Ian Jackson [Wed, 21 Oct 2015 15:18:30 +0000 (16:18 +0100)]
libxl: adjust PoD target by memory fudge, too
PoD guests need to balloon at least as far as required by PoD, or risk
crashing. Currently they don't necessarily know what the right value
is, because our memory accounting is (at the very least) confusing.
Apply the memory limit fudge factor to the in-hypervisor PoD memory
target, too. This will increase the size of the guest's PoD cache by
the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby). This ensures
that even with a slightly-off balloon driver, the guest will be
stable even under memory pressure.
There are two call sites of xc_domain_set_pod_target that need fixing:
The one in libxl_set_memory_target is straightforward.
The one in xc_hvm_build_x86.c:setup_guest is more awkward. Simply
setting the PoD target differently does not work because the various
amounts of memory during domain construction no longer match up.
Instead, we adjust the guest memory target in xenstore (but only for
PoD guests).
This introduces a 1Mby discrepancy between the balloon target of a PoD
guest at boot, and the target set by an apparently-equivalent `xl
mem-set' (or similar) later. This approach is low-risk for a security
fix but we need to fix this up properly in xen.git#staging and
probably also in stable trees.
This is XSA-153.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
(cherry picked from commit 56fb5fd62320eb40a7517206f9706aa9188d6f7b)
Patch-Name: CVE-2015-7972.diff
Gbp-Pq: Name CVE-2015-7972.diff
Jan Beulich [Thu, 29 Oct 2015 12:52:02 +0000 (13:52 +0100)]
x86: rate-limit logging in do_xen{oprof,pmu}_op()
Some of the sub-ops are accessible to all guests, and hence should be
rate-limited. In the xenoprof case, just like for XSA-146, include them
only in debug builds. Since the vPMU code is rather new, allow them to
be always present, but downgrade them to (rate limited) guest messages.
This is CVE-2015-7971 / XSA-152.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
master commit: 95e7415843b94c346e5ba8682665f508f220e04b
master date: 2015-10-29 13:37:19 +0100
(cherry picked from commit bdc9fdf9d468cb94ca0fbed1b969c20bf173dc9b)
Patch-Name: CVE-2015-7971.diff
Gbp-Pq: Name CVE-2015-7971.diff
Jan Beulich [Thu, 29 Oct 2015 12:51:24 +0000 (13:51 +0100)]
xenoprof: free domain's vcpu array
This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
guest").
This is CVE-2015-7969 / XSA-151.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
master commit: 6e97c4b37386c2d09e09e9b5d5d232e37728b960
master date: 2015-10-29 13:36:52 +0100
(cherry picked from commit 429f0cd270851462783fc6d56d6bae9cbb40bdca)
Patch-Name: CVE-2015-7969.1.diff
Gbp-Pq: Name CVE-2015-7969.1.diff
Andrew Cooper [Thu, 29 Oct 2015 12:50:59 +0000 (13:50 +0100)]
x86/PoD: Eager sweep for zeroed pages
Based on the contents of a guest's physical address space,
p2m_pod_emergency_sweep() could degrade into a linear memcmp() from 0 to
max_gfn, which runs non-preemptibly.
As p2m_pod_emergency_sweep() runs behind the scenes in a number of contexts,
making it preemptible is not feasible.
Instead, a different approach is taken. Recently-populated pages are eagerly
checked for reclamation, which amortises the p2m_pod_emergency_sweep()
operation across each p2m_pod_demand_populate() operation.
Note that in the case that a 2M superpage can't be reclaimed as a superpage,
it is shattered if 4K pages of zeros can be reclaimed. This is unfortunate
but matches the previous behaviour, and is required to avoid regressions
(domain crash from PoD exhaustion) with VMs configured close to the limit.
