commit xen for openSUSE:Factory
![](https://seccdn.libravatar.org/avatar/e2145bc5cf53dda95c308a3c75e8fef3.jpg?s=120&d=mm&r=g)
2 Jul
2018
2 Jul
'18
21:30
Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2018-07-02 23:30:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xen" Mon Jul 2 23:30:29 2018 rev:250 rq:619824 version:4.10.1_08 Changes: -------- --- /work/SRC/openSUSE:Factory/xen/xen.changes 2018-06-08 23:08:45.490595786 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new/xen.changes 2018-07-02 23:30:44.733450521 +0200 @@ -1,0 +2,62 @@ +Fri Jun 29 08:35:34 MDT 2018 - carnold@suse.com + +- Upstream patches from Jan (bsc#1027519) + 5b02c786-x86-AMD-mitigations-for-GPZ-SP4.patch (Replaces Spectre-v4-1.patch) + 5b02c786-x86-Intel-mitigations-for-GPZ-SP4.patch (Replaces Spectre-v4-2.patch) + 5b02c786-x86-msr-virtualise-SPEC_CTRL-SSBD.patch (Replaces Spectre-v4-3.patch) + 5b0bc9da-x86-XPTI-fix-S3-resume.patch + 5b0d2286-libxc-x86-PV-dont-hand-through-CPUID-leaf-0x80000008.patch + 5b0d2d91-x86-suppress-sync-when-XPTI-off.patch + 5b0d2dbc-x86-correct-default_xen_spec_ctrl.patch + 5b0d2ddc-x86-CPUID-dont-override-tool-stack-hidden-STIBP.patch + 5b150ef9-x86-fix-error-handling-of-pv-dr7-shadow.patch + 5b21825d-1-x86-support-fully-eager-FPU-context-switching.patch (Replaces xsa267-1.patch) + 5b21825d-2-x86-spec-ctrl-mitigations-for-LazyFPU.patch (Replaces xsa267-2.patch) + 5b238b92-x86-HVM-account-for-fully-eager-FPU.patch + 5b2b7172-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch + 5b31e004-x86-HVM-emul-attempts-FPU-set-fpu_initialised.patch + 5b323e3c-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch + 5b34882d-x86-mm-dont-bypass-preemption-checks.patch (Replaces xsa264.patch) + 5b348874-x86-refine-checks-in-DB-handler.patch (Replaces xsa265.patch) + 5b348897-libxl-qemu_disk_scsi_drive_string-break-out-common.patch (Replaces xsa266-1-<>.patch) + 5b3488a2-libxl-restore-passing-ro-to-qemu-for-SCSI-disks.patch (Replaces xsa266-2-<>.patch) + 5b34891a-x86-HVM-dont-cause-NM-to-be-raised.patch + 5b348954-x86-guard-against-NM.patch + +------------------------------------------------------------------- +Mon Jun 25 09:50:31 UTC 2018 - ohering@suse.de + +- Fix more build gcc8 related failures with xen.fuzz-_FORTIFY_SOURCE.patch + +------------------------------------------------------------------- +Mon Jun 25 09:44:25 UTC 2018 - ohering@suse.de + +- bsc#1098403 - fix regression introduced by changes for bsc#1079730 + a PV domU without qcow2 and/or vfb has no qemu attached. + Ignore QMP errors for PV domUs to handle PV domUs with and without + an attached qemu-xen. + xen.bug1079730.patch + +------------------------------------------------------------------- +Mon Jun 18 14:57:06 MDT 2018 - carnold@suse.com + +- bsc#1097521 - VUL-0: CVE-2018-12891: xen: preemption checks + bypassed in x86 PV MM handling (XSA-264) + xsa264.patch +- bsc#1097522 - VUL-0: CVE-2018-12893: xen: x86: #DB exception + safety check can be triggered by a guest (XSA-265) + xsa265.patch +- bsc#1097523 - VUL-0: CVE-2018-12892: xen: libxl fails to honour + readonly flag on HVM emulated SCSI disks (XSA-266) + xsa266-1-libxl-qemu_disk_scsi_drive_string-Break-out-common-p.patch + xsa266-2-libxl-restore-passing-readonly-to-qemu-for-SCSI-disk.patch + +------------------------------------------------------------------- +Wed Jun 13 14:20:14 MDT 2018 - carnold@suse.com + +- bsc#1095242 - VUL-0: CVE-2018-3665: xen: Lazy FP Save/Restore + (XSA-267) + xsa267-1.patch + xsa267-2.patch + +------------------------------------------------------------------- @@ -11 +73 @@ - Bypass aka "Memory Disambiguation" + Bypass aka "Memory Disambiguation" (XSA-263) @@ -31 +93 @@ -- always call qemus xen-save-devices-state in suspend/resume to +- Always call qemus xen-save-devices-state in suspend/resume to @@ -39,0 +102,3 @@ +- bsc#1087289 - L3: Xen BUG at sched_credit.c:1663 + 5aeaeae4-introduce-vcpu_sleep_nosync_locked.patch + 5aeaeaf0-sched-fix-races-in-vcpu-migration.patch @@ -48,2 +112,0 @@ - 5aeaeae4-introduce-vcpu_sleep_nosync_locked.patch - 5aeaeaf0-sched-fix-races-in-vcpu-migration.patch Old: ---- Spectre-v4-1.patch Spectre-v4-2.patch Spectre-v4-3.patch New: ---- 5b02c786-x86-AMD-mitigations-for-GPZ-SP4.patch 5b02c786-x86-Intel-mitigations-for-GPZ-SP4.patch 5b02c786-x86-msr-virtualise-SPEC_CTRL-SSBD.patch 5b0bc9da-x86-XPTI-fix-S3-resume.patch 5b0d2286-libxc-x86-PV-dont-hand-through-CPUID-leaf-0x80000008.patch 5b0d2d91-x86-suppress-sync-when-XPTI-off.patch 5b0d2dbc-x86-correct-default_xen_spec_ctrl.patch 5b0d2ddc-x86-CPUID-dont-override-tool-stack-hidden-STIBP.patch 5b150ef9-x86-fix-error-handling-of-pv-dr7-shadow.patch 5b21825d-1-x86-support-fully-eager-FPU-context-switching.patch 5b21825d-2-x86-spec-ctrl-mitigations-for-LazyFPU.patch 5b238b92-x86-HVM-account-for-fully-eager-FPU.patch 5b2b7172-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch 5b31e004-x86-HVM-emul-attempts-FPU-set-fpu_initialised.patch 5b323e3c-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch 5b34882d-x86-mm-dont-bypass-preemption-checks.patch 5b348874-x86-refine-checks-in-DB-handler.patch 5b348897-libxl-qemu_disk_scsi_drive_string-break-out-common.patch 5b3488a2-libxl-restore-passing-ro-to-qemu-for-SCSI-disks.patch 5b34891a-x86-HVM-dont-cause-NM-to-be-raised.patch 5b348954-x86-guard-against-NM.patch xen.fuzz-_FORTIFY_SOURCE.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xen.spec ++++++ --- /var/tmp/diff_new_pack.CRshPV/_old 2018-07-02 23:30:46.293448584 +0200 +++ /var/tmp/diff_new_pack.CRshPV/_new 2018-07-02 23:30:46.297448579 +0200 @@ -126,7 +126,7 @@ BuildRequires: pesign-obs-integration %endif -Version: 4.10.1_02 +Version: 4.10.1_08 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0-only @@ -162,60 +162,78 @@ Source99: baselibs.conf # Upstream patches Patch1: 5a33a12f-domctl-improve-locking-during-domain-destruction.patch -Patch2: 5a79d7ed-libxc-packed-initrd-dont-fail-domain-creation.patch -Patch3: 5ad4923e-x86-correct-S3-resume-ordering.patch -Patch4: 5ad49293-x86-suppress-BTI-mitigations-around-S3.patch -Patch5: 5ad600d4-x86-pv-introduce-x86emul_read_dr.patch -Patch6: 5ad600d4-x86-pv-introduce-x86emul_write_dr.patch -Patch7: 5ad8c3a7-x86-spec_ctrl-update-retpoline-decision-making.patch -Patch8: 5adda097-x86-HPET-fix-race-triggering-ASSERT.patch -Patch9: 5adda0d5-x86-HVM-never-retain-emulated-insn-cache.patch -Patch10: 5adde9ed-xpti-fix-double-fault-handling.patch -Patch11: 5ae06fad-SVM-fix-intercepts-for-SYS-CALL-ENTER-MSRs.patch -Patch12: 5ae31917-x86-cpuidle-init-stats-lock-once.patch -Patch13: 5aeaeae4-introduce-vcpu_sleep_nosync_locked.patch -Patch14: 5aeaeaf0-sched-fix-races-in-vcpu-migration.patch -Patch15: 5aeb2c57-x86-retval-checks-of-set-guest-trapbounce.patch -Patch16: 5af1daa9-1-x86-traps-fix-dr6-handing-in-DB-handler.patch -Patch17: 5af1daa9-2-x86-pv-move-exception-injection-into-test_all_events.patch -Patch18: 5af1daa9-3-x86-traps-use-IST-for-DB.patch -Patch19: 5af1daa9-4-x86-traps-fix-handling-of-DB-in-hypervisor-context.patch -Patch20: 5af1daa9-x86-vpt-support-IO-APIC-routed-intr.patch -Patch21: 5af1daa9-x86-HVM-guard-against-bogus-emulator-ioreq-state.patch -Patch22: 5af97999-viridian-cpuid-leaf-40000003.patch -Patch23: 5afc13ae-1-x86-read-MSR_ARCH_CAPABILITIES-once.patch -Patch24: 5afc13ae-2-x86-express-Xen-SPEC_CTRL-choice-as-variable.patch -Patch25: 5afc13ae-3-x86-merge-bti_ist_info-use_shadow_spec_ctrl.patch -Patch26: 5afc13ae-4-x86-fold-XEN_IBRS-ALTERNATIVES.patch -Patch27: 5afc13ae-5-x86-rename-bits-of-spec_ctrl-infrastructure.patch -Patch28: 5afc13ae-6-x86-elide-MSR_SPEC_CTRL-handling-in-idle.patch -Patch29: 5afc13ae-7-x86-split-X86_FEATURE_SC_MSR.patch -Patch30: 5afc13ae-8-x86-explicitly-set-Xen-default-SPEC_CTRL.patch -Patch31: 5afc13ae-9-x86-cpuid-improve-guest-policies-for-speculative.patch -Patch32: 5afc13ae-A-x86-introduce-spec-ctrl-cmdline-opt.patch -Patch33: Spectre-v4-1.patch -Patch34: Spectre-v4-2.patch -Patch35: Spectre-v4-3.patch +Patch2: 5a6703cb-x86-move-invocations-of-hvm_flush_guest_tlbs.patch +Patch3: 5a79d7ed-libxc-packed-initrd-dont-fail-domain-creation.patch +Patch4: 5a9985bd-x86-invpcid-support.patch +Patch5: 5ad4923e-x86-correct-S3-resume-ordering.patch +Patch6: 5ad49293-x86-suppress-BTI-mitigations-around-S3.patch +Patch7: 5ad600d4-x86-pv-introduce-x86emul_read_dr.patch +Patch8: 5ad600d4-x86-pv-introduce-x86emul_write_dr.patch +Patch9: 5ad8c3a7-x86-spec_ctrl-update-retpoline-decision-making.patch +Patch10: 5adda097-x86-HPET-fix-race-triggering-ASSERT.patch +Patch11: 5adda0d5-x86-HVM-never-retain-emulated-insn-cache.patch +Patch12: 5adde9ed-xpti-fix-double-fault-handling.patch +Patch13: 5ae06fad-SVM-fix-intercepts-for-SYS-CALL-ENTER-MSRs.patch +Patch14: 5ae31917-x86-cpuidle-init-stats-lock-once.patch +Patch15: 5aeaeae4-introduce-vcpu_sleep_nosync_locked.patch +Patch16: 5aeaeaf0-sched-fix-races-in-vcpu-migration.patch +Patch17: 5aeb2c57-x86-retval-checks-of-set-guest-trapbounce.patch +Patch18: 5af1daa9-1-x86-traps-fix-dr6-handing-in-DB-handler.patch +Patch19: 5af1daa9-2-x86-pv-move-exception-injection-into-test_all_events.patch +Patch20: 5af1daa9-3-x86-traps-use-IST-for-DB.patch +Patch21: 5af1daa9-4-x86-traps-fix-handling-of-DB-in-hypervisor-context.patch +Patch22: 5af1daa9-x86-vpt-support-IO-APIC-routed-intr.patch +Patch23: 5af1daa9-x86-HVM-guard-against-bogus-emulator-ioreq-state.patch +Patch24: 5af97999-viridian-cpuid-leaf-40000003.patch +Patch25: 5afc13ae-1-x86-read-MSR_ARCH_CAPABILITIES-once.patch +Patch26: 5afc13ae-2-x86-express-Xen-SPEC_CTRL-choice-as-variable.patch +Patch27: 5afc13ae-3-x86-merge-bti_ist_info-use_shadow_spec_ctrl.patch +Patch28: 5afc13ae-4-x86-fold-XEN_IBRS-ALTERNATIVES.patch +Patch29: 5afc13ae-5-x86-rename-bits-of-spec_ctrl-infrastructure.patch +Patch30: 5afc13ae-6-x86-elide-MSR_SPEC_CTRL-handling-in-idle.patch +Patch31: 5afc13ae-7-x86-split-X86_FEATURE_SC_MSR.patch +Patch32: 5afc13ae-8-x86-explicitly-set-Xen-default-SPEC_CTRL.patch +Patch33: 5afc13ae-9-x86-cpuid-improve-guest-policies-for-speculative.patch +Patch34: 5afc13ae-A-x86-introduce-spec-ctrl-cmdline-opt.patch # XPTI speedup -Patch36: 5a6703cb-x86-move-invocations-of-hvm_flush_guest_tlbs.patch -Patch37: 5a9985bd-x86-invpcid-support.patch -Patch38: 5aec7393-1-x86-xpti-avoid-copy.patch -Patch39: 5aec7393-2-x86-xpti-write-cr3.patch -Patch40: 5aec744a-3-x86-xpti-per-domain-flag.patch -Patch41: 5aec744a-4-x86-xpti-use-invpcid.patch -Patch42: 5aec744a-5-x86-xpti-no-global-pages.patch -Patch43: 5aec744a-6-x86-xpti-cr3-valid-flag.patch -Patch44: 5aec744a-7-x86-xpti-pv_guest_cr4_to_real_cr4.patch -Patch45: 5aec744b-8-x86-xpti-cr3-helpers.patch -Patch46: 5aec74a8-9-x86-xpti-use-pcid.patch +Patch51: 5aec7393-1-x86-xpti-avoid-copy.patch +Patch52: 5aec7393-2-x86-xpti-write-cr3.patch +Patch53: 5aec744a-3-x86-xpti-per-domain-flag.patch +Patch54: 5aec744a-4-x86-xpti-use-invpcid.patch +Patch55: 5aec744a-5-x86-xpti-no-global-pages.patch +Patch56: 5aec744a-6-x86-xpti-cr3-valid-flag.patch +Patch57: 5aec744a-7-x86-xpti-pv_guest_cr4_to_real_cr4.patch +Patch58: 5aec744b-8-x86-xpti-cr3-helpers.patch +Patch59: 5aec74a8-9-x86-xpti-use-pcid.patch # gcc8 fixes -Patch81: 5ac72a48-gcc8.patch -Patch82: 5ac72a5f-gcc8.patch -Patch83: 5ac72a64-gcc8.patch -Patch84: 5ac72a69-gcc8.patch -Patch85: 5ac72a6e-gcc8.patch -Patch86: 5ac72a74-gcc8.patch -Patch87: 5ac72a7b-gcc8.patch +Patch61: 5ac72a48-gcc8.patch +Patch62: 5ac72a5f-gcc8.patch +Patch63: 5ac72a64-gcc8.patch +Patch64: 5ac72a69-gcc8.patch +Patch65: 5ac72a6e-gcc8.patch +Patch66: 5ac72a74-gcc8.patch +Patch67: 5ac72a7b-gcc8.patch +Patch70: 5b02c786-x86-AMD-mitigations-for-GPZ-SP4.patch +Patch71: 5b02c786-x86-Intel-mitigations-for-GPZ-SP4.patch +Patch72: 5b02c786-x86-msr-virtualise-SPEC_CTRL-SSBD.patch +Patch73: 5b0bc9da-x86-XPTI-fix-S3-resume.patch +Patch74: 5b0d2286-libxc-x86-PV-dont-hand-through-CPUID-leaf-0x80000008.patch +Patch75: 5b0d2d91-x86-suppress-sync-when-XPTI-off.patch +Patch76: 5b0d2dbc-x86-correct-default_xen_spec_ctrl.patch +Patch77: 5b0d2ddc-x86-CPUID-dont-override-tool-stack-hidden-STIBP.patch +Patch78: 5b150ef9-x86-fix-error-handling-of-pv-dr7-shadow.patch +Patch79: 5b21825d-1-x86-support-fully-eager-FPU-context-switching.patch +Patch80: 5b21825d-2-x86-spec-ctrl-mitigations-for-LazyFPU.patch +Patch81: 5b238b92-x86-HVM-account-for-fully-eager-FPU.patch +Patch82: 5b2b7172-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch +Patch83: 5b31e004-x86-HVM-emul-attempts-FPU-set-fpu_initialised.patch +Patch84: 5b323e3c-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch +Patch85: 5b34882d-x86-mm-dont-bypass-preemption-checks.patch +Patch86: 5b348874-x86-refine-checks-in-DB-handler.patch +Patch87: 5b348897-libxl-qemu_disk_scsi_drive_string-break-out-common.patch +Patch88: 5b3488a2-libxl-restore-passing-ro-to-qemu-for-SCSI-disks.patch +Patch89: 5b34891a-x86-HVM-dont-cause-NM-to-be-raised.patch +Patch90: 5b348954-x86-guard-against-NM.patch # Our platform specific patches Patch400: xen-destdir.patch Patch401: vif-bridge-no-iptables.patch @@ -267,6 +285,7 @@ Patch623: ipxe-no-error-logical-not-parentheses.patch Patch624: ipxe-use-rpm-opt-flags.patch # Build patches +Patch99995: xen.fuzz-_FORTIFY_SOURCE.patch Patch99996: xen.stubdom.newlib.patch Patch99998: tmp_build.patch Url: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ @@ -446,19 +465,33 @@ %patch32 -p1 %patch33 -p1 %patch34 -p1 -%patch35 -p1 -%patch36 -p1 -%patch37 -p1 -%patch38 -p1 -%patch39 -p1 -%patch40 -p1 -%patch41 -p1 -%patch42 -p1 -%patch43 -p1 -%patch44 -p1 -%patch45 -p1 -%patch46 -p1 -# gcc8 fixes +%patch51 -p1 +%patch52 -p1 +%patch53 -p1 +%patch54 -p1 +%patch55 -p1 +%patch56 -p1 +%patch57 -p1 +%patch58 -p1 +%patch59 -p1 +%patch61 -p1 +%patch62 -p1 +%patch63 -p1 +%patch64 -p1 +%patch65 -p1 +%patch66 -p1 +%patch67 -p1 +%patch70 -p1 +%patch71 -p1 +%patch72 -p1 +%patch73 -p1 +%patch74 -p1 +%patch75 -p1 +%patch76 -p1 +%patch77 -p1 +%patch78 -p1 +%patch79 -p1 +%patch80 -p1 %patch81 -p1 %patch82 -p1 %patch83 -p1 @@ -466,6 +499,9 @@ %patch85 -p1 %patch86 -p1 %patch87 -p1 +%patch88 -p1 +%patch89 -p1 +%patch90 -p1 # Our platform specific patches %patch400 -p1 %patch401 -p1 @@ -517,6 +553,7 @@ %patch623 -p1 %patch624 -p1 # Build patches +%patch99995 -p1 %patch99996 -p1 %patch99998 -p1 ++++++ 5aec744a-3-x86-xpti-per-domain-flag.patch ++++++ --- /var/tmp/diff_new_pack.CRshPV/_old 2018-07-02 23:30:46.377448479 +0200 +++ /var/tmp/diff_new_pack.CRshPV/_new 2018-07-02 23:30:46.377448479 +0200 @@ -29,7 +29,7 @@ --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown -@@ -1979,14 +1979,24 @@ clustered mode. The default, given no h +@@ -1972,14 +1972,24 @@ clustered mode. The default, given no h mode. ### xpti @@ -178,7 +178,7 @@ * All entry points which may need to switch page tables have to start --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c -@@ -233,8 +233,9 @@ static void __init print_details(enum in +@@ -225,8 +225,9 @@ static void __init print_details(enum in boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : ""); @@ -190,7 +190,7 @@ } /* Calculate whether Retpoline is known-safe on this CPU. */ -@@ -320,6 +321,70 @@ static bool __init retpoline_safe(uint64 +@@ -312,6 +313,70 @@ static bool __init retpoline_safe(uint64 } } @@ -261,7 +261,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; -@@ -461,6 +526,12 @@ void __init init_speculation_mitigations +@@ -449,6 +514,12 @@ void __init init_speculation_mitigations if ( default_xen_spec_ctrl ) setup_force_cpu_cap(X86_FEATURE_SC_MSR_IDLE); @@ -311,7 +311,7 @@ --- a/xen/include/asm-x86/spec_ctrl.h +++ b/xen/include/asm-x86/spec_ctrl.h -@@ -33,6 +33,10 @@ extern bool bsp_delay_spec_ctrl; +@@ -32,6 +32,10 @@ extern bool bsp_delay_spec_ctrl; extern uint8_t default_xen_spec_ctrl; extern uint8_t default_spec_ctrl_flags; ++++++ 5aec744a-4-x86-xpti-use-invpcid.patch ++++++ --- /var/tmp/diff_new_pack.CRshPV/_old 2018-07-02 23:30:46.389448464 +0200 +++ /var/tmp/diff_new_pack.CRshPV/_new 2018-07-02 23:30:46.389448464 +0200 @@ -24,7 +24,7 @@ --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown -@@ -1352,6 +1352,15 @@ Because responsibility for APIC setup is +@@ -1351,6 +1351,15 @@ Because responsibility for APIC setup is domain 0 kernel this option is automatically propagated to the domain 0 command line. ++++++ 5aec74a8-9-x86-xpti-use-pcid.patch ++++++ --- /var/tmp/diff_new_pack.CRshPV/_old 2018-07-02 23:30:46.405448444 +0200 +++ /var/tmp/diff_new_pack.CRshPV/_new 2018-07-02 23:30:46.405448444 +0200 @@ -41,7 +41,7 @@ --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown -@@ -1439,6 +1439,20 @@ Flag to enable Memory Protection Keys. +@@ -1438,6 +1438,20 @@ Flag to enable Memory Protection Keys. The protection-key feature provides an additional mechanism by which IA-32e paging controls access to usermode addresses. ++++++ 5b02c786-x86-AMD-mitigations-for-GPZ-SP4.patch ++++++ # Commit 8c0e338086f060eba31d37b83fbdb883928aa085 # Date 2018-05-21 14:20:06 +0100 # Author Andrew Cooper# Committer Andrew Cooper x86/AMD: Mitigations for GPZ SP4 - Speculative Store Bypass AMD processors will execute loads and stores with the same base register in program order, which is typically how a compiler emits code. Therefore, by default no mitigating actions are taken, despite there being corner cases which are vulnerable to the issue. For performance testing, or for users with particularly sensitive workloads, the `spec-ctrl=ssbd` command line option is available to force Xen to disable Memory Disambiguation on applicable hardware. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -1726,7 +1726,7 @@ false disable the quirk workaround, whic ### spec-ctrl (x86) > `= List of [ , xen= , {pv,hvm,msr-sc,rsb}= , -> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb}= ]` +> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -1770,6 +1770,11 @@ On hardware supporting IBPB (Indirect Br option can be used to force (the default) or prevent Xen from issuing branch prediction barriers on vcpu context switches. +On hardware supporting SSBD (Speculative Store Bypass Disable), the `ssbd=` +option can be used to force or prevent Xen using the feature itself. On AMD +hardware, this is a global option applied at boot, and not virtualised for +guest use. + ### sync\_console > `= ` --- a/xen/arch/x86/cpu/amd.c +++ b/xen/arch/x86/cpu/amd.c @@ -9,6 +9,7 @@ #include #include #include /* amd_init_cpu */ +#include #include #include @@ -594,6 +595,25 @@ static void init_amd(struct cpuinfo_x86 c->x86_capability); } + /* + * If the user has explicitly chosen to disable Memory Disambiguation + * to mitigiate Speculative Store Bypass, poke the appropriate MSR. + */ + if (opt_ssbd) { + int bit = -1; + + switch (c->x86) { + case 0x15: bit = 54; break; + case 0x16: bit = 33; break; + case 0x17: bit = 10; break; + } + + if (bit >= 0 && !rdmsr_safe(MSR_AMD64_LS_CFG, value)) { + value |= 1ull << bit; + wrmsr_safe(MSR_AMD64_LS_CFG, value); + } + } + /* MFENCE stops RDTSC speculation */ if (!cpu_has_lfence_dispatch) __set_bit(X86_FEATURE_MFENCE_RDTSC, c->x86_capability); --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -43,6 +43,7 @@ static enum ind_thunk { } opt_thunk __initdata = THUNK_DEFAULT; static int8_t __initdata opt_ibrs = -1; bool __read_mostly opt_ibpb = true; +bool __read_mostly opt_ssbd = false; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -164,6 +165,8 @@ static int __init parse_spec_ctrl(const opt_ibrs = val; else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) opt_ibpb = val; + else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 ) + opt_ssbd = val; else rc = -EINVAL; --- a/xen/include/asm-x86/spec_ctrl.h +++ b/xen/include/asm-x86/spec_ctrl.h @@ -27,6 +27,7 @@ void init_speculation_mitigations(void); extern bool opt_ibpb; +extern bool opt_ssbd; extern bool bsp_delay_spec_ctrl; extern uint8_t default_xen_spec_ctrl; ++++++ 5b02c786-x86-Intel-mitigations-for-GPZ-SP4.patch ++++++ # Commit 9df52a25e0e95a0b9971aa2fc26c5c6a5cbdf4ef # Date 2018-05-21 14:20:06 +0100 # Author Andrew Cooper # Committer Andrew Cooper x86/Intel: Mitigations for GPZ SP4 - Speculative Store Bypass To combat GPZ SP4 "Speculative Store Bypass", Intel have extended their speculative sidechannel mitigations specification as follows: * A feature bit to indicate that Speculative Store Bypass Disable is supported. * A new bit in MSR_SPEC_CTRL which, when set, disables memory disambiguation in the pipeline. * A new bit in MSR_ARCH_CAPABILITIES, which will be set in future hardware, indicating that the hardware is not susceptible to Speculative Store Bypass sidechannels. For contemporary processors, this interface will be implemented via a microcode update. