 0700) < 0) {
+ snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX");
+ if (!mkdtemp(s->smb_dir)) {
error_report("could not create samba server dir '%s'", s->smb_dir);
+ s->smb_dir[0] = 0;
return -1;
}
snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");

View File

@ -0,0 +1,43 @@
References: bsc#950367 CVE-2015-7835 XSA-148
x86: guard against undue super page PTE creation
When optional super page support got added (commit bd1cd81d64 "x86: PV
support for hugepages"), two adjustments were missed: mod_l2_entry()
needs to consider the PSE and RW bits when deciding whether to use the
fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
unconditionally.
This is CVE-2015-7835 / XSA-148.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Index: xen-4.5.1-testing/xen/arch/x86/mm.c
===================================================================
--- xen-4.5.1-testing.orig/xen/arch/x86/mm.c
+++ xen-4.5.1-testing/xen/arch/x86/mm.c
@@ -162,7 +162,10 @@ static void put_superpage(unsigned long
static uint32_t base_disallow_mask;
/* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
#define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
+
+#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
+ ? base_disallow_mask & ~_PAGE_PSE \
+ : base_disallow_mask)
#define l3_disallow_mask(d) (!is_pv_32on64_domain(d) ? \
base_disallow_mask : \
@@ -1790,7 +1793,10 @@ static int mod_l2_entry(l2_pgentry_t *pl
}
/* Fast path for identical mapping and presence. */
- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
+ if ( !l2e_has_changed(ol2e, nl2e,
+ unlikely(opt_allow_superpage)
+ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
+ : _PAGE_PRESENT) )
{
adjust_guest_l2e(nl2e, d);
if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )

View File

@ -323,7 +323,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_dom.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_dom.c
+++ xen-4.5.1-testing/tools/libxl/libxl_dom.c
@@ -1808,6 +1808,7 @@ void libxl__domain_suspend(libxl__egc *e
@@ -1815,6 +1815,7 @@ void libxl__domain_suspend(libxl__egc *e
dss->xcflags = (live ? XCFLAGS_LIVE : 0)
| (debug ? XCFLAGS_DEBUG : 0)

View File

@ -1,7 +1,7 @@
Index: xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.h
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.h
===================================================================
--- xen-4.2.3-testing.orig/tools/qemu-xen-traditional-dir-remote/net.h
+++ xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.h
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.h
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.h
@@ -107,8 +107,8 @@ void net_host_device_add(const char *dev
void net_host_device_remove(int vlan_id, const char *device);
@ -13,11 +13,11 @@ Index: xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.h
#endif
#ifdef __sun__
#define SMBD_COMMAND "/usr/sfw/sbin/smbd"
Index: xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.c
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
===================================================================
--- xen-4.2.3-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
+++ xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.c
@@ -1764,9 +1764,10 @@ int net_client_init(const char *device,
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
@@ -1765,9 +1765,10 @@ int net_client_init(const char *device,
}
if (get_param_value(script_arg, sizeof(script_arg), "scriptarg", p) == 0 &&
get_param_value(script_arg, sizeof(script_arg), "bridge", p) == 0) { /* deprecated; for xend compatibility */
@ -30,10 +30,10 @@ Index: xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.c
}
} else
#endif
Index: xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
===================================================================
--- xen-4.2.3-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
+++ xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
@@ -1,36 +1,22 @@
#!/bin/sh