This is CVE-2015-7970 / XSA-150.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
master commit: 101ce53266866144e724ed593173bc4098b300b9
master date: 2015-10-29 13:36:25 +0100
(cherry picked from commit 4a32fbd95af6503ea1314ff2aa9a0b0a473d46c0)
Patch-Name: CVE-2015-7970.diff
Gbp-Pq: Name CVE-2015-7970.diff
Jan Beulich [Thu, 29 Oct 2015 12:49:56 +0000 (13:49 +0100)]
free domain's vcpu array
This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
guest").
This is CVE-2015-7969 / XSA-149.
Reported-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
master commit: d46896ebbb23f3a9fef2eb6066ae614fd1acfd96
master date: 2015-10-29 13:35:40 +0100
(cherry picked from commit 2c57108c36eaa10885b7d0daad534348717e4f9d)
Patch-Name: CVE-2015-7969.diff
Gbp-Pq: Name CVE-2015-7969.diff
Jan Beulich [Thu, 29 Oct 2015 12:48:09 +0000 (13:48 +0100)]
x86: guard against undue super page PTE creation
When optional super page support got added (commit bd1cd81d64 "x86: PV
support for hugepages"), two adjustments were missed: mod_l2_entry()
needs to consider the PSE and RW bits when deciding whether to use the
fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
unconditionally.
This is CVE-2015-7835 / XSA-148.
Reported-by: "栾尚聪(好风)" <shangcong.lsc@alibaba-inc.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
master commit: fe360c90ea13f309ef78810f1a2b92f2ae3b30b8
master date: 2015-10-29 13:35:07 +0100
(cherry picked from commit 2d094bd87072e26ac29b07917d31fcbf13892288)
Patch-Name: CVE-2015-7835.diff
Gbp-Pq: Name CVE-2015-7835.diff
Ian Campbell [Thu, 29 Oct 2015 12:47:38 +0000 (13:47 +0100)]
arm: handle races between relinquish_memory and free_domheap_pages
Primarily this means XENMEM_decrease_reservation from a toolstack
domain.
Unlike x86 we have no requirement right now to queue such pages onto
a separate list, if we hit this race then the other code has already
fully accepted responsibility for freeing this page and therefore
there is no more for relinquish_memory to do.
This is CVE-2015-7814 / XSA-147.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Julien Grall <julien.grall@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit: 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
master date: 2015-10-29 13:34:17 +0100
(cherry picked from commit df6fa370865717ee51530c0102d1e983a70d37c3)
Patch-Name: CVE-2015-7814.diff
Gbp-Pq: Name CVE-2015-7814.diff
Ian Campbell [Thu, 29 Oct 2015 12:47:10 +0000 (13:47 +0100)]
arm: rate-limit logging from unimplemented PHYSDEVOP and HVMOP.
These are guest accessible and should therefore be rate-limited.
Moreover, include them only in debug builds.
This is CVE-2015-7813 / XSA-146.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit: 1c0e59ff15764e7b0c59282365974f5b8924ce83
master date: 2015-10-29 13:33:38 +0100
(cherry picked from commit b18d995ca341d07a38fec04aa137e9ef85ee4dd0)
Patch-Name: CVE-2015-7813.diff
Gbp-Pq: Name CVE-2015-7813.diff
Julien Grall [Thu, 29 Oct 2015 12:46:45 +0000 (13:46 +0100)]
arm: Support hypercall_create_continuation for multicall
Multicall for ARM has been supported since commit f0dbdc6 "xen: arm: fully
implement multicall interface.". Although, if a hypercall in multicall
requires preemption, it will crash the host:
(XEN) Xen BUG at domain.c:347
(XEN) ----[ Xen-4.7-unstable arm64 debug=y Tainted: C ]----
[...]
