rpm/xen
SHA256
1
0
Fork 0
forked from pool/xen
Code Pull Requests Activity

- Modify how we check for libvirt managed domains

Browse Source 
xl-check-for-libvirt-managed-domain.patch

- bnc#878841 - VUL-0: XSA-96: Xen: Vulnerabilities in HVM MSI
  injection
  538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch
- Upstream patches from Jan
  537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch
  537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch
  5383167d-ACPI-ERST-fix-table-mapping.patch
  5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch
  53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch
  5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch
  53859956-timers-set-the-deadline-more-accurately.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=318
This commit is contained in:
Charles Arnold 2014-06-12 05:11:30 +00:00 committed by Git OBS Bridge
parent fb53ca5547
commit a428832eb0
11 changed files with 585 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

274
537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch Normal file
View File

@ -0,0 +1,274 @@
# Commit d06886694328a31369addc1f614cf326728d65a6
# Date 2014-05-21 18:13:36 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
hvmloader: also cover PCI MMIO ranges above 4G with UC MTRR ranges
When adding support for BAR assignments to addresses above 4G, the MTRR
side of things was left out.
Additionally the MMIO ranges in the DSDT's \_SB.PCI0._CRS were having
memory types not matching the ones put into MTRRs: The legacy VGA range
is supposed to be WC, and the other ones should be UC.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
# Commit 119d8a42d3bfe6ebc1785720e1a7260e5c698632
# Date 2014-05-22 14:20:19 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
hvmloader: fix build with certain iasl versions
While most of them support what we have now, Wheezy's dislikes the
empty range. Put a fake one in place - it's getting overwritten upon
evaluation of _CRS anyway.
The range could be grown (downwards) if necessary; the way it is now
it is
- the highest possible one below the 36-bit boundary (with 36 bits
being the lowest common denominator for all supported systems),
- the smallest possible one that said iasl accepts.
Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
# Commit 7f8d8abcf6dfb85fae591a547b24f9b27d92272c
# Date 2014-05-28 10:57:18 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
hvmloader: don't use AML operations on 64-bit fields
WinXP and Win2K3, while having no problem with the QWordMemory resource
(there was another one there before), don't like operations on 64-bit
fields. Split the fields d0688669 ("hvmloader: also cover PCI MMIO
ranges above 4G with UC MTRR ranges") added to 32-bit ones, handling
carry over explicitly.
Sadly the constructs needed to create the sub-fields - nominally
CreateDWordField(PRT0, \_SB.PCI0._CRS._Y02._MIN, MINL)
CreateDWordField(PRT0, Add(\_SB.PCI0._CRS._Y02._MIN, 4), MINH)
- can't be used: The former gets warned upon by newer iasl, i.e. would
need to be replaced by the latter just with the addend changed to 0,
