diff --git a/54f4985f-libxl-fix-libvirtd-double-free.patch b/54f4985f-libxl-fix-libvirtd-double-free.patch index 2b04961..0e0d7be 100644 --- a/54f4985f-libxl-fix-libvirtd-double-free.patch +++ b/54f4985f-libxl-fix-libvirtd-double-free.patch @@ -18,11 +18,11 @@ Cc: Ian Campbell Cc: Ian Jackson Acked-by: Ian Campbell -Index: xen-4.5.1-testing/tools/libxl/libxl.c +Index: xen-4.5.2-testing/tools/libxl/libxl.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.c -+++ xen-4.5.1-testing/tools/libxl/libxl.c -@@ -211,9 +211,12 @@ void libxl_string_list_dispose(libxl_str +--- xen-4.5.2-testing.orig/tools/libxl/libxl.c ++++ xen-4.5.2-testing/tools/libxl/libxl.c +@@ -218,9 +218,12 @@ void libxl_string_list_dispose(libxl_str if (!sl) return; @@ -36,7 +36,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c } void libxl_string_list_copy(libxl_ctx *ctx, -@@ -273,10 +276,14 @@ void libxl_key_value_list_dispose(libxl_ +@@ -280,10 +283,14 @@ void libxl_key_value_list_dispose(libxl_ for (i = 0; kvl[i] != NULL; i += 2) { free(kvl[i]); @@ -52,10 +52,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c } void libxl_key_value_list_copy(libxl_ctx *ctx, -Index: xen-4.5.1-testing/tools/libxl/libxl_cpuid.c +Index: xen-4.5.2-testing/tools/libxl/libxl_cpuid.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_cpuid.c -+++ xen-4.5.1-testing/tools/libxl/libxl_cpuid.c +--- xen-4.5.2-testing.orig/tools/libxl/libxl_cpuid.c ++++ xen-4.5.2-testing/tools/libxl/libxl_cpuid.c @@ -28,10 +28,13 @@ void libxl_cpuid_dispose(libxl_cpuid_pol return; for (i = 0; cpuid_list[i].input[0] != XEN_CPUID_INPUT_UNUSED; i++) { @@ -71,10 +71,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_cpuid.c return; } -Index: xen-4.5.1-testing/tools/libxl/libxl_utils.c +Index: xen-4.5.2-testing/tools/libxl/libxl_utils.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_utils.c -+++ xen-4.5.1-testing/tools/libxl/libxl_utils.c +--- xen-4.5.2-testing.orig/tools/libxl/libxl_utils.c ++++ xen-4.5.2-testing/tools/libxl/libxl_utils.c @@ -604,7 +604,12 @@ void libxl_bitmap_init(libxl_bitmap *map void libxl_bitmap_dispose(libxl_bitmap *map) diff --git a/55103616-vm-assist-prepare-for-discontiguous-used-bit-numbers.patch b/55103616-vm-assist-prepare-for-discontiguous-used-bit-numbers.patch index 07b9a58..5cc2ce6 100644 --- a/55103616-vm-assist-prepare-for-discontiguous-used-bit-numbers.patch +++ b/55103616-vm-assist-prepare-for-discontiguous-used-bit-numbers.patch @@ -16,8 +16,10 @@ hence doesn't need that code). Signed-off-by: Jan Beulich Reviewed-by: Tim Deegan ---- a/xen/common/compat/kernel.c -+++ b/xen/common/compat/kernel.c +Index: xen-4.5.2-testing/xen/common/compat/kernel.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/common/compat/kernel.c ++++ xen-4.5.2-testing/xen/common/compat/kernel.c @@ -41,6 +41,11 @@ CHECK_TYPE(domain_handle); #define xennmi_callback compat_nmi_callback #define xennmi_callback_t compat_nmi_callback_t @@ -30,9 +32,11 @@ Reviewed-by: Tim Deegan #define DO(fn) int compat_##fn #define COMPAT ---- a/xen/common/domain.c -+++ b/xen/common/domain.c -@@ -1325,9 +1325,11 @@ long do_vcpu_op(int cmd, int vcpuid, XEN +Index: xen-4.5.2-testing/xen/common/domain.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/common/domain.c ++++ xen-4.5.2-testing/xen/common/domain.c +@@ -1326,9 +1326,11 @@ long do_vcpu_op(int cmd, int vcpuid, XEN return rc; } @@ -46,7 +50,7 @@ Reviewed-by: Tim Deegan return -EINVAL; switch ( cmd ) -@@ -1342,6 +1344,7 @@ long vm_assist(struct domain *p, unsigne +@@ -1343,6 +1345,7 @@ long vm_assist(struct domain *p, unsigne return -ENOSYS; } @@ -54,8 +58,10 @@ Reviewed-by: Tim Deegan struct pirq *pirq_get_info(struct domain *d, int pirq) { ---- a/xen/common/kernel.c -+++ b/xen/common/kernel.c +Index: xen-4.5.2-testing/xen/common/kernel.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/common/kernel.c ++++ xen-4.5.2-testing/xen/common/kernel.c @@ -396,10 +396,12 @@ DO(nmi_op)(unsigned int cmd, XEN_GUEST_H return rc; } @@ -70,8 +76,10 @@ Reviewed-by: Tim Deegan DO(ni_hypercall)(void) { ---- a/xen/include/asm-x86/config.h -+++ b/xen/include/asm-x86/config.h +Index: xen-4.5.2-testing/xen/include/asm-x86/config.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/asm-x86/config.h ++++ xen-4.5.2-testing/xen/include/asm-x86/config.h @@ -327,6 +327,14 @@ extern unsigned long xen_phys_start; #define ARG_XLAT_START(v) \ (ARG_XLAT_VIRT_START + ((v)->vcpu_id << ARG_XLAT_VA_SHIFT)) @@ -87,8 +95,10 @@ Reviewed-by: Tim Deegan #define ELFSIZE 64 #define ARCH_CRASH_SAVE_VMCOREINFO ---- a/xen/include/public/xen.h -+++ b/xen/include/public/xen.h +Index: xen-4.5.2-testing/xen/include/public/xen.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/public/xen.h ++++ xen-4.5.2-testing/xen/include/public/xen.h @@ -486,7 +486,9 @@ DEFINE_XEN_GUEST_HANDLE(mmuext_op_t); /* x86/PAE guests: support PDPTs above 4GB. */ #define VMASST_TYPE_pae_extended_cr3 3 @@ -99,8 +109,10 @@ Reviewed-by: Tim Deegan #ifndef __ASSEMBLY__ ---- a/xen/include/xen/lib.h -+++ b/xen/include/xen/lib.h +Index: xen-4.5.2-testing/xen/include/xen/lib.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/xen/lib.h ++++ xen-4.5.2-testing/xen/include/xen/lib.h @@ -92,7 +92,8 @@ extern void guest_printk(const struct do __attribute__ ((format (printf, 2, 3))); extern void noreturn panic(const char *format, ...) diff --git a/551ac326-xentop-add-support-for-qdisk.patch b/551ac326-xentop-add-support-for-qdisk.patch index 811ac2b..ca21a9f 100644 --- a/551ac326-xentop-add-support-for-qdisk.patch +++ b/551ac326-xentop-add-support-for-qdisk.patch @@ -1,8 +1,8 @@ -Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c +Index: xen-4.5.2-testing/tools/libxl/libxl_dm.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_dm.c -+++ xen-4.5.1-testing/tools/libxl/libxl_dm.c -@@ -445,6 +445,15 @@ static char ** libxl__build_device_model +--- xen-4.5.2-testing.orig/tools/libxl/libxl_dm.c ++++ xen-4.5.2-testing/tools/libxl/libxl_dm.c +@@ -447,6 +447,15 @@ static char ** libxl__build_device_model flexarray_append(dm_args, "-mon"); flexarray_append(dm_args, "chardev=libxl-cmd,mode=control"); @@ -18,10 +18,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c for (i = 0; i < guest_config->num_channels; i++) { connection = guest_config->channels[i].connection; devid = guest_config->channels[i].devid; -Index: xen-4.5.1-testing/tools/libxl/libxl_qmp.c +Index: xen-4.5.2-testing/tools/libxl/libxl_qmp.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_qmp.c -+++ xen-4.5.1-testing/tools/libxl/libxl_qmp.c +--- xen-4.5.2-testing.orig/tools/libxl/libxl_qmp.c ++++ xen-4.5.2-testing/tools/libxl/libxl_qmp.c @@ -723,6 +723,13 @@ void libxl__qmp_cleanup(libxl__gc *gc, u LOGE(ERROR, "Failed to remove QMP socket file %s", qmp_socket); } @@ -36,10 +36,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_qmp.c } int libxl__qmp_query_serial(libxl__qmp_handler *qmp) -Index: xen-4.5.1-testing/tools/xenstat/libxenstat/Makefile +Index: xen-4.5.2-testing/tools/xenstat/libxenstat/Makefile =================================================================== ---- xen-4.5.1-testing.orig/tools/xenstat/libxenstat/Makefile -+++ xen-4.5.1-testing/tools/xenstat/libxenstat/Makefile +--- xen-4.5.2-testing.orig/tools/xenstat/libxenstat/Makefile ++++ xen-4.5.2-testing/tools/xenstat/libxenstat/Makefile @@ -24,7 +24,7 @@ MINOR=0 LIB=src/libxenstat.a SHLIB=src/libxenstat.so.$(MAJOR).$(MINOR) @@ -58,10 +58,10 @@ Index: xen-4.5.1-testing/tools/xenstat/libxenstat/Makefile LDLIBS-y = $(LDLIBS_libxenstore) $(LDLIBS_libxenctrl) LDLIBS-$(CONFIG_SunOS) += -lkstat -Index: xen-4.5.1-testing/tools/xenstat/xentop/Makefile +Index: xen-4.5.2-testing/tools/xenstat/xentop/Makefile =================================================================== ---- xen-4.5.1-testing.orig/tools/xenstat/xentop/Makefile -+++ xen-4.5.1-testing/tools/xenstat/xentop/Makefile +--- xen-4.5.2-testing.orig/tools/xenstat/xentop/Makefile ++++ xen-4.5.2-testing/tools/xenstat/xentop/Makefile @@ -19,7 +19,7 @@ all install xentop: else @@ -71,10 +71,10 @@ Index: xen-4.5.1-testing/tools/xenstat/xentop/Makefile CFLAGS += -DHOST_$(XEN_OS) # Include configure output (config.h) to headers search path -Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_priv.h +Index: xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_priv.h =================================================================== ---- xen-4.5.1-testing.orig/tools/xenstat/libxenstat/src/xenstat_priv.h -+++ xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_priv.h +--- xen-4.5.2-testing.orig/tools/xenstat/libxenstat/src/xenstat_priv.h ++++ xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_priv.h @@ -109,5 +109,7 @@ extern int xenstat_collect_networks(xens extern void xenstat_uninit_networks(xenstat_handle * handle); extern int xenstat_collect_vbds(xenstat_node * node); @@ -83,10 +83,10 @@ Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_priv.h +extern xenstat_vbd *xenstat_save_vbd(xenstat_domain * domain, xenstat_vbd * vbd); #endif /* XENSTAT_PRIV_H */ -Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat.c +Index: xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat.c =================================================================== ---- xen-4.5.1-testing.orig/tools/xenstat/libxenstat/src/xenstat.c -+++ xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat.c +--- xen-4.5.2-testing.orig/tools/xenstat/libxenstat/src/xenstat.c ++++ xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat.c @@ -657,6 +657,27 @@ static void xenstat_uninit_xen_version(x * VBD functions */ @@ -115,10 +115,10 @@ Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat.c /* Free VBD information */ static void xenstat_free_vbds(xenstat_node * node) { -Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_linux.c +Index: xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_linux.c =================================================================== ---- xen-4.5.1-testing.orig/tools/xenstat/libxenstat/src/xenstat_linux.c -+++ xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_linux.c +--- xen-4.5.2-testing.orig/tools/xenstat/libxenstat/src/xenstat_linux.c ++++ xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_linux.c @@ -417,6 +417,9 @@ int xenstat_collect_vbds(xenstat_node * } } @@ -151,10 +151,10 @@ Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_linux.c } return 1; -Index: xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_qmp.c +Index: xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_qmp.c =================================================================== --- /dev/null -+++ xen-4.5.1-testing/tools/xenstat/libxenstat/src/xenstat_qmp.c ++++ xen-4.5.2-testing/tools/xenstat/libxenstat/src/xenstat_qmp.c @@ -0,0 +1,451 @@ +/* libxenstat: statistics-collection library for Xen + * diff --git a/552d0f49-x86-traps-identify-the-vcpu-in-context-when-dumping-regs.patch b/552d0f49-x86-traps-identify-the-vcpu-in-context-when-dumping-regs.patch deleted file mode 100644 index b40f7e1..0000000 --- a/552d0f49-x86-traps-identify-the-vcpu-in-context-when-dumping-regs.patch +++ /dev/null @@ -1,24 +0,0 @@ -# Commit e59abf8c8c9c1d99a531292c6a548d6dfd0ceacc -# Date 2015-04-14 14:59:53 +0200 -# Author Andrew Cooper -# Committer Jan Beulich -x86/traps: identify the vcpu in context when dumping registers - -Signed-off-by: Andrew Cooper - ---- a/xen/arch/x86/x86_64/traps.c -+++ b/xen/arch/x86/x86_64/traps.c -@@ -53,9 +53,11 @@ static void _show_registers( - printk("\nRFLAGS: %016lx ", regs->rflags); - if ( (context == CTXT_pv_guest) && v && v->vcpu_info ) - printk("EM: %d ", !!vcpu_info(v, evtchn_upcall_mask)); -- printk("CONTEXT: %s\n", context_names[context]); -+ printk("CONTEXT: %s", context_names[context]); -+ if ( v && !is_idle_vcpu(v) ) -+ printk(" (%pv)", v); - -- printk("rax: %016lx rbx: %016lx rcx: %016lx\n", -+ printk("\nrax: %016lx rbx: %016lx rcx: %016lx\n", - regs->rax, regs->rbx, regs->rcx); - printk("rdx: %016lx rsi: %016lx rdi: %016lx\n", - regs->rdx, regs->rsi, regs->rdi); diff --git a/5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch b/5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch index 1736236..cec65e1 100644 --- a/5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch +++ b/5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch @@ -12,11 +12,11 @@ Cc: Ian Campbell Cc: Ian Jackson Acked-by: Ian Campbell -Index: xen-4.5.1-testing/tools/libxl/libxl.c +Index: xen-4.5.2-testing/tools/libxl/libxl.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.c -+++ xen-4.5.1-testing/tools/libxl/libxl.c -@@ -1695,7 +1695,7 @@ static void devices_destroy_cb(libxl__eg +--- xen-4.5.2-testing.orig/tools/libxl/libxl.c ++++ xen-4.5.2-testing/tools/libxl/libxl.c +@@ -1702,7 +1702,7 @@ static void devices_destroy_cb(libxl__eg _exit(-1); } } diff --git a/5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch b/5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch index ede6142..b689789 100644 --- a/5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch +++ b/5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch @@ -27,8 +27,10 @@ Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper Reviewed-by: Tim Deegan ---- a/xen/arch/x86/domain.c -+++ b/xen/arch/x86/domain.c +Index: xen-4.5.2-testing/xen/arch/x86/domain.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/domain.c ++++ xen-4.5.2-testing/xen/arch/x86/domain.c @@ -338,7 +338,7 @@ static int setup_compat_l4(struct vcpu * l4tab = __map_domain_page(pg); @@ -61,9 +63,11 @@ Reviewed-by: Tim Deegan break; } } ---- a/xen/arch/x86/domain_build.c -+++ b/xen/arch/x86/domain_build.c -@@ -1092,7 +1092,7 @@ int __init construct_dom0( +Index: xen-4.5.2-testing/xen/arch/x86/domain_build.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/domain_build.c ++++ xen-4.5.2-testing/xen/arch/x86/domain_build.c +@@ -1096,7 +1096,7 @@ int __init construct_dom0( l3start = __va(mpt_alloc); mpt_alloc += PAGE_SIZE; } clear_page(l4tab); @@ -72,9 +76,11 @@ Reviewed-by: Tim Deegan v->arch.guest_table = pagetable_from_paddr(__pa(l4start)); if ( is_pv_32on64_domain(d) ) v->arch.guest_table_user = v->arch.guest_table; ---- a/xen/arch/x86/mm.c -+++ b/xen/arch/x86/mm.c -@@ -1380,7 +1380,8 @@ static int alloc_l3_table(struct page_in +Index: xen-4.5.2-testing/xen/arch/x86/mm.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/mm.c ++++ xen-4.5.2-testing/xen/arch/x86/mm.c +@@ -1383,7 +1383,8 @@ static int alloc_l3_table(struct page_in return rc > 0 ? 0 : rc; } @@ -84,7 +90,7 @@ Reviewed-by: Tim Deegan { /* Xen private mappings. */ memcpy(&l4tab[ROOT_PAGETABLE_FIRST_XEN_SLOT], -@@ -1395,6 +1396,25 @@ void init_guest_l4_table(l4_pgentry_t l4 +@@ -1398,6 +1399,25 @@ void init_guest_l4_table(l4_pgentry_t l4 l4e_from_pfn(domain_page_map_to_mfn(l4tab), __PAGE_HYPERVISOR); l4tab[l4_table_offset(PERDOMAIN_VIRT_START)] = l4e_from_page(d->arch.perdomain_l3_pg, __PAGE_HYPERVISOR); @@ -110,7 +116,7 @@ Reviewed-by: Tim Deegan } static int alloc_l4_table(struct page_info *page) -@@ -1444,7 +1464,7 @@ static int alloc_l4_table(struct page_in +@@ -1447,7 +1467,7 @@ static int alloc_l4_table(struct page_in adjust_guest_l4e(pl4e[i], d); } @@ -119,7 +125,7 @@ Reviewed-by: Tim Deegan unmap_domain_page(pl4e); return rc > 0 ? 0 : rc; -@@ -2755,6 +2775,8 @@ int new_guest_cr3(unsigned long mfn) +@@ -2761,6 +2781,8 @@ int new_guest_cr3(unsigned long mfn) invalidate_shadow_ldt(curr, 0); @@ -128,7 +134,7 @@ Reviewed-by: Tim Deegan curr->arch.guest_table = pagetable_from_pfn(mfn); update_cr3(curr); -@@ -3111,6 +3133,9 @@ long do_mmuext_op( +@@ -3117,6 +3139,9 @@ long do_mmuext_op( op.arg1.mfn); break; } @@ -138,8 +144,10 @@ Reviewed-by: Tim Deegan } curr->arch.guest_table_user = pagetable_from_pfn(op.arg1.mfn); ---- a/xen/arch/x86/mm/shadow/multi.c -+++ b/xen/arch/x86/mm/shadow/multi.c +Index: xen-4.5.2-testing/xen/arch/x86/mm/shadow/multi.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/mm/shadow/multi.c ++++ xen-4.5.2-testing/xen/arch/x86/mm/shadow/multi.c @@ -1438,6 +1438,13 @@ void sh_install_xen_entries_in_l4(struct shadow_l4e_from_mfn(page_to_mfn(d->arch.perdomain_l3_pg), __PAGE_HYPERVISOR); @@ -172,8 +180,10 @@ Reviewed-by: Tim Deegan #else #error This should never happen #endif ---- a/xen/arch/x86/x86_64/mm.c -+++ b/xen/arch/x86/x86_64/mm.c +Index: xen-4.5.2-testing/xen/arch/x86/x86_64/mm.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/x86_64/mm.c ++++ xen-4.5.2-testing/xen/arch/x86/x86_64/mm.c @@ -480,7 +480,7 @@ static int setup_m2p_table(struct mem_ho l2_ro_mpt += l2_table_offset(va); } @@ -201,8 +211,10 @@ Reviewed-by: Tim Deegan if ( l1_pg ) l2e_write(l2_ro_mpt, l2e_from_page( l1_pg, /*_PAGE_GLOBAL|*/_PAGE_PSE|_PAGE_USER|_PAGE_PRESENT)); ---- a/xen/include/asm-x86/config.h -+++ b/xen/include/asm-x86/config.h +Index: xen-4.5.2-testing/xen/include/asm-x86/config.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/asm-x86/config.h ++++ xen-4.5.2-testing/xen/include/asm-x86/config.h @@ -330,7 +330,8 @@ extern unsigned long xen_phys_start; #define NATIVE_VM_ASSIST_VALID ((1UL << VMASST_TYPE_4gb_segments) | \ (1UL << VMASST_TYPE_4gb_segments_notify) | \ @@ -213,8 +225,10 @@ Reviewed-by: Tim Deegan #define VM_ASSIST_VALID NATIVE_VM_ASSIST_VALID #define COMPAT_VM_ASSIST_VALID (NATIVE_VM_ASSIST_VALID & \ ((1UL << COMPAT_BITS_PER_LONG) - 1)) ---- a/xen/include/asm-x86/mm.h -+++ b/xen/include/asm-x86/mm.h +Index: xen-4.5.2-testing/xen/include/asm-x86/mm.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/asm-x86/mm.h ++++ xen-4.5.2-testing/xen/include/asm-x86/mm.h @@ -314,7 +314,10 @@ static inline void *__page_to_virt(const int free_page_type(struct page_info *page, unsigned long type, int preemptible); @@ -227,8 +241,10 @@ Reviewed-by: Tim Deegan int is_iomem_page(unsigned long mfn); ---- a/xen/include/public/xen.h -+++ b/xen/include/public/xen.h +Index: xen-4.5.2-testing/xen/include/public/xen.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/public/xen.h ++++ xen-4.5.2-testing/xen/include/public/xen.h @@ -486,6 +486,18 @@ DEFINE_XEN_GUEST_HANDLE(mmuext_op_t); /* x86/PAE guests: support PDPTs above 4GB. */ #define VMASST_TYPE_pae_extended_cr3 3 diff --git a/554cc211-libxl-add-qxl.patch b/554cc211-libxl-add-qxl.patch index 99ee3b3..e1a6ef3 100644 --- a/554cc211-libxl-add-qxl.patch +++ b/554cc211-libxl-add-qxl.patch @@ -20,11 +20,11 @@ Date: Wed Apr 29 11:20:28 2015 +0200 Acked-by: Ian Jackson Acked-by: George Dunlap -Index: xen-4.5.1-testing/docs/man/xl.cfg.pod.5 +Index: xen-4.5.2-testing/docs/man/xl.cfg.pod.5 =================================================================== ---- xen-4.5.1-testing.orig/docs/man/xl.cfg.pod.5 -+++ xen-4.5.1-testing/docs/man/xl.cfg.pod.5 -@@ -1292,6 +1292,9 @@ qemu-xen-traditional device-model, the a +--- xen-4.5.2-testing.orig/docs/man/xl.cfg.pod.5 ++++ xen-4.5.2-testing/docs/man/xl.cfg.pod.5 +@@ -1294,6 +1294,9 @@ qemu-xen-traditional device-model, the a which is sufficient for 1024x768 at 32 bpp. For the upstream qemu-xen device-model, the default and minimum is 8 MB. @@ -34,7 +34,7 @@ Index: xen-4.5.1-testing/docs/man/xl.cfg.pod.5 =item B Select a standard VGA card with VBE (VESA BIOS Extensions) as the -@@ -1303,9 +1306,14 @@ This option is deprecated, use vga="stdv +@@ -1305,9 +1308,14 @@ This option is deprecated, use vga="stdv =item B @@ -50,10 +50,10 @@ Index: xen-4.5.1-testing/docs/man/xl.cfg.pod.5 =item B Allow access to the display via the VNC protocol. This enables the -Index: xen-4.5.1-testing/tools/libxl/libxl.h +Index: xen-4.5.2-testing/tools/libxl/libxl.h =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.h -+++ xen-4.5.1-testing/tools/libxl/libxl.h +--- xen-4.5.2-testing.orig/tools/libxl/libxl.h ++++ xen-4.5.2-testing/tools/libxl/libxl.h @@ -506,6 +506,16 @@ typedef struct libxl__ctx libxl_ctx; #define LIBXL_HAVE_DOMINFO_OUTSTANDING_MEMKB 1 @@ -71,10 +71,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.h * LIBXL_HAVE_SPICE_VDAGENT * * If defined, then the libxl_spice_info structure will contain a boolean type: -Index: xen-4.5.1-testing/tools/libxl/libxl_create.c +Index: xen-4.5.2-testing/tools/libxl/libxl_create.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_create.c -+++ xen-4.5.1-testing/tools/libxl/libxl_create.c +--- xen-4.5.2-testing.orig/tools/libxl/libxl_create.c ++++ xen-4.5.2-testing/tools/libxl/libxl_create.c @@ -240,6 +240,10 @@ int libxl__domain_build_info_setdefault( if (b_info->video_memkb == LIBXL_MEMKB_DEFAULT) b_info->video_memkb = 0; @@ -102,11 +102,11 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_create.c case LIBXL_VGA_INTERFACE_TYPE_STD: if (b_info->video_memkb == LIBXL_MEMKB_DEFAULT) b_info->video_memkb = 16 * 1024; -Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c +Index: xen-4.5.2-testing/tools/libxl/libxl_dm.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_dm.c -+++ xen-4.5.1-testing/tools/libxl/libxl_dm.c -@@ -251,6 +251,8 @@ static char ** libxl__build_device_model +--- xen-4.5.2-testing.orig/tools/libxl/libxl_dm.c ++++ xen-4.5.2-testing/tools/libxl/libxl_dm.c +@@ -253,6 +253,8 @@ static char ** libxl__build_device_model case LIBXL_VGA_INTERFACE_TYPE_NONE: flexarray_append_pair(dm_args, "-vga", "none"); break; @@ -115,7 +115,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c } if (b_info->u.hvm.boot) { -@@ -616,6 +618,12 @@ static char ** libxl__build_device_model +@@ -618,6 +620,12 @@ static char ** libxl__build_device_model break; case LIBXL_VGA_INTERFACE_TYPE_NONE: break; @@ -128,10 +128,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c } if (b_info->u.hvm.boot) { -Index: xen-4.5.1-testing/tools/libxl/libxl_types.idl +Index: xen-4.5.2-testing/tools/libxl/libxl_types.idl =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_types.idl -+++ xen-4.5.1-testing/tools/libxl/libxl_types.idl +--- xen-4.5.2-testing.orig/tools/libxl/libxl_types.idl ++++ xen-4.5.2-testing/tools/libxl/libxl_types.idl @@ -181,6 +181,7 @@ libxl_vga_interface_type = Enumeration(" (1, "CIRRUS"), (2, "STD"), @@ -140,10 +140,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_types.idl ], init_val = "LIBXL_VGA_INTERFACE_TYPE_CIRRUS") libxl_vendor_device = Enumeration("vendor_device", [ -Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c +Index: xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/xl_cmdimpl.c -+++ xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c +--- xen-4.5.2-testing.orig/tools/libxl/xl_cmdimpl.c ++++ xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c @@ -1910,6 +1910,8 @@ skip_vfb: b_info->u.hvm.vga.kind = LIBXL_VGA_INTERFACE_TYPE_CIRRUS; } else if (!strcmp(buf, "none")) { diff --git a/5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch b/5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch index a01e004..282b301 100644 --- a/5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch +++ b/5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch @@ -44,9 +44,11 @@ Reviewed-by: Andrew Cooper Backport stripped down to just the pci_cfg_ok() adjustments. ---- a/xen/arch/x86/traps.c -+++ b/xen/arch/x86/traps.c -@@ -1708,14 +1708,18 @@ static int admin_io_okay( +Index: xen-4.5.2-testing/xen/arch/x86/traps.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/traps.c ++++ xen-4.5.2-testing/xen/arch/x86/traps.c +@@ -1709,14 +1709,18 @@ static int admin_io_okay( return ioports_access_permitted(v->domain, port, port + bytes - 1); } @@ -69,7 +71,7 @@ Backport stripped down to just the pci_cfg_ok() adjustments. if ( write ) { const unsigned long *ro_map = pci_get_ro_map(0); -@@ -1723,9 +1727,9 @@ static int pci_cfg_ok(struct domain *d, +@@ -1724,9 +1728,9 @@ static int pci_cfg_ok(struct domain *d, if ( ro_map && test_bit(machine_bdf, ro_map) ) return 0; } @@ -81,7 +83,7 @@ Backport stripped down to just the pci_cfg_ok() adjustments. boot_cpu_data.x86_vendor == X86_VENDOR_AMD && boot_cpu_data.x86 >= 0x10 && boot_cpu_data.x86 <= 0x17 ) { -@@ -1734,12 +1738,11 @@ static int pci_cfg_ok(struct domain *d, +@@ -1735,12 +1739,11 @@ static int pci_cfg_ok(struct domain *d, if ( rdmsr_safe(MSR_AMD64_NB_CFG, msr_val) ) return 0; if ( msr_val & (1ULL << AMD64_NB_CFG_CF8_EXT_ENABLE_BIT) ) @@ -98,7 +100,7 @@ Backport stripped down to just the pci_cfg_ok() adjustments. } uint32_t guest_io_read( -@@ -1793,7 +1796,7 @@ uint32_t guest_io_read( +@@ -1794,7 +1797,7 @@ uint32_t guest_io_read( size = min(bytes, 4 - (port & 3)); if ( size == 3 ) size = 2; @@ -107,7 +109,7 @@ Backport stripped down to just the pci_cfg_ok() adjustments. sub_data = pci_conf_read(v->domain->arch.pci_cf8, port & 3, size); } -@@ -1866,7 +1869,7 @@ void guest_io_write( +@@ -1867,7 +1870,7 @@ void guest_io_write( size = min(bytes, 4 - (port & 3)); if ( size == 3 ) size = 2; @@ -116,8 +118,10 @@ Backport stripped down to just the pci_cfg_ok() adjustments. pci_conf_write(v->domain->arch.pci_cf8, port & 3, size, data); } ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c +Index: xen-4.5.2-testing/xen/arch/x86/hvm/hvm.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/hvm/hvm.c ++++ xen-4.5.2-testing/xen/arch/x86/hvm/hvm.c @@ -2357,11 +2357,6 @@ void hvm_vcpu_down(struct vcpu *v) static struct hvm_ioreq_server *hvm_select_ioreq_server(struct domain *d, ioreq_t *p) @@ -142,8 +146,10 @@ Backport stripped down to just the pci_cfg_ok() adjustments. } int hvm_buffered_io_send(ioreq_t *p) ---- a/xen/include/asm-x86/pci.h -+++ b/xen/include/asm-x86/pci.h +Index: xen-4.5.2-testing/xen/include/asm-x86/pci.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/asm-x86/pci.h ++++ xen-4.5.2-testing/xen/include/asm-x86/pci.h @@ -1,6 +1,11 @@ #ifndef __X86_PCI_H__ #define __X86_PCI_H__ diff --git a/5576f178-kexec-add-more-pages-to-v1-environment.patch b/5576f178-kexec-add-more-pages-to-v1-environment.patch deleted file mode 100644 index e71c7f1..0000000 --- a/5576f178-kexec-add-more-pages-to-v1-environment.patch +++ /dev/null @@ -1,62 +0,0 @@ -References: bsc#925466 - -# Commit 5cb57f4bddee1f11079e69bf43c193a8b104c476 -# Date 2015-06-09 16:00:24 +0200 -# Author Jan Beulich -# Committer Jan Beulich -kexec: add more pages to v1 environment - -Destination pages need mappings to be added to the page tables in the -v1 case (where nothing else calls machine_kexec_add_page() for them). - -Further, without the tools mapping the low 1Mb (expected by at least -some Linux version), we need to do so in the hypervisor in the v1 case. - -Suggested-by: David Vrabel -Signed-off-by: Jan Beulich -Tested-by: Alan Robinson -Reviewed-by: David Vrabel -Reviewed-by: Andrew Cooper - - ---- a/xen/common/kexec.c -+++ b/xen/common/kexec.c -@@ -1003,6 +1003,24 @@ static int kexec_do_load_v1(xen_kexec_lo - if ( ret < 0 ) - goto error; - -+ if ( arch == EM_386 || arch == EM_X86_64 ) -+ { -+ /* -+ * Ensure 0 - 1 MiB is mapped and accessible by the image. -+ * -+ * This allows access to VGA memory and the region purgatory copies -+ * in the crash case. -+ */ -+ unsigned long addr; -+ -+ for ( addr = 0; addr < MB(1); addr += PAGE_SIZE ) -+ { -+ ret = machine_kexec_add_page(kimage, addr, addr); -+ if ( ret < 0 ) -+ goto error; -+ } -+ } -+ - ret = kexec_load_slot(kimage); - if ( ret < 0 ) - goto error; ---- a/xen/common/kimage.c -+++ b/xen/common/kimage.c -@@ -923,6 +923,11 @@ int kimage_build_ind(struct kexec_image - ret = kimage_add_page(image, page_to_maddr(xen_page)); - if ( ret < 0 ) - goto done; -+ -+ ret = machine_kexec_add_page(image, dest, dest); -+ if ( ret < 0 ) -+ goto done; -+ - dest += PAGE_SIZE; - break; - } diff --git a/55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch b/55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch deleted file mode 100644 index 3e90003..0000000 --- a/55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch +++ /dev/null @@ -1,86 +0,0 @@ -# Commit 860313f0411d2dcc6b2fd78bfb834b39d05373a6 -# Date 2015-06-10 12:05:21 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/EFI: adjust EFI_MEMORY_WP handling for spec version 2.5 - -That flag now means cachability rather than protection, and a new flag -EFI_MEMORY_RO got added in its place. - -Along with EFI_MEMORY_RO also add the two other new EFI_MEMORY_* -definitions, even if we don't need them right away. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -Reviewed-by: Konrad Rzeszutek Wilk - -Index: xen-4.5.1-testing/xen/common/efi/boot.c -=================================================================== ---- xen-4.5.1-testing.orig/xen/common/efi/boot.c -+++ xen-4.5.1-testing/xen/common/efi/boot.c -@@ -32,6 +32,8 @@ - /* Using SetVirtualAddressMap() is incompatible with kexec: */ - #undef USE_SET_VIRTUAL_ADDRESS_MAP - -+#define EFI_REVISION(major, minor) (((major) << 16) | (minor)) -+ - #define SHIM_LOCK_PROTOCOL_GUID \ - { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} } - -@@ -76,6 +78,7 @@ static int set_color(u32 mask, int bpp, - static bool_t match_guid(const EFI_GUID *guid1, const EFI_GUID *guid2); - - static const EFI_BOOT_SERVICES *__initdata efi_bs; -+static UINT32 __initdata efi_bs_revision; - static EFI_HANDLE __initdata efi_ih; - - static SIMPLE_TEXT_OUTPUT_INTERFACE *__initdata StdOut; -@@ -714,6 +717,7 @@ efi_start(EFI_HANDLE ImageHandle, EFI_SY - - efi_ih = ImageHandle; - efi_bs = SystemTable->BootServices; -+ efi_bs_revision = efi_bs->Hdr.Revision; - efi_rs = SystemTable->RuntimeServices; - efi_ct = SystemTable->ConfigurationTable; - efi_num_ct = SystemTable->NumberOfTableEntries; -@@ -1221,6 +1225,9 @@ void __init efi_init_memory(void) - prot |= _PAGE_PAT | MAP_SMALL_PAGES; - else if ( desc->Attribute & (EFI_MEMORY_UC | EFI_MEMORY_UCE) ) - prot |= _PAGE_PWT | _PAGE_PCD | MAP_SMALL_PAGES; -+ else if ( efi_bs_revision >= EFI_REVISION(2, 5) && -+ (desc->Attribute & EFI_MEMORY_WP) ) -+ prot |= _PAGE_PAT | _PAGE_PWT | MAP_SMALL_PAGES; - else - { - printk(XENLOG_ERR "Unknown cachability for MFNs %#lx-%#lx%s\n", -@@ -1230,7 +1237,8 @@ void __init efi_init_memory(void) - prot |= _PAGE_PWT | _PAGE_PCD | MAP_SMALL_PAGES; - } - -- if ( desc->Attribute & EFI_MEMORY_WP ) -+ if ( desc->Attribute & (efi_bs_revision < EFI_REVISION(2, 5) -+ ? EFI_MEMORY_WP : EFI_MEMORY_RO) ) - prot &= ~_PAGE_RW; - if ( (desc->Attribute & EFI_MEMORY_XP) && cpu_has_nx ) - prot |= _PAGE_NX_BIT; -Index: xen-4.5.1-testing/xen/include/efi/efidef.h -=================================================================== ---- xen-4.5.1-testing.orig/xen/include/efi/efidef.h -+++ xen-4.5.1-testing/xen/include/efi/efidef.h -@@ -156,11 +156,15 @@ typedef enum { - #define EFI_MEMORY_WT 0x0000000000000004 - #define EFI_MEMORY_WB 0x0000000000000008 - #define EFI_MEMORY_UCE 0x0000000000000010 -+#define EFI_MEMORY_WP 0x0000000000001000 - - // physical memory protection on range --#define EFI_MEMORY_WP 0x0000000000001000 - #define EFI_MEMORY_RP 0x0000000000002000 - #define EFI_MEMORY_XP 0x0000000000004000 -+#define EFI_MEMORY_RO 0x0000000000020000 -+ -+#define EFI_MEMORY_NV 0x0000000000008000 -+#define EFI_MEMORY_MORE_RELIABLE 0x0000000000010000 - - // range requires a runtime mapping - #define EFI_MEMORY_RUNTIME 0x8000000000000000 diff --git a/5583d9c5-x86-MSI-X-cleanup.patch b/5583d9c5-x86-MSI-X-cleanup.patch index 15688c5..11bbeed 100644 --- a/5583d9c5-x86-MSI-X-cleanup.patch +++ b/5583d9c5-x86-MSI-X-cleanup.patch @@ -19,8 +19,10 @@ x86/MSI-X: cleanup Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper ---- a/xen/arch/x86/msi.c -+++ b/xen/arch/x86/msi.c +Index: xen-4.5.2-testing/xen/arch/x86/msi.