From a428832eb0d617aea77fa7d9ae6f938db9534290e04a9003b67e325f7e7a1346 Mon Sep 17 00:00:00 2001 
From: Charles Arnold Date: Thu, 12 Jun 2014 05:11:30 +0000 Subject: [PATCH] - Modify how we check for libvirt managed domains xl-check-for-libvirt-managed-domain.patch - bnc#878841 - VUL-0: XSA-96: Xen: Vulnerabilities in HVM MSI injection 538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch - Upstream patches from Jan 537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch 537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch 5383167d-ACPI-ERST-fix-table-mapping.patch 5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch 53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch 5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch 53859956-timers-set-the-deadline-more-accurately.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=318 --- ...-ranges-above-4G-with-UC-MTRR-ranges.patch | 274 ++++++++++++++++++ ...e-0xfc000000-0xffffffff-should-be-UC.patch | 34 +++ 5383167d-ACPI-ERST-fix-table-mapping.patch | 46 +++ ...in-desktop-chipset-XSA-59-workaround.patch | 30 ++ ...MU-don-t-free-page-table-prematurely.patch | 38 +++ ...r-cache-flush-when-also-flushing-TLB.patch | 35 +++ ...ers-set-the-deadline-more-accurately.patch | 29 ++ ...-vulnerabilities-from-hvm_inject_msi.patch | 44 +++ xen.changes | 21 ++ xen.spec | 18 +- xl-check-for-libvirt-managed-domain.patch | 46 ++- 11 files changed, 585 insertions(+), 30 deletions(-) create mode 100644 537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch create mode 100644 537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch create mode 100644 5383167d-ACPI-ERST-fix-table-mapping.patch create mode 100644 5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch create mode 100644 53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch create mode 100644 
5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch create mode 100644 53859956-timers-set-the-deadline-more-accurately.patch create mode 100644 538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch diff --git a/537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch b/537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch new file mode 100644 index 0000000..8d62ae9 --- /dev/null +++ b/537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch 
@@ -0,0 +1,274 @@ +# Commit d06886694328a31369addc1f614cf326728d65a6 +# Date 2014-05-21 18:13:36 +0200 +# Author Jan Beulich +# Committer Jan Beulich +hvmloader: also cover PCI MMIO ranges above 4G with UC MTRR ranges + +When adding support for BAR assignments to addresses above 4G, the MTRR +side of things was left out. + +Additionally the MMIO ranges in the DSDT's \_SB.PCI0._CRS were having +memory types not matching the ones put into MTRRs: The legacy VGA range +is supposed to be WC, and the other ones should be UC. + +Signed-off-by: Jan Beulich +Acked-by: Ian Campbell + +# Commit 119d8a42d3bfe6ebc1785720e1a7260e5c698632 +# Date 2014-05-22 14:20:19 +0200 +# Author Jan Beulich +# Committer Jan Beulich +hvmloader: fix build with certain iasl versions + +While most of them support what we have now, Wheezy's dislikes the +empty range. Put a fake one in place - it's getting overwritten upon +evaluation of _CRS anyway. + +The range could be grown (downwards) if necessary; the way it is now +it is +- the highest possible one below the 36-bit boundary (with 36 bits + being the lowest common denominator for all supported systems), +- the smallest possible one that said iasl accepts. + +Reported-by: Sander Eikelenboom +Signed-off-by: Jan Beulich +Acked-by: Ian Campbell + +# Commit 7f8d8abcf6dfb85fae591a547b24f9b27d92272c +# Date 2014-05-28 10:57:18 +0200 +# Author Jan Beulich +# Committer Jan Beulich +hvmloader: don't use AML operations on 64-bit fields + +WinXP and Win2K3, while having no problem with the QWordMemory resource +(there was another one there before), don't like operations on 64-bit +fields. Split the fields d0688669 ("hvmloader: also cover PCI MMIO +ranges above 4G with UC MTRR ranges") added to 32-bit ones, handling +carry over explicitly. 
+ +Sadly the constructs needed to create the sub-fields - nominally + + CreateDWordField(PRT0, \_SB.PCI0._CRS._Y02._MIN, MINL) + CreateDWordField(PRT0, Add(\_SB.PCI0._CRS._Y02._MIN, 4), MINH) + +- can't be used: The former gets warned upon by newer iasl, i.e. would +need to be replaced by the latter just with the addend changed to 0, +and the latter doesn't translate properly with recent iasl). Hence, +short of having an ASL/iasl expert at hand, we need to work around the +shortcomings of various iasl versions. See the code comment. + +Signed-off-by: Jan Beulich +Acked-by: Ian Campbell + +--- a/tools/firmware/hvmloader/acpi/build.c ++++ b/tools/firmware/hvmloader/acpi/build.c +@@ -51,6 +51,7 @@ struct acpi_info { + uint32_t madt_csum_addr; /* 12 - Address of MADT checksum */ + uint32_t madt_lapic0_addr; /* 16 - Address of first MADT LAPIC struct */ + uint32_t vm_gid_addr; /* 20 - Address of VM generation id buffer */ ++ uint64_t pci_hi_min, pci_hi_len; /* 24, 32 - PCI I/O hole boundaries */ + }; + + /* Number of processor objects in the chosen DSDT. 
*/ +@@ -525,6 +526,11 @@ void acpi_build_tables(struct acpi_confi + acpi_info->hpet_present = hpet_exists(ACPI_HPET_ADDRESS); + acpi_info->pci_min = pci_mem_start; + acpi_info->pci_len = pci_mem_end - pci_mem_start; ++ if ( pci_hi_mem_end > pci_hi_mem_start ) ++ { ++ acpi_info->pci_hi_min = pci_hi_mem_start; ++ acpi_info->pci_hi_len = pci_hi_mem_end - pci_hi_mem_start; ++ } + + return; + +--- a/tools/firmware/hvmloader/acpi/dsdt.asl ++++ b/tools/firmware/hvmloader/acpi/dsdt.asl +@@ -45,7 +45,7 @@ DefinitionBlock ("DSDT.aml", "DSDT", 2, + Scope (\_SB) + { + /* ACPI_INFO_PHYSICAL_ADDRESS == 0xFC000000 */ +- OperationRegion(BIOS, SystemMemory, 0xFC000000, 24) ++ OperationRegion(BIOS, SystemMemory, 0xFC000000, 40) + Field(BIOS, ByteAcc, NoLock, Preserve) { + UAR1, 1, + UAR2, 1, +@@ -56,7 +56,11 @@ DefinitionBlock ("DSDT.aml", "DSDT", 2, + PLEN, 32, + MSUA, 32, /* MADT checksum address */ + MAPA, 32, /* MADT LAPIC0 address */ +- VGIA, 32 /* VM generation id address */ ++ VGIA, 32, /* VM generation id address */ ++ LMIN, 32, ++ HMIN, 32, ++ LLEN, 32, ++ HLEN, 32 + } + + /* Fix HCT test for 0x400 pci memory: +@@ -136,7 +140,7 @@ DefinitionBlock ("DSDT.aml", "DSDT", 2, + /* reserve memory for pci devices */ + DWordMemory( + ResourceProducer, PosDecode, MinFixed, MaxFixed, +- Cacheable, ReadWrite, ++ WriteCombining, ReadWrite, + 0x00000000, + 0x000A0000, + 0x000BFFFF, +@@ -145,13 +149,24 @@ DefinitionBlock ("DSDT.aml", "DSDT", 2, + + DWordMemory( + ResourceProducer, PosDecode, MinFixed, MaxFixed, +- Cacheable, ReadWrite, ++ NonCacheable, ReadWrite, + 0x00000000, + 0xF0000000, + 0xF4FFFFFF, + 0x00000000, + 0x05000000, + ,, _Y01) ++ ++ QWordMemory ( ++ ResourceProducer, PosDecode, MinFixed, MaxFixed, ++ NonCacheable, ReadWrite, ++ 0x0000000000000000, ++ 0x0000000FFFFFFFF0, ++ 0x0000000FFFFFFFFF, ++ 0x0000000000000000, ++ 0x0000000000000010, ++ ,, _Y02) ++ + }) + + CreateDWordField(PRT0, \_SB.PCI0._CRS._Y01._MIN, MMIN) +@@ -163,6 +178,43 @@ DefinitionBlock ("DSDT.aml", "DSDT", 
2, + Add(MMIN, MLEN, MMAX) + Subtract(MMAX, One, MMAX) + ++ /* ++ * WinXP / Win2K3 blue-screen for operations on 64-bit values. ++ * Therefore we need to split the 64-bit calculations needed ++ * here, but different iasl versions evaluate name references ++ * to integers differently: ++ * Year (approximate) 2006 2008 2012 ++ * \_SB.PCI0._CRS._Y02 zero valid valid ++ * \_SB.PCI0._CRS._Y02._MIN valid valid huge ++ */ ++ If(LEqual(Zero, \_SB.PCI0._CRS._Y02)) { ++ Subtract(\_SB.PCI0._CRS._Y02._MIN, 14, Local0) ++ } Else { ++ Store(\_SB.PCI0._CRS._Y02, Local0) ++ } ++ CreateDWordField(PRT0, Add(Local0, 14), MINL) ++ CreateDWordField(PRT0, Add(Local0, 18), MINH) ++ CreateDWordField(PRT0, Add(Local0, 22), MAXL) ++ CreateDWordField(PRT0, Add(Local0, 26), MAXH) ++ CreateDWordField(PRT0, Add(Local0, 38), LENL) ++ CreateDWordField(PRT0, Add(Local0, 42), LENH) ++ ++ Store(\_SB.LMIN, MINL) ++ Store(\_SB.HMIN, MINH) ++ Store(\_SB.LLEN, LENL) ++ Store(\_SB.HLEN, LENH) ++ Add(MINL, LENL, MAXL) ++ Add(MINH, LENH, MAXH) ++ If(LLess(MAXL, MINL)) { ++ Add(MAXH, One, MAXH) ++ } ++ If(LOr(MINH, LENL)) { ++ If(LEqual(MAXL, 0)) { ++ Subtract(MAXH, One, MAXH) ++ } ++ Subtract(MAXL, One, MAXL) ++ } ++ + Return (PRT0) + } + +--- a/tools/firmware/hvmloader/cacheattr.c ++++ b/tools/firmware/hvmloader/cacheattr.c +@@ -97,8 +97,7 @@ void cacheattr_init(void) + nr_var_ranges = (uint8_t)mtrr_cap; + if ( nr_var_ranges != 0 ) + { +- unsigned long base = pci_mem_start, size; +- int i; ++ uint64_t base = pci_mem_start, size; + + for ( i = 0; (base != pci_mem_end) && (i < nr_var_ranges); i++ ) + { +@@ -109,8 +108,22 @@ void cacheattr_init(void) + size >>= 1; + + wrmsr(MSR_MTRRphysBase(i), base); +- wrmsr(MSR_MTRRphysMask(i), +- (~(uint64_t)(size-1) & addr_mask) | (1u << 11)); ++ wrmsr(MSR_MTRRphysMask(i), (~(size - 1) & addr_mask) | (1u << 11)); ++ ++ base += size; ++ } ++ ++ for ( base = pci_hi_mem_start; ++ (base != pci_hi_mem_end) && (i < nr_var_ranges); i++ ) ++ { ++ size = PAGE_SIZE; ++ while ( 
!(base & size) ) ++ size <<= 1; ++ while ( (base + size < base) || (base + size > pci_hi_mem_end) ) ++ size >>= 1; ++ ++ wrmsr(MSR_MTRRphysBase(i), base); ++ wrmsr(MSR_MTRRphysMask(i), (~(size - 1) & addr_mask) | (1u << 11)); + + base += size; + } +--- a/tools/firmware/hvmloader/config.h ++++ b/tools/firmware/hvmloader/config.h +@@ -57,7 +57,7 @@ extern struct bios_config ovmf_config; + #define PCI_MEM_END 0xfc000000 + + extern unsigned long pci_mem_start, pci_mem_end; +- ++extern uint64_t pci_hi_mem_start, pci_hi_mem_end; + + /* Memory map. */ + #define SCRATCH_PHYSICAL_ADDRESS 0x00010000 +--- a/tools/firmware/hvmloader/pci.c ++++ b/tools/firmware/hvmloader/pci.c +@@ -32,6 +32,7 @@ + + unsigned long pci_mem_start = PCI_MEM_START; + unsigned long pci_mem_end = PCI_MEM_END; ++uint64_t pci_hi_mem_start = 0, pci_hi_mem_end = 0; + + enum virtual_vga virtual_vga = VGA_none; + unsigned long igd_opregion_pgbase = 0; +@@ -345,9 +346,8 @@ void pci_setup(void) + if ( high_mem_resource.base & (bar_sz - 1) ) + high_mem_resource.base = high_mem_resource.base - + (high_mem_resource.base & (bar_sz - 1)) + bar_sz; +- else +- high_mem_resource.base = high_mem_resource.base - +- (high_mem_resource.base & (bar_sz - 1)); ++ if ( !pci_hi_mem_start ) ++ pci_hi_mem_start = high_mem_resource.base; + resource = &high_mem_resource; + bar_data &= ~PCI_BASE_ADDRESS_MEM_MASK; + } +@@ -398,6 +398,16 @@ void pci_setup(void) + pci_writew(devfn, PCI_COMMAND, cmd); + } + ++ if ( pci_hi_mem_start ) ++ { ++ /* ++ * Make end address alignment match the start address one's so that ++ * fewer variable range MTRRs are needed to cover the range. ++ */ ++ pci_hi_mem_end = ((high_mem_resource.base - 1) | ++ ((pci_hi_mem_start & -pci_hi_mem_start) - 1)) + 1; ++ } ++ + if ( vga_devfn != 256 ) + { + /* diff --git a/537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch b/537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch new file mode 100644 index 0000000..47aa269 --- /dev/null 
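Review bot: In the cacheattr_init() hunk the new high-range loop ends silently once `i` reaches `nr_var_ranges`, so any part of `pci_hi_mem_start`..`pci_hi_mem_end` not yet covered keeps whatever default memory type is configured outside this hunk instead of UC. MMIO left with a cacheable type is hard to diagnose afterwards, so I would report the shortfall after the loop, for example `if ( base != pci_hi_mem_end ) printf("Not enough variable MTRRs for the high PCI MMIO range\n");`. The low-range loop above it, also as rewritten by 537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch, exits the same way. The declaration of `i` is removed here, so it is presumably already declared at function scope outside the hunk.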
+++ b/537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch
@@ -0,0 +1,34 @@
+# Commit c22bd567ce22f6ad9bd93318ad0d7fd1c2eadb0d
+# Date 2014-05-21 18:14:04 +0200
+# Author Jan Beulich
+# Committer Jan Beulich
+hvmloader: PA range 0xfc000000-0xffffffff should be UC
+
+Rather than leaving the range from PCI_MEM_END (0xfc000000) to 4G
+uncovered, we should include this in the UC range created for the (low)
+PCI range. Besides being more correct, this also has the advantage that
+with the way pci_setup() currently works the range will always be
+mappable with a single variable range MTRR (rather than from 2 to 5
+depending on how much the lower boundary gets shifted down to
+accommodate all devices).
+
+Signed-off-by: Jan Beulich
+Acked-by: Ian Campbell
+
+--- a/tools/firmware/hvmloader/cacheattr.c
++++ b/tools/firmware/hvmloader/cacheattr.c
+@@ -99,12 +99,12 @@ void cacheattr_init(void)
+ {
+ uint64_t base = pci_mem_start, size;
+
+- for ( i = 0; (base != pci_mem_end) && (i < nr_var_ranges); i++ )
++ for ( i = 0; !(base >> 32) && (i < nr_var_ranges); i++ )
+ {
+ size = PAGE_SIZE;
+ while ( !(base & size) )
+ size <<= 1;
+- while ( ((base + size) < base) || ((base + size) > pci_mem_end) )
++ while ( ((base + size) < base) || ((base + size - 1) >> 32) )
+ size >>= 1;
+
+ wrmsr(MSR_MTRRphysBase(i), base);
diff --git a/5383167d-ACPI-ERST-fix-table-mapping.patch b/5383167d-ACPI-ERST-fix-table-mapping.patch
new file mode 100644
index 0000000..a4552e1
--- /dev/null
+++ b/5383167d-ACPI-ERST-fix-table-mapping.patch
@@ -0,0 +1,46 @@
+# Commit fca69b1fc606ece62430076ca4a157e4bed749a8
+# Date 2014-05-26 12:25:01 +0200
+# Author Jan Beulich
+# Committer Jan Beulich
+ACPI/ERST: fix table mapping
+
+acpi_get_table(), when executed before reaching SYS_STATE_active, will
+return a mapping valid only until the next invocation of that funciton.
+Consequently storing the returned pointer for later use is incorrect.
+Copy the logic used in VT-d's DMAR handling.
+
+Signed-off-by: Jan Beulich
+
+--- a/xen/drivers/acpi/apei/erst.c
++++ b/xen/drivers/acpi/apei/erst.c
+@@ -760,21 +760,27 @@ int __init erst_init(void)
+ {
+ int rc = 0;
+ acpi_status status;
++ acpi_physical_address erst_addr;
++ acpi_native_uint erst_len;
+ struct apei_exec_context ctx;
+
+ if (acpi_disabled)
+ return -ENODEV;
+
+- status = acpi_get_table(ACPI_SIG_ERST, 0,
+- (struct acpi_table_header **)&erst_tab);
++ status = acpi_get_table_phys(ACPI_SIG_ERST, 0, &erst_addr, &erst_len);
+ if (status == AE_NOT_FOUND) {
+ printk(KERN_INFO "ERST table was not found\n");
+ return -ENODEV;
+- } else if (ACPI_FAILURE(status)) {
++ }
++ if (ACPI_FAILURE(status)) {
+ const char *msg = acpi_format_exception(status);
+ printk(KERN_WARNING "Failed to get ERST table: %s\n", msg);
+ return -EINVAL;
+ }
++ map_pages_to_xen((unsigned long)__va(erst_addr), PFN_DOWN(erst_addr),
++ PFN_UP(erst_addr + erst_len) - PFN_DOWN(erst_addr),
++ PAGE_HYPERVISOR);
++ erst_tab = __va(erst_addr);
+
+ rc = erst_check_table(erst_tab);
+ if (rc) {
diff --git a/5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch b/5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch
new file mode 100644
index 0000000..cffc362
--- /dev/null
+++ b/5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch
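Review bot: The return value of `map_pages_to_xen()` in erst_init() is discarded, so a failed mapping is followed directly by `erst_check_table(erst_tab)` reading through `__va(erst_addr)`. Capture and check it with `rc = map_pages_to_xen(...);` followed by `if (rc) return rc;`, keeping the existing arguments. `erst_len` comes from the firmware table lookup and sizes the mapping unchecked; whether `erst_check_table()` validates it against the table header is not visible in this hunk. erst_init() continues past the end of the hunk.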
@@ -0,0 +1,30 @@
+# Commit f8ecf31c31906552522c2a1b0d1cada07d78876e
+# Date 2014-05-26 12:28:46 +0200
+# Author Jan Beulich
+# Committer Jan Beulich
+VT-d: fix mask applied to DMIBAR in desktop chipset XSA-59 workaround
+
+In commit ("VT-d: suppress UR signaling for desktop chipsets")
+the mask applied to the value read from DMIBAR is to narrow, only the
+comment accompanying it was correct. Fix that and tag the literal
+number as "long" at once to avoid eventual compiler warnings.
+
+The widest possible value so far is 39 bits; all chipsets covered here
+but having less than this number of bits have the remaining bits marked
+reserved (zero), and hence there's no need for making the mask chipset
+specific.
+
+Signed-off-by: Jan Beulich
+Acked-by: Yang Zhang
+
+--- a/xen/drivers/passthrough/vtd/quirks.c
++++ b/xen/drivers/passthrough/vtd/quirks.c
+@@ -467,7 +467,7 @@ void pci_vtd_quirk(const struct pci_dev
+ case 0xc00: case 0xc04: case 0xc08: /* Haswell */
+ bar = pci_conf_read32(seg, bus, dev, func, 0x6c);
+ bar = (bar << 32) | pci_conf_read32(seg, bus, dev, func, 0x68);
+- pa = bar & 0x7fffff000; /* bits 12...38 */
++ pa = bar & 0x7ffffff000UL; /* bits 12...38 */
+ if ( (bar & 1) && pa &&
+ page_is_ram_type(paddr_to_pfn(pa), RAM_TYPE_RESERVED) )
+ {
diff --git a/53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch b/53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch
new file mode 100644
index 0000000..2ebc0cd
--- /dev/null
+++ b/53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch
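Review bot: The hand-written literal `0x7ffffff000UL` in pci_vtd_quirk() is the same kind of constant that was one digit short before this change, and only the comment says which bits are meant. Building the mask from the bit positions keeps code and comment from drifting apart, e.g. `pa = bar & ((1UL << 39) - (1UL << 12)); /* bits 12...38 */`. The `UL` suffix assumes a 64-bit `unsigned long`; the declaration of `bar` is outside the hunk.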
@@ -0,0 +1,38 @@
+# Commit 6b4d71d028f445cba7426a144751fddc8bfdd67b
+# Date 2014-05-28 09:50:33 +0200
+# Author Jan Beulich
+# Committer Jan Beulich
+AMD IOMMU: don't free page table prematurely
+
+iommu_merge_pages() still wants to look at the next level page table,
+the TLB flush necessary before freeing too happens in that function,
+and if it fails no free should happen at all. Hence the freeing must
+be done after that function returned successfully, not before it's
+being called.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+Reviewed-by: Suravee Suthikulpanit
+Tested-by: Suravee Suthikulpanit
+
+--- a/xen/drivers/passthrough/amd/iommu_map.c
++++ b/xen/drivers/passthrough/amd/iommu_map.c
+@@ -691,8 +691,6 @@ int amd_iommu_map_page(struct domain *d,
+ if ( !iommu_update_pde_count(d, pt_mfn[merge_level],
+ gfn, mfn, merge_level) )
+ break;
+- /* Deallocate lower level page table */
+- free_amd_iommu_pgtable(mfn_to_page(pt_mfn[merge_level - 1]));
+
+ if ( iommu_merge_pages(d, pt_mfn[merge_level], gfn,
+ flags, merge_level) )
+@@ -703,6 +701,9 @@ int amd_iommu_map_page(struct domain *d,
+ domain_crash(d);
+ return -EFAULT;
+ }
++
++ /* Deallocate lower level page table */
++ free_amd_iommu_pgtable(mfn_to_page(pt_mfn[merge_level - 1]));
+ }
+
+ out:
diff --git a/5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch b/5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch
new file mode 100644
index 0000000..4fa0d7d
--- /dev/null
+++ b/5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch
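Review bot: The relocated comment `/* Deallocate lower level page table */` in amd_iommu_map_page() does not record why the free has to come last, and that ordering is the whole fix. I would extend it to `/* Deallocate lower level page table only after iommu_merge_pages() succeeded: it still reads that table and does the flush. */` so a later cleanup does not move the call back in front of the merge. On the failure branch the table now stays allocated when `domain_crash(d)` is called; presumably domain teardown reclaims it, but that path is outside the hunk.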
@@ -0,0 +1,35 @@
+# Commit 50df6f7429f73364bbddb0970a3a34faa01a7790
+# Date 2014-05-28 09:51:07 +0200
+# Author Jan Beulich
+# Committer Jan Beulich
+x86: don't use VA for cache flush when also flushing TLB
+
+Doing both flushes at once is a strong indication for the address
+mapping to either having got dropped (in which case the cache flush,
+when done via INVLPG, would fault) or its physical address having
+changed (in which case the cache flush would end up being done on the
+wrong address range). There is no adverse effect (other than the
+obvious performance one) using WBINVD in this case regardless of the
+range's size; only map_pages_to_xen() uses combined flushes at present.
+
+This problem was observed with the 2nd try backport of d6cb14b3 ("VT-d:
+suppress UR signaling for desktop chipsets") to 4.2 (where ioremap()
+needs to be replaced with set_fixmap_nocache(); the now commented out
+__set_fixmap(, 0, 0) there to undo the mapping resulted in the first of
+the above two scenarios).
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/flushtlb.c
++++ b/xen/arch/x86/flushtlb.c
+@@ -152,7 +152,8 @@ void flush_area_local(const void *va, un
+ if ( order < (BITS_PER_LONG - PAGE_SHIFT) )
+ sz = 1UL << (order + PAGE_SHIFT);
+
+- if ( c->x86_clflush_size && c->x86_cache_size && sz &&
++ if ( !(flags & (FLUSH_TLB|FLUSH_TLB_GLOBAL)) &&
++ c->x86_clflush_size && c->x86_cache_size && sz &&
+ ((sz >> 10) < c->x86_cache_size) )
+ {
+ va = (const void *)((unsigned long)va & ~(sz - 1));
diff --git a/53859956-timers-set-the-deadline-more-accurately.patch b/53859956-timers-set-the-deadline-more-accurately.patch
new file mode 100644
index 0000000..cad23d5
--- /dev/null
+++ b/53859956-timers-set-the-deadline-more-accurately.patch
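Review bot: The new `!(flags & (FLUSH_TLB|FLUSH_TLB_GLOBAL))` term in flush_area_local() carries no comment, and without the commit message it reads as an arbitrary restriction on the by-address cache flush. A comment above the condition such as `/* A combined TLB flush means the mapping at va may be gone or remapped; do not flush the cache by address. */` would keep the reason next to the code. The branch taken when the condition fails is outside the hunk; per the description it is the full-cache flush.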
@@ -0,0 +1,29 @@
+# Commit 054b6dfb61eab00d86ddd5d0ac508f5302da0d52
+# Date 2014-05-28 10:07:50 +0200
+# Author Ross Lagerwall
+# Committer Jan Beulich
+timers: set the deadline more accurately
+
+Program the timer to the deadline of the closest timer if it is further
+than 50us ahead, otherwise set it 50us ahead. This way a single event
+fires on time rather than 50us late (as it would have previously) while
+still preventing too many timer wakeups in the case of having many
+timers scheduled close together.
+
+(where 50us is the timer_slop)
+
+Signed-off-by: Ross Lagerwall
+
+--- a/xen/common/timer.c
++++ b/xen/common/timer.c
+@@ -492,8 +492,9 @@ static void timer_softirq_action(void)
+ deadline = heap[1]->expires;
+ if ( (ts->list != NULL) && (ts->list->expires < deadline) )
+ deadline = ts->list->expires;
++ now = NOW();
+ this_cpu(timer_deadline) =
+- (deadline == STIME_MAX) ? 0 : deadline + timer_slop;
++ (deadline == STIME_MAX) ? 0 : MAX(deadline, now + timer_slop);
+
+ if ( !reprogram_timer(this_cpu(timer_deadline)) )
+ raise_softirq(TIMER_SOFTIRQ);
diff --git a/538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch b/538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch
new file mode 100644
index 0000000..3e6db38
--- /dev/null
+++ b/538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch
@@ -0,0 +1,44 @@
+References: bnc#878841 CVE-2014-3967 CVE-2014-3968 XSA-96
+
+# Commit 6f4cc0ac41625a054861b417ea1fc3ab88e2e40a
+# Date 2014-06-03 15:17:14 +0200
+# Author Jan Beulich
+# Committer Jan Beulich
+x86/HVM: eliminate vulnerabilities from hvm_inject_msi()
+
+- pirq_info() returns NULL for a non-allocated pIRQ, and hence we
+ mustn't unconditionally de-reference it, and we need to invoke it
+ another time after having called map_domain_emuirq_pirq()
+- don't use printk(), namely without XENLOG_GUEST, for error reporting
+
+This is XSA-96.
+
+Signed-off-by: Jan Beulich
+
+--- a/xen/arch/x86/hvm/irq.c
++++ b/xen/arch/x86/hvm/irq.c
+@@ -289,20 +289,18 @@ void hvm_inject_msi(struct domain *d, ui
+ struct pirq *info = pirq_info(d, pirq);
+
+ /* if it is the first time, allocate the pirq */
+- if (info->arch.hvm.emuirq == IRQ_UNBOUND)
++ if ( !info || info->arch.hvm.emuirq == IRQ_UNBOUND )
+ {
+ spin_lock(&d->event_lock);
+ map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);
+ spin_unlock(&d->event_lock);
++ info = pirq_info(d, pirq);
++ if ( !info )
++ return;
+ } else if (info->arch.hvm.emuirq != IRQ_MSI_EMU)
+ return;
+- {
+- printk("%s: pirq %d does not correspond to an emulated MSI\n", __func__, pirq);
+ return;
+- }
+ send_guest_pirq(d, info);
+ return;
+- } else {
+- printk("%s: error getting pirq from MSI: pirq = %d\n", __func__, pirq);
+ }
+ }
+
diff --git a/xen.changes b/xen.changes
index 643c265..246dc8c 100644
--- a/xen.changes
+++ b/xen.changes
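Review bot: The result of `map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU)` is still ignored in hvm_inject_msi(), and the re-fetch added after it only rejects a NULL `info`. If the mapping fails for a pirq whose `struct pirq` already exists, `info->arch.hvm.emuirq` may not be `IRQ_MSI_EMU` when `send_guest_pirq(d, info)` runs. Testing the state after the re-fetch covers both cases: `if ( !info || info->arch.hvm.emuirq != IRQ_MSI_EMU ) return;`. The first `pirq_info()` lookup and the `emuirq` test also run before `d->event_lock` is taken; whether another lock covers them is not visible, since the enclosing `if` and the start of the function are outside the hunk.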
@@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Thu Jun 6 15:50:19 MDT 2014 - carnold@suse.com + +- Modify how we check for libvirt managed domains + xl-check-for-libvirt-managed-domain.patch + +------------------------------------------------------------------- +Thu Jun 5 08:56:13 MDT 2014 - carnold@suse.com + +- bnc#878841 - VUL-0: XSA-96: Xen: Vulnerabilities in HVM MSI + injection + 538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch +- Upstream patches from Jan + 537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch + 537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch + 5383167d-ACPI-ERST-fix-table-mapping.patch + 5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch + 53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch + 5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch + 53859956-timers-set-the-deadline-more-accurately.patch + ------------------------------------------------------------------- Tue May 27 16:54:13 CEST 2014 - ohering@suse.de diff --git a/xen.spec b/xen.spec index 451151f..df0aec2 100644 --- a/xen.spec +++ b/xen.spec @@ -154,7 +154,7 @@ BuildRequires: xorg-x11-util-devel %endif %endif -Version: 4.4.0_20 +Version: 4.4.0_22 Release: 0 PreReq: %insserv_prereq %fillup_prereq Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) 
@@ -255,6 +255,14 @@ Patch39: 53732f4f-x86-MCE-bypass-uninitialized-vcpu-in-vMCE-injection.pat Patch40: 537b5e50-VT-d-apply-quirks-at-device-setup-time-rather-than-only-at-boot.patch Patch41: 537b5e79-VT-d-extend-error-report-masking-workaround-to-newer-chipsets.patch Patch42: 537b5ede-move-domain-to-cpupool0-before-destroying-it.patch +Patch43: 537cd0b0-hvmloader-also-cover-PCI-MMIO-ranges-above-4G-with-UC-MTRR-ranges.patch +Patch44: 537cd0cc-hvmloader-PA-range-0xfc000000-0xffffffff-should-be-UC.patch +Patch45: 5383167d-ACPI-ERST-fix-table-mapping.patch +Patch46: 5383175e-VT-d-fix-mask-applied-to-DMIBAR-in-desktop-chipset-XSA-59-workaround.patch +Patch47: 53859549-AMD-IOMMU-don-t-free-page-table-prematurely.patch +Patch48: 5385956b-x86-don-t-use-VA-for-cache-flush-when-also-flushing-TLB.patch +Patch49: 53859956-timers-set-the-deadline-more-accurately.patch +Patch50: 538dcada-x86-HVM-eliminate-vulnerabilities-from-hvm_inject_msi.patch # Upstream qemu Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch @@ -660,6 +668,14 @@ Authors: %patch40 -p1 %patch41 -p1 %patch42 -p1 +%patch43 -p1 +%patch44 -p1 +%patch45 -p1 +%patch46 -p1 +%patch47 -p1 +%patch48 -p1 +%patch49 -p1 +%patch50 -p1 # Upstream qemu patches %patch250 -p1 %patch251 -p1 diff --git a/xl-check-for-libvirt-managed-domain.patch b/xl-check-for-libvirt-managed-domain.patch index eb2a675..7805a6c 100644 --- a/xl-check-for-libvirt-managed-domain.patch +++ b/xl-check-for-libvirt-managed-domain.patch 
@@ -2,57 +2,45 @@ Index: xen-4.4.0-testing/tools/libxl/xl.c =================================================================== --- xen-4.4.0-testing.orig/tools/libxl/xl.c +++ xen-4.4.0-testing/tools/libxl/xl.c -@@ -282,6 +282,44 @@ static void xl_ctx_free(void) +@@ -282,6 +282,32 @@ static void xl_ctx_free(void) } } +/* + Return 0 if domain is managed by libvirt +*/ -+static int xl_lookup_libvirt_managed_domains(int argc, char **argv) ++static int xl_lookup_libvirt_managed_domain(int argc, char **argv) +{ -+ FILE *fp; -+ int i; -+ char line[1024]; -+ char *libvirt_sock = "/run/libvirt/libvirt-sock"; ++ uint32_t domid; ++ uint8_t *t_data; ++ char *domname; ++ int i, rc, t_len; + -+ /* Check for the libvirt socket file */ -+ if (access(libvirt_sock, F_OK) != 0) { -+ return 1; -+ } -+ -+ /* Run virsh to get a list of running domains managed by libvirt */ -+ fp = popen("/usr/bin/virsh list --name 2>&1", "r"); -+ if (fp == NULL) { -+ return 1; -+ } -+ -+ /* Read the list of domains looking for each name in the xl command */ -+ while (fgets(line, sizeof(line)-1, fp) != NULL) { -+ line[strlen(line)-1] = '\0'; -+ for (i=0; imodifies && !dryrun_only) { + if (!force_execution) { -+ if (!xl_lookup_libvirt_managed_domains(argc, argv)) { ++ if (!xl_lookup_libvirt_managed_domain(argc, argv)) { + fprintf(stderr, +"Warning: This domain is managed by libvirt. Using xl commands to modify this\n" +"domain will result in errors when virsh or virt-manager is used.\n"