and the latter doesn't translate properly with recent iasl). Hence,
short of having an ASL/iasl expert at hand, we need to work around the
shortcomings of various iasl versions. See the code comment.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/tools/firmware/hvmloader/acpi/build.c
+++ b/tools/firmware/hvmloader/acpi/build.c
@@ -51,6 +51,7 @@ struct acpi_info {
uint32_t madt_csum_addr; /* 12 - Address of MADT checksum */
uint32_t madt_lapic0_addr; /* 16 - Address of first MADT LAPIC struct */
uint32_t vm_gid_addr; /* 20 - Address of VM generation id buffer */
+ uint64_t pci_hi_min, pci_hi_len; /* 24, 32 - PCI I/O hole boundaries */
};
/* Number of processor objects in the chosen DSDT. */
@@ -525,6 +526,11 @@ void acpi_build_tables(struct acpi_confi
acpi_info->hpet_present = hpet_exists(ACPI_HPET_ADDRESS);
acpi_info->pci_min = pci_mem_start;
acpi_info->pci_len = pci_mem_end - pci_mem_start;
+ if ( pci_hi_mem_end > pci_hi_mem_start )
+ {
+ acpi_info->pci_hi_min = pci_hi_mem_start;
+ acpi_info->pci_hi_len = pci_hi_mem_end - pci_hi_mem_start;
+ }
return;
--- a/tools/firmware/hvmloader/acpi/dsdt.asl
+++ b/tools/firmware/hvmloader/acpi/dsdt.asl
@@ -45,7 +45,7 @@ DefinitionBlock ("DSDT.aml", "DSDT", 2,
Scope (\_SB)
{
/* ACPI_INFO_PHYSICAL_ADDRESS == 0xFC000000 */
- OperationRegion(BIOS, SystemMemory, 0xFC000000, 24)
+ OperationRegion(BIOS, SystemMemory, 0xFC000000, 40)
Field(BIOS, ByteAcc, NoLock, Preserve) {
UAR1, 1,
UAR2, 1,
@@ -56,7 +56,11 @@ DefinitionBlock ("DSDT.aml", "DSDT", 2,
PLEN, 32,
MSUA, 32, /* MADT checksum address */
MAPA, 32, /* MADT LAPIC0 address */
- VGIA, 32 /* VM generation id address */
+ VGIA, 32, /* VM generation id address */
+ LMIN, 32,
+ HMIN, 32,
+ LLEN, 32,
+ HLEN, 32
}
/* Fix HCT test for 0x400 pci memory:
@@ -136,7 +140,7 @@ DefinitionBlock ("DSDT.aml", "DSDT", 2,
/* reserve memory for pci devices */
DWordMemory(
ResourceProducer, PosDecode, MinFixed, MaxFixed,
- Cacheable, ReadWrite,
+ WriteCombining, ReadWrite,
0x00000000,
0x000A0000,
0x000BFFFF,
@@ -145,13 +149,24 @@ DefinitionBlock ("DSDT.aml", "DSDT", 2,
DWordMemory(
ResourceProducer, PosDecode, MinFixed, MaxFixed,
- Cacheable, ReadWrite,
+ NonCacheable, ReadWrite,
0x00000000,
0xF0000000,
0xF4FFFFFF,
0x00000000,
0x05000000,
,, _Y01)
+
+ QWordMemory (
+ ResourceProducer, PosDecode, MinFixed, MaxFixed,
+ NonCacheable, ReadWrite,
+ 0x0000000000000000,
+ 0x0000000FFFFFFFF0,
+ 0x0000000FFFFFFFFF,
+ 0x0000000000000000,
+ 0x0000000000000010,
+ ,, _Y02)
+
})
CreateDWordField(PRT0, \_SB.PCI0._CRS._Y01._MIN, MMIN)
@@ -163,6 +178,43 @@ DefinitionBlock ("DSDT.aml", "DSDT", 2,
Add(MMIN, MLEN, MMAX)
Subtract(MMAX, One, MMAX)
+ /*
+ * WinXP / Win2K3 blue-screen for operations on 64-bit values.
+ * Therefore we need to split the 64-bit calculations needed
+ * here, but different iasl versions evaluate name references
+ * to integers differently:
+ * Year (approximate) 2006 2008 2012
+ * \_SB.PCI0._CRS._Y02 zero valid valid
+ * \_SB.PCI0._CRS._Y02._MIN valid valid huge
+ */
+ If(LEqual(Zero, \_SB.PCI0._CRS._Y02)) {
+ Subtract(\_SB.PCI0._CRS._Y02._MIN, 14, Local0)
+ } Else {
