diff options
author | Henrik Riomar <henrik.riomar@gmail.com> | 2018-07-12 18:48:22 +0200 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-07-16 08:07:59 +0000 |
commit | bafb572dda2d0814641af68fa0cceff256bc3705 (patch) | |
tree | ebc21072c36a2324a20fc78f3304281afc473c0c | |
parent | 291d3693efff8dc38574028d36c809fdf94f8ca5 (diff) | |
download | alpine_aports-bafb572dda2d0814641af68fa0cceff256bc3705.tar.bz2 alpine_aports-bafb572dda2d0814641af68fa0cceff256bc3705.tar.xz alpine_aports-bafb572dda2d0814641af68fa0cceff256bc3705.zip |
main/xen: upgrade to 4.8.4
https://www.xenproject.org/downloads/xen-archives/xen-project-48-series/xen-484.html
Fix XSA-263-267
-rw-r--r-- | main/xen/APKBUILD | 55 | ||||
-rw-r--r-- | main/xen/x86-Support-compiling-with-indirect-branch-thunks.patch | 109 | ||||
-rw-r--r-- | main/xen/x86-XPTI-reduce-.text.entry.patch | 321 | ||||
-rw-r--r-- | main/xen/x86-slightly-reduce-Meltdown-band-aid-overhead.patch | 227 | ||||
-rw-r--r-- | main/xen/x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch | 343 | ||||
-rw-r--r-- | main/xen/xsa252-4.9.patch | 25 | ||||
-rw-r--r-- | main/xen/xsa255-4.9-1.patch | 126 | ||||
-rw-r--r-- | main/xen/xsa255-4.9-2.patch | 186 | ||||
-rw-r--r-- | main/xen/xsa256-4.8.patch | 46 | ||||
-rw-r--r-- | main/xen/xsa258-4.8.patch | 106 | ||||
-rw-r--r-- | main/xen/xsa259.patch | 29 | ||||
-rw-r--r-- | main/xen/xsa260-1.patch | 72 | ||||
-rw-r--r-- | main/xen/xsa260-2.patch | 110 | ||||
-rw-r--r-- | main/xen/xsa260-3.patch | 138 | ||||
-rw-r--r-- | main/xen/xsa260-4.patch | 72 | ||||
-rw-r--r-- | main/xen/xsa261-4.8.patch | 242 | ||||
-rw-r--r-- | main/xen/xsa262-4.9.patch | 76 |
17 files changed, 14 insertions, 2269 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 85085d45cf..c799c00213 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD | |||
@@ -2,8 +2,8 @@ | |||
2 | # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> | 2 | # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> |
3 | # Maintainer: William Pitcock <nenolod@dereferenced.org> | 3 | # Maintainer: William Pitcock <nenolod@dereferenced.org> |
4 | pkgname=xen | 4 | pkgname=xen |
5 | pkgver=4.8.3 | 5 | pkgver=4.8.4 |
6 | pkgrel=1 | 6 | pkgrel=0 |
7 | pkgdesc="Xen hypervisor" | 7 | pkgdesc="Xen hypervisor" |
8 | url="http://www.xen.org/" | 8 | url="http://www.xen.org/" |
9 | arch="x86_64 armhf" | 9 | arch="x86_64 armhf" |
@@ -89,7 +89,7 @@ options="!strip" | |||
89 | # 4.8.2-r3: | 89 | # 4.8.2-r3: |
90 | # - CVE-2017-15597 XSA-236 | 90 | # - CVE-2017-15597 XSA-236 |
91 | # - CVE-2017-15590 XSA-237 | 91 | # - CVE-2017-15590 XSA-237 |
92 | # - XSA-238 | 92 | # - CVE-2017-15591 XSA-238 |
93 | # - CVE-2017-15589 XSA-239 | 93 | # - CVE-2017-15589 XSA-239 |
94 | # - CVE-2017-15595 XSA-240 | 94 | # - CVE-2017-15595 XSA-240 |