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c ++++ xen-4.5.2-testing/xen/arch/x86/msi.c @@ -35,6 +35,8 @@ static s8 __read_mostly use_msi = -1; boolean_param("msi", use_msi); @@ -104,7 +106,7 @@ Reviewed-by: Andrew Cooper u32 mask_bits; u16 seg = entry->dev->seg; u8 bus = entry->dev->bus; -@@ -701,13 +705,14 @@ static u64 read_pci_mem_bar(u16 seg, u8 +@@ -703,13 +707,14 @@ static u64 read_pci_mem_bar(u16 seg, u8 * requested MSI-X entries with allocated irqs or non-zero for otherwise. **/ static int msix_capability_init(struct pci_dev *dev, @@ -120,7 +122,7 @@ Reviewed-by: Andrew Cooper u16 control; u64 table_paddr; u32 table_offset; -@@ -719,7 +724,6 @@ static int msix_capability_init(struct p +@@ -721,7 +726,6 @@ static int msix_capability_init(struct p ASSERT(spin_is_locked(&pcidevs_lock)); @@ -128,7 +130,7 @@ Reviewed-by: Andrew Cooper control = pci_conf_read16(seg, bus, slot, func, msix_control_reg(pos)); msix_set_enable(dev, 0);/* Ensure msix is disabled as I set it up */ -@@ -884,10 +888,9 @@ static int __pci_enable_msi(struct msi_i +@@ -886,10 +890,9 @@ static int __pci_enable_msi(struct msi_i old_desc = find_msi_entry(pdev, msi->irq, PCI_CAP_ID_MSI); if ( old_desc ) { @@ -142,7 +144,7 @@ Reviewed-by: Andrew Cooper *desc = old_desc; return 0; } -@@ -895,10 +898,10 @@ static int __pci_enable_msi(struct msi_i +@@ -897,10 +900,10 @@ static int __pci_enable_msi(struct msi_i old_desc = find_msi_entry(pdev, -1, PCI_CAP_ID_MSIX); if ( old_desc ) { @@ -157,7 +159,7 @@ Reviewed-by: Andrew Cooper } return msi_capability_init(pdev, msi->irq, desc, msi->entry_nr); -@@ -912,7 +915,6 @@ static void __pci_disable_msi(struct msi +@@ -914,7 +917,6 @@ static void __pci_disable_msi(struct msi msi_set_enable(dev, 0); BUG_ON(list_empty(&dev->msi_list)); @@ -165,7 +167,7 @@ Reviewed-by: Andrew Cooper } /** -@@ -932,7 +934,7 @@ static void __pci_disable_msi(struct msi +@@ -934,7 +936,7 @@ static void __pci_disable_msi(struct msi **/ static int __pci_enable_msix(struct msi_info *msi, struct msi_desc **desc) { @@ -174,7 +176,7 @@ Reviewed-by: Andrew Cooper struct pci_dev *pdev; u16 control; u8 slot = PCI_SLOT(msi->devfn); -@@ -941,23 +943,22 @@ static int __pci_enable_msix(struct msi_ +@@ -943,23 +945,22 @@ static int __pci_enable_msix(struct msi_ ASSERT(spin_is_locked(&pcidevs_lock)); pdev = pci_get_pdev(msi->seg, msi->bus, msi->devfn); @@ -204,7 +206,7 @@ Reviewed-by: Andrew Cooper *desc = old_desc; return 0; } -@@ -965,15 +966,13 @@ static int __pci_enable_msix(struct msi_ +@@ -967,15 +968,13 @@ static int __pci_enable_msix(struct msi_ old_desc = find_msi_entry(pdev, -1, PCI_CAP_ID_MSI); if ( old_desc ) { @@ -225,7 +227,7 @@ Reviewed-by: Andrew Cooper } static void _pci_cleanup_msix(struct arch_msix *msix) -@@ -991,19 +990,16 @@ static void _pci_cleanup_msix(struct arc +@@ -993,19 +992,16 @@ static void _pci_cleanup_msix(struct arc static void __pci_disable_msix(struct msi_desc *entry) { @@ -254,7 +256,7 @@ Reviewed-by: Andrew Cooper msix_set_enable(dev, 0); BUG_ON(list_empty(&dev->msi_list)); -@@ -1045,7 +1041,7 @@ int pci_prepare_msix(u16 seg, u8 bus, u8 +@@ -1047,7 +1043,7 @@ int pci_prepare_msix(u16 seg, u8 bus, u8 u16 control = pci_conf_read16(seg, bus, slot, func, msix_control_reg(pos)); @@ -263,7 +265,7 @@ Reviewed-by: Andrew Cooper multi_msix_capable(control)); } spin_unlock(&pcidevs_lock); -@@ -1064,8 +1060,8 @@ int pci_enable_msi(struct msi_info *msi, +@@ -1066,8 +1062,8 @@ int pci_enable_msi(struct msi_info *msi, if ( !use_msi ) return -EPERM; @@ -274,7 +276,7 @@ Reviewed-by: Andrew Cooper } /* -@@ -1115,7 +1111,9 @@ int pci_restore_msi_state(struct pci_dev +@@ -1117,7 +1113,9 @@ int pci_restore_msi_state(struct pci_dev if ( !pdev ) return -EINVAL; diff --git a/5583da09-x86-MSI-track-host-and-guest-masking-separately.patch b/5583da09-x86-MSI-track-host-and-guest-masking-separately.patch index 3f889ab..23c0dcb 100644 --- a/5583da09-x86-MSI-track-host-and-guest-masking-separately.patch +++ b/5583da09-x86-MSI-track-host-and-guest-masking-separately.patch @@ -33,8 +33,10 @@ Tested-by: Sander Eikelenboom Reviewed-by: Andrew Cooper Acked-by: Ian Campbell ---- a/xen/arch/x86/hpet.c -+++ b/xen/arch/x86/hpet.c +Index: xen-4.5.2-testing/xen/arch/x86/hpet.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/hpet.c ++++ xen-4.5.2-testing/xen/arch/x86/hpet.c @@ -240,7 +240,7 @@ static void hpet_msi_unmask(struct irq_d cfg = hpet_read32(HPET_Tn_CFG(ch->idx)); cfg |= HPET_TN_ENABLE; @@ -53,8 +55,10 @@ Acked-by: Ian Campbell } static int hpet_msi_write(struct hpet_event_channel *ch, struct msi_msg *msg) ---- a/xen/arch/x86/hvm/vmsi.c -+++ b/xen/arch/x86/hvm/vmsi.c +Index: xen-4.5.2-testing/xen/arch/x86/hvm/vmsi.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/hvm/vmsi.c ++++ xen-4.5.2-testing/xen/arch/x86/hvm/vmsi.c @@ -219,7 +219,6 @@ static int msixtbl_read( { unsigned long offset; @@ -135,9 +139,11 @@ Acked-by: Ian Campbell unlock: spin_unlock_irqrestore(&desc->lock, flags); ---- a/xen/arch/x86/irq.c -+++ b/xen/arch/x86/irq.c -@@ -2502,6 +2502,25 @@ int unmap_domain_pirq_emuirq(struct doma +Index: xen-4.5.2-testing/xen/arch/x86/irq.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/irq.c ++++ xen-4.5.2-testing/xen/arch/x86/irq.c +@@ -2503,6 +2503,25 @@ int unmap_domain_pirq_emuirq(struct doma return ret; } @@ -163,8 +169,10 @@ Acked-by: Ian Campbell bool_t hvm_domain_use_pirq(const struct domain *d, const struct pirq *pirq) { return is_hvm_domain(d) && pirq && ---- a/xen/arch/x86/msi.c -+++ b/xen/arch/x86/msi.c +Index: xen-4.5.2-testing/xen/arch/x86/msi.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c ++++ xen-4.5.2-testing/xen/arch/x86/msi.c @@ -349,9 +349,10 @@ int msi_maskable_irq(const struct msi_de || entry->msi_attrib.maskbit; } @@ -230,7 +238,7 @@ Acked-by: Ian Campbell .enable = unmask_msi_irq, .disable = mask_msi_irq, .ack = ack_maskable_msi_irq, -@@ -591,7 +603,8 @@ static int msi_capability_init(struct pc +@@ -593,7 +605,8 @@ static int msi_capability_init(struct pc entry[i].msi_attrib.is_64 = is_64bit_address(control); entry[i].msi_attrib.entry_nr = i; entry[i].msi_attrib.maskbit = is_mask_bit_support(control); @@ -240,7 +248,7 @@ Acked-by: Ian Campbell entry[i].msi_attrib.pos = pos; if ( entry[i].msi_attrib.maskbit ) entry[i].msi.mpos = mpos; -@@ -817,7 +830,8 @@ static int msix_capability_init(struct p +@@ -819,7 +832,8 @@ static int msix_capability_init(struct p entry->msi_attrib.is_64 = 1; entry->msi_attrib.entry_nr = msi->entry_nr; entry->msi_attrib.maskbit = 1; @@ -250,7 +258,7 @@ Acked-by: Ian Campbell entry->msi_attrib.pos = pos; entry->irq = msi->irq; entry->dev = dev; -@@ -1152,7 +1166,8 @@ int pci_restore_msi_state(struct pci_dev +@@ -1154,7 +1168,8 @@ int pci_restore_msi_state(struct pci_dev for ( i = 0; ; ) { @@ -260,7 +268,7 @@ Acked-by: Ian Campbell if ( !--nr ) break; -@@ -1304,7 +1319,7 @@ static void dump_msi(unsigned char key) +@@ -1306,7 +1321,7 @@ static void dump_msi(unsigned char key) else mask = '?'; printk(" %-6s%4u vec=%02x%7s%6s%3sassert%5s%7s" @@ -269,7 +277,7 @@ Acked-by: Ian Campbell type, irq, (data & MSI_DATA_VECTOR_MASK) >> MSI_DATA_VECTOR_SHIFT, data & MSI_DATA_DELIVERY_LOWPRI ? "lowest" : "fixed", -@@ -1312,7 +1327,10 @@ static void dump_msi(unsigned char key) +@@ -1314,7 +1329,10 @@ static void dump_msi(unsigned char key) data & MSI_DATA_LEVEL_ASSERT ? "" : "de", addr & MSI_ADDR_DESTMODE_LOGIC ? "log" : "phys", addr & MSI_ADDR_REDIRECTION_LOWPRI ? "lowest" : "cpu", @@ -281,8 +289,10 @@ Acked-by: Ian Campbell } } ---- a/xen/common/event_channel.c -+++ b/xen/common/event_channel.c +Index: xen-4.5.2-testing/xen/common/event_channel.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/common/event_channel.c ++++ xen-4.5.2-testing/xen/common/event_channel.c @@ -445,10 +445,7 @@ static long evtchn_bind_pirq(evtchn_bind bind->port = port; @@ -295,8 +305,10 @@ Acked-by: Ian Campbell out: spin_unlock(&d->event_lock); ---- a/xen/drivers/passthrough/amd/iommu_init.c -+++ b/xen/drivers/passthrough/amd/iommu_init.c +Index: xen-4.5.2-testing/xen/drivers/passthrough/amd/iommu_init.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/drivers/passthrough/amd/iommu_init.c ++++ xen-4.5.2-testing/xen/drivers/passthrough/amd/iommu_init.c @@ -451,7 +451,7 @@ static void iommu_msi_unmask(struct irq_ spin_lock_irqsave(&iommu->lock, flags); amd_iommu_msi_enable(iommu, IOMMU_CONTROL_ENABLED); @@ -315,28 +327,32 @@ Acked-by: Ian Campbell } static unsigned int iommu_msi_startup(struct irq_desc *desc) ---- a/xen/drivers/passthrough/vtd/iommu.c -+++ b/xen/drivers/passthrough/vtd/iommu.c -@@ -996,7 +996,7 @@ static void dma_msi_unmask(struct irq_de - spin_lock_irqsave(&iommu->register_lock, flags); - dmar_writel(iommu->reg, DMAR_FECTL_REG, 0); +Index: xen-4.5.2-testing/xen/drivers/passthrough/vtd/iommu.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/drivers/passthrough/vtd/iommu.c ++++ xen-4.5.2-testing/xen/drivers/passthrough/vtd/iommu.c +@@ -999,7 +999,7 @@ static void dma_msi_unmask(struct irq_de + sts &= ~DMA_FECTL_IM; + dmar_writel(iommu->reg, DMAR_FECTL_REG, sts); spin_unlock_irqrestore(&iommu->register_lock, flags); - iommu->msi.msi_attrib.masked = 0; + iommu->msi.msi_attrib.host_masked = 0; } static void dma_msi_mask(struct irq_desc *desc) -@@ -1008,7 +1008,7 @@ static void dma_msi_mask(struct irq_desc - spin_lock_irqsave(&iommu->register_lock, flags); - dmar_writel(iommu->reg, DMAR_FECTL_REG, DMA_FECTL_IM); +@@ -1014,7 +1014,7 @@ static void dma_msi_mask(struct irq_desc + sts |= DMA_FECTL_IM; + dmar_writel(iommu->reg, DMAR_FECTL_REG, sts); spin_unlock_irqrestore(&iommu->register_lock, flags); - iommu->msi.msi_attrib.masked = 1; + iommu->msi.msi_attrib.host_masked = 1; } static unsigned int dma_msi_startup(struct irq_desc *desc) ---- a/xen/include/asm-arm/irq.h -+++ b/xen/include/asm-arm/irq.h +Index: xen-4.5.2-testing/xen/include/asm-arm/irq.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/asm-arm/irq.h ++++ xen-4.5.2-testing/xen/include/asm-arm/irq.h @@ -44,6 +44,8 @@ int route_irq_to_guest(struct domain *d, const char *devname); void arch_move_irqs(struct vcpu *v); @@ -346,8 +362,10 @@ Acked-by: Ian Campbell /* Set IRQ type for an SPI */ int irq_set_spi_type(unsigned int spi, unsigned int type); ---- a/xen/include/asm-x86/msi.h -+++ b/xen/include/asm-x86/msi.h +Index: xen-4.5.2-testing/xen/include/asm-x86/msi.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/asm-x86/msi.h ++++ xen-4.5.2-testing/xen/include/asm-x86/msi.h @@ -90,12 +90,13 @@ extern unsigned int pci_msix_get_table_l struct msi_desc { @@ -375,8 +393,10 @@ Acked-by: Ian Campbell void ack_nonmaskable_msi_irq(struct irq_desc *); void end_nonmaskable_msi_irq(struct irq_desc *, u8 vector); void set_msi_affinity(struct irq_desc *, const cpumask_t *); ---- a/xen/include/xen/irq.h -+++ b/xen/include/xen/irq.h +Index: xen-4.5.2-testing/xen/include/xen/irq.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/xen/irq.h ++++ xen-4.5.2-testing/xen/include/xen/irq.h @@ -172,4 +172,8 @@ unsigned int set_desc_affinity(struct ir unsigned int arch_hwdom_irqs(domid_t); #endif diff --git a/558bfaa0-x86-traps-avoid-using-current-too-early.patch b/558bfaa0-x86-traps-avoid-using-current-too-early.patch deleted file mode 100644 index 87ec2c8..0000000 --- a/558bfaa0-x86-traps-avoid-using-current-too-early.patch +++ /dev/null @@ -1,23 +0,0 @@ -# Commit 142473cfce41a565898e0fa33dc98a1f5e41abe4 -# Date 2015-06-25 14:57:04 +0200 -# Author Andrew Cooper -# Committer Jan Beulich -x86/traps: avoid using current too early on boot - -Early on boot, current has the sentinel value 0xfffff000. Blindly using it in -show_registers() causes a nested failure and no useful information printed -from an early crash. - -Signed-off-by: Andrew Cooper - ---- a/xen/arch/x86/x86_64/traps.c -+++ b/xen/arch/x86/x86_64/traps.c -@@ -86,7 +86,7 @@ void show_registers(const struct cpu_use - struct cpu_user_regs fault_regs = *regs; - unsigned long fault_crs[8]; - enum context context; -- struct vcpu *v = current; -+ struct vcpu *v = system_state >= SYS_STATE_smp_boot ? current : NULL; - - if ( guest_mode(regs) && has_hvm_container_vcpu(v) ) - { diff --git a/5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch b/5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch deleted file mode 100644 index ee57a2d..0000000 --- a/5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch +++ /dev/null @@ -1,50 +0,0 @@ -# Commit 71bb7304e7a7a35ea6df4b0cedebc35028e4c159 -# Date 2015-06-30 15:00:54 +0100 -# Author Liang Li -# Committer Ian Campbell -nested EPT: fix the handling of nested EPT - -If the host EPT entry is changed, the nested EPT should be updated. -the current code does not do this, and it's wrong. -I have tested this patch, the L2 guest can boot and run as normal. - -Signed-off-by: Liang Li -Signed-off-by: Yang Zhang -Reported-by: Tim Deegan -Reviewed-by: Tim Deegan - ---- a/xen/arch/x86/mm/p2m-ept.c -+++ b/xen/arch/x86/mm/p2m-ept.c -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1040,6 +1041,9 @@ void ept_sync_domain(struct p2m_domain * - - ASSERT(local_irq_is_enabled()); - -+ if ( nestedhvm_enabled(d) && !p2m_is_nestedp2m(p2m) ) -+ p2m_flush_nestedp2m(d); -+ - /* - * Flush active cpus synchronously. Flush others the next time this domain - * is scheduled onto them. We accept the race of other CPUs adding to ---- a/xen/arch/x86/mm/p2m.c -+++ b/xen/arch/x86/mm/p2m.c -@@ -1713,6 +1713,12 @@ p2m_flush_table(struct p2m_domain *p2m) - ASSERT(page_list_empty(&p2m->pod.super)); - ASSERT(page_list_empty(&p2m->pod.single)); - -+ if ( p2m->np2m_base == P2M_BASE_EADDR ) -+ { -+ p2m_unlock(p2m); -+ return; -+ } -+ - /* This is no longer a valid nested p2m for any address space */ - p2m->np2m_base = P2M_BASE_EADDR; - diff --git a/559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch b/559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch deleted file mode 100644 index df473a2..0000000 --- a/559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch +++ /dev/null @@ -1,64 +0,0 @@ -# Commit e4e9d2d4e76bd8fe229c124bd57fc6ba824271b3 -# Date 2015-07-07 11:37:26 +0200 -# Author Andrew Cooper -# Committer Jan Beulich -x86/p2m-ept: don't unmap the EPT pagetable while it is still in use - -The call to iommu_pte_flush() between the two hunks uses &ept_entry->epte -which is a pointer into the mapped page. - -It is eventually passed to `clflush` instruction which will suffer a pagefault -if the virtual mapping has fallen out of the TLB. - - (XEN) ----[ Xen-4.5.0-xs102594-d x86_64 debug=y Not tainted ]---- - (XEN) CPU: 7 - (XEN) RIP: e008:[] cacheline_flush+0x4/0x9 - - (XEN) Xen call trace: - (XEN) [] cacheline_flush+0x4/0x9 - (XEN) [] __iommu_flush_cache+0x4a/0x6a - (XEN) [] iommu_pte_flush+0x2b/0xd5 - (XEN) [] ept_set_entry+0x4bc/0x61f - (XEN) [] p2m_set_entry+0xd1/0x112 - (XEN) [] clear_mmio_p2m_entry+0x1a0/0x200 - (XEN) [] unmap_mmio_regions+0x49/0x73 - (XEN) [] do_domctl+0x15bd/0x1edb - (XEN) [] syscall_enter+0xeb/0x145 - (XEN) - (XEN) Pagetable walk from ffff820040004ae0: - (XEN) L4[0x104] = 00000008668a5063 ffffffffffffffff - (XEN) L3[0x001] = 00000008668a3063 ffffffffffffffff - (XEN) L2[0x000] = 000000086689c063 ffffffffffffffff - (XEN) L1[0x004] = 000000056f078063 000000000007f678 - (XEN) - (XEN) **************************************** - (XEN) Panic on CPU 7: - (XEN) FATAL PAGE FAULT - (XEN) [error_code=0000] - (XEN) Faulting linear address: ffff820040004ae0 - (XEN) **************************************** - -Signed-off-by: Andrew Cooper -Reviewed-by: George Dunlap -Reviewed-by: Jan Beulich - ---- a/xen/arch/x86/mm/p2m-ept.c -+++ b/xen/arch/x86/mm/p2m-ept.c -@@ -764,8 +764,6 @@ ept_set_entry(struct p2m_domain *p2m, un - p2m->max_mapped_pfn = gfn + (1UL << order) - 1; - - out: -- unmap_domain_page(table); -- - if ( needs_sync != sync_off ) - ept_sync_domain(p2m); - -@@ -788,6 +786,8 @@ out: - } - } - -+ unmap_domain_page(table); -+ - /* Release the old intermediate tables, if any. This has to be the - last thing we do, after the ept_sync_domain() and removal - from the iommu tables, so as to avoid a potential diff --git a/559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch b/559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch deleted file mode 100644 index 943d97b..0000000 --- a/559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch +++ /dev/null @@ -1,88 +0,0 @@ -# Commit 8022b05284dea80e24813d03180788ec7277a0bd -# Date 2015-07-07 14:29:39 +0200 -# Author Dario Faggioli -# Committer Jan Beulich -x86 / cpupool: clear the proper cpu_valid bit on pCPU teardown - -In fact, when a pCPU goes down, we want to clear its -bit in the correct cpupool's valid mask, rather than -always in cpupool0's one. - -Before this commit, all the pCPUs in the non-default -pool(s) will be considered immediately valid, during -system resume, even the one that have not been brought -up yet. As a result, the (Credit1) scheduler will attempt -to run its load balancing logic on them, causing the -following Oops: - -# xl cpupool-cpu-remove Pool-0 8-15 -# xl cpupool-create name=\"Pool-1\" -# xl cpupool-cpu-add Pool-1 8-15 ---> suspend ---> resume -(XEN) ----[ Xen-4.6-unstable x86_64 debug=y Tainted: C ]---- -(XEN) CPU: 8 -(XEN) RIP: e008:[] csched_schedule+0x4be/0xb97 -(XEN) RFLAGS: 0000000000010087 CONTEXT: hypervisor -(XEN) rax: 80007d2f7fccb780 rbx: 0000000000000009 rcx: 0000000000000000 -(XEN) rdx: ffff82d08031ed40 rsi: ffff82d080334980 rdi: 0000000000000000 -(XEN) rbp: ffff83010000fe20 rsp: ffff83010000fd40 r8: 0000000000000004 -(XEN) r9: 0000ffff0000ffff r10: 00ff00ff00ff00ff r11: 0f0f0f0f0f0f0f0f -(XEN) r12: ffff8303191ea870 r13: ffff8303226aadf0 r14: 0000000000000009 -(XEN) r15: 0000000000000008 cr0: 000000008005003b cr4: 00000000000026f0 -(XEN) cr3: 00000000dba9d000 cr2: 0000000000000000 -(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: 0000 cs: e008 -(XEN) ... ... ... -(XEN) Xen call trace: -(XEN) [] csched_schedule+0x4be/0xb97 -(XEN) [] schedule+0x12a/0x63c -(XEN) [] __do_softirq+0x82/0x8d -(XEN) [] do_softirq+0x13/0x15 -(XEN) [] idle_loop+0x5b/0x6b -(XEN) -(XEN) **************************************** -(XEN) Panic on CPU 8: -(XEN) GENERAL PROTECTION FAULT -(XEN) [error_code=0000] -(XEN) **************************************** - -The reason why the error is a #GP fault is that, without -this commit, we try to access the per-cpu area of a not -yet allocated and initialized pCPU. -In fact, %rax, which is what is used as pointer, is -80007d2f7fccb780, and we also have this: - -#define INVALID_PERCPU_AREA (0x8000000000000000L - (long)__per_cpu_start) - -Signed-off-by: Dario Faggioli -Acked-by: Andrew Cooper -Acked-by: Juergen Gross - ---- a/xen/arch/x86/smpboot.c -+++ b/xen/arch/x86/smpboot.c -@@ -816,7 +816,6 @@ void __cpu_disable(void) - remove_siblinginfo(cpu); - - /* It's now safe to remove this processor from the online map */ -- cpumask_clear_cpu(cpu, cpupool0->cpu_valid); - cpumask_clear_cpu(cpu, &cpu_online_map); - fixup_irqs(); - ---- a/xen/common/cpupool.c -+++ b/xen/common/cpupool.c -@@ -529,6 +529,7 @@ static int cpupool_cpu_remove(unsigned i - if ( cpumask_test_cpu(cpu, (*c)->cpu_valid ) ) - { - cpumask_set_cpu(cpu, (*c)->cpu_suspended); -+ cpumask_clear_cpu(cpu, (*c)->cpu_valid); - break; - } - } -@@ -551,6 +552,7 @@ static int cpupool_cpu_remove(unsigned i - * If we are not suspending, we are hot-unplugging cpu, and that is - * allowed only for CPUs in pool0. - */ -+ cpumask_clear_cpu(cpu, cpupool0->cpu_valid); - ret = 0; - } - diff --git a/559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch b/559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch deleted file mode 100644 index ef7bbfd..0000000 --- a/559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch +++ /dev/null @@ -1,141 +0,0 @@ -# Commit 02ea5031825d984d52eb9a982b8457e3434137f0 -# Date 2015-07-07 14:30:06 +0200 -# Author Dario Faggioli -# Committer Jan Beulich -credit1: properly deal with pCPUs not in any cpupool - -Ideally, the pCPUs that are 'free', i.e., not assigned -to any cpupool, should not be considred by the scheduler -for load balancing or anything. In Credit1, we fail at -this, because of how we use cpupool_scheduler_cpumask(). -In fact, for a free pCPU, cpupool_scheduler_cpumask() -returns a pointer to cpupool_free_cpus, and hence, near -the top of csched_load_balance(): - - if ( unlikely(!cpumask_test_cpu(cpu, online)) ) - goto out; - -is false (the pCPU _is_ free!), and we therefore do not -jump to the end right away, as we should. This, causes -the following splat when resuming from ACPI S3 with -pCPUs not assigned to any pool: - -(XEN) ----[ Xen-4.6-unstable x86_64 debug=y Tainted: C ]---- -(XEN) ... ... ... -(XEN) Xen call trace: -(XEN) [] csched_load_balance+0x213/0x794 -(XEN) [] csched_schedule+0x321/0x452 -(XEN) [] schedule+0x12a/0x63c -(XEN) [] __do_softirq+0x82/0x8d -(XEN) [] do_softirq+0x13/0x15 -(XEN) [] idle_loop+0x5b/0x6b -(XEN) -(XEN) -(XEN) **************************************** -(XEN) Panic on CPU 8: -(XEN) GENERAL PROTECTION FAULT -(XEN) [error_code=0000] -(XEN) **************************************** - -The cure is: - * use cpupool_online_cpumask(), as a better guard to the - case when the cpu is being offlined; - * explicitly check whether the cpu is free. - -SEDF is in a similar situation, so fix it too. - -Still in Credit1, we must make sure that free (or offline) -CPUs are not considered "ticklable". Not doing so would impair -the load balancing algorithm, making the scheduler think that -it is possible to 'ask' the pCPU to pick up some work, while -in reallity, that will never happen! Evidence of such behavior -is shown in this trace: - - Name CPU list - Pool-0 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14 - - 0.112998198 | ||.|| -|x||-|- d0v0 runstate_change d0v4 offline->runnable - ] 0.112998198 | ||.|| -|x||-|- d0v0 22006(2:2:6) 1 [ f ] - ] 0.112999612 | ||.|| -|x||-|- d0v0 28004(2:8:4) 2 [ 0 4 ] - 0.113003387 | ||.|| -||||-|x d32767v15 runstate_continue d32767v15 running->running - -where "22006(2:2:6) 1 [ f ]" means that pCPU 15, which is -free from any pool, is tickled. - -The cure, in this case, is to filter out the free pCPUs, -within __runq_tickle(). - -Signed-off-by: Dario Faggioli -Acked-by: Juergen Gross -Reviewed-by: George Dunlap - ---- a/xen/common/sched_credit.c -+++ b/xen/common/sched_credit.c -@@ -350,12 +350,17 @@ __runq_tickle(unsigned int cpu, struct c - { - struct csched_vcpu * const cur = CSCHED_VCPU(curr_on_cpu(cpu)); - struct csched_private *prv = CSCHED_PRIV(per_cpu(scheduler, cpu)); -- cpumask_t mask, idle_mask; -+ cpumask_t mask, idle_mask, *online; - int balance_step, idlers_empty; - - ASSERT(cur); - cpumask_clear(&mask); -- idlers_empty = cpumask_empty(prv->idlers); -+ -+ /* cpu is vc->processor, so it must be in a cpupool. */ -+ ASSERT(per_cpu(cpupool, cpu) != NULL); -+ online = cpupool_online_cpumask(per_cpu(cpupool, cpu)); -+ cpumask_and(&idle_mask, prv->idlers, online); -+ idlers_empty = cpumask_empty(&idle_mask); - - - /* -@@ -392,8 +397,8 @@ __runq_tickle(unsigned int cpu, struct c - /* Are there idlers suitable for new (for this balance step)? */ - csched_balance_cpumask(new->vcpu, balance_step, - csched_balance_mask); -- cpumask_and(&idle_mask, prv->idlers, csched_balance_mask); -- new_idlers_empty = cpumask_empty(&idle_mask); -+ cpumask_and(csched_balance_mask, csched_balance_mask, &idle_mask); -+ new_idlers_empty = cpumask_empty(csched_balance_mask); - - /* - * Let's not be too harsh! If there aren't idlers suitable -@@ -1494,6 +1499,7 @@ static struct csched_vcpu * - csched_load_balance(struct csched_private *prv, int cpu, - struct csched_vcpu *snext, bool_t *stolen) - { -+ struct cpupool *c = per_cpu(cpupool, cpu); - struct csched_vcpu *speer; - cpumask_t workers; - cpumask_t *online; -@@ -1501,10 +1507,13 @@ csched_load_balance(struct csched_privat - int node = cpu_to_node(cpu); - - BUG_ON( cpu != snext->vcpu->processor ); -- online = cpupool_scheduler_cpumask(per_cpu(cpupool, cpu)); -+ online = cpupool_online_cpumask(c); - -- /* If this CPU is going offline we shouldn't steal work. */ -- if ( unlikely(!cpumask_test_cpu(cpu, online)) ) -+ /* -+ * If this CPU is going offline, or is not (yet) part of any cpupool -+ * (as it happens, e.g., during cpu bringup), we shouldn't steal work. -+ */ -+ if ( unlikely(!cpumask_test_cpu(cpu, online) || c == NULL) ) - goto out; - - if ( snext->pri == CSCHED_PRI_IDLE ) ---- a/xen/common/sched_sedf.c -+++ b/xen/common/sched_sedf.c -@@ -791,7 +791,8 @@ static struct task_slice sedf_do_schedul - if ( tasklet_work_scheduled || - (list_empty(runq) && list_empty(waitq)) || - unlikely(!cpumask_test_cpu(cpu, -- cpupool_scheduler_cpumask(per_cpu(cpupool, cpu)))) ) -+ cpupool_online_cpumask(per_cpu(cpupool, cpu))) || -+ per_cpu(cpupool, cpu) == NULL) ) - { - ret.task = IDLETASK(cpu); - ret.time = SECONDS(1); diff --git a/559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch b/559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch deleted file mode 100644 index 03c649a..0000000 --- a/559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch +++ /dev/null @@ -1,68 +0,0 @@ -# Commit bbbe7e7157a964c485fb861765be291734676932 -# Date 2015-07-07 14:39:27 +0200 -# Author Andrew Cooper -# Committer Jan Beulich -x86/hvmloader: avoid data corruption with xenstore reads/writes - -The functions ring_read and ring_write() have logic to try and deal with -partial reads and writes. - -However, in all cases where the "while (len)" loop executed twice, data -corruption would occur as the second memcpy() starts from the beginning of -"data" again, rather than from where it got to. - -This bug manifested itself as protocol corruption when a reply header crossed -the first wrap of the response ring. However, similar corruption would also -occur if hvmloader observed xenstored performing partial writes of the block -in question, or if hvmloader had to wait for xenstored to make space in either -ring. - -Reported-by: Adam Kucia -Signed-off-by: Andrew Cooper - ---- a/tools/firmware/hvmloader/xenbus.c -+++ b/tools/firmware/hvmloader/xenbus.c -@@ -105,7 +105,7 @@ void xenbus_shutdown(void) - /* Helper functions: copy data in and out of the ring */ - static void ring_write(const char *data, uint32_t len) - { -- uint32_t part; -+ uint32_t part, done = 0; - - ASSERT(len <= XENSTORE_PAYLOAD_MAX); - -@@ -122,16 +122,18 @@ static void ring_write(const char *data, - if ( part > len ) - part = len; - -- memcpy(rings->req + MASK_XENSTORE_IDX(rings->req_prod), data, part); -+ memcpy(rings->req + MASK_XENSTORE_IDX(rings->req_prod), -+ data + done, part); - barrier(); /* = wmb before prod write, rmb before next cons read */ - rings->req_prod += part; - len -= part; -+ done += part; - } - } - - static void ring_read(char *data, uint32_t len) - { -- uint32_t part; -+ uint32_t part, done = 0; - - ASSERT(len <= XENSTORE_PAYLOAD_MAX); - -@@ -148,10 +150,12 @@ static void ring_read(char *data, uint32 - if ( part > len ) - part = len; - -- memcpy(data, rings->rsp + MASK_XENSTORE_IDX(rings->rsp_cons), part); -+ memcpy(data + done, -+ rings->rsp + MASK_XENSTORE_IDX(rings->rsp_cons), part); - barrier(); /* = wmb before cons write, rmb before next prod read */ - rings->rsp_cons += part; - len -= part; -+ done += part; - } - } - diff --git a/559bdde5-pull-in-latest-linux-earlycpio.patch b/559bdde5-pull-in-latest-linux-earlycpio.patch deleted file mode 100644 index 8106811..0000000 --- a/559bdde5-pull-in-latest-linux-earlycpio.patch +++ /dev/null @@ -1,102 +0,0 @@ -# Commit 39c6664a0e6e1b4ed80660d545dff34ce41bee31 -# Date 2015-07-07 15:10:45 +0100 -# Author Ian Campbell -# Committer Ian Campbell -xen: earlycpio: Pull in latest linux earlycpio.