+ Store(\_SB.PCI0._CRS._Y02, Local0)
+ }
+ CreateDWordField(PRT0, Add(Local0, 14), MINL)
+ CreateDWordField(PRT0, Add(Local0, 18), MINH)
+ CreateDWordField(PRT0, Add(Local0, 22), MAXL)
+ CreateDWordField(PRT0, Add(Local0, 26), MAXH)
+ CreateDWordField(PRT0, Add(Local0, 38), LENL)
+ CreateDWordField(PRT0, Add(Local0, 42), LENH)
+
+ Store(\_SB.LMIN, MINL)
+ Store(\_SB.HMIN, MINH)
+ Store(\_SB.LLEN, LENL)
+ Store(\_SB.HLEN, LENH)
+ Add(MINL, LENL, MAXL)
+ Add(MINH, LENH, MAXH)
+ If(LLess(MAXL, MINL)) {
+ Add(MAXH, One, MAXH)
+ }
+ If(LOr(MINH, LENL)) {
+ If(LEqual(MAXL, 0)) {
+ Subtract(MAXH, One, MAXH)
+ }
+ Subtract(MAXL, One, MAXL)
+ }
+
Return (PRT0)
}
--- a/tools/firmware/hvmloader/cacheattr.c
+++ b/tools/firmware/hvmloader/cacheattr.c
@@ -97,8 +97,7 @@ void cacheattr_init(void)
nr_var_ranges = (uint8_t)mtrr_cap;
if ( nr_var_ranges != 0 )
{
- unsigned long base = pci_mem_start, size;
- int i;
+ uint64_t base = pci_mem_start, size;
for ( i = 0; (base != pci_mem_end) && (i < nr_var_ranges); i++ )
{
@@ -109,8 +108,22 @@ void cacheattr_init(void)
size >>= 1;
wrmsr(MSR_MTRRphysBase(i), base);
- wrmsr(MSR_MTRRphysMask(i),
- (~(uint64_t)(size-1) & addr_mask) | (1u << 11));
+ wrmsr(MSR_MTRRphysMask(i), (~(size - 1) & addr_mask) | (1u << 11));
+
+ base += size;
+ }
+
+ for ( base = pci_hi_mem_start;
+ (base != pci_hi_mem_end) && (i < nr_var_ranges); i++ )
+ {
+ size = PAGE_SIZE;
+ while ( !(base & size) )
+ size <<= 1;
+ while ( (base + size < base) || (base + size > pci_hi_mem_end) )
+ size >>= 1;
+
+ wrmsr(MSR_MTRRphysBase(i), base);
+ wrmsr(MSR_MTRRphysMask(i), (~(size - 1) & addr_mask) | (1u << 11));
base += size;
}
--- a/tools/firmware/hvmloader/config.h
+++ b/tools/firmware/hvmloader/config.h
@@ -57,7 +57,7 @@ extern struct bios_config ovmf_config;
#define PCI_MEM_END 0xfc000000
extern unsigned long pci_mem_start, pci_mem_end;
-
+extern uint64_t pci_hi_mem_start, pci_hi_mem_end;
/* Memory map. */
#define SCRATCH_PHYSICAL_ADDRESS 0x00010000
--- a/tools/firmware/hvmloader/pci.c
+++ b/tools/firmware/hvmloader/pci.c
@@ -32,6 +32,7 @@
unsigned long pci_mem_start = PCI_MEM_START;
unsigned long pci_mem_end = PCI_MEM_END;
+uint64_t pci_hi_mem_start = 0, pci_hi_mem_end = 0;
enum virtual_vga virtual_vga = VGA_none;
unsigned long igd_opregion_pgbase = 0;
@@ -345,9 +346,8 @@ void pci_setup(void)
if ( high_mem_resource.base & (bar_sz - 1) )
high_mem_resource.base = high_mem_resource.base -
(high_mem_resource.base & (bar_sz - 1)) + bar_sz;
- else
- high_mem_resource.base = high_mem_resource.base -
- (high_mem_resource.base & (bar_sz - 1));
+ if ( !pci_hi_mem_start )
+ pci_hi_mem_start = high_mem_resource.base;
resource = &high_mem_resource;
bar_data &= ~PCI_BASE_ADDRESS_MEM_MASK;
}
@@ -398,6 +398,16 @@ void pci_setup(void)
pci_writew(devfn, PCI_COMMAND, cmd);
}
+ if ( pci_hi_mem_start )
+ {
+ /*
+ * Make end address alignment match the start address one's so that
+ * fewer variable range MTRRs are needed to cover the range.
+ */
+ pci_hi_mem_end = ((high_mem_resource.base - 1) |
+ ((pci_hi_mem_start & -pci_hi_mem_start) - 1)) + 1;
+ }
+
if ( vga_devfn != 256 )
{
/*

