Hello community,
here is the log from the commit of package xen for openSUSE:Factory checked in at 2013-10-25 13:38:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xen (Old)
and /work/SRC/openSUSE:Factory/.xen.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xen"
Changes:
--------
--- /work/SRC/openSUSE:Factory/xen/xen.changes 2013-10-03 13:01:44.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.xen.new/xen.changes 2013-10-25 13:38:57.000000000 +0200
@@ -1,0 +2,35 @@
+Tue Oct 22 13:42:54 MDT 2013 - carnold@suse.com
+
+- domUloader can no longer be used with the xl toolstack to boot
+ sles10. Patch pygrub to get the kernel and initrd from the image.
+ pygrub-boot-legacy-sles.patch
+
+-------------------------------------------------------------------
+Mon Oct 21 09:57:54 MDT 2013 - carnold@suse.com
+
+- bnc#842515 - VUL-0: CVE-2013-4375: XSA-71: xen: qemu disk backend
+ (qdisk) resource leak
+ CVE-2013-4375-xsa71.patch
+- Upstream patches from Jan
+ 52496bea-x86-properly-handle-hvm_copy_from_guest_-phys-virt-errors.patch (Replaces CVE-2013-4355-xsa63.patch)
+ 52496c11-x86-mm-shadow-Fix-initialization-of-PV-shadow-L4-tables.patch (Replaces CVE-2013-4356-xsa64.patch)
+ 52496c32-x86-properly-set-up-fbld-emulation-operand-address.patch (Replaces CVE-2013-4361-xsa66.patch)
+ 52497c6c-x86-don-t-blindly-create-L3-tables-for-the-direct-map.patch
+ 524e971b-x86-idle-Fix-get_cpu_idle_time-s-interaction-with-offline-pcpus.patch
+ 524e9762-x86-percpu-Force-INVALID_PERCPU_AREA-to-non-canonical.patch
+ 524e983e-Nested-VMX-check-VMX-capability-before-read-VMX-related-MSRs.patch
+ 524e98b1-Nested-VMX-fix-IA32_VMX_CR4_FIXED1-msr-emulation.patch
+ 524e9dc0-xsm-forbid-PV-guest-console-reads.patch
+ 5256a979-x86-check-segment-descriptor-read-result-in-64-bit-OUTS-emulation.patch
+ 5256be57-libxl-fix-vif-rate-parsing.patch
+ 5256be84-tools-ocaml-fix-erroneous-free-of-cpumap-in-stub_xc_vcpu_getaffinity.patch
+ 5256be92-libxl-fix-out-of-memory-error-handling-in-libxl_list_cpupool.patch
+ 5257a89a-x86-correct-LDT-checks.patch
+ 5257a8e7-x86-add-address-validity-check-to-guest_map_l1e.patch
+ 5257a944-x86-check-for-canonical-address-before-doing-page-walks.patch
+ 525b95f4-scheduler-adjust-internal-locking-interface.patch
+ 525b9617-sched-fix-race-between-sched_move_domain-and-vcpu_wake.patch
+ 525e69e8-credit-unpause-parked-vcpu-before-destroying-it.patch
+ 525faf5e-x86-print-relevant-tail-part-of-filename-for-warnings-and-crashes.patch
+
+-------------------------------------------------------------------
@@ -5,0 +41,7 @@
+
+-------------------------------------------------------------------
+Tue Oct 1 15:28:25 MDT 2013 - carnold@suse.com
+
+- bnc#840196 - L3: MTU size on Dom0 gets reset when booting DomU
+ with e1000 device
+ set-mtu-from-bridge-for-tap-interface.patch
Old:
----
CVE-2013-4355-xsa63.patch
CVE-2013-4356-xsa64.patch
CVE-2013-4361-xsa66.patch
New:
----
52496bea-x86-properly-handle-hvm_copy_from_guest_-phys-virt-errors.patch
52496c11-x86-mm-shadow-Fix-initialization-of-PV-shadow-L4-tables.patch
52496c32-x86-properly-set-up-fbld-emulation-operand-address.patch
52497c6c-x86-don-t-blindly-create-L3-tables-for-the-direct-map.patch
524e971b-x86-idle-Fix-get_cpu_idle_time-s-interaction-with-offline-pcpus.patch
524e9762-x86-percpu-Force-INVALID_PERCPU_AREA-to-non-canonical.patch
524e983e-Nested-VMX-check-VMX-capability-before-read-VMX-related-MSRs.patch
524e98b1-Nested-VMX-fix-IA32_VMX_CR4_FIXED1-msr-emulation.patch
524e9dc0-xsm-forbid-PV-guest-console-reads.patch
5256a979-x86-check-segment-descriptor-read-result-in-64-bit-OUTS-emulation.patch
5256be57-libxl-fix-vif-rate-parsing.patch
5256be84-tools-ocaml-fix-erroneous-free-of-cpumap-in-stub_xc_vcpu_getaffinity.patch
5256be92-libxl-fix-out-of-memory-error-handling-in-libxl_list_cpupool.patch
5257a89a-x86-correct-LDT-checks.patch
5257a8e7-x86-add-address-validity-check-to-guest_map_l1e.patch
5257a944-x86-check-for-canonical-address-before-doing-page-walks.patch
525b95f4-scheduler-adjust-internal-locking-interface.patch
525b9617-sched-fix-race-between-sched_move_domain-and-vcpu_wake.patch
525e69e8-credit-unpause-parked-vcpu-before-destroying-it.patch
525faf5e-x86-print-relevant-tail-part-of-filename-for-warnings-and-crashes.patch
CVE-2013-4375-xsa71.patch
pygrub-boot-legacy-sles.patch
set-mtu-from-bridge-for-tap-interface.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xen.spec ++++++
--- /var/tmp/diff_new_pack.kjxygo/_old 2013-10-25 13:39:00.000000000 +0200
+++ /var/tmp/diff_new_pack.kjxygo/_new 2013-10-25 13:39:00.000000000 +0200
@@ -139,7 +139,7 @@
BuildRequires: lndir
%endif
%endif
-Version: 4.3.0_12
+Version: 4.3.0_14
Release: 0
PreReq: %insserv_prereq %fillup_prereq
Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
@@ -254,9 +254,27 @@
Patch58: 523ff393-x86-HVM-linear-address-must-be-canonical-for-the-whole-accessed-range.patch
Patch59: 523ff3e2-x86-HVM-refuse-doing-string-operations-in-certain-situations.patch
Patch60: 5242a1b5-x86-xsave-initialize-extended-register-state-when-guests-enable-it.patch
-Patch6300: CVE-2013-4355-xsa63.patch
-Patch6400: CVE-2013-4356-xsa64.patch
-Patch6600: CVE-2013-4361-xsa66.patch
+Patch61: 52496bea-x86-properly-handle-hvm_copy_from_guest_-phys-virt-errors.patch
+Patch62: 52496c11-x86-mm-shadow-Fix-initialization-of-PV-shadow-L4-tables.patch
+Patch63: 52496c32-x86-properly-set-up-fbld-emulation-operand-address.patch
+Patch64: 52497c6c-x86-don-t-blindly-create-L3-tables-for-the-direct-map.patch
+Patch65: 524e971b-x86-idle-Fix-get_cpu_idle_time-s-interaction-with-offline-pcpus.patch
+Patch66: 524e9762-x86-percpu-Force-INVALID_PERCPU_AREA-to-non-canonical.patch
+Patch67: 524e983e-Nested-VMX-check-VMX-capability-before-read-VMX-related-MSRs.patch
+Patch68: 524e98b1-Nested-VMX-fix-IA32_VMX_CR4_FIXED1-msr-emulation.patch
+Patch69: 524e9dc0-xsm-forbid-PV-guest-console-reads.patch
+Patch70: 5256a979-x86-check-segment-descriptor-read-result-in-64-bit-OUTS-emulation.patch
+Patch71: 5256be57-libxl-fix-vif-rate-parsing.patch
+Patch72: 5256be84-tools-ocaml-fix-erroneous-free-of-cpumap-in-stub_xc_vcpu_getaffinity.patch
+Patch73: 5256be92-libxl-fix-out-of-memory-error-handling-in-libxl_list_cpupool.patch
+Patch74: 5257a89a-x86-correct-LDT-checks.patch
+Patch75: 5257a8e7-x86-add-address-validity-check-to-guest_map_l1e.patch
+Patch76: 5257a944-x86-check-for-canonical-address-before-doing-page-walks.patch
+Patch77: 525b95f4-scheduler-adjust-internal-locking-interface.patch
+Patch78: 525b9617-sched-fix-race-between-sched_move_domain-and-vcpu_wake.patch
+Patch79: 525e69e8-credit-unpause-parked-vcpu-before-destroying-it.patch
+Patch80: 525faf5e-x86-print-relevant-tail-part-of-filename-for-warnings-and-crashes.patch
+Patch7100: CVE-2013-4375-xsa71.patch
# Upstream qemu patches
# Our patches
Patch301: xen-destdir.patch
@@ -283,10 +301,12 @@
Patch351: stdvga-cache.patch
Patch352: ipxe-enable-nics.patch
Patch353: pygrub-netware-xnloader.patch
+Patch354: pygrub-boot-legacy-sles.patch
Patch360: blktapctrl-close-fifos.patch
Patch361: blktapctrl-default-to-ioemu.patch
Patch362: blktapctrl-disable-debug-printf.patch
Patch363: blktap-pv-cdrom.patch
+Patch364: set-mtu-from-bridge-for-tap-interface.patch
# Hypervisor and PV driver Patches
Patch501: x86-ioapic-ack-default.patch
Patch502: x86-cpufreq-report.patch
@@ -605,9 +625,27 @@
%patch58 -p1
%patch59 -p1
%patch60 -p1
-%patch6300 -p1
-%patch6400 -p1
-%patch6600 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
+%patch66 -p1
+%patch67 -p1
+%patch68 -p1
+%patch69 -p1
+%patch70 -p1
+%patch71 -p1
+%patch72 -p1
+%patch73 -p1
+%patch74 -p1
+%patch75 -p1
+%patch76 -p1
+%patch77 -p1
+%patch78 -p1
+%patch79 -p1
+%patch80 -p1
+%patch7100 -p1
%patch301 -p1
%patch302 -p1
%patch303 -p1
@@ -630,10 +668,12 @@
%patch351 -p1
%patch352 -p1
%patch353 -p1
+%patch354 -p1
%patch360 -p1
%patch361 -p1
%patch362 -p1
%patch363 -p1
+%patch364 -p1
%patch501 -p1
%patch502 -p1
%patch503 -p1
++++++ 52496bea-x86-properly-handle-hvm_copy_from_guest_-phys-virt-errors.patch ++++++
References: bnc#840592 CVE-2013-4355 XSA-63
# Commit 6bb838e7375f5b031e9ac346b353775c90de45dc
# Date 2013-09-30 14:17:46 +0200
# Author Jan Beulich
# Committer Jan Beulich
x86: properly handle hvm_copy_from_guest_{phys,virt}() errors
Ignoring them generally implies using uninitialized data and, in all
but two of the cases dealt with here, potentially leaking hypervisor
stack contents to guests.
This is CVE-2013-4355 / XSA-63.
Signed-off-by: Jan Beulich
Reviewed-by: Tim Deegan
Reviewed-by: Andrew Cooper
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -2316,11 +2316,7 @@ void hvm_task_switch(
rc = hvm_copy_from_guest_virt(
&tss, prev_tr.base, sizeof(tss), PFEC_page_present);
- if ( rc == HVMCOPY_bad_gva_to_gfn )
- goto out;
- if ( rc == HVMCOPY_gfn_paged_out )
- goto out;
- if ( rc == HVMCOPY_gfn_shared )
+ if ( rc != HVMCOPY_okay )
goto out;
eflags = regs->eflags;
@@ -2365,13 +2361,11 @@ void hvm_task_switch(
rc = hvm_copy_from_guest_virt(
&tss, tr.base, sizeof(tss), PFEC_page_present);
- if ( rc == HVMCOPY_bad_gva_to_gfn )
- goto out;
- if ( rc == HVMCOPY_gfn_paged_out )
- goto out;
- /* Note: this could be optimised, if the callee functions knew we want RO
- * access */
- if ( rc == HVMCOPY_gfn_shared )
+ /*
+ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
+ * functions knew we want RO access.
+ */
+ if ( rc != HVMCOPY_okay )
goto out;
--- a/xen/arch/x86/hvm/intercept.c
+++ b/xen/arch/x86/hvm/intercept.c
@@ -87,17 +87,28 @@ static int hvm_mmio_access(struct vcpu *
{
for ( i = 0; i < p->count; i++ )
{
- int ret;
-
- ret = hvm_copy_from_guest_phys(&data,
- p->data + (sign * i * p->size),
- p->size);
- if ( (ret == HVMCOPY_gfn_paged_out) ||
- (ret == HVMCOPY_gfn_shared) )
+ switch ( hvm_copy_from_guest_phys(&data,
+ p->data + sign * i * p->size,
+ p->size) )
{
+ case HVMCOPY_okay:
+ break;
+ case HVMCOPY_gfn_paged_out:
+ case HVMCOPY_gfn_shared:
rc = X86EMUL_RETRY;
break;
+ case HVMCOPY_bad_gfn_to_mfn:
+ data = ~0;
+ break;
+ case HVMCOPY_bad_gva_to_gfn:
+ ASSERT(0);
+ /* fall through */
+ default:
+ rc = X86EMUL_UNHANDLEABLE;
+ break;
}
+ if ( rc != X86EMUL_OKAY )
+ break;
rc = write_handler(v, p->addr + (sign * i * p->size), p->size,
data);
if ( rc != X86EMUL_OKAY )
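Review bot: `data` is not visibly zeroed before this `switch` in hvm_mmio_access, and hvm_copy_from_guest_phys() is asked for only `p->size` bytes, so any bytes of `data` above that size keep whatever they held before and are handed to `write_handler`. process_portio_intercept in the same file resets it with `data = 0;` at the top of each iteration; the same line before the `switch` here would close that gap. The declaration of `data` is outside the hunk, so confirm how it is initialised there.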
@@ -165,8 +176,28 @@ static int process_portio_intercept(port
for ( i = 0; i < p->count; i++ )
{
data = 0;
- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size,
- p->size);
+ switch ( hvm_copy_from_guest_phys(&data,
+ p->data + sign * i * p->size,
+ p->size) )
+ {
+ case HVMCOPY_okay:
+ break;
+ case HVMCOPY_gfn_paged_out:
+ case HVMCOPY_gfn_shared:
+ rc = X86EMUL_RETRY;
+ break;
+ case HVMCOPY_bad_gfn_to_mfn:
+ data = ~0;
+ break;
+ case HVMCOPY_bad_gva_to_gfn:
+ ASSERT(0);
+ /* fall through */
+ default:
+ rc = X86EMUL_UNHANDLEABLE;
+ break;
+ }
+ if ( rc != X86EMUL_OKAY )
+ break;
rc = action(IOREQ_WRITE, p->addr, p->size, &data);
if ( rc != X86EMUL_OKAY )
break;
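Review bot: The `HVMCOPY_bad_gfn_to_mfn` arm sets `data = ~0` without saying why, and the same `switch` is repeated in hvm_mmio_access above and in dpci_ioport_write in io.c. A one-line comment such as `/* No RAM behind the source address: forward all ones, as a read of unpopulated memory would give. */` would record the intent; that reading is inferred from the code, so adjust it if the reason differs. Folding the three copies into one shared helper that returns the X86EMUL_* status would keep the arms from drifting apart. The removed `&&` test in io.c shows how easily per-site copies go wrong.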
--- a/xen/arch/x86/hvm/io.c
+++ b/xen/arch/x86/hvm/io.c
@@ -340,14 +340,24 @@ static int dpci_ioport_write(uint32_t mp
data = p->data;
if ( p->data_is_ptr )
{
- int ret;
-
- ret = hvm_copy_from_guest_phys(&data,
- p->data + (sign * i * p->size),
- p->size);
- if ( (ret == HVMCOPY_gfn_paged_out) &&
- (ret == HVMCOPY_gfn_shared) )
+ switch ( hvm_copy_from_guest_phys(&data,
+ p->data + sign * i * p->size,
+ p->size) )
+ {
+ case HVMCOPY_okay:
+ break;
+ case HVMCOPY_gfn_paged_out:
+ case HVMCOPY_gfn_shared:
return X86EMUL_RETRY;
+ case HVMCOPY_bad_gfn_to_mfn:
+ data = ~0;
+ break;
+ case HVMCOPY_bad_gva_to_gfn:
+ ASSERT(0);
+ /* fall through */
+ default:
+ return X86EMUL_UNHANDLEABLE;
+ }
}
switch ( p->size )
--- a/xen/arch/x86/hvm/vmx/realmode.c
+++ b/xen/arch/x86/hvm/vmx/realmode.c
@@ -39,7 +39,9 @@ static void realmode_deliver_exception(
again:
last_byte = (vector * 4) + 3;
- if ( idtr->limit < last_byte )
+ if ( idtr->limit < last_byte ||
+ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) !=
+ HVMCOPY_okay )
{
/* Software interrupt? */
if ( insn_len != 0 )
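Review bot: The condition now has two unrelated failure causes, an IDT limit violation and an unreadable vector entry, and nothing at the `if` says they are deliberately handled alike. A comment above it, for example `/* A vector entry that cannot be read from guest memory is treated like one beyond the IDT limit. */`, would make that explicit. Because `||` short-circuits, the copy runs only when the limit check passes, so `cs_eip` stays unwritten on the limit path. The rest of that branch is outside the hunk, so confirm it never reaches the code that consumes `cs_eip`.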
@@ -64,8 +66,6 @@ static void realmode_deliver_exception(
}
}
- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4);
-
frame[0] = regs->eip + insn_len;
frame[1] = csr->sel;
frame[2] = regs->eflags & ~X86_EFLAGS_RF;
++++++ 52496c11-x86-mm-shadow-Fix-initialization-of-PV-shadow-L4-tables.patch ++++++
References: bnc#840593 CVE-2013-4356 XSA-64
# Commit f46befdd825c8a459c5eb21adb7d5b0dc6e30ad5
# Date 2013-09-30 14:18:25 +0200
# Author Tim Deegan
# Committer Jan Beulich
x86/mm/shadow: Fix initialization of PV shadow L4 tables.
Shadowed PV L4 tables must have the same Xen mappings as their
unshadowed equivalent. This is done by copying the Xen entries
verbatim from the idle pagetable, and then using guest_l4_slot()
in the SHADOW_FOREACH_L4E() iterator to avoid touching those entries.
adc5afbf1c70ef55c260fb93e4b8ce5ccb918706 (x86: support up to 16Tb)
changed the definition of ROOT_PAGETABLE_XEN_SLOTS to extend right to
the top of the address space, which causes the shadow code to
copy Xen mappings into guest-kernel-address slots too.
In the common case, all those slots are zero in the idle pagetable,
and no harm is done. But if any slot above #271 is non-zero, Xen will
crash when that slot is later cleared (it attempts to drop
shadow-pagetable refcounts on its own L4 pagetables).
Fix by using the new ROOT_PAGETABLE_PV_XEN_SLOTS when appropriate.
Monitor pagetables need the full Xen mappings, so they keep using the
old name (with its new semantics).
This is CVE-2013-4356 / XSA-64.
Signed-off-by: Tim Deegan
Reviewed-by: Jan Beulich
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -1433,15 +1433,19 @@ void sh_install_xen_entries_in_l4(struct
{
struct domain *d = v->domain;
shadow_l4e_t *sl4e;
+ unsigned int slots;
sl4e = sh_map_domain_page(sl4mfn);
ASSERT(sl4e != NULL);
ASSERT(sizeof (l4_pgentry_t) == sizeof (shadow_l4e_t));
-
+
/* Copy the common Xen mappings from the idle domain */
+ slots = (shadow_mode_external(d)
+ ? ROOT_PAGETABLE_XEN_SLOTS
+ : ROOT_PAGETABLE_PV_XEN_SLOTS);
memcpy(&sl4e[ROOT_PAGETABLE_FIRST_XEN_SLOT],
&idle_pg_table[ROOT_PAGETABLE_FIRST_XEN_SLOT],
- ROOT_PAGETABLE_XEN_SLOTS * sizeof(l4_pgentry_t));
+ slots * sizeof(l4_pgentry_t));
/* Install the per-domain mappings for this domain */
sl4e[shadow_l4_table_offset(PERDOMAIN_VIRT_START)] =
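Review bot: The choice between `ROOT_PAGETABLE_XEN_SLOTS` and `ROOT_PAGETABLE_PV_XEN_SLOTS` carries the whole fix, but the only comment nearby still reads "Copy the common Xen mappings from the idle domain". I would extend it to something like `/* PV shadows copy only the PV-visible Xen slots; external-mode (monitor) tables need the full range. */` so a later cleanup does not collapse the two cases again. sh_install_xen_entries_in_l4 continues past the end of the hunk.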
++++++ 52496c32-x86-properly-set-up-fbld-emulation-operand-address.patch ++++++
References: bnc#841766 CVE-2013-4361 XSA-66
# Commit 28b706efb6abb637fabfd74cde70a50935a5640b
# Date 2013-09-30 14:18:58 +0200
# Author Jan Beulich
# Committer Jan Beulich
x86: properly set up fbld emulation operand address
This is CVE-2013-4361 / XSA-66.
Signed-off-by: Jan Beulich
Acked-by: Ian Jackson
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -3156,11 +3156,11 @@ x86_emulate(
break;
case 4: /* fbld m80dec */
ea.bytes = 10;
- dst = ea;
+ src = ea;
if ( (rc = ops->read(src.mem.seg, src.mem.off,
&src.val, src.bytes, ctxt)) != 0 )
goto done;
- emulate_fpu_insn_memdst("fbld", src.val);
+ emulate_fpu_insn_memsrc("fbld", src.val);
break;
case 5: /* fild m64i */
ea.bytes = 8;
++++++ 52497c6c-x86-don-t-blindly-create-L3-tables-for-the-direct-map.patch ++++++
# Commit ca145fe70bad3a25ad54c6ded1ef237e45a2311e
# Date 2013-09-30 15:28:12 +0200
# Author Jan Beulich
# Committer Jan Beulich
x86: don't blindly create L3 tables for the direct map
Now that the direct map area can extend all the way up to almost the
end of address space, this is wasteful.
Also fold two almost redundant messages in SRAT parsing into one.
Signed-off-by: Jan Beulich
Tested-by: Malcolm Crossley
Reviewed-by: Andrew Cooper
Acked-by: Keir Fraser
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -137,7 +137,7 @@ l1_pgentry_t __attribute__ ((__section__
#define PTE_UPDATE_WITH_CMPXCHG
#endif
-bool_t __read_mostly mem_hotplug = 0;
+paddr_t __read_mostly mem_hotplug;
/* Private domain structs for DOMID_XEN and DOMID_IO. */
struct domain *dom_xen, *dom_io, *dom_cow;
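Review bot: `mem_hotplug` changes from a flag to an address here, but the name still reads like a boolean and the definition has no comment. A line such as `/* End address of the highest hot-pluggable SRAT range, 0 if none. */` at the definition, and at the `extern` in asm-x86/mm.h, would tell readers what a comparison against it now means. The meaning is taken from the srat.c hunk in this patch, where it is set to `end`.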
--- a/xen/arch/x86/srat.c
+++ b/xen/arch/x86/srat.c
@@ -113,6 +113,7 @@ static __init void bad_srat(void)
apicid_to_node[i] = NUMA_NO_NODE;
for (i = 0; i < ARRAY_SIZE(pxm2node); i++)
pxm2node[i] = NUMA_NO_NODE;
+ mem_hotplug = 0;
}
/*
@@ -257,13 +258,6 @@ acpi_numa_memory_affinity_init(struct ac
return;
}
/* It is fine to add this area to the nodes data it will be used later*/
- if (ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE)
- {
- printk(KERN_INFO "SRAT: hot plug zone found %"PRIx64" - %"PRIx64" \n",
- start, end);
- mem_hotplug = 1;
- }
-
i = conflicting_memblks(start, end);
if (i == node) {
printk(KERN_WARNING
@@ -287,8 +281,11 @@ acpi_numa_memory_affinity_init(struct ac
if (nd->end < end)
nd->end = end;
}
- printk(KERN_INFO "SRAT: Node %u PXM %u %"PRIx64"-%"PRIx64"\n", node, pxm,
- start, end);
+ if ((ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE) && end > mem_hotplug)
+ mem_hotplug = end;
+ printk(KERN_INFO "SRAT: Node %u PXM %u %"PRIx64"-%"PRIx64"%s\n",
+ node, pxm, start, end,
+ ma->flags & ACPI_SRAT_MEM_HOT_PLUGGABLE ? " (hotplug)" : "");
node_memblk_range[num_node_memblks].start = start;
node_memblk_range[num_node_memblks].end = end;
--- a/xen/arch/x86/x86_64/mm.c
+++ b/xen/arch/x86/x86_64/mm.c
@@ -621,25 +621,20 @@ void __init paging_init(void)
* We setup the L3s for 1:1 mapping if host support memory hotplug
* to avoid sync the 1:1 mapping on page fault handler
*/
- if ( mem_hotplug )
+ for ( va = DIRECTMAP_VIRT_START;
+ va < DIRECTMAP_VIRT_END && (void *)va < __va(mem_hotplug);
+ va += (1UL << L4_PAGETABLE_SHIFT) )
{
- unsigned long va;
-
- for ( va = DIRECTMAP_VIRT_START;
- va < DIRECTMAP_VIRT_END;
- va += (1UL << L4_PAGETABLE_SHIFT) )
+ if ( !(l4e_get_flags(idle_pg_table[l4_table_offset(va)]) &
+ _PAGE_PRESENT) )
{
- if ( !(l4e_get_flags(idle_pg_table[l4_table_offset(va)]) &
- _PAGE_PRESENT) )
- {
- l3_pg = alloc_domheap_page(NULL, 0);
- if ( !l3_pg )
- goto nomem;
- l3_ro_mpt = page_to_virt(l3_pg);
- clear_page(l3_ro_mpt);
- l4e_write(&idle_pg_table[l4_table_offset(va)],
- l4e_from_page(l3_pg, __PAGE_HYPERVISOR));
- }
+ l3_pg = alloc_domheap_page(NULL, 0);
+ if ( !l3_pg )
+ goto nomem;
+ l3_ro_mpt = page_to_virt(l3_pg);
+ clear_page(l3_ro_mpt);
+ l4e_write(&idle_pg_table[l4_table_offset(va)],
+ l4e_from_page(l3_pg, __PAGE_HYPERVISOR));
}
}
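Review bot: The comment kept above the loop still says the L3s are set up "if host support memory hotplug", but the `if ( mem_hotplug )` is gone and that condition now appears to be implied by the `__va(mem_hotplug)` bound. Rewording it to say the loop pre-populates L3 tables only up to the highest hot-pluggable address would match the code. The block-local `unsigned long va;` is removed as well, so `va` must be declared elsewhere in paging_init, outside this hunk.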
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
@@ -399,7 +399,7 @@ static inline int get_page_and_type(stru
int check_descriptor(const struct domain *, struct desc_struct *d);
extern bool_t opt_allow_superpage;
-extern bool_t mem_hotplug;
+extern paddr_t mem_hotplug;
/******************************************************************************
* With shadow pagetables, the different kinds of address start
++++++ 524e971b-x86-idle-Fix-get_cpu_idle_time-s-interaction-with-offline-pcpus.patch ++++++
# Commit 0aa27ce3351f7eb09d13e863a1d5f303086aa32a
# Date 2013-10-04 12:23:23 +0200
# Author Andrew Cooper
# Committer Jan Beulich
x86/idle: Fix get_cpu_idle_time()'s interaction with offline pcpus
Checking for "idle_vcpu[cpu] != NULL" is insufficient protection against
offline pcpus. From a hypercall, vcpu_runstate_get() will determine "v !=
current", and try to take the vcpu_schedule_lock(). This will try to look up
per_cpu(schedule_data, v->processor) and promptly suffer a NULL structure
dereference as v->processor's __per_cpu_offset is INVALID_PERCPU_AREA.
One example might look like this:
...
Xen call trace:
[<ffff82c4c0126ddb>] vcpu_runstate_get+0x50/0x113
[<ffff82c4c0126ec6>] get_cpu_idle_time+0x28/0x2e
[<ffff82c4c012b5cb>] do_sysctl+0x3db/0xeb8
[<ffff82c4c023280d>] compat_hypercall+0xbd/0x116
Pagetable walk from 0000000000000040:
L4[0x000] = 0000000186df8027 0000000000028207
L3[0x000] = 0000000188e36027 00000000000261c9
L2[0x000] = 0000000000000000 ffffffffffffffff
****************************************
Panic on CPU 11:
...
get_cpu_idle_time() has been updated to correctly deal with offline pcpus
itself by returning 0, in the same way as it would if it was missing the
idle_vcpu[] pointer.
In doing so, XENPF_getidletime needed updating to correctly retain its
described behaviour of clearing bits in the cpumap for offline pcpus.
As this crash can only be triggered with toolstack hypercalls, it is not a
security issue and just a simple bug.
Signed-off-by: Andrew Cooper
Acked-by: Keir Fraser
--- a/xen/arch/x86/platform_hypercall.c
+++ b/xen/arch/x86/platform_hypercall.c
@@ -355,10 +355,14 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PA
for_each_cpu ( cpu, cpumap )
{
- if ( idle_vcpu[cpu] == NULL )
- cpumask_clear_cpu(cpu, cpumap);
idletime = get_cpu_idle_time(cpu);
+ if ( !idletime )
+ {
+ cpumask_clear_cpu(cpu, cpumap);
+ continue;
+ }
+
if ( copy_to_guest_offset(idletimes, cpu, &idletime, 1) )
{
ret = -EFAULT;
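Review bot: Using `!idletime` as the offline test conflates an offline pcpu with an online one whose idle vcpu has simply accumulated no running time yet; such a CPU would be cleared from `cpumap` and skipped. If that case can occur, an explicit indicator from get_cpu_idle_time(), or a separate online check here, would be more precise than overloading the value 0. A short comment on the `if` stating that 0 is the "offline or no idle vcpu" sentinel would at least document the convention.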
--- a/xen/common/schedule.c
+++ b/xen/common/schedule.c
@@ -176,13 +176,12 @@ void vcpu_runstate_get(struct vcpu *v, s
uint64_t get_cpu_idle_time(unsigned int cpu)
{
- struct vcpu_runstate_info state;
- struct vcpu *v;
+ struct vcpu_runstate_info state = { 0 };
+ struct vcpu *v = idle_vcpu[cpu];
- if ( (v = idle_vcpu[cpu]) == NULL )
- return 0;
+ if ( cpu_online(cpu) && v )
+ vcpu_runstate_get(v, &state);
- vcpu_runstate_get(v, &state);
return state.time[RUNSTATE_running];
}
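Review bot: `cpu_online(cpu)` is tested and `vcpu_runstate_get()` is called afterwards with nothing in this hunk that keeps the pcpu from going offline in between, so the crash described in the commit message may still be reachable through that window. Whether callers hold something that blocks CPU offlining is outside the hunk; if they do, a comment on get_cpu_idle_time() naming that requirement would help. Note also that `idle_vcpu[cpu]` is now read in the initialiser, before any check on `cpu`.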
++++++ 524e9762-x86-percpu-Force-INVALID_PERCPU_AREA-to-non-canonical.patch ++++++
# Commit 7cfb0053629c4dd1a6f01dc43cca7c0c25b8b7bf
# Date 2013-10-04 12:24:34 +0200
# Author Andrew Cooper
# Committer Jan Beulich
x86/percpu: Force INVALID_PERCPU_AREA into the non-canonical address region
This causes accidental uses of per_cpu() on a pcpu with an INVALID_PERCPU_AREA
to result in a #GP for attempting to access the middle of the non-canonical
virtual address region.
This is preferable to the current behaviour, where incorrect use of per_cpu()
will result in an effective NULL structure dereference which has security
implication in the context of PV guests.
Signed-off-by: Andrew Cooper
Acked-by: Keir Fraser
--- a/xen/arch/x86/percpu.c
+++ b/xen/arch/x86/percpu.c
@@ -6,7 +6,14 @@
#include
unsigned long __per_cpu_offset[NR_CPUS];
-#define INVALID_PERCPU_AREA (-(long)__per_cpu_start)
+
+/*
+ * Force uses of per_cpu() with an invalid area to attempt to access the
+ * middle of the non-canonical address space resulting in a #GP, rather than a
+ * possible #PF at (NULL + a little) which has security implications in the
+ * context of PV guests.
+ */
+#define INVALID_PERCPU_AREA (0x8000000000000000L - (long)__per_cpu_start)
#define PERCPU_ORDER (get_order_from_bytes(__per_cpu_data_end-__per_cpu_start))
void __init percpu_init_areas(void)
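Review bot: On a 64-bit build `0x8000000000000000L` does not fit in a signed `long`, so the constant silently takes an unsigned type and the subtraction is done unsigned despite the `L` suffix and the `(long)` cast. Writing it as `(0x8000000000000000UL - (unsigned long)__per_cpu_start)` gives the same value and states the intended type. The sites that compare against INVALID_PERCPU_AREA are outside this hunk.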
++++++ 524e983e-Nested-VMX-check-VMX-capability-before-read-VMX-related-MSRs.patch ++++++
# Commit 190b667ac20e8175758f4a3a0f13c4d990e6af7e
# Date 2013-10-04 12:28:14 +0200
# Author Yang Zhang
# Committer Jan Beulich
Nested VMX: check VMX capability before read VMX related MSRs
VMX MSRs are only available when the CPU supports the VMX feature. In addition,
VMX_TRUE* MSRs are only available when bit 55 of VMX_BASIC MSR is set.
Signed-off-by: Yang Zhang
Cleanup.
Signed-off-by: Jan Beulich
Acked-by: Jun Nakajima
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -78,6 +78,7 @@ static DEFINE_PER_CPU(struct list_head,
static DEFINE_PER_CPU(bool_t, vmxon);
static u32 vmcs_revision_id __read_mostly;
+u64 __read_mostly vmx_basic_msr;
static void __init vmx_display_features(void)
{
@@ -301,6 +302,8 @@ static int vmx_init_vmcs_config(void)
vmx_vmexit_control = _vmx_vmexit_control;
vmx_vmentry_control = _vmx_vmentry_control;
cpu_has_vmx_ins_outs_instr_info = !!(vmx_basic_msr_high & (1U<<22));
+ vmx_basic_msr = ((u64)vmx_basic_msr_high << 32) |
+ vmx_basic_msr_low;
vmx_display_features();
}
else
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1814,12 +1814,33 @@ int nvmx_handle_invvpid(struct cpu_user_
int nvmx_msr_read_intercept(unsigned int msr, u64 *msr_content)
{
struct vcpu *v = current;
+ unsigned int ecx, dummy;
u64 data = 0, host_data = 0;
int r = 1;
if ( !nestedhvm_enabled(v->domain) )
return 0;
+ /* VMX capablity MSRs are available only when guest supports VMX. */
+ hvm_cpuid(0x1, &dummy, &dummy, &ecx, &dummy);
+ if ( !(ecx & cpufeat_mask(X86_FEATURE_VMXE)) )
+ return 0;
+
+ /*
+ * Those MSRs are available only when bit 55 of
+ * MSR_IA32_VMX_BASIC is set.
+ */
+ switch ( msr )
+ {
+ case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
+ case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
+ case MSR_IA32_VMX_TRUE_EXIT_CTLS:
+ case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
+ if ( !(vmx_basic_msr & VMX_BASIC_DEFAULT1_ZERO) )
+ return 0;
+ break;
+ }
+
rdmsrl(msr, host_data);
/*
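Review bot: `rdmsrl(msr, host_data)` still runs for every `msr` that passes the two new checks, and nothing in this hunk limits `msr` to the VMX capability range or to MSRs the host implements. If the caller does not already guarantee that, a read of an unimplemented MSR would fault in the hypervisor; `rdmsr_safe()` with a `return 0` on failure would be the defensive form. The new comment also has a typo, "capablity". The function body continues past the hunk.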
--- a/xen/include/asm-x86/hvm/vmx/vmcs.h
+++ b/xen/include/asm-x86/hvm/vmx/vmcs.h
@@ -284,6 +284,8 @@ extern bool_t cpu_has_vmx_ins_outs_instr
*/
#define VMX_BASIC_DEFAULT1_ZERO (1ULL << 55)
+extern u64 vmx_basic_msr;
+
/* Guest interrupt status */
#define VMX_GUEST_INTR_STATUS_SUBFIELD_BITMASK 0x0FF
#define VMX_GUEST_INTR_STATUS_SVI_OFFSET 8
++++++ 524e98b1-Nested-VMX-fix-IA32_VMX_CR4_FIXED1-msr-emulation.patch ++++++
# Commit c6f92aed0e209df823d2cb5780dbb1ea12fc6d4a
# Date 2013-10-04 12:30:09 +0200
# Author Yang Zhang
# Committer Jan Beulich
Nested VMX: fix IA32_VMX_CR4_FIXED1 msr emulation
Currently, it uses a hardcoded value for IA32_VMX_CR4_FIXED1. This is wrong.
We should check guest's cpuid to know which bits are writeable in CR4 by guest
and allow the guest to set the corresponding bit only when guest has the feature.
Signed-off-by: Yang Zhang
Cleanup.
Signed-off-by: Jan Beulich
Acked-by: Jun Nakajima
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1814,7 +1814,7 @@ int nvmx_handle_invvpid(struct cpu_user_
int nvmx_msr_read_intercept(unsigned int msr, u64 *msr_content)
{
struct vcpu *v = current;
- unsigned int ecx, dummy;
+ unsigned int eax, ebx, ecx, edx, dummy;
u64 data = 0, host_data = 0;
int r = 1;
@@ -1822,7 +1822,7 @@ int nvmx_msr_read_intercept(unsigned int
return 0;
/* VMX capablity MSRs are available only when guest supports VMX. */
- hvm_cpuid(0x1, &dummy, &dummy, &ecx, &dummy);
+ hvm_cpuid(0x1, &dummy, &dummy, &ecx, &edx);
if ( !(ecx & cpufeat_mask(X86_FEATURE_VMXE)) )
return 0;
@@ -1946,8 +1946,55 @@ int nvmx_msr_read_intercept(unsigned int
data = X86_CR4_VMXE;
break;
case MSR_IA32_VMX_CR4_FIXED1:
- /* allow 0-settings except SMXE */
- data = 0x267ff & ~X86_CR4_SMXE;
+ if ( edx & cpufeat_mask(X86_FEATURE_VME) )
+ data |= X86_CR4_VME | X86_CR4_PVI;
+ if ( edx & cpufeat_mask(X86_FEATURE_TSC) )
+ data |= X86_CR4_TSD;
+ if ( edx & cpufeat_mask(X86_FEATURE_DE) )
+ data |= X86_CR4_DE;
+ if ( edx & cpufeat_mask(X86_FEATURE_PSE) )
+ data |= X86_CR4_PSE;
+ if ( edx & cpufeat_mask(X86_FEATURE_PAE) )
+ data |= X86_CR4_PAE;
+ if ( edx & cpufeat_mask(X86_FEATURE_MCE) )
+ data |= X86_CR4_MCE;
+ if ( edx & cpufeat_mask(X86_FEATURE_PGE) )
+ data |= X86_CR4_PGE;
+ if ( edx & cpufeat_mask(X86_FEATURE_FXSR) )
+ data |= X86_CR4_OSFXSR;
+ if ( edx & cpufeat_mask(X86_FEATURE_XMM) )
+ data |= X86_CR4_OSXMMEXCPT;
+ if ( ecx & cpufeat_mask(X86_FEATURE_VMXE) )
+ data |= X86_CR4_VMXE;
+ if ( ecx & cpufeat_mask(X86_FEATURE_SMXE) )
+ data |= X86_CR4_SMXE;
+ if ( ecx & cpufeat_mask(X86_FEATURE_PCID) )
+ data |= X86_CR4_PCIDE;
+ if ( ecx & cpufeat_mask(X86_FEATURE_XSAVE) )
+ data |= X86_CR4_OSXSAVE;
+
+ hvm_cpuid(0x0, &eax, &dummy, &dummy, &dummy);
+ switch ( eax )
+ {
+ default:
+ hvm_cpuid(0xa, &eax, &dummy, &dummy, &dummy);
+ /* Check whether guest has the perf monitor feature. */
+ if ( (eax & 0xff) && (eax & 0xff00) )
+ data |= X86_CR4_PCE;
+ /* fall through */
+ case 0x7 ... 0x9:
+ ecx = 0;
+ hvm_cpuid(0x7, &dummy, &ebx, &ecx, &dummy);
+ if ( ebx & cpufeat_mask(X86_FEATURE_FSGSBASE) )
+ data |= X86_CR4_FSGSBASE;
+ if ( ebx & cpufeat_mask(X86_FEATURE_SMEP) )
+ data |= X86_CR4_SMEP;
+ if ( ebx & cpufeat_mask(X86_FEATURE_SMAP) )
+ data |= X86_CR4_SMAP;
+ /* fall through */
+ case 0x0 ... 0x6:
+ break;
+ }
break;
case MSR_IA32_VMX_MISC:
/* Do not support CR3-target feature now */
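Review bot: The old value masked `X86_CR4_SMXE` out unconditionally ("allow 0-settings except SMXE"), whereas the new code reports it as settable whenever guest CPUID shows `X86_FEATURE_SMXE`. If the guest CPUID policy can ever expose that bit, this widens what a nested guest is told it may set in CR4; either drop the SMXE arm or add a comment explaining why it is now acceptable. Smaller points: `ecx = 0;` before `hvm_cpuid(0x7, ...)` looks like a subleaf selector and deserves `/* subleaf 0 */`, and the `default:`-first `switch` with GNU case ranges is hard to follow.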
--- a/xen/include/asm-x86/cpufeature.h
+++ b/xen/include/asm-x86/cpufeature.h
@@ -148,6 +148,7 @@
#define X86_FEATURE_INVPCID (7*32+10) /* Invalidate Process Context ID */
#define X86_FEATURE_RTM (7*32+11) /* Restricted Transactional Memory */
#define X86_FEATURE_NO_FPU_SEL (7*32+13) /* FPU CS/DS stored as zero */
+#define X86_FEATURE_SMAP (7*32+20) /* Supervisor Mode Access Prevention */
#define cpu_has(c, bit) test_bit(bit, (c)->x86_capability)
#define boot_cpu_has(bit) test_bit(bit, boot_cpu_data.x86_capability)
--- a/xen/include/asm-x86/processor.h
+++ b/xen/include/asm-x86/processor.h
@@ -87,6 +87,7 @@
#define X86_CR4_PCIDE 0x20000 /* enable PCID */
#define X86_CR4_OSXSAVE 0x40000 /* enable XSAVE/XRSTOR */
#define X86_CR4_SMEP 0x100000/* enable SMEP */
+#define X86_CR4_SMAP 0x200000/* enable SMAP */
/*
* Trap/fault mnemonics.
++++++ 524e9dc0-xsm-forbid-PV-guest-console-reads.patch ++++++
# Commit 65ba631bcb62c79eb33ebfde8a0471fd012c37a8
# Date 2013-10-04 12:51:44 +0200
# Author Daniel De Graaf
# Committer Jan Beulich
xsm: forbid PV guest console reads
The CONSOLEIO_read operation was incorrectly allowed to PV guests if the
hypervisor was compiled in debug mode (with VERBOSE defined).
Reported-by: Jan Beulich
Signed-off-by: Daniel De Graaf
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -222,10 +222,10 @@ static XSM_INLINE int xsm_console_io(XSM
{
XSM_ASSERT_ACTION(XSM_OTHER);
#ifdef VERBOSE
- return xsm_default_action(XSM_HOOK, current->domain, NULL);
-#else
- return xsm_default_action(XSM_PRIV, current->domain, NULL);
+ if ( cmd == CONSOLEIO_write )
+ return xsm_default_action(XSM_HOOK, d, NULL);
#endif
+ return xsm_default_action(XSM_PRIV, d, NULL);
}
static XSM_INLINE int xsm_profile(XSM_DEFAULT_ARG struct domain *d, int op)
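Review bot: The remaining `#ifdef VERBOSE` branch means debug builds still let unprivileged domains reach `CONSOLEIO_write` through `XSM_HOOK`, and the code does not say that this is intentional. A comment such as `/* Debug builds: any domain may write to the console; every other command stays privileged. */` would document the policy and make the read restriction harder to undo by accident. The hunk also switches from `current->domain` to `d`. The parameter list is cut off in the hunk header, so confirm `d` is the domain callers expect to be checked.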
++++++ 5256a979-x86-check-segment-descriptor-read-result-in-64-bit-OUTS-emulation.patch ++++++
References: bnc#842511 CVE-2013-4368 XSA-67
# Commit 0771faba163769089c9f05f7f76b63e397677613
# Date 2013-10-10 15:19:53 +0200
# Author Matthew Daley
# Committer Jan Beulich
x86: check segment descriptor read result in 64-bit OUTS emulation
When emulating such an operation from a 64-bit context (CS has long
mode set), and the data segment is overridden to FS/GS, the result of
reading the overridden segment's descriptor (read_descriptor) is not
checked. If it fails, data_base is left uninitialized.
This can lead to 8 bytes of Xen's stack being leaked to the guest
(implicitly, i.e. via the address given in a #PF).
Coverity-ID: 1055116
This is CVE-2013-4368 / XSA-67.
Signed-off-by: Matthew Daley
Fix formatting.
Signed-off-by: Jan Beulich
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1990,10 +1990,10 @@ static int emulate_privileged_op(struct
break;
}
}
- else
- read_descriptor(data_sel, v, regs,
- &data_base, &data_limit, &ar,
- 0);
+ else if ( !read_descriptor(data_sel, v, regs,
+ &data_base, &data_limit, &ar, 0) ||
+ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
+ goto fail;
data_limit = ~0UL;
ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
}
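Review bot: The new `else if` checks the descriptor read and the S and P bits, yet `data_limit` and `ar` are overwritten on the next two lines, which makes the purpose of the check easy to misread. A comment like `/* Only data_base is used from this read; a failed read would leave it uninitialised. */` would explain why the result must not be ignored. The two flag tests can also be written as one mask comparison. emulate_privileged_op starts and ends outside the hunk.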
++++++ 5256be57-libxl-fix-vif-rate-parsing.patch ++++++
References: bnc#842512 CVE-2013-4369 XSA-68
# Commit c53702cee1d6f9f1b72f0cae0b412e21bcda8724
# Date 2013-10-10 15:48:55 +0100
# Author Ian Jackson
# Committer Ian Jackson
libxl: fix vif rate parsing
strtok can return NULL here. We don't need to use strtok anyway, so just
use a simple strchr method.
Coverity-ID: 1055642
This is CVE-2013-4369 / XSA-68
Signed-off-by: Matthew Daley
Fix type. Add test case
Signed-off-by: Ian Campbell
--- a/tools/libxl/check-xl-vif-parse
+++ b/tools/libxl/check-xl-vif-parse
@@ -206,4 +206,8 @@ expected
# Committer Ian Jackson
tools/ocaml: fix erroneous free of cpumap in stub_xc_vcpu_getaffinity
Not sure how it got there...
Coverity-ID: 1056196
This is CVE-2013-4370 / XSA-69
Signed-off-by: Matthew Daley
Acked-by: Ian Campbell
--- a/tools/ocaml/libs/xc/xenctrl_stubs.c
+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
@@ -461,8 +461,6 @@ CAMLprim value stub_xc_vcpu_getaffinity(
retval = xc_vcpu_getaffinity(_H(xch), _D(domid),
Int_val(vcpu), c_cpumap);
- free(c_cpumap);
-
if (retval < 0) {
free(c_cpumap);
failwith_xc(_H(xch));
++++++ 5256be92-libxl-fix-out-of-memory-error-handling-in-libxl_list_cpupool.patch ++++++
References: bnc#842514 CVE-2013-4371 XSA-70
# Commit 4c37ed562224295c0f8b00211287d57cae629782
# Date 2013-10-10 15:49:54 +0100
# Author Matthew Daley
# Committer Ian Jackson
libxl: fix out-of-memory error handling in libxl_list_cpupool
...otherwise it will return freed memory. All the current users of this
function check already for a NULL return, so use that.
Coverity-ID: 1056194
This is CVE-2013-4371 / XSA-70
Signed-off-by: Matthew Daley
Acked-by: Ian Campbell
--- a/tools/libxl/libxl.c
+++ b/tools/libxl/libxl.c
@@ -649,6 +649,7 @@ libxl_cpupoolinfo * libxl_list_cpupool(l
if (!tmp) {
LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, "allocating cpupool info");
libxl_cpupoolinfo_list_free(ptr, i);
+ ptr = NULL;
goto out;
}
ptr = tmp;
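Review bot: The added `ptr = NULL;` has no comment saying that `ptr` was just released by `libxl_cpupoolinfo_list_free(ptr, i)`, so a later cleanup could drop it as redundant and bring back the return of freed memory. I would add `/* ptr was freed above; return NULL so callers never see the stale pointer */` on that line. Whether the count output parameter is written on this path is not visible in the hunk; if it is not, the function's doc comment should say the count is meaningless when NULL is returned. libxl_list_cpupool starts and ends outside the hunk.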
++++++ 5257a89a-x86-correct-LDT-checks.patch ++++++
# Commit 40d66baa46ca8a9ffa6df3e063a967d08ec92bcf
# Date 2013-10-11 09:28:26 +0200
# Author Jan Beulich
# Committer Jan Beulich
x86: correct LDT checks
- MMUEXT_SET_LDT should behave as similarly to the LLDT instruction as
possible: fail only if the base address is non-canonical
- instead LDT descriptor accesses should fault if the descriptor
address ends up being non-canonical (by ensuring this we at once
avoid reading an entry from the mach-to-phys table and consider it a
page table entry)
- fault propagation on using LDT selectors must distinguish #PF and #GP
(the latter must be raised for a non-canonical descriptor address,
which also applies to several other uses of propagate_page_fault(),
and hence the problem is being fixed there)
- map_ldt_shadow_page() should properly wrap addresses for 32-bit VMs
At once remove the odd invocation of map_ldt_shadow_page() from the
MMUEXT_SET_LDT handler: There's nothing really telling us that the
first LDT page is going to be preferred over others.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Acked-by: Keir Fraser
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -674,12 +674,7 @@ int arch_set_info_guest(
fixup_guest_code_selector(d, c.nat->trap_ctxt[i].cs);
}
- /* LDT safety checks. */
- if ( ((c.nat->ldt_base & (PAGE_SIZE-1)) != 0) ||
- (c.nat->ldt_ents > 8192) ||
- !array_access_ok(c.nat->ldt_base,
- c.nat->ldt_ents,
- LDT_ENTRY_SIZE) )
+ if ( !__addr_ok(c.nat->ldt_base) )
return -EINVAL;
}
else
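Review bot: The range check over the whole table (`array_access_ok` / `compat_array_access_ok`) is replaced by a base-only `__addr_ok(c.nat->ldt_base)` test, and nothing in the code says where the per-entry validation now happens. Per the commit description it moves to descriptor access time, so a comment such as `/* Only the base is validated here; descriptor addresses are checked when an LDT entry is accessed. */` would keep a reader from taking this for the complete check. The same applies to the `!__addr_ok(ptr)` condition in the do_mmuext_op hunk of mm.c. The compat branch gets no `__addr_ok` test at all, presumably because a compat `ldt_base` is 32 bits wide; that assumption deserves a one-line comment too. arch_set_info_guest starts and ends outside the hunk.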
@@ -692,15 +687,12 @@ int arch_set_info_guest(
for ( i = 0; i < ARRAY_SIZE(c.cmp->trap_ctxt); i++ )
fixup_guest_code_selector(d, c.cmp->trap_ctxt[i].cs);
-
- /* LDT safety checks. */
- if ( ((c.cmp->ldt_base & (PAGE_SIZE-1)) != 0) ||
- (c.cmp->ldt_ents > 8192) ||
- !compat_array_access_ok(c.cmp->ldt_base,
- c.cmp->ldt_ents,
- LDT_ENTRY_SIZE) )
- return -EINVAL;
}
+
+ /* LDT safety checks. */
+ if ( ((c(ldt_base) & (PAGE_SIZE - 1)) != 0) ||
+ (c(ldt_ents) > 8192) )
+ return -EINVAL;
}
v->fpu_initialised = !!(flags & VGCF_I387_VALID);
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -582,6 +582,8 @@ int map_ldt_shadow_page(unsigned int off
BUG_ON(unlikely(in_irq()));
+ if ( is_pv_32bit_domain(d) )
+ gva = (u32)gva;
guest_get_eff_kern_l1e(v, gva, &l1e);
if ( unlikely(!(l1e_get_flags(l1e) & _PAGE_PRESENT)) )
return 0;
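Review bot: The bare `(u32)gva` cast carries no explanation and reads like an accidental truncation. The commit description says addresses must wrap for 32-bit VMs, so say it at the cast: `/* 32-bit PV guest: the LDT address wraps at 4GiB */`. How `gva` is computed is outside the hunk, and map_ldt_shadow_page starts and ends outside it.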
@@ -3229,9 +3231,8 @@ long do_mmuext_op(
MEM_LOG("ignoring SET_LDT hypercall from external domain");
okay = 0;
}
- else if ( ((ptr & (PAGE_SIZE-1)) != 0) ||
- (ents > 8192) ||
- !array_access_ok(ptr, ents, LDT_ENTRY_SIZE) )
+ else if ( ((ptr & (PAGE_SIZE - 1)) != 0) || !__addr_ok(ptr) ||
+ (ents > 8192) )
{
okay = 0;
MEM_LOG("Bad args to SET_LDT: ptr=%lx, ents=%lx", ptr, ents);
@@ -3244,8 +3245,6 @@ long do_mmuext_op(
curr->arch.pv_vcpu.ldt_base = ptr;
curr->arch.pv_vcpu.ldt_ents = ents;
load_LDT(curr);
- if ( ents != 0 )
- (void)map_ldt_shadow_page(0);
}
break;
}
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1070,12 +1070,24 @@ static void reserved_bit_page_fault(
show_execution_state(regs);
}
-void propagate_page_fault(unsigned long addr, u16 error_code)
+struct trap_bounce *propagate_page_fault(unsigned long addr, u16 error_code)
{
struct trap_info *ti;
struct vcpu *v = current;
struct trap_bounce *tb = &v->arch.pv_vcpu.trap_bounce;
+ if ( unlikely(!is_canonical_address(addr)) )
+ {
+ ti = &v->arch.pv_vcpu.trap_ctxt[TRAP_gp_fault];
+ tb->flags = TBF_EXCEPTION | TBF_EXCEPTION_ERRCODE;
+ tb->error_code = 0;
+ tb->cs = ti->cs;
+ tb->eip = ti->address;
+ if ( TI_GET_IF(ti) )
+ tb->flags |= TBF_INTERRUPT;
+ return tb;
+ }
+
v->arch.pv_vcpu.ctrlreg[2] = addr;
arch_set_cr2(v, addr);
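Review bot: The new return value of `propagate_page_fault()` is undocumented and easy to read the wrong way round: non-NULL means a #GP was queued instead of the #PF, while NULL (the `return NULL` added in the next hunk) means the #PF went out as before. A comment above the function should state that, e.g. `/* Returns the trap bounce if a #GP was queued for a non-canonical addr (caller may set its error code), NULL if a #PF was queued. */`, and the prototype in asm-x86/mm.h could carry the same line. Callers that ignore the result deliver the #GP with `error_code` 0, which is worth stating as well. The early return also skips everything after the `%cr2` update; that part of the body is outside the hunk, so confirm nothing there is needed on the #GP path.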
@@ -1102,6 +1114,8 @@ void propagate_page_fault(unsigned long
if ( unlikely(error_code & PFEC_reserved_bit) )
reserved_bit_page_fault(addr, guest_cpu_user_regs());
+
+ return NULL;
}
static int handle_gdt_ldt_mapping_fault(
@@ -1135,13 +1149,16 @@ static int handle_gdt_ldt_mapping_fault(
}
else
{
+ struct trap_bounce *tb;
+
/* In hypervisor mode? Leave it to the #PF handler to fix up. */
if ( !guest_mode(regs) )
return 0;
- /* In guest mode? Propagate #PF to guest, with adjusted %cr2. */
- propagate_page_fault(
- curr->arch.pv_vcpu.ldt_base + offset,
- regs->error_code);
+ /* In guest mode? Propagate fault to guest, with adjusted %cr2. */
+ tb = propagate_page_fault(curr->arch.pv_vcpu.ldt_base + offset,
+ regs->error_code);
+ if ( tb )
+ tb->error_code = ((u16)offset & ~3) | 4;
}
}
else
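Review bot: The updated comment still says "with adjusted %cr2", but on the non-canonical path `propagate_page_fault()` returns before `%cr2` is written, and the error code expression `((u16)offset & ~3) | 4` is left unexplained. I would reword the comment to `/* In guest mode? Propagate #PF (with adjusted %cr2) or #GP to guest. */` and add `/* #GP error code: LDT selector built from the offset, TI set, RPL clear. */` above the assignment. handle_gdt_ldt_mapping_fault starts and ends outside the hunk.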
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
@@ -555,7 +555,7 @@ int new_guest_cr3(unsigned long pfn);
void make_cr3(struct vcpu *v, unsigned long mfn);
void update_cr3(struct vcpu *v);
int vcpu_destroy_pagetables(struct vcpu *);
-void propagate_page_fault(unsigned long addr, u16 error_code);
+struct trap_bounce *propagate_page_fault(unsigned long addr, u16 error_code);
void *do_page_walk(struct vcpu *v, unsigned long addr);
int __sync_local_execstate(void);
--- a/xen/include/asm-x86/paging.h
+++ b/xen/include/asm-x86/paging.h
@@ -386,7 +386,8 @@ guest_get_eff_l1e(struct vcpu *v, unsign
if ( likely(!paging_mode_translate(v->domain)) )
{
ASSERT(!paging_mode_external(v->domain));
- if ( __copy_from_user(eff_l1e,
+ if ( !__addr_ok(addr) ||
+ __copy_from_user(eff_l1e,
&__linear_l1_table[l1_linear_offset(addr)],
sizeof(l1_pgentry_t)) != 0 )
*(l1_pgentry_t *)eff_l1e = l1e_empty();
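Review bot: The `!__addr_ok(addr)` guard in front of `__copy_from_user()` looks redundant unless the reader knows why it is there, and the code does not say. Going by the commit descriptions, an address outside the guest range would index the linear table into Xen's own mappings, and the copy would succeed and return data that is not a page table entry. A comment such as `/* Reject non-guest addresses: their linear-table slot maps Xen data, not a guest L1 entry. */` should record that here, and likewise at the identical guard added to guest_map_l1e() in the following patch. guest_get_eff_l1e starts and ends outside the hunk.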
++++++ 5257a8e7-x86-add-address-validity-check-to-guest_map_l1e.patch ++++++
# Commit d06a0d715ec1423b6c42141ab1b0ff69a3effb56
# Date 2013-10-11 09:29:43 +0200
# Author Jan Beulich
# Committer Jan Beulich
x86: add address validity check to guest_map_l1e()
Just like for guest_get_eff_l1e() this prevents accessing as page
tables (and with the wrong memory attribute) internal data inside Xen
happening to be mapped with 1Gb pages.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Acked-by: Keir Fraser
--- a/xen/include/asm-x86/paging.h
+++ b/xen/include/asm-x86/paging.h
@@ -360,7 +360,8 @@ guest_map_l1e(struct vcpu *v, unsigned l
return paging_get_hostmode(v)->guest_map_l1e(v, addr, gl1mfn);
/* Find this l1e and its enclosing l1mfn in the linear map */
- if ( __copy_from_user(&l2e,
+ if ( !__addr_ok(addr) ||
+ __copy_from_user(&l2e,
&__linear_l2_table[l2_linear_offset(addr)],
sizeof(l2_pgentry_t)) != 0 )
return NULL;
++++++ 5257a944-x86-check-for-canonical-address-before-doing-page-walks.patch ++++++
# Commit 6fd9b0361e2eb5a7f12bdd5cbf7e42c0d1937d26
# Date 2013-10-11 09:31:16 +0200
# Author Jan Beulich
# Committer Jan Beulich
x86: check for canonical address before doing page walks
... as there doesn't really exist any valid mapping for them.
Particularly in the case of do_page_walk() this also avoids returning
non-NULL for such invalid input.
Suggested-by: Andrew Cooper
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Acked-by: Keir Fraser
--- a/xen/arch/x86/x86_64/mm.c
+++ b/xen/arch/x86/x86_64/mm.c
@@ -135,7 +135,7 @@ void *do_page_walk(struct vcpu *v, unsig
l2_pgentry_t l2e, *l2t;
l1_pgentry_t l1e, *l1t;
- if ( is_hvm_vcpu(v) )
+ if ( is_hvm_vcpu(v) || !is_canonical_address(addr) )
return NULL;
l4t = map_domain_page(mfn);
--- a/xen/arch/x86/x86_64/traps.c
+++ b/xen/arch/x86/x86_64/traps.c
@@ -169,6 +169,8 @@ void show_page_walk(unsigned long addr)
l1_pgentry_t l1e, *l1t;
printk("Pagetable walk from %016lx:\n", addr);
+ if ( !is_canonical_address(addr) )
+ return;
l4t = map_domain_page(mfn);
l4e = l4t[l4_table_offset(addr)];
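Review bot: For a non-canonical address `show_page_walk()` now prints the "Pagetable walk from" header and then returns without saying why no walk follows, which looks like truncated output in a crash log. One more line before the `return` would fix that, e.g. `printk(" (non-canonical address, no walk)\n");`. show_page_walk starts and ends outside the hunk.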
++++++ 525b95f4-scheduler-adjust-internal-locking-interface.patch ++++++
++++ 632 lines (skipped)
++++++ 525b9617-sched-fix-race-between-sched_move_domain-and-vcpu_wake.patch ++++++
# Commit ef55257bc81204e34691f1c2aa9e01f2d0768bdd
# Date 2013-10-14 08:58:31 +0200
# Author David Vrabel
# Committer Jan Beulich
sched: fix race between sched_move_domain() and vcpu_wake()
From: David Vrabel
sched_move_domain() changes v->processor for all the domain's VCPUs.
If another domain, softirq etc. triggers a simultaneous call to
vcpu_wake() (e.g., by setting an event channel as pending), then
vcpu_wake() may lock one schedule lock and try to unlock another.
vcpu_schedule_lock() attempts to handle this but only does so for the
window between reading the schedule_lock from the per-CPU data and the
spin_lock() call. This does not help with sched_move_domain()
changing v->processor between the calls to vcpu_schedule_lock() and
vcpu_schedule_unlock().
Fix the race by taking the schedule_lock for v->processor in
sched_move_domain().
Signed-off-by: David Vrabel
Acked-by: Juergen Gross
Use vcpu_schedule_lock_irq() (which now returns the lock) to properly
retry the locking should the to be used lock have changed in the course
of acquiring it (issue pointed out by George Dunlap).
Add a comment explaining the state after the v->processor adjustment.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Acked-by: Keir Fraser
--- a/xen/common/schedule.c
+++ b/xen/common/schedule.c
@@ -276,6 +276,8 @@ int sched_move_domain(struct domain *d,
new_p = cpumask_first(c->cpu_valid);
for_each_vcpu ( d, v )
{
+ spinlock_t *lock;
+
vcpudata = v->sched_priv;
migrate_timer(&v->periodic_timer, new_p);
@@ -283,7 +285,16 @@ int sched_move_domain(struct domain *d,
migrate_timer(&v->poll_timer, new_p);
cpumask_setall(v->cpu_affinity);
+
+ lock = vcpu_schedule_lock_irq(v);
v->processor = new_p;
+ /*
+ * With v->processor modified we must not
+ * - make any further changes assuming we hold the scheduler lock,
+ * - use vcpu_schedule_unlock_irq().
+ */
+ spin_unlock_irq(lock);
+
v->sched_priv = vcpu_priv[v->vcpu_id];
evtchn_move_pirqs(v);
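Review bot: The new comment says what must not be done once `v->processor` has changed, but not why the `v->sched_priv` assignment right after `spin_unlock_irq(lock)` is safe without any lock. Presumably the domain is paused by the caller while it is moved, which would make it safe; that is not visible in the hunk. If so, a line such as `/* The domain is paused, so sched_priv can be switched without the lock. */` should say it, and if not, the assignment belongs before the unlock. sched_move_domain starts and ends outside the hunk.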
++++++ 525e69e8-credit-unpause-parked-vcpu-before-destroying-it.patch ++++++
# Commit d38a668b6ef8c84d1d3fda9947ffb0056d01fe3a
# Date 2013-10-16 12:26:48 +0200
# Author Juergen Gross
# Committer Jan Beulich
credit: unpause parked vcpu before destroying it
A capped out vcpu must be unpaused in case of moving it to another cpupool,
otherwise it will be paused forever.
Signed-off-by: Juergen Gross
Acked-by: George Dunlap
--- a/xen/common/sched_credit.c
+++ b/xen/common/sched_credit.c
@@ -931,6 +931,12 @@ csched_vcpu_remove(const struct schedule
SCHED_STAT_CRANK(vcpu_destroy);
+ if ( test_and_clear_bit(CSCHED_FLAG_VCPU_PARKED, &svc->flags) )
+ {
+ SCHED_STAT_CRANK(vcpu_unpark);
+ vcpu_unpause(svc->vcpu);
+ }
+
if ( __vcpu_on_runq(svc) )
__runq_remove(svc);
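Review bot: Nothing at the new `test_and_clear_bit(CSCHED_FLAG_VCPU_PARKED, &svc->flags)` block says why a vcpu that is being removed needs an unpause. Going by the commit description, a capped vcpu would otherwise stay paused forever after a move to another cpupool; a comment like `/* Drop the pause taken when the vcpu was parked for exceeding its cap. */` should record that. Where the matching pause is taken is outside the hunk, and csched_vcpu_remove starts and ends outside it.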
++++++ 525faf5e-x86-print-relevant-tail-part-of-filename-for-warnings-and-crashes.patch ++++++
# Commit f72cb6bbc10348f4f7671428e5db509731e9e6a5
# Date 2013-10-17 11:35:26 +0200
# Author Jan Beulich
# Committer Jan Beulich
x86: print relevant (tail) part of filename for warnings and crashes
In particular when the origin construct is in a header file (and
hence the file name is an absolute path instead of just the file name
portion) the information can otherwise become rather useless when the
build tree isn't sitting relatively close to the file system root.
Signed-off-by: Jan Beulich
Acked-by: Keir Fraser
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -953,7 +953,7 @@ void do_invalid_op(struct cpu_user_regs
{
struct bug_frame bug;
struct bug_frame_str bug_str;
- const char *p, *filename, *predicate, *eip = (char *)regs->eip;
+ const char *p, *prefix = "", *filename, *predicate, *eip = (char *)regs->eip;
unsigned long fixup;
int id, lineno;
@@ -995,12 +995,19 @@ void do_invalid_op(struct cpu_user_regs
}
/* WARN, BUG or ASSERT: decode the filename pointer and line number. */
- filename = p;
+ fixup = strlen(p);
+ if ( fixup > 50 )
+ {
+ filename = p + fixup - 47;
+ prefix = "...";
+ }
+ else
+ filename = p;
lineno = bug.id >> 2;
if ( id == BUGFRAME_warn )
{
- printk("Xen WARN at %.50s:%d\n", filename, lineno);
+ printk("Xen WARN at %s%s:%d\n", prefix, filename, lineno);
show_execution_state(regs);
regs->eip = (unsigned long)eip;
return;
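Review bot: `fixup` is reused here as a string length although it is the variable that later receives the result of `search_exception_table()`, and the pair 50 / 47 only makes sense once you notice that 47 plus the three characters of `"..."` gives the old 50-character width. A dedicated local (`size_t len = strlen(p);`) and a comment like `/* keep the last 47 chars so prefix + name stay within 50 */` would remove both puzzles. Also, the old `%.50s` bounded how far `p` was read, while `strlen(p)` walks to the terminating NUL, so this now relies on the validation of `p` that precedes the hunk and is not visible here. do_invalid_op starts and ends outside the hunk.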
@@ -1008,10 +1015,10 @@ void do_invalid_op(struct cpu_user_regs
if ( id == BUGFRAME_bug )
{
- printk("Xen BUG at %.50s:%d\n", filename, lineno);
+ printk("Xen BUG at %s%s:%d\n", prefix, filename, lineno);
DEBUGGER_trap_fatal(TRAP_invalid_op, regs);
show_execution_state(regs);
- panic("Xen BUG at %.50s:%d\n", filename, lineno);
+ panic("Xen BUG at %s%s:%d\n", prefix, filename, lineno);
}
/* ASSERT: decode the predicate string pointer. */
@@ -1025,12 +1032,12 @@ void do_invalid_op(struct cpu_user_regs
if ( !is_kernel(predicate) )
predicate = "<unknown>";
- printk("Assertion '%s' failed at %.50s:%d\n",
- predicate, filename, lineno);
+ printk("Assertion '%s' failed at %s%s:%d\n",
+ predicate, prefix, filename, lineno);
DEBUGGER_trap_fatal(TRAP_invalid_op, regs);
show_execution_state(regs);
- panic("Assertion '%s' failed at %.50s:%d\n",
- predicate, filename, lineno);
+ panic("Assertion '%s' failed at %s%s:%d\n",
+ predicate, prefix, filename, lineno);
die:
if ( (fixup = search_exception_table(regs->eip)) != 0 )
++++++ CVE-2013-4355-xsa63.patch -> CVE-2013-4375-xsa71.patch ++++++
--- /work/SRC/openSUSE:Factory/xen/CVE-2013-4355-xsa63.patch 2013-10-03 13:01:44.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.xen.new/CVE-2013-4375-xsa71.patch 2013-10-25 13:38:57.000000000 +0200
@@ -1,173 +1,33 @@
-References: bnc#840592 CVE-2013-4355 XSA-63
+References: bnc#842515 CVE-2013-4375 XSA-71
-x86: properly handle hvm_copy_from_guest_{phys,virt}() errors
+xen_disk: mark ioreq as mapped before unmapping in error case
-Ignoring them generally implies using uninitialized data and, in all
-but two of the cases dealt with here, potentially leaking hypervisor
-stack contents to guests.
-
-This is CVE-2013-4355 / XSA-63.
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Tim Deegan
-Reviewed-by: Andrew Cooper
-
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -2316,11 +2316,7 @@ void hvm_task_switch(
-
- rc = hvm_copy_from_guest_virt(
- &tss, prev_tr.base, sizeof(tss), PFEC_page_present);
-- if ( rc == HVMCOPY_bad_gva_to_gfn )
-- goto out;
-- if ( rc == HVMCOPY_gfn_paged_out )
-- goto out;
-- if ( rc == HVMCOPY_gfn_shared )
-+ if ( rc != HVMCOPY_okay )
- goto out;
-
- eflags = regs->eflags;
-@@ -2365,13 +2361,11 @@ void hvm_task_switch(
-
- rc = hvm_copy_from_guest_virt(
- &tss, tr.base, sizeof(tss), PFEC_page_present);
-- if ( rc == HVMCOPY_bad_gva_to_gfn )
-- goto out;
-- if ( rc == HVMCOPY_gfn_paged_out )
-- goto out;
-- /* Note: this could be optimised, if the callee functions knew we want RO
-- * access */
-- if ( rc == HVMCOPY_gfn_shared )
-+ /*
-+ * Note: The HVMCOPY_gfn_shared case could be optimised, if the callee
-+ * functions knew we want RO access.
-+ */
-+ if ( rc != HVMCOPY_okay )
- goto out;
-
-
---- a/xen/arch/x86/hvm/intercept.c
-+++ b/xen/arch/x86/hvm/intercept.c
-@@ -87,17 +87,28 @@ static int hvm_mmio_access(struct vcpu *
- {
- for ( i = 0; i < p->count; i++ )
- {
-- int ret;
--
-- ret = hvm_copy_from_guest_phys(&data,
-- p->data + (sign * i * p->size),
-- p->size);
-- if ( (ret == HVMCOPY_gfn_paged_out) ||
-- (ret == HVMCOPY_gfn_shared) )
-+ switch ( hvm_copy_from_guest_phys(&data,
-+ p->data + sign * i * p->size,
-+ p->size) )
- {
-+ case HVMCOPY_okay:
-+ break;
-+ case HVMCOPY_gfn_paged_out:
-+ case HVMCOPY_gfn_shared:
- rc = X86EMUL_RETRY;
- break;
-+ case HVMCOPY_bad_gfn_to_mfn:
-+ data = ~0;
-+ break;
-+ case HVMCOPY_bad_gva_to_gfn:
-+ ASSERT(0);
-+ /* fall through */
-+ default:
-+ rc = X86EMUL_UNHANDLEABLE;
-+ break;
+Commit c6961b7d ("xen_disk: use bdrv_aio_flush instead of bdrv_flush")
+modified the semantics of ioreq_{un,}map so that they are idempotent if
+called when they're not needed (ie., twice in a row). However, it neglected
+to handle the case where batch mapping is not being used (the default), and
+one of the grants fails to map. In this case, ioreq_unmap will be called to
+unwind and unmap any mappings already performed, but ioreq_unmap simply
+returns due to the aforementioned change (the ioreq has not already been
+marked as mapped).
+
+The frontend user can therefore force xen_disk to leak grant mappings, a
+per-backend-domain limited resource.
+
+Fix by marking the ioreq as mapped before calling ioreq_unmap in this
+situation.
+
+This is XSA-71 / CVE-2013-4375
+
+Signed-off-by: Matthew Daley
+
+--- a/tools/qemu-xen-dir-remote/hw/xen_disk.c
++++ b/tools/qemu-xen-dir-remote/hw/xen_disk.c
+@@ -406,6 +406,7 @@ static int ioreq_map(struct ioreq *ioreq
+ xen_be_printf(&ioreq->blkdev->xendev, 0,
+ "can't map grant ref %d (%s, %d maps)\n",
+ refs[i], strerror(errno), ioreq->blkdev->cnt_map);
++ ioreq->mapped = 1;
+ ioreq_unmap(ioreq);
+ return -1;
}
-+ if ( rc != X86EMUL_OKAY )
-+ break;
- rc = write_handler(v, p->addr + (sign * i * p->size), p->size,
- data);
- if ( rc != X86EMUL_OKAY )
-@@ -165,8 +176,28 @@ static int process_portio_intercept(port
- for ( i = 0; i < p->count; i++ )
- {
- data = 0;
-- (void)hvm_copy_from_guest_phys(&data, p->data + sign*i*p->size,
-- p->size);
-+ switch ( hvm_copy_from_guest_phys(&data,
-+ p->data + sign * i * p->size,
-+ p->size) )
-+ {
-+ case HVMCOPY_okay:
-+ break;
-+ case HVMCOPY_gfn_paged_out:
-+ case HVMCOPY_gfn_shared:
-+ rc = X86EMUL_RETRY;
-+ break;
-+ case HVMCOPY_bad_gfn_to_mfn:
-+ data = ~0;
-+ break;
-+ case HVMCOPY_bad_gva_to_gfn:
-+ ASSERT(0);
-+ /* fall through */
-+ default:
-+ rc = X86EMUL_UNHANDLEABLE;
-+ break;
-+ }
-+ if ( rc != X86EMUL_OKAY )
-+ break;
- rc = action(IOREQ_WRITE, p->addr, p->size, &data);
- if ( rc != X86EMUL_OKAY )
- break;
---- a/xen/arch/x86/hvm/io.c
-+++ b/xen/arch/x86/hvm/io.c
-@@ -340,14 +340,24 @@ static int dpci_ioport_write(uint32_t mp
- data = p->data;
- if ( p->data_is_ptr )
- {
-- int ret;
--
-- ret = hvm_copy_from_guest_phys(&data,
-- p->data + (sign * i * p->size),
-- p->size);
-- if ( (ret == HVMCOPY_gfn_paged_out) &&
-- (ret == HVMCOPY_gfn_shared) )
-+ switch ( hvm_copy_from_guest_phys(&data,
-+ p->data + sign * i * p->size,
-+ p->size) )
-+ {
-+ case HVMCOPY_okay:
-+ break;
-+ case HVMCOPY_gfn_paged_out:
-+ case HVMCOPY_gfn_shared:
- return X86EMUL_RETRY;
-+ case HVMCOPY_bad_gfn_to_mfn:
-+ data = ~0;
-+ break;
-+ case HVMCOPY_bad_gva_to_gfn:
-+ ASSERT(0);
-+ /* fall through */
-+ default:
-+ return X86EMUL_UNHANDLEABLE;
-+ }
- }
-
- switch ( p->size )
---- a/xen/arch/x86/hvm/vmx/realmode.c
-+++ b/xen/arch/x86/hvm/vmx/realmode.c
-@@ -39,7 +39,9 @@ static void realmode_deliver_exception(
-
- again:
- last_byte = (vector * 4) + 3;
-- if ( idtr->limit < last_byte )
-+ if ( idtr->limit < last_byte ||
-+ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) !=
-+ HVMCOPY_okay )
- {
- /* Software interrupt? */
- if ( insn_len != 0 )
-@@ -64,8 +66,6 @@ static void realmode_deliver_exception(
- }
- }
-
-- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4);
--
- frame[0] = regs->eip + insn_len;
- frame[1] = csr->sel;
- frame[2] = regs->eflags & ~X86_EFLAGS_RF;
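Review bot: In the new patch, `ioreq->mapped = 1;` is set on a request whose mapping has just failed, with no comment saying it is there only to get past the early return in `ioreq_unmap()`. Without that a reader will take it for a bug and remove it, which brings the grant-mapping leak back. I would add `/* not fully mapped, but mark it so ioreq_unmap() releases the grants mapped so far */` above the line. How `ioreq_unmap()` treats the entries that were never mapped is outside the hunk and should be confirmed. The removed lines are the old XSA-63 patch, which the changelog says is replaced by an upstream backport.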
++++++ pygrub-boot-legacy-sles.patch ++++++
Index: xen-4.3.0-testing/tools/pygrub/src/pygrub
===================================================================
--- xen-4.3.0-testing.orig/tools/pygrub/src/pygrub
+++ xen-4.3.0-testing/tools/pygrub/src/pygrub
@@ -606,6 +606,14 @@ def run_grub(file, entry, fs, cfg_args):
print " args: %s" % img.args
print " initrd: %s" % img.initrd[1]
+ # If grub has no menu entries to select, look for vmlinuz-xen and initrd-xen in /boot
+ if len(g.cf.images) == 0:
+ chosencfg = { "kernel": None, "ramdisk": None, "args": "" }
+ chosencfg = sniff_xen_kernel(fs, incfg)
+ if chosencfg["kernel"] and chosencfg["ramdisk"]:
+ chosencfg["args"] = cfg_args
+ return chosencfg
+
if interactive and not list_entries:
curses.wrapper(run_main)
else:
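Review bot: The first assignment to `chosencfg` is dead, because the next line overwrites it with the result of `sniff_xen_kernel(fs, incfg)`, and `incfg` is not a parameter of `run_grub` as shown in the hunk header, so the fallback depends on a name from an outer scope. `sniff_xen_kernel` (added in the second hunk) writes into the dict it is given, so when only the kernel is found `incfg` has already been modified and control falls through to the menu code with no entries. I would drop the dead line and pass a copy, `chosencfg = sniff_xen_kernel(fs, dict(incfg))`, provided callers do not rely on `incfg` being updated; that cannot be told from the hunk. `sniff_xen_kernel` also lacks a docstring saying it only probes the fixed paths `/boot/vmlinuz-xen` and `/boot/initrd-xen`. run_grub starts and ends outside the hunk.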
@@ -692,6 +700,14 @@ def sniff_netware(fs, cfg):
return cfg
+def sniff_xen_kernel(fs, cfg):
+ if not cfg["kernel"] and fs.file_exists('/boot/vmlinuz-xen'):
+ cfg["kernel"] = '/boot/vmlinuz-xen'
+ if cfg["kernel"] and not cfg["ramdisk"]:
+ if fs.file_exists('/boot/initrd-xen'):
+ cfg["ramdisk"] = '/boot/initrd-xen'
+ return cfg
+
def format_sxp(kernel, ramdisk, args):
s = "linux (kernel %s)" % kernel
if ramdisk:
++++++ set-mtu-from-bridge-for-tap-interface.patch ++++++
# HG changeset patch
# User Charles Arnold
# Date 1379427987 -3600
# Node ID e6da6ffd6749237316d4440799f0a0272bbdae9c
# Parent 5597ce99ec7f2587a29f3b2dee0bde98d59bf327
tools/hotplug: set mtu from bridge for tap interface
With changeset 22885 support was added for setting the MTU in the vif-bridge
script for when a vif interface was set to 'online'. This was not done for the
'add' operation. The 'add' operation was added to the script for when tap
devices were specified (c/s 21944). With the setting of the MTU for the
'online' case was there a reason for omitting the 'add'?
This patch sets the MTU for both 'online' and 'add' in the vif-bridge script.
Signed-off-by: Charles Arnold
Acked-by: Ian Campbell
Index: xen-4.3.0-testing/tools/hotplug/Linux/vif-bridge
===================================================================
--- xen-4.3.0-testing.orig/tools/hotplug/Linux/vif-bridge
+++ xen-4.3.0-testing/tools/hotplug/Linux/vif-bridge
@@ -89,11 +89,7 @@ fi
case "$command" in
online)
setup_virtual_bridge_port "$dev"
- mtu="`ip link show $bridge | awk '/mtu/ { print $5 }'`"
- if [ -n "$mtu" ] && [ "$mtu" -gt 0 ]
- then
- ip link set $dev mtu $mtu || :
- fi
+ set_mtu "$bridge" "$dev"
add_to_bridge "$bridge" "$dev"
;;
@@ -104,6 +100,7 @@ case "$command" in
add)
setup_virtual_bridge_port "$dev"
+ set_mtu "$bridge" "$dev"
add_to_bridge "$bridge" "$dev"
;;
esac
Index: xen-4.3.0-testing/tools/hotplug/Linux/xen-network-common.sh
===================================================================
--- xen-4.3.0-testing.orig/tools/hotplug/Linux/xen-network-common.sh
+++ xen-4.3.0-testing/tools/hotplug/Linux/xen-network-common.sh
@@ -132,3 +132,13 @@ add_to_bridge () {
ip link set ${dev} up
}
+# Usage: set_mtu bridge dev
+set_mtu () {
+ local bridge=$1
+ local dev=$2
+ mtu="`ip link show ${bridge}| awk '/mtu/ { print $5 }'`"
+ if [ -n "$mtu" ] && [ "$mtu" -gt 0 ]
+ then
+ ip link set ${dev} mtu $mtu || :
+ fi
+}
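Review bot: `mtu` is assigned without `local`, unlike `bridge` and `dev`, so it leaks into the sourcing script, and `${bridge}`, `${dev}` and `$mtu` are expanded unquoted in the two `ip` commands. The names presumably reach the hotplug scripts from guest configuration, so they should be quoted: `local mtu`, `mtu="$(ip link show "${bridge}" | awk '/mtu/ { print $5 }')"`, and `ip link set "${dev}" mtu "$mtu" || :`. The `-gt 0` test prints an error if `ip` returns something non-numeric; the result is only used as the `if` condition, so that is tolerable but worth a comment. The usage comment could also say that a failure to set the MTU is deliberately ignored (`|| :`).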
++++++ x86-cpufreq-report.patch ++++++
--- /var/tmp/diff_new_pack.kjxygo/_old 2013-10-25 13:39:00.000000000 +0200
+++ /var/tmp/diff_new_pack.kjxygo/_new 2013-10-25 13:39:00.000000000 +0200
@@ -9,7 +9,7 @@
#include
#include
#include
-@@ -597,6 +597,41 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PA
+@@ -601,6 +601,41 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PA
}
break;