View File

@ -1,3 +1,55 @@
-------------------------------------------------------------------
Wed Oct 28 09:47:38 MDT 2015 - carnold@suse.com
- Upstream patches from Jan
5604f239-x86-PV-properly-populate-descriptor-tables.patch
561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch
561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
561d20a0-x86-hide-MWAITX-from-PV-domains.patch
561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch
-------------------------------------------------------------------
Fri Oct 23 13:35:59 MDT 2015 - carnold@suse.com
- bsc#951845 - VUL-0: CVE-2015-7972: xen: x86: populate-on-demand
balloon size inaccuracy can crash guests (XSA-153)
xsa153-libxl.patch
-------------------------------------------------------------------
Fri Oct 16 08:40:31 MDT 2015 - carnold@suse.com
- bsc#950703 - VUL-1: CVE-2015-7969: xen: leak of main per-domain
vcpu pointer array (DoS) (XSA-149)
xsa149.patch
- bsc#950705 - VUL-1: CVE-2015-7969: xen: x86: leak of per-domain
profiling-related vcpu pointer array (DoS) (XSA-151)
xsa151.patch
- bsc#950706 - VUL-0: CVE-2015-7971: xen: x86: some pmu and
profiling hypercalls log without rate limiting (XSA-152)
xsa152.patch
- Dropped
55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch
5604f239-x86-PV-properly-populate-descriptor-tables.patch
-------------------------------------------------------------------
Thu Oct 15 11:43:23 MDT 2015 - carnold@suse.com
- bsc#932267 - VUL-1: CVE-2015-4037: qemu,kvm,xen: insecure
temporary file use in /net/slirp.c
CVE-2015-4037-qemuu-smb-config-dir-name.patch
CVE-2015-4037-qemut-smb-config-dir-name.patch
- bsc#877642 - VUL-0: CVE-2014-0222: qemu: qcow1: validate L2 table
size to avoid integer overflows
CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
-------------------------------------------------------------------
Wed Oct 14 10:24:15 MDT 2015 - carnold@suse.com
- bsc#950367 - VUL-0: CVE-2015-7835: xen: x86: Uncontrolled
creation of large page mappings by PV guests (XSA-148)
CVE-2015-7835-xsa148.patch
-------------------------------------------------------------------
Tue Oct 6 14:52:30 MDT 2015 - jfehlig@suse.com