34
537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch Normal file
View File

@ -0,0 +1,34 @@
# Commit c22bd567ce22f6ad9bd93318ad0d7fd1c2eadb0d
# Date 2014-05-21 18:14:04 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
hvmloader: PA range 0xfc000000-0xffffffff should be UC
Rather than leaving the range from PCI_MEM_END (0xfc000000) to 4G
uncovered, we should include this in the UC range created for the (low)
PCI range. Besides being more correct, this also has the advantage that
with the way pci_setup() currently works the range will always be
mappable with a single variable range MTRR (rather than from 2 to 5
depending on how much the lower boundary gets shifted down to
accommodate all devices).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
--- a/tools/firmware/hvmloader/cacheattr.c
+++ b/tools/firmware/hvmloader/cacheattr.c
@@ -99,12 +99,12 @@ void cacheattr_init(void)
{
uint64_t base = pci_mem_start, size;
- for ( i = 0; (base != pci_mem_end) && (i < nr_var_ranges); i++ )
+ for ( i = 0; !(base >> 32) && (i < nr_var_ranges); i++ )
{
size = PAGE_SIZE;
while ( !(base & size) )
size <<= 1;
- while ( ((base + size) < base) || ((base + size) > pci_mem_end) )
+ while ( ((base + size) < base) || ((base + size - 1) >> 32) )
size >>= 1;
wrmsr(MSR_MTRRphysBase(i), base);

46
5383167d-ACPI-ERST-fix-table-mapping.patch Normal file
View File

@ -0,0 +1,46 @@
# Commit fca69b1fc606ece62430076ca4a157e4bed749a8
# Date 2014-05-26 12:25:01 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
ACPI/ERST: fix table mapping
acpi_get_table(), when executed before reaching SYS_STATE_active, will
return a mapping valid only until the next invocation of that funciton.
Consequently storing the returned pointer for later use is incorrect.
Copy the logic used in VT-d's DMAR handling.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/drivers/acpi/apei/erst.c
+++ b/xen/drivers/acpi/apei/erst.c
@@ -760,21 +760,27 @@ int __init erst_init(void)
{
int rc = 0;
acpi_status status;
+ acpi_physical_address erst_addr;
+ acpi_native_uint erst_len;
struct apei_exec_context ctx;
if (acpi_disabled)
return -ENODEV;
- status = acpi_get_table(ACPI_SIG_ERST, 0,
- (struct acpi_table_header **)&erst_tab);
+ status = acpi_get_table_phys(ACPI_SIG_ERST, 0, &erst_addr, &erst_len);
if (status == AE_NOT_FOUND) {
printk(KERN_INFO "ERST table was not found\n");
return -ENODEV;
- } else if (ACPI_FAILURE(status)) {
+ }
+ if (ACPI_FAILURE(status)) {
const char *msg = acpi_format_exception(status);
printk(KERN_WARNING "Failed to get ERST table: %s\n", msg);
return -EINVAL;
}
+ map_pages_to_xen((unsigned long)__va(erst_addr), PFN_DOWN(erst_addr),
+ PFN_UP(erst_addr + erst_len) - PFN_DOWN(erst_addr),
+ PAGE_HYPERVISOR);
+ erst_tab = __va(erst_addr);
rc = erst_check_table(erst_tab);
if (rc) {

30
5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch Normal file
View File

