[Pkg-xen-changes] [xen] 08/09: merge patched-develop into develop

Bastian Blank waldi at moszumanska.debian.org
Wed Nov 26 08:38:38 UTC 2014


This is an automated email from the git hooks/post-receive script.

waldi pushed a commit to branch develop
in repository xen.

commit 4293b0ae4381e0e5130c36abf363bd772e1ac75b
Merge: 63890be 8e4e032
Author: Bastian Blank <waldi at debian.org>
Date:   Wed Nov 26 09:10:43 2014 +0100

    merge patched-develop into develop

 debian/.git-dpm                                    |   4 +-
 debian/changelog                                   |  10 +
 ...ing-make-log-dirty-operations-preemptible.patch | 655 +++++++++++++++++++++
 ...llow-page-table-updates-on-non-PV-page-ta.patch |  36 ++
 ...orce-privilege-level-restrictions-when-lo.patch | 166 ++++++
 ...a-reference-counting-error-in-MMU_MACHPHY.patch |  53 ++
 debian/patches/series                              |   4 +
 xen/arch/x86/domain.c                              |   4 +-
 xen/arch/x86/domctl.c                              |   8 +-
 xen/arch/x86/hvm/hvm.c                             |   9 +-
 xen/arch/x86/mm.c                                  |  17 +-
 xen/arch/x86/mm/paging.c                           | 261 ++++++--
 xen/arch/x86/x86_64/compat/entry.S                 |   2 +
 xen/arch/x86/x86_64/entry.S                        |   2 +
 xen/arch/x86/x86_emulate/x86_emulate.c             |  42 +-
 xen/common/domain.c                                |   1 -
 xen/include/asm-x86/domain.h                       |  14 +
 xen/include/asm-x86/paging.h                       |  13 +-
 18 files changed, 1216 insertions(+), 85 deletions(-)

diff --cc debian/.git-dpm
index a0324c0,0000000..4188fc2
mode 100644,000000..100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@@ -1,8 -1,0 +1,8 @@@
 +# see git-dpm(1) from git-dpm package
- a90ace8403cf00b7eacd5cf2df1d588e15fb5610
- a90ace8403cf00b7eacd5cf2df1d588e15fb5610
++8e4e0321788113f90b061267635f9c6b4b98b750
++8e4e0321788113f90b061267635f9c6b4b98b750
 +3387be132d526263f246c24d3bbc94767a4eba76
 +3387be132d526263f246c24d3bbc94767a4eba76
 +xen_4.4.1.orig.tar.xz
 +900ed093d14caf511fa1a22f48bbf0499bb2ee11
 +3778516
diff --cc debian/changelog
index a910a4a,0000000..de53c32
mode 100644,000000..100644
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,1159 -1,0 +1,1169 @@@
 +xen (4.4.1-4) UNRELEASED; urgency=medium
 +
++  [ Bastian Blank ]
++  * Make operations pre-emptible.
++    CVE-2014-5146, CVE-2014-5149
++  * Don't allow page table updates from non-PV page tables.
++    CVE-2014-8594
++  * Enforce privilege level while loading code segment.
++    CVE-2014-8595
++  * Fix reference counter leak.
++    CVE-2014-9030
++
 +  [ Ian Campbell ]
 +  * Add licensing for tools/python/logging to debian/copyright.
 +    (Closes: #759384)
 +  * Correctly include xen-init-name in xen-utils-common. (Closes: #769543)
 +  * xen-utils recommends grub-xen-host package (Closes: #770460)
 +
 + -- Ian Campbell <ijc at debian.org>  Fri, 21 Nov 2014 13:06:49 +0000
 +
 +xen (4.4.1-3) unstable; urgency=medium
 +
 +  [ Bastian Blank ]
 +  * Remove unused build-depencencies.
 +  * Extend list affected systems for broken interrupt assignment.
 +    CVE-2013-3495
 +  * Fix race in hvm memory management.
 +    CVE-2014-7154
 +  * Fix missing privilege checks on instruction emulation.
 +    CVE-2014-7155, CVE-2014-7156
 +  * Fix uninitialized control structures in FIFO handling.
 +    CVE-2014-6268
 +  * Fix MSR range check in emulation.
 +    CVE-2014-7188
 +
 +  [ Ian Campbell ]
 +  * Install xen.efi into /boot for amd64 builds.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 17 Oct 2014 16:27:46 +0200
 +
 +xen (4.4.1-2) unstable; urgency=medium
 +
 +  * Re-build with correct content.
 +  * Use dh_lintian.
 +
 + -- Bastian Blank <waldi at debian.org>  Wed, 24 Sep 2014 20:23:14 +0200
 +
 +xen (4.4.1-1) unstable; urgency=medium
 +
 +  * New upstream release.
 +    - Fix several vulnerabilities. (closes: #757724)
 +      CVE-2014-2599, CVE-2014-3124,
 +      CVE-2014-3967, CVE-2014-3968,
 +      CVE-2014-4021
 +
 + -- Bastian Blank <waldi at debian.org>  Sun, 21 Sep 2014 10:45:47 +0200
 +
 +xen (4.4.0-5) unstable; urgency=medium
 +
 +  [ Ian Campbell ]
 +  * Expand on the descriptions of some packages. (Closes: #466683)
 +  * Clarify where xen-utils-common is required. (Closes: #612403)
 +  * No longer depend on gawk. Xen can now use any awk one of which is always
 +    present. (Closes: #589176)
 +  * Put core dumps in /var/lib/xen/dump and ensure it exists.
 +    (Closes: #444000)
 +
 +  [ Bastian Blank ]
 +  * Handle JSON output from xl in xendomains init script.
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 06 Sep 2014 22:11:20 +0200
 +
 +xen (4.4.0-4) unstable; urgency=medium
 +
 +  [ Bastian Blank ]
 +  * Also remove unused OCaml packages from control file.
 +  * Make library packages multi-arch: same. (closes: #730417)
 +  * Use debhelper compat level 9. (closes: #692352)
 +
 +  [ Ian Campbell ]
 +  * Correct contents of /etc/xen/scripts/hotplugpath.sh (Closes: #706283)
 +  * Drop references cpuperf-xen and cpuperf-perfcntr. (Closes: #733847)
 +  * Install xentrace_format(1), xentrace(8) and xentop(1). (Closes: #407143)
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 30 Aug 2014 13:34:04 +0200
 +
 +xen (4.4.0-3) unstable; urgency=medium
 +
 +  [ Ian Campbell ]
 +  * Use correct SeaBIOS binary which supports Xen (Closes: #737905).
 +
 +  [ Bastian Blank ]
 +  * Really update config.{sub,guess}.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 29 Aug 2014 16:33:19 +0200
 +
 +xen (4.4.0-2) unstable; urgency=medium
 +
 +  * Remove broken and unused OCaml-support.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 18 Aug 2014 15:18:42 +0200
 +
 +xen (4.4.0-1) unstable; urgency=medium
 +
 +  [ Bastian Blank ]
 +  * New upstream release.
 +    - Update scripts for compatiblity with latest coreutils.
 +      (closes: #718898)
 +    - Fix guest reboot with xl toolstack. (closes: #727100)
 +    - CVE-2013-6375: Insufficient TLB flushing in VT-d (iommu) code.
 +      (closes: #730254)
 +    - xl support for global VNC options. (closes: #744157)
 +    - vif scripts can now be named relative to /etc/xen/scripts.
 +      (closes: #744160)
 +    - Support for arbitrary sized SeaBIOS binaries. (closes: #737905)
 +    - pygrub searches for extlinux.conf in the expected places.
 +      (closes: #697407)
 +    - Update scripts to use correct syntax for ip command.
 +      (closes: #705659)
 +  * Fix install of xend configs to not break compatibility.
 +
 +  [ Ian Campbell ]
 +  * Disable blktap1 support using new configure option instead of by patching.
 +  * Disable qemu-traditional and rombios support using new configure option
 +    instead of by patching. No need to build-depend on ipxe any more.
 +  * Use system qemu-xen via new configure option instead of patching.
 +  * Use system seabios via new configure option instead of patching.
 +  * Use EXTRA_CFLAGS_XEN_TOOLS and APPEND_{CPPFLAGS,LDFLAGS} during build.
 +  * Add support for armhf and arm64.
 +  * Update config.{sub,guess}.
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 09 Aug 2014 13:09:00 +0200
 +
 +xen (4.3.0-3) unstable; urgency=low
 +
 +  * Revive hypervisor on i386.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 18 Oct 2013 00:15:16 +0200
 +
 +xen (4.3.0-2) unstable; urgency=low
 +
 +  * Force proper install order. (closes: #721999)
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 05 Oct 2013 15:03:36 +0000
 +
 +xen (4.3.0-1) unstable; urgency=low
 +
 +  * New upstream release.
 +    - Fix HVM PCI passthrough. (closes: #706543)
 +  * Call configure with proper arguments.
 +  * Remove now empty xen-docs package.
 +  * Disable external code retrieval.
 +  * Drop all i386 hypervisor packages.
 +  * Drop complete blktap support.
 +  * Create /run/xen.
 +  * Make xen-utils recommend qemu-system-x86. (closes: #688311)
 +    - This version comes with audio support. (closes: #635166)
 +  * Make libxenlight and libxlutil public. (closes: #644390)
 +    - Set versioned ABI name.
 +    - Install headers.
 +    - Move libs into normal library path.
 +  * Use build flags in the tools build.
 +    - Fix fallout from harderning flags.
 +  * Update Standards-Version to 3.9.4. No changes.
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 05 Sep 2013 13:54:03 +0200
 +
 +xen (4.2.2-1) unstable; urgency=low
 +
 +  * New upstream release.
 +    - Fix build with gcc 4.8. (closes: #712376)
 +  * Build-depend on libssl-dev. (closes: #712366)
 +  * Enable hardening as much as possible.
 +  * Re-enable ocaml build fixes. (closes: #695176)
 +  * Check for out-of-bound values in CPU affinity setup.
 +    CVE-2013-2072
 +  * Fix information leak on AMD CPUs.
 +    CVE-2013-2076
 +  * Recover from faults on XRSTOR.
 +    CVE-2013-2077
 +  * Properly check guest input to XSETBV.
 +    CVE-2013-2078
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 11 Jul 2013 00:28:24 +0200
 +
 +xen (4.2.1-2) unstable; urgency=low
 +
 +  * Actually upload to unstable.
 +
 + -- Bastian Blank <waldi at debian.org>  Sun, 12 May 2013 00:20:58 +0200
 +
 +xen (4.2.1-1) experimental; urgency=low
 +
 +  * New upstream release.
 +  * Enable usage of seabios.
 +  * Fix some toolchain issues.
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 11 May 2013 23:55:46 +0200
 +
 +xen (4.2.0-2) experimental; urgency=low
 +
 +  * Support JSON output in domain init script helper.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 01 Oct 2012 15:11:30 +0200
 +
 +xen (4.2.0-1) experimental; urgency=low
 +
 +  * New upstream release.
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 18 Sep 2012 13:54:30 +0200
 +
 +xen (4.2.0~rc3-1) experimental; urgency=low
 +
 +  * New upstream snapshot.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 07 Sep 2012 20:28:46 +0200
 +
 +xen (4.2.0~rc2-1) experimental; urgency=low
 +
 +  * New upstream snapshot.
 +  * Build-depend against libglib2.0-dev and libyajl-dev.
 +  * Disable seabios build for now.
 +  * Remove support for Lenny and earlier.
 +  * Support build-arch and build-indep make targets.
 +
 + -- Bastian Blank <waldi at debian.org>  Sun, 13 May 2012 12:21:10 +0000
 +
 +xen (4.1.4-4) unstable; urgency=high
 +
 +  * Make several long runing operations preemptible.
 +    CVE-2013-1918
 +  * Fix source validation for VT-d interrupt remapping.
 +    CVE-2013-1952
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 02 May 2013 14:30:29 +0200
 +
 +xen (4.1.4-3) unstable; urgency=high
 +
 +  * Fix return from SYSENTER.
 +    CVE-2013-1917
 +  * Fix various problems with guest interrupt handling.
 +    CVE-2013-1919
 +  * Only save pointer after access checks.
 +    CVE-2013-1920
 +  * Fix domain locking for transitive grants.
 +    CVE-2013-1964
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 19 Apr 2013 13:01:57 +0200
 +
 +xen (4.1.4-2) unstable; urgency=low
 +
 +  * Use pre-device interrupt remapping mode per default. Fix removing old
 +    remappings.
 +    CVE-2013-0153
 +
 + -- Bastian Blank <waldi at debian.org>  Wed, 06 Feb 2013 13:04:52 +0100
 +
 +xen (4.1.4-1) unstable; urgency=low
 +
 +  * New upstream release.
 +    - Disable process-context identifier support in newer CPUs for all
 +      domains.
 +    - Add workarounds for AMD errata.
 +    - Don't allow any non-canonical addresses.
 +    - Use Multiboot memory map if BIOS emulation does not provide one.
 +    - Fix several problems in tmem.
 +      CVE-2012-3497
 +    - Fix error handling in domain creation.
 +    - Adjust locking and interrupt handling during S3 resume.
 +    - Tighten more resource and memory range checks.
 +    - Reset performance counters. (closes: #698651)
 +    - Remove special-case for first IO-APIC.
 +    - Fix MSI handling for HVM domains. (closes: #695123)
 +    - Revert cache value of disks in HVM domains.
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 31 Jan 2013 15:44:50 +0100
 +
 +xen (4.1.3-8) unstable; urgency=high
 +
 +  * Fix error in VT-d interrupt remapping source validation.
 +    CVE-2012-5634
 +  * Fix buffer overflow in qemu e1000 emulation.
 +    CVE-2012-6075
 +  * Update patch, mention second CVE.
 +    CVE-2012-5511, CVE-2012-6333
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 19 Jan 2013 13:55:07 +0100
 +
 +xen (4.1.3-7) unstable; urgency=low
 +
 +  * Fix clock jump due to incorrect annotated inline assembler.
 +    (closes: #599161)
 +  * Add support for XZ compressed Linux kernels to hypervisor and userspace
 +    based loaders, it is needed for any Linux kernels newer then Wheezy.
 +    (closes: #695056)
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 11 Dec 2012 18:54:59 +0100
 +
 +xen (4.1.3-6) unstable; urgency=high
 +
 +  * Fix error handling in physical to machine memory mapping.
 +    CVE-2012-5514
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 04 Dec 2012 10:51:43 +0100
 +
 +xen (4.1.3-5) unstable; urgency=high
 +
 +  * Fix state corruption due to incomplete grant table switch.
 +    CVE-2012-5510
 +  * Check range of arguments to several HVM operations.
 +    CVE-2012-5511, CVE-2012-6333
 +  * Check array index before using it in HVM memory operation.
 +    CVE-2012-5512
 +  * Check memory range in memory exchange operation.
 +    CVE-2012-5513
 +  * Don't allow too large memory size and avoid busy looping.
 +    CVE-2012-5515
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 03 Dec 2012 19:37:38 +0100
 +
 +xen (4.1.3-4) unstable; urgency=high
 +
 +  * Use linux 3.2.0-4 stuff.
 +  * Fix overflow in timer calculations.
 +    CVE-2012-4535
 +  * Check value of physical interrupts parameter before using it.
 +    CVE-2012-4536
 +  * Error out on incorrect memory mapping updates.
 +    CVE-2012-4537
 +  * Check if toplevel page tables are present.
 +    CVE-2012-4538
 +  * Fix infinite loop in compatibility code.
 +    CVE-2012-4539
 +  * Limit maximum kernel and ramdisk size.
 +    CVE-2012-2625, CVE-2012-4544
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 20 Nov 2012 15:51:01 +0100
 +
 +xen (4.1.3-3) unstable; urgency=low
 +
 +  * Xen domain init script:
 +    - Make sure Open vSwitch is started before any domain.
 +    - Properly handle and show output of failed migration and save.
 +    - Ask all domains to shut down before checking them.
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 18 Sep 2012 13:26:32 +0200
 +
 +xen (4.1.3-2) unstable; urgency=medium
 +
 +  * Don't allow writing reserved bits in debug register.
 +    CVE-2012-3494
 +  * Fix error handling in interrupt assignment.
 +    CVE-2012-3495
 +  * Don't trigger bug messages on invalid flags.
 +    CVE-2012-3496
 +  * Check array bounds in interrupt assignment.
 +    CVE-2012-3498
 +  * Properly check bounds while setting the cursor in qemu.
 +    CVE-2012-3515
 +  * Disable monitor in qemu by default.
 +    CVE-2012-4411
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 07 Sep 2012 19:41:46 +0200
 +
 +xen (4.1.3-1) unstable; urgency=medium
 +
 +  * New upstream release: (closes: #683286)
 +    - Don't leave the x86 emulation in a bad state. (closes: #683279)
 +      CVE-2012-3432
 +    - Only check for shared pages while any exist on teardown.
 +      CVE-2012-3433
 +    - Fix error handling for unexpected conditions.
 +    - Update CPUID masking to latest Intel spec.
 +    - Allow large ACPI ids.
 +    - Fix IOMMU support for PCI-to-PCIe bridges.
 +    - Disallow access to some sensitive IO-ports.
 +    - Fix wrong address in IOTLB.
 +    - Fix deadlock on CPUs without working cpufreq driver.
 +    - Use uncached disk access in qemu.
 +    - Fix buffer size on emulated e1000 device in qemu.
 +  * Fixup broken and remove applied patches.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 17 Aug 2012 11:25:02 +0200
 +
 +xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-5) unstable; urgency=low
 +
 +  [ Ian Campbell ]
 +  * Set tap device MAC addresses to fe:ff:ff:ff:ff:ff (Closes: #671018)
 +  * Only run xendomains initscript if toolstack is xl or xm (Closes: #680528)
 +
 +  [ Bastian Blank ]
 +  * Actually build-depend on new enough version of dpkg-dev.
 +  * Add xen-sytem-* meta-packages. We are finally in a position to do
 +    automatic upgrades and this package is missing. (closes: #681376)
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 28 Jul 2012 10:23:26 +0200
 +
 +xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-4) unstable; urgency=low
 +
 +  * Add Build-Using info to xen-utils package.
 +  * Fix build-arch target.
 +
 + -- Bastian Blank <waldi at debian.org>  Sun, 01 Jul 2012 19:52:30 +0200
 +
 +xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-3) unstable; urgency=low
 +
 +  * Remove /usr/lib/xen-default. It breaks systems if xenstored is not
 +    compatible.
 +  * Fix init script usage.
 +  * Fix udev rules for emulated network devices:
 +    - Force names of emulated network devices to a predictable name.
 +
 + -- Bastian Blank <waldi at debian.org>  Sun, 01 Jul 2012 16:59:04 +0200
 +
 +xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-2) unstable; urgency=low
 +
 +  * Fix pointer missmatch in interrupt functions. Fixes build on i386.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 15 Jun 2012 18:00:51 +0200
 +
 +xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-1) unstable; urgency=low
 +
 +  * New upstream snapshot.
 +    - Fix privilege escalation and syscall/sysenter DoS while using
 +      non-canonical addresses by untrusted PV guests. (closes: #677221)
 +      CVE-2012-0217
 +      CVE-2012-0218
 +    - Disable Xen on CPUs affected by AMD Erratum #121. PV guests can
 +      cause a DoS of the host.
 +      CVE-2012-2934
 +  * Don't fail if standard toolstacks are not available. (closes: #677244)
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 14 Jun 2012 17:06:25 +0200
 +
 +xen (4.1.2-7) unstable; urgency=low
 +
 +  * Really use ucf.
 +  * Update init script dependencies:
 +    - Start $syslog before xen.
 +    - Start drbd and iscsi before xendomains. (closes: #626356)
 +    - Start corosync and heartbeat after xendomains.
 +  * Remove /var/log/xen on purge. (closes: #656216)
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 22 May 2012 10:44:41 +0200
 +
 +xen (4.1.2-6) unstable; urgency=low
 +
 +  * Fix generation of architectures for hypervisor packages.
 +  * Remove information about loop devices, it is incorrect. (closes: #503044)
 +  * Update xendomains init script:
 +    - Create directory for domain images only root readable. (closes: #596048)
 +    - Add missing sanity checks for variables. (closes: #671750)
 +    - Remove not longer supported config options.
 +    - Don't fail if no config is available.
 +    - Remove extra output if domain was restored.
 +
 + -- Bastian Blank <waldi at debian.org>  Sun, 06 May 2012 20:07:41 +0200
 +
 +xen (4.1.2-5) unstable; urgency=low
 +
 +  * Actually force init script rename. (closes: #669341)
 +  * Fix long output from xl.
 +  * Move complete init script setup.
 +  * Rewrite xendomains init script:
 +    - Use LSB output functions.
 +    - Make output more clear.
 +    - Use xen toolstack wrapper.
 +    - Use a python script to properly read domain details.
 +  * Set name for Domain-0.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 23 Apr 2012 11:56:45 +0200
 +
 +xen (4.1.2-4) unstable; urgency=low
 +
 +  [ Bastian Blank ]
 +  * Build-depend on ipxe-qemu instead of ipxe. (closes: #665070)
 +  * Don't longer use a4wide latex package.
 +  * Use ucf for /etc/default/xen.
 +  * Remove handling for old udev rules link and xenstored directory.
 +  * Rename xend init script to xen.
 +
 +  [ Lionel Elie Mamane ]
 +  * Fix toolstack script to work with old dash. (closes: #648029)
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 16 Apr 2012 08:47:29 +0000
 +
 +xen (4.1.2-3) unstable; urgency=low
 +
 +  * Merge xen-common source package.
 +  * Remove xend wrapper, it should not be called by users.
 +  * Support xl in init script.
 +  * Restart xen daemons on upgrade.
 +  * Restart and stop xenconsoled in init script.
 +  * Load xen-gntdev module.
 +  * Create /var/lib/xen. (closes: #658101)
 +  * Cleanup udev rules. (closes: #657745)
 +
 + -- Bastian Blank <waldi at debian.org>  Wed, 01 Feb 2012 19:28:28 +0100
 +
 +xen (4.1.2-2) unstable; urgency=low
 +
 +  [ Jon Ludlam ]
 +  * Import (partially reworked) upstream changes for OCaml support.
 +    - Rename the ocamlfind packages.
 +    - Remove uuid and log libraries.
 +    - Fix 2 bit-twiddling bugs and an off-by-one
 +  * Fix build of OCaml libraries.
 +  * Add OCaml library and development package.
 +  * Include some missing headers.
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 10 Dec 2011 19:13:25 +0000
 +
 +xen (4.1.2-1) unstable; urgency=low
 +
 +  * New upstream release.
 +  * Build-depend on pkg-config.
 +  * Add package libxen-4.1. Includes some shared libs.
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 26 Nov 2011 18:28:06 +0100
 +
 +xen (4.1.1-3) unstable; urgency=low
 +
 +  [ Julien Danjou ]
 +  * Remove Julien Danjou from the Uploaders field. (closes: #590439)
 +
 +  [ Bastian Blank ]
 +  * Use current version of python. (closes: #646660)
 +  * Build-depend against liblzma-dev, it is used if available.
 +    (closes: #646694)
 +  * Update Standards-Version to 3.9.2. No changes.
 +  * Don't use brace-expansion in debhelper install files.
 +
 + -- Bastian Blank <waldi at debian.org>  Wed, 26 Oct 2011 14:42:33 +0200
 +
 +xen (4.1.1-2) unstable; urgency=low
 +
 +  * Fix hvmloader with gcc 4.6.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 05 Aug 2011 23:58:36 +0200
 +
 +xen (4.1.1-1) unstable; urgency=low
 +
 +  * New upstream release.
 +  * Don't use qemu-dm if it is not needed. (Backport from xen-unstable.)
 +  * Use dh_python2.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 18 Jul 2011 19:38:38 +0200
 +
 +xen (4.1.0-3) unstable; urgency=low
 +
 +  * Add ghostscript to build-deps.
 +  * Enable qemu-dm build.
 +    - Add qemu as another orig tar.
 +    - Remove blktap1, bluetooth and sdl support from qemu.
 +    - Recommend qemu-keymaps and qemu-utils.
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 28 Apr 2011 15:20:45 +0200
 +
 +xen (4.1.0-2) unstable; urgency=low
 +
 +  * Re-enable hvmloader:
 +    - Use packaged ipxe.
 +  * Workaround incompatibility with xenstored of Xen 4.0.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 15 Apr 2011 11:38:25 +0200
 +
 +xen (4.1.0-1) unstable; urgency=low
 +
 +  * New upstream release.
 +
 + -- Bastian Blank <waldi at debian.org>  Sun, 27 Mar 2011 18:09:28 +0000
 +
 +xen (4.1.0~rc6-1) unstable; urgency=low
 +
 +  * New upstream release candidate.
 +  * Build documentation using pdflatex.
 +  * Use python 2.6. (closes: #596545)
 +  * Fix lintian override.
 +  * Install new tools: xl, xenpaging.
 +  * Enable blktap2.
 +    - Use own md5 implementation.
 +    - Fix includes.
 +    - Fix linking of blktap2 binaries.
 +    - Remove optimization setting.
 +  * Temporarily disable hvmloader, wants to download ipxe.
 +  * Remove xenstored pid check from xl.
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 17 Mar 2011 16:12:45 +0100
 +
 +xen (4.0.1-2) unstable; urgency=low
 +
 +  * Fix races in memory management.
 +  * Make sure that frame-table compression leaves enough alligned.
 +  * Disable XSAVE support. (closes: #595490)
 +  * Check for dying domain instead of raising an assertion.
 +  * Add C6 state with EOI errata for Intel.
 +  * Make some memory management interrupt safe. Unsure if really needed.
 +  * Raise bar for inter-socket migrations on mostly-idle systems.
 +  * Fix interrupt handling for legacy routed interrupts.
 +  * Allow to set maximal domain memory even during a running change.
 +  * Support new partition name in pygrub. (closes: #599243)
 +  * Fix some comparisions "< 0" that may be optimized away.
 +  * Check for MWAIT support before using it.
 +  * Fix endless loop on interrupts on Nehalem cpus.
 +  * Don't crash upon direct GDT/LDT access. (closes: #609531)
 +    CVE-2010-4255  
 +  * Don't loose timer ticks after domain restore.
 +  * Reserve some space for IOMMU area in dom0. (closes: #608715)
 +  * Fix hypercall arguments after trace callout.
 +  * Fix some error paths in vtd support. Memory leak.
 +  * Reinstate ACPI DMAR table.
 +
 + -- Bastian Blank <waldi at debian.org>  Wed, 12 Jan 2011 15:01:40 +0100
 +
 +xen (4.0.1-1) unstable; urgency=low
 +
 +  * New upstream release.
 +    - Fix IOAPIC S3 with interrupt remapping enabled.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 03 Sep 2010 17:14:28 +0200
 +
 +xen (4.0.1~rc6-1) unstable; urgency=low
 +
 +  * New upstream release candidate.
 +    - Add some missing locks for page table walk.
 +    - Fix NMU injection into guest.
 +    - Fix ioapic updates for vt-d.
 +    - Add check for GRUB2 commandline behaviour.
 +    - Fix handling of invalid kernel images.
 +    - Allow usage of powernow.
 +  * Remove lowlevel python modules usage from pygrub. (closes: #588811)
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 17 Aug 2010 23:15:34 +0200
 +
 +xen (4.0.1~rc5-1) unstable; urgency=low
 +
 +  * New upstream release candidate.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 02 Aug 2010 17:06:27 +0200
 +
 +xen (4.0.1~rc3-1) unstable; urgency=low
 +
 +  * New upstream release candidate.
 +  * Call dh_pyversion with the correct version.
 +  * Restart xen daemon on upgrade.
 +
 + -- Bastian Blank <waldi at debian.org>  Wed, 30 Jun 2010 16:30:47 +0200
 +
 +xen (4.0.0-2) unstable; urgency=low
 +
 +  * Fix python dependency. (closes: #586666)
 +    - Use python-support.
 +    - Hardcode to use python 2.5 for now.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 21 Jun 2010 17:23:16 +0200
 +
 +xen (4.0.0-1) unstable; urgency=low
 +
 +  * Update to unstable.
 +  * Fix spelling in README.
 +  * Remove unnecessary build-depends.
 +  * Fixup xend to use different filename lookup.
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 17 Jun 2010 11:16:55 +0200
 +
 +xen (4.0.0-1~experimental.2) experimental; urgency=low
 +
 +  * Merge changes from 3.4.3-1.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 28 May 2010 12:58:12 +0200
 +
 +xen (4.0.0-1~experimental.1) experimental; urgency=low
 +
 +  * New upstream version.
 +  * Rename source package to xen.
 +  * Build depend against iasl and uuid-dev.
 +  * Disable blktap2 support, it links against OpenSSL.
 +  * Update copyright file.
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 06 May 2010 15:47:38 +0200
 +
 +xen-3 (3.4.3-1) unstable; urgency=low
 +
 +  * New upstream version.
 +  * Disable blktap support, it is unusable with current kernels.
 +  * Disable libaio, was only used by blktap.
 +  * Drop device creation support. (closes: #583283)
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 28 May 2010 11:43:18 +0200
 +
 +xen-3 (3.4.3~rc6-1) unstable; urgency=low
 +
 +  * New upstream release candidate.
 +    - Relocate multiboot modules. (closes: #580045)
 +    - Support grub2 in pygrub. (closes: #573311)
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 08 May 2010 11:32:29 +0200
 +
 +xen-3 (3.4.3~rc3-2) unstable; urgency=low
 +
 +  * Again list the complete version in the hypervisor.
 +  * Fix path detection for bootloader, document it. (closes: #481105)
 +  * Rewrite README.
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 08 Apr 2010 16:14:58 +0200
 +
 +xen-3 (3.4.3~rc3-1) unstable; urgency=low
 +
 +  * New upstream release candidate.
 +  * Use 3.0 (quilt) source format.
 +  * Always use current python version.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 01 Mar 2010 22:14:22 +0100
 +
 +xen-3 (3.4.2-2) unstable; urgency=low
 +
 +  * Remove Jeremy T. Bouse from uploaders.
 +  * Export blktap lib and headers.
 +  * Build amd64 hypervisor on i386. (closes: #366315)
 +
 + -- Bastian Blank <waldi at debian.org>  Sun, 22 Nov 2009 16:54:47 +0100
 +
 +xen-3 (3.4.2-1) unstable; urgency=low
 +
 +  * New upstream version.
 +  * Strip hvmloader by hand.
 +  * Remove extra license file from libxen-dev.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 16 Nov 2009 20:57:07 +0100
 +
 +xen-3 (3.4.1-1) unstable; urgency=low
 +
 +  * New upstream version.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 21 Aug 2009 21:34:38 +0200
 +
 +xen-3 (3.4.0-2) unstable; urgency=low
 +
 +  * Add symbols file for libxenstore3.0. (closes: #536173)
 +  * Document that ioemu is currently unsupported. (closes: #536175)
 +  * Fix location of fsimage plugins. (closes: #536174)
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 18 Jul 2009 18:05:35 +0200
 +
 +xen-3 (3.4.0-1) unstable; urgency=low
 +
 +  [ Bastian Blank ]
 +  * New upstream version.
 +  * Remove ioemu for now. (closes: #490409, #496367)
 +  * Remove non-pae hypervisor.
 +  * Use debhelper compat level 7.
 +  * Make the init script start all daemons.
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 30 Jun 2009 22:33:22 +0200
 +
 +xen-3 (3.2.1-2) unstable; urgency=low
 +
 +  * Use e2fslibs based ext2 support for pygrub. (closes: #476366)
 +  * Fix missing checks in pvfb code.
 +    See CVE-2008-1952. (closes: #487095)
 +  * Add support for loading bzImage files. (closes: #474509)
 +  * Enable TLS support in ioemu code.
 +  * Drop libcrypto usage because of GPL-incompatibility.
 +  * Remove AES code from blktap drivers. Considered broken.
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 28 Jun 2008 11:30:43 +0200
 +
 +xen-3 (3.2.1-1) unstable; urgency=low
 +
 +  * New upstream version.
 +  * Set rpath relative to ${ORIGIN}.
 +  * Add lintian override to xen-utils package.
 +
 + -- Bastian Blank <waldi at debian.org>  Thu, 22 May 2008 14:01:47 +0200
 +
 +xen-3 (3.2.0-5) unstable; urgency=low
 +
 +  * Provide correct directory to dh_pycentral.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 14 Apr 2008 21:43:49 +0200
 +
 +xen-3 (3.2.0-4) unstable; urgency=low
 +
 +  * Pull in newer xen-utils-common.
 +  * Fix missing size checks in the ioemu block driver. (closes: #469654)
 +    See: CVE-2008-0928
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 07 Mar 2008 14:21:38 +0100
 +
 +xen-3 (3.2.0-3) unstable; urgency=low
 +
 +  * Clean environment for build.
 +  * Add packages libxenstore3.0 and xenstore-utils.
 +  * Move docs package in docs section to match overwrites.
 +  * Make the hypervisor only recommend the utils.
 +  * Cleanup installation. (closes: #462989)
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 12 Feb 2008 12:40:56 +0000
 +
 +xen-3 (3.2.0-2) unstable; urgency=low
 +
 +  * Fix broken patch. (closes: #462522)
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 26 Jan 2008 17:21:52 +0000
 +
 +xen-3 (3.2.0-1) unstable; urgency=low
 +
 +  * New upstream version.
 +  * Add package libxen-dev. Including public headers and static libs.
 +    (closes: #402249)
 +  * Don't longer install xenfb, removed upstream.
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 22 Jan 2008 12:51:49 +0000
 +
 +xen-3 (3.1.2-2) unstable; urgency=low
 +
 +  * Add missing rpath definitions.
 +  * Fix building of pae version.
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 08 Dec 2007 12:07:42 +0000
 +
 +xen-3 (3.1.2-1) unstable; urgency=high
 +
 +  * New upstream release:
 +    - Move shared file into /var/run. (closes: #447795)
 +      See CVE-2007-3919.
 +    - x86: Fix various problems with debug-register handling. (closes: #451626)
 +      See CVE-2007-5906.
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 24 Nov 2007 13:24:45 +0000
 +
 +xen-3 (3.1.1-1) unstable; urgency=low
 +
 +  * New upstream release:
 +    - Don't use exec with untrusted values in pygrub. (closes: #444430)
 +      See CVE-2007-4993.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 19 Oct 2007 16:02:37 +0000
 +
 +xen-3 (3.1.0-2) unstable; urgency=low
 +
 +  * Switch to texlive for documentation.
 +  * Drop unused transfig.
 +  * Drop unused latex features from documentation.
 +  * Build depend against gcc-multilib for amd64. (closes: #439662)
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 31 Aug 2007 08:15:50 +0000
 +
 +xen-3 (3.1.0-1) unstable; urgency=low
 +
 +  [ Julien Danjou ]
 +  * New upstream version.
 +
 +  [ Ralph Passgang ]
 +  * Added graphviz to Build-Indeps
 +
 +  [ Bastian Blank ]
 +  * Upstream removed one part of the version. Do it also.
 +  * Merge utils packages.
 +  * Install blktap support.
 +  * Install pygrub.
 +  * Install xenfb tools.
 +  * xenconsoled startup is racy, wait a little bit.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon, 20 Aug 2007 15:05:08 +0000
 +
 +xen-3.0 (3.0.4-1-1) unstable; urgency=low
 +
 +  [ Bastian Blank ]
 +  * New upstream version (closes: #394411)
 +
 +  [ Guido Trotter ]
 +  * Actually try to build and release xen 3.0.4
 +  * Update build dependencies
 +
 + -- Guido Trotter <ultrotter at debian.org>  Wed, 23 May 2007 11:57:29 +0100
 +
 +xen-3.0 (3.0.3-0-2) unstable; urgency=medium
 +
 +  [Bastian Blank]
 +  * Remove device recreate code.
 +  * Remove build dependency on linux-support-X
 +
 +  [ Guido Trotter ]
 +  * Add missing build dependency on zlib1g-dev (closes: #396557)
 +  * Add missing build dependencies on libncurses5-dev and x11proto-core-dev
 +    (closes: #396561, #396567)
 +
 + -- Guido Trotter <ultrotter at debian.org>  Thu,  2 Nov 2006 16:38:02 +0000
 +
 +xen-3.0 (3.0.3-0-1) unstable; urgency=low
 +
 +  * New upstream version.
 +
 + -- Bastian Blank <waldi at debian.org>  Fri, 20 Oct 2006 11:04:35 +0000
 +
 +xen-3.0 (3.0.3~rc4+hg11760-1) unstable; urgency=low
 +
 +  * New upstream snapshot.
 +  * Ignore update-grub errors. (closes: #392534)
 +
 + -- Bastian Blank <waldi at debian.org>  Sat, 14 Oct 2006 13:09:53 +0000
 +
 +xen-3.0 (3.0.3~rc1+hg11686-1) unstable; urgency=low
 +
 +  * New upstream snapshot.
 +  * Rename ioemu package to include the complete version.
 +  * Fix name of hypervisor. (closes: #391771)
 +
 + -- Bastian Blank <waldi at debian.org>  Mon,  9 Oct 2006 12:48:13 +0000
 +
 +xen-3.0 (3.0.2-3+hg9762-1) unstable; urgency=low
 +
 +  * New upstream snapshot.
 +  * Rename hypervisor and utils packages to include the complete version.
 +  * Redo build environment.
 +
 + -- Bastian Blank <waldi at debian.org>  Mon,  4 Sep 2006 18:43:12 +0000
 +
 +xen-3.0 (3.0.2+hg9697-2) unstable; urgency=low
 +
 +  [ Guido Trotter ]
 +  * Update xen-utils' README.Debian (closes: #372524)
 +
 +  [ Bastian Blank ]
 +  * Adopt new python policy. (closes: #380990)
 +  * Add patch to make new kernels working on the hypervisor.
 +
 + -- Bastian Blank <waldi at debian.org>  Tue, 15 Aug 2006 19:20:08 +0000
 +
 +xen-3.0 (3.0.2+hg9697-1) unstable; urgency=low
 +
 +  [ Guido Trotter ]
 +  * Update Standards Version
 +  * Merge upstream fixes trunk (upstream 3.0.2-3 + a couple of fixes)
 +
 +  [ Bastian Blank ]
 +  * Add xen-ioemu-3.0 package to support HVM guests (closes: #368496)
 +
 + -- Guido Trotter <ultrotter at debian.org>  Wed, 31 May 2006 10:50:05 +0200
 +
 +xen-3.0 (3.0.2+hg9681-1) unstable; urgency=low
 +
 +  * Update xen-hypervisor-3.0-i386 and xen-hypervisor-3.0-i386-pae
 +    descriptions, specifying what the difference between the two packages is
 +    (closes: #366019)
 +  * Merge upstream fixes trunk
 +
 + -- Guido Trotter <ultrotter at debian.org>  Thu, 18 May 2006 15:25:02 +0200
 +
 +xen-3.0 (3.0.2+hg9656-1) unstable; urgency=low
 +
 +  * Merge upstream fixes trunk
 +    - This includes a fix for CVE-2006-1056
 +
 + -- Guido Trotter <ultrotter at debian.org>  Thu, 27 Apr 2006 17:34:03 +0200
 +
 +xen-3.0 (3.0.2+hg9651-1) unstable; urgency=low
 +
 +  * Merge upstream fixes trunk
 +  * Fix PAE disabled in pae build (Closes: #364875) 
 +
 + -- Julien Danjou <acid at debian.org>  Wed, 26 Apr 2006 13:19:39 +0200
 +
 +xen-3.0 (3.0.2+hg9646-1) unstable; urgency=low
 +
 +  [ Guido Trotter ]
 +  * Merge upstream fixes trunk
 +
 +  [ Bastian Blank ]
 +  * debian/patches/libdir.dpatch: Update to make xm save work
 +
 + -- Julien Danjou <acid at debian.org>  Mon, 24 Apr 2006 18:02:07 +0200
 +
 +xen-3.0 (3.0.2+hg9611-1) unstable; urgency=low
 +
 +  * Merge upstream bug fixes
 +  * Fix bug with xend init.d script
 +
 + -- Julien Danjou <acid at debian.org>  Wed, 12 Apr 2006 17:35:35 +0200
 +
 +xen-3.0 (3.0.2+hg9598-1) unstable; urgency=low
 +
 +  * New upstream release
 +  * Fix copyright file
 +
 + -- Julien Danjou <acid at debian.org>  Mon, 10 Apr 2006 17:02:55 +0200
 +
 +xen-3.0 (3.0.1+hg8762-1) unstable; urgency=low
 +
 +  * The "preserve our homes" release
 +  * Now cooperatively maintained by the Debian Xen Team
 +  * New upstream release (closes: #327493, #342249)
 +  * Build depend on transfig (closes: #321157)
 +  * Use gcc rather than gcc-3.4 to compile (closes: #323698)
 +  * Split xen-hypervisor-3.0 and xen-utils-3.0
 +  * Build both normal and pae hypervisor packages
 +  * Change maintainer and add uploaders field
 +  * Add force-reload support for init script xendomains
 +  * Remove dependency against bash
 +  * Bump standards version to 3.6.2.2
 +  * xen-utils-3.0 conflicts and replaces xen
 +  * Add dpatch structure to the package
 +  * Remove build-dependency on gcc (it's build essential anyway)
 +  * Make SrvServer.py not executable
 +  * Create NEWS.Debian file with important upgrade notices
 +  * Update copyright file
 +  * Remove the linux-patch-xen package
 +  * Removed useless build-dependencies: libncurses5-dev, wget
 +  * Changed xendomains config path to /etc/default
 +  * xen-utils-3.0 now provides xen-utils and xen-hypervisor-3.0-i386 &
 +    xen-hypervisor-3.0-i386-pae & xen-hypervizor-amd64 now provide
 +    xen-hypervisor
 +  * Made xen-utils-3.0.postinst more fault-tolerant, so that upgrading
 +    xen2 -> xen3 don't fail because of a running xen2 hypervisor
 +  * Updated the "Replaces & Conflicts"
 +  * Install only and correctly udev files
 +  * Compile date is no more in current locale
 +  * Add patch which add the debian version and maintainer in the version
 +    string and removes the banner.
 +  * Don't install unusable cruft in xen-utils
 +  * Remove libxen packages (no stable API/ABI)
 +
 + -- Julien Danjou <acid at debian.org>  Wed,  5 Apr 2006 16:05:07 +0200
 +
 +xen (2.0.6-1) unstable; urgency=low
 +
 +  * Patches applied upstream: non-xen-init-exit.patch, add-build.patch,
 +    python-install.patch, disable-html-docs.patch.
 +  * New upstream released.  Closes: #311336.
 +  * Remove comparison to UML from xen short description.  Closes: #317066.
 +  * Make packages conflicts with 1.2 doc debs.  Closes: #304285.
 +  * Add iproute to xen depends, as it uses /bin/ip.  Closes: #300488,
 +    #317468.
 +
 + -- Adam Heath <doogie at brainfood.com>  Wed, 06 Jul 2005 12:35:50 -0500
 +
 +xen (2.0.5-3) experimental; urgency=low
 +
 +  * Change priority/section to match the overrides file.
 +
 + -- Adam Heath <doogie at brainfood.com>  Fri, 18 Mar 2005 12:43:50 -0600
 +
 +xen (2.0.5-2) experimental; urgency=low
 +
 +  * Mike McCallister <mike+debian at metalogue.com>,
 +    Tommi Virtanen <tv at debian.org>, Tom Hibbert <tom at nsp.co.nz>:
 +    Fix missing '.' in update-rc.d call in xen.postinst.  Closes: #299384
 +
 + -- Adam Heath <doogie at brainfood.com>  Fri, 18 Mar 2005 11:39:56 -0600
 +
 +xen (2.0.5-1) experimental; urgency=low
 +
 +  * New upstream.
 +  * Remove pic-lib.patch, tools-misc-TARGETS.patch, and clean-mttr.patch
 +    as they have been applied upstream(in various forms).
 +  * xend now starts at priority 20, stops at 21, while xendomains starts
 +    at 21, and stops at 20.
 +
 + -- Adam Heath <doogie at brainfood.com>  Fri, 11 Mar 2005 14:33:33 -0600
 +
 +xen (2.0.4-4) experimental; urgency=low
 +
 +  * Bah, major booboo.  Add /boot to debian/xen.install, so xen.gz will
 +    get shipped.  Reported by Clint Adams <schizo at debian.org>.
 +
 + -- Adam Heath <doogie at brainfood.com>  Tue, 15 Feb 2005 13:00:57 -0600
 +
 +xen (2.0.4-3) experimental; urgency=low
 +
 +  * Fix file overlap(/usr/share/doc/xen/examples/*) between xen and
 +    xen-docs.  Reported by Tupshin Harper <tupshin at tupshin.com>.
 +
 + -- Adam Heath <doogie at brainfood.com>  Sun, 06 Feb 2005 01:22:45 -0600
 +
 +xen (2.0.4-2) experimental; urgency=low
 +
 +  * Fix kernel patch generation.  It was broken when I integrated with
 +    debian's kernel source.  I used a symlink, and diff doesn't follow
 +    those.
 +
 + -- Adam Heath <doogie at brainfood.com>  Sat, 05 Feb 2005 18:16:35 -0600
 +
 +xen (2.0.4-1) experimental; urgency=low
 +
 +  * New upstream.
 +  * xen.deb can now install on a plain kernel; that is, the init scripts
 +    exit successfully if /proc/xen/privcmd doesn't exist.  This allows
 +    for dual-boot setups.
 +  * Manpages do not yet exist xend, xenperf, xensv, xfrd, nor xm.  xend
 +    xfrd are daemons, and take little if any options.  I've not had a need
 +    to use xenperf nor xensv yet.  xm has nice built in help(xm help).
 +  * Upstream now requires either linux 2.4.29, or 2.6.10.  Since 2.4.29 is
 +    not yet in debian, disable the 2.4 patch generation.  Closes: #271245.
 +  * Not certain how the kernel-patch-xen was empty.  It's not now, with
 +    the repackaging.  Closes: #272299.
 +  * Xen no longer produces kernel images, so problems about missing features
 +    are no longer valid.  Closes: #253924.
 +  * Acknowledge nmu bugs:
 +    * No longer build-depend on gcc 3.3, as the default gcc works. Closes:
 +      #243048.
 +
 + -- Adam Heath <doogie at brainfood.com>  Sat, 05 Feb 2005 18:04:27 -0600
 +
 +xen (2.0.3-0.1) unstable; urgency=low
 +
 +  * Changes from Tommi Virtanen:
 +    * Added dh-kpatches and libcurl3-dev to Build-Depends.
 +    * Add /etc/xen/sv/params.py and /etc/xen/xend/params.py.
 +    * Add xmexample1 and xmexample2 to xen/doc/examples.
 +
 + -- Adam Heath <doogie at brainfood.com>  Wed, 26 Jan 2005 10:55:07 -0600
 +
 +xen (2.0.3-0) unstable; urgency=low
 +
 +  * New upstream.  Closes: #280733.
 +  * Repackaged from scratch.
 +  * Using unreleased patch management system.  See debian/README.build.
 +    * After extracting the .dsc, there are no special steps needed
 +    * Those wanting to change the source, use the normal procedures for
 +      any package, including using interdiff(or other tool) to send a
 +      patch to me or the bts.
 +  * No longer try to do anything fancy with regard to the layout of the
 +    built kernels.  Now, only patches are distributed.  Please make use of
 +    the xen support in kernel-package.
 +  * Early preview release to #debian-devel.
 +
 + -- Adam Heath <doogie at brainfood.com>  Tue, 25 Jan 2005 13:24:54 -0600
 +
 +xen (1.2-4.1) unstable; urgency=high
 +
 +  * NMU
 +  * Remove gcc-3.2 from Build-Depends as isn't used during build
 +    (Closes: #243048)
 +
 + -- Frank Lichtenheld <djpig at debian.org>  Sat, 21 Aug 2004 17:42:28 +0200
 +
 +xen (1.2-4) unstable; urgency=low
 +
 +  * Added xen-docs.README.Debian, which explains the kernel image layout,
 +    and contains references on the locations differ from what is mentioned
 +    by the upstream documentation.  Closes: #230345.
 +
 + -- Adam Heath <doogie at brainfood.com>  Fri, 26 Mar 2004 17:36:41 -0600
 +
 +xen (1.2-3) unstable; urgency=low
 +
 +  * Add kernel-source-2.4.25 and kernel-patch-debian-2.4.25 to
 +    Build-Depends-Indep.
 +
 + -- Adam Heath <doogie at brainfood.com>  Tue, 23 Mar 2004 20:14:39 -0600
 +
 +xen (1.2-2) unstable; urgency=low
 +
 +  * xen: moved /boot/xen.gz to /usr/lib/kernels/xen-i386/images/vmlinuz
 +  * kernel-image, kernel-modules: swapped i386/xeno to xeno/i386 in
 +    /usr/lib/kernels.
 +  * Add kernel-patch-nfs-swap deb.
 +  * Apply additional patches to kernel-image-xen:
 +    * nfs-group
 +    * nfs-swap
 +
 + -- Adam Heath <doogie at brainfood.com>  Thu, 04 Mar 2004 12:47:47 -0600
 +
 +xen (1.2-1) unstable; urgency=low
 +
 +  * Initial version.
 +
 + -- Adam Heath <doogie at brainfood.com>  Tue, 02 Mar 2004 13:21:52 -0600
diff --cc debian/patches/0039-x86-paging-make-log-dirty-operations-preemptible.patch
index 0000000,0000000..5f09fd2
new file mode 100644
--- /dev/null
+++ b/debian/patches/0039-x86-paging-make-log-dirty-operations-preemptible.patch
@@@ -1,0 -1,0 +1,655 @@@
++From d02bd66997ff7126172be0cfc9124974747a6d4d Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Fri, 17 Oct 2014 15:57:42 +0200
++Subject: x86/paging: make log-dirty operations preemptible
++
++Both the freeing and the inspection of the bitmap get done in (nested)
++loops which - besides having a rather high iteration count in general,
++albeit that would be covered by XSA-77 - have the number of non-trivial
++iterations they need to perform (indirectly) controllable by both the
++guest they are for and any domain controlling the guest (including the
++one running qemu for it).
++
++Note that the tying of the continuations to the invoking domain (which
++previously [wrongly] used the invoking vCPU instead) implies that the
++tools requesting such operations have to make sure they don't issue
++multiple similar operations in parallel.
++
++Note further that this breaks supervisor-mode kernel assumptions in
++hypercall_create_continuation() (where regs->eip gets rewound to the
++current hypercall stub beginning), but otoh
++hypercall_cancel_continuation() doesn't work in that mode either.
++Perhaps time to rip out all the remains of that feature?
++
++This is part of CVE-2014-5146 / XSA-97.
++
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Tim Deegan <tim at xen.org>
++Tested-by: Andrew Cooper <andrew.cooper3 at citrix.com>
++master commit: 070493dfd2788e061b53f074b7ba97507fbcbf65
++master date: 2014-10-06 11:22:04 +0200
++---
++ xen/arch/x86/domain.c              |   4 +-
++ xen/arch/x86/domctl.c              |   8 +-
++ xen/arch/x86/hvm/hvm.c             |   9 +-
++ xen/arch/x86/mm/paging.c           | 261 ++++++++++++++++++++++++++++++-------
++ xen/arch/x86/x86_64/compat/entry.S |   2 +
++ xen/arch/x86/x86_64/entry.S        |   2 +
++ xen/common/domain.c                |   1 -
++ xen/include/asm-x86/domain.h       |  14 ++
++ xen/include/asm-x86/paging.h       |  13 +-
++ 9 files changed, 252 insertions(+), 62 deletions(-)
++
++diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
++index 195b07f..789e4a0 100644
++--- a/xen/arch/x86/domain.c
+++++ b/xen/arch/x86/domain.c
++@@ -1915,7 +1915,9 @@ int domain_relinquish_resources(struct domain *d)
++         pci_release_devices(d);
++ 
++         /* Tear down paging-assistance stuff. */
++-        paging_teardown(d);
+++        ret = paging_teardown(d);
+++        if ( ret )
+++            return ret;
++ 
++         /* Drop the in-use references to page-table bases. */
++         for_each_vcpu ( d, v )
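Review bot: the early "return ret" after paging_teardown(d) sits below pci_release_devices(d) in the same block, so if the caller retries this stage from its start after -EAGAIN, pci_release_devices() and the hap_teardown()/shadow_teardown() call inside paging_teardown() run again on every retry. Please confirm those are safe to repeat, or give the log-dirty free its own restart point so that only the preemptible part is re-entered.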
++diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
++index a967b65..f5e9e2c 100644
++--- a/xen/arch/x86/domctl.c
+++++ b/xen/arch/x86/domctl.c
++@@ -58,9 +58,11 @@ long arch_do_domctl(
++ 
++     case XEN_DOMCTL_shadow_op:
++     {
++-        ret = paging_domctl(d,
++-                            &domctl->u.shadow_op,
++-                            guest_handle_cast(u_domctl, void));
+++        ret = paging_domctl(d, &domctl->u.shadow_op,
+++                            guest_handle_cast(u_domctl, void), 0);
+++        if ( ret == -EAGAIN )
+++            return hypercall_create_continuation(__HYPERVISOR_arch_1,
+++                                                 "h", u_domctl);
++         copyback = 1;
++     }
++     break;
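Review bot: the return on -EAGAIN leaves arch_do_domctl() from inside the case, before copyback = 1 and before anything that follows the break. A one-line comment that this is intended (the continuation re-enters through __HYPERVISOR_arch_1, and paging_domctl_continuation() does its own copy-back) would help, and the bare 0 passed as the new resuming argument would read better with a /* resuming */ comment.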
++diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
++index 3289604..0c04972 100644
++--- a/xen/arch/x86/hvm/hvm.c
+++++ b/xen/arch/x86/hvm/hvm.c
++@@ -3440,7 +3440,8 @@ static hvm_hypercall_t *const hvm_hypercall64_table[NR_hypercalls] = {
++     HYPERCALL(hvm_op),
++     HYPERCALL(sysctl),
++     HYPERCALL(domctl),
++-    HYPERCALL(tmem_op)
+++    HYPERCALL(tmem_op),
+++    [ __HYPERVISOR_arch_1 ] = (hvm_hypercall_t *)paging_domctl_continuation
++ };
++ 
++ #define COMPAT_CALL(x)                                        \
++@@ -3460,7 +3461,8 @@ static hvm_hypercall_t *const hvm_hypercall32_table[NR_hypercalls] = {
++     HYPERCALL(hvm_op),
++     HYPERCALL(sysctl),
++     HYPERCALL(domctl),
++-    HYPERCALL(tmem_op)
+++    HYPERCALL(tmem_op),
+++    [ __HYPERVISOR_arch_1 ] = (hvm_hypercall_t *)paging_domctl_continuation
++ };
++ 
++ /* PVH 32bitfixme. */
++@@ -3478,7 +3480,8 @@ static hvm_hypercall_t *const pvh_hypercall64_table[NR_hypercalls] = {
++     [ __HYPERVISOR_physdev_op ]      = (hvm_hypercall_t *)hvm_physdev_op,
++     HYPERCALL(hvm_op),
++     HYPERCALL(sysctl),
++-    HYPERCALL(domctl)
+++    HYPERCALL(domctl),
+++    [ __HYPERVISOR_arch_1 ] = (hvm_hypercall_t *)paging_domctl_continuation
++ };
++ 
++ int hvm_do_hypercall(struct cpu_user_regs *regs)
++diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
++index ab5eacb..fb418fe 100644
++--- a/xen/arch/x86/mm/paging.c
+++++ b/xen/arch/x86/mm/paging.c
++@@ -26,6 +26,7 @@
++ #include <asm/shadow.h>
++ #include <asm/p2m.h>
++ #include <asm/hap.h>
+++#include <asm/event.h>
++ #include <asm/hvm/nestedhvm.h>
++ #include <xen/numa.h>
++ #include <xsm/xsm.h>
++@@ -116,26 +117,46 @@ static void paging_free_log_dirty_page(struct domain *d, mfn_t mfn)
++     d->arch.paging.free_page(d, mfn_to_page(mfn));
++ }
++ 
++-void paging_free_log_dirty_bitmap(struct domain *d)
+++static int paging_free_log_dirty_bitmap(struct domain *d, int rc)
++ {
++     mfn_t *l4, *l3, *l2;
++     int i4, i3, i2;
++ 
+++    paging_lock(d);
+++
++     if ( !mfn_valid(d->arch.paging.log_dirty.top) )
++-        return;
+++    {
+++        paging_unlock(d);
+++        return 0;
+++    }
++ 
++-    paging_lock(d);
+++    if ( !d->arch.paging.preempt.dom )
+++    {
+++        memset(&d->arch.paging.preempt.log_dirty, 0,
+++               sizeof(d->arch.paging.preempt.log_dirty));
+++        ASSERT(rc <= 0);
+++        d->arch.paging.preempt.log_dirty.done = -rc;
+++    }
+++    else if ( d->arch.paging.preempt.dom != current->domain ||
+++              d->arch.paging.preempt.op != XEN_DOMCTL_SHADOW_OP_OFF )
+++    {
+++        paging_unlock(d);
+++        return -EBUSY;
+++    }
++ 
++     l4 = map_domain_page(mfn_x(d->arch.paging.log_dirty.top));
+++    i4 = d->arch.paging.preempt.log_dirty.i4;
+++    i3 = d->arch.paging.preempt.log_dirty.i3;
+++    rc = 0;
++ 
++-    for ( i4 = 0; i4 < LOGDIRTY_NODE_ENTRIES; i4++ )
+++    for ( ; i4 < LOGDIRTY_NODE_ENTRIES; i4++, i3 = 0 )
++     {
++         if ( !mfn_valid(l4[i4]) )
++             continue;
++ 
++         l3 = map_domain_page(mfn_x(l4[i4]));
++ 
++-        for ( i3 = 0; i3 < LOGDIRTY_NODE_ENTRIES; i3++ )
+++        for ( ; i3 < LOGDIRTY_NODE_ENTRIES; i3++ )
++         {
++             if ( !mfn_valid(l3[i3]) )
++                 continue;
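Review bot: "d->arch.paging.preempt.log_dirty.done = -rc" stores the negated return code of the disable step in a field that paging_log_dirty_op() uses as a page count, and nothing in this hunk says so. Add a comment at the ASSERT(rc <= 0) explaining that done carries the caller's pending return value across continuations on this path, or give the free path its own member in the union.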
++@@ -148,20 +169,54 @@ void paging_free_log_dirty_bitmap(struct domain *d)
++ 
++             unmap_domain_page(l2);
++             paging_free_log_dirty_page(d, l3[i3]);
+++            l3[i3] = _mfn(INVALID_MFN);
+++
+++            if ( i3 < LOGDIRTY_NODE_ENTRIES - 1 && hypercall_preempt_check() )
+++            {
+++                d->arch.paging.preempt.log_dirty.i3 = i3 + 1;
+++                d->arch.paging.preempt.log_dirty.i4 = i4;
+++                rc = -EAGAIN;
+++                break;
+++            }
++         }
++ 
++         unmap_domain_page(l3);
+++        if ( rc )
+++            break;
++         paging_free_log_dirty_page(d, l4[i4]);
+++        l4[i4] = _mfn(INVALID_MFN);
+++
+++        if ( i4 < LOGDIRTY_NODE_ENTRIES - 1 && hypercall_preempt_check() )
+++        {
+++            d->arch.paging.preempt.log_dirty.i3 = 0;
+++            d->arch.paging.preempt.log_dirty.i4 = i4 + 1;
+++            rc = -EAGAIN;
+++            break;
+++        }
++     }
++ 
++     unmap_domain_page(l4);
++-    paging_free_log_dirty_page(d, d->arch.paging.log_dirty.top);
++-    d->arch.paging.log_dirty.top = _mfn(INVALID_MFN);
++ 
++-    ASSERT(d->arch.paging.log_dirty.allocs == 0);
++-    d->arch.paging.log_dirty.failed_allocs = 0;
+++    if ( !rc )
+++    {
+++        paging_free_log_dirty_page(d, d->arch.paging.log_dirty.top);
+++        d->arch.paging.log_dirty.top = _mfn(INVALID_MFN);
+++
+++        ASSERT(d->arch.paging.log_dirty.allocs == 0);
+++        d->arch.paging.log_dirty.failed_allocs = 0;
+++
+++        rc = -d->arch.paging.preempt.log_dirty.done;
+++        d->arch.paging.preempt.dom = NULL;
+++    }
+++    else
+++    {
+++        d->arch.paging.preempt.dom = current->domain;
+++        d->arch.paging.preempt.op = XEN_DOMCTL_SHADOW_OP_OFF;
+++    }
++ 
++     paging_unlock(d);
+++
+++    return rc;
++ }
++ 
++ int paging_log_dirty_enable(struct domain *d, bool_t log_global)
++@@ -178,15 +233,25 @@ int paging_log_dirty_enable(struct domain *d, bool_t log_global)
++     return ret;
++ }
++ 
++-int paging_log_dirty_disable(struct domain *d)
+++static int paging_log_dirty_disable(struct domain *d, bool_t resuming)
++ {
++-    int ret;
+++    int ret = 1;
+++
+++    if ( !resuming )
+++    {
+++        domain_pause(d);
+++        /* Safe because the domain is paused. */
+++        if ( paging_mode_log_dirty(d) )
+++        {
+++            ret = d->arch.paging.log_dirty.disable_log_dirty(d);
+++            ASSERT(ret <= 0);
+++        }
+++    }
+++
+++    ret = paging_free_log_dirty_bitmap(d, ret);
+++    if ( ret == -EAGAIN )
+++        return ret;
++ 
++-    domain_pause(d);
++-    /* Safe because the domain is paused. */
++-    ret = d->arch.paging.log_dirty.disable_log_dirty(d);
++-    if ( !paging_mode_log_dirty(d) )
++-        paging_free_log_dirty_bitmap(d);
++     domain_unpause(d);
++ 
++     return ret;
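Review bot: "int ret = 1" is passed unchanged to paging_free_log_dirty_bitmap() when !resuming and paging_mode_log_dirty(d) is false, and that function's fresh-start branch has ASSERT(rc <= 0). This is only safe if log_dirty.top is always invalid while log-dirty mode is off, so that the early "return 0" is taken first; state that invariant in a comment and say what the initial 1 is meant to signal. The -EAGAIN return also skips domain_unpause(d) on purpose, which deserves a comment of its own.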
++@@ -326,7 +391,9 @@ int paging_mfn_is_dirty(struct domain *d, mfn_t gmfn)
++ 
++ /* Read a domain's log-dirty bitmap and stats.  If the operation is a CLEAN,
++  * clear the bitmap and stats as well. */
++-int paging_log_dirty_op(struct domain *d, struct xen_domctl_shadow_op *sc)
+++static int paging_log_dirty_op(struct domain *d,
+++                               struct xen_domctl_shadow_op *sc,
+++                               bool_t resuming)
++ {
++     int rv = 0, clean = 0, peek = 1;
++     unsigned long pages = 0;
++@@ -334,9 +401,22 @@ int paging_log_dirty_op(struct domain *d, struct xen_domctl_shadow_op *sc)
++     unsigned long *l1 = NULL;
++     int i4, i3, i2;
++ 
++-    domain_pause(d);
+++    if ( !resuming )
+++        domain_pause(d);
++     paging_lock(d);
++ 
+++    if ( !d->arch.paging.preempt.dom )
+++        memset(&d->arch.paging.preempt.log_dirty, 0,
+++               sizeof(d->arch.paging.preempt.log_dirty));
+++    else if ( d->arch.paging.preempt.dom != current->domain ||
+++              d->arch.paging.preempt.op != sc->op )
+++    {
+++        paging_unlock(d);
+++        ASSERT(!resuming);
+++        domain_unpause(d);
+++        return -EBUSY;
+++    }
+++
++     clean = (sc->op == XEN_DOMCTL_SHADOW_OP_CLEAN);
++ 
++     PAGING_DEBUG(LOGDIRTY, "log-dirty %s: dom %u faults=%u dirty=%u\n",
++@@ -348,12 +428,6 @@ int paging_log_dirty_op(struct domain *d, struct xen_domctl_shadow_op *sc)
++     sc->stats.fault_count = d->arch.paging.log_dirty.fault_count;
++     sc->stats.dirty_count = d->arch.paging.log_dirty.dirty_count;
++ 
++-    if ( clean )
++-    {
++-        d->arch.paging.log_dirty.fault_count = 0;
++-        d->arch.paging.log_dirty.dirty_count = 0;
++-    }
++-
++     if ( guest_handle_is_null(sc->dirty_bitmap) )
++         /* caller may have wanted just to clean the state or access stats. */
++         peek = 0;
++@@ -365,17 +439,15 @@ int paging_log_dirty_op(struct domain *d, struct xen_domctl_shadow_op *sc)
++         goto out;
++     }
++ 
++-    pages = 0;
++     l4 = paging_map_log_dirty_bitmap(d);
+++    i4 = d->arch.paging.preempt.log_dirty.i4;
+++    i3 = d->arch.paging.preempt.log_dirty.i3;
+++    pages = d->arch.paging.preempt.log_dirty.done;
++ 
++-    for ( i4 = 0;
++-          (pages < sc->pages) && (i4 < LOGDIRTY_NODE_ENTRIES);
++-          i4++ )
+++    for ( ; (pages < sc->pages) && (i4 < LOGDIRTY_NODE_ENTRIES); i4++, i3 = 0 )
++     {
++         l3 = (l4 && mfn_valid(l4[i4])) ? map_domain_page(mfn_x(l4[i4])) : NULL;
++-        for ( i3 = 0;
++-              (pages < sc->pages) && (i3 < LOGDIRTY_NODE_ENTRIES);
++-              i3++ )
+++        for ( ; (pages < sc->pages) && (i3 < LOGDIRTY_NODE_ENTRIES); i3++ )
++         {
++             l2 = ((l3 && mfn_valid(l3[i3])) ?
++                   map_domain_page(mfn_x(l3[i3])) : NULL);
++@@ -410,18 +482,58 @@ int paging_log_dirty_op(struct domain *d, struct xen_domctl_shadow_op *sc)
++             }
++             if ( l2 )
++                 unmap_domain_page(l2);
+++
+++            if ( i3 < LOGDIRTY_NODE_ENTRIES - 1 && hypercall_preempt_check() )
+++            {
+++                d->arch.paging.preempt.log_dirty.i4 = i4;
+++                d->arch.paging.preempt.log_dirty.i3 = i3 + 1;
+++                rv = -EAGAIN;
+++                break;
+++            }
++         }
++         if ( l3 )
++             unmap_domain_page(l3);
+++
+++        if ( !rv && i4 < LOGDIRTY_NODE_ENTRIES - 1 &&
+++             hypercall_preempt_check() )
+++        {
+++            d->arch.paging.preempt.log_dirty.i4 = i4 + 1;
+++            d->arch.paging.preempt.log_dirty.i3 = 0;
+++            rv = -EAGAIN;
+++        }
+++        if ( rv )
+++            break;
++     }
++     if ( l4 )
++         unmap_domain_page(l4);
++ 
++-    if ( pages < sc->pages )
++-        sc->pages = pages;
+++    if ( !rv )
+++    {
+++        d->arch.paging.preempt.dom = NULL;
+++        if ( clean )
+++        {
+++            d->arch.paging.log_dirty.fault_count = 0;
+++            d->arch.paging.log_dirty.dirty_count = 0;
+++        }
+++    }
+++    else
+++    {
+++        d->arch.paging.preempt.dom = current->domain;
+++        d->arch.paging.preempt.op = sc->op;
+++        d->arch.paging.preempt.log_dirty.done = pages;
+++    }
++ 
++     paging_unlock(d);
++ 
+++    if ( rv )
+++    {
+++        /* Never leave the domain paused on real errors. */
+++        ASSERT(rv == -EAGAIN);
+++        return rv;
+++    }
+++
+++    if ( pages < sc->pages )
+++        sc->pages = pages;
++     if ( clean )
++     {
++         /* We need to further call clean_dirty_bitmap() functions of specific
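Review bot: in the "if ( rv )" block after paging_unlock(d), the comment says the domain must never stay paused on real errors, but the only enforcement is ASSERT(rv == -EAGAIN), which does nothing in a non-debug build. If rv ever holds another error at this point, the function returns with the domain still paused and preempt.dom still set; handling that case explicitly (unpause and clear preempt.dom unless rv == -EAGAIN) would make the comment true in all builds.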
++@@ -432,6 +544,7 @@ int paging_log_dirty_op(struct domain *d, struct xen_domctl_shadow_op *sc)
++     return rv;
++ 
++  out:
+++    d->arch.paging.preempt.dom = NULL;
++     paging_unlock(d);
++     domain_unpause(d);
++ 
++@@ -499,12 +612,6 @@ void paging_log_dirty_init(struct domain *d,
++     d->arch.paging.log_dirty.clean_dirty_bitmap = clean_dirty_bitmap;
++ }
++ 
++-/* This function fress log dirty bitmap resources. */
++-static void paging_log_dirty_teardown(struct domain*d)
++-{
++-    paging_free_log_dirty_bitmap(d);
++-}
++-
++ /************************************************/
++ /*           CODE FOR PAGING SUPPORT            */
++ /************************************************/
++@@ -546,7 +653,7 @@ void paging_vcpu_init(struct vcpu *v)
++ 
++ 
++ int paging_domctl(struct domain *d, xen_domctl_shadow_op_t *sc,
++-                  XEN_GUEST_HANDLE_PARAM(void) u_domctl)
+++                  XEN_GUEST_HANDLE_PARAM(void) u_domctl, bool_t resuming)
++ {
++     int rc;
++ 
++@@ -570,6 +677,21 @@ int paging_domctl(struct domain *d, xen_domctl_shadow_op_t *sc,
++         return -EINVAL;
++     }
++ 
+++    if ( resuming
+++         ? (d->arch.paging.preempt.dom != current->domain ||
+++            d->arch.paging.preempt.op != sc->op)
+++         : (d->arch.paging.preempt.dom &&
+++            sc->op != XEN_DOMCTL_SHADOW_OP_GET_ALLOCATION) )
+++    {
+++        printk(XENLOG_G_DEBUG
+++               "d%d:v%d: Paging op %#x on Dom%u with unfinished prior op %#x by Dom%u\n",
+++               current->domain->domain_id, current->vcpu_id,
+++               sc->op, d->domain_id, d->arch.paging.preempt.op,
+++               d->arch.paging.preempt.dom
+++               ? d->arch.paging.preempt.dom->domain_id : DOMID_INVALID);
+++        return -EBUSY;
+++    }
+++
++     rc = xsm_shadow_control(XSM_HOOK, d, sc->op);
++     if ( rc )
++         return rc;
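Review bot: the printk reads d->arch.paging.preempt.dom->domain_id, yet the places that set preempt.dom store current->domain as a bare pointer and none of the visible hunks takes a reference on it. If the invoking domain can go away while its operation is unfinished, this check compares against and reads through a stale pointer; recording the domain ID instead of the pointer would avoid that. Separately, this -EBUSY test and its log line run before xsm_shadow_control(), so consider moving the test below the XSM check.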
++@@ -594,14 +716,13 @@ int paging_domctl(struct domain *d, xen_domctl_shadow_op_t *sc,
++         return paging_log_dirty_enable(d, 1);
++ 
++     case XEN_DOMCTL_SHADOW_OP_OFF:
++-        if ( paging_mode_log_dirty(d) )
++-            if ( (rc = paging_log_dirty_disable(d)) != 0 )
++-                return rc;
+++        if ( (rc = paging_log_dirty_disable(d, resuming)) != 0 )
+++            return rc;
++         break;
++ 
++     case XEN_DOMCTL_SHADOW_OP_CLEAN:
++     case XEN_DOMCTL_SHADOW_OP_PEEK:
++-        return paging_log_dirty_op(d, sc);
+++        return paging_log_dirty_op(d, sc, resuming);
++     }
++ 
++     /* Here, dispatch domctl to the appropriate paging code */
++@@ -611,19 +732,67 @@ int paging_domctl(struct domain *d, xen_domctl_shadow_op_t *sc,
++         return shadow_domctl(d, sc, u_domctl);
++ }
++ 
+++long paging_domctl_continuation(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
+++{
+++    struct xen_domctl op;
+++    struct domain *d;
+++    int ret;
+++
+++    if ( copy_from_guest(&op, u_domctl, 1) )
+++        return -EFAULT;
+++
+++    if ( op.interface_version != XEN_DOMCTL_INTERFACE_VERSION ||
+++         op.cmd != XEN_DOMCTL_shadow_op )
+++        return -EBADRQC;
+++
+++    d = rcu_lock_domain_by_id(op.domain);
+++    if ( d == NULL )
+++        return -ESRCH;
+++
+++    ret = xsm_domctl(XSM_OTHER, d, op.cmd);
+++    if ( !ret )
+++    {
+++        if ( domctl_lock_acquire() )
+++        {
+++            ret = paging_domctl(d, &op.u.shadow_op,
+++                                guest_handle_cast(u_domctl, void), 1);
+++
+++            domctl_lock_release();
+++        }
+++        else
+++            ret = -EAGAIN;
+++    }
+++
+++    rcu_unlock_domain(d);
+++
+++    if ( ret == -EAGAIN )
+++        ret = hypercall_create_continuation(__HYPERVISOR_arch_1,
+++                                            "h", u_domctl);
+++    else if ( __copy_field_to_guest(u_domctl, &op, u.shadow_op) )
+++        ret = -EFAULT;
+++
+++    return ret;
+++}
+++
++ /* Call when destroying a domain */
++-void paging_teardown(struct domain *d)
+++int paging_teardown(struct domain *d)
++ {
+++    int rc;
+++
++     if ( hap_enabled(d) )
++         hap_teardown(d);
++     else
++         shadow_teardown(d);
++ 
++     /* clean up log dirty resources. */
++-    paging_log_dirty_teardown(d);
+++    rc = paging_free_log_dirty_bitmap(d, 0);
+++    if ( rc == -EAGAIN )
+++        return rc;
++ 
++     /* Move populate-on-demand cache back to domain_list for destruction */
++     p2m_pod_empty_cache(d);
+++
+++    return rc;
++ }
++ 
++ /* Call once all of the references to the domain have gone away */
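Review bot: paging_domctl_continuation() re-reads the whole xen_domctl from guest memory with copy_from_guest() on every re-entry, so op.domain, sc->pages and sc->dirty_bitmap need not match what the first pass saw; only preempt.dom and preempt.op are re-checked in paging_domctl(). If op.domain differs on re-entry, the originally targeted domain is left paused with preempt.dom set. Please add a comment saying which fields are trusted across continuations and how an abandoned operation gets cleaned up.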
++diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
++index 594b0b9..94f5b8d 100644
++--- a/xen/arch/x86/x86_64/compat/entry.S
+++++ b/xen/arch/x86/x86_64/compat/entry.S
++@@ -420,6 +420,7 @@ ENTRY(compat_hypercall_table)
++         .quad compat_ni_hypercall
++         .endr
++         .quad do_mca                    /* 48 */
+++        .quad paging_domctl_continuation
++         .rept NR_hypercalls-((.-compat_hypercall_table)/8)
++         .quad compat_ni_hypercall
++         .endr
++@@ -468,6 +469,7 @@ ENTRY(compat_hypercall_args_table)
++         .byte 0 /* compat_ni_hypercall      */
++         .endr
++         .byte 1 /* do_mca                   */
+++        .byte 1 /* paging_domctl_continuation      */
++         .rept NR_hypercalls-(.-compat_hypercall_args_table)
++         .byte 0 /* compat_ni_hypercall      */
++         .endr
++diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
++index 3ea4683..c634217 100644
++--- a/xen/arch/x86/x86_64/entry.S
+++++ b/xen/arch/x86/x86_64/entry.S
++@@ -761,6 +761,7 @@ ENTRY(hypercall_table)
++         .quad do_ni_hypercall
++         .endr
++         .quad do_mca                /* 48 */
+++        .quad paging_domctl_continuation
++         .rept NR_hypercalls-((.-hypercall_table)/8)
++         .quad do_ni_hypercall
++         .endr
++@@ -809,6 +810,7 @@ ENTRY(hypercall_args_table)
++         .byte 0 /* do_ni_hypercall      */
++         .endr
++         .byte 1 /* do_mca               */  /* 48 */
+++        .byte 1 /* paging_domctl_continuation */
++         .rept NR_hypercalls-(.-hypercall_args_table)
++         .byte 0 /* do_ni_hypercall      */
++         .endr
++diff --git a/xen/common/domain.c b/xen/common/domain.c
++index 1308193..f050af5 100644
++--- a/xen/common/domain.c
+++++ b/xen/common/domain.c
++@@ -536,7 +536,6 @@ int domain_kill(struct domain *d)
++         rc = domain_relinquish_resources(d);
++         if ( rc != 0 )
++         {
++-            BUG_ON(rc != -EAGAIN);
++             break;
++         }
++         if ( sched_move_domain(d, cpupool0) )
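Review bot: dropping `BUG_ON(rc != -EAGAIN);` in domain_kill() means every non-zero return from domain_relinquish_resources(d) now takes the `break` silently. If other error codes are now legitimate, name them in a comment at this spot; if they are not, keep a weaker check so an unexpected code is still noticed in debug builds.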
++diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
++index 4ff89f0..7dfbbcb 100644
++--- a/xen/include/asm-x86/domain.h
+++++ b/xen/include/asm-x86/domain.h
++@@ -186,6 +186,20 @@ struct paging_domain {
++     struct hap_domain       hap;
++     /* log dirty support */
++     struct log_dirty_domain log_dirty;
+++
+++    /* preemption handling */
+++    struct {
+++        const struct domain *dom;
+++        unsigned int op;
+++        union {
+++            struct {
+++                unsigned long done:PADDR_BITS - PAGE_SHIFT;
+++                unsigned long i4:PAGETABLE_ORDER;
+++                unsigned long i3:PAGETABLE_ORDER;
+++            } log_dirty;
+++        };
+++    } preempt;
+++
++     /* alloc/free pages from the pool for paging-assistance structures
++      * (used by p2m and log-dirty code for their tries) */
++     struct page_info * (*alloc_page)(struct domain *d);
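Review bot: the new `preempt` member of struct paging_domain is documented only as `/* preemption handling */`, with nothing on what `dom` and `op` identify, which lock guards the fields, or when they are reset. `dom` is a bare `const struct domain *` kept across a continuation, so the comment should say whether it is only compared or may be dereferenced. The bitfield width `PADDR_BITS - PAGE_SHIFT` would also read more safely with parentheses around it.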
++diff --git a/xen/include/asm-x86/paging.h b/xen/include/asm-x86/paging.h
++index 8dd2a61..0a7c73c 100644
++--- a/xen/include/asm-x86/paging.h
+++++ b/xen/include/asm-x86/paging.h
++@@ -133,9 +133,6 @@ struct paging_mode {
++ /*****************************************************************************
++  * Log dirty code */
++ 
++-/* free log dirty bitmap resource */
++-void paging_free_log_dirty_bitmap(struct domain *d);
++-
++ /* get the dirty bitmap for a specific range of pfns */
++ void paging_log_dirty_range(struct domain *d,
++                             unsigned long begin_pfn,
++@@ -145,9 +142,6 @@ void paging_log_dirty_range(struct domain *d,
++ /* enable log dirty */
++ int paging_log_dirty_enable(struct domain *d, bool_t log_global);
++ 
++-/* disable log dirty */
++-int paging_log_dirty_disable(struct domain *d);
++-
++ /* log dirty initialization */
++ void paging_log_dirty_init(struct domain *d,
++                            int  (*enable_log_dirty)(struct domain *d,
++@@ -204,10 +198,13 @@ int paging_domain_init(struct domain *d, unsigned int domcr_flags);
++  * and disable ephemeral shadow modes (test mode and log-dirty mode) and
++  * manipulate the log-dirty bitmap. */
++ int paging_domctl(struct domain *d, xen_domctl_shadow_op_t *sc,
++-                  XEN_GUEST_HANDLE_PARAM(void) u_domctl);
+++                  XEN_GUEST_HANDLE_PARAM(void) u_domctl, bool_t resuming);
+++
+++/* Helper hypercall for dealing with continuations. */
+++long paging_domctl_continuation(XEN_GUEST_HANDLE_PARAM(xen_domctl_t));
++ 
++ /* Call when destroying a domain */
++-void paging_teardown(struct domain *d);
+++int paging_teardown(struct domain *d);
++ 
++ /* Call once all of the references to the domain have gone away */
++ void paging_final_teardown(struct domain *d);
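Review bot: paging_domctl() gains a `bool_t resuming` parameter and paging_teardown() changes from void to int, but the comments above both prototypes are left as they were. Document what `resuming` means to callers, and that paging_teardown() can return -EAGAIN and must then be called again, since this header is where callers will look.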
diff --cc debian/patches/0040-x86-don-t-allow-page-table-updates-on-non-PV-page-ta.patch
index 0000000,0000000..37c49b3
new file mode 100644
--- /dev/null
+++ b/debian/patches/0040-x86-don-t-allow-page-table-updates-on-non-PV-page-ta.patch
@@@ -1,0 -1,0 +1,36 @@@
++From 27d4dc69bc564e8c6307859c74225fe0806721d4 Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Tue, 18 Nov 2014 14:27:46 +0100
++Subject: x86: don't allow page table updates on non-PV page tables in
++ do_mmu_update()
++
++paging_write_guest_entry() and paging_cmpxchg_guest_entry() aren't
++consistently supported for non-PV guests (they'd deref NULL for PVH or
++non-HAP HVM ones). Don't allow respective MMU_* operations on the
++page tables of such domains.
++
++This is CVE-2014-8594 / XSA-109.
++
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Acked-by: Tim Deegan <tim at xen.org>
++master commit: e4292c5aac41b80f33d4877104348d5ee7c95aa4
++master date: 2014-11-18 14:15:21 +0100
++---
++ xen/arch/x86/mm.c | 4 ++++
++ 1 file changed, 4 insertions(+)
++
++diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
++index fdc5ed3..f88323f 100644
++--- a/xen/arch/x86/mm.c
+++++ b/xen/arch/x86/mm.c
++@@ -3508,6 +3508,10 @@ long do_mmu_update(
++         {
++             p2m_type_t p2mt;
++ 
+++            rc = -EOPNOTSUPP;
+++            if ( unlikely(paging_mode_refcounts(pt_owner)) )
+++                break;
+++
++             xsm_needed |= XSM_MMU_NORMAL_UPDATE;
++             if ( get_pte_flags(req.val) & _PAGE_PRESENT )
++             {
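Review bot: the added check in do_mmu_update() has no comment, and `paging_mode_refcounts(pt_owner)` does not by itself read as "non-PV page tables" to someone who has not seen the commit message. A short comment above `rc = -EOPNOTSUPP;` saying that paging_write_guest_entry() and paging_cmpxchg_guest_entry() are not usable for such domains would keep the reason next to the code. rc is also assigned before the test, so the fall-through path depends on later code setting rc again; confirm that every following path does.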
diff --cc debian/patches/0041-x86emul-enforce-privilege-level-restrictions-when-lo.patch
index 0000000,0000000..90a9938
new file mode 100644
--- /dev/null
+++ b/debian/patches/0041-x86emul-enforce-privilege-level-restrictions-when-lo.patch
@@@ -1,0 -1,0 +1,166 @@@
++From f858b972fb83694e140678b8bfdd812299f3af51 Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Tue, 18 Nov 2014 14:28:45 +0100
++Subject: x86emul: enforce privilege level restrictions when loading CS
++
++Privilege level checks were basically missing for the CS case, the
++only check that was done (RPL == DPL for nonconforming segments)
++was solely covering a single special case (return to non-conforming
++segment).
++
++Additionally in long mode the L bit set requires the D bit to be clear,
++as was recently pointed out for KVM by Nadav Amit
++<namit at cs.technion.ac.il>.
++
++Finally we also need to force the loaded selector's RPL to CPL (at
++least as long as lret/retf emulation doesn't support privilege level
++changes).
++
++This is CVE-2014-8595 / XSA-110.
++
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Tim Deegan <tim at xen.org>
++master commit: 1d68c1a70e00ed95ef0889cfa005379dab27b37d
++master date: 2014-11-18 14:16:23 +0100
++---
++ xen/arch/x86/x86_emulate/x86_emulate.c | 42 ++++++++++++++++++++++------------
++ 1 file changed, 28 insertions(+), 14 deletions(-)
++
++diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
++index 5fbe024..25571c6 100644
++--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
++@@ -1114,7 +1114,7 @@ realmode_load_seg(
++ static int
++ protmode_load_seg(
++     enum x86_segment seg,
++-    uint16_t sel,
+++    uint16_t sel, bool_t is_ret,
++     struct x86_emulate_ctxt *ctxt,
++     const struct x86_emulate_ops *ops)
++ {
++@@ -1180,9 +1180,23 @@ protmode_load_seg(
++         /* Code segment? */
++         if ( !(desc.b & (1u<<11)) )
++             goto raise_exn;
++-        /* Non-conforming segment: check DPL against RPL. */
++-        if ( ((desc.b & (6u<<9)) != (6u<<9)) && (dpl != rpl) )
+++        if ( is_ret
+++             ? /*
+++                * Really rpl < cpl, but our sole caller doesn't handle
+++                * privilege level changes.
+++                */
+++               rpl != cpl || (desc.b & (1 << 10) ? dpl > rpl : dpl != rpl)
+++             : desc.b & (1 << 10)
+++               /* Conforming segment: check DPL against CPL. */
+++               ? dpl > cpl
+++               /* Non-conforming segment: check RPL and DPL against CPL. */
+++               : rpl > cpl || dpl != cpl )
+++            goto raise_exn;
+++        /* 64-bit code segments (L bit set) must have D bit clear. */
+++        if ( in_longmode(ctxt, ops) &&
+++             (desc.b & (1 << 21)) && (desc.b & (1 << 22)) )
++             goto raise_exn;
+++        sel = (sel ^ rpl) | cpl;
++         break;
++     case x86_seg_ss:
++         /* Writable data segment? */
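Review bot: the CS check added to protmode_load_seg() is a nested conditional with comments interleaved between its operands, which is hard to audit for a privilege check. Splitting it into an `if ( is_ret )` branch plus separate conforming and non-conforming branches would let each rule be read on its own. The new tests also use bare signed bit constants (`1 << 10`, `1 << 21`, `1 << 22`) where the surrounding code writes `1u<<11` and `6u<<9`; match the unsigned style and name the bits. `sel = (sel ^ rpl) | cpl;` relies on rpl being exactly the low RPL bits of sel, which is worth stating in a comment.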
++@@ -1247,7 +1261,7 @@ protmode_load_seg(
++ static int
++ load_seg(
++     enum x86_segment seg,
++-    uint16_t sel,
+++    uint16_t sel, bool_t is_ret,
++     struct x86_emulate_ctxt *ctxt,
++     const struct x86_emulate_ops *ops)
++ {
++@@ -1256,7 +1270,7 @@ load_seg(
++         return X86EMUL_UNHANDLEABLE;
++ 
++     if ( in_protmode(ctxt, ops) )
++-        return protmode_load_seg(seg, sel, ctxt, ops);
+++        return protmode_load_seg(seg, sel, is_ret, ctxt, ops);
++ 
++     return realmode_load_seg(seg, sel, ctxt, ops);
++ }
++@@ -1888,7 +1902,7 @@ x86_emulate(
++         if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
++                               &dst.val, op_bytes, ctxt, ops)) != 0 )
++             goto done;
++-        if ( (rc = load_seg(src.val, (uint16_t)dst.val, ctxt, ops)) != 0 )
+++        if ( (rc = load_seg(src.val, dst.val, 0, ctxt, ops)) != 0 )
++             return rc;
++         break;
++ 
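Review bot: this call site drops the `(uint16_t)` cast and passes `dst.val` straight to load_seg(), relying on implicit narrowing to the `uint16_t sel` parameter, and the commit message does not mention that change. Either keep the explicit cast or note in the commit message that the truncation is now left to the prototype, so the removal is not mistaken for an accident.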
++@@ -2242,7 +2256,7 @@ x86_emulate(
++         enum x86_segment seg = decode_segment(modrm_reg);
++         generate_exception_if(seg == decode_segment_failed, EXC_UD, -1);
++         generate_exception_if(seg == x86_seg_cs, EXC_UD, -1);
++-        if ( (rc = load_seg(seg, (uint16_t)src.val, ctxt, ops)) != 0 )
+++        if ( (rc = load_seg(seg, src.val, 0, ctxt, ops)) != 0 )
++             goto done;
++         if ( seg == x86_seg_ss )
++             ctxt->retire.flags.mov_ss = 1;
++@@ -2323,7 +2337,7 @@ x86_emulate(
++                               &_regs.eip, op_bytes, ctxt)) )
++             goto done;
++ 
++-        if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
+++        if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
++             goto done;
++         _regs.eip = eip;
++         break;
++@@ -2547,7 +2561,7 @@ x86_emulate(
++         if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes,
++                               &sel, 2, ctxt, ops)) != 0 )
++             goto done;
++-        if ( (rc = load_seg(dst.val, (uint16_t)sel, ctxt, ops)) != 0 )
+++        if ( (rc = load_seg(dst.val, sel, 0, ctxt, ops)) != 0 )
++             goto done;
++         dst.val = src.val;
++         break;
++@@ -2621,7 +2635,7 @@ x86_emulate(
++                               &dst.val, op_bytes, ctxt, ops)) ||
++              (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes + offset),
++                               &src.val, op_bytes, ctxt, ops)) ||
++-             (rc = load_seg(x86_seg_cs, (uint16_t)src.val, ctxt, ops)) )
+++             (rc = load_seg(x86_seg_cs, src.val, 1, ctxt, ops)) )
++             goto done;
++         _regs.eip = dst.val;
++         break;
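Review bot: `load_seg(x86_seg_cs, src.val, 1, ctxt, ops)` passes is_ret as a bare `1`, which gives no hint at the call site that it selects the return-path privilege checks. A short comment here, or a named constant for the argument, would make the security-relevant call sites easy to find when the emulator grows further far-return paths.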
++@@ -2668,7 +2682,7 @@ x86_emulate(
++         _regs.eflags &= mask;
++         _regs.eflags |= (uint32_t)(eflags & ~mask) | 0x02;
++         _regs.eip = eip;
++-        if ( (rc = load_seg(x86_seg_cs, (uint16_t)cs, ctxt, ops)) != 0 )
+++        if ( (rc = load_seg(x86_seg_cs, cs, 1, ctxt, ops)) != 0 )
++             goto done;
++         break;
++     }
++@@ -3298,7 +3312,7 @@ x86_emulate(
++         generate_exception_if(mode_64bit(), EXC_UD, -1);
++         eip = insn_fetch_bytes(op_bytes);
++         sel = insn_fetch_type(uint16_t);
++-        if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
+++        if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
++             goto done;
++         _regs.eip = eip;
++         break;
++@@ -3596,7 +3610,7 @@ x86_emulate(
++                     goto done;
++             }
++ 
++-            if ( (rc = load_seg(x86_seg_cs, sel, ctxt, ops)) != 0 )
+++            if ( (rc = load_seg(x86_seg_cs, sel, 0, ctxt, ops)) != 0 )
++                 goto done;
++             _regs.eip = src.val;
++ 
++@@ -3663,7 +3677,7 @@ x86_emulate(
++         generate_exception_if(!in_protmode(ctxt, ops), EXC_UD, -1);
++         generate_exception_if(!mode_ring0(), EXC_GP, 0);
++         if ( (rc = load_seg((modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr,
++-                            src.val, ctxt, ops)) != 0 )
+++                            src.val, 0, ctxt, ops)) != 0 )
++             goto done;
++         break;
++ 
diff --cc debian/patches/0042-x86-mm-fix-a-reference-counting-error-in-MMU_MACHPHY.patch
index 0000000,0000000..22a07c4
new file mode 100644
--- /dev/null
+++ b/debian/patches/0042-x86-mm-fix-a-reference-counting-error-in-MMU_MACHPHY.patch
@@@ -1,0 -1,0 +1,53 @@@
++From 8e4e0321788113f90b061267635f9c6b4b98b750 Mon Sep 17 00:00:00 2001
++From: Andrew Cooper <andrew.cooper3 at citrix.com>
++Date: Thu, 20 Nov 2014 17:43:39 +0100
++Subject: x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE
++
++Any domain which can pass the XSM check against a translated guest can cause a
++page reference to be leaked.
++
++While shuffling the order of checks, drop the quite-pointless MEM_LOG().  This
++brings the check in line with similar checks in the vicinity.
++
++Discovered while reviewing the XSA-109/110 followup series.
++
++This is XSA-113.
++
++Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
++Reviewed-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Tim Deegan <tim at xen.org>
++---
++ xen/arch/x86/mm.c | 13 ++++++-------
++ 1 file changed, 6 insertions(+), 7 deletions(-)
++
++diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
++index f88323f..db0b6fe 100644
++--- a/xen/arch/x86/mm.c
+++++ b/xen/arch/x86/mm.c
++@@ -3634,6 +3634,12 @@ long do_mmu_update(
++ 
++         case MMU_MACHPHYS_UPDATE:
++ 
+++            if ( unlikely(paging_mode_translate(pg_owner)) )
+++            {
+++                rc = -EINVAL;
+++                break;
+++            }
+++
++             mfn = req.ptr >> PAGE_SHIFT;
++             gpfn = req.val;
++ 
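Review bot: the paging_mode_translate(pg_owner) check moved to the top of `case MMU_MACHPHYS_UPDATE:` has no comment explaining that its position matters. The fix is purely about ordering, so add a line saying the check must stay ahead of anything that takes a page reference; otherwise a later reshuffle can reintroduce the leak the commit message describes.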
++@@ -3653,13 +3659,6 @@ long do_mmu_update(
++                 break;
++             }
++ 
++-            if ( unlikely(paging_mode_translate(pg_owner)) )
++-            {
++-                MEM_LOG("Mach-phys update on auto-translate guest");
++-                rc = -EINVAL;
++-                break;
++-            }
++-
++             set_gpfn_from_mfn(mfn, gpfn);
++ 
++             paging_mark_dirty(pg_owner, mfn);
diff --cc debian/patches/series
index 874c871,0000000..03cc4b5
mode 100644,000000..100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -1,38 -1,0 +1,42 @@@
 +0001-version.patch
 +0002-config-prefix.diff.patch
 +0003-tools-libfsimage-abiname.diff.patch
 +0004-tools-libxc-abiname.diff.patch
 +0005-tools-libxl-abiname.diff.patch
 +0006-tools-xenstat-abiname.diff.patch
 +0007-tools-rpath.diff.patch
 +0008-tools-blktap2-prefix.diff.patch
 +0009-tools-console-prefix.diff.patch
 +0010-tools-libfsimage-prefix.diff.patch
 +0011-tools-libxl-prefix.diff.patch
 +0012-tools-misc-prefix.diff.patch
 +0013-tools-pygrub-prefix.diff.patch
 +0014-tools-python-prefix.diff.patch
 +0015-tools-xcutils-rpath.diff.patch
 +0016-tools-xenmon-prefix.diff.patch
 +0017-tools-xenpaging-prefix.diff.patch
 +0018-tools-xenstat-prefix.diff.patch
 +0019-tools-xenstore-prefix.diff.patch
 +0020-tools-xentrace-prefix.diff.patch
 +0021-tools-python-xen-relative-path.diff.patch
 +0022-tools-misc-xend-startup.diff.patch
 +0023-tools-disable.diff.patch
 +0024-tools-examples-xend-disable-network.diff.patch
 +0025-tools-examples-xend-disable-relocation.diff.patch
 +0026-tools-pygrub-remove-static-solaris-support.patch
 +0027-tools-include-install.diff.patch
 +0028-tools-xenmon-install.diff.patch
 +0029-tools-hotplug-udevrules.diff.patch
 +0030-tools-python-shebang.diff.patch
 +0031-tools-xenstore-compatibility.diff.patch
 +0032-send-xl-coredumps-var-lib-xen-dump-NAME.patch
 +0033-evtchn-check-control-block-exists-when-using-FIFO-ba.patch
 +0034-x86-shadow-fix-race-condition-sampling-the-dirty-vra.patch
 +0035-x86-emulate-check-cpl-for-all-privileged-instruction.patch
 +0036-x86emul-only-emulate-software-interrupt-injection-fo.patch
 +0037-x86-HVM-properly-bound-x2APIC-MSR-range.patch
 +0038-VT-d-suppress-UR-signaling-for-further-desktop-chips.patch
++0039-x86-paging-make-log-dirty-operations-preemptible.patch
++0040-x86-don-t-allow-page-table-updates-on-non-PV-page-ta.patch
++0041-x86emul-enforce-privilege-level-restrictions-when-lo.patch
++0042-x86-mm-fix-a-reference-counting-error-in-MMU_MACHPHY.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-xen/xen.git


