[Pkg-xen-changes] [xen] 10/11: merge patched-develop into develop

Bastian Blank waldi at moszumanska.debian.org
Sun Nov 1 20:39:28 UTC 2015


This is an automated email from the git hooks/post-receive script.

waldi pushed a commit to branch develop
in repository xen.

commit 6ce09782a9ff9341e8e5e0dcaf83dd95ed0048f4
Merge: c213f67 2cc6e92
Author: Bastian Blank <waldi at debian.org>
Date:   Sun Nov 1 21:38:21 2015 +0100

    merge patched-develop into develop

 debian/.git-dpm                     |   4 +-
 debian/patches/CVE-2015-7812.diff   |  59 ++++++++++
 debian/patches/CVE-2015-7813.diff   |  55 +++++++++
 debian/patches/CVE-2015-7814.diff   |  50 ++++++++
 debian/patches/CVE-2015-7835.diff   |  57 ++++++++++
 debian/patches/CVE-2015-7969.1.diff |  42 +++++++
 debian/patches/CVE-2015-7969.diff   |  35 ++++++
 debian/patches/CVE-2015-7970.diff   | 221 ++++++++++++++++++++++++++++++++++++
 debian/patches/CVE-2015-7971.diff   |  83 ++++++++++++++
 debian/patches/CVE-2015-7972.diff   |  86 ++++++++++++++
 debian/patches/series               |   9 ++
 tools/libxl/libxl.c                 |   2 +-
 tools/libxl/libxl_dom.c             |   9 +-
 xen/arch/arm/domain.c               |  13 ++-
 xen/arch/arm/hvm.c                  |   2 +-
 xen/arch/arm/physdev.c              |   3 +-
 xen/arch/x86/cpu/vpmu.c             |   8 +-
 xen/arch/x86/mm.c                   |  10 +-
 xen/arch/x86/mm/p2m-pod.c           |  86 +++++++++-----
 xen/arch/x86/mm/p2m.c               |   4 +
 xen/common/domain.c                 |   1 +
 xen/common/xenoprof.c               |  11 +-
 xen/include/asm-x86/p2m.h           |  18 ++-
 23 files changed, 813 insertions(+), 55 deletions(-)

diff --cc debian/.git-dpm
index 2db5360,0000000..d855409
mode 100644,000000..100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@@ -1,8 -1,0 +1,8 @@@
 +# see git-dpm(1) from git-dpm package
- b00b02f0283fa7536ab44264a21c2dcdaa22d631
- b00b02f0283fa7536ab44264a21c2dcdaa22d631
++2cc6e92b8046952534df6e27abc16740a0ce9b0d
++2cc6e92b8046952534df6e27abc16740a0ce9b0d
 +9fafe903bcadf774d3eb5fbef4666166aa876d2d
 +9fafe903bcadf774d3eb5fbef4666166aa876d2d
 +xen_4.6.0.orig.tar.xz
 +3a298ab580a62dd4ffbe63567d4114f9c36d570c
 +3525684
diff --cc debian/patches/CVE-2015-7812.diff
index 0000000,0000000..e4cad28
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7812.diff
@@@ -1,0 -1,0 +1,59 @@@
++From 1440439d8552e98995b91234480505c5eb154eb5 Mon Sep 17 00:00:00 2001
++From: Julien Grall <julien.grall at citrix.com>
++Date: Thu, 29 Oct 2015 13:46:45 +0100
++Subject: arm: Support hypercall_create_continuation for multicall
++
++Multicall for ARM has been supported since commit f0dbdc6 "xen: arm: fully
++implement multicall interface.". Although, if an hypercall in multicall
++requires preemption, it will crash the host:
++
++(XEN) Xen BUG at domain.c:347
++(XEN) ----[ Xen-4.7-unstable  arm64  debug=y  Tainted:    C ]----
++[...]
++(XEN) Xen call trace:
++(XEN)    [<00000000002420cc>] hypercall_create_continuation+0x64/0x380 (PC)
++(XEN)    [<0000000000217274>] do_memory_op+0x1b00/0x2334 (LR)
++(XEN)    [<0000000000250d2c>] do_multicall_call+0x114/0x124
++(XEN)    [<0000000000217ff0>] do_multicall+0x17c/0x23c
++(XEN)    [<000000000024f97c>] do_trap_hypercall+0x90/0x12c
++(XEN)    [<0000000000251ca8>] do_trap_hypervisor+0xd2c/0x1ba4
++(XEN)    [<00000000002582cc>] guest_sync+0x88/0xb8
++(XEN)
++(XEN)
++(XEN) ****************************************
++(XEN) Panic on CPU 5:
++(XEN) Xen BUG at domain.c:347
++(XEN) ****************************************
++(XEN)
++(XEN) Manual reset required ('noreboot' specified)
++
++Looking to the code, the support of multicall looks valid to me, as we only
++need to fill call.args[...]. So drop the BUG();
++
++This is CVE-2015-7812 / XSA-145.
++
++Signed-off-by: Julien Grall <julien.grall at citrix.com>
++Acked-by: Ian Campbell <ian.campbell at citrix.com>
++master commit: 29bcf64ce8bc0b1b7aacd00c8668f255c4f0686c
++master date: 2015-10-29 13:31:10 +0100
++
++(cherry picked from commit ea95ecb8bf30f83b52a079cdfc824a3ba6ffd4ef)
++
++Patch-Name: CVE-2015-7812.diff
++---
++ xen/arch/arm/domain.c | 2 --
++ 1 file changed, 2 deletions(-)
++
++diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
++index b2bfc7d..b9a4226 100644
++--- a/xen/arch/arm/domain.c
+++++ b/xen/arch/arm/domain.c
++@@ -344,8 +344,6 @@ unsigned long hypercall_create_continuation(
++ 
++     if ( test_bit(_MCSF_in_multicall, &mcs->flags) )
++     {
++-        BUG(); /* XXX multicalls not implemented yet. */
++-
++         __set_bit(_MCSF_call_preempted, &mcs->flags);
++ 
++         for ( i = 0; *p != '\0'; i++ )
diff --cc debian/patches/CVE-2015-7813.diff
index 0000000,0000000..91eb658
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7813.diff
@@@ -1,0 -1,0 +1,55 @@@
++From 2989d96e3d84f2e589133edf317b8aed2429f3c8 Mon Sep 17 00:00:00 2001
++From: Ian Campbell <ian.campbell at citrix.com>
++Date: Thu, 29 Oct 2015 13:47:10 +0100
++Subject: arm: rate-limit logging from unimplemented PHYSDEVOP and HVMOP.
++
++These are guest accessible and should therefore be rate-limited.
++Moreover, include them only in debug builds.
++
++This is CVE-2015-7813 / XSA-146.
++
++Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
++Reviewed-by: Jan Beulich <jbeulich at suse.com>
++master commit: 1c0e59ff15764e7b0c59282365974f5b8924ce83
++master date: 2015-10-29 13:33:38 +0100
++
++(cherry picked from commit b18d995ca341d07a38fec04aa137e9ef85ee4dd0)
++
++Patch-Name: CVE-2015-7813.diff
++---
++ xen/arch/arm/hvm.c     | 2 +-
++ xen/arch/arm/physdev.c | 3 ++-
++ 2 files changed, 3 insertions(+), 2 deletions(-)
++
++diff --git a/xen/arch/arm/hvm.c b/xen/arch/arm/hvm.c
++index 471c4cd..5fd0753 100644
++--- a/xen/arch/arm/hvm.c
+++++ b/xen/arch/arm/hvm.c
++@@ -57,7 +57,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
++ 
++     default:
++     {
++-        printk("%s: Bad HVM op %ld.\n", __func__, op);
+++        gdprintk(XENLOG_DEBUG, "HVMOP op=%lu: not implemented\n", op);
++         rc = -ENOSYS;
++         break;
++     }
++diff --git a/xen/arch/arm/physdev.c b/xen/arch/arm/physdev.c
++index 61b4a18..27bbbda 100644
++--- a/xen/arch/arm/physdev.c
+++++ b/xen/arch/arm/physdev.c
++@@ -8,12 +8,13 @@
++ #include <xen/types.h>
++ #include <xen/lib.h>
++ #include <xen/errno.h>
+++#include <xen/sched.h>
++ #include <asm/hypercall.h>
++ 
++ 
++ int do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
++ {
++-    printk("%s %d cmd=%d: not implemented yet\n", __func__, __LINE__, cmd);
+++    gdprintk(XENLOG_DEBUG, "PHYSDEVOP cmd=%d: not implemented\n", cmd);
++     return -ENOSYS;
++ }
++ 
diff --cc debian/patches/CVE-2015-7814.diff
index 0000000,0000000..8d574e5
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7814.diff
@@@ -1,0 -1,0 +1,50 @@@
++From 0361df69e22ae145cfdd95b0a3ea75a858a4bc08 Mon Sep 17 00:00:00 2001
++From: Ian Campbell <ian.campbell at citrix.com>
++Date: Thu, 29 Oct 2015 13:47:38 +0100
++Subject: arm: handle races between relinquish_memory and free_domheap_pages
++
++Primarily this means XENMEM_decrease_reservation from a toolstack
++domain.
++
++Unlike x86 we have no requirement right now to queue such pages onto
++a separate list, if we hit this race then the other code has already
++fully accepted responsibility for freeing this page and therefore
++there is no more for relinquish_memory to do.
++
++This is CVE-2015-7814 / XSA-147.
++
++Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
++Reviewed-by: Julien Grall <julien.grall at citrix.com>
++Reviewed-by: Jan Beulich <jbeulich at suse.com>
++master commit: 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
++master date: 2015-10-29 13:34:17 +0100
++
++(cherry picked from commit df6fa370865717ee51530c0102d1e983a70d37c3)
++
++Patch-Name: CVE-2015-7814.diff
++---
++ xen/arch/arm/domain.c | 11 +++++++++--
++ 1 file changed, 9 insertions(+), 2 deletions(-)
++
++diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
++index b9a4226..20cc772 100644
++--- a/xen/arch/arm/domain.c
+++++ b/xen/arch/arm/domain.c
++@@ -768,8 +768,15 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list)
++     {
++         /* Grab a reference to the page so it won't disappear from under us. */
++         if ( unlikely(!get_page(page, d)) )
++-            /* Couldn't get a reference -- someone is freeing this page. */
++-            BUG();
+++            /*
+++             * Couldn't get a reference -- someone is freeing this page and
+++             * has already committed to doing so, so no more to do here.
+++             *
+++             * Note that the page must be left on the list, a list_del
+++             * here will clash with the list_del done by the other
+++             * party in the race and corrupt the list head.
+++             */
+++            continue;
++ 
++         if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
++             put_page(page);
diff --cc debian/patches/CVE-2015-7835.diff
index 0000000,0000000..d43b104
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7835.diff
@@@ -1,0 -1,0 +1,57 @@@
++From c270ef05942a8ce35d78064aaa82f4f8360aff27 Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Thu, 29 Oct 2015 13:48:09 +0100
++Subject: x86: guard against undue super page PTE creation
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++When optional super page support got added (commit bd1cd81d64 "x86: PV
++support for hugepages"), two adjustments were missed: mod_l2_entry()
++needs to consider the PSE and RW bits when deciding whether to use the
++fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
++unconditionally.
++
++This is CVE-2015-7835 / XSA-148.
++
++Reported-by: "栾尚聪(好风)" <shangcong.lsc at alibaba-inc.com>
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Tim Deegan <tim at xen.org>
++master commit: fe360c90ea13f309ef78810f1a2b92f2ae3b30b8
++master date: 2015-10-29 13:35:07 +0100
++
++(cherry picked from commit 2d094bd87072e26ac29b07917d31fcbf13892288)
++
++Patch-Name: CVE-2015-7835.diff
++---
++ xen/arch/x86/mm.c | 10 ++++++++--
++ 1 file changed, 8 insertions(+), 2 deletions(-)
++
++diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
++index 202ff76..fc65982 100644
++--- a/xen/arch/x86/mm.c
+++++ b/xen/arch/x86/mm.c
++@@ -160,7 +160,10 @@ static void put_superpage(unsigned long mfn);
++ static uint32_t base_disallow_mask;
++ /* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
++ #define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
++-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
+++
+++#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
+++                          ? base_disallow_mask & ~_PAGE_PSE \
+++                          : base_disallow_mask)
++ 
++ #define l3_disallow_mask(d) (!is_pv_32bit_domain(d) ? \
++                              base_disallow_mask : 0xFFFFF198U)
++@@ -1839,7 +1842,10 @@ static int mod_l2_entry(l2_pgentry_t *pl2e,
++         }
++ 
++         /* Fast path for identical mapping and presence. */
++-        if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
+++        if ( !l2e_has_changed(ol2e, nl2e,
+++                              unlikely(opt_allow_superpage)
+++                              ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
+++                              : _PAGE_PRESENT) )
++         {
++             adjust_guest_l2e(nl2e, d);
++             if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
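Review bot: The widened fast-path test in mod_l2_entry carries no comment saying why PSE and RW are now part of the comparison, so a later reader may take them as redundant with the PRESENT check and fold the condition back. A PSE change turns an L1-table reference into a 2M data mapping (or the reverse) and a RW change alters the reference the entry holds on its target, so neither may skip the full put/get path; suggest `/* PSE or RW changes alter what the entry references, so they must not take the fast path. */` directly above the `if`. The reworked L2_DISALLOW_MASK re-evaluates opt_allow_superpage at every use, which is harmless if that is a boot-time option as it appears to be, but a one-line comment that PSE is only permitted when superpages are enabled would make the two hunks read as one fix. mod_l2_entry's body starts and ends outside the hunk.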
diff --cc debian/patches/CVE-2015-7969.1.diff
index 0000000,0000000..061fdc7
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7969.1.diff
@@@ -1,0 -1,0 +1,42 @@@
++From 967130a6c0a919da36281b69f600a31c22715b8c Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Thu, 29 Oct 2015 13:51:24 +0100
++Subject: xenoprof: free domain's vcpu array
++
++This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
++guest").
++
++This is CVE-2015-7969 / XSA-151.
++
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
++master commit: 6e97c4b37386c2d09e09e9b5d5d232e37728b960
++master date: 2015-10-29 13:36:52 +0100
++
++(cherry picked from commit 429f0cd270851462783fc6d56d6bae9cbb40bdca)
++
++Patch-Name: CVE-2015-7969.1.diff
++---
++ xen/common/xenoprof.c | 2 ++
++ 1 file changed, 2 insertions(+)
++
++diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
++index 1061323..53a803a 100644
++--- a/xen/common/xenoprof.c
+++++ b/xen/common/xenoprof.c
++@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct(
++     d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0);
++     if ( d->xenoprof->rawbuf == NULL )
++     {
+++        xfree(d->xenoprof->vcpu);
++         xfree(d->xenoprof);
++         d->xenoprof = NULL;
++         return -ENOMEM;
++@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain *d)
++         free_xenheap_pages(x->rawbuf, order);
++     }
++ 
+++    xfree(x->vcpu);
++     xfree(x);
++     d->xenoprof = NULL;
++ }
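Review bot: The new `xfree(d->xenoprof->vcpu)` covers only the rawbuf failure path; alloc_xenoprof_struct's earlier allocations and any other return between the vcpu array allocation and this point lie outside the hunk and should be checked for the same leak. If there is more than one such path, a single cleanup label that frees vcpu, frees xenoprof and resets `d->xenoprof = NULL` would keep the three steps from drifting apart again.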
diff --cc debian/patches/CVE-2015-7969.diff
index 0000000,0000000..8b7c980
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7969.diff
@@@ -1,0 -1,0 +1,35 @@@
++From 91af405ccfba7200fec38d5c2624798794a0eb76 Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Thu, 29 Oct 2015 13:49:56 +0100
++Subject: free domain's vcpu array
++
++This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
++guest").
++
++This is CVE-2015-7969 / XSA-149.
++
++Reported-by: Ian Campbell <ian.campbell at citrix.com>
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
++master commit: d46896ebbb23f3a9fef2eb6066ae614fd1acfd96
++master date: 2015-10-29 13:35:40 +0100
++
++(cherry picked from commit 2c57108c36eaa10885b7d0daad534348717e4f9d)
++
++Patch-Name: CVE-2015-7969.diff
++---
++ xen/common/domain.c | 1 +
++ 1 file changed, 1 insertion(+)
++
++diff --git a/xen/common/domain.c b/xen/common/domain.c
++index 1b9fcfc..796c492 100644
++--- a/xen/common/domain.c
+++++ b/xen/common/domain.c
++@@ -833,6 +833,7 @@ static void complete_domain_destroy(struct rcu_head *head)
++ 
++     xsm_free_security_domain(d);
++     free_cpumask_var(d->domain_dirty_cpumask);
+++    xfree(d->vcpu);
++     free_domain_struct(d);
++ 
++     send_global_virq(VIRQ_DOM_EXC);
diff --cc debian/patches/CVE-2015-7970.diff
index 0000000,0000000..07cb9bf
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7970.diff
@@@ -1,0 -1,0 +1,221 @@@
++From 86a812432587c0a6c415f935de3fb9838c0d1098 Mon Sep 17 00:00:00 2001
++From: Andrew Cooper <andrew.cooper3 at citrix.com>
++Date: Thu, 29 Oct 2015 13:50:59 +0100
++Subject: x86/PoD: Eager sweep for zeroed pages
++
++Based on the contents of a guests physical address space,
++p2m_pod_emergency_sweep() could degrade into a linear memcmp() from 0 to
++max_gfn, which runs non-preemptibly.
++
++As p2m_pod_emergency_sweep() runs behind the scenes in a number of contexts,
++making it preemptible is not feasible.
++
++Instead, a different approach is taken.  Recently-populated pages are eagerly
++checked for reclaimation, which amortises the p2m_pod_emergency_sweep()
++operation across each p2m_pod_demand_populate() operation.
++
++Note that in the case that a 2M superpage can't be reclaimed as a superpage,
++it is shattered if 4K pages of zeros can be reclaimed.  This is unfortunate
++but matches the previous behaviour, and is required to avoid regressions
++(domain crash from PoD exhaustion) with VMs configured close to the limit.
++
++This is CVE-2015-7970 / XSA-150.
++
++Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
++Reviewed-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: George Dunlap <george.dunlap at citrix.com>
++master commit: 101ce53266866144e724ed593173bc4098b300b9
++master date: 2015-10-29 13:36:25 +0100
++
++(cherry picked from commit 4a32fbd95af6503ea1314ff2aa9a0b0a473d46c0)
++
++Patch-Name: CVE-2015-7970.diff
++---
++ xen/arch/x86/mm/p2m-pod.c | 86 +++++++++++++++++++++++++++++++----------------
++ xen/arch/x86/mm/p2m.c     |  4 +++
++ xen/include/asm-x86/p2m.h | 18 +++++++---
++ 3 files changed, 75 insertions(+), 33 deletions(-)
++
++diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
++index 8156525..9196a5d 100644
++--- a/xen/arch/x86/mm/p2m-pod.c
+++++ b/xen/arch/x86/mm/p2m-pod.c
++@@ -901,28 +901,6 @@ p2m_pod_zero_check(struct p2m_domain *p2m, unsigned long *gfns, int count)
++ }
++ 
++ #define POD_SWEEP_LIMIT 1024
++-
++-/* When populating a new superpage, look at recently populated superpages
++- * hoping that they've been zeroed.  This will snap up zeroed pages as soon as 
++- * the guest OS is done with them. */
++-static void
++-p2m_pod_check_last_super(struct p2m_domain *p2m, unsigned long gfn_aligned)
++-{
++-    unsigned long check_gfn;
++-
++-    ASSERT(p2m->pod.last_populated_index < POD_HISTORY_MAX);
++-
++-    check_gfn = p2m->pod.last_populated[p2m->pod.last_populated_index];
++-
++-    p2m->pod.last_populated[p2m->pod.last_populated_index] = gfn_aligned;
++-
++-    p2m->pod.last_populated_index =
++-        ( p2m->pod.last_populated_index + 1 ) % POD_HISTORY_MAX;
++-
++-    p2m_pod_zero_check_superpage(p2m, check_gfn);
++-}
++-
++-
++ #define POD_SWEEP_STRIDE  16
++ static void
++ p2m_pod_emergency_sweep(struct p2m_domain *p2m)
++@@ -963,7 +941,7 @@ p2m_pod_emergency_sweep(struct p2m_domain *p2m)
++          * NB that this is a zero-sum game; we're increasing our cache size
++          * by re-increasing our 'debt'.  Since we hold the pod lock,
++          * (entry_count - count) must remain the same. */
++-        if ( p2m->pod.count > 0 && i < limit )
+++        if ( i < limit && (p2m->pod.count > 0 || hypercall_preempt_check()) )
++             break;
++     }
++ 
++@@ -975,6 +953,58 @@ p2m_pod_emergency_sweep(struct p2m_domain *p2m)
++ 
++ }
++ 
+++static void pod_eager_reclaim(struct p2m_domain *p2m)
+++{
+++    struct pod_mrp_list *mrp = &p2m->pod.mrp;
+++    unsigned int i = 0;
+++
+++    /*
+++     * Always check one page for reclaimation.
+++     *
+++     * If the PoD pool is empty, keep checking some space is found, or all
+++     * entries have been exhaused.
+++     */
+++    do
+++    {
+++        unsigned int idx = (mrp->idx + i++) % ARRAY_SIZE(mrp->list);
+++        unsigned long gfn = mrp->list[idx];
+++
+++        if ( gfn != INVALID_GFN )
+++        {
+++            if ( gfn & POD_LAST_SUPERPAGE )
+++            {
+++                gfn &= ~POD_LAST_SUPERPAGE;
+++
+++                if ( p2m_pod_zero_check_superpage(p2m, gfn) == 0 )
+++                {
+++                    unsigned int x;
+++
+++                    for ( x = 0; x < SUPERPAGE_PAGES; ++x, ++gfn )
+++                        p2m_pod_zero_check(p2m, &gfn, 1);
+++                }
+++            }
+++            else
+++                p2m_pod_zero_check(p2m, &gfn, 1);
+++
+++            mrp->list[idx] = INVALID_GFN;
+++        }
+++
+++    } while ( (p2m->pod.count == 0) && (i < ARRAY_SIZE(mrp->list)) );
+++}
+++
+++static void pod_eager_record(struct p2m_domain *p2m,
+++                             unsigned long gfn, unsigned int order)
+++{
+++    struct pod_mrp_list *mrp = &p2m->pod.mrp;
+++
+++    ASSERT(mrp->list[mrp->idx] == INVALID_GFN);
+++    ASSERT(gfn != INVALID_GFN);
+++
+++    mrp->list[mrp->idx++] =
+++        gfn | (order == PAGE_ORDER_2M ? POD_LAST_SUPERPAGE : 0);
+++    mrp->idx %= ARRAY_SIZE(mrp->list);
+++}
+++
++ int
++ p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
++                         unsigned int order,
++@@ -1015,6 +1045,8 @@ p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
++         return 0;
++     }
++ 
+++    pod_eager_reclaim(p2m);
+++
++     /* Only sweep if we're actually out of memory.  Doing anything else
++      * causes unnecessary time and fragmentation of superpages in the p2m. */
++     if ( p2m->pod.count == 0 )
++@@ -1051,6 +1083,8 @@ p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
++     p2m->pod.entry_count -= (1 << order);
++     BUG_ON(p2m->pod.entry_count < 0);
++ 
+++    pod_eager_record(p2m, gfn_aligned, order);
+++
++     if ( tb_init_done )
++     {
++         struct {
++@@ -1066,12 +1100,6 @@ p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
++         __trace_var(TRC_MEM_POD_POPULATE, 0, sizeof(t), &t);
++     }
++ 
++-    /* Check the last guest demand-populate */
++-    if ( p2m->pod.entry_count > p2m->pod.count 
++-         && (order == PAGE_ORDER_2M)
++-         && (q & P2M_ALLOC) )
++-        p2m_pod_check_last_super(p2m, gfn_aligned);
++-
++     pod_unlock(p2m);
++     return 0;
++ out_of_memory:
++diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
++index c6b883d..cbe3f24 100644
++--- a/xen/arch/x86/mm/p2m.c
+++++ b/xen/arch/x86/mm/p2m.c
++@@ -60,6 +60,7 @@ boolean_param("hap_2mb", opt_hap_2mb);
++ /* Init the datastructures for later use by the p2m code */
++ static int p2m_initialise(struct domain *d, struct p2m_domain *p2m)
++ {
+++    unsigned int i;
++     int ret = 0;
++ 
++     mm_rwlock_init(&p2m->lock);
++@@ -75,6 +76,9 @@ static int p2m_initialise(struct domain *d, struct p2m_domain *p2m)
++ 
++     p2m->np2m_base = P2M_BASE_EADDR;
++ 
+++    for ( i = 0; i < ARRAY_SIZE(p2m->pod.mrp.list); ++i )
+++        p2m->pod.mrp.list[i] = INVALID_GFN;
+++
++     if ( hap_enabled(d) && cpu_has_vmx )
++         ret = ept_p2m_init(p2m);
++     else
++diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
++index 5e99ac6..e91a875 100644
++--- a/xen/include/asm-x86/p2m.h
+++++ b/xen/include/asm-x86/p2m.h
++@@ -292,10 +292,20 @@ struct p2m_domain {
++                          entry_count;  /* # of pages in p2m marked pod      */
++         unsigned long    reclaim_single; /* Last gpfn of a scan */
++         unsigned long    max_guest;    /* gpfn of max guest demand-populate */
++-#define POD_HISTORY_MAX 128
++-        /* gpfn of last guest superpage demand-populated */
++-        unsigned long    last_populated[POD_HISTORY_MAX]; 
++-        unsigned int     last_populated_index;
+++
+++        /*
+++         * Tracking of the most recently populated PoD pages, for eager
+++         * reclamation.
+++         */
+++        struct pod_mrp_list {
+++#define NR_POD_MRP_ENTRIES 32
+++
+++/* Encode ORDER_2M superpage in top bit of GFN */
+++#define POD_LAST_SUPERPAGE (INVALID_GFN & ~(INVALID_GFN >> 1))
+++
+++            unsigned long list[NR_POD_MRP_ENTRIES];
+++            unsigned int idx;
+++        } mrp;
++         mm_lock_t        lock;         /* Locking of private pod structs,   *
++                                         * not relying on the p2m lock.      */
++     } pod;
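Review bot: pod_eager_record reuses the top bit of gfn as the superpage flag but only asserts `gfn != INVALID_GFN`, so a gfn that already had that bit set would be misread by pod_eager_reclaim as a superpage marker or, once the flag is ORed in, collide with INVALID_GFN and be silently skipped; add `ASSERT(!(gfn & POD_LAST_SUPERPAGE));` beside the existing asserts. The block comment in pod_eager_reclaim has typos that will outlive the fix (`reclaimation`, `exhaused`, and `keep checking some space is found` should read `keep checking until some space is found`). Both helpers read and write p2m->pod.mrp with no lock taken inside the hunk; the pod_unlock() visible later in p2m_pod_demand_populate suggests the pod lock is held at both call sites, and that precondition should be stated in a comment above the helpers. p2m_pod_demand_populate itself starts and ends outside the hunk.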
diff --cc debian/patches/CVE-2015-7971.diff
index 0000000,0000000..3e0f7d9
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7971.diff
@@@ -1,0 -1,0 +1,83 @@@
++From 2c55f2480b83990081dc43541eebf391635014ca Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Thu, 29 Oct 2015 13:52:02 +0100
++Subject: x86: rate-limit logging in do_xen{oprof,pmu}_op()
++
++Some of the sub-ops are acessible to all guests, and hence should be
++rate-limited. In the xenoprof case, just like for XSA-146, include them
++only in debug builds. Since the vPMU code is rather new, allow them to
++be always present, but downgrade them to (rate limited) guest messages.
++
++This is CVE-2015-7971 / XSA-152.
++
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
++master commit: 95e7415843b94c346e5ba8682665f508f220e04b
++master date: 2015-10-29 13:37:19 +0100
++
++(cherry picked from commit bdc9fdf9d468cb94ca0fbed1b969c20bf173dc9b)
++
++Patch-Name: CVE-2015-7971.diff
++---
++ xen/arch/x86/cpu/vpmu.c | 8 ++++----
++ xen/common/xenoprof.c   | 9 +++------
++ 2 files changed, 7 insertions(+), 10 deletions(-)
++
++diff --git a/xen/arch/x86/cpu/vpmu.c b/xen/arch/x86/cpu/vpmu.c
++index 8af3df1..2f5156a 100644
++--- a/xen/arch/x86/cpu/vpmu.c
+++++ b/xen/arch/x86/cpu/vpmu.c
++@@ -682,8 +682,8 @@ long do_xenpmu_op(unsigned int op, XEN_GUEST_HANDLE_PARAM(xen_pmu_params_t) arg)
++             vpmu_mode = pmu_params.val;
++         else if ( vpmu_mode != pmu_params.val )
++         {
++-            printk(XENLOG_WARNING
++-                   "VPMU: Cannot change mode while active VPMUs exist\n");
+++            gprintk(XENLOG_WARNING,
+++                    "VPMU: Cannot change mode while active VPMUs exist\n");
++             ret = -EBUSY;
++         }
++ 
++@@ -714,8 +714,8 @@ long do_xenpmu_op(unsigned int op, XEN_GUEST_HANDLE_PARAM(xen_pmu_params_t) arg)
++             vpmu_features = pmu_params.val;
++         else
++         {
++-            printk(XENLOG_WARNING "VPMU: Cannot change features while"
++-                                  " active VPMUs exist\n");
+++            gprintk(XENLOG_WARNING,
+++                    "VPMU: Cannot change features while active VPMUs exist\n");
++             ret = -EBUSY;
++         }
++ 
++diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
++index 53a803a..19b4605 100644
++--- a/xen/common/xenoprof.c
+++++ b/xen/common/xenoprof.c
++@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
++     
++     if ( (op < 0) || (op > XENOPROF_last_op) )
++     {
++-        printk("xenoprof: invalid operation %d for domain %d\n",
++-               op, current->domain->domain_id);
+++        gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op);
++         return -EINVAL;
++     }
++ 
++     if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) )
++     {
++-        printk("xenoprof: dom %d denied privileged operation %d\n",
++-               current->domain->domain_id, op);
+++        gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op);
++         return -EPERM;
++     }
++ 
++@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
++     spin_unlock(&xenoprof_lock);
++ 
++     if ( ret < 0 )
++-        printk("xenoprof: operation %d failed for dom %d (status : %d)\n",
++-               op, current->domain->domain_id, ret);
+++        gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret);
++ 
++     return ret;
++ }
diff --cc debian/patches/CVE-2015-7972.diff
index 0000000,0000000..b122b41
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7972.diff
@@@ -1,0 -1,0 +1,86 @@@
++From 2cc6e92b8046952534df6e27abc16740a0ce9b0d Mon Sep 17 00:00:00 2001
++From: Ian Jackson <ian.jackson at eu.citrix.com>
++Date: Wed, 21 Oct 2015 16:18:30 +0100
++Subject: libxl: adjust PoD target by memory fudge, too
++
++PoD guests need to balloon at least as far as required by PoD, or risk
++crashing.  Currently they don't necessarily know what the right value
++is, because our memory accounting is (at the very least) confusing.
++
++Apply the memory limit fudge factor to the in-hypervisor PoD memory
++target, too.  This will increase the size of the guest's PoD cache by
++the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby).  This ensures
++that even with a slightly-off balloon driver, the guest will be
++stable even under memory pressure.
++
++There are two call sites of xc_domain_set_pod_target that need fixing:
++
++The one in libxl_set_memory_target is straightforward.
++
++The one in xc_hvm_build_x86.c:setup_guest is more awkward.  Simply
++setting the PoD target differently does not work because the various
++amounts of memory during domain construction no longer match up.
++Instead, we adjust the guest memory target in xenstore (but only for
++PoD guests).
++
++This introduces a 1Mby discrepancy between the balloon target of a PoD
++guest at boot, and the target set by an apparently-equivalent `xl
++mem-set' (or similar) later.  This approach is low-risk for a security
++fix but we need to fix this up properly in xen.git#staging and
++probably also in stable trees.
++
++This is XSA-153.
++
++Signed-off-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
++(cherry picked from commit 56fb5fd62320eb40a7517206f9706aa9188d6f7b)
++
++Patch-Name: CVE-2015-7972.diff
++---
++ tools/libxl/libxl.c     | 2 +-
++ tools/libxl/libxl_dom.c | 9 ++++++++-
++ 2 files changed, 9 insertions(+), 2 deletions(-)
++
++diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
++index d38d0c7..1366177 100644
++--- a/tools/libxl/libxl.c
+++++ b/tools/libxl/libxl.c
++@@ -4815,7 +4815,7 @@ retry_transaction:
++     }
++ 
++     rc = xc_domain_set_pod_target(ctx->xch, domid,
++-            new_target_memkb / 4, NULL, NULL, NULL);
+++            (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL);
++     if (rc != 0) {
++         LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR,
++                 "xc_domain_set_pod_target domid=%d, memkb=%d "
++diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
++index b514377..8019f4e 100644
++--- a/tools/libxl/libxl_dom.c
+++++ b/tools/libxl/libxl_dom.c
++@@ -486,6 +486,7 @@ int libxl__build_post(libxl__gc *gc, uint32_t domid,
++     xs_transaction_t t;
++     char **ents;
++     int i, rc;
+++    int64_t mem_target_fudge;
++ 
++     if (info->num_vnuma_nodes && !info->num_vcpu_soft_affinity) {
++         rc = set_vnuma_affinity(gc, domid, info);
++@@ -518,11 +519,17 @@ int libxl__build_post(libxl__gc *gc, uint32_t domid,
++         }
++     }
++ 
+++    mem_target_fudge =
+++        (info->type == LIBXL_DOMAIN_TYPE_HVM &&
+++         info->max_memkb > info->target_memkb)
+++        ? LIBXL_MAXMEM_CONSTANT : 0;
+++
++     ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *));
++     ents[0] = "memory/static-max";
++     ents[1] = GCSPRINTF("%"PRId64, info->max_memkb);
++     ents[2] = "memory/target";
++-    ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb);
+++    ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb
+++                        - mem_target_fudge);
++     ents[4] = "memory/videoram";
++     ents[5] = GCSPRINTF("%"PRId64, info->video_memkb);
++     ents[6] = "domid";
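Review bot: The `mem_target_fudge` assignment in libxl__build_post encodes "is a PoD guest" as HVM with max_memkb > target_memkb and nothing ties it to the matching LIBXL_MAXMEM_CONSTANT added to the PoD target in the libxl.c hunk, although the two adjustments must stay in step; suggest `/* PoD guests: lower the xenstore balloon target by the same fudge libxl_set_memory_target() adds to the hypervisor PoD target. */` above it. The subtraction on the `ents[3]` line is unguarded, so a PoD guest whose target_memkb minus video_memkb is below LIBXL_MAXMEM_CONSTANT would have a zero or negative target published to xenstore; that is an unrealistic configuration, but it is better rejected in config validation than silently written. libxl__build_post continues outside the hunk.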
diff --cc debian/patches/series
index d45d432,0000000..984d69c
mode 100644,000000..100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -1,25 -1,0 +1,34 @@@
 +version.diff
 +config-prefix.diff
 +tools-libfsimage-abiname.diff
 +tools-libxc-abiname.diff
 +tools-libxl-abiname.diff
 +tools-xenstat-abiname.diff
 +tools-rpath.diff
 +tools-blktap2-prefix.diff
 +tools-console-prefix.diff
 +tools-libfsimage-prefix.diff
 +tools-libxl-prefix.diff
 +tools-misc-prefix.diff
 +tools-pygrub-prefix.diff
 +tools-python-prefix.diff
 +tools-xcutils-rpath.diff
 +tools-xenmon-prefix.diff
 +tools-xenpaging-prefix.diff
 +tools-xenpmd-prefix.diff
 +tools-xenstat-prefix.diff
 +tools-xenstore-prefix.diff
 +tools-xentrace-prefix.diff
 +tools-pygrub-remove-static-solaris-support
 +tools-include-install.diff
 +tools-xenmon-install.diff
 +tools-xenstore-compatibility.diff
++CVE-2015-7812.diff
++CVE-2015-7813.diff
++CVE-2015-7814.diff
++CVE-2015-7835.diff
++CVE-2015-7969.diff
++CVE-2015-7970.diff
++CVE-2015-7969.1.diff
++CVE-2015-7971.diff
++CVE-2015-7972.diff