95 | # - CVE-2017-15588 XSA-241 | 95 | # - CVE-2017-15588 XSA-241 |
@@ -98,7 +98,9 @@ options="!strip" | |||
98 | # - CVE-2017-15594 XSA-244 | 98 | # - CVE-2017-15594 XSA-244 |
99 | # - CVE-2017-17046 XSA-245 | 99 | # - CVE-2017-17046 XSA-245 |
100 | # 4.8.2-r4: | 100 | # 4.8.2-r4: |
101 | # - XSA-254 XPTI "stage 1" (CVE-2017-5753,CVE-2017-5715,CVE-2017-5754) | 101 | # - CVE-2017-5753 |
102 | # - CVE-2017-5715 | ||
103 | # - CVE-2017-5754 XSA-254 | ||
102 | # 4.8.2-r5: | 104 | # 4.8.2-r5: |
103 | # - CVE-2017-17566 XSA-248 | 105 | # - CVE-2017-17566 XSA-248 |
104 | # - CVE-2017-17563 XSA-249 | 106 | # - CVE-2017-17563 XSA-249 |
@@ -114,6 +116,13 @@ options="!strip" | |||
114 | # - CVE-2018-8897 XSA-260 | 116 | # - CVE-2018-8897 XSA-260 |
115 | # - CVE-2018-10982 XSA-261 | 117 | # - CVE-2018-10982 XSA-261 |
116 | # - CVE-2018-10981 XSA-262 | 118 | # - CVE-2018-10981 XSA-262 |
119 | # 4.8.4-r0: | ||
120 | # - CVE-2018-3639 XSA-263 | ||
121 | # - CVE-2018-12891 XSA-264 | ||
122 | # - CVE-2018-12893 XSA-265 | ||
123 | # - CVE-2018-12892 XSA-266 | ||
124 | # - CVE-2018-3665 XSA-267 | ||
125 | |||
117 | 126 | ||
118 | case "$CARCH" in | 127 | case "$CARCH" in |
119 | x86*) | 128 | x86*) |
@@ -175,26 +184,6 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz | |||
175 | 184 | ||
176 | xenqemu-configure-ifunc.patch | 185 | xenqemu-configure-ifunc.patch |
177 | 186 | ||
178 | xsa252-4.9.patch | ||
179 | xsa255-4.9-1.patch | ||
180 | xsa255-4.9-2.patch | ||
181 | xsa256-4.8.patch | ||
182 | |||
183 | xsa258-4.8.patch | ||
184 | xsa259.patch | ||
185 | |||
186 | x86-Support-compiling-with-indirect-branch-thunks.patch | ||
187 | x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch | ||
188 | x86-slightly-reduce-Meltdown-band-aid-overhead.patch | ||
189 | x86-XPTI-reduce-.text.entry.patch | ||
190 | xsa260-1.patch | ||
191 | xsa260-2.patch | ||
192 | xsa260-3.patch | ||
193 | xsa260-4.patch | ||
194 | |||
195 | xsa261-4.8.patch | ||
196 | xsa262-4.9.patch | ||
197 | |||
198 | xenstored.initd | 187 | xenstored.initd |
199 | xenstored.confd | 188 | xenstored.confd |
200 | xenconsoled.initd | 189 | xenconsoled.initd |
@@ -416,7 +405,7 @@ EOF | |||
416 | 405 | ||
417 | } | 406 | } |
418 | 407 | ||
419 | sha512sums="584d8ee6e432e291a70e8f727da6d0a71afff7509fbf2e32eeb9cfe58b8279a80770c2c5f7759dcb5c0b08ed4644039e770e280ab534673215753d598f3f6508 xen-4.8.3.tar.gz | 408 | sha512sums="b6b39fcbf9dfaa259a5cd41196aaa94b4c646c323e34c50970279a41802d49c178dad92d0841c52d7b40246745f043be3aa9845d9d757a2250c413312183b64c xen-4.8.4.tar.gz |
420 | 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 | 409 | 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 |
421 | c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz | 410 | c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz |
422 | 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz | 411 | 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz |
@@ -437,22 +426,6 @@ f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2 | |||
437 | e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3ac853c5dbad8082da3c9cd53b65081910516feb492577b7fc xen-fd-is-file.c | 426 | e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3ac853c5dbad8082da3c9cd53b65081910516feb492577b7fc xen-fd-is-file.c |
438 | 69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077 xenstore_client_transaction_fix.patch | 427 | 69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077 xenstore_client_transaction_fix.patch |
439 | e0dd7069968d51574d6e5603d5738494b112bfda085bc75f10102658be3b2901d8d253c52927c707668e1cdb62d12c101213e42cd72d9b307fa83d1355a7526a xenqemu-configure-ifunc.patch | 428 | e0dd7069968d51574d6e5603d5738494b112bfda085bc75f10102658be3b2901d8d253c52927c707668e1cdb62d12c101213e42cd72d9b307fa83d1355a7526a xenqemu-configure-ifunc.patch |
440 | 993febe7ac7d4add0f36a519fe461a40d32f16e23003dfb23e76883ecdd86474cd4a6f9d0a9190cc6bc8cad19afa652556f125a5d5edb4fa2e9f2e6a5e77b2b9 xsa252-4.9.patch | ||
441 | 3af678f3c4271da2bb1515b9a1e76d9b85b391fbb1e9cd521c66ac52d2984a15c6c1bb6fa8a1f408380e4c7462b1ef671f77245fee6eecef274f93ca47bc12bd xsa255-4.9-1.patch | ||
442 | 22bf18c5e0120d787c9ec04d10dfb4684a0849c5d7a80cbe400f8f2ee2ee64789c9e6fe5bedab579ca4928f3168f7a5c0c817f93c73ad1cf7ce702a4afe732ab xsa255-4.9-2.patch | ||
443 | 82d75a5711c6a0521ecd34b220e4830b169aef8a52edf98b3b93e27ece734751d8d47dfdbe6979b6518c683e3f0c623cbf344a5efd893f3fafcc06c8e89a5320 xsa256-4.8.patch | ||
444 | 10a1895ed8aedb1dcfd47fbf4d1bd0d77103e15537234c98a6571e6e6add91ac87e921ace1463e15bc583b83be6b557698a5ae65918278c1f6d15e92f24d476d xsa258-4.8.patch | ||
445 | 023b34174d059d1e22a070e9f48d0601b0a6e735acef5b74af7f8613d3267e66773e662790a8f2a5b7fda32b017bf654a059e4fecd94a82ff8502900e4b24b25 xsa259.patch | ||
446 | 717c945364252756542148efc2bd598c7f776331a3124fd968376bb1462ee1a43bf5f9265171a14c80e90a6ebb595d9c9eae0b5589c906a6fc2acd25ad75b6c6 x86-Support-compiling-with-indirect-branch-thunks.patch | ||
447 | 5a8e6de6931e12945ee95406d34f65451ca770d29eaf66e8c7367d66e68367e56c82bf848e7c384dce1002f753775d5a8dfec5289defb82d81cf5d014fd4aecf x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch | ||
448 | ac045457253444596856bdc8651ed4c8f5b2de162704245b0eebd60f203237c0418ec7081d98b11c446055cd02533f530197a31157593f1abb37317000726f51 x86-slightly-reduce-Meltdown-band-aid-overhead.patch | ||
449 | 896a77d4e875056ee63f83847a8043bec2d7736bd9fe3845e95956d38606b0ab0286f2a954b812ae7be820c1f12889bb37a963627a49916a131b107d31746e4e x86-XPTI-reduce-.text.entry.patch | ||
450 | 70b12f28978208027f5f180bb216dba3d0f54e0a9708047eebbab39e494e82937021c0862b82d524e5d7f2bb7bdb3c2a5c8bda80e2437ccd2f8eddd0146af600 xsa260-1.patch | ||