142
xen.spec
View File

@ -158,7 +158,7 @@ BuildRequires: xorg-x11-util-devel
%endif
%endif
Version: 4.5.1_10
Version: 4.5.1_13
Release: 0
Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
License: GPL-2.0
@ -205,41 +205,55 @@ Patch1: 54f4985f-libxl-fix-libvirtd-double-free.patch
Patch2: 55103616-vm-assist-prepare-for-discontiguous-used-bit-numbers.patch
Patch3: 551ac326-xentop-add-support-for-qdisk.patch
Patch4: 552d0f49-x86-traps-identify-the-vcpu-in-context-when-dumping-regs.patch
Patch5: 5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch
Patch6: 5548e903-domctl-don-t-truncate-XEN_DOMCTL_max_mem-requests.patch
Patch7: 5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch
Patch8: 554cc211-libxl-add-qxl.patch
Patch9: 556d973f-unmodified-drivers-tolerate-IRQF_DISABLED-being-undefined.patch
Patch10: 5576f178-kexec-add-more-pages-to-v1-environment.patch
Patch11: 55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch
Patch12: 558bfaa0-x86-traps-avoid-using-current-too-early.patch
Patch13: 5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch
Patch14: 559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch
Patch15: 559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch
Patch16: 559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch
Patch17: 559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch
Patch18: 559bdde5-pull-in-latest-linux-earlycpio.patch
Patch19: 55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch
Patch20: 55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch
Patch21: 55a77e4f-dmar-device-scope-mem-leak-fix.patch
Patch22: 55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch
Patch23: 55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch
Patch24: 55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch
Patch25: 55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch
Patch26: 55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch
Patch27: 55e43fd8-x86-NUMA-fix-setup_node.patch
Patch28: 55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch
Patch29: 55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch
Patch30: 55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch
Patch31: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch
Patch32: 55f9345b-x86-MSI-fail-if-no-hardware-support.patch
Patch33: 5604f239-x86-PV-properly-populate-descriptor-tables.patch
Patch34: 5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch
Patch35: 560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch
Patch36: 560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch
Patch37: 560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch
Patch38: 560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch
Patch39: 560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch
Patch5: 552d293b-x86-vMSI-X-honor-all-mask-requests.patch
Patch6: 552d2966-x86-vMSI-X-add-valid-bits-for-read-acceleration.patch
Patch7: 5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch
Patch8: 5548e903-domctl-don-t-truncate-XEN_DOMCTL_max_mem-requests.patch
Patch9: 5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch
Patch10: 554cc211-libxl-add-qxl.patch
Patch11: 556d973f-unmodified-drivers-tolerate-IRQF_DISABLED-being-undefined.patch
Patch12: 5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch
Patch13: 5576f178-kexec-add-more-pages-to-v1-environment.patch
Patch14: 55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch
Patch15: 55795a52-x86-vMSI-X-support-qword-MMIO-access.patch
Patch16: 5583d9c5-x86-MSI-X-cleanup.patch
Patch17: 5583da09-x86-MSI-track-host-and-guest-masking-separately.patch
Patch18: 558bfaa0-x86-traps-avoid-using-current-too-early.patch
Patch19: 5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch
Patch20: 559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch
Patch21: 559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch
Patch22: 559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch
Patch23: 559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch
Patch24: 559bdde5-pull-in-latest-linux-earlycpio.patch
Patch25: 55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch
Patch26: 55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch
Patch27: 55a77e4f-dmar-device-scope-mem-leak-fix.patch
Patch28: 55b0a218-x86-PCI-CFG-write-intercept.patch
Patch29: 55b0a255-x86-MSI-X-maskall.patch
Patch30: 55b0a283-x86-MSI-X-teardown.patch
Patch31: 55b0a2ab-x86-MSI-X-enable.patch
Patch32: 55b0a2db-x86-MSI-track-guest-masking.patch
Patch33: 55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch
Patch34: 55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch
Patch35: 55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch
Patch36: 55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch
Patch37: 55e43fd8-x86-NUMA-fix-setup_node.patch
Patch38: 55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch
Patch39: 55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch
Patch40: 55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch
Patch41: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch
Patch42: 55f9345b-x86-MSI-fail-if-no-hardware-support.patch
Patch43: 5604f239-x86-PV-properly-populate-descriptor-tables.patch
Patch44: 5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch
Patch45: 560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch
Patch46: 560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch
Patch47: 560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch
Patch48: 560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch
Patch49: 560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch
Patch50: 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch
Patch51: 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
Patch52: 561d20a0-x86-hide-MWAITX-from-PV-domains.patch
Patch53: 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch
Patch131: CVE-2015-4106-xsa131-9.patch
Patch137: CVE-2015-3259-xsa137.patch
Patch139: xsa139-qemuu.patch
@ -258,6 +272,11 @@ Patch14015: xsa140-qemut-5.patch
Patch14016: xsa140-qemut-6.patch
Patch14017: xsa140-qemut-7.patch
Patch142: CVE-2015-7311-xsa142.patch
Patch148: CVE-2015-7835-xsa148.patch
Patch149: xsa149.patch
Patch151: xsa151.patch
Patch152: xsa152.patch
Patch153: xsa153-libxl.patch
# Upstream qemu
Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@ -278,6 +297,10 @@ Patch265: CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch
Patch266: CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
Patch267: CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch
Patch268: CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch
Patch269: CVE-2015-4037-qemuu-smb-config-dir-name.patch
Patch270: CVE-2015-4037-qemut-smb-config-dir-name.patch
Patch271: CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
Patch272: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
# Our platform specific patches
Patch301: xen-destdir.patch
Patch302: vif-bridge-no-iptables.patch
@ -363,18 +386,6 @@ Patch605: xen.build-compare.vgabios.patch
Patch606: xen.build-compare.seabios.patch
Patch607: xen.build-compare.man.patch
Patch608: ipxe-no-error-logical-not-parentheses.patch
# MSI issues (bsc#907514 bsc#910258 bsc#918984 bsc#923967)
Patch700: 552d293b-x86-vMSI-X-honor-all-mask-requests.patch
Patch701: 552d2966-x86-vMSI-X-add-valid-bits-for-read-acceleration.patch
Patch702: 5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch
Patch703: 55795a52-x86-vMSI-X-support-qword-MMIO-access.patch
Patch704: 5583d9c5-x86-MSI-X-cleanup.patch
Patch705: 5583da09-x86-MSI-track-host-and-guest-masking-separately.patch
Patch706: 55b0a218-x86-PCI-CFG-write-intercept.patch
Patch707: 55b0a255-x86-MSI-X-maskall.patch
Patch708: 55b0a283-x86-MSI-X-teardown.patch
Patch709: 55b0a2ab-x86-MSI-X-enable.patch
Patch710: 55b0a2db-x86-MSI-track-guest-masking.patch
# grant table performance improvements
Patch715: 54c2553c-grant-table-use-uint16_t-consistently-for-offset-and-length.patch
Patch716: 54ca33bc-grant-table-refactor-grant-copy-to-reduce-duplicate-code.patch
@ -648,6 +659,20 @@ Authors:
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%patch45 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch131 -p1
%patch137 -p1
%patch139 -p1
@ -666,6 +691,11 @@ Authors:
%patch14016 -p1
%patch14017 -p1
%patch142 -p1
%patch148 -p1
%patch149 -p1
%patch151 -p1
%patch152 -p1
%patch153 -p1
# Upstream qemu patches
%patch250 -p1
%patch251 -p1
@ -686,6 +716,10 @@ Authors:
%patch266 -p1
%patch267 -p1
%patch268 -p1
%patch269 -p1
%patch270 -p1
%patch271 -p1
%patch272 -p1
# Our platform specific patches
%patch301 -p1
%patch302 -p1
@ -770,18 +804,6 @@ Authors:
%patch606 -p1
%patch607 -p1
%patch608 -p1
# MSI issues (bsc#907514 bsc#910258 bsc#918984 bsc#923967)
%patch700 -p1
%patch701 -p1
%patch702 -p1
%patch703 -p1
%patch704 -p1
%patch705 -p1
%patch706 -p1
%patch707 -p1
%patch708 -p1
%patch709 -p1
%patch710 -p1
# grant table performance improvements
%patch715 -p1
%patch716 -p1