[ch] - -AFAICT our current version does not correspond to any version in the -Linux history. This commit resynchronised to the state in Linux -commit 598bae70c2a8e35c8d39b610cca2b32afcf047af. - -Differences from upstream: find_cpio_data is __init, printk instead of -pr_*. - -This appears to fix Debian bug #785187. "Appears" because my test box -happens to be AMD and the issue is that the (valid) cpio generated by -the Intel ucode is not liked by the old Xen code. I've tested by -hacking the hypervisor to look for the Intel path. - -Reported-by: Stephan Seitz -Signed-off-by: Ian Campbell -Cc: Konrad Rzeszutek Wilk -Cc: Jan Beulich -Cc: Stephan Seitz -Cc: 785187@bugs.debian.org -Acked-by: Jan Beulich - ---- a/xen/common/earlycpio.c -+++ b/xen/common/earlycpio.c -@@ -54,25 +54,26 @@ enum cpio_fields { - - /** - * cpio_data find_cpio_data - Search for files in an uncompressed cpio -- * @path: The directory to search for, including a slash at the end -- * @data: Pointer to the the cpio archive or a header inside -- * @len: Remaining length of the cpio based on data pointer -- * @offset: When a matching file is found, this is the offset to the -- * beginning of the cpio. It can be used to iterate through -- * the cpio to find all files inside of a directory path -+ * @path: The directory to search for, including a slash at the end -+ * @data: Pointer to the the cpio archive or a header inside -+ * @len: Remaining length of the cpio based on data pointer -+ * @nextoff: When a matching file is found, this is the offset from the -+ * beginning of the cpio to the beginning of the next file, not the -+ * matching file itself. It can be used to iterate through the cpio -+ * to find all files inside of a directory path. - * -- * @return: struct cpio_data containing the address, length and -- * filename (with the directory path cut off) of the found file. -- * If you search for a filename and not for files in a directory, -- * pass the absolute path of the filename in the cpio and make sure -- * the match returned an empty filename string. -+ * @return: struct cpio_data containing the address, length and -+ * filename (with the directory path cut off) of the found file. -+ * If you search for a filename and not for files in a directory, -+ * pass the absolute path of the filename in the cpio and make sure -+ * the match returned an empty filename string. - */ - - struct cpio_data __init find_cpio_data(const char *path, void *data, -- size_t len, long *offset) -+ size_t len, long *nextoff) - { - const size_t cpio_header_len = 8*C_NFIELDS - 2; -- struct cpio_data cd = { NULL, 0 }; -+ struct cpio_data cd = { NULL, 0, "" }; - const char *p, *dptr, *nptr; - unsigned int ch[C_NFIELDS], *chp, v; - unsigned char c, x; -@@ -129,17 +130,17 @@ struct cpio_data __init find_cpio_data(c - if ((ch[C_MODE] & 0170000) == 0100000 && - ch[C_NAMESIZE] >= mypathsize && - !memcmp(p, path, mypathsize)) { -- *offset = (long)nptr - (long)data; -+ *nextoff = (long)nptr - (long)data; - if (ch[C_NAMESIZE] - mypathsize >= MAX_CPIO_FILE_NAME) { - printk( - "File %s exceeding MAX_CPIO_FILE_NAME [%d]\n", - p, MAX_CPIO_FILE_NAME); - } -- if (ch[C_NAMESIZE] - 1 /* includes \0 */ == mypathsize) { -- cd.data = (void *)dptr; -- cd.size = ch[C_FILESIZE]; -- return cd; /* Found it! */ -- } -+ strlcpy(cd.name, p + mypathsize, MAX_CPIO_FILE_NAME); -+ -+ cd.data = (void *)dptr; -+ cd.size = ch[C_FILESIZE]; -+ return cd; /* Found it! */ - } - len -= (nptr - p); - p = nptr; ---- a/xen/include/xen/earlycpio.h -+++ b/xen/include/xen/earlycpio.h -@@ -6,6 +6,7 @@ - struct cpio_data { - void *data; - size_t size; -+ char name[MAX_CPIO_FILE_NAME]; - }; - - struct cpio_data find_cpio_data(const char *path, void *data, size_t len, diff --git a/55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch b/55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch deleted file mode 100644 index 66b02e0..0000000 --- a/55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch +++ /dev/null @@ -1,37 +0,0 @@ -Subject: xl: correct handling of extra_config in main_cpupoolcreate -From: Wei Liu wei.liu2@citrix.com Tue Jul 14 17:41:10 2015 +0100 -Date: Wed Jul 15 10:58:08 2015 +0100: -Git: 705c9e12426cba82804cb578fc70785281655d94 - -Don't dereference extra_config if it's NULL. Don't leak extra_config in -the end. - -Also fixed a typo in error string while I was there. - -Signed-off-by: Wei Liu -Acked-by: Ian Jackson - -Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/xl_cmdimpl.c -+++ xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c -@@ -7085,9 +7085,9 @@ int main_cpupoolcreate(int argc, char ** - else - config_src="command line"; - -- if (strlen(extra_config)) { -+ if (extra_config && strlen(extra_config)) { - if (config_len > INT_MAX - (strlen(extra_config) + 2)) { -- fprintf(stderr, "Failed to attach extra configration\n"); -+ fprintf(stderr, "Failed to attach extra configuration\n"); - goto out; - } - config_data = xrealloc(config_data, -@@ -7211,6 +7211,7 @@ out_cfg: - out: - free(name); - free(config_data); -+ free(extra_config); - return rc; - } - diff --git a/55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch b/55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch deleted file mode 100644 index 142d0c4..0000000 --- a/55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch +++ /dev/null @@ -1,24 +0,0 @@ -# Commit b1c780cd315eb4db06be3bbb5c6d80b1cabd27a9 -# Date 2015-07-15 16:11:42 +0200 -# Author Jan Beulich -# Committer Jan Beulich -make rangeset_report_ranges() report all ranges - -find_range() returns NULL when s is below the lowest range, so we have -to use first_range() here (which is as good performance wise), or else -no range gets reported at all in that case. - -Signed-off-by: Jan Beulich -Acked-by: Ian Campbell - ---- a/xen/common/rangeset.c -+++ b/xen/common/rangeset.c -@@ -289,7 +289,7 @@ int rangeset_report_ranges( - - read_lock(&r->lock); - -- for ( x = find_range(r, s); x && (x->s <= e) && !rc; x = next_range(r, x) ) -+ for ( x = first_range(r); x && (x->s <= e) && !rc; x = next_range(r, x) ) - if ( x->e >= s ) - rc = cb(max(x->s, s), min(x->e, e), ctxt); - diff --git a/55a77e4f-dmar-device-scope-mem-leak-fix.patch b/55a77e4f-dmar-device-scope-mem-leak-fix.patch deleted file mode 100644 index 6ac0554..0000000 --- a/55a77e4f-dmar-device-scope-mem-leak-fix.patch +++ /dev/null @@ -1,135 +0,0 @@ -# Commit a8bc99b981c5ad773bd646f5986e616d26fb94d7 -# Date 2015-07-16 11:50:07 +0200 -# Author Elena Ufimtseva -# Committer Jan Beulich -dmar: device scope mem leak fix - -Release memory allocated for scope.devices dmar units on various -failure paths and when disabling dmar. Set device count after -sucessfull memory allocation, not before, in device scope parsing function. - -Signed-off-by: Elena Ufimtseva -Reviewed-by: Jan Beulich -Acked-by: Yang Zhang - -# Commit 132231d10343608faf5892785a08acc500326d04 -# Date 2015-07-16 15:23:37 +0200 -# Author Andrew Cooper -# Committer Jan Beulich -dmar: fix double free in error paths following c/s a8bc99b - -Several error paths would end up freeing scope->devices twice. - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich - ---- a/xen/drivers/passthrough/vtd/dmar.c -+++ b/xen/drivers/passthrough/vtd/dmar.c -@@ -80,6 +80,16 @@ static int __init acpi_register_rmrr_uni - return 0; - } - -+static void scope_devices_free(struct dmar_scope *scope) -+{ -+ if ( !scope ) -+ return; -+ -+ scope->devices_cnt = 0; -+ xfree(scope->devices); -+ scope->devices = NULL; -+} -+ - static void __init disable_all_dmar_units(void) - { - struct acpi_drhd_unit *drhd, *_drhd; -@@ -89,16 +99,19 @@ static void __init disable_all_dmar_unit - list_for_each_entry_safe ( drhd, _drhd, &acpi_drhd_units, list ) - { - list_del(&drhd->list); -+ scope_devices_free(&drhd->scope); - xfree(drhd); - } - list_for_each_entry_safe ( rmrr, _rmrr, &acpi_rmrr_units, list ) - { - list_del(&rmrr->list); -+ scope_devices_free(&rmrr->scope); - xfree(rmrr); - } - list_for_each_entry_safe ( atsr, _atsr, &acpi_atsr_units, list ) - { - list_del(&atsr->list); -+ scope_devices_free(&atsr->scope); - xfree(atsr); - } - } -@@ -317,13 +330,13 @@ static int __init acpi_parse_dev_scope( - if ( (cnt = scope_device_count(start, end)) < 0 ) - return cnt; - -- scope->devices_cnt = cnt; - if ( cnt > 0 ) - { - scope->devices = xzalloc_array(u16, cnt); - if ( !scope->devices ) - return -ENOMEM; - } -+ scope->devices_cnt = cnt; - - while ( start < end ) - { -@@ -426,7 +439,7 @@ static int __init acpi_parse_dev_scope( - - out: - if ( ret ) -- xfree(scope->devices); -+ scope_devices_free(scope); - - return ret; - } -@@ -541,6 +554,7 @@ acpi_parse_one_drhd(struct acpi_dmar_hea - " Workaround BIOS bug: ignore the DRHD due to all " - "devices under its scope are not PCI discoverable!\n"); - -+ scope_devices_free(&dmaru->scope); - iommu_free(dmaru); - xfree(dmaru); - } -@@ -561,9 +575,11 @@ acpi_parse_one_drhd(struct acpi_dmar_hea - out: - if ( ret ) - { -+ scope_devices_free(&dmaru->scope); - iommu_free(dmaru); - xfree(dmaru); - } -+ - return ret; - } - -@@ -657,6 +673,7 @@ acpi_parse_one_rmrr(struct acpi_dmar_hea - " Ignore the RMRR (%"PRIx64", %"PRIx64") due to " - "devices under its scope are not PCI discoverable!\n", - rmrru->base_address, rmrru->end_address); -+ scope_devices_free(&rmrru->scope); - xfree(rmrru); - } - else if ( base_addr > end_addr ) -@@ -664,6 +681,7 @@ acpi_parse_one_rmrr(struct acpi_dmar_hea - dprintk(XENLOG_WARNING VTDPREFIX, - " The RMRR (%"PRIx64", %"PRIx64") is incorrect!\n", - rmrru->base_address, rmrru->end_address); -+ scope_devices_free(&rmrru->scope); - xfree(rmrru); - ret = -EFAULT; - } -@@ -726,7 +744,10 @@ acpi_parse_one_atsr(struct acpi_dmar_hea - } - - if ( ret ) -+ { -+ scope_devices_free(&atsru->scope); - xfree(atsru); -+ } - else - acpi_register_atsr_unit(atsru); - return ret; diff --git a/55b0a218-x86-PCI-CFG-write-intercept.patch b/55b0a218-x86-PCI-CFG-write-intercept.patch index ed46235..bc13e94 100644 --- a/55b0a218-x86-PCI-CFG-write-intercept.patch +++ b/55b0a218-x86-PCI-CFG-write-intercept.patch @@ -12,9 +12,11 @@ MMCFG accesses by Dom0. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper ---- a/xen/arch/x86/msi.c -+++ b/xen/arch/x86/msi.c -@@ -1108,6 +1108,12 @@ void pci_cleanup_msi(struct pci_dev *pde +Index: xen-4.5.2-testing/xen/arch/x86/msi.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c ++++ xen-4.5.2-testing/xen/arch/x86/msi.c +@@ -1110,6 +1110,12 @@ void pci_cleanup_msi(struct pci_dev *pde msi_free_irqs(pdev); } @@ -27,8 +29,10 @@ Reviewed-by: Andrew Cooper int pci_restore_msi_state(struct pci_dev *pdev) { unsigned long flags; ---- a/xen/arch/x86/pci.c -+++ b/xen/arch/x86/pci.c +Index: xen-4.5.2-testing/xen/arch/x86/pci.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/pci.c ++++ xen-4.5.2-testing/xen/arch/x86/pci.c @@ -67,3 +67,28 @@ void pci_conf_write(uint32_t cf8, uint8_ spin_unlock_irqrestore(&pci_config_lock, flags); @@ -58,9 +62,11 @@ Reviewed-by: Andrew Cooper + + return rc; +} ---- a/xen/arch/x86/traps.c -+++ b/xen/arch/x86/traps.c -@@ -1708,8 +1708,8 @@ static int admin_io_okay( +Index: xen-4.5.2-testing/xen/arch/x86/traps.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/traps.c ++++ xen-4.5.2-testing/xen/arch/x86/traps.c +@@ -1709,8 +1709,8 @@ static int admin_io_okay( return ioports_access_permitted(v->domain, port, port + bytes - 1); } @@ -71,7 +77,7 @@ Reviewed-by: Andrew Cooper { uint32_t machine_bdf; -@@ -1741,8 +1741,12 @@ static bool_t pci_cfg_ok(struct domain * +@@ -1742,8 +1742,12 @@ static bool_t pci_cfg_ok(struct domain * start |= CF8_ADDR_HI(currd->arch.pci_cf8); } @@ -86,7 +92,7 @@ Reviewed-by: Andrew Cooper } uint32_t guest_io_read( -@@ -1796,7 +1800,7 @@ uint32_t guest_io_read( +@@ -1797,7 +1801,7 @@ uint32_t guest_io_read( size = min(bytes, 4 - (port & 3)); if ( size == 3 ) size = 2; @@ -95,7 +101,7 @@ Reviewed-by: Andrew Cooper sub_data = pci_conf_read(v->domain->arch.pci_cf8, port & 3, size); } -@@ -1869,7 +1873,7 @@ void guest_io_write( +@@ -1870,7 +1874,7 @@ void guest_io_write( size = min(bytes, 4 - (port & 3)); if ( size == 3 ) size = 2; @@ -104,8 +110,10 @@ Reviewed-by: Andrew Cooper pci_conf_write(v->domain->arch.pci_cf8, port & 3, size, data); } ---- a/xen/include/asm-x86/pci.h -+++ b/xen/include/asm-x86/pci.h +Index: xen-4.5.2-testing/xen/include/asm-x86/pci.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/asm-x86/pci.h ++++ xen-4.5.2-testing/xen/include/asm-x86/pci.h @@ -15,4 +15,11 @@ struct arch_pci_dev { vmask_t used_vectors; }; diff --git a/55b0a255-x86-MSI-X-maskall.patch b/55b0a255-x86-MSI-X-maskall.patch index 4161a39..bcb6354 100644 --- a/55b0a255-x86-MSI-X-maskall.patch +++ b/55b0a255-x86-MSI-X-maskall.patch @@ -13,9 +13,11 @@ a guest). Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper ---- a/xen/arch/x86/msi.c -+++ b/xen/arch/x86/msi.c -@@ -843,6 +843,12 @@ static int msix_capability_init(struct p +Index: xen-4.5.2-testing/xen/arch/x86/msi.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c ++++ xen-4.5.2-testing/xen/arch/x86/msi.c +@@ -845,6 +845,12 @@ static int msix_capability_init(struct p if ( !msix->used_entries ) { @@ -28,7 +30,7 @@ Reviewed-by: Andrew Cooper if ( rangeset_add_range(mmio_ro_ranges, msix->table.first, msix->table.last) ) WARN(); -@@ -1111,6 +1117,34 @@ void pci_cleanup_msi(struct pci_dev *pde +@@ -1113,6 +1119,34 @@ void pci_cleanup_msi(struct pci_dev *pde int pci_msi_conf_write_intercept(struct pci_dev *pdev, unsigned int reg, unsigned int size, uint32_t *data) { @@ -63,8 +65,10 @@ Reviewed-by: Andrew Cooper return 0; } ---- a/xen/include/asm-x86/msi.h -+++ b/xen/include/asm-x86/msi.h +Index: xen-4.5.2-testing/xen/include/asm-x86/msi.h +=================================================================== +--- xen-4.5.2-testing.orig/xen/include/asm-x86/msi.h ++++ xen-4.5.2-testing/xen/include/asm-x86/msi.h @@ -228,6 +228,7 @@ struct arch_msix { int table_refcnt[MAX_MSIX_TABLE_PAGES]; int table_idx[MAX_MSIX_TABLE_PAGES]; diff --git a/55b0a283-x86-MSI-X-teardown.patch b/55b0a283-x86-MSI-X-teardown.patch index 45f1d6c..561ac81 100644 --- a/55b0a283-x86-MSI-X-teardown.patch +++ b/55b0a283-x86-MSI-X-teardown.patch @@ -30,8 +30,10 @@ Backporting note (largely to myself): "x86/MSI: drop workaround for insecure Dom0 kernels" (due to re-use of struct arch_msix's warned field). ---- a/xen/arch/x86/irq.c -+++ b/xen/arch/x86/irq.c +Index: xen-4.5.2-testing/xen/arch/x86/irq.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/irq.c ++++ xen-4.5.2-testing/xen/arch/x86/irq.c @@ -217,9 +217,9 @@ void destroy_irq(unsigned int irq) } @@ -63,8 +65,10 @@ Backporting note (largely to myself): /* * Mark any remaining pending EOIs as ready to flush. ---- a/xen/arch/x86/msi.c -+++ b/xen/arch/x86/msi.c +Index: xen-4.5.2-testing/xen/arch/x86/msi.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c ++++ xen-4.5.2-testing/xen/arch/x86/msi.c @@ -123,6 +123,27 @@ static void msix_put_fixmap(struct arch_ spin_unlock(&msix->table_lock); } @@ -283,7 +287,7 @@ Backporting note (largely to myself): } void ack_nonmaskable_msi_irq(struct irq_desc *desc) -@@ -740,6 +809,9 @@ static int msix_capability_init(struct p +@@ -742,6 +811,9 @@ static int msix_capability_init(struct p control = pci_conf_read16(seg, bus, slot, func, msix_control_reg(pos)); msix_set_enable(dev, 0);/* Ensure msix is disabled as I set it up */ @@ -293,7 +297,7 @@ Backporting note (largely to myself): if ( desc ) { entry = alloc_msi_entry(1); -@@ -879,7 +951,8 @@ static int msix_capability_init(struct p +@@ -881,7 +953,8 @@ static int msix_capability_init(struct p ++msix->used_entries; /* Restore MSI-X enabled bits */ @@ -303,7 +307,7 @@ Backporting note (largely to myself): return 0; } -@@ -1024,8 +1097,16 @@ static void __pci_disable_msix(struct ms +@@ -1026,8 +1099,16 @@ static void __pci_disable_msix(struct ms BUG_ON(list_empty(&dev->msi_list)); @@ -322,7 +326,7 @@ Backporting note (largely to myself): pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos), control); _pci_cleanup_msix(dev->msix); -@@ -1199,15 +1280,24 @@ int pci_restore_msi_state(struct pci_dev +@@ -1201,15 +1282,24 @@ int pci_restore_msi_state(struct pci_dev nr = entry->msi.nvec; } else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX ) diff --git a/55b0a2ab-x86-MSI-X-enable.patch b/55b0a2ab-x86-MSI-X-enable.patch index c609af2..8fbc273 100644 --- a/55b0a2ab-x86-MSI-X-enable.patch +++ b/55b0a2ab-x86-MSI-X-enable.patch @@ -14,8 +14,10 @@ instead to prevent interrupts from occurring. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper ---- a/xen/arch/x86/msi.c -+++ b/xen/arch/x86/msi.c +Index: xen-4.5.2-testing/xen/arch/x86/msi.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c ++++ xen-4.5.2-testing/xen/arch/x86/msi.c @@ -144,6 +144,17 @@ static bool_t memory_decoded(const struc PCI_COMMAND_MEMORY); } @@ -171,7 +173,7 @@ Reviewed-by: Andrew Cooper } int __setup_msi_irq(struct irq_desc *desc, struct msi_desc *msidesc, -@@ -803,20 +848,38 @@ static int msix_capability_init(struct p +@@ -805,20 +850,38 @@ static int msix_capability_init(struct p u8 bus = dev->bus; u8 slot = PCI_SLOT(dev->devfn); u8 func = PCI_FUNC(dev->devfn); @@ -211,7 +213,7 @@ Reviewed-by: Andrew Cooper ASSERT(msi); } -@@ -847,6 +910,8 @@ static int msix_capability_init(struct p +@@ -849,6 +912,8 @@ static int msix_capability_init(struct p { if ( !msi || !msi->table_base ) { @@ -220,7 +222,7 @@ Reviewed-by: Andrew Cooper xfree(entry); return -ENXIO; } -@@ -889,6 +954,8 @@ static int msix_capability_init(struct p +@@ -891,6 +956,8 @@ static int msix_capability_init(struct p if ( idx < 0 ) { @@ -229,7 +231,7 @@ Reviewed-by: Andrew Cooper xfree(entry); return idx; } -@@ -915,7 +982,7 @@ static int msix_capability_init(struct p +@@ -917,7 +984,7 @@ static int msix_capability_init(struct p if ( !msix->used_entries ) { @@ -238,7 +240,7 @@ Reviewed-by: Andrew Cooper if ( !msix->guest_maskall ) control &= ~PCI_MSIX_FLAGS_MASKALL; else -@@ -951,8 +1018,8 @@ static int msix_capability_init(struct p +@@ -953,8 +1020,8 @@ static int msix_capability_init(struct p ++msix->used_entries; /* Restore MSI-X enabled bits */ @@ -249,7 +251,7 @@ Reviewed-by: Andrew Cooper return 0; } -@@ -1092,8 +1159,15 @@ static void __pci_disable_msix(struct ms +@@ -1094,8 +1161,15 @@ static void __pci_disable_msix(struct ms PCI_CAP_ID_MSIX); u16 control = pci_conf_read16(seg, bus, slot, func, msix_control_reg(entry->msi_attrib.pos)); @@ -266,7 +268,7 @@ Reviewed-by: Andrew Cooper BUG_ON(list_empty(&dev->msi_list)); -@@ -1105,8 +1179,11 @@ static void __pci_disable_msix(struct ms +@@ -1107,8 +1181,11 @@ static void __pci_disable_msix(struct ms "cannot disable IRQ %d: masking MSI-X on %04x:%02x:%02x.%u\n", entry->irq, dev->seg, dev->bus, PCI_SLOT(dev->devfn), PCI_FUNC(dev->devfn)); @@ -279,7 +281,7 @@ Reviewed-by: Andrew Cooper pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos), control); _pci_cleanup_msix(dev->msix); -@@ -1255,6 +1332,8 @@ int pci_restore_msi_state(struct pci_dev +@@ -1257,6 +1334,8 @@ int pci_restore_msi_state(struct pci_dev list_for_each_entry_safe( entry, tmp, &pdev->msi_list, list ) { unsigned int i = 0, nr = 1; @@ -288,7 +290,7 @@ Reviewed-by: Andrew Cooper irq = entry->irq; desc = &irq_desc[irq]; -@@ -1281,10 +1360,18 @@ int pci_restore_msi_state(struct pci_dev +@@ -1283,10 +1362,18 @@ int pci_restore_msi_state(struct pci_dev } else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX ) { @@ -308,7 +310,7 @@ Reviewed-by: Andrew Cooper return -ENXIO; } } -@@ -1314,11 +1401,9 @@ int pci_restore_msi_state(struct pci_dev +@@ -1316,11 +1403,9 @@ int pci_restore_msi_state(struct pci_dev if ( entry->msi_attrib.type == PCI_CAP_ID_MSI ) { unsigned int cpos = msi_control_reg(entry->msi_attrib.pos); @@ -322,7 +324,7 @@ Reviewed-by: Andrew Cooper multi_msi_enable(control, entry->msi.nvec); pci_conf_write16(pdev->seg, pdev->bus, PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn), cpos, control); -@@ -1326,7 +1411,9 @@ int pci_restore_msi_state(struct pci_dev +@@ -1328,7 +1413,9 @@ int pci_restore_msi_state(struct pci_dev msi_set_enable(pdev, 1); } else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX ) diff --git a/55b0a2db-x86-MSI-track-guest-masking.patch b/55b0a2db-x86-MSI-track-guest-masking.patch index d6ec2f4..13aa4fb 100644 --- a/55b0a2db-x86-MSI-track-guest-masking.patch +++ b/55b0a2db-x86-MSI-track-guest-masking.patch @@ -13,9 +13,11 @@ This allows reverting the main effect of the XSA-129 patches in qemu. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper ---- a/xen/arch/x86/msi.c -+++ b/xen/arch/x86/msi.c -@@ -1303,6 +1303,37 @@ int pci_msi_conf_write_intercept(struct +Index: xen-4.5.2-testing/xen/arch/x86/msi.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/msi.c ++++ xen-4.5.2-testing/xen/arch/x86/msi.c +@@ -1305,6 +1305,37 @@ int pci_msi_conf_write_intercept(struct return 1; } diff --git a/55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch b/55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch deleted file mode 100644 index 9865296..0000000 --- a/55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch +++ /dev/null @@ -1,63 +0,0 @@ -# Commit a7bd9b1661304500cd18b7d216d616ecf053ebdb -# Date 2015-08-05 10:32:45 +0100 -# Author Andrew Cooper -# Committer Ian Campbell -x86/gdt: Drop write-only, xalloc()'d array from set_gdt() - -It is not used, and can cause a spurious failure of the set_gdt() hypercall in -low memory situations. - -Signed-off-by: Andrew Cooper -Reviewed-by: Wei Liu -Reviewed-by: Ian Campbell -Reviewed-by: George Dunlap - ---- a/xen/arch/x86/mm.c -+++ b/xen/arch/x86/mm.c -@@ -4383,20 +4383,15 @@ long set_gdt(struct vcpu *v, - l1_pgentry_t *pl1e; - /* NB. There are 512 8-byte entries per GDT page. */ - int i, nr_pages = (entries + 511) / 512; -- unsigned long mfn, *pfns; - - if ( entries > FIRST_RESERVED_GDT_ENTRY ) - return -EINVAL; - -- pfns = xmalloc_array(unsigned long, nr_pages); -- if ( !pfns ) -- return -ENOMEM; -- - /* Check the pages in the new GDT. */ - for ( i = 0; i < nr_pages; i++ ) - { - struct page_info *page; -- pfns[i] = frames[i]; -+ - page = get_page_from_gfn(d, frames[i], NULL, P2M_ALLOC); - if ( !page ) - goto fail; -@@ -4405,7 +4400,7 @@ long set_gdt(struct vcpu *v, - put_page(page); - goto fail; - } -- mfn = frames[i] = page_to_mfn(page); -+ frames[i] = page_to_mfn(page); - } - - /* Tear down the old GDT. */ -@@ -4420,7 +4415,6 @@ long set_gdt(struct vcpu *v, - l1e_write(&pl1e[i], l1e_from_pfn(frames[i], __PAGE_HYPERVISOR)); - } - -- xfree(pfns); - return 0; - - fail: -@@ -4428,7 +4422,6 @@ long set_gdt(struct vcpu *v, - { - put_page_and_type(mfn_to_page(frames[i])); - } -- xfree(pfns); - return -EINVAL; - } - diff --git a/55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch b/55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch deleted file mode 100644 index c8af2a2..0000000 --- a/55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch +++ /dev/null @@ -1,169 +0,0 @@ -# Commit 0174da5b79752e2d5d6ca0faed89536e8f3d91c7 -# Date 2015-08-06 10:04:43 +0100 -# Author Anshul Makkar -# Committer Ian Campbell -x86/mm: Make {hap, shadow}_teardown() preemptible - -A domain with sufficient shadow allocation can cause a watchdog timeout -during domain destruction. Expand the existing -ERESTART logic in -paging_teardown() to allow {hap/sh}_set_allocation() to become -restartable during the DOMCTL_destroydomain hypercall. - -Signed-off-by: Anshul Makkar -Signed-off-by: Andrew Cooper -Reviewed-by: Tim Deegan -Reviewed-by: George Dunlap - ---- a/xen/arch/x86/mm/hap/hap.c -+++ b/xen/arch/x86/mm/hap/hap.c -@@ -503,7 +503,7 @@ void hap_final_teardown(struct domain *d - } - - if ( d->arch.paging.hap.total_pages != 0 ) -- hap_teardown(d); -+ hap_teardown(d, NULL); - - p2m_teardown(p2m_get_hostp2m(d)); - /* Free any memory that the p2m teardown released */ -@@ -513,7 +513,7 @@ void hap_final_teardown(struct domain *d - paging_unlock(d); - } - --void hap_teardown(struct domain *d) -+void hap_teardown(struct domain *d, int *preempted) - { - struct vcpu *v; - mfn_t mfn; -@@ -541,18 +541,11 @@ void hap_teardown(struct domain *d) - - if ( d->arch.paging.hap.total_pages != 0 ) - { -- HAP_PRINTK("teardown of domain %u starts." -- " pages total = %u, free = %u, p2m=%u\n", -- d->domain_id, -- d->arch.paging.hap.total_pages, -- d->arch.paging.hap.free_pages, -- d->arch.paging.hap.p2m_pages); -- hap_set_allocation(d, 0, NULL); -- HAP_PRINTK("teardown done." -- " pages total = %u, free = %u, p2m=%u\n", -- d->arch.paging.hap.total_pages, -- d->arch.paging.hap.free_pages, -- d->arch.paging.hap.p2m_pages); -+ hap_set_allocation(d, 0, preempted); -+ -+ if ( preempted && *preempted ) -+ goto out; -+ - ASSERT(d->arch.paging.hap.total_pages == 0); - } - -@@ -561,6 +554,7 @@ void hap_teardown(struct domain *d) - xfree(d->arch.hvm_domain.dirty_vram); - d->arch.hvm_domain.dirty_vram = NULL; - -+out: - paging_unlock(d); - } - ---- a/xen/arch/x86/mm/paging.c -+++ b/xen/arch/x86/mm/paging.c -@@ -779,12 +779,15 @@ long paging_domctl_continuation(XEN_GUES - /* Call when destroying a domain */ - int paging_teardown(struct domain *d) - { -- int rc; -+ int rc, preempted = 0; - - if ( hap_enabled(d) ) -- hap_teardown(d); -+ hap_teardown(d, &preempted); - else -- shadow_teardown(d); -+ shadow_teardown(d, &preempted); -+ -+ if ( preempted ) -+ return -ERESTART; - - /* clean up log dirty resources. */ - rc = paging_free_log_dirty_bitmap(d, 0); ---- a/xen/arch/x86/mm/shadow/common.c -+++ b/xen/arch/x86/mm/shadow/common.c -@@ -3030,7 +3030,7 @@ int shadow_enable(struct domain *d, u32 - return rv; - } - --void shadow_teardown(struct domain *d) -+void shadow_teardown(struct domain *d, int *preempted) - /* Destroy the shadow pagetables of this domain and free its shadow memory. - * Should only be called for dying domains. */ - { -@@ -3091,23 +3091,16 @@ void shadow_teardown(struct domain *d) - - if ( d->arch.paging.shadow.total_pages != 0 ) - { -- SHADOW_PRINTK("teardown of domain %u starts." -- " Shadow pages total = %u, free = %u, p2m=%u\n", -- d->domain_id, -- d->arch.paging.shadow.total_pages, -- d->arch.paging.shadow.free_pages, -- d->arch.paging.shadow.p2m_pages); - /* Destroy all the shadows and release memory to domheap */ -- sh_set_allocation(d, 0, NULL); -+ sh_set_allocation(d, 0, preempted); -+ -+ if ( preempted && *preempted ) -+ goto out; -+ - /* Release the hash table back to xenheap */ - if (d->arch.paging.shadow.hash_table) - shadow_hash_teardown(d); -- /* Should not have any more memory held */ -- SHADOW_PRINTK("teardown done." -- " Shadow pages total = %u, free = %u, p2m=%u\n", -- d->arch.paging.shadow.total_pages, -- d->arch.paging.shadow.free_pages, -- d->arch.paging.shadow.p2m_pages); -+ - ASSERT(d->arch.paging.shadow.total_pages == 0); - } - -@@ -3138,6 +3131,7 @@ void shadow_teardown(struct domain *d) - d->arch.hvm_domain.dirty_vram = NULL; - } - -+out: - paging_unlock(d); - - /* Must be called outside the lock */ -@@ -3159,7 +3153,7 @@ void shadow_final_teardown(struct domain - * It is possible for a domain that never got domain_kill()ed - * to get here with its shadow allocation intact. */ - if ( d->arch.paging.shadow.total_pages != 0 ) -- shadow_teardown(d); -+ shadow_teardown(d, NULL); - - /* It is now safe to pull down the p2m map. */ - p2m_teardown(p2m_get_hostp2m(d)); ---- a/xen/include/asm-x86/hap.h -+++ b/xen/include/asm-x86/hap.h -@@ -54,7 +54,7 @@ int hap_domctl(struct domain *d, xen_d - XEN_GUEST_HANDLE_PARAM(void) u_domctl); - int hap_enable(struct domain *d, u32 mode); - void hap_final_teardown(struct domain *d); --void hap_teardown(struct domain *d); -+void hap_teardown(struct domain *d, int *preempted); - void hap_vcpu_init(struct vcpu *v); - int hap_track_dirty_vram(struct domain *d, - unsigned long begin_pfn, ---- a/xen/include/asm-x86/shadow.h -+++ b/xen/include/asm-x86/shadow.h -@@ -72,7 +72,7 @@ int shadow_domctl(struct domain *d, - XEN_GUEST_HANDLE_PARAM(void) u_domctl); - - /* Call when destroying a domain */ --void shadow_teardown(struct domain *d); -+void shadow_teardown(struct domain *d, int *preempted); - - /* Call once all of the references to the domain have gone away */ - void shadow_final_teardown(struct domain *d); diff --git a/55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch b/55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch deleted file mode 100644 index df3e5d4..0000000 --- a/55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch +++ /dev/null @@ -1,96 +0,0 @@ -# Commit 22c5675877c8209adcfdb6bceddb561320374529 -# Date 2015-08-25 16:17:13 +0200 -# Author Aravind Gopalakrishnan -# Committer Jan Beulich -x86, amd_ucode: skip microcode updates for final levels - -Some of older[Fam10h] systems require that certain number of -applied microcode patch levels should not be overwritten by -the microcode loader. Otherwise, system hangs are known to occur. - -The 'final_levels' of patch ids have been obtained empirically. -Refer bug https://bugzilla.suse.com/show_bug.cgi?id=913996 -for details of the issue. - -The short version is that people have predominantly noticed -system hang issues when trying to update microcode levels -beyond the patch IDs below. -[0x01000098, 0x0100009f, 0x010000af] - -From internal discussions, we gathered that OS/hypervisor -cannot reliably perform microcode updates beyond these levels -due to hardware issues. Therefore, we need to abort microcode -update process if we hit any of these levels. - -In this patch, we check for those microcode versions and abort -if the current core has one of those final patch levels applied -by the BIOS - -A linux version of the patch has already made it into tip- -http://marc.info/?l=linux-kernel&m=143703405627170 - -Signed-off-by: Aravind Gopalakrishnan -Reviewed-by: Andrew Cooper -Reviewed-by: Boris Ostrovsky - ---- a/xen/arch/x86/microcode_amd.c -+++ b/xen/arch/x86/microcode_amd.c -@@ -347,6 +347,43 @@ static int container_fast_forward(const - return 0; - } - -+/* -+ * The 'final_levels' of patch ids have been obtained empirically. -+ * Refer bug https://bugzilla.suse.com/show_bug.cgi?id=913996 -+ * for details of the issue. The short version is that people -+ * using certain Fam10h systems noticed system hang issues when -+ * trying to update microcode levels beyond the patch IDs below. -+ * From internal discussions, we gathered that OS/hypervisor -+ * cannot reliably perform microcode updates beyond these levels -+ * due to hardware issues. Therefore, we need to abort microcode -+ * update process if we hit any of these levels. -+ */ -+static const unsigned int final_levels[] = { -+ 0x01000098, -+ 0x0100009f, -+ 0x010000af -+}; -+ -+static bool_t check_final_patch_levels(unsigned int cpu) -+{ -+ /* -+ * Check the current patch levels on the cpu. If they are equal to -+ * any of the 'final_levels', then we should not update the microcode -+ * patch on the cpu as system will hang otherwise. -+ */ -+ struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu); -+ unsigned int i; -+ -+ if ( boot_cpu_data.x86 != 0x10 ) -+ return 0; -+ -+ for ( i = 0; i < ARRAY_SIZE(final_levels); i++ ) -+ if ( uci->cpu_sig.rev == final_levels[i] ) -+ return 1; -+ -+ return 0; -+} -+ - static int cpu_request_microcode(int cpu, const void *buf, size_t bufsize) - { - struct microcode_amd *mc_amd, *mc_old; -@@ -369,6 +406,14 @@ static int cpu_request_microcode(int cpu - goto out; - } - -+ if ( check_final_patch_levels(cpu) ) -+ { -+ printk(XENLOG_INFO -+ "microcode: Cannot update microcode patch on the cpu as we hit a final level\n"); -+ error = -EPERM; -+ goto out; -+ } -+ - mc_amd = xmalloc(struct microcode_amd); - if ( !mc_amd ) - { diff --git a/55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch b/55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch deleted file mode 100644 index 2e3e23a..0000000 --- a/55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch +++ /dev/null @@ -1,21 +0,0 @@ -# Commit 5f335544cf5b716b0af51223e33373c4a7d65e8c -# Date 2015-08-27 17:40:38 +0200 -# Author Jan Beulich -# Committer Jan Beulich -IOMMU: skip domains without page tables when dumping - -Reported-by: Roger Pau Monné -Signed-off-by: Jan Beulich -Tested-by: Roger Pau Monné - ---- a/xen/drivers/passthrough/iommu.c -+++ b/xen/drivers/passthrough/iommu.c -@@ -368,7 +368,7 @@ static void iommu_dump_p2m_table(unsigne - ops = iommu_get_ops(); - for_each_domain(d) - { -- if ( is_hardware_domain(d) ) -+ if ( is_hardware_domain(d) || need_iommu(d) <= 0 ) - continue; - - if ( iommu_use_hap_pt(d) ) diff --git a/55e43fd8-x86-NUMA-fix-setup_node.patch b/55e43fd8-x86-NUMA-fix-setup_node.patch deleted file mode 100644 index 094eb22..0000000 --- a/55e43fd8-x86-NUMA-fix-setup_node.patch +++ /dev/null @@ -1,95 +0,0 @@ -# Commit 8f945d36d9bddd5b589ba23c7322b30d623dd084 -# Date 2015-08-31 13:51:52 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/NUMA: fix setup_node() - -The function referenced an __initdata object (nodes_found). Since this -being a node mask was more complicated than needed, the variable gets -replaced by a simple counter. Check at once that the count of nodes -doesn't go beyond MAX_NUMNODES. - -Also consolidate three printk()s related to the function's use into just -one. - -Finally (quite the opposite of the above issue) __init-annotate -nodes_cover_memory(). - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - ---- a/xen/arch/x86/srat.c -+++ b/xen/arch/x86/srat.c -@@ -25,7 +25,6 @@ static struct acpi_table_slit *__read_mo - - static nodemask_t memory_nodes_parsed __initdata; - static nodemask_t processor_nodes_parsed __initdata; --static nodemask_t nodes_found __initdata; - static struct node nodes[MAX_NUMNODES] __initdata; - static u8 __read_mostly pxm2node[256] = { [0 ... 255] = NUMA_NO_NODE }; - -@@ -45,17 +44,25 @@ int pxm_to_node(int pxm) - return (signed char)pxm2node[pxm]; - } - --__devinit int setup_node(int pxm) -+int setup_node(int pxm) - { - unsigned node = pxm2node[pxm]; -- if (node == 0xff) { -- if (nodes_weight(nodes_found) >= MAX_NUMNODES) -+ -+ if (node == NUMA_NO_NODE) { -+ static bool_t warned; -+ static unsigned nodes_found; -+ -+ node = nodes_found++; -+ if (node >= MAX_NUMNODES) { -+ printk(KERN_WARNING -+ "SRAT: Too many proximity domains (%#x)\n", -+ pxm); -+ warned = 1; - return -1; -- node = first_unset_node(nodes_found); -- node_set(node, nodes_found); -+ } - pxm2node[pxm] = node; - } -- return pxm2node[pxm]; -+ return node; - } - - int valid_numa_range(u64 start, u64 end, int node) -@@ -176,7 +183,6 @@ acpi_numa_x2apic_affinity_init(struct ac - pxm = pa->proximity_domain; - node = setup_node(pxm); - if (node < 0) { -- printk(KERN_ERR "SRAT: Too many proximity domains %x\n", pxm); - bad_srat(); - return; - } -@@ -209,7 +215,6 @@ acpi_numa_processor_affinity_init(struct - } - node = setup_node(pxm); - if (node < 0) { -- printk(KERN_ERR "SRAT: Too many proximity domains %x\n", pxm); - bad_srat(); - return; - } -@@ -253,7 +258,6 @@ acpi_numa_memory_affinity_init(struct ac - pxm &= 0xff; - node = setup_node(pxm); - if (node < 0) { -- printk(KERN_ERR "SRAT: Too many proximity domains.