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -496,9 +496,10 @@ accounting for hardware capabilities as Currently accepted: -The Speculation Control hardware features `ibrsb`, `stibp`, `ibpb` are used by -default if avaiable. They can be ignored, e.g. `no-ibrsb`, at which point Xen -won't use them itself, and won't offer them to guests. +The Speculation Control hardware features `ibrsb`, `stibp`, `ibpb`, `ssbd` are +used by default if available and applicable. They can be ignored, +e.g. `no-ibrsb`, at which point Xen won't use them itself, and won't offer +them to guests. ### cpuid\_mask\_cpu (AMD only) > `= fam_0f_rev_c | fam_0f_rev_d | fam_0f_rev_e | fam_0f_rev_f | fam_0f_rev_g | fam_10_rev_b | fam_10_rev_c | fam_11_rev_b` @@ -1751,7 +1752,7 @@ protect itself, and Xen's ability to vir respectively. * `msr-sc=` offers control over Xen's support for manipulating MSR\_SPEC\_CTRL on entry and exit. These blocks are necessary to virtualise support for - guests and if disabled, guests will be unable to use IBRS/STIBP/etc. + guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen. @@ -1773,7 +1774,8 @@ prediction barriers on vcpu context swit On hardware supporting SSBD (Speculative Store Bypass Disable), the `ssbd=` option can be used to force or prevent Xen using the feature itself. On AMD hardware, this is a global option applied at boot, and not virtualised for -guest use. +guest use. On Intel hardware, the feature is virtualised for guests, +independently of Xen's choice of setting. ### sync\_console > `= ` --- a/tools/libxl/libxl_cpuid.c +++ b/tools/libxl/libxl_cpuid.c @@ -205,6 +205,7 @@ int libxl_cpuid_parse_config(libxl_cpuid {"ibrsb", 0x00000007, 0, CPUID_REG_EDX, 26, 1}, {"stibp", 0x00000007, 0, CPUID_REG_EDX, 27, 1}, {"arch-caps", 0x00000007, 0, CPUID_REG_EDX, 29, 1}, + {"ssbd", 0x00000007, 0, CPUID_REG_EDX, 31, 1}, {"lahfsahf", 0x80000001, NA, CPUID_REG_ECX, 0, 1}, {"cmplegacy", 0x80000001, NA, CPUID_REG_ECX, 1, 1}, --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -166,8 +166,7 @@ static const char *str_7d0[32] = [26] = "ibrsb", [27] = "stibp", [28] = "REZ", [29] = "arch_caps", - - [30 ... 31] = "REZ", + [30] = "REZ", [31] = "ssbd", }; static struct { --- a/xen/arch/x86/cpuid.c +++ b/xen/arch/x86/cpuid.c @@ -43,6 +43,11 @@ static int __init parse_xen_cpuid(const if ( !val ) setup_clear_cpu_cap(X86_FEATURE_STIBP); } + else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 ) + { + if ( !val ) + setup_clear_cpu_cap(X86_FEATURE_SSBD); + } else rc = -EINVAL; --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -192,26 +192,31 @@ static void __init print_details(enum in printk("Speculative mitigation facilities:\n"); /* Hardware features which pertain to speculative mitigations. */ - printk(" Hardware features:%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", + (_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", (caps & ARCH_CAPABILITIES_IBRS_ALL) ? " IBRS_ALL" : "", (caps & ARCH_CAPABILITIES_RDCL_NO) ? " RDCL_NO" : "", - (caps & ARCH_CAPS_RSBA) ? " RSBA" : ""); + (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", + (caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : ""); /* Compiled-in support which pertains to BTI mitigations. */ if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) ) printk(" Compiled-in support: INDIRECT_THUNK\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s, Other:%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : thunk == THUNK_JMP ? "JMP" : "?", !use_spec_ctrl ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", + !use_spec_ctrl || !boot_cpu_has(X86_FEATURE_SSBD) + ? "" : + (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : ""); /* @@ -480,6 +485,10 @@ void __init init_speculation_mitigations } } + /* If we have SSBD available, see whether we should use it. */ + if ( boot_cpu_has(X86_FEATURE_SSBD) && use_spec_ctrl && opt_ssbd ) + default_xen_spec_ctrl |= SPEC_CTRL_SSBD; + /* * PV guests can poison the RSB to any virtual address from which * they can execute a call instruction. This is necessarily outside --- a/xen/include/asm-x86/msr-index.h +++ b/xen/include/asm-x86/msr-index.h @@ -35,6 +35,7 @@ #define MSR_SPEC_CTRL 0x00000048 #define SPEC_CTRL_IBRS (_AC(1, ULL) << 0) #define SPEC_CTRL_STIBP (_AC(1, ULL) << 1) +#define SPEC_CTRL_SSBD (_AC(1, ULL) << 2) #define MSR_PRED_CMD 0x00000049 #define PRED_CMD_IBPB (_AC(1, ULL) << 0) @@ -43,6 +44,7 @@ #define ARCH_CAPABILITIES_RDCL_NO (_AC(1, ULL) << 0) #define ARCH_CAPABILITIES_IBRS_ALL (_AC(1, ULL) << 1) #define ARCH_CAPS_RSBA (_AC(1, ULL) << 2) +#define ARCH_CAPS_SSB_NO (_AC(1, ULL) << 4) /* Intel MSRs. Some also available on other CPUs */ #define MSR_IA32_PERFCTR0 0x000000c1 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -245,6 +245,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) / XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by Intel) */ XEN_CPUFEATURE(STIBP, 9*32+27) /*A! STIBP */ XEN_CPUFEATURE(ARCH_CAPS, 9*32+29) /* IA32_ARCH_CAPABILITIES MSR */ +XEN_CPUFEATURE(SSBD, 9*32+31) /* MSR_SPEC_CTRL.SSBD available */ #endif /* XEN_CPUFEATURE */ --- a/xen/tools/gen-cpuid.py +++ b/xen/tools/gen-cpuid.py @@ -257,10 +257,19 @@ def crunch_numbers(state): AVX512BW, AVX512VL, AVX512VBMI, AVX512_4VNNIW, AVX512_4FMAPS, AVX512_VPOPCNTDQ], - # Single Thread Indirect Branch Predictors enumerates a new bit in the - # MSR enumerated by Indirect Branch Restricted Speculation/Indirect - # Branch Prediction Barrier enumeration. - IBRSB: [STIBP], + # The features: + # * Single Thread Indirect Branch Predictors + # * Speculative Store Bypass Disable + # + # enumerate new bits in MSR_SPEC_CTRL, which is enumerated by Indirect + # Branch Restricted Speculation/Indirect Branch Prediction Barrier. + # + # In practice, these features also enumerate the presense of + # MSR_SPEC_CTRL. However, no real hardware will exist with SSBD but + # not IBRSB, and we pass this MSR directly to guests. Treating them + # as dependent features simplifies Xen's logic, and prevents the guest + # from seeing implausible configurations. + IBRSB: [STIBP, SSBD], } deep_features = tuple(sorted(deps.keys())) ++++++ 5b02c786-x86-msr-virtualise-SPEC_CTRL-SSBD.patch ++++++ # Commit cd53023df952cf0084be9ee3d15a90f8837049c2 # Date 2018-05-21 14:20:06 +0100 # Author Andrew Cooper # Committer Andrew Cooper x86/msr: Virtualise MSR_SPEC_CTRL.SSBD for guests to use Almost all infrastructure is already in place. Update the reserved bits calculation in guest_wrmsr(), and offer SSBD to guests by default. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- a/xen/arch/x86/msr.c +++ b/xen/arch/x86/msr.c @@ -178,6 +178,8 @@ int guest_wrmsr(struct vcpu *v, uint32_t switch ( msr ) { + uint64_t rsvd; + case MSR_INTEL_PLATFORM_INFO: case MSR_ARCH_CAPABILITIES: /* Read-only */ @@ -213,8 +215,10 @@ int guest_wrmsr(struct vcpu *v, uint32_t * Note: SPEC_CTRL_STIBP is specified as safe to use (i.e. ignored) * when STIBP isn't enumerated in hardware. */ + rsvd = ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | + (cp->feat.ssbd ? SPEC_CTRL_SSBD : 0)); - if ( val & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP) ) + if ( val & rsvd ) goto gp_fault; /* Rsvd bit set? */ vp->spec_ctrl.raw = val; @@ -233,12 +237,12 @@ int guest_wrmsr(struct vcpu *v, uint32_t case MSR_INTEL_MISC_FEATURES_ENABLES: { - uint64_t rsvd = ~0ull; bool old_cpuid_faulting = vp->misc_features_enables.cpuid_faulting; if ( !vp->misc_features_enables.available ) goto gp_fault; + rsvd = ~0ull; if ( dp->plaform_info.cpuid_faulting ) rsvd &= ~MSR_MISC_FEATURES_CPUID_FAULTING; --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -245,7 +245,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) / XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by Intel) */ XEN_CPUFEATURE(STIBP, 9*32+27) /*A! STIBP */ XEN_CPUFEATURE(ARCH_CAPS, 9*32+29) /* IA32_ARCH_CAPABILITIES MSR */ -XEN_CPUFEATURE(SSBD, 9*32+31) /* MSR_SPEC_CTRL.SSBD available */ +XEN_CPUFEATURE(SSBD, 9*32+31) /*A MSR_SPEC_CTRL.SSBD available */ #endif /* XEN_CPUFEATURE */ ++++++ 5b0bc9da-x86-XPTI-fix-S3-resume.patch ++++++ # Commit 6b9562dac1746014ab376bd2cf8ba400acf34c6d # Date 2018-05-28 11:20:26 +0200 # Author Jan Beulich # Committer Jan Beulich x86/XPTI: fix S3 resume (and CPU offlining in general) We should index an L1 table with an L1 index. Reported-by: Simon Gaiser Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -879,7 +879,7 @@ static void cleanup_cpu_root_pgt(unsigne l2_pgentry_t *l2t = l3e_to_l2e(l3t[l3_table_offset(stub_linear)]); l1_pgentry_t *l1t = l2e_to_l1e(l2t[l2_table_offset(stub_linear)]); - l1t[l2_table_offset(stub_linear)] = l1e_empty(); + l1t[l1_table_offset(stub_linear)] = l1e_empty(); } } ++++++ 5b0d2286-libxc-x86-PV-dont-hand-through-CPUID-leaf-0x80000008.patch ++++++ # Commit 849cc9ac56eff8a8d575ed9f484aad72f383862c # Date 2018-05-29 10:51:02 +0100 # Author Jan Beulich # Committer Ian Jackson libxc/x86/PV: don't hand through CPUID leaf 0x80000008 as is Just like for HVM the feature set should be used for EBX output, while EAX should be restricted to the low 16 bits and ECX/EDX should be zero. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- a/tools/libxc/xc_cpuid_x86.c +++ b/tools/libxc/xc_cpuid_x86.c @@ -575,6 +575,12 @@ static void xc_cpuid_pv_policy(xc_interf break; } + case 0x80000008: + regs[0] &= 0x0000ffffu; + regs[1] = info->featureset[featureword_of(X86_FEATURE_CLZERO)]; + regs[2] = regs[3] = 0; + break; + case 0x00000005: /* MONITOR/MWAIT */ case 0x0000000b: /* Extended Topology Enumeration */ case 0x8000000a: /* SVM revision and features */ ++++++ 5b0d2d91-x86-suppress-sync-when-XPTI-off.patch ++++++ # Commit b7eb9d8bd61ecdc399e8fc41ea4bbff35cbe0755 # Date 2018-05-29 12:38:09 +0200 # Author Jan Beulich # Committer Jan Beulich x86: suppress sync when XPTI is disabled for a domain Now that we have a per-domain flag we can and should control sync-ing in a more fine grained manner: Only domains having XPTI enabled need the sync to occur. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -3723,7 +3723,7 @@ long do_mmu_update( case PGT_l4_page_table: rc = mod_l4_entry(va, l4e_from_intpte(req.val), mfn, cmd == MMU_PT_UPDATE_PRESERVE_AD, v); - if ( !rc && !cpu_has_no_xpti ) + if ( !rc && pt_owner->arch.pv_domain.xpti ) { bool local_in_use = false; ++++++ 5b0d2dbc-x86-correct-default_xen_spec_ctrl.patch ++++++ # Commit d6239f64713df819278bf048446d3187c6ac4734 # Date 2018-05-29 12:38:52 +0200 # Author Jan Beulich # Committer Jan Beulich x86: correct default_xen_spec_ctrl calculation Even with opt_msr_sc_{pv,hvm} both false we should set up the variable as usual, to ensure proper one-time setup during boot and CPU bringup. This then also brings the code in line with the comment immediately ahead of the printk() being modified saying "irrespective of guests". Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -179,8 +179,6 @@ custom_param("spec-ctrl", parse_spec_ctr static void __init print_details(enum ind_thunk thunk, uint64_t caps) { - bool use_spec_ctrl = (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || - boot_cpu_has(X86_FEATURE_SC_MSR_HVM)); unsigned int _7d0 = 0, e8b = 0, tmp; /* Collect diagnostics about available mitigations. */ @@ -212,10 +210,9 @@ static void __init print_details(enum in thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : thunk == THUNK_JMP ? "JMP" : "?", - !use_spec_ctrl ? "No" : - (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", - !use_spec_ctrl || !boot_cpu_has(X86_FEATURE_SSBD) - ? "" : + !boot_cpu_has(X86_FEATURE_IBRSB) ? "No" : + (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", + !boot_cpu_has(X86_FEATURE_SSBD) ? "" : (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : ""); @@ -477,16 +474,14 @@ void __init init_speculation_mitigations } if ( use_spec_ctrl ) - { - if ( ibrs ) - default_xen_spec_ctrl |= SPEC_CTRL_IBRS; - default_spec_ctrl_flags |= SCF_ist_wrmsr; - } + + if ( ibrs ) + default_xen_spec_ctrl |= SPEC_CTRL_IBRS; } /* If we have SSBD available, see whether we should use it. */ - if ( boot_cpu_has(X86_FEATURE_SSBD) && use_spec_ctrl && opt_ssbd ) + if ( boot_cpu_has(X86_FEATURE_SSBD) && opt_ssbd ) default_xen_spec_ctrl |= SPEC_CTRL_SSBD; /* ++++++ 5b0d2ddc-x86-CPUID-dont-override-tool-stack-hidden-STIBP.patch ++++++ # Commit 06f542f8f2e446c01bd0edab51e9450af7f6e05b # Date 2018-05-29 12:39:24 +0200 # Author Jan Beulich # Committer Jan Beulich x86/CPUID: don't override tool stack decision to hide STIBP Other than in the feature sets, where we indeed want to offer the feature even if not enumerated on hardware, we shouldn't dictate the feature being available if tool stack or host admin have decided to not expose it (for whatever [questionable?] reason). That feature set side override is sufficient to achieve the intended guest side safety property (in offering - by default - STIBP independent of actual availability in hardware). Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- a/xen/arch/x86/cpuid.c +++ b/xen/arch/x86/cpuid.c @@ -620,14 +620,6 @@ void recalculate_cpuid_policy(struct dom recalculate_xstate(p); recalculate_misc(p); - /* - * Override STIBP to match IBRS. Guests can safely use STIBP - * functionality on non-HT hardware, but can't necesserily protect - * themselves from SP2/Spectre/Branch Target Injection if STIBP is hidden - * on HT-capable hardware. - */ - p->feat.stibp = p->feat.ibrsb; - for ( i = 0; i < ARRAY_SIZE(p->cache.raw); ++i ) { if ( p->cache.subleaf[i].type >= 1 && --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -243,7 +243,7 @@ XEN_CPUFEATURE(IBPB, 8*32+12) / XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions */ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single Precision */ XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by Intel) */ -XEN_CPUFEATURE(STIBP, 9*32+27) /*A! STIBP */ +XEN_CPUFEATURE(STIBP, 9*32+27) /*A STIBP */ XEN_CPUFEATURE(ARCH_CAPS, 9*32+29) /* IA32_ARCH_CAPABILITIES MSR */ XEN_CPUFEATURE(SSBD, 9*32+31) /*A MSR_SPEC_CTRL.SSBD available */ ++++++ 5b150ef9-x86-fix-error-handling-of-pv-dr7-shadow.patch ++++++ # Commit 237c31b5a1d5aa88cdb59b8c31b1b62eb13e82d1 # Date 2018-06-04 11:05:45 +0100 # Author Andrew Cooper # Committer Andrew Cooper x86/traps: Fix error handling of the pv %dr7 shadow state c/s "x86/pv: Introduce and use x86emul_write_dr()" fixed a bug with IO shadow handling, in that it remained stale and visible until %dr7.L/G got set again. However, it neglected the -EPERM return inbetween these two hunks, introducing a different bug in which a write to %dr7 which tries to set IO breakpoints without %cr4.DE being set clobbers the IO state, rather than leaves it alone. Instead, move the zeroing slightly later, which guarentees that the shadow gets written exactly once, on a successful update to %dr7. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -2120,9 +2120,6 @@ long set_debugreg(struct vcpu *v, unsign if ( value & DR_GENERAL_DETECT ) return -EPERM; - /* Zero the IO shadow before recalculating the real %dr7 */ - v->arch.debugreg[5] = 0; - /* DR7.{G,L}E = 0 => debugging disabled for this domain. */ if ( value & DR7_ACTIVE_MASK ) { @@ -2151,6 +2148,10 @@ long set_debugreg(struct vcpu *v, unsign !(v->arch.debugreg[7] & DR7_ACTIVE_MASK) ) activate_debugregs(v); } + else + /* Zero the emulated controls if %dr7 isn't active. */ + v->arch.debugreg[5] = 0; + if ( v == curr ) write_debugreg(7, value); break; ++++++ 5b21825d-1-x86-support-fully-eager-FPU-context-switching.patch ++++++ # Commit 146dfe9277c2b4a8c399b229e00d819065e3167b # Date 2018-06-13 21:45:17 +0100 # Author Andrew Cooper # Committer Andrew Cooper x86: Support fully eager FPU context switching This is controlled on a per-vcpu bases for flexibility. This is part of XSA-267 / CVE-2018-3665 Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- a/xen/arch/x86/i387.c +++ b/xen/arch/x86/i387.c @@ -210,7 +210,7 @@ void vcpu_restore_fpu_eager(struct vcpu ASSERT(!is_idle_vcpu(v)); /* Restore nonlazy extended state (i.e. parts not tracked by CR0.TS). */ - if ( !v->arch.nonlazy_xstate_used ) + if ( !v->arch.fully_eager_fpu && !v->arch.nonlazy_xstate_used ) return; /* Avoid recursion */ @@ -221,11 +221,19 @@ void vcpu_restore_fpu_eager(struct vcpu * above) we also need to restore full state, to prevent subsequently * saving state belonging to another vCPU. */ - if ( xstate_all(v) ) + if ( v->arch.fully_eager_fpu || (v->arch.xsave_area && xstate_all(v)) ) { - fpu_xrstor(v, XSTATE_ALL); + if ( cpu_has_xsave ) + fpu_xrstor(v, XSTATE_ALL); + else + fpu_fxrstor(v); + v->fpu_initialised = 1; v->fpu_dirtied = 1; + + /* Xen doesn't need TS set, but the guest might. */ + if ( is_pv_vcpu(v) && (v->arch.pv_vcpu.ctrlreg[0] & X86_CR0_TS) ) + stts(); } else { @@ -247,6 +255,8 @@ void vcpu_restore_fpu_lazy(struct vcpu * if ( v->fpu_dirtied ) return; + ASSERT(!v->arch.fully_eager_fpu); + if ( cpu_has_xsave ) fpu_xrstor(v, XSTATE_LAZY); else --- a/xen/include/asm-x86/domain.h +++ b/xen/include/asm-x86/domain.h @@ -569,6 +569,9 @@ struct arch_vcpu * and thus should be saved/restored. */ bool_t nonlazy_xstate_used; + /* Restore all FPU state (lazy and non-lazy state) on context switch? */ + bool fully_eager_fpu; + /* * The SMAP check policy when updating runstate_guest(v) and the * secondary system time. ++++++ 5b21825d-2-x86-spec-ctrl-mitigations-for-LazyFPU.patch ++++++ # Commit 243435bf67e8159495194f623b9e4d8c90140384 # Date 2018-06-13 21:45:17 +0100 # Author Andrew Cooper # Committer Andrew Cooper x86/spec-ctrl: Mitigations for LazyFPU Intel Core processors since at least Nehalem speculate past #NM, which is the mechanism by which lazy FPU context switching is implemented. On affected processors, Xen must use fully eager FPU context switching to prevent guests from being able to read FPU state (SSE/AVX/etc) from previously scheduled vcpus. This is part of XSA-267 / CVE-2018-3665 Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -1727,7 +1727,7 @@ false disable the quirk workaround, whic ### spec-ctrl (x86) > `= List of [ , xen= , {pv,hvm,msr-sc,rsb}= , -> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd}= ]` +> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -1777,6 +1777,11 @@ hardware, this is a global option applie guest use. On Intel hardware, the feature is virtualised for guests, independently of Xen's choice of setting. +On all hardware, the `eager-fpu=` option can be used to force or prevent Xen +from using fully eager FPU context switches. This is currently implemented as +a global control. By default, Xen will choose to use fully eager context +switches on hardware believed to speculate past #NM exceptions. + ### sync\_console > `= ` --- a/xen/arch/x86/i387.c +++ b/xen/arch/x86/i387.c @@ -15,6 +15,7 @@ #include #include #include +#include /*******************************/ /* FPU Restore Functions */ @@ -307,6 +308,8 @@ int vcpu_init_fpu(struct vcpu *v) { int rc; + v->arch.fully_eager_fpu = opt_eager_fpu; + if ( (rc = xstate_alloc_save_area(v)) != 0 ) return rc; --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -44,6 +44,7 @@ static enum ind_thunk { static int8_t __initdata opt_ibrs = -1; bool __read_mostly opt_ibpb = true; bool __read_mostly opt_ssbd = false; +int8_t __read_mostly opt_eager_fpu = -1; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -114,6 +115,7 @@ static int __init parse_spec_ctrl(const opt_thunk = THUNK_JMP; opt_ibrs = 0; opt_ibpb = false; + opt_eager_fpu = 0; } else if ( val > 0 ) rc = -EINVAL; @@ -167,6 +169,8 @@ static int __init parse_spec_ctrl(const opt_ibpb = val; else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 ) opt_ssbd = val; + else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) + opt_eager_fpu = val; else rc = -EINVAL; @@ -220,15 +224,19 @@ static void __init print_details(enum in * Alternatives blocks for protecting against and/or virtualising * mitigation support for guests. */ - printk(" Support for VMs: PV:%s%s%s, HVM:%s%s%s\n", + printk(" Support for VMs: PV:%s%s%s%s, HVM:%s%s%s%s\n", (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || - boot_cpu_has(X86_FEATURE_SC_RSB_PV)) ? "" : " None", + boot_cpu_has(X86_FEATURE_SC_RSB_PV) || + opt_eager_fpu) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", + opt_eager_fpu ? " EAGER_FPU" : "", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || - boot_cpu_has(X86_FEATURE_SC_RSB_HVM)) ? "" : " None", + boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || + opt_eager_fpu) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", - boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : ""); + boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", + opt_eager_fpu ? " EAGER_FPU" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s\n", opt_xpti & OPT_XPTI_DOM0 ? "enabled" : "disabled", @@ -318,6 +326,82 @@ static bool __init retpoline_safe(uint64 } } +/* Calculate whether this CPU speculates past #NM */ +static bool __init should_use_eager_fpu(void) +{ + /* + * Assume all unrecognised processors are ok. This is only known to + * affect Intel Family 6 processors. + */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return false; + + switch ( boot_cpu_data.x86_model ) + { + /* + * Core processors since at least Nehalem are vulnerable. + */ + case 0x1e: /* Nehalem */ + case 0x1f: /* Auburndale / Havendale */ + case 0x1a: /* Nehalem EP */ + case 0x2e: /* Nehalem EX */ + case 0x25: /* Westmere */ + case 0x2c: /* Westmere EP */ + case 0x2f: /* Westmere EX */ + case 0x2a: /* SandyBridge */ + case 0x2d: /* SandyBridge EP/EX */ + case 0x3a: /* IvyBridge */ + case 0x3e: /* IvyBridge EP/EX */ + case 0x3c: /* Haswell */ + case 0x3f: /* Haswell EX/EP */ + case 0x45: /* Haswell D */ + case 0x46: /* Haswell H */ + case 0x3d: /* Broadwell */ + case 0x47: /* Broadwell H */ + case 0x4f: /* Broadwell EP/EX */ + case 0x56: /* Broadwell D */ + case 0x4e: /* Skylake M */ + case 0x55: /* Skylake X */ + case 0x5e: /* Skylake D */ + case 0x66: /* Cannonlake */ + case 0x67: /* Cannonlake? */ + case 0x8e: /* Kabylake M */ + case 0x9e: /* Kabylake D */ + return true; + + /* + * Atom processors are not vulnerable. + */ + case 0x1c: /* Pineview */ + case 0x26: /* Lincroft */ + case 0x27: /* Penwell */ + case 0x35: /* Cloverview */ + case 0x36: /* Cedarview */ + case 0x37: /* Baytrail / Valleyview (Silvermont) */ + case 0x4d: /* Avaton / Rangely (Silvermont) */ + case 0x4c: /* Cherrytrail / Brasswell */ + case 0x4a: /* Merrifield */ + case 0x5a: /* Moorefield */ + case 0x5c: /* Goldmont */ + case 0x5f: /* Denverton */ + case 0x7a: /* Gemini Lake */ + return false; + + /* + * Knights processors are not vulnerable. + */ + case 0x57: /* Knights Landing */ + case 0x85: /* Knights Mill */ + return false; + + default: + printk("Unrecognised CPU model %#x - assuming vulnerable to LazyFPU\n", + boot_cpu_data.x86_model); + return true; + } +} + #define OPT_XPTI_DEFAULT 0xff uint8_t __read_mostly opt_xpti = OPT_XPTI_DEFAULT; @@ -514,6 +598,10 @@ void __init init_speculation_mitigations if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) opt_ibpb = false; + /* Check whether Eager FPU should be enabled by default. */ + if ( opt_eager_fpu == -1 ) + opt_eager_fpu = should_use_eager_fpu(); + /* (Re)init BSP state now that default_spec_ctrl_flags has been calculated. */ init_shadow_spec_ctrl_state(); --- a/xen/include/asm-x86/spec_ctrl.h +++ b/xen/include/asm-x86/spec_ctrl.h @@ -28,6 +28,7 @@ void init_speculation_mitigations(void); extern bool opt_ibpb; extern bool opt_ssbd; +extern int8_t opt_eager_fpu; extern bool bsp_delay_spec_ctrl; extern uint8_t default_xen_spec_ctrl; ++++++ 5b238b92-x86-HVM-account-for-fully-eager-FPU.patch ++++++ # Commit e23d2234e08872ac1c719f3e338994581483440f # Date 2018-06-15 11:49:06 +0200 # Author Jan Beulich # Committer Jan Beulich x86/HVM: account for fully eager FPU mode in emulation In fully eager mode we must not clear fpu_dirtied, set CR0.TS, or invoke the fpu_leave() hook. Instead do what the mode's name says: Restore state right away. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -1991,13 +1991,20 @@ static void hvmemul_put_fpu( if ( backout == X86EMUL_FPU_fpu ) { /* - * To back out changes to the register file simply adjust state such - * that upon next FPU insn use by the guest we'll reload the state - * saved (or freshly loaded) by hvmemul_get_fpu(). + * To back out changes to the register file + * - in fully eager mode, restore original state immediately, + * - in lazy mode, simply adjust state such that upon next FPU insn + * use by the guest we'll reload the state saved (or freshly loaded) + * by hvmemul_get_fpu(). */ - curr->fpu_dirtied = false; - stts(); - hvm_funcs.fpu_leave(curr); + if ( curr->arch.fully_eager_fpu ) + vcpu_restore_fpu_eager(curr); + else + { + curr->fpu_dirtied = false; + stts(); + hvm_funcs.fpu_leave(curr); + } } } ++++++ 5b2b7172-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch ++++++ # Commit 437211cb696515ee5bd5dae0ab72866c9f382a33 # Date 2018-06-21 11:35:46 +0200 # Author Jan Beulich # Committer Jan Beulich x86/EFI: fix FPU state handling around runtime calls There are two issues. First, the nonlazy xstates were never restored after returning from the runtime call. Secondly, with the fully_eager_fpu mitigation for XSA-267 / LazyFPU, the unilateral stts() is no longer correct, and hits an assertion later when a lazy state restore tries to occur for a fully eager vcpu. Fix both of these issues by calling vcpu_restore_fpu_eager(). As EFI runtime services can be used in the idle context, the idle assertion needs to move until after the fully_eager_fpu check. Introduce a "curr" local variable and replace other uses of "current" at the same time. Reported-by: Andrew Cooper Signed-off-by: Jan Beulich Signed-off-by: Andrew Cooper Tested-by: Juergen Gross --- a/xen/arch/x86/i387.c +++ b/xen/arch/x86/i387.c @@ -208,12 +208,12 @@ static inline void fpu_fxsave(struct vcp /* Restore FPU state whenever VCPU is schduled in. */ void vcpu_restore_fpu_eager(struct vcpu *v) { - ASSERT(!is_idle_vcpu(v)); - /* Restore nonlazy extended state (i.e. parts not tracked by CR0.TS). */ if ( !v->arch.fully_eager_fpu && !v->arch.nonlazy_xstate_used ) return; + ASSERT(!is_idle_vcpu(v)); + /* Avoid recursion */ clts(); --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -118,14 +118,16 @@ struct efi_rs_state efi_rs_enter(void) void efi_rs_leave(struct efi_rs_state *state) { + struct vcpu *curr = current; + if ( !state->cr3 ) return; switch_cr3_cr4(state->cr3, read_cr4()); - if ( is_pv_vcpu(current) && !is_idle_vcpu(current) ) + if ( is_pv_vcpu(curr) && !is_idle_vcpu(curr) ) { struct desc_ptr gdt_desc = { .limit = LAST_RESERVED_GDT_BYTE, - .base = GDT_VIRT_START(current) + .base = GDT_VIRT_START(curr) }; asm volatile ( "lgdt %0" : : "m" (gdt_desc) ); @@ -133,7 +135,7 @@ void efi_rs_leave(struct efi_rs_state *s irq_exit(); efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); - stts(); + vcpu_restore_fpu_eager(curr); } bool efi_rs_using_pgtables(void) ++++++ 5b31e004-x86-HVM-emul-attempts-FPU-set-fpu_initialised.patch ++++++ # Commit 3310e3cd648f3713c824790bd71d8ec405a09d05 # Date 2018-06-26 08:41:08 +0200 # Author Jan Beulich # Committer Jan Beulich x86/HVM: attempts to emulate FPU insns need to set fpu_initialised My original way of thinking here was that this would be set anyway at the point state gets reloaded after the adjustments hvmemul_put_fpu() does, but the flag should already be set before that - after all the guest may never again touch the FPU before e.g. getting migrated/saved. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper Acked-by: Paul Durrant --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -1900,6 +1900,7 @@ static int hvmemul_get_fpu( * masking of all exceptions by FNSTENV.) */ save_fpu_enable(); + curr->fpu_initialised = true; curr->fpu_dirtied = true; if ( (fpu_ctxt->fcw & 0x3f) != 0x3f ) { ++++++ 5b323e3c-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch ++++++ # Commit 23839a0fa0bbe78c174cd2bb49083e153f0f99df # Date 2018-06-26 15:23:08 +0200 # Author Jan Beulich # Committer Jan Beulich x86/EFI: further correct FPU state handling around runtime calls We must not leave a vCPU with CR0.TS clear when it is not in fully eager mode and has not touched non-lazy state. Instead of adding a 3rd invocation of stts() to vcpu_restore_fpu_eager(), consolidate all of them into a single one done at the end of the function. Rename the function at the same time to better reflect its purpose, as the patches touches all of its occurences anyway. The new function parameter is not really well named, but "need_stts_if_not_fully_eager" seemed excessive to me. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper Reviewed-by: Paul Durrant --- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -1635,7 +1635,7 @@ static void __context_switch(void) if ( cpu_has_xsaves && is_hvm_vcpu(n) ) set_msr_xss(n->arch.hvm_vcpu.msr_xss); } - vcpu_restore_fpu_eager(n); + vcpu_restore_fpu_nonlazy(n, false); nd->arch.ctxt_switch->to(n); } --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -1999,7 +1999,7 @@ static void hvmemul_put_fpu( * by hvmemul_get_fpu(). */ if ( curr->arch.fully_eager_fpu ) - vcpu_restore_fpu_eager(curr); + vcpu_restore_fpu_nonlazy(curr, false); else { curr->fpu_dirtied = false; --- a/xen/arch/x86/i387.c +++ b/xen/arch/x86/i387.c @@ -206,11 +206,11 @@ static inline void fpu_fxsave(struct vcp /* VCPU FPU Functions */ /*******************************/ /* Restore FPU state whenever VCPU is schduled in. */ -void vcpu_restore_fpu_eager(struct vcpu *v) +void vcpu_restore_fpu_nonlazy(struct vcpu *v, bool need_stts) { /* Restore nonlazy extended state (i.e. parts not tracked by CR0.TS). */ if ( !v->arch.fully_eager_fpu && !v->arch.nonlazy_xstate_used ) - return; + goto maybe_stts; ASSERT(!is_idle_vcpu(v)); @@ -233,14 +233,17 @@ void vcpu_restore_fpu_eager(struct vcpu v->fpu_dirtied = 1; /* Xen doesn't need TS set, but the guest might. */ - if ( is_pv_vcpu(v) && (v->arch.pv_vcpu.ctrlreg[0] & X86_CR0_TS) ) - stts(); + need_stts = is_pv_vcpu(v) && (v->arch.pv_vcpu.ctrlreg[0] & X86_CR0_TS); } else { fpu_xrstor(v, XSTATE_NONLAZY); - stts(); + need_stts = true; } + + maybe_stts: + if ( need_stts ) + stts(); } /* --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -135,7 +135,7 @@ void efi_rs_leave(struct efi_rs_state *s irq_exit(); efi_rs_on_cpu = NR_CPUS; spin_unlock(&efi_rs_lock); - vcpu_restore_fpu_eager(curr); + vcpu_restore_fpu_nonlazy(curr, true); } bool efi_rs_using_pgtables(void) --- a/xen/include/asm-x86/i387.h +++ b/xen/include/asm-x86/i387.h @@ -28,7 +28,7 @@ struct ix87_env { uint16_t fds, _res6; }; -void vcpu_restore_fpu_eager(struct vcpu *v); +void vcpu_restore_fpu_nonlazy(struct vcpu *v, bool need_stts); void vcpu_restore_fpu_lazy(struct vcpu *v); void vcpu_save_fpu(struct vcpu *v); void save_fpu_enable(void); ++++++ 5b34882d-x86-mm-dont-bypass-preemption-checks.patch ++++++ # Commit 17608703c65bf080b0a9f024f9b370872b9f2c05 # Date 2018-06-28 09:03:09 +0200 # Author Jan Beulich # Committer Jan Beulich x86/mm: don't bypass preemption checks While unlikely, it is not impossible for a multi-vCPU guest to leverage bypasses of preemption checks to drive Xen into an unbounded loop. This is XSA-264. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2526,7 +2526,7 @@ static int _put_page_type(struct page_in nx = x & ~(PGT_validated|PGT_partial); if ( unlikely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) != x) ) - continue; + goto maybe_preempt; /* We cleared the 'valid bit' so we do the clean up. */ rc = _put_final_page_type(page, x, preemptible, ptpg); ptpg = NULL; @@ -2558,12 +2558,13 @@ static int _put_page_type(struct page_in */ cpu_relax(); y = page->u.inuse.type_info; - continue; + goto maybe_preempt; } if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) ) break; + maybe_preempt: if ( preemptible && hypercall_preempt_check() ) return -EINTR; } @@ -2676,12 +2677,11 @@ static int __get_page_type(struct page_i if ( !(x & PGT_partial) ) { /* Someone else is updating validation of this page. Wait... */ - while ( (y = page->u.inuse.type_info) == x ) - { + do { if ( preemptible && hypercall_preempt_check() ) return -EINTR; cpu_relax(); - } + } while ( (y = page->u.inuse.type_info) == x ); continue; } /* Type ref count was left at 1 when PGT_partial got set. */ ++++++ 5b348874-x86-refine-checks-in-DB-handler.patch ++++++ # Commit 17bf51297220dcd74da29de99320b6b1c72d1fa5 # Date 2018-06-28 09:04:20 +0200 # Author Andrew Cooper # Committer Jan Beulich x86: Refine checks in #DB handler for faulting conditions One of the fix for XSA-260 (c/s 75d6828bc2 "x86/traps: Fix handling of #DB exceptions in hypervisor context") added some safety checks to help avoid livelocks of #DB faults. While a General Detect #DB exception does have fault semantics, hardware clears %dr7.gd on entry to the handler, meaning that it is actually safe to return to. Furthermore, %dr6.gd is guest controlled and sticky (never cleared by hardware). A malicious PV guest can therefore trigger the fatal_trap() and crash Xen. Instruction breakpoints are more tricky. The breakpoint match bits in %dr6 are not sticky, but the Intel manual warns that they may be set for non-enabled breakpoints, so add a breakpoint enabled check. Beyond that, because of the restriction on the linear addresses PV guests can set, and the fault (rather than trap) nature of instruction breakpoints (i.e. can't be deferred by a MovSS shadow), there should be no way to encounter an instruction breakpoint in Xen context. However, for extra robustness, deal with this situation by clearing the breakpoint configuration, rather than crashing. This is XSA-265 Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -1793,6 +1793,13 @@ void do_debug(struct cpu_user_regs *regs if ( !guest_mode(regs) ) { + /* + * !!! WARNING !!! + * + * %dr6 is mostly guest controlled at this point. Any decsions base + * on its value must be crosschecked with non-guest controlled state. + */ + if ( regs->eflags & X86_EFLAGS_TF ) { /* In SYSENTER entry path we can't zap TF until EFLAGS is saved. */ @@ -1814,33 +1821,44 @@ void do_debug(struct cpu_user_regs *regs * Check for fault conditions. General Detect, and instruction * breakpoints are faults rather than traps, at which point attempting * to ignore and continue will result in a livelock. + * + * However, on entering the #DB handler, hardware clears %dr7.gd for + * us (as confirmed by the earlier %dr6 accesses succeeding), meaning + * that a real General Detect exception is restartable. + * + * PV guests are not permitted to point %dr{0..3} at Xen linear + * addresses, and Instruction Breakpoints (being faults) don't get + * delayed by a MovSS shadow, so we should never encounter one in + * hypervisor context. + * + * If however we do, safety measures need to be enacted. Use a big + * hammer and clear all debug settings. */ - if ( dr6 & DR_GENERAL_DETECT ) - { - printk(XENLOG_ERR "Hit General Detect in Xen context\n"); - fatal_trap(regs, 0); - } - if ( dr6 & (DR_TRAP3 | DR_TRAP2 | DR_TRAP1 | DR_TRAP0) ) { - unsigned int bp, dr7 = read_debugreg(7) >> DR_CONTROL_SHIFT; + unsigned int bp, dr7 = read_debugreg(7); for ( bp = 0; bp < 4; ++bp ) { if ( (dr6 & (1u << bp)) && /* Breakpoint triggered? */ - ((dr7 & (3u << (bp * DR_CONTROL_SIZE))) == 0) /* Insn? */ ) + (dr7 & (3u << (bp * DR_ENABLE_SIZE))) && /* Enabled? */ + ((dr7 & (3u << ((bp * DR_CONTROL_SIZE) + /* Insn? */ + DR_CONTROL_SHIFT))) == DR_RW_EXECUTE) ) { + ASSERT_UNREACHABLE(); + printk(XENLOG_ERR "Hit instruction breakpoint in Xen context\n"); - fatal_trap(regs, 0); + write_debugreg(7, 0); + break; } } } /* - * Whatever caused this #DB should be a trap. Note it and continue. - * Guests can trigger this in certain corner cases, so ensure the - * message is ratelimited. + * Whatever caused this #DB should be restartable by this point. Note + * it and continue. Guests can trigger this in certain corner cases, + * so ensure the message is ratelimited. */ gprintk(XENLOG_WARNING, "Hit #DB in Xen context: %04x:%p [%ps], stk %04x:%p, dr6 %lx\n", ++++++ 5b348897-libxl-qemu_disk_scsi_drive_string-break-out-common.patch ++++++ # Commit 724e5aa31b58d1e430ad36b484cf0ec021497399 # Date 2018-06-28 09:04:55 +0200 # Author Ian Jackson # Committer Jan Beulich libxl: qemu_disk_scsi_drive_string: Break out common parts of disk config The generated configurations are identical apart from, in some cases, reordering of the id=%s element. So, overall, no functional change. This is part of XSA-266. Reported-by: Andrew Reimers Signed-off-by: Jan Beulich Signed-off-by: Ian Jackson --- a/tools/libxl/libxl_dm.c +++ b/tools/libxl/libxl_dm.c @@ -798,6 +798,7 @@ static char *qemu_disk_scsi_drive_string int colo_mode) { char *drive = NULL; + char *common = GCSPRINTF("cache=writeback"); const char *exportname = disk->colo_export; const char *active_disk = disk->active_disk; const char *hidden_disk = disk->hidden_disk; @@ -805,8 +806,8 @@ static char *qemu_disk_scsi_drive_string switch (colo_mode) { case LIBXL__COLO_NONE: drive = libxl__sprintf - (gc, "file=%s,if=scsi,bus=0,unit=%d,format=%s,cache=writeback", - target_path, unit, format); + (gc, "%s,file=%s,if=scsi,bus=0,unit=%d,format=%s", + common, target_path, unit, format); break; case LIBXL__COLO_PRIMARY: /* @@ -819,13 +820,13 @@ static char *qemu_disk_scsi_drive_string * vote-threshold=1 */ drive = GCSPRINTF( - "if=scsi,bus=0,unit=%d,cache=writeback,driver=quorum," + "%s,if=scsi,bus=0,unit=%d,,driver=quorum," "id=%s," "children.0.file.filename=%s," "children.0.driver=%s," "read-pattern=fifo," "vote-threshold=1", - unit, exportname, target_path, format); + common, unit, exportname, target_path, format); break; case LIBXL__COLO_SECONDARY: /* @@ -839,7 +840,7 @@ static char *qemu_disk_scsi_drive_string * file.backing.backing=exportname, */ drive = GCSPRINTF( - "if=scsi,id=top-colo,bus=0,unit=%d,cache=writeback," + "%s,if=scsi,id=top-colo,bus=0,unit=%d," "driver=replication," "mode=secondary," "top-id=top-colo," @@ -848,7 +849,7 @@ static char *qemu_disk_scsi_drive_string "file.backing.driver=qcow2," "file.backing.file.filename=%s," "file.backing.backing=%s", - unit, active_disk, hidden_disk, exportname); + common, unit, active_disk, hidden_disk, exportname); break; default: abort(); ++++++ 5b3488a2-libxl-restore-passing-ro-to-qemu-for-SCSI-disks.patch ++++++ # Commit dd64d3c41a2d15139c3a35d22d4cb6b78f4c5c59 # Date 2018-06-28 09:05:06 +0200 # Author Ian Jackson # Committer Jan Beulich libxl: restore passing "readonly=" to qemu for SCSI disks A read-only check was introduced for XSA-142, commit ef6cb76026 ("libxl: relax readonly check introduced by XSA-142 fix") added the passing of the extra setting, but commit dab0539568 ("Introduce COLO mode and refactor relevant function") dropped the passing of the setting again, quite likely due to improper re-basing. Restore the readonly= parameter to SCSI disks. For IDE disks this is supposed to be rejected; add an assert. And there is a bare ad-hoc disk drive string in libxl__build_device_model_args_new, which we also update. This is XSA-266. Reported-by: Andrew Reimers Signed-off-by: Jan Beulich Signed-off-by: Ian Jackson --- a/tools/libxl/libxl_dm.c +++ b/tools/libxl/libxl_dm.c @@ -798,7 +798,8 @@ static char *qemu_disk_scsi_drive_string int colo_mode) { char *drive = NULL; - char *common = GCSPRINTF("cache=writeback"); + char *common = GCSPRINTF("cache=writeback,readonly=%s", + disk->readwrite ? "off" : "on"); const char *exportname = disk->colo_export; const char *active_disk = disk->active_disk; const char *hidden_disk = disk->hidden_disk; @@ -867,6 +868,8 @@ static char *qemu_disk_ide_drive_string( const char *exportname = disk->colo_export; const char *active_disk = disk->active_disk; const char *hidden_disk = disk->hidden_disk; + + assert(disk->readwrite); /* should have been checked earlier */ switch (colo_mode) { case LIBXL__COLO_NONE: @@ -1576,8 +1579,9 @@ static int libxl__build_device_model_arg if (strncmp(disks[i].vdev, "sd", 2) == 0) { if (colo_mode == LIBXL__COLO_SECONDARY) { drive = libxl__sprintf - (gc, "if=none,driver=%s,file=%s,id=%s", - format, target_path, disks[i].colo_export); + (gc, "if=none,driver=%s,file=%s,id=%s,readonly=%s", + format, target_path, disks[i].colo_export, + disks[i].readwrite ? "off" : "on"); flexarray_append(dm_args, "-drive"); flexarray_append(dm_args, drive); ++++++ 5b34891a-x86-HVM-dont-cause-NM-to-be-raised.patch ++++++ # Commit 488efc29e4e996bb3805c982200f65061390cdce # Date 2018-06-28 09:07:06 +0200 # Author Jan Beulich # Committer Jan Beulich x86/HVM: don't cause #NM to be raised in Xen The changes for XSA-267 did not touch management of CR0.TS for HVM guests. In fully eager mode this bit should never be set when respective vCPU-s are active, or else hvmemul_get_fpu() might leave it wrongly set, leading to #NM in hypervisor context. {svm,vmx}_enter() and {svm,vmx}_fpu_dirty_intercept() become unreachable this way. Explicit {svm,vmx}_fpu_leave() invocations need to be guarded now. With no CR0.TS management necessary in fully eager mode, there's also no need anymore to intercept #NM. Reported-by: Charles Arnold Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -546,7 +546,10 @@ void svm_update_guest_cr(struct vcpu *v, if ( !