From c608e2383818fafdc1ed47dc4175cf62869e0136362bec909f20f141ffecc8c5 Mon Sep 17 00:00:00 2001 
From: Charles Arnold Date: Tue, 24 Nov 2015 15:48:21 +0000 Subject: [PATCH] - fate#315712: XEN: Use the PVOPS kernel Turn off building the KMPs now that we are using the pvops kernel xen.spec - Upstream patches from Jan 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch 561d20a0-x86-hide-MWAITX-from-PV-domains.patch 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch 5632129c-free-domain-s-vcpu-array.patch (Replaces CVE-2015-7969-xsa149.patch) 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch 563212e4-xenoprof-free-domain-s-vcpu-array.patch 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch (Replaces CVE-2015-5307-xsa156.patch) 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch - Dropped 55b0a2db-x86-MSI-track-guest-masking.patch - Use upstream variants of block-iscsi and block-nbd - Remove xenalyze.hg, its part of xen-4.6 OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=389 --- 55b0a2db-x86-MSI-track-guest-masking.patch | 57 ----- ...dation-address-write-when-it-is-zero.patch | 55 +++++ ...20a0-x86-hide-MWAITX-from-PV-domains.patch | 32 +++ ...cessor-entry-parsing-and-consumption.patch | 114 ++++++++++ ...ll_create_continuation-for-multicall.patch | 49 +++++ ...om-unimplemented-PHYSDEVOP-and-HVMOP.patch | 42 ++++ ...nquish_memory-and-free_domheap_pages.patch | 40 ++++ ...gainst-undue-super-page-PTE-creation.patch | 44 ++++ 5632129c-free-domain-s-vcpu-array.patch | 25 +++ 
...x86-PoD-Eager-sweep-for-zeroed-pages.patch | 205 ++++++++++++++++++ ...e4-xenoprof-free-domain-s-vcpu-array.patch | 32 +++ ...imit-logging-in-do_xen-oprof-pmu-_op.patch | 70 ++++++ ...djust-PoD-target-by-memory-fudge-too.patch | 77 +++++++ ...Make-p2m_pod_empty_cache-restartable.patch | 88 ++++++++ ...c-x86-HVM-always-intercept-AC-and-DB.patch | 31 ++- ...-HVM-don-t-inject-DB-with-error-code.patch | 20 ++ CVE-2015-7969-xsa149.patch | 22 -- block-iscsi | 76 ------- block-nbd | 34 --- tmp_build.patch | 9 +- xen-destdir.patch | 4 +- xen.changes | 38 ++++ xen.spec | 87 ++++---- xenalyze.hg.tar.bz2 | 3 - 24 files changed, 999 insertions(+), 255 deletions(-) delete mode 100644 55b0a2db-x86-MSI-track-guest-masking.patch create mode 100644 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch create mode 100644 561d20a0-x86-hide-MWAITX-from-PV-domains.patch create mode 100644 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch create mode 100644 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch create mode 100644 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch create mode 100644 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch create mode 100644 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch create mode 100644 5632129c-free-domain-s-vcpu-array.patch create mode 100644 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch create mode 100644 563212e4-xenoprof-free-domain-s-vcpu-array.patch create mode 100644 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch create mode 100644 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch create mode 100644 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch rename CVE-2015-5307-xsa156.patch => 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch (86%) create mode 100644 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch delete mode 100644 
CVE-2015-7969-xsa149.patch delete mode 100644 block-iscsi delete mode 100644 block-nbd delete mode 100644 xenalyze.hg.tar.bz2 diff --git a/55b0a2db-x86-MSI-track-guest-masking.patch b/55b0a2db-x86-MSI-track-guest-masking.patch deleted file mode 100644 index 1aceca2..0000000 --- a/55b0a2db-x86-MSI-track-guest-masking.patch +++ /dev/null @@ -1,57 +0,0 @@ -References: bsc#907514 bsc#910258 bsc#918984 bsc#923967 - -# Commit aa7c1fdf9dd04a1287f4770906b2c41b88a28228 -# Date 2015-07-23 10:16:27 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/MSI: properly track guest masking requests - -... by monitoring writes to the mask register. - -This allows reverting the main effect of the XSA-129 patches in qemu. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - -Index: xen-4.6.0-testing/xen/arch/x86/msi.c -=================================================================== ---- xen-4.6.0-testing.orig/xen/arch/x86/msi.c -+++ xen-4.6.0-testing/xen/arch/x86/msi.c -@@ -1336,6 +1336,37 @@ int pci_msi_conf_write_intercept(struct - return 1; - } - -+ entry = find_msi_entry(pdev, -1, PCI_CAP_ID_MSI); -+ if ( entry && entry->msi_attrib.maskbit ) -+ { -+ uint16_t cntl; -+ uint32_t unused; -+ -+ pos = entry->msi_attrib.pos; -+ if ( reg < pos || reg >= entry->msi.mpos + 8 ) -+ return 0; -+ -+ if ( reg == msi_control_reg(pos) ) -+ return size == 2 ? 1 : -EACCES; -+ if ( reg < entry->msi.mpos || reg >= entry->msi.mpos + 4 || size != 4 ) -+ return -EACCES; -+ -+ cntl = pci_conf_read16(seg, bus, slot, func, msi_control_reg(pos)); -+ unused = ~(uint32_t)0 >> (32 - multi_msi_capable(cntl)); -+ for ( pos = 0; pos < entry->msi.nvec; ++pos, ++entry ) -+ { -+ entry->msi_attrib.guest_masked = -+ *data >> entry->msi_attrib.entry_nr; -+ if ( entry->msi_attrib.host_masked ) -+ *data |= 1 << pos; -+ unused &= ~(1 << pos); -+ } -+ -+ *data |= unused; -+ -+ return 1; -+ } -+ - return 0; - } - 
diff --git a/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch b/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
new file mode 100644
index 0000000..8d71053
--- /dev/null
+++ b/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
@@ -0,0 +1,55 @@
+# Commit 710942e57fb42ff8f344ca82f6b678f67e38ae63
+# Date 2015-10-12 15:58:35 +0200
+# Author Jan Beulich
+# Committer Jan Beulich
+VT-d: don't suppress invalidation address write when it is zero
+
+GFN zero is a valid address, and hence may need invalidation done for
+it just like for any other GFN.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+Acked-by: Yang Zhang
+
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -414,7 +414,7 @@ static int flush_iotlb_reg(void *_iommu,
+ {
+ struct iommu *iommu = (struct iommu *) _iommu;
+ int tlb_offset = ecap_iotlb_offset(iommu->ecap);
+- u64 val = 0, val_iva = 0;
++ u64 val = 0;
+ unsigned long flags;
+ 
+ /*
+@@ -435,7 +435,6 @@ static int flush_iotlb_reg(void *_iommu,
+ switch ( type )
+ {
+ case DMA_TLB_GLOBAL_FLUSH:
+- /* global flush doesn't need set IVA_REG */
+ val = DMA_TLB_GLOBAL_FLUSH|DMA_TLB_IVT;
+ break;
+ case DMA_TLB_DSI_FLUSH:
+@@ -443,8 +442,6 @@ static int flush_iotlb_reg(void *_iommu,
+ break;
+ case DMA_TLB_PSI_FLUSH:
+ val = DMA_TLB_PSI_FLUSH|DMA_TLB_IVT|DMA_TLB_DID(did);
+- /* Note: always flush non-leaf currently */
+- val_iva = size_order | addr;
+ break;
+ default:
+ BUG();
+@@ -457,8 +454,11 @@ static int flush_iotlb_reg(void *_iommu,
+ 
+ spin_lock_irqsave(&iommu->register_lock, flags);
+ /* Note: Only uses first TLB reg currently */
+- if ( val_iva )
+- dmar_writeq(iommu->reg, tlb_offset, val_iva);
++ if ( type == DMA_TLB_PSI_FLUSH )
++ {
++ /* Note: always flush non-leaf currently. */
++ dmar_writeq(iommu->reg, tlb_offset, size_order | addr);
++ }
+ dmar_writeq(iommu->reg, tlb_offset + 8, val);
+ 
+ /* Make sure hardware complete it */
diff --git a/561d20a0-x86-hide-MWAITX-from-PV-domains.patch b/561d20a0-x86-hide-MWAITX-from-PV-domains.patch
new file mode 100644
index 0000000..c6651fc
--- /dev/null
+++ b/561d20a0-x86-hide-MWAITX-from-PV-domains.patch
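Review bot: The new `if ( type == DMA_TLB_PSI_FLUSH )` branch in flush_iotlb_reg() gives no reason why the IVA register must be written even when `size_order | addr` evaluates to zero, although that is the exact case the old `if ( val_iva )` test got wrong, so a later reader may well reinstate the zero check. I would put the commit message's reasoning on the branch: `/* GFN 0 is a valid target: write IVA for every PSI flush; a zero value must not suppress it. */`. The practical consequence of the old code is that a page-selective invalidation of GFN 0 was silently skipped, which presumably left a stale IOTLB translation reachable by the device, so that is worth stating in the patch header. flush_iotlb_reg() starts before and ends after the hunks shown.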
@@ -0,0 +1,32 @@
+# Commit 941cd44324db7eddc46cba4596fa13d505066ccf
+# Date 2015-10-13 17:17:52 +0200
+# Author Jan Beulich
+# Committer Jan Beulich
+x86: hide MWAITX from PV domains
+
+Since MWAIT is hidden too. (Linux starting with 4.3 is making use of
+that feature, and is checking for it without looking at the MWAIT one.)
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -967,6 +967,7 @@ void pv_cpuid(struct cpu_user_regs *regs
+ __clear_bit(X86_FEATURE_LWP % 32, &c);
+ __clear_bit(X86_FEATURE_NODEID_MSR % 32, &c);
+ __clear_bit(X86_FEATURE_TOPOEXT % 32, &c);
++ __clear_bit(X86_FEATURE_MWAITX % 32, &c);
+ break;
+ 
+ case 0x0000000a: /* Architectural Performance Monitor Features (Intel) */
+--- a/xen/include/asm-x86/cpufeature.h
++++ b/xen/include/asm-x86/cpufeature.h
+@@ -135,6 +135,7 @@
+ #define X86_FEATURE_TBM (6*32+21) /* trailing bit manipulations */
+ #define X86_FEATURE_TOPOEXT (6*32+22) /* topology extensions CPUID leafs */
+ #define X86_FEATURE_DBEXT (6*32+26) /* data breakpoint extension */
++#define X86_FEATURE_MWAITX (6*32+29) /* MWAIT extension (MONITORX/MWAITX) */
+ 
+ /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 7 */
+ #define X86_FEATURE_FSGSBASE (7*32+ 0) /* {RD,WR}{FS,GS}BASE instructions */
diff --git a/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch b/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
new file mode 100644
index 0000000..c56c457
--- /dev/null
+++ b/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
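Review bot: The added `__clear_bit(X86_FEATURE_MWAITX % 32, &c);` in pv_cpuid() carries no comment tying it to the MWAIT bit it depends on, and that dependency, stated only in the commit message, is the whole reason for the line. I would annotate it: `/* MWAIT is hidden from PV too; Linux >= 4.3 tests MWAITX without checking MWAIT. */`. The clear is applied in the PV CPUID path only, so whether HVM guests see the new bit is outside this hunk; if that is deliberate, a sentence in the patch header would save the next reader the question. pv_cpuid()'s switch begins before the hunk.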
@@ -0,0 +1,114 @@ +# Commit 83281fc9b31396e94c0bfb6550b75c165037a0ad +# Date 2015-10-14 12:46:27 +0200 +# Author Jan Beulich +# Committer Jan Beulich +x86/NUMA: fix SRAT table processor entry parsing and consumption + +- don't overrun apicid_to_node[] (possible in the x2APIC case) +- don't limit number of processor related SRAT entries we can consume +- make acpi_numa_{processor,x2apic}_affinity_init() as similar to one + another as possible +- print APIC IDs in hex (to ease matching with other log messages), at + once making legacy and x2APIC ones distinguishable (by width) + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +--- a/xen/arch/x86/numa.c ++++ b/xen/arch/x86/numa.c +@@ -349,7 +349,7 @@ void __init init_cpu_to_node(void) + u32 apicid = x86_cpu_to_apicid[i]; + if ( apicid == BAD_APICID ) + continue; +- node = apicid_to_node[apicid]; ++ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE; + if ( node == NUMA_NO_NODE || !node_online(node) ) + node = 0; + numa_set_node(i, node); +--- a/xen/arch/x86/setup.c ++++ b/xen/arch/x86/setup.c +@@ -200,7 +200,7 @@ void __devinit srat_detect_node(int cpu) + nodeid_t node; + u32 apicid = x86_cpu_to_apicid[cpu]; + +- node = apicid_to_node[apicid]; ++ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE; + if ( node == NUMA_NO_NODE ) + node = 0; + +--- a/xen/arch/x86/smpboot.c ++++ b/xen/arch/x86/smpboot.c +@@ -993,7 +993,8 @@ int cpu_add(uint32_t apic_id, uint32_t a + cpu = node; + goto out; + } +- apicid_to_node[apic_id] = node; ++ if ( apic_id < MAX_LOCAL_APIC ) ++ apicid_to_node[apic_id] = node; + } + + /* Physically added CPUs do not have synchronised TSC. 
*/ +--- a/xen/arch/x86/srat.c ++++ b/xen/arch/x86/srat.c +@@ -209,7 +209,6 @@ acpi_numa_x2apic_affinity_init(struct ac + { + unsigned pxm; + nodeid_t node; +- u32 apic_id; + + if (srat_disabled()) + return; +@@ -217,8 +216,13 @@ acpi_numa_x2apic_affinity_init(struct ac + bad_srat(); + return; + } +- if ((pa->flags & ACPI_SRAT_CPU_ENABLED) == 0) ++ if (!(pa->flags & ACPI_SRAT_CPU_ENABLED)) ++ return; ++ if (pa->apic_id >= MAX_LOCAL_APIC) { ++ printk(KERN_INFO "SRAT: APIC %08x ignored\n", pa->apic_id); + return; ++ } ++ + pxm = pa->proximity_domain; + node = setup_node(pxm); + if (node == NUMA_NO_NODE) { +@@ -226,11 +230,11 @@ acpi_numa_x2apic_affinity_init(struct ac + return; + } + +- apic_id = pa->apic_id; +- apicid_to_node[apic_id] = node; ++ apicid_to_node[pa->apic_id] = node; ++ node_set(node, processor_nodes_parsed); + acpi_numa = 1; +- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n", +- pxm, apic_id, node); ++ printk(KERN_INFO "SRAT: PXM %u -> APIC %08x -> Node %u\n", ++ pxm, pa->apic_id, node); + } + + /* Callback for Proximity Domain -> LAPIC mapping */ +@@ -262,7 +266,7 @@ acpi_numa_processor_affinity_init(struct + apicid_to_node[pa->apic_id] = node; + node_set(node, processor_nodes_parsed); + acpi_numa = 1; +- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n", ++ printk(KERN_INFO "SRAT: PXM %u -> APIC %02x -> Node %u\n", + pxm, pa->apic_id, node); + } + +--- a/xen/drivers/acpi/numa.c ++++ b/xen/drivers/acpi/numa.c +@@ -198,9 +198,9 @@ int __init acpi_numa_init(void) + /* SRAT: Static Resource Affinity Table */ + if (!acpi_table_parse(ACPI_SIG_SRAT, acpi_parse_srat)) { + acpi_table_parse_srat(ACPI_SRAT_TYPE_X2APIC_CPU_AFFINITY, +- acpi_parse_x2apic_affinity, NR_CPUS); ++ acpi_parse_x2apic_affinity, 0); + acpi_table_parse_srat(ACPI_SRAT_TYPE_CPU_AFFINITY, +- acpi_parse_processor_affinity, NR_CPUS); ++ acpi_parse_processor_affinity, 0); + acpi_table_parse_srat(ACPI_SRAT_TYPE_MEMORY_AFFINITY, + acpi_parse_memory_affinity, + NR_NODE_MEMBLKS); 
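Review bot: The guard `apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE` is now open-coded identically in init_cpu_to_node() and srat_detect_node(), and cpu_add() adds a third spelling of the same bound; one helper next to the apicid_to_node[] declaration, `static inline nodeid_t apicid_to_node_safe(u32 apicid) { return apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE; }`, would keep the three from drifting. In cpu_add() the out-of-range case silently drops the node mapping, whereas the x2APIC SRAT path in srat.c logs `SRAT: APIC %08x ignored`; a matching `printk(XENLOG_WARNING, ...)` in cpu_add() would make a hot-added CPU with an unexpectedly large APIC ID visible in the log. The legacy acpi_numa_processor_affinity_init() path still indexes `apicid_to_node[pa->apic_id]` unchecked; the `%02x` format suggests that field is 8 bits wide, so it is presumably in range, but that relies on MAX_LOCAL_APIC being at least 256, which nothing in the hunk shows. All four enclosing functions start outside the hunks.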
diff --git a/5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch b/5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
new file mode 100644
index 0000000..ba01aad
--- /dev/null
+++ b/5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
@@ -0,0 +1,49 @@
+# Commit 29bcf64ce8bc0b1b7aacd00c8668f255c4f0686c
+# Date 2015-10-29 13:31:10 +0100
+# Author Julien Grall
+# Committer Jan Beulich
+arm: Support hypercall_create_continuation for multicall
+
+Multicall for ARM has been supported since commit f0dbdc6 "xen: arm: fully
+implement multicall interface.". Although, if an hypercall in multicall
+requires preemption, it will crash the host:
+
+(XEN) Xen BUG at domain.c:347
+(XEN) ----[ Xen-4.7-unstable arm64 debug=y Tainted: C ]----
+[...]
+(XEN) Xen call trace:
+(XEN) [<00000000002420cc>] hypercall_create_continuation+0x64/0x380 (PC)
+(XEN) [<0000000000217274>] do_memory_op+0x1b00/0x2334 (LR)
+(XEN) [<0000000000250d2c>] do_multicall_call+0x114/0x124
+(XEN) [<0000000000217ff0>] do_multicall+0x17c/0x23c
+(XEN) [<000000000024f97c>] do_trap_hypercall+0x90/0x12c
+(XEN) [<0000000000251ca8>] do_trap_hypervisor+0xd2c/0x1ba4
+(XEN) [<00000000002582cc>] guest_sync+0x88/0xb8
+(XEN)
+(XEN)
+(XEN) ****************************************
+(XEN) Panic on CPU 5:
+(XEN) Xen BUG at domain.c:347
+(XEN) ****************************************
+(XEN)
+(XEN) Manual reset required ('noreboot' specified)
+
+Looking to the code, the support of multicall looks valid to me, as we only
+need to fill call.args[...]. So drop the BUG();
+
+This is CVE-2015-7812 / XSA-145.
+
+Signed-off-by: Julien Grall
+Acked-by: Ian Campbell
+
+--- a/xen/arch/arm/domain.c
++++ b/xen/arch/arm/domain.c
+@@ -344,8 +344,6 @@ unsigned long hypercall_create_continuat
+ 
+ if ( test_bit(_MCSF_in_multicall, &mcs->flags) )
+ {
+- BUG(); /* XXX multicalls not implemented yet. */
+-
+ __set_bit(_MCSF_call_preempted, &mcs->flags);
+ 
+ for ( i = 0; *p != '\0'; i++ )
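Review bot: Removing the `BUG()` makes the `for ( i = 0; *p != '\0'; i++ )` loop on the hunk's last line reachable from a guest multicall for the first time, and nothing in the patch bounds `i` against the size of `mcs->call.args`; the commit message asserts that filling `call.args[...]` is all that is needed, but the claim is not checked in code. The rest of hypercall_create_continuation() is outside the hunk, so this may already be guaranteed by the fixed format strings callers pass; if so, an `ASSERT(i < ARRAY_SIZE(mcs->call.args));` inside the loop documents the invariant cheaply, and if not it needs a real bound. The removed XXX comment was also the only record that multicall preemption on ARM was untested, so the patch header should say which preemptible multicall path was exercised beyond the do_memory_op trace shown.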
diff --git a/56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch b/56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
new file mode 100644
index 0000000..861eead
--- /dev/null
+++ b/56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
@@ -0,0 +1,42 @@
+# Commit 1c0e59ff15764e7b0c59282365974f5b8924ce83
+# Date 2015-10-29 13:33:38 +0100
+# Author Ian Campbell
+# Committer Jan Beulich
+arm: rate-limit logging from unimplemented PHYSDEVOP and HVMOP.
+
+These are guest accessible and should therefore be rate-limited.
+Moreover, include them only in debug builds.
+
+This is CVE-2015-7813 / XSA-146.
+
+Signed-off-by: Ian Campbell
+Reviewed-by: Jan Beulich
+
+--- a/xen/arch/arm/hvm.c
++++ b/xen/arch/arm/hvm.c
+@@ -57,7 +57,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
+ 
+ default:
+ {
+- printk("%s: Bad HVM op %ld.\n", __func__, op);
++ gdprintk(XENLOG_DEBUG, "HVMOP op=%lu: not implemented\n", op);
+ rc = -ENOSYS;
+ break;
+ }
+--- a/xen/arch/arm/physdev.c
++++ b/xen/arch/arm/physdev.c
+@@ -8,12 +8,13 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ 
+ 
+ int do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
+ {
+- printk("%s %d cmd=%d: not implemented yet\n", __func__, __LINE__, cmd);
++ gdprintk(XENLOG_DEBUG, "PHYSDEVOP cmd=%d: not implemented\n", cmd);
+ return -ENOSYS;
+ }
+ 
diff --git a/56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch b/56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
new file mode 100644
index 0000000..0e154e5
--- /dev/null
+++ b/56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
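Review bot: The `#include` line added to physdev.c shows no header name on this page, and the four existing includes are blank as well, so the angle-bracketed names were most likely lost in extraction; since the new `gdprintk()` call is the only reason for the include, the packaged patch file should be checked against upstream 1c0e59ff to confirm it is intact, because a truncated include fails the build rather than failing to log. Separately, `gdprintk(XENLOG_DEBUG, ...)` compiles out in non-debug builds, so unknown HVMOP/PHYSDEVOP numbers from a guest are no longer observable in production at all; that is what the header says is intended, but if operators want the signal, `gprintk(XENLOG_DEBUG, ...)` keeps the rate limiting with the message. The switch to `%lu` for the `unsigned long op` also quietly fixes a format mismatch the old `%ld` had and deserves a word in the header.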
@@ -0,0 +1,40 @@
+# Commit 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
+# Date 2015-10-29 13:34:17 +0100
+# Author Ian Campbell
+# Committer Jan Beulich
+arm: handle races between relinquish_memory and free_domheap_pages
+
+Primarily this means XENMEM_decrease_reservation from a toolstack
+domain.
+
+Unlike x86 we have no requirement right now to queue such pages onto
+a separate list, if we hit this race then the other code has already
+fully accepted responsibility for freeing this page and therefore
+there is no more for relinquish_memory to do.
+
+This is CVE-2015-7814 / XSA-147.
+
+Signed-off-by: Ian Campbell
+Reviewed-by: Julien Grall
+Reviewed-by: Jan Beulich
+
+--- a/xen/arch/arm/domain.c
++++ b/xen/arch/arm/domain.c
+@@ -768,8 +768,15 @@ static int relinquish_memory(struct doma
+ {
+ /* Grab a reference to the page so it won't disappear from under us. */
+ if ( unlikely(!get_page(page, d)) )
+- /* Couldn't get a reference -- someone is freeing this page. */
+- BUG();
++ /*
++ * Couldn't get a reference -- someone is freeing this page and
++ * has already committed to doing so, so no more to do here.
++ *
++ * Note that the page must be left on the list, a list_del
++ * here will clash with the list_del done by the other
++ * party in the race and corrupt the list head.
++ */
++ continue;
+ 
+ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
+ put_page(page);
diff --git a/5632127b-x86-guard-against-undue-super-page-PTE-creation.patch b/5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
new file mode 100644
index 0000000..2eb947a
--- /dev/null
+++ b/5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
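Review bot: The new `continue;` sits under `if ( unlikely(!get_page(page, d)) )` with an eight-line comment between the condition and the statement and no braces, which is the shape that invites a misplaced statement later; I would brace it: `if ( unlikely(!get_page(page, d)) ) { /* ... */ continue; }`. The comment itself says the other party will `list_del` this page, so the `continue` is only safe if the enclosing loop, whose header is outside the hunk, is a `_safe` iterator that captured the next element before this body ran; with a non-`_safe` iterator the next-pointer read after the concurrent `list_del` would touch freed memory. The loop header should be confirmed, and naming the iterator in the comment would make the reasoning self-contained.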
@@ -0,0 +1,44 @@
+# Commit fe360c90ea13f309ef78810f1a2b92f2ae3b30b8
+# Date 2015-10-29 13:35:07 +0100
+# Author Jan Beulich
+# Committer Jan Beulich
+x86: guard against undue super page PTE creation
+
+When optional super page support got added (commit bd1cd81d64 "x86: PV
+support for hugepages"), two adjustments were missed: mod_l2_entry()
+needs to consider the PSE and RW bits when deciding whether to use the
+fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
+unconditionally.
+
+This is CVE-2015-7835 / XSA-148.
+
+Reported-by: "栾尚聪(好风)"
+Signed-off-by: Jan Beulich
+Reviewed-by: Tim Deegan
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -160,7 +160,10 @@ static void put_superpage(unsigned long
+ static uint32_t base_disallow_mask;
+ /* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
+ #define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
+-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
++
++#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
++ ? base_disallow_mask & ~_PAGE_PSE \
++ : base_disallow_mask)
+ 
+ #define l3_disallow_mask(d) (!is_pv_32bit_domain(d) ? \
+ base_disallow_mask : 0xFFFFF198U)
+@@ -1839,7 +1842,10 @@ static int mod_l2_entry(l2_pgentry_t *pl
+ }
+ 
+ /* Fast path for identical mapping and presence. */
+- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
++ if ( !l2e_has_changed(ol2e, nl2e,
++ unlikely(opt_allow_superpage)
++ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
++ : _PAGE_PRESENT) )
+ {
+ adjust_guest_l2e(nl2e, d);
+ if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
diff --git a/5632129c-free-domain-s-vcpu-array.patch b/5632129c-free-domain-s-vcpu-array.patch
new file mode 100644
index 0000000..0ee9468
--- /dev/null
+++ b/5632129c-free-domain-s-vcpu-array.patch
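Review bot: The fast-path condition in mod_l2_entry() now adds `_PAGE_PSE | _PAGE_RW` when `opt_allow_superpage` is set, but nothing says why RW matters only in the superpage case, so a later cleanup is likely to fold it back; the preceding comment should be extended: `/* Fast path for identical mapping and presence. With superpages enabled a PSE or RW change must take the full get/put path so the superpage accounting (see put_superpage()) is not bypassed. */`. `L2_DISALLOW_MASK` has also changed from a constant expression to one that reads a global on every use, so any user that needed a compile-time value would break; the hunk shows none, but a one-line note on the macro that it is runtime-dependent would prevent that surprise. Both enclosing definitions extend beyond the hunks.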
@@ -0,0 +1,25 @@
+# Commit d46896ebbb23f3a9fef2eb6066ae614fd1acfd96
+# Date 2015-10-29 13:35:40 +0100
+# Author Jan Beulich
+# Committer Jan Beulich
+free domain's vcpu array
+
+This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
+guest").
+
+This is CVE-2015-7969 / XSA-149.
+
+Reported-by: Ian Campbell
+Signed-off-by: Jan Beulich
+Reviewed-by: Ian Campbell
+
+--- a/xen/common/domain.c
++++ b/xen/common/domain.c
+@@ -833,6 +833,7 @@ static void complete_domain_destroy(stru
+ 
+ xsm_free_security_domain(d);
+ free_cpumask_var(d->domain_dirty_cpumask);
++ xfree(d->vcpu);
+ free_domain_struct(d);
+ 
+ send_global_virq(VIRQ_DOM_EXC);
diff --git a/563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch b/563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
new file mode 100644
index 0000000..4b4458f
--- /dev/null
+++ b/563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
@@ -0,0 +1,205 @@ +# Commit 101ce53266866144e724ed593173bc4098b300b9 +# Date 2015-10-29 13:36:25 +0100 +# Author Andrew Cooper +# Committer Jan Beulich +x86/PoD: Eager sweep for zeroed pages + +Based on the contents of a guests physical address space, +p2m_pod_emergency_sweep() could degrade into a linear memcmp() from 0 to +max_gfn, which runs non-preemptibly. + +As p2m_pod_emergency_sweep() runs behind the scenes in a number of contexts, +making it preemptible is not feasible. + +Instead, a different approach is taken. Recently-populated pages are eagerly +checked for reclaimation, which amortises the p2m_pod_emergency_sweep() +operation across each p2m_pod_demand_populate() operation. + +Note that in the case that a 2M superpage can't be reclaimed as a superpage, +it is shattered if 4K pages of zeros can be reclaimed. This is unfortunate +but matches the previous behaviour, and is required to avoid regressions +(domain crash from PoD exhaustion) with VMs configured close to the limit. + +This is CVE-2015-7970 / XSA-150. + +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +Reviewed-by: George Dunlap + +--- a/xen/arch/x86/mm/p2m-pod.c ++++ b/xen/arch/x86/mm/p2m-pod.c +@@ -901,28 +901,6 @@ p2m_pod_zero_check(struct p2m_domain *p2 + } + + #define POD_SWEEP_LIMIT 1024 +- +-/* When populating a new superpage, look at recently populated superpages +- * hoping that they've been zeroed. This will snap up zeroed pages as soon as +- * the guest OS is done with them. 
*/ +-static void +-p2m_pod_check_last_super(struct p2m_domain *p2m, unsigned long gfn_aligned) +-{ +- unsigned long check_gfn; +- +- ASSERT(p2m->pod.last_populated_index < POD_HISTORY_MAX); +- +- check_gfn = p2m->pod.last_populated[p2m->pod.last_populated_index]; +- +- p2m->pod.last_populated[p2m->pod.last_populated_index] = gfn_aligned; +- +- p2m->pod.last_populated_index = +- ( p2m->pod.last_populated_index + 1 ) % POD_HISTORY_MAX; +- +- p2m_pod_zero_check_superpage(p2m, check_gfn); +-} +- +- + #define POD_SWEEP_STRIDE 16 + static void + p2m_pod_emergency_sweep(struct p2m_domain *p2m) +@@ -963,7 +941,7 @@ p2m_pod_emergency_sweep(struct p2m_domai + * NB that this is a zero-sum game; we're increasing our cache size + * by re-increasing our 'debt'. Since we hold the pod lock, + * (entry_count - count) must remain the same. */ +- if ( p2m->pod.count > 0 && i < limit ) ++ if ( i < limit && (p2m->pod.count > 0 || hypercall_preempt_check()) ) + break; + } + +@@ -975,6 +953,58 @@ p2m_pod_emergency_sweep(struct p2m_domai + + } + ++static void pod_eager_reclaim(struct p2m_domain *p2m) ++{ ++ struct pod_mrp_list *mrp = &p2m->pod.mrp; ++ unsigned int i = 0; ++ ++ /* ++ * Always check one page for reclaimation. ++ * ++ * If the PoD pool is empty, keep checking some space is found, or all ++ * entries have been exhaused. 
++ */ ++ do ++ { ++ unsigned int idx = (mrp->idx + i++) % ARRAY_SIZE(mrp->list); ++ unsigned long gfn = mrp->list[idx]; ++ ++ if ( gfn != INVALID_GFN ) ++ { ++ if ( gfn & POD_LAST_SUPERPAGE ) ++ { ++ gfn &= ~POD_LAST_SUPERPAGE; ++ ++ if ( p2m_pod_zero_check_superpage(p2m, gfn) == 0 ) ++ { ++ unsigned int x; ++ ++ for ( x = 0; x < SUPERPAGE_PAGES; ++x, ++gfn ) ++ p2m_pod_zero_check(p2m, &gfn, 1); ++ } ++ } ++ else ++ p2m_pod_zero_check(p2m, &gfn, 1); ++ ++ mrp->list[idx] = INVALID_GFN; ++ } ++ ++ } while ( (p2m->pod.count == 0) && (i < ARRAY_SIZE(mrp->list)) ); ++} ++ ++static void pod_eager_record(struct p2m_domain *p2m, ++ unsigned long gfn, unsigned int order) ++{ ++ struct pod_mrp_list *mrp = &p2m->pod.mrp; ++ ++ ASSERT(mrp->list[mrp->idx] == INVALID_GFN); ++ ASSERT(gfn != INVALID_GFN); ++ ++ mrp->list[mrp->idx++] = ++ gfn | (order == PAGE_ORDER_2M ? POD_LAST_SUPERPAGE : 0); ++ mrp->idx %= ARRAY_SIZE(mrp->list); ++} ++ + int + p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn, + unsigned int order, +@@ -1015,6 +1045,8 @@ p2m_pod_demand_populate(struct p2m_domai + return 0; + } + ++ pod_eager_reclaim(p2m); ++ + /* Only sweep if we're actually out of memory. Doing anything else + * causes unnecessary time and fragmentation of superpages in the p2m. 
*/ + if ( p2m->pod.count == 0 ) +@@ -1051,6 +1083,8 @@ p2m_pod_demand_populate(struct p2m_domai + p2m->pod.entry_count -= (1 << order); + BUG_ON(p2m->pod.entry_count < 0); + ++ pod_eager_record(p2m, gfn_aligned, order); ++ + if ( tb_init_done ) + { + struct { +@@ -1066,12 +1100,6 @@ p2m_pod_demand_populate(struct p2m_domai + __trace_var(TRC_MEM_POD_POPULATE, 0, sizeof(t), &t); + } + +- /* Check the last guest demand-populate */ +- if ( p2m->pod.entry_count > p2m->pod.count +- && (order == PAGE_ORDER_2M) +- && (q & P2M_ALLOC) ) +- p2m_pod_check_last_super(p2m, gfn_aligned); +- + pod_unlock(p2m); + return 0; + out_of_memory: +--- a/xen/arch/x86/mm/p2m.c ++++ b/xen/arch/x86/mm/p2m.c +@@ -60,6 +60,7 @@ boolean_param("hap_2mb", opt_hap_2mb); + /* Init the datastructures for later use by the p2m code */ + static int p2m_initialise(struct domain *d, struct p2m_domain *p2m) + { ++ unsigned int i; + int ret = 0; + + mm_rwlock_init(&p2m->lock); +@@ -75,6 +76,9 @@ static int p2m_initialise(struct domain + + p2m->np2m_base = P2M_BASE_EADDR; + ++ for ( i = 0; i < ARRAY_SIZE(p2m->pod.mrp.list); ++i ) ++ p2m->pod.mrp.list[i] = INVALID_GFN; ++ + if ( hap_enabled(d) && cpu_has_vmx ) + ret = ept_p2m_init(p2m); + else +--- a/xen/include/asm-x86/p2m.h ++++ b/xen/include/asm-x86/p2m.h +@@ -292,10 +292,20 @@ struct p2m_domain { + entry_count; /* # of pages in p2m marked pod */ + unsigned long reclaim_single; /* Last gpfn of a scan */ + unsigned long max_guest; /* gpfn of max guest demand-populate */ +-#define POD_HISTORY_MAX 128 +- /* gpfn of last guest superpage demand-populated */ +- unsigned long last_populated[POD_HISTORY_MAX]; +- unsigned int last_populated_index; ++ ++ /* ++ * Tracking of the most recently populated PoD pages, for eager ++ * reclamation. 
++ */ ++ struct pod_mrp_list { ++#define NR_POD_MRP_ENTRIES 32 ++ ++/* Encode ORDER_2M superpage in top bit of GFN */ ++#define POD_LAST_SUPERPAGE (INVALID_GFN & ~(INVALID_GFN >> 1)) ++ ++ unsigned long list[NR_POD_MRP_ENTRIES]; ++ unsigned int idx; ++ } mrp; + mm_lock_t lock; /* Locking of private pod structs, * + * not relying on the p2m lock. */ + } pod; diff --git a/563212e4-xenoprof-free-domain-s-vcpu-array.patch b/563212e4-xenoprof-free-domain-s-vcpu-array.patch new file mode 100644 index 0000000..02e233e --- /dev/null +++ b/563212e4-xenoprof-free-domain-s-vcpu-array.patch @@ -0,0 +1,32 @@ +# Commit 6e97c4b37386c2d09e09e9b5d5d232e37728b960 +# Date 2015-10-29 13:36:52 +0100 +# Author Jan Beulich +# Committer Jan Beulich +xenoprof: free domain's vcpu array + +This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per +guest"). + +This is CVE-2015-7969 / XSA-151. + +Signed-off-by: Jan Beulich +Reviewed-by: Ian Campbell + +--- a/xen/common/xenoprof.c ++++ b/xen/common/xenoprof.c +@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct( + d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0); + if ( d->xenoprof->rawbuf == NULL ) + { ++ xfree(d->xenoprof->vcpu); + xfree(d->xenoprof); + d->xenoprof = NULL; + return -ENOMEM; +@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain * + free_xenheap_pages(x->rawbuf, order); + } + ++ xfree(x->vcpu); + xfree(x); + d->xenoprof = NULL; + } diff --git a/563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch b/563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch new file mode 100644 index 0000000..dc2c271 --- /dev/null +++ b/563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch 
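Review bot: The header comment of the new pod_eager_reclaim() is the only description of the loop's stopping rule and it is garbled: 'check one page for reclaimation' and 'keep checking some space is found, or all entries have been exhaused' carry two typos and a missing word. I would write it as `/* Always check one page for reclamation. If the PoD pool is empty, keep checking until some space is found or all entries have been exhausted. */`. pod_eager_record() also relies on `ASSERT(mrp->list[mrp->idx] == INVALID_GFN)`, i.e. on pod_eager_reclaim() having consumed the slot at `mrp->idx` earlier in the same p2m_pod_demand_populate() call, and that ordering dependency deserves a comment on the ASSERT because the two calls are separated by the emergency sweep and the allocation. p2m_pod_demand_populate() starts and ends outside the hunks.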
@@ -0,0 +1,70 @@ +# Commit 95e7415843b94c346e5ba8682665f508f220e04b +# Date 2015-10-29 13:37:19 +0100 +# Author Jan Beulich +# Committer Jan Beulich +x86: rate-limit logging in do_xen{oprof,pmu}_op() + +Some of the sub-ops are acessible to all guests, and hence should be +rate-limited. In the xenoprof case, just like for XSA-146, include them +only in debug builds. Since the vPMU code is rather new, allow them to +be always present, but downgrade them to (rate limited) guest messages. + +This is CVE-2015-7971 / XSA-152. + +Signed-off-by: Jan Beulich +Reviewed-by: Ian Campbell + +--- a/xen/arch/x86/cpu/vpmu.c ++++ b/xen/arch/x86/cpu/vpmu.c +@@ -682,8 +682,8 @@ long do_xenpmu_op(unsigned int op, XEN_G + vpmu_mode = pmu_params.val; + else if ( vpmu_mode != pmu_params.val ) + { +- printk(XENLOG_WARNING +- "VPMU: Cannot change mode while active VPMUs exist\n"); ++ gprintk(XENLOG_WARNING, ++ "VPMU: Cannot change mode while active VPMUs exist\n"); + ret = -EBUSY; + } + +@@ -714,8 +714,8 @@ long do_xenpmu_op(unsigned int op, XEN_G + vpmu_features = pmu_params.val; + else + { +- printk(XENLOG_WARNING "VPMU: Cannot change features while" +- " active VPMUs exist\n"); ++ gprintk(XENLOG_WARNING, ++ "VPMU: Cannot change features while active VPMUs exist\n"); + ret = -EBUSY; + } + +--- a/xen/common/xenoprof.c ++++ b/xen/common/xenoprof.c +@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H + + if ( (op < 0) || (op > XENOPROF_last_op) ) + { +- printk("xenoprof: invalid operation %d for domain %d\n", +- op, current->domain->domain_id); ++ gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op); + return -EINVAL; + } + + if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) ) + { +- printk("xenoprof: dom %d denied privileged operation %d\n", +- current->domain->domain_id, op); ++ gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op); + return -EPERM; + } + +@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H + spin_unlock(&xenoprof_lock); + 
+ if ( ret < 0 ) +- printk("xenoprof: operation %d failed for dom %d (status : %d)\n", +- op, current->domain->domain_id, ret); ++ gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret); + + return ret; + } diff --git a/56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch b/56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch new file mode 100644 index 0000000..4c115dd --- /dev/null +++ b/56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch 
@@ -0,0 +1,77 @@ +# Commit e294a0c3af9f4443dc692b180fb1771b1cb075e8 +# Date 2015-10-29 15:11:51 +0000 +# Author Ian Jackson +# Committer Ian Jackson +libxl: adjust PoD target by memory fudge, too + +PoD guests need to balloon at least as far as required by PoD, or risk +crashing. Currently they don't necessarily know what the right value +is, because our memory accounting is (at the very least) confusing. + +Apply the memory limit fudge factor to the in-hypervisor PoD memory +target, too. This will increase the size of the guest's PoD cache by +the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby). This ensures +that even with a slightly-off balloon driver, the guest will be +stable even under memory pressure. + +There are two call sites of xc_domain_set_pod_target that need fixing: + +The one in libxl_set_memory_target is straightforward. + +The one in xc_hvm_build_x86.c:setup_guest is more awkward. Simply +setting the PoD target differently does not work because the various +amounts of memory during domain construction no longer match up. +Instead, we adjust the guest memory target in xenstore (but only for +PoD guests). + +This introduces a 1Mby discrepancy between the balloon target of a PoD +guest at boot, and the target set by an apparently-equivalent `xl +mem-set' (or similar) later. This approach is low-risk for a security +fix but we need to fix this up properly in xen.git#staging and +probably also in stable trees. + +This is XSA-153. 
+ +Signed-off-by: Ian Jackson +(cherry picked from commit 56fb5fd62320eb40a7517206f9706aa9188d6f7b) + +--- a/tools/libxl/libxl.c ++++ b/tools/libxl/libxl.c +@@ -4815,7 +4815,7 @@ retry_transaction: + } + + rc = xc_domain_set_pod_target(ctx->xch, domid, +- new_target_memkb / 4, NULL, NULL, NULL); ++ (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL); + if (rc != 0) { + LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, + "xc_domain_set_pod_target domid=%d, memkb=%d " +--- a/tools/libxl/libxl_dom.c ++++ b/tools/libxl/libxl_dom.c +@@ -486,6 +486,7 @@ int libxl__build_post(libxl__gc *gc, uin + xs_transaction_t t; + char **ents; + int i, rc; ++ int64_t mem_target_fudge; + + if (info->num_vnuma_nodes && !info->num_vcpu_soft_affinity) { + rc = set_vnuma_affinity(gc, domid, info); +@@ -518,11 +519,17 @@ int libxl__build_post(libxl__gc *gc, uin + } + } + ++ mem_target_fudge = ++ (info->type == LIBXL_DOMAIN_TYPE_HVM && ++ info->max_memkb > info->target_memkb) ++ ? LIBXL_MAXMEM_CONSTANT : 0; ++ + ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *)); + ents[0] = "memory/static-max"; + ents[1] = GCSPRINTF("%"PRId64, info->max_memkb); + ents[2] = "memory/target"; +- ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb); ++ ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb ++ - mem_target_fudge); + ents[4] = "memory/videoram"; + ents[5] = GCSPRINTF("%"PRId64, info->video_memkb); + ents[6] = "domid"; diff --git a/56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch b/56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch new file mode 100644 index 0000000..367b1b7 --- /dev/null +++ b/56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch 
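Review bot: `mem_target_fudge` is declared and computed in libxl__build_post without any comment, so a reader of libxl_dom.c cannot tell why the xenstore `memory/target` of an HVM guest with `max_memkb > target_memkb` is lowered by LIBXL_MAXMEM_CONSTANT; the reasoning lives only in this commit message, and the libxl.c hunk likewise adds the fudge to the PoD target silently. I would put above the assignment: `/* PoD guests: lower the xenstore balloon target by the same fudge applied to the hypervisor PoD target in libxl_set_memory_target, so a slightly-off balloon driver cannot balloon below the PoD target (XSA-153). */`. The message already admits the resulting 1Mby discrepancy with a later `xl mem-set`; a `/* keep in sync with libxl__build_post's mem_target_fudge */` at the libxl.c call site would help the promised follow-up fix. libxl__build_post and libxl_set_memory_target both start and end outside the hunk.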
@@ -0,0 +1,88 @@ +# Commit 59a5061723ba47c0028cf48487e5de551c42a378 +# Date 2015-11-02 15:33:38 +0100 +# Author Andrew Cooper +# Committer Jan Beulich +x86/PoD: Make p2m_pod_empty_cache() restartable + +This avoids a long running operation when destroying a domain with a +large PoD cache. + +Signed-off-by: Andrew Cooper +Reviewed-by: George Dunlap + +--- a/xen/arch/x86/mm/p2m-pod.c ++++ b/xen/arch/x86/mm/p2m-pod.c +@@ -375,11 +375,11 @@ out: + return ret; + } + +-void +-p2m_pod_empty_cache(struct domain *d) ++int p2m_pod_empty_cache(struct domain *d) + { + struct p2m_domain *p2m = p2m_get_hostp2m(d); + struct page_info *page; ++ unsigned int i; + + /* After this barrier no new PoD activities can happen. */ + BUG_ON(!d->is_dying); +@@ -389,8 +389,6 @@ p2m_pod_empty_cache(struct domain *d) + + while ( (page = page_list_remove_head(&p2m->pod.super)) ) + { +- int i; +- + for ( i = 0 ; i < SUPERPAGE_PAGES ; i++ ) + { + BUG_ON(page_get_owner(page + i) != d); +@@ -398,19 +396,27 @@ p2m_pod_empty_cache(struct domain *d) + } + + p2m->pod.count -= SUPERPAGE_PAGES; ++ ++ if ( hypercall_preempt_check() ) ++ goto out; + } + +- while ( (page = page_list_remove_head(&p2m->pod.single)) ) ++ for ( i = 0; (page = page_list_remove_head(&p2m->pod.single)); ++i ) + { + BUG_ON(page_get_owner(page) != d); + page_list_add_tail(page, &d->page_list); + + p2m->pod.count -= 1; ++ ++ if ( i && !(i & 511) && hypercall_preempt_check() ) ++ goto out; + } + + BUG_ON(p2m->pod.count != 0); + ++ out: + unlock_page_alloc(p2m); ++ return p2m->pod.count ? 
-ERESTART : 0; + } + + int +--- a/xen/arch/x86/mm/paging.c ++++ b/xen/arch/x86/mm/paging.c +@@ -815,7 +815,7 @@ int paging_teardown(struct domain *d) + return rc; + + /* Move populate-on-demand cache back to domain_list for destruction */ +- p2m_pod_empty_cache(d); ++ rc = p2m_pod_empty_cache(d); + + return rc; + } +--- a/xen/include/asm-x86/p2m.h ++++ b/xen/include/asm-x86/p2m.h +@@ -588,7 +588,7 @@ void p2m_pod_dump_data(struct domain *d) + + /* Move all pages from the populate-on-demand cache to the domain page_list + * (usually in preparation for domain destruction) */ +-void p2m_pod_empty_cache(struct domain *d); ++int p2m_pod_empty_cache(struct domain *d); + + /* Set populate-on-demand cache size so that the total memory allocated to a + * domain matches target */ diff --git a/CVE-2015-5307-xsa156.patch b/5641ceec-x86-HVM-always-intercept-AC-and-DB.patch similarity index 86% rename from CVE-2015-5307-xsa156.patch rename to 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch index d872399..467b486 100644 --- a/CVE-2015-5307-xsa156.patch +++ b/5641ceec-x86-HVM-always-intercept-AC-and-DB.patch @@ -1,5 +1,7 @@ -References: bsc#953527 CVE-2015-5307 XSA-156 - +# Commit bd2239d9fa975a1ee5bcd27c218ae042cd0a57bc +# Date 2015-11-10 12:03:08 +0100 +# Author Jan Beulich +# Committer Jan Beulich x86/HVM: always intercept #AC and #DB Both being benign exceptions, and both being possible to get triggered @@ -12,6 +14,10 @@ The specific scenarios: 1) #AC may be raised during exception delivery if the handler is set to be a ring-3 one by a 32-bit guest, and the stack is misaligned. +This is CVE-2015-5307 / XSA-156. + +Reported-by: Benjamin Serebrin + 2) #DB may be raised during exception delivery when a breakpoint got placed on a data structure involved in delivering the exception. This can result in an endless loop when a 64-bit guest uses a non-zero IST 
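Review bot: The p2m.h declaration becomes `int p2m_pod_empty_cache(struct domain *d);`, but the comment above it still only says that the pages are moved to the domain page_list; nothing documents that the function now returns -ERESTART when `hypercall_preempt_check()` fires with pages left in the cache and must be called again until it returns 0. I would extend that comment with ` * Returns 0 once the cache is empty, -ERESTART if preempted part-way (the caller must retry). */`. paging_teardown now propagates the value (`rc = p2m_pod_empty_cache(d);`), which presumably relies on its callers already turning -ERESTART into a continuation; that is worth confirming, since a caller treating any non-zero rc as a hard failure would leave the PoD cache partially drained. paging_teardown starts outside the hunk.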
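Review bot: The rename drops the `References: bsc#953527 CVE-2015-5307 XSA-156` header in favour of the upstream `# Commit`/`# Date` block, so the SUSE bug id bsc#953527 no longer appears anywhere in the patch and the CVE ids survive only inside the body (`This is CVE-2015-5307 / XSA-156.` in the second hunk, `This is CVE-2015-8104 / XSA-156.` in the third). The xen.changes entry records the file only as replacing CVE-2015-5307-xsa156.patch, so CVE-2015-8104 is now mentioned nowhere in the package metadata. I would keep a `References: bsc#953527 CVE-2015-5307 CVE-2015-8104 XSA-156` line after the commit block, or name both CVEs in xen.changes, so the advisories this package fixes stay grep-able. 5632129c-free-domain-s-vcpu-array.patch, which replaces CVE-2015-7969-xsa149.patch earlier in this series, is likely in the same position.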
@@ -19,17 +25,14 @@ for the vector 1 IDT entry, but even without use of IST the time it takes until a contributory fault would get raised (results depending on the handler) may be quite long. -This is XSA-156. +This is CVE-2015-8104 / XSA-156. -Reported-by: Benjamin Serebrin Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper Tested-by: Andrew Cooper -Index: xen-4.6.0-testing/xen/arch/x86/hvm/svm/svm.c -=================================================================== ---- xen-4.6.0-testing.orig/xen/arch/x86/hvm/svm/svm.c -+++ xen-4.6.0-testing/xen/arch/x86/hvm/svm/svm.c +--- a/xen/arch/x86/hvm/svm/svm.c ++++ b/xen/arch/x86/hvm/svm/svm.c @@ -1043,10 +1043,11 @@ static void noreturn svm_do_resume(struc unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) ) { @@ -68,10 +71,8 @@ Index: xen-4.6.0-testing/xen/arch/x86/hvm/svm/svm.c case VMEXIT_EXCEPTION_UD: svm_vmexit_ud_intercept(regs); break; -Index: xen-4.6.0-testing/xen/arch/x86/hvm/vmx/vmx.c -=================================================================== ---- xen-4.6.0-testing.orig/xen/arch/x86/hvm/vmx/vmx.c -+++ xen-4.6.0-testing/xen/arch/x86/hvm/vmx/vmx.c +--- a/xen/arch/x86/hvm/vmx/vmx.c ++++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -1224,16 +1224,10 @@ static void vmx_update_host_cr3(struct v void vmx_update_debug_state(struct vcpu *v) @@ -117,10 +118,8 @@ Index: xen-4.6.0-testing/xen/arch/x86/hvm/vmx/vmx.c case TRAP_nmi: if ( MASK_EXTR(intr_info, INTR_INFO_INTR_TYPE_MASK) != X86_EVENTTYPE_NMI ) -Index: xen-4.6.0-testing/xen/include/asm-x86/hvm/hvm.h -=================================================================== ---- xen-4.6.0-testing.orig/xen/include/asm-x86/hvm/hvm.h -+++ xen-4.6.0-testing/xen/include/asm-x86/hvm/hvm.h +--- a/xen/include/asm-x86/hvm/hvm.h ++++ b/xen/include/asm-x86/hvm/hvm.h @@ -384,7 +384,10 @@ static inline int hvm_event_pending(stru (X86_CR4_VMXE | X86_CR4_PAE | X86_CR4_MCE)) 
diff --git a/5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch b/5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch
new file mode 100644
index 0000000..3f5734e
--- /dev/null
+++ b/5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch
@@ -0,0 +1,20 @@
+# Commit 057e0e72d2a5d598087c5f167ec6a13203a3cf65
+# Date 2015-11-12 16:59:18 +0100
+# Author Jan Beulich
+# Committer Jan Beulich
+x86/HVM: don't inject #DB with error code
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -4071,7 +4071,7 @@ void hvm_task_switch(
+ goto out;
+
+ if ( (tss.trace & 1) && !exn_raised )
+- hvm_inject_hw_exception(TRAP_debug, tss_sel & 0xfff8);
++ hvm_inject_hw_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE);
+
+ tr.attr.fields.type = 0xb; /* busy 32-bit tss */
+ hvm_set_segment_register(v, x86_seg_tr, &tr);
diff --git a/CVE-2015-7969-xsa149.patch b/CVE-2015-7969-xsa149.patch
deleted file mode 100644
index db4291d..0000000
--- a/CVE-2015-7969-xsa149.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-xen: free domain's vcpu array
-
-This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
-guest").
-
-This is XSA-149.
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Ian Campbell
-
-Index: xen-4.6.0-testing/xen/common/domain.c
-===================================================================
---- xen-4.6.0-testing.orig/xen/common/domain.c
-+++ xen-4.6.0-testing/xen/common/domain.c
-@@ -412,6 +412,7 @@ struct domain *domain_create(domid_t dom
- if ( init_status & INIT_xsm )
- xsm_free_security_domain(d);
- free_cpumask_var(d->domain_dirty_cpumask);
-+ xfree(d->vcpu);
- free_domain_struct(d);
- return ERR_PTR(err);
- }
diff --git a/block-iscsi b/block-iscsi
deleted file mode 100644
index bc2ead6..0000000
--- a/block-iscsi
+++ /dev/null
@@ -1,76 +0,0 @@ -#!/bin/bash - -# Usage: block-iscsi [add tgtname | remove dev] -# -# This assumes you're running a correctly configured -# iscsi target (server) at the other end! -# Note that we assume that the passwords for discovery (if needed) -# are in /etc/iscsid.conf -# and the node session passwords (if required) in the -# open-iscsi database below /var/lib/open-iscsi/node.db -# -# (c) Kurt Garloff , 2006-09-04, GNU GPL -# Contributors: Jim Fehlig -# Stefan de Konink - -dir=$(dirname "$0") -. "$dir/block-common.sh" - -# echo "DBG:xen/scripts/block-iscsi $1 $2 XENBUS_PATH=$XENBUS_PATH $par $node" - -find_sdev() -{ - unset dev - for session in /sys/class/iscsi_session/session*; do - if [ "$1" = "`cat $session/targetname 2>/dev/null`" ]; then - dev=`basename $session/device/target*/*:0:*/block*/*` - return - fi - done -} - -find_sdev_rev() -{ - unset tgt - for session in /sys/class/iscsi_session/session*; do - dev=`basename $session/device/target*/*:0:*/block*/*` - if [ "$dev" = "$1" ]; then - tgt=`cat $session/targetname 2>/dev/null` - return - fi - done -} - -case "$command" in - add) - # load modules and start iscsid - /etc/init.d/open-iscsi status >/dev/null 2>&1 || - { /etc/init.d/open-iscsi start >/dev/null 2>&1; sleep 1; } - par=`xenstore-read $XENBUS_PATH/params` || true - TGTID=`echo $par | sed "s/\/\///g"` - while read rec uuid; do - if [ "$uuid" = "$TGTID" ]; then - find_sdev $TGTID - if [ -z "$dev" ]; then - /sbin/iscsiadm -m node -T $uuid -p $rec --login || exit 2 - sleep 4 - find_sdev $TGTID - fi - xenstore-write $XENBUS_PATH/node /dev/$dev - write_dev /dev/$dev - exit 0 - fi - done < <(/sbin/iscsiadm -m node) - exit 1 - ;; - - remove) - node=`xenstore-read $XENBUS_PATH/node` || true - dev=$node; dev=${dev#/dev/} - find_sdev_rev $dev - if [ -x /sbin/blockdev -a -n "$node" ]; then blockdev --flushbufs "$node"; fi - test -z "$tgt" && exit 2 - /sbin/iscsiadm -m node -T $tgt --logout - exit 1 - ;; -esac 
diff --git a/block-nbd b/block-nbd deleted file mode 100644 index 9538103..0000000 --- a/block-nbd +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh - -# Usage: block-nbd [bind server ctl_port |unbind node] -# -# The node argument to unbind is the name of the device node we are to -# unbind. -# -# This assumes you're running a correctly configured server at the other end! - -dir=$(dirname "$0") -. "$dir/block-common.sh" - -#set -x -par=`xenstore-read $XENBUS_PATH/params` || true -#echo $par - -case "$command" in - add) - modprobe nbd - for dev in /dev/nbd*; do - if nbd-client $par $dev; then - xenstore-write $XENBUS_PATH/node $dev - write_dev $dev - exit 0 - fi - done - exit 1 - ;; - remove) - node=`xenstore-read $XENBUS_PATH/node` || true - nbd-client -d $node - exit 0 - ;; -esac diff --git a/tmp_build.patch b/tmp_build.patch index 7afbaf2..ecafbdd 100644 --- a/tmp_build.patch +++ b/tmp_build.patch @@ -14,7 +14,7 @@ Index: xen-4.6.0-testing/tools/xenstore/Makefile xenstore-control: xenstore_control.o $(LIBXENSTORE) $(CC) $< $(LDFLAGS) $(LDLIBS_libxenstore) $(SOCKET_LIBS) -o $@ $(APPEND_LDFLAGS) -@@ -145,12 +146,13 @@ endif +@@ -145,10 +146,11 @@ endif $(INSTALL_PROG) xenstore-control $(DESTDIR)$(bindir) $(INSTALL_PROG) xenstore $(DESTDIR)$(bindir) set -e ; for c in $(CLIENTS) ; do \ @@ -23,11 +23,8 @@ Index: xen-4.6.0-testing/tools/xenstore/Makefile done + $(INSTALL_PROG) domu-xenstore $(DESTDIR)/bin for client in $(CLIENTS_DOMU); do \ -- $(INSTALL_PROG) $$client $(DESTDIR)/bin/$${client/domu-}; \ +- $(INSTALL_PROG) $$client $(DESTDIR)$(bindir)/$${client/domu-}; \ + ln -fs domu-xenstore $(DESTDIR)/bin/$${client/domu-}; \ done -- $(INSTALL_DIR) $(DESTDIR)$(libdir) -+ $(INSTALL_DIR) $(DESTDIR)$(libdir) + $(INSTALL_DIR) $(DESTDIR)$(libdir) $(INSTALL_SHLIB) libxenstore.so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir) - ln -sf libxenstore.so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir)/libxenstore.so.$(MAJOR) - ln -sf libxenstore.so.$(MAJOR) $(DESTDIR)$(libdir)/libxenstore.so 
diff --git a/xen-destdir.patch b/xen-destdir.patch index 054e294..cef833c 100644 --- a/xen-destdir.patch +++ b/xen-destdir.patch @@ -51,9 +51,9 @@ Index: xen-4.6.0-testing/tools/xenstore/Makefile done - $(INSTALL_DIR) $(DESTDIR)$(libdir) + for client in $(CLIENTS_DOMU); do \ -+ $(INSTALL_PROG) $$client $(DESTDIR)/bin/$${client/domu-}; \ ++ $(INSTALL_PROG) $$client $(DESTDIR)$(bindir)/$${client/domu-}; \ + done -+ $(INSTALL_DIR) $(DESTDIR)$(libdir) ++ $(INSTALL_DIR) $(DESTDIR)$(libdir) $(INSTALL_SHLIB) libxenstore.so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir) ln -sf libxenstore.so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir)/libxenstore.so.$(MAJOR) ln -sf libxenstore.so.$(MAJOR) $(DESTDIR)$(libdir)/libxenstore.so diff --git a/xen.changes b/xen.changes index ee0167c..6312ebc 100644 --- a/xen.changes +++ b/xen.changes 
@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Tue Nov 24 08:44:57 MST 2015 - carnold@suse.com
+
+- fate#315712: XEN: Use the PVOPS kernel
+ Turn off building the KMPs now that we are using the pvops kernel
+ xen.spec
+
+-------------------------------------------------------------------
+Thu Nov 19 11:18:03 MST 2015 - carnold@suse.com
+
+- Upstream patches from Jan
+ 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
+ 561d20a0-x86-hide-MWAITX-from-PV-domains.patch
+ 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
+ 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
+ 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
+ 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
+ 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
+ 5632129c-free-domain-s-vcpu-array.patch (Replaces CVE-2015-7969-xsa149.patch)
+ 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
+ 563212e4-xenoprof-free-domain-s-vcpu-array.patch
+ 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
+ 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch
+ 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch
+ 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch (Replaces CVE-2015-5307-xsa156.patch)
+ 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch
+- Dropped 55b0a2db-x86-MSI-track-guest-masking.patch
+
+-------------------------------------------------------------------
+Thu Nov 19 07:47:47 UTC 2015 - ohering@suse.de
+
+- Use upstream variants of block-iscsi and block-nbd
+
+-------------------------------------------------------------------
+Thu Nov 19 07:38:06 UTC 2015 - ohering@suse.de
+
+- Remove xenalyze.hg, its part of xen-4.6
+
 -------------------------------------------------------------------
 Wed Nov 10 16:16:24 MDT 2015 - carnold@suse.com
 
diff --git a/xen.spec b/xen.spec index 7a9b438..f9a3b32 100644 --- a/xen.spec +++ b/xen.spec @@ -31,7 +31,7 @@ ExclusiveArch: %ix86 x86_64 %arm aarch64 %define with_oxenstored 0 # %ifarch x86_64 -%define with_kmp 1 +%define with_kmp 0 %define with_debug 1 %define with_stubdom 1 %define with_gdbsx 1 @@ -59,11 +59,12 @@ ExclusiveArch: %ix86 x86_64 %arm aarch64 # EFI requires gcc 4.6 or newer # gcc46 is available in 12.1 or sles11sp2 # gcc47 is available in sles11sp3 +# gcc48 is available in sles11sp4 # 12.2+ have gcc 4.7 as default compiler -%if %suse_version == 1110 -%define with_gcc47 1 -%else %define with_gcc47 0 +%define with_gcc48 0 +%if %suse_version == 1110 +%define with_gcc48 1 %endif %define _fwdefdir /etc/sysconfig/SuSEfirewall2.d/services %define with_systemd 0 @@ -143,6 +144,9 @@ BuildRequires: acpica %if %{?with_gcc47}0 BuildRequires: gcc47 %endif +%if %{?with_gcc48}0 +BuildRequires: gcc48 +%endif BuildRequires: glibc-32bit BuildRequires: glibc-devel-32bit %endif @@ -158,7 +162,7 @@ BuildRequires: xorg-x11-util-devel %endif %endif -Version: 4.6.0_02 +Version: 4.6.0_04 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0 @@ -175,8 +179,6 @@ Source10: README.SUSE Source11: boot.xen Source12: boot.local.xenU Source15: logrotate.conf -Source19: block-nbd -Source20: block-iscsi Source21: block-npiv-common.sh Source22: block-npiv Source23: block-npiv-vport 
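Review bot: After the second hunk `with_gcc47` is defined as 0 unconditionally (the `%if %suse_version == 1110` that used to set it to 1 now sets `with_gcc48` instead), so unless it is redefined somewhere not visible here, the `%if %{?with_gcc47}0 … BuildRequires: gcc47 … %endif` block kept in the next hunk and the `CC=gcc-4.7 \` lines in the install hunks further down are dead. Either remove them together with the define, or keep a comment on `%define with_gcc47 0` saying why the gcc47 path is retained. The new comment `# gcc48 is available in sles11sp4` also sits next to the existing `# gcc47 is available in sles11sp3`, while the condition selects gcc48 for every `%suse_version == 1110` build; if sles11sp3 is still a build target, the comments and the condition disagree.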
@@ -199,15 +201,25 @@ Source42: xen-dom0-modules.service
 Source57: xen-utils-0.1.tar.bz2
 # For xen-libs
 Source99: baselibs.conf
-# http://xenbits.xensource.com/ext/xenalyze
-Source20000: xenalyze.hg.tar.bz2
 # Upstream patches
-Patch1: 55b0a2db-x86-MSI-track-guest-masking.patch
-Patch2: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch
-Patch3: 5604f239-x86-PV-properly-populate-descriptor-tables.patch
+Patch1: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch
+Patch2: 5604f239-x86-PV-properly-populate-descriptor-tables.patch
+Patch3: 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch
 Patch4: 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
-Patch149: CVE-2015-7969-xsa149.patch
-Patch158: CVE-2015-5307-xsa156.patch
+Patch5: 561d20a0-x86-hide-MWAITX-from-PV-domains.patch
+Patch6: 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch
+Patch7: 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch
+Patch8: 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch
+Patch9: 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch
+Patch10: 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch
+Patch11: 5632129c-free-domain-s-vcpu-array.patch
+Patch12: 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
+Patch13: 563212e4-xenoprof-free-domain-s-vcpu-array.patch
+Patch14: 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch
+Patch15: 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch
+Patch16: 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch
+Patch17: 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch
+Patch18: 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch
 # Upstream qemu
 Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -489,14 +501,26 @@ Authors: %endif %prep -%setup -q -n %xen_build_dir -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 57 -a 20000 +%setup -q -n %xen_build_dir -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 57 # Upstream patches %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch149 -p1 -%patch158 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 # Upstream qemu patches %patch250 -p1 %patch251 -p1 @@ -652,11 +676,6 @@ configure_flags="${configure_flags} --enable-qemu-traditional" %else configure_flags="${configure_flags} --disable-qemu-traditional" %endif -%if %{?with_qemu_traditional}0 -configure_flags="${configure_flags} --enable-blktap1" -%else -configure_flags="${configure_flags} --disable-blktap1" -%endif ./configure \ --disable-xen \ --enable-tools \ @@ -687,9 +706,6 @@ configure_flags="${configure_flags} --disable-blktap1" make -C tools/include/xen-foreign %{?_smp_mflags} make %{?_smp_mflags} %if %{?with_dom0_support}0 -%ifarch %ix86 x86_64 -make -C xenalyze.hg CC="gcc -I../xen/include -DMAX_CPUS=%{max_cpus} ${RPM_OPT_FLAGS}" %{?_smp_mflags} -k -%endif make -C tools/xen-utils-0.1 XEN_INTREE_BUILD=yes XEN_ROOT=$PWD %endif # @@ -730,7 +746,10 @@ make -C xen install \ %if %{?with_gcc47}0 CC=gcc-4.7 \ %endif - max_phys_cpus=%{max_cpus} debug=n crash_debug=n DESTDIR=$RPM_BUILD_ROOT %{?_smp_mflags} +%if %{?with_gcc48}0 + CC=gcc-4.8 \ +%endif + max_phys_cpus=%{max_cpus} debug=n crash_debug=n DEBUG_DIR=/boot DESTDIR=$RPM_BUILD_ROOT %{?_smp_mflags} make -C xen clean install_xen() { 
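Review bot: The second hunk on this line drops the `--enable-blktap1`/`--disable-blktap1` pair from `configure_flags`, but neither the commit message nor the xen.changes entries in this commit mention it (they cover the KMP switch, the patch refresh, the block scripts and xenalyze). Presumably the option no longer exists in the 4.6 configure script; a changelog line, or a one-line comment above `./configure \` recording that, would save the next packager from reintroducing it. The removed `%if %{?with_qemu_traditional}0` block begins and ends inside the hunk, so nothing else in the configure step is affected.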
@@ -740,11 +759,6 @@ install_xen() ext="-$1" mv $RPM_BUILD_ROOT/boot/xen-${XEN_FULLVERSION}%{xen_install_suffix} \ $RPM_BUILD_ROOT/boot/xen${ext}-${XEN_FULLVERSION}%{xen_install_suffix} - mv $RPM_BUILD_ROOT/usr/lib/debug/xen-syms-${XEN_FULLVERSION} \ - $RPM_BUILD_ROOT/boot/xen-syms${ext}-${XEN_FULLVERSION} - else - mv $RPM_BUILD_ROOT/usr/lib/debug/xen-syms-${XEN_FULLVERSION} \ - $RPM_BUILD_ROOT/boot/xen-syms-${XEN_FULLVERSION} fi rm $RPM_BUILD_ROOT/boot/xen-$XEN_VERSION.$XEN_SUBVERSION%{xen_install_suffix} rm $RPM_BUILD_ROOT/boot/xen-$XEN_VERSION%{xen_install_suffix} @@ -757,11 +771,11 @@ install_xen() find $RPM_BUILD_ROOT/boot -ls } %if %{?with_debug}0 -make -C xen install max_phys_cpus=%{max_cpus} debug=y crash_debug=y DESTDIR=$RPM_BUILD_ROOT %{?_smp_mflags} +make -C xen install max_phys_cpus=%{max_cpus} debug=y crash_debug=y DEBUG_DIR=/boot DESTDIR=$RPM_BUILD_ROOT %{?_smp_mflags} install_xen dbg make -C xen clean %endif -make -C xen install max_phys_cpus=%{max_cpus} debug=n crash_debug=n DESTDIR=$RPM_BUILD_ROOT %{?_smp_mflags} +make -C xen install max_phys_cpus=%{max_cpus} debug=n crash_debug=n DEBUG_DIR=/boot DESTDIR=$RPM_BUILD_ROOT %{?_smp_mflags} install_xen make -C xen clean echo > xen.files.txt @@ -770,10 +784,6 @@ if test -d $RPM_BUILD_ROOT%{_libdir}/efi then echo %{_libdir}/efi >> xen.files.txt fi -%ifarch x86_64 -cp -avL xenalyze.hg/dump-raw $RPM_BUILD_ROOT/%{_bindir}/xenalyze.dump-raw -cp -avL xenalyze.hg/xenalyze $RPM_BUILD_ROOT/%{_bindir} -%endif %endif # PV driver modules @@ -814,7 +824,7 @@ install -m644 tools/xentrace/formats $RPM_BUILD_ROOT/etc/xen/examples/xentrace_f # Scripts rm -f $RPM_BUILD_ROOT/etc/xen/scripts/block-*nbd -install -m755 %SOURCE19 %SOURCE20 %SOURCE21 %SOURCE22 %SOURCE23 %SOURCE29 $RPM_BUILD_ROOT/etc/xen/scripts/ +install -m755 %SOURCE21 %SOURCE22 %SOURCE23 %SOURCE29 $RPM_BUILD_ROOT/etc/xen/scripts/ # Xen API remote authentication files install -d $RPM_BUILD_ROOT/etc/pam.d 
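Review bot: Removing both `mv $RPM_BUILD_ROOT/usr/lib/debug/xen-syms-${XEN_FULLVERSION}` blocks leaves the `if` branch of install_xen (the one with `ext="-$1"`) without any rename of the symbol file: with `DEBUG_DIR=/boot` now passed to both `make -C xen install` invocations in the hunks that follow and in the previous line's last hunk, the debug and the release build presumably both land at `$RPM_BUILD_ROOT/boot/xen-syms-${XEN_FULLVERSION}`, so the second install overwrites the first and no `xen-syms-dbg-${XEN_FULLVERSION}` is produced any more. Unless the `%files` list was adjusted accordingly (not visible here), that either breaks the build or silently ships symbols that do not match the debug hypervisor. Keeping a rename in the branch, `mv $RPM_BUILD_ROOT/boot/xen-syms-${XEN_FULLVERSION} $RPM_BUILD_ROOT/boot/xen-syms${ext}-${XEN_FULLVERSION}`, next to the existing `mv` of the hypervisor image would preserve the previous layout. install_xen starts outside the hunk.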
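Review bot: The changed install line drops %SOURCE19/%SOURCE20 (block-nbd, block-iscsi) in line with the changelog's "Use upstream variants", but the context line just above it, `rm -f $RPM_BUILD_ROOT/etc/xen/scripts/block-*nbd`, still deletes whatever upstream's `make install` placed there — the glob matches block-nbd — so the packaged scripts directory presumably ends up without any block-nbd at all. If the intent is to ship upstream's script, that `rm -f` should go as well; if the intent is to ship none, the changelog wording is misleading and should say so.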
@@ -946,7 +956,6 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
 %defattr(-,root,root)
 %ifarch %ix86 x86_64
 /usr/bin/xenalyze
-/usr/bin/xenalyze.dump-raw
 %endif
 /usr/bin/xencons
 /usr/bin/xenstore*
diff --git a/xenalyze.hg.tar.bz2 b/xenalyze.hg.tar.bz2
deleted file mode 100644
index 2dd1142..0000000
--- a/xenalyze.hg.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:36aabe13da4b7ca0e0f9b61fa1442823e437585ef56b604ab077af20bb93ef67
-size 126674