\n"); - bad_srat(); - return; - } -@@ -295,7 +299,7 @@ acpi_numa_memory_affinity_init(struct ac - - /* Sanity check to catch more bad SRATs (they are amazingly common). - Make sure the PXMs cover all memory. */ --static int nodes_cover_memory(void) -+static int __init nodes_cover_memory(void) - { - int i; - diff --git a/55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch b/55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch deleted file mode 100644 index 0e2f995..0000000 --- a/55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch +++ /dev/null @@ -1,132 +0,0 @@ -# Commit c011f470e6e79208f5baa071b4d072b78c88e2ba -# Date 2015-08-31 13:52:24 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/NUMA: don't account hotplug regions - -... except in cases where they really matter: node_memblk_range[] now -is the only place all regions get stored. nodes[] and NODE_DATA() track -present memory only. This improves the reporting when nodes have -disjoint "normal" and hotplug regions, with the hotplug region sitting -above the highest populated page. In such cases a node's spanned-pages -value (visible in both XEN_SYSCTL_numainfo and 'u' debug key output) -covered all the way up to top of populated memory, giving quite -different a picture from what an otherwise identically configured -system without and hotplug regions would report. Note, however, that -the actual hotplug case (as well as cases of nodes with multiple -disjoint present regions) is still not being handled such that the -reported values would represent how much memory a node really has (but -that can be considered intentional). - -Reported-by: Jim Fehlig - -This at once makes nodes_cover_memory() no longer consider E820_RAM -regions covered by SRAT hotplug regions. - -Also reject self-overlaps with mismatching hotplug flags. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -Tested-by: Jim Fehlig - ---- a/xen/arch/x86/srat.c -+++ b/xen/arch/x86/srat.c -@@ -32,7 +32,7 @@ static u8 __read_mostly pxm2node[256] = - static int num_node_memblks; - static struct node node_memblk_range[NR_NODE_MEMBLKS]; - static int memblk_nodeid[NR_NODE_MEMBLKS]; -- -+static __initdata DECLARE_BITMAP(memblk_hotplug, NR_NODE_MEMBLKS); - - static int node_to_pxm(int n); - -@@ -89,9 +89,9 @@ static __init int conflicting_memblks(u6 - if (nd->start == nd->end) - continue; - if (nd->end > start && nd->start < end) -- return memblk_nodeid[i]; -+ return i; - if (nd->end == end && nd->start == start) -- return memblk_nodeid[i]; -+ return i; - } - return -1; - } -@@ -229,7 +229,6 @@ acpi_numa_processor_affinity_init(struct - void __init - acpi_numa_memory_affinity_init(struct acpi_srat_mem_affinity *ma) - { -- struct node *nd; - u64 start, end; - int node, pxm; - int i; -@@ -263,30 +262,40 @@ acpi_numa_memory_affinity_init(struct ac - } - /* It is fine to add this area to the nodes data it will be used later*/ - i = conflicting_memblks(start, end); -- if (i == node) { -- printk(KERN_WARNING -- "SRAT: Warning: PXM %d (%"PRIx64"-%"PRIx64") overlaps with itself (%" -- PRIx64"-%"PRIx64")\n", pxm, start, end, nodes[i].start, nodes[i].end); -- } else if (i >= 0) { -+ if (i < 0) -+ /* everything fine */; -+ else if (memblk_nodeid[i] == node) { -+ bool_t mismatch = !(ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE) != -+ !test_bit(i, memblk_hotplug); -+ -+ printk("%sSRAT: PXM %u (%"PRIx64"-%"PRIx64") overlaps with itself (%"PRIx64"-%"PRIx64")\n", -+ mismatch ? KERN_ERR : KERN_WARNING, pxm, start, end, -+ node_memblk_range[i].start, node_memblk_range[i].end); -+ if (mismatch) { -+ bad_srat(); -+ return; -+ } -+ } else { - printk(KERN_ERR -- "SRAT: PXM %d (%"PRIx64"-%"PRIx64") overlaps with PXM %d (%" -- PRIx64"-%"PRIx64")\n", pxm, start, end, node_to_pxm(i), -- nodes[i].start, nodes[i].end); -+ "SRAT: PXM %u (%"PRIx64"-%"PRIx64") overlaps with PXM %u (%"PRIx64"-%"PRIx64")\n", -+ pxm, start, end, node_to_pxm(memblk_nodeid[i]), -+ node_memblk_range[i].start, node_memblk_range[i].end); - bad_srat(); - return; - } -- nd = &nodes[node]; -- if (!node_test_and_set(node, memory_nodes_parsed)) { -- nd->start = start; -- nd->end = end; -- } else { -- if (start < nd->start) -+ if (!(ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE)) { -+ struct node *nd = &nodes[node]; -+ -+ if (!node_test_and_set(node, memory_nodes_parsed)) { - nd->start = start; -- if (nd->end < end) - nd->end = end; -+ } else { -+ if (start < nd->start) -+ nd->start = start; -+ if (nd->end < end) -+ nd->end = end; -+ } - } -- if ((ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE) && end > mem_hotplug) -- mem_hotplug = end; - printk(KERN_INFO "SRAT: Node %u PXM %u %"PRIx64"-%"PRIx64"%s\n", - node, pxm, start, end, - ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE ? " (hotplug)" : ""); -@@ -294,6 +303,11 @@ acpi_numa_memory_affinity_init(struct ac - node_memblk_range[num_node_memblks].start = start; - node_memblk_range[num_node_memblks].end = end; - memblk_nodeid[num_node_memblks] = node; -+ if (ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE) { -+ __set_bit(num_node_memblks, memblk_hotplug); -+ if (end > mem_hotplug) -+ mem_hotplug = end; -+ } - num_node_memblks++; - } - diff --git a/55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch b/55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch deleted file mode 100644 index 06c9ed9..0000000 --- a/55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch +++ /dev/null @@ -1,176 +0,0 @@ -# Commit 88e3ed61642bb393458acc7a9bd2f96edc337190 -# Date 2015-09-01 14:02:57 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/NUMA: make init_node_heap() respect Xen heap limit - -On NUMA systems, where we try to use node local memory for the basic -control structures of the buddy allocator, this special case needs to -take into consideration a possible address width limit placed on the -Xen heap. In turn this (but also other, more abstract considerations) -requires that xenheap_max_mfn() not be called more than once (at most -we might permit it to be called a second time with a larger value than -was passed the first time), and be called only before calling -end_boot_allocator(). - -While inspecting all the involved code, a couple of off-by-one issues -were found (and are being corrected here at once): -- arch_init_memory() cleared one too many page table slots -- the highmem_start based invocation of xenheap_max_mfn() passed too - big a value -- xenheap_max_mfn() calculated the wrong bit count in edge cases - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -Acked-by: Ian Campbell - -# Commit 0a7167d9b20cdc48e6ea320fbbb920b3267c9757 -# Date 2015-09-04 14:58:07 +0100 -# Author Julien Grall -# Committer Ian Campbell -xen/arm64: do not (incorrectly) limit size of xenheap - -The commit 88e3ed61642bb393458acc7a9bd2f96edc337190 "x86/NUMA: make -init_node_heap() respect Xen heap limit" breaks boot on the arm64 board -X-Gene. - -The xenheap bits variable is used to know the last RAM MFN always mapped -in Xen virtual memory. If the value is 0, it means that all the memory is -always mapped in Xen virtual memory. - -On X-gene the RAM bank resides above 128GB and last xenheap MFN is -0x4400000. With the new way to calculate the number of bits, xenheap_bits -will be equal to 38 bits. This will result to hide all the RAM and the -impossibility to allocate xenheap memory. - -Given that aarch64 have always all the memory mapped in Xen virtual -memory, it's not necessary to call xenheap_max_mfn which set the number -of bits. - -Suggested-by: Jan Beulich -Signed-off-by: Julien Grall -Acked-by: Ian Campbell - ---- a/xen/arch/arm/setup.c -+++ b/xen/arch/arm/setup.c -@@ -664,7 +664,6 @@ static void __init setup_mm(unsigned lon - xenheap_virt_end = XENHEAP_VIRT_START + ram_end - ram_start; - xenheap_mfn_start = ram_start >> PAGE_SHIFT; - xenheap_mfn_end = ram_end >> PAGE_SHIFT; -- xenheap_max_mfn(xenheap_mfn_end); - - /* - * Need enough mapped pages for copying the DTB. ---- a/xen/arch/x86/mm.c -+++ b/xen/arch/x86/mm.c -@@ -372,7 +372,7 @@ void __init arch_init_memory(void) - - for ( i = 0; i < l3_table_offset(split_va); ++i ) - l3tab[i] = l3idle[i]; -- for ( ; i <= L3_PAGETABLE_ENTRIES; ++i ) -+ for ( ; i < L3_PAGETABLE_ENTRIES; ++i ) - l3tab[i] = l3e_empty(); - split_l4e = l4e_from_pfn(virt_to_mfn(l3tab), - __PAGE_HYPERVISOR); ---- a/xen/arch/x86/setup.c -+++ b/xen/arch/x86/setup.c -@@ -970,7 +970,7 @@ void __init noreturn __start_xen(unsigne - - setup_max_pdx(raw_max_page); - if ( highmem_start ) -- xenheap_max_mfn(PFN_DOWN(highmem_start)); -+ xenheap_max_mfn(PFN_DOWN(highmem_start - 1)); - - /* - * Walk every RAM region and map it in its entirety (on x86/64, at least) -@@ -1151,9 +1151,6 @@ void __init noreturn __start_xen(unsigne - - numa_initmem_init(0, raw_max_page); - -- end_boot_allocator(); -- system_state = SYS_STATE_boot; -- - if ( max_page - 1 > virt_to_mfn(HYPERVISOR_VIRT_END - 1) ) - { - unsigned long limit = virt_to_mfn(HYPERVISOR_VIRT_END - 1); -@@ -1162,6 +1159,8 @@ void __init noreturn __start_xen(unsigne - if ( !highmem_start ) - xenheap_max_mfn(limit); - -+ end_boot_allocator(); -+ - /* Pass the remaining memory to the allocator. */ - for ( i = 0; i < boot_e820.nr_map; i++ ) - { -@@ -1185,6 +1184,10 @@ void __init noreturn __start_xen(unsigne - opt_tmem = 0; - } - } -+ else -+ end_boot_allocator(); -+ -+ system_state = SYS_STATE_boot; - - vm_init(); - console_init_ring(); ---- a/xen/common/page_alloc.c -+++ b/xen/common/page_alloc.c -@@ -405,13 +405,19 @@ void get_outstanding_claims(uint64_t *fr - spin_unlock(&heap_lock); - } - -+static bool_t __read_mostly first_node_initialised; -+#ifndef CONFIG_SEPARATE_XENHEAP -+static unsigned int __read_mostly xenheap_bits; -+#else -+#define xenheap_bits 0 -+#endif -+ - static unsigned long init_node_heap(int node, unsigned long mfn, - unsigned long nr, bool_t *use_tail) - { - /* First node to be discovered has its heap metadata statically alloced. */ - static heap_by_zone_and_order_t _heap_static; - static unsigned long avail_static[NR_ZONES]; -- static int first_node_initialised; - unsigned long needed = (sizeof(**_heap) + - sizeof(**avail) * NR_ZONES + - PAGE_SIZE - 1) >> PAGE_SHIFT; -@@ -429,14 +435,18 @@ static unsigned long init_node_heap(int - } - #ifdef DIRECTMAP_VIRT_END - else if ( *use_tail && nr >= needed && -- (mfn + nr) <= (virt_to_mfn(eva - 1) + 1) ) -+ (mfn + nr) <= (virt_to_mfn(eva - 1) + 1) && -+ (!xenheap_bits || -+ !((mfn + nr - 1) >> (xenheap_bits - PAGE_SHIFT))) ) - { - _heap[node] = mfn_to_virt(mfn + nr - needed); - avail[node] = mfn_to_virt(mfn + nr - 1) + - PAGE_SIZE - sizeof(**avail) * NR_ZONES; - } - else if ( nr >= needed && -- (mfn + needed) <= (virt_to_mfn(eva - 1) + 1) ) -+ (mfn + needed) <= (virt_to_mfn(eva - 1) + 1) && -+ (!xenheap_bits || -+ !((mfn + needed - 1) >> (xenheap_bits - PAGE_SHIFT))) ) - { - _heap[node] = mfn_to_virt(mfn); - avail[node] = mfn_to_virt(mfn + needed - 1) + -@@ -1541,11 +1551,13 @@ void free_xenheap_pages(void *v, unsigne - - #else - --static unsigned int __read_mostly xenheap_bits; -- - void __init xenheap_max_mfn(unsigned long mfn) - { -- xenheap_bits = fls(mfn) + PAGE_SHIFT; -+ ASSERT(!first_node_initialised); -+ ASSERT(!xenheap_bits); -+ BUILD_BUG_ON(PADDR_BITS >= BITS_PER_LONG); -+ xenheap_bits = min(fls(mfn + 1) - 1 + PAGE_SHIFT, PADDR_BITS); -+ printk(XENLOG_INFO "Xen heap: %u bits\n", xenheap_bits); - } - - void init_xenheap_pages(paddr_t ps, paddr_t pe) diff --git a/55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch b/55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch deleted file mode 100644 index 54eb7bf..0000000 --- a/55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch +++ /dev/null @@ -1,68 +0,0 @@ -# Commit 244582a01dcb49fa30083725964a066937cc94f2 -# Date 2015-09-11 16:24:56 +0200 -# Author Kouya Shimura -# Committer Jan Beulich -x86/hvm: fix saved pmtimer and hpet values - -The ACPI PM timer is sometimes broken on live migration. -Since vcpu->arch.hvm_vcpu.guest_time is always zero in other than -"delay for missed ticks mode". Even in "delay for missed ticks mode", -vcpu's guest_time field is not valid (i.e. zero) when -the state of vcpu is "blocked". (see pt_save_timer function) - -The original author (Tim Deegan) of pmtimer_save() must have intended -that it saves the last scheduled time of the vcpu. Unfortunately it was -already implied this bug. FYI, there is no other timer mode than -"delay for missed ticks mode" then. - -For consistency with HPET, pmtimer_save() should refer hvm_get_guest_time() -to update the counter as well as hpet_save() does. - -Without this patch, the clock of windows server 2012R2 without HPET -might leap forward several minutes on live migration. - -Signed-off-by: Kouya Shimura - -Retain use of ->arch.hvm_vcpu.guest_time when non-zero. Do the inverse -adjustment for vHPET. - -Signed-off-by: Jan Beulich -Reviewed-by: Tim Deegan -Reviewed-by: Kouya Shimura - ---- a/xen/arch/x86/hvm/hpet.c -+++ b/xen/arch/x86/hvm/hpet.c -@@ -506,11 +506,13 @@ const struct hvm_mmio_handler hpet_mmio_ - static int hpet_save(struct domain *d, hvm_domain_context_t *h) - { - HPETState *hp = domain_vhpet(d); -+ struct vcpu *v = pt_global_vcpu_target(d); - int rc; - uint64_t guest_time; - - write_lock(&hp->lock); -- guest_time = guest_time_hpet(hp); -+ guest_time = (v->arch.hvm_vcpu.guest_time ?: hvm_get_guest_time(v)) / -+ STIME_PER_HPET_TICK; - - /* Write the proper value into the main counter */ - if ( hpet_enabled(hp) ) ---- a/xen/arch/x86/hvm/pmtimer.c -+++ b/xen/arch/x86/hvm/pmtimer.c -@@ -250,10 +250,12 @@ static int pmtimer_save(struct domain *d - - spin_lock(&s->lock); - -- /* Update the counter to the guest's current time. We always save -- * with the domain paused, so the saved time should be after the -- * last_gtime, but just in case, make sure we only go forwards */ -- x = ((s->vcpu->arch.hvm_vcpu.guest_time - s->last_gtime) * s->scale) >> 32; -+ /* -+ * Update the counter to the guest's current time. Make sure it only -+ * goes forwards. -+ */ -+ x = (((s->vcpu->arch.hvm_vcpu.guest_time ?: hvm_get_guest_time(s->vcpu)) - -+ s->last_gtime) * s->scale) >> 32; - if ( x < 1UL<<31 ) - s->pm.tmr_val += x; - if ( (s->pm.tmr_val & TMR_VAL_MSB) != msb ) diff --git a/55f9345b-x86-MSI-fail-if-no-hardware-support.patch b/55f9345b-x86-MSI-fail-if-no-hardware-support.patch deleted file mode 100644 index 8fb59a6..0000000 --- a/55f9345b-x86-MSI-fail-if-no-hardware-support.patch +++ /dev/null @@ -1,23 +0,0 @@ -# Commit c7d5d5d8ea1ecbd6ef8b47dace4dec825f0f6e48 -# Date 2015-09-16 11:20:27 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/MSI: fail if no hardware support - -This is to guard against buggy callers (luckily Dom0 only) invoking -the respective hypercall for a device not being MSI-capable. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - ---- a/xen/arch/x86/msi.c -+++ b/xen/arch/x86/msi.c -@@ -696,6 +696,8 @@ static int msi_capability_init(struct pc - - ASSERT(spin_is_locked(&pcidevs_lock)); - pos = pci_find_cap_offset(seg, bus, slot, func, PCI_CAP_ID_MSI); -+ if ( !pos ) -+ return -ENODEV; - control = pci_conf_read16(seg, bus, slot, func, msi_control_reg(pos)); - maxvec = multi_msi_capable(control); - if ( nvec > maxvec ) diff --git a/5604f239-x86-PV-properly-populate-descriptor-tables.patch b/5604f239-x86-PV-properly-populate-descriptor-tables.patch index c2275ba..7fa594b 100644 --- a/5604f239-x86-PV-properly-populate-descriptor-tables.patch +++ b/5604f239-x86-PV-properly-populate-descriptor-tables.patch @@ -34,9 +34,11 @@ Signed-off-by: Jan Beulich Tested-by: David Vrabel Reviewed-by: Andrew Cooper ---- a/xen/arch/x86/mm.c -+++ b/xen/arch/x86/mm.c -@@ -505,12 +505,12 @@ void update_cr3(struct vcpu *v) +Index: xen-4.5.2-testing/xen/arch/x86/mm.c +=================================================================== +--- xen-4.5.2-testing.orig/xen/arch/x86/mm.c ++++ xen-4.5.2-testing/xen/arch/x86/mm.c +@@ -508,12 +508,12 @@ void update_cr3(struct vcpu *v) make_cr3(v, cr3_mfn); } @@ -51,7 +53,7 @@ Reviewed-by: Andrew Cooper struct page_info *page; BUG_ON(unlikely(in_irq())); -@@ -525,10 +525,10 @@ static void invalidate_shadow_ldt(struct +@@ -528,10 +528,10 @@ static void invalidate_shadow_ldt(struct for ( i = 16; i < 32; i++ ) { @@ -65,7 +67,7 @@ Reviewed-by: Andrew Cooper ASSERT_PAGE_IS_TYPE(page, PGT_seg_desc_page); ASSERT_PAGE_IS_DOMAIN(page, v->domain); put_page_and_type(page); -@@ -4360,16 +4360,18 @@ long do_update_va_mapping_otherdomain(un +@@ -4366,16 +4366,18 @@ long do_update_va_mapping_otherdomain(un void destroy_gdt(struct vcpu *v) { l1_pgentry_t *pl1e; @@ -88,7 +90,7 @@ Reviewed-by: Andrew Cooper v->arch.pv_vcpu.gdt_frames[i] = 0; } } -@@ -4382,7 +4384,7 @@ long set_gdt(struct vcpu *v, +@@ -4388,7 +4390,7 @@ long set_gdt(struct vcpu *v, struct domain *d = v->domain; l1_pgentry_t *pl1e; /* NB. There are 512 8-byte entries per GDT page. */ diff --git a/5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch b/5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch deleted file mode 100644 index 8badd8b..0000000 --- a/5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch +++ /dev/null @@ -1,77 +0,0 @@ -# Commit 86f3ff9fc4cc3cb69b96c1de74bcc51f738fe2b9 -# Date 2015-09-25 09:08:22 +0200 -# Author Quan Xu -# Committer Jan Beulich -vt-d: fix IM bit mask and unmask of Fault Event Control Register - -Bit 0:29 in Fault Event Control Register are 'Reserved and Preserved', -software cannot write 0 to it unconditionally. Software must preserve -the value read for writes. - -Signed-off-by: Quan Xu -Acked-by: Yang Zhang - -# Commit 26b300bd727ef00a8f60329212a83c3b027a48f7 -# Date 2015-09-25 18:03:04 +0200 -# Author Quan Xu -# Committer Jan Beulich -vt-d: fix IM bit unmask of Fault Event Control Register in init_vtd_hw() - -Bit 0:29 in Fault Event Control Register are 'Reserved and Preserved', -software cannot write 0 to it unconditionally. Software must preserve -the value read for writes. - -Suggested-by: Jan Beulich -Signed-off-by: Quan Xu - ---- a/xen/drivers/passthrough/vtd/iommu.c -+++ b/xen/drivers/passthrough/vtd/iommu.c -@@ -991,10 +991,13 @@ static void dma_msi_unmask(struct irq_de - { - struct iommu *iommu = desc->action->dev_id; - unsigned long flags; -+ u32 sts; - - /* unmask it */ - spin_lock_irqsave(&iommu->register_lock, flags); -- dmar_writel(iommu->reg, DMAR_FECTL_REG, 0); -+ sts = dmar_readl(iommu->reg, DMAR_FECTL_REG); -+ sts &= ~DMA_FECTL_IM; -+ dmar_writel(iommu->reg, DMAR_FECTL_REG, sts); - spin_unlock_irqrestore(&iommu->register_lock, flags); - iommu->msi.msi_attrib.host_masked = 0; - } -@@ -1003,10 +1006,13 @@ static void dma_msi_mask(struct irq_desc - { - unsigned long flags; - struct iommu *iommu = desc->action->dev_id; -+ u32 sts; - - /* mask it */ - spin_lock_irqsave(&iommu->register_lock, flags); -- dmar_writel(iommu->reg, DMAR_FECTL_REG, DMA_FECTL_IM); -+ sts = dmar_readl(iommu->reg, DMAR_FECTL_REG); -+ sts |= DMA_FECTL_IM; -+ dmar_writel(iommu->reg, DMAR_FECTL_REG, sts); - spin_unlock_irqrestore(&iommu->register_lock, flags); - iommu->msi.msi_attrib.host_masked = 1; - } -@@ -2002,6 +2008,7 @@ static int init_vtd_hw(void) - struct iommu_flush *flush = NULL; - int ret; - unsigned long flags; -+ u32 sts; - - /* - * Basic VT-d HW init: set VT-d interrupt, clear VT-d faults. -@@ -2015,7 +2022,9 @@ static int init_vtd_hw(void) - clear_fault_bits(iommu); - - spin_lock_irqsave(&iommu->register_lock, flags); -- dmar_writel(iommu->reg, DMAR_FECTL_REG, 0); -+ sts = dmar_readl(iommu->reg, DMAR_FECTL_REG); -+ sts &= ~DMA_FECTL_IM; -+ dmar_writel(iommu->reg, DMAR_FECTL_REG, sts); - spin_unlock_irqrestore(&iommu->register_lock, flags); - } - diff --git a/560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch b/560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch deleted file mode 100644 index 63c71a8..0000000 --- a/560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch +++ /dev/null @@ -1,48 +0,0 @@ -# Commit 6c0e4ad60850032c9bbd5d18b8446421c97e08e4 -# Date 2015-09-29 10:25:29 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/EPT: tighten conditions of IOMMU mapping updates - -Permission changes should also result in updates or TLB flushes. - -Signed-off-by: Jan Beulich -Acked-by: Kevin Tian -Reviewed-by: George Dunlap - ---- a/xen/arch/x86/mm/p2m-ept.c -+++ b/xen/arch/x86/mm/p2m-ept.c -@@ -619,6 +619,7 @@ ept_set_entry(struct p2m_domain *p2m, un - uint8_t ipat = 0; - int need_modify_vtd_table = 1; - int vtd_pte_present = 0; -+ unsigned int iommu_flags = p2m_get_iommu_flags(p2mt); - enum { sync_off, sync_on, sync_check } needs_sync = sync_check; - ept_entry_t old_entry = { .epte = 0 }; - ept_entry_t new_entry = { .epte = 0 }; -@@ -749,8 +750,9 @@ ept_set_entry(struct p2m_domain *p2m, un - new_entry.mfn = mfn_x(mfn); - - /* Safe to read-then-write because we hold the p2m lock */ -- if ( ept_entry->mfn == new_entry.mfn ) -- need_modify_vtd_table = 0; -+ if ( ept_entry->mfn == new_entry.mfn && -+ p2m_get_iommu_flags(ept_entry->sa_p2mt) == iommu_flags ) -+ need_modify_vtd_table = 0; - - ept_p2m_type_to_flags(&new_entry, p2mt, p2ma); - } -@@ -775,11 +777,9 @@ out: - iommu_pte_flush(d, gfn, &ept_entry->epte, order, vtd_pte_present); - else - { -- unsigned int flags = p2m_get_iommu_flags(p2mt); -- -- if ( flags != 0 ) -+ if ( iommu_flags ) - for ( i = 0; i < (1 << order); i++ ) -- iommu_map_page(d, gfn + i, mfn_x(mfn) + i, flags); -+ iommu_map_page(d, gfn + i, mfn_x(mfn) + i, iommu_flags); - else - for ( i = 0; i < (1 << order); i++ ) - iommu_unmap_page(d, gfn + i); diff --git a/560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch b/560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch deleted file mode 100644 index 8b32a40..0000000 --- a/560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch +++ /dev/null @@ -1,97 +0,0 @@ -# Commit 960265fbd878cdc9841473b755e4ccc9eb1942d2 -# Date 2015-09-29 13:55:34 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/p2m-pt: delay freeing of intermediate page tables - -Old intermediate page tables must be freed only after IOMMU side -updates/flushes have got carried out. - -Signed-off-by: Jan Beulich -Reviewed-by: George Dunlap - ---- a/xen/arch/x86/mm/p2m-pt.c -+++ b/xen/arch/x86/mm/p2m-pt.c -@@ -486,8 +486,9 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - /* XXX -- this might be able to be faster iff current->domain == d */ - void *table; - unsigned long i, gfn_remainder = gfn; -- l1_pgentry_t *p2m_entry; -- l1_pgentry_t entry_content; -+ l1_pgentry_t *p2m_entry, entry_content; -+ /* Intermediate table to free if we're replacing it with a superpage. */ -+ l1_pgentry_t intermediate_entry = l1e_empty(); - l2_pgentry_t l2e_content; - l3_pgentry_t l3e_content; - int rc; -@@ -535,7 +536,6 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - */ - if ( page_order == PAGE_ORDER_1G ) - { -- l1_pgentry_t old_entry = l1e_empty(); - p2m_entry = p2m_find_entry(table, &gfn_remainder, gfn, - L3_PAGETABLE_SHIFT - PAGE_SHIFT, - L3_PAGETABLE_ENTRIES); -@@ -545,7 +545,7 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - { - /* We're replacing a non-SP page with a superpage. Make sure to - * handle freeing the table properly. */ -- old_entry = *p2m_entry; -+ intermediate_entry = *p2m_entry; - } - - ASSERT(!mfn_valid(mfn) || p2mt != p2m_mmio_direct); -@@ -563,10 +563,6 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - - p2m->write_p2m_entry(p2m, gfn, p2m_entry, entry_content, 3); - /* NB: paging_write_p2m_entry() handles tlb flushes properly */ -- -- /* Free old intermediate tables if necessary */ -- if ( l1e_get_flags(old_entry) & _PAGE_PRESENT ) -- p2m_free_entry(p2m, &old_entry, page_order); - } - else - { -@@ -607,7 +603,6 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - } - else if ( page_order == PAGE_ORDER_2M ) - { -- l1_pgentry_t old_entry = l1e_empty(); - p2m_entry = p2m_find_entry(table, &gfn_remainder, gfn, - L2_PAGETABLE_SHIFT - PAGE_SHIFT, - L2_PAGETABLE_ENTRIES); -@@ -619,7 +614,7 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - { - /* We're replacing a non-SP page with a superpage. Make sure to - * handle freeing the table properly. */ -- old_entry = *p2m_entry; -+ intermediate_entry = *p2m_entry; - } - - ASSERT(!mfn_valid(mfn) || p2mt != p2m_mmio_direct); -@@ -640,10 +635,6 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - - p2m->write_p2m_entry(p2m, gfn, p2m_entry, entry_content, 2); - /* NB: paging_write_p2m_entry() handles tlb flushes properly */ -- -- /* Free old intermediate tables if necessary */ -- if ( l1e_get_flags(old_entry) & _PAGE_PRESENT ) -- p2m_free_entry(p2m, &old_entry, page_order); - } - - /* Track the highest gfn for which we have ever had a valid mapping */ -@@ -671,6 +662,14 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - } - } - -+ /* -+ * Free old intermediate tables if necessary. This has to be the -+ * last thing we do, after removal from the IOMMU tables, so as to -+ * avoid a potential use-after-free. -+ */ -+ if ( l1e_get_flags(intermediate_entry) & _PAGE_PRESENT ) -+ p2m_free_entry(p2m, &intermediate_entry, page_order); -+ - out: - unmap_domain_page(table); - return rc; diff --git a/560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch b/560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch deleted file mode 100644 index 398054a..0000000 --- a/560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch +++ /dev/null @@ -1,22 +0,0 @@ -# Commit c0a85795d864dd64c116af661bf676d66ddfd5fc -# Date 2015-09-29 13:56:03 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/p2m-pt: ignore pt-share flag for shadow mode guests - -There is no page table sharing in shadow mode. - -Signed-off-by: Jan Beulich -Reviewed-by: George Dunlap - ---- a/xen/arch/x86/mm/p2m-pt.c -+++ b/xen/arch/x86/mm/p2m-pt.c -@@ -644,7 +644,7 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - - if ( iommu_enabled && need_iommu(p2m->domain) ) - { -- if ( iommu_hap_pt_share ) -+ if ( iommu_use_hap_pt(p2m->domain) ) - { - if ( old_mfn && (old_mfn != mfn_x(mfn)) ) - amd_iommu_flush_pages(p2m->domain, gfn, page_order); diff --git a/560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch b/560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch deleted file mode 100644 index 66fa10d..0000000 --- a/560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch +++ /dev/null @@ -1,104 +0,0 @@ -# Commit ea5637968a09a81a64fa5fd73ce49b4ea9789e12 -# Date 2015-09-30 14:44:22 +0200 -# Author Dario Faggioli -# Committer Jan Beulich -credit1: fix tickling when it happens from a remote pCPU - -especially if that is also from a different cpupool than the -processor of the vCPU that triggered the tickling. - -In fact, it is possible that we get as far as calling vcpu_unblock()--> -vcpu_wake()-->csched_vcpu_wake()-->__runq_tickle() for the vCPU 'vc', -but all while running on a pCPU that is different from 'vc->processor'. - -For instance, this can happen when an HVM domain runs in a cpupool, -with a different scheduler than the default one, and issues IOREQs -to Dom0, running in Pool-0 with the default scheduler. -In fact, right in this case, the following crash can be observed: - -(XEN) ----[ Xen-4.7-unstable x86_64 debug=y Tainted: C ]---- -(XEN) CPU: 7 -(XEN) RIP: e008:[] __runq_tickle+0x18f/0x430 -(XEN) RFLAGS: 0000000000010086 CONTEXT: hypervisor (d1v0) -(XEN) rax: 0000000000000001 rbx: ffff8303184fee00 rcx: 0000000000000000 -(XEN) ... ... ... -(XEN) Xen stack trace from rsp=ffff83031fa57a08: -(XEN) ffff82d0801fe664 ffff82d08033c820 0000000100000002 0000000a00000001 -(XEN) 0000000000006831 0000000000000000 0000000000000000 0000000000000000 -(XEN) ... ... ... -(XEN) Xen call trace: -(XEN) [] __runq_tickle+0x18f/0x430 -(XEN) [] csched_vcpu_wake+0x10b/0x110 -(XEN) [] vcpu_wake+0x20a/0x3ce -(XEN) [] vcpu_unblock+0x4b/0x4e -(XEN) [] vcpu_kick+0x17/0x61 -(XEN) [] vcpu_mark_events_pending+0x2c/0x2f -(XEN) [] evtchn_fifo_set_pending+0x381/0x3f6 -(XEN) [] notify_via_xen_event_channel+0xc9/0xd6 -(XEN) [] hvm_send_ioreq+0x3e9/0x441 -(XEN) [] hvmemul_do_io+0x23f/0x2d2 -(XEN) [] hvmemul_do_io_buffer+0x33/0x64 -(XEN) [] hvmemul_do_pio_buffer+0x35/0x37 -(XEN) [] handle_pio+0x58/0x14c -(XEN) [] vmx_vmexit_handler+0x16b3/0x1bea -(XEN) [] vmx_asm_vmexit_handler+0x41/0xc0 - -In this case, pCPU 7 is not in Pool-0, while the (Dom0's) vCPU being -woken is. pCPU's 7 pool has a different scheduler than credit, but it -is, however, right from pCPU 7 that we are waking the Dom0's vCPUs. -Therefore, the current code tries to access csched_balance_mask for -pCPU 7, but that is not defined, and hence the Oops. - -(Note that, in case the two pools run the same scheduler we see no -Oops, but things are still conceptually wrong.) - -Cure things by making the csched_balance_mask macro accept a -parameter for fetching a specific pCPU's mask (instead than always -using smp_processor_id()). - -Signed-off-by: Dario Faggioli -Reviewed-by: Juergen Gross -Reviewed-by: George Dunlap - ---- a/xen/common/sched_credit.c -+++ b/xen/common/sched_credit.c -@@ -154,10 +154,10 @@ struct csched_pcpu { - * Convenience macro for accessing the per-PCPU cpumask we need for - * implementing the two steps (soft and hard affinity) balancing logic. - * It is stored in csched_pcpu so that serialization is not an issue, -- * as there is a csched_pcpu for each PCPU and we always hold the -- * runqueue spin-lock when using this. -+ * as there is a csched_pcpu for each PCPU, and we always hold the -+ * runqueue lock for the proper PCPU when using this. - */ --#define csched_balance_mask (CSCHED_PCPU(smp_processor_id())->balance_mask) -+#define csched_balance_mask(c) (CSCHED_PCPU(c)->balance_mask) - - /* - * Virtual CPU -@@ -396,9 +396,10 @@ __runq_tickle(unsigned int cpu, struct c - - /* Are there idlers suitable for new (for this balance step)? */ - csched_balance_cpumask(new->vcpu, balance_step, -- csched_balance_mask); -- cpumask_and(csched_balance_mask, csched_balance_mask, &idle_mask); -- new_idlers_empty = cpumask_empty(csched_balance_mask); -+ csched_balance_mask(cpu)); -+ cpumask_and(csched_balance_mask(cpu), -+ csched_balance_mask(cpu), &idle_mask); -+ new_idlers_empty = cpumask_empty(csched_balance_mask(cpu)); - - /* - * Let's not be too harsh! If there aren't idlers suitable -@@ -1475,8 +1476,9 @@ csched_runq_steal(int peer_cpu, int cpu, - && !__vcpu_has_soft_affinity(vc, vc->cpu_hard_affinity) ) - continue; - -- csched_balance_cpumask(vc, balance_step, csched_balance_mask); -- if ( __csched_vcpu_is_migrateable(vc, cpu, csched_balance_mask) ) -+ csched_balance_cpumask(vc, balance_step, csched_balance_mask(cpu)); -+ if ( __csched_vcpu_is_migrateable(vc, cpu, -+ csched_balance_mask(cpu)) ) - { - /* We got a candidate. Grab it! */ - TRACE_3D(TRC_CSCHED_STOLEN_VCPU, peer_cpu, diff --git a/560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch b/560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch deleted file mode 100644 index a859f63..0000000 --- a/560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch +++ /dev/null @@ -1,159 +0,0 @@ -# Commit 660fd65d5578a95ec5eac522128bba23325179eb -# Date 2015-10-02 13:40:36 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/p2m-pt: tighten conditions of IOMMU mapping updates - -Whether the MFN changes does not depend on the new entry being valid -(but solely on the old one), and the need to update or TLB-flush also -depends on permission changes. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -Reviewed-by: George Dunlap - ---- a/xen/arch/x86/mm/p2m-pt.c -+++ b/xen/arch/x86/mm/p2m-pt.c -@@ -493,7 +493,18 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - l3_pgentry_t l3e_content; - int rc; - unsigned int iommu_pte_flags = p2m_get_iommu_flags(p2mt); -- unsigned long old_mfn = 0; -+ /* -+ * old_mfn and iommu_old_flags control possible flush/update needs on the -+ * IOMMU: We need to flush when MFN or flags (i.e. permissions) change. -+ * iommu_old_flags being initialized to zero covers the case of the entry -+ * getting replaced being a non-present (leaf or intermediate) one. For -+ * present leaf entries the real value will get calculated below, while -+ * for present intermediate entries ~0 (guaranteed != iommu_pte_flags) -+ * will be used (to cover all cases of what the leaf entries underneath -+ * the intermediate one might be). -+ */ -+ unsigned int flags, iommu_old_flags = 0; -+ unsigned long old_mfn = INVALID_MFN; - - if ( tb_init_done ) - { -@@ -540,12 +551,20 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - L3_PAGETABLE_SHIFT - PAGE_SHIFT, - L3_PAGETABLE_ENTRIES); - ASSERT(p2m_entry); -- if ( (l1e_get_flags(*p2m_entry) & _PAGE_PRESENT) && -- !(l1e_get_flags(*p2m_entry) & _PAGE_PSE) ) -+ flags = l1e_get_flags(*p2m_entry); -+ if ( flags & _PAGE_PRESENT ) - { -- /* We're replacing a non-SP page with a superpage. Make sure to -- * handle freeing the table properly. */ -- intermediate_entry = *p2m_entry; -+ if ( flags & _PAGE_PSE ) -+ { -+ iommu_old_flags = -+ p2m_get_iommu_flags(p2m_flags_to_type(flags)); -+ old_mfn = l1e_get_pfn(*p2m_entry); -+ } -+ else -+ { -+ iommu_old_flags = ~0; -+ intermediate_entry = *p2m_entry; -+ } - } - - ASSERT(!mfn_valid(mfn) || p2mt != p2m_mmio_direct); -@@ -556,10 +575,7 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - entry_content.l1 = l3e_content.l3; - - if ( entry_content.l1 != 0 ) -- { - p2m_add_iommu_flags(&entry_content, 0, iommu_pte_flags); -- old_mfn = l1e_get_pfn(*p2m_entry); -- } - - p2m->write_p2m_entry(p2m, gfn, p2m_entry, entry_content, 3); - /* NB: paging_write_p2m_entry() handles tlb flushes properly */ -@@ -584,7 +600,10 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - p2m_entry = p2m_find_entry(table, &gfn_remainder, gfn, - 0, L1_PAGETABLE_ENTRIES); - ASSERT(p2m_entry); -- -+ iommu_old_flags = -+ p2m_get_iommu_flags(p2m_flags_to_type(l1e_get_flags(*p2m_entry))); -+ old_mfn = l1e_get_pfn(*p2m_entry); -+ - if ( mfn_valid(mfn) || (p2mt == p2m_mmio_direct) - || p2m_is_paging(p2mt) ) - entry_content = p2m_l1e_from_pfn(mfn_x(mfn), -@@ -593,10 +612,8 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - entry_content = l1e_empty(); - - if ( entry_content.l1 != 0 ) -- { - p2m_add_iommu_flags(&entry_content, 0, iommu_pte_flags); -- old_mfn = l1e_get_pfn(*p2m_entry); -- } -+ - /* level 1 entry */ - p2m->write_p2m_entry(p2m, gfn, p2m_entry, entry_content, 1); - /* NB: paging_write_p2m_entry() handles tlb flushes properly */ -@@ -607,14 +624,20 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - L2_PAGETABLE_SHIFT - PAGE_SHIFT, - L2_PAGETABLE_ENTRIES); - ASSERT(p2m_entry); -- -- /* FIXME: Deal with 4k replaced by 2meg pages */ -- if ( (l1e_get_flags(*p2m_entry) & _PAGE_PRESENT) && -- !(l1e_get_flags(*p2m_entry) & _PAGE_PSE) ) -- { -- /* We're replacing a non-SP page with a superpage. Make sure to -- * handle freeing the table properly. */ -- intermediate_entry = *p2m_entry; -+ flags = l1e_get_flags(*p2m_entry); -+ if ( flags & _PAGE_PRESENT ) -+ { -+ if ( flags & _PAGE_PSE ) -+ { -+ iommu_old_flags = -+ p2m_get_iommu_flags(p2m_flags_to_type(flags)); -+ old_mfn = l1e_get_pfn(*p2m_entry); -+ } -+ else -+ { -+ iommu_old_flags = ~0; -+ intermediate_entry = *p2m_entry; -+ } - } - - ASSERT(!mfn_valid(mfn) || p2mt != p2m_mmio_direct); -@@ -628,10 +651,7 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - entry_content.l1 = l2e_content.l2; - - if ( entry_content.l1 != 0 ) -- { - p2m_add_iommu_flags(&entry_content, 0, iommu_pte_flags); -- old_mfn = l1e_get_pfn(*p2m_entry); -- } - - p2m->write_p2m_entry(p2m, gfn, p2m_entry, entry_content, 2); - /* NB: paging_write_p2m_entry() handles tlb flushes properly */ -@@ -642,17 +662,17 @@ p2m_pt_set_entry(struct p2m_domain *p2m, - && (gfn + (1UL << page_order) - 1 > p2m->max_mapped_pfn) ) - p2m->max_mapped_pfn = gfn + (1UL << page_order) - 1; - -- if ( iommu_enabled && need_iommu(p2m->domain) ) -+ if ( iommu_enabled && need_iommu(p2m->domain) && -+ (iommu_old_flags != iommu_pte_flags || old_mfn != mfn_x(mfn)) ) - { - if ( iommu_use_hap_pt(p2m->domain) ) - { -- if ( old_mfn && (old_mfn != mfn_x(mfn)) ) -+ if ( iommu_old_flags ) - amd_iommu_flush_pages(p2m->domain, gfn, page_order); - } - else - { -- unsigned int flags = p2m_get_iommu_flags(p2mt); -- -+ flags = p2m_get_iommu_flags(p2mt); - if ( flags != 0 ) - for ( i = 0; i < (1UL << page_order); i++ ) - iommu_map_page(p2m->domain, gfn+i, mfn_x(mfn)+i, flags); diff --git a/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch b/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch deleted file mode 100644 index 8d71053..0000000 --- a/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch +++ /dev/null @@ -1,55 +0,0 @@ -# Commit 710942e57fb42ff8f344ca82f6b678f67e38ae63 -# Date 2015-10-12 15:58:35 +0200 -# Author Jan Beulich -# Committer Jan Beulich -VT-d: don't suppress invalidation address write when it is zero - -GFN zero is a valid address, and hence may need invalidation done for -it just like for any other GFN. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -Acked-by: Yang Zhang - ---- a/xen/drivers/passthrough/vtd/iommu.c -+++ b/xen/drivers/passthrough/vtd/iommu.c -@@ -414,7 +414,7 @@ static int flush_iotlb_reg(void *_iommu, - { - struct iommu *iommu = (struct iommu *) _iommu; - int tlb_offset = ecap_iotlb_offset(iommu->ecap); -- u64 val = 0, val_iva = 0; -+ u64 val = 0; - unsigned long flags; - - /* -@@ -435,7 +435,6 @@ static int flush_iotlb_reg(void *_iommu, - switch ( type ) - { - case DMA_TLB_GLOBAL_FLUSH: -- /* global flush doesn't need set IVA_REG */ - val = DMA_TLB_GLOBAL_FLUSH|DMA_TLB_IVT; - break; - case DMA_TLB_DSI_FLUSH: -@@ -443,8 +442,6 @@ static int flush_iotlb_reg(void *_iommu, - break; - case DMA_TLB_PSI_FLUSH: - val = DMA_TLB_PSI_FLUSH|DMA_TLB_IVT|DMA_TLB_DID(did); -- /* Note: always flush non-leaf currently */ -- val_iva = size_order | addr; - break; - default: - BUG(); -@@ -457,8 +454,11 @@ static int flush_iotlb_reg(void *_iommu, - - spin_lock_irqsave(&iommu->register_lock, flags); - /* Note: Only uses first TLB reg currently */ -- if ( val_iva ) -- dmar_writeq(iommu->reg, tlb_offset, val_iva); -+ if ( type == DMA_TLB_PSI_FLUSH ) -+ { -+ /* Note: always flush non-leaf currently. */ -+ dmar_writeq(iommu->reg, tlb_offset, size_order | addr); -+ } - dmar_writeq(iommu->reg, tlb_offset + 8, val); - - /* Make sure hardware complete it */ diff --git a/561d20a0-x86-hide-MWAITX-from-PV-domains.patch b/561d20a0-x86-hide-MWAITX-from-PV-domains.patch deleted file mode 100644 index ad6c566..0000000 --- a/561d20a0-x86-hide-MWAITX-from-PV-domains.patch +++ /dev/null @@ -1,32 +0,0 @@ -# Commit 941cd44324db7eddc46cba4596fa13d505066ccf -# Date 2015-10-13 17:17:52 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86: hide MWAITX from PV domains - -Since MWAIT is hidden too. (Linux starting with 4.3 is making use of -that feature, and is checking for it without looking at the MWAIT one.) - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - ---- a/xen/arch/x86/traps.c -+++ b/xen/arch/x86/traps.c -@@ -904,6 +904,7 @@ void pv_cpuid(struct cpu_user_regs *regs - __clear_bit(X86_FEATURE_LWP % 32, &c); - __clear_bit(X86_FEATURE_NODEID_MSR % 32, &c); - __clear_bit(X86_FEATURE_TOPOEXT % 32, &c); -+ __clear_bit(X86_FEATURE_MWAITX % 32, &c); - break; - - case 0x00000005: /* MONITOR/MWAIT */ ---- a/xen/include/asm-x86/cpufeature.h -+++ b/xen/include/asm-x86/cpufeature.h -@@ -137,6 +137,7 @@ - #define X86_FEATURE_TBM (6*32+21) /* trailing bit manipulations */ - #define X86_FEATURE_TOPOEXT (6*32+22) /* topology extensions CPUID leafs */ - #define X86_FEATURE_DBEXT (6*32+26) /* data breakpoint extension */ -+#define X86_FEATURE_MWAITX (6*32+29) /* MWAIT extension (MONITORX/MWAITX) */ - - /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 7 */ - #define X86_FEATURE_FSGSBASE (7*32+ 0) /* {RD,WR}{FS,GS}BASE instructions */ diff --git a/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch b/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch deleted file mode 100644 index d6c20ab..0000000 --- a/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch +++ /dev/null @@ -1,114 +0,0 @@ -# Commit 83281fc9b31396e94c0bfb6550b75c165037a0ad -# Date 2015-10-14 12:46:27 +0200 -# Author Jan Beulich -# Committer Jan Beulich -x86/NUMA: fix SRAT table processor entry parsing and consumption - -- don't overrun apicid_to_node[] (possible in the x2APIC case) -- don't limit number of processor related SRAT entries we can consume -- make acpi_numa_{processor,x2apic}_affinity_init() as similar to one - another as possible -- print APIC IDs in hex (to ease matching with other log messages), at - once making legacy and x2APIC ones distinguishable (by width) - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - ---- a/xen/arch/x86/numa.c -+++ b/xen/arch/x86/numa.c -@@ -347,7 +347,7 @@ void __init init_cpu_to_node(void) - u32 apicid = x86_cpu_to_apicid[i]; - if ( apicid == BAD_APICID ) - continue; -- node = apicid_to_node[apicid]; -+ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE; - if ( node == NUMA_NO_NODE || !node_online(node) ) - node = 0; - numa_set_node(i, node); ---- a/xen/arch/x86/setup.c -+++ b/xen/arch/x86/setup.c -@@ -191,7 +191,7 @@ void __devinit srat_detect_node(int cpu) - unsigned node; - u32 apicid = x86_cpu_to_apicid[cpu]; - -- node = apicid_to_node[apicid]; -+ node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE; - if ( node == NUMA_NO_NODE ) - node = 0; - ---- a/xen/arch/x86/smpboot.c -+++ b/xen/arch/x86/smpboot.c -@@ -885,7 +885,8 @@ int cpu_add(uint32_t apic_id, uint32_t a - cpu = node; - goto out; - } -- apicid_to_node[apic_id] = node; -+ if ( apic_id < MAX_LOCAL_APIC ) -+ apicid_to_node[apic_id] = node; - } - - /* Physically added CPUs do not have synchronised TSC. */ ---- a/xen/arch/x86/srat.c -+++ b/xen/arch/x86/srat.c -@@ -170,7 +170,6 @@ void __init - acpi_numa_x2apic_affinity_init(struct acpi_srat_x2apic_cpu_affinity *pa) - { - int pxm, node; -- int apic_id; - - if (srat_disabled()) - return; -@@ -178,8 +177,13 @@ acpi_numa_x2apic_affinity_init(struct ac - bad_srat(); - return; - } -- if ((pa->flags & ACPI_SRAT_CPU_ENABLED) == 0) -+ if (!(pa->flags & ACPI_SRAT_CPU_ENABLED)) -+ return; -+ if (pa->apic_id >= MAX_LOCAL_APIC) { -+ printk(KERN_INFO "SRAT: APIC %08x ignored\n", pa->apic_id); - return; -+ } -+ - pxm = pa->proximity_domain; - node = setup_node(pxm); - if (node < 0) { -@@ -187,11 +191,11 @@ acpi_numa_x2apic_affinity_init(struct ac - return; - } - -- apic_id = pa->apic_id; -- apicid_to_node[apic_id] = node; -+ apicid_to_node[pa->apic_id] = node; -+ node_set(node, processor_nodes_parsed); - acpi_numa = 1; -- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n", -- pxm, apic_id, node); -+ printk(KERN_INFO "SRAT: PXM %u -> APIC %08x -> Node %u\n", -+ pxm, pa->apic_id, node); - } - - /* Callback for Proximity Domain -> LAPIC mapping */ -@@ -221,7 +225,7 @@ acpi_numa_processor_affinity_init(struct - apicid_to_node[pa->apic_id] = node; - node_set(node, processor_nodes_parsed); - acpi_numa = 1; -- printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n", -+ printk(KERN_INFO "SRAT: PXM %u -> APIC %02x -> Node %u\n", - pxm, pa->apic_id, node); - } - ---- a/xen/drivers/acpi/numa.c -+++ b/xen/drivers/acpi/numa.c -@@ -199,9 +199,9 @@ int __init acpi_numa_init(void) - /* SRAT: Static Resource Affinity Table */ - if (!acpi_table_parse(ACPI_SIG_SRAT, acpi_parse_srat)) { - acpi_table_parse_srat(ACPI_SRAT_TYPE_X2APIC_CPU_AFFINITY, -- acpi_parse_x2apic_affinity, NR_CPUS); -+ acpi_parse_x2apic_affinity, 0); - acpi_table_parse_srat(ACPI_SRAT_TYPE_CPU_AFFINITY, -- acpi_parse_processor_affinity, NR_CPUS); -+ acpi_parse_processor_affinity, 0); - acpi_table_parse_srat(ACPI_SRAT_TYPE_MEMORY_AFFINITY, - acpi_parse_memory_affinity, - NR_NODE_MEMBLKS); diff --git a/CVE-2015-3259-xsa137.patch b/CVE-2015-3259-xsa137.patch deleted file mode 100644 index 354a972..0000000 --- a/CVE-2015-3259-xsa137.patch +++ /dev/null @@ -1,216 +0,0 @@ -xl: Sane handling of extra config file arguments - -Various xl sub-commands take additional parameters containing = as -additional config fragments. - -The handling of these config fragments has a number of bugs: - - 1. Use of a static 1024-byte buffer. (If truncation would occur, - with semi-trusted input, a security risk arises due to quotes - being lost.) - - 2. Mishandling of the return value from snprintf, so that if - truncation occurs, the to-write pointer is updated with the - wanted-to-write length, resulting in stack corruption. (This is - XSA-137.) - - 3. Clone-and-hack of the code for constructing the appended - config file. - -These are fixed here, by introducing a new function -`string_realloc_append' and using it everywhere. The `extra_info' -buffers are replaced by pointers, which start off NULL and are -explicitly freed on all return paths. - -The separate variable which will become dom_info.extra_config is -abolished (which involves moving the clearing of dom_info). - -Additional bugs I observe, not fixed here: - - 4. The functions which now call string_realloc_append use ad-hoc - error returns, with multiple calls to `return'. This currently - necessitates multiple new calls to `free'. - - 5. Many of the paths in xl call exit(-rc) where rc is a libxl status - code. This is a ridiculous exit status `convention'. - - 6. The loops for handling extra config data are clone-and-hacks. - - 7. Once the extra config buffer is accumulated, it must be combined - with the appropriate main config file. The code to do this - combining is clone-and-hacked too. - -Signed-off-by: Ian Jackson -Tested-by: Ian Jackson -Acked-by: Ian Campbell - ---- a/tools/libxl/xl_cmdimpl.c -+++ b/tools/libxl/xl_cmdimpl.c -@@ -151,7 +151,7 @@ struct domain_create { - int console_autoconnect; - int checkpointed_stream; - const char *config_file; -- const char *extra_config; /* extra config string */ -+ char *extra_config; /* extra config string */ - const char *restore_file; - int migrate_fd; /* -1 means none */ - char **migration_domname_r; /* from malloc */ -@@ -4572,11 +4572,25 @@ int main_vm_list(int argc, char **argv) - return 0; - } - -+static void string_realloc_append(char **accumulate, const char *more) -+{ -+ /* Appends more to accumulate. Accumulate is either NULL, or -+ * points (always) to a malloc'd nul-terminated string. */ -+ -+ size_t oldlen = *accumulate ? strlen(*accumulate) : 0; -+ size_t morelen = strlen(more) + 1/*nul*/; -+ if (oldlen > SSIZE_MAX || morelen > SSIZE_MAX - oldlen) { -+ fprintf(stderr,"Additional config data far too large\n"); -+ exit(-ERROR_FAIL); -+ } -+ -+ *accumulate = xrealloc(*accumulate, oldlen + morelen); -+ memcpy(*accumulate + oldlen, more, morelen); -+} -+ - int main_create(int argc, char **argv) - { - const char *filename = NULL; -- char *p; -- char extra_config[1024]; - struct domain_create dom_info; - int paused = 0, debug = 0, daemonize = 1, console_autoconnect = 0, - quiet = 0, monitor = 1, vnc = 0, vncautopass = 0; -@@ -4591,6 +4605,8 @@ int main_create(int argc, char **argv) - {0, 0, 0, 0} - }; - -+ dom_info.extra_config = NULL; -+ - if (argv[1] && argv[1][0] != '-' && !strchr(argv[1], '=')) { - filename = argv[1]; - argc--; argv++; -@@ -4630,20 +4646,21 @@ int main_create(int argc, char **argv) - break; - } - -- extra_config[0] = '\0'; -- for (p = extra_config; optind < argc; optind++) { -+ memset(&dom_info, 0, sizeof(dom_info)); -+ -+ for (; optind < argc; optind++) { - if (strchr(argv[optind], '=') != NULL) { -- p += snprintf(p, sizeof(extra_config) - (p - extra_config), -- "%s\n", argv[optind]); -+ string_realloc_append(&dom_info.extra_config, argv[optind]); -+ string_realloc_append(&dom_info.extra_config, "\n"); - } else if (!filename) { - filename = argv[optind]; - } else { - help("create"); -+ free(dom_info.extra_config); - return 2; - } - } - -- memset(&dom_info, 0, sizeof(dom_info)); - dom_info.debug = debug; - dom_info.daemonize = daemonize; - dom_info.monitor = monitor; -@@ -4651,16 +4668,18 @@ int main_create(int argc, char **argv) - dom_info.dryrun = dryrun_only; - dom_info.quiet = quiet; - dom_info.config_file = filename; -- dom_info.extra_config = extra_config; - dom_info.migrate_fd = -1; - dom_info.vnc = vnc; - dom_info.vncautopass = vncautopass; - dom_info.console_autoconnect = console_autoconnect; - - rc = create_domain(&dom_info); -- if (rc < 0) -+ if (rc < 0) { -+ free(dom_info.extra_config); - return -rc; -+ } - -+ free(dom_info.extra_config); - return 0; - } - -@@ -4668,8 +4687,7 @@ int main_config_update(int argc, char ** - { - uint32_t domid; - const char *filename = NULL; -- char *p; -- char extra_config[1024]; -+ char *extra_config = NULL; - void *config_data = 0; - int config_len = 0; - libxl_domain_config d_config; -@@ -4707,15 +4725,15 @@ int main_config_update(int argc, char ** - break; - } - -- extra_config[0] = '\0'; -- for (p = extra_config; optind < argc; optind++) { -+ for (; optind < argc; optind++) { - if (strchr(argv[optind], '=') != NULL) { -- p += snprintf(p, sizeof(extra_config) - (p - extra_config), -- "%s\n", argv[optind]); -+ string_realloc_append(&extra_config, argv[optind]); -+ string_realloc_append(&extra_config, "\n"); - } else if (!filename) { - filename = argv[optind]; - } else { - help("create"); -+ free(extra_config); - return 2; - } - } -@@ -4724,7 +4742,8 @@ int main_config_update(int argc, char ** - rc = libxl_read_file_contents(ctx, filename, - &config_data, &config_len); - if (rc) { fprintf(stderr, "Failed to read config file: %s: %s\n", -- filename, strerror(errno)); return ERROR_FAIL; } -+ filename, strerror(errno)); -+ free(extra_config); return ERROR_FAIL; } - if (strlen(extra_config)) { - if (config_len > INT_MAX - (strlen(extra_config) + 2 + 1)) { - fprintf(stderr, "Failed to attach extra configration\n"); -@@ -4765,7 +4784,7 @@ int main_config_update(int argc, char ** - libxl_domain_config_dispose(&d_config); - - free(config_data); -- -+ free(extra_config); - return 0; - } - -@@ -7022,7 +7041,7 @@ int main_cpupoolcreate(int argc, char ** - { - const char *filename = NULL, *config_src=NULL; - const char *p; -- char extra_config[1024]; -+ char *extra_config = NULL; - int opt; - static struct option opts[] = { - {"defconfig", 1, 0, 'f'}, -@@ -7056,13 +7075,10 @@ int main_cpupoolcreate(int argc, char ** - break; - } - -- memset(extra_config, 0, sizeof(extra_config)); - while (optind < argc) { - if ((p = strchr(argv[optind], '='))) { -- if (strlen(extra_config) + 1 + strlen(argv[optind]) < sizeof(extra_config)) { -- strcat(extra_config, "\n"); -- strcat(extra_config, argv[optind]); -- } -+ string_realloc_append(&extra_config, "\n"); -+ string_realloc_append(&extra_config, argv[optind]); - } else if (!filename) { - filename = argv[optind]; - } else { diff --git a/CVE-2015-4106-xsa131-9.patch b/CVE-2015-4106-xsa131-9.patch deleted file mode 100644 index aa980d5..0000000 --- a/CVE-2015-4106-xsa131-9.patch +++ /dev/null @@ -1,37 +0,0 @@ -tools: libxl: allow permissive qemu-upstream pci passthrough - -Since XSA-131 qemu-xen now restricts access to PCI cfg by default. In -order to allow local configuration of the existing libxl_device_pci -"permissive" flag needs to be plumbed through via the new QMP property -added by the XSA-131 patches. - -Versions of QEMU prior to XSA-131 did not support this permissive -property, so we only pass it if it is true. Older versions only -supported permissive mode. - -qemu-xen-traditional already supports the permissive mode setting via -xenstore. - -Signed-off-by: Ian Campbell - ---- a/tools/libxl/libxl_qmp.c -+++ b/tools/libxl/libxl_qmp.c -@@ -835,6 +835,18 @@ int libxl__qmp_pci_add(libxl__gc *gc, in - QMP_PARAMETERS_SPRINTF(&args, "addr", "%x.%x", - PCI_SLOT(pcidev->vdevfn), PCI_FUNC(pcidev->vdevfn)); - } -+ /* -+ * Version of QEMU prior to the XSA-131 fix did not support this -+ * property and were effectively always in permissive mode. The -+ * fix for XSA-131 switched the default to be restricted by -+ * default and added the permissive property. -+ * -+ * Therefore in order to support both old and new QEMU we only set -+ * the permissive flag if it is true. Users of older QEMU have no -+ * reason to set the flag so this is ok. -+ */ -+ if (pcidev->permissive) -+ qmp_parameters_add_bool(gc, &args, "permissive", true); - - rc = qmp_synchronous_send(qmp, "device_add", args, - NULL, NULL, qmp->timeout); diff --git a/CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch b/CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch deleted file mode 100644 index e0fa101..0000000 --- a/CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch +++ /dev/null @@ -1,74 +0,0 @@ -From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Wed, 3 Jun 2015 14:13:31 +0200 -Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer - (CVE-2015-5154) - -If the end_transfer_func of a command is called because enough data has -been read or written for the current PIO transfer, and it fails to -correctly call the command completion functions, the DRQ bit in the -status register and s->end_transfer_func may remain set. This allows the -guest to access further bytes in s->io_buffer beyond s->data_end, and -eventually overflowing the io_buffer. - -One case where this currently happens is emulation of the ATAPI command -START STOP UNIT. - -This patch fixes the problem by adding explicit array bounds checks -before accessing the buffer instead of relying on end_transfer_func to -function correctly. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf ---- - hw/ide/core.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -Index: xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c -=================================================================== ---- xen-4.2.5-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c -+++ xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c -@@ -3002,6 +3002,10 @@ static void ide_data_writew(void *opaque - buffered_pio_write(s, addr, 2); - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return; -+ } -+ - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -@@ -3021,6 +3025,10 @@ static uint32_t ide_data_readw(void *opa - buffered_pio_read(s, addr, 2); - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -@@ -3040,6 +3048,10 @@ static void ide_data_writel(void *opaque - buffered_pio_write(s, addr, 4); - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return; -+ } -+ - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -@@ -3059,6 +3071,10 @@ static uint32_t ide_data_readl(void *opa - buffered_pio_read(s, addr, 4); - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; diff --git a/CVE-2015-5154-qemut-clear-DRQ-after-handling-all-expected-accesses.patch b/CVE-2015-5154-qemut-clear-DRQ-after-handling-all-expected-accesses.patch deleted file mode 100644 index acbfd6c..0000000 --- a/CVE-2015-5154-qemut-clear-DRQ-after-handling-all-expected-accesses.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Wed, 3 Jun 2015 14:41:27 +0200 -Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses - -This is additional hardening against an end_transfer_func that fails to -clear the DRQ status bit. The bit must be unset as soon as the PIO -transfer has completed, so it's better to do this in a central place -instead of duplicating the code in all commands (and forgetting it in -some). - -Signed-off-by: Kevin Wolf ---- - hw/ide/core.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -Index: xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c -=================================================================== ---- xen-4.2.5-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c -+++ xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c -@@ -3016,8 +3016,10 @@ static void ide_data_writew(void *opaque - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - static uint32_t ide_data_readw(void *opaque, uint32_t addr) -@@ -3039,8 +3041,10 @@ static uint32_t ide_data_readw(void *opa - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - -@@ -3062,8 +3066,10 @@ static void ide_data_writel(void *opaque - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - static uint32_t ide_data_readl(void *opaque, uint32_t addr) -@@ -3085,8 +3091,10 @@ static uint32_t ide_data_readl(void *opa - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - diff --git a/CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch b/CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch deleted file mode 100644 index c670850..0000000 --- a/CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch +++ /dev/null @@ -1,54 +0,0 @@ -Subject: ATAPI: STARTSTOPUNIT only eject/load media if powercondition is 0 -From: Ronnie Sahlberg ronniesahlberg@gmail.com Tue Jul 31 11:28:26 2012 +1000 -Date: Wed Sep 12 15:50:09 2012 +0200: -Git: ce560dcf20c14194db5ef3b9fc1ea592d4e68109 - -The START STOP UNIT command will only eject/load media if -power condition is zero. - -If power condition is !0 then LOEJ and START will be ignored. - -From MMC (sbc contains similar wordings too) - The Power Conditions field requests the block device to be placed - in the power condition defined in - Table 558. If this field has a value other than 0h then the Start - and LoEj bits shall be ignored. - -Signed-off-by: Ronnie Sahlberg -Signed-off-by: Kevin Wolf - -From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Wed, 3 Jun 2015 14:17:46 +0200 -Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion - -The command must be completed on all code paths. START STOP UNIT with -pwrcnd set should succeed without doing anything. - -Signed-off-by: Kevin Wolf ---- - hw/ide/atapi.c | 1 + - 1 file changed, 1 insertion(+) - -Index: xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c -=================================================================== ---- xen-4.2.5-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c -+++ xen-4.2.5-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c -@@ -2095,9 +2095,16 @@ static void ide_atapi_cmd(IDEState *s) - break; - case GPCMD_START_STOP_UNIT: - { -- int start, eject; -+ int start, eject, pwrcnd; - start = packet[4] & 1; - eject = (packet[4] >> 1) & 1; -+ pwrcnd = buf[4] & 0xf0; -+ -+ if (pwrcnd) { -+ /* eject/load only happens for power condition == 0 */ -+ ide_atapi_cmd_ok(s); -+ return; -+ } - - if (eject && !start) { - /* eject the disk */ diff --git a/CVE-2015-5154-qemuu-check-array-bounds-before-writing-to-io_buffer.patch b/CVE-2015-5154-qemuu-check-array-bounds-before-writing-to-io_buffer.patch deleted file mode 100644 index 4a08fcb..0000000 --- a/CVE-2015-5154-qemuu-check-array-bounds-before-writing-to-io_buffer.patch +++ /dev/null @@ -1,74 +0,0 @@ -From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Wed, 3 Jun 2015 14:13:31 +0200 -Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer - (CVE-2015-5154) - -If the end_transfer_func of a command is called because enough data has -been read or written for the current PIO transfer, and it fails to -correctly call the command completion functions, the DRQ bit in the -status register and s->end_transfer_func may remain set. This allows the -guest to access further bytes in s->io_buffer beyond s->data_end, and -eventually overflowing the io_buffer. - -One case where this currently happens is emulation of the ATAPI command -START STOP UNIT. - -This patch fixes the problem by adding explicit array bounds checks -before accessing the buffer instead of relying on end_transfer_func to -function correctly. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf ---- - hw/ide/core.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c -@@ -1901,6 +1901,10 @@ void ide_data_writew(void *opaque, uint3 - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return; -+ } -+ - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -@@ -1922,6 +1926,10 @@ uint32_t ide_data_readw(void *opaque, ui - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -@@ -1943,6 +1951,10 @@ void ide_data_writel(void *opaque, uint3 - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return; -+ } -+ - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -@@ -1964,6 +1976,10 @@ uint32_t ide_data_readl(void *opaque, ui - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; diff --git a/CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch b/CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch deleted file mode 100644 index f6d0f19..0000000 --- a/CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Wed, 3 Jun 2015 14:41:27 +0200 -Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses - -This is additional hardening against an end_transfer_func that fails to -clear the DRQ status bit. The bit must be unset as soon as the PIO -transfer has completed, so it's better to do this in a central place -instead of duplicating the code in all commands (and forgetting it in -some). - -Signed-off-by: Kevin Wolf ---- - hw/ide/core.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c -@@ -1908,8 +1908,10 @@ void ide_data_writew(void *opaque, uint3 - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readw(void *opaque, uint32_t addr) -@@ -1933,8 +1935,10 @@ uint32_t ide_data_readw(void *opaque, ui - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - -@@ -1958,8 +1962,10 @@ void ide_data_writel(void *opaque, uint3 - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readl(void *opaque, uint32_t addr) -@@ -1983,8 +1989,10 @@ uint32_t ide_data_readl(void *opaque, ui - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - diff --git a/CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch b/CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch deleted file mode 100644 index d355907..0000000 --- a/CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch +++ /dev/null @@ -1,25 +0,0 @@ -From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Wed, 3 Jun 2015 14:17:46 +0200 -Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion - -The command must be completed on all code paths. START STOP UNIT with -pwrcnd set should succeed without doing anything. - -Signed-off-by: Kevin Wolf ---- - hw/ide/atapi.c | 1 + - 1 file changed, 1 insertion(+) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/atapi.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/ide/atapi.