diff --git a/26129-ACPI-BGRT-invalidate.patch b/26129-ACPI-BGRT-invalidate.patch deleted file mode 100644 index 1303c3a..0000000 --- a/26129-ACPI-BGRT-invalidate.patch +++ /dev/null @@ -1,643 +0,0 @@ -# HG changeset patch -# User Jan Beulich -# Date 1352368421 -3600 -# Node ID 92163b114076029842d0f2d1dbfaa445976c71a3 -# Parent aa2074529eb0183257b6f5f29821b0cd6dfd991a -x86/ACPI: invalidate BGRT if necessary - -Since the image pointed to may live in boot services memory (which we -add to the global memory pool long before ACPI tables get looked at), -we should prevent Dom0 from trying to retrieve the image data in that -case. - -The alternatives would be to -- not add boot services memory to the global pool at all, or -- defer adding boot services memory until Dom0 indicates it is safe to - do so, or -- find and parse the BGRT table in xen/arch/x86/efi/boot.c, and avoid - adding that specific region to the E820 table. -None of these are really attractive, and as Xen commonly prints to the -video console anyway (without trying to avoid any regions on the -screen), the invalidation would need to be done conditionally anyway. - -(xen/include/acpi/actbl3.h is a verbatim copy from Linux 3.7-rc4) - -Signed-off-by: Jan Beulich -Acked-by: Keir Fraser - ---- a/xen/arch/x86/acpi/boot.c -+++ b/xen/arch/x86/acpi/boot.c -@@ -28,6 +28,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -285,6 +286,27 @@ static int __init acpi_parse_hpet(struct - #define acpi_parse_hpet NULL - #endif - -+static int __init acpi_invalidate_bgrt(struct acpi_table_header *table) -+{ -+ struct acpi_table_bgrt *bgrt_tbl = -+ container_of(table, struct acpi_table_bgrt, header); -+ -+ if (table->length < sizeof(*bgrt_tbl)) -+ return -1; -+ -+ if (bgrt_tbl->version == 1 && bgrt_tbl->image_address -+ && !page_is_ram_type(PFN_DOWN(bgrt_tbl->image_address), -+ RAM_TYPE_CONVENTIONAL)) -+ return 0; -+ -+ printk(KERN_INFO PREFIX "BGRT: invalidating v%d image at %#"PRIx64"\n", -+ bgrt_tbl->version, bgrt_tbl->image_address); -+ bgrt_tbl->image_address = 0; -+ bgrt_tbl->status &= ~1; -+ -+ return 0; -+} -+ - #ifdef CONFIG_ACPI_SLEEP - #define acpi_fadt_copy_address(dst, src, len) do { \ - if (fadt->header.revision >= FADT2_REVISION_ID) \ -@@ -833,5 +855,7 @@ int __init acpi_boot_init(void) - - erst_init(); - -+ acpi_table_parse(ACPI_SIG_BGRT, acpi_invalidate_bgrt); -+ - return 0; - } ---- a/xen/include/acpi/actbl.h -+++ b/xen/include/acpi/actbl.h -@@ -314,6 +314,7 @@ enum acpi_prefered_pm_profiles { - - #include - #include -+#include - - /* - * Sizes of the various flavors of FADT. We need to look closely ---- /dev/null -+++ b/xen/include/acpi/actbl3.h -@@ -0,0 +1,557 @@ -+/****************************************************************************** -+ * -+ * Name: actbl3.h - ACPI Table Definitions -+ * -+ *****************************************************************************/ -+ -+/* -+ * Copyright (C) 2000 - 2012, Intel Corp. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions, and the following disclaimer, -+ * without modification. -+ * 2. Redistributions in binary form must reproduce at minimum a disclaimer -+ * substantially similar to the "NO WARRANTY" disclaimer below -+ * ("Disclaimer") and any redistribution must be conditioned upon -+ * including a substantially similar Disclaimer requirement for further -+ * binary redistribution. -+ * 3. Neither the names of the above-listed copyright holders nor the names -+ * of any contributors may be used to endorse or promote products derived -+ * from this software without specific prior written permission. -+ * -+ * Alternatively, this software may be distributed under the terms of the -+ * GNU General Public License ("GPL") version 2 as published by the Free -+ * Software Foundation. -+ * -+ * NO WARRANTY -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR -+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING -+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGES. -+ */ -+ -+#ifndef __ACTBL3_H__ -+#define __ACTBL3_H__ -+ -+/******************************************************************************* -+ * -+ * Additional ACPI Tables (3) -+ * -+ * These tables are not consumed directly by the ACPICA subsystem, but are -+ * included here to support device drivers and the AML disassembler. -+ * -+ * The tables in this file are fully defined within the ACPI specification. -+ * -+ ******************************************************************************/ -+ -+/* -+ * Values for description table header signatures for tables defined in this -+ * file. Useful because they make it more difficult to inadvertently type in -+ * the wrong signature. -+ */ -+#define ACPI_SIG_BGRT "BGRT" /* Boot Graphics Resource Table */ -+#define ACPI_SIG_DRTM "DRTM" /* Dynamic Root of Trust for Measurement table */ -+#define ACPI_SIG_FPDT "FPDT" /* Firmware Performance Data Table */ -+#define ACPI_SIG_GTDT "GTDT" /* Generic Timer Description Table */ -+#define ACPI_SIG_MPST "MPST" /* Memory Power State Table */ -+#define ACPI_SIG_PCCT "PCCT" /* Platform Communications Channel Table */ -+#define ACPI_SIG_PMTT "PMTT" /* Platform Memory Topology Table */ -+#define ACPI_SIG_RASF "RASF" /* RAS Feature table */ -+ -+#define ACPI_SIG_S3PT "S3PT" /* S3 Performance (sub)Table */ -+#define ACPI_SIG_PCCS "PCC" /* PCC Shared Memory Region */ -+ -+/* Reserved table signatures */ -+ -+#define ACPI_SIG_CSRT "CSRT" /* Core System Resources Table */ -+#define ACPI_SIG_MATR "MATR" /* Memory Address Translation Table */ -+#define ACPI_SIG_MSDM "MSDM" /* Microsoft Data Management Table */ -+#define ACPI_SIG_WPBT "WPBT" /* Windows Platform Binary Table */ -+ -+/* -+ * All tables must be byte-packed to match the ACPI specification, since -+ * the tables are provided by the system BIOS. -+ */ -+#pragma pack(1) -+ -+/* -+ * Note: C bitfields are not used for this reason: -+ * -+ * "Bitfields are great and easy to read, but unfortunately the C language -+ * does not specify the layout of bitfields in memory, which means they are -+ * essentially useless for dealing with packed data in on-disk formats or -+ * binary wire protocols." (Or ACPI tables and buffers.) "If you ask me, -+ * this decision was a design error in C. Ritchie could have picked an order -+ * and stuck with it." Norman Ramsey. -+ * See http://stackoverflow.com/a/1053662/41661 -+ */ -+ -+/******************************************************************************* -+ * -+ * BGRT - Boot Graphics Resource Table (ACPI 5.0) -+ * Version 1 -+ * -+ ******************************************************************************/ -+ -+struct acpi_table_bgrt { -+ struct acpi_table_header header; /* Common ACPI table header */ -+ u16 version; -+ u8 status; -+ u8 image_type; -+ u64 image_address; -+ u32 image_offset_x; -+ u32 image_offset_y; -+}; -+ -+/******************************************************************************* -+ * -+ * DRTM - Dynamic Root of Trust for Measurement table -+ * -+ ******************************************************************************/ -+ -+struct acpi_table_drtm { -+ struct acpi_table_header header; /* Common ACPI table header */ -+ u64 entry_base_address; -+ u64 entry_length; -+ u32 entry_address32; -+ u64 entry_address64; -+ u64 exit_address; -+ u64 log_area_address; -+ u32 log_area_length; -+ u64 arch_dependent_address; -+ u32 flags; -+}; -+ -+/* 1) Validated Tables List */ -+ -+struct acpi_drtm_vtl_list { -+ u32 validated_table_list_count; -+}; -+ -+/* 2) Resources List */ -+ -+struct acpi_drtm_resource_list { -+ u32 resource_list_count; -+}; -+ -+/* 3) Platform-specific Identifiers List */ -+ -+struct acpi_drtm_id_list { -+ u32 id_list_count; -+}; -+ -+/******************************************************************************* -+ * -+ * FPDT - Firmware Performance Data Table (ACPI 5.0) -+ * Version 1 -+ * -+ ******************************************************************************/ -+ -+struct acpi_table_fpdt { -+ struct acpi_table_header header; /* Common ACPI table header */ -+}; -+ -+/* FPDT subtable header */ -+ -+struct acpi_fpdt_header { -+ u16 type; -+ u8 length; -+ u8 revision; -+}; -+ -+/* Values for Type field above */ -+ -+enum acpi_fpdt_type { -+ ACPI_FPDT_TYPE_BOOT = 0, -+ ACPI_FPDT_TYPE_S3PERF = 1, -+}; -+ -+/* -+ * FPDT subtables -+ */ -+ -+/* 0: Firmware Basic Boot Performance Record */ -+ -+struct acpi_fpdt_boot { -+ struct acpi_fpdt_header header; -+ u8 reserved[4]; -+ u64 reset_end; -+ u64 load_start; -+ u64 startup_start; -+ u64 exit_services_entry; -+ u64 exit_services_exit; -+}; -+ -+/* 1: S3 Performance Table Pointer Record */ -+ -+struct acpi_fpdt_s3pt_ptr { -+ struct acpi_fpdt_header header; -+ u8 reserved[4]; -+ u64 address; -+}; -+ -+/* -+ * S3PT - S3 Performance Table. This table is pointed to by the -+ * FPDT S3 Pointer Record above. -+ */ -+struct acpi_table_s3pt { -+ u8 signature[4]; /* "S3PT" */ -+ u32 length; -+}; -+ -+/* -+ * S3PT Subtables -+ */ -+struct acpi_s3pt_header { -+ u16 type; -+ u8 length; -+ u8 revision; -+}; -+ -+/* Values for Type field above */ -+ -+enum acpi_s3pt_type { -+ ACPI_S3PT_TYPE_RESUME = 0, -+ ACPI_S3PT_TYPE_SUSPEND = 1, -+}; -+ -+struct acpi_s3pt_resume { -+ struct acpi_s3pt_header header; -+ u32 resume_count; -+ u64 full_resume; -+ u64 average_resume; -+}; -+ -+struct acpi_s3pt_suspend { -+ struct acpi_s3pt_header header; -+ u64 suspend_start; -+ u64 suspend_end; -+}; -+ -+/******************************************************************************* -+ * -+ * GTDT - Generic Timer Description Table (ACPI 5.0) -+ * Version 1 -+ * -+ ******************************************************************************/ -+ -+struct acpi_table_gtdt { -+ struct acpi_table_header header; /* Common ACPI table header */ -+ u64 address; -+ u32 flags; -+ u32 secure_pl1_interrupt; -+ u32 secure_pl1_flags; -+ u32 non_secure_pl1_interrupt; -+ u32 non_secure_pl1_flags; -+ u32 virtual_timer_interrupt; -+ u32 virtual_timer_flags; -+ u32 non_secure_pl2_interrupt; -+ u32 non_secure_pl2_flags; -+}; -+ -+/* Values for Flags field above */ -+ -+#define ACPI_GTDT_MAPPED_BLOCK_PRESENT 1 -+ -+/* Values for all "TimerFlags" fields above */ -+ -+#define ACPI_GTDT_INTERRUPT_MODE 1 -+#define ACPI_GTDT_INTERRUPT_POLARITY 2 -+ -+/******************************************************************************* -+ * -+ * MPST - Memory Power State Table (ACPI 5.0) -+ * Version 1 -+ * -+ ******************************************************************************/ -+ -+#define ACPI_MPST_CHANNEL_INFO \ -+ u16 reserved1; \ -+ u8 channel_id; \ -+ u8 reserved2; \ -+ u16 power_node_count; -+ -+/* Main table */ -+ -+struct acpi_table_mpst { -+ struct acpi_table_header header; /* Common ACPI table header */ -+ ACPI_MPST_CHANNEL_INFO /* Platform Communication Channel */ -+}; -+ -+/* Memory Platform Communication Channel Info */ -+ -+struct acpi_mpst_channel { -+ ACPI_MPST_CHANNEL_INFO /* Platform Communication Channel */ -+}; -+ -+/* Memory Power Node Structure */ -+ -+struct acpi_mpst_power_node { -+ u8 flags; -+ u8 reserved1; -+ u16 node_id; -+ u32 length; -+ u64 range_address; -+ u64 range_length; -+ u8 num_power_states; -+ u8 num_physical_components; -+ u16 reserved2; -+}; -+ -+/* Values for Flags field above */ -+ -+#define ACPI_MPST_ENABLED 1 -+#define ACPI_MPST_POWER_MANAGED 2 -+#define ACPI_MPST_HOT_PLUG_CAPABLE 4 -+ -+/* Memory Power State Structure (follows POWER_NODE above) */ -+ -+struct acpi_mpst_power_state { -+ u8 power_state; -+ u8 info_index; -+}; -+ -+/* Physical Component ID Structure (follows POWER_STATE above) */ -+ -+struct acpi_mpst_component { -+ u16 component_id; -+}; -+ -+/* Memory Power State Characteristics Structure (follows all POWER_NODEs) */ -+ -+struct acpi_mpst_data_hdr { -+ u16 characteristics_count; -+}; -+ -+struct acpi_mpst_power_data { -+ u8 revision; -+ u8 flags; -+ u16 reserved1; -+ u32 average_power; -+ u32 power_saving; -+ u64 exit_latency; -+ u64 reserved2; -+}; -+ -+/* Values for Flags field above */ -+ -+#define ACPI_MPST_PRESERVE 1 -+#define ACPI_MPST_AUTOENTRY 2 -+#define ACPI_MPST_AUTOEXIT 4 -+ -+/* Shared Memory Region (not part of an ACPI table) */ -+ -+struct acpi_mpst_shared { -+ u32 signature; -+ u16 pcc_command; -+ u16 pcc_status; -+ u16 command_register; -+ u16 status_register; -+ u16 power_state_id; -+ u16 power_node_id; -+ u64 energy_consumed; -+ u64 average_power; -+}; -+ -+/******************************************************************************* -+ * -+ * PCCT - Platform Communications Channel Table (ACPI 5.0) -+ * Version 1 -+ * -+ ******************************************************************************/ -+ -+struct acpi_table_pcct { -+ struct acpi_table_header header; /* Common ACPI table header */ -+ u32 flags; -+ u32 latency; -+ u32 reserved; -+}; -+ -+/* Values for Flags field above */ -+ -+#define ACPI_PCCT_DOORBELL 1 -+ -+/* -+ * PCCT subtables -+ */ -+ -+/* 0: Generic Communications Subspace */ -+ -+struct acpi_pcct_subspace { -+ struct acpi_subtable_header header; -+ u8 reserved[6]; -+ u64 base_address; -+ u64 length; -+ struct acpi_generic_address doorbell_register; -+ u64 preserve_mask; -+ u64 write_mask; -+}; -+ -+/* -+ * PCC memory structures (not part of the ACPI table) -+ */ -+ -+/* Shared Memory Region */ -+ -+struct acpi_pcct_shared_memory { -+ u32 signature; -+ u16 command; -+ u16 status; -+}; -+ -+/******************************************************************************* -+ * -+ * PMTT - Platform Memory Topology Table (ACPI 5.0) -+ * Version 1 -+ * -+ ******************************************************************************/ -+ -+struct acpi_table_pmtt { -+ struct acpi_table_header