@ -0,0 +1,30 @@
# Commit f8ecf31c31906552522c2a1b0d1cada07d78876e
# Date 2014-05-26 12:28:46 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
VT-d: fix mask applied to DMIBAR in desktop chipset XSA-59 workaround
In commit ("VT-d: suppress UR signaling for desktop chipsets")
the mask applied to the value read from DMIBAR is to narrow, only the
comment accompanying it was correct. Fix that and tag the literal
number as "long" at once to avoid eventual compiler warnings.
The widest possible value so far is 39 bits; all chipsets covered here
but having less than this number of bits have the remaining bits marked
reserved (zero), and hence there's no need for making the mask chipset
specific.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Yang Zhang <yang.z.zhang@intel.com>
--- a/xen/drivers/passthrough/vtd/quirks.c
+++ b/xen/drivers/passthrough/vtd/quirks.c
@@ -467,7 +467,7 @@ void pci_vtd_quirk(const struct pci_dev
case 0xc00: case 0xc04: case 0xc08: /* Haswell */
bar = pci_conf_read32(seg, bus, dev, func, 0x6c);
bar = (bar << 32) | pci_conf_read32(seg, bus, dev, func, 0x68);
- pa = bar & 0x7fffff000; /* bits 12...38 */
+ pa = bar & 0x7ffffff000UL; /* bits 12...38 */
if ( (bar & 1) && pa &&
page_is_ram_type(paddr_to_pfn(pa), RAM_TYPE_RESERVED) )
{

38
53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch Normal file
View File

@ -0,0 +1,38 @@
# Commit 6b4d71d028f445cba7426a144751fddc8bfdd67b
# Date 2014-05-28 09:50:33 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
AMD IOMMU: don't free page table prematurely
iommu_merge_pages() still wants to look at the next level page table,
the TLB flush necessary before freeing too happens in that function,
and if it fails no free should happen at all. Hence the freeing must
be done after that function returned successfully, not before it's
being called.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Tested-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
--- a/xen/drivers/passthrough/amd/iommu_map.c
+++ b/xen/drivers/passthrough/amd/iommu_map.c
@@ -691,8 +691,6 @@ int amd_iommu_map_page(struct domain *d,
if ( !iommu_update_pde_count(d, pt_mfn[merge_level],
gfn, mfn, merge_level) )
break;
- /* Deallocate lower level page table */
- free_amd_iommu_pgtable(mfn_to_page(pt_mfn[merge_level - 1]));
if ( iommu_merge_pages(d, pt_mfn[merge_level], gfn,
flags, merge_level) )
@@ -703,6 +701,9 @@ int amd_iommu_map_page(struct domain *d,
domain_crash(d);
return -EFAULT;
}
+
+ /* Deallocate lower level page table */
+ free_amd_iommu_pgtable(mfn_to_page(pt_mfn[merge_level - 1]));
}
out:

35
5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch Normal file
View File

@ -0,0 +1,35 @@
# Commit 50df6f7429f73364bbddb0970a3a34faa01a7790
# Date 2014-05-28 09:51:07 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: don't use VA for cache flush when also flushing TLB
Doing both flushes at once is a strong indication for the address
mapping to either having got dropped (in which case the cache flush,
when done via INVLPG, would fault) or its physical address having
changed (in which case the cache flush would end up being done on the
wrong address range). There is no adverse effect (other than the
obvious performance one) using WBINVD in this case regardless of the
range's size; only map_pages_to_xen() uses combined flushes at present.
This problem was observed with the 2nd try backport of d6cb14b3 ("VT-d:
suppress UR signaling for desktop chipsets") to 4.2 (where ioremap()
needs to be replaced with set_fixmap_nocache(); the now commented out
__set_fixmap(, 0, 0) there to undo the mapping resulted in the first of
the above two scenarios).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/flushtlb.c
+++ b/xen/arch/x86/flushtlb.c
@@ -152,7 +152,8 @@ void flush_area_local(const void *va, un
if ( order < (BITS_PER_LONG - PAGE_SHIFT) )
sz = 1UL << (order + PAGE_SHIFT);
- if ( c->x86_clflush_size && c->x86_cache_size && sz &&
+ if ( !(flags & (FLUSH_TLB|FLUSH_TLB_GLOBAL)) &&
+ c->x86_clflush_size && c->x86_cache_size && sz &&
((sz >> 10) < c->x86_cache_size) )
{
va = (const void *)((unsigned long)va & ~(sz - 1));

