commit xen for openSUSE:Factory
Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2018-03-01 12:02:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xen" Thu Mar 1 12:02:20 2018 rev:243 rq:580646 version:4.10.0_13 Changes: -------- --- /work/SRC/openSUSE:Factory/xen/xen.changes 2018-02-18 11:38:14.490480633 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new/xen.changes 2018-03-01 12:02:21.481832679 +0100 
@@ -1,0 +2,36 @@ +Mon Feb 12 13:26:38 MST 2018 - carnold@suse.com + +- bsc#1080635 - VUL-0: xen: DoS via non-preemptable L3/L4 pagetable + freeing (XSA-252) + xsa252.patch +- bsc#1080662 - VUL-0: xen: grant table v2 -> v1 transition may + crash Xen (XSA-255) + xsa255-1.patch + xsa255-2.patch +- bsc#1080634 - VUL-0: xen: x86 PVH guest without LAPIC may DoS the + host (XSA-256) + xsa256.patch + +------------------------------------------------------------------- +Fri Feb 9 12:59:12 UTC 2018 - ohering@suse.de + +- Remove stale systemd presets code for 13.2 and older + +------------------------------------------------------------------- +Fri Feb 9 12:31:33 UTC 2018 - ohering@suse.de + +- fate#324965 - add script, udev rule and systemd service to watch + for vcpu online/offline events in a HVM domU + They are triggered via xl vcpu-set domU N + +------------------------------------------------------------------- +Fri Feb 9 10:23:15 UTC 2018 - ohering@suse.de + +- Replace hardcoded xen with Name tag when refering to subpkgs + +------------------------------------------------------------------- +Fri Feb 9 10:19:49 UTC 2018 - ohering@suse.de + +- Make sure tools and tools-domU require libs from the very same build + +------------------------------------------------------------------- New: ---- xsa252.patch xsa255-1.patch xsa255-2.patch xsa256.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xen.spec ++++++ --- /var/tmp/diff_new_pack.BKiFK0/_old 2018-03-01 12:02:27.993599148 +0100 +++ /var/tmp/diff_new_pack.BKiFK0/_new 2018-03-01 12:02:27.997599005 +0100 @@ -14,10 +14,9 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - - # needssslcertforbuild + #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} %define _fillupdir /var/adm/fillup-templates 
@@ -60,10 +59,6 @@ %define with_gcc47 0 %define with_gcc48 0 %define _fwdefdir /etc/sysconfig/SuSEfirewall2.d/services -%define include_systemd_preset 0 -%if 0%{?suse_version} <= 1320 && 0%{?sle_version} < 120300 -%define include_systemd_preset 1 -%endif %systemd_requires BuildRequires: systemd-devel %define with_systemd_modules_load %{_prefix}/lib/modules-load.d @@ -131,7 +126,7 @@ BuildRequires: pesign-obs-integration %endif -Version: 4.10.0_12 +Version: 4.10.0_13 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0 @@ -211,6 +206,10 @@ Patch43: 5a6b36cd-9-x86-issue-speculation-barrier.patch Patch44: 5a6b36cd-A-x86-offer-Indirect-Branch-Controls-to-guests.patch Patch45: 5a6b36cd-B-x86-clear-SPEC_CTRL-while-idle.patch +Patch252: xsa252.patch +Patch25501: xsa255-1.patch +Patch25502: xsa255-2.patch +Patch256: xsa256.patch # Our platform specific patches Patch400: xen-destdir.patch Patch401: vif-bridge-no-iptables.patch @@ -308,11 +307,11 @@ %ifarch %arm aarch64 Requires: qemu-arm %endif +Requires: %{name}-libs = %{version}-%{release} Requires: multipath-tools Requires: python3 Requires: python3-curses Requires: qemu-seabios -Requires: xen-libs = %{version} # subpackage existed in 10.3 Provides: xen-tools-ioemu = %{version} Obsoletes: xen-tools-ioemu < %{version} @@ -340,7 +339,8 @@ %package tools-domU Summary: Xen Virtualization: Control tools for domain U Group: System/Kernel -Conflicts: xen-tools +Conflicts: %{name}-tools +Requires: %{name}-libs = %{version}-%{release} %description tools-domU Xen is a virtual machine monitor for x86 that supports execution of @@ -359,8 +359,8 @@ %package devel Summary: Xen Virtualization: Headers and libraries for development Group: System/Kernel +Requires: %{name}-libs = %{version} Requires: libuuid-devel -Requires: xen-libs = %{version} %description devel Xen is a virtual machine monitor for x86 that supports execution of 
@@ -445,6 +445,10 @@
 %patch43 -p1
 %patch44 -p1
 %patch45 -p1
+%patch252 -p1
+%patch25501 -p1
+%patch25502 -p1
+%patch256 -p1
 # Our platform specific patches
 %patch400 -p1
 %patch401 -p1
@@ -609,8 +613,77 @@ mv -v $i ${i%/*}/sysconfig.${i##*/} done +# udev_rulesdir=$RPM_BUILD_ROOT%{_udevrulesdir} +tools_domU_dir=$RPM_BUILD_ROOT%{_libexecdir}/%{name}-tools-domU mkdir -p ${udev_rulesdir} +mkdir -p ${tools_domU_dir} +# +tee ${udev_rulesdir}/80-%{name}-tools-domU.rules <<'_EOR_' +# XenSource, Inc. Xen Platform Device +SUBSYSTEM=="pci", ATTR{modalias}=="pci:v00005853d00000001sv00005853sd00000001bcFFsc80i00", TAG+="systemd", ENV{SYSTEMD_WANTS}+="%{name}-vcpu-watch.service" +_EOR_ +# +tee $RPM_BUILD_ROOT%{_unitdir}/%{name}-vcpu-watch.service <<'_EOS_' +[Unit] +Description=Listen to CPU online/offline events from dom0 toolstack + +[Service] +Type=simple +ExecStart=%{_libexecdir}/%{name}-tools-domU/%{name}-vcpu-watch.sh +Restart=always +RestartSec=2 +_EOS_ +# +tee $RPM_BUILD_ROOT%{_libexecdir}/%{name}-tools-domU/%{name}-vcpu-watch.sh <<'_EOS_' +#!/bin/bash +unset LANG +unset ${!LC_*} +echo "$0 starting" >&2 +xenstore-watch cpu | while read +do + : xenstore event: ${REPLY} + case "${REPLY}" in + cpu) + : just started + ;; + cpu/[0-9]/availability|cpu/[0-9][0-9]/availability) + vcpu="${REPLY%/*}" + vcpu="${vcpu#*/}" + sysfs="/sys/devices/system/cpu/cpu${vcpu}/online" + if test -f "${sysfs}" + then + availability="`xenstore-read \"${REPLY}\"`" + case "${availability}" in + online|offline) + if test "${availability}" = "online" + then + new_sysfs_state=1 + else + new_sysfs_state=0 + fi + read cur_sysfs_state rest < "${sysfs}" + if test "${cur_sysfs_state}" = "${new_sysfs_state}" + then + : the vcpu "${vcpu}" already has state "${availability}" via "${sysfs}" + else + : setting vcpu "${vcpu}" to "${availability}" via "${sysfs}" + echo "setting vcpu ${vcpu} to ${availability}" >&2 + echo "${new_sysfs_state}" > "${sysfs}" + fi + ;; + esac + fi + ;; + *) + : unhandled + ;; + esac +done +exit 1 +_EOS_ +chmod 755 $RPM_BUILD_ROOT%{_libexecdir}/%{name}-tools-domU/%{name}-vcpu-watch.sh +# tee ${udev_rulesdir}/60-persistent-xvd.rules <<'_EOR_' ACTION=="remove", 
GOTO="xvd_aliases_end" SUBSYSTEM!="block", GOTO="xvd_aliases_end" @@ -679,7 +752,7 @@ test -n "${dev}" && echo "VBD_HD_SYMLINK=${dev}" _EOS_ # -tee ${udev_programdir}/%{name}-channel-setup.sh.sh <<'_EOF_' +tee ${udev_programdir}/%{name}-channel-setup.sh <<'_EOF_' #!/bin/bash if test "$#" -ne 2; then @@ -833,12 +906,6 @@ install -m644 %SOURCE36 $RPM_BUILD_ROOT/%{_libdir}/python%{pyver}/site-packages # Systemd -%if %{?include_systemd_preset}0 -mkdir -vp $RPM_BUILD_ROOT%_presetdir -cat > $RPM_BUILD_ROOT%_presetdir/00-%{name}.preset <<EOF -enable xencommons.service -EOF -%endif cp -bavL %{S:41} $RPM_BUILD_ROOT%{_unitdir} bn=`basename %{S:42}` cp -bavL %{S:42} $RPM_BUILD_ROOT%{_unitdir}/${bn} @@ -1012,6 +1079,7 @@ %dir /usr/lib/supportconfig/plugins /usr/lib/supportconfig/plugins/xen %{_libexecdir}/xen +%exclude %{_libexecdir}/%{name}-tools-domU %{_fillupdir}/sysconfig.pciback %{_fillupdir}/sysconfig.xencommons %{_fillupdir}/sysconfig.xendomains @@ -1036,10 +1104,8 @@ %config /etc/pam.d/xen-api %config /etc/modprobe.d/xen_loop.conf %config %{_unitdir} +%exclude %{_unitdir}/%{name}-vcpu-watch.service %config %{with_systemd_modules_load} -%if %{?include_systemd_preset}0 -%config %_presetdir -%endif %dir /etc/modprobe.d /etc/bash_completion.d/xl.sh %dir %{_libdir}/python%{pyver}/site-packages/grub @@ -1114,6 +1180,10 @@ %endif /bin/domu-xenstore* /bin/xenstore-* +%if %{?with_dom0_support}0 +%config %{_unitdir}/%{name}-vcpu-watch.service +%endif +%{_libexecdir}/%{name}-tools-domU /usr/lib/udev /usr/lib/dracut ++++++ vif-route.patch ++++++ --- /var/tmp/diff_new_pack.BKiFK0/_old 2018-03-01 12:02:28.397584660 +0100 +++ /var/tmp/diff_new_pack.BKiFK0/_new 2018-03-01 12:02:28.397584660 +0100 
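Review bot: In the `%{name}-vcpu-watch.sh` heredoc added by the `@@ -609,8 +613,77 @@` hunk, the case pattern `cpu/[0-9]/availability|cpu/[0-9][0-9]/availability` only matches vcpu numbers 0-99, so an event for a three-digit vcpu falls through to `*)` and is dropped without any log line. If guests with 100 or more vcpus are in scope, add a `cpu/[0-9][0-9][0-9]/availability` alternative, and either way have the `*)` branch `echo "ignoring ${REPLY}" >&2` so a missed event shows up in the journal. The digit-only glob and the `online|offline` check are what keep the xenstore-supplied strings out of the sysfs path and the written value, so a one-line comment saying so would stop a later edit from loosening them. The hunk's trailing context (the `60-persistent-xvd.rules` heredoc) continues outside it.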
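Review bot: In the tools-domU file list (`@@ -1114,6 +1180,10 @@`), the unit `%{_unitdir}/%{name}-vcpu-watch.service` is packaged only under `%if %{?with_dom0_support}0`, while `%{_libexecdir}/%{name}-tools-domU` and `/usr/lib/udev` (which carries `80-%{name}-tools-domU.rules` with `ENV{SYSTEMD_WANTS}+="%{name}-vcpu-watch.service"`) are listed unconditionally. In a build without dom0 support the udev rule would then want a unit the package does not ship, or the unit would be left as an unpackaged file, depending on whether the `tee` in `%install` is itself conditional, which is not visible here. Since the watcher runs inside the domU, either list the unit unconditionally or add a comment explaining why the guard is needed.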
@@ -1,10 +1,10 @@ References: bsc#985503 -Index: xen-4.9.0-testing/tools/hotplug/Linux/vif-route +Index: xen-4.10.0-testing/tools/hotplug/Linux/vif-route =================================================================== ---- xen-4.9.0-testing.orig/tools/hotplug/Linux/vif-route -+++ xen-4.9.0-testing/tools/hotplug/Linux/vif-route -@@ -37,7 +37,7 @@ case "${command}" in +--- xen-4.10.0-testing.orig/tools/hotplug/Linux/vif-route ++++ xen-4.10.0-testing/tools/hotplug/Linux/vif-route +@@ -45,7 +45,7 @@ case "${command}" in ;; esac ++++++ xsa252.patch ++++++ From: Jan Beulich <jbeulich@suse.com> Subject: memory: don't implicitly unpin for decrease-reservation It very likely was a mistake (copy-and-paste from domain cleanup code) to implicitly unpin here: The caller should really unpin itself before (or after, if they so wish) requesting the page to be removed. This is XSA-252. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> --- a/xen/common/memory.c +++ b/xen/common/memory.c @@ -357,11 +357,6 @@ int guest_remove_page(struct domain *d, rc = guest_physmap_remove_page(d, _gfn(gmfn), mfn, 0); -#ifdef _PGT_pinned - if ( !rc && test_and_clear_bit(_PGT_pinned, &page->u.inuse.type_info) ) - put_page_and_type(page); -#endif - /* * With the lack of an IOMMU on some platforms, domains with DMA-capable * device must retrieve the same pfn when the hypercall populate_physmap ++++++ xsa255-1.patch ++++++ From: Jan Beulich <jbeulich@suse.com> Subject: gnttab/ARM: don't corrupt shared GFN array ... by writing status GFNs to it. Introduce a second array instead. Also implement gnttab_status_gmfn() properly now that the information is suitably being tracked. While touching it anyway, remove a misguided (but luckily benign) upper bound check from gnttab_shared_gmfn(): We should never access beyond the bounds of that array. This is part of XSA-255. 
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> --- v3: Don't init the ARM GFN arrays to zero anymore, use INVALID_GFN. v2: New. Index: xen-4.10.0-testing/xen/common/grant_table.c =================================================================== --- xen-4.10.0-testing.orig/xen/common/grant_table.c +++ xen-4.10.0-testing/xen/common/grant_table.c @@ -3777,6 +3777,7 @@ int gnttab_map_frame(struct domain *d, u { int rc = 0; struct grant_table *gt = d->grant_table; + bool status = false; grant_write_lock(gt); @@ -3787,6 +3788,7 @@ int gnttab_map_frame(struct domain *d, u (idx & XENMAPIDX_grant_table_status) ) { idx &= ~XENMAPIDX_grant_table_status; + status = true; if ( idx < nr_status_frames(gt) ) *mfn = _mfn(virt_to_mfn(gt->status[idx])); else @@ -3804,7 +3806,7 @@ int gnttab_map_frame(struct domain *d, u } if ( !rc ) - gnttab_set_frame_gfn(gt, idx, gfn); + gnttab_set_frame_gfn(gt, status, idx, gfn); grant_write_unlock(gt); Index: xen-4.10.0-testing/xen/include/asm-arm/grant_table.h =================================================================== --- xen-4.10.0-testing.orig/xen/include/asm-arm/grant_table.h +++ xen-4.10.0-testing/xen/include/asm-arm/grant_table.h @@ -9,7 +9,8 @@ #define INITIAL_NR_GRANT_FRAMES 1U struct grant_table_arch { - gfn_t *gfn; + gfn_t *shared_gfn; + gfn_t *status_gfn; }; void gnttab_clear_flag(unsigned long nr, uint16_t *addr); @@ -21,7 +22,6 @@ int replace_grant_host_mapping(unsigned unsigned long new_gpaddr, unsigned int flags); void gnttab_mark_dirty(struct domain *d, unsigned long l); #define gnttab_create_status_page(d, t, i) do {} while (0) -#define gnttab_status_gmfn(d, t, i) (0) #define gnttab_release_host_mappings(domain) 1 static inline int replace_grant_supported(void) { 
@@ -42,19 +42,35 @@ static inline unsigned int gnttab_dom0_m #define gnttab_init_arch(gt) \ ({ \ - (gt)->arch.gfn = xzalloc_array(gfn_t, (gt)->max_grant_frames); \ - ( (gt)->arch.gfn ? 0 : -ENOMEM ); \ + unsigned int ngf_ = (gt)->max_grant_frames; \ + unsigned int nsf_ = grant_to_status_frames(ngf_); \ + \ + (gt)->arch.shared_gfn = xmalloc_array(gfn_t, ngf_); \ + (gt)->arch.status_gfn = xmalloc_array(gfn_t, nsf_); \ + if ( (gt)->arch.shared_gfn && (gt)->arch.status_gfn ) \ + { \ + while ( ngf_-- ) \ + (gt)->arch.shared_gfn[ngf_] = INVALID_GFN; \ + while ( nsf_-- ) \ + (gt)->arch.status_gfn[nsf_] = INVALID_GFN; \ + } \ + else \ + gnttab_destroy_arch(gt); \ + (gt)->arch.shared_gfn ? 0 : -ENOMEM; \ }) #define gnttab_destroy_arch(gt) \ do { \ - xfree((gt)->arch.gfn); \ - (gt)->arch.gfn = NULL; \ + xfree((gt)->arch.shared_gfn); \ + (gt)->arch.shared_gfn = NULL; \ + xfree((gt)->arch.status_gfn); \ + (gt)->arch.status_gfn = NULL; \ } while ( 0 ) -#define gnttab_set_frame_gfn(gt, idx, gfn) \ +#define gnttab_set_frame_gfn(gt, st, idx, gfn) \ do { \ - (gt)->arch.gfn[idx] = gfn; \ + ((st) ? (gt)->arch.status_gfn : (gt)->arch.shared_gfn)[idx] = \ + (gfn); \ } while ( 0 ) #define gnttab_create_shared_page(d, t, i) \ @@ -65,8 +81,10 @@ static inline unsigned int gnttab_dom0_m } while ( 0 ) #define gnttab_shared_gmfn(d, t, i) \ - ( ((i >= nr_grant_frames(t)) && \ - (i < (t)->max_grant_frames))? 0 : gfn_x((t)->arch.gfn[i])) + gfn_x(((i) >= nr_grant_frames(t)) ? INVALID_GFN : (t)->arch.shared_gfn[i]) + +#define gnttab_status_gmfn(d, t, i) \ + gfn_x(((i) >= nr_status_frames(t)) ? INVALID_GFN : (t)->arch.status_gfn[i]) #define gnttab_need_iommu_mapping(d) \ (is_domain_direct_mapped(d) && need_iommu(d)) Index: xen-4.10.0-testing/xen/include/asm-x86/grant_table.h =================================================================== --- xen-4.10.0-testing.orig/xen/include/asm-x86/grant_table.h +++ xen-4.10.0-testing/xen/include/asm-x86/grant_table.h 
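Review bot: The result expression of `gnttab_init_arch`, `(gt)->arch.shared_gfn ? 0 : -ENOMEM;`, tests only one of the two arrays; it reports a failed `status_gfn` allocation only because the `else` branch has already expanded `gnttab_destroy_arch(gt)`, which frees and NULLs both pointers. That dependency is easy to break when either macro is edited, so I would add a comment above the last line, `/* gnttab_destroy_arch() NULLed both arrays on any failure, so testing one suffices. */` (with the line-continuation backslash). In the `@@ -65,8 +81,10 @@` hunk of the same header, `gnttab_shared_gmfn` and `gnttab_status_gmfn` expand `i` twice, which is worth a note in their comment in case a caller passes an expression with side effects.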
@@ -46,7 +46,7 @@ static inline unsigned int gnttab_dom0_m #define gnttab_init_arch(gt) 0 #define gnttab_destroy_arch(gt) do {} while ( 0 ) -#define gnttab_set_frame_gfn(gt, idx, gfn) do {} while ( 0 ) +#define gnttab_set_frame_gfn(gt, st, idx, gfn) do {} while ( 0 ) #define gnttab_create_shared_page(d, t, i) \ do { \ ++++++ xsa255-2.patch ++++++ From: Jan Beulich <jbeulich@suse.com> Subject: gnttab: don't blindly free status pages upon version change There may still be active mappings, which would trigger the respective BUG_ON(). Split the loop into one dealing with the page attributes and the second (when the first fully passed) freeing the pages. Return an error if any pages still have pending references. This is part of XSA-255. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> --- v4: Add gprintk(XENLOG_ERR, ...) to domain_crash() invocations. v3: Call guest_physmap_remove_page() from gnttab_map_frame(), making the code unconditional at the same time. Re-base over changes to first patch. v2: Also deal with translated guests. Index: xen-4.10.0-testing/xen/common/grant_table.c =================================================================== --- xen-4.10.0-testing.orig/xen/common/grant_table.c +++ xen-4.10.0-testing/xen/common/grant_table.c 
@@ -1644,23 +1644,74 @@ status_alloc_failed: return -ENOMEM; } -static void +static int gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt) { - int i; + unsigned int i; for ( i = 0; i < nr_status_frames(gt); i++ ) { struct page_info *pg = virt_to_page(gt->status[i]); + gfn_t gfn = gnttab_get_frame_gfn(gt, true, i); + + /* + * For translated domains, recovering from failure after partial + * changes were made is more complicated than it seems worth + * implementing at this time. Hence respective error paths below + * crash the domain in such a case. + */ + if ( paging_mode_translate(d) ) + { + int rc = gfn_eq(gfn, INVALID_GFN) + ? 0 + : guest_physmap_remove_page(d, gfn, + _mfn(page_to_mfn(pg)), 0); + + if ( rc ) + { + gprintk(XENLOG_ERR, + "Could not remove status frame %u (GFN %#lx) from P2M\n", + i, gfn_x(gfn)); + domain_crash(d); + return rc; + } + gnttab_set_frame_gfn(gt, true, i, INVALID_GFN); + } BUG_ON(page_get_owner(pg) != d); if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) ) put_page(pg); - BUG_ON(pg->count_info & ~PGC_xen_heap); + + if ( pg->count_info & ~PGC_xen_heap ) + { + if ( paging_mode_translate(d) ) + { + gprintk(XENLOG_ERR, + "Wrong page state %#lx of status frame %u (GFN %#lx)\n", + pg->count_info, i, gfn_x(gfn)); + domain_crash(d); + } + else + { + if ( get_page(pg, d) ) + set_bit(_PGC_allocated, &pg->count_info); + while ( i-- ) + gnttab_create_status_page(d, gt, i); + } + return -EBUSY; + } + + page_set_owner(pg, NULL); + } + + for ( i = 0; i < nr_status_frames(gt); i++ ) + { free_xenheap_page(gt->status[i]); gt->status[i] = NULL; } gt->nr_status_frames = 0; + + return 0; } /* 
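Review bot: `gnttab_unpopulate_status_frames` now returns `int` but has no comment stating its contract, and the caller in `gnttab_set_version` depends on it. I would add a header comment saying that it returns 0 after freeing every status frame, `-EBUSY` when a frame still has references (non-translated domains are rolled back via `gnttab_create_status_page`, translated domains are crashed), or the `guest_physmap_remove_page` error with the domain crashed. In the rollback branch, `if ( get_page(pg, d) ) set_bit(_PGC_allocated, &pg->count_info);` reports nothing when `get_page` fails, which appears to leave frame `i` without `_PGC_allocated`. If that cannot happen here a comment should say why; otherwise a `gprintk(XENLOG_ERR, ...)` like the other error paths would make it diagnosable.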
@@ -2970,8 +3021,9 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARA break; } - if ( op.version < 2 && gt->gt_version == 2 ) - gnttab_unpopulate_status_frames(currd, gt); + if ( op.version < 2 && gt->gt_version == 2 && + (res = gnttab_unpopulate_status_frames(currd, gt)) != 0 ) + goto out_unlock; /* Make sure there's no crud left over from the old version. */ for ( i = 0; i < nr_grant_frames(gt); i++ ) @@ -3805,6 +3857,11 @@ int gnttab_map_frame(struct domain *d, u rc = -EINVAL; } + if ( !rc && paging_mode_translate(d) && + !gfn_eq(gnttab_get_frame_gfn(gt, status, idx), INVALID_GFN) ) + rc = guest_physmap_remove_page(d, gnttab_get_frame_gfn(gt, status, idx), + *mfn, 0); + if ( !rc ) gnttab_set_frame_gfn(gt, status, idx, gfn); Index: xen-4.10.0-testing/xen/include/asm-arm/grant_table.h =================================================================== --- xen-4.10.0-testing.orig/xen/include/asm-arm/grant_table.h +++ xen-4.10.0-testing/xen/include/asm-arm/grant_table.h @@ -73,6 +73,11 @@ static inline unsigned int gnttab_dom0_m (gfn); \ } while ( 0 ) +#define gnttab_get_frame_gfn(gt, st, idx) ({ \ + _gfn((st) ? gnttab_status_gmfn(NULL, gt, idx) \ + : gnttab_shared_gmfn(NULL, gt, idx)); \ +}) + #define gnttab_create_shared_page(d, t, i) \ do { \ share_xen_page_with_guest( \ Index: xen-4.10.0-testing/xen/include/asm-x86/grant_table.h =================================================================== --- xen-4.10.0-testing.orig/xen/include/asm-x86/grant_table.h +++ xen-4.10.0-testing/xen/include/asm-x86/grant_table.h 
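Review bot: The block added to `gnttab_map_frame` (`@@ -3805,6 +3857,11 @@`) expands `gnttab_get_frame_gfn(gt, status, idx)` twice, and on x86 the macro added by this same patch performs a `get_gpfn_from_mfn()` lookup on each expansion. Reading it once makes it obvious that the GFN compared with `INVALID_GFN` is the one being removed: inside `if ( !rc && paging_mode_translate(d) )`, use `gfn_t old_gfn = gnttab_get_frame_gfn(gt, status, idx);` followed by `if ( !gfn_eq(old_gfn, INVALID_GFN) ) rc = guest_physmap_remove_page(d, old_gfn, *mfn, 0);`. The leading `!rc` test is also what keeps `idx` inside the frame arrays before the lookup, which deserves a short comment. The function begins and ends outside the hunk.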
@@ -47,6 +47,12 @@ static inline unsigned int gnttab_dom0_m #define gnttab_init_arch(gt) 0 #define gnttab_destroy_arch(gt) do {} while ( 0 ) #define gnttab_set_frame_gfn(gt, st, idx, gfn) do {} while ( 0 ) +#define gnttab_get_frame_gfn(gt, st, idx) ({ \ + unsigned long mfn_ = (st) ? gnttab_status_mfn(gt, idx) \ + : gnttab_shared_mfn(gt, idx); \ + unsigned long gpfn_ = get_gpfn_from_mfn(mfn_); \ + VALID_M2P(gpfn_) ? _gfn(gpfn_) : INVALID_GFN; \ +}) #define gnttab_create_shared_page(d, t, i) \ do { \ @@ -63,11 +69,11 @@ static inline unsigned int gnttab_dom0_m } while ( 0 ) -#define gnttab_shared_mfn(d, t, i) \ +#define gnttab_shared_mfn(t, i) \ ((virt_to_maddr((t)->shared_raw[i]) >> PAGE_SHIFT)) #define gnttab_shared_gmfn(d, t, i) \ - (mfn_to_gmfn(d, gnttab_shared_mfn(d, t, i))) + (mfn_to_gmfn(d, gnttab_shared_mfn(t, i))) #define gnttab_status_mfn(t, i) \ ++++++ xsa256.patch ++++++ From: Andrew Cooper <andrew.cooper3@citrix.com> Subject: x86/hvm: Disallow the creation of HVM domains without Local APIC emulation There are multiple problems, not necesserily limited to: * Guests which configure event channels via hvmop_set_evtchn_upcall_vector(), or which hit %cr8 emulation will cause Xen to fall over a NULL vlapic->regs pointer. * On Intel hardware, disabling the TPR_SHADOW execution control without reenabling CR8_{LOAD,STORE} interception means that the guests %cr8 accesses interact with the real TPR. Amongst other things, setting the real TPR to 0xf blocks even IPIs from interrupting this CPU. * On hardware which sets up the use of Interrupt Posting, including IOMMU-Posting, guests run without the appropriate non-root configuration, which at a minimum will result in dropped interrupts. Whether no-LAPIC mode is of any use at all remains to be seen. This is XSA-256. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c index f93327b..f65fc12 100644 
--- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -413,7 +413,7 @@ static bool emulation_flags_ok(const struct domain *d, uint32_t emflags) if ( is_hardware_domain(d) && emflags != (XEN_X86_EMU_LAPIC|XEN_X86_EMU_IOAPIC) ) return false; - if ( !is_hardware_domain(d) && emflags && + if ( !is_hardware_domain(d) && emflags != XEN_X86_EMU_ALL && emflags != XEN_X86_EMU_LAPIC ) return false; }
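Review bot: The tightened check in `emulation_flags_ok` now rejects `emflags == 0` for non-hardware HVM domains, but nothing next to the condition says why; the reasons (a NULL `vlapic->regs` and the TPR and interrupt-posting issues listed in the patch description) live only in the commit message. A comment above the condition, e.g. `/* HVM domains must have LAPIC emulation; no-LAPIC guests can take down the host (XSA-256). */`, would keep the `emflags &&` term from being reintroduced. Toolstack paths that used to create no-LAPIC guests will presumably now see domain creation fail, so the accepted flag combinations are worth documenting beside the check as well. The function starts outside the hunk.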