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/atapi.c -@@ -879,6 +879,7 @@ static void cmd_start_stop_unit(IDEState - - if (pwrcnd) { - /* eject/load only happens for power condition == 0 */ -+ ide_atapi_cmd_ok(s); - return; - } - diff --git a/CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch b/CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch deleted file mode 100644 index a205307..0000000 --- a/CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch +++ /dev/null @@ -1,50 +0,0 @@ -References: bsc#944463 - -Subject: ui/vnc: limit client_cut_text msg payload size -From: Peter Lieven pl@kamp.de Mon Jun 30 10:07:54 2014 +0200 -Date: Tue Jul 1 13:26:40 2014 +0200: -Git: f9a70e79391f6d7c2a912d785239ee8effc1922d - -currently a malicious client could define a payload -size of 2^32 - 1 bytes and send up to that size of -data to the vnc server. The server would allocated -that amount of memory which could easily create an -out of memory condition. - -This patch limits the payload size to 1MB max. - -Please note that client_cut_text messages are currently -silently ignored. - -Signed-off-by: Peter Lieven -Signed-off-by: Gerd Hoffmann - -Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c -+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c -@@ -1779,14 +1779,21 @@ static int protocol_client_msg(VncState - pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4)); - break; - case 6: -- if (len == 1) -+ if (len == 1) { - return 8; -- -+ } - if (len == 8) { - uint32_t v; - v = read_u32(data, 4); -- if (v) -+ if (v > (1 << 20)) { -+ VNC_DEBUG("vnc: client_cut_text msg payload has %u bytes" -+ " which exceeds our limit of 1MB.", v); -+ vnc_client_error(vs); -+ break; -+ } -+ if (v > 0) { - return 8 + v; -+ } - } - - client_cut_text(vs, read_u32(data, 4), (char *)(data + 8)); diff --git a/CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch b/CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch deleted file mode 100644 index 68a555f..0000000 --- a/CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch +++ /dev/null @@ -1,49 +0,0 @@ -References: bsc#944463 - -Subject: ui/vnc: limit client_cut_text msg payload size -From: Peter Lieven pl@kamp.de Mon Jun 30 10:07:54 2014 +0200 -Date: Tue Jul 1 13:26:40 2014 +0200: -Git: f9a70e79391f6d7c2a912d785239ee8effc1922d - -currently a malicious client could define a payload -size of 2^32 - 1 bytes and send up to that size of -data to the vnc server. The server would allocated -that amount of memory which could easily create an -out of memory condition. - -This patch limits the payload size to 1MB max. - -Please note that client_cut_text messages are currently -silently ignored. - -Signed-off-by: Peter Lieven -Signed-off-by: Gerd Hoffmann - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/ui/vnc.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/ui/vnc.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/ui/vnc.c -@@ -2149,13 +2149,20 @@ static int protocol_client_msg(VncState - pointer_event(vs, read_u8(data, 1), read_u16(data, 2), read_u16(data, 4)); - break; - case VNC_MSG_CLIENT_CUT_TEXT: -- if (len == 1) -+ if (len == 1) { - return 8; -- -+ } - if (len == 8) { - uint32_t dlen = read_u32(data, 4); -- if (dlen > 0) -+ if (dlen > (1 << 20)) { -+ error_report("vnc: client_cut_text msg payload has %u bytes" -+ " which exceeds our limit of 1MB.", dlen); -+ vnc_client_error(vs); -+ break; -+ } -+ if (dlen > 0) { - return 8 + dlen; -+ } - } - - client_cut_text(vs, read_u32(data, 4), data + 8); diff --git a/CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch b/CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch deleted file mode 100644 index 25e36a6..0000000 --- a/CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch +++ /dev/null @@ -1,31 +0,0 @@ -References: bsc#944697 - -From: P J P - -While processing transmit descriptors, it could lead to an infinite -loop if 'bytes' was to become zero; Add a check to avoid it. - -[The guest can force 'bytes' to 0 by setting the hdr_len and mss -descriptor fields to 0. ---Stefan] - -Signed-off-by: P J P -Signed-off-by: Stefan Hajnoczi ---- - hw/net/e1000.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c -+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c -@@ -470,7 +470,8 @@ process_tx_desc(E1000State *s, struct e1 - memmove(tp->data, tp->header, hdr); - tp->size = hdr; - } -- } while (split_size -= bytes); -+ split_size -= bytes; -+ } while (bytes && split_size); - } else if (!tp->tse && tp->cptse) { - // context descriptor TSE is not set, while data descriptor TSE is set - DBGOUT(TXERR, "TCP segmentaion Error\n"); diff --git a/CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch b/CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch deleted file mode 100644 index 2368019..0000000 --- a/CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch +++ /dev/null @@ -1,31 +0,0 @@ -References: bsc#944697 - -From: P J P - -While processing transmit descriptors, it could lead to an infinite -loop if 'bytes' was to become zero; Add a check to avoid it. - -[The guest can force 'bytes' to 0 by setting the hdr_len and mss -descriptor fields to 0. ---Stefan] - -Signed-off-by: P J P -Signed-off-by: Stefan Hajnoczi ---- - hw/net/e1000.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/e1000.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/e1000.c -@@ -707,7 +707,8 @@ process_tx_desc(E1000State *s, struct e1 - memmove(tp->data, tp->header, tp->hdr_len); - tp->size = tp->hdr_len; - } -- } while (split_size -= bytes); -+ split_size -= bytes; -+ } while (bytes && split_size); - } else if (!tp->tse && tp->cptse) { - // context descriptor TSE is not set, while data descriptor TSE is set - DBGOUT(TXERR, "TCP segmentation error\n"); diff --git a/CVE-2015-7311-xsa142.patch b/CVE-2015-7311-xsa142.patch deleted file mode 100644 index 6e79a19..0000000 --- a/CVE-2015-7311-xsa142.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 07ca00703f76ad392eda5ee52cce1197cf49c30a Mon Sep 17 00:00:00 2001 -From: Stefano Stabellini -Subject: [PATCH v2.1 for-4.5] libxl: handle read-only drives with qemu-xen - -The current libxl code doesn't deal with read-only drives at all. - -Upstream QEMU and qemu-xen only support read-only cdrom drives: make -sure to specify "readonly=on" for cdrom drives and return error in case -the user requested a non-cdrom read-only drive. - -This is XSA-142, discovered by Lin Liu -(https://bugzilla.redhat.com/show_bug.cgi?id=1257893). - -Signed-off-by: Stefano Stabellini - -Backport to Xen 4.5 and earlier, apropos of report and review from -Michael Young. - -Signed-off-by: Ian Jackson ---- - tools/libxl/libxl_dm.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -Index: xen-4.5.1-testing/tools/libxl/libxl_dm.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_dm.c -+++ xen-4.5.1-testing/tools/libxl/libxl_dm.c -@@ -812,13 +812,18 @@ static char ** libxl__build_device_model - if (disks[i].is_cdrom) { - if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) - drive = libxl__sprintf -- (gc, "if=ide,index=%d,media=cdrom,cache=writeback,id=ide-%i", -- disk, dev_number); -+ (gc, "if=ide,index=%d,readonly=%s,media=cdrom,cache=writeback,id=ide-%i", -+ disk, disks[i].readwrite ? "off" : "on", dev_number); - else - drive = libxl__sprintf -- (gc, "file=%s,if=ide,index=%d,media=cdrom,format=%s,cache=writeback,id=ide-%i", -- disks[i].pdev_path, disk, format, dev_number); -+ (gc, "file=%s,if=ide,index=%d,readonly=%s,media=cdrom,format=%s,cache=writeback,id=ide-%i", -+ disks[i].pdev_path, disk, disks[i].readwrite ? "off" : "on", format, dev_number); - } else { -+ if (!disks[i].readwrite) { -+ LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "qemu-xen doesn't support read-only disk drivers"); -+ return NULL; -+ } -+ - if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) { - LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "cannot support" - " empty disk format for %s", disks[i].vdev); diff --git a/CVE-2015-7835-xsa148.patch b/CVE-2015-7835-xsa148.patch deleted file mode 100644 index c66440a..0000000 --- a/CVE-2015-7835-xsa148.patch +++ /dev/null @@ -1,43 +0,0 @@ -References: bsc#950367 CVE-2015-7835 XSA-148 - -x86: guard against undue super page PTE creation - -When optional super page support got added (commit bd1cd81d64 "x86: PV -support for hugepages"), two adjustments were missed: mod_l2_entry() -needs to consider the PSE and RW bits when deciding whether to use the -fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK -unconditionally. - -This is CVE-2015-7835 / XSA-148. - -Signed-off-by: Jan Beulich -Reviewed-by: Tim Deegan - -Index: xen-4.5.1-testing/xen/arch/x86/mm.c -=================================================================== ---- xen-4.5.1-testing.orig/xen/arch/x86/mm.c -+++ xen-4.5.1-testing/xen/arch/x86/mm.c -@@ -162,7 +162,10 @@ static void put_superpage(unsigned long - static uint32_t base_disallow_mask; - /* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */ - #define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL) --#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE) -+ -+#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \ -+ ? base_disallow_mask & ~_PAGE_PSE \ -+ : base_disallow_mask) - - #define l3_disallow_mask(d) (!is_pv_32on64_domain(d) ? \ - base_disallow_mask : \ -@@ -1790,7 +1793,10 @@ static int mod_l2_entry(l2_pgentry_t *pl - } - - /* Fast path for identical mapping and presence. */ -- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) ) -+ if ( !l2e_has_changed(ol2e, nl2e, -+ unlikely(opt_allow_superpage) -+ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT -+ : _PAGE_PRESENT) ) - { - adjust_guest_l2e(nl2e, d); - if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) ) diff --git a/VNC-Support-for-ExtendedKeyEvent-client-message.patch b/VNC-Support-for-ExtendedKeyEvent-client-message.patch index 3cf1c65..954217c 100644 --- a/VNC-Support-for-ExtendedKeyEvent-client-message.patch +++ b/VNC-Support-for-ExtendedKeyEvent-client-message.patch @@ -20,10 +20,10 @@ git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5076 c046a42c-6fe2-441c-8c8 vnc.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++--------- 1 files changed, 50 insertions(+), 9 deletions(-) -Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/vnc.c =================================================================== ---- xen-4.2.0-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c -+++ xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c +--- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c ++++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/vnc.c @@ -1285,35 +1285,22 @@ static void press_key_altgr_down(VncStat } } @@ -115,7 +115,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c case 0x574D5669: vs->has_WMVi = 1; default: -@@ -1774,6 +1791,24 @@ static int protocol_client_msg(VncState +@@ -1780,6 +1797,24 @@ static int protocol_client_msg(VncState client_cut_text(vs, read_u32(data, 4), (char *)(data + 8)); break; @@ -140,7 +140,7 @@ Index: xen-4.2.0-testing/tools/qemu-xen-traditional-dir-remote/vnc.c default: printf("Msg: %d\n", data[0]); vnc_client_error(vs); -@@ -2445,10 +2480,11 @@ void vnc_display_init(DisplayState *ds) +@@ -2451,10 +2486,11 @@ void vnc_display_init(DisplayState *ds) vs->ds = ds; diff --git a/ipxe.tar.bz2 b/ipxe.tar.bz2 index 54af855..f5c3ef8 100644 --- a/ipxe.tar.bz2 +++ b/ipxe.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:6fcae87011b70d922b3532ca8ba9aa649f60068fbece975abdf2b419a4fd7826 -size 2877505 +oid sha256:a7b3bed4f4132e9b65970b89a23e7d234728b44ae9c7a3c068ff33ea86fa48f5 +size 2877798 diff --git a/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch b/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch index 9b82951..e2582a4 100644 --- a/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch +++ b/libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch @@ -7,11 +7,11 @@ https://bugzilla.novell.com/show_bug.cgi?id=879425 tools/libxl/libxlu_disk_l.l | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) -Index: xen-4.5.1-testing/tools/libxl/libxl.c +Index: xen-4.5.2-testing/tools/libxl/libxl.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.c -+++ xen-4.5.1-testing/tools/libxl/libxl.c -@@ -2825,6 +2825,8 @@ static void device_disk_add(libxl__egc * +--- xen-4.5.2-testing.orig/tools/libxl/libxl.c ++++ xen-4.5.2-testing/tools/libxl/libxl.c +@@ -2832,6 +2832,8 @@ static void device_disk_add(libxl__egc * flexarray_append_pair(back, "discard-enable", libxl_defbool_val(disk->discard_enable) ? "1" : "0"); @@ -20,10 +20,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c flexarray_append(front, "backend-id"); flexarray_append(front, libxl__sprintf(gc, "%d", disk->backend_domid)); -Index: xen-4.5.1-testing/tools/libxl/libxl.h +Index: xen-4.5.2-testing/tools/libxl/libxl.h =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.h -+++ xen-4.5.1-testing/tools/libxl/libxl.h +--- xen-4.5.2-testing.orig/tools/libxl/libxl.h ++++ xen-4.5.2-testing/tools/libxl/libxl.h @@ -163,6 +163,18 @@ #define LIBXL_HAVE_BUILDINFO_HVM_MMIO_HOLE_MEMKB 1 @@ -43,10 +43,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.h * libxl ABI compatibility * * The only guarantee which libxl makes regarding ABI compatibility -Index: xen-4.5.1-testing/tools/libxl/libxlu_disk.c +Index: xen-4.5.2-testing/tools/libxl/libxlu_disk.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxlu_disk.c -+++ xen-4.5.1-testing/tools/libxl/libxlu_disk.c +--- xen-4.5.2-testing.orig/tools/libxl/libxlu_disk.c ++++ xen-4.5.2-testing/tools/libxl/libxlu_disk.c @@ -79,6 +79,8 @@ int xlu_disk_parse(XLU_Config *cfg, if (!disk->pdev_path || !strcmp(disk->pdev_path, "")) disk->format = LIBXL_DISK_FORMAT_EMPTY; @@ -56,10 +56,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxlu_disk.c if (!disk->vdev) { xlu__disk_err(&dpc,0, "no vdev specified"); -Index: xen-4.5.1-testing/tools/libxl/libxlu_disk_i.h +Index: xen-4.5.2-testing/tools/libxl/libxlu_disk_i.h =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxlu_disk_i.h -+++ xen-4.5.1-testing/tools/libxl/libxlu_disk_i.h +--- xen-4.5.2-testing.orig/tools/libxl/libxlu_disk_i.h ++++ xen-4.5.2-testing/tools/libxl/libxlu_disk_i.h @@ -10,7 +10,7 @@ typedef struct { void *scanner; YY_BUFFER_STATE buf; @@ -69,10 +69,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxlu_disk_i.h const char *spec; } DiskParseContext; -Index: xen-4.5.1-testing/tools/libxl/libxlu_disk_l.l +Index: xen-4.5.2-testing/tools/libxl/libxlu_disk_l.l =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxlu_disk_l.l -+++ xen-4.5.1-testing/tools/libxl/libxlu_disk_l.l +--- xen-4.5.2-testing.orig/tools/libxl/libxlu_disk_l.l ++++ xen-4.5.2-testing/tools/libxl/libxlu_disk_l.l @@ -176,6 +176,7 @@ script=[^,]*,? { STRIP(','); SAVESTRING( direct-io-safe,? { DPC->disk->direct_io_safe = 1; } discard,? { libxl_defbool_set(&DPC->disk->discard_enable, true); } diff --git a/libxl.pvscsi.patch b/libxl.pvscsi.patch index 845cd67..e63ec30 100644 --- a/libxl.pvscsi.patch +++ b/libxl.pvscsi.patch @@ -31,10 +31,10 @@ ee2e7e5 Merge pull request #1 from aaannz/pvscsi 7de6f49 support character devices too c84381b allow /dev/sda as scsi devspec f11e3a2 pvscsi -Index: xen-4.5.1-testing/docs/man/xl.cfg.pod.5 +Index: xen-4.5.2-testing/docs/man/xl.cfg.pod.5 =================================================================== ---- xen-4.5.1-testing.orig/docs/man/xl.cfg.pod.5 -+++ xen-4.5.1-testing/docs/man/xl.cfg.pod.5 +--- xen-4.5.2-testing.orig/docs/man/xl.cfg.pod.5 ++++ xen-4.5.2-testing/docs/man/xl.cfg.pod.5 @@ -448,6 +448,36 @@ value is optional if this is a guest dom =back @@ -72,10 +72,10 @@ Index: xen-4.5.1-testing/docs/man/xl.cfg.pod.5 =item B Specifies the paravirtual framebuffer devices which should be supplied -Index: xen-4.5.1-testing/docs/man/xl.pod.1 +Index: xen-4.5.2-testing/docs/man/xl.pod.1 =================================================================== ---- xen-4.5.1-testing.orig/docs/man/xl.pod.1 -+++ xen-4.5.1-testing/docs/man/xl.pod.1 +--- xen-4.5.2-testing.orig/docs/man/xl.pod.1 ++++ xen-4.5.2-testing/docs/man/xl.pod.1 @@ -1323,6 +1323,26 @@ List virtual trusted platform modules fo =back @@ -103,11 +103,11 @@ Index: xen-4.5.1-testing/docs/man/xl.pod.1 =head1 PCI PASS-THROUGH =over 4 -Index: xen-4.5.1-testing/tools/libxl/libxl.c +Index: xen-4.5.2-testing/tools/libxl/libxl.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.c -+++ xen-4.5.1-testing/tools/libxl/libxl.c -@@ -2317,6 +2317,273 @@ int libxl_devid_to_device_vtpm(libxl_ctx +--- xen-4.5.2-testing.orig/tools/libxl/libxl.c ++++ xen-4.5.2-testing/tools/libxl/libxl.c +@@ -2324,6 +2324,273 @@ int libxl_devid_to_device_vtpm(libxl_ctx return rc; } @@ -381,7 +381,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c /******************************************************************************/ -@@ -4192,6 +4459,8 @@ out: +@@ -4199,6 +4466,8 @@ out: * libxl_device_vkb_destroy * libxl_device_vfb_remove * libxl_device_vfb_destroy @@ -390,7 +390,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c */ #define DEFINE_DEVICE_REMOVE(type, removedestroy, f) \ int libxl_device_##type##_##removedestroy(libxl_ctx *ctx, \ -@@ -4247,6 +4516,10 @@ DEFINE_DEVICE_REMOVE(vtpm, destroy, 1) +@@ -4254,6 +4523,10 @@ DEFINE_DEVICE_REMOVE(vtpm, destroy, 1) * 1. add support for secondary consoles to xenconsoled * 2. dynamically add/remove qemu chardevs via qmp messages. */ @@ -401,7 +401,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c #undef DEFINE_DEVICE_REMOVE /******************************************************************************/ -@@ -4256,6 +4529,7 @@ DEFINE_DEVICE_REMOVE(vtpm, destroy, 1) +@@ -4263,6 +4536,7 @@ DEFINE_DEVICE_REMOVE(vtpm, destroy, 1) * libxl_device_disk_add * libxl_device_nic_add * libxl_device_vtpm_add @@ -409,7 +409,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c */ #define DEFINE_DEVICE_ADD(type) \ -@@ -4287,6 +4561,9 @@ DEFINE_DEVICE_ADD(nic) +@@ -4294,6 +4568,9 @@ DEFINE_DEVICE_ADD(nic) /* vtpm */ DEFINE_DEVICE_ADD(vtpm) @@ -419,7 +419,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c #undef DEFINE_DEVICE_ADD /******************************************************************************/ -@@ -6829,6 +7106,20 @@ out: +@@ -6836,6 +7113,20 @@ out: return rc; } @@ -440,10 +440,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c /* * Local variables: * mode: C -Index: xen-4.5.1-testing/tools/libxl/libxl.h +Index: xen-4.5.2-testing/tools/libxl/libxl.h =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.h -+++ xen-4.5.1-testing/tools/libxl/libxl.h +--- xen-4.5.2-testing.orig/tools/libxl/libxl.h ++++ xen-4.5.2-testing/tools/libxl/libxl.h @@ -1238,6 +1238,26 @@ libxl_device_vtpm *libxl_device_vtpm_lis int libxl_device_vtpm_getinfo(libxl_ctx *ctx, uint32_t domid, libxl_device_vtpm *vtpm, libxl_vtpminfo *vtpminfo); @@ -499,10 +499,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.h #endif /* LIBXL_H */ /* -Index: xen-4.5.1-testing/tools/libxl/libxl_create.c +Index: xen-4.5.2-testing/tools/libxl/libxl_create.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_create.c -+++ xen-4.5.1-testing/tools/libxl/libxl_create.c +--- xen-4.5.2-testing.orig/tools/libxl/libxl_create.c ++++ xen-4.5.2-testing/tools/libxl/libxl_create.c @@ -1141,6 +1141,7 @@ static void domcreate_rebuild_done(libxl libxl__multidev_begin(ao, &dcs->multidev); dcs->multidev.callback = domcreate_launch_dm; @@ -511,10 +511,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_create.c libxl__multidev_prepared(egc, &dcs->multidev, 0); return; -Index: xen-4.5.1-testing/tools/libxl/libxl_device.c +Index: xen-4.5.2-testing/tools/libxl/libxl_device.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_device.c -+++ xen-4.5.1-testing/tools/libxl/libxl_device.c +--- xen-4.5.2-testing.orig/tools/libxl/libxl_device.c ++++ xen-4.5.2-testing/tools/libxl/libxl_device.c @@ -541,6 +541,7 @@ void libxl__multidev_prepared(libxl__egc * The following functions are defined: * libxl__add_disks @@ -556,11 +556,11 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_device.c /******************************************************************************/ int libxl__device_destroy(libxl__gc *gc, libxl__device *dev) -Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h +Index: xen-4.5.2-testing/tools/libxl/libxl_internal.h =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_internal.h -+++ xen-4.5.1-testing/tools/libxl/libxl_internal.h -@@ -1079,6 +1079,7 @@ _hidden int libxl__device_disk_setdefaul +--- xen-4.5.2-testing.orig/tools/libxl/libxl_internal.h ++++ xen-4.5.2-testing/tools/libxl/libxl_internal.h +@@ -1094,6 +1094,7 @@ _hidden int libxl__device_disk_setdefaul _hidden int libxl__device_nic_setdefault(libxl__gc *gc, libxl_device_nic *nic, uint32_t domid); _hidden int libxl__device_vtpm_setdefault(libxl__gc *gc, libxl_device_vtpm *vtpm); @@ -568,7 +568,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h _hidden int libxl__device_vfb_setdefault(libxl__gc *gc, libxl_device_vfb *vfb); _hidden int libxl__device_vkb_setdefault(libxl__gc *gc, libxl_device_vkb *vkb); _hidden int libxl__device_pci_setdefault(libxl__gc *gc, libxl_device_pci *pci); -@@ -2390,6 +2391,10 @@ _hidden void libxl__device_vtpm_add(libx +@@ -2405,6 +2406,10 @@ _hidden void libxl__device_vtpm_add(libx libxl_device_vtpm *vtpm, libxl__ao_device *aodev); @@ -579,7 +579,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h /* Internal function to connect a vkb device */ _hidden int libxl__device_vkb_add(libxl__gc *gc, uint32_t domid, libxl_device_vkb *vkb); -@@ -3014,6 +3019,10 @@ _hidden void libxl__add_vtpms(libxl__egc +@@ -3029,6 +3034,10 @@ _hidden void libxl__add_vtpms(libxl__egc libxl_domain_config *d_config, libxl__multidev *multidev); @@ -590,10 +590,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h /*----- device model creation -----*/ /* First layer; wraps libxl__spawn_spawn. */ -Index: xen-4.5.1-testing/tools/libxl/libxl_types.idl +Index: xen-4.5.2-testing/tools/libxl/libxl_types.idl =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_types.idl -+++ xen-4.5.1-testing/tools/libxl/libxl_types.idl +--- xen-4.5.2-testing.orig/tools/libxl/libxl_types.idl ++++ xen-4.5.2-testing/tools/libxl/libxl_types.idl @@ -540,6 +540,26 @@ libxl_device_channel = Struct("device_ch ])), ]) @@ -659,10 +659,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_types.idl libxl_vcpuinfo = Struct("vcpuinfo", [ ("vcpuid", uint32), ("cpu", uint32), -Index: xen-4.5.1-testing/tools/libxl/libxl_types_internal.idl +Index: xen-4.5.2-testing/tools/libxl/libxl_types_internal.idl =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_types_internal.idl -+++ xen-4.5.1-testing/tools/libxl/libxl_types_internal.idl +--- xen-4.5.2-testing.orig/tools/libxl/libxl_types_internal.idl ++++ xen-4.5.2-testing/tools/libxl/libxl_types_internal.idl @@ -22,6 +22,7 @@ libxl__device_kind = Enumeration("device (6, "VKBD"), (7, "CONSOLE"), @@ -671,10 +671,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_types_internal.idl ]) libxl__console_backend = Enumeration("console_backend", [ -Index: xen-4.5.1-testing/tools/libxl/xl.h +Index: xen-4.5.2-testing/tools/libxl/xl.h =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/xl.h -+++ xen-4.5.1-testing/tools/libxl/xl.h +--- xen-4.5.2-testing.orig/tools/libxl/xl.h ++++ xen-4.5.2-testing/tools/libxl/xl.h @@ -83,6 +83,9 @@ int main_channellist(int argc, char **ar int main_blockattach(int argc, char **argv); int main_blocklist(int argc, char **argv); @@ -685,10 +685,10 @@ Index: xen-4.5.1-testing/tools/libxl/xl.h int main_vtpmattach(int argc, char **argv); int main_vtpmlist(int argc, char **argv); int main_vtpmdetach(int argc, char **argv); -Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c +Index: xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/xl_cmdimpl.c -+++ xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c +--- xen-4.5.2-testing.orig/tools/libxl/xl_cmdimpl.c ++++ xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c @@ -17,6 +17,7 @@ #include "libxl_osdeps.h" @@ -1161,10 +1161,10 @@ Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c int main_vtpmattach(int argc, char **argv) { int opt; -Index: xen-4.5.1-testing/tools/libxl/xl_cmdtable.c +Index: xen-4.5.2-testing/tools/libxl/xl_cmdtable.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/xl_cmdtable.c -+++ xen-4.5.1-testing/tools/libxl/xl_cmdtable.c +--- xen-4.5.2-testing.orig/tools/libxl/xl_cmdtable.c ++++ xen-4.5.2-testing/tools/libxl/xl_cmdtable.c @@ -372,6 +372,21 @@ struct cmd_spec cmd_table[] = { "Destroy a domain's virtual block device", " ", diff --git a/libxl.set-migration-constraints-from-cmdline.patch b/libxl.set-migration-constraints-from-cmdline.patch index 3f53861..515ef4d 100644 --- a/libxl.set-migration-constraints-from-cmdline.patch +++ b/libxl.set-migration-constraints-from-cmdline.patch @@ -88,10 +88,10 @@ Signed-off-by: Olaf Hering tools/libxl/xl_cmdtable.c | 23 ++++++++++++++------- 12 files changed, 159 insertions(+), 21 deletions(-) -Index: xen-4.5.1-testing/docs/man/xl.pod.1 +Index: xen-4.5.2-testing/docs/man/xl.pod.1 =================================================================== ---- xen-4.5.1-testing.orig/docs/man/xl.pod.1 -+++ xen-4.5.1-testing/docs/man/xl.pod.1 +--- xen-4.5.2-testing.orig/docs/man/xl.pod.1 ++++ xen-4.5.2-testing/docs/man/xl.pod.1 @@ -428,6 +428,26 @@ Send instead of config file fro Print huge (!) amount of debug during the migration process. @@ -119,10 +119,10 @@ Index: xen-4.5.1-testing/docs/man/xl.pod.1 =back =item B [I] I I -Index: xen-4.5.1-testing/tools/libxc/include/xenguest.h +Index: xen-4.5.2-testing/tools/libxc/include/xenguest.h =================================================================== ---- xen-4.5.1-testing.orig/tools/libxc/include/xenguest.h -+++ xen-4.5.1-testing/tools/libxc/include/xenguest.h +--- xen-4.5.2-testing.orig/tools/libxc/include/xenguest.h ++++ xen-4.5.2-testing/tools/libxc/include/xenguest.h @@ -28,6 +28,7 @@ #define XCFLAGS_HVM (1 << 2) #define XCFLAGS_STDVGA (1 << 3) @@ -143,10 +143,10 @@ Index: xen-4.5.1-testing/tools/libxc/include/xenguest.h /* callbacks provided by xc_domain_restore */ struct restore_callbacks { -Index: xen-4.5.1-testing/tools/libxc/xc_domain_save.c +Index: xen-4.5.2-testing/tools/libxc/xc_domain_save.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxc/xc_domain_save.c -+++ xen-4.5.1-testing/tools/libxc/xc_domain_save.c +--- xen-4.5.2-testing.orig/tools/libxc/xc_domain_save.c ++++ xen-4.5.2-testing/tools/libxc/xc_domain_save.c @@ -44,6 +44,7 @@ */ #define DEF_MAX_ITERS 29 /* limit us to 30 times round loop */ @@ -219,10 +219,10 @@ Index: xen-4.5.1-testing/tools/libxc/xc_domain_save.c /* * Local variables: * mode: C -Index: xen-4.5.1-testing/tools/libxc/xc_nomigrate.c +Index: xen-4.5.2-testing/tools/libxc/xc_nomigrate.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxc/xc_nomigrate.c -+++ xen-4.5.1-testing/tools/libxc/xc_nomigrate.c +--- xen-4.5.2-testing.orig/tools/libxc/xc_nomigrate.c ++++ xen-4.5.2-testing/tools/libxc/xc_nomigrate.c @@ -21,6 +21,15 @@ #include #include @@ -239,11 +239,11 @@ Index: xen-4.5.1-testing/tools/libxc/xc_nomigrate.c int xc_domain_save(xc_interface *xch, int io_fd, uint32_t dom, uint32_t max_iters, uint32_t max_factor, uint32_t flags, struct save_callbacks* callbacks, int hvm) -Index: xen-4.5.1-testing/tools/libxl/libxl.c +Index: xen-4.5.2-testing/tools/libxl/libxl.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.c -+++ xen-4.5.1-testing/tools/libxl/libxl.c -@@ -951,7 +951,8 @@ static void domain_suspend_cb(libxl__egc +--- xen-4.5.2-testing.orig/tools/libxl/libxl.c ++++ xen-4.5.2-testing/tools/libxl/libxl.c +@@ -958,7 +958,8 @@ static void domain_suspend_cb(libxl__egc } @@ -253,7 +253,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c const libxl_asyncop_how *ao_how) { AO_CREATE(ctx, domid, ao_how); -@@ -972,8 +973,14 @@ int libxl_domain_suspend(libxl_ctx *ctx, +@@ -979,8 +980,14 @@ int libxl_domain_suspend(libxl_ctx *ctx, dss->domid = domid; dss->fd = fd; dss->type = type; @@ -270,7 +270,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c libxl__domain_suspend(egc, dss); return AO_INPROGRESS; -@@ -982,6 +989,20 @@ int libxl_domain_suspend(libxl_ctx *ctx, +@@ -989,6 +996,20 @@ int libxl_domain_suspend(libxl_ctx *ctx, return AO_ABORT(rc); } @@ -291,10 +291,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c int libxl_domain_pause(libxl_ctx *ctx, uint32_t domid) { int ret; -Index: xen-4.5.1-testing/tools/libxl/libxl.h +Index: xen-4.5.2-testing/tools/libxl/libxl.h =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.h -+++ xen-4.5.1-testing/tools/libxl/libxl.h +--- xen-4.5.2-testing.orig/tools/libxl/libxl.h ++++ xen-4.5.2-testing/tools/libxl/libxl.h @@ -959,8 +959,23 @@ int libxl_domain_suspend(libxl_ctx *ctx, int flags, /* LIBXL_SUSPEND_* */ const libxl_asyncop_how *ao_how) @@ -319,10 +319,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.h /* @param suspend_cancel [from xenctrl.h:xc_domain_resume( @param fast )] * If this parameter is true, use co-operative resume. The guest -Index: xen-4.5.1-testing/tools/libxl/libxl_dom.c +Index: xen-4.5.2-testing/tools/libxl/libxl_dom.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_dom.c -+++ xen-4.5.1-testing/tools/libxl/libxl_dom.c +--- xen-4.5.2-testing.orig/tools/libxl/libxl_dom.c ++++ xen-4.5.2-testing/tools/libxl/libxl_dom.c @@ -1815,6 +1815,7 @@ void libxl__domain_suspend(libxl__egc *e dss->xcflags = (live ? XCFLAGS_LIVE : 0) @@ -331,11 +331,11 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_dom.c | (dss->hvm ? XCFLAGS_HVM : 0); dss->guest_evtchn.port = -1; -Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h +Index: xen-4.5.2-testing/tools/libxl/libxl_internal.h =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_internal.h -+++ xen-4.5.1-testing/tools/libxl/libxl_internal.h -@@ -2803,6 +2803,10 @@ struct libxl__domain_suspend_state { +--- xen-4.5.2-testing.orig/tools/libxl/libxl_internal.h ++++ xen-4.5.2-testing/tools/libxl/libxl_internal.h +@@ -2818,6 +2818,10 @@ struct libxl__domain_suspend_state { libxl__ev_evtchn guest_evtchn; int guest_evtchn_lockfd; int hvm; @@ -346,10 +346,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_internal.h int xcflags; int guest_responded; libxl__xswait_state pvcontrol; -Index: xen-4.5.1-testing/tools/libxl/libxl_save_callout.c +Index: xen-4.5.2-testing/tools/libxl/libxl_save_callout.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_save_callout.c -+++ xen-4.5.1-testing/tools/libxl/libxl_save_callout.c +--- xen-4.5.2-testing.orig/tools/libxl/libxl_save_callout.c ++++ xen-4.5.2-testing/tools/libxl/libxl_save_callout.c @@ -110,7 +110,9 @@ void libxl__xc_domain_save(libxl__egc *e } @@ -361,10 +361,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_save_callout.c toolstack_data_fd, toolstack_data_len, cbflags, }; -Index: xen-4.5.1-testing/tools/libxl/libxl_save_helper.c +Index: xen-4.5.2-testing/tools/libxl/libxl_save_helper.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_save_helper.c -+++ xen-4.5.1-testing/tools/libxl/libxl_save_helper.c +--- xen-4.5.2-testing.orig/tools/libxl/libxl_save_helper.c ++++ xen-4.5.2-testing/tools/libxl/libxl_save_helper.c @@ -215,6 +215,7 @@ int main(int argc, char **argv) uint32_t dom = strtoul(NEXTARG,0,10); uint32_t max_iters = strtoul(NEXTARG,0,10); @@ -383,10 +383,10 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_save_helper.c &helper_save_callbacks, hvm); complete(r); -Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c +Index: xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/xl_cmdimpl.c -+++ xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c +--- xen-4.5.2-testing.orig/tools/libxl/xl_cmdimpl.c ++++ xen-4.5.2-testing/tools/libxl/xl_cmdimpl.c @@ -3880,6 +3880,8 @@ static void migrate_do_preamble(int send } @@ -477,10 +477,10 @@ Index: xen-4.5.1-testing/tools/libxl/xl_cmdimpl.c return 0; } #endif -Index: xen-4.5.1-testing/tools/libxl/xl_cmdtable.c +Index: xen-4.5.2-testing/tools/libxl/xl_cmdtable.