29
53859956-timers-set-the-deadline-more-accurately.patch Normal file
View File

@ -0,0 +1,29 @@
# Commit 054b6dfb61eab00d86ddd5d0ac508f5302da0d52
# Date 2014-05-28 10:07:50 +0200
# Author Ross Lagerwall <ross.lagerwall@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
timers: set the deadline more accurately
Program the timer to the deadline of the closest timer if it is further
than 50us ahead, otherwise set it 50us ahead. This way a single event
fires on time rather than 50us late (as it would have previously) while
still preventing too many timer wakeups in the case of having many
timers scheduled close together.
(where 50us is the timer_slop)
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
--- a/xen/common/timer.c
+++ b/xen/common/timer.c
@@ -492,8 +492,9 @@ static void timer_softirq_action(void)
deadline = heap[1]->expires;
if ( (ts->list != NULL) && (ts->list->expires < deadline) )
deadline = ts->list->expires;
+ now = NOW();
this_cpu(timer_deadline) =
- (deadline == STIME_MAX) ? 0 : deadline + timer_slop;
+ (deadline == STIME_MAX) ? 0 : MAX(deadline, now + timer_slop);
if ( !reprogram_timer(this_cpu(timer_deadline)) )
raise_softirq(TIMER_SOFTIRQ);

44
538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch Normal file
View File

@ -0,0 +1,44 @@
References: bnc#878841 CVE-2014-3967 CVE-2014-3968 XSA-96
# Commit 6f4cc0ac41625a054861b417ea1fc3ab88e2e40a
# Date 2014-06-03 15:17:14 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/HVM: eliminate vulnerabilities from hvm_inject_msi()
- pirq_info() returns NULL for a non-allocated pIRQ, and hence we
mustn't unconditionally de-reference it, and we need to invoke it
another time after having called map_domain_emuirq_pirq()
- don't use printk(), namely without XENLOG_GUEST, for error reporting
This is XSA-96.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/hvm/irq.c
+++ b/xen/arch/x86/hvm/irq.c
@@ -289,20 +289,18 @@ void hvm_inject_msi(struct domain *d, ui
struct pirq *info = pirq_info(d, pirq);
/* if it is the first time, allocate the pirq */
- if (info->arch.hvm.emuirq == IRQ_UNBOUND)
+ if ( !info || info->arch.hvm.emuirq == IRQ_UNBOUND )
{
spin_lock(&d->event_lock);
map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);
spin_unlock(&d->event_lock);
+ info = pirq_info(d, pirq);
+ if ( !info )
+ return;
} else if (info->arch.hvm.emuirq != IRQ_MSI_EMU)
- {
- printk("%s: pirq %d does not correspond to an emulated MSI\n", __func__, pirq);
return;
- }
send_guest_pirq(d, info);
return;
- } else {
- printk("%s: error getting pirq from MSI: pirq = %d\n", __func__, pirq);
}
}

21
xen.changes
View File

@ -1,3 +1,24 @@
-------------------------------------------------------------------
Thu Jun 6 15:50:19 MDT 2014 - carnold@suse.com
- Modify how we check for libvirt managed domains
xl-check-for-libvirt-managed-domain.patch
-------------------------------------------------------------------
Thu Jun 5 08:56:13 MDT 2014 - carnold@suse.com
- bnc#878841 - VUL-0: XSA-96: Xen: Vulnerabilities in HVM MSI
injection
538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch
- Upstream patches from Jan
537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch
537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch
5383167d-ACPI-ERST-fix-table-mapping.patch
5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch
53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch
5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch
53859956-timers-set-the-deadline-more-accurately.patch
-------------------------------------------------------------------
Tue May 27 16:54:13 CEST 2014 - ohering@suse.de