header; /* Common ACPI table header */ -+ u32 reserved; -+}; -+ -+/* Common header for PMTT subtables that follow main table */ -+ -+struct acpi_pmtt_header { -+ u8 type; -+ u8 reserved1; -+ u16 length; -+ u16 flags; -+ u16 reserved2; -+}; -+ -+/* Values for Type field above */ -+ -+#define ACPI_PMTT_TYPE_SOCKET 0 -+#define ACPI_PMTT_TYPE_CONTROLLER 1 -+#define ACPI_PMTT_TYPE_DIMM 2 -+#define ACPI_PMTT_TYPE_RESERVED 3 /* 0x03-0xFF are reserved */ -+ -+/* Values for Flags field above */ -+ -+#define ACPI_PMTT_TOP_LEVEL 0x0001 -+#define ACPI_PMTT_PHYSICAL 0x0002 -+#define ACPI_PMTT_MEMORY_TYPE 0x000C -+ -+/* -+ * PMTT subtables, correspond to Type in struct acpi_pmtt_header -+ */ -+ -+/* 0: Socket Structure */ -+ -+struct acpi_pmtt_socket { -+ struct acpi_pmtt_header header; -+ u16 socket_id; -+ u16 reserved; -+}; -+ -+/* 1: Memory Controller subtable */ -+ -+struct acpi_pmtt_controller { -+ struct acpi_pmtt_header header; -+ u32 read_latency; -+ u32 write_latency; -+ u32 read_bandwidth; -+ u32 write_bandwidth; -+ u16 access_width; -+ u16 alignment; -+ u16 reserved; -+ u16 domain_count; -+}; -+ -+/* 1a: Proximity Domain substructure */ -+ -+struct acpi_pmtt_domain { -+ u32 proximity_domain; -+}; -+ -+/* 2: Physical Component Identifier (DIMM) */ -+ -+struct acpi_pmtt_physical_component { -+ struct acpi_pmtt_header header; -+ u16 component_id; -+ u16 reserved; -+ u32 memory_size; -+ u32 bios_handle; -+}; -+ -+/******************************************************************************* -+ * -+ * RASF - RAS Feature Table (ACPI 5.0) -+ * Version 1 -+ * -+ ******************************************************************************/ -+ -+struct acpi_table_rasf { -+ struct acpi_table_header header; /* Common ACPI table header */ -+ u8 channel_id[12]; -+}; -+ -+/* RASF Platform Communication Channel Shared Memory Region */ -+ -+struct acpi_rasf_shared_memory { -+ u32 signature; -+ u16 command; -+ u16 status; -+ u64 requested_address; -+ u64 requested_length; -+ u64 actual_address; -+ u64 actual_length; -+ u16 flags; -+ u8 speed; -+}; -+ -+/* Masks for Flags and Speed fields above */ -+ -+#define ACPI_RASF_SCRUBBER_RUNNING 1 -+#define ACPI_RASF_SPEED (7<<1) -+ -+/* Channel Commands */ -+ -+enum acpi_rasf_commands { -+ ACPI_RASF_GET_RAS_CAPABILITIES = 1, -+ ACPI_RASF_GET_PATROL_PARAMETERS = 2, -+ ACPI_RASF_START_PATROL_SCRUBBER = 3, -+ ACPI_RASF_STOP_PATROL_SCRUBBER = 4 -+}; -+ -+/* Channel Command flags */ -+ -+#define ACPI_RASF_GENERATE_SCI (1<<15) -+ -+/* Status values */ -+ -+enum acpi_rasf_status { -+ ACPI_RASF_SUCCESS = 0, -+ ACPI_RASF_NOT_VALID = 1, -+ ACPI_RASF_NOT_SUPPORTED = 2, -+ ACPI_RASF_BUSY = 3, -+ ACPI_RASF_FAILED = 4, -+ ACPI_RASF_ABORTED = 5, -+ ACPI_RASF_INVALID_DATA = 6 -+}; -+ -+/* Status flags */ -+ -+#define ACPI_RASF_COMMAND_COMPLETE (1) -+#define ACPI_RASF_SCI_DOORBELL (1<<1) -+#define ACPI_RASF_ERROR (1<<2) -+#define ACPI_RASF_STATUS (0x1F<<3) -+ -+/* Reset to default packing */ -+ -+#pragma pack() -+ -+#endif /* __ACTBL3_H__ */ diff --git a/26132-tmem-save-NULL-check.patch b/26132-tmem-save-NULL-check.patch deleted file mode 100644 index bd18e7f..0000000 --- a/26132-tmem-save-NULL-check.patch +++ /dev/null @@ -1,31 +0,0 @@ -# HG changeset patch -# User Matthew Daley -# Date 1352709297 -3600 -# Node ID 286ef4ced2164f4e9bf52fd0c52248182e69a6e6 -# Parent 62885b3c34c84354ead017703a86f0465cb58cf7 -tmem: Prevent NULL dereference on error case - -If the client / pool IDs given to tmemc_save_get_next_page are invalid, -the calculation of pagesize will dereference NULL. - -Fix this by moving the calculation below the appropriate NULL check. - -Signed-off-by: Matthew Daley -Committed-by: Jan Beulich - ---- a/xen/common/tmem.c -+++ b/xen/common/tmem.c -@@ -2446,10 +2446,12 @@ static NOINLINE int tmemc_save_get_next_ - OID oid; - int ret = 0; - struct tmem_handle h; -- unsigned int pagesize = 1 << (pool->pageshift+12); -+ unsigned int pagesize; - - if ( pool == NULL || is_ephemeral(pool) ) - return -1; -+ -+ pagesize = 1 << (pool->pageshift + 12); - if ( bufsize < pagesize + sizeof(struct tmem_handle) ) - return -ENOMEM; - diff --git a/26134-x86-shadow-invlpg-check.patch b/26134-x86-shadow-invlpg-check.patch deleted file mode 100644 index 48f7ed1..0000000 --- a/26134-x86-shadow-invlpg-check.patch +++ /dev/null @@ -1,22 +0,0 @@ -# HG changeset patch -# User Matthew Daley -# Date 1352715420 0 -# Node ID 279bbf2a0b485fce18af26473eca5e60d794c17b -# Parent fdb69dd527cd01a46f87efb380050559dcf12d37 -x86/mm x86 shadow: Fix typo in sh_invlpg sl3 page presence check - -Signed-off-by: Matthew Daley -Acked-by: Tim Deegan -Committed-by: Tim Deegan - ---- a/xen/arch/x86/mm/shadow/multi.c -+++ b/xen/arch/x86/mm/shadow/multi.c -@@ -3665,7 +3665,7 @@ sh_invlpg(struct vcpu *v, unsigned long - perfc_incr(shadow_invlpg_fault); - return 0; - } -- if ( (!shadow_l3e_get_flags(sl3e) & _PAGE_PRESENT) ) -+ if ( !(shadow_l3e_get_flags(sl3e) & _PAGE_PRESENT) ) - return 0; - } - #else /* SHADOW_PAGING_LEVELS == 3 */ diff --git a/26139-cpumap-masking.patch b/26139-cpumap-masking.patch deleted file mode 100644 index 49afe5e..0000000 --- a/26139-cpumap-masking.patch +++ /dev/null @@ -1,39 +0,0 @@ -# HG changeset patch -# User Matthew Daley -# Date 1352802490 -3600 -# Node ID 56400658f0962099988678487e525d12f869a96a -# Parent a3cde70320ada4a5424c37f65b8fe3753fc95205 -fix xenctl_cpumap_to_cpumask() buffer size check - -xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether -bits should be masked off from the input cpumap bitmap or not. - -Fix by using the correct cpumask buffer size in place of sizeof. - -Signed-off-by: Matthew Daley - -Compare against copy_bytes instead, and use equality rather than less- -or-equal. - -Further, this issue (introduced with c/s 23991:a7ccbc79fc17) is not -security relevant (i.e. the bug could not cause memory corruption): -_xmalloc() never returns chunks of data smaller than the size of a -pointer, i.e. even if sizeof(void*) > guest_bytes > copy_bytes, the -piece of memory erroneously written to would still be inside the -allocation done at the top of the function. - -Signed-off-by: Jan Beulich -Acked-by: Keir Fraser -Committed-by: Jan Beulich - ---- a/xen/common/domctl.c -+++ b/xen/common/domctl.c -@@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask( - { - if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) ) - err = -EFAULT; -- if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) ) -+ if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) ) - bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7)); - } - diff --git a/26179-PCI-find-next-cap.patch b/26179-PCI-find-next-cap.patch deleted file mode 100644 index 8bf3e8c..0000000 --- a/26179-PCI-find-next-cap.patch +++ /dev/null @@ -1,59 +0,0 @@ -# HG changeset patch -# User Jan Beulich -# Date 1353398311 -3600 -# Node ID