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/xl_cmdtable.c -+++ xen-4.5.1-testing/tools/libxl/xl_cmdtable.c +--- xen-4.5.2-testing.orig/tools/libxl/xl_cmdtable.c ++++ xen-4.5.2-testing/tools/libxl/xl_cmdtable.c @@ -155,14 +155,21 @@ struct cmd_spec cmd_table[] = { &main_migrate, 0, 1, "Migrate a domain to another host", diff --git a/local_attach_support_for_phy.patch b/local_attach_support_for_phy.patch index b04ffc1..ad98e88 100644 --- a/local_attach_support_for_phy.patch +++ b/local_attach_support_for_phy.patch @@ -10,11 +10,11 @@ Date: Wed Feb 12 11:15:17 2014 +0100 Suggested-by: Ian Campbell -Index: xen-4.5.1-testing/tools/libxl/libxl.c +Index: xen-4.5.2-testing/tools/libxl/libxl.c =================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.c -+++ xen-4.5.1-testing/tools/libxl/libxl.c -@@ -3060,6 +3060,16 @@ void libxl__device_disk_local_initiate_a +--- xen-4.5.2-testing.orig/tools/libxl/libxl.c ++++ xen-4.5.2-testing/tools/libxl/libxl.c +@@ -3067,6 +3067,16 @@ void libxl__device_disk_local_initiate_a switch (disk->backend) { case LIBXL_DISK_BACKEND_PHY: @@ -31,7 +31,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c LIBXL__LOG(ctx, LIBXL__LOG_DEBUG, "locally attaching PHY disk %s", disk->pdev_path); dev = disk->pdev_path; -@@ -3139,7 +3149,7 @@ static void local_device_attach_cb(libxl +@@ -3146,7 +3156,7 @@ static void local_device_attach_cb(libxl } dev = GCSPRINTF("/dev/%s", disk->vdev); @@ -40,7 +40,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c rc = libxl__device_from_disk(gc, LIBXL_TOOLSTACK_DOMID, disk, &device); if (rc < 0) -@@ -3179,6 +3189,7 @@ void libxl__device_disk_local_initiate_d +@@ -3186,6 +3196,7 @@ void libxl__device_disk_local_initiate_d if (!dls->diskpath) goto out; switch (disk->backend) { @@ -48,7 +48,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl.c case LIBXL_DISK_BACKEND_QDISK: if (disk->vdev != NULL) { GCNEW(device); -@@ -3196,7 +3207,6 @@ void libxl__device_disk_local_initiate_d +@@ -3203,7 +3214,6 @@ void libxl__device_disk_local_initiate_d /* disk->vdev == NULL; fall through */ default: /* diff --git a/qemu-dm-segfault.patch b/qemu-dm-segfault.patch index 5dc60e4..df87084 100644 --- a/qemu-dm-segfault.patch +++ b/qemu-dm-segfault.patch @@ -1,7 +1,7 @@ -Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c +Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c =================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c -+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c +--- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c ++++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c @@ -935,8 +935,9 @@ static inline void ide_dma_submit_check( static inline void ide_set_irq(IDEState *s) @@ -74,7 +74,7 @@ Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c if (ret < 0) { ide_atapi_io_error(s, ret); -@@ -2372,7 +2375,7 @@ static void cdrom_change_cb(void *opaque +@@ -2365,7 +2368,7 @@ static void cdrom_change_cb(void *opaque IDEState *s = opaque; uint64_t nb_sectors; diff --git a/qemu-xen-dir-remote.tar.bz2 b/qemu-xen-dir-remote.tar.bz2 index 62490b1..465314b 100644 --- a/qemu-xen-dir-remote.tar.bz2 +++ b/qemu-xen-dir-remote.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c1f3014c64957d0943cdef7b63bc57e2b753f9be658a031b441f6231814e6ba4 -size 8191253 +oid sha256:22d2fccd2c9f323897279d5adefaaf21e8c3eb61670f4bb4937a5c993b012643 +size 8167861 diff --git a/qemu-xen-traditional-dir-remote.tar.bz2 b/qemu-xen-traditional-dir-remote.tar.bz2 index ba78fee..5012c52 100644 --- a/qemu-xen-traditional-dir-remote.tar.bz2 +++ b/qemu-xen-traditional-dir-remote.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:1d948c7524aee977d46bee0cb7666fd5fd6871ea5e201fcdc0680440d5b9b2b5 -size 3231835 +oid sha256:d08a4031b593048672772d438366f2242ca09a792949935293de5d663042f587 +size 3230082 diff --git a/seabios-dir-remote.tar.bz2 b/seabios-dir-remote.tar.bz2 index 5110a6c..3e80d16 100644 --- a/seabios-dir-remote.tar.bz2 +++ b/seabios-dir-remote.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:886bc593d99d6c7d7c1bf23cd9ea1254edcbc603a6ca300bcd96fa6961dc8df3 -size 444471 +oid sha256:772e5efd44072d44438d7e0b93ce9dec70823d6affc516249e3aabe65ebd607d +size 444597 diff --git a/stubdom.tar.bz2 b/stubdom.tar.bz2 index 113cc6a..f721f7d 100644 --- a/stubdom.tar.bz2 +++ b/stubdom.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:fe87c8073c4c8ccb0a1d9bf955fbace904018f3e52b80bc29b48de511175dfcc -size 17477740 +oid sha256:990c3470aa76d9106da860b0e67b1fb36c33281a3e26e58ec89df6f44a0be037 +size 17477301 diff --git a/xen-4.5.1-testing-src.tar.bz2 b/xen-4.5.1-testing-src.tar.bz2 deleted file mode 100644 index 70880da..0000000 --- a/xen-4.5.1-testing-src.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f8a182d001a54238b2420b7e0160e9f5827b4bf802fa958d31e8a44ec697fe7b -size 4119504 diff --git a/xen-4.5.2-testing-src.tar.bz2 b/xen-4.5.2-testing-src.tar.bz2 new file mode 100644 index 0000000..ee9bac1 --- /dev/null +++ b/xen-4.5.2-testing-src.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ef9016f97076f85298500a01a3d4b4f6a4a3d608780233ef8bc78bd80ee71734 +size 4124919 diff --git a/xen.changes b/xen.changes index 03fe56c..d9defd8 100644 --- a/xen.changes +++ b/xen.changes @@ -1,3 +1,68 @@ +------------------------------------------------------------------- +Wed Nov 4 10:33:59 MST 2015 - carnold@suse.com + +- Update to Xen 4.5.2 + xen-4.5.2-testing-src.tar.bz2 +- Drop the following + xen-4.5.1-testing-src.tar.bz2 + 552d0f49-x86-traps-identify-the-vcpu-in-context-when-dumping-regs.patch + 5576f178-kexec-add-more-pages-to-v1-environment.patch + 55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch + 558bfaa0-x86-traps-avoid-using-current-too-early.patch + 5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch + 559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch + 559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch + 559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch + 559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch + 559bdde5-pull-in-latest-linux-earlycpio.patch + 55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch + 55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch + 55a77e4f-dmar-device-scope-mem-leak-fix.patch + 55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch + 55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch + 55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch + 55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch + 55e43fd8-x86-NUMA-fix-setup_node.patch + 55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch + 55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch + 55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch + 55f9345b-x86-MSI-fail-if-no-hardware-support.patch + 5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch + 560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch + 560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch + 560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch + 560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch + 560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch + 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch + 561d20a0-x86-hide-MWAITX-from-PV-domains.patch + 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch + 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch + CVE-2015-4106-xsa131-9.patch CVE-2015-3259-xsa137.patch + CVE-2015-7311-xsa142.patch CVE-2015-7835-xsa148.patch + xsa139-qemuu.patch xsa140-qemuu-1.patch xsa140-qemuu-2.patch + xsa140-qemuu-3.patch xsa140-qemuu-4.patch xsa140-qemuu-5.patch + xsa140-qemuu-6.patch xsa140-qemuu-7.patch xsa140-qemut-1.patch + xsa140-qemut-2.patch xsa140-qemut-3.patch xsa140-qemut-4.patch + xsa140-qemut-5.patch xsa140-qemut-6.patch xsa140-qemut-7.patch + xsa151.patch xsa152.patch xsa153-libxl.patch + CVE-2015-5154-qemuu-check-array-bounds-before-writing-to-io_buffer.patch + CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch + CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch + CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch + CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch + CVE-2015-5154-qemut-clear-DRQ-after-handling-all-expected-accesses.patch + CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch + CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch + CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch + CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch" + +------------------------------------------------------------------- +Mon Nov 2 11:21:15 MST 2015 - carnold@suse.com + +- bsc#950704 - CVE-2015-7970 VUL-1: xen: x86: Long latency + populate-on-demand operation is not preemptible (XSA-150) + 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch + ------------------------------------------------------------------- Wed Oct 28 09:47:38 MDT 2015 - carnold@suse.com diff --git a/xen.spec b/xen.spec index 6bd7b9d..df76960 100644 --- a/xen.spec +++ b/xen.spec @@ -20,7 +20,7 @@ Name: xen ExclusiveArch: %ix86 x86_64 %arm aarch64 %define changeset 30152 -%define xen_build_dir xen-4.5.1-testing +%define xen_build_dir xen-4.5.2-testing # %define with_kmp 0 %define with_debug 0 @@ -31,7 +31,7 @@ ExclusiveArch: %ix86 x86_64 %arm aarch64 %define with_oxenstored 0 # %ifarch x86_64 -%define with_kmp 1 +%define with_kmp 0 %define with_debug 1 %define with_stubdom 1 %define with_gdbsx 1 @@ -158,12 +158,12 @@ BuildRequires: xorg-x11-util-devel %endif %endif -Version: 4.5.1_13 +Version: 4.5.2_01 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0 Group: System/Kernel -Source0: xen-4.5.1-testing-src.tar.bz2 +Source0: xen-4.5.2-testing-src.tar.bz2 Source1: stubdom.tar.bz2 Source2: qemu-xen-traditional-dir-remote.tar.bz2 Source3: qemu-xen-dir-remote.tar.bz2 @@ -204,79 +204,26 @@ Source20000: xenalyze.hg.tar.bz2 Patch1: 54f4985f-libxl-fix-libvirtd-double-free.patch Patch2: 55103616-vm-assist-prepare-for-discontiguous-used-bit-numbers.patch Patch3: 551ac326-xentop-add-support-for-qdisk.patch -Patch4: 552d0f49-x86-traps-identify-the-vcpu-in-context-when-dumping-regs.patch -Patch5: 552d293b-x86-vMSI-X-honor-all-mask-requests.patch -Patch6: 552d2966-x86-vMSI-X-add-valid-bits-for-read-acceleration.patch -Patch7: 5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch -Patch8: 5548e903-domctl-don-t-truncate-XEN_DOMCTL_max_mem-requests.patch -Patch9: 5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch -Patch10: 554cc211-libxl-add-qxl.patch -Patch11: 556d973f-unmodified-drivers-tolerate-IRQF_DISABLED-being-undefined.patch -Patch12: 5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch -Patch13: 5576f178-kexec-add-more-pages-to-v1-environment.patch -Patch14: 55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch -Patch15: 55795a52-x86-vMSI-X-support-qword-MMIO-access.patch -Patch16: 5583d9c5-x86-MSI-X-cleanup.patch -Patch17: 5583da09-x86-MSI-track-host-and-guest-masking-separately.patch -Patch18: 558bfaa0-x86-traps-avoid-using-current-too-early.patch -Patch19: 5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch -Patch20: 559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch -Patch21: 559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch -Patch22: 559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch -Patch23: 559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch -Patch24: 559bdde5-pull-in-latest-linux-earlycpio.patch -Patch25: 55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch -Patch26: 55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch -Patch27: 55a77e4f-dmar-device-scope-mem-leak-fix.patch -Patch28: 55b0a218-x86-PCI-CFG-write-intercept.patch -Patch29: 55b0a255-x86-MSI-X-maskall.patch -Patch30: 55b0a283-x86-MSI-X-teardown.patch -Patch31: 55b0a2ab-x86-MSI-X-enable.patch -Patch32: 55b0a2db-x86-MSI-track-guest-masking.patch -Patch33: 55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch -Patch34: 55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch -Patch35: 55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch -Patch36: 55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch -Patch37: 55e43fd8-x86-NUMA-fix-setup_node.patch -Patch38: 55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch -Patch39: 55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch -Patch40: 55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch -Patch41: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch -Patch42: 55f9345b-x86-MSI-fail-if-no-hardware-support.patch -Patch43: 5604f239-x86-PV-properly-populate-descriptor-tables.patch -Patch44: 5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch -Patch45: 560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch -Patch46: 560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch -Patch47: 560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch -Patch48: 560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch -Patch49: 560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch -Patch50: 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch -Patch51: 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch -Patch52: 561d20a0-x86-hide-MWAITX-from-PV-domains.patch -Patch53: 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch -Patch131: CVE-2015-4106-xsa131-9.patch -Patch137: CVE-2015-3259-xsa137.patch -Patch139: xsa139-qemuu.patch -Patch14001: xsa140-qemuu-1.patch -Patch14002: xsa140-qemuu-2.patch -Patch14003: xsa140-qemuu-3.patch -Patch14004: xsa140-qemuu-4.patch -Patch14005: xsa140-qemuu-5.patch -Patch14006: xsa140-qemuu-6.patch -Patch14007: xsa140-qemuu-7.patch -Patch14011: xsa140-qemut-1.patch -Patch14012: xsa140-qemut-2.patch -Patch14013: xsa140-qemut-3.patch -Patch14014: xsa140-qemut-4.patch -Patch14015: xsa140-qemut-5.patch -Patch14016: xsa140-qemut-6.patch -Patch14017: xsa140-qemut-7.patch -Patch142: CVE-2015-7311-xsa142.patch -Patch148: CVE-2015-7835-xsa148.patch +Patch4: 552d293b-x86-vMSI-X-honor-all-mask-requests.patch +Patch5: 552d2966-x86-vMSI-X-add-valid-bits-for-read-acceleration.patch +Patch6: 5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch +Patch7: 5548e903-domctl-don-t-truncate-XEN_DOMCTL_max_mem-requests.patch +Patch8: 5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch +Patch9: 554cc211-libxl-add-qxl.patch +Patch10: 556d973f-unmodified-drivers-tolerate-IRQF_DISABLED-being-undefined.patch +Patch11: 5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch +Patch12: 55795a52-x86-vMSI-X-support-qword-MMIO-access.patch +Patch13: 5583d9c5-x86-MSI-X-cleanup.patch +Patch14: 5583da09-x86-MSI-track-host-and-guest-masking-separately.patch +Patch15: 55b0a218-x86-PCI-CFG-write-intercept.patch +Patch16: 55b0a255-x86-MSI-X-maskall.patch +Patch17: 55b0a283-x86-MSI-X-teardown.patch +Patch18: 55b0a2ab-x86-MSI-X-enable.patch +Patch19: 55b0a2db-x86-MSI-track-guest-masking.patch +Patch20: 55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch +Patch21: 5604f239-x86-PV-properly-populate-descriptor-tables.patch +Patch22: 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch Patch149: xsa149.patch -Patch151: xsa151.patch -Patch152: xsa152.patch -Patch153: xsa153-libxl.patch # Upstream qemu Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch @@ -287,20 +234,10 @@ Patch255: 0005-e1000-multi-buffer-packet-support.patch Patch256: 0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch Patch258: 0008-e1000-check-buffer-availability.patch -Patch259: CVE-2015-5154-qemuu-check-array-bounds-before-writing-to-io_buffer.patch -Patch260: CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch -Patch261: CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch -Patch262: CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch -Patch263: CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch -Patch264: CVE-2015-5154-qemut-clear-DRQ-after-handling-all-expected-accesses.patch -Patch265: CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch -Patch266: CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch -Patch267: CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch -Patch268: CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch -Patch269: CVE-2015-4037-qemuu-smb-config-dir-name.patch -Patch270: CVE-2015-4037-qemut-smb-config-dir-name.patch -Patch271: CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch -Patch272: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch +Patch259: CVE-2015-4037-qemuu-smb-config-dir-name.patch +Patch260: CVE-2015-4037-qemut-smb-config-dir-name.patch +Patch261: CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch +Patch262: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch # Our platform specific patches Patch301: xen-destdir.patch Patch302: vif-bridge-no-iptables.patch @@ -642,60 +579,7 @@ Authors: %patch20 -p1 %patch21 -p1 %patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 -%patch29 -p1 -%patch30 -p1 -%patch31 -p1 -%patch32 -p1 -%patch33 -p1 -%patch34 -p1 -%patch35 -p1 -%patch36 -p1 -%patch37 -p1 -%patch38 -p1 -%patch39 -p1 -%patch40 -p1 -%patch41 -p1 -%patch42 -p1 -%patch43 -p1 -%patch44 -p1 -%patch45 -p1 -%patch46 -p1 -%patch47 -p1 -%patch48 -p1 -%patch49 -p1 -%patch50 -p1 -%patch51 -p1 -%patch52 -p1 -%patch53 -p1 -%patch131 -p1 -%patch137 -p1 -%patch139 -p1 -%patch14001 -p1 -%patch14002 -p1 -%patch14003 -p1 -%patch14004 -p1 -%patch14005 -p1 -%patch14006 -p1 -%patch14007 -p1 -%patch14011 -p1 -%patch14012 -p1 -%patch14013 -p1 -%patch14014 -p1 -%patch14015 -p1 -%patch14016 -p1 -%patch14017 -p1 -%patch142 -p1 -%patch148 -p1 %patch149 -p1 -%patch151 -p1 -%patch152 -p1 -%patch153 -p1 # Upstream qemu patches %patch250 -p1 %patch251 -p1 @@ -710,16 +594,6 @@ Authors: %patch260 -p1 %patch261 -p1 %patch262 -p1 -%patch263 -p1 -%patch264 -p1 -%patch265 -p1 -%patch266 -p1 -%patch267 -p1 -%patch268 -p1 -%patch269 -p1 -%patch270 -p1 -%patch271 -p1 -%patch272 -p1 # Our platform specific patches %patch301 -p1 %patch302 -p1 diff --git a/xsa139-qemuu.patch b/xsa139-qemuu.patch deleted file mode 100644 index 5316f1e..0000000 --- a/xsa139-qemuu.patch +++ /dev/null @@ -1,37 +0,0 @@ -References: bsc#939709 XSA-139 - -pci_piix3_xen_ide_unplug should completely unhook the unplugged -IDEDevice from the corresponding BlockBackend, otherwise the next call -to release_drive will try to detach the drive again. - -Suggested-by: Kevin Wolf -Signed-off-by: Stefano Stabellini ---- - hw/ide/piix.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/piix.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/ide/piix.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/piix.c -@@ -172,6 +172,7 @@ int pci_piix3_xen_ide_unplug(DeviceState - PCIIDEState *pci_ide; - DriveInfo *di; - int i = 0; -+ IDEDevice *idedev; - - pci_ide = PCI_IDE(dev); - -@@ -184,6 +185,12 @@ int pci_piix3_xen_ide_unplug(DeviceState - } - bdrv_close(di->bdrv); - pci_ide->bus[di->bus].ifs[di->unit].bs = NULL; -+ if (!(i % 2)) { -+ idedev = pci_ide->bus[di->bus].master; -+ } else { -+ idedev = pci_ide->bus[di->bus].slave; -+ } -+ idedev->conf.bs = NULL; - drive_put_ref(di); - } - } diff --git a/xsa140-qemut-1.patch b/xsa140-qemut-1.patch deleted file mode 100644 index 041ebbb..0000000 --- a/xsa140-qemut-1.patch +++ /dev/null @@ -1,78 +0,0 @@ -References: bsc#939712 XSA-140 - -From 5e0c290415b9d57077a86e70c8e6a058868334d3 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:16:58 +0100 -Subject: [PATCH 1/7] rtl8139: avoid nested ifs in IP header parsing - -Transmit offload needs to parse packet headers. If header fields have -unexpected values the offload processing is skipped. - -The code currently uses nested ifs because there is relatively little -input validation. The next patches will add missing input validation -and a goto label is more appropriate to avoid deep if statement nesting. - -Signed-off-by: Stefan Hajnoczi ---- - hw/rtl8139.c | 41 ++++++++++++++++++++++------------------- - 1 file changed, 22 insertions(+), 19 deletions(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -@@ -2113,26 +2113,30 @@ static int rtl8139_cplus_transmit_one(RT - size_t eth_payload_len = 0; - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); -- if (proto == ETH_P_IP) -+ if (proto != ETH_P_IP) - { -- DEBUG_PRINT(("RTL8139: +++ C+ mode has IP packet\n")); -+ goto skip_offload; -+ } - -- /* not aligned */ -- eth_payload_data = saved_buffer + ETH_HLEN; -- eth_payload_len = saved_size - ETH_HLEN; -- -- ip = (ip_header*)eth_payload_data; -- -- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -- DEBUG_PRINT(("RTL8139: +++ C+ mode packet has bad IP version %d expected %d\n", IP_HEADER_VERSION(ip), IP_HEADER_VERSION_4)); -- ip = NULL; -- } else { -- hlen = IP_HEADER_LENGTH(ip); -- ip_protocol = ip->ip_p; -- ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -- } -+ DEBUG_PRINT(("RTL8139: +++ C+ mode has IP packet\n")); -+ -+ /* not aligned */ -+ eth_payload_data = saved_buffer + ETH_HLEN; -+ eth_payload_len = saved_size - ETH_HLEN; -+ -+ ip = (ip_header*)eth_payload_data; -+ -+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -+ DEBUG_PRINT(("RTL8139: +++ C+ mode packet has bad IP version %d " -+ "expected %d\n", IP_HEADER_VERSION(ip), -+ IP_HEADER_VERSION_4)); -+ goto skip_offload; - } - -+ hlen = IP_HEADER_LENGTH(ip); -+ ip_protocol = ip->ip_p; -+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -+ - if (ip) - { - if (txdw0 & CP_TX_IPCS) -@@ -2315,6 +2319,7 @@ static int rtl8139_cplus_transmit_one(RT - } - } - -+skip_offload: - /* update tally counter */ - ++s->tally_counters.TxOk; - diff --git a/xsa140-qemut-2.patch b/xsa140-qemut-2.patch deleted file mode 100644 index d659e37..0000000 --- a/xsa140-qemut-2.patch +++ /dev/null @@ -1,339 +0,0 @@ -References: bsc#939712 XSA-140 - -From 2d7d80e8dc160904fa7276cc05da26c062a50066 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:16:59 +0100 -Subject: [PATCH 2/7] rtl8139: drop tautologous if (ip) {...} statement - -The previous patch stopped using the ip pointer as an indicator that the -IP header is present. When we reach the if (ip) {...} statement we know -ip is always non-NULL. - -Remove the if statement to reduce nesting. - -Signed-off-by: Stefan Hajnoczi ---- - hw/rtl8139.c | 305 +++++++++++++++++++++++++++---------------------------- - 1 file changed, 151 insertions(+), 154 deletions(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -@@ -2137,187 +2137,184 @@ static int rtl8139_cplus_transmit_one(RT - ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; - -- if (ip) -+ if (txdw0 & CP_TX_IPCS) - { -- if (txdw0 & CP_TX_IPCS) -- { -- DEBUG_PRINT(("RTL8139: +++ C+ mode need IP checksum\n")); -+ DEBUG_PRINT(("RTL8139: +++ C+ mode need IP checksum\n")); - -- if (hleneth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DEBUG_PRINT(("RTL8139: +++ C+ mode IP header len=%d checksum=%04x\n", hlen, ip->ip_sum)); -- } -+ if (hleneth_payload_len) {/* min header length */ -+ /* bad packet header len */ -+ /* or packet too short */ - } -- -- if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ else - { --#if defined (DEBUG_RTL8139) -- int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; --#endif -- DEBUG_PRINT(("RTL8139: +++ C+ mode offloaded task TSO MTU=%d IP data %d frame data %d specified MSS=%d\n", -- ETH_MTU, ip_data_len, saved_size - ETH_HLEN, large_send_mss)); -- -- int tcp_send_offset = 0; -- int send_count = 0; -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DEBUG_PRINT(("RTL8139: +++ C+ mode IP header len=%d checksum=%04x\n", hlen, ip->ip_sum)); -+ } -+ } - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -+ if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ { -+ int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; - -- /* save IP header template; data area is used in tcp checksum calculation */ -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ DEBUG_PRINT(("RTL8139: +++ C+ mode offloaded task TSO MTU=%d IP data %d frame data %d specified MSS=%d\n", -+ ETH_MTU, ip_data_len, saved_size - ETH_HLEN, large_send_mss)); - -- /* a placeholder for checksum calculation routine in tcp case */ -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ int tcp_send_offset = 0; -+ int send_count = 0; - -- /* pointer to TCP header */ -- tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; - -- int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); -+ /* save IP header template; data area is used in tcp checksum calculation */ -+ memcpy(saved_ip_header, eth_payload_data, hlen); - -- /* ETH_MTU = ip header len + tcp header len + payload */ -- int tcp_data_len = ip_data_len - tcp_hlen; -- int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; -+ /* a placeholder for checksum calculation routine in tcp case */ -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; - -- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO IP data len %d TCP hlen %d TCP data len %d TCP chunk size %d\n", -- ip_data_len, tcp_hlen, tcp_data_len, tcp_chunk_size)); -+ /* pointer to TCP header */ -+ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); - -- /* note the cycle below overwrites IP header data, -- but restores it from saved_ip_header before sending packet */ -+ int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -- int is_last_frame = 0; -+ /* ETH_MTU = ip header len + tcp header len + payload */ -+ int tcp_data_len = ip_data_len - tcp_hlen; -+ int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; - -- for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) -- { -- uint16_t chunk_size = tcp_chunk_size; -+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO IP data len %d TCP hlen %d TCP data len %d TCP chunk size %d\n", -+ ip_data_len, tcp_hlen, tcp_data_len, tcp_chunk_size)); - -- /* check if this is the last frame */ -- if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -- { -- is_last_frame = 1; -- chunk_size = tcp_data_len - tcp_send_offset; -- } -+ /* note the cycle below overwrites IP header data, -+ but restores it from saved_ip_header before sending packet */ - -- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO TCP seqno %08x\n", be32_to_cpu(p_tcp_hdr->th_seq))); -+ int is_last_frame = 0; - -- /* add 4 TCP pseudoheader fields */ -- /* copy IP source and destination fields */ -- memcpy(data_to_checksum, saved_ip_header + 12, 8); -+ for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) -+ { -+ uint16_t chunk_size = tcp_chunk_size; - -- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO calculating TCP checksum for packet with %d bytes data\n", tcp_hlen + chunk_size)); -+ /* check if this is the last frame */ -+ if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -+ { -+ is_last_frame = 1; -+ chunk_size = tcp_data_len - tcp_send_offset; -+ } - -- if (tcp_send_offset) -- { -- memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -- } -+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO TCP seqno %08x\n", be32_to_cpu(p_tcp_hdr->th_seq))); - -- /* keep PUSH and FIN flags only for the last frame */ -- if (!is_last_frame) -- { -- TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -- } -+ /* add 4 TCP pseudoheader fields */ -+ /* copy IP source and destination fields */ -+ memcpy(data_to_checksum, saved_ip_header + 12, 8); - -- /* recalculate TCP checksum */ -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); -+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO calculating TCP checksum for packet with %d bytes data\n", tcp_hlen + chunk_size)); - -- p_tcp_hdr->th_sum = 0; -+ if (tcp_send_offset) -+ { -+ DEBUG_PRINT(("RTL8139: +++ C+ mode calculating TCP checksum for packet with %d bytes data\n", ip_data_len)); -+ memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -+ } - -- int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO TCP checksum %04x\n", tcp_checksum)); -+ /* keep PUSH and FIN flags only for the last frame */ -+ if (!is_last_frame) -+ { -+ TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -+ } - -- p_tcp_hdr->th_sum = tcp_checksum; -+ /* recalculate TCP checksum */ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); - -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -+ p_tcp_hdr->th_sum = 0; - -- /* set IP data length and recalculate IP checksum */ -- ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); -+ int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO TCP checksum %04x\n", tcp_checksum)); - -- /* increment IP id for subsequent frames */ -- ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); -+ p_tcp_hdr->th_sum = tcp_checksum; - -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(eth_payload_data, hlen); -- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO IP header len=%d checksum=%04x\n", hlen, ip->ip_sum)); -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - -- int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -- DEBUG_PRINT(("RTL8139: +++ C+ mode TSO transferring packet size %d\n", tso_send_size)); -- rtl8139_transfer_frame(s, saved_buffer, tso_send_size, 0); -+ /* set IP data length and recalculate IP checksum */ -+ ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); - -- /* add transferred count to TCP sequence number */ -- p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -- ++send_count; -- } -+ /* increment IP id for subsequent frames */ -+ ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); - -- /* Stop sending this frame */ -- saved_size = 0; -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(eth_payload_data, hlen); -+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO IP header len=%d checksum=%04x\n", hlen, ip->ip_sum)); -+ -+ int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -+ DEBUG_PRINT(("RTL8139: +++ C+ mode TSO transferring packet size %d\n", tso_send_size)); -+ rtl8139_transfer_frame(s, saved_buffer, tso_send_size, 0); -+ -+ /* add transferred count to TCP sequence number */ -+ p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -+ ++send_count; - } -- else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -- { -- DEBUG_PRINT(("RTL8139: +++ C+ mode need TCP or UDP checksum\n")); - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ /* Stop sending this frame */ -+ saved_size = 0; -+ } -+ else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ { -+ DEBUG_PRINT(("RTL8139: +++ C+ mode need TCP or UDP checksum\n")); - -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; -+ memcpy(saved_ip_header, eth_payload_data, hlen); - -- /* add 4 TCP pseudoheader fields */ -- /* copy IP source and destination fields */ -- memcpy(data_to_checksum, saved_ip_header + 12, 8); -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; - -- if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -- { -- DEBUG_PRINT(("RTL8139: +++ C+ mode calculating TCP checksum for packet with %d bytes data\n", ip_data_len)); -+ /* add 4 TCP pseudoheader fields */ -+ /* copy IP source and destination fields */ -+ memcpy(data_to_checksum, saved_ip_header + 12, 8); - -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ { -+ DEBUG_PRINT(("RTL8139: +++ C+ mode calculating TCP checksum for packet with %d bytes data\n", ip_data_len)); - -- tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); - -- p_tcp_hdr->th_sum = 0; -+ tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); - -- int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DEBUG_PRINT(("RTL8139: +++ C+ mode TCP checksum %04x\n", tcp_checksum)); -+ p_tcp_hdr->th_sum = 0; - -- p_tcp_hdr->th_sum = tcp_checksum; -- } -- else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -- { -- DEBUG_PRINT(("RTL8139: +++ C+ mode calculating UDP checksum for packet with %d bytes data\n", ip_data_len)); -+ int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DEBUG_PRINT(("RTL8139: +++ C+ mode TCP checksum %04x\n", tcp_checksum)); - -- ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_udpip_hdr->zeros = 0; -- p_udpip_hdr->ip_proto = IP_PROTO_UDP; -- p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ p_tcp_hdr->th_sum = tcp_checksum; -+ } -+ else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -+ { -+ DEBUG_PRINT(("RTL8139: +++ C+ mode calculating UDP checksum for packet with %d bytes data\n", ip_data_len)); - -- udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_udpip_hdr->zeros = 0; -+ p_udpip_hdr->ip_proto = IP_PROTO_UDP; -+ p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); - -- p_udp_hdr->uh_sum = 0; -+ udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); - -- int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DEBUG_PRINT(("RTL8139: +++ C+ mode UDP checksum %04x\n", udp_checksum)); -+ p_udp_hdr->uh_sum = 0; - -- p_udp_hdr->uh_sum = udp_checksum; -- } -+ int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DEBUG_PRINT(("RTL8139: +++ C+ mode UDP checksum %04x\n", udp_checksum)); - -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -+ p_udp_hdr->uh_sum = udp_checksum; - } -+ -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - } -- } -+ } - - skip_offload: - /* update tally counter */ diff --git a/xsa140-qemut-3.patch b/xsa140-qemut-3.patch deleted file mode 100644 index a60e186..0000000 --- a/xsa140-qemut-3.patch +++ /dev/null @@ -1,38 +0,0 @@ -References: bsc#939712 XSA-140 - -From 043d28507ef7c5fdc34866f5e3b27a72bd0cd072 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:00 +0100 -Subject: [PATCH 3/7] rtl8139: skip offload on short Ethernet/IP header - -Transmit offload features access Ethernet and IP headers the packet. If -the packet is too short we must not attempt to access header fields: - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); - ... - eth_payload_data = saved_buffer + ETH_HLEN; - ... - ip = (ip_header*)eth_payload_data; - if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { - -Signed-off-by: Stefan Hajnoczi ---- - hw/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -@@ -2103,6 +2103,11 @@ static int rtl8139_cplus_transmit_one(RT - #define ETH_HLEN 14 - #define ETH_MTU 1500 - -+ /* Large enough for Ethernet and IP headers? */ -+ if (saved_size < ETH_HLEN + sizeof(ip_header)) { -+ goto skip_offload; -+ } -+ - /* ip packet header */ - ip_header *ip = 0; - int hlen = 0; diff --git a/xsa140-qemut-4.patch b/xsa140-qemut-4.patch deleted file mode 100644 index d31890d..0000000 --- a/xsa140-qemut-4.patch +++ /dev/null @@ -1,50 +0,0 @@ -References: bsc#939712 XSA-140 - -From 5a75d242fe019d05b46ef9bc330a6892525c84a7 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:01 +0100 -Subject: [PATCH 4/7] rtl8139: check IP Header Length field - -The IP Header Length field was only checked in the IP checksum case, but -is used in other cases too. - -Signed-off-by: Stefan Hajnoczi ---- - hw/rtl8139.c | 19 ++++++++----------- - 1 file changed, 8 insertions(+), 11 deletions(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -@@ -2139,6 +2139,10 @@ static int rtl8139_cplus_transmit_one(RT - } - - hlen = IP_HEADER_LENGTH(ip); -+ if (hlen < sizeof(ip_header) || hlen > eth_payload_len) { -+ goto skip_offload; -+ } -+ - ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; - -@@ -2146,16 +2150,9 @@ static int rtl8139_cplus_transmit_one(RT - { - DEBUG_PRINT(("RTL8139: +++ C+ mode need IP checksum\n")); - -- if (hleneth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DEBUG_PRINT(("RTL8139: +++ C+ mode IP header len=%d checksum=%04x\n", hlen, ip->ip_sum)); -- } -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DEBUG_PRINT(("RTL8139: +++ C+ mode IP header len=%d checksum=%04x\n", hlen, ip->ip_sum)); - } - - if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) diff --git a/xsa140-qemut-5.patch b/xsa140-qemut-5.patch deleted file mode 100644 index 11e7b88..0000000 --- a/xsa140-qemut-5.patch +++ /dev/null @@ -1,33 +0,0 @@ -References: bsc#939712 XSA-140 - -From 6c79ea275d72bc1fd88bdcf1e7d231b2c9c865de Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:02 +0100 -Subject: [PATCH 5/7] rtl8139: check IP Total Length field - -The IP Total Length field includes the IP header and data. Make sure it -is valid and does not exceed the Ethernet payload size. - -Signed-off-by: Stefan Hajnoczi ---- - hw/rtl8139.