(XEN) Xen call trace:
(XEN) [<00000000002420cc>] hypercall_create_continuation+0x64/0x380 (PC)
(XEN) [<0000000000217274>] do_memory_op+0x1b00/0x2334 (LR)
(XEN) [<0000000000250d2c>] do_multicall_call+0x114/0x124
(XEN) [<0000000000217ff0>] do_multicall+0x17c/0x23c
(XEN) [<000000000024f97c>] do_trap_hypercall+0x90/0x12c
(XEN) [<0000000000251ca8>] do_trap_hypervisor+0xd2c/0x1ba4
(XEN) [<00000000002582cc>] guest_sync+0x88/0xb8
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 5:
(XEN) Xen BUG at domain.c:347
(XEN) ****************************************
(XEN)
(XEN) Manual reset required ('noreboot' specified)
Looking to the code, the support of multicall looks valid to me, as we only
need to fill call.args[...]. So drop the BUG();
This is CVE-2015-7812 / XSA-145.
Signed-off-by: Julien Grall <julien.grall@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
master commit: 29bcf64ce8bc0b1b7aacd00c8668f255c4f0686c
master date: 2015-10-29 13:31:10 +0100
(cherry picked from commit ea95ecb8bf30f83b52a079cdfc824a3ba6ffd4ef)
Patch-Name: CVE-2015-7812.diff
Gbp-Pq: Name CVE-2015-7812.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:36 +0000 (11:47 +0200)]
tools-xenstore-compatibility.diff
Patch-Name: tools-xenstore-compatibility.diff
Gbp-Pq: Name tools-xenstore-compatibility.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:31 +0000 (11:47 +0200)]
tools-xenmon-install.diff
Patch-Name: tools-xenmon-install.diff
Gbp-Pq: Name tools-xenmon-install.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:30 +0000 (11:47 +0200)]
tools-include-install.diff
Patch-Name: tools-include-install.diff
Gbp-Pq: Name tools-include-install.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:29 +0000 (11:47 +0200)]
Remove static solaris support from pygrub
Patch-Name: tools-pygrub-remove-static-solaris-support
Gbp-Pq: Name tools-pygrub-remove-static-solaris-support
Bastian Blank [Sat, 5 Jul 2014 09:47:14 +0000 (11:47 +0200)]
tools-xentrace-prefix.diff
Patch-Name: tools-xentrace-prefix.diff
Gbp-Pq: Name tools-xentrace-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:12 +0000 (11:47 +0200)]
tools-xenstore-prefix.diff
Patch-Name: tools-xenstore-prefix.diff
Gbp-Pq: Name tools-xenstore-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:09 +0000 (11:47 +0200)]
tools-xenstat-prefix.diff
Patch-Name: tools-xenstat-prefix.diff
Gbp-Pq: Name tools-xenstat-prefix.diff
Bastian Blank [Sat, 13 Dec 2014 18:37:02 +0000 (19:37 +0100)]
tools-xenpmd-prefix.diff
Patch-Name: tools-xenpmd-prefix.diff
Gbp-Pq: Name tools-xenpmd-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:08 +0000 (11:47 +0200)]
tools-xenpaging-prefix.diff
Patch-Name: tools-xenpaging-prefix.diff
Gbp-Pq: Name tools-xenpaging-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:06 +0000 (11:47 +0200)]
tools-xenmon-prefix.diff
Patch-Name: tools-xenmon-prefix.diff
Gbp-Pq: Name tools-xenmon-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:05 +0000 (11:47 +0200)]
tools-xcutils-rpath.diff
Patch-Name: tools-xcutils-rpath.diff
Gbp-Pq: Name tools-xcutils-rpath.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:02 +0000 (11:47 +0200)]
tools-python-prefix.diff
Patch-Name: tools-python-prefix.diff
Gbp-Pq: Name tools-python-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:47:01 +0000 (11:47 +0200)]
tools-pygrub-prefix.diff
Patch-Name: tools-pygrub-prefix.diff
Gbp-Pq: Name tools-pygrub-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:59 +0000 (11:46 +0200)]
tools-misc-prefix.diff
Patch-Name: tools-misc-prefix.diff
Gbp-Pq: Name tools-misc-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:57 +0000 (11:46 +0200)]
