xen.git
Declare fast forward from 4.8.0~rc5-1
Ian Jackson [Thu, 22 Dec 2016 14:51:46 +0000 (14:51 +0000)]
Declare fast forward from 4.8.0~rc5-1

[dgit --overwrite]

Commit Debian 3.0 (quilt) metadata
Ian Jackson [Thu, 22 Dec 2016 17:47:20 +0000 (17:47 +0000)]
Commit Debian 3.0 (quilt) metadata

[dgit (2.13) quilt-fixup]

finalise 4.8.0-1
Ian Jackson [Thu, 22 Dec 2016 17:46:04 +0000 (17:46 +0000)]
finalise 4.8.0-1

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
debian/.gitignore
Ian Jackson [Thu, 22 Dec 2016 16:49:16 +0000 (16:49 +0000)]
debian/.gitignore

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
changelog: document fix cherry pick
Ian Jackson [Thu, 22 Dec 2016 16:26:59 +0000 (16:26 +0000)]
changelog: document fix cherry pick

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Look for xenstored with xenstore-read from PATH
Ian Jackson [Thu, 22 Dec 2016 15:32:33 +0000 (15:32 +0000)]
Look for xenstored with xenstore-read from PATH

"Check that xenstored has actually started before talking to it"
invoked /usr/sbin/xenstored, which does not exist.

Absolute paths are EBW anyway.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
changelog: make a final line for 4.8.0-1~ to work around #849081
Ian Jackson [Thu, 22 Dec 2016 14:59:44 +0000 (14:59 +0000)]
changelog: make a final line for 4.8.0-1~ to work around #849081

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
x86/emul: add likely()/unlikely() to test harness
Andrew Cooper [Thu, 22 Dec 2016 15:23:37 +0000 (16:23 +0100)]
x86/emul: add likely()/unlikely() to test harness

Fix a build problem introduced in c/s 122dd9575c7 "x86emul:
in_longmode() should not ignore ->read_msr() errors" by providing an
implementation of likely()/unlikely().

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Cherrypicked out of:

master commit: 3e84c8da7d2c5442a12789dae7163dca6c0e154f
master date: 2016-12-02 17:23:01 +0000

control: regenerate
Ian Jackson [Thu, 22 Dec 2016 10:31:45 +0000 (10:31 +0000)]
control: regenerate

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Include a reportbug control file to redirect bugs to src:xen
Ian Campbell [Fri, 21 Aug 2015 13:54:13 +0000 (14:54 +0100)]
Include a reportbug control file to redirect bugs to src:xen

(cherry picked from commit 084b7cf56dd2ccfbf1c04796689222dac9d58ac6)

Conflicts:
debian/changelog
debian/rules.real

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Apply SELinux labels to directories created by initscripts.
Ian Campbell [Thu, 6 Nov 2014 11:32:39 +0000 (11:32 +0000)]
Apply SELinux labels to directories created by initscripts.

Patch from Russell Coker. (Closes: #764912)

(cherry picked from commit 46a8d71bec748f3c6dfb98bf4ba3973a5b3cd951)

Conflicts:
debian/changelog

Correctly use cls in xen-init-list:SXPParser.loads
Ian Campbell [Sat, 22 Aug 2015 07:58:34 +0000 (08:58 +0100)]
Correctly use cls in xen-init-list:SXPParser.loads

(cherry picked from commit c617b4af156647ad4d390c4061ca3ee72100f99f)

Correct syntax error in xen-init-list
Ian Campbell [Fri, 21 Aug 2015 19:31:22 +0000 (20:31 +0100)]
Correct syntax error in xen-init-list

(cherry picked from commit bbd22332c24478f86a5cff52531c1bc3697d8d96)

Conflicts:
debian/changelog

Check that xenstored has actually started before talking to it.
Ian Campbell [Tue, 25 Nov 2014 12:47:08 +0000 (12:47 +0000)]
Check that xenstored has actually started before talking to it.

Incorporate a timeout so as not to block boot (Mitigates #737613).

This code was taken from the upstream initscript and adapted, so it is
pretty well tested.

(cherry picked from commit 57e0a490c53a029d0921edde9e1acdc158ac2164)

Conflicts:
debian/changelog
debian/xen-utils-common.xen.init

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
control: Change my email address
Ian Jackson [Wed, 21 Dec 2016 15:26:36 +0000 (15:26 +0000)]
control: Change my email address

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
changelog: More XSA gardening
Ian Jackson [Wed, 21 Dec 2016 15:22:43 +0000 (15:22 +0000)]
changelog: More XSA gardening

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
changelog: Document security fixes
Ian Jackson [Wed, 21 Dec 2016 15:05:47 +0000 (15:05 +0000)]
changelog: Document security fixes

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
x86/emul: Correct the handling of eflags with SYSCALL
Andrew Cooper [Sun, 18 Dec 2016 15:42:59 +0000 (15:42 +0000)]
x86/emul: Correct the handling of eflags with SYSCALL

A singlestep #DB is determined by the resulting eflags value from the
execution of SYSCALL, not the original eflags value.

By using the original eflags value, we negate the guest kernel's attempt to
protect itself from a privilege escalation by masking TF.

Have the SYSCALL emulation recalculate tf after the instruction is complete.

This is XSA-204

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
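The XSA-204 message above turns on one detail: whether the single-step trap flag is sampled before or after SYSCALL has applied the guest kernel's SFMASK. The following is an added illustration, not Xen's emulator code; the flag bit positions are architectural, but the two functions and the way they model the emulator (including clearing RF alongside the mask) are constructed for this example.

```c
/* Added illustration of the XSA-204 point: not Xen's emulator code. The
 * EFLAGS bit positions are architectural; the functions are constructed. */
#include <stdint.h>
#include <stdbool.h>

#define X86_EFLAGS_TF  (1u << 8)   /* trap flag: single-step #DB after the next insn */
#define X86_EFLAGS_IF  (1u << 9)
#define X86_EFLAGS_RF  (1u << 16)

/* Effect of SYSCALL on RFLAGS: the old value is saved to R11, then RFLAGS is
 * ANDed with the complement of the SFMASK MSR (RF is cleared as well; that
 * part is a modelling assumption and not the point here). A guest kernel
 * that wants to protect its entry path puts TF in SFMASK so that a TF set
 * by user mode cannot follow the privilege change into the kernel. */
static uint64_t syscall_new_rflags(uint64_t old_rflags, uint64_t sfmask)
{
    return old_rflags & ~(sfmask | X86_EFLAGS_RF);
}

/* Does the emulated SYSCALL end with a single-step #DB being raised?
 * fixed == false models the pre-fix logic (TF sampled from the original
 * eflags); fixed == true recalculates TF from the post-instruction value,
 * which is what the commit message above describes. */
static bool singlestep_db_after_syscall(uint64_t old_rflags, uint64_t sfmask,
                                        bool fixed)
{
    uint64_t new_rflags = syscall_new_rflags(old_rflags, sfmask);
    uint64_t tf_source = fixed ? new_rflags : old_rflags;

    return (tf_source & X86_EFLAGS_TF) != 0;
}
```

With TF set in the incoming flags and TF included in SFMASK, the pre-fix logic still reports a pending #DB (the kernel's masking is ignored), while the recalculated version does not; when the kernel does not mask TF, both agree that the trap is delivered.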
x86/HVM: add missing NULL check before using VMFUNC hook
Jan Beulich [Wed, 21 Dec 2016 15:02:34 +0000 (15:02 +0000)]
x86/HVM: add missing NULL check before using VMFUNC hook

This is XSA-203.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
x86: force EFLAGS.IF on when exiting to PV guests
Jan Beulich [Wed, 21 Dec 2016 15:00:32 +0000 (15:00 +0000)]
x86: force EFLAGS.IF on when exiting to PV guests

Guest kernels modifying instructions in the process of being emulated
for another of their vCPU-s may effect EFLAGS.IF to be cleared upon
next exiting to guest context, by converting the being emulated
instruction to CLI (at the right point in time). Prevent any such bad
effects by always forcing EFLAGS.IF on. And to cover hypothetical other
similar issues, also force EFLAGS.{IOPL,NT,VM} to zero.

This is XSA-202.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
changelog: Document XSA fixes
Ian Jackson [Wed, 21 Dec 2016 14:53:41 +0000 (14:53 +0000)]
changelog: Document XSA fixes

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
changelog: Rebased to 4.8.0
Ian Jackson [Wed, 21 Dec 2016 14:43:43 +0000 (14:43 +0000)]
changelog: Rebased to 4.8.0

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Fix xen-init-name to not fail looking for a nonexistent 'config' entry in xl's JSON output.  Closes:#818129.
Ian Jackson [Wed, 16 Nov 2016 16:30:06 +0000 (16:30 +0000)]
Fix xen-init-name to not fail looking for a nonexistent 'config' entry in xl's JSON output.  Closes:#818129.

Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Start a qemu process in dom0 to service the toolstack's loopback disk attaches.
Ian Campbell [Fri, 21 Nov 2014 11:27:45 +0000 (11:27 +0000)]
Start a qemu process in dom0 to service the toolstack's loopback disk attaches.

This is used to e.g. run pygrub on a VM with a qcow2 disk image.

(Closes: #770456)

Also, remove correct pidfile when stopping xenconsoled.

(cherry picked from commit fcdd6e3c9596e900748e93ae3be4e6a3dc278f26)
(from alioth alioth/feature/bug770456)

Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Drop -lcrypto search from upstream configure, and from our Build-Depends.
Ian Jackson [Tue, 15 Nov 2016 15:10:45 +0000 (15:10 +0000)]
Drop -lcrypto search from upstream configure, and from our Build-Depends.

Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
changelog: start 4.8.0~rc5-2
Ian Jackson [Tue, 15 Nov 2016 14:10:15 +0000 (14:10 +0000)]
changelog: start 4.8.0~rc5-2

changelog: Declare 4.8.0~rc5-1
Ian Jackson [Fri, 11 Nov 2016 15:27:20 +0000 (15:27 +0000)]
changelog: Declare 4.8.0~rc5-1

Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
tools/tests/x86_emulator: Pass -no-pie -fno-pic to gcc on x86_32
Ian Jackson [Tue, 1 Nov 2016 16:20:27 +0000 (16:20 +0000)]
tools/tests/x86_emulator: Pass -no-pie -fno-pic to gcc on x86_32

The current build fails with GCC6 on Debian sid i386 (unstable):

 /tmp/ccqjaueF.s: Assembler messages:
 /tmp/ccqjaueF.s:3713: Error: missing or invalid displacement expression `vmovd_to_reg_len@GOT'

This is due to the combination of GCC6, and Debian's decision to
enable some hardening flags by default (to try to make runtime
addresses less predictable):
  https://wiki.debian.org/Hardening/PIEByDefaultTransition

This is of no benefit for the x86 instruction emulator test, which is
a rebuild of the emulator code for testing purposes only.  So pass
options to disable this.

These options will be no-ops if they are the same as the compiler
default.

On amd64, the -fno-pic breaks the build in a different way.  So do
this only on i386.

Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
squash! tools/tests/x86_emulator: Pass -no-pie -fno-pic to gcc

Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
ubuntu-tools-libs-abiname
Ubuntu Developers [Thu, 6 Oct 2016 13:24:46 +0000 (14:24 +0100)]
ubuntu-tools-libs-abiname

Gbp-Pq: Name ubuntu-tools-libs-abiname.diff

tools-xenstore-compatibility.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:36 +0000 (11:47 +0200)]
tools-xenstore-compatibility.diff

Patch-Name: tools-xenstore-compatibility.diff

Gbp-Pq: Name tools-xenstore-compatibility.diff

tools-xenmon-install.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:31 +0000 (11:47 +0200)]
tools-xenmon-install.diff

Patch-Name: tools-xenmon-install.diff

Gbp-Pq: Name tools-xenmon-install.diff

tools-include-install.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:30 +0000 (11:47 +0200)]
tools-include-install.diff

Patch-Name: tools-include-install.diff

Gbp-Pq: Name tools-include-install.diff

Remove static solaris support from pygrub
Bastian Blank [Sat, 5 Jul 2014 09:47:29 +0000 (11:47 +0200)]
Remove static solaris support from pygrub

Patch-Name: tools-pygrub-remove-static-solaris-support

Gbp-Pq: Name tools-pygrub-remove-static-solaris-support

tools-xentrace-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:14 +0000 (11:47 +0200)]
tools-xentrace-prefix.diff

Patch-Name: tools-xentrace-prefix.diff

Gbp-Pq: Name tools-xentrace-prefix.diff

tools-xenstore-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:12 +0000 (11:47 +0200)]
tools-xenstore-prefix.diff

Patch-Name: tools-xenstore-prefix.diff

Gbp-Pq: Name tools-xenstore-prefix.diff

tools-xenstat-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:09 +0000 (11:47 +0200)]
tools-xenstat-prefix.diff

Patch-Name: tools-xenstat-prefix.diff

Gbp-Pq: Name tools-xenstat-prefix.diff

tools-xenpmd-prefix.diff
Bastian Blank [Sat, 13 Dec 2014 18:37:02 +0000 (19:37 +0100)]
tools-xenpmd-prefix.diff

Patch-Name: tools-xenpmd-prefix.diff

Gbp-Pq: Name tools-xenpmd-prefix.diff

tools-xenpaging-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:08 +0000 (11:47 +0200)]
tools-xenpaging-prefix.diff

Patch-Name: tools-xenpaging-prefix.diff

Gbp-Pq: Name tools-xenpaging-prefix.diff

tools-xenmon-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:06 +0000 (11:47 +0200)]
tools-xenmon-prefix.diff

Patch-Name: tools-xenmon-prefix.diff

Gbp-Pq: Name tools-xenmon-prefix.diff

tools-xcutils-rpath.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:05 +0000 (11:47 +0200)]
tools-xcutils-rpath.diff

Patch-Name: tools-xcutils-rpath.diff

Gbp-Pq: Name tools-xcutils-rpath.diff

tools-python-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:02 +0000 (11:47 +0200)]
tools-python-prefix.diff

Patch-Name: tools-python-prefix.diff

Gbp-Pq: Name tools-python-prefix.diff

tools-pygrub-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:01 +0000 (11:47 +0200)]
tools-pygrub-prefix.diff

Patch-Name: tools-pygrub-prefix.diff

Gbp-Pq: Name tools-pygrub-prefix.diff

tools-misc-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:59 +0000 (11:46 +0200)]
tools-misc-prefix.diff

Patch-Name: tools-misc-prefix.diff

Gbp-Pq: Name tools-misc-prefix.diff

tools-libxl-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:57 +0000 (11:46 +0200)]
tools-libxl-prefix.diff

Patch-Name: tools-libxl-prefix.diff

Gbp-Pq: Name tools-libxl-prefix.diff

tools-libfsimage-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:55 +0000 (11:46 +0200)]
tools-libfsimage-prefix.diff

Patch-Name: tools-libfsimage-prefix.diff

Gbp-Pq: Name tools-libfsimage-prefix.diff

tools-console-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:54 +0000 (11:46 +0200)]
tools-console-prefix.diff

Patch-Name: tools-console-prefix.diff

Gbp-Pq: Name tools-console-prefix.diff

tools-blktap2-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:53 +0000 (11:46 +0200)]
tools-blktap2-prefix.diff

Patch-Name: tools-blktap2-prefix.diff

Gbp-Pq: Name tools-blktap2-prefix.diff

tools-rpath.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:51 +0000 (11:46 +0200)]
tools-rpath.diff

Patch-Name: tools-rpath.diff

Gbp-Pq: Name tools-rpath.diff

tools-xenstat-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:50 +0000 (11:46 +0200)]
tools-xenstat-abiname.diff

Patch-Name: tools-xenstat-abiname.diff

Gbp-Pq: Name tools-xenstat-abiname.diff

tools-libxl-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:49 +0000 (11:46 +0200)]
tools-libxl-abiname.diff

Patch-Name: tools-libxl-abiname.diff

Gbp-Pq: Name tools-libxl-abiname.diff

tools-libxc-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:48 +0000 (11:46 +0200)]
tools-libxc-abiname.diff

Patch-Name: tools-libxc-abiname.diff

Gbp-Pq: Name tools-libxc-abiname.diff

tools-libfsimage-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:47 +0000 (11:46 +0200)]
tools-libfsimage-abiname.diff

Patch-Name: tools-libfsimage-abiname.diff

Gbp-Pq: Name tools-libfsimage-abiname.diff

config-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:45 +0000 (11:46 +0200)]
config-prefix.diff

Patch-Name: config-prefix.diff

Gbp-Pq: Name config-prefix.diff

version
Bastian Blank [Sat, 5 Jul 2014 09:46:43 +0000 (11:46 +0200)]
version

Patch-Name: version.diff

Gbp-Pq: Name version.diff

Rerun autogen.sh (stretch)
Ian Jackson [Fri, 28 Oct 2016 13:52:13 +0000 (14:52 +0100)]
Rerun autogen.sh (stretch)

Using autoconf 2.69-10 (amd64)

Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Add patch to reset .gitarchive-info.
Ian Jackson [Thu, 22 Dec 2016 17:15:24 +0000 (17:15 +0000)]
Add patch to reset .gitarchive-info.

We have to provide this patch ourselves because dgit can't see how to
find it.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Copy debian/ directory from archive/debian/4.8.0_rc3-1
Ian Jackson [Fri, 21 Oct 2016 14:11:19 +0000 (15:11 +0100)]
Copy debian/ directory from archive/debian/4.8.0_rc3-1

(And discard old debian/patches/)

Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Version numbers: Finalise 4.8.0.
Ian Jackson [Mon, 5 Dec 2016 12:03:27 +0000 (12:03 +0000)]
Version numbers: Finalise 4.8.0.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Config.mk: Update subtrees to 4.8.0 release tags
Ian Jackson [Mon, 5 Dec 2016 11:59:18 +0000 (11:59 +0000)]
Config.mk: Update subtrees to 4.8.0 release tags

No functional change.

All these tags have been pushed to the corresponding trees on xenbits.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Config.mk: Drop stale QEMU_TRADITIONAL_REVISION commentary
Ian Jackson [Tue, 29 Nov 2016 18:05:48 +0000 (18:05 +0000)]
Config.mk: Drop stale QEMU_TRADITIONAL_REVISION commentary

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging
Ian Jackson [Tue, 29 Nov 2016 16:54:30 +0000 (16:54 +0000)]
Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging

Update QEMU_TRADITIONAL_REVISION and QEMU_UPSTREAM_REVISION to -rc7
Ian Jackson [Tue, 29 Nov 2016 16:41:32 +0000 (16:41 +0000)]
Update QEMU_TRADITIONAL_REVISION and QEMU_UPSTREAM_REVISION to -rc7

These commits include the fix for XSA-197.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
credit2: make runqueues be per-socket by default
Dario Faggioli [Tue, 29 Nov 2016 15:01:03 +0000 (16:01 +0100)]
credit2: make runqueues be per-socket by default

Benchmarks have shown that per-socket runqueues arrangement
behaves better (e.g., we achieve better load balancing)
than the current per-core default.

Here's an example (coming from
https://lists.xen.org/archives/html/xen-devel/2016-06/msg02287.html ):

|=======================================|
| XEN BUILD TIME, LOW LOAD, NO NOISE    |
|---------------------------------------|
|       runq=core   runq=socket         |
|         35.200       33.433           |
|---------------------------------------|------------------------------|
| XEN BUILD TIME, HIGH LOAD, NO NOISE   | IPERF, HIGH LOAD, NO NOISE   |
|---------------------------------------|------------------------------|
|       runq=core   runq=socket         |     runq=core runq=socket    |
|         18.013       18.530           |       23.200     23.466      |
|---------------------------------------|------------------------------|
| XEN BUILD TIME, LOW LOAD, WITH NOISE  |
|---------------------------------------|
|       runq=core   runq=socket         |
|         45.866       39.493           |
|---------------------------------------|------------------------------|
| XEN BUILD TIME, HIGH LOAD, WITH NOISE | IPERF, HIGH LOAD, WITH NOISE |
|---------------------------------------|------------------------------|
|       runq=core   runq=socket         |     runq=core runq=socket    |
|         36.840       29.080           |       19.967     21.000      |
|=======================================|==============================|

The only reason why we went for per-core, initially, was to
introduce some form of hyperthreading support. Now we have
hyperthreading support, independently from how runqueues
are organized (9bb9c7388 "xen: credit2: implement true SMT
support"), and thus we can switch to per-socket.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
libacpi: fix compilation when cross building the tools
Julien Grall [Tue, 29 Nov 2016 15:00:48 +0000 (16:00 +0100)]
libacpi: fix compilation when cross building the tools

The tools (such as mk_dsdt) can be cross-built when it may not be
desirable to build them on the target.

The commit c4ac1077 "libxl/arm: Generate static ACPI DSDT table"
introduced support of ARM64 in mk_dsdt but also breaks cross-building
the tools because the ACPI tables are not correct.

While mk_dsdt should generate the ACPI table for the target architecture, it
currently generates the one for the host. This is because the source
code contains references to the host architecture (__aarch64__,
__x86_64__, __i386__) when it should be the target architecture.

Replace all __aarch64__, __x86_64__, __i386__ by the corresponding
CONFIG_*.

Also expose the CONFIG_* to the source code, as they are currently only
exposed to the Makefile.

Reported-by: Andrii Anisov <andrii.anisov@gmail.com>
Suggested-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
arm32: handle async aborts delivered while at HYP
Wei Chen [Tue, 29 Nov 2016 14:59:55 +0000 (15:59 +0100)]
arm32: handle async aborts delivered while at HYP

If a guest generates an asynchronous abort and then traps into HYP
(by HVC or IRQ) before the abort has been delivered, the hypervisor
could not catch it, because the PSTATE.A bit is masked all the time
in the hypervisor. So this asynchronous abort may slip to the next
running guest with the PSTATE.A bit unmasked.

In order to avoid this, it is necessary to take the abort at HYP, by
clearing the PSTATE.A bit. In this patch, we unmask the PSTATE.A bit
to open a window to catch guest-generated asynchronous aborts in all
Guest -> HYP switch paths. If we catch such an asynchronous abort in
the checking window, the HYP data abort exception will be triggered and
the abort source guest will be crashed.

This is part of XSA-201.

Signed-off-by: Wei Chen <Wei.Chen@arm.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
arm: crash the guest when it traps on external abort
Wei Chen [Tue, 29 Nov 2016 14:59:26 +0000 (15:59 +0100)]
arm: crash the guest when it traps on external abort

If we spot a data or prefetch abort bearing the ESR_EL2.EA bit set, we
know that this is an external abort, and that should crash the guest.

This is part of XSA-201.

Signed-off-by: Wei Chen <Wei.Chen@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Steve Capper <steve.capper@arm.com>
Reviewed-by: Julien Grall <Julien.Grall@arm.com>
arm64: handle async aborts delivered while at EL2
Wei Chen [Tue, 29 Nov 2016 14:58:57 +0000 (15:58 +0100)]
arm64: handle async aborts delivered while at EL2

If EL1 generates an asynchronous abort and then traps into EL2
(by HVC or IRQ) before the abort has been delivered, the hypervisor
could not catch it, because the PSTATE.A bit is masked all the time
in the hypervisor. So this asynchronous abort may slip to the next
running guest with the PSTATE.A bit unmasked.

In order to avoid this, it is necessary to take the abort at EL2, by
clearing the PSTATE.A bit. In this patch, we unmask the PSTATE.A bit
to open a window to catch guest-generated asynchronous aborts in all
EL1 -> EL2 switch paths. If we catch such an asynchronous abort in
the checking window, the hyp_error exception will be triggered and the
abort source guest will be crashed.

This is part of XSA-201.

Signed-off-by: Wei Chen <Wei.Chen@arm.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
arm64: handle guest-generated EL1 asynchronous abort
Wei Chen [Tue, 29 Nov 2016 14:57:52 +0000 (15:57 +0100)]
arm64: handle guest-generated EL1 asynchronous abort

In the current code, when the hypervisor receives an asynchronous abort
from a guest, the hypervisor will panic and the host will go down.
We have to prevent such a security issue, so in this patch we crash
the guest when the hypervisor receives an asynchronous abort from
the guest.

This is part of XSA-201.

Signed-off-by: Wei Chen <Wei.Chen@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Steve Capper <steve.capper@arm.com>
Reviewed-by: Julien Grall <Julien.Grall@arm.com>
x86/cpu: reposition stack alignment check
Andrew Cooper [Mon, 28 Nov 2016 08:17:00 +0000 (09:17 +0100)]
x86/cpu: reposition stack alignment check

As identified during review, using BUG_ON() before `lidt` will result in a
triple fault, even on APs.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
remove reference to xensource.com
Juergen Gross [Fri, 25 Nov 2016 13:32:44 +0000 (14:32 +0100)]
remove reference to xensource.com

xen/include/public/hvm/pvdrivers.h contains a reference to
xen-devel@lists.xensource.com. Replace it by the correct address
xen-devel@lists.xenproject.org

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
blkif: kill some repetitions in protocol description
Dario Faggioli [Fri, 25 Nov 2016 13:32:19 +0000 (14:32 +0100)]
blkif: kill some repetitions in protocol description

The whole block describing multiqueue support was repeated
two times.

There also was some repetition in the description of the
'discard-enable' property.

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <Konrad.wilk@oracle.com>
x86emul: CMOVcc always writes its destination
Jan Beulich [Fri, 25 Nov 2016 13:31:50 +0000 (14:31 +0100)]
x86emul: CMOVcc always writes its destination

This would be benign if there wasn't the zero-extending side effect of
32-bit operations in 64-bit mode.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
x86: re-add stack alignment check
Jan Beulich [Fri, 25 Nov 2016 13:30:58 +0000 (14:30 +0100)]
x86: re-add stack alignment check

Commit 279840d5ea ("x86/boot: install trap handlers much earlier on
boot"), perhaps not really intentionally, removed this check. Add it
back,
- preventing it from triggering before any output is set up,
- accompanying it with a (weaker, due to its open coding of what
  get_stack_bottom() does) build time check.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
x86/vmx: Don't deliver #MC with an error code
Andrew Cooper [Thu, 24 Nov 2016 15:36:13 +0000 (15:36 +0000)]
x86/vmx: Don't deliver #MC with an error code

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
x86/emul: Don't deliver #UD with an error code
Andrew Cooper [Thu, 24 Nov 2016 15:23:38 +0000 (15:23 +0000)]
x86/emul: Don't deliver #UD with an error code

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
x86/SVM: don't deliver #GP without error code
Jan Beulich [Fri, 25 Nov 2016 08:46:32 +0000 (09:46 +0100)]
x86/SVM: don't deliver #GP without error code

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
x86/hvm: Rename hvm_emulate_init() and hvm_emulate_prepare() for clarity
Andrew Cooper [Wed, 23 Nov 2016 11:32:55 +0000 (11:32 +0000)]
x86/hvm: Rename hvm_emulate_init() and hvm_emulate_prepare() for clarity

 * Move hvm_emulate_init() to immediately after hvm_emulate_prepare(), as they
   are very closely related.
 * Rename hvm_emulate_prepare() to hvm_emulate_init_once() and
   hvm_emulate_init() to hvm_emulate_init_per_insn() to make it clearer how to
   and when to use them.

No functional change.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
libxl: fix creation of pkgconf install dir
Roger Pau Monne [Wed, 23 Nov 2016 16:56:39 +0000 (16:56 +0000)]
libxl: fix creation of pkgconf install dir

When PKG_INSTALLDIR was introduced the creation of the previous pkgconf install
directory was not changed. Fix this by correctly using PKG_INSTALLDIR for the
directory creation in libxl Makefile.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
x86emul: in_longmode() should not ignore ->read_msr() errors
Jan Beulich [Wed, 23 Nov 2016 14:27:47 +0000 (15:27 +0100)]
x86emul: in_longmode() should not ignore ->read_msr() errors

All present hook implementations succeed for EFER, but we shouldn't
really build on this being the case.

Suggested-by: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
x86emul: simplify DstBitBase handling code
Jan Beulich [Wed, 23 Nov 2016 14:27:17 +0000 (15:27 +0100)]
x86emul: simplify DstBitBase handling code

..., at once making it more obvious that even in the negative bit
offset case the resulting bit offset to be used by the inlined
instructions will always be constrained to the operand size of the
original instruction.

Also add a test case which would have failed without the XSA-195 fix.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
x86/HVM: correct error code writing during task switch
Jan Beulich [Wed, 23 Nov 2016 14:26:51 +0000 (15:26 +0100)]
x86/HVM: correct error code writing during task switch

Whether to write 32 or just 16 bits depends on the D bit of the target
CS. The width of the stack pointer to use depends on the B bit of the
target SS.

Also avoid using the no-fault copying routine.

Finally avoid using yet another struct segment_register variable here.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
x86/HVM: limit writes to outgoing TSS during task switch
Jan Beulich [Wed, 23 Nov 2016 14:26:11 +0000 (15:26 +0100)]
x86/HVM: limit writes to outgoing TSS during task switch

The only fields modified are EIP, EFLAGS, GPRs, and segment selectors.
CR3 in particular is not supposed to be updated.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
x86/HVM: limit writes to incoming TSS during task switch
Jan Beulich [Wed, 23 Nov 2016 14:25:35 +0000 (15:25 +0100)]
x86/HVM: limit writes to incoming TSS during task switch

The only field modified (and even that conditionally) is the back link.
Write only that field, and only when it actually has been written to.

Take the opportunity and also ditch the pointless initializer from the
"tss" local variable, which gets completely filled anyway by reading
from guest memory.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
libelf: fix symtab/strtab loading for 32bit domains
Roger Pau Monne [Wed, 23 Nov 2016 12:27:38 +0000 (12:27 +0000)]
libelf: fix symtab/strtab loading for 32bit domains

Commit ed04ca introduced a bug in the symtab/strtab loading for 32bit
guests, that corrupted the section headers array due to the padding
introduced by the elf_shdr union.

The Elf section header array on 32bit should be accessible as an array of
Elf32_Shdr elements, and the union with Elf64_Shdr done in elf_shdr was
breaking this due to size differences between Elf32_Shdr and Elf64_Shdr.

Fix this by copying each section header one by one, and using the proper
size depending on the bitness of the guest kernel. While there, also fix
a couple of consistency issues, by making sure we always use the sizes of
our local versions of the ELF header and the ELF sections headers.

Reported-by: Brian Marcotte <marcotte@panix.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
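The libelf message above describes a stride mismatch: a union of the 32-bit and 64-bit section header types is as large as the 64-bit member, so indexing a 32-bit on-disk table as an array of that union reads the wrong bytes and, past the first entry, walks off the real table. The following is an added illustration, not libelf's code: the two header layouts follow the ELF specification, while the union, the constructed table and the helper names are assumptions made for this example.

```c
/* Added illustration of the libelf section header stride problem; not
 * libelf's code. Header layouts follow the ELF spec; everything else is
 * constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset,
             sh_size, sh_link, sh_info, sh_addralign, sh_entsize;
} elf32_shdr;                               /* 40 bytes on disk */

typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} elf64_shdr;                               /* 64 bytes on disk */

/* A union is as large as its largest member, so an array of these has a
 * 64-byte stride even when it is meant to hold 32-bit headers. */
typedef union { elf32_shdr e32; elf64_shdr e64; } elf_shdr;

#define NSHDR 3
/* Constructed 32-bit section header table (120 bytes) followed by zero
 * padding, so the wrong-stride reads below stay inside the buffer. */
static uint8_t g_table[NSHDR * sizeof(elf_shdr)];

/* Fill g_table with headers whose sh_name is 1, 2, 3 and whose sh_link is
 * 100, 101, 102. Returns the size of the real table in bytes. */
static size_t build_table32(void)
{
    memset(g_table, 0, sizeof(g_table));
    for (size_t i = 0; i < NSHDR; i++) {
        elf32_shdr h = { .sh_name = (uint32_t)(i + 1),
                         .sh_link = (uint32_t)(100 + i) };
        memcpy(g_table + i * sizeof(elf32_shdr), &h, sizeof(h));
    }
    return NSHDR * sizeof(elf32_shdr);
}

/* Pre-fix access pattern: treat the on-disk table as an array of unions.
 * Entry 1 then starts 24 bytes into the real entry 1 (its sh_link field),
 * and entry 2 lies entirely past the end of the real table. */
static uint32_t shdr_name_buggy(const uint8_t *table, size_t idx)
{
    elf_shdr s;
    memcpy(&s, table + idx * sizeof(elf_shdr), sizeof(elf32_shdr));
    return s.e32.sh_name;
}

/* Fixed access pattern: copy one header at a time using the size that
 * matches the ELF class of the kernel being loaded. */
static uint32_t shdr_name_fixed(const uint8_t *table, size_t idx, int is64)
{
    elf_shdr s;
    size_t sz = is64 ? sizeof(elf64_shdr) : sizeof(elf32_shdr);
    memcpy(&s, table + idx * sz, sz);
    return is64 ? s.e64.sh_name : s.e32.sh_name;
}
```

Reading entry 1 the wrong way returns the neighbouring header's sh_link value instead of its name, and entry 2 comes back as whatever happens to follow the table in memory; the per-class copy returns 1, 2, 3 as written.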
x86/memshr: properly check grant references
Jan Beulich [Tue, 22 Nov 2016 16:28:52 +0000 (17:28 +0100)]
x86/memshr: properly check grant references

They need to be range checked against the current table limit in any
event.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Move the code to where it belongs, eliminating a number of duplicate
definitions. Add locking. Produce proper error codes, and consume them
instead of making one up. Check grant type. Convert parameter types at
once.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Tamas K Lengyel <tamas@tklengyel.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago  credit2: fix wrong assert in runq_tickle()
Dario Faggioli [Tue, 22 Nov 2016 16:12:50 +0000 (17:12 +0100)]
credit2: fix wrong assert in runq_tickle()

Since b047f888d489 ("xen: sched: leave CPUs doing tasklet
work alone") a cpu executing a tasklet is not marked as
idle.

Therefore:
 - avoid asserting that we can't find the idle vcpu running
   on one of them, which is not true,
 - avoid triggering a preemption on them (and add an assert
   checking that).

This fixes a bug identified by OSSTest, in flight 102372
(on ARM, but it's not at all ARM specific), where the
ASSERT() was triggering like this:

(XEN) Xen call trace:
(XEN)    [<0022af78>] sched_credit2.c#runq_tickle+0x3e8/0x61c (PC)
(XEN)    [<0022aedc>] sched_credit2.c#runq_tickle+0x34c/0x61c (LR)
(XEN)    [<0022b644>] sched_credit2.c#csched2_context_saved+0x128/0x1a4
(XEN)    [<0023303c>] context_saved+0x7c/0xa4
(XEN)    [<0024f660>] domain.c#schedule_tail+0x2b4/0x308
(XEN)    [<0024faac>] context_switch+0x80/0x94
(XEN)    [<0022ff48>] schedule.c#schedule+0x76c/0x7ec
(XEN)    [<002338d4>] softirq.c#__do_softirq+0xcc/0xec
(XEN)    [<00233968>] do_softirq+0x18/0x28
(XEN)    [<00261084>] leave_hypervisor_tail+0x58/0x88
(XEN)    [<002649d0>] entry.o#return_to_guest+0xc/0xb8
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 1:
(XEN) Assertion '!is_idle_vcpu(cur->vcpu)' failed at sched_credit2.c:1009
(XEN) ****************************************

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago  x86/EFI: meet further spec requirements for runtime calls
Jan Beulich [Tue, 22 Nov 2016 12:52:53 +0000 (13:52 +0100)]
x86/EFI: meet further spec requirements for runtime calls

So far we didn't guarantee 16-byte alignment of the stack: While (so
far) we don't tell the compiler to use smaller alignment, we also don't
guarantee 16-byte alignment when establishing stack pointers for new
vCPU-s. Runtime service functions using SSE instructions may end with
#GP(0) without that.

Note that making use of -mpreferred-stack-boundary=3, as mentioned in
the comment, wouldn't help to reduce the needed alignment: The compiler
would then be free to align the stack of the function with the aligned
object, but would be permitted to place an odd number of 8-byte objects
there, resulting in the callee still running on an unaligned stack.

(The only working alternative to the approach chosen here would be to
use -mincoming-stack-boundary=3, but that would affect all functions in
runtime.c, not just the ones actually making runtime services calls.
And it would still require the manual alignment logic here to be used
with gcc 5.2 and earlier - not permitting that command line option -,
just that then the alignment amount would become conditional.)

Hence enforce the needed alignment by making efi_rs_enter() return a
suitably aligned structure, which the caller then necessarily has to
store in a suitably aligned local variable, the address of which then
gets passed to efi_rs_leave(). Also (to limit exposure) move the
function declarations to where they belong: They're local to runtime.c,
and shared only with compat.c (by the latter including the former).

Furthermore we should avoid #MF to be raised on the FLDCW we do.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago  pygrub: Properly quote results, when returning them to the caller:
Ian Jackson [Thu, 3 Nov 2016 16:37:40 +0000 (16:37 +0000)]
pygrub: Properly quote results, when returning them to the caller:

* When the caller wants sexpr output, use `repr()'
  This is what Xend expects.

  The returned S-expressions are now escaped and quoted by Python,
  generally using '...'.  Previously kernel and ramdisk were unquoted
  and args was quoted with "..." but without proper escaping.  This
  change may break toolstacks which do not properly dequote the
  returned S-expressions.

* When the caller wants "simple" output, crash if the delimiter is
  contained in the returned value.

  With --output-format=simple it does not seem like this could ever
  happen, because the bootloader config parsers all take line-based
  input from the various bootloader config files.

  With --output-format=simple0, this can happen if the bootloader
  config file contains nul bytes.

This is CVE-2016-9379 and CVE-2016-9380 / XSA-198.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago  x86/svm: fix injection of software interrupts
Andrew Cooper [Tue, 22 Nov 2016 12:51:16 +0000 (13:51 +0100)]
x86/svm: fix injection of software interrupts

The non-NextRip logic in c/s 36ebf14eb "x86/emulate: support for emulating
software event injection" was based on an older version of the AMD software
manual.  The manual was later corrected, following findings from that series.

I took the original wording of "not supported without NextRIP" to mean that
X86_EVENTTYPE_SW_INTERRUPT was not eligible for use.  It turns out that this
is not the case, and the new wording is clearer on the matter.

Despite testing the original patch series on non-NRip hardware, the
swint-emulation XTF test case focuses on the debug vectors; it never ended up
executing an `int $n` instruction for a vector which wasn't also an exception.

During a vmentry, the use of X86_EVENTTYPE_HW_EXCEPTION comes with a vector
check to ensure that it is only used with exception vectors.  Xen's use of
X86_EVENTTYPE_HW_EXCEPTION for `int $n` injection has always been buggy on AMD
hardware.

Fix this by always using X86_EVENTTYPE_SW_INTERRUPT.

Print and decode the eventinj information in svm_vmcb_dump(), as it has
several invalid combinations which cause vmentry failures.

This is CVE-2016-9378 / part of XSA-196.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
9 years ago  x86/emul: correct the IDT entry calculation in inject_swint()
Andrew Cooper [Tue, 22 Nov 2016 12:50:49 +0000 (13:50 +0100)]
x86/emul: correct the IDT entry calculation in inject_swint()

The logic, as introduced in c/s 36ebf14ebe "x86/emulate: support for emulating
software event injection" is buggy.  The size of an IDT entry depends on long
mode being active, not the width of the code segment currently in use.

In particular, this means that a compatibility code segment which hits
emulation for software event injection will end up using an incorrect offset
in the IDT for DPL/Presence checking.  In practice, this only occurs on old
AMD hardware lacking NRip support; all newer AMD hardware, and all Intel
hardware bypass this path in the emulator.

While here, fix a minor issue with reading the IDT entry.  The return value
from ops->read() wasn't checked, but in reality the only failure case is if a
pagefault occurs.  This is not a realistic problem as the kernel will almost
certainly crash with a double fault if this setup actually occurred.

This is CVE-2016-9377 / part of XSA-196.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
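The two XSA-196 commits above turn on one detail: the IDT gate stride is decided by long mode, not by the width of the executing code segment, and the attribute byte read from the gate is what the DPL and presence checks for `int $n` operate on. The following is an added illustration written for this page, not Xen's inject_swint() or emulator code. It assumes a hypothetical guest-memory accessor (`guest_read`, standing in for `ops->read()`), a constructed four-entry long-mode IDT, and result codes named after the exception vectors they correspond to; the `idt_stride_buggy()` variant reproduces the pre-fix stride selection for contrast.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of the pre-injection checks for `int $n` (exception vectors used as result codes). */
enum swint_result { SWINT_OK = 0, SWINT_NP = 11, SWINT_GP = 13, SWINT_PF = 14 };

/* Hypothetical guest-memory accessor standing in for the emulator's ops->read(). */
struct guest_mem { const uint8_t *base; size_t size; };

static int guest_read(const struct guest_mem *m, uint64_t addr, void *buf, size_t len)
{
    if (addr > m->size || len > m->size - addr)
        return -1;                          /* not mapped: treat as #PF */
    memcpy(buf, m->base + addr, len);
    return 0;
}

/* Gate size follows EFER.LMA: 16 bytes in long mode (64-bit and compat), 8 otherwise. */
size_t idt_stride(bool long_mode) { return long_mode ? 16 : 8; }

/* The pre-fix mistake, kept for contrast: stride keyed off the current code segment width. */
size_t idt_stride_buggy(unsigned int cs_bits) { return cs_bits == 64 ? 16 : 8; }

/*
 * Shared gate check.  In both the 8- and 16-byte formats the attribute byte
 * (P:1 DPL:2 S:1 Type:4) is at offset 5 of the entry.  Order follows the SDM
 * for INT n: DPL check (#GP) before presence check (#NP).
 */
static int check_gate(const struct guest_mem *m, uint64_t addr, size_t stride, unsigned int cpl)
{
    uint8_t raw[16] = {0};

    if (guest_read(m, addr, raw, stride) != 0)
        return SWINT_PF;                    /* the fix also stopped ignoring this error */

    uint8_t attr = raw[5];
    if (((attr >> 5) & 3) < cpl)            /* gate DPL must be >= CPL for software ints */
        return SWINT_GP;
    if (!(attr & 0x80))                     /* P bit */
        return SWINT_NP;
    return SWINT_OK;
}

int inject_swint_check(const struct guest_mem *m, uint64_t idt_base, uint8_t vector,
                       unsigned int cpl, bool long_mode)
{
    size_t stride = idt_stride(long_mode);
    return check_gate(m, idt_base + (uint64_t)vector * stride, stride, cpl);
}

int inject_swint_check_buggy(const struct guest_mem *m, uint64_t idt_base, uint8_t vector,
                             unsigned int cpl, unsigned int cs_bits)
{
    size_t stride = idt_stride_buggy(cs_bits);
    return check_gate(m, idt_base + (uint64_t)vector * stride, stride, cpl);
}

/* Constructed sample IDT (long mode, 4 gates): vector 2 is a DPL-0 interrupt gate,
 * vector 3 a DPL-3 trap gate, vectors 0 and 1 are not present. */
#define SAMPLE_GATES 4
static uint8_t sample_idt[SAMPLE_GATES * 16];

const struct guest_mem *sample_long_mode_idt(void)
{
    static struct guest_mem m;
    memset(sample_idt, 0, sizeof(sample_idt));
    sample_idt[2 * 16 + 5] = 0x8E;          /* P=1 DPL=0 type=0xE */
    sample_idt[3 * 16 + 5] = 0xEF;          /* P=1 DPL=3 type=0xF */
    m.base = sample_idt;
    m.size = sizeof(sample_idt);
    return &m;
}

int main(void)
{
    const struct guest_mem *m = sample_long_mode_idt();
    /* 32-bit compat code, CPL 3, `int $3`: the correct stride says OK; the buggy
     * stride lands on the upper half of gate 1 and reports #GP from a zero attribute byte. */
    printf("fixed: %d  buggy(cs=32): %d\n",
           inject_swint_check(m, 0, 3, 3, true),
           inject_swint_check_buggy(m, 0, 3, 3, 32));
    return 0;
}
```

The compat-mode case is the one the commit singles out: with a 16-byte gate table and an 8-byte stride, vector 3 resolves to byte 24, inside gate 1's upper half, so the DPL/P decision is made on reserved bytes rather than on the real gate.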
9 years ago  x86emul: fix huge bit offset handling
Jan Beulich [Tue, 22 Nov 2016 12:49:06 +0000 (13:49 +0100)]
x86emul: fix huge bit offset handling

We must never chop off the high 32 bits.

This is CVE-2016-9383 / XSA-195.

Reported-by: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
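The one-line message above ("we must never chop off the high 32 bits") refers to the register bit offset of the bit-test family (BT/BTS/BTR/BTC) with a memory operand: the offset is a signed quantity in bits, and the emulator must turn all 64 bits of it into a word displacement plus a bit index. Below is an added example, written for this page and not Xen's x86_emulate code, that resolves the operand architecturally, keeps a 32-bit-truncating variant for contrast, and performs a BT against a bounded buffer standing in for guest memory. The helper names and the buffer are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct bit_operand {
    uint64_t addr;      /* byte address of the operand-sized word actually touched */
    unsigned int bit;   /* bit within that word, 0 .. op_bits-1 */
};

/*
 * Architectural resolution: the register operand is a signed bit offset.
 * The memory address moves by floor(offset / op_bits) words; the bit index
 * is the non-negative remainder.  Floor division is spelled out to avoid
 * relying on implementation-defined right shifts of negative values.
 */
struct bit_operand resolve_bit_operand(uint64_t ea, int64_t bit_offset, unsigned int op_bytes)
{
    int64_t op_bits = (int64_t)op_bytes * 8;
    int64_t q = bit_offset / op_bits;
    int64_t r = bit_offset % op_bits;
    if (r < 0) { q -= 1; r += op_bits; }

    struct bit_operand out;
    out.addr = ea + (uint64_t)q * op_bytes;   /* wraps modulo 2^64, as the address would */
    out.bit  = (unsigned int)r;
    return out;
}

/* The class of mistake the fix removes, for contrast: the offset is chopped to its low
 * 32 bits before use, so large and negative offsets land on an unrelated address. */
struct bit_operand resolve_bit_operand_buggy(uint64_t ea, int64_t bit_offset, unsigned int op_bytes)
{
    return resolve_bit_operand(ea, (int64_t)(uint32_t)bit_offset, op_bytes);
}

/*
 * BT emulation against a bounded buffer standing in for guest memory.
 * Returns the tested bit (0/1), or -1 when the resolved word falls outside
 * the buffer, which is the check an emulator must make before touching memory.
 */
int emulate_bt(const uint8_t *mem, size_t mem_size, uint64_t ea, int64_t bit_offset,
               unsigned int op_bytes)
{
    struct bit_operand op = resolve_bit_operand(ea, bit_offset, op_bytes);
    if (op.addr > mem_size || op_bytes > mem_size - op.addr)
        return -1;
    /* little-endian: bit n of the word is bit (n % 8) of byte (n / 8) */
    return (mem[op.addr + op.bit / 8] >> (op.bit % 8)) & 1;
}

int main(void)
{
    uint8_t mem[64] = {0};                   /* constructed guest memory */
    mem[8] = 0x02;                           /* bit 65 relative to address 0 */
    struct bit_operand ok = resolve_bit_operand(0x1000, (int64_t)1 << 32, 8);
    struct bit_operand bad = resolve_bit_operand_buggy(0x1000, (int64_t)1 << 32, 8);
    printf("offset 2^32: correct addr %#llx, buggy addr %#llx\n",
           (unsigned long long)ok.addr, (unsigned long long)bad.addr);
    printf("bt [0], 65 -> %d\n", emulate_bt(mem, sizeof(mem), 0, 65, 8));
    return 0;
}
```

An offset of 2^32 on a 64-bit operand must move the access 512 MiB forward (2^32 / 64 words of 8 bytes); after truncation it becomes 0 and the access stays put. A negative offset must move backwards, which the truncated variant turns into a large forward displacement instead.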
9 years ago  libelf: fix stack memory leak when loading 32 bit symbol tables
Roger Pau Monné [Tue, 22 Nov 2016 12:48:30 +0000 (13:48 +0100)]
libelf: fix stack memory leak when loading 32 bit symbol tables

The 32 bit Elf structs are smaller than the 64 bit ones, which means that
when loading them there's some padding left uninitialized at the end of each
struct (because the size indicated in e_ehsize and e_shentsize is
smaller than the size of elf_ehdr and elf_shdr).

Fix this by introducing a new helper that is used to set
[caller_]xdest_{base/size} and that takes care of performing the appropriate
memset of the region. This newly introduced helper is then used to set and
unset xdest_{base/size} in elf_load_bsdsyms. Now that the full struct
is zeroed, there's no need to specifically zero the undefined section.

This is CVE-2016-9384 / XSA-164.

Suggested-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Also remove the open coded (and redundant with the earlier
elf_memset_unchecked()) use of caller_xdest_* from elf_init().

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
9 years ago  x86/PV: writes of %fs and %gs base MSRs require canonical addresses
Jan Beulich [Tue, 22 Nov 2016 12:46:28 +0000 (13:46 +0100)]
x86/PV: writes of %fs and %gs base MSRs require canonical addresses

Commit c42494acb2 ("x86: fix FS/GS base handling when using the
fsgsbase feature") replaced the use of wrmsr_safe() on these paths
without recognizing that wr{f,g}sbase() use just wrmsrl() and that the
WR{F,G}SBASE instructions also raise #GP for non-canonical input.

Similarly arch_set_info_guest() needs to prevent non-canonical
addresses from getting stored into state later to be loaded by context
switch code. For consistency also check stack pointers and LDT base.
DR0..3, otoh, already get properly checked in set_debugreg() (albeit
we discard the error there).

The SHADOW_GS_BASE check isn't strictly necessary, but I think we
better avoid trying the WRMSR if we know it's going to fail.

This is CVE-2016-9385 / XSA-193.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
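The XSA-193 message above hinges on what "canonical" means for a 64-bit linear address and on checking it in two places: before executing WRFSBASE/WRGSBASE (or the MSR write) on the guest's behalf, and before storing guest-supplied bases and stack pointers that the context switch path will load later. The following is an added example for this page, not Xen's code: `is_canonical_address()` assumes 48-bit linear addresses (4-level paging, no LA57), `set_segment_base_checked()` is a hypothetical stand-in for the wr{f,g}sbase() path that reports -EINVAL instead of letting hardware raise #GP, and `struct pv_ctxt` is an illustrative subset of the vCPU state the commit says arch_set_info_guest() must validate.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* 48-bit linear addresses (4-level paging); this example does not model LA57. */
#define VADDR_BITS 48

/* Canonical iff bits 63..VADDR_BITS-1 are all copies of bit VADDR_BITS-1. */
bool is_canonical_address(uint64_t addr)
{
    uint64_t upper = addr >> (VADDR_BITS - 1);
    return upper == 0 || upper == (UINT64_MAX >> (VADDR_BITS - 1));
}

/* Hypothetical stand-in for wrfsbase()/wrgsbase(): stores the value where the
 * hardware would accept it, returns -EINVAL where WR{F,G}SBASE/WRMSR would #GP. */
int set_segment_base_checked(uint64_t *reg, uint64_t value)
{
    if (!is_canonical_address(value))
        return -EINVAL;
    *reg = value;
    return 0;
}

/* Illustrative subset of PV vCPU state that must be validated before being
 * stored for a later context switch (field names are not Xen's). */
struct pv_ctxt {
    uint64_t fs_base, gs_base_kernel, gs_base_user;
    uint64_t kernel_sp, user_sp;
    uint64_t ldt_base;
};

int validate_pv_ctxt(const struct pv_ctxt *c)
{
    const uint64_t *fields[] = {
        &c->fs_base, &c->gs_base_kernel, &c->gs_base_user,
        &c->kernel_sp, &c->user_sp, &c->ldt_base,
    };
    for (size_t i = 0; i < sizeof(fields) / sizeof(fields[0]); i++)
        if (!is_canonical_address(*fields[i]))
            return -EINVAL;              /* reject up front rather than fault on context switch */
    return 0;
}

int main(void)
{
    uint64_t fs = 0;
    printf("0x0000800000000000 canonical? %d\n", is_canonical_address(0x0000800000000000ULL));
    printf("wrfsbase 0xffff800000000000 -> %d\n",
           set_segment_base_checked(&fs, 0xffff800000000000ULL));
    return 0;
}
```

The boundary values are the ones worth remembering: 0x00007fffffffffff is the last canonical user address, 0x0000800000000000 the first hole address, 0xffff800000000000 the first canonical kernel address.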
9 years ago  x86/HVM: don't load LDTR with VM86 mode attrs during task switch
Jan Beulich [Tue, 22 Nov 2016 12:45:44 +0000 (13:45 +0100)]
x86/HVM: don't load LDTR with VM86 mode attrs during task switch

Just like TR, LDTR is purely a protected mode facility and hence needs
to be loaded accordingly. Also move its loading to where it
architecturally belongs.

This is CVE-2016-9382 / XSA-192.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago  x86/hvm: Fix the handling of non-present segments
Andrew Cooper [Tue, 22 Nov 2016 12:44:50 +0000 (13:44 +0100)]
x86/hvm: Fix the handling of non-present segments

In 32bit, the data segments may be NULL to indicate that the segment is
ineligible for use.  In both 32bit and 64bit, the LDT selector may be NULL to
indicate that the entire LDT is ineligible for use.  However, nothing in Xen
actually checks for this condition when performing other segmentation
checks.  (Note however that limit and writeability checks are correctly
performed).

Neither Intel nor AMD specify the exact behaviour of loading a NULL segment.
Experimentally, AMD zeroes all attributes but leaves the base and limit
unmodified.  Intel zeroes the base, sets the limit to 0xfffffff and resets the
attributes to just .G and .D/B.

The use of the segment information in the VMCB/VMCS is equivalent to a native
pipeline interacting with the segment cache.  The present bit can therefore
have a subtly different meaning, and it is now cooked to uniformly indicate
whether the segment is usable or not.

GDTR and IDTR don't have access rights like the other segments, but for
consistency, they are treated as being present so no special casing is needed
elsewhere in the segmentation logic.

AMD hardware does not consider the present bit for %cs and %tr, and will
function as if they were present.  They are therefore unconditionally set to
present when reading information from the VMCB, to maintain the new meaning of
usability.

Intel hardware has a separate unusable bit in the VMCS segment attributes.
This bit is inverted and stored in the present field, so the hvm code can work
with architecturally-common state.

This is CVE-2016-9386 / XSA-191.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
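The XSA-191 message describes a normalisation step (cook the vendor-specific segment state so that "present" uniformly means "usable": force %cs and %tr present on AMD, invert the VMCS unusable flag on Intel) followed by a check that was previously missing (a NULL data segment or NULL LDT must not pass segmentation checks just because its stale base and limit look fine). The example below is added for this page and is not Xen's hvm code: the `vmcb_seg` and `vmcs_seg` structs are hypothetical simplified views of the hardware state, `seg_reg` is an illustrative common format, and the fault numbers are the exception vectors.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Vendor-neutral segment state as the HVM code wants to see it. 'present' is cooked
 * to mean "usable", as the commit describes, rather than the raw descriptor bit. */
struct seg_reg {
    uint16_t sel;
    uint64_t base;
    uint32_t limit;
    bool     present;
};

enum seg_id { SEG_ES, SEG_CS, SEG_SS, SEG_DS, SEG_FS, SEG_GS, SEG_TR, SEG_LDTR };

/* Hypothetical VMCB-side view: attr_present carries the descriptor P bit.  AMD runs
 * %cs and %tr as if present regardless, so the cooked state says so unconditionally. */
struct vmcb_seg { uint16_t sel; uint16_t attr_present; uint32_t limit; uint64_t base; };

struct seg_reg cook_from_vmcb(enum seg_id id, const struct vmcb_seg *s)
{
    struct seg_reg r = { s->sel, s->base, s->limit, s->attr_present != 0 };
    if (id == SEG_CS || id == SEG_TR)
        r.present = true;
    return r;
}

/* Hypothetical VMCS-side view: access rights carry a separate 'unusable' flag,
 * which is inverted into the cooked present field. */
struct vmcs_seg { uint16_t sel; bool unusable; uint32_t limit; uint64_t base; };

struct seg_reg cook_from_vmcs(const struct vmcs_seg *s)
{
    struct seg_reg r = { s->sel, s->base, s->limit, !s->unusable };
    return r;
}

/*
 * Data access check that consults usability before the limit check.  A 32-bit
 * guest with a NULL %ds, or a NULL LDT selector, must fault even when the stale
 * base/limit left in the segment cache would pass the limit check.
 * Returns 0 when the access may proceed, 13 for #GP(0), 12 for #SS(0).
 */
int check_data_access(enum seg_id id, const struct seg_reg *seg, uint32_t offset, uint32_t bytes)
{
    int fault = id == SEG_SS ? 12 : 13;
    if (!seg->present)
        return fault;                                  /* the check the fix adds */
    if (bytes == 0 || offset > seg->limit || bytes - 1 > seg->limit - offset)
        return fault;                                  /* limit check, already present */
    return 0;
}

int main(void)
{
    /* AMD: NULL %ds with P clear but a stale flat limit left behind (constructed). */
    struct vmcb_seg amd_ds = { 0, 0, 0xffffffff, 0 };
    struct seg_reg ds = cook_from_vmcb(SEG_DS, &amd_ds);
    printf("NULL %%ds, mov from 0x1000 -> fault %d\n", check_data_access(SEG_DS, &ds, 0x1000, 4));
    /* Intel: unusable %ss (constructed). */
    struct vmcs_seg vmx_ss = { 0, true, 0xffffffff, 0 };
    struct seg_reg ss = cook_from_vmcs(&vmx_ss);
    printf("unusable %%ss, push -> fault %d\n", check_data_access(SEG_SS, &ss, 0, 4));
    return 0;
}
```

Without the presence check both constructed cases pass on the limit alone, which is the gap the commit closes; %cs and %tr stay present on the AMD path so the rest of the segmentation logic needs no vendor special-casing.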
9 years ago  x86/hvm: Fix non-debug build following c/s 0745f665a5
Andrew Cooper [Mon, 21 Nov 2016 15:30:25 +0000 (15:30 +0000)]
x86/hvm: Fix non-debug build following c/s 0745f665a5

The variable is named inst_len, not insn_len.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago  x86/svm: Fix svm_nextrip_insn_length() when crossing the virtual boundary to 0
Andrew Cooper [Mon, 31 Oct 2016 14:07:54 +0000 (14:07 +0000)]
x86/svm: Fix svm_nextrip_insn_length() when crossing the virtual boundary to 0

vmcb->nextrip can legitimately be less than vmcb->rip when execution wraps
back around to 0.  Instead, complain if the reported length is greater than 15
and use x86_decode_insn() as a fallback.

While making changes here, fix two whitespace issues with the case labels.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago  MAINTAINERS: update EVENT CHANNEL and KEXEC maintainer
David Vrabel [Thu, 17 Nov 2016 12:17:12 +0000 (12:17 +0000)]
MAINTAINERS: update EVENT CHANNEL and KEXEC maintainer

I am no longer in a position to be a Xen maintainer.  Andrew has
kindly volunteered to continue maintenance of the KEXEC subsystem.
EVENT CHANNELS (FIFO-BASED ABI) will be maintained by the "Other"
hypervisor maintainers.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
9 years ago  tools/libacpi: Be specific about which DSDT files to build
Boris Ostrovsky [Tue, 15 Nov 2016 16:04:15 +0000 (11:04 -0500)]
tools/libacpi: Be specific about which DSDT files to build

There is no reason to build, for example, dsdt_pvh.asl for hvmloader. We
pass which DSDTs to build via DSDT_FILES parameter.

If DSDT_FILES is empty all DSDTs for a particular architecture will be built.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
9 years ago  x86/traps: Don't call hvm_hypervisor_cpuid_leaf() for PV guests
Andrew Cooper [Mon, 14 Nov 2016 10:18:00 +0000 (10:18 +0000)]
x86/traps: Don't call hvm_hypervisor_cpuid_leaf() for PV guests

Luckily, hvm_hypervisor_cpuid_leaf() and vmx_hypervisor_cpuid_leaf() are safe
to execute in the context of a PV guest, but HVM-specific feature flags
shouldn't be visible to PV guests.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>