22
xsa149.patch Normal file
View File

@ -0,0 +1,22 @@
xen: free domain's vcpu array
This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
guest").
This is XSA-149.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.5.1-testing/xen/common/domain.c
===================================================================
--- xen-4.5.1-testing.orig/xen/common/domain.c
+++ xen-4.5.1-testing/xen/common/domain.c
@@ -831,6 +831,7 @@ static void complete_domain_destroy(stru
xsm_free_security_domain(d);
free_cpumask_var(d->domain_dirty_cpumask);
+ xfree(d->vcpu);
free_domain_struct(d);
send_global_virq(VIRQ_DOM_EXC);

30
xsa151.patch Normal file
View File

@ -0,0 +1,30 @@
xenoprof: free domain's vcpu array
This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
guest").
This is XSA-151.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.5.1-testing/xen/common/xenoprof.c
===================================================================
--- xen-4.5.1-testing.orig/xen/common/xenoprof.c
+++ xen-4.5.1-testing/xen/common/xenoprof.c
@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct(
d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0);
if ( d->xenoprof->rawbuf == NULL )
{
+ xfree(d->xenoprof->vcpu);
xfree(d->xenoprof);
d->xenoprof = NULL;
return -ENOMEM;
@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain *
free_xenheap_pages(x->rawbuf, order);
}
+ xfree(x->vcpu);
xfree(x);
d->xenoprof = NULL;
}