(v->arch.hvm_vcpu.guest_cr[0] & X86_CR0_TS) ) { if ( v != current ) - hw_cr0_mask |= X86_CR0_TS; + { + if ( !v->arch.fully_eager_fpu ) + hw_cr0_mask |= X86_CR0_TS; + } else if ( vmcb_get_cr0(vmcb) & X86_CR0_TS ) svm_fpu_enter(v); } @@ -1033,7 +1036,8 @@ static void svm_ctxt_switch_from(struct if ( unlikely((read_efer() & EFER_SVME) == 0) ) return; - svm_fpu_leave(v); + if ( !v->arch.fully_eager_fpu ) + svm_fpu_leave(v); svm_save_dr(v); svm_lwp_save(v); --- a/xen/arch/x86/hvm/svm/vmcb.c +++ b/xen/arch/x86/hvm/svm/vmcb.c @@ -178,8 +178,8 @@ static int construct_vmcb(struct vcpu *v paging_update_paging_modes(v); vmcb->_exception_intercepts = - HVM_TRAP_MASK - | (1U << TRAP_no_device); + HVM_TRAP_MASK | + (v->arch.fully_eager_fpu ? 0 : (1U << TRAP_no_device)); if ( paging_mode_hap(v->domain) ) { --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -1146,7 +1146,9 @@ static int construct_vmcs(struct vcpu *v __vmwrite(HOST_GS_BASE, 0); /* Host control registers. */ - v->arch.hvm_vmx.host_cr0 = read_cr0() | X86_CR0_TS; + v->arch.hvm_vmx.host_cr0 = read_cr0() & ~X86_CR0_TS; + if ( !v->arch.fully_eager_fpu ) + v->arch.hvm_vmx.host_cr0 |= X86_CR0_TS; __vmwrite(HOST_CR0, v->arch.hvm_vmx.host_cr0); __vmwrite(HOST_CR4, mmu_cr4_features); @@ -1226,7 +1228,7 @@ static int construct_vmcs(struct vcpu *v v->arch.hvm_vmx.exception_bitmap = HVM_TRAP_MASK | (paging_mode_hap(d) ? 0 : (1U << TRAP_page_fault)) - | (1U << TRAP_no_device); + | (v->arch.fully_eager_fpu ? 0 : (1U << TRAP_no_device)); vmx_update_exception_bitmap(v); v->arch.hvm_vcpu.guest_cr[0] = X86_CR0_PE | X86_CR0_ET; --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -1035,7 +1035,8 @@ static void vmx_ctxt_switch_from(struct vmx_vmcs_reload(v); } - vmx_fpu_leave(v); + if ( !v->arch.fully_eager_fpu ) + vmx_fpu_leave(v); vmx_save_guest_msrs(v); vmx_restore_host_msrs(); vmx_save_dr(v); @@ -1597,7 +1598,10 @@ static void vmx_update_guest_cr(struct v if ( !(v->arch.hvm_vcpu.guest_cr[0] & X86_CR0_TS) ) { if ( v != current ) - hw_cr0_mask |= X86_CR0_TS; + { + if ( !v->arch.fully_eager_fpu ) + hw_cr0_mask |= X86_CR0_TS; + } else if ( v->arch.hvm_vcpu.hw_cr[0] & X86_CR0_TS ) vmx_fpu_enter(v); } ++++++ 5b348954-x86-guard-against-NM.patch ++++++ # Commit 00cebd6f22beb6d5fa65ed2d8d1ff9acf59bce61 # Date 2018-06-28 09:08:04 +0200 # Author Jan Beulich # Committer Jan Beulich x86: guard against #NM Just in case we still don't get CR0.TS handling right, prevent a host crash by honoring exception fixups in do_device_not_available(). This would in particular cover emulator stubs raising #NM. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -1722,7 +1722,21 @@ void do_device_not_available(struct cpu_ { struct vcpu *curr = current; - BUG_ON(!guest_mode(regs)); + if ( !guest_mode(regs) ) + { + unsigned long fixup = search_exception_table(regs); + + gprintk(XENLOG_ERR, "#NM: %p [%ps] -> %p\n", + _p(regs->rip), _p(regs->rip), _p(fixup)); + /* + * We shouldn't be able to reach here, but for release builds have + * the recovery logic in place nevertheless. + */ + ASSERT_UNREACHABLE(); + BUG_ON(!fixup); + regs->rip = fixup; + return; + } vcpu_restore_fpu_lazy(curr); ++++++ libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch ++++++ --- /var/tmp/diff_new_pack.CRshPV/_old 2018-07-02 23:30:46.813447938 +0200 +++ /var/tmp/diff_new_pack.CRshPV/_new 2018-07-02 23:30:46.813447938 +0200 @@ -7,10 +7,10 @@ tools/libxl/libxlu_disk_l.l | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) -Index: xen-4.10.0-testing/docs/man/xl-disk-configuration.pod.5 +Index: xen-4.10.1-testing/docs/man/xl-disk-configuration.pod.5 =================================================================== ---- xen-4.10.0-testing.orig/docs/man/xl-disk-configuration.pod.5 -+++ xen-4.10.0-testing/docs/man/xl-disk-configuration.pod.5 +--- xen-4.10.1-testing.orig/docs/man/xl-disk-configuration.pod.5 ++++ xen-4.10.1-testing/docs/man/xl-disk-configuration.pod.5 @@ -344,6 +344,32 @@ can be used to disable "hole punching" f were intentionally created non-sparse to avoid fragmentation of the file. @@ -44,10 +44,10 @@ =back -Index: xen-4.10.0-testing/tools/libxl/libxl.h +Index: xen-4.10.1-testing/tools/libxl/libxl.h =================================================================== ---- xen-4.10.0-testing.orig/tools/libxl/libxl.h -+++ xen-4.10.0-testing/tools/libxl/libxl.h +--- xen-4.10.1-testing.orig/tools/libxl/libxl.h ++++ xen-4.10.1-testing/tools/libxl/libxl.h @@ -348,6 +348,21 @@ #define LIBXL_HAVE_BUILDINFO_BOOTLOADER_ARGS 1 @@ -70,10 +70,10 @@ * libxl ABI compatibility * * The only guarantee which libxl makes regarding ABI compatibility -Index: xen-4.10.0-testing/tools/libxl/libxl_disk.c +Index: xen-4.10.1-testing/tools/libxl/libxl_disk.c =================================================================== ---- xen-4.10.0-testing.orig/tools/libxl/libxl_disk.c -+++ xen-4.10.0-testing/tools/libxl/libxl_disk.c +--- xen-4.10.1-testing.orig/tools/libxl/libxl_disk.c ++++ xen-4.10.1-testing/tools/libxl/libxl_disk.c @@ -406,6 +406,8 @@ static void device_disk_add(libxl__egc * flexarray_append_pair(back, "discard-enable", libxl_defbool_val(disk->discard_enable) ? @@ -83,11 +83,11 @@ flexarray_append(front, "backend-id"); flexarray_append(front, GCSPRINTF("%d", disk->backend_domid)); -Index: xen-4.10.0-testing/tools/libxl/libxl_dm.c +Index: xen-4.10.1-testing/tools/libxl/libxl_dm.c =================================================================== ---- xen-4.10.0-testing.orig/tools/libxl/libxl_dm.c -+++ xen-4.10.0-testing/tools/libxl/libxl_dm.c -@@ -792,6 +792,19 @@ enum { +--- xen-4.10.1-testing.orig/tools/libxl/libxl_dm.c ++++ xen-4.10.1-testing/tools/libxl/libxl_dm.c +@@ -792,13 +792,27 @@ enum { LIBXL__COLO_SECONDARY, }; @@ -107,56 +107,16 @@ static char *qemu_disk_scsi_drive_string(libxl__gc *gc, const char *target_path, int unit, const char *format, const libxl_device_disk *disk, -@@ -805,8 +818,8 @@ static char *qemu_disk_scsi_drive_string - switch (colo_mode) { - case LIBXL__COLO_NONE: - drive = libxl__sprintf -- (gc, "file=%s,if=scsi,bus=0,unit=%d,format=%s,cache=writeback", -- target_path, unit, format); -+ (gc, "file=%s,if=scsi,bus=0,unit=%d,format=%s,cache=%s", -+ target_path, unit, format, qemu_cache_mode(disk)); - break; - case LIBXL__COLO_PRIMARY: - /* -@@ -819,13 +832,15 @@ static char *qemu_disk_scsi_drive_string - * vote-threshold=1 - */ - drive = GCSPRINTF( -- "if=scsi,bus=0,unit=%d,cache=writeback,driver=quorum," -+ "if=scsi,bus=0,unit=%d,cache=%s,driver=quorum," - "id=%s," - "children.0.file.filename=%s," - "children.0.driver=%s," - "read-pattern=fifo," - "vote-threshold=1", -- unit, exportname, target_path, format); -+ unit, -+ qemu_cache_mode(disk), -+ exportname, target_path, format); - break; - case LIBXL__COLO_SECONDARY: - /* -@@ -839,7 +854,7 @@ static char *qemu_disk_scsi_drive_string - * file.backing.backing=exportname, - */ - drive = GCSPRINTF( -- "if=scsi,id=top-colo,bus=0,unit=%d,cache=writeback," -+ "if=scsi,id=top-colo,bus=0,unit=%d,cache=%s," - "driver=replication," - "mode=secondary," - "top-id=top-colo," -@@ -848,7 +863,9 @@ static char *qemu_disk_scsi_drive_string - "file.backing.driver=qcow2," - "file.backing.file.filename=%s," - "file.backing.backing=%s", -- unit, active_disk, hidden_disk, exportname); -+ unit, -+ qemu_cache_mode(disk), -+ active_disk, hidden_disk, exportname); - break; - default: - abort(); -@@ -870,8 +887,8 @@ static char *qemu_disk_ide_drive_string( + int colo_mode) + { + char *drive = NULL; +- char *common = GCSPRINTF("cache=writeback,readonly=%s", ++ char *common = GCSPRINTF("cache=%s,readonly=%s", ++ qemu_cache_mode(disk), + disk->readwrite ? "off" : "on"); + const char *exportname = disk->colo_export; + const char *active_disk = disk->active_disk; +@@ -874,8 +888,8 @@ static char *qemu_disk_ide_drive_string( switch (colo_mode) { case LIBXL__COLO_NONE: drive = GCSPRINTF @@ -167,7 +127,7 @@ break; case LIBXL__COLO_PRIMARY: /* -@@ -884,13 +901,15 @@ static char *qemu_disk_ide_drive_string( +@@ -888,13 +902,13 @@ static char *qemu_disk_ide_drive_string( * vote-threshold=1 */ drive = GCSPRINTF( @@ -179,13 +139,11 @@ "read-pattern=fifo," "vote-threshold=1", - unit, exportname, target_path, format); -+ unit, -+ qemu_cache_mode(disk), -+ exportname, target_path, format); ++ unit, qemu_cache_mode(disk), exportname, target_path, format); break; case LIBXL__COLO_SECONDARY: /* -@@ -904,7 +923,7 @@ static char *qemu_disk_ide_drive_string( +@@ -908,7 +922,7 @@ static char *qemu_disk_ide_drive_string( * file.backing.backing=exportname, */ drive = GCSPRINTF( @@ -194,7 +152,7 @@ "driver=replication," "mode=secondary," "top-id=top-colo," -@@ -913,7 +932,9 @@ static char *qemu_disk_ide_drive_string( +@@ -917,7 +931,9 @@ static char *qemu_disk_ide_drive_string( "file.backing.driver=qcow2," "file.backing.file.filename=%s," "file.backing.backing=%s", @@ -205,7 +163,7 @@ break; default: abort(); -@@ -1592,8 +1613,8 @@ static int libxl__build_device_model_arg +@@ -1597,8 +1613,8 @@ static int libxl__build_device_model_arg return ERROR_INVAL; } flexarray_vappend(dm_args, "-drive", @@ -216,10 +174,10 @@ "-device", GCSPRINTF("ide-hd,bus=ahci0.