- Update to Xen 4.5.2

xen-4.5.2-testing-src.tar.bz2
- Drop the following
  xen-4.5.1-testing-src.tar.bz2
  552d0f49-x86-traps-identify-the-vcpu-in-context-when-dumping-regs.patch
  5576f178-kexec-add-more-pages-to-v1-environment.patch
  55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch
  558bfaa0-x86-traps-avoid-using-current-too-early.patch
  5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch
  559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch
  559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch
  559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch
  559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch
  559bdde5-pull-in-latest-linux-earlycpio.patch
  55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch
  55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch
  55a77e4f-dmar-device-scope-mem-leak-fix.patch
  55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch
  55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch
  55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch
  55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch
  55e43fd8-x86-NUMA-fix-setup_node.patch
  55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch
  55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch
  55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch
  55f9345b-x86-MSI-fail-if-no-hardware-support.patch
  5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch
  560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch
  560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch
  560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=384
Charles Arnold 2015-11-04 20:30:31 +00:00 committed by Git OBS Bridge
parent 9e9b5acb9c
commit f158f55e6a
94 changed files with 511 additions and 5255 deletions


@ -18,11 +18,11 @@ Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.5.1-testing/tools/libxl/libxl.c
Index: xen-4.5.2-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.1-testing/tools/libxl/libxl.c
@@ -211,9 +211,12 @@ void libxl_string_list_dispose(libxl_str
--- xen-4.5.2-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.2-testing/tools/libxl/libxl.c
@@ -218,9 +218,12 @@ void libxl_string_list_dispose(libxl_str
if (!sl)
return;
@ -36,7 +36,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
}
void libxl_string_list_copy(libxl_ctx *ctx,
@@ -273,10 +276,14 @@ void libxl_key_value_list_dispose(libxl_
@@ -280,10 +283,14 @@ void libxl_key_value_list_dispose(libxl_
for (i = 0; kvl[i] != NULL; i += 2) {
free(kvl[i]);
@ -52,10 +52,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
}
void libxl_key_value_list_copy(libxl_ctx *ctx,
Index: xen-4.5.1-testing/tools/libxl/libxl_cpuid.c
Index: xen-4.5.2-testing/tools/libxl/libxl_cpuid.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_cpuid.c
+++ xen-4.5.1-testing/tools/libxl/libxl_cpuid.c
--- xen-4.5.2-testing.orig/tools/libxl/libxl_cpuid.c
+++ xen-4.5.2-testing/tools/libxl/libxl_cpuid.c
@@ -28,10 +28,13 @@ void libxl_cpuid_dispose(libxl_cpuid_pol
return;
for (i = 0; cpuid_list[i].input[0] != XEN_CPUID_INPUT_UNUSED; i++) {
@ -71,10 +71,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_cpuid.c
return;
}
Index: xen-4.5.1-testing/tools/libxl/libxl_utils.c
Index: xen-4.5.2-testing/tools/libxl/libxl_utils.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_utils.c
+++ xen-4.5.1-testing/tools/libxl/libxl_utils.c
--- xen-4.5.2-testing.orig/tools/libxl/libxl_utils.c
+++ xen-4.5.2-testing/tools/libxl/libxl_utils.c
@@ -604,7 +604,12 @@ void libxl_bitmap_init(libxl_bitmap *map
void libxl_bitmap_dispose(libxl_bitmap *map)


@ -16,8 +16,10 @@ hence doesn't need that code).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- a/xen/common/compat/kernel.c
+++ b/xen/common/compat/kernel.c
Index: xen-4.5.2-testing/xen/common/compat/kernel.c
===================================================================
--- xen-4.5.2-testing.orig/xen/common/compat/kernel.c
+++ xen-4.5.2-testing/xen/common/compat/kernel.c
@@ -41,6 +41,11 @@ CHECK_TYPE(domain_handle);
#define xennmi_callback compat_nmi_callback
#define xennmi_callback_t compat_nmi_callback_t
@ -30,9 +32,11 @@ Reviewed-by: Tim Deegan <tim@xen.org>
#define DO(fn) int compat_##fn
#define COMPAT
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -1325,9 +1325,11 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
Index: xen-4.5.2-testing/xen/common/domain.c
===================================================================
--- xen-4.5.2-testing.orig/xen/common/domain.c
+++ xen-4.5.2-testing/xen/common/domain.c
@@ -1326,9 +1326,11 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
return rc;
}
@ -46,7 +50,7 @@ Reviewed-by: Tim Deegan <tim@xen.org>
return -EINVAL;
switch ( cmd )
@@ -1342,6 +1344,7 @@ long vm_assist(struct domain *p, unsigne
@@ -1343,6 +1345,7 @@ long vm_assist(struct domain *p, unsigne
return -ENOSYS;
}
@ -54,8 +58,10 @@ Reviewed-by: Tim Deegan <tim@xen.org>
struct pirq *pirq_get_info(struct domain *d, int pirq)
{
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
Index: xen-4.5.2-testing/xen/common/kernel.c
===================================================================
--- xen-4.5.2-testing.orig/xen/common/kernel.c
+++ xen-4.5.2-testing/xen/common/kernel.c
@@ -396,10 +396,12 @@ DO(nmi_op)(unsigned int cmd, XEN_GUEST_H
return rc;
}
@ -70,8 +76,10 @@ Reviewed-by: Tim Deegan <tim@xen.org>
DO(ni_hypercall)(void)
{
--- a/xen/include/asm-x86/config.h
+++ b/xen/include/asm-x86/config.h
Index: xen-4.5.2-testing/xen/include/asm-x86/config.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/asm-x86/config.h
+++ xen-4.5.2-testing/xen/include/asm-x86/config.h
@@ -327,6 +327,14 @@ extern unsigned long xen_phys_start;
#define ARG_XLAT_START(v) \
(ARG_XLAT_VIRT_START + ((v)->vcpu_id << ARG_XLAT_VA_SHIFT))
@ -87,8 +95,10 @@ Reviewed-by: Tim Deegan <tim@xen.org>
#define ELFSIZE 64
#define ARCH_CRASH_SAVE_VMCOREINFO
--- a/xen/include/public/xen.h
+++ b/xen/include/public/xen.h
Index: xen-4.5.2-testing/xen/include/public/xen.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/public/xen.h
+++ xen-4.5.2-testing/xen/include/public/xen.h
@@ -486,7 +486,9 @@ DEFINE_XEN_GUEST_HANDLE(mmuext_op_t);
/* x86/PAE guests: support PDPTs above 4GB. */
#define VMASST_TYPE_pae_extended_cr3 3
@ -99,8 +109,10 @@ Reviewed-by: Tim Deegan <tim@xen.org>
#ifndef __ASSEMBLY__
--- a/xen/include/xen/lib.h
+++ b/xen/include/xen/lib.h
Index: xen-4.5.2-testing/xen/include/xen/lib.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/xen/lib.h
+++ xen-4.5.2-testing/xen/include/xen/lib.h
@@ -92,7 +92,8 @@ extern void guest_printk(const struct do
__attribute__ ((format (printf, 2, 3)));
extern void noreturn panic(const char *format, ...)


@ -1,8 +1,8 @@
Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c
Index: xen-4.5.2-testing/tools/libxl/libxl_dm.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_dm.c
+++ xen-4.5.1-testing/tools/libxl/libxl_dm.c
@@ -445,6 +445,15 @@ static char ** libxl__build_device_model
--- xen-4.5.2-testing.orig/tools/libxl/libxl_dm.c
+++ xen-4.5.2-testing/tools/libxl/libxl_dm.c
@@ -447,6 +447,15 @@ static char ** libxl__build_device_model
flexarray_append(dm_args, "-mon");
flexarray_append(dm_args, "chardev=libxl-cmd,mode=control");
@ -18,10 +18,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c
for (i = 0; i < guest_config->num_channels; i++) {
connection = guest_config->channels[i].connection;
devid = guest_config->channels[i].devid;
Index: xen-4.5.1-testing/tools/libxl/libxl_qmp.c
Index: xen-4.5.2-testing/tools/libxl/libxl_qmp.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_qmp.c
+++ xen-4.5.1-testing/tools/libxl/libxl_qmp.c
--- xen-4.5.2-testing.orig/tools/libxl/libxl_qmp.c
+++ xen-4.5.2-testing/tools/libxl/libxl_qmp.c
@@ -723,6 +723,13 @@ void libxl__qmp_cleanup(libxl__gc *gc, u
LOGE(ERROR, "Failed to remove QMP socket file %s", qmp_socket);
}
@ -36,10 +36,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_qmp.c
}
int libxl__qmp_query_serial(libxl__qmp_handler *qmp)
Index: xen-4.5.1-testing/tools/xenstat/libxenstat/Makefile
Index: xen-4.5.2-testing/tools/xenstat/libxenstat/Makefile
===================================================================
--- xen-4.5.1-testing.orig/tools/xenstat/libxenstat/Makefile
+++ xen-4.5.1-testing/tools/xenstat/libxenstat/Makefile
--- xen-4.5.2-testing.orig/tools/xenstat/libxenstat/Makefile
+++ xen-4.5.2-testing/tools/xenstat/libxenstat/Makefile
@@ -24,7 +24,7 @@ MINOR=0
LIB=src/libxenstat.a
SHLIB=src/libxenstat.so.$(MAJOR).$(MINOR)
@ -58,10 +58,10 @@ Index: xen-4.5.1-testing/tools/xenstat/libxenstat/Makefile
LDLIBS-y = $(LDLIBS_libxenstore) $(LDLIBS_libxenctrl)
LDLIBS-$(CONFIG_SunOS) += -lkstat
Index: xen-4.5.1-testing/tools/xenstat/xentop/Makefile
Index: xen-4.5.2-testing/tools/xenstat/xentop/Makefile
===================================================================
--- xen-4.5.1-testing.orig/tools/xenstat/xentop/Makefile
+++ xen-4.5.1-testing/tools/xenstat/xentop/Makefile
--- xen-4.5.2-testing.orig/tools/xenstat/xentop/Makefile
+++ xen-4.5.2-testing/tools/xenstat/xentop/Makefile
@@ -19,7 +19,7 @@ all install xentop:
else
@ -71,10 +71,10 @@ Index: xen-4.5.1-testing/tools/xenstat/xentop/Makefile
CFLAGS += -DHOST_$(XEN_OS)
# Include configure output (config.h) to headers search path
Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_priv.h
Index: xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_priv.h
===================================================================
--- xen-4.5.1-testing.orig/tools/xenstat/libxenstat/src/xenstat_priv.h
+++ xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_priv.h
--- xen-4.5.2-testing.orig/tools/xenstat/libxenstat/src/xenstat_priv.h
+++ xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_priv.h
@@ -109,5 +109,7 @@ extern int xenstat_collect_networks(xens
extern void xenstat_uninit_networks(xenstat_handle * handle);
extern int xenstat_collect_vbds(xenstat_node * node);
@ -83,10 +83,10 @@ Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_priv.h
+extern xenstat_vbd *xenstat_save_vbd(xenstat_domain * domain, xenstat_vbd * vbd);
#endif /* XENSTAT_PRIV_H */
Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat.c
Index: xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat.c
===================================================================
--- xen-4.5.1-testing.orig/tools/xenstat/libxenstat/src/xenstat.c
+++ xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat.c
--- xen-4.5.2-testing.orig/tools/xenstat/libxenstat/src/xenstat.c
+++ xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat.c
@@ -657,6 +657,27 @@ static void xenstat_uninit_xen_version(x
* VBD functions
*/
@ -115,10 +115,10 @@ Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat.c
/* Free VBD information */
static void xenstat_free_vbds(xenstat_node * node)
{
Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_linux.c
Index: xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_linux.c
===================================================================
--- xen-4.5.1-testing.orig/tools/xenstat/libxenstat/src/xenstat_linux.c
+++ xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_linux.c
--- xen-4.5.2-testing.orig/tools/xenstat/libxenstat/src/xenstat_linux.c
+++ xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_linux.c
@@ -417,6 +417,9 @@ int xenstat_collect_vbds(xenstat_node *
}
}
@ -151,10 +151,10 @@ Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_linux.c
}
return 1;
Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_qmp.c
Index: xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_qmp.c
===================================================================
--- /dev/null
+++ xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_qmp.c
+++ xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_qmp.c
@@ -0,0 +1,451 @@
+/* libxenstat: statistics-collection library for Xen
+ *


@ -1,24 +0,0 @@
# Commit e59abf8c8c9c1d99a531292c6a548d6dfd0ceacc
# Date 2015-04-14 14:59:53 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/traps: identify the vcpu in context when dumping registers
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/x86_64/traps.c
+++ b/xen/arch/x86/x86_64/traps.c
@@ -53,9 +53,11 @@ static void _show_registers(
printk("\nRFLAGS: %016lx ", regs->rflags);
if ( (context == CTXT_pv_guest) && v && v->vcpu_info )
printk("EM: %d ", !!vcpu_info(v, evtchn_upcall_mask));
- printk("CONTEXT: %s\n", context_names[context]);
+ printk("CONTEXT: %s", context_names[context]);
+ if ( v && !is_idle_vcpu(v) )
+ printk(" (%pv)", v);
- printk("rax: %016lx rbx: %016lx rcx: %016lx\n",
+ printk("\nrax: %016lx rbx: %016lx rcx: %016lx\n",
regs->rax, regs->rbx, regs->rcx);
printk("rdx: %016lx rsi: %016lx rdi: %016lx\n",
regs->rdx, regs->rsi, regs->rdi);


@ -12,11 +12,11 @@ Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.5.1-testing/tools/libxl/libxl.c
Index: xen-4.5.2-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.1-testing/tools/libxl/libxl.c
@@ -1695,7 +1695,7 @@ static void devices_destroy_cb(libxl__eg
--- xen-4.5.2-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.2-testing/tools/libxl/libxl.c
@@ -1702,7 +1702,7 @@ static void devices_destroy_cb(libxl__eg
_exit(-1);
}
}


@ -27,8 +27,10 @@ Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
Index: xen-4.5.2-testing/xen/arch/x86/domain.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/domain.c
+++ xen-4.5.2-testing/xen/arch/x86/domain.c
@@ -338,7 +338,7 @@ static int setup_compat_l4(struct vcpu *
l4tab = __map_domain_page(pg);
@ -61,9 +63,11 @@ Reviewed-by: Tim Deegan <tim@xen.org>
break;
}
}
--- a/xen/arch/x86/domain_build.c
+++ b/xen/arch/x86/domain_build.c
@@ -1092,7 +1092,7 @@ int __init construct_dom0(
Index: xen-4.5.2-testing/xen/arch/x86/domain_build.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/domain_build.c
+++ xen-4.5.2-testing/xen/arch/x86/domain_build.c
@@ -1096,7 +1096,7 @@ int __init construct_dom0(
l3start = __va(mpt_alloc); mpt_alloc += PAGE_SIZE;
}
clear_page(l4tab);
@ -72,9 +76,11 @@ Reviewed-by: Tim Deegan <tim@xen.org>
v->arch.guest_table = pagetable_from_paddr(__pa(l4start));
if ( is_pv_32on64_domain(d) )
v->arch.guest_table_user = v->arch.guest_table;
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -1380,7 +1380,8 @@ static int alloc_l3_table(struct page_in
Index: xen-4.5.2-testing/xen/arch/x86/mm.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/mm.c
+++ xen-4.5.2-testing/xen/arch/x86/mm.c
@@ -1383,7 +1383,8 @@ static int alloc_l3_table(struct page_in
return rc > 0 ? 0 : rc;
}
@ -84,7 +90,7 @@ Reviewed-by: Tim Deegan <tim@xen.org>
{
/* Xen private mappings. */
memcpy(&l4tab[ROOT_PAGETABLE_FIRST_XEN_SLOT],
@@ -1395,6 +1396,25 @@ void init_guest_l4_table(l4_pgentry_t l4
@@ -1398,6 +1399,25 @@ void init_guest_l4_table(l4_pgentry_t l4
l4e_from_pfn(domain_page_map_to_mfn(l4tab), __PAGE_HYPERVISOR);
l4tab[l4_table_offset(PERDOMAIN_VIRT_START)] =
l4e_from_page(d->arch.perdomain_l3_pg, __PAGE_HYPERVISOR);
@ -110,7 +116,7 @@ Reviewed-by: Tim Deegan <tim@xen.org>
}
static int alloc_l4_table(struct page_info *page)
@@ -1444,7 +1464,7 @@ static int alloc_l4_table(struct page_in
@@ -1447,7 +1467,7 @@ static int alloc_l4_table(struct page_in
adjust_guest_l4e(pl4e[i], d);
}
@ -119,7 +125,7 @@ Reviewed-by: Tim Deegan <tim@xen.org>
unmap_domain_page(pl4e);
return rc > 0 ? 0 : rc;
@@ -2755,6 +2775,8 @@ int new_guest_cr3(unsigned long mfn)
@@ -2761,6 +2781,8 @@ int new_guest_cr3(unsigned long mfn)
invalidate_shadow_ldt(curr, 0);
@ -128,7 +134,7 @@ Reviewed-by: Tim Deegan <tim@xen.org>
curr->arch.guest_table = pagetable_from_pfn(mfn);
update_cr3(curr);
@@ -3111,6 +3133,9 @@ long do_mmuext_op(
@@ -3117,6 +3139,9 @@ long do_mmuext_op(
op.arg1.mfn);
break;
}
@ -138,8 +144,10 @@ Reviewed-by: Tim Deegan <tim@xen.org>
}
curr->arch.guest_table_user = pagetable_from_pfn(op.arg1.mfn);
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
Index: xen-4.5.2-testing/xen/arch/x86/mm/shadow/multi.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/mm/shadow/multi.c
+++ xen-4.5.2-testing/xen/arch/x86/mm/shadow/multi.c
@@ -1438,6 +1438,13 @@ void sh_install_xen_entries_in_l4(struct
shadow_l4e_from_mfn(page_to_mfn(d->arch.perdomain_l3_pg),
__PAGE_HYPERVISOR);
@ -172,8 +180,10 @@ Reviewed-by: Tim Deegan <tim@xen.org>
#else
#error This should never happen
#endif
--- a/xen/arch/x86/x86_64/mm.c
+++ b/xen/arch/x86/x86_64/mm.c
Index: xen-4.5.2-testing/xen/arch/x86/x86_64/mm.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/x86_64/mm.c
+++ xen-4.5.2-testing/xen/arch/x86/x86_64/mm.c
@@ -480,7 +480,7 @@ static int setup_m2p_table(struct mem_ho
l2_ro_mpt += l2_table_offset(va);
}
@ -201,8 +211,10 @@ Reviewed-by: Tim Deegan <tim@xen.org>
if ( l1_pg )
l2e_write(l2_ro_mpt, l2e_from_page(
l1_pg, /*_PAGE_GLOBAL|*/_PAGE_PSE|_PAGE_USER|_PAGE_PRESENT));
--- a/xen/include/asm-x86/config.h
+++ b/xen/include/asm-x86/config.h
Index: xen-4.5.2-testing/xen/include/asm-x86/config.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/asm-x86/config.h
+++ xen-4.5.2-testing/xen/include/asm-x86/config.h
@@ -330,7 +330,8 @@ extern unsigned long xen_phys_start;
#define NATIVE_VM_ASSIST_VALID ((1UL << VMASST_TYPE_4gb_segments) | \
(1UL << VMASST_TYPE_4gb_segments_notify) | \
@ -213,8 +225,10 @@ Reviewed-by: Tim Deegan <tim@xen.org>
#define VM_ASSIST_VALID NATIVE_VM_ASSIST_VALID
#define COMPAT_VM_ASSIST_VALID (NATIVE_VM_ASSIST_VALID & \
((1UL << COMPAT_BITS_PER_LONG) - 1))
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
Index: xen-4.5.2-testing/xen/include/asm-x86/mm.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/asm-x86/mm.h
+++ xen-4.5.2-testing/xen/include/asm-x86/mm.h
@@ -314,7 +314,10 @@ static inline void *__page_to_virt(const
int free_page_type(struct page_info *page, unsigned long type,
int preemptible);
@ -227,8 +241,10 @@ Reviewed-by: Tim Deegan <tim@xen.org>
int is_iomem_page(unsigned long mfn);
--- a/xen/include/public/xen.h
+++ b/xen/include/public/xen.h
Index: xen-4.5.2-testing/xen/include/public/xen.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/public/xen.h
+++ xen-4.5.2-testing/xen/include/public/xen.h
@@ -486,6 +486,18 @@ DEFINE_XEN_GUEST_HANDLE(mmuext_op_t);
/* x86/PAE guests: support PDPTs above 4GB. */
#define VMASST_TYPE_pae_extended_cr3 3


@ -20,11 +20,11 @@ Date: Wed Apr 29 11:20:28 2015 +0200
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Index: xen-4.5.1-testing/docs/man/xl.cfg.pod.5
Index: xen-4.5.2-testing/docs/man/xl.cfg.pod.5
===================================================================
--- xen-4.5.1-testing.orig/docs/man/xl.cfg.pod.5
+++ xen-4.5.1-testing/docs/man/xl.cfg.pod.5
@@ -1292,6 +1292,9 @@ qemu-xen-traditional device-model, the a
--- xen-4.5.2-testing.orig/docs/man/xl.cfg.pod.5
+++ xen-4.5.2-testing/docs/man/xl.cfg.pod.5
@@ -1294,6 +1294,9 @@ qemu-xen-traditional device-model, the a
which is sufficient for 1024x768 at 32 bpp. For the upstream qemu-xen
device-model, the default and minimum is 8 MB.
@ -34,7 +34,7 @@ Index: xen-4.5.1-testing/docs/man/xl.cfg.pod.5
=item B<stdvga=BOOLEAN>
Select a standard VGA card with VBE (VESA BIOS Extensions) as the
@@ -1303,9 +1306,14 @@ This option is deprecated, use vga="stdv
@@ -1305,9 +1308,14 @@ This option is deprecated, use vga="stdv
=item B<vga="STRING">
@ -50,10 +50,10 @@ Index: xen-4.5.1-testing/docs/man/xl.cfg.pod.5
=item B<vnc=BOOLEAN>
Allow access to the display via the VNC protocol. This enables the
Index: xen-4.5.1-testing/tools/libxl/libxl.h
Index: xen-4.5.2-testing/tools/libxl/libxl.h
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.h
+++ xen-4.5.1-testing/tools/libxl/libxl.h
--- xen-4.5.2-testing.orig/tools/libxl/libxl.h
+++ xen-4.5.2-testing/tools/libxl/libxl.h
@@ -506,6 +506,16 @@ typedef struct libxl__ctx libxl_ctx;
#define LIBXL_HAVE_DOMINFO_OUTSTANDING_MEMKB 1
@ -71,10 +71,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.h
* LIBXL_HAVE_SPICE_VDAGENT
*
* If defined, then the libxl_spice_info structure will contain a boolean type:
Index: xen-4.5.1-testing/tools/libxl/libxl_create.c
Index: xen-4.5.2-testing/tools/libxl/libxl_create.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_create.c
+++ xen-4.5.1-testing/tools/libxl/libxl_create.c
--- xen-4.5.2-testing.orig/tools/libxl/libxl_create.c
+++ xen-4.5.2-testing/tools/libxl/libxl_create.c
@@ -240,6 +240,10 @@ int libxl__domain_build_info_setdefault(
if (b_info->video_memkb == LIBXL_MEMKB_DEFAULT)
b_info->video_memkb = 0;
@ -102,11 +102,11 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_create.c
case LIBXL_VGA_INTERFACE_TYPE_STD:
if (b_info->video_memkb == LIBXL_MEMKB_DEFAULT)
b_info->video_memkb = 16 * 1024;
Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c
Index: xen-4.5.2-testing/tools/libxl/libxl_dm.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_dm.c
+++ xen-4.5.1-testing/tools/libxl/libxl_dm.c
@@ -251,6 +251,8 @@ static char ** libxl__build_device_model
--- xen-4.5.2-testing.orig/tools/libxl/libxl_dm.c
+++ xen-4.5.2-testing/tools/libxl/libxl_dm.c
@@ -253,6 +253,8 @@ static char ** libxl__build_device_model
case LIBXL_VGA_INTERFACE_TYPE_NONE:
flexarray_append_pair(dm_args, "-vga", "none");
break;
@ -115,7 +115,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c
}
if (b_info->u.hvm.boot) {
@@ -616,6 +618,12 @@ static char ** libxl__build_device_model
@@ -618,6 +620,12 @@ static char ** libxl__build_device_model
break;
case LIBXL_VGA_INTERFACE_TYPE_NONE:
break;
@ -128,10 +128,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c
}
if (b_info->u.hvm.boot) {
Index: xen-4.5.1-testing/tools/libxl/libxl_types.idl
Index: xen-4.5.2-testing/tools/libxl/libxl_types.idl
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_types.idl
+++ xen-4.5.1-testing/tools/libxl/libxl_types.idl
--- xen-4.5.2-testing.orig/tools/libxl/libxl_types.idl
+++ xen-4.5.2-testing/tools/libxl/libxl_types.idl
@@ -181,6 +181,7 @@ libxl_vga_interface_type = Enumeration("
(1, "CIRRUS"),
(2, "STD"),
@ -140,10 +140,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_types.idl
], init_val = "LIBXL_VGA_INTERFACE_TYPE_CIRRUS")
libxl_vendor_device = Enumeration("vendor_device", [
Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c
Index: xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/xl_cmdimpl.c
+++ xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c
--- xen-4.5.2-testing.orig/tools/libxl/xl_cmdimpl.c
+++ xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c
@@ -1910,6 +1910,8 @@ skip_vfb:
b_info->u.hvm.vga.kind = LIBXL_VGA_INTERFACE_TYPE_CIRRUS;
} else if (!strcmp(buf, "none")) {


@ -44,9 +44,11 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Backport stripped down to just the pci_cfg_ok() adjustments.
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1708,14 +1708,18 @@ static int admin_io_okay(
Index: xen-4.5.2-testing/xen/arch/x86/traps.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/traps.c
+++ xen-4.5.2-testing/xen/arch/x86/traps.c
@@ -1709,14 +1709,18 @@ static int admin_io_okay(
return ioports_access_permitted(v->domain, port, port + bytes - 1);
}
@ -69,7 +71,7 @@ Backport stripped down to just the pci_cfg_ok() adjustments.
if ( write )
{
const unsigned long *ro_map = pci_get_ro_map(0);
@@ -1723,9 +1727,9 @@ static int pci_cfg_ok(struct domain *d,
@@ -1724,9 +1728,9 @@ static int pci_cfg_ok(struct domain *d,
if ( ro_map && test_bit(machine_bdf, ro_map) )
return 0;
}
@ -81,7 +83,7 @@ Backport stripped down to just the pci_cfg_ok() adjustments.
boot_cpu_data.x86_vendor == X86_VENDOR_AMD &&
boot_cpu_data.x86 >= 0x10 && boot_cpu_data.x86 <= 0x17 )
{
@@ -1734,12 +1738,11 @@ static int pci_cfg_ok(struct domain *d,
@@ -1735,12 +1739,11 @@ static int pci_cfg_ok(struct domain *d,
if ( rdmsr_safe(MSR_AMD64_NB_CFG, msr_val) )
return 0;
if ( msr_val & (1ULL << AMD64_NB_CFG_CF8_EXT_ENABLE_BIT) )
@ -98,7 +100,7 @@ Backport stripped down to just the pci_cfg_ok() adjustments.
}
uint32_t guest_io_read(
@@ -1793,7 +1796,7 @@ uint32_t guest_io_read(
@@ -1794,7 +1797,7 @@ uint32_t guest_io_read(
size = min(bytes, 4 - (port & 3));
if ( size == 3 )
size = 2;
@ -107,7 +109,7 @@ Backport stripped down to just the pci_cfg_ok() adjustments.
sub_data = pci_conf_read(v->domain->arch.pci_cf8, port & 3, size);
}
@@ -1866,7 +1869,7 @@ void guest_io_write(
@@ -1867,7 +1870,7 @@ void guest_io_write(
size = min(bytes, 4 - (port & 3));
if ( size == 3 )
size = 2;
@ -116,8 +118,10 @@ Backport stripped down to just the pci_cfg_ok() adjustments.
pci_conf_write(v->domain->arch.pci_cf8, port & 3, size, data);
}
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
Index: xen-4.5.2-testing/xen/arch/x86/hvm/hvm.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/hvm/hvm.c
+++ xen-4.5.2-testing/xen/arch/x86/hvm/hvm.c
@@ -2357,11 +2357,6 @@ void hvm_vcpu_down(struct vcpu *v)
static struct hvm_ioreq_server *hvm_select_ioreq_server(struct domain *d,
ioreq_t *p)
@ -142,8 +146,10 @@ Backport stripped down to just the pci_cfg_ok() adjustments.
}
int hvm_buffered_io_send(ioreq_t *p)
--- a/xen/include/asm-x86/pci.h
+++ b/xen/include/asm-x86/pci.h
Index: xen-4.5.2-testing/xen/include/asm-x86/pci.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/asm-x86/pci.h
+++ xen-4.5.2-testing/xen/include/asm-x86/pci.h
@@ -1,6 +1,11 @@
#ifndef __X86_PCI_H__
#define __X86_PCI_H__


@ -1,62 +0,0 @@
References: bsc#925466
# Commit 5cb57f4bddee1f11079e69bf43c193a8b104c476
# Date 2015-06-09 16:00:24 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
kexec: add more pages to v1 environment
Destination pages need mappings to be added to the page tables in the
v1 case (where nothing else calls machine_kexec_add_page() for them).
Further, without the tools mapping the low 1Mb (expected by at least
some Linux version), we need to do so in the hypervisor in the v1 case.
Suggested-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Alan Robinson <alan.robinson@ts.fujitsu.com>
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/common/kexec.c
+++ b/xen/common/kexec.c
@@ -1003,6 +1003,24 @@ static int kexec_do_load_v1(xen_kexec_lo
if ( ret < 0 )
goto error;
+ if ( arch == EM_386 || arch == EM_X86_64 )
+ {
+ /*
+ * Ensure 0 - 1 MiB is mapped and accessible by the image.
+ *
+ * This allows access to VGA memory and the region purgatory copies
+ * in the crash case.
+ */
+ unsigned long addr;
+
+ for ( addr = 0; addr < MB(1); addr += PAGE_SIZE )
+ {
+ ret = machine_kexec_add_page(kimage, addr, addr);
+ if ( ret < 0 )
+ goto error;
+ }
+ }
+
ret = kexec_load_slot(kimage);
if ( ret < 0 )
goto error;
--- a/xen/common/kimage.c
+++ b/xen/common/kimage.c
@@ -923,6 +923,11 @@ int kimage_build_ind(struct kexec_image
ret = kimage_add_page(image, page_to_maddr(xen_page));
if ( ret < 0 )
goto done;
+
+ ret = machine_kexec_add_page(image, dest, dest);
+ if ( ret < 0 )
+ goto done;
+
dest += PAGE_SIZE;
break;
}


@ -1,86 +0,0 @@
# Commit 860313f0411d2dcc6b2fd78bfb834b39d05373a6
# Date 2015-06-10 12:05:21 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/EFI: adjust EFI_MEMORY_WP handling for spec version 2.5
That flag now means cachability rather than protection, and a new flag
EFI_MEMORY_RO got added in its place.
Along with EFI_MEMORY_RO also add the two other new EFI_MEMORY_*
definitions, even if we don't need them right away.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Index: xen-4.5.1-testing/xen/common/efi/boot.c
===================================================================
--- xen-4.5.1-testing.orig/xen/common/efi/boot.c
+++ xen-4.5.1-testing/xen/common/efi/boot.c
@@ -32,6 +32,8 @@
/* Using SetVirtualAddressMap() is incompatible with kexec: */
#undef USE_SET_VIRTUAL_ADDRESS_MAP
+#define EFI_REVISION(major, minor) (((major) << 16) | (minor))
+
#define SHIM_LOCK_PROTOCOL_GUID \
{ 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }
@@ -76,6 +78,7 @@ static int set_color(u32 mask, int bpp,
static bool_t match_guid(const EFI_GUID *guid1, const EFI_GUID *guid2);
static const EFI_BOOT_SERVICES *__initdata efi_bs;
+static UINT32 __initdata efi_bs_revision;
static EFI_HANDLE __initdata efi_ih;
static SIMPLE_TEXT_OUTPUT_INTERFACE *__initdata StdOut;
@@ -714,6 +717,7 @@ efi_start(EFI_HANDLE ImageHandle, EFI_SY
efi_ih = ImageHandle;
efi_bs = SystemTable->BootServices;
+ efi_bs_revision = efi_bs->Hdr.Revision;
efi_rs = SystemTable->RuntimeServices;
efi_ct = SystemTable->ConfigurationTable;
efi_num_ct = SystemTable->NumberOfTableEntries;
@@ -1221,6 +1225,9 @@ void __init efi_init_memory(void)
prot |= _PAGE_PAT | MAP_SMALL_PAGES;
else if ( desc->Attribute & (EFI_MEMORY_UC | EFI_MEMORY_UCE) )
prot |= _PAGE_PWT | _PAGE_PCD | MAP_SMALL_PAGES;
+ else if ( efi_bs_revision >= EFI_REVISION(2, 5) &&
+ (desc->Attribute & EFI_MEMORY_WP) )
+ prot |= _PAGE_PAT | _PAGE_PWT | MAP_SMALL_PAGES;
else
{
printk(XENLOG_ERR "Unknown cachability for MFNs %#lx-%#lx%s\n",
@@ -1230,7 +1237,8 @@ void __init efi_init_memory(void)
prot |= _PAGE_PWT | _PAGE_PCD | MAP_SMALL_PAGES;
}
- if ( desc->Attribute & EFI_MEMORY_WP )
+ if ( desc->Attribute & (efi_bs_revision < EFI_REVISION(2, 5)
+ ? EFI_MEMORY_WP : EFI_MEMORY_RO) )
prot &= ~_PAGE_RW;
if ( (desc->Attribute & EFI_MEMORY_XP) && cpu_has_nx )
prot |= _PAGE_NX_BIT;
Index: xen-4.5.1-testing/xen/include/efi/efidef.h
===================================================================
--- xen-4.5.1-testing.orig/xen/include/efi/efidef.h
+++ xen-4.5.1-testing/xen/include/efi/efidef.h
@@ -156,11 +156,15 @@ typedef enum {
#define EFI_MEMORY_WT 0x0000000000000004
#define EFI_MEMORY_WB 0x0000000000000008
#define EFI_MEMORY_UCE 0x0000000000000010
+#define EFI_MEMORY_WP 0x0000000000001000
// physical memory protection on range
-#define EFI_MEMORY_WP 0x0000000000001000
#define EFI_MEMORY_RP 0x0000000000002000
#define EFI_MEMORY_XP 0x0000000000004000
+#define EFI_MEMORY_RO 0x0000000000020000
+
+#define EFI_MEMORY_NV 0x0000000000008000
+#define EFI_MEMORY_MORE_RELIABLE 0x0000000000010000
// range requires a runtime mapping
#define EFI_MEMORY_RUNTIME 0x8000000000000000


@ -19,8 +19,10 @@ x86/MSI-X: cleanup
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
Index: xen-4.5.2-testing/xen/arch/x86/msi.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c
+++ xen-4.5.2-testing/xen/arch/x86/msi.c
@@ -35,6 +35,8 @@
static s8 __read_mostly use_msi = -1;
boolean_param("msi", use_msi);
@ -104,7 +106,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
u32 mask_bits;
u16 seg = entry->dev->seg;
u8 bus = entry->dev->bus;
@@ -701,13 +705,14 @@ static u64 read_pci_mem_bar(u16 seg, u8
@@ -703,13 +707,14 @@ static u64 read_pci_mem_bar(u16 seg, u8
* requested MSI-X entries with allocated irqs or non-zero for otherwise.
**/
static int msix_capability_init(struct pci_dev *dev,
@ -120,7 +122,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
u16 control;
u64 table_paddr;
u32 table_offset;
@@ -719,7 +724,6 @@ static int msix_capability_init(struct p
@@ -721,7 +726,6 @@ static int msix_capability_init(struct p
ASSERT(spin_is_locked(&pcidevs_lock));
@ -128,7 +130,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
control = pci_conf_read16(seg, bus, slot, func, msix_control_reg(pos));
msix_set_enable(dev, 0);/* Ensure msix is disabled as I set it up */
@@ -884,10 +888,9 @@ static int __pci_enable_msi(struct msi_i
@@ -886,10 +890,9 @@ static int __pci_enable_msi(struct msi_i
old_desc = find_msi_entry(pdev, msi->irq, PCI_CAP_ID_MSI);
if ( old_desc )
{
@ -142,7 +144,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
*desc = old_desc;
return 0;
}
@@ -895,10 +898,10 @@ static int __pci_enable_msi(struct msi_i
@@ -897,10 +900,10 @@ static int __pci_enable_msi(struct msi_i
old_desc = find_msi_entry(pdev, -1, PCI_CAP_ID_MSIX);
if ( old_desc )
{
@ -157,7 +159,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
return msi_capability_init(pdev, msi->irq, desc, msi->entry_nr);
@@ -912,7 +915,6 @@ static void __pci_disable_msi(struct msi
@@ -914,7 +917,6 @@ static void __pci_disable_msi(struct msi
msi_set_enable(dev, 0);
BUG_ON(list_empty(&dev->msi_list));
@ -165,7 +167,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
/**
@@ -932,7 +934,7 @@ static void __pci_disable_msi(struct msi
@@ -934,7 +936,7 @@ static void __pci_disable_msi(struct msi
**/
static int __pci_enable_msix(struct msi_info *msi, struct msi_desc **desc)
{
@ -174,7 +176,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
struct pci_dev *pdev;
u16 control;
u8 slot = PCI_SLOT(msi->devfn);
@@ -941,23 +943,22 @@ static int __pci_enable_msix(struct msi_
@@ -943,23 +945,22 @@ static int __pci_enable_msix(struct msi_
ASSERT(spin_is_locked(&pcidevs_lock));
pdev = pci_get_pdev(msi->seg, msi->bus, msi->devfn);
@ -204,7 +206,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
*desc = old_desc;
return 0;
}
@@ -965,15 +966,13 @@ static int __pci_enable_msix(struct msi_
@@ -967,15 +968,13 @@ static int __pci_enable_msix(struct msi_
old_desc = find_msi_entry(pdev, -1, PCI_CAP_ID_MSI);
if ( old_desc )
{
@ -225,7 +227,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
static void _pci_cleanup_msix(struct arch_msix *msix)
@@ -991,19 +990,16 @@ static void _pci_cleanup_msix(struct arc
@@ -993,19 +992,16 @@ static void _pci_cleanup_msix(struct arc
static void __pci_disable_msix(struct msi_desc *entry)
{
@ -254,7 +256,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
msix_set_enable(dev, 0);
BUG_ON(list_empty(&dev->msi_list));
@@ -1045,7 +1041,7 @@ int pci_prepare_msix(u16 seg, u8 bus, u8
@@ -1047,7 +1043,7 @@ int pci_prepare_msix(u16 seg, u8 bus, u8
u16 control = pci_conf_read16(seg, bus, slot, func,
msix_control_reg(pos));
@ -263,7 +265,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
multi_msix_capable(control));
}
spin_unlock(&pcidevs_lock);
@@ -1064,8 +1060,8 @@ int pci_enable_msi(struct msi_info *msi,
@@ -1066,8 +1062,8 @@ int pci_enable_msi(struct msi_info *msi,
if ( !use_msi )
return -EPERM;
@ -274,7 +276,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
/*
@@ -1115,7 +1111,9 @@ int pci_restore_msi_state(struct pci_dev
@@ -1117,7 +1113,9 @@ int pci_restore_msi_state(struct pci_dev
if ( !pdev )
return -EINVAL;


@ -33,8 +33,10 @@ Tested-by: Sander Eikelenboom <linux@eikelenboom.it>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/arch/x86/hpet.c
+++ b/xen/arch/x86/hpet.c
Index: xen-4.5.2-testing/xen/arch/x86/hpet.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/hpet.c
+++ xen-4.5.2-testing/xen/arch/x86/hpet.c
@@ -240,7 +240,7 @@ static void hpet_msi_unmask(struct irq_d
cfg = hpet_read32(HPET_Tn_CFG(ch->idx));
cfg |= HPET_TN_ENABLE;
@ -53,8 +55,10 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
}
static int hpet_msi_write(struct hpet_event_channel *ch, struct msi_msg *msg)
--- a/xen/arch/x86/hvm/vmsi.c
+++ b/xen/arch/x86/hvm/vmsi.c
Index: xen-4.5.2-testing/xen/arch/x86/hvm/vmsi.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/hvm/vmsi.c
+++ xen-4.5.2-testing/xen/arch/x86/hvm/vmsi.c
@@ -219,7 +219,6 @@ static int msixtbl_read(
{
unsigned long offset;
@ -135,9 +139,11 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
unlock:
spin_unlock_irqrestore(&desc->lock, flags);
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -2502,6 +2502,25 @@ int unmap_domain_pirq_emuirq(struct doma
Index: xen-4.5.2-testing/xen/arch/x86/irq.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/irq.c
+++ xen-4.5.2-testing/xen/arch/x86/irq.c
@@ -2503,6 +2503,25 @@ int unmap_domain_pirq_emuirq(struct doma
return ret;
}
@ -163,8 +169,10 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
bool_t hvm_domain_use_pirq(const struct domain *d, const struct pirq *pirq)
{
return is_hvm_domain(d) && pirq &&
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
Index: xen-4.5.2-testing/xen/arch/x86/msi.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c
+++ xen-4.5.2-testing/xen/arch/x86/msi.c
@@ -349,9 +349,10 @@ int msi_maskable_irq(const struct msi_de
|| entry->msi_attrib.maskbit;
}
@ -230,7 +238,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
.enable = unmask_msi_irq,
.disable = mask_msi_irq,
.ack = ack_maskable_msi_irq,
@@ -591,7 +603,8 @@ static int msi_capability_init(struct pc
@@ -593,7 +605,8 @@ static int msi_capability_init(struct pc
entry[i].msi_attrib.is_64 = is_64bit_address(control);
entry[i].msi_attrib.entry_nr = i;
entry[i].msi_attrib.maskbit = is_mask_bit_support(control);
@ -240,7 +248,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
entry[i].msi_attrib.pos = pos;
if ( entry[i].msi_attrib.maskbit )
entry[i].msi.mpos = mpos;
@@ -817,7 +830,8 @@ static int msix_capability_init(struct p
@@ -819,7 +832,8 @@ static int msix_capability_init(struct p
entry->msi_attrib.is_64 = 1;
entry->msi_attrib.entry_nr = msi->entry_nr;
entry->msi_attrib.maskbit = 1;
@ -250,7 +258,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
entry->msi_attrib.pos = pos;
entry->irq = msi->irq;
entry->dev = dev;
@@ -1152,7 +1166,8 @@ int pci_restore_msi_state(struct pci_dev
@@ -1154,7 +1168,8 @@ int pci_restore_msi_state(struct pci_dev
for ( i = 0; ; )
{
@ -260,7 +268,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
if ( !--nr )
break;
@@ -1304,7 +1319,7 @@ static void dump_msi(unsigned char key)
@@ -1306,7 +1321,7 @@ static void dump_msi(unsigned char key)
else
mask = '?';
printk(" %-6s%4u vec=%02x%7s%6s%3sassert%5s%7s"
@ -269,7 +277,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
type, irq,
(data & MSI_DATA_VECTOR_MASK) >> MSI_DATA_VECTOR_SHIFT,
data & MSI_DATA_DELIVERY_LOWPRI ? "lowest" : "fixed",
@@ -1312,7 +1327,10 @@ static void dump_msi(unsigned char key)
@@ -1314,7 +1329,10 @@ static void dump_msi(unsigned char key)
data & MSI_DATA_LEVEL_ASSERT ? "" : "de",
addr & MSI_ADDR_DESTMODE_LOGIC ? "log" : "phys",
addr & MSI_ADDR_REDIRECTION_LOWPRI ? "lowest" : "cpu",
@ -281,8 +289,10 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
}
}
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
Index: xen-4.5.2-testing/xen/common/event_channel.c
===================================================================
--- xen-4.5.2-testing.orig/xen/common/event_channel.c
+++ xen-4.5.2-testing/xen/common/event_channel.c
@@ -445,10 +445,7 @@ static long evtchn_bind_pirq(evtchn_bind
bind->port = port;
@ -295,8 +305,10 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
out:
spin_unlock(&d->event_lock);
--- a/xen/drivers/passthrough/amd/iommu_init.c
+++ b/xen/drivers/passthrough/amd/iommu_init.c
Index: xen-4.5.2-testing/xen/drivers/passthrough/amd/iommu_init.c
===================================================================
--- xen-4.5.2-testing.orig/xen/drivers/passthrough/amd/iommu_init.c
+++ xen-4.5.2-testing/xen/drivers/passthrough/amd/iommu_init.c
@@ -451,7 +451,7 @@ static void iommu_msi_unmask(struct irq_
spin_lock_irqsave(&iommu->lock, flags);
amd_iommu_msi_enable(iommu, IOMMU_CONTROL_ENABLED);
@ -315,28 +327,32 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
}
static unsigned int iommu_msi_startup(struct irq_desc *desc)
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -996,7 +996,7 @@ static void dma_msi_unmask(struct irq_de
spin_lock_irqsave(&iommu->register_lock, flags);
dmar_writel(iommu->reg, DMAR_FECTL_REG, 0);
Index: xen-4.5.2-testing/xen/drivers/passthrough/vtd/iommu.c
===================================================================
--- xen-4.5.2-testing.orig/xen/drivers/passthrough/vtd/iommu.c
+++ xen-4.5.2-testing/xen/drivers/passthrough/vtd/iommu.c
@@ -999,7 +999,7 @@ static void dma_msi_unmask(struct irq_de
sts &= ~DMA_FECTL_IM;
dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
spin_unlock_irqrestore(&iommu->register_lock, flags);
- iommu->msi.msi_attrib.masked = 0;
+ iommu->msi.msi_attrib.host_masked = 0;
}
static void dma_msi_mask(struct irq_desc *desc)
@@ -1008,7 +1008,7 @@ static void dma_msi_mask(struct irq_desc
spin_lock_irqsave(&iommu->register_lock, flags);
dmar_writel(iommu->reg, DMAR_FECTL_REG, DMA_FECTL_IM);
@@ -1014,7 +1014,7 @@ static void dma_msi_mask(struct irq_desc
sts |= DMA_FECTL_IM;
dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
spin_unlock_irqrestore(&iommu->register_lock, flags);
- iommu->msi.msi_attrib.masked = 1;
+ iommu->msi.msi_attrib.host_masked = 1;
}
static unsigned int dma_msi_startup(struct irq_desc *desc)
--- a/xen/include/asm-arm/irq.h
+++ b/xen/include/asm-arm/irq.h
Index: xen-4.5.2-testing/xen/include/asm-arm/irq.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/asm-arm/irq.h
+++ xen-4.5.2-testing/xen/include/asm-arm/irq.h
@@ -44,6 +44,8 @@ int route_irq_to_guest(struct domain *d,
const char *devname);
void arch_move_irqs(struct vcpu *v);
@ -346,8 +362,10 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
/* Set IRQ type for an SPI */
int irq_set_spi_type(unsigned int spi, unsigned int type);
--- a/xen/include/asm-x86/msi.h
+++ b/xen/include/asm-x86/msi.h
Index: xen-4.5.2-testing/xen/include/asm-x86/msi.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/asm-x86/msi.h
+++ xen-4.5.2-testing/xen/include/asm-x86/msi.h
@@ -90,12 +90,13 @@ extern unsigned int pci_msix_get_table_l
struct msi_desc {
@ -375,8 +393,10 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
void ack_nonmaskable_msi_irq(struct irq_desc *);
void end_nonmaskable_msi_irq(struct irq_desc *, u8 vector);
void set_msi_affinity(struct irq_desc *, const cpumask_t *);
--- a/xen/include/xen/irq.h
+++ b/xen/include/xen/irq.h
Index: xen-4.5.2-testing/xen/include/xen/irq.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/xen/irq.h
+++ xen-4.5.2-testing/xen/include/xen/irq.h
@@ -172,4 +172,8 @@ unsigned int set_desc_affinity(struct ir
unsigned int arch_hwdom_irqs(domid_t);
#endif
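Review bot: In the vtd/iommu.c hunks of this refreshed patch, dma_msi_unmask() and dma_msi_mask() assign `iommu->msi.msi_attrib.host_masked` only after `spin_unlock_irqrestore(&iommu->register_lock, flags)`, so the flag is not covered by the lock that serialises the DMAR_FECTL_REG update just above it. Whether a lock held by the caller protects the flag cannot be seen from these hunks; if none does, a reader can briefly see a flag that disagrees with the IM bit in hardware. Moving the assignment above the unlock (for example `iommu->msi.msi_attrib.host_masked = 1;` placed before the `spin_unlock_irqrestore(...)` line in dma_msi_mask()), or adding a comment that names the lock which does cover it, would make the intent explicit. Both functions start outside the hunks shown.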


@ -1,23 +0,0 @@
# Commit 142473cfce41a565898e0fa33dc98a1f5e41abe4
# Date 2015-06-25 14:57:04 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/traps: avoid using current too early on boot
Early on boot, current has the sentinel value 0xfffff000. Blindly using it in
show_registers() causes a nested failure and no useful information printed
from an early crash.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/x86_64/traps.c
+++ b/xen/arch/x86/x86_64/traps.c
@@ -86,7 +86,7 @@ void show_registers(const struct cpu_use
struct cpu_user_regs fault_regs = *regs;
unsigned long fault_crs[8];
enum context context;
- struct vcpu *v = current;
+ struct vcpu *v = system_state >= SYS_STATE_smp_boot ? current : NULL;
if ( guest_mode(regs) && has_hvm_container_vcpu(v) )
{


@ -1,50 +0,0 @@
# Commit 71bb7304e7a7a35ea6df4b0cedebc35028e4c159
# Date 2015-06-30 15:00:54 +0100
# Author Liang Li <liang.z.li@intel.com>
# Committer Ian Campbell <ian.campbell@citrix.com>
nested EPT: fix the handling of nested EPT
If the host EPT entry is changed, the nested EPT should be updated.
the current code does not do this, and it's wrong.
I have tested this patch, the L2 guest can boot and run as normal.
Signed-off-by: Liang Li <liang.z.li@intel.com>
Signed-off-by: Yang Zhang <yang.z.zhang@intel.com>
Reported-by: Tim Deegan <tim@xen.org>
Reviewed-by: Tim Deegan <tim@xen.org>
--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -26,6 +26,7 @@
#include <asm/p2m.h>
#include <asm/hvm/vmx/vmx.h>
#include <asm/hvm/vmx/vmcs.h>
+#include <asm/hvm/nestedhvm.h>
#include <xen/iommu.h>
#include <asm/mtrr.h>
#include <asm/hvm/cacheattr.h>
@@ -1040,6 +1041,9 @@ void ept_sync_domain(struct p2m_domain *
ASSERT(local_irq_is_enabled());
+ if ( nestedhvm_enabled(d) && !p2m_is_nestedp2m(p2m) )
+ p2m_flush_nestedp2m(d);
+
/*
* Flush active cpus synchronously. Flush others the next time this domain
* is scheduled onto them. We accept the race of other CPUs adding to
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -1713,6 +1713,12 @@ p2m_flush_table(struct p2m_domain *p2m)
ASSERT(page_list_empty(&p2m->pod.super));
ASSERT(page_list_empty(&p2m->pod.single));
+ if ( p2m->np2m_base == P2M_BASE_EADDR )
+ {
+ p2m_unlock(p2m);
+ return;
+ }
+
/* This is no longer a valid nested p2m for any address space */
p2m->np2m_base = P2M_BASE_EADDR;


@ -1,64 +0,0 @@
# Commit e4e9d2d4e76bd8fe229c124bd57fc6ba824271b3
# Date 2015-07-07 11:37:26 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/p2m-ept: don't unmap the EPT pagetable while it is still in use
The call to iommu_pte_flush() between the two hunks uses &ept_entry->epte
which is a pointer into the mapped page.
It is eventually passed to `clflush` instruction which will suffer a pagefault
if the virtual mapping has fallen out of the TLB.
(XEN) ----[ Xen-4.5.0-xs102594-d x86_64 debug=y Not tainted ]----
(XEN) CPU: 7
(XEN) RIP: e008:[<ffff82d0801572f0>] cacheline_flush+0x4/0x9
<snip>
(XEN) Xen call trace:
(XEN) [<ffff82d0801572f0>] cacheline_flush+0x4/0x9
(XEN) [<ffff82d08014ffff>] __iommu_flush_cache+0x4a/0x6a
(XEN) [<ffff82d0801532e2>] iommu_pte_flush+0x2b/0xd5
(XEN) [<ffff82d0801f909a>] ept_set_entry+0x4bc/0x61f
(XEN) [<ffff82d0801f0c25>] p2m_set_entry+0xd1/0x112
(XEN) [<ffff82d0801f25b1>] clear_mmio_p2m_entry+0x1a0/0x200
(XEN) [<ffff82d0801f4aac>] unmap_mmio_regions+0x49/0x73
(XEN) [<ffff82d080106292>] do_domctl+0x15bd/0x1edb
(XEN) [<ffff82d080234fcb>] syscall_enter+0xeb/0x145
(XEN)
(XEN) Pagetable walk from ffff820040004ae0:
(XEN) L4[0x104] = 00000008668a5063 ffffffffffffffff
(XEN) L3[0x001] = 00000008668a3063 ffffffffffffffff
(XEN) L2[0x000] = 000000086689c063 ffffffffffffffff
(XEN) L1[0x004] = 000000056f078063 000000000007f678
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 7:
(XEN) FATAL PAGE FAULT
(XEN) [error_code=0000]
(XEN) Faulting linear address: ffff820040004ae0
(XEN) ****************************************
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -764,8 +764,6 @@ ept_set_entry(struct p2m_domain *p2m, un
p2m->max_mapped_pfn = gfn + (1UL << order) - 1;
out:
- unmap_domain_page(table);
-
if ( needs_sync != sync_off )
ept_sync_domain(p2m);
@@ -788,6 +786,8 @@ out:
}
}
+ unmap_domain_page(table);
+
/* Release the old intermediate tables, if any. This has to be the
last thing we do, after the ept_sync_domain() and removal
from the iommu tables, so as to avoid a potential


@ -1,88 +0,0 @@
# Commit 8022b05284dea80e24813d03180788ec7277a0bd
# Date 2015-07-07 14:29:39 +0200
# Author Dario Faggioli <dario.faggioli@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86 / cpupool: clear the proper cpu_valid bit on pCPU teardown
In fact, when a pCPU goes down, we want to clear its
bit in the correct cpupool's valid mask, rather than
always in cpupool0's one.
Before this commit, all the pCPUs in the non-default
pool(s) will be considered immediately valid, during
system resume, even the one that have not been brought
up yet. As a result, the (Credit1) scheduler will attempt
to run its load balancing logic on them, causing the
following Oops:
# xl cpupool-cpu-remove Pool-0 8-15
# xl cpupool-create name=\"Pool-1\"
# xl cpupool-cpu-add Pool-1 8-15
--> suspend
--> resume
(XEN) ----[ Xen-4.6-unstable x86_64 debug=y Tainted: C ]----
(XEN) CPU: 8
(XEN) RIP: e008:[<ffff82d080123078>] csched_schedule+0x4be/0xb97
(XEN) RFLAGS: 0000000000010087 CONTEXT: hypervisor
(XEN) rax: 80007d2f7fccb780 rbx: 0000000000000009 rcx: 0000000000000000
(XEN) rdx: ffff82d08031ed40 rsi: ffff82d080334980 rdi: 0000000000000000
(XEN) rbp: ffff83010000fe20 rsp: ffff83010000fd40 r8: 0000000000000004
(XEN) r9: 0000ffff0000ffff r10: 00ff00ff00ff00ff r11: 0f0f0f0f0f0f0f0f
(XEN) r12: ffff8303191ea870 r13: ffff8303226aadf0 r14: 0000000000000009
(XEN) r15: 0000000000000008 cr0: 000000008005003b cr4: 00000000000026f0
(XEN) cr3: 00000000dba9d000 cr2: 0000000000000000
(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: 0000 cs: e008
(XEN) ... ... ...
(XEN) Xen call trace:
(XEN) [<ffff82d080123078>] csched_schedule+0x4be/0xb97
(XEN) [<ffff82d08012c732>] schedule+0x12a/0x63c
(XEN) [<ffff82d08012f8c8>] __do_softirq+0x82/0x8d
(XEN) [<ffff82d08012f920>] do_softirq+0x13/0x15
(XEN) [<ffff82d080164791>] idle_loop+0x5b/0x6b
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 8:
(XEN) GENERAL PROTECTION FAULT
(XEN) [error_code=0000]
(XEN) ****************************************
The reason why the error is a #GP fault is that, without
this commit, we try to access the per-cpu area of a not
yet allocated and initialized pCPU.
In fact, %rax, which is what is used as pointer, is
80007d2f7fccb780, and we also have this:
#define INVALID_PERCPU_AREA (0x8000000000000000L - (long)__per_cpu_start)
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Juergen Gross <jgross@suse.com>
--- a/xen/arch/x86/smpboot.c
+++ b/xen/arch/x86/smpboot.c
@@ -816,7 +816,6 @@ void __cpu_disable(void)
remove_siblinginfo(cpu);
/* It's now safe to remove this processor from the online map */
- cpumask_clear_cpu(cpu, cpupool0->cpu_valid);
cpumask_clear_cpu(cpu, &cpu_online_map);
fixup_irqs();
--- a/xen/common/cpupool.c
+++ b/xen/common/cpupool.c
@@ -529,6 +529,7 @@ static int cpupool_cpu_remove(unsigned i
if ( cpumask_test_cpu(cpu, (*c)->cpu_valid ) )
{
cpumask_set_cpu(cpu, (*c)->cpu_suspended);
+ cpumask_clear_cpu(cpu, (*c)->cpu_valid);
break;
}
}
@@ -551,6 +552,7 @@ static int cpupool_cpu_remove(unsigned i
* If we are not suspending, we are hot-unplugging cpu, and that is
* allowed only for CPUs in pool0.
*/
+ cpumask_clear_cpu(cpu, cpupool0->cpu_valid);
ret = 0;
}


@ -1,141 +0,0 @@
# Commit 02ea5031825d984d52eb9a982b8457e3434137f0
# Date 2015-07-07 14:30:06 +0200
# Author Dario Faggioli <dario.faggioli@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
credit1: properly deal with pCPUs not in any cpupool
Ideally, the pCPUs that are 'free', i.e., not assigned
to any cpupool, should not be considred by the scheduler
for load balancing or anything. In Credit1, we fail at
this, because of how we use cpupool_scheduler_cpumask().
In fact, for a free pCPU, cpupool_scheduler_cpumask()
returns a pointer to cpupool_free_cpus, and hence, near
the top of csched_load_balance():
if ( unlikely(!cpumask_test_cpu(cpu, online)) )
goto out;
is false (the pCPU _is_ free!), and we therefore do not
jump to the end right away, as we should. This, causes
the following splat when resuming from ACPI S3 with
pCPUs not assigned to any pool:
(XEN) ----[ Xen-4.6-unstable x86_64 debug=y Tainted: C ]----
(XEN) ... ... ...
(XEN) Xen call trace:
(XEN) [<ffff82d080122eaa>] csched_load_balance+0x213/0x794
(XEN) [<ffff82d08012374c>] csched_schedule+0x321/0x452
(XEN) [<ffff82d08012c85e>] schedule+0x12a/0x63c
(XEN) [<ffff82d08012fa09>] __do_softirq+0x82/0x8d
(XEN) [<ffff82d08012fa61>] do_softirq+0x13/0x15
(XEN) [<ffff82d080164780>] idle_loop+0x5b/0x6b
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 8:
(XEN) GENERAL PROTECTION FAULT
(XEN) [error_code=0000]
(XEN) ****************************************
The cure is:
* use cpupool_online_cpumask(), as a better guard to the
case when the cpu is being offlined;
* explicitly check whether the cpu is free.
SEDF is in a similar situation, so fix it too.
Still in Credit1, we must make sure that free (or offline)
CPUs are not considered "ticklable". Not doing so would impair
the load balancing algorithm, making the scheduler think that
it is possible to 'ask' the pCPU to pick up some work, while
in reallity, that will never happen! Evidence of such behavior
is shown in this trace:
Name CPU list
Pool-0 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
0.112998198 | ||.|| -|x||-|- d0v0 runstate_change d0v4 offline->runnable
] 0.112998198 | ||.|| -|x||-|- d0v0 22006(2:2:6) 1 [ f ]
] 0.112999612 | ||.|| -|x||-|- d0v0 28004(2:8:4) 2 [ 0 4 ]
0.113003387 | ||.|| -||||-|x d32767v15 runstate_continue d32767v15 running->running
where "22006(2:2:6) 1 [ f ]" means that pCPU 15, which is
free from any pool, is tickled.
The cure, in this case, is to filter out the free pCPUs,
within __runq_tickle().
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Juergen Gross <jgross@suse.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
--- a/xen/common/sched_credit.c
+++ b/xen/common/sched_credit.c
@@ -350,12 +350,17 @@ __runq_tickle(unsigned int cpu, struct c
{
struct csched_vcpu * const cur = CSCHED_VCPU(curr_on_cpu(cpu));
struct csched_private *prv = CSCHED_PRIV(per_cpu(scheduler, cpu));
- cpumask_t mask, idle_mask;
+ cpumask_t mask, idle_mask, *online;
int balance_step, idlers_empty;
ASSERT(cur);
cpumask_clear(&mask);
- idlers_empty = cpumask_empty(prv->idlers);
+
+ /* cpu is vc->processor, so it must be in a cpupool. */
+ ASSERT(per_cpu(cpupool, cpu) != NULL);
+ online = cpupool_online_cpumask(per_cpu(cpupool, cpu));
+ cpumask_and(&idle_mask, prv->idlers, online);
+ idlers_empty = cpumask_empty(&idle_mask);
/*
@@ -392,8 +397,8 @@ __runq_tickle(unsigned int cpu, struct c
/* Are there idlers suitable for new (for this balance step)? */
csched_balance_cpumask(new->vcpu, balance_step,
csched_balance_mask);
- cpumask_and(&idle_mask, prv->idlers, csched_balance_mask);
- new_idlers_empty = cpumask_empty(&idle_mask);
+ cpumask_and(csched_balance_mask, csched_balance_mask, &idle_mask);
+ new_idlers_empty = cpumask_empty(csched_balance_mask);
/*
* Let's not be too harsh! If there aren't idlers suitable
@@ -1494,6 +1499,7 @@ static struct csched_vcpu *
csched_load_balance(struct csched_private *prv, int cpu,
struct csched_vcpu *snext, bool_t *stolen)
{
+ struct cpupool *c = per_cpu(cpupool, cpu);
struct csched_vcpu *speer;
cpumask_t workers;
cpumask_t *online;
@@ -1501,10 +1507,13 @@ csched_load_balance(struct csched_privat
int node = cpu_to_node(cpu);
BUG_ON( cpu != snext->vcpu->processor );
- online = cpupool_scheduler_cpumask(per_cpu(cpupool, cpu));
+ online = cpupool_online_cpumask(c);
- /* If this CPU is going offline we shouldn't steal work. */
- if ( unlikely(!cpumask_test_cpu(cpu, online)) )
+ /*
+ * If this CPU is going offline, or is not (yet) part of any cpupool
+ * (as it happens, e.g., during cpu bringup), we shouldn't steal work.
+ */
+ if ( unlikely(!cpumask_test_cpu(cpu, online) || c == NULL) )
goto out;
if ( snext->pri == CSCHED_PRI_IDLE )
--- a/xen/common/sched_sedf.c
+++ b/xen/common/sched_sedf.c
@@ -791,7 +791,8 @@ static struct task_slice sedf_do_schedul
if ( tasklet_work_scheduled ||
(list_empty(runq) && list_empty(waitq)) ||
unlikely(!cpumask_test_cpu(cpu,
- cpupool_scheduler_cpumask(per_cpu(cpupool, cpu)))) )
+ cpupool_online_cpumask(per_cpu(cpupool, cpu))) ||
+ per_cpu(cpupool, cpu) == NULL) )
{
ret.task = IDLETASK(cpu);
ret.time = SECONDS(1);


@ -1,68 +0,0 @@
# Commit bbbe7e7157a964c485fb861765be291734676932
# Date 2015-07-07 14:39:27 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/hvmloader: avoid data corruption with xenstore reads/writes
The functions ring_read and ring_write() have logic to try and deal with
partial reads and writes.
However, in all cases where the "while (len)" loop executed twice, data
corruption would occur as the second memcpy() starts from the beginning of
"data" again, rather than from where it got to.
This bug manifested itself as protocol corruption when a reply header crossed
the first wrap of the response ring. However, similar corruption would also
occur if hvmloader observed xenstored performing partial writes of the block
in question, or if hvmloader had to wait for xenstored to make space in either
ring.
Reported-by: Adam Kucia <djexit@o2.pl>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/tools/firmware/hvmloader/xenbus.c
+++ b/tools/firmware/hvmloader/xenbus.c
@@ -105,7 +105,7 @@ void xenbus_shutdown(void)
/* Helper functions: copy data in and out of the ring */
static void ring_write(const char *data, uint32_t len)
{
- uint32_t part;
+ uint32_t part, done = 0;
ASSERT(len <= XENSTORE_PAYLOAD_MAX);
@@ -122,16 +122,18 @@ static void ring_write(const char *data,
if ( part > len )
part = len;
- memcpy(rings->req + MASK_XENSTORE_IDX(rings->req_prod), data, part);
+ memcpy(rings->req + MASK_XENSTORE_IDX(rings->req_prod),
+ data + done, part);
barrier(); /* = wmb before prod write, rmb before next cons read */
rings->req_prod += part;
len -= part;
+ done += part;
}
}
static void ring_read(char *data, uint32_t len)
{
- uint32_t part;
+ uint32_t part, done = 0;
ASSERT(len <= XENSTORE_PAYLOAD_MAX);
@@ -148,10 +150,12 @@ static void ring_read(char *data, uint32
if ( part > len )
part = len;
- memcpy(data, rings->rsp + MASK_XENSTORE_IDX(rings->rsp_cons), part);
+ memcpy(data + done,
+ rings->rsp + MASK_XENSTORE_IDX(rings->rsp_cons), part);
barrier(); /* = wmb before cons write, rmb before next prod read */
rings->rsp_cons += part;
len -= part;
+ done += part;
}
}


@ -1,102 +0,0 @@
# Commit 39c6664a0e6e1b4ed80660d545dff34ce41bee31
# Date 2015-07-07 15:10:45 +0100
# Author Ian Campbell <ian.campbell@citrix.com>
# Committer Ian Campbell <ian.campbell@citrix.com>
xen: earlycpio: Pull in latest linux earlycpio.[ch]
AFAICT our current version does not correspond to any version in the
Linux history. This commit resynchronised to the state in Linux
commit 598bae70c2a8e35c8d39b610cca2b32afcf047af.
Differences from upstream: find_cpio_data is __init, printk instead of
pr_*.
This appears to fix Debian bug #785187. "Appears" because my test box
happens to be AMD and the issue is that the (valid) cpio generated by
the Intel ucode is not liked by the old Xen code. I've tested by
hacking the hypervisor to look for the Intel path.
Reported-by: Stephan Seitz <stse+debianbugs@fsing.rootsland.net>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Stephan Seitz <stse+debianbugs@fsing.rootsland.net>
Cc: 785187@bugs.debian.org
Acked-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/common/earlycpio.c
+++ b/xen/common/earlycpio.c
@@ -54,25 +54,26 @@ enum cpio_fields {
/**
* cpio_data find_cpio_data - Search for files in an uncompressed cpio
- * @path: The directory to search for, including a slash at the end
- * @data: Pointer to the the cpio archive or a header inside
- * @len: Remaining length of the cpio based on data pointer
- * @offset: When a matching file is found, this is the offset to the
- * beginning of the cpio. It can be used to iterate through
- * the cpio to find all files inside of a directory path
+ * @path: The directory to search for, including a slash at the end
+ * @data: Pointer to the the cpio archive or a header inside
+ * @len: Remaining length of the cpio based on data pointer
+ * @nextoff: When a matching file is found, this is the offset from the
+ * beginning of the cpio to the beginning of the next file, not the
+ * matching file itself. It can be used to iterate through the cpio
+ * to find all files inside of a directory path.
*
- * @return: struct cpio_data containing the address, length and
- * filename (with the directory path cut off) of the found file.
- * If you search for a filename and not for files in a directory,
- * pass the absolute path of the filename in the cpio and make sure
- * the match returned an empty filename string.
+ * @return: struct cpio_data containing the address, length and
+ * filename (with the directory path cut off) of the found file.
+ * If you search for a filename and not for files in a directory,
+ * pass the absolute path of the filename in the cpio and make sure
+ * the match returned an empty filename string.
*/
struct cpio_data __init find_cpio_data(const char *path, void *data,
- size_t len, long *offset)
+ size_t len, long *nextoff)
{
const size_t cpio_header_len = 8*C_NFIELDS - 2;
- struct cpio_data cd = { NULL, 0 };
+ struct cpio_data cd = { NULL, 0, "" };
const char *p, *dptr, *nptr;
unsigned int ch[C_NFIELDS], *chp, v;
unsigned char c, x;
@@ -129,17 +130,17 @@ struct cpio_data __init find_cpio_data(c
if ((ch[C_MODE] & 0170000) == 0100000 &&
ch[C_NAMESIZE] >= mypathsize &&
!memcmp(p, path, mypathsize)) {
- *offset = (long)nptr - (long)data;
+ *nextoff = (long)nptr - (long)data;
if (ch[C_NAMESIZE] - mypathsize >= MAX_CPIO_FILE_NAME) {
printk(
"File %s exceeding MAX_CPIO_FILE_NAME [%d]\n",
p, MAX_CPIO_FILE_NAME);
}
- if (ch[C_NAMESIZE] - 1 /* includes \0 */ == mypathsize) {
- cd.data = (void *)dptr;
- cd.size = ch[C_FILESIZE];
- return cd; /* Found it! */
- }
+ strlcpy(cd.name, p + mypathsize, MAX_CPIO_FILE_NAME);
+
+ cd.data = (void *)dptr;
+ cd.size = ch[C_FILESIZE];
+ return cd; /* Found it! */
}
len -= (nptr - p);
p = nptr;
--- a/xen/include/xen/earlycpio.h
+++ b/xen/include/xen/earlycpio.h
@@ -6,6 +6,7 @@
struct cpio_data {
void *data;
size_t size;
+ char name[MAX_CPIO_FILE_NAME];
};
struct cpio_data find_cpio_data(const char *path, void *data, size_t len,


@ -1,37 +0,0 @@
Subject: xl: correct handling of extra_config in main_cpupoolcreate
From: Wei Liu wei.liu2@citrix.com Tue Jul 14 17:41:10 2015 +0100
Date: Wed Jul 15 10:58:08 2015 +0100:
Git: 705c9e12426cba82804cb578fc70785281655d94
Don't dereference extra_config if it's NULL. Don't leak extra_config in
the end.
Also fixed a typo in error string while I was there.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/xl_cmdimpl.c
+++ xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c
@@ -7085,9 +7085,9 @@ int main_cpupoolcreate(int argc, char **
else
config_src="command line";
- if (strlen(extra_config)) {
+ if (extra_config && strlen(extra_config)) {
if (config_len > INT_MAX - (strlen(extra_config) + 2)) {
- fprintf(stderr, "Failed to attach extra configration\n");
+ fprintf(stderr, "Failed to attach extra configuration\n");
goto out;
}
config_data = xrealloc(config_data,
@@ -7211,6 +7211,7 @@ out_cfg:
out:
free(name);
free(config_data);
+ free(extra_config);
return rc;
}


@ -1,24 +0,0 @@
# Commit b1c780cd315eb4db06be3bbb5c6d80b1cabd27a9
# Date 2015-07-15 16:11:42 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
make rangeset_report_ranges() report all ranges
find_range() returns NULL when s is below the lowest range, so we have
to use first_range() here (which is as good performance wise), or else
no range gets reported at all in that case.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/common/rangeset.c
+++ b/xen/common/rangeset.c
@@ -289,7 +289,7 @@ int rangeset_report_ranges(
read_lock(&r->lock);
- for ( x = find_range(r, s); x && (x->s <= e) && !rc; x = next_range(r, x) )
+ for ( x = first_range(r); x && (x->s <= e) && !rc; x = next_range(r, x) )
if ( x->e >= s )
rc = cb(max(x->s, s), min(x->e, e), ctxt);


@ -1,135 +0,0 @@
# Commit a8bc99b981c5ad773bd646f5986e616d26fb94d7
# Date 2015-07-16 11:50:07 +0200
# Author Elena Ufimtseva <elena.ufimtseva@oracle.com>
# Committer Jan Beulich <jbeulich@suse.com>
dmar: device scope mem leak fix
Release memory allocated for scope.devices dmar units on various
failure paths and when disabling dmar. Set device count after
sucessfull memory allocation, not before, in device scope parsing function.
Signed-off-by: Elena Ufimtseva <elena.ufimtseva@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Yang Zhang <yang.z.zhang@intel.com>
# Commit 132231d10343608faf5892785a08acc500326d04
# Date 2015-07-16 15:23:37 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
dmar: fix double free in error paths following c/s a8bc99b
Several error paths would end up freeing scope->devices twice.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/drivers/passthrough/vtd/dmar.c
+++ b/xen/drivers/passthrough/vtd/dmar.c
@@ -80,6 +80,16 @@ static int __init acpi_register_rmrr_uni
return 0;
}
+static void scope_devices_free(struct dmar_scope *scope)
+{
+ if ( !scope )
+ return;
+
+ scope->devices_cnt = 0;
+ xfree(scope->devices);
+ scope->devices = NULL;
+}
+
static void __init disable_all_dmar_units(void)
{
struct acpi_drhd_unit *drhd, *_drhd;
@@ -89,16 +99,19 @@ static void __init disable_all_dmar_unit
list_for_each_entry_safe ( drhd, _drhd, &acpi_drhd_units, list )
{
list_del(&drhd->list);
+ scope_devices_free(&drhd->scope);
xfree(drhd);
}
list_for_each_entry_safe ( rmrr, _rmrr, &acpi_rmrr_units, list )
{
list_del(&rmrr->list);
+ scope_devices_free(&rmrr->scope);
xfree(rmrr);
}
list_for_each_entry_safe ( atsr, _atsr, &acpi_atsr_units, list )
{
list_del(&atsr->list);
+ scope_devices_free(&atsr->scope);
xfree(atsr);
}
}
@@ -317,13 +330,13 @@ static int __init acpi_parse_dev_scope(
if ( (cnt = scope_device_count(start, end)) < 0 )
return cnt;
- scope->devices_cnt = cnt;
if ( cnt > 0 )
{
scope->devices = xzalloc_array(u16, cnt);
if ( !scope->devices )
return -ENOMEM;
}
+ scope->devices_cnt = cnt;
while ( start < end )
{
@@ -426,7 +439,7 @@ static int __init acpi_parse_dev_scope(
out:
if ( ret )
- xfree(scope->devices);
+ scope_devices_free(scope);
return ret;
}
@@ -541,6 +554,7 @@ acpi_parse_one_drhd(struct acpi_dmar_hea
" Workaround BIOS bug: ignore the DRHD due to all "
"devices under its scope are not PCI discoverable!\n");
+ scope_devices_free(&dmaru->scope);
iommu_free(dmaru);
xfree(dmaru);
}
@@ -561,9 +575,11 @@ acpi_parse_one_drhd(struct acpi_dmar_hea
out:
if ( ret )
{
+ scope_devices_free(&dmaru->scope);
iommu_free(dmaru);
xfree(dmaru);
}
+
return ret;
}
@@ -657,6 +673,7 @@ acpi_parse_one_rmrr(struct acpi_dmar_hea
" Ignore the RMRR (%"PRIx64", %"PRIx64") due to "
"devices under its scope are not PCI discoverable!\n",
rmrru->base_address, rmrru->end_address);
+ scope_devices_free(&rmrru->scope);
xfree(rmrru);
}
else if ( base_addr > end_addr )
@@ -664,6 +681,7 @@ acpi_parse_one_rmrr(struct acpi_dmar_hea
dprintk(XENLOG_WARNING VTDPREFIX,
" The RMRR (%"PRIx64", %"PRIx64") is incorrect!\n",
rmrru->base_address, rmrru->end_address);
+ scope_devices_free(&rmrru->scope);
xfree(rmrru);
ret = -EFAULT;
}
@@ -726,7 +744,10 @@ acpi_parse_one_atsr(struct acpi_dmar_hea
}
if ( ret )
+ {
+ scope_devices_free(&atsru->scope);
xfree(atsru);
+ }
else
acpi_register_atsr_unit(atsru);
return ret;


@ -12,9 +12,11 @@ MMCFG accesses by Dom0.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -1108,6 +1108,12 @@ void pci_cleanup_msi(struct pci_dev *pde
Index: xen-4.5.2-testing/xen/arch/x86/msi.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c
+++ xen-4.5.2-testing/xen/arch/x86/msi.c
@@ -1110,6 +1110,12 @@ void pci_cleanup_msi(struct pci_dev *pde
msi_free_irqs(pdev);
}
@ -27,8 +29,10 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
int pci_restore_msi_state(struct pci_dev *pdev)
{
unsigned long flags;
--- a/xen/arch/x86/pci.c
+++ b/xen/arch/x86/pci.c
Index: xen-4.5.2-testing/xen/arch/x86/pci.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/pci.c
+++ xen-4.5.2-testing/xen/arch/x86/pci.c
@@ -67,3 +67,28 @@ void pci_conf_write(uint32_t cf8, uint8_
spin_unlock_irqrestore(&pci_config_lock, flags);
@ -58,9 +62,11 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+ return rc;
+}
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1708,8 +1708,8 @@ static int admin_io_okay(
Index: xen-4.5.2-testing/xen/arch/x86/traps.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/traps.c
+++ xen-4.5.2-testing/xen/arch/x86/traps.c
@@ -1709,8 +1709,8 @@ static int admin_io_okay(
return ioports_access_permitted(v->domain, port, port + bytes - 1);
}
@ -71,7 +77,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
{
uint32_t machine_bdf;
@@ -1741,8 +1741,12 @@ static bool_t pci_cfg_ok(struct domain *
@@ -1742,8 +1742,12 @@ static bool_t pci_cfg_ok(struct domain *
start |= CF8_ADDR_HI(currd->arch.pci_cf8);
}
@ -86,7 +92,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
uint32_t guest_io_read(
@@ -1796,7 +1800,7 @@ uint32_t guest_io_read(
@@ -1797,7 +1801,7 @@ uint32_t guest_io_read(
size = min(bytes, 4 - (port & 3));
if ( size == 3 )
size = 2;
@ -95,7 +101,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
sub_data = pci_conf_read(v->domain->arch.pci_cf8, port & 3, size);
}
@@ -1869,7 +1873,7 @@ void guest_io_write(
@@ -1870,7 +1874,7 @@ void guest_io_write(
size = min(bytes, 4 - (port & 3));
if ( size == 3 )
size = 2;
@ -104,8 +110,10 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
pci_conf_write(v->domain->arch.pci_cf8, port & 3, size, data);
}
--- a/xen/include/asm-x86/pci.h
+++ b/xen/include/asm-x86/pci.h
Index: xen-4.5.2-testing/xen/include/asm-x86/pci.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/asm-x86/pci.h
+++ xen-4.5.2-testing/xen/include/asm-x86/pci.h
@@ -15,4 +15,11 @@ struct arch_pci_dev {
vmask_t used_vectors;
};


@ -13,9 +13,11 @@ a guest).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -843,6 +843,12 @@ static int msix_capability_init(struct p
Index: xen-4.5.2-testing/xen/arch/x86/msi.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c
+++ xen-4.5.2-testing/xen/arch/x86/msi.c
@@ -845,6 +845,12 @@ static int msix_capability_init(struct p
if ( !msix->used_entries )
{
@ -28,7 +30,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
if ( rangeset_add_range(mmio_ro_ranges, msix->table.first,
msix->table.last) )
WARN();
@@ -1111,6 +1117,34 @@ void pci_cleanup_msi(struct pci_dev *pde
@@ -1113,6 +1119,34 @@ void pci_cleanup_msi(struct pci_dev *pde
int pci_msi_conf_write_intercept(struct pci_dev *pdev, unsigned int reg,
unsigned int size, uint32_t *data)
{
@ -63,8 +65,10 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
return 0;
}
--- a/xen/include/asm-x86/msi.h
+++ b/xen/include/asm-x86/msi.h
Index: xen-4.5.2-testing/xen/include/asm-x86/msi.h
===================================================================
--- xen-4.5.2-testing.orig/xen/include/asm-x86/msi.h
+++ xen-4.5.2-testing/xen/include/asm-x86/msi.h
@@ -228,6 +228,7 @@ struct arch_msix {
int table_refcnt[MAX_MSIX_TABLE_PAGES];
int table_idx[MAX_MSIX_TABLE_PAGES];


@ -30,8 +30,10 @@ Backporting note (largely to myself):
"x86/MSI: drop workaround for insecure Dom0 kernels" (due to re-use
of struct arch_msix's warned field).
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
Index: xen-4.5.2-testing/xen/arch/x86/irq.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/irq.c
+++ xen-4.5.2-testing/xen/arch/x86/irq.c
@@ -217,9 +217,9 @@ void destroy_irq(unsigned int irq)
}
@ -63,8 +65,10 @@ Backporting note (largely to myself):
/*
* Mark any remaining pending EOIs as ready to flush.
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
Index: xen-4.5.2-testing/xen/arch/x86/msi.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c
+++ xen-4.5.2-testing/xen/arch/x86/msi.c
@@ -123,6 +123,27 @@ static void msix_put_fixmap(struct arch_
spin_unlock(&msix->table_lock);
}
@ -283,7 +287,7 @@ Backporting note (largely to myself):
}
void ack_nonmaskable_msi_irq(struct irq_desc *desc)
@@ -740,6 +809,9 @@ static int msix_capability_init(struct p
@@ -742,6 +811,9 @@ static int msix_capability_init(struct p
control = pci_conf_read16(seg, bus, slot, func, msix_control_reg(pos));
msix_set_enable(dev, 0);/* Ensure msix is disabled as I set it up */
@ -293,7 +297,7 @@ Backporting note (largely to myself):
if ( desc )
{
entry = alloc_msi_entry(1);
@@ -879,7 +951,8 @@ static int msix_capability_init(struct p
@@ -881,7 +953,8 @@ static int msix_capability_init(struct p
++msix->used_entries;
/* Restore MSI-X enabled bits */
@ -303,7 +307,7 @@ Backporting note (largely to myself):
return 0;
}
@@ -1024,8 +1097,16 @@ static void __pci_disable_msix(struct ms
@@ -1026,8 +1099,16 @@ static void __pci_disable_msix(struct ms
BUG_ON(list_empty(&dev->msi_list));
@ -322,7 +326,7 @@ Backporting note (largely to myself):
pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos), control);
_pci_cleanup_msix(dev->msix);
@@ -1199,15 +1280,24 @@ int pci_restore_msi_state(struct pci_dev
@@ -1201,15 +1282,24 @@ int pci_restore_msi_state(struct pci_dev
nr = entry->msi.nvec;
}
else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX )


@ -14,8 +14,10 @@ instead to prevent interrupts from occurring.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
Index: xen-4.5.2-testing/xen/arch/x86/msi.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c
+++ xen-4.5.2-testing/xen/arch/x86/msi.c
@@ -144,6 +144,17 @@ static bool_t memory_decoded(const struc
PCI_COMMAND_MEMORY);
}
@ -171,7 +173,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
}
int __setup_msi_irq(struct irq_desc *desc, struct msi_desc *msidesc,
@@ -803,20 +848,38 @@ static int msix_capability_init(struct p
@@ -805,20 +850,38 @@ static int msix_capability_init(struct p
u8 bus = dev->bus;
u8 slot = PCI_SLOT(dev->devfn);
u8 func = PCI_FUNC(dev->devfn);
@ -211,7 +213,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
ASSERT(msi);
}
@@ -847,6 +910,8 @@ static int msix_capability_init(struct p
@@ -849,6 +912,8 @@ static int msix_capability_init(struct p
{
if ( !msi || !msi->table_base )
{
@ -220,7 +222,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
xfree(entry);
return -ENXIO;
}
@@ -889,6 +954,8 @@ static int msix_capability_init(struct p
@@ -891,6 +956,8 @@ static int msix_capability_init(struct p
if ( idx < 0 )
{
@ -229,7 +231,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
xfree(entry);
return idx;
}
@@ -915,7 +982,7 @@ static int msix_capability_init(struct p
@@ -917,7 +984,7 @@ static int msix_capability_init(struct p
if ( !msix->used_entries )
{
@ -238,7 +240,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
if ( !msix->guest_maskall )
control &= ~PCI_MSIX_FLAGS_MASKALL;
else
@@ -951,8 +1018,8 @@ static int msix_capability_init(struct p
@@ -953,8 +1020,8 @@ static int msix_capability_init(struct p
++msix->used_entries;
/* Restore MSI-X enabled bits */
@ -249,7 +251,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
return 0;
}
@@ -1092,8 +1159,15 @@ static void __pci_disable_msix(struct ms
@@ -1094,8 +1161,15 @@ static void __pci_disable_msix(struct ms
PCI_CAP_ID_MSIX);
u16 control = pci_conf_read16(seg, bus, slot, func,
msix_control_reg(entry->msi_attrib.pos));
@ -266,7 +268,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
BUG_ON(list_empty(&dev->msi_list));
@@ -1105,8 +1179,11 @@ static void __pci_disable_msix(struct ms
@@ -1107,8 +1181,11 @@ static void __pci_disable_msix(struct ms
"cannot disable IRQ %d: masking MSI-X on %04x:%02x:%02x.%u\n",
entry->irq, dev->seg, dev->bus,
PCI_SLOT(dev->devfn), PCI_FUNC(dev->devfn));
@ -279,7 +281,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos), control);
_pci_cleanup_msix(dev->msix);
@@ -1255,6 +1332,8 @@ int pci_restore_msi_state(struct pci_dev
@@ -1257,6 +1334,8 @@ int pci_restore_msi_state(struct pci_dev
list_for_each_entry_safe( entry, tmp, &pdev->msi_list, list )
{
unsigned int i = 0, nr = 1;
@ -288,7 +290,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
irq = entry->irq;
desc = &irq_desc[irq];
@@ -1281,10 +1360,18 @@ int pci_restore_msi_state(struct pci_dev
@@ -1283,10 +1362,18 @@ int pci_restore_msi_state(struct pci_dev
}
else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX )
{
@ -308,7 +310,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
return -ENXIO;
}
}
@@ -1314,11 +1401,9 @@ int pci_restore_msi_state(struct pci_dev
@@ -1316,11 +1403,9 @@ int pci_restore_msi_state(struct pci_dev
if ( entry->msi_attrib.type == PCI_CAP_ID_MSI )
{
unsigned int cpos = msi_control_reg(entry->msi_attrib.pos);
@ -322,7 +324,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
multi_msi_enable(control, entry->msi.nvec);
pci_conf_write16(pdev->seg, pdev->bus, PCI_SLOT(pdev->devfn),
PCI_FUNC(pdev->devfn), cpos, control);
@@ -1326,7 +1411,9 @@ int pci_restore_msi_state(struct pci_dev
@@ -1328,7 +1413,9 @@ int pci_restore_msi_state(struct pci_dev
msi_set_enable(pdev, 1);
}
else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX )


@ -13,9 +13,11 @@ This allows reverting the main effect of the XSA-129 patches in qemu.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -1303,6 +1303,37 @@ int pci_msi_conf_write_intercept(struct
Index: xen-4.5.2-testing/xen/arch/x86/msi.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c
+++ xen-4.5.2-testing/xen/arch/x86/msi.c
@@ -1305,6 +1305,37 @@ int pci_msi_conf_write_intercept(struct
return 1;
}


@ -1,63 +0,0 @@
# Commit a7bd9b1661304500cd18b7d216d616ecf053ebdb
# Date 2015-08-05 10:32:45 +0100
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Ian Campbell <ian.campbell@citrix.com>
x86/gdt: Drop write-only, xalloc()'d array from set_gdt()
It is not used, and can cause a spurious failure of the set_gdt() hypercall in
low memory situations.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -4383,20 +4383,15 @@ long set_gdt(struct vcpu *v,
l1_pgentry_t *pl1e;
/* NB. There are 512 8-byte entries per GDT page. */
int i, nr_pages = (entries + 511) / 512;
- unsigned long mfn, *pfns;
if ( entries > FIRST_RESERVED_GDT_ENTRY )
return -EINVAL;
- pfns = xmalloc_array(unsigned long, nr_pages);
- if ( !pfns )
- return -ENOMEM;
-
/* Check the pages in the new GDT. */
for ( i = 0; i < nr_pages; i++ )
{
struct page_info *page;
- pfns[i] = frames[i];
+
page = get_page_from_gfn(d, frames[i], NULL, P2M_ALLOC);
if ( !page )
goto fail;
@@ -4405,7 +4400,7 @@ long set_gdt(struct vcpu *v,
put_page(page);
goto fail;
}
- mfn = frames[i] = page_to_mfn(page);
+ frames[i] = page_to_mfn(page);
}
/* Tear down the old GDT. */
@@ -4420,7 +4415,6 @@ long set_gdt(struct vcpu *v,
l1e_write(&pl1e[i], l1e_from_pfn(frames[i], __PAGE_HYPERVISOR));
}
- xfree(pfns);
return 0;
fail:
@@ -4428,7 +4422,6 @@ long set_gdt(struct vcpu *v,
{
put_page_and_type(mfn_to_page(frames[i]));
}
- xfree(pfns);
return -EINVAL;
}


@ -1,169 +0,0 @@
# Commit 0174da5b79752e2d5d6ca0faed89536e8f3d91c7
# Date 2015-08-06 10:04:43 +0100
# Author Anshul Makkar <anshul.makkar@citrix.com>
# Committer Ian Campbell <ian.campbell@citrix.com>
x86/mm: Make {hap, shadow}_teardown() preemptible
A domain with sufficient shadow allocation can cause a watchdog timeout
during domain destruction. Expand the existing -ERESTART logic in
paging_teardown() to allow {hap/sh}_set_allocation() to become
restartable during the DOMCTL_destroydomain hypercall.
Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -503,7 +503,7 @@ void hap_final_teardown(struct domain *d
}
if ( d->arch.paging.hap.total_pages != 0 )
- hap_teardown(d);
+ hap_teardown(d, NULL);
p2m_teardown(p2m_get_hostp2m(d));
/* Free any memory that the p2m teardown released */
@@ -513,7 +513,7 @@ void hap_final_teardown(struct domain *d
paging_unlock(d);
}
-void hap_teardown(struct domain *d)
+void hap_teardown(struct domain *d, int *preempted)
{
struct vcpu *v;
mfn_t mfn;
@@ -541,18 +541,11 @@ void hap_teardown(struct domain *d)
if ( d->arch.paging.hap.total_pages != 0 )
{
- HAP_PRINTK("teardown of domain %u starts."
- " pages total = %u, free = %u, p2m=%u\n",
- d->domain_id,
- d->arch.paging.hap.total_pages,
- d->arch.paging.hap.free_pages,
- d->arch.paging.hap.p2m_pages);
- hap_set_allocation(d, 0, NULL);
- HAP_PRINTK("teardown done."
- " pages total = %u, free = %u, p2m=%u\n",
- d->arch.paging.hap.total_pages,
- d->arch.paging.hap.free_pages,
- d->arch.paging.hap.p2m_pages);
+ hap_set_allocation(d, 0, preempted);
+
+ if ( preempted && *preempted )
+ goto out;
+
ASSERT(d->arch.paging.hap.total_pages == 0);
}
@@ -561,6 +554,7 @@ void hap_teardown(struct domain *d)
xfree(d->arch.hvm_domain.dirty_vram);
d->arch.hvm_domain.dirty_vram = NULL;
+out:
paging_unlock(d);
}
--- a/xen/arch/x86/mm/paging.c
+++ b/xen/arch/x86/mm/paging.c
@@ -779,12 +779,15 @@ long paging_domctl_continuation(XEN_GUES
/* Call when destroying a domain */
int paging_teardown(struct domain *d)
{
- int rc;
+ int rc, preempted = 0;
if ( hap_enabled(d) )
- hap_teardown(d);
+ hap_teardown(d, &preempted);
else
- shadow_teardown(d);
+ shadow_teardown(d, &preempted);
+
+ if ( preempted )
+ return -ERESTART;
/* clean up log dirty resources. */
rc = paging_free_log_dirty_bitmap(d, 0);
--- a/xen/arch/x86/mm/shadow/common.c
+++ b/xen/arch/x86/mm/shadow/common.c
@@ -3030,7 +3030,7 @@ int shadow_enable(struct domain *d, u32
return rv;
}
-void shadow_teardown(struct domain *d)
+void shadow_teardown(struct domain *d, int *preempted)
/* Destroy the shadow pagetables of this domain and free its shadow memory.
* Should only be called for dying domains. */
{
@@ -3091,23 +3091,16 @@ void shadow_teardown(struct domain *d)
if ( d->arch.paging.shadow.total_pages != 0 )
{
- SHADOW_PRINTK("teardown of domain %u starts."
- " Shadow pages total = %u, free = %u, p2m=%u\n",
- d->domain_id,
- d->arch.paging.shadow.total_pages,
- d->arch.paging.shadow.free_pages,
- d->arch.paging.shadow.p2m_pages);
/* Destroy all the shadows and release memory to domheap */
- sh_set_allocation(d, 0, NULL);
+ sh_set_allocation(d, 0, preempted);
+
+ if ( preempted && *preempted )
+ goto out;
+
/* Release the hash table back to xenheap */
if (d->arch.paging.shadow.hash_table)
shadow_hash_teardown(d);
- /* Should not have any more memory held */
- SHADOW_PRINTK("teardown done."
- " Shadow pages total = %u, free = %u, p2m=%u\n",
- d->arch.paging.shadow.total_pages,
- d->arch.paging.shadow.free_pages,
- d->arch.paging.shadow.p2m_pages);
+
ASSERT(d->arch.paging.shadow.total_pages == 0);
}
@@ -3138,6 +3131,7 @@ void shadow_teardown(struct domain *d)
d->arch.hvm_domain.dirty_vram = NULL;
}
+out:
paging_unlock(d);
/* Must be called outside the lock */
@@ -3159,7 +3153,7 @@ void shadow_final_teardown(struct domain
* It is possible for a domain that never got domain_kill()ed
* to get here with its shadow allocation intact. */
if ( d->arch.paging.shadow.total_pages != 0 )
- shadow_teardown(d);
+ shadow_teardown(d, NULL);
/* It is now safe to pull down the p2m map. */
p2m_teardown(p2m_get_hostp2m(d));
--- a/xen/include/asm-x86/hap.h
+++ b/xen/include/asm-x86/hap.h
@@ -54,7 +54,7 @@ int hap_domctl(struct domain *d, xen_d
XEN_GUEST_HANDLE_PARAM(void) u_domctl);
int hap_enable(struct domain *d, u32 mode);
void hap_final_teardown(struct domain *d);
-void hap_teardown(struct domain *d);
+void hap_teardown(struct domain *d, int *preempted);
void hap_vcpu_init(struct vcpu *v);
int hap_track_dirty_vram(struct domain *d,
unsigned long begin_pfn,
--- a/xen/include/asm-x86/shadow.h
+++ b/xen/include/asm-x86/shadow.h
@@ -72,7 +72,7 @@ int shadow_domctl(struct domain *d,
XEN_GUEST_HANDLE_PARAM(void) u_domctl);
/* Call when destroying a domain */
-void shadow_teardown(struct domain *d);
+void shadow_teardown(struct domain *d, int *preempted);
/* Call once all of the references to the domain have gone away */
void shadow_final_teardown(struct domain *d);


@ -1,96 +0,0 @@
# Commit 22c5675877c8209adcfdb6bceddb561320374529
# Date 2015-08-25 16:17:13 +0200
# Author Aravind Gopalakrishnan <aravind.gopalakrishnan@amd.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86, amd_ucode: skip microcode updates for final levels
Some of older[Fam10h] systems require that certain number of
applied microcode patch levels should not be overwritten by
the microcode loader. Otherwise, system hangs are known to occur.
The 'final_levels' of patch ids have been obtained empirically.
Refer bug https://bugzilla.suse.com/show_bug.cgi?id=913996
for details of the issue.
The short version is that people have predominantly noticed
system hang issues when trying to update microcode levels
beyond the patch IDs below.
[0x01000098, 0x0100009f, 0x010000af]
From internal discussions, we gathered that OS/hypervisor
cannot reliably perform microcode updates beyond these levels
due to hardware issues. Therefore, we need to abort microcode
update process if we hit any of these levels.
In this patch, we check for those microcode versions and abort
if the current core has one of those final patch levels applied
by the BIOS
A linux version of the patch has already made it into tip-
http://marc.info/?l=linux-kernel&m=143703405627170
Signed-off-by: Aravind Gopalakrishnan <aravind.gopalakrishnan@amd.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
--- a/xen/arch/x86/microcode_amd.c
+++ b/xen/arch/x86/microcode_amd.c
@@ -347,6 +347,43 @@ static int container_fast_forward(const
return 0;
}
+/*
+ * The 'final_levels' of patch ids have been obtained empirically.
+ * Refer bug https://bugzilla.suse.com/show_bug.cgi?id=913996
+ * for details of the issue. The short version is that people
+ * using certain Fam10h systems noticed system hang issues when
+ * trying to update microcode levels beyond the patch IDs below.
+ * From internal discussions, we gathered that OS/hypervisor
+ * cannot reliably perform microcode updates beyond these levels
+ * due to hardware issues. Therefore, we need to abort microcode
+ * update process if we hit any of these levels.
+ */
+static const unsigned int final_levels[] = {
+ 0x01000098,
+ 0x0100009f,
+ 0x010000af
+};
+
+static bool_t check_final_patch_levels(unsigned int cpu)
+{
+ /*
+ * Check the current patch levels on the cpu. If they are equal to
+ * any of the 'final_levels', then we should not update the microcode
+ * patch on the cpu as system will hang otherwise.
+ */
+ struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu);
+ unsigned int i;
+
+ if ( boot_cpu_data.x86 != 0x10 )
+ return 0;
+
+ for ( i = 0; i < ARRAY_SIZE(final_levels); i++ )
+ if ( uci->cpu_sig.rev == final_levels[i] )
+ return 1;
+
+ return 0;
+}
+
static int cpu_request_microcode(int cpu, const void *buf, size_t bufsize)
{
struct microcode_amd *mc_amd, *mc_old;
@@ -369,6 +406,14 @@ static int cpu_request_microcode(int cpu
goto out;
}
+ if ( check_final_patch_levels(cpu) )
+ {
+ printk(XENLOG_INFO
+ "microcode: Cannot update microcode patch on the cpu as we hit a final level\n");
+ error = -EPERM;
+ goto out;
+ }
+
mc_amd = xmalloc(struct microcode_amd);
if ( !mc_amd )
{


@ -1,21 +0,0 @@
# Commit 5f335544cf5b716b0af51223e33373c4a7d65e8c
# Date 2015-08-27 17:40:38 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
IOMMU: skip domains without page tables when dumping
Reported-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Roger Pau Monné <roger.pau@citrix.com>
--- a/xen/drivers/passthrough/iommu.c
+++ b/xen/drivers/passthrough/iommu.c
@@ -368,7 +368,7 @@ static void iommu_dump_p2m_table(unsigne
ops = iommu_get_ops();
for_each_domain(d)
{
- if ( is_hardware_domain(d) )
+ if ( is_hardware_domain(d) || need_iommu(d) <= 0 )
continue;
if ( iommu_use_hap_pt(d) )


@ -1,95 +0,0 @@
# Commit 8f945d36d9bddd5b589ba23c7322b30d623dd084
# Date 2015-08-31 13:51:52 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/NUMA: fix setup_node()
The function referenced an __initdata object (nodes_found). Since this
being a node mask was more complicated than needed, the variable gets
replaced by a simple counter. Check at once that the count of nodes
doesn't go beyond MAX_NUMNODES.
Also consolidate three printk()s related to the function's use into just
one.
Finally (quite the opposite of the above issue) __init-annotate
nodes_cover_memory().
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/srat.c
+++ b/xen/arch/x86/srat.c
@@ -25,7 +25,6 @@ static struct acpi_table_slit *__read_mo
static nodemask_t memory_nodes_parsed __initdata;
static nodemask_t processor_nodes_parsed __initdata;
-static nodemask_t nodes_found __initdata;
static struct node nodes[MAX_NUMNODES] __initdata;
static u8 __read_mostly pxm2node[256] = { [0 ... 255] = NUMA_NO_NODE };
@@ -45,17 +44,25 @@ int pxm_to_node(int pxm)
return (signed char)pxm2node[pxm];
}
-__devinit int setup_node(int pxm)
+int setup_node(int pxm)
{
unsigned node = pxm2node[pxm];
- if (node == 0xff) {
- if (nodes_weight(nodes_found) >= MAX_NUMNODES)
+
+ if (node == NUMA_NO_NODE) {
+ static bool_t warned;
+ static unsigned nodes_found;
+
+ node = nodes_found++;
+ if (node >= MAX_NUMNODES) {
+ printk(KERN_WARNING
+ "SRAT: Too many proximity domains (%#x)\n",
+ pxm);
+ warned = 1;
return -1;
- node = first_unset_node(nodes_found);
- node_set(node, nodes_found);
+ }
pxm2node[pxm] = node;
}
- return pxm2node[pxm];
+ return node;
}
int valid_numa_range(u64 start, u64 end, int node)
@@ -176,7 +183,6 @@ acpi_numa_x2apic_affinity_init(struct ac
pxm = pa->proximity_domain;
node = setup_node(pxm);
if (node < 0) {
- printk(KERN_ERR "SRAT: Too many proximity domains %x\n", pxm);
bad_srat();
return;
}
@@ -209,7 +215,6 @@ acpi_numa_processor_affinity_init(struct
}
node = setup_node(pxm);
if (node < 0) {
- printk(KERN_ERR "SRAT: Too many proximity domains %x\n", pxm);
bad_srat();
return;
}
@@ -253,7 +258,6 @@ acpi_numa_memory_affinity_init(struct ac
pxm &= 0xff;
node = setup_node(pxm);
if (node < 0) {
- printk(KERN_ERR "SRAT: Too many proximity domains.\n");
bad_srat();
return;
}
@@ -295,7 +299,7 @@ acpi_numa_memory_affinity_init(struct ac
/* Sanity check to catch more bad SRATs (they are amazingly common).
Make sure the PXMs cover all memory. */
-static int nodes_cover_memory(void)
+static int __init nodes_cover_memory(void)
{
int i;


@ -1,132 +0,0 @@
# Commit c011f470e6e79208f5baa071b4d072b78c88e2ba
# Date 2015-08-31 13:52:24 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/NUMA: don't account hotplug regions
... except in cases where they really matter: node_memblk_range[] now
is the only place all regions get stored. nodes[] and NODE_DATA() track
present memory only. This improves the reporting when nodes have
disjoint "normal" and hotplug regions, with the hotplug region sitting
above the highest populated page. In such cases a node's spanned-pages
value (visible in both XEN_SYSCTL_numainfo and 'u' debug key output)
covered all the way up to top of populated memory, giving quite
different a picture from what an otherwise identically configured
system without and hotplug regions would report. Note, however, that
the actual hotplug case (as well as cases of nodes with multiple
disjoint present regions) is still not being handled such that the
reported values would represent how much memory a node really has (but
that can be considered intentional).
Reported-by: Jim Fehlig <jfehlig@suse.com>
This at once makes nodes_cover_memory() no longer consider E820_RAM
regions covered by SRAT hotplug regions.
Also reject self-overlaps with mismatching hotplug flags.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Jim Fehlig <jfehlig@suse.com>
--- a/xen/arch/x86/srat.c
+++ b/xen/arch/x86/srat.c
@@ -32,7 +32,7 @@ static u8 __read_mostly pxm2node[256] =
static int num_node_memblks;
static struct node node_memblk_range[NR_NODE_MEMBLKS];
static int memblk_nodeid[NR_NODE_MEMBLKS];
-
+static __initdata DECLARE_BITMAP(memblk_hotplug, NR_NODE_MEMBLKS);
static int node_to_pxm(int n);
@@ -89,9 +89,9 @@ static __init int conflicting_memblks(u6
if (nd->start == nd->end)
continue;
if (nd->end > start && nd->start < end)
- return memblk_nodeid[i];
+ return i;
if (nd->end == end && nd->start == start)
- return memblk_nodeid[i];
+ return i;
}
return -1;
}
@@ -229,7 +229,6 @@ acpi_numa_processor_affinity_init(struct
void __init
acpi_numa_memory_affinity_init(struct acpi_srat_mem_affinity *ma)
{
- struct node *nd;
u64 start, end;
int node, pxm;
int i;
@@ -263,30 +262,40 @@ acpi_numa_memory_affinity_init(struct ac
}
/* It is fine to add this area to the nodes data it will be used later*/
i = conflicting_memblks(start, end);
- if (i == node) {
- printk(KERN_WARNING
- "SRAT: Warning: PXM %d (%"PRIx64"-%"PRIx64") overlaps with itself (%"
- PRIx64"-%"PRIx64")\n", pxm, start, end, nodes[i].start, nodes[i].end);
- } else if (i >= 0) {
+ if (i < 0)
+ /* everything fine */;
+ else if (memblk_nodeid[i] == node) {
+ bool_t mismatch = !(ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE) !=
+ !test_bit(i, memblk_hotplug);
+
+ printk("%sSRAT: PXM %u (%"PRIx64"-%"PRIx64") overlaps with itself (%"PRIx64"-%"PRIx64")\n",
+ mismatch ? KERN_ERR : KERN_WARNING, pxm, start, end,
+ node_memblk_range[i].start, node_memblk_range[i].end);
+ if (mismatch) {
+ bad_srat();
+ return;
+ }
+ } else {
printk(KERN_ERR
- "SRAT: PXM %d (%"PRIx64"-%"PRIx64") overlaps with PXM %d (%"
- PRIx64"-%"PRIx64")\n", pxm, start, end, node_to_pxm(i),
- nodes[i].start, nodes[i].end);
+ "SRAT: PXM %u (%"PRIx64"-%"PRIx64") overlaps with PXM %u (%"PRIx64"-%"PRIx64")\n",
+ pxm, start, end, node_to_pxm(memblk_nodeid[i]),
+ node_memblk_range[i].start, node_memblk_range[i].end);
bad_srat();
return;
}
- nd = &nodes[node];
- if (!node_test_and_set(node, memory_nodes_parsed)) {
- nd->start = start;
- nd->end = end;
- } else {
- if (start < nd->start)
+ if (!(ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE)) {
+ struct node *nd = &nodes[node];
+
+ if (!node_test_and_set(node, memory_nodes_parsed)) {
nd->start = start;
- if (nd->end < end)
nd->end = end;
+ } else {
+ if (start < nd->start)
+ nd->start = start;
+ if (nd->end < end)
+ nd->end = end;
+ }
}
- if ((ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE) && end > mem_hotplug)
- mem_hotplug = end;
printk(KERN_INFO "SRAT: Node %u PXM %u %"PRIx64"-%"PRIx64"%s\n",
node, pxm, start, end,
ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE ? " (hotplug)" : "");
@@ -294,6 +303,11 @@ acpi_numa_memory_affinity_init(struct ac
node_memblk_range[num_node_memblks].start = start;
node_memblk_range[num_node_memblks].end = end;
memblk_nodeid[num_node_memblks] = node;
+ if (ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE) {
+ __set_bit(num_node_memblks, memblk_hotplug);
+ if (end > mem_hotplug)
+ mem_hotplug = end;
+ }
num_node_memblks++;
}


@ -1,176 +0,0 @@
# Commit 88e3ed61642bb393458acc7a9bd2f96edc337190
# Date 2015-09-01 14:02:57 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/NUMA: make init_node_heap() respect Xen heap limit
On NUMA systems, where we try to use node local memory for the basic
control structures of the buddy allocator, this special case needs to
take into consideration a possible address width limit placed on the
Xen heap. In turn this (but also other, more abstract considerations)
requires that xenheap_max_mfn() not be called more than once (at most
we might permit it to be called a second time with a larger value than
was passed the first time), and be called only before calling
end_boot_allocator().
While inspecting all the involved code, a couple of off-by-one issues
were found (and are being corrected here at once):
- arch_init_memory() cleared one too many page table slots
- the highmem_start based invocation of xenheap_max_mfn() passed too
big a value
- xenheap_max_mfn() calculated the wrong bit count in edge cases
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
# Commit 0a7167d9b20cdc48e6ea320fbbb920b3267c9757
# Date 2015-09-04 14:58:07 +0100
# Author Julien Grall <julien.grall@citrix.com>
# Committer Ian Campbell <ian.campbell@citrix.com>
xen/arm64: do not (incorrectly) limit size of xenheap
The commit 88e3ed61642bb393458acc7a9bd2f96edc337190 "x86/NUMA: make
init_node_heap() respect Xen heap limit" breaks boot on the arm64 board
X-Gene.
The xenheap bits variable is used to know the last RAM MFN always mapped
in Xen virtual memory. If the value is 0, it means that all the memory is
always mapped in Xen virtual memory.
On X-gene the RAM bank resides above 128GB and last xenheap MFN is
0x4400000. With the new way to calculate the number of bits, xenheap_bits
will be equal to 38 bits. This will result to hide all the RAM and the
impossibility to allocate xenheap memory.
Given that aarch64 have always all the memory mapped in Xen virtual
memory, it's not necessary to call xenheap_max_mfn which set the number
of bits.
Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Julien Grall <julien.grall@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -664,7 +664,6 @@ static void __init setup_mm(unsigned lon
xenheap_virt_end = XENHEAP_VIRT_START + ram_end - ram_start;
xenheap_mfn_start = ram_start >> PAGE_SHIFT;
xenheap_mfn_end = ram_end >> PAGE_SHIFT;
- xenheap_max_mfn(xenheap_mfn_end);
/*
* Need enough mapped pages for copying the DTB.
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -372,7 +372,7 @@ void __init arch_init_memory(void)
for ( i = 0; i < l3_table_offset(split_va); ++i )
l3tab[i] = l3idle[i];
- for ( ; i <= L3_PAGETABLE_ENTRIES; ++i )
+ for ( ; i < L3_PAGETABLE_ENTRIES; ++i )
l3tab[i] = l3e_empty();
split_l4e = l4e_from_pfn(virt_to_mfn(l3tab),
__PAGE_HYPERVISOR);
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -970,7 +970,7 @@ void __init noreturn __start_xen(unsigne
setup_max_pdx(raw_max_page);
if ( highmem_start )
- xenheap_max_mfn(PFN_DOWN(highmem_start));
+ xenheap_max_mfn(PFN_DOWN(highmem_start - 1));
/*
* Walk every RAM region and map it in its entirety (on x86/64, at least)
@@ -1151,9 +1151,6 @@ void __init noreturn __start_xen(unsigne
numa_initmem_init(0, raw_max_page);
- end_boot_allocator();
- system_state = SYS_STATE_boot;
-
if ( max_page - 1 > virt_to_mfn(HYPERVISOR_VIRT_END - 1) )
{
unsigned long limit = virt_to_mfn(HYPERVISOR_VIRT_END - 1);
@@ -1162,6 +1159,8 @@ void __init noreturn __start_xen(unsigne
if ( !highmem_start )
xenheap_max_mfn(limit);
+ end_boot_allocator();
+
/* Pass the remaining memory to the allocator. */
for ( i = 0; i < boot_e820.nr_map; i++ )
{
@@ -1185,6 +1184,10 @@ void __init noreturn __start_xen(unsigne
opt_tmem = 0;
}
}
+ else
+ end_boot_allocator();
+
+ system_state = SYS_STATE_boot;
vm_init();
console_init_ring();
--- a/xen/common/page_alloc.c
+++ b/xen/common/page_alloc.c
@@ -405,13 +405,19 @@ void get_outstanding_claims(uint64_t *fr
spin_unlock(&heap_lock);
}
+static bool_t __read_mostly first_node_initialised;
+#ifndef CONFIG_SEPARATE_XENHEAP
+static unsigned int __read_mostly xenheap_bits;
+#else
+#define xenheap_bits 0
+#endif
+
static unsigned long init_node_heap(int node, unsigned long mfn,
unsigned long nr, bool_t *use_tail)
{
/* First node to be discovered has its heap metadata statically alloced. */
static heap_by_zone_and_order_t _heap_static;
static unsigned long avail_static[NR_ZONES];
- static int first_node_initialised;
unsigned long needed = (sizeof(**_heap) +
sizeof(**avail) * NR_ZONES +
PAGE_SIZE - 1) >> PAGE_SHIFT;
@@ -429,14 +435,18 @@ static unsigned long init_node_heap(int
}
#ifdef DIRECTMAP_VIRT_END
else if ( *use_tail && nr >= needed &&
- (mfn + nr) <= (virt_to_mfn(eva - 1) + 1) )
+ (mfn + nr) <= (virt_to_mfn(eva - 1) + 1) &&
+ (!xenheap_bits ||
+ !((mfn + nr - 1) >> (xenheap_bits - PAGE_SHIFT))) )
{
_heap[node] = mfn_to_virt(mfn + nr - needed);
avail[node] = mfn_to_virt(mfn + nr - 1) +
PAGE_SIZE - sizeof(**avail) * NR_ZONES;
}
else if ( nr >= needed &&
- (mfn + needed) <= (virt_to_mfn(eva - 1) + 1) )
+ (mfn + needed) <= (virt_to_mfn(eva - 1) + 1) &&
+ (!xenheap_bits ||
+ !((mfn + needed - 1) >> (xenheap_bits - PAGE_SHIFT))) )
{
_heap[node] = mfn_to_virt(mfn);
avail[node] = mfn_to_virt(mfn + needed - 1) +
@@ -1541,11 +1551,13 @@ void free_xenheap_pages(void *v, unsigne
#else
-static unsigned int __read_mostly xenheap_bits;
-
void __init xenheap_max_mfn(unsigned long mfn)
{
- xenheap_bits = fls(mfn) + PAGE_SHIFT;
+ ASSERT(!first_node_initialised);
+ ASSERT(!xenheap_bits);
+ BUILD_BUG_ON(PADDR_BITS >= BITS_PER_LONG);
+ xenheap_bits = min(fls(mfn + 1) - 1 + PAGE_SHIFT, PADDR_BITS);
+ printk(XENLOG_INFO "Xen heap: %u bits\n", xenheap_bits);
}
void init_xenheap_pages(paddr_t ps, paddr_t pe)


@ -1,68 +0,0 @@
# Commit 244582a01dcb49fa30083725964a066937cc94f2
# Date 2015-09-11 16:24:56 +0200
# Author Kouya Shimura <kouya@jp.fujitsu.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/hvm: fix saved pmtimer and hpet values
The ACPI PM timer is sometimes broken on live migration.
Since vcpu->arch.hvm_vcpu.guest_time is always zero in other than
"delay for missed ticks mode". Even in "delay for missed ticks mode",
vcpu's guest_time field is not valid (i.e. zero) when
the state of vcpu is "blocked". (see pt_save_timer function)
The original author (Tim Deegan) of pmtimer_save() must have intended
that it saves the last scheduled time of the vcpu. Unfortunately it was
already implied this bug. FYI, there is no other timer mode than
"delay for missed ticks mode" then.
For consistency with HPET, pmtimer_save() should refer hvm_get_guest_time()
to update the counter as well as hpet_save() does.
Without this patch, the clock of windows server 2012R2 without HPET
might leap forward several minutes on live migration.
Signed-off-by: Kouya Shimura <kouya@jp.fujitsu.com>
Retain use of ->arch.hvm_vcpu.guest_time when non-zero. Do the inverse
adjustment for vHPET.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Reviewed-by: Kouya Shimura <kouya@jp.fujitsu.com>
--- a/xen/arch/x86/hvm/hpet.c
+++ b/xen/arch/x86/hvm/hpet.c
@@ -506,11 +506,13 @@ const struct hvm_mmio_handler hpet_mmio_
static int hpet_save(struct domain *d, hvm_domain_context_t *h)
{
HPETState *hp = domain_vhpet(d);
+ struct vcpu *v = pt_global_vcpu_target(d);
int rc;
uint64_t guest_time;
write_lock(&hp->lock);
- guest_time = guest_time_hpet(hp);
+ guest_time = (v->arch.hvm_vcpu.guest_time ?: hvm_get_guest_time(v)) /
+ STIME_PER_HPET_TICK;
/* Write the proper value into the main counter */
if ( hpet_enabled(hp) )
--- a/xen/arch/x86/hvm/pmtimer.c
+++ b/xen/arch/x86/hvm/pmtimer.c
@@ -250,10 +250,12 @@ static int pmtimer_save(struct domain *d
spin_lock(&s->lock);
- /* Update the counter to the guest's current time. We always save
- * with the domain paused, so the saved time should be after the
- * last_gtime, but just in case, make sure we only go forwards */
- x = ((s->vcpu->arch.hvm_vcpu.guest_time - s->last_gtime) * s->scale) >> 32;
+ /*
+ * Update the counter to the guest's current time. Make sure it only
+ * goes forwards.
+ */
+ x = (((s->vcpu->arch.hvm_vcpu.guest_time ?: hvm_get_guest_time(s->vcpu)) -
+ s->last_gtime) * s->scale) >> 32;
if ( x < 1UL<<31 )
s->pm.tmr_val += x;
if ( (s->pm.tmr_val & TMR_VAL_MSB) != msb )


@ -1,23 +0,0 @@
# Commit c7d5d5d8ea1ecbd6ef8b47dace4dec825f0f6e48
# Date 2015-09-16 11:20:27 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/MSI: fail if no hardware support
This is to guard against buggy callers (luckily Dom0 only) invoking
the respective hypercall for a device not being MSI-capable.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -696,6 +696,8 @@ static int msi_capability_init(struct pc
ASSERT(spin_is_locked(&pcidevs_lock));
pos = pci_find_cap_offset(seg, bus, slot, func, PCI_CAP_ID_MSI);
+ if ( !pos )
+ return -ENODEV;
control = pci_conf_read16(seg, bus, slot, func, msi_control_reg(pos));
maxvec = multi_msi_capable(control);
if ( nvec > maxvec )


@ -34,9 +34,11 @@ Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -505,12 +505,12 @@ void update_cr3(struct vcpu *v)
Index: xen-4.5.2-testing/xen/arch/x86/mm.c
===================================================================
--- xen-4.5.2-testing.orig/xen/arch/x86/mm.c
+++ xen-4.5.2-testing/xen/arch/x86/mm.c
@@ -508,12 +508,12 @@ void update_cr3(struct vcpu *v)
make_cr3(v, cr3_mfn);
}
@ -51,7 +53,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
struct page_info *page;
BUG_ON(unlikely(in_irq()));
@@ -525,10 +525,10 @@ static void invalidate_shadow_ldt(struct
@@ -528,10 +528,10 @@ static void invalidate_shadow_ldt(struct
for ( i = 16; i < 32; i++ )
{
@ -65,7 +67,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
ASSERT_PAGE_IS_TYPE(page, PGT_seg_desc_page);
ASSERT_PAGE_IS_DOMAIN(page, v->domain);
put_page_and_type(page);
@@ -4360,16 +4360,18 @@ long do_update_va_mapping_otherdomain(un
@@ -4366,16 +4366,18 @@ long do_update_va_mapping_otherdomain(un
void destroy_gdt(struct vcpu *v)
{
l1_pgentry_t *pl1e;
@ -88,7 +90,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
v->arch.pv_vcpu.gdt_frames[i] = 0;
}
}
@@ -4382,7 +4384,7 @@ long set_gdt(struct vcpu *v,
@@ -4388,7 +4390,7 @@ long set_gdt(struct vcpu *v,
struct domain *d = v->domain;
l1_pgentry_t *pl1e;
/* NB. There are 512 8-byte entries per GDT page. */


@ -1,77 +0,0 @@
# Commit 86f3ff9fc4cc3cb69b96c1de74bcc51f738fe2b9
# Date 2015-09-25 09:08:22 +0200
# Author Quan Xu <quan.xu@intel.com>
# Committer Jan Beulich <jbeulich@suse.com>
vt-d: fix IM bit mask and unmask of Fault Event Control Register
Bit 0:29 in Fault Event Control Register are 'Reserved and Preserved',
software cannot write 0 to it unconditionally. Software must preserve
the value read for writes.
Signed-off-by: Quan Xu <quan.xu@intel.com>
Acked-by: Yang Zhang <yang.z.zhang@intel.com>
# Commit 26b300bd727ef00a8f60329212a83c3b027a48f7
# Date 2015-09-25 18:03:04 +0200
# Author Quan Xu <quan.xu@intel.com>
# Committer Jan Beulich <jbeulich@suse.com>
vt-d: fix IM bit unmask of Fault Event Control Register in init_vtd_hw()
Bit 0:29 in Fault Event Control Register are 'Reserved and Preserved',
software cannot write 0 to it unconditionally. Software must preserve
the value read for writes.
Suggested-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Quan Xu <quan.xu@intel.com>
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -991,10 +991,13 @@ static void dma_msi_unmask(struct irq_de
{
struct iommu *iommu = desc->action->dev_id;
unsigned long flags;
+ u32 sts;
/* unmask it */
spin_lock_irqsave(&iommu->register_lock, flags);
- dmar_writel(iommu->reg, DMAR_FECTL_REG, 0);
+ sts = dmar_readl(iommu->reg, DMAR_FECTL_REG);
+ sts &= ~DMA_FECTL_IM;
+ dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
spin_unlock_irqrestore(&iommu->register_lock, flags);
iommu->msi.msi_attrib.host_masked = 0;
}
@@ -1003,10 +1006,13 @@ static void dma_msi_mask(struct irq_desc
{
unsigned long flags;
struct iommu *iommu = desc->action->dev_id;
+ u32 sts;
/* mask it */
spin_lock_irqsave(&iommu->register_lock, flags);
- dmar_writel(iommu->reg, DMAR_FECTL_REG, DMA_FECTL_IM);
+ sts = dmar_readl(iommu->reg, DMAR_FECTL_REG);
+ sts |= DMA_FECTL_IM;
+ dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
spin_unlock_irqrestore(&iommu->register_lock, flags);
iommu->msi.msi_attrib.host_masked = 1;
}
@@ -2002,6 +2008,7 @@ static int init_vtd_hw(void)
struct iommu_flush *flush = NULL;
int ret;
unsigned long flags;
+ u32 sts;
/*
* Basic VT-d HW init: set VT-d interrupt, clear VT-d faults.
@@ -2015,7 +2022,9 @@ static int init_vtd_hw(void)
clear_fault_bits(iommu);
spin_lock_irqsave(&iommu->register_lock, flags);
- dmar_writel(iommu->reg, DMAR_FECTL_REG, 0);
+ sts = dmar_readl(iommu->reg, DMAR_FECTL_REG);
+ sts &= ~DMA_FECTL_IM;
+ dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
spin_unlock_irqrestore(&iommu->register_lock, flags);
}


@ -1,48 +0,0 @@
# Commit 6c0e4ad60850032c9bbd5d18b8446421c97e08e4
# Date 2015-09-29 10:25:29 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/EPT: tighten conditions of IOMMU mapping updates
Permission changes should also result in updates or TLB flushes.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -619,6 +619,7 @@ ept_set_entry(struct p2m_domain *p2m, un
uint8_t ipat = 0;
int need_modify_vtd_table = 1;
int vtd_pte_present = 0;
+ unsigned int iommu_flags = p2m_get_iommu_flags(p2mt);
enum { sync_off, sync_on, sync_check } needs_sync = sync_check;
ept_entry_t old_entry = { .epte = 0 };
ept_entry_t new_entry = { .epte = 0 };
@@ -749,8 +750,9 @@ ept_set_entry(struct p2m_domain *p2m, un
new_entry.mfn = mfn_x(mfn);
/* Safe to read-then-write because we hold the p2m lock */
- if ( ept_entry->mfn == new_entry.mfn )
- need_modify_vtd_table = 0;
+ if ( ept_entry->mfn == new_entry.mfn &&
+ p2m_get_iommu_flags(ept_entry->sa_p2mt) == iommu_flags )
+ need_modify_vtd_table = 0;
ept_p2m_type_to_flags(&new_entry, p2mt, p2ma);
}
@@ -775,11 +777,9 @@ out:
iommu_pte_flush(d, gfn, &ept_entry->epte, order, vtd_pte_present);
else
{
- unsigned int flags = p2m_get_iommu_flags(p2mt);
-
- if ( flags != 0 )
+ if ( iommu_flags )
for ( i = 0; i < (1 << order); i++ )
- iommu_map_page(d, gfn + i, mfn_x(mfn) + i, flags);
+ iommu_map_page(d, gfn + i, mfn_x(mfn) + i, iommu_flags);
else
for ( i = 0; i < (1 << order); i++ )
iommu_unmap_page(d, gfn + i);


@ -1,97 +0,0 @@
# Commit 960265fbd878cdc9841473b755e4ccc9eb1942d2
# Date 2015-09-29 13:55:34 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/p2m-pt: delay freeing of intermediate page tables
Old intermediate page tables must be freed only after IOMMU side
updates/flushes have got carried out.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
--- a/xen/arch/x86/mm/p2m-pt.c
+++ b/xen/arch/x86/mm/p2m-pt.c
@@ -486,8 +486,9 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
/* XXX -- this might be able to be faster iff current->domain == d */
void *table;
unsigned long i, gfn_remainder = gfn;
- l1_pgentry_t *p2m_entry;
- l1_pgentry_t entry_content;
+ l1_pgentry_t *p2m_entry, entry_content;
+ /* Intermediate table to free if we're replacing it with a superpage. */
+ l1_pgentry_t intermediate_entry = l1e_empty();
l2_pgentry_t l2e_content;
l3_pgentry_t l3e_content;
int rc;
@@ -535,7 +536,6 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
*/
if ( page_order == PAGE_ORDER_1G )
{
- l1_pgentry_t old_entry = l1e_empty();
p2m_entry = p2m_find_entry(table, &gfn_remainder, gfn,
L3_PAGETABLE_SHIFT - PAGE_SHIFT,
L3_PAGETABLE_ENTRIES);
@@ -545,7 +545,7 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
{
/* We're replacing a non-SP page with a superpage. Make sure to
* handle freeing the table properly. */
- old_entry = *p2m_entry;
+ intermediate_entry = *p2m_entry;
}
ASSERT(!mfn_valid(mfn) || p2mt != p2m_mmio_direct);
@@ -563,10 +563,6 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
p2m->write_p2m_entry(p2m, gfn, p2m_entry, entry_content, 3);
/* NB: paging_write_p2m_entry() handles tlb flushes properly */
-
- /* Free old intermediate tables if necessary */
- if ( l1e_get_flags(old_entry) & _PAGE_PRESENT )
- p2m_free_entry(p2m, &old_entry, page_order);
}
else
{
@@ -607,7 +603,6 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
}
else if ( page_order == PAGE_ORDER_2M )
{
- l1_pgentry_t old_entry = l1e_empty();
p2m_entry = p2m_find_entry(table, &gfn_remainder, gfn,
L2_PAGETABLE_SHIFT - PAGE_SHIFT,
L2_PAGETABLE_ENTRIES);
@@ -619,7 +614,7 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
{
/* We're replacing a non-SP page with a superpage. Make sure to
* handle freeing the table properly. */
- old_entry = *p2m_entry;
+ intermediate_entry = *p2m_entry;
}
ASSERT(!mfn_valid(mfn) || p2mt != p2m_mmio_direct);
@@ -640,10 +635,6 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
p2m->write_p2m_entry(p2m, gfn, p2m_entry, entry_content, 2);
/* NB: paging_write_p2m_entry() handles tlb flushes properly */
-
- /* Free old intermediate tables if necessary */
- if ( l1e_get_flags(old_entry) & _PAGE_PRESENT )
- p2m_free_entry(p2m, &old_entry, page_order);
}
/* Track the highest gfn for which we have ever had a valid mapping */
@@ -671,6 +662,14 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
}
}
+ /*
+ * Free old intermediate tables if necessary. This has to be the
+ * last thing we do, after removal from the IOMMU tables, so as to
+ * avoid a potential use-after-free.
+ */
+ if ( l1e_get_flags(intermediate_entry) & _PAGE_PRESENT )
+ p2m_free_entry(p2m, &intermediate_entry, page_order);
+
out:
unmap_domain_page(table);
return rc;


@ -1,22 +0,0 @@
# Commit c0a85795d864dd64c116af661bf676d66ddfd5fc
# Date 2015-09-29 13:56:03 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/p2m-pt: ignore pt-share flag for shadow mode guests
There is no page table sharing in shadow mode.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
--- a/xen/arch/x86/mm/p2m-pt.c
+++ b/xen/arch/x86/mm/p2m-pt.c
@@ -644,7 +644,7 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
if ( iommu_enabled && need_iommu(p2m->domain) )
{
- if ( iommu_hap_pt_share )
+ if ( iommu_use_hap_pt(p2m->domain) )
{
if ( old_mfn && (old_mfn != mfn_x(mfn)) )
amd_iommu_flush_pages(p2m->domain, gfn, page_order);


@ -1,104 +0,0 @@
# Commit ea5637968a09a81a64fa5fd73ce49b4ea9789e12
# Date 2015-09-30 14:44:22 +0200
# Author Dario Faggioli <dario.faggioli@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
credit1: fix tickling when it happens from a remote pCPU
especially if that is also from a different cpupool than the
processor of the vCPU that triggered the tickling.
In fact, it is possible that we get as far as calling vcpu_unblock()-->
vcpu_wake()-->csched_vcpu_wake()-->__runq_tickle() for the vCPU 'vc',
but all while running on a pCPU that is different from 'vc->processor'.
For instance, this can happen when an HVM domain runs in a cpupool,
with a different scheduler than the default one, and issues IOREQs
to Dom0, running in Pool-0 with the default scheduler.
In fact, right in this case, the following crash can be observed:
(XEN) ----[ Xen-4.7-unstable x86_64 debug=y Tainted: C ]----
(XEN) CPU: 7
(XEN) RIP: e008:[<ffff82d0801230de>] __runq_tickle+0x18f/0x430
(XEN) RFLAGS: 0000000000010086 CONTEXT: hypervisor (d1v0)
(XEN) rax: 0000000000000001 rbx: ffff8303184fee00 rcx: 0000000000000000
(XEN) ... ... ...
(XEN) Xen stack trace from rsp=ffff83031fa57a08:
(XEN) ffff82d0801fe664 ffff82d08033c820 0000000100000002 0000000a00000001
(XEN) 0000000000006831 0000000000000000 0000000000000000 0000000000000000
(XEN) ... ... ...
(XEN) Xen call trace:
(XEN) [<ffff82d0801230de>] __runq_tickle+0x18f/0x430
(XEN) [<ffff82d08012348a>] csched_vcpu_wake+0x10b/0x110
(XEN) [<ffff82d08012b421>] vcpu_wake+0x20a/0x3ce
(XEN) [<ffff82d08012b91c>] vcpu_unblock+0x4b/0x4e
(XEN) [<ffff82d080167bd0>] vcpu_kick+0x17/0x61
(XEN) [<ffff82d080167c46>] vcpu_mark_events_pending+0x2c/0x2f
(XEN) [<ffff82d08010ac35>] evtchn_fifo_set_pending+0x381/0x3f6
(XEN) [<ffff82d08010a0f6>] notify_via_xen_event_channel+0xc9/0xd6
(XEN) [<ffff82d0801c29ed>] hvm_send_ioreq+0x3e9/0x441
(XEN) [<ffff82d0801bba7d>] hvmemul_do_io+0x23f/0x2d2
(XEN) [<ffff82d0801bbb43>] hvmemul_do_io_buffer+0x33/0x64
(XEN) [<ffff82d0801bc92b>] hvmemul_do_pio_buffer+0x35/0x37
(XEN) [<ffff82d0801cc49f>] handle_pio+0x58/0x14c
(XEN) [<ffff82d0801eabcb>] vmx_vmexit_handler+0x16b3/0x1bea
(XEN) [<ffff82d0801efd21>] vmx_asm_vmexit_handler+0x41/0xc0
In this case, pCPU 7 is not in Pool-0, while the (Dom0's) vCPU being
woken is. pCPU's 7 pool has a different scheduler than credit, but it
is, however, right from pCPU 7 that we are waking the Dom0's vCPUs.
Therefore, the current code tries to access csched_balance_mask for
pCPU 7, but that is not defined, and hence the Oops.
(Note that, in case the two pools run the same scheduler we see no
Oops, but things are still conceptually wrong.)
Cure things by making the csched_balance_mask macro accept a
parameter for fetching a specific pCPU's mask (instead than always
using smp_processor_id()).
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
--- a/xen/common/sched_credit.c
+++ b/xen/common/sched_credit.c
@@ -154,10 +154,10 @@ struct csched_pcpu {
* Convenience macro for accessing the per-PCPU cpumask we need for
* implementing the two steps (soft and hard affinity) balancing logic.
* It is stored in csched_pcpu so that serialization is not an issue,
- * as there is a csched_pcpu for each PCPU and we always hold the
- * runqueue spin-lock when using this.
+ * as there is a csched_pcpu for each PCPU, and we always hold the
+ * runqueue lock for the proper PCPU when using this.
*/
-#define csched_balance_mask (CSCHED_PCPU(smp_processor_id())->balance_mask)
+#define csched_balance_mask(c) (CSCHED_PCPU(c)->balance_mask)
/*
* Virtual CPU
@@ -396,9 +396,10 @@ __runq_tickle(unsigned int cpu, struct c
/* Are there idlers suitable for new (for this balance step)? */
csched_balance_cpumask(new->vcpu, balance_step,
- csched_balance_mask);
- cpumask_and(csched_balance_mask, csched_balance_mask, &idle_mask);
- new_idlers_empty = cpumask_empty(csched_balance_mask);
+ csched_balance_mask(cpu));
+ cpumask_and(csched_balance_mask(cpu),
+ csched_balance_mask(cpu), &idle_mask);
+ new_idlers_empty = cpumask_empty(csched_balance_mask(cpu));
/*
* Let's not be too harsh! If there aren't idlers suitable
@@ -1475,8 +1476,9 @@ csched_runq_steal(int peer_cpu, int cpu,
&& !__vcpu_has_soft_affinity(vc, vc->cpu_hard_affinity) )
continue;
- csched_balance_cpumask(vc, balance_step, csched_balance_mask);
- if ( __csched_vcpu_is_migrateable(vc, cpu, csched_balance_mask) )
+ csched_balance_cpumask(vc, balance_step, csched_balance_mask(cpu));
+ if ( __csched_vcpu_is_migrateable(vc, cpu,
+ csched_balance_mask(cpu)) )
{
/* We got a candidate. Grab it! */
TRACE_3D(TRC_CSCHED_STOLEN_VCPU, peer_cpu,


@ -1,159 +0,0 @@
# Commit 660fd65d5578a95ec5eac522128bba23325179eb
# Date 2015-10-02 13:40:36 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/p2m-pt: tighten conditions of IOMMU mapping updates
Whether the MFN changes does not depend on the new entry being valid
(but solely on the old one), and the need to update or TLB-flush also
depends on permission changes.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
--- a/xen/arch/x86/mm/p2m-pt.c
+++ b/xen/arch/x86/mm/p2m-pt.c
@@ -493,7 +493,18 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
l3_pgentry_t l3e_content;
int rc;
unsigned int iommu_pte_flags = p2m_get_iommu_flags(p2mt);
- unsigned long old_mfn = 0;
+ /*
+ * old_mfn and iommu_old_flags control possible flush/update needs on the
+ * IOMMU: We need to flush when MFN or flags (i.e. permissions) change.
+ * iommu_old_flags being initialized to zero covers the case of the entry
+ * getting replaced being a non-present (leaf or intermediate) one. For
+ * present leaf entries the real value will get calculated below, while
+ * for present intermediate entries ~0 (guaranteed != iommu_pte_flags)
+ * will be used (to cover all cases of what the leaf entries underneath
+ * the intermediate one might be).
+ */
+ unsigned int flags, iommu_old_flags = 0;
+ unsigned long old_mfn = INVALID_MFN;
if ( tb_init_done )
{
@@ -540,12 +551,20 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
L3_PAGETABLE_SHIFT - PAGE_SHIFT,
L3_PAGETABLE_ENTRIES);
ASSERT(p2m_entry);
- if ( (l1e_get_flags(*p2m_entry) & _PAGE_PRESENT) &&
- !(l1e_get_flags(*p2m_entry) & _PAGE_PSE) )
+ flags = l1e_get_flags(*p2m_entry);
+ if ( flags & _PAGE_PRESENT )
{
- /* We're replacing a non-SP page with a superpage. Make sure to
- * handle freeing the table properly. */
- intermediate_entry = *p2m_entry;
+ if ( flags & _PAGE_PSE )
+ {
+ iommu_old_flags =
+ p2m_get_iommu_flags(p2m_flags_to_type(flags));
+ old_mfn = l1e_get_pfn(*p2m_entry);
+ }
+ else
+ {
+ iommu_old_flags = ~0;
+ intermediate_entry = *p2m_entry;
+ }
}
ASSERT(!mfn_valid(mfn) || p2mt != p2m_mmio_direct);
@@ -556,10 +575,7 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
entry_content.l1 = l3e_content.l3;
if ( entry_content.l1 != 0 )
- {
p2m_add_iommu_flags(&entry_content, 0, iommu_pte_flags);
- old_mfn = l1e_get_pfn(*p2m_entry);
- }
p2m->write_p2m_entry(p2m, gfn, p2m_entry, entry_content, 3);
/* NB: paging_write_p2m_entry() handles tlb flushes properly */
@@ -584,7 +600,10 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
p2m_entry = p2m_find_entry(table, &gfn_remainder, gfn,
0, L1_PAGETABLE_ENTRIES);
ASSERT(p2m_entry);
-
+ iommu_old_flags =
+ p2m_get_iommu_flags(p2m_flags_to_type(l1e_get_flags(*p2m_entry)));
+ old_mfn = l1e_get_pfn(*p2m_entry);
+
if ( mfn_valid(mfn) || (p2mt == p2m_mmio_direct)
|| p2m_is_paging(p2mt) )
entry_content = p2m_l1e_from_pfn(mfn_x(mfn),
@@ -593,10 +612,8 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
entry_content = l1e_empty();
if ( entry_content.l1 != 0 )
- {
p2m_add_iommu_flags(&entry_content, 0, iommu_pte_flags);
- old_mfn = l1e_get_pfn(*p2m_entry);
- }
+
/* level 1 entry */
p2m->write_p2m_entry(p2m, gfn, p2m_entry, entry_content, 1);
/* NB: paging_write_p2m_entry() handles tlb flushes properly */
@@ -607,14 +624,20 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
L2_PAGETABLE_SHIFT - PAGE_SHIFT,
L2_PAGETABLE_ENTRIES);
ASSERT(p2m_entry);
-
- /* FIXME: Deal with 4k replaced by 2meg pages */
- if ( (l1e_get_flags(*p2m_entry) & _PAGE_PRESENT) &&
- !(l1e_get_flags(*p2m_entry) & _PAGE_PSE) )
- {
- /* We're replacing a non-SP page with a superpage. Make sure to
- * handle freeing the table properly. */
- intermediate_entry = *p2m_entry;
+ flags = l1e_get_flags(*p2m_entry);
+ if ( flags & _PAGE_PRESENT )
+ {
+ if ( flags & _PAGE_PSE )
+ {
+ iommu_old_flags =
+ p2m_get_iommu_flags(p2m_flags_to_type(flags));
+ old_mfn = l1e_get_pfn(*p2m_entry);
+ }
+ else
+ {
+ iommu_old_flags = ~0;
+ intermediate_entry = *p2m_entry;
+ }
}
ASSERT(!mfn_valid(mfn) || p2mt != p2m_mmio_direct);
@@ -628,10 +651,7 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
entry_content.l1 = l2e_content.l2;
if ( entry_content.l1 != 0 )
- {
p2m_add_iommu_flags(&entry_content, 0, iommu_pte_flags);
- old_mfn = l1e_get_pfn(*p2m_entry);
- }
p2m->write_p2m_entry(p2m, gfn, p2m_entry, entry_content, 2);
/* NB: paging_write_p2m_entry() handles tlb flushes properly */
@@ -642,17 +662,17 @@ p2m_pt_set_entry(struct p2m_domain *p2m,
&& (gfn + (1UL << page_order) - 1 > p2m->max_mapped_pfn) )
p2m->max_mapped_pfn = gfn + (1UL << page_order) - 1;
- if ( iommu_enabled && need_iommu(p2m->domain) )
+ if ( iommu_enabled && need_iommu(p2m->domain) &&
+ (iommu_old_flags != iommu_pte_flags || old_mfn != mfn_x(mfn)) )
{
if ( iommu_use_hap_pt(p2m->domain) )
{
- if ( old_mfn && (old_mfn != mfn_x(mfn)) )
+ if ( iommu_old_flags )
amd_iommu_flush_pages(p2m->domain, gfn, page_order);
}
else
{
- unsigned int flags = p2m_get_iommu_flags(p2mt);
-
+ flags = p2m_get_iommu_flags(p2mt);
if ( flags != 0 )
for ( i = 0; i < (1UL << page_order); i++ )
iommu_map_page(p2m->domain, gfn+i, mfn_x(mfn)+i, flags);


@ -1,55 +0,0 @@
# Commit 710942e57fb42ff8f344ca82f6b678f67e38ae63
# Date 2015-10-12 15:58:35 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
VT-d: don't suppress invalidation address write when it is zero
GFN zero is a valid address, and hence may need invalidation done for
it just like for any other GFN.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Yang Zhang <yang.z.zhang@intel.com>
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -414,7 +414,7 @@ static int flush_iotlb_reg(void *_iommu,
{
struct iommu *iommu = (struct iommu *) _iommu;
int tlb_offset = ecap_iotlb_offset(iommu->ecap);
- u64 val = 0, val_iva = 0;
+ u64 val = 0;
unsigned long flags;
/*
@@ -435,7 +435,6 @@ static int flush_iotlb_reg(void *_iommu,
switch ( type )
{
case DMA_TLB_GLOBAL_FLUSH:
- /* global flush doesn't need set IVA_REG */
val = DMA_TLB_GLOBAL_FLUSH|DMA_TLB_IVT;
break;
case DMA_TLB_DSI_FLUSH:
@@ -443,8 +442,6 @@ static int flush_iotlb_reg(void *_iommu,
break;
case DMA_TLB_PSI_FLUSH:
val = DMA_TLB_PSI_FLUSH|DMA_TLB_IVT|DMA_TLB_DID(did);
- /* Note: always flush non-leaf currently */
- val_iva = size_order | addr;
break;
default:
BUG();
@@ -457,8 +454,11 @@ static int flush_iotlb_reg(void *_iommu,
spin_lock_irqsave(&iommu->register_lock, flags);
/* Note: Only uses first TLB reg currently */
- if ( val_iva )
- dmar_writeq(iommu->reg, tlb_offset, val_iva);
+ if ( type == DMA_TLB_PSI_FLUSH )
+ {
+ /* Note: always flush non-leaf currently. */
+ dmar_writeq(iommu->reg, tlb_offset, size_order | addr);
+ }
dmar_writeq(iommu->reg, tlb_offset + 8, val);
/* Make sure hardware complete it */


@ -1,32 +0,0 @@
# Commit 941cd44324db7eddc46cba4596fa13d505066ccf
# Date 2015-10-13 17:17:52 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: hide MWAITX from PV domains
Since MWAIT is hidden too. (Linux starting with 4.3 is making use of
that feature, and is checking for it without looking at the MWAIT one.)
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -904,6 +904,7 @@ void pv_cpuid(struct cpu_user_regs *regs
__clear_bit(X86_FEATURE_LWP % 32, &c);
__clear_bit(X86_FEATURE_NODEID_MSR % 32, &c);
__clear_bit(X86_FEATURE_TOPOEXT % 32, &c);
+ __clear_bit(X86_FEATURE_MWAITX % 32, &c);
break;
case 0x00000005: /* MONITOR/MWAIT */
--- a/xen/include/asm-x86/cpufeature.h
+++ b/xen/include/asm-x86/cpufeature.h
@@ -137,6 +137,7 @@
#define X86_FEATURE_TBM (6*32+21) /* trailing bit manipulations */
#define X86_FEATURE_TOPOEXT (6*32+22) /* topology extensions CPUID leafs */
#define X86_FEATURE_DBEXT (6*32+26) /* data breakpoint extension */
+#define X86_FEATURE_MWAITX (6*32+29) /* MWAIT extension (MONITORX/MWAITX) */
/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 7 */
#define X86_FEATURE_FSGSBASE (7*32+ 0) /* {RD,WR}{FS,GS}BASE instructions */


@ -1,114 +0,0 @@
# Commit 83281fc9b31396e94c0bfb6550b75c165037a0ad
# Date 2015-10-14 12:46:27 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/NUMA: fix SRAT table processor entry parsing and consumption
- don't overrun apicid_to_node[] (possible in the x2APIC case)
- don't limit number of processor related SRAT entries we can consume
- make acpi_numa_{processor,x2apic}_affinity_init() as similar to one
another as possible
- print APIC IDs in hex (to ease matching with other log messages), at
once making legacy and x2APIC ones distinguishable (by width)
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/numa.c
+++ b/xen/arch/x86/numa.c
@@ -347,7 +347,7 @@ void __init init_cpu_to_node(void)
u32 apicid = x86_cpu_to_apicid[i];
if ( apicid == BAD_APICID )
continue;
- node = apicid_to_node[apicid];
+ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE;
if ( node == NUMA_NO_NODE || !node_online(node) )
node = 0;
numa_set_node(i, node);
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -191,7 +191,7 @@ void __devinit srat_detect_node(int cpu)
unsigned node;
u32 apicid = x86_cpu_to_apicid[cpu];
- node = apicid_to_node[apicid];
+ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE;
if ( node == NUMA_NO_NODE )
node = 0;
--- a/xen/arch/x86/smpboot.c
+++ b/xen/arch/x86/smpboot.c
@@ -885,7 +885,8 @@ int cpu_add(uint32_t apic_id, uint32_t a
cpu = node;
goto out;
}
- apicid_to_node[apic_id] = node;
+ if ( apic_id < MAX_LOCAL_APIC )
+ apicid_to_node[apic_id] = node;
}
/* Physically added CPUs do not have synchronised TSC. */
--- a/xen/arch/x86/srat.c
+++ b/xen/arch/x86/srat.c
@@ -170,7 +170,6 @@ void __init
acpi_numa_x2apic_affinity_init(struct acpi_srat_x2apic_cpu_affinity *pa)
{
int pxm, node;
- int apic_id;
if (srat_disabled())
return;
@@ -178,8 +177,13 @@ acpi_numa_x2apic_affinity_init(struct ac
bad_srat();
return;
}
- if ((pa->flags & ACPI_SRAT_CPU_ENABLED) == 0)
+ if (!(pa->flags & ACPI_SRAT_CPU_ENABLED))
+ return;
+ if (pa->apic_id >= MAX_LOCAL_APIC) {
+ printk(KERN_INFO "SRAT: APIC %08x ignored\n", pa->apic_id);
return;
+ }
+
pxm = pa->proximity_domain;
node = setup_node(pxm);
if (node < 0) {
@@ -187,11 +191,11 @@ acpi_numa_x2apic_affinity_init(struct ac
return;
}
- apic_id = pa->apic_id;
- apicid_to_node[apic_id] = node;
+ apicid_to_node[pa->apic_id] = node;
+ node_set(node, processor_nodes_parsed);
acpi_numa = 1;
- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n",
- pxm, apic_id, node);
+ printk(KERN_INFO "SRAT: PXM %u -> APIC %08x -> Node %u\n",
+ pxm, pa->apic_id, node);
}
/* Callback for Proximity Domain -> LAPIC mapping */
@@ -221,7 +225,7 @@ acpi_numa_processor_affinity_init(struct
apicid_to_node[pa->apic_id] = node;
node_set(node, processor_nodes_parsed);
acpi_numa = 1;
- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n",
+ printk(KERN_INFO "SRAT: PXM %u -> APIC %02x -> Node %u\n",
pxm, pa->apic_id, node);
}
--- a/xen/drivers/acpi/numa.c
+++ b/xen/drivers/acpi/numa.c
@@ -199,9 +199,9 @@ int __init acpi_numa_init(void)
/* SRAT: Static Resource Affinity Table */
if (!acpi_table_parse(ACPI_SIG_SRAT, acpi_parse_srat)) {
acpi_table_parse_srat(ACPI_SRAT_TYPE_X2APIC_CPU_AFFINITY,
- acpi_parse_x2apic_affinity, NR_CPUS);
+ acpi_parse_x2apic_affinity, 0);
acpi_table_parse_srat(ACPI_SRAT_TYPE_CPU_AFFINITY,
- acpi_parse_processor_affinity, NR_CPUS);
+ acpi_parse_processor_affinity, 0);
acpi_table_parse_srat(ACPI_SRAT_TYPE_MEMORY_AFFINITY,
acpi_parse_memory_affinity,
NR_NODE_MEMBLKS);


@ -1,216 +0,0 @@
xl: Sane handling of extra config file arguments
Various xl sub-commands take additional parameters containing = as
additional config fragments.
The handling of these config fragments has a number of bugs:
1. Use of a static 1024-byte buffer. (If truncation would occur,
with semi-trusted input, a security risk arises due to quotes
being lost.)
2. Mishandling of the return value from snprintf, so that if
truncation occurs, the to-write pointer is updated with the
wanted-to-write length, resulting in stack corruption. (This is
XSA-137.)
3. Clone-and-hack of the code for constructing the appended
config file.
These are fixed here, by introducing a new function
`string_realloc_append' and using it everywhere. The `extra_info'
buffers are replaced by pointers, which start off NULL and are
explicitly freed on all return paths.
The separate variable which will become dom_info.extra_config is
abolished (which involves moving the clearing of dom_info).
Additional bugs I observe, not fixed here:
4. The functions which now call string_realloc_append use ad-hoc
error returns, with multiple calls to `return'. This currently
necessitates multiple new calls to `free'.
5. Many of the paths in xl call exit(-rc) where rc is a libxl status
code. This is a ridiculous exit status `convention'.
6. The loops for handling extra config data are clone-and-hacks.
7. Once the extra config buffer is accumulated, it must be combined
with the appropriate main config file. The code to do this
combining is clone-and-hacked too.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian,campbell@citrix.com>
--- a/tools/libxl/xl_cmdimpl.c
+++ b/tools/libxl/xl_cmdimpl.c
@@ -151,7 +151,7 @@ struct domain_create {
int console_autoconnect;
int checkpointed_stream;
const char *config_file;
- const char *extra_config; /* extra config string */
+ char *extra_config; /* extra config string */
const char *restore_file;
int migrate_fd; /* -1 means none */
char **migration_domname_r; /* from malloc */
@@ -4572,11 +4572,25 @@ int main_vm_list(int argc, char **argv)
return 0;
}
+static void string_realloc_append(char **accumulate, const char *more)
+{
+ /* Appends more to accumulate. Accumulate is either NULL, or
+ * points (always) to a malloc'd nul-terminated string. */
+
+ size_t oldlen = *accumulate ? strlen(*accumulate) : 0;
+ size_t morelen = strlen(more) + 1/*nul*/;
+ if (oldlen > SSIZE_MAX || morelen > SSIZE_MAX - oldlen) {
+ fprintf(stderr,"Additional config data far too large\n");
+ exit(-ERROR_FAIL);
+ }
+
+ *accumulate = xrealloc(*accumulate, oldlen + morelen);
+ memcpy(*accumulate + oldlen, more, morelen);
+}
+
int main_create(int argc, char **argv)
{
const char *filename = NULL;
- char *p;
- char extra_config[1024];
struct domain_create dom_info;
int paused = 0, debug = 0, daemonize = 1, console_autoconnect = 0,
quiet = 0, monitor = 1, vnc = 0, vncautopass = 0;
@@ -4591,6 +4605,8 @@ int main_create(int argc, char **argv)
{0, 0, 0, 0}
};
+ dom_info.extra_config = NULL;
+
if (argv[1] && argv[1][0] != '-' && !strchr(argv[1], '=')) {
filename = argv[1];
argc--; argv++;
@@ -4630,20 +4646,21 @@ int main_create(int argc, char **argv)
break;
}
- extra_config[0] = '\0';
- for (p = extra_config; optind < argc; optind++) {
+ memset(&dom_info, 0, sizeof(dom_info));
+
+ for (; optind < argc; optind++) {
if (strchr(argv[optind], '=') != NULL) {
- p += snprintf(p, sizeof(extra_config) - (p - extra_config),
- "%s\n", argv[optind]);
+ string_realloc_append(&dom_info.extra_config, argv[optind]);
+ string_realloc_append(&dom_info.extra_config, "\n");
} else if (!filename) {
filename = argv[optind];
} else {
help("create");
+ free(dom_info.extra_config);
return 2;
}
}
- memset(&dom_info, 0, sizeof(dom_info));
dom_info.debug = debug;
dom_info.daemonize = daemonize;
dom_info.monitor = monitor;
@@ -4651,16 +4668,18 @@ int main_create(int argc, char **argv)
dom_info.dryrun = dryrun_only;
dom_info.quiet = quiet;
dom_info.config_file = filename;
- dom_info.extra_config = extra_config;
dom_info.migrate_fd = -1;
dom_info.vnc = vnc;
dom_info.vncautopass = vncautopass;
dom_info.console_autoconnect = console_autoconnect;
rc = create_domain(&dom_info);
- if (rc < 0)
+ if (rc < 0) {
+ free(dom_info.extra_config);
return -rc;
+ }
+ free(dom_info.extra_config);
return 0;
}
@@ -4668,8 +4687,7 @@ int main_config_update(int argc, char **
{
uint32_t domid;
const char *filename = NULL;
- char *p;
- char extra_config[1024];
+ char *extra_config = NULL;
void *config_data = 0;
int config_len = 0;
libxl_domain_config d_config;
@@ -4707,15 +4725,15 @@ int main_config_update(int argc, char **
break;
}
- extra_config[0] = '\0';
- for (p = extra_config; optind < argc; optind++) {
+ for (; optind < argc; optind++) {
if (strchr(argv[optind], '=') != NULL) {
- p += snprintf(p, sizeof(extra_config) - (p - extra_config),
- "%s\n", argv[optind]);
+ string_realloc_append(&extra_config, argv[optind]);
+ string_realloc_append(&extra_config, "\n");
} else if (!filename) {
filename = argv[optind];
} else {
help("create");
+ free(extra_config);
return 2;
}
}
@@ -4724,7 +4742,8 @@ int main_config_update(int argc, char **
rc = libxl_read_file_contents(ctx, filename,
&config_data, &config_len);
if (rc) { fprintf(stderr, "Failed to read config file: %s: %s\n",
- filename, strerror(errno)); return ERROR_FAIL; }
+ filename, strerror(errno));
+ free(extra_config); return ERROR_FAIL; }
if (strlen(extra_config)) {
if (config_len > INT_MAX - (strlen(extra_config) + 2 + 1)) {
fprintf(stderr, "Failed to attach extra configration\n");
@@ -4765,7 +4784,7 @@ int main_config_update(int argc, char **
libxl_domain_config_dispose(&d_config);
free(config_data);
-
+ free(extra_config);
return 0;
}
@@ -7022,7 +7041,7 @@ int main_cpupoolcreate(int argc, char **
{
const char *filename = NULL, *config_src=NULL;
const char *p;
- char extra_config[1024];
+ char *extra_config = NULL;
int opt;
static struct option opts[] = {
{"defconfig", 1, 0, 'f'},
@@ -7056,13 +7075,10 @@ int main_cpupoolcreate(int argc, char **
break;
}
- memset(extra_config, 0, sizeof(extra_config));
while (optind < argc) {
if ((p = strchr(argv[optind], '='))) {
- if (strlen(extra_config) + 1 + strlen(argv[optind]) < sizeof(extra_config)) {
- strcat(extra_config, "\n");
- strcat(extra_config, argv[optind]);
- }
+ string_realloc_append(&extra_config, "\n");
+ string_realloc_append(&extra_config, argv[optind]);
} else if (!filename) {
filename = argv[optind];
} else {


@ -1,37 +0,0 @@
tools: libxl: allow permissive qemu-upstream pci passthrough
Since XSA-131 qemu-xen now restricts access to PCI cfg by default. In
order to allow local configuration of the existing libxl_device_pci
"permissive" flag needs to be plumbed through via the new QMP property
added by the XSA-131 patches.
Versions of QEMU prior to XSA-131 did not support this permissive
property, so we only pass it if it is true. Older versions only
supported permissive mode.
qemu-xen-traditional already supports the permissive mode setting via
xenstore.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
--- a/tools/libxl/libxl_qmp.c
+++ b/tools/libxl/libxl_qmp.c
@@ -835,6 +835,18 @@ int libxl__qmp_pci_add(libxl__gc *gc, in
QMP_PARAMETERS_SPRINTF(&args, "addr", "%x.%x",
PCI_SLOT(pcidev->vdevfn), PCI_FUNC(pcidev->vdevfn));
}
+ /*
+ * Version of QEMU prior to the XSA-131 fix did not support this
+ * property and were effectively always in permissive mode. The
+ * fix for XSA-131 switched the default to be restricted by
+ * default and added the permissive property.
+ *
+ * Therefore in order to support both old and new QEMU we only set
+ * the permissive flag if it is true. Users of older QEMU have no
+ * reason to set the flag so this is ok.
+ */
+ if (pcidev->permissive)
+ qmp_parameters_add_bool(gc, &args, "permissive", true);
rc = qmp_synchronous_send(qmp, "device_add", args,
NULL, NULL, qmp->timeout);


@ -1,74 +0,0 @@
From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 3 Jun 2015 14:13:31 +0200
Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
(CVE-2015-5154)
If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.
One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.
This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
hw/ide/core.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
Index: xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
===================================================================
--- xen-4.2.5-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+++ xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
@@ -3002,6 +3002,10 @@ static void ide_data_writew(void *opaque
buffered_pio_write(s, addr, 2);
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return;
+ }
+
*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
@@ -3021,6 +3025,10 @@ static uint32_t ide_data_readw(void *opa
buffered_pio_read(s, addr, 2);
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
@@ -3040,6 +3048,10 @@ static void ide_data_writel(void *opaque
buffered_pio_write(s, addr, 4);
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return;
+ }
+
*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
@@ -3059,6 +3071,10 @@ static uint32_t ide_data_readl(void *opa
buffered_pio_read(s, addr, 4);
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;


@ -1,68 +0,0 @@
From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 3 Jun 2015 14:41:27 +0200
Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
This is additional hardening against an end_transfer_func that fails to
clear the DRQ status bit. The bit must be unset as soon as the PIO
transfer has completed, so it's better to do this in a central place
instead of duplicating the code in all commands (and forgetting it in
some).
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
hw/ide/core.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
Index: xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
===================================================================
--- xen-4.2.5-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+++ xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
@@ -3016,8 +3016,10 @@ static void ide_data_writew(void *opaque
*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
}
static uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -3039,8 +3041,10 @@ static uint32_t ide_data_readw(void *opa
ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
return ret;
}
@@ -3062,8 +3066,10 @@ static void ide_data_writel(void *opaque
*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
}
static uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -3085,8 +3091,10 @@ static uint32_t ide_data_readl(void *opa
ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
return ret;
}


@ -1,54 +0,0 @@
Subject: ATAPI: STARTSTOPUNIT only eject/load media if powercondition is 0
From: Ronnie Sahlberg ronniesahlberg@gmail.com Tue Jul 31 11:28:26 2012 +1000
Date: Wed Sep 12 15:50:09 2012 +0200:
Git: ce560dcf20c14194db5ef3b9fc1ea592d4e68109
The START STOP UNIT command will only eject/load media if
power condition is zero.
If power condition is !0 then LOEJ and START will be ignored.
From MMC (sbc contains similar wordings too)
The Power Conditions field requests the block device to be placed
in the power condition defined in
Table 558. If this field has a value other than 0h then the Start
and LoEj bits shall be ignored.
Signed-off-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 3 Jun 2015 14:17:46 +0200
Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
The command must be completed on all code paths. START STOP UNIT with
pwrcnd set should succeed without doing anything.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
hw/ide/atapi.c | 1 +
1 file changed, 1 insertion(+)
Index: xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
===================================================================
--- xen-4.2.5-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+++ xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
@@ -2095,9 +2095,16 @@ static void ide_atapi_cmd(IDEState *s)
break;
case GPCMD_START_STOP_UNIT:
{
- int start, eject;
+ int start, eject, pwrcnd;
start = packet[4] & 1;
eject = (packet[4] >> 1) & 1;
+ pwrcnd = buf[4] & 0xf0;
+
+ if (pwrcnd) {
+ /* eject/load only happens for power condition == 0 */
+ ide_atapi_cmd_ok(s);
+ return;
+ }
if (eject && !start) {
/* eject the disk */


@ -1,74 +0,0 @@
From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 3 Jun 2015 14:13:31 +0200
Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
(CVE-2015-5154)
If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.
One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.
This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
hw/ide/core.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
@@ -1901,6 +1901,10 @@ void ide_data_writew(void *opaque, uint3
}
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return;
+ }
+
*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
@@ -1922,6 +1926,10 @@ uint32_t ide_data_readw(void *opaque, ui
}
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
@@ -1943,6 +1951,10 @@ void ide_data_writel(void *opaque, uint3
}
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return;
+ }
+
*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
@@ -1964,6 +1976,10 @@ uint32_t ide_data_readl(void *opaque, ui
}
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;


@ -1,68 +0,0 @@
From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 3 Jun 2015 14:41:27 +0200
Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
This is additional hardening against an end_transfer_func that fails to
clear the DRQ status bit. The bit must be unset as soon as the PIO
transfer has completed, so it's better to do this in a central place
instead of duplicating the code in all commands (and forgetting it in
some).
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
hw/ide/core.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
@@ -1908,8 +1908,10 @@ void ide_data_writew(void *opaque, uint3
*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
}
uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -1933,8 +1935,10 @@ uint32_t ide_data_readw(void *opaque, ui
ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
return ret;
}
@@ -1958,8 +1962,10 @@ void ide_data_writel(void *opaque, uint3
*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
}
uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -1983,8 +1989,10 @@ uint32_t ide_data_readl(void *opaque, ui
ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
return ret;
}


@ -1,25 +0,0 @@
From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 3 Jun 2015 14:17:46 +0200
Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
The command must be completed on all code paths. START STOP UNIT with
pwrcnd set should succeed without doing anything.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
hw/ide/atapi.c | 1 +
1 file changed, 1 insertion(+)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/atapi.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/ide/atapi.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/atapi.c
@@ -879,6 +879,7 @@ static void cmd_start_stop_unit(IDEState
if (pwrcnd) {
/* eject/load only happens for power condition == 0 */
+ ide_atapi_cmd_ok(s);
return;
}

View File

@ -1,50 +0,0 @@
References: bsc#944463
Subject: ui/vnc: limit client_cut_text msg payload size
From: Peter Lieven pl@kamp.de Mon Jun 30 10:07:54 2014 +0200
Date: Tue Jul 1 13:26:40 2014 +0200:
Git: f9a70e79391f6d7c2a912d785239ee8effc1922d
currently a malicious client could define a payload
size of 2^32 - 1 bytes and send up to that size of
data to the vnc server. The server would allocated
that amount of memory which could easily create an
out of memory condition.
This patch limits the payload size to 1MB max.
Please note that client_cut_text messages are currently
silently ignored.
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1779,14 +1779,21 @@ static int protocol_client_msg(VncState
pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
break;
case 6:
- if (len == 1)
+ if (len == 1) {
return 8;
-
+ }
if (len == 8) {
uint32_t v;
v = read_u32(data, 4);
- if (v)
+ if (v > (1 << 20)) {
+ VNC_DEBUG("vnc: client_cut_text msg payload has %u bytes"
+ " which exceeds our limit of 1MB.", v);
+ vnc_client_error(vs);
+ break;
+ }
+ if (v > 0) {
return 8 + v;
+ }
}
client_cut_text(vs, read_u32(data, 4), (char *)(data + 8));


@ -1,49 +0,0 @@
References: bsc#944463
Subject: ui/vnc: limit client_cut_text msg payload size
From: Peter Lieven pl@kamp.de Mon Jun 30 10:07:54 2014 +0200
Date: Tue Jul 1 13:26:40 2014 +0200:
Git: f9a70e79391f6d7c2a912d785239ee8effc1922d
currently a malicious client could define a payload
size of 2^32 - 1 bytes and send up to that size of
data to the vnc server. The server would allocated
that amount of memory which could easily create an
out of memory condition.
This patch limits the payload size to 1MB max.
Please note that client_cut_text messages are currently
silently ignored.
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/ui/vnc.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/ui/vnc.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/ui/vnc.c
@@ -2149,13 +2149,20 @@ static int protocol_client_msg(VncState
pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4));
break;
case VNC_MSG_CLIENT_CUT_TEXT:
- if (len == 1)
+ if (len == 1) {
return 8;
-
+ }
if (len == 8) {
uint32_t dlen = read_u32(data, 4);
- if (dlen > 0)
+ if (dlen > (1 << 20)) {
+ error_report("vnc: client_cut_text msg payload has %u bytes"
+ " which exceeds our limit of 1MB.", dlen);
+ vnc_client_error(vs);
+ break;
+ }
+ if (dlen > 0) {
return 8 + dlen;
+ }
}
client_cut_text(vs, read_u32(data, 4), data + 8);


@ -1,31 +0,0 @@
References: bsc#944697
From: P J P <address@hidden>
While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]
Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
hw/net/e1000.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
@@ -470,7 +470,8 @@ process_tx_desc(E1000State *s, struct e1
memmove(tp->data, tp->header, hdr);
tp->size = hdr;
}
- } while (split_size -= bytes);
+ split_size -= bytes;
+ } while (bytes && split_size);
} else if (!tp->tse && tp->cptse) {
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentaion Error\n");


@ -1,31 +0,0 @@
References: bsc#944697
From: P J P <address@hidden>
While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]
Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
hw/net/e1000.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/e1000.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c
@@ -707,7 +707,8 @@ process_tx_desc(E1000State *s, struct e1
memmove(tp->data, tp->header, tp->hdr_len);
tp->size = tp->hdr_len;
}
- } while (split_size -= bytes);
+ split_size -= bytes;
+ } while (bytes && split_size);
} else if (!tp->tse && tp->cptse) {
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentation error\n");


@ -1,50 +0,0 @@
From 07ca00703f76ad392eda5ee52cce1197cf49c30a Mon Sep 17 00:00:00 2001
From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Subject: [PATCH v2.1 for-4.5] libxl: handle read-only drives with qemu-xen
The current libxl code doesn't deal with read-only drives at all.
Upstream QEMU and qemu-xen only support read-only cdrom drives: make
sure to specify "readonly=on" for cdrom drives and return error in case
the user requested a non-cdrom read-only drive.
This is XSA-142, discovered by Lin Liu
(https://bugzilla.redhat.com/show_bug.cgi?id=1257893).
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Backport to Xen 4.5 and earlier, apropos of report and review from
Michael Young.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
tools/libxl/libxl_dm.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_dm.c
+++ xen-4.5.1-testing/tools/libxl/libxl_dm.c
@@ -812,13 +812,18 @@ static char ** libxl__build_device_model
if (disks[i].is_cdrom) {
if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY)
drive = libxl__sprintf
- (gc, "if=ide,index=%d,media=cdrom,cache=writeback,id=ide-%i",
- disk, dev_number);
+ (gc, "if=ide,index=%d,readonly=%s,media=cdrom,cache=writeback,id=ide-%i",
+ disk, disks[i].readwrite ? "off" : "on", dev_number);
else
drive = libxl__sprintf
- (gc, "file=%s,if=ide,index=%d,media=cdrom,format=%s,cache=writeback,id=ide-%i",
- disks[i].pdev_path, disk, format, dev_number);
+ (gc, "file=%s,if=ide,index=%d,readonly=%s,media=cdrom,format=%s,cache=writeback,id=ide-%i",
+ disks[i].pdev_path, disk, disks[i].readwrite ? "off" : "on", format, dev_number);
} else {
+ if (!disks[i].readwrite) {
+ LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "qemu-xen doesn't support read-only disk drivers");
+ return NULL;
+ }
+
if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) {
LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "cannot support"
" empty disk format for %s", disks[i].vdev);


@ -1,43 +0,0 @@
References: bsc#950367 CVE-2015-7835 XSA-148
x86: guard against undue super page PTE creation
When optional super page support got added (commit bd1cd81d64 "x86: PV
support for hugepages"), two adjustments were missed: mod_l2_entry()
needs to consider the PSE and RW bits when deciding whether to use the
fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
unconditionally.
This is CVE-2015-7835 / XSA-148.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Index: xen-4.5.1-testing/xen/arch/x86/mm.c
===================================================================
--- xen-4.5.1-testing.orig/xen/arch/x86/mm.c
+++ xen-4.5.1-testing/xen/arch/x86/mm.c
@@ -162,7 +162,10 @@ static void put_superpage(unsigned long
static uint32_t base_disallow_mask;
/* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
#define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
+
+#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
+ ? base_disallow_mask & ~_PAGE_PSE \
+ : base_disallow_mask)
#define l3_disallow_mask(d) (!is_pv_32on64_domain(d) ? \
base_disallow_mask : \
@@ -1790,7 +1793,10 @@ static int mod_l2_entry(l2_pgentry_t *pl
}
/* Fast path for identical mapping and presence. */
- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
+ if ( !l2e_has_changed(ol2e, nl2e,
+ unlikely(opt_allow_superpage)
+ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
+ : _PAGE_PRESENT) )
{
adjust_guest_l2e(nl2e, d);
if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )


@ -20,10 +20,10 @@ git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5076 c046a42c-6fe2-441c-8c8
vnc.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++---------
1 files changed, 50 insertions(+), 9 deletions(-)
Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
--- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
--- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1285,35 +1285,22 @@ static void press_key_altgr_down(VncStat
}
}
@ -115,7 +115,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
case 0x574D5669:
vs->has_WMVi = 1;
default:
@@ -1774,6 +1791,24 @@ static int protocol_client_msg(VncState
@@ -1780,6 +1797,24 @@ static int protocol_client_msg(VncState
client_cut_text(vs, read_u32(data, 4), (char *)(data + 8));
break;
@ -140,7 +140,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
default:
printf("Msg: %d\n", data[0]);
vnc_client_error(vs);
@@ -2445,10 +2480,11 @@ void vnc_display_init(DisplayState *ds)
@@ -2451,10 +2486,11 @@ void vnc_display_init(DisplayState *ds)
vs->ds = ds;


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6fcae87011b70d922b3532ca8ba9aa649f60068fbece975abdf2b419a4fd7826
size 2877505
oid sha256:a7b3bed4f4132e9b65970b89a23e7d234728b44ae9c7a3c068ff33ea86fa48f5
size 2877798


@ -7,11 +7,11 @@ https://bugzilla.novell.com/show_bug.cgi?id=879425
tools/libxl/libxlu_disk_l.l | 1 +
5 files changed, 18 insertions(+), 1 deletion(-)
Index: xen-4.5.1-testing/tools/libxl/libxl.c
Index: xen-4.5.2-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.1-testing/tools/libxl/libxl.c
@@ -2825,6 +2825,8 @@ static void device_disk_add(libxl__egc *
--- xen-4.5.2-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.2-testing/tools/libxl/libxl.c
@@ -2832,6 +2832,8 @@ static void device_disk_add(libxl__egc *
flexarray_append_pair(back, "discard-enable",
libxl_defbool_val(disk->discard_enable) ?
"1" : "0");
@ -20,10 +20,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
flexarray_append(front, "backend-id");
flexarray_append(front, libxl__sprintf(gc, "%d", disk->backend_domid));
Index: xen-4.5.1-testing/tools/libxl/libxl.h
Index: xen-4.5.2-testing/tools/libxl/libxl.h
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.h
+++ xen-4.5.1-testing/tools/libxl/libxl.h
--- xen-4.5.2-testing.orig/tools/libxl/libxl.h
+++ xen-4.5.2-testing/tools/libxl/libxl.h
@@ -163,6 +163,18 @@
#define LIBXL_HAVE_BUILDINFO_HVM_MMIO_HOLE_MEMKB 1
@ -43,10 +43,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.h
* libxl ABI compatibility
*
* The only guarantee which libxl makes regarding ABI compatibility
Index: xen-4.5.1-testing/tools/libxl/libxlu_disk.c
Index: xen-4.5.2-testing/tools/libxl/libxlu_disk.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxlu_disk.c
+++ xen-4.5.1-testing/tools/libxl/libxlu_disk.c
--- xen-4.5.2-testing.orig/tools/libxl/libxlu_disk.c
+++ xen-4.5.2-testing/tools/libxl/libxlu_disk.c
@@ -79,6 +79,8 @@ int xlu_disk_parse(XLU_Config *cfg,
if (!disk->pdev_path || !strcmp(disk->pdev_path, ""))
disk->format = LIBXL_DISK_FORMAT_EMPTY;
@ -56,10 +56,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxlu_disk.c
if (!disk->vdev) {
xlu__disk_err(&dpc,0, "no vdev specified");
Index: xen-4.5.1-testing/tools/libxl/libxlu_disk_i.h
Index: xen-4.5.2-testing/tools/libxl/libxlu_disk_i.h
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxlu_disk_i.h
+++ xen-4.5.1-testing/tools/libxl/libxlu_disk_i.h
--- xen-4.5.2-testing.orig/tools/libxl/libxlu_disk_i.h
+++ xen-4.5.2-testing/tools/libxl/libxlu_disk_i.h
@@ -10,7 +10,7 @@ typedef struct {
void *scanner;
YY_BUFFER_STATE buf;
@ -69,10 +69,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxlu_disk_i.h
const char *spec;
} DiskParseContext;
Index: xen-4.5.1-testing/tools/libxl/libxlu_disk_l.l
Index: xen-4.5.2-testing/tools/libxl/libxlu_disk_l.l
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxlu_disk_l.l
+++ xen-4.5.1-testing/tools/libxl/libxlu_disk_l.l
--- xen-4.5.2-testing.orig/tools/libxl/libxlu_disk_l.l
+++ xen-4.5.2-testing/tools/libxl/libxlu_disk_l.l
@@ -176,6 +176,7 @@ script=[^,]*,? { STRIP(','); SAVESTRING(
direct-io-safe,? { DPC->disk->direct_io_safe = 1; }
discard,? { libxl_defbool_set(&DPC->disk->discard_enable, true); }


@ -31,10 +31,10 @@ ee2e7e5 Merge pull request #1 from aaannz/pvscsi
7de6f49 support character devices too
c84381b allow /dev/sda as scsi devspec
f11e3a2 pvscsi
Index: xen-4.5.1-testing/docs/man/xl.cfg.pod.5
Index: xen-4.5.2-testing/docs/man/xl.cfg.pod.5
===================================================================
--- xen-4.5.1-testing.orig/docs/man/xl.cfg.pod.5
+++ xen-4.5.1-testing/docs/man/xl.cfg.pod.5
--- xen-4.5.2-testing.orig/docs/man/xl.cfg.pod.5
+++ xen-4.5.2-testing/docs/man/xl.cfg.pod.5
@@ -448,6 +448,36 @@ value is optional if this is a guest dom
=back
@ -72,10 +72,10 @@ Index: xen-4.5.1-testing/docs/man/xl.cfg.pod.5
=item B<vfb=[ "VFB_SPEC_STRING", "VFB_SPEC_STRING", ...]>
Specifies the paravirtual framebuffer devices which should be supplied
Index: xen-4.5.1-testing/docs/man/xl.pod.1
Index: xen-4.5.2-testing/docs/man/xl.pod.1
===================================================================
--- xen-4.5.1-testing.orig/docs/man/xl.pod.1
+++ xen-4.5.1-testing/docs/man/xl.pod.1
--- xen-4.5.2-testing.orig/docs/man/xl.pod.1
+++ xen-4.5.2-testing/docs/man/xl.pod.1
@@ -1323,6 +1323,26 @@ List virtual trusted platform modules fo
=back
@ -103,11 +103,11 @@ Index: xen-4.5.1-testing/docs/man/xl.pod.1
=head1 PCI PASS-THROUGH
=over 4
Index: xen-4.5.1-testing/tools/libxl/libxl.c
Index: xen-4.5.2-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.1-testing/tools/libxl/libxl.c
@@ -2317,6 +2317,273 @@ int libxl_devid_to_device_vtpm(libxl_ctx
--- xen-4.5.2-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.2-testing/tools/libxl/libxl.c
@@ -2324,6 +2324,273 @@ int libxl_devid_to_device_vtpm(libxl_ctx
return rc;
}
@ -381,7 +381,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
/******************************************************************************/
@@ -4192,6 +4459,8 @@ out:
@@ -4199,6 +4466,8 @@ out:
* libxl_device_vkb_destroy
* libxl_device_vfb_remove
* libxl_device_vfb_destroy
@ -390,7 +390,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
*/
#define DEFINE_DEVICE_REMOVE(type, removedestroy, f) \
int libxl_device_##type##_##removedestroy(libxl_ctx *ctx, \
@@ -4247,6 +4516,10 @@ DEFINE_DEVICE_REMOVE(vtpm, destroy, 1)
@@ -4254,6 +4523,10 @@ DEFINE_DEVICE_REMOVE(vtpm, destroy, 1)
* 1. add support for secondary consoles to xenconsoled
* 2. dynamically add/remove qemu chardevs via qmp messages. */
@ -401,7 +401,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
#undef DEFINE_DEVICE_REMOVE
/******************************************************************************/
@@ -4256,6 +4529,7 @@ DEFINE_DEVICE_REMOVE(vtpm, destroy, 1)
@@ -4263,6 +4536,7 @@ DEFINE_DEVICE_REMOVE(vtpm, destroy, 1)
* libxl_device_disk_add
* libxl_device_nic_add
* libxl_device_vtpm_add
@ -409,7 +409,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
*/
#define DEFINE_DEVICE_ADD(type) \
@@ -4287,6 +4561,9 @@ DEFINE_DEVICE_ADD(nic)
@@ -4294,6 +4568,9 @@ DEFINE_DEVICE_ADD(nic)
/* vtpm */
DEFINE_DEVICE_ADD(vtpm)
@ -419,7 +419,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
#undef DEFINE_DEVICE_ADD
/******************************************************************************/
@@ -6829,6 +7106,20 @@ out:
@@ -6836,6 +7113,20 @@ out:
return rc;
}
@ -440,10 +440,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
/*
* Local variables:
* mode: C
Index: xen-4.5.1-testing/tools/libxl/libxl.h
Index: xen-4.5.2-testing/tools/libxl/libxl.h
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.h
+++ xen-4.5.1-testing/tools/libxl/libxl.h
--- xen-4.5.2-testing.orig/tools/libxl/libxl.h
+++ xen-4.5.2-testing/tools/libxl/libxl.h
@@ -1238,6 +1238,26 @@ libxl_device_vtpm *libxl_device_vtpm_lis
int libxl_device_vtpm_getinfo(libxl_ctx *ctx, uint32_t domid,
libxl_device_vtpm *vtpm, libxl_vtpminfo *vtpminfo);
@ -499,10 +499,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.h
#endif /* LIBXL_H */
/*
Index: xen-4.5.1-testing/tools/libxl/libxl_create.c
Index: xen-4.5.2-testing/tools/libxl/libxl_create.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_create.c
+++ xen-4.5.1-testing/tools/libxl/libxl_create.c
--- xen-4.5.2-testing.orig/tools/libxl/libxl_create.c
+++ xen-4.5.2-testing/tools/libxl/libxl_create.c
@@ -1141,6 +1141,7 @@ static void domcreate_rebuild_done(libxl
libxl__multidev_begin(ao, &dcs->multidev);
dcs->multidev.callback = domcreate_launch_dm;
@ -511,10 +511,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_create.c
libxl__multidev_prepared(egc, &dcs->multidev, 0);
return;
Index: xen-4.5.1-testing/tools/libxl/libxl_device.c
Index: xen-4.5.2-testing/tools/libxl/libxl_device.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_device.c
+++ xen-4.5.1-testing/tools/libxl/libxl_device.c
--- xen-4.5.2-testing.orig/tools/libxl/libxl_device.c
+++ xen-4.5.2-testing/tools/libxl/libxl_device.c
@@ -541,6 +541,7 @@ void libxl__multidev_prepared(libxl__egc
* The following functions are defined:
* libxl__add_disks
@ -556,11 +556,11 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_device.c
/******************************************************************************/
int libxl__device_destroy(libxl__gc *gc, libxl__device *dev)
Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h
Index: xen-4.5.2-testing/tools/libxl/libxl_internal.h
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_internal.h
+++ xen-4.5.1-testing/tools/libxl/libxl_internal.h
@@ -1079,6 +1079,7 @@ _hidden int libxl__device_disk_setdefaul
--- xen-4.5.2-testing.orig/tools/libxl/libxl_internal.h
+++ xen-4.5.2-testing/tools/libxl/libxl_internal.h
@@ -1094,6 +1094,7 @@ _hidden int libxl__device_disk_setdefaul
_hidden int libxl__device_nic_setdefault(libxl__gc *gc, libxl_device_nic *nic,
uint32_t domid);
_hidden int libxl__device_vtpm_setdefault(libxl__gc *gc, libxl_device_vtpm *vtpm);
@ -568,7 +568,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h
_hidden int libxl__device_vfb_setdefault(libxl__gc *gc, libxl_device_vfb *vfb);
_hidden int libxl__device_vkb_setdefault(libxl__gc *gc, libxl_device_vkb *vkb);
_hidden int libxl__device_pci_setdefault(libxl__gc *gc, libxl_device_pci *pci);
@@ -2390,6 +2391,10 @@ _hidden void libxl__device_vtpm_add(libx
@@ -2405,6 +2406,10 @@ _hidden void libxl__device_vtpm_add(libx
libxl_device_vtpm *vtpm,
libxl__ao_device *aodev);
@ -579,7 +579,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h
/* Internal function to connect a vkb device */
_hidden int libxl__device_vkb_add(libxl__gc *gc, uint32_t domid,
libxl_device_vkb *vkb);
@@ -3014,6 +3019,10 @@ _hidden void libxl__add_vtpms(libxl__egc
@@ -3029,6 +3034,10 @@ _hidden void libxl__add_vtpms(libxl__egc
libxl_domain_config *d_config,
libxl__multidev *multidev);
@ -590,10 +590,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h
/*----- device model creation -----*/
/* First layer; wraps libxl__spawn_spawn. */
Index: xen-4.5.1-testing/tools/libxl/libxl_types.idl
Index: xen-4.5.2-testing/tools/libxl/libxl_types.idl
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_types.idl
+++ xen-4.5.1-testing/tools/libxl/libxl_types.idl
--- xen-4.5.2-testing.orig/tools/libxl/libxl_types.idl
+++ xen-4.5.2-testing/tools/libxl/libxl_types.idl
@@ -540,6 +540,26 @@ libxl_device_channel = Struct("device_ch
])),
])
@ -659,10 +659,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_types.idl
libxl_vcpuinfo = Struct("vcpuinfo", [
("vcpuid", uint32),
("cpu", uint32),
Index: xen-4.5.1-testing/tools/libxl/libxl_types_internal.idl
Index: xen-4.5.2-testing/tools/libxl/libxl_types_internal.idl
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_types_internal.idl
+++ xen-4.5.1-testing/tools/libxl/libxl_types_internal.idl
--- xen-4.5.2-testing.orig/tools/libxl/libxl_types_internal.idl
+++ xen-4.5.2-testing/tools/libxl/libxl_types_internal.idl
@@ -22,6 +22,7 @@ libxl__device_kind = Enumeration("device
(6, "VKBD"),
(7, "CONSOLE"),
@ -671,10 +671,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_types_internal.idl
])
libxl__console_backend = Enumeration("console_backend", [
Index: xen-4.5.1-testing/tools/libxl/xl.h
Index: xen-4.5.2-testing/tools/libxl/xl.h
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/xl.h
+++ xen-4.5.1-testing/tools/libxl/xl.h
--- xen-4.5.2-testing.orig/tools/libxl/xl.h
+++ xen-4.5.2-testing/tools/libxl/xl.h
@@ -83,6 +83,9 @@ int main_channellist(int argc, char **ar
int main_blockattach(int argc, char **argv);
int main_blocklist(int argc, char **argv);
@ -685,10 +685,10 @@ Index: xen-4.5.1-testing/tools/libxl/xl.h
int main_vtpmattach(int argc, char **argv);
int main_vtpmlist(int argc, char **argv);
int main_vtpmdetach(int argc, char **argv);
Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c
Index: xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/xl_cmdimpl.c
+++ xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c
--- xen-4.5.2-testing.orig/tools/libxl/xl_cmdimpl.c
+++ xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c
@@ -17,6 +17,7 @@
#include "libxl_osdeps.h"
@ -1161,10 +1161,10 @@ Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c
int main_vtpmattach(int argc, char **argv)
{
int opt;
Index: xen-4.5.1-testing/tools/libxl/xl_cmdtable.c
Index: xen-4.5.2-testing/tools/libxl/xl_cmdtable.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/xl_cmdtable.c
+++ xen-4.5.1-testing/tools/libxl/xl_cmdtable.c
--- xen-4.5.2-testing.orig/tools/libxl/xl_cmdtable.c
+++ xen-4.5.2-testing/tools/libxl/xl_cmdtable.c
@@ -372,6 +372,21 @@ struct cmd_spec cmd_table[] = {
"Destroy a domain's virtual block device",
"<Domain> <DevId>",


@ -88,10 +88,10 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
tools/libxl/xl_cmdtable.c | 23 ++++++++++++++-------
12 files changed, 159 insertions(+), 21 deletions(-)
Index: xen-4.5.1-testing/docs/man/xl.pod.1
Index: xen-4.5.2-testing/docs/man/xl.pod.1
===================================================================
--- xen-4.5.1-testing.orig/docs/man/xl.pod.1
+++ xen-4.5.1-testing/docs/man/xl.pod.1
--- xen-4.5.2-testing.orig/docs/man/xl.pod.1
+++ xen-4.5.2-testing/docs/man/xl.pod.1
@@ -428,6 +428,26 @@ Send <config> instead of config file fro
Print huge (!) amount of debug during the migration process.
@ -119,10 +119,10 @@ Index: xen-4.5.1-testing/docs/man/xl.pod.1
=back
=item B<remus> [I<OPTIONS>] I<domain-id> I<host>
Index: xen-4.5.1-testing/tools/libxc/include/xenguest.h
Index: xen-4.5.2-testing/tools/libxc/include/xenguest.h
===================================================================
--- xen-4.5.1-testing.orig/tools/libxc/include/xenguest.h
+++ xen-4.5.1-testing/tools/libxc/include/xenguest.h
--- xen-4.5.2-testing.orig/tools/libxc/include/xenguest.h
+++ xen-4.5.2-testing/tools/libxc/include/xenguest.h
@@ -28,6 +28,7 @@
#define XCFLAGS_HVM (1 << 2)
#define XCFLAGS_STDVGA (1 << 3)
@ -143,10 +143,10 @@ Index: xen-4.5.1-testing/tools/libxc/include/xenguest.h
/* callbacks provided by xc_domain_restore */
struct restore_callbacks {
Index: xen-4.5.1-testing/tools/libxc/xc_domain_save.c
Index: xen-4.5.2-testing/tools/libxc/xc_domain_save.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxc/xc_domain_save.c
+++ xen-4.5.1-testing/tools/libxc/xc_domain_save.c
--- xen-4.5.2-testing.orig/tools/libxc/xc_domain_save.c
+++ xen-4.5.2-testing/tools/libxc/xc_domain_save.c
@@ -44,6 +44,7 @@
*/
#define DEF_MAX_ITERS 29 /* limit us to 30 times round loop */
@ -219,10 +219,10 @@ Index: xen-4.5.1-testing/tools/libxc/xc_domain_save.c
/*
* Local variables:
* mode: C
Index: xen-4.5.1-testing/tools/libxc/xc_nomigrate.c
Index: xen-4.5.2-testing/tools/libxc/xc_nomigrate.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxc/xc_nomigrate.c
+++ xen-4.5.1-testing/tools/libxc/xc_nomigrate.c
--- xen-4.5.2-testing.orig/tools/libxc/xc_nomigrate.c
+++ xen-4.5.2-testing/tools/libxc/xc_nomigrate.c
@@ -21,6 +21,15 @@
#include <xenctrl.h>
#include <xenguest.h>
@ -239,11 +239,11 @@ Index: xen-4.5.1-testing/tools/libxc/xc_nomigrate.c
int xc_domain_save(xc_interface *xch, int io_fd, uint32_t dom, uint32_t max_iters,
uint32_t max_factor, uint32_t flags,
struct save_callbacks* callbacks, int hvm)
Index: xen-4.5.1-testing/tools/libxl/libxl.c
Index: xen-4.5.2-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.1-testing/tools/libxl/libxl.c
@@ -951,7 +951,8 @@ static void domain_suspend_cb(libxl__egc
--- xen-4.5.2-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.2-testing/tools/libxl/libxl.c
@@ -958,7 +958,8 @@ static void domain_suspend_cb(libxl__egc
}
@ -253,7 +253,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
const libxl_asyncop_how *ao_how)
{
AO_CREATE(ctx, domid, ao_how);
@@ -972,8 +973,14 @@ int libxl_domain_suspend(libxl_ctx *ctx,
@@ -979,8 +980,14 @@ int libxl_domain_suspend(libxl_ctx *ctx,
dss->domid = domid;
dss->fd = fd;
dss->type = type;
@ -270,7 +270,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
libxl__domain_suspend(egc, dss);
return AO_INPROGRESS;
@@ -982,6 +989,20 @@ int libxl_domain_suspend(libxl_ctx *ctx,
@@ -989,6 +996,20 @@ int libxl_domain_suspend(libxl_ctx *ctx,
return AO_ABORT(rc);
}
@ -291,10 +291,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
int libxl_domain_pause(libxl_ctx *ctx, uint32_t domid)
{
int ret;
Index: xen-4.5.1-testing/tools/libxl/libxl.h
Index: xen-4.5.2-testing/tools/libxl/libxl.h
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.h
+++ xen-4.5.1-testing/tools/libxl/libxl.h
--- xen-4.5.2-testing.orig/tools/libxl/libxl.h
+++ xen-4.5.2-testing/tools/libxl/libxl.h
@@ -959,8 +959,23 @@ int libxl_domain_suspend(libxl_ctx *ctx,
int flags, /* LIBXL_SUSPEND_* */
const libxl_asyncop_how *ao_how)
@ -319,10 +319,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.h
/* @param suspend_cancel [from xenctrl.h:xc_domain_resume( @param fast )]
* If this parameter is true, use co-operative resume. The guest
Index: xen-4.5.1-testing/tools/libxl/libxl_dom.c
Index: xen-4.5.2-testing/tools/libxl/libxl_dom.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_dom.c
+++ xen-4.5.1-testing/tools/libxl/libxl_dom.c
--- xen-4.5.2-testing.orig/tools/libxl/libxl_dom.c
+++ xen-4.5.2-testing/tools/libxl/libxl_dom.c
@@ -1815,6 +1815,7 @@ void libxl__domain_suspend(libxl__egc *e
dss->xcflags = (live ? XCFLAGS_LIVE : 0)
@ -331,11 +331,11 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_dom.c
| (dss->hvm ? XCFLAGS_HVM : 0);
dss->guest_evtchn.port = -1;
Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h
Index: xen-4.5.2-testing/tools/libxl/libxl_internal.h
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_internal.h
+++ xen-4.5.1-testing/tools/libxl/libxl_internal.h
@@ -2803,6 +2803,10 @@ struct libxl__domain_suspend_state {
--- xen-4.5.2-testing.orig/tools/libxl/libxl_internal.h
+++ xen-4.5.2-testing/tools/libxl/libxl_internal.h
@@ -2818,6 +2818,10 @@ struct libxl__domain_suspend_state {
libxl__ev_evtchn guest_evtchn;
int guest_evtchn_lockfd;
int hvm;
@ -346,10 +346,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h
int xcflags;
int guest_responded;
libxl__xswait_state pvcontrol;
Index: xen-4.5.1-testing/tools/libxl/libxl_save_callout.c
Index: xen-4.5.2-testing/tools/libxl/libxl_save_callout.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_save_callout.c
+++ xen-4.5.1-testing/tools/libxl/libxl_save_callout.c
--- xen-4.5.2-testing.orig/tools/libxl/libxl_save_callout.c
+++ xen-4.5.2-testing/tools/libxl/libxl_save_callout.c
@@ -110,7 +110,9 @@ void libxl__xc_domain_save(libxl__egc *e
}
@ -361,10 +361,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_save_callout.c
toolstack_data_fd, toolstack_data_len,
cbflags,
};
Index: xen-4.5.1-testing/tools/libxl/libxl_save_helper.c
Index: xen-4.5.2-testing/tools/libxl/libxl_save_helper.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_save_helper.c
+++ xen-4.5.1-testing/tools/libxl/libxl_save_helper.c
--- xen-4.5.2-testing.orig/tools/libxl/libxl_save_helper.c
+++ xen-4.5.2-testing/tools/libxl/libxl_save_helper.c
@@ -215,6 +215,7 @@ int main(int argc, char **argv)
uint32_t dom = strtoul(NEXTARG,0,10);
uint32_t max_iters = strtoul(NEXTARG,0,10);
@ -383,10 +383,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_save_helper.c
&helper_save_callbacks, hvm);
complete(r);
Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c
Index: xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/xl_cmdimpl.c
+++ xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c
--- xen-4.5.2-testing.orig/tools/libxl/xl_cmdimpl.c
+++ xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c
@@ -3880,6 +3880,8 @@ static void migrate_do_preamble(int send
}
@ -477,10 +477,10 @@ Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c
return 0;
}
#endif
Index: xen-4.5.1-testing/tools/libxl/xl_cmdtable.c
Index: xen-4.5.2-testing/tools/libxl/xl_cmdtable.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/xl_cmdtable.c
+++ xen-4.5.1-testing/tools/libxl/xl_cmdtable.c
--- xen-4.5.2-testing.orig/tools/libxl/xl_cmdtable.c
+++ xen-4.5.2-testing/tools/libxl/xl_cmdtable.c
@@ -155,14 +155,21 @@ struct cmd_spec cmd_table[] = {
&main_migrate, 0, 1,
"Migrate a domain to another host",


@ -10,11 +10,11 @@ Date: Wed Feb 12 11:15:17 2014 +0100
Suggested-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
Index: xen-4.5.1-testing/tools/libxl/libxl.c
Index: xen-4.5.2-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.1-testing/tools/libxl/libxl.c
@@ -3060,6 +3060,16 @@ void libxl__device_disk_local_initiate_a
--- xen-4.5.2-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.2-testing/tools/libxl/libxl.c
@@ -3067,6 +3067,16 @@ void libxl__device_disk_local_initiate_a
switch (disk->backend) {
case LIBXL_DISK_BACKEND_PHY:
@ -31,7 +31,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
LIBXL__LOG(ctx, LIBXL__LOG_DEBUG, "locally attaching PHY disk %s",
disk->pdev_path);
dev = disk->pdev_path;
@@ -3139,7 +3149,7 @@ static void local_device_attach_cb(libxl
@@ -3146,7 +3156,7 @@ static void local_device_attach_cb(libxl
}
dev = GCSPRINTF("/dev/%s", disk->vdev);
@ -40,7 +40,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
rc = libxl__device_from_disk(gc, LIBXL_TOOLSTACK_DOMID, disk, &device);
if (rc < 0)
@@ -3179,6 +3189,7 @@ void libxl__device_disk_local_initiate_d
@@ -3186,6 +3196,7 @@ void libxl__device_disk_local_initiate_d
if (!dls->diskpath) goto out;
switch (disk->backend) {
@ -48,7 +48,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c
case LIBXL_DISK_BACKEND_QDISK:
if (disk->vdev != NULL) {
GCNEW(device);
@@ -3196,7 +3207,6 @@ void libxl__device_disk_local_initiate_d
@@ -3203,7 +3214,6 @@ void libxl__device_disk_local_initiate_d
/* disk->vdev == NULL; fall through */
default:
/*


@ -1,7 +1,7 @@
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
--- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
@@ -935,8 +935,9 @@ static inline void ide_dma_submit_check(
static inline void ide_set_irq(IDEState *s)
@ -74,7 +74,7 @@ Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
if (ret < 0) {
ide_atapi_io_error(s, ret);
@@ -2372,7 +2375,7 @@ static void cdrom_change_cb(void *opaque
@@ -2365,7 +2368,7 @@ static void cdrom_change_cb(void *opaque
IDEState *s = opaque;
uint64_t nb_sectors;


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c1f3014c64957d0943cdef7b63bc57e2b753f9be658a031b441f6231814e6ba4
size 8191253
oid sha256:22d2fccd2c9f323897279d5adefaaf21e8c3eb61670f4bb4937a5c993b012643
size 8167861


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1d948c7524aee977d46bee0cb7666fd5fd6871ea5e201fcdc0680440d5b9b2b5
size 3231835
oid sha256:d08a4031b593048672772d438366f2242ca09a792949935293de5d663042f587
size 3230082


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:886bc593d99d6c7d7c1bf23cd9ea1254edcbc603a6ca300bcd96fa6961dc8df3
size 444471
oid sha256:772e5efd44072d44438d7e0b93ce9dec70823d6affc516249e3aabe65ebd607d
size 444597


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fe87c8073c4c8ccb0a1d9bf955fbace904018f3e52b80bc29b48de511175dfcc
size 17477740
oid sha256:990c3470aa76d9106da860b0e67b1fb36c33281a3e26e58ec89df6f44a0be037
size 17477301


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f8a182d001a54238b2420b7e0160e9f5827b4bf802fa958d31e8a44ec697fe7b
size 4119504


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ef9016f97076f85298500a01a3d4b4f6a4a3d608780233ef8bc78bd80ee71734
size 4124919


@ -1,3 +1,68 @@
-------------------------------------------------------------------
Wed Nov 4 10:33:59 MST 2015 - carnold@suse.com
- Update to Xen 4.5.2
xen-4.5.2-testing-src.tar.bz2
- Drop the following
xen-4.5.1-testing-src.tar.bz2
552d0f49-x86-traps-identify-the-vcpu-in-context-when-dumping-regs.patch
5576f178-kexec-add-more-pages-to-v1-environment.patch
55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch
558bfaa0-x86-traps-avoid-using-current-too-early.patch
5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch
559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch
559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch
559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch
559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch
559bdde5-pull-in-latest-linux-earlycpio.patch
55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch
55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch
55a77e4f-dmar-device-scope-mem-leak-fix.patch
55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch
55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch
55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch
55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch
55e43fd8-x86-NUMA-fix-setup_node.patch
55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch
55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch
55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch
55f9345b-x86-MSI-fail-if-no-hardware-support.patch
5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch
560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch
560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch
560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch
560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch
560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch
561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch
561d20a0-x86-hide-MWAITX-from-PV-domains.patch
561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch
563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
CVE-2015-4106-xsa131-9.patch CVE-2015-3259-xsa137.patch
CVE-2015-7311-xsa142.patch CVE-2015-7835-xsa148.patch
xsa139-qemuu.patch xsa140-qemuu-1.patch xsa140-qemuu-2.patch
xsa140-qemuu-3.patch xsa140-qemuu-4.patch xsa140-qemuu-5.patch
xsa140-qemuu-6.patch xsa140-qemuu-7.patch xsa140-qemut-1.patch
xsa140-qemut-2.patch xsa140-qemut-3.patch xsa140-qemut-4.patch
xsa140-qemut-5.patch xsa140-qemut-6.patch xsa140-qemut-7.patch
xsa151.patch xsa152.patch xsa153-libxl.patch
CVE-2015-5154-qemuu-check-array-bounds-before-writing-to-io_buffer.patch
CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch
CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch
CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch
CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
CVE-2015-5154-qemut-clear-DRQ-after-handling-all-expected-accesses.patch
CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch
CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch
CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch"
-------------------------------------------------------------------
Mon Nov 2 11:21:15 MST 2015 - carnold@suse.com
- bsc#950704 - CVE-2015-7970 VUL-1: xen: x86: Long latency
populate-on-demand operation is not preemptible (XSA-150)
563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
-------------------------------------------------------------------
Wed Oct 28 09:47:38 MDT 2015 - carnold@suse.com

180
xen.spec

@ -20,7 +20,7 @@
Name: xen
ExclusiveArch: %ix86 x86_64 %arm aarch64
%define changeset 30152
%define xen_build_dir xen-4.5.1-testing
%define xen_build_dir xen-4.5.2-testing
#
%define with_kmp 0
%define with_debug 0
@ -31,7 +31,7 @@ ExclusiveArch: %ix86 x86_64 %arm aarch64
%define with_oxenstored 0
#
%ifarch x86_64
%define with_kmp 1
%define with_kmp 0
%define with_debug 1
%define with_stubdom 1
%define with_gdbsx 1
@ -158,12 +158,12 @@ BuildRequires: xorg-x11-util-devel
%endif
%endif
Version: 4.5.1_13
Version: 4.5.2_01
Release: 0
Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
License: GPL-2.0
Group: System/Kernel
Source0: xen-4.5.1-testing-src.tar.bz2
Source0: xen-4.5.2-testing-src.tar.bz2
Source1: stubdom.tar.bz2
Source2: qemu-xen-traditional-dir-remote.tar.bz2
Source3: qemu-xen-dir-remote.tar.bz2
@ -204,79 +204,26 @@ Source20000: xenalyze.hg.tar.bz2
Patch1: 54f4985f-libxl-fix-libvirtd-double-free.patch
Patch2: 55103616-vm-assist-prepare-for-discontiguous-used-bit-numbers.patch
Patch3: 551ac326-xentop-add-support-for-qdisk.patch
Patch4: 552d0f49-x86-traps-identify-the-vcpu-in-context-when-dumping-regs.patch
Patch5: 552d293b-x86-vMSI-X-honor-all-mask-requests.patch
Patch6: 552d2966-x86-vMSI-X-add-valid-bits-for-read-acceleration.patch
Patch7: 5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch
Patch8: 5548e903-domctl-don-t-truncate-XEN_DOMCTL_max_mem-requests.patch
Patch9: 5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch
Patch10: 554cc211-libxl-add-qxl.patch
Patch11: 556d973f-unmodified-drivers-tolerate-IRQF_DISABLED-being-undefined.patch
Patch12: 5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch
Patch13: 5576f178-kexec-add-more-pages-to-v1-environment.patch
Patch14: 55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch
Patch15: 55795a52-x86-vMSI-X-support-qword-MMIO-access.patch
Patch16: 5583d9c5-x86-MSI-X-cleanup.patch
Patch17: 5583da09-x86-MSI-track-host-and-guest-masking-separately.patch
Patch18: 558bfaa0-x86-traps-avoid-using-current-too-early.patch
Patch19: 5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch
Patch20: 559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch
Patch21: 559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch
Patch22: 559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch
Patch23: 559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch
Patch24: 559bdde5-pull-in-latest-linux-earlycpio.patch
Patch25: 55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch
Patch26: 55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch
Patch27: 55a77e4f-dmar-device-scope-mem-leak-fix.patch
Patch28: 55b0a218-x86-PCI-CFG-write-intercept.patch
Patch29: 55b0a255-x86-MSI-X-maskall.patch
Patch30: 55b0a283-x86-MSI-X-teardown.patch
Patch31: 55b0a2ab-x86-MSI-X-enable.patch
Patch32: 55b0a2db-x86-MSI-track-guest-masking.patch
Patch33: 55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch
Patch34: 55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch
Patch35: 55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch
Patch36: 55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch
Patch37: 55e43fd8-x86-NUMA-fix-setup_node.patch
Patch38: 55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch
Patch39: 55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch
Patch40: 55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch
Patch41: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch
Patch42: 55f9345b-x86-MSI-fail-if-no-hardware-support.patch
Patch43: 5604f239-x86-PV-properly-populate-descriptor-tables.patch
Patch44: 5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch
Patch45: 560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch
Patch46: 560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch
Patch47: 560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch
Patch48: 560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch
Patch49: 560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch
Patch50: 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch
Patch51: 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
Patch52: 561d20a0-x86-hide-MWAITX-from-PV-domains.patch
Patch53: 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch
Patch131: CVE-2015-4106-xsa131-9.patch
Patch137: CVE-2015-3259-xsa137.patch
Patch139: xsa139-qemuu.patch
Patch14001: xsa140-qemuu-1.patch
Patch14002: xsa140-qemuu-2.patch
Patch14003: xsa140-qemuu-3.patch
Patch14004: xsa140-qemuu-4.patch
Patch14005: xsa140-qemuu-5.patch
Patch14006: xsa140-qemuu-6.patch
Patch14007: xsa140-qemuu-7.patch
Patch14011: xsa140-qemut-1.patch
Patch14012: xsa140-qemut-2.patch
Patch14013: xsa140-qemut-3.patch
Patch14014: xsa140-qemut-4.patch
Patch14015: xsa140-qemut-5.patch
Patch14016: xsa140-qemut-6.patch
Patch14017: xsa140-qemut-7.patch
Patch142: CVE-2015-7311-xsa142.patch
Patch148: CVE-2015-7835-xsa148.patch
Patch4: 552d293b-x86-vMSI-X-honor-all-mask-requests.patch
Patch5: 552d2966-x86-vMSI-X-add-valid-bits-for-read-acceleration.patch
Patch6: 5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch
Patch7: 5548e903-domctl-don-t-truncate-XEN_DOMCTL_max_mem-requests.patch
Patch8: 5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch
Patch9: 554cc211-libxl-add-qxl.patch
Patch10: 556d973f-unmodified-drivers-tolerate-IRQF_DISABLED-being-undefined.patch
Patch11: 5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch
Patch12: 55795a52-x86-vMSI-X-support-qword-MMIO-access.patch
Patch13: 5583d9c5-x86-MSI-X-cleanup.patch
Patch14: 5583da09-x86-MSI-track-host-and-guest-masking-separately.patch
Patch15: 55b0a218-x86-PCI-CFG-write-intercept.patch
Patch16: 55b0a255-x86-MSI-X-maskall.patch
Patch17: 55b0a283-x86-MSI-X-teardown.patch
Patch18: 55b0a2ab-x86-MSI-X-enable.patch
Patch19: 55b0a2db-x86-MSI-track-guest-masking.patch
Patch20: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch
Patch21: 5604f239-x86-PV-properly-populate-descriptor-tables.patch
Patch22: 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
Patch149: xsa149.patch
Patch151: xsa151.patch
Patch152: xsa152.patch
Patch153: xsa153-libxl.patch
# Upstream qemu
Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@ -287,20 +234,10 @@ Patch255: 0005-e1000-multi-buffer-packet-support.patch
Patch256: 0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch
Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch
Patch258: 0008-e1000-check-buffer-availability.patch
Patch259: CVE-2015-5154-qemuu-check-array-bounds-before-writing-to-io_buffer.patch
Patch260: CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch
Patch261: CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch
Patch262: CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch
Patch263: CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
Patch264: CVE-2015-5154-qemut-clear-DRQ-after-handling-all-expected-accesses.patch
Patch265: CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch
Patch266: CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
Patch267: CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch
Patch268: CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch
Patch269: CVE-2015-4037-qemuu-smb-config-dir-name.patch
Patch270: CVE-2015-4037-qemut-smb-config-dir-name.patch
Patch271: CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
Patch272: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
Patch259: CVE-2015-4037-qemuu-smb-config-dir-name.patch
Patch260: CVE-2015-4037-qemut-smb-config-dir-name.patch
Patch261: CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
Patch262: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
# Our platform specific patches
Patch301: xen-destdir.patch
Patch302: vif-bridge-no-iptables.patch
@ -642,60 +579,7 @@ Authors:
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%patch45 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch131 -p1
%patch137 -p1
%patch139 -p1
%patch14001 -p1
%patch14002 -p1
%patch14003 -p1
%patch14004 -p1
%patch14005 -p1
%patch14006 -p1
%patch14007 -p1
%patch14011 -p1
%patch14012 -p1
%patch14013 -p1
%patch14014 -p1
%patch14015 -p1
%patch14016 -p1
%patch14017 -p1
%patch142 -p1
%patch148 -p1
%patch149 -p1
%patch151 -p1
%patch152 -p1
%patch153 -p1
# Upstream qemu patches
%patch250 -p1
%patch251 -p1
@ -710,16 +594,6 @@ Authors:
%patch260 -p1
%patch261 -p1
%patch262 -p1
%patch263 -p1
%patch264 -p1
%patch265 -p1
%patch266 -p1
%patch267 -p1
%patch268 -p1
%patch269 -p1
%patch270 -p1
%patch271 -p1
%patch272 -p1
# Our platform specific patches
%patch301 -p1
%patch302 -p1
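Review bot: The qemu-side security patches are all dropped here (Patch139, Patch14001 to Patch14017, and the CVE-2015-5154, CVE-2015-6815 and CVE-2015-5239 entries at Patch259 to Patch268), yet only `Source0` changes name. Those patches target tools/qemu-xen-dir-remote and tools/qemu-xen-traditional-dir-remote, which appear to come from `Source2` and `Source3`; their file names carry no version, so this section cannot show that the refreshed tarballs contain the fixes. I would record that next to the sources, for example `# Source2/Source3 refreshed with 4.5.2; contain XSA-139, XSA-140, CVE-2015-5154, CVE-2015-6815, CVE-2015-5239`, after checking the unpacked trees for the added bounds checks. Separately, the `%ifarch x86_64` block appears to flip `%define with_kmp 1` to `%define with_kmp 0`, which is unrelated to the version bump and has no comment explaining it.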


@ -1,37 +0,0 @@
References: bsc#939709 XSA-139
pci_piix3_xen_ide_unplug should completely unhook the unplugged
IDEDevice from the corresponding BlockBackend, otherwise the next call
to release_drive will try to detach the drive again.
Suggested-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---
hw/ide/piix.c | 7 +++++++
1 file changed, 7 insertions(+)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/piix.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/ide/piix.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/piix.c
@@ -172,6 +172,7 @@ int pci_piix3_xen_ide_unplug(DeviceState
PCIIDEState *pci_ide;
DriveInfo *di;
int i = 0;
+ IDEDevice *idedev;
pci_ide = PCI_IDE(dev);
@@ -184,6 +185,12 @@ int pci_piix3_xen_ide_unplug(DeviceState
}
bdrv_close(di->bdrv);
pci_ide->bus[di->bus].ifs[di->unit].bs = NULL;
+ if (!(i % 2)) {
+ idedev = pci_ide->bus[di->bus].master;
+ } else {
+ idedev = pci_ide->bus[di->bus].slave;
+ }
+ idedev->conf.bs = NULL;
drive_put_ref(di);
}
}


@ -1,78 +0,0 @@
References: bsc#939712 XSA-140
From 5e0c290415b9d57077a86e70c8e6a058868334d3 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:16:58 +0100
Subject: [PATCH 1/7] rtl8139: avoid nested ifs in IP header parsing
Transmit offload needs to parse packet headers. If header fields have
unexpected values the offload processing is skipped.
The code currently uses nested ifs because there is relatively little
input validation. The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/rtl8139.c | 41 ++++++++++++++++++++++-------------------
1 file changed, 22 insertions(+), 19 deletions(-)
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
@@ -2113,26 +2113,30 @@ static int rtl8139_cplus_transmit_one(RT
size_t eth_payload_len = 0;
int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
- if (proto == ETH_P_IP)
+ if (proto != ETH_P_IP)
{
- DEBUG_PRINT(("RTL8139: +++ C+ mode has IP packet\n"));
+ goto skip_offload;
+ }
- /* not aligned */
- eth_payload_data = saved_buffer + ETH_HLEN;
- eth_payload_len = saved_size - ETH_HLEN;
-
- ip = (ip_header*)eth_payload_data;
-
- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
- DEBUG_PRINT(("RTL8139: +++ C+ mode packet has bad IP version %d expected %d\n", IP_HEADER_VERSION(ip), IP_HEADER_VERSION_4));
- ip = NULL;
- } else {
- hlen = IP_HEADER_LENGTH(ip);
- ip_protocol = ip->ip_p;
- ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
- }
+ DEBUG_PRINT(("RTL8139: +++ C+ mode has IP packet\n"));
+
+ /* not aligned */
+ eth_payload_data = saved_buffer + ETH_HLEN;
+ eth_payload_len = saved_size - ETH_HLEN;
+
+ ip = (ip_header*)eth_payload_data;
+
+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
+ DEBUG_PRINT(("RTL8139: +++ C+ mode packet has bad IP version %d "
+ "expected %d\n", IP_HEADER_VERSION(ip),
+ IP_HEADER_VERSION_4));
+ goto skip_offload;
}
+ hlen = IP_HEADER_LENGTH(ip);
+ ip_protocol = ip->ip_p;
+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
+
if (ip)
{
if (txdw0 & CP_TX_IPCS)
@@ -2315,6 +2319,7 @@ static int rtl8139_cplus_transmit_one(RT
}
}
+skip_offload:
/* update tally counter */
++s->tally_counters.TxOk;


@ -1,339 +0,0 @@
References: bsc#939712 XSA-140
From 2d7d80e8dc160904fa7276cc05da26c062a50066 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:16:59 +0100
Subject: [PATCH 2/7] rtl8139: drop tautologous if (ip) {...} statement
The previous patch stopped using the ip pointer as an indicator that the
IP header is present. When we reach the if (ip) {...} statement we know
ip is always non-NULL.
Remove the if statement to reduce nesting.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/rtl8139.c | 305 +++++++++++++++++++++++++++----------------------------
1 file changed, 151 insertions(+), 154 deletions(-)
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
@@ -2137,187 +2137,184 @@ static int rtl8139_cplus_transmit_one(RT
ip_protocol = ip->ip_p;
ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
- if (ip)
+ if (txdw0 & CP_TX_IPCS)
{
- if (txdw0 & CP_TX_IPCS)
- {
- DEBUG_PRINT(("RTL8139: +++ C+ mode need IP checksum\n"));
+ DEBUG_PRINT(("RTL8139: +++ C+ mode need IP checksum\n"));
- if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
- /* bad packet header len */
- /* or packet too short */
- }
- else
- {
- ip->ip_sum = 0;
- ip->ip_sum = ip_checksum(ip, hlen);
- DEBUG_PRINT(("RTL8139: +++ C+ mode IP header len=%d checksum=%04x\n", hlen, ip->ip_sum));
- }
+ if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
+ /* bad packet header len */
+ /* or packet too short */
}
-
- if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
+ else
{
-#if defined (DEBUG_RTL8139)
- int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
-#endif
- DEBUG_PRINT(("RTL8139: +++ C+ mode offloaded task TSO MTU=%d IP data %d frame data %d specified MSS=%d\n",
- ETH_MTU, ip_data_len, saved_size - ETH_HLEN, large_send_mss));
-
- int tcp_send_offset = 0;
- int send_count = 0;
+ ip->ip_sum = 0;
+ ip->ip_sum = ip_checksum(ip, hlen);
+ DEBUG_PRINT(("RTL8139: +++ C+ mode IP header len=%d checksum=%04x\n", hlen, ip->ip_sum));
+ }
+ }
- /* maximum IP header length is 60 bytes */
- uint8_t saved_ip_header[60];
+ if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
+ {
+ int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
- /* save IP header template; data area is used in tcp checksum calculation */
- memcpy(saved_ip_header, eth_payload_data, hlen);
+ DEBUG_PRINT(("RTL8139: +++ C+ mode offloaded task TSO MTU=%d IP data %d frame data %d specified MSS=%d\n",
+ ETH_MTU, ip_data_len, saved_size - ETH_HLEN, large_send_mss));
- /* a placeholder for checksum calculation routine in tcp case */
- uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
- // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
+ int tcp_send_offset = 0;
+ int send_count = 0;
- /* pointer to TCP header */
- tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
+ /* maximum IP header length is 60 bytes */
+ uint8_t saved_ip_header[60];
- int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
+ /* save IP header template; data area is used in tcp checksum calculation */
+ memcpy(saved_ip_header, eth_payload_data, hlen);
- /* ETH_MTU = ip header len + tcp header len + payload */
- int tcp_data_len = ip_data_len - tcp_hlen;
- int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
+ /* a placeholder for checksum calculation routine in tcp case */
+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO IP data len %d TCP hlen %d TCP data len %d TCP chunk size %d\n",
- ip_data_len, tcp_hlen, tcp_data_len, tcp_chunk_size));
+ /* pointer to TCP header */
+ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
- /* note the cycle below overwrites IP header data,
- but restores it from saved_ip_header before sending packet */
+ int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
- int is_last_frame = 0;
+ /* ETH_MTU = ip header len + tcp header len + payload */
+ int tcp_data_len = ip_data_len - tcp_hlen;
+ int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
- for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size)
- {
- uint16_t chunk_size = tcp_chunk_size;
+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO IP data len %d TCP hlen %d TCP data len %d TCP chunk size %d\n",
+ ip_data_len, tcp_hlen, tcp_data_len, tcp_chunk_size));
- /* check if this is the last frame */
- if (tcp_send_offset + tcp_chunk_size >= tcp_data_len)
- {
- is_last_frame = 1;
- chunk_size = tcp_data_len - tcp_send_offset;
- }
+ /* note the cycle below overwrites IP header data,
+ but restores it from saved_ip_header before sending packet */
- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO TCP seqno %08x\n", be32_to_cpu(p_tcp_hdr->th_seq)));
+ int is_last_frame = 0;
- /* add 4 TCP pseudoheader fields */
- /* copy IP source and destination fields */
- memcpy(data_to_checksum, saved_ip_header + 12, 8);
+ for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size)
+ {
+ uint16_t chunk_size = tcp_chunk_size;
- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO calculating TCP checksum for packet with %d bytes data\n", tcp_hlen + chunk_size));
+ /* check if this is the last frame */
+ if (tcp_send_offset + tcp_chunk_size >= tcp_data_len)
+ {
+ is_last_frame = 1;
+ chunk_size = tcp_data_len - tcp_send_offset;
+ }
- if (tcp_send_offset)
- {
- memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size);
- }
+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO TCP seqno %08x\n", be32_to_cpu(p_tcp_hdr->th_seq)));
- /* keep PUSH and FIN flags only for the last frame */
- if (!is_last_frame)
- {
- TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN);
- }
+ /* add 4 TCP pseudoheader fields */
+ /* copy IP source and destination fields */
+ memcpy(data_to_checksum, saved_ip_header + 12, 8);
- /* recalculate TCP checksum */
- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
- p_tcpip_hdr->zeros = 0;
- p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
- p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size);
+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO calculating TCP checksum for packet with %d bytes data\n", tcp_hlen + chunk_size));
- p_tcp_hdr->th_sum = 0;
+ if (tcp_send_offset)
+ {
+ DEBUG_PRINT(("RTL8139: +++ C+ mode calculating TCP checksum for packet with %d bytes data\n", ip_data_len));
+ memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size);
+ }
- int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12);
- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO TCP checksum %04x\n", tcp_checksum));
+ /* keep PUSH and FIN flags only for the last frame */
+ if (!is_last_frame)
+ {
+ TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN);
+ }
- p_tcp_hdr->th_sum = tcp_checksum;
+ /* recalculate TCP checksum */
+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
+ p_tcpip_hdr->zeros = 0;
+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
+ p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size);
- /* restore IP header */
- memcpy(eth_payload_data, saved_ip_header, hlen);
+ p_tcp_hdr->th_sum = 0;
- /* set IP data length and recalculate IP checksum */
- ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size);
+ int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12);
+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO TCP checksum %04x\n", tcp_checksum));
- /* increment IP id for subsequent frames */
- ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id));
+ p_tcp_hdr->th_sum = tcp_checksum;
- ip->ip_sum = 0;
- ip->ip_sum = ip_checksum(eth_payload_data, hlen);
- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO IP header len=%d checksum=%04x\n", hlen, ip->ip_sum));
+ /* restore IP header */
+ memcpy(eth_payload_data, saved_ip_header, hlen);
- int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size;
- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO transferring packet size %d\n", tso_send_size));
- rtl8139_transfer_frame(s, saved_buffer, tso_send_size, 0);
+ /* set IP data length and recalculate IP checksum */
+ ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size);
- /* add transferred count to TCP sequence number */
- p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq));
- ++send_count;
- }
+ /* increment IP id for subsequent frames */
+ ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id));
- /* Stop sending this frame */
- saved_size = 0;
+ ip->ip_sum = 0;
+ ip->ip_sum = ip_checksum(eth_payload_data, hlen);
+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO IP header len=%d checksum=%04x\n", hlen, ip->ip_sum));
+
+ int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size;
+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO transferring packet size %d\n", tso_send_size));
+ rtl8139_transfer_frame(s, saved_buffer, tso_send_size, 0);
+
+ /* add transferred count to TCP sequence number */
+ p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq));
+ ++send_count;
}
- else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS))
- {
- DEBUG_PRINT(("RTL8139: +++ C+ mode need TCP or UDP checksum\n"));
- /* maximum IP header length is 60 bytes */
- uint8_t saved_ip_header[60];
- memcpy(saved_ip_header, eth_payload_data, hlen);
+ /* Stop sending this frame */
+ saved_size = 0;
+ }
+ else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS))
+ {
+ DEBUG_PRINT(("RTL8139: +++ C+ mode need TCP or UDP checksum\n"));
- uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
- // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
+ /* maximum IP header length is 60 bytes */
+ uint8_t saved_ip_header[60];
+ memcpy(saved_ip_header, eth_payload_data, hlen);
- /* add 4 TCP pseudoheader fields */
- /* copy IP source and destination fields */
- memcpy(data_to_checksum, saved_ip_header + 12, 8);
+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
- if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP)
- {
- DEBUG_PRINT(("RTL8139: +++ C+ mode calculating TCP checksum for packet with %d bytes data\n", ip_data_len));
+ /* add 4 TCP pseudoheader fields */
+ /* copy IP source and destination fields */
+ memcpy(data_to_checksum, saved_ip_header + 12, 8);
- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
- p_tcpip_hdr->zeros = 0;
- p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
- p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
+ if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP)
+ {
+ DEBUG_PRINT(("RTL8139: +++ C+ mode calculating TCP checksum for packet with %d bytes data\n", ip_data_len));
- tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12);
+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
+ p_tcpip_hdr->zeros = 0;
+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
+ p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
- p_tcp_hdr->th_sum = 0;
+ tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12);
- int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
- DEBUG_PRINT(("RTL8139: +++ C+ mode TCP checksum %04x\n", tcp_checksum));
+ p_tcp_hdr->th_sum = 0;
- p_tcp_hdr->th_sum = tcp_checksum;
- }
- else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP)
- {
- DEBUG_PRINT(("RTL8139: +++ C+ mode calculating UDP checksum for packet with %d bytes data\n", ip_data_len));
+ int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
+ DEBUG_PRINT(("RTL8139: +++ C+ mode TCP checksum %04x\n", tcp_checksum));
- ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum;
- p_udpip_hdr->zeros = 0;
- p_udpip_hdr->ip_proto = IP_PROTO_UDP;
- p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
+ p_tcp_hdr->th_sum = tcp_checksum;
+ }
+ else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP)
+ {
+ DEBUG_PRINT(("RTL8139: +++ C+ mode calculating UDP checksum for packet with %d bytes data\n", ip_data_len));
- udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12);
+ ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum;
+ p_udpip_hdr->zeros = 0;
+ p_udpip_hdr->ip_proto = IP_PROTO_UDP;
+ p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
- p_udp_hdr->uh_sum = 0;
+ udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12);
- int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
- DEBUG_PRINT(("RTL8139: +++ C+ mode UDP checksum %04x\n", udp_checksum));
+ p_udp_hdr->uh_sum = 0;
- p_udp_hdr->uh_sum = udp_checksum;
- }
+ int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
+ DEBUG_PRINT(("RTL8139: +++ C+ mode UDP checksum %04x\n", udp_checksum));
- /* restore IP header */
- memcpy(eth_payload_data, saved_ip_header, hlen);
+ p_udp_hdr->uh_sum = udp_checksum;
}
+
+ /* restore IP header */
+ memcpy(eth_payload_data, saved_ip_header, hlen);
}
- }
+ }
skip_offload:
/* update tally counter */


@ -1,38 +0,0 @@
References: bsc#939712 XSA-140
From 043d28507ef7c5fdc34866f5e3b27a72bd0cd072 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:00 +0100
Subject: [PATCH 3/7] rtl8139: skip offload on short Ethernet/IP header
Transmit offload features access Ethernet and IP headers the packet. If
the packet is too short we must not attempt to access header fields:
int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
...
eth_payload_data = saved_buffer + ETH_HLEN;
...
ip = (ip_header*)eth_payload_data;
if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/rtl8139.c | 5 +++++
1 file changed, 5 insertions(+)
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
@@ -2103,6 +2103,11 @@ static int rtl8139_cplus_transmit_one(RT
#define ETH_HLEN 14
#define ETH_MTU 1500
+ /* Large enough for Ethernet and IP headers? */
+ if (saved_size < ETH_HLEN + sizeof(ip_header)) {
+ goto skip_offload;
+ }
+
/* ip packet header */
ip_header *ip = 0;
int hlen = 0;


@ -1,50 +0,0 @@
References: bsc#939712 XSA-140
From 5a75d242fe019d05b46ef9bc330a6892525c84a7 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:01 +0100
Subject: [PATCH 4/7] rtl8139: check IP Header Length field
The IP Header Length field was only checked in the IP checksum case, but
is used in other cases too.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/rtl8139.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
@@ -2139,6 +2139,10 @@ static int rtl8139_cplus_transmit_one(RT
}
hlen = IP_HEADER_LENGTH(ip);
+ if (hlen < sizeof(ip_header) || hlen > eth_payload_len) {
+ goto skip_offload;
+ }
+
ip_protocol = ip->ip_p;
ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
@@ -2146,16 +2150,9 @@ static int rtl8139_cplus_transmit_one(RT
{
DEBUG_PRINT(("RTL8139: +++ C+ mode need IP checksum\n"));
- if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
- /* bad packet header len */
- /* or packet too short */
- }
- else
- {
- ip->ip_sum = 0;
- ip->ip_sum = ip_checksum(ip, hlen);
- DEBUG_PRINT(("RTL8139: +++ C+ mode IP header len=%d checksum=%04x\n", hlen, ip->ip_sum));
- }
+ ip->ip_sum = 0;
+ ip->ip_sum = ip_checksum(ip, hlen);
+ DEBUG_PRINT(("RTL8139: +++ C+ mode IP header len=%d checksum=%04x\n", hlen, ip->ip_sum));
}
if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)


@ -1,33 +0,0 @@
References: bsc#939712 XSA-140
From 6c79ea275d72bc1fd88bdcf1e7d231b2c9c865de Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:02 +0100
Subject: [PATCH 5/7] rtl8139: check IP Total Length field
The IP Total Length field includes the IP header and data. Make sure it
is valid and does not exceed the Ethernet payload size.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/rtl8139.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
@@ -2144,7 +2144,12 @@ static int rtl8139_cplus_transmit_one(RT
}
ip_protocol = ip->ip_p;
- ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
+
+ ip_data_len = be16_to_cpu(ip->ip_len);
+ if (ip_data_len < hlen || ip_data_len > eth_payload_len) {
+ goto skip_offload;
+ }
+ ip_data_len -= hlen;
if (txdw0 & CP_TX_IPCS)
{


@ -1,34 +0,0 @@
References: bsc#939712 XSA-140
From 30aa7be430e7c982e9163f3bcc745d3aa57b6aa4 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:03 +0100
Subject: [PATCH 6/7] rtl8139: skip offload on short TCP header
TCP Large Segment Offload accesses the TCP header in the packet. If the
packet is too short we must not attempt to access header fields:
tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/rtl8139.c | 5 +++++
1 file changed, 5 insertions(+)
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
@@ -2162,6 +2162,11 @@ static int rtl8139_cplus_transmit_one(RT
if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
{
+ /* Large enough for the TCP header? */
+ if (ip_data_len < sizeof(tcp_header)) {
+ goto skip_offload;
+ }
+
int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
DEBUG_PRINT(("RTL8139: +++ C+ mode offloaded task TSO MTU=%d IP data %d frame data %d specified MSS=%d\n",


@ -1,31 +0,0 @@
References: bsc#939712 XSA-140
From 9a084807bf6ca7c16d997a236d304111894a6539 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:04 +0100
Subject: [PATCH 7/7] rtl8139: check TCP Data Offset field
The TCP Data Offset field contains the length of the header. Make sure
it is valid and does not exceed the IP data length.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/rtl8139.c | 5 +++++
1 file changed, 5 insertions(+)
Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c
@@ -2190,6 +2190,11 @@ static int rtl8139_cplus_transmit_one(RT
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
+ /* Invalid TCP data offset? */
+ if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) {
+ goto skip_offload;
+ }
+
/* ETH_MTU = ip header len + tcp header len + payload */
int tcp_data_len = ip_data_len - tcp_hlen;
int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;


@ -1,80 +0,0 @@
References: bsc#939712 XSA-140
From 5e0c290415b9d57077a86e70c8e6a058868334d3 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:16:58 +0100
Subject: [PATCH 1/7] rtl8139: avoid nested ifs in IP header parsing
Transmit offload needs to parse packet headers. If header fields have
unexpected values the offload processing is skipped.
The code currently uses nested ifs because there is relatively little
input validation. The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/rtl8139.c | 41 ++++++++++++++++++++++-------------------
1 file changed, 22 insertions(+), 19 deletions(-)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
@@ -2171,28 +2171,30 @@ static int rtl8139_cplus_transmit_one(RT
size_t eth_payload_len = 0;
int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
- if (proto == ETH_P_IP)
+ if (proto != ETH_P_IP)
{
- DPRINTF("+++ C+ mode has IP packet\n");
+ goto skip_offload;
+ }
- /* not aligned */
- eth_payload_data = saved_buffer + ETH_HLEN;
- eth_payload_len = saved_size - ETH_HLEN;
-
- ip = (ip_header*)eth_payload_data;
-
- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
- DPRINTF("+++ C+ mode packet has bad IP version %d "
- "expected %d\n", IP_HEADER_VERSION(ip),
- IP_HEADER_VERSION_4);
- ip = NULL;
- } else {
- hlen = IP_HEADER_LENGTH(ip);
- ip_protocol = ip->ip_p;
- ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
- }
+ DPRINTF("+++ C+ mode has IP packet\n");
+
+ /* not aligned */
+ eth_payload_data = saved_buffer + ETH_HLEN;
+ eth_payload_len = saved_size - ETH_HLEN;
+
+ ip = (ip_header*)eth_payload_data;
+
+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
+ DPRINTF("+++ C+ mode packet has bad IP version %d "
+ "expected %d\n", IP_HEADER_VERSION(ip),
+ IP_HEADER_VERSION_4);
+ goto skip_offload;
}
+ hlen = IP_HEADER_LENGTH(ip);
+ ip_protocol = ip->ip_p;
+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
+
if (ip)
{
if (txdw0 & CP_TX_IPCS)
@@ -2388,6 +2390,7 @@ static int rtl8139_cplus_transmit_one(RT
}
}
+skip_offload:
/* update tally counter */
++s->tally_counters.TxOk;


@ -1,372 +0,0 @@
References: bsc#939712 XSA-140
From 2d7d80e8dc160904fa7276cc05da26c062a50066 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:16:59 +0100
Subject: [PATCH 2/7] rtl8139: drop tautologous if (ip) {...} statement
The previous patch stopped using the ip pointer as an indicator that the
IP header is present. When we reach the if (ip) {...} statement we know
ip is always non-NULL.
Remove the if statement to reduce nesting.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/rtl8139.c | 305 +++++++++++++++++++++++++++----------------------------
1 file changed, 151 insertions(+), 154 deletions(-)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
@@ -2195,198 +2195,195 @@ static int rtl8139_cplus_transmit_one(RT
ip_protocol = ip->ip_p;
ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
- if (ip)
+ if (txdw0 & CP_TX_IPCS)
{
- if (txdw0 & CP_TX_IPCS)
- {
- DPRINTF("+++ C+ mode need IP checksum\n");
+ DPRINTF("+++ C+ mode need IP checksum\n");
- if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
- /* bad packet header len */
- /* or packet too short */
- }
- else
- {
- ip->ip_sum = 0;
- ip->ip_sum = ip_checksum(ip, hlen);
- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
- hlen, ip->ip_sum);
- }
+ if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
+ /* bad packet header len */
+ /* or packet too short */
}
-
- if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
+ else
{
- int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
-
- DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d "
- "frame data %d specified MSS=%d\n", ETH_MTU,
- ip_data_len, saved_size - ETH_HLEN, large_send_mss);
+ ip->ip_sum = 0;
+ ip->ip_sum = ip_checksum(ip, hlen);
+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
+ hlen, ip->ip_sum);
+ }
+ }
- int tcp_send_offset = 0;
- int send_count = 0;
+ if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
+ {
+ int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
- /* maximum IP header length is 60 bytes */
- uint8_t saved_ip_header[60];
+ DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d "
+ "frame data %d specified MSS=%d\n", ETH_MTU,
+ ip_data_len, saved_size - ETH_HLEN, large_send_mss);
- /* save IP header template; data area is used in tcp checksum calculation */
- memcpy(saved_ip_header, eth_payload_data, hlen);
+ int tcp_send_offset = 0;
+ int send_count = 0;
- /* a placeholder for checksum calculation routine in tcp case */
- uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
- // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
+ /* maximum IP header length is 60 bytes */
+ uint8_t saved_ip_header[60];
- /* pointer to TCP header */
- tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
+ /* save IP header template; data area is used in tcp checksum calculation */
+ memcpy(saved_ip_header, eth_payload_data, hlen);
- int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
+ /* a placeholder for checksum calculation routine in tcp case */
+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
- /* ETH_MTU = ip header len + tcp header len + payload */
- int tcp_data_len = ip_data_len - tcp_hlen;
- int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
+ /* pointer to TCP header */
+ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
- DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP "
- "data len %d TCP chunk size %d\n", ip_data_len,
- tcp_hlen, tcp_data_len, tcp_chunk_size);
+ int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
- /* note the cycle below overwrites IP header data,
- but restores it from saved_ip_header before sending packet */
+ /* ETH_MTU = ip header len + tcp header len + payload */
+ int tcp_data_len = ip_data_len - tcp_hlen;
+ int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
- int is_last_frame = 0;
+ DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP "
+ "data len %d TCP chunk size %d\n", ip_data_len,
+ tcp_hlen, tcp_data_len, tcp_chunk_size);
- for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size)
- {
- uint16_t chunk_size = tcp_chunk_size;
+ /* note the cycle below overwrites IP header data,
+ but restores it from saved_ip_header before sending packet */
- /* check if this is the last frame */
- if (tcp_send_offset + tcp_chunk_size >= tcp_data_len)
- {
- is_last_frame = 1;
- chunk_size = tcp_data_len - tcp_send_offset;
- }
-
- DPRINTF("+++ C+ mode TSO TCP seqno %08x\n",
- be32_to_cpu(p_tcp_hdr->th_seq));
-
- /* add 4 TCP pseudoheader fields */
- /* copy IP source and destination fields */
- memcpy(data_to_checksum, saved_ip_header + 12, 8);
-
- DPRINTF("+++ C+ mode TSO calculating TCP checksum for "
- "packet with %d bytes data\n", tcp_hlen +
- chunk_size);
-
- if (tcp_send_offset)
- {
- memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size);
- }
-
- /* keep PUSH and FIN flags only for the last frame */
- if (!is_last_frame)
- {
- TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN);
- }
-
- /* recalculate TCP checksum */
- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
- p_tcpip_hdr->zeros = 0;
- p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
- p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size);
-
- p_tcp_hdr->th_sum = 0;
-
- int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12);
- DPRINTF("+++ C+ mode TSO TCP checksum %04x\n",
- tcp_checksum);
-
- p_tcp_hdr->th_sum = tcp_checksum;
-
- /* restore IP header */
- memcpy(eth_payload_data, saved_ip_header, hlen);
-
- /* set IP data length and recalculate IP checksum */
- ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size);
-
- /* increment IP id for subsequent frames */
- ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id));
-
- ip->ip_sum = 0;
- ip->ip_sum = ip_checksum(eth_payload_data, hlen);
- DPRINTF("+++ C+ mode TSO IP header len=%d "
- "checksum=%04x\n", hlen, ip->ip_sum);
-
- int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size;
- DPRINTF("+++ C+ mode TSO transferring packet size "
- "%d\n", tso_send_size);
- rtl8139_transfer_frame(s, saved_buffer, tso_send_size,
- 0, (uint8_t *) dot1q_buffer);
-
- /* add transferred count to TCP sequence number */
- p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq));
- ++send_count;
- }
+ int is_last_frame = 0;
- /* Stop sending this frame */
- saved_size = 0;
- }
- else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS))
+ for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size)
{
- DPRINTF("+++ C+ mode need TCP or UDP checksum\n");
+ uint16_t chunk_size = tcp_chunk_size;
- /* maximum IP header length is 60 bytes */
- uint8_t saved_ip_header[60];
- memcpy(saved_ip_header, eth_payload_data, hlen);
+ /* check if this is the last frame */
+ if (tcp_send_offset + tcp_chunk_size >= tcp_data_len)
+ {
+ is_last_frame = 1;
+ chunk_size = tcp_data_len - tcp_send_offset;
+ }
- uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
- // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
+ DPRINTF("+++ C+ mode TSO TCP seqno %08x\n",
+ be32_to_cpu(p_tcp_hdr->th_seq));
/* add 4 TCP pseudoheader fields */
/* copy IP source and destination fields */
memcpy(data_to_checksum, saved_ip_header + 12, 8);
- if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP)
+ DPRINTF("+++ C+ mode TSO calculating TCP checksum for "
+ "packet with %d bytes data\n", tcp_hlen +
+ chunk_size);
+
+ if (tcp_send_offset)
{
- DPRINTF("+++ C+ mode calculating TCP checksum for "
- "packet with %d bytes data\n", ip_data_len);
+ memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size);
+ }
- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
- p_tcpip_hdr->zeros = 0;
- p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
- p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
+ /* keep PUSH and FIN flags only for the last frame */
+ if (!is_last_frame)
+ {
+ TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN);
+ }
- tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12);
+ /* recalculate TCP checksum */
+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
+ p_tcpip_hdr->zeros = 0;
+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
+ p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size);
+
+ p_tcp_hdr->th_sum = 0;
+
+ int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12);
+ DPRINTF("+++ C+ mode TSO TCP checksum %04x\n",
+ tcp_checksum);
- p_tcp_hdr->th_sum = 0;
+ p_tcp_hdr->th_sum = tcp_checksum;
- int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
- DPRINTF("+++ C+ mode TCP checksum %04x\n",
- tcp_checksum);
+ /* restore IP header */
+ memcpy(eth_payload_data, saved_ip_header, hlen);
- p_tcp_hdr->th_sum = tcp_checksum;
- }
- else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP)
- {
- DPRINTF("+++ C+ mode calculating UDP checksum for "
- "packet with %d bytes data\n", ip_data_len);
+ /* set IP data length and recalculate IP checksum */
+ ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size);
- ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum;
- p_udpip_hdr->zeros = 0;
- p_udpip_hdr->ip_proto = IP_PROTO_UDP;
- p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
+ /* increment IP id for subsequent frames */
+ ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id));
- udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12);
+ ip->ip_sum = 0;
+ ip->ip_sum = ip_checksum(eth_payload_data, hlen);
+ DPRINTF("+++ C+ mode TSO IP header len=%d "
+ "checksum=%04x\n", hlen, ip->ip_sum);
+
+ int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size;
+ DPRINTF("+++ C+ mode TSO transferring packet size "
+ "%d\n", tso_send_size);
+ rtl8139_transfer_frame(s, saved_buffer, tso_send_size,
+ 0, (uint8_t *) dot1q_buffer);
+
+ /* add transferred count to TCP sequence number */
+ p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq));
+ ++send_count;
+ }
- p_udp_hdr->uh_sum = 0;
+ /* Stop sending this frame */
+ saved_size = 0;
+ }
+ else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS))
+ {
+ DPRINTF("+++ C+ mode need TCP or UDP checksum\n");
- int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
- DPRINTF("+++ C+ mode UDP checksum %04x\n",
- udp_checksum);
+ /* maximum IP header length is 60 bytes */
+ uint8_t saved_ip_header[60];
+ memcpy(saved_ip_header, eth_payload_data, hlen);
- p_udp_hdr->uh_sum = udp_checksum;
- }
+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
- /* restore IP header */
- memcpy(eth_payload_data, saved_ip_header, hlen);
+ /* add 4 TCP pseudoheader fields */
+ /* copy IP source and destination fields */
+ memcpy(data_to_checksum, saved_ip_header + 12, 8);
+
+ if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP)
+ {
+ DPRINTF("+++ C+ mode calculating TCP checksum for "
+ "packet with %d bytes data\n", ip_data_len);
+
+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
+ p_tcpip_hdr->zeros = 0;
+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
+ p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
+
+ tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12);
+
+ p_tcp_hdr->th_sum = 0;
+
+ int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
+ DPRINTF("+++ C+ mode TCP checksum %04x\n",
+ tcp_checksum);
+
+ p_tcp_hdr->th_sum = tcp_checksum;
+ }
+ else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP)
+ {
+ DPRINTF("+++ C+ mode calculating UDP checksum for "
+ "packet with %d bytes data\n", ip_data_len);
+
+ ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum;
+ p_udpip_hdr->zeros = 0;
+ p_udpip_hdr->ip_proto = IP_PROTO_UDP;
+ p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
+
+ udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12);
+
+ p_udp_hdr->uh_sum = 0;
+
+ int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
+ DPRINTF("+++ C+ mode UDP checksum %04x\n",
+ udp_checksum);
+
+ p_udp_hdr->uh_sum = udp_checksum;
}
+
+ /* restore IP header */
+ memcpy(eth_payload_data, saved_ip_header, hlen);
}
}


@ -1,38 +0,0 @@
References: bsc#939712 XSA-140
From 043d28507ef7c5fdc34866f5e3b27a72bd0cd072 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:00 +0100
Subject: [PATCH 3/7] rtl8139: skip offload on short Ethernet/IP header
Transmit offload features access Ethernet and IP headers the packet. If
the packet is too short we must not attempt to access header fields:
int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
...
eth_payload_data = saved_buffer + ETH_HLEN;
...
ip = (ip_header*)eth_payload_data;
if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/rtl8139.c | 5 +++++
1 file changed, 5 insertions(+)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
@@ -2161,6 +2161,11 @@ static int rtl8139_cplus_transmit_one(RT
{
DPRINTF("+++ C+ mode offloaded task checksum\n");
+ /* Large enough for Ethernet and IP headers? */
+ if (saved_size < ETH_HLEN + sizeof(ip_header)) {
+ goto skip_offload;
+ }
+
/* ip packet header */
ip_header *ip = NULL;
int hlen = 0;


@ -1,52 +0,0 @@
References: bsc#939712 XSA-140
From 5a75d242fe019d05b46ef9bc330a6892525c84a7 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:01 +0100
Subject: [PATCH 4/7] rtl8139: check IP Header Length field
The IP Header Length field was only checked in the IP checksum case, but
is used in other cases too.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/rtl8139.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
@@ -2197,6 +2197,10 @@ static int rtl8139_cplus_transmit_one(RT
}
hlen = IP_HEADER_LENGTH(ip);
+ if (hlen < sizeof(ip_header) || hlen > eth_payload_len) {
+ goto skip_offload;
+ }
+
ip_protocol = ip->ip_p;
ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
@@ -2204,17 +2208,10 @@ static int rtl8139_cplus_transmit_one(RT
{
DPRINTF("+++ C+ mode need IP checksum\n");
- if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
- /* bad packet header len */
- /* or packet too short */
- }
- else
- {
- ip->ip_sum = 0;
- ip->ip_sum = ip_checksum(ip, hlen);
- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
- hlen, ip->ip_sum);
- }
+ ip->ip_sum = 0;
+ ip->ip_sum = ip_checksum(ip, hlen);
+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
+ hlen, ip->ip_sum);
}
if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)


@ -1,33 +0,0 @@
References: bsc#939712 XSA-140
From 6c79ea275d72bc1fd88bdcf1e7d231b2c9c865de Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:02 +0100
Subject: [PATCH 5/7] rtl8139: check IP Total Length field
The IP Total Length field includes the IP header and data. Make sure it
is valid and does not exceed the Ethernet payload size.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/rtl8139.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
@@ -2202,7 +2202,12 @@ static int rtl8139_cplus_transmit_one(RT
}
ip_protocol = ip->ip_p;
- ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
+
+ ip_data_len = be16_to_cpu(ip->ip_len);
+ if (ip_data_len < hlen || ip_data_len > eth_payload_len) {
+ goto skip_offload;
+ }
+ ip_data_len -= hlen;
if (txdw0 & CP_TX_IPCS)
{


@ -1,34 +0,0 @@
References: bsc#939712 XSA-140
From 30aa7be430e7c982e9163f3bcc745d3aa57b6aa4 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:03 +0100
Subject: [PATCH 6/7] rtl8139: skip offload on short TCP header
TCP Large Segment Offload accesses the TCP header in the packet. If the
packet is too short we must not attempt to access header fields:
tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/rtl8139.c | 5 +++++
1 file changed, 5 insertions(+)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
@@ -2221,6 +2221,11 @@ static int rtl8139_cplus_transmit_one(RT
if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
{
+ /* Large enough for the TCP header? */
+ if (ip_data_len < sizeof(tcp_header)) {
+ goto skip_offload;
+ }
+
int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d "


@ -1,31 +0,0 @@
References: bsc#939712 XSA-140
From 9a084807bf6ca7c16d997a236d304111894a6539 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:04 +0100
Subject: [PATCH 7/7] rtl8139: check TCP Data Offset field
The TCP Data Offset field contains the length of the header. Make sure
it is valid and does not exceed the IP data length.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/rtl8139.c | 5 +++++
1 file changed, 5 insertions(+)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c
@@ -2250,6 +2250,11 @@ static int rtl8139_cplus_transmit_one(RT
int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
+ /* Invalid TCP data offset? */
+ if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) {
+ goto skip_offload;
+ }
+
/* ETH_MTU = ip header len + tcp header len + payload */
int tcp_data_len = ip_data_len - tcp_hlen;
int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;


@ -8,15 +8,15 @@ This is XSA-149.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.5.1-testing/xen/common/domain.c
Index: xen-4.5.2-testing/xen/common/domain.c
===================================================================
--- xen-4.5.1-testing.orig/xen/common/domain.c
+++ xen-4.5.1-testing/xen/common/domain.c
@@ -831,6 +831,7 @@ static void complete_domain_destroy(stru
xsm_free_security_domain(d);
--- xen-4.5.2-testing.orig/xen/common/domain.c
+++ xen-4.5.2-testing/xen/common/domain.c
@@ -406,6 +406,7 @@ struct domain *domain_create(
if ( init_status & INIT_xsm )
xsm_free_security_domain(d);
free_cpumask_var(d->domain_dirty_cpumask);
+ xfree(d->vcpu);
free_domain_struct(d);
send_global_virq(VIRQ_DOM_EXC);
return ERR_PTR(err);
}
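Review bot: The refreshed hunk no longer anchors where the original did: the old header names `complete_domain_destroy`, while the new one names `domain_create` with `if ( init_status & INIT_xsm )` and `return ERR_PTR(err);` as context, so `xfree(d->vcpu);` now appears to land in the creation failure path rather than in domain teardown. That looks like a fuzzy refresh against a tree that may already carry the XSA-149 fix in its original place; if the 4.5.2 tarball includes it, this patch should be dropped along with the other patches removed in this commit rather than re-anchored. If it is kept on purpose, the patch description should say so, for example `Also free d->vcpu on the domain_create() failure path.` The old and new sides here are inferred from the rendered order, and both functions continue outside the hunk.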


@ -1,30 +0,0 @@
xenoprof: free domain's vcpu array
This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
guest").
This is XSA-151.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
Index: xen-4.5.1-testing/xen/common/xenoprof.c
===================================================================
--- xen-4.5.1-testing.orig/xen/common/xenoprof.c
+++ xen-4.5.1-testing/xen/common/xenoprof.c
@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct(
d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0);
if ( d->xenoprof->rawbuf == NULL )
{
+ xfree(d->xenoprof->vcpu);
xfree(d->xenoprof);
d->xenoprof = NULL;
return -ENOMEM;
@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain *
free_xenheap_pages(x->rawbuf, order);
}
+ xfree(x->vcpu);
xfree(x);
d->xenoprof = NULL;
}


@ -1,43 +0,0 @@
x86: rate-limit logging in do_xen{oprof,pmu}_op()
Some of the sub-ops are acessible to all guests, and hence should be
rate-limited. In the xenoprof case, just like for XSA-146, include them
only in debug builds. Since the vPMU code is rather new, allow them to
be always present, but downgrade them to (rate limited) guest messages.
This is XSA-152.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Index: xen-4.5.1-testing/xen/common/xenoprof.c
===================================================================
--- xen-4.5.1-testing.orig/xen/common/xenoprof.c
+++ xen-4.5.1-testing/xen/common/xenoprof.c
@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
if ( (op < 0) || (op > XENOPROF_last_op) )
{
- printk("xenoprof: invalid operation %d for domain %d\n",
- op, current->domain->domain_id);
+ gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op);
return -EINVAL;
}
if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) )
{
- printk("xenoprof: dom %d denied privileged operation %d\n",
- current->domain->domain_id, op);
+ gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op);
return -EPERM;
}
@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
spin_unlock(&xenoprof_lock);
if ( ret < 0 )
- printk("xenoprof: operation %d failed for dom %d (status : %d)\n",
- op, current->domain->domain_id, ret);
+ gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret);
return ret;
}


@ -1,83 +0,0 @@
From 27593ec62bdad8621df910931349d964a6dbaa8c Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Wed, 21 Oct 2015 16:18:30 +0100
Subject: [PATCH XSA-153 v3] libxl: adjust PoD target by memory fudge, too
PoD guests need to balloon at least as far as required by PoD, or risk
crashing. Currently they don't necessarily know what the right value
is, because our memory accounting is (at the very least) confusing.
Apply the memory limit fudge factor to the in-hypervisor PoD memory
target, too. This will increase the size of the guest's PoD cache by
the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby). This ensures
that even with a slightly-off balloon driver, the guest will be
stable even under memory pressure.
There are two call sites of xc_domain_set_pod_target that need fixing:
The one in libxl_set_memory_target is straightforward.
The one in xc_hvm_build_x86.c:setup_guest is more awkward. Simply
setting the PoD target differently does not work because the various
amounts of memory during domain construction no longer match up.
Instead, we adjust the guest memory target in xenstore (but only for
PoD guests).
This introduces a 1Mby discrepancy between the balloon target of a PoD
guest at boot, and the target set by an apparently-equivalent `xl
mem-set' (or similar) later. This approach is low-risk for a security
fix but we need to fix this up properly in xen.git#staging and
probably also in stable trees.
This is XSA-153.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
tools/libxl/libxl.c | 2 +-
tools/libxl/libxl_dom.c | 9 ++++++++-
2 files changed, 9 insertions(+), 2 deletions(-)
Index: xen-4.5.1-testing/tools/libxl/libxl.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl.c
+++ xen-4.5.1-testing/tools/libxl/libxl.c
@@ -4859,7 +4859,7 @@ retry_transaction:
new_target_memkb -= videoram;
rc = xc_domain_set_pod_target(ctx->xch, domid,
- new_target_memkb / 4, NULL, NULL, NULL);
+ (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL);
if (rc != 0) {
LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR,
"xc_domain_set_pod_target domid=%d, memkb=%d "
Index: xen-4.5.1-testing/tools/libxl/libxl_dom.c
===================================================================
--- xen-4.5.1-testing.orig/tools/libxl/libxl_dom.c
+++ xen-4.5.1-testing/tools/libxl/libxl_dom.c
@@ -446,6 +446,7 @@ int libxl__build_post(libxl__gc *gc, uin
xs_transaction_t t;
char **ents;
int i, rc;
+ int64_t mem_target_fudge;
rc = libxl_domain_sched_params_set(CTX, domid, &info->sched_params);
if (rc)
@@ -472,11 +473,17 @@ int libxl__build_post(libxl__gc *gc, uin
}
}
+ mem_target_fudge =
+ (info->type == LIBXL_DOMAIN_TYPE_HVM &&
+ info->max_memkb > info->target_memkb)
+ ? LIBXL_MAXMEM_CONSTANT : 0;
+
ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *));
ents[0] = "memory/static-max";
ents[1] = GCSPRINTF("%"PRId64, info->max_memkb);
ents[2] = "memory/target";
- ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb);
+ ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb
+ - mem_target_fudge);
ents[4] = "memory/videoram";
ents[5] = GCSPRINTF("%"PRId64, info->video_memkb);
ents[6] = "domid";