43
xsa152.patch Normal file
View File

@ -0,0 +1,43 @@
x86: rate-limit logging in do_xen{oprof,pmu}_op()
Some of the sub-ops are acessible to all guests, and hence should be
rate-limited. In the xenoprof case, just like for XSA-146, include them
only in debug builds. Since the vPMU code is rather new, allow them to
be always present, but downgrade them to (rate limited) guest messages.
This is XSA-152.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Index: xen-4.5.1-testing/xen/common/xenoprof.c
===================================================================
--- xen-4.5.1-testing.orig/xen/common/xenoprof.c
+++ xen-4.5.1-testing/xen/common/xenoprof.c
@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
if ( (op < 0) || (op > XENOPROF_last_op) )
{
- printk("xenoprof: invalid operation %d for domain %d\n",
- op, current->domain->domain_id);
+ gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op);
return -EINVAL;
}
if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) )
{
- printk("xenoprof: dom %d denied privileged operation %d\n",
- current->domain->domain_id, op);
+ gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op);
return -EPERM;
}
@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
spin_unlock(&xenoprof_lock);
if ( ret < 0 )
- printk("xenoprof: operation %d failed for dom %d (status : %d)\n",
- op, current->domain->domain_id, ret);
+ gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret);
return ret;
}

83
xsa153-libxl.patch Normal file
View File

@ -0,0 +1,83 @@
From 27593ec62bdad8621df910931349d964a6dbaa8c Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Wed, 21 Oct 2015 16:18:30 +0100
Subject: [PATCH XSA-153 v3] libxl: adjust PoD target by memory fudge, too
PoD guests need to balloon at least as far as required by PoD, or risk
crashing. Currently they don't necessarily know what the right value
is, because our memory accounting is (at the very least) confusing.
Apply the memory limit fudge factor to the in-hypervisor PoD memory
target, too. This will increase the size of the guest's PoD cache by
the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby). This ensures
that even with a slightly-off balloon driver, the guest will be
stable even under memory pressure.
There are two call sites of xc_domain_set_pod_target that need fixing:
The one in libxl_set_memory_target is straightforward.
The one in xc_hvm_build_x86.c:setup_guest is more awkward. Simply
setting the PoD target differently does not work because the various
amounts of memory during domain construction no longer match up.
Instead, we adjust the guest memory target in xenstore (but only for
PoD guests).
This introduces a 1Mby discrepancy between the balloon target of a PoD
guest at boot, and the target set by an apparently-equivalent `xl
mem-set' (or similar) later. This approach is low-risk for a security
fix but we need to fix this up properly in xen.git#staging and
probably also in stable trees.
This is XSA-153.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
tools/libxl/libxl.c | 2 +-
tools/libxl/libxl_dom.c | 9 ++++++++-
2 files changed, 9 insertions(+), 2 deletions(-)
Index: xen-4.5.1-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.1-testing/tools/libxl/libxl.c
@@ -4859,7 +4859,7 @@ retry_transaction:
new_target_memkb -= videoram;
rc = xc_domain_set_pod_target(ctx->xch, domid,
- new_target_memkb / 4, NULL, NULL, NULL);
+ (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL);
if (rc != 0) {
LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR,
"xc_domain_set_pod_target domid=%d, memkb=%d "
Index: xen-4.5.1-testing/tools/libxl/libxl_dom.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_dom.c
+++ xen-4.5.1-testing/tools/libxl/libxl_dom.c
@@ -446,6 +446,7 @@ int libxl__build_post(libxl__gc *gc, uin
xs_transaction_t t;
char **ents;
int i, rc;
+ int64_t mem_target_fudge;
rc = libxl_domain_sched_params_set(CTX, domid, &info->sched_params);
if (rc)
@@ -472,11 +473,17 @@ int libxl__build_post(libxl__gc *gc, uin
}
}
+ mem_target_fudge =
+ (info->type == LIBXL_DOMAIN_TYPE_HVM &&
+ info->max_memkb > info->target_memkb)
+ ? LIBXL_MAXMEM_CONSTANT : 0;
+
ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *));
ents[0] = "memory/static-max";
ents[1] = GCSPRINTF("%"PRId64, info->max_memkb);
ents[2] = "memory/target";
- ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb);
+ ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb
+ - mem_target_fudge);
ents[4] = "memory/videoram";
ents[5] = GCSPRINTF("%"PRId64, info->video_memkb);
ents[6] = "domid";