[Pkg-xen-changes] [xen] 10/11: merge patched-develop into develop
Bastian Blank
waldi at moszumanska.debian.org
Sun Nov 1 20:39:28 UTC 2015
waldi pushed a commit to branch develop
in repository xen.
commit 6ce09782a9ff9341e8e5e0dcaf83dd95ed0048f4
Merge: c213f67 2cc6e92
Author: Bastian Blank <waldi at debian.org>
Date: Sun Nov 1 21:38:21 2015 +0100
merge patched-develop into develop
debian/.git-dpm | 4 +-
debian/patches/CVE-2015-7812.diff | 59 ++++++++++
debian/patches/CVE-2015-7813.diff | 55 +++++++++
debian/patches/CVE-2015-7814.diff | 50 ++++++++
debian/patches/CVE-2015-7835.diff | 57 ++++++++++
debian/patches/CVE-2015-7969.1.diff | 42 +++++++
debian/patches/CVE-2015-7969.diff | 35 ++++++
debian/patches/CVE-2015-7970.diff | 221 ++++++++++++++++++++++++++++++++++++
debian/patches/CVE-2015-7971.diff | 83 ++++++++++++++
debian/patches/CVE-2015-7972.diff | 86 ++++++++++++++
debian/patches/series | 9 ++
tools/libxl/libxl.c | 2 +-
tools/libxl/libxl_dom.c | 9 +-
xen/arch/arm/domain.c | 13 ++-
xen/arch/arm/hvm.c | 2 +-
xen/arch/arm/physdev.c | 3 +-
xen/arch/x86/cpu/vpmu.c | 8 +-
xen/arch/x86/mm.c | 10 +-
xen/arch/x86/mm/p2m-pod.c | 86 +++++++++-----
xen/arch/x86/mm/p2m.c | 4 +
xen/common/domain.c | 1 +
xen/common/xenoprof.c | 11 +-
xen/include/asm-x86/p2m.h | 18 ++-
23 files changed, 813 insertions(+), 55 deletions(-)
diff --cc debian/.git-dpm
index 2db5360,0000000..d855409
mode 100644,000000..100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@@ -1,8 -1,0 +1,8 @@@
+# see git-dpm(1) from git-dpm package
- b00b02f0283fa7536ab44264a21c2dcdaa22d631
- b00b02f0283fa7536ab44264a21c2dcdaa22d631
++2cc6e92b8046952534df6e27abc16740a0ce9b0d
++2cc6e92b8046952534df6e27abc16740a0ce9b0d
+9fafe903bcadf774d3eb5fbef4666166aa876d2d
+9fafe903bcadf774d3eb5fbef4666166aa876d2d
+xen_4.6.0.orig.tar.xz
+3a298ab580a62dd4ffbe63567d4114f9c36d570c
+3525684
diff --cc debian/patches/CVE-2015-7812.diff
index 0000000,0000000..e4cad28
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7812.diff
@@@ -1,0 -1,0 +1,59 @@@
++From 1440439d8552e98995b91234480505c5eb154eb5 Mon Sep 17 00:00:00 2001
++From: Julien Grall <julien.grall at citrix.com>
++Date: Thu, 29 Oct 2015 13:46:45 +0100
++Subject: arm: Support hypercall_create_continuation for multicall
++
++Multicall for ARM has been supported since commit f0dbdc6 "xen: arm: fully
++implement multicall interface.". Although, if an hypercall in multicall
++requires preemption, it will crash the host:
++
++(XEN) Xen BUG at domain.c:347
++(XEN) ----[ Xen-4.7-unstable arm64 debug=y Tainted: C ]----
++[...]
++(XEN) Xen call trace:
++(XEN) [<00000000002420cc>] hypercall_create_continuation+0x64/0x380 (PC)
++(XEN) [<0000000000217274>] do_memory_op+0x1b00/0x2334 (LR)
++(XEN) [<0000000000250d2c>] do_multicall_call+0x114/0x124
++(XEN) [<0000000000217ff0>] do_multicall+0x17c/0x23c
++(XEN) [<000000000024f97c>] do_trap_hypercall+0x90/0x12c
++(XEN) [<0000000000251ca8>] do_trap_hypervisor+0xd2c/0x1ba4
++(XEN) [<00000000002582cc>] guest_sync+0x88/0xb8
++(XEN)
++(XEN)
++(XEN) ****************************************
++(XEN) Panic on CPU 5:
++(XEN) Xen BUG at domain.c:347
++(XEN) ****************************************
++(XEN)
++(XEN) Manual reset required ('noreboot' specified)
++
++Looking to the code, the support of multicall looks valid to me, as we only
++need to fill call.args[...]. So drop the BUG();
++
++This is CVE-2015-7812 / XSA-145.
++
++Signed-off-by: Julien Grall <julien.grall at citrix.com>
++Acked-by: Ian Campbell <ian.campbell at citrix.com>
++master commit: 29bcf64ce8bc0b1b7aacd00c8668f255c4f0686c
++master date: 2015-10-29 13:31:10 +0100
++
++(cherry picked from commit ea95ecb8bf30f83b52a079cdfc824a3ba6ffd4ef)
++
++Patch-Name: CVE-2015-7812.diff
++---
++ xen/arch/arm/domain.c | 2 --
++ 1 file changed, 2 deletions(-)
++
++diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
++index b2bfc7d..b9a4226 100644
++--- a/xen/arch/arm/domain.c
+++++ b/xen/arch/arm/domain.c
++@@ -344,8 +344,6 @@ unsigned long hypercall_create_continuation(
++
++ if ( test_bit(_MCSF_in_multicall, &mcs->flags) )
++ {
++- BUG(); /* XXX multicalls not implemented yet. */
++-
++ __set_bit(_MCSF_call_preempted, &mcs->flags);
++
++ for ( i = 0; *p != '\0'; i++ )
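Review bot: With the BUG() gone, the multicall branch of hypercall_create_continuation is left with no comment saying why preemption inside a multicall is now acceptable; the only hint was the deleted `XXX multicalls not implemented yet` marker. A one-line comment in place of the removed lines would carry the justification the commit message gives, e.g. `/* Multicall: the continuation is presumably recorded by refilling call.args[] below. */` (the "presumably" should be resolved against the loop that follows). hypercall_create_continuation continues past the end of the hunk.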
diff --cc debian/patches/CVE-2015-7813.diff
index 0000000,0000000..91eb658
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7813.diff
@@@ -1,0 -1,0 +1,55 @@@
++From 2989d96e3d84f2e589133edf317b8aed2429f3c8 Mon Sep 17 00:00:00 2001
++From: Ian Campbell <ian.campbell at citrix.com>
++Date: Thu, 29 Oct 2015 13:47:10 +0100
++Subject: arm: rate-limit logging from unimplemented PHYSDEVOP and HVMOP.
++
++These are guest accessible and should therefore be rate-limited.
++Moreover, include them only in debug builds.
++
++This is CVE-2015-7813 / XSA-146.
++
++Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
++Reviewed-by: Jan Beulich <jbeulich at suse.com>
++master commit: 1c0e59ff15764e7b0c59282365974f5b8924ce83
++master date: 2015-10-29 13:33:38 +0100
++
++(cherry picked from commit b18d995ca341d07a38fec04aa137e9ef85ee4dd0)
++
++Patch-Name: CVE-2015-7813.diff
++---
++ xen/arch/arm/hvm.c | 2 +-
++ xen/arch/arm/physdev.c | 3 ++-
++ 2 files changed, 3 insertions(+), 2 deletions(-)
++
++diff --git a/xen/arch/arm/hvm.c b/xen/arch/arm/hvm.c
++index 471c4cd..5fd0753 100644
++--- a/xen/arch/arm/hvm.c
+++++ b/xen/arch/arm/hvm.c
++@@ -57,7 +57,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
++
++ default:
++ {
++- printk("%s: Bad HVM op %ld.\n", __func__, op);
+++ gdprintk(XENLOG_DEBUG, "HVMOP op=%lu: not implemented\n", op);
++ rc = -ENOSYS;
++ break;
++ }
++diff --git a/xen/arch/arm/physdev.c b/xen/arch/arm/physdev.c
++index 61b4a18..27bbbda 100644
++--- a/xen/arch/arm/physdev.c
+++++ b/xen/arch/arm/physdev.c
++@@ -8,12 +8,13 @@
++ #include <xen/types.h>
++ #include <xen/lib.h>
++ #include <xen/errno.h>
+++#include <xen/sched.h>
++ #include <asm/hypercall.h>
++
++
++ int do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
++ {
++- printk("%s %d cmd=%d: not implemented yet\n", __func__, __LINE__, cmd);
+++ gdprintk(XENLOG_DEBUG, "PHYSDEVOP cmd=%d: not implemented\n", cmd);
++ return -ENOSYS;
++ }
++
diff --cc debian/patches/CVE-2015-7814.diff
index 0000000,0000000..8d574e5
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7814.diff
@@@ -1,0 -1,0 +1,50 @@@
++From 0361df69e22ae145cfdd95b0a3ea75a858a4bc08 Mon Sep 17 00:00:00 2001
++From: Ian Campbell <ian.campbell at citrix.com>
++Date: Thu, 29 Oct 2015 13:47:38 +0100
++Subject: arm: handle races between relinquish_memory and free_domheap_pages
++
++Primarily this means XENMEM_decrease_reservation from a toolstack
++domain.
++
++Unlike x86 we have no requirement right now to queue such pages onto
++a separate list, if we hit this race then the other code has already
++fully accepted responsibility for freeing this page and therefore
++there is no more for relinquish_memory to do.
++
++This is CVE-2015-7814 / XSA-147.
++
++Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
++Reviewed-by: Julien Grall <julien.grall at citrix.com>
++Reviewed-by: Jan Beulich <jbeulich at suse.com>
++master commit: 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
++master date: 2015-10-29 13:34:17 +0100
++
++(cherry picked from commit df6fa370865717ee51530c0102d1e983a70d37c3)
++
++Patch-Name: CVE-2015-7814.diff
++---
++ xen/arch/arm/domain.c | 11 +++++++++--
++ 1 file changed, 9 insertions(+), 2 deletions(-)
++
++diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
++index b9a4226..20cc772 100644
++--- a/xen/arch/arm/domain.c
+++++ b/xen/arch/arm/domain.c
++@@ -768,8 +768,15 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list)
++ {
++ /* Grab a reference to the page so it won't disappear from under us. */
++ if ( unlikely(!get_page(page, d)) )
++- /* Couldn't get a reference -- someone is freeing this page. */
++- BUG();
+++ /*
+++ * Couldn't get a reference -- someone is freeing this page and
+++ * has already committed to doing so, so no more to do here.
+++ *
+++ * Note that the page must be left on the list, a list_del
+++ * here will clash with the list_del done by the other
+++ * party in the race and corrupt the list head.
+++ */
+++ continue;
++
++ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
++ put_page(page);
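Review bot: The new `continue` on a failed get_page() skips the whole remainder of the loop body for that page, not only the two put_page() calls shown; if the body after this hunk carries a hypercall_preempt_check() (the loop's end is outside the hunk), a run of pages lost in this race is walked with no preemption point. That should be confirmed against the rest of relinquish_memory, and if so the check either moved ahead of get_page() or the body restructured as `if ( get_page(page, d) ) { ... }` so every iteration reaches it. Separately, an eight-line comment between `if ( unlikely(!get_page(page, d)) )` and its lone `continue` makes the branch hard to scan; braces around the branch would keep the comment from reading as the controlled statement.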
diff --cc debian/patches/CVE-2015-7835.diff
index 0000000,0000000..d43b104
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7835.diff
@@@ -1,0 -1,0 +1,57 @@@
++From c270ef05942a8ce35d78064aaa82f4f8360aff27 Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Thu, 29 Oct 2015 13:48:09 +0100
++Subject: x86: guard against undue super page PTE creation
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++When optional super page support got added (commit bd1cd81d64 "x86: PV
++support for hugepages"), two adjustments were missed: mod_l2_entry()
++needs to consider the PSE and RW bits when deciding whether to use the
++fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
++unconditionally.
++
++This is CVE-2015-7835 / XSA-148.
++
++Reported-by: "栾尚聪(好风)" <shangcong.lsc at alibaba-inc.com>
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Tim Deegan <tim at xen.org>
++master commit: fe360c90ea13f309ef78810f1a2b92f2ae3b30b8
++master date: 2015-10-29 13:35:07 +0100
++
++(cherry picked from commit 2d094bd87072e26ac29b07917d31fcbf13892288)
++
++Patch-Name: CVE-2015-7835.diff
++---
++ xen/arch/x86/mm.c | 10 ++++++++--
++ 1 file changed, 8 insertions(+), 2 deletions(-)
++
++diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
++index 202ff76..fc65982 100644
++--- a/xen/arch/x86/mm.c
+++++ b/xen/arch/x86/mm.c
++@@ -160,7 +160,10 @@ static void put_superpage(unsigned long mfn);
++ static uint32_t base_disallow_mask;
++ /* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
++ #define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
++-#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
+++
+++#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
+++ ? base_disallow_mask & ~_PAGE_PSE \
+++ : base_disallow_mask)
++
++ #define l3_disallow_mask(d) (!is_pv_32bit_domain(d) ? \
++ base_disallow_mask : 0xFFFFF198U)
++@@ -1839,7 +1842,10 @@ static int mod_l2_entry(l2_pgentry_t *pl2e,
++ }
++
++ /* Fast path for identical mapping and presence. */
++- if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
+++ if ( !l2e_has_changed(ol2e, nl2e,
+++ unlikely(opt_allow_superpage)
+++ ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
+++ : _PAGE_PRESENT) )
++ {
++ adjust_guest_l2e(nl2e, d);
++ if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
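Review bot: The `unlikely(opt_allow_superpage) ? ... : ...` choice now appears twice, once inside L2_DISALLOW_MASK and again inline in mod_l2_entry's fast-path check, with nothing tying the two together, so a later edit to one can let the disallow mask and the fast-path bits drift apart. A comment on the macro such as `/* PSE is only a legitimate L2 bit when superpage support is enabled; mod_l2_entry's fast path must compare the same bits. */` would make the coupling explicit. mod_l2_entry's body continues outside the hunk.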
diff --cc debian/patches/CVE-2015-7969.1.diff
index 0000000,0000000..061fdc7
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7969.1.diff
@@@ -1,0 -1,0 +1,42 @@@
++From 967130a6c0a919da36281b69f600a31c22715b8c Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Thu, 29 Oct 2015 13:51:24 +0100
++Subject: xenoprof: free domain's vcpu array
++
++This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
++guest").
++
++This is CVE-2015-7969 / XSA-151.
++
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
++master commit: 6e97c4b37386c2d09e09e9b5d5d232e37728b960
++master date: 2015-10-29 13:36:52 +0100
++
++(cherry picked from commit 429f0cd270851462783fc6d56d6bae9cbb40bdca)
++
++Patch-Name: CVE-2015-7969.1.diff
++---
++ xen/common/xenoprof.c | 2 ++
++ 1 file changed, 2 insertions(+)
++
++diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
++index 1061323..53a803a 100644
++--- a/xen/common/xenoprof.c
+++++ b/xen/common/xenoprof.c
++@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct(
++ d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0);
++ if ( d->xenoprof->rawbuf == NULL )
++ {
+++ xfree(d->xenoprof->vcpu);
++ xfree(d->xenoprof);
++ d->xenoprof = NULL;
++ return -ENOMEM;
++@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain *d)
++ free_xenheap_pages(x->rawbuf, order);
++ }
++
+++ xfree(x->vcpu);
++ xfree(x);
++ d->xenoprof = NULL;
++ }
diff --cc debian/patches/CVE-2015-7969.diff
index 0000000,0000000..8b7c980
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7969.diff
@@@ -1,0 -1,0 +1,35 @@@
++From 91af405ccfba7200fec38d5c2624798794a0eb76 Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Thu, 29 Oct 2015 13:49:56 +0100
++Subject: free domain's vcpu array
++
++This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
++guest").
++
++This is CVE-2015-7969 / XSA-149.
++
++Reported-by: Ian Campbell <ian.campbell at citrix.com>
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
++master commit: d46896ebbb23f3a9fef2eb6066ae614fd1acfd96
++master date: 2015-10-29 13:35:40 +0100
++
++(cherry picked from commit 2c57108c36eaa10885b7d0daad534348717e4f9d)
++
++Patch-Name: CVE-2015-7969.diff
++---
++ xen/common/domain.c | 1 +
++ 1 file changed, 1 insertion(+)
++
++diff --git a/xen/common/domain.c b/xen/common/domain.c
++index 1b9fcfc..796c492 100644
++--- a/xen/common/domain.c
+++++ b/xen/common/domain.c
++@@ -833,6 +833,7 @@ static void complete_domain_destroy(struct rcu_head *head)
++
++ xsm_free_security_domain(d);
++ free_cpumask_var(d->domain_dirty_cpumask);
+++ xfree(d->vcpu);
++ free_domain_struct(d);
++
++ send_global_virq(VIRQ_DOM_EXC);
diff --cc debian/patches/CVE-2015-7970.diff
index 0000000,0000000..07cb9bf
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7970.diff
@@@ -1,0 -1,0 +1,221 @@@
++From 86a812432587c0a6c415f935de3fb9838c0d1098 Mon Sep 17 00:00:00 2001
++From: Andrew Cooper <andrew.cooper3 at citrix.com>
++Date: Thu, 29 Oct 2015 13:50:59 +0100
++Subject: x86/PoD: Eager sweep for zeroed pages
++
++Based on the contents of a guests physical address space,
++p2m_pod_emergency_sweep() could degrade into a linear memcmp() from 0 to
++max_gfn, which runs non-preemptibly.
++
++As p2m_pod_emergency_sweep() runs behind the scenes in a number of contexts,
++making it preemptible is not feasible.
++
++Instead, a different approach is taken. Recently-populated pages are eagerly
++checked for reclaimation, which amortises the p2m_pod_emergency_sweep()
++operation across each p2m_pod_demand_populate() operation.
++
++Note that in the case that a 2M superpage can't be reclaimed as a superpage,
++it is shattered if 4K pages of zeros can be reclaimed. This is unfortunate
++but matches the previous behaviour, and is required to avoid regressions
++(domain crash from PoD exhaustion) with VMs configured close to the limit.
++
++This is CVE-2015-7970 / XSA-150.
++
++Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
++Reviewed-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: George Dunlap <george.dunlap at citrix.com>
++master commit: 101ce53266866144e724ed593173bc4098b300b9
++master date: 2015-10-29 13:36:25 +0100
++
++(cherry picked from commit 4a32fbd95af6503ea1314ff2aa9a0b0a473d46c0)
++
++Patch-Name: CVE-2015-7970.diff
++---
++ xen/arch/x86/mm/p2m-pod.c | 86 +++++++++++++++++++++++++++++++----------------
++ xen/arch/x86/mm/p2m.c | 4 +++
++ xen/include/asm-x86/p2m.h | 18 +++++++---
++ 3 files changed, 75 insertions(+), 33 deletions(-)
++
++diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
++index 8156525..9196a5d 100644
++--- a/xen/arch/x86/mm/p2m-pod.c
+++++ b/xen/arch/x86/mm/p2m-pod.c
++@@ -901,28 +901,6 @@ p2m_pod_zero_check(struct p2m_domain *p2m, unsigned long *gfns, int count)
++ }
++
++ #define POD_SWEEP_LIMIT 1024
++-
++-/* When populating a new superpage, look at recently populated superpages
++- * hoping that they've been zeroed. This will snap up zeroed pages as soon as
++- * the guest OS is done with them. */
++-static void
++-p2m_pod_check_last_super(struct p2m_domain *p2m, unsigned long gfn_aligned)
++-{
++- unsigned long check_gfn;
++-
++- ASSERT(p2m->pod.last_populated_index < POD_HISTORY_MAX);
++-
++- check_gfn = p2m->pod.last_populated[p2m->pod.last_populated_index];
++-
++- p2m->pod.last_populated[p2m->pod.last_populated_index] = gfn_aligned;
++-
++- p2m->pod.last_populated_index =
++- ( p2m->pod.last_populated_index + 1 ) % POD_HISTORY_MAX;
++-
++- p2m_pod_zero_check_superpage(p2m, check_gfn);
++-}
++-
++-
++ #define POD_SWEEP_STRIDE 16
++ static void
++ p2m_pod_emergency_sweep(struct p2m_domain *p2m)
++@@ -963,7 +941,7 @@ p2m_pod_emergency_sweep(struct p2m_domain *p2m)
++ * NB that this is a zero-sum game; we're increasing our cache size
++ * by re-increasing our 'debt'. Since we hold the pod lock,
++ * (entry_count - count) must remain the same. */
++- if ( p2m->pod.count > 0 && i < limit )
+++ if ( i < limit && (p2m->pod.count > 0 || hypercall_preempt_check()) )
++ break;
++ }
++
++@@ -975,6 +953,58 @@ p2m_pod_emergency_sweep(struct p2m_domain *p2m)
++
++ }
++
+++static void pod_eager_reclaim(struct p2m_domain *p2m)
+++{
+++ struct pod_mrp_list *mrp = &p2m->pod.mrp;
+++ unsigned int i = 0;
+++
+++ /*
+++ * Always check one page for reclaimation.
+++ *
+++ * If the PoD pool is empty, keep checking some space is found, or all
+++ * entries have been exhaused.
+++ */
+++ do
+++ {
+++ unsigned int idx = (mrp->idx + i++) % ARRAY_SIZE(mrp->list);
+++ unsigned long gfn = mrp->list[idx];
+++
+++ if ( gfn != INVALID_GFN )
+++ {
+++ if ( gfn & POD_LAST_SUPERPAGE )
+++ {
+++ gfn &= ~POD_LAST_SUPERPAGE;
+++
+++ if ( p2m_pod_zero_check_superpage(p2m, gfn) == 0 )
+++ {
+++ unsigned int x;
+++
+++ for ( x = 0; x < SUPERPAGE_PAGES; ++x, ++gfn )
+++ p2m_pod_zero_check(p2m, &gfn, 1);
+++ }
+++ }
+++ else
+++ p2m_pod_zero_check(p2m, &gfn, 1);
+++
+++ mrp->list[idx] = INVALID_GFN;
+++ }
+++
+++ } while ( (p2m->pod.count == 0) && (i < ARRAY_SIZE(mrp->list)) );
+++}
+++
+++static void pod_eager_record(struct p2m_domain *p2m,
+++ unsigned long gfn, unsigned int order)
+++{
+++ struct pod_mrp_list *mrp = &p2m->pod.mrp;
+++
+++ ASSERT(mrp->list[mrp->idx] == INVALID_GFN);
+++ ASSERT(gfn != INVALID_GFN);
+++
+++ mrp->list[mrp->idx++] =
+++ gfn | (order == PAGE_ORDER_2M ? POD_LAST_SUPERPAGE : 0);
+++ mrp->idx %= ARRAY_SIZE(mrp->list);
+++}
+++
++ int
++ p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
++ unsigned int order,
++@@ -1015,6 +1045,8 @@ p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
++ return 0;
++ }
++
+++ pod_eager_reclaim(p2m);
+++
++ /* Only sweep if we're actually out of memory. Doing anything else
++ * causes unnecessary time and fragmentation of superpages in the p2m. */
++ if ( p2m->pod.count == 0 )
++@@ -1051,6 +1083,8 @@ p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
++ p2m->pod.entry_count -= (1 << order);
++ BUG_ON(p2m->pod.entry_count < 0);
++
+++ pod_eager_record(p2m, gfn_aligned, order);
+++
++ if ( tb_init_done )
++ {
++ struct {
++@@ -1066,12 +1100,6 @@ p2m_pod_demand_populate(struct p2m_domain *p2m, unsigned long gfn,
++ __trace_var(TRC_MEM_POD_POPULATE, 0, sizeof(t), &t);
++ }
++
++- /* Check the last guest demand-populate */
++- if ( p2m->pod.entry_count > p2m->pod.count
++- && (order == PAGE_ORDER_2M)
++- && (q & P2M_ALLOC) )
++- p2m_pod_check_last_super(p2m, gfn_aligned);
++-
++ pod_unlock(p2m);
++ return 0;
++ out_of_memory:
++diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
++index c6b883d..cbe3f24 100644
++--- a/xen/arch/x86/mm/p2m.c
+++++ b/xen/arch/x86/mm/p2m.c
++@@ -60,6 +60,7 @@ boolean_param("hap_2mb", opt_hap_2mb);
++ /* Init the datastructures for later use by the p2m code */
++ static int p2m_initialise(struct domain *d, struct p2m_domain *p2m)
++ {
+++ unsigned int i;
++ int ret = 0;
++
++ mm_rwlock_init(&p2m->lock);
++@@ -75,6 +76,9 @@ static int p2m_initialise(struct domain *d, struct p2m_domain *p2m)
++
++ p2m->np2m_base = P2M_BASE_EADDR;
++
+++ for ( i = 0; i < ARRAY_SIZE(p2m->pod.mrp.list); ++i )
+++ p2m->pod.mrp.list[i] = INVALID_GFN;
+++
++ if ( hap_enabled(d) && cpu_has_vmx )
++ ret = ept_p2m_init(p2m);
++ else
++diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
++index 5e99ac6..e91a875 100644
++--- a/xen/include/asm-x86/p2m.h
+++++ b/xen/include/asm-x86/p2m.h
++@@ -292,10 +292,20 @@ struct p2m_domain {
++ entry_count; /* # of pages in p2m marked pod */
++ unsigned long reclaim_single; /* Last gpfn of a scan */
++ unsigned long max_guest; /* gpfn of max guest demand-populate */
++-#define POD_HISTORY_MAX 128
++- /* gpfn of last guest superpage demand-populated */
++- unsigned long last_populated[POD_HISTORY_MAX];
++- unsigned int last_populated_index;
+++
+++ /*
+++ * Tracking of the most recently populated PoD pages, for eager
+++ * reclamation.
+++ */
+++ struct pod_mrp_list {
+++#define NR_POD_MRP_ENTRIES 32
+++
+++/* Encode ORDER_2M superpage in top bit of GFN */
+++#define POD_LAST_SUPERPAGE (INVALID_GFN & ~(INVALID_GFN >> 1))
+++
+++ unsigned long list[NR_POD_MRP_ENTRIES];
+++ unsigned int idx;
+++ } mrp;
++ mm_lock_t lock; /* Locking of private pod structs, *
++ * not relying on the p2m lock. */
++ } pod;
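Review bot: In p2m_pod_emergency_sweep the new break condition abandons the sweep as soon as hypercall_preempt_check() fires, yet no continuation is created and nothing is reported to the caller; p2m_pod_demand_populate only re-tests `p2m->pod.count == 0` (the start of the 1045 hunk) and presumably falls through to the `out_of_memory:` label seen in the 1100 hunk when the sweep was cut short before reclaiming anything. If that is the intended trade-off, the comment above the break should say so, e.g. `/* Stop early on preemption: the eager reclaim on every populate is expected to keep the pool fed; a cut-short sweep still ends in out_of_memory. */`. The rest of p2m_pod_emergency_sweep is outside the hunk. In pod_eager_reclaim the new block comment has two typos, `reclaimation` and `exhaused`, and `keep checking some space is found` should read `keep checking until some space is found`.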
diff --cc debian/patches/CVE-2015-7971.diff
index 0000000,0000000..3e0f7d9
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7971.diff
@@@ -1,0 -1,0 +1,83 @@@
++From 2c55f2480b83990081dc43541eebf391635014ca Mon Sep 17 00:00:00 2001
++From: Jan Beulich <jbeulich at suse.com>
++Date: Thu, 29 Oct 2015 13:52:02 +0100
++Subject: x86: rate-limit logging in do_xen{oprof,pmu}_op()
++
++Some of the sub-ops are acessible to all guests, and hence should be
++rate-limited. In the xenoprof case, just like for XSA-146, include them
++only in debug builds. Since the vPMU code is rather new, allow them to
++be always present, but downgrade them to (rate limited) guest messages.
++
++This is CVE-2015-7971 / XSA-152.
++
++Signed-off-by: Jan Beulich <jbeulich at suse.com>
++Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
++master commit: 95e7415843b94c346e5ba8682665f508f220e04b
++master date: 2015-10-29 13:37:19 +0100
++
++(cherry picked from commit bdc9fdf9d468cb94ca0fbed1b969c20bf173dc9b)
++
++Patch-Name: CVE-2015-7971.diff
++---
++ xen/arch/x86/cpu/vpmu.c | 8 ++++----
++ xen/common/xenoprof.c | 9 +++------
++ 2 files changed, 7 insertions(+), 10 deletions(-)
++
++diff --git a/xen/arch/x86/cpu/vpmu.c b/xen/arch/x86/cpu/vpmu.c
++index 8af3df1..2f5156a 100644
++--- a/xen/arch/x86/cpu/vpmu.c
+++++ b/xen/arch/x86/cpu/vpmu.c
++@@ -682,8 +682,8 @@ long do_xenpmu_op(unsigned int op, XEN_GUEST_HANDLE_PARAM(xen_pmu_params_t) arg)
++ vpmu_mode = pmu_params.val;
++ else if ( vpmu_mode != pmu_params.val )
++ {
++- printk(XENLOG_WARNING
++- "VPMU: Cannot change mode while active VPMUs exist\n");
+++ gprintk(XENLOG_WARNING,
+++ "VPMU: Cannot change mode while active VPMUs exist\n");
++ ret = -EBUSY;
++ }
++
++@@ -714,8 +714,8 @@ long do_xenpmu_op(unsigned int op, XEN_GUEST_HANDLE_PARAM(xen_pmu_params_t) arg)
++ vpmu_features = pmu_params.val;
++ else
++ {
++- printk(XENLOG_WARNING "VPMU: Cannot change features while"
++- " active VPMUs exist\n");
+++ gprintk(XENLOG_WARNING,
+++ "VPMU: Cannot change features while active VPMUs exist\n");
++ ret = -EBUSY;
++ }
++
++diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
++index 53a803a..19b4605 100644
++--- a/xen/common/xenoprof.c
+++++ b/xen/common/xenoprof.c
++@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
++
++ if ( (op < 0) || (op > XENOPROF_last_op) )
++ {
++- printk("xenoprof: invalid operation %d for domain %d\n",
++- op, current->domain->domain_id);
+++ gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op);
++ return -EINVAL;
++ }
++
++ if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) )
++ {
++- printk("xenoprof: dom %d denied privileged operation %d\n",
++- current->domain->domain_id, op);
+++ gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op);
++ return -EPERM;
++ }
++
++@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_HANDLE_PARAM(void) arg)
++ spin_unlock(&xenoprof_lock);
++
++ if ( ret < 0 )
++- printk("xenoprof: operation %d failed for dom %d (status : %d)\n",
++- op, current->domain->domain_id, ret);
+++ gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret);
++
++ return ret;
++ }
diff --cc debian/patches/CVE-2015-7972.diff
index 0000000,0000000..b122b41
new file mode 100644
--- /dev/null
+++ b/debian/patches/CVE-2015-7972.diff
@@@ -1,0 -1,0 +1,86 @@@
++From 2cc6e92b8046952534df6e27abc16740a0ce9b0d Mon Sep 17 00:00:00 2001
++From: Ian Jackson <ian.jackson at eu.citrix.com>
++Date: Wed, 21 Oct 2015 16:18:30 +0100
++Subject: libxl: adjust PoD target by memory fudge, too
++
++PoD guests need to balloon at least as far as required by PoD, or risk
++crashing. Currently they don't necessarily know what the right value
++is, because our memory accounting is (at the very least) confusing.
++
++Apply the memory limit fudge factor to the in-hypervisor PoD memory
++target, too. This will increase the size of the guest's PoD cache by
++the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby). This ensures
++that even with a slightly-off balloon driver, the guest will be
++stable even under memory pressure.
++
++There are two call sites of xc_domain_set_pod_target that need fixing:
++
++The one in libxl_set_memory_target is straightforward.
++
++The one in xc_hvm_build_x86.c:setup_guest is more awkward. Simply
++setting the PoD target differently does not work because the various
++amounts of memory during domain construction no longer match up.
++Instead, we adjust the guest memory target in xenstore (but only for
++PoD guests).
++
++This introduces a 1Mby discrepancy between the balloon target of a PoD
++guest at boot, and the target set by an apparently-equivalent `xl
++mem-set' (or similar) later. This approach is low-risk for a security
++fix but we need to fix this up properly in xen.git#staging and
++probably also in stable trees.
++
++This is XSA-153.
++
++Signed-off-by: Ian Jackson <Ian.Jackson at eu.citrix.com>
++(cherry picked from commit 56fb5fd62320eb40a7517206f9706aa9188d6f7b)
++
++Patch-Name: CVE-2015-7972.diff
++---
++ tools/libxl/libxl.c | 2 +-
++ tools/libxl/libxl_dom.c | 9 ++++++++-
++ 2 files changed, 9 insertions(+), 2 deletions(-)
++
++diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
++index d38d0c7..1366177 100644
++--- a/tools/libxl/libxl.c
+++++ b/tools/libxl/libxl.c
++@@ -4815,7 +4815,7 @@ retry_transaction:
++ }
++
++ rc = xc_domain_set_pod_target(ctx->xch, domid,
++- new_target_memkb / 4, NULL, NULL, NULL);
+++ (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL);
++ if (rc != 0) {
++ LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR,
++ "xc_domain_set_pod_target domid=%d, memkb=%d "
++diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
++index b514377..8019f4e 100644
++--- a/tools/libxl/libxl_dom.c
+++++ b/tools/libxl/libxl_dom.c
++@@ -486,6 +486,7 @@ int libxl__build_post(libxl__gc *gc, uint32_t domid,
++ xs_transaction_t t;
++ char **ents;
++ int i, rc;
+++ int64_t mem_target_fudge;
++
++ if (info->num_vnuma_nodes && !info->num_vcpu_soft_affinity) {
++ rc = set_vnuma_affinity(gc, domid, info);
++@@ -518,11 +519,17 @@ int libxl__build_post(libxl__gc *gc, uint32_t domid,
++ }
++ }
++
+++ mem_target_fudge =
+++ (info->type == LIBXL_DOMAIN_TYPE_HVM &&
+++ info->max_memkb > info->target_memkb)
+++ ? LIBXL_MAXMEM_CONSTANT : 0;
+++
++ ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *));
++ ents[0] = "memory/static-max";
++ ents[1] = GCSPRINTF("%"PRId64, info->max_memkb);
++ ents[2] = "memory/target";
++- ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb);
+++ ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb
+++ - mem_target_fudge);
++ ents[4] = "memory/videoram";
++ ents[5] = GCSPRINTF("%"PRId64, info->video_memkb);
++ ents[6] = "domid";
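Review bot: The two fudge adjustments are gated differently: libxl_set_memory_target adds LIBXL_MAXMEM_CONSTANT to the PoD target unconditionally at the visible call, while libxl__build_post subtracts `mem_target_fudge` from the xenstore target only when `info->type == LIBXL_DOMAIN_TYPE_HVM && info->max_memkb > info->target_memkb`, and neither site says what that condition stands for. A comment on the assignment, e.g. `/* PoD is in use for HVM guests whose target is below static-max; shrink the xenstore balloon target by the same fudge libxl_set_memory_target adds to the PoD target. */`, would record the intent and the boot-vs-mem-set discrepancy the commit message already acknowledges. The context around the libxl_set_memory_target call is outside the hunk, so whether it sits under a PoD-only condition cannot be confirmed here.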
diff --cc debian/patches/series
index d45d432,0000000..984d69c
mode 100644,000000..100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -1,25 -1,0 +1,34 @@@
+version.diff
+config-prefix.diff
+tools-libfsimage-abiname.diff
+tools-libxc-abiname.diff
+tools-libxl-abiname.diff
+tools-xenstat-abiname.diff
+tools-rpath.diff
+tools-blktap2-prefix.diff
+tools-console-prefix.diff
+tools-libfsimage-prefix.diff
+tools-libxl-prefix.diff
+tools-misc-prefix.diff
+tools-pygrub-prefix.diff
+tools-python-prefix.diff
+tools-xcutils-rpath.diff
+tools-xenmon-prefix.diff
+tools-xenpaging-prefix.diff
+tools-xenpmd-prefix.diff
+tools-xenstat-prefix.diff
+tools-xenstore-prefix.diff
+tools-xentrace-prefix.diff
+tools-pygrub-remove-static-solaris-support
+tools-include-install.diff
+tools-xenmon-install.diff
+tools-xenstore-compatibility.diff
++CVE-2015-7812.diff
++CVE-2015-7813.diff
++CVE-2015-7814.diff
++CVE-2015-7835.diff
++CVE-2015-7969.diff
++CVE-2015-7970.diff
++CVE-2015-7969.1.diff
++CVE-2015-7971.diff
++CVE-2015-7972.diff