ae6fb202b233af815466055d9f1a635802a50855 -# Parent 02b9d9a25feecd76d56143afa9bbb853fd01f602 -passthrough/PCI: replace improper uses of pci_find_next_cap() - -Using pci_find_next_cap() without prior pci_find_cap_offset() is bogus -(and possibly wrong, given that the latter doesn't check the -PCI_STATUS_CAP_LIST flag, which so far was checked in an open-coded way -only for the non-bridge case). - -Once at it, fold the two calls into one, as we need its result in any -case. - -Question is whether, without any caller left, pci_find_next_cap() -should be purged as well. - -Signed-off-by: Jan Beulich -Acked-by: Xiantao Zhang - ---- a/xen/drivers/passthrough/pci.c -+++ b/xen/drivers/passthrough/pci.c -@@ -565,16 +565,13 @@ void pci_release_devices(struct domain * - - int pdev_type(u16 seg, u8 bus, u8 devfn) - { -- u16 class_device; -- u16 status, creg; -- int pos; -+ u16 class_device, creg; - u8 d = PCI_SLOT(devfn), f = PCI_FUNC(devfn); -+ int pos = pci_find_cap_offset(seg, bus, d, f, PCI_CAP_ID_EXP); - - class_device = pci_conf_read16(seg, bus, d, f, PCI_CLASS_DEVICE); - if ( class_device == PCI_CLASS_BRIDGE_PCI ) - { -- pos = pci_find_next_cap(seg, bus, devfn, -- PCI_CAPABILITY_LIST, PCI_CAP_ID_EXP); - if ( !pos ) - return DEV_TYPE_LEGACY_PCI_BRIDGE; - creg = pci_conf_read16(seg, bus, d, f, pos + PCI_EXP_FLAGS); -@@ -582,15 +579,7 @@ int pdev_type(u16 seg, u8 bus, u8 devfn) - DEV_TYPE_PCIe2PCI_BRIDGE : DEV_TYPE_PCIe_BRIDGE; - } - -- status = pci_conf_read16(seg, bus, d, f, PCI_STATUS); -- if ( !(status & PCI_STATUS_CAP_LIST) ) -- return DEV_TYPE_PCI; -- -- if ( pci_find_next_cap(seg, bus, devfn, PCI_CAPABILITY_LIST, -- PCI_CAP_ID_EXP) ) -- return DEV_TYPE_PCIe_ENDPOINT; -- -- return DEV_TYPE_PCI; -+ return pos ? DEV_TYPE_PCIe_ENDPOINT : DEV_TYPE_PCI; - } - - /* diff --git a/26183-x86-HPET-masking.patch b/26183-x86-HPET-masking.patch deleted file mode 100644 index c8cb5e0..0000000 --- a/26183-x86-HPET-masking.patch +++ /dev/null @@ -1,88 +0,0 @@ -# HG changeset patch -# User Jan Beulich -# Date 1353575003 -3600 -# Node ID c139ca92edca2fab8ec95deb7fd9e4246c3fe28d -# Parent af6b72a224e99a4a516fbc2eecc06ada569304e8 -x86/HPET: fix FSB interrupt masking - -HPET_TN_FSB is not really suitable for masking interrupts - it merely -switches between the two delivery methods. The right way of masking is -through the HPET_TN_ENABLE bit (which really is an interrupt enable, -not a counter enable or some such). This is even more so with certain -chip sets not even allowing HPET_TN_FSB to be cleared on some of the -channels. - -Further, all the setup of the channel should happen before actually -enabling the interrupt, which requires splitting legacy and FSB logic. - -Finally this also fixes an S3 resume problem (HPET_TN_FSB did not get -set in hpet_broadcast_resume(), and hpet_msi_unmask() doesn't get -called from the general resume code either afaict). - -Signed-off-by: Jan Beulich -Acked-by: Keir Fraser - ---- a/xen/arch/x86/hpet.c -+++ b/xen/arch/x86/hpet.c -@@ -236,7 +236,7 @@ static void hpet_msi_unmask(struct irq_d - struct hpet_event_channel *ch = desc->action->dev_id; - - cfg = hpet_read32(HPET_Tn_CFG(ch->idx)); -- cfg |= HPET_TN_FSB; -+ cfg |= HPET_TN_ENABLE; - hpet_write32(cfg, HPET_Tn_CFG(ch->idx)); - } - -@@ -246,7 +246,7 @@ static void hpet_msi_mask(struct irq_des - struct hpet_event_channel *ch = desc->action->dev_id; - - cfg = hpet_read32(HPET_Tn_CFG(ch->idx)); -- cfg &= ~HPET_TN_FSB; -+ cfg &= ~HPET_TN_ENABLE; - hpet_write32(cfg, HPET_Tn_CFG(ch->idx)); - } - -@@ -319,8 +319,14 @@ static void __hpet_setup_msi_irq(struct - static int __init hpet_setup_msi_irq(unsigned int irq, struct hpet_event_channel *ch) - { - int ret; -+ u32 cfg = hpet_read32(HPET_Tn_CFG(ch->idx)); - irq_desc_t *desc = irq_to_desc(irq); - -+ /* set HPET Tn as oneshot */ -+ cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC); -+ cfg |= HPET_TN_FSB | HPET_TN_32BIT; -+ hpet_write32(cfg, HPET_Tn_CFG(ch->idx)); -+ - desc->handler = &hpet_msi_type; - ret = request_irq(irq, hpet_interrupt_handler, 0, "HPET", ch); - if ( ret < 0 ) -@@ -541,11 +547,14 @@ void __init hpet_broadcast_init(void) - - for ( i = 0; i < n; i++ ) - { -- /* set HPET Tn as oneshot */ -- cfg = hpet_read32(HPET_Tn_CFG(hpet_events[i].idx)); -- cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC); -- cfg |= HPET_TN_ENABLE | HPET_TN_32BIT; -- hpet_write32(cfg, HPET_Tn_CFG(hpet_events[i].idx)); -+ if ( i == 0 && (cfg & HPET_CFG_LEGACY) ) -+ { -+ /* set HPET T0 as oneshot */ -+ cfg = hpet_read32(HPET_Tn_CFG(0)); -+ cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC); -+ cfg |= HPET_TN_ENABLE | HPET_TN_32BIT; -+ hpet_write32(cfg, HPET_Tn_CFG(0)); -+ } - - /* - * The period is a femto seconds value. We need to calculate the scaled -@@ -602,6 +611,8 @@ void hpet_broadcast_resume(void) - cfg = hpet_read32(HPET_Tn_CFG(hpet_events[i].idx)); - cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC); - cfg |= HPET_TN_ENABLE | HPET_TN_32BIT; -+ if ( !(hpet_events[i].flags & HPET_EVT_LEGACY) ) -+ cfg |= HPET_TN_FSB; - hpet_write32(cfg, HPET_Tn_CFG(hpet_events[i].idx)); - - hpet_events[i].next_event = STIME_MAX; diff --git a/26188-x86-time-scale-asm.patch b/26188-x86-time-scale-asm.patch deleted file mode 100644 index 5c720a4..0000000 --- a/26188-x86-time-scale-asm.patch +++ /dev/null @@ -1,34 +0,0 @@ -# HG changeset patch -# User Jan Beulich -# Date 1353946839 -3600 -# Node ID 16bf7f3069a77c8a15b785cfdb5f2f634661d7fc -# Parent 0049de3827bcfe3488dc6c7b7a60327a562aee5c -x86/time: fix scale_delta() inline assembly - -The way it was coded, it clobbered %rdx without telling the compiler. -This generally didn't cause any problems except when there are two back -to back invocations (as in plt_overflow()), as in that case the -compiler may validly assume that it can re-use for the second instance -the value loaded into %rdx before the first one. - -Once at it, also properly relax the second operand of "mul" (there's no -need for it to be in %rdx, or a register at all), and switch away from -using explicit register names in the instruction operands. - -Signed-off-by: Jan Beulich -Acked-by: Keir Fraser - ---- a/xen/arch/x86/time.c -+++ b/xen/arch/x86/time.c -@@ -142,8 +142,9 @@ static inline u64 scale_delta(u64 delta, - : "a" ((u32)delta), "1" ((u32)(delta >> 32)), "2" (scale->mul_frac) ); - #else - asm ( -- "mul %%rdx ; shrd $32,%%rdx,%%rax" -- : "=a" (product) : "0" (delta), "d" ((u64)scale->mul_frac) ); -+ "mul %2 ; shrd $32,%1,%0" -+ : "=a" (product), "=d" (delta) -+ : "rm" (delta), "0" ((u64)scale->mul_frac) ); - #endif - - return product; diff --git a/26189-xenstore-chmod.patch b/26189-xenstore-chmod.patch deleted file mode 100644 index 7fe1545..0000000 --- a/26189-xenstore-chmod.patch +++ /dev/null @@ -1,85 +0,0 @@ -# HG changeset patch -# Parent 8b93ac0c93f3fb8a140b4688ba71841ac927d4e3 -xenstore-chmod: handle arbitrary number of perms rather than MAX_PERMS constant - -Constant MAX_PERMS 16 is too small to use in some occasions, e.g. if -there are more than 16 domU(s) on one hypervisor (it's easy to -achieve) and one wants to do xenstore-chmod PATH to all domU(s). So, -remove MAX_PERMS limitation and make it as arbitrary number of perms. - -Signed-off-by: Chunyan Liu -Acked-by: Ian Campbell - -diff -r 8b93ac0c93f3 tools/xenstore/xenstore_client.c ---- a/tools/xenstore/xenstore_client.c Tue Nov 13 11:19:17 2012 +0000 -+++ b/tools/xenstore/xenstore_client.c Mon Nov 26 11:33:38 2012 +0800 -@@ -25,7 +25,6 @@ - #define PATH_SEP '/' - #define MAX_PATH_LEN 256 - --#define MAX_PERMS 16 - - enum mode { - MODE_unknown, -@@ -407,44 +406,41 @@ perform(enum mode mode, int optind, int - output("%s\n", list[i]); - } - free(list); -- optind++; -- break; -- } -- case MODE_ls: { -- do_ls(xsh, argv[optind], 0, prefix); -- optind++; -- break; -+ optind++; -+ break; -+ } -+ case MODE_ls: { -+ do_ls(xsh, argv[optind], 0, prefix); -+ optind++; -+ break; - } - case MODE_chmod: { -- struct xs_permissions perms[MAX_PERMS]; -- int nperms = 0; - /* save path pointer: */ - char *path = argv[optind++]; -- for (; argv[optind]; optind++, nperms++) -+ int nperms = argc - optind; -+ struct xs_permissions perms[nperms]; -+ int i; -+ for (i = 0; argv[optind]; optind++, i++) - { -- if (MAX_PERMS <= nperms) -- errx(1, "Too many permissions specified. " -- "Maximum per invocation is %d.", MAX_PERMS); -- -- perms[nperms].id = atoi(argv[optind]+1); -+ perms[i].id = atoi(argv[optind]+1); - - switch (argv[optind][0]) - { - case 'n': -- perms[nperms].perms = XS_PERM_NONE; -+ perms[i].perms = XS_PERM_NONE; - break; - case 'r': -- perms[nperms].perms = XS_PERM_READ; -+ perms[i].perms = XS_PERM_READ; - break; - case 'w': -- perms[nperms].perms = XS_PERM_WRITE; -+ perms[i].perms = XS_PERM_WRITE; - break; - case 'b': -- perms[nperms].perms = XS_PERM_READ | XS_PERM_WRITE; -+ perms[i].perms = XS_PERM_READ | XS_PERM_WRITE; - break; - default: - errx(1, "Invalid permission specification: '%c'", -- argv[optind][0]); -+ argv[optind][0]); - } - } - diff --git a/26148-vcpu-timer-overflow.patch b/CVE-2012-4535-xsa20.patch similarity index 76% rename from 26148-vcpu-timer-overflow.patch rename to CVE-2012-4535-xsa20.patch index 29e2e8f..dcc4357 100644 --- a/26148-vcpu-timer-overflow.patch +++ b/CVE-2012-4535-xsa20.patch @@ -1,10 +1,5 @@ References: CVE-2012-4535 XSA-20 bnc#786516 -# HG changeset patch -# User Ian Jackson -# Date 1352892634 0 -# Node ID bf58b94b3cef4db8d9ad9c8686bf10910ccc0644 -# Parent 3186c04af5829a242059ffe4f6427853b7bfc408 VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability The timer action for a vcpu periodic timer is to calculate the next @@ -17,10 +12,11 @@ This is a security problem, XSA-20 / CVE-2012-4535. Signed-off-by: Andrew Cooper Acked-by: Ian Campbell -Committed-by: Ian Jackson ---- a/xen/common/domain.c -+++ b/xen/common/domain.c +Index: xen-4.2.0-testing/xen/common/domain.c +=================================================================== +--- xen-4.2.0-testing.orig/xen/common/domain.c ++++ xen-4.2.0-testing/xen/common/domain.c @@ -882,6 +882,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN if ( set.period_ns < MILLISECS(1) ) return -EINVAL; @@ -31,8 +27,10 @@ Committed-by: Ian Jackson v->periodic_period = set.period_ns; vcpu_force_reschedule(v); ---- a/xen/include/xen/time.h -+++ b/xen/include/xen/time.h +Index: xen-4.2.0-testing/xen/include/xen/time.h +=================================================================== +--- xen-4.2.0-testing.orig/xen/include/xen/time.h ++++ xen-4.2.0-testing/xen/include/xen/time.h @@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t); #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL)) #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL)) diff --git a/26149-x86-p2m-physmap-error-path.patch b/CVE-2012-4537-xsa22.patch similarity index 80% rename from 26149-x86-p2m-physmap-error-path.patch rename to CVE-2012-4537-xsa22.patch index b6d6cbf..93c9b4c 100644 --- a/26149-x86-p2m-physmap-error-path.patch +++ b/CVE-2012-4537-xsa22.patch @@ -1,10 +1,5 @@ References: CVE-2012-4537 XSA-22 bnc#786517 -# HG changeset patch -# User Ian Jackson -# Date 1352892962 0 -# Node ID 6b6a4007a6091610a29b71cc32908c74113b852b -# Parent bf58b94b3cef4db8d9ad9c8686bf10910ccc0644 x86/physmap: Prevent incorrect updates of m2p mappings In certain conditions, such as low memory, set_p2m_entry() can fail. @@ -22,10 +17,11 @@ This is a security problem, XSA-22 / CVE-2012-4537. Signed-off-by: Andrew Cooper Acked-by: Ian Campbell Acked-by: Ian Jackson -Committed-by: Ian Jackson ---- a/xen/arch/x86/mm/p2m.c -+++ b/xen/arch/x86/mm/p2m.c +Index: xen-4.2.0-testing/xen/arch/x86/mm/p2m.c +=================================================================== +--- xen-4.2.0-testing.orig/xen/arch/x86/mm/p2m.c ++++ xen-4.2.0-testing/xen/arch/x86/mm/p2m.c @@ -654,7 +654,10 @@ guest_physmap_add_entry(struct domain *d if ( mfn_valid(_mfn(mfn)) ) { diff --git a/26150-x86-shadow-unhook-toplevel-check.patch b/CVE-2012-4538-xsa23.patch similarity index 77% rename from 26150-x86-shadow-unhook-toplevel-check.patch rename to CVE-2012-4538-xsa23.patch index 4ee4e86..cf22858 100644 --- a/26150-x86-shadow-unhook-toplevel-check.patch +++ b/CVE-2012-4538-xsa23.patch @@ -1,10 +1,5 @@ References: CVE-2012-4538 XSA-23 bnc#786519 -# HG changeset patch -# User Ian Jackson -# Date 1352893341 0 -# Node ID c7a01b6450e483ca839228bf1e1e44de692e3458 -# Parent 6b6a4007a6091610a29b71cc32908c74113b852b xen/mm/shadow: check toplevel pagetables are present before unhooking them. If the guest has not fully populated its top-level PAE entries when it calls @@ -18,10 +13,11 @@ This is a security problem, XSA-23 / CVE-2012-4538. Signed-off-by: Tim Deegan Tested-by: Andrew Cooper Acked-by: Ian Campbell -Committed-by: Ian Jackson ---- a/xen/arch/x86/mm/shadow/multi.c -+++ b/xen/arch/x86/mm/shadow/multi.c +Index: xen-4.2.0-testing/xen/arch/x86/mm/shadow/multi.c +=================================================================== +--- xen-4.2.0-testing.orig/xen/arch/x86/mm/shadow/multi.c ++++ xen-4.2.0-testing/xen/arch/x86/mm/shadow/multi.c @@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc unsigned long gfn; mfn_t smfn, gmfn; diff --git a/26151-gnttab-compat-get-status-frames.patch b/CVE-2012-4539-xsa24.patch similarity index 72% rename from 26151-gnttab-compat-get-status-frames.patch rename to CVE-2012-4539-xsa24.patch index fb6c2f1..3851920 100644 --- a/26151-gnttab-compat-get-status-frames.patch +++ b/CVE-2012-4539-xsa24.patch @@ -1,10 +1,5 @@ References: CVE-2012-4539 XSA-24 bnc#786520 -# HG changeset patch -# User Ian Jackson -# Date 1352893537 0 -# Node ID b64a7d868f06c730a444e990da1a4d816ce3f5dc -# Parent c7a01b6450e483ca839228bf1e1e44de692e3458 compat/gnttab: Prevent infinite loop in compat code c/s 20281:95ea2052b41b, which introduces Grant Table version 2 @@ -18,10 +13,11 @@ This is a security problem, XSA-24 / CVE-2012-4539. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich Acked-by: Ian Jackson -Committed-by: Ian Jackson ---- a/xen/common/compat/grant_table.c -+++ b/xen/common/compat/grant_table.c +Index: xen-4.2.0-testing/xen/common/compat/grant_table.c +=================================================================== +--- xen-4.2.0-testing.orig/xen/common/compat/grant_table.c ++++ xen-4.2.0-testing/xen/common/compat/grant_table.c @@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c #undef XLAT_gnttab_get_status_frames_HNDL_frame_list if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) ) diff --git a/CVE-2012-5510-xsa26.patch b/CVE-2012-5510-xsa26.patch deleted file mode 100644 index 57e7ac0..0000000 --- a/CVE-2012-5510-xsa26.patch +++ /dev/null @@ -1,105 +0,0 @@ -References: CVE-2012-5510 XSA-26 bnc#789945 - -gnttab: fix releasing of memory upon switches between versions - -gnttab_unpopulate_status_frames() incompletely freed the pages -previously used as status frame in that they did not get removed from -the domain's xenpage_list, thus causing subsequent list corruption -when those pages did get allocated again for the same or another purpose. - -Similarly, grant_table_create() and gnttab_grow_table() both improperly -clean up in the event of an error - pages already shared with the guest -can't be freed by just passing them to free_xenheap_page(). Fix this by -sharing the pages only after all allocations succeeded. - -This is CVE-2012-5510 / XSA-26. - -Signed-off-by: Jan Beulich -Acked-by: Ian Campbell - ---- a/xen/common/grant_table.c -+++ b/xen/common/grant_table.c -@@ -1170,12 +1170,13 @@ fault: - } - - static int --gnttab_populate_status_frames(struct domain *d, struct grant_table *gt) -+gnttab_populate_status_frames(struct domain *d, struct grant_table *gt, -+ unsigned int req_nr_frames) - { - unsigned i; - unsigned req_status_frames; - -- req_status_frames = grant_to_status_frames(gt->nr_grant_frames); -+ req_status_frames = grant_to_status_frames(req_nr_frames); - for ( i = nr_status_frames(gt); i < req_status_frames; i++ ) - { - if ( (gt->status[i] = alloc_xenheap_page()) == NULL ) -@@ -1206,7 +1207,12 @@ gnttab_unpopulate_status_frames(struct d - - for ( i = 0; i < nr_status_frames(gt); i++ ) - { -- page_set_owner(virt_to_page(gt->status[i]), dom_xen); -+ struct page_info *pg = virt_to_page(gt->status[i]); -+ -+ BUG_ON(page_get_owner(pg) != d); -+ if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) ) -+ put_page(pg); -+ BUG_ON(pg->count_info & ~PGC_xen_heap); - free_xenheap_page(gt->status[i]); - gt->status[i] = NULL; - } -@@ -1244,19 +1250,18 @@ gnttab_grow_table(struct domain *d, unsi - clear_page(gt->shared_raw[i]); - } - -- /* Share the new shared frames with the recipient domain */ -- for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) -- gnttab_create_shared_page(d, gt, i); -- -- gt->nr_grant_frames = req_nr_frames; -- - /* Status pages - version 2 */ - if (gt->gt_version > 1) - { -- if ( gnttab_populate_status_frames(d, gt) ) -+ if ( gnttab_populate_status_frames(d, gt, req_nr_frames) ) - goto shared_alloc_failed; - } - -+ /* Share the new shared frames with the recipient domain */ -+ for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) -+ gnttab_create_shared_page(d, gt, i); -+ gt->nr_grant_frames = req_nr_frames; -+ - return 1; - - shared_alloc_failed: -@@ -2154,7 +2159,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gntt - - if ( op.version == 2 && gt->gt_version < 2 ) - { -- res = gnttab_populate_status_frames(d, gt); -+ res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt)); - if ( res < 0) - goto out_unlock; - } -@@ -2597,14 +2602,15 @@ grant_table_create( - clear_page(t->shared_raw[i]); - } - -- for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) -- gnttab_create_shared_page(d, t, i); -- - /* Status pages for grant table - for version 2 */ - t->status = xzalloc_array(grant_status_t *, - grant_to_status_frames(max_nr_grant_frames)); - if ( t->status == NULL ) - goto no_mem_4; -+ -+ for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) -+ gnttab_create_shared_page(d, t, i); -+ - t->nr_status_frames = 0; - - /* Okay, install the structure. */ diff --git a/CVE-2012-5511-xsa27.patch b/CVE-2012-5511-xsa27.patch deleted file mode 100644 index 8ff2ec6..0000000 --- a/CVE-2012-5511-xsa27.patch +++ /dev/null @@ -1,136 +0,0 @@ -References: CVE-2012-5511 XSA-27 bnc#789944 - -hvm: Limit the size of large HVM op batches - -Doing large p2m updates for HVMOP_track_dirty_vram without preemption -ties up the physical processor. Integrating preemption into the p2m -updates is hard so simply limit to 1GB which is sufficient for a 15000 -* 15000 * 32bpp framebuffer. - -For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the -necessary machinery to handle preemption. - -This is CVE-2012-5511 / XSA-27. - -Signed-off-by: Tim Deegan -Signed-off-by: Ian Campbell -Acked-by: Ian Jackson - -v2: Provide definition of GB to fix x86-32 compile. - -Signed-off-by: Jan Beulich -Acked-by: Ian Jackson - - ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c -@@ -4033,6 +4033,9 @@ long do_hvm_op(unsigned long op, XEN_GUE - if ( !is_hvm_domain(d) ) - goto param_fail2; - -+ if ( a.nr > GB(1) >> PAGE_SHIFT ) -+ goto param_fail2; -+ - rc = xsm_hvm_param(d, op); - if ( rc ) - goto param_fail2; -@@ -4059,7 +4062,6 @@ long do_hvm_op(unsigned long op, XEN_GUE - { - struct xen_hvm_modified_memory a; - struct domain *d; -- unsigned long pfn; - - if ( copy_from_guest(&a, arg, 1) ) - return -EFAULT; -@@ -4086,9 +4088,11 @@ long do_hvm_op(unsigned long op, XEN_GUE - if ( !paging_mode_log_dirty(d) ) - goto param_fail3; - -- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) -+ while ( a.nr > 0 ) - { -+ unsigned long pfn = a.first_pfn; - struct page_info *page; -+ - page = get_page_from_gfn(d, pfn, NULL, P2M_UNSHARE); - if ( page ) - { -@@ -4098,6 +4102,19 @@ long do_hvm_op(unsigned long op, XEN_GUE - sh_remove_shadows(d->vcpu[0], _mfn(page_to_mfn(page)), 1, 0); - put_page(page); - } -+ -+ a.first_pfn++; -+ a.nr--; -+ -+ /* Check for continuation if it's not the last interation */ -+ if ( a.nr > 0 && hypercall_preempt_check() ) -+ { -+ if ( copy_to_guest(arg, &a, 1) ) -+ rc = -EFAULT; -+ else -+ rc = -EAGAIN; -+ break; -+ } - } - - param_fail3: -@@ -4153,7 +4170,6 @@ long do_hvm_op(unsigned long op, XEN_GUE - { - struct xen_hvm_set_mem_type a; - struct domain *d; -- unsigned long pfn; - - /* Interface types to internal p2m types */ - p2m_type_t memtype[] = { -@@ -4186,8 +4202,9 @@ long do_hvm_op(unsigned long op, XEN_GUE - if ( a.hvmmem_type >= ARRAY_SIZE(memtype) ) - goto