%d,unit=0,drive=ahcidisk-%d", disk, disk), NULL); continue; -Index: xen-4.10.0-testing/tools/libxl/libxlu_disk.c +Index: xen-4.10.1-testing/tools/libxl/libxlu_disk.c =================================================================== ---- xen-4.10.0-testing.orig/tools/libxl/libxlu_disk.c -+++ xen-4.10.0-testing/tools/libxl/libxlu_disk.c +--- xen-4.10.1-testing.orig/tools/libxl/libxlu_disk.c ++++ xen-4.10.1-testing/tools/libxl/libxlu_disk.c @@ -79,6 +79,8 @@ int xlu_disk_parse(XLU_Config *cfg, if (!disk->pdev_path || !strcmp(disk->pdev_path, "")) disk->format = LIBXL_DISK_FORMAT_EMPTY; @@ -229,10 +187,10 @@ if (!disk->vdev) { xlu__disk_err(&dpc,0, "no vdev specified"); -Index: xen-4.10.0-testing/tools/libxl/libxlu_disk_i.h +Index: xen-4.10.1-testing/tools/libxl/libxlu_disk_i.h =================================================================== ---- xen-4.10.0-testing.orig/tools/libxl/libxlu_disk_i.h -+++ xen-4.10.0-testing/tools/libxl/libxlu_disk_i.h +--- xen-4.10.1-testing.orig/tools/libxl/libxlu_disk_i.h ++++ xen-4.10.1-testing/tools/libxl/libxlu_disk_i.h @@ -10,7 +10,7 @@ typedef struct { void *scanner; YY_BUFFER_STATE buf; @@ -242,10 +200,10 @@ const char *spec; } DiskParseContext; -Index: xen-4.10.0-testing/tools/libxl/libxlu_disk_l.l +Index: xen-4.10.1-testing/tools/libxl/libxlu_disk_l.l =================================================================== ---- xen-4.10.0-testing.orig/tools/libxl/libxlu_disk_l.l -+++ xen-4.10.0-testing/tools/libxl/libxlu_disk_l.l +--- xen-4.10.1-testing.orig/tools/libxl/libxlu_disk_l.l ++++ xen-4.10.1-testing/tools/libxl/libxlu_disk_l.l @@ -196,6 +196,7 @@ colo-port=[^,]*,? { STRIP(','); setcolop colo-export=[^,]*,? { STRIP(','); SAVESTRING("colo-export", colo_export, FROMEQUALS); } active-disk=[^,]*,? { STRIP(','); SAVESTRING("active-disk", active_disk, FROMEQUALS); } ++++++ xen.bug1079730.patch ++++++ --- /var/tmp/diff_new_pack.CRshPV/_old 2018-07-02 23:30:46.933447789 +0200 +++ /var/tmp/diff_new_pack.CRshPV/_new 2018-07-02 23:30:46.933447789 +0200 @@ -1,6 +1,7 @@ From: Olaf Hering Date: Thu, 17 May 2018 17:41:31 +0200 Subject: libxl: always call qemus xen-save-devices-state in suspend/resume +References: bsc#1079730, bsc#1098403 If a domU has a qemu-xen instance attached, it is required to call qemus "xen-save-devices-state" method. Without it, the receiving side of a PV @@ -16,6 +17,11 @@ libxl_domain_config available in these places, it should be enough to check if xenstore contains the relevant info. +PS: +Unfortunately, libxl sets 'qemu_xen' unconditionally even for PV. +As a quick fix, ignore QMP errors in case of PV and ENOENT. This fixes +domUs without qcow2 and without vfb=. + Signed-off-by: Olaf Hering --- tools/libxl/libxl_dom_suspend.c | 8 ++++++-- @@ -45,3 +51,140 @@ rc = libxl__domain_resume_device_model(gc, domid); if (rc) { LOGD(ERROR, domid, "failed to resume device model:%d", rc); +--- a/tools/libxl/libxl_internal.h ++++ b/tools/libxl/libxl_internal.h +@@ -1803,6 +1803,7 @@ typedef struct libxl__qmp_handler libxl_ + * Return an handler or NULL if there is an error + */ + _hidden libxl__qmp_handler *libxl__qmp_initialize(libxl__gc *gc, ++ libxl_domain_type type, + uint32_t domid); + _hidden int libxl__qmp_run_command_flexarray(libxl__gc *gc, int domid, + const char *cmd, +--- a/tools/libxl/libxl_qmp.c ++++ b/tools/libxl/libxl_qmp.c +@@ -386,17 +386,22 @@ static int qmp_open(libxl__qmp_handler * + { + int ret = -1; + int i = 0; ++ int o_errno = 0; + ++ errno = 0; + qmp->qmp_fd = socket(AF_UNIX, SOCK_STREAM, 0); ++ o_errno = errno; + if (qmp->qmp_fd < 0) { + goto out; + } + ret = libxl_fd_set_nonblock(qmp->ctx, qmp->qmp_fd, 1); ++ o_errno = errno; + if (ret) { + ret = -1; + goto out; + } + ret = libxl_fd_set_cloexec(qmp->ctx, qmp->qmp_fd, 1); ++ o_errno = errno; + if (ret) { + ret = -1; + goto out; +@@ -414,6 +419,7 @@ static int qmp_open(libxl__qmp_handler * + do { + ret = connect(qmp->qmp_fd, (struct sockaddr *) &qmp->addr, + sizeof (qmp->addr)); ++ o_errno = errno; + if (ret == 0) + break; + if (errno == ENOENT || errno == ECONNREFUSED) { +@@ -428,6 +434,7 @@ static int qmp_open(libxl__qmp_handler * + out: + if (ret == -1 && qmp->qmp_fd > -1) close(qmp->qmp_fd); + ++ errno = o_errno; + return ret; + } + +@@ -715,19 +722,27 @@ static void qmp_parameters_add_integer(l + * API + */ + +-libxl__qmp_handler *libxl__qmp_initialize(libxl__gc *gc, uint32_t domid) ++libxl__qmp_handler *libxl__qmp_initialize(libxl__gc *gc, libxl_domain_type type, uint32_t domid) + { + int ret = 0; ++ int o_errno; + libxl__qmp_handler *qmp = NULL; + char *qmp_socket; + ++ LOGD(DEBUG, domid, "%s", __func__); + qmp = qmp_init_handler(gc, domid); + if (!qmp) return NULL; + + qmp_socket = GCSPRINTF("%s/qmp-libxl-%d", libxl__run_dir_path(), domid); + if ((ret = qmp_open(qmp, qmp_socket, QMP_SOCKET_CONNECT_TIMEOUT)) < 0) { ++ o_errno = errno; ++ if (errno == ENOENT && type == LIBXL_DOMAIN_TYPE_PV) { ++ /* nothing to do, PV may not have a qemu attached */; ++ LOGED(DEBUG, domid, "Connection error"); ++ } else + LOGED(ERROR, domid, "Connection error"); + qmp_free_handler(qmp); ++ errno = o_errno; + return NULL; + } + +@@ -843,10 +858,12 @@ static int qmp_run_command(libxl__gc *gc + { + libxl__qmp_handler *qmp = NULL; + int rc = 0; ++ libxl_domain_type type = libxl__domain_type(gc, domid); + +- qmp = libxl__qmp_initialize(gc, domid); ++ LOGD(DEBUG, domid, "%s: %s", __func__, cmd); ++ qmp = libxl__qmp_initialize(gc, type, domid); + if (!qmp) +- return ERROR_FAIL; ++ return (errno == ENOENT && type == LIBXL_DOMAIN_TYPE_PV) ? 0 : ERROR_FAIL; + + rc = qmp_synchronous_send(qmp, cmd, args, callback, opaque, qmp->timeout); + +@@ -876,8 +893,10 @@ int libxl__qmp_pci_add(libxl__gc *gc, in + libxl__json_object *args = NULL; + char *hostaddr = NULL; + int rc = 0; ++ libxl_domain_type type = libxl__domain_type(gc, domid); + +- qmp = libxl__qmp_initialize(gc, domid); ++ LOGD(DEBUG, domid, "%s", __func__); ++ qmp = libxl__qmp_initialize(gc, type, domid); + if (!qmp) + return -1; + +@@ -945,10 +964,12 @@ int libxl__qmp_save(libxl__gc *gc, int d + libxl__json_object *args = NULL; + libxl__qmp_handler *qmp = NULL; + int rc; ++ libxl_domain_type type = libxl__domain_type(gc, domid); + +- qmp = libxl__qmp_initialize(gc, domid); ++ LOGD(DEBUG, domid, "%s: %s", __func__, filename); ++ qmp = libxl__qmp_initialize(gc, type, domid); + if (!qmp) +- return ERROR_FAIL; ++ return (errno == ENOENT && type == LIBXL_DOMAIN_TYPE_PV) ? 0 : ERROR_FAIL; + + qmp_parameters_add_string(gc, &args, "filename", (char *)filename); + +@@ -1219,10 +1240,12 @@ int libxl__qmp_initializations(libxl__gc + const libxl_vnc_info *vnc = libxl__dm_vnc(guest_config); + libxl__qmp_handler *qmp = NULL; + int ret = 0; ++ libxl_domain_type type = libxl__domain_type(gc, domid); + +- qmp = libxl__qmp_initialize(gc, domid); ++ LOGD(DEBUG, domid, "%s", __func__); ++ qmp = libxl__qmp_initialize(gc, type, domid); + if (!qmp) +- return -1; ++ return (errno == ENOENT && type == LIBXL_DOMAIN_TYPE_PV) ? 0 : ERROR_FAIL; + ret = libxl__qmp_query_serial(qmp); + if (!ret && vnc && vnc->passwd) { + ret = qmp_change(gc, qmp, "vnc", "password", vnc->passwd); ++++++ xen.fuzz-_FORTIFY_SOURCE.patch ++++++ From: Olaf Hering Date: Mon, 18 Jun 2018 14:43:58 +0200 Subject: fuzz _FORTIFY_SOURCE [ 78s] fuzz-emul.c: In function 'input_read': [ 78s] /usr/include/bits/string_fortified.h:31:1: error: inlining failed in call to always_inline 'memcpy': target specific option mismatch [ 78s] from fuzz-emul.c:1: [ 78s] /usr/include/bits/string_fortified.h:31:1: error: inlining failed in call to always_inline 'memcpy': target specific option mismatch [ 78s] x86_emulate/x86_emulate.c: In function 'protmode_load_seg': [ 78s] /usr/include/bits/string_fortified.h:59:1: error: inlining failed in call to always_inline 'memset': target specific option mismatch [ 78s] wrappers.c: In function 'emul_memcpy': [ 78s] /usr/include/bits/string_fortified.h:31:1: error: inlining failed in call to always_inline 'memcpy': target specific option mismatch Signed-off-by: Olaf Hering --- stubdom/Makefile | 1 + tools/fuzz/x86_instruction_emulator/Makefile | 1 + 2 files changed, 2 insertions(+) Index: xen-4.10.1-testing/stubdom/Makefile =================================================================== --- xen-4.10.1-testing.orig/stubdom/Makefile +++ xen-4.10.1-testing/stubdom/Makefile @@ -13,6 +13,7 @@ export stubdom=y export debug=y # Moved from config/StdGNU.mk CFLAGS += -O1 -fno-omit-frame-pointer +CFLAGS += -U_FORTIFY_SOURCE ifeq (,$(findstring clean,$(MAKECMDGOALS))) ifeq ($(wildcard $(MINI_OS)/Config.mk),) ++++++ xen.libxl.dmmd.patch ++++++ --- /var/tmp/diff_new_pack.CRshPV/_old 2018-07-02 23:30:46.957447759 +0200 +++ /var/tmp/diff_new_pack.CRshPV/_new 2018-07-02 23:30:46.957447759 +0200 @@ -49,7 +49,7 @@ =================================================================== --- xen-4.10.1-testing.orig/tools/libxl/libxl_dm.c +++ xen-4.10.1-testing/tools/libxl/libxl_dm.c -@@ -943,6 +943,30 @@ static char *qemu_disk_ide_drive_string( +@@ -942,6 +942,30 @@ static char *qemu_disk_ide_drive_string( return drive; } @@ -80,7 +80,7 @@ static int libxl__build_device_model_args_new(libxl__gc *gc, const char *dm, int guest_domid, const libxl_domain_config *guest_config, -@@ -1510,9 +1534,11 @@ static int libxl__build_device_model_arg +@@ -1509,9 +1533,11 @@ static int libxl__build_device_model_arg libxl__device_disk_dev_number(disks[i].vdev, &disk, &part); const char *format; char *drive; @@ -93,7 +93,7 @@ if (dev_number == -1) { LOGD(WARN, guest_domid, "unable to determine"" disk number for %s", disks[i].vdev); -@@ -1553,7 +1579,7 @@ static int libxl__build_device_model_arg +@@ -1552,7 +1578,7 @@ static int libxl__build_device_model_arg * the bootloader path. */ if (disks[i].backend == LIBXL_DISK_BACKEND_TAP) ++++++ xen.stubdom.newlib.patch ++++++ --- /var/tmp/diff_new_pack.CRshPV/_old 2018-07-02 23:30:46.969447745 +0200 +++ /var/tmp/diff_new_pack.CRshPV/_new 2018-07-02 23:30:46.969447745 +0200 @@ -24,11 +24,11 @@ Signed-off-by: Olaf Hering -Index: xen-4.9.0-testing/stubdom/Makefile +Index: xen-4.10.1-testing/stubdom/Makefile =================================================================== ---- xen-4.9.0-testing.orig/stubdom/Makefile -+++ xen-4.9.0-testing/stubdom/Makefile -@@ -87,6 +87,8 @@ newlib-$(NEWLIB_VERSION): newlib-$(NEWLI +--- xen-4.10.1-testing.orig/stubdom/Makefile ++++ xen-4.10.1-testing/stubdom/Makefile +@@ -88,6 +88,8 @@ newlib-$(NEWLIB_VERSION): newlib-$(NEWLI patch -d $@ -p0 < newlib.patch patch -d $@ -p0 < newlib-chk.patch patch -d $@ -p1 < newlib-stdint-size_max-fix-from-1.17.0.patch @@ -37,10 +37,10 @@ find $@ -type f | xargs perl -i.bak \ -pe 's/\b_(tzname|daylight|timezone)\b/$$1/g' touch $@ -Index: xen-4.9.0-testing/stubdom/newlib-cygmon-gmon.patch +Index: xen-4.10.1-testing/stubdom/newlib-cygmon-gmon.patch =================================================================== --- /dev/null -+++ xen-4.9.0-testing/stubdom/newlib-cygmon-gmon.patch ++++ xen-4.10.1-testing/stubdom/newlib-cygmon-gmon.patch @@ -0,0 +1,60 @@ + +I: A function uses a 'return;' statement, but has actually a value @@ -102,10 +102,10 @@ + moncontrol(mode) + int mode; + { -Index: xen-4.9.0-testing/stubdom/newlib-makedoc.patch +Index: xen-4.10.1-testing/stubdom/newlib-makedoc.patch =================================================================== --- /dev/null -+++ xen-4.9.0-testing/stubdom/newlib-makedoc.patch ++++ xen-4.10.1-testing/stubdom/newlib-makedoc.patch @@ -0,0 +1,10 @@ +--- newlib-1.16.0/newlib/doc/makedoc.c.orig 2015-04-08 11:56:39.283090914 +0200 ++++ newlib-1.16.0/newlib/doc/makedoc.c 2015-04-08 11:56:51.245227742 +0200
2183
Age (days ago)
2183
Last active (days ago)
0 comments
1 participants
participants (1)
-
root