451 | e6dfbef65f8a220b1c5a8be88a284e4c4dafc6ff48bb13c239063647bcef39aae848fdbd055129308c7ad5d246b44653c7299a8951e29d554d4d9d5cd626750f xsa260-2.patch | ||
452 | 5daf20b0da7314d3f48ad765dd67db94473d50e4a5c8c9707b9070b40cb68eb6d413e2d532d530720afca269a4afc4cba594cc832a94e837e2423bb155c9b621 xsa260-3.patch | ||
453 | 9ca93748b8aa656c53bacdf5b87c98dc707b55a1aaa82989fa21a177a2377196071591458aa5f48ca676048524bba9ca326c00e88b3a87e9ab8bb350ef5cddd8 xsa260-4.patch | ||
454 | d981c1d3580c3a5679395d315cbe65f5f5e6b177ee186a826682b60e500633f1d1003225b7776f64342c0964e5a6a9bd71cf83fc7e5b0cc7e1e423a015458afe xsa261-4.8.patch | ||
455 | 05dc19a710290b49ba6dbd1181dd0e69fc9ad524870c008813d22c8b0c2d6af573034e7a44b0b75dd2d112989caf1447b0d6b42d007f1bffc3442828a88ac8f3 xsa262-4.9.patch | ||
456 | 52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd | 429 | 52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd |
457 | 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd | 430 | 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd |
458 | 3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd | 431 | 3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd |
diff --git a/main/xen/x86-Support-compiling-with-indirect-branch-thunks.patch b/main/xen/x86-Support-compiling-with-indirect-branch-thunks.patch deleted file mode 100644 index 5eaf763eee..0000000000 --- a/main/xen/x86-Support-compiling-with-indirect-branch-thunks.patch +++ /dev/null | |||
@@ -1,109 +0,0 @@ | |||
1 | From 1838e21521497cdfa6d3b1dfac0374bcce717eba Mon Sep 17 00:00:00 2001 | ||
2 | From: Andrew Cooper <andrew.cooper3@citrix.com> | ||
3 | Date: Thu, 8 Feb 2018 12:45:39 +0100 | ||
4 | Subject: [PATCH] x86: Support compiling with indirect branch thunks | ||
5 | |||
6 | Use -mindirect-branch=thunk-extern/-mindirect-branch-register when available. | ||
7 | To begin with, use the retpoline thunk. Later work will add alternative | ||
8 | thunks which can be selected at boot time. | ||
9 | |||
10 | This is part of XSA-254. | ||
11 | |||
12 | Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
13 | Acked-by: Jan Beulich <jbeulich@suse.com> | ||
14 | master commit: 3659f0f4bcc6ca08103d1a7ae4e97535ecc978be | ||
15 | master date: 2018-01-16 17:45:50 +0000 | ||
16 | --- | ||
17 | xen/arch/x86/Makefile | 1 + | ||
18 | xen/arch/x86/Rules.mk | 7 +++++++ | ||
19 | xen/arch/x86/indirect-thunk.S | 38 ++++++++++++++++++++++++++++++++++++++ | ||
20 | xen/arch/x86/xen.lds.S | 1 + | ||
21 | 4 files changed, 47 insertions(+) | ||
22 | create mode 100644 xen/arch/x86/indirect-thunk.S | ||
23 | |||
24 | diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile | ||
25 | index 931917d1d3..a9c8fd7df9 100644 | ||
26 | --- a/xen/arch/x86/Makefile | ||
27 | +++ b/xen/arch/x86/Makefile | ||
28 | @@ -34,6 +34,7 @@ obj-y += i8259.o | ||
29 | obj-