param_fail4; - -- for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) -+ while ( a.nr ) - { -+ unsigned long pfn = a.first_pfn; - p2m_type_t t; - p2m_type_t nt; - mfn_t mfn; -@@ -4227,6 +4244,19 @@ long do_hvm_op(unsigned long op, XEN_GUE - } - } - put_gfn(d, pfn); -+ -+ a.first_pfn++; -+ a.nr--; -+ -+ /* Check for continuation if it's not the last interation */ -+ if ( a.nr > 0 && hypercall_preempt_check() ) -+ { -+ if ( copy_to_guest(arg, &a, 1) ) -+ rc = -EFAULT; -+ else -+ rc = -EAGAIN; -+ goto param_fail4; -+ } - } - - rc = 0; ---- a/xen/include/asm-x86/config.h -+++ b/xen/include/asm-x86/config.h -@@ -119,6 +119,9 @@ extern char wakeup_start[]; - extern unsigned int video_mode, video_flags; - extern unsigned short boot_edid_caps; - extern unsigned char boot_edid_info[128]; -+ -+#define GB(_gb) (_gb ## UL << 30) -+ - #endif - - #define asmlinkage -@@ -134,7 +137,6 @@ extern unsigned char boot_edid_info[128] - #define PML4_ADDR(_slot) \ - ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \ - (_slot ## UL << PML4_ENTRY_BITS)) --#define GB(_gb) (_gb ## UL << 30) - #else - #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS) - #define PML4_ADDR(_slot) \ diff --git a/CVE-2012-5513-xsa29.patch b/CVE-2012-5513-xsa29.patch deleted file mode 100644 index 3fd7c69..0000000 --- a/CVE-2012-5513-xsa29.patch +++ /dev/null @@ -1,47 +0,0 @@ -References: CVE-2012-5513 XSA-29 bnc#789951 - -xen: add missing guest address range checks to XENMEM_exchange handlers - -Ever since its existence (3.0.3 iirc) the handler for this has been -using non address range checking guest memory accessors (i.e. -the ones prefixed with two underscores) without first range -checking the accessed space (via guest_handle_okay()), allowing -a guest to access and overwrite hypervisor memory. - -This is XSA-29 / CVE-2012-5513. - -Signed-off-by: Jan Beulich -Acked-by: Ian Campbell -Acked-by: Ian Jackson - ---- a/xen/common/compat/memory.c -+++ b/xen/common/compat/memory.c -@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, X - (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) ) - return -EINVAL; - -+ if ( !compat_handle_okay(cmp.xchg.in.extent_start, -+ cmp.xchg.in.nr_extents) || -+ !compat_handle_okay(cmp.xchg.out.extent_start, -+ cmp.xchg.out.nr_extents) ) -+ return -EFAULT; -+ - start_extent = cmp.xchg.nr_exchanged; - end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) / - (((1U << ABS(order_delta)) + 1) * ---- a/xen/common/memory.c -+++ b/xen/common/memory.c -@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HA - goto fail_early; - } - -+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || -+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) -+ { -+ rc = -EFAULT; -+ goto fail_early; -+ } -+ - /* Only privileged guests can allocate multi-page contiguous extents. */ - if ( !multipage_allocation_permitted(current->domain, - exch.in.extent_order) || diff --git a/CVE-2012-5514-xsa30.patch b/CVE-2012-5514-xsa30.patch deleted file mode 100644 index 70b5650..0000000 --- a/CVE-2012-5514-xsa30.patch +++ /dev/null @@ -1,57 +0,0 @@ -References: CVE-2012-5514 XSA-30 bnc#789948 - -fix error handling of guest_physmap_mark_populate_on_demand() - -The only user of the "out" label bypasses a necessary unlock, thus -enabling the caller to lock up Xen. - -Also, the function was never meant to be called by a guest for itself, -so rather than inspecting the code paths in depth for potential other -problems this might cause, and adjusting e.g. the non-guest printk() -in the above error path, just disallow the guest access to it. - -Finally, the printk() (considering its potential of spamming the log, -the more that it's not using XENLOG_GUEST), is being converted to -P2M_DEBUG(), as debugging is what it apparently was added for in the -first place. - -This is XSA-30 / CVE-2012-5514. - -Signed-off-by: Jan Beulich -Acked-by: Ian Campbell -Acked-by: George Dunlap -Acked-by: Ian Jackson - ---- a/xen/arch/x86/mm/p2m-pod.c -+++ b/xen/arch/x86/mm/p2m-pod.c -@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st - mfn_t omfn; - int rc = 0; - -+ if ( !IS_PRIV_FOR(current->domain, d) ) -+ return -EPERM; -+ - if ( !paging_mode_translate(d) ) - return -EINVAL; - -@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st - omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL); - if ( p2m_is_ram(ot) ) - { -- printk("%s: gfn_to_mfn returned type %d!\n", -- __func__, ot); -+ P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot); - rc = -EBUSY; - goto out; - } -@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st - pod_unlock(p2m); - } - -+out: - gfn_unlock(p2m, gfn, order); - --out: - return rc; - } - diff --git a/CVE-2012-5515-xsa31.patch b/CVE-2012-5515-xsa31.patch deleted file mode 100644 index f4e6fc6..0000000 --- a/CVE-2012-5515-xsa31.patch +++ /dev/null @@ -1,50 +0,0 @@ -References: CVE-2012-5515 XSA-31 bnc#789950 - -memop: limit guest specified extent order - -Allowing unbounded order values here causes almost unbounded loops -and/or partially incomplete requests, particularly in PoD code. - -The added range checks in populate_physmap(), decrease_reservation(), -and the "in" one in memory_exchange() architecturally all could use -PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to -MAX_ORDER. - -This is XSA-31 / CVE-2012-5515. - -Signed-off-by: Jan Beulich -Acked-by: Tim Deegan -Acked-by: Ian Jackson - ---- a/xen/common/memory.c -+++ b/xen/common/memory.c -@@ -115,7 +115,8 @@ static void populate_physmap(struct memo - - if ( a->memflags & MEMF_populate_on_demand ) - { -- if ( guest_physmap_mark_populate_on_demand(d, gpfn, -+ if ( a->extent_order > MAX_ORDER || -+ guest_physmap_mark_populate_on_demand(d, gpfn, - a->extent_order) < 0 ) - goto out; - } -@@ -235,7 +236,8 @@ static void decrease_reservation(struct - xen_pfn_t gmfn; - - if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done, -- a->nr_extents-1) ) -+ a->nr_extents-1) || -+ a->extent_order > MAX_ORDER ) - return; - - for ( i = a->nr_done; i < a->nr_extents; i++ ) -@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HA - if ( (exch.nr_exchanged > exch.in.nr_extents) || - /* Input and output domain identifiers match? */ - (exch.in.domid != exch.out.domid) || -+ /* Extent orders are sensible? */ -+ (exch.in.extent_order > MAX_ORDER) || -+ (exch.out.extent_order > MAX_ORDER) || - /* Sizes of input and output lists do not overflow a long? */ - ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) || - ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) || diff --git a/CVE-2012-5525-xsa32.patch b/CVE-2012-5525-xsa32.patch deleted file mode 100644 index 9722c07..0000000 --- a/CVE-2012-5525-xsa32.patch +++ /dev/null @@ -1,22 +0,0 @@ -References: CVE-2012-5525 XSA-32 bnc#789952 - -x86: get_page_from_gfn() must return NULL for invalid GFNs - -... also in the non-translated