tools-libxl-prefix.diff
Patch-Name: tools-libxl-prefix.diff
Gbp-Pq: Name tools-libxl-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:55 +0000 (11:46 +0200)]
tools-libfsimage-prefix.diff
Patch-Name: tools-libfsimage-prefix.diff
Gbp-Pq: Name tools-libfsimage-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:54 +0000 (11:46 +0200)]
tools-console-prefix.diff
Patch-Name: tools-console-prefix.diff
Gbp-Pq: Name tools-console-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:53 +0000 (11:46 +0200)]
tools-blktap2-prefix.diff
Patch-Name: tools-blktap2-prefix.diff
Gbp-Pq: Name tools-blktap2-prefix.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:51 +0000 (11:46 +0200)]
tools-rpath.diff
Patch-Name: tools-rpath.diff
Gbp-Pq: Name tools-rpath.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:50 +0000 (11:46 +0200)]
tools-xenstat-abiname.diff
Patch-Name: tools-xenstat-abiname.diff
Gbp-Pq: Name tools-xenstat-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:49 +0000 (11:46 +0200)]
tools-libxl-abiname.diff
Patch-Name: tools-libxl-abiname.diff
Gbp-Pq: Name tools-libxl-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:48 +0000 (11:46 +0200)]
tools-libxc-abiname.diff
Patch-Name: tools-libxc-abiname.diff
Gbp-Pq: Name tools-libxc-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:47 +0000 (11:46 +0200)]
tools-libfsimage-abiname.diff
Patch-Name: tools-libfsimage-abiname.diff
Gbp-Pq: Name tools-libfsimage-abiname.diff
Bastian Blank [Sat, 5 Jul 2014 09:46:45 +0000 (11:46 +0200)]
config-prefix.diff
Patch-Name: config-prefix.diff
Gbp-Pq: Name config-prefix.diff
Ian Campbell [Wed, 16 Dec 2015 15:06:35 +0000 (15:06 +0000)]
tools: allow configure time choice of libexec subdirectory.
Currently we hardcode various paths such as $libexec/xen/{bin,boot},
however some downstreams (notably Debian) would like instead to
install things into $libexec/xen-X.Y/{bin,boot} as part of allowing
multiple versions of the tools packages to be installed.
Since this currently involves patching configure it's a bit fiddly,
provide a configure option for the leaf dir instead, name it
--with-libexec-leaf-dir similar to the existing
--with-sysconfig-leaf-dir.
Rather than have the determination of the full path in both configure
and config/Paths.mk.in move it into configure only. Also for
consistency move the other LIBEXEC_* to configure, even though they
are only substituted into Paths.mk.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Doug Goldstein <cardoe@cardoe.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: 805508@bugs.debian.org
[ ijc -- removed stray ` ]
(cherry picked from commit de858271c16851d662b2613699401df6ecec8ef8)
Patch-Name: tools-allow-configure-time-choice-of-libexec-subdire.patch
Gbp-Pq: Name tools-allow-configure-time-choice-of-libexec-subdire.patch
Bastian Blank [Sat, 5 Jul 2014 09:46:43 +0000 (11:46 +0200)]
version
Patch-Name: version.diff
Gbp-Pq: Name version.diff
Ian Campbell [Tue, 9 Feb 2016 16:41:16 +0000 (16:41 +0000)]
xen (4.6.0-1+nmu2) unstable; urgency=medium
* Ensure debian/control.md5sum is correctly updated. Fixes FTBFS of
4.6.0-1+nmu1 on buildds where linux-support-4.2.0-1 is not expected to be
installed.
[dgit import unpatched xen 4.6.0-1+nmu2]
Ian Campbell [Tue, 9 Feb 2016 16:41:16 +0000 (16:41 +0000)]
Import xen_4.6.0-1+nmu2.debian.tar.xz
[dgit import tarball xen 4.6.0-1+nmu2 xen_4.6.0-1+nmu2.debian.tar.xz]
Bastian Blank [Sun, 1 Nov 2015 20:49:07 +0000 (20:49 +0000)]
Import xen_4.6.0.orig.tar.xz
[dgit import orig xen_4.6.0.orig.tar.xz]