rpm/xen
SHA256
1
0
Fork 0
forked from pool/xen
Code Pull Requests Activity
xen/524e971b-x86-idle-Fix-get_cpu_idle_time-s-interaction-with-offline-pcpus.patch
Charles Arnold b244ce9e91 - domUloader can no longer be used with the xl toolstack to boot 
sles10. Patch pygrub to get the kernel and initrd from the image.
  pygrub-boot-legacy-sles.patch

- bnc#842515 - VUL-0: CVE-2013-4375: XSA-71: xen: qemu disk backend
  (qdisk) resource leak
  CVE-2013-4375-xsa71.patch
- Upstream patches from Jan
  52496bea-x86-properly-handle-hvm_copy_from_guest_-phys-virt-errors.patch (Replaces CVE-2013-4355-xsa63.patch)
  52496c11-x86-mm-shadow-Fix-initialization-of-PV-shadow-L4-tables.patch (Replaces CVE-2013-4356-xsa64.patch)
  52496c32-x86-properly-set-up-fbld-emulation-operand-address.patch (Replaces CVE-2013-4361-xsa66.patch)
  52497c6c-x86-don-t-blindly-create-L3-tables-for-the-direct-map.patch
  524e971b-x86-idle-Fix-get_cpu_idle_time-s-interaction-with-offline-pcpus.patch
  524e9762-x86-percpu-Force-INVALID_PERCPU_AREA-to-non-canonical.patch
  524e983e-Nested-VMX-check-VMX-capability-before-read-VMX-related-MSRs.patch
  524e98b1-Nested-VMX-fix-IA32_VMX_CR4_FIXED1-msr-emulation.patch
  524e9dc0-xsm-forbid-PV-guest-console-reads.patch
  5256a979-x86-check-segment-descriptor-read-result-in-64-bit-OUTS-emulation.patch
  5256be57-libxl-fix-vif-rate-parsing.patch
  5256be84-tools-ocaml-fix-erroneous-free-of-cpumap-in-stub_xc_vcpu_getaffinity.patch
  5256be92-libxl-fix-out-of-memory-error-handling-in-libxl_list_cpupool.patch
  5257a89a-x86-correct-LDT-checks.patch
  5257a8e7-x86-add-address-validity-check-to-guest_map_l1e.patch
  5257a944-x86-check-for-canonical-address-before-doing-page-walks.patch
  525b95f4-scheduler-adjust-internal-locking-interface.patch
  525b9617-sched-fix-race-between-sched_move_domain-and-vcpu_wake.patch
  525e69e8-credit-unpause-parked-vcpu-before-destroying-it.patch
  525faf5e-x86-print-relevant-tail-part-of-filename-for-warnings-and-crashes.patch

- bnc#840196 - L3: MTU size on Dom0 gets reset when booting DomU

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=276
2013-10-24 21:00:35 +00:00

83 lines
2.7 KiB
Diff
Raw Blame History

# Commit 0aa27ce3351f7eb09d13e863a1d5f303086aa32a
# Date 2013-10-04 12:23:23 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/idle: Fix get_cpu_idle_time()'s interaction with offline pcpus
Checking for "idle_vcpu[cpu] != NULL" is insufficient protection against
offline pcpus. From a hypercall, vcpu_runstate_get() will determine "v !=
current", and try to take the vcpu_schedule_lock(). This will try to look up
per_cpu(schedule_data, v->processor) and promptly suffer a NULL structure
deference as v->processors' __per_cpu_offset is INVALID_PERCPU_AREA.
One example might look like this:
...
Xen call trace:
[<ffff82c4c0126ddb>] vcpu_runstate_get+0x50/0x113
[<ffff82c4c0126ec6>] get_cpu_idle_time+0x28/0x2e
[<ffff82c4c012b5cb>] do_sysctl+0x3db/0xeb8
[<ffff82c4c023280d>] compat_hypercall+0xbd/0x116
Pagetable walk from 0000000000000040:
L4[0x000] = 0000000186df8027 0000000000028207
L3[0x000] = 0000000188e36027 00000000000261c9
L2[0x000] = 0000000000000000 ffffffffffffffff
****************************************
Panic on CPU 11:
...
get_cpu_idle_time() has been updated to correctly deal with offline pcpus
itself by returning 0, in the same way as it would if it was missing the
idle_vcpu[] pointer.
In doing so, XENPF_getidletime needed updating to correctly retain its
described behaviour of clearing bits in the cpumap for offline pcpus.
As this crash can only be triggered with toolstack hypercalls, it is not a
security issue and just a simple bug.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
--- a/xen/arch/x86/platform_hypercall.c
+++ b/xen/arch/x86/platform_hypercall.c
@@ -355,10 +355,14 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PA
for_each_cpu ( cpu, cpumap )
{
- if ( idle_vcpu[cpu] == NULL )
- cpumask_clear_cpu(cpu, cpumap);
idletime = get_cpu_idle_time(cpu);
+ if ( !idletime )
+ {
+ cpumask_clear_cpu(cpu, cpumap);
+ continue;
+ }
+
if ( copy_to_guest_offset(idletimes, cpu, &idletime, 1) )
{
ret = -EFAULT;
--- a/xen/common/schedule.c
+++ b/xen/common/schedule.c
@@ -176,13 +176,12 @@ void vcpu_runstate_get(struct vcpu *v, s
uint64_t get_cpu_idle_time(unsigned int cpu)
{
- struct vcpu_runstate_info state;
- struct vcpu *v;
+ struct vcpu_runstate_info state = { 0 };
+ struct vcpu *v = idle_vcpu[cpu];
- if ( (v = idle_vcpu[cpu]) == NULL )
- return 0;
+ if ( cpu_online(cpu) && v )
+ vcpu_runstate_get(v, &state);
- vcpu_runstate_get(v, &state);
return state.time[RUNSTATE_running];
}
View Git Blame Copy Permalink