Ian Jackson [Thu, 22 Dec 2016 15:32:33 +0000 (15:32 +0000)]
Look for xenstored with xenstore-read from PATH
"Check that xenstored has actually started before talking to it"
invoked /usr/sbin/xenstored, which does not exist.
Absolute paths are EBW anyway.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Thu, 22 Dec 2016 14:59:44 +0000 (14:59 +0000)]
changelog: make a final line for 4.8.0-1~ to work around #849081
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Thu, 22 Dec 2016 10:31:45 +0000 (10:31 +0000)]
control: regenerate
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Campbell [Fri, 21 Aug 2015 13:54:13 +0000 (14:54 +0100)]
Include a reportbug control file to redirect bugs to src:xen
(cherry picked from commit 084b7cf56dd2ccfbf1c04796689222dac9d58ac6)
Conflicts:
debian/changelog
debian/rules.real
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Campbell [Thu, 6 Nov 2014 11:32:39 +0000 (11:32 +0000)]
Apply SELinux labels to directories created by initscripts.
Patch from Russell Coker. (Closes: #764912)
(cherry picked from commit 46a8d71bec748f3c6dfb98bf4ba3973a5b3cd951)
Conflicts:
debian/changelog
Ian Campbell [Sat, 22 Aug 2015 07:58:34 +0000 (08:58 +0100)]
Correctly use cls in xen-init-list:SXPParser.loads
(cherry picked from commit c617b4af156647ad4d390c4061ca3ee72100f99f)
Ian Campbell [Fri, 21 Aug 2015 19:31:22 +0000 (20:31 +0100)]
Correct syntax error in xen-init-list
(cherry picked from commit bbd22332c24478f86a5cff52531c1bc3697d8d96)
Conflicts:
debian/changelog
Ian Campbell [Tue, 25 Nov 2014 12:47:08 +0000 (12:47 +0000)]
Check that xenstored has actually started before talking to it.
Incorporate a timeout so as not to block boot (Mitigates #737613).
This code was taken from the upstream initscript and adapted, so it is
pretty well tested.
(cherry picked from commit 57e0a490c53a029d0921edde9e1acdc158ac2164)
Conflicts:
debian/changelog
debian/xen-utils-common.xen.init
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Wed, 21 Dec 2016 15:26:36 +0000 (15:26 +0000)]
control: Change my email address
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Wed, 21 Dec 2016 15:22:43 +0000 (15:22 +0000)]
changelog: More XSA gardening
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Wed, 21 Dec 2016 15:05:47 +0000 (15:05 +0000)]
changelog: Document security fixes
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Wed, 21 Dec 2016 14:53:41 +0000 (14:53 +0000)]
changelog: Document XSA fixes
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Wed, 21 Dec 2016 14:43:43 +0000 (14:43 +0000)]
changelog: Rebased to 4.8.0
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Wed, 16 Nov 2016 16:30:06 +0000 (16:30 +0000)]
Fix xen-init-name to not fail looking for a nonexistent 'config' entry in xl's JSON output. Closes:#818129.
Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Ian Campbell [Fri, 21 Nov 2014 11:27:45 +0000 (11:27 +0000)]
Start a qemu process in dom0 to service the toolstacks loopback disk attaches.
This is used to e.g. run pygrub on a VM with a qcow2 disk image.
(Closes: #770456)
Also, remove correct pidfile when stopping xenconsoled.
(cherry picked from commit fcdd6e3c9596e900748e93ae3be4e6a3dc278f26)
(from alioth alioth/feature/bug770456)
Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Ian Jackson [Tue, 15 Nov 2016 15:10:45 +0000 (15:10 +0000)]
Drop -lcrypto search from upstream configure, and from our Build-Depends.
Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Ian Jackson [Tue, 15 Nov 2016 14:10:15 +0000 (14:10 +0000)]
changelog: start 4.8.0~rc5-2
Ian Jackson [Fri, 11 Nov 2016 15:27:20 +0000 (15:27 +0000)]
changelog: Declare 4.8.0~rc5-1
Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Ian Jackson [Tue, 1 Nov 2016 16:20:27 +0000 (16:20 +0000)]
tools/tests/x86_emulator: Pass -no-pie -fno-pic to gcc on x86_32
The current build fails with GCC6 on Debian sid i386 (unstable):
/tmp/ccqjaueF.s: Assembler messages:
/tmp/ccqjaueF.s:3713: Error: missing or invalid displacement expression `vmovd_to_reg_len@GOT'
This is due to the combination of GCC6, and Debian's decision to
enable some hardening flags by default (to try to make runtime
addresses less predictable):
https://wiki.debian.org/Hardening/PIEByDefaultTransition
This is of no benefit for the x86 instruction emulator test, which is
a rebuild of the emulator code for testing purposes only. So pass
options to disable this.
These options will be no-ops if they are the same as the compiler
default.
On amd64, the -fno-pic breaks the build in a different way. So do
this only on i386.
Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
squash! tools/tests/x86_emulator: Pass -no-pie -fno-pic to gcc
Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Ubuntu Developers [Thu, 6 Oct 2016 13:24:46 +0000 (14:24 +0100)]
ubuntu-tools-libs-abiname
Gbp-Pq: Name ubuntu-tools-libs-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:36 +0000 (11:47 +0200)]
tools-xenstore-compatibility.diff
Patch-Name: tools-xenstore-compatibility.diff
Gbp-Pq: Name tools-xenstore-compatibility.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:31 +0000 (11:47 +0200)]
tools-xenmon-install.diff
Patch-Name: tools-xenmon-install.diff
Gbp-Pq: Name tools-xenmon-install.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:30 +0000 (11:47 +0200)]
tools-include-install.diff
Patch-Name: tools-include-install.diff
Gbp-Pq: Name tools-include-install.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:29 +0000 (11:47 +0200)]
Remove static solaris support from pygrub
Patch-Name: tools-pygrub-remove-static-solaris-support
Gbp-Pq: Name tools-pygrub-remove-static-solaris-support
Bastian Blank [Sat, 5 Jul 2014 09:47:14 +0000 (11:47 +0200)]
tools-xentrace-prefix.diff
Patch-Name: tools-xentrace-prefix.diff
Gbp-Pq: Name tools-xentrace-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:12 +0000 (11:47 +0200)]
tools-xenstore-prefix.diff
Patch-Name: tools-xenstore-prefix.diff
Gbp-Pq: Name tools-xenstore-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:09 +0000 (11:47 +0200)]
tools-xenstat-prefix.diff
Patch-Name: tools-xenstat-prefix.diff
Gbp-Pq: Name tools-xenstat-prefix.diff
Bastian Blank [Sat, 13 Dec 2014 18:37:02 +0000 (19:37 +0100)]
tools-xenpmd-prefix.diff
Patch-Name: tools-xenpmd-prefix.diff
Gbp-Pq: Name tools-xenpmd-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:08 +0000 (11:47 +0200)]
tools-xenpaging-prefix.diff
Patch-Name: tools-xenpaging-prefix.diff
Gbp-Pq: Name tools-xenpaging-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:06 +0000 (11:47 +0200)]
tools-xenmon-prefix.diff
Patch-Name: tools-xenmon-prefix.diff
Gbp-Pq: Name tools-xenmon-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:05 +0000 (11:47 +0200)]
tools-xcutils-rpath.diff
Patch-Name: tools-xcutils-rpath.diff
Gbp-Pq: Name tools-xcutils-rpath.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:02 +0000 (11:47 +0200)]
tools-python-prefix.diff
Patch-Name: tools-python-prefix.diff
Gbp-Pq: Name tools-python-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:01 +0000 (11:47 +0200)]
tools-pygrub-prefix.diff
Patch-Name: tools-pygrub-prefix.diff
Gbp-Pq: Name tools-pygrub-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:59 +0000 (11:46 +0200)]
tools-misc-prefix.diff
Patch-Name: tools-misc-prefix.diff
Gbp-Pq: Name tools-misc-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:57 +0000 (11:46 +0200)]
tools-libxl-prefix.diff
Patch-Name: tools-libxl-prefix.diff
Gbp-Pq: Name tools-libxl-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:55 +0000 (11:46 +0200)]
tools-libfsimage-prefix.diff
Patch-Name: tools-libfsimage-prefix.diff
Gbp-Pq: Name tools-libfsimage-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:54 +0000 (11:46 +0200)]
tools-console-prefix.diff
Patch-Name: tools-console-prefix.diff
Gbp-Pq: Name tools-console-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:53 +0000 (11:46 +0200)]
tools-blktap2-prefix.diff
Patch-Name: tools-blktap2-prefix.diff
Gbp-Pq: Name tools-blktap2-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:51 +0000 (11:46 +0200)]
tools-rpath.diff
Patch-Name: tools-rpath.diff
Gbp-Pq: Name tools-rpath.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:50 +0000 (11:46 +0200)]
tools-xenstat-abiname.diff
Patch-Name: tools-xenstat-abiname.diff
Gbp-Pq: Name tools-xenstat-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:49 +0000 (11:46 +0200)]
tools-libxl-abiname.diff
Patch-Name: tools-libxl-abiname.diff
Gbp-Pq: Name tools-libxl-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:48 +0000 (11:46 +0200)]
tools-libxc-abiname.diff
Patch-Name: tools-libxc-abiname.diff
Gbp-Pq: Name tools-libxc-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:47 +0000 (11:46 +0200)]
tools-libfsimage-abiname.diff
Patch-Name: tools-libfsimage-abiname.diff
Gbp-Pq: Name tools-libfsimage-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:45 +0000 (11:46 +0200)]
config-prefix.diff
Patch-Name: config-prefix.diff
Gbp-Pq: Name config-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:43 +0000 (11:46 +0200)]
version
Patch-Name: version.diff
Gbp-Pq: Name version.diff
Ian Jackson [Fri, 28 Oct 2016 13:52:13 +0000 (14:52 +0100)]
Rerun autogen.sh (stretch)
Using autoconf 2.69-10 (amd64)
Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Ian Jackson [Fri, 21 Oct 2016 14:11:19 +0000 (15:11 +0100)]
Copy debian/ directory from archive/debian/4.8.0_rc3-1
(And discard old debian/patches/)
Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Wei Liu [Thu, 29 Dec 2016 16:36:31 +0000 (16:36 +0000)]
libxl: fix libxl_set_memory_target
Commit 26dbc93a ("libxl: Remove pointless hypercall from
libxl_set_memory_target") removed the call to xc_domain_getinfolist, but
it failed to notice that "info" was actually needed later.
Put that back. While at it, make the code conform to coding style
requirement.
Reported-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
(cherry picked from commit ed5f19aea66fe5a72060d6a795ffcd23b7643ee3)
Julien Grall [Wed, 18 Jan 2017 18:54:08 +0000 (18:54 +0000)]
xen/arm: gic-v3: Make sure read from ICC_IAR1_EL1 is visible on the redistributor
"The effects of reading ICC_IAR0_EL1 and ICC_IAR1_EL1 on the state of a
returned INTID are not guaranteed to be visible until after the execution
of a DSB".
Because the GIC is an external component, a dsb sy is required.
Without it the sysreg read may not have been made visible on the
redistributor.
Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Andrew Cooper [Wed, 18 Jan 2017 08:52:19 +0000 (09:52 +0100)]
x86/cpu: Don't update this_cpu for get_cpu_vendor(, gcv_guest)
Otherwise booting a cross-vendor guest would cause PCPU hotplug to
malfunction, because of trying to use the wrong CPU driver.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit: 291dcb4dd0140fac0e439760b4d51b2892ff9264
master date: 2017-01-03 13:33:16 +0000
Andrew Cooper [Wed, 18 Jan 2017 08:51:53 +0000 (09:51 +0100)]
x86/emul: Correct the return value handling of VMFUNC
The bracketing of x86_emulate() calling the ops->vmfunc() hook is wrong with
respect to the assignment to rc, which can trip the new assertions in
x86_emulate_wrapper().
The hvmemul_vmfunc() hook should only raise #UD if X86EMUL_EXCEPTION is
returned. This is only a latent bug at the moment.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit: 3ab1876504d409689824e161a8b04e57e1e5dd46
master date: 2016-12-22 13:32:46 +0000
Jan Beulich [Wed, 18 Jan 2017 08:49:55 +0000 (09:49 +0100)]
x86/boot: fix build with certain older gcc versions
Despite all attempts so far (ending in commit fecf584294 ["Config.mk:
fix comment for debug option"] adjusting the respective comment),
Config.mk's debug= setting still affects the hypervisor build: CFLAGS
gets -g added there.
xen/arch/x86/boot/build32.mk includes that file, and hence inherits the
setting too. Some gcc versions take -g to create an .eh_frame section
despite -fno-asynchronous-unwind-tables (which instead one would expect
to produce .debug_frame).
In turn, commit 93c0c0287a ("x86/boot: create *.lnk files with linker
script") was - in my understanding - supposed to make sure .text is
first, but apparently it did also not really achieve that effect: Both
reloc.lnk and reloc.bin in the case here ended up with .eh_frame first,
which obviously rendered the whole final binary unusable.
Explicitly suppress generation of any kind of debug info when building
reloc.o.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 620b3c7eee78e90167f591877177c922ae619b92
master date: 2016-12-16 14:37:35 +0100
Jan Beulich [Wed, 18 Jan 2017 08:49:26 +0000 (09:49 +0100)]
x86emul: CMPXCHG16B requires an aligned operand
This distinguishes it from CMPXCHG8B.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: d7d3a82c28a1102ee6c9707071a946164bae0d57
master date: 2016-12-16 14:37:11 +0100
Jan Beulich [Wed, 18 Jan 2017 08:48:57 +0000 (09:48 +0100)]
VT-d: correct dma_msi_set_affinity()
Commit 83cd2038fe ("VT-d: use msi_compose_msg()") together with
15aa6c6748 ("amd iommu: use base platform MSI implementation"),
introducing the use of a per-CPU scratch CPU mask, went too far:
dma_msi_set_affinity() may, at least in theory, be called in
interrupt context, and hence the use of that scratch variable is not
correct.
Since the function overwrites the destination information anyway,
allow msi_compose_msg() to be called with a NULL CPU mask, avoiding
the use of that scratch variable.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 7f885a1f49a75c770360b030666a5c1545156e5c
master date: 2016-12-16 14:33:43 +0100
Jan Beulich [Wed, 18 Jan 2017 08:48:23 +0000 (09:48 +0100)]
x86emul: ignore most segment bases for 64-bit mode in is_aligned()
ops->read_segment() will report whatever is actually there in the
register, so we need to actively distinguish ES/CS/SS/DS from FS/GS.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 6e616a3cef4d782253787904bf3d641112eafa14
master date: 2016-12-15 11:13:32 +0100
Jan Beulich [Wed, 18 Jan 2017 08:47:31 +0000 (09:47 +0100)]
x86emul: MOVNTI does not allow REP prefixes
Just like 66, prefixes F3 and F2 cause #UD.
Also adjust a related comment, which in its previous wording was
misleading (as in 16-bit mode there would nothing be undone when
adjusting operand size from 2 to 4).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 96a7cb37b921d2b320183d194d143262e1dd5b53
master date: 2016-12-14 10:11:08 +0100
Luwei Kang [Wed, 18 Jan 2017 08:46:54 +0000 (09:46 +0100)]
x86/VPMU: clear the overflow status of which counter happened to overflow
Just set the corresponding bits of counters which happened to overflow,
rather than setting all the available bits of IA32_PERF_GLOBAL_OVF_CTRL
when pmu interrupt happened.
Signed-off-by: Luwei Kang <luwei.kang@intel.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit: 7a0c70482580234868fcc53b8d72e31966dc7c52
master date: 2016-12-13 14:21:26 +0100
Paul Durrant [Wed, 18 Jan 2017 08:46:26 +0000 (09:46 +0100)]
x86/hvm: don't unconditionally create a default ioreq server
Avoid doing so if the domain is not under construction.
If upstream QEMU is in use then it will explicitly create an ioreq server
rather than implicitly creating the default ioreq server, which is a
side-effect of reading HVM_PARAM_IOREQ_PFN, HVM_PARAM_BUFIOREQ_PFN,
or HVM_PARAM_BUFIOREQ_EVTCHN (as is done by legacy QEMUs).
However, if the domain is subsequently saved/migrated then those parameters
are read and hence the default server will be unnecessarily instantiated.
This patch adds an extra check of the 'creation_finished' flag when those
HVM params are read and will only instantiate the server if the domain is
under construction, which will always be the case when QEMU is invoked.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
x86/hvm: Fix HVMOP_get_param when skipping creating the default ioreq server
c/s e7dabe5 "x86/hvm: don't unconditionally create a default ioreq server"
added a break statement, but the logic previously depended on falling through
into the default case to fill in the value the caller asked for.
This causes the sending migration code to put a junk PARAM into the stream,
and the receiving side to fail to zero the IOREQ pages, causing QEMU to object
when it finds stale requests while starting up.
Reorder the code so it more clearly falls through into the default case.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
master commit: e7dabe59c3239dc9ef9edbc49ed54f754616ebf7
master date: 2016-12-12 09:49:10 +0100
master commit: 451c9938c68ccb77ff94765f7ac47e8de51d3f43
master date: 2016-12-13 09:58:33 +0000
Jan Beulich [Wed, 18 Jan 2017 08:45:54 +0000 (09:45 +0100)]
libelf: section index 0 is special
When iterating over sections, table entry zero needs to be ignored.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
master commit: 41fe9cabf29ea15c1f8edee49326dfde705013d3
master date: 2016-12-07 13:52:35 +0100
Jan Beulich [Wed, 18 Jan 2017 08:44:49 +0000 (09:44 +0100)]
x86emul: CMPXCHG{8,16}B ignore prefixes
This removes 0F C7 from the list of two-byte opcodes treating prefixes
66, F3, and F2 as opcode extensions. We better manually handle this in
the opcode specific code:
- CMPXCHG8B ignores all these prefixes (its handling is being adjusted
accordingly, with a respective test case added as well, to avoid
re-introducing the subject of XSA-200),
- RDRAND/RDSEED (support to be added subsequently) honor 66, but treat
F3 and F2 as opcode extensions (resolving to RDPID in the RDSEED
case, which in turn ignores 66).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 54abe826c8297e12f805be2bcf318ef75cc7f58d
master date: 2016-12-14 10:08:22 +0100
Andrew Cooper [Wed, 18 Jan 2017 08:43:47 +0000 (09:43 +0100)]
xen: Fix determining when domain creation is complete
d->creation_finished is used in several places to alter behaviour depending on
whether the domain is being created, or is already running.
However, there is a latent bug if a toolstack component makes a pair of
pause/unpause calls, where creation will be considered finished prematurely.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Paul Durrant <paul.durrant@citrix.com>
master commit: 9d71e02e8420b5d4a48d92446a1edbff498ee1c6
master date: 2016-12-13 09:58:33 +0000
Jan Beulich [Wed, 18 Jan 2017 08:43:00 +0000 (09:43 +0100)]
x86emul: correct PUSHF/POPF
Both need to raise #GP(0) when in VM86 mode with IOPL < 3.
Additionally PUSHF is documented to clear VM and RF from the value
placed onto the stack.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: e5c1b8145bccb7fc587ee5b0c95ace6c5e0c7ffd
master date: 2016-12-07 13:55:42 +0100
Roger Pau Monne [Wed, 21 Dec 2016 16:47:26 +0000 (16:47 +0000)]
init/FreeBSD: fix incorrect usage of $rc_pids in xendriverdomain
It should be rc_pid.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reported-by: Nathan Friess <nathan.friess@gmail.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
(cherry picked from commit fb4c92ffa661516e41d24974d3d0a2a3608caf68)
Roger Pau Monne [Mon, 19 Dec 2016 15:02:04 +0000 (15:02 +0000)]
init/FreeBSD: add rc control variables
Those are used in order to decide which scripts are executed at init.
Ref: https://www.freebsd.org/doc/en/articles/rc-scripting/article.html#rcng-confdummy
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
[ wei: fix up conflict ]
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
(cherry picked from commit 4d362ce02aaf1699957fb7c0edc6ae5839ccb30e)
Roger Pau Monne [Mon, 19 Dec 2016 15:02:03 +0000 (15:02 +0000)]
init/FreeBSD: fix xencommons so it can only be launched by Dom0
At the moment the execution of xencommons is gated on the presence of the
privcmd device, but that's not correct, since privcmd is available to all Xen
domains (privileged or unprivileged). Instead of using privcmd use the
xenstored device, which will only be available to the domain that's in charge
of running xenstored, and thus xencommons.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
(cherry picked from commit c875b9778da0c56a0c118626771465b87df31fe8)
Roger Pau Monne [Mon, 19 Dec 2016 15:02:02 +0000 (15:02 +0000)]
init/FreeBSD: remove xendriverdomain_precmd
...because it's empty. While there also rename xendriverdomain_startcmd to
xendriverdomain_start in order to match the nomenclature of the file.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
[ wei: fix up minor error ]
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
(cherry picked from commit 29b968e46b215bea8881abdfd06a046417b83006)
Roger Pau Monne [Mon, 19 Dec 2016 15:02:01 +0000 (15:02 +0000)]
init/FreeBSD: set correct PATH for xl devd
FreeBSD init scripts don't have /usr/local/{bin/sbin} in its PATH, which
prevents `xl devd` from working properly since hotplug scripts require the set
of xenstore cli tools to be in PATH.
While there also fix the usage of --pidfile, which according to the xl help
doesn't use "=", and add braces around XLDEVD_PIDFILE.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
(cherry picked from commit 1d52073334d7615934fe804bc656b7aab0e92ebd)
Anshul Makkar [Mon, 12 Dec 2016 14:00:05 +0000 (14:00 +0000)]
xsm: allow relevant permission during migrate and gpu-passthrough.
During guest migrate allow permission to prevent
spurious page faults.
Prevents these errors:
d73: Non-privileged (73) attempt to map I/O space 00000000
avc: denied { set_misc_info } for domid=0 target=11
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain
GPU passthrough for hvm guest:
avc: denied { send_irq } for domid=0 target=10
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=hvm
Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
(cherry picked from commit f04722f78b0f64e1f147389962d8f393a2fa8a7a)
Wei Liu [Wed, 14 Dec 2016 11:44:36 +0000 (11:44 +0000)]
libxl: init_acpi_config should return rc in exit path, and set to 0 on success
init_acpi_config should return rc in exit path
... otherwise it returns 0 even if the function fails.
Coverity-ID: 1397121
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
(cherry picked from commit 1361db0ed3ad1217bd039a3cac5df49a622e12a9)
AND:
set rc to 0 in init_acpi_config in success path
xc_doamin_getinfo returns >=0 in success path, and if there is no vnode
configured, that rc will be returned to caller, which indicates error.
Fix that by setting rc to 0 in success path.
Reported-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Tested-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
(cherry picked from commit 08ccb46924385c833bd0da9e087fb6b96fa76849)
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Andrew Cooper [Thu, 22 Dec 2016 15:23:37 +0000 (16:23 +0100)]
x86/emul: add likely()/unlikely() to test harness
Fix a build problem introduced in c/s 122dd9575c7 "x86emul:
in_longmode() should not ignore ->read_msr() errors" by providing an
implementation of likely()/unlikely().
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Cherrypicked out of:
master commit: 3e84c8da7d2c5442a12789dae7163dca6c0e154f
master date: 2016-12-02 17:23:01 +0000
Jan Beulich [Wed, 21 Dec 2016 16:41:20 +0000 (17:41 +0100)]
x86/HVM: add missing NULL check before using VMFUNC hook
This is CVE-2016-10025 / XSA-203.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 74dcd0ce6f4fadce8093e54f0fc1a45426577e13
master date: 2016-12-21 16:47:19 +0100
Jan Beulich [Wed, 21 Dec 2016 16:40:37 +0000 (17:40 +0100)]
x86: force EFLAGS.IF on when exiting to PV guests
Guest kernels modifying instructions in the process of being emulated
for another of their vCPU-s may effect EFLAGS.IF to be cleared upon
next exiting to guest context, by converting the being emulated
instruction to CLI (at the right point in time). Prevent any such bad
effects by always forcing EFLAGS.IF on. And to cover hypothetical other
similar issues, also force EFLAGS.{IOPL,NT,VM} to zero.
This is CVE-2016-10024 / XSA-202.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 0e47f92b072548800223f9a21ea051a017173915
master date: 2016-12-21 16:46:13 +0100
Andrew Cooper [Sun, 18 Dec 2016 15:42:59 +0000 (15:42 +0000)]
x86/emul: Correct the handling of eflags with SYSCALL
A singlestep #DB is determined by the resulting eflags value from the
execution of SYSCALL, not the original eflags value.
By using the original eflags value, we negate the guest kernel's attempt to
protect itself from a privilege escalation by masking TF.
Have the SYSCALL emulation recalculate tf after the instruction is complete.
This is XSA-204
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Ian Jackson [Wed, 7 Dec 2016 16:53:21 +0000 (16:53 +0000)]
QEMU_TAG update
Jan Beulich [Tue, 6 Dec 2016 09:14:32 +0000 (10:14 +0100)]
update Xen version to 4.8.1-pre
Ian Jackson [Mon, 5 Dec 2016 12:03:27 +0000 (12:03 +0000)]
Version numbers: Finalise 4.8.0.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Mon, 5 Dec 2016 11:59:18 +0000 (11:59 +0000)]
Config.mk: Update subtrees to 4.8.0 release tags
No functional change.
All these tags have been pushed to the corresponding trees on xenbits.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Tue, 29 Nov 2016 18:05:48 +0000 (18:05 +0000)]
Config.mk: Drop stale QEMU_TRADITIONAL_REVISION commentary
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Ian Jackson [Tue, 29 Nov 2016 16:54:30 +0000 (16:54 +0000)]
Merge branch 'staging' of xenbits.xen.org:/home/xen/git/xen into staging
Ian Jackson [Tue, 29 Nov 2016 16:41:32 +0000 (16:41 +0000)]
Update QEMU_TRADITIONAL_REVISION and QEMU_UPSTREAM_REVISION to -rc7
These commits include the fix for XSA-197.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Dario Faggioli [Tue, 29 Nov 2016 15:01:03 +0000 (16:01 +0100)]
credit2: make runqueues be per-socket by default
Benchmarks have shown that per-socket runqueues arrangement
behaves better (e.g., we achieve better load balancing)
than the current per-core default.
Here's an example (coming from
https://lists.xen.org/archives/html/xen-devel/2016-06/msg02287.html ):
|=======================================|
| XEN BUILD TIME, LOW LOAD, NO NOISE |
|---------------------------------------|
| runq=core runq=socket |
| 35.200 33.433 |
|---------------------------------------|------------------------------|
| XEN BUILD TIME, HIGH LOAD, NO NOISE | IPERF, HIGH LOAD, NO NOISE |
|---------------------------------------|------------------------------|
| runq=core runq=socket | runq=core runq=socket |
| 18.013 18.530 | 23.200 23.466 |
|---------------------------------------|------------------------------|
| XEN BUILD TIME, LOW LOAD, WITH NOISE |
|------------------------------------- |
| runq=core runq=socket |
| 45.866 39.493 |
|---------------------------------------|------------------------------|
| XEN BUILD TIME, HIGH LOAD, WITH NOISE | IPERF, HIGH LOAD, WITH NOISE |
|---------------------------------------|------------------------------|
| runq=core runq=socket | runq=core runq=socket |
| 36.840 29.080 | 19.967 21.000 |
|=======================================|==============================|
The only reason why we went for per-core, initially, was to
introduce some form of hyperthreading support. Now we have
hyperthreading support, independently from how runqueues
are organized (9bb9c7388 "xen: credit2: implement true SMT
support"), and thus we can switch to per-socket.
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Julien Grall [Tue, 29 Nov 2016 15:00:48 +0000 (16:00 +0100)]
libacpi: fix compilation when cross building the tools
The tools (such as mk_dsdt) can be cross-built when it may not be
desirable to build them on the target.
The commit c4ac1077 "libxl/arm: Generate static ACPI DSDT table"
introduced support of ARM64 in mk_dsdt but also broke cross-building
tools because the ACPI tables are not correct.
While mk_dsdt should generate ACPI table for the target architecture, it
currently generates the one for the host. This is because the source
code contains reference to the host architecture (__aarch64__,
__x86_64__, __i386__) when it should be the target architecture.
Replace all __aarch64__, __x86_64__, __i386__ by the corresponding
CONFIG_*.
Also expose the CONFIG_* to the source code as they are currently only
exposed to the Makefile.
Reported-by: Andrii Anisov <andrii.anisov@gmail.com>
Suggested-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Wei Chen [Tue, 29 Nov 2016 14:59:55 +0000 (15:59 +0100)]
arm32: handle async aborts delivered while at HYP
If guest generates an asynchronous abort and then traps into HYP
(by HVC or IRQ) before the abort has been delivered, the hypervisor
could not catch it, because the PSTATE.A bit is masked all the time
in hypervisor. So this asynchronous abort may be slipped to next
running guest with PSTATE.A bit unmasked.
In order to avoid this, it is necessary to take the abort at HYP, by
clearing the PSTATE.A bit. In this patch, we unmask the PSTATE.A bit
to open a window to catch guest-generated asynchronous abort in all
Guest -> HYP switch paths. If we caught such asynchronous abort in
checking window, the HYP data abort exception will be triggered and
the abort source guest will be crashed.
This is part of XSA-201.
Signed-off-by: Wei Chen <Wei.Chen@arm.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Wei Chen [Tue, 29 Nov 2016 14:59:26 +0000 (15:59 +0100)]
arm: crash the guest when it traps on external abort
If we spot a data or prefetch abort bearing the ESR_EL2.EA bit set, we
know that this is an external abort, and that should crash the guest.
This is part of XSA-201.
Signed-off-by: Wei Chen <Wei.Chen@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Steve Capper <steve.capper@arm.com>
Reviewed-by: Julien Grall <Julien.Grall@arm.com>
Wei Chen [Tue, 29 Nov 2016 14:58:57 +0000 (15:58 +0100)]
arm64: handle async aborts delivered while at EL2
If EL1 generates an asynchronous abort and then traps into EL2
(by HVC or IRQ) before the abort has been delivered, the hypervisor
could not catch it, because the PSTATE.A bit is masked all the time
in the hypervisor. So this asynchronous abort may slip to the next
running guest with the PSTATE.A bit unmasked.
In order to avoid this, it is necessary to take the abort at EL2, by
clearing the PSTATE.A bit. In this patch, we unmask the PSTATE.A bit
to open a window to catch guest-generated asynchronous aborts in all
EL1 -> EL2 switch paths. If we catch such an asynchronous abort in
the checking window, the hyp_error exception will be triggered and the
abort source guest will be crashed.
This is part of XSA-201.
Signed-off-by: Wei Chen <Wei.Chen@arm.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Wei Chen [Tue, 29 Nov 2016 14:57:52 +0000 (15:57 +0100)]
arm64: handle guest-generated EL1 asynchronous abort
In the current code, when the hypervisor receives an asynchronous abort
from a guest, the hypervisor will panic and the host will go down.
We have to prevent such a security issue, so in this patch we crash
the guest when the hypervisor receives an asynchronous abort from
the guest.
This is part of XSA-201.
Signed-off-by: Wei Chen <Wei.Chen@arm.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Steve Capper <steve.capper@arm.com>
Reviewed-by: Julien Grall <Julien.Grall@arm.com>
Andrew Cooper [Mon, 28 Nov 2016 08:17:00 +0000 (09:17 +0100)]
x86/cpu: reposition stack alignment check
As identified during review, using BUG_ON() before `lidt` will result in a
triple fault, even on APs.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Juergen Gross [Fri, 25 Nov 2016 13:32:44 +0000 (14:32 +0100)]
remove reference to xensource.com
xen/include/public/hvm/pvdrivers.h contains a reference to
xen-devel@lists.xensource.com. Replace it by the correct address
xen-devel@lists.xenproject.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Dario Faggioli [Fri, 25 Nov 2016 13:32:19 +0000 (14:32 +0100)]
blkif: kill some repetitions in protocol description
The whole block describing multiqueue support was repeated
two times.
There also was some repetition in the description of the
'discard-enable' property.
Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Konrad Rzeszutek Will <Konrad.wilk@oracle.com>
Jan Beulich [Fri, 25 Nov 2016 13:31:50 +0000 (14:31 +0100)]
x86emul: CMOVcc always writes its destination
This would be benign if there wasn't the zero-extending side effect of
32-bit operations in 64-bit mode.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
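The zero-extension point in the CMOVcc message above, as an added C example (a constructed register model, not Xen's emulator code; `gpr_write`, `cmov_skip_write` and `cmov_always_write` are hypothetical names). It generalizes to 16-, 32- and 64-bit operands to show that skipping the write-back on a false condition only diverges for 32-bit operands.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of a 64-bit mode register write-back (not Xen code).
 * 16-bit writes keep bits 63:16, 32-bit writes zero bits 63:32,
 * 64-bit writes replace the whole register.
 */
static uint64_t gpr_write(uint64_t old, uint64_t val, unsigned op_bytes)
{
    switch (op_bytes) {
    case 2:  return (old & ~0xffffULL) | (val & 0xffffULL);
    case 4:  return val & 0xffffffffULL;
    default: return val;
    }
}

/* Emulation that skips the write-back when the condition is false. */
uint64_t cmov_skip_write(uint64_t dst, uint64_t src, bool cond, unsigned op_bytes)
{
    return cond ? gpr_write(dst, src, op_bytes) : dst;
}

/* Emulation that always writes; a false condition writes back the old value. */
uint64_t cmov_always_write(uint64_t dst, uint64_t src, bool cond, unsigned op_bytes)
{
    return gpr_write(dst, cond ? src : dst, op_bytes);
}

int main(void)
{
    /* Constructed sample register contents. */
    const uint64_t dst = 0x1122334455667788ULL, src = 0xaabbccddeeff0011ULL;
    const unsigned sizes[] = { 2, 4, 8 };

    for (unsigned i = 0; i < 3; i++)
        printf("op_bytes=%u cond=false skip=%016llx always=%016llx\n", sizes[i],
               (unsigned long long)cmov_skip_write(dst, src, false, sizes[i]),
               (unsigned long long)cmov_always_write(dst, src, false, sizes[i]));
    return 0;
}
```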
Jan Beulich [Fri, 25 Nov 2016 13:30:58 +0000 (14:30 +0100)]
x86: re-add stack alignment check
Commit 279840d5ea ("x86/boot: install trap handlers much earlier on
boot"), perhaps not really intentionally, removed this check. Add it
back,
- preventing it from triggering before any output is set up,
- accompanying it with a (weaker, due to its open coding of what
get_stack_bottom() does) build time check.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Andrew Cooper [Thu, 24 Nov 2016 15:36:13 +0000 (15:36 +0000)]
x86/vmx: Don't deliver #MC with an error code
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Kevin Tian <kevin.tian@intel.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Andrew Cooper [Thu, 24 Nov 2016 15:23:38 +0000 (15:23 +0000)]
x86/emul: Don't deliver #UD with an error code
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Jan Beulich [Fri, 25 Nov 2016 08:46:32 +0000 (09:46 +0100)]
x86/SVM: don't deliver #GP without error code
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Andrew Cooper [Wed, 23 Nov 2016 11:32:55 +0000 (11:32 +0000)]
x86/hvm: Rename hvm_emulate_init() and hvm_emulate_prepare() for clarity
* Move hvm_emulate_init() to immediately after hvm_emulate_prepare(), as they
  are very closely related.
* Rename hvm_emulate_prepare() to hvm_emulate_init_once() and
  hvm_emulate_init() to hvm_emulate_init_per_insn() to make it clearer how to
  and when to use them.
No functional change.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Roger Pau Monne [Wed, 23 Nov 2016 16:56:39 +0000 (16:56 +0000)]
libxl: fix creation of pkgconf install dir
When PKG_INSTALLDIR was introduced the creation of the previous pkgconf install
directory was not changed. Fix this by correctly using PKG_INSTALLDIR for the
directory creation in libxl Makefile.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Jan Beulich [Wed, 23 Nov 2016 14:27:47 +0000 (15:27 +0100)]
x86emul: in_longmode() should not ignore ->read_msr() errors
All present hook implementations succeed for EFER, but we shouldn't
really build on this being the case.
Suggested-by: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Jan Beulich [Wed, 23 Nov 2016 14:27:17 +0000 (15:27 +0100)]
x86emul: simplify DstBitBase handling code
..., at once making it more obvious that even in the negative bit
offset case the resulting bit offset to be used by the inlined
instructions will always be constrained to the operand size of the
original instruction.
Also add a test case which would have failed without the XSA-195 fix.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
Jan Beulich [Wed, 23 Nov 2016 14:26:51 +0000 (15:26 +0100)]
x86/HVM: correct error code writing during task switch
Whether to write 32 or just 16 bits depends on the D bit of the target
CS. The width of the stack pointer to use depends on the B bit of the
target SS.
Also avoid using the no-fault copying routine.
Finally avoid using yet another struct segment_register variable here.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
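The width rules stated in the task switch message above, as an added C example (a constructed model, not Xen's task switch code; `push_errcode` and `struct errcode_push` are hypothetical names). It assumes the usual push behaviour in which a 16-bit stack changes only SP and leaves the upper half of ESP untouched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the error code push; not Xen's implementation. */
struct errcode_push {
    uint32_t new_esp;   /* stack pointer register after the push */
    uint32_t offset;    /* offset within SS where the write lands */
    unsigned bytes;     /* number of bytes written: 2 or 4 */
    uint32_t value;     /* value stored, truncated to the write width */
};

struct errcode_push push_errcode(uint32_t esp, uint32_t errcode,
                                 bool cs_d, bool ss_b)
{
    struct errcode_push r;

    /* D bit of the target CS selects a 32-bit or 16-bit write. */
    r.bytes = cs_d ? 4 : 2;
    r.value = cs_d ? errcode : (errcode & 0xffffu);

    if (ss_b) {
        /* B bit set: the full 32-bit ESP addresses the stack. */
        r.new_esp = esp - r.bytes;
        r.offset = r.new_esp;
    } else {
        /* B bit clear: only SP is used and it wraps inside 64KiB. */
        uint16_t sp = (uint16_t)(esp - r.bytes);
        r.new_esp = (esp & 0xffff0000u) | sp;
        r.offset = sp;
    }
    return r;
}

int main(void)
{
    /* Constructed inputs: ESP just above a 64KiB boundary. */
    for (int d = 0; d < 2; d++)
        for (int b = 0; b < 2; b++) {
            struct errcode_push r = push_errcode(0x00020002u, 0x0001abccu, d, b);
            printf("D=%d B=%d: %u bytes of %#x at offset %#x, ESP=%#x\n",
                   d, b, r.bytes, r.value, r.offset, r.new_esp);
        }
    return 0;
}
```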
Jan Beulich [Wed, 23 Nov 2016 14:26:11 +0000 (15:26 +0100)]
x86/HVM: limit writes to outgoing TSS during task switch
The only fields modified are EIP, EFLAGS, GPRs, and segment selectors.
CR3 in particular is not supposed to be updated.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>