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -@@ -2144,7 +2144,12 @@ static int rtl8139_cplus_transmit_one(RT - } - - ip_protocol = ip->ip_p; -- ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -+ -+ ip_data_len = be16_to_cpu(ip->ip_len); -+ if (ip_data_len < hlen || ip_data_len > eth_payload_len) { -+ goto skip_offload; -+ } -+ ip_data_len -= hlen; - - if (txdw0 & CP_TX_IPCS) - { diff --git a/xsa140-qemut-6.patch b/xsa140-qemut-6.patch deleted file mode 100644 index e24e11a..0000000 --- a/xsa140-qemut-6.patch +++ /dev/null @@ -1,34 +0,0 @@ -References: bsc#939712 XSA-140 - -From 30aa7be430e7c982e9163f3bcc745d3aa57b6aa4 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:03 +0100 -Subject: [PATCH 6/7] rtl8139: skip offload on short TCP header - -TCP Large Segment Offload accesses the TCP header in the packet. If the -packet is too short we must not attempt to access header fields: - - tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); - int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -Signed-off-by: Stefan Hajnoczi ---- - hw/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -@@ -2162,6 +2162,11 @@ static int rtl8139_cplus_transmit_one(RT - - if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) - { -+ /* Large enough for the TCP header? */ -+ if (ip_data_len < sizeof(tcp_header)) { -+ goto skip_offload; -+ } -+ - int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; - - DEBUG_PRINT(("RTL8139: +++ C+ mode offloaded task TSO MTU=%d IP data %d frame data %d specified MSS=%d\n", diff --git a/xsa140-qemut-7.patch b/xsa140-qemut-7.patch deleted file mode 100644 index 5680e29..0000000 --- a/xsa140-qemut-7.patch +++ /dev/null @@ -1,31 +0,0 @@ -References: bsc#939712 XSA-140 - -From 9a084807bf6ca7c16d997a236d304111894a6539 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:04 +0100 -Subject: [PATCH 7/7] rtl8139: check TCP Data Offset field - -The TCP Data Offset field contains the length of the header. Make sure -it is valid and does not exceed the IP data length. - -Signed-off-by: Stefan Hajnoczi ---- - hw/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/hw/rtl8139.c -@@ -2190,6 +2190,11 @@ static int rtl8139_cplus_transmit_one(RT - - int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -+ /* Invalid TCP data offset? */ -+ if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) { -+ goto skip_offload; -+ } -+ - /* ETH_MTU = ip header len + tcp header len + payload */ - int tcp_data_len = ip_data_len - tcp_hlen; - int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; diff --git a/xsa140-qemuu-1.patch b/xsa140-qemuu-1.patch deleted file mode 100644 index 9b515ff..0000000 --- a/xsa140-qemuu-1.patch +++ /dev/null @@ -1,80 +0,0 @@ -References: bsc#939712 XSA-140 - -From 5e0c290415b9d57077a86e70c8e6a058868334d3 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:16:58 +0100 -Subject: [PATCH 1/7] rtl8139: avoid nested ifs in IP header parsing - -Transmit offload needs to parse packet headers. If header fields have -unexpected values the offload processing is skipped. - -The code currently uses nested ifs because there is relatively little -input validation. The next patches will add missing input validation -and a goto label is more appropriate to avoid deep if statement nesting. - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 41 ++++++++++++++++++++++------------------- - 1 file changed, 22 insertions(+), 19 deletions(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -@@ -2171,28 +2171,30 @@ static int rtl8139_cplus_transmit_one(RT - size_t eth_payload_len = 0; - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); -- if (proto == ETH_P_IP) -+ if (proto != ETH_P_IP) - { -- DPRINTF("+++ C+ mode has IP packet\n"); -+ goto skip_offload; -+ } - -- /* not aligned */ -- eth_payload_data = saved_buffer + ETH_HLEN; -- eth_payload_len = saved_size - ETH_HLEN; -- -- ip = (ip_header*)eth_payload_data; -- -- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -- DPRINTF("+++ C+ mode packet has bad IP version %d " -- "expected %d\n", IP_HEADER_VERSION(ip), -- IP_HEADER_VERSION_4); -- ip = NULL; -- } else { -- hlen = IP_HEADER_LENGTH(ip); -- ip_protocol = ip->ip_p; -- ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -- } -+ DPRINTF("+++ C+ mode has IP packet\n"); -+ -+ /* not aligned */ -+ eth_payload_data = saved_buffer + ETH_HLEN; -+ eth_payload_len = saved_size - ETH_HLEN; -+ -+ ip = (ip_header*)eth_payload_data; -+ -+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -+ DPRINTF("+++ C+ mode packet has bad IP version %d " -+ "expected %d\n", IP_HEADER_VERSION(ip), -+ IP_HEADER_VERSION_4); -+ goto skip_offload; - } - -+ hlen = IP_HEADER_LENGTH(ip); -+ ip_protocol = ip->ip_p; -+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -+ - if (ip) - { - if (txdw0 & CP_TX_IPCS) -@@ -2388,6 +2390,7 @@ static int rtl8139_cplus_transmit_one(RT - } - } - -+skip_offload: - /* update tally counter */ - ++s->tally_counters.TxOk; - diff --git a/xsa140-qemuu-2.patch b/xsa140-qemuu-2.patch deleted file mode 100644 index ab6e2ae..0000000 --- a/xsa140-qemuu-2.patch +++ /dev/null @@ -1,372 +0,0 @@ -References: bsc#939712 XSA-140 - -From 2d7d80e8dc160904fa7276cc05da26c062a50066 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:16:59 +0100 -Subject: [PATCH 2/7] rtl8139: drop tautologous if (ip) {...} statement - -The previous patch stopped using the ip pointer as an indicator that the -IP header is present. When we reach the if (ip) {...} statement we know -ip is always non-NULL. - -Remove the if statement to reduce nesting. - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 305 +++++++++++++++++++++++++++---------------------------- - 1 file changed, 151 insertions(+), 154 deletions(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -@@ -2195,198 +2195,195 @@ static int rtl8139_cplus_transmit_one(RT - ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; - -- if (ip) -+ if (txdw0 & CP_TX_IPCS) - { -- if (txdw0 & CP_TX_IPCS) -- { -- DPRINTF("+++ C+ mode need IP checksum\n"); -+ DPRINTF("+++ C+ mode need IP checksum\n"); - -- if (hleneth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -- hlen, ip->ip_sum); -- } -+ if (hleneth_payload_len) {/* min header length */ -+ /* bad packet header len */ -+ /* or packet too short */ - } -- -- if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ else - { -- int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; -- -- DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " -- "frame data %d specified MSS=%d\n", ETH_MTU, -- ip_data_len, saved_size - ETH_HLEN, large_send_mss); -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -+ hlen, ip->ip_sum); -+ } -+ } - -- int tcp_send_offset = 0; -- int send_count = 0; -+ if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ { -+ int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -+ DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " -+ "frame data %d specified MSS=%d\n", ETH_MTU, -+ ip_data_len, saved_size - ETH_HLEN, large_send_mss); - -- /* save IP header template; data area is used in tcp checksum calculation */ -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ int tcp_send_offset = 0; -+ int send_count = 0; - -- /* a placeholder for checksum calculation routine in tcp case */ -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; - -- /* pointer to TCP header */ -- tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); -+ /* save IP header template; data area is used in tcp checksum calculation */ -+ memcpy(saved_ip_header, eth_payload_data, hlen); - -- int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); -+ /* a placeholder for checksum calculation routine in tcp case */ -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; - -- /* ETH_MTU = ip header len + tcp header len + payload */ -- int tcp_data_len = ip_data_len - tcp_hlen; -- int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; -+ /* pointer to TCP header */ -+ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); - -- DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " -- "data len %d TCP chunk size %d\n", ip_data_len, -- tcp_hlen, tcp_data_len, tcp_chunk_size); -+ int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -- /* note the cycle below overwrites IP header data, -- but restores it from saved_ip_header before sending packet */ -+ /* ETH_MTU = ip header len + tcp header len + payload */ -+ int tcp_data_len = ip_data_len - tcp_hlen; -+ int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; - -- int is_last_frame = 0; -+ DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " -+ "data len %d TCP chunk size %d\n", ip_data_len, -+ tcp_hlen, tcp_data_len, tcp_chunk_size); - -- for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) -- { -- uint16_t chunk_size = tcp_chunk_size; -+ /* note the cycle below overwrites IP header data, -+ but restores it from saved_ip_header before sending packet */ - -- /* check if this is the last frame */ -- if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -- { -- is_last_frame = 1; -- chunk_size = tcp_data_len - tcp_send_offset; -- } -- -- DPRINTF("+++ C+ mode TSO TCP seqno %08x\n", -- be32_to_cpu(p_tcp_hdr->th_seq)); -- -- /* add 4 TCP pseudoheader fields */ -- /* copy IP source and destination fields */ -- memcpy(data_to_checksum, saved_ip_header + 12, 8); -- -- DPRINTF("+++ C+ mode TSO calculating TCP checksum for " -- "packet with %d bytes data\n", tcp_hlen + -- chunk_size); -- -- if (tcp_send_offset) -- { -- memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -- } -- -- /* keep PUSH and FIN flags only for the last frame */ -- if (!is_last_frame) -- { -- TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -- } -- -- /* recalculate TCP checksum */ -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); -- -- p_tcp_hdr->th_sum = 0; -- -- int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -- DPRINTF("+++ C+ mode TSO TCP checksum %04x\n", -- tcp_checksum); -- -- p_tcp_hdr->th_sum = tcp_checksum; -- -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -- -- /* set IP data length and recalculate IP checksum */ -- ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); -- -- /* increment IP id for subsequent frames */ -- ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); -- -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(eth_payload_data, hlen); -- DPRINTF("+++ C+ mode TSO IP header len=%d " -- "checksum=%04x\n", hlen, ip->ip_sum); -- -- int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -- DPRINTF("+++ C+ mode TSO transferring packet size " -- "%d\n", tso_send_size); -- rtl8139_transfer_frame(s, saved_buffer, tso_send_size, -- 0, (uint8_t *) dot1q_buffer); -- -- /* add transferred count to TCP sequence number */ -- p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -- ++send_count; -- } -+ int is_last_frame = 0; - -- /* Stop sending this frame */ -- saved_size = 0; -- } -- else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) - { -- DPRINTF("+++ C+ mode need TCP or UDP checksum\n"); -+ uint16_t chunk_size = tcp_chunk_size; - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ /* check if this is the last frame */ -+ if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -+ { -+ is_last_frame = 1; -+ chunk_size = tcp_data_len - tcp_send_offset; -+ } - -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ DPRINTF("+++ C+ mode TSO TCP seqno %08x\n", -+ be32_to_cpu(p_tcp_hdr->th_seq)); - - /* add 4 TCP pseudoheader fields */ - /* copy IP source and destination fields */ - memcpy(data_to_checksum, saved_ip_header + 12, 8); - -- if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ DPRINTF("+++ C+ mode TSO calculating TCP checksum for " -+ "packet with %d bytes data\n", tcp_hlen + -+ chunk_size); -+ -+ if (tcp_send_offset) - { -- DPRINTF("+++ C+ mode calculating TCP checksum for " -- "packet with %d bytes data\n", ip_data_len); -+ memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -+ } - -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ /* keep PUSH and FIN flags only for the last frame */ -+ if (!is_last_frame) -+ { -+ TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -+ } - -- tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ /* recalculate TCP checksum */ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); -+ -+ p_tcp_hdr->th_sum = 0; -+ -+ int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -+ DPRINTF("+++ C+ mode TSO TCP checksum %04x\n", -+ tcp_checksum); - -- p_tcp_hdr->th_sum = 0; -+ p_tcp_hdr->th_sum = tcp_checksum; - -- int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DPRINTF("+++ C+ mode TCP checksum %04x\n", -- tcp_checksum); -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - -- p_tcp_hdr->th_sum = tcp_checksum; -- } -- else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -- { -- DPRINTF("+++ C+ mode calculating UDP checksum for " -- "packet with %d bytes data\n", ip_data_len); -+ /* set IP data length and recalculate IP checksum */ -+ ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); - -- ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_udpip_hdr->zeros = 0; -- p_udpip_hdr->ip_proto = IP_PROTO_UDP; -- p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ /* increment IP id for subsequent frames */ -+ ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); - -- udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(eth_payload_data, hlen); -+ DPRINTF("+++ C+ mode TSO IP header len=%d " -+ "checksum=%04x\n", hlen, ip->ip_sum); -+ -+ int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -+ DPRINTF("+++ C+ mode TSO transferring packet size " -+ "%d\n", tso_send_size); -+ rtl8139_transfer_frame(s, saved_buffer, tso_send_size, -+ 0, (uint8_t *) dot1q_buffer); -+ -+ /* add transferred count to TCP sequence number */ -+ p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -+ ++send_count; -+ } - -- p_udp_hdr->uh_sum = 0; -+ /* Stop sending this frame */ -+ saved_size = 0; -+ } -+ else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ { -+ DPRINTF("+++ C+ mode need TCP or UDP checksum\n"); - -- int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DPRINTF("+++ C+ mode UDP checksum %04x\n", -- udp_checksum); -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; -+ memcpy(saved_ip_header, eth_payload_data, hlen); - -- p_udp_hdr->uh_sum = udp_checksum; -- } -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; - -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -+ /* add 4 TCP pseudoheader fields */ -+ /* copy IP source and destination fields */ -+ memcpy(data_to_checksum, saved_ip_header + 12, 8); -+ -+ if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ { -+ DPRINTF("+++ C+ mode calculating TCP checksum for " -+ "packet with %d bytes data\n", ip_data_len); -+ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ -+ tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ -+ p_tcp_hdr->th_sum = 0; -+ -+ int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DPRINTF("+++ C+ mode TCP checksum %04x\n", -+ tcp_checksum); -+ -+ p_tcp_hdr->th_sum = tcp_checksum; -+ } -+ else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -+ { -+ DPRINTF("+++ C+ mode calculating UDP checksum for " -+ "packet with %d bytes data\n", ip_data_len); -+ -+ ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_udpip_hdr->zeros = 0; -+ p_udpip_hdr->ip_proto = IP_PROTO_UDP; -+ p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ -+ udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ -+ p_udp_hdr->uh_sum = 0; -+ -+ int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DPRINTF("+++ C+ mode UDP checksum %04x\n", -+ udp_checksum); -+ -+ p_udp_hdr->uh_sum = udp_checksum; - } -+ -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - } - } - diff --git a/xsa140-qemuu-3.patch b/xsa140-qemuu-3.patch deleted file mode 100644 index 6335da1..0000000 --- a/xsa140-qemuu-3.patch +++ /dev/null @@ -1,38 +0,0 @@ -References: bsc#939712 XSA-140 - -From 043d28507ef7c5fdc34866f5e3b27a72bd0cd072 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:00 +0100 -Subject: [PATCH 3/7] rtl8139: skip offload on short Ethernet/IP header - -Transmit offload features access Ethernet and IP headers the packet. If -the packet is too short we must not attempt to access header fields: - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); - ... - eth_payload_data = saved_buffer + ETH_HLEN; - ... - ip = (ip_header*)eth_payload_data; - if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -@@ -2161,6 +2161,11 @@ static int rtl8139_cplus_transmit_one(RT - { - DPRINTF("+++ C+ mode offloaded task checksum\n"); - -+ /* Large enough for Ethernet and IP headers? */ -+ if (saved_size < ETH_HLEN + sizeof(ip_header)) { -+ goto skip_offload; -+ } -+ - /* ip packet header */ - ip_header *ip = NULL; - int hlen = 0; diff --git a/xsa140-qemuu-4.patch b/xsa140-qemuu-4.patch deleted file mode 100644 index d9466ba..0000000 --- a/xsa140-qemuu-4.patch +++ /dev/null @@ -1,52 +0,0 @@ -References: bsc#939712 XSA-140 - -From 5a75d242fe019d05b46ef9bc330a6892525c84a7 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:01 +0100 -Subject: [PATCH 4/7] rtl8139: check IP Header Length field - -The IP Header Length field was only checked in the IP checksum case, but -is used in other cases too. - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 19 ++++++++----------- - 1 file changed, 8 insertions(+), 11 deletions(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -@@ -2197,6 +2197,10 @@ static int rtl8139_cplus_transmit_one(RT - } - - hlen = IP_HEADER_LENGTH(ip); -+ if (hlen < sizeof(ip_header) || hlen > eth_payload_len) { -+ goto skip_offload; -+ } -+ - ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; - -@@ -2204,17 +2208,10 @@ static int rtl8139_cplus_transmit_one(RT - { - DPRINTF("+++ C+ mode need IP checksum\n"); - -- if (hleneth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -- hlen, ip->ip_sum); -- } -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -+ hlen, ip->ip_sum); - } - - if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) diff --git a/xsa140-qemuu-5.patch b/xsa140-qemuu-5.patch deleted file mode 100644 index 9f92ea3..0000000 --- a/xsa140-qemuu-5.patch +++ /dev/null @@ -1,33 +0,0 @@ -References: bsc#939712 XSA-140 - -From 6c79ea275d72bc1fd88bdcf1e7d231b2c9c865de Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:02 +0100 -Subject: [PATCH 5/7] rtl8139: check IP Total Length field - -The IP Total Length field includes the IP header and data. Make sure it -is valid and does not exceed the Ethernet payload size. - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -@@ -2202,7 +2202,12 @@ static int rtl8139_cplus_transmit_one(RT - } - - ip_protocol = ip->ip_p; -- ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -+ -+ ip_data_len = be16_to_cpu(ip->ip_len); -+ if (ip_data_len < hlen || ip_data_len > eth_payload_len) { -+ goto skip_offload; -+ } -+ ip_data_len -= hlen; - - if (txdw0 & CP_TX_IPCS) - { diff --git a/xsa140-qemuu-6.patch b/xsa140-qemuu-6.patch deleted file mode 100644 index 6fc2a64..0000000 --- a/xsa140-qemuu-6.patch +++ /dev/null @@ -1,34 +0,0 @@ -References: bsc#939712 XSA-140 - -From 30aa7be430e7c982e9163f3bcc745d3aa57b6aa4 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:03 +0100 -Subject: [PATCH 6/7] rtl8139: skip offload on short TCP header - -TCP Large Segment Offload accesses the TCP header in the packet. If the -packet is too short we must not attempt to access header fields: - - tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); - int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -@@ -2221,6 +2221,11 @@ static int rtl8139_cplus_transmit_one(RT - - if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) - { -+ /* Large enough for the TCP header? */ -+ if (ip_data_len < sizeof(tcp_header)) { -+ goto skip_offload; -+ } -+ - int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; - - DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " diff --git a/xsa140-qemuu-7.patch b/xsa140-qemuu-7.patch deleted file mode 100644 index 544c960..0000000 --- a/xsa140-qemuu-7.patch +++ /dev/null @@ -1,31 +0,0 @@ -References: bsc#939712 XSA-140 - -From 9a084807bf6ca7c16d997a236d304111894a6539 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:04 +0100 -Subject: [PATCH 7/7] rtl8139: check TCP Data Offset field - -The TCP Data Offset field contains the length of the header. Make sure -it is valid and does not exceed the IP data length. - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/net/rtl8139.c -@@ -2250,6 +2250,11 @@ static int rtl8139_cplus_transmit_one(RT - - int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -+ /* Invalid TCP data offset? */ -+ if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) { -+ goto skip_offload; -+ } -+ - /* ETH_MTU = ip header len + tcp header len + payload */ - int tcp_data_len = ip_data_len - tcp_hlen; - int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; diff --git a/xsa149.patch b/xsa149.patch index 927135f..6e348c4 100644 --- a/xsa149.patch +++ b/xsa149.patch @@ -8,15 +8,15 @@ This is XSA-149. Signed-off-by: Jan Beulich Reviewed-by: Ian Campbell -Index: xen-4.5.1-testing/xen/common/domain.c +Index: xen-4.5.2-testing/xen/common/domain.c =================================================================== ---- xen-4.5.1-testing.orig/xen/common/domain.c -+++ xen-4.5.1-testing/xen/common/domain.c -@@ -831,6 +831,7 @@ static void complete_domain_destroy(stru - - xsm_free_security_domain(d); +--- xen-4.5.2-testing.orig/xen/common/domain.c ++++ xen-4.5.2-testing/xen/common/domain.c +@@ -406,6 +406,7 @@ struct domain *domain_create( + if ( init_status & INIT_xsm ) + xsm_free_security_domain(d); free_cpumask_var(d->domain_dirty_cpumask); + xfree(d->vcpu); free_domain_struct(d); - - send_global_virq(VIRQ_DOM_EXC); + return ERR_PTR(err); + } diff --git a/xsa151.patch b/xsa151.patch deleted file mode 100644 index e10b4b2..0000000 --- a/xsa151.patch +++ /dev/null @@ -1,30 +0,0 @@ -xenoprof: free domain's vcpu array - -This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per -guest"). - -This is XSA-151. - -Signed-off-by: Jan Beulich -Reviewed-by: Ian Campbell - -Index: xen-4.5.1-testing/xen/common/xenoprof.c -=================================================================== ---- xen-4.5.1-testing.orig/xen/common/xenoprof.c -+++ xen-4.5.1-testing/xen/common/xenoprof.c -@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct( - d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0); - if ( d->xenoprof->rawbuf == NULL ) - { -+ xfree(d->xenoprof->vcpu); - xfree(d->xenoprof); - d->xenoprof = NULL; - return -ENOMEM; -@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain * - free_xenheap_pages(x->rawbuf, order); - } - -+ xfree(x->vcpu); - xfree(x); - d->xenoprof = NULL; - } diff --git a/xsa152.patch b/xsa152.patch deleted file mode 100644 index 7b4acff..0000000 --- a/xsa152.patch +++ /dev/null @@ -1,43 +0,0 @@ -x86: rate-limit logging in do_xen{oprof,pmu}_op() - -Some of the sub-ops are acessible to all guests, and hence should be -rate-limited. In the xenoprof case, just like for XSA-146, include them -only in debug builds. Since the vPMU code is rather new, allow them to -be always present, but downgrade them to (rate limited) guest messages. - -This is XSA-152. - -Signed-off-by: Jan Beulich - -Index: xen-4.5.1-testing/xen/common/xenoprof.c -=================================================================== ---- xen-4.5.1-testing.orig/xen/common/xenoprof.c -+++ xen-4.5.1-testing/xen/common/xenoprof.c -@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H - - if ( (op < 0) || (op > XENOPROF_last_op) ) - { -- printk("xenoprof: invalid operation %d for domain %d\n", -- op, current->domain->domain_id); -+ gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op); - return -EINVAL; - } - - if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) ) - { -- printk("xenoprof: dom %d denied privileged operation %d\n", -- current->domain->domain_id, op); -+ gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op); - return -EPERM; - } - -@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H - spin_unlock(&xenoprof_lock); - - if ( ret < 0 ) -- printk("xenoprof: operation %d failed for dom %d (status : %d)\n", -- op, current->domain->domain_id, ret); -+ gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret); - - return ret; - } diff --git a/xsa153-libxl.patch b/xsa153-libxl.patch deleted file mode 100644 index b6f5509..0000000 --- a/xsa153-libxl.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 27593ec62bdad8621df910931349d964a6dbaa8c Mon Sep 17 00:00:00 2001 -From: Ian Jackson -Date: Wed, 21 Oct 2015 16:18:30 +0100 -Subject: [PATCH XSA-153 v3] libxl: adjust PoD target by memory fudge, too - -PoD guests need to balloon at least as far as required by PoD, or risk -crashing. Currently they don't necessarily know what the right value -is, because our memory accounting is (at the very least) confusing. - -Apply the memory limit fudge factor to the in-hypervisor PoD memory -target, too. This will increase the size of the guest's PoD cache by -the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby). This ensures -that even with a slightly-off balloon driver, the guest will be -stable even under memory pressure. - -There are two call sites of xc_domain_set_pod_target that need fixing: - -The one in libxl_set_memory_target is straightforward. - -The one in xc_hvm_build_x86.c:setup_guest is more awkward. Simply -setting the PoD target differently does not work because the various -amounts of memory during domain construction no longer match up. -Instead, we adjust the guest memory target in xenstore (but only for -PoD guests). - -This introduces a 1Mby discrepancy between the balloon target of a PoD -guest at boot, and the target set by an apparently-equivalent `xl -mem-set' (or similar) later. This approach is low-risk for a security -fix but we need to fix this up properly in xen.git#staging and -probably also in stable trees. - -This is XSA-153. - -Signed-off-by: Ian Jackson ---- - tools/libxl/libxl.c | 2 +- - tools/libxl/libxl_dom.c | 9 ++++++++- - 2 files changed, 9 insertions(+), 2 deletions(-) - -Index: xen-4.5.1-testing/tools/libxl/libxl.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl.c -+++ xen-4.5.1-testing/tools/libxl/libxl.c -@@ -4859,7 +4859,7 @@ retry_transaction: - - new_target_memkb -= videoram; - rc = xc_domain_set_pod_target(ctx->xch, domid, -- new_target_memkb / 4, NULL, NULL, NULL); -+ (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL); - if (rc != 0) { - LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, - "xc_domain_set_pod_target domid=%d, memkb=%d " -Index: xen-4.5.1-testing/tools/libxl/libxl_dom.c -=================================================================== ---- xen-4.5.1-testing.orig/tools/libxl/libxl_dom.c -+++ xen-4.5.1-testing/tools/libxl/libxl_dom.c -@@ -446,6 +446,7 @@ int libxl__build_post(libxl__gc *gc, uin - xs_transaction_t t; - char **ents; - int i, rc; -+ int64_t mem_target_fudge; - - rc = libxl_domain_sched_params_set(CTX, domid, &info->sched_params); - if (rc) -@@ -472,11 +473,17 @@ int libxl__build_post(libxl__gc *gc, uin - } - } - -+ mem_target_fudge = -+ (info->type == LIBXL_DOMAIN_TYPE_HVM && -+ info->max_memkb > info->target_memkb) -+ ? LIBXL_MAXMEM_CONSTANT : 0; -+ - ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *)); - ents[0] = "memory/static-max"; - ents[1] = GCSPRINTF("%"PRId64, info->max_memkb); - ents[2] = "memory/target"; -- ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb); -+ ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb -+ - mem_target_fudge); - ents[4] = "memory/videoram"; - ents[5] = GCSPRINTF("%"PRId64, info->video_memkb); - ents[6] = "domid";