18
xen.spec
View File

@ -154,7 +154,7 @@ BuildRequires: xorg-x11-util-devel
%endif
%endif
Version: 4.4.0_20
Version: 4.4.0_22
Release: 0
PreReq: %insserv_prereq %fillup_prereq
Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
@ -255,6 +255,14 @@ Patch39: 53732f4f-x86-MCE-bypass-uninitialized-vcpu-in-vMCE-injection.pat
Patch40: 537b5e50-VT-d-apply-quirks-at-device-setup-time-rather-than-only-at-boot.patch
Patch41: 537b5e79-VT-d-extend-error-report-masking-workaround-to-newer-chipsets.patch
Patch42: 537b5ede-move-domain-to-cpupool0-before-destroying-it.patch
Patch43: 537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch
Patch44: 537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch
Patch45: 5383167d-ACPI-ERST-fix-table-mapping.patch
Patch46: 5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch
Patch47: 53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch
Patch48: 5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch
Patch49: 53859956-timers-set-the-deadline-more-accurately.patch
Patch50: 538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch
# Upstream qemu
Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch
Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch
@ -660,6 +668,14 @@ Authors:
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%patch45 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch49 -p1
%patch50 -p1
# Upstream qemu patches
%patch250 -p1
%patch251 -p1

46
xl-check-for-libvirt-managed-domain.patch
View File

@ -2,57 +2,45 @@ Index: xen-4.4.0-testing/tools/libxl/xl.c
===================================================================
--- xen-4.4.0-testing.orig/tools/libxl/xl.c
+++ xen-4.4.0-testing/tools/libxl/xl.c
@@ -282,6 +282,44 @@ static void xl_ctx_free(void)
@@ -282,6 +282,32 @@ static void xl_ctx_free(void)
}
}
+/*
+ Return 0 if domain is managed by libvirt
+*/
+static int xl_lookup_libvirt_managed_domains(int argc, char **argv)
+static int xl_lookup_libvirt_managed_domain(int argc, char **argv)
+{
+ FILE *fp;
+ int i;
+ char line[1024];
+ char *libvirt_sock = "/run/libvirt/libvirt-sock";
+ uint32_t domid;
+ uint8_t *t_data;
+ char *domname;
+ int i, rc, t_len;
+
+ /* Check for the libvirt socket file */
+ if (access(libvirt_sock, F_OK) != 0) {
+ return 1;
+ }
+
+ /* Run virsh to get a list of running domains managed by libvirt */
+ fp = popen("/usr/bin/virsh list --name 2>&1", "r");
+ if (fp == NULL) {
+ return 1;
+ }
+
+ /* Read the list of domains looking for each name in the xl command */
+ while (fgets(line, sizeof(line)-1, fp) != NULL) {
+ line[strlen(line)-1] = '\0';
+ for (i=0; i<argc && line[0]; ++i) {
+ if (!strcmp(argv[i], line)) {
+ pclose(fp);
+ return 0;
+ for (i=0; i<argc; ++i) {
+ rc = libxl_domain_qualifier_to_domid(ctx, argv[i], &domid);
+ if (!rc) {
+ domname = libxl_domid_to_name(ctx, domid);
+ if (domname != NULL) {
+ rc = libxl_userdata_retrieve(ctx, domid, "libvirt-xml", &t_data, &t_len);
+ if (!rc && t_len)
+ return 0;
+ break;
+ }
+ }
+ }
+
+ pclose(fp);
+
+ /* Not found */
+ return 1;
+}
+
int main(int argc, char **argv)
{
int opt = 0;
@@ -345,6 +383,18 @@ int main(int argc, char **argv)
@@ -345,6 +371,18 @@ int main(int argc, char **argv)
goto xit;
}
if (cspec->modifies && !dryrun_only) {
+ if (!force_execution) {
+ if (!xl_lookup_libvirt_managed_domains(argc, argv)) {
+ if (!xl_lookup_libvirt_managed_domain(argc, argv)) {
+ fprintf(stderr,
+"Warning: This domain is managed by libvirt. Using xl commands to modify this\n"
+"domain will result in errors when virsh or virt-manager is used.\n"