case. - -This is XSA-32 / CVE-2012-5525. - -Signed-off-by: Jan Beulich -Acked-by: Tim Deegan - ---- a/xen/include/asm-x86/p2m.h -+++ b/xen/include/asm-x86/p2m.h -@@ -400,7 +400,7 @@ static inline struct page_info *get_page - if (t) - *t = p2m_ram_rw; - page = __mfn_to_page(gfn); -- return get_page(page, d) ? page : NULL; -+ return mfn_valid(gfn) && get_page(page, d) ? page : NULL; - } - - diff --git a/xen-max-free-mem.diff b/xen-max-free-mem.diff index 7d5a0e5..2c17d03 100644 --- a/xen-max-free-mem.diff +++ b/xen-max-free-mem.diff @@ -71,7 +71,7 @@ Index: xen-4.2.0-testing/tools/python/xen/xend/balloon.py +def get_dom0_min_target(): + """Returns the minimum amount of memory (in KiB) that dom0 will accept.""" + -+ kb = _get_proc_balloon('min-target') ++ kb = _get_proc_balloon(labels['min-target']) + if kb == None: + raise VmError('Failed to query minimum target memory allocation of dom0.') + return kb @@ -80,7 +80,7 @@ Index: xen-4.2.0-testing/tools/python/xen/xend/balloon.py + """Returns the maximum amount of memory (in KiB) that is potentially + visible to dom0.""" + -+ kb = _get_proc_balloon('max-target') ++ kb = _get_proc_balloon(labels['max-target']) + if kb == None: + raise VmError('Failed to query maximum target memory allocation of dom0.') + return kb @@ -133,16 +133,3 @@ Index: xen-4.2.0-testing/tools/python/xen/xend/server/SrvDomain.py [['target', 'int']], req) -Index: xen-4.2.0-testing/tools/python/xen/xend/osdep.py -=================================================================== ---- xen-4.2.0-testing.orig/tools/python/xen/xend/osdep.py -+++ xen-4.2.0-testing/tools/python/xen/xend/osdep.py -@@ -42,6 +42,8 @@ def _linux_balloon_stat_proc(label): - - xend2linux_labels = { 'current' : 'Current allocation', - 'target' : 'Requested target', -+ 'min-target' : 'Minimum target', -+ 'max-target' : 'Maximum target', - 'low-balloon' : 'Low-mem balloon', - 'high-balloon' : 'High-mem balloon', - 'limit' : 'Xen hard limit' } diff --git a/xen.changes b/xen.changes index 873b102..3ed04e7 100644 --- a/xen.changes +++ b/xen.changes @@ -1,43 +1,3 @@ -------------------------------------------------------------------- -Fri Nov 30 10:30:10 CST 2012 - cyliu@suse.com - -- fate#313222 - xenstore-chmod should support 256 permissions - 26189-xenstore-chmod.patch - -------------------------------------------------------------------- -Tue Nov 27 09:17:17 MST 2012 - carnold@novell.com - -- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version - switch list corruption vulnerability (XSA-26) - CVE-2012-5510-xsa26.patch -- bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do - not validate the range of their inputs (XSA-27) - CVE-2012-5511-xsa27.patch -- bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may - overwrite hypervisor memory (XSA-29) - CVE-2012-5513-xsa29.patch -- bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in - guest_physmap_mark_populate_on_demand() (XSA-30) - CVE-2012-5514-xsa30.patch -- bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall - operations allow invalid extent order values (XSA-31) - CVE-2012-5515-xsa31.patch -- bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not - validate input GFNs (XSA-32) - CVE-2012-5525-xsa32.patch -- Upstream patches from Jan - 26129-ACPI-BGRT-invalidate.patch - 26132-tmem-save-NULL-check.patch - 26134-x86-shadow-invlpg-check.patch - 26139-cpumap-masking.patch - 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) - 26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch) - 26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch) - 26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch) - 26179-PCI-find-next-cap.patch - 26183-x86-HPET-masking.patch - 26188-x86-time-scale-asm.patch - ------------------------------------------------------------------- Wed Nov 21 20:57:56 CET 2012 - ohering@suse.de @@ -55,19 +15,6 @@ Tue Nov 13 16:35:55 MST 2012 - jfehlig@suse.com - bnc#777628 - guest "disappears" after live migration Updated block-dmmd script -------------------------------------------------------------------- -Fri Nov 9 10:29:51 MST 2012 - carnold@novell.com - -- Fix exception in balloon.py and osdep.py - xen-max-free-mem.diff - -------------------------------------------------------------------- -Tue Nov 6 17:41:34 MDT 2012 - carnold@novell.com - -- fate#311966: Fix XEN VNC implementation to correctly map keyboard - layouts - VNC-Support-for-ExtendedKeyEvent-client-message.patch - ------------------------------------------------------------------- Tue Oct 30 15:28:27 CET 2012 - ohering@suse.de diff --git a/xen.spec b/xen.spec index c1640e1..c610f7e 100644 --- a/xen.spec +++ b/xen.spec @@ -15,7 +15,6 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - Name: xen ExclusiveArch: %ix86 x86_64 %define xvers 4.2 @@ -115,7 +114,7 @@ BuildRequires: kernel-syms BuildRequires: module-init-tools BuildRequires: xorg-x11 %endif -Version: 4.2.0_04 +Version: 4.2.0_03 Release: 0 PreReq: %insserv_prereq %fillup_prereq Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) @@ -233,25 +232,11 @@ Patch26096: 26096-SVM-nested-vmexit-emul.patch Patch26098: 26098-perfc-build.patch Patch26102: 26102-x86-IOAPIC-legacy-not-first.patch Patch26114: 26114-pygrub-list-entries.patch -Patch26129: 26129-ACPI-BGRT-invalidate.patch -Patch26132: 26132-tmem-save-NULL-check.patch -Patch26134: 26134-x86-shadow-invlpg-check.patch -Patch26139: 26139-cpumap-masking.patch -Patch26148: 26148-vcpu-timer-overflow.patch -Patch26149: 26149-x86-p2m-physmap-error-path.patch -Patch26150: 26150-x86-shadow-unhook-toplevel-check.patch -Patch26151: 26151-gnttab-compat-get-status-frames.patch -Patch26179: 26179-PCI-find-next-cap.patch -Patch26183: 26183-x86-HPET-masking.patch -Patch26188: 26188-x86-time-scale-asm.patch -Patch26189: 26189-xenstore-chmod.patch +Patch20: CVE-2012-4535-xsa20.patch +Patch22: CVE-2012-4537-xsa22.patch +Patch23: CVE-2012-4538-xsa23.patch +Patch24: CVE-2012-4539-xsa24.patch Patch25: CVE-2012-4544-xsa25.patch -Patch26: CVE-2012-5510-xsa26.patch -Patch27: CVE-2012-5511-xsa27.patch -Patch29: CVE-2012-5513-xsa29.patch -Patch30: CVE-2012-5514-xsa30.patch -Patch31: CVE-2012-5515-xsa31.patch -Patch32: CVE-2012-5525-xsa32.patch # Upstream qemu patches Patch100: VNC-Support-for-ExtendedKeyEvent-client-message.patch # Our patches @@ -773,25 +758,11 @@ tar xfj %{SOURCE6} -C $RPM_BUILD_DIR/%{xen_build_dir}/tools %patch26098 -p1 %patch26102 -p1 %patch26114 -p1 -%patch26129 -p1 -%patch26132 -p1 -%patch26134 -p1 -%patch26139 -p1 -%patch26148 -p1 -%patch26149 -p1 -%patch26150 -p1 -%patch26151 -p1 -%patch26179 -p1 -%patch26183 -p1 -%patch26188 -p1 -%patch26189 -p1 +%patch20 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 %patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch29 -p1 -%patch30 -p1 -%patch31 -p1 -%patch32 -p1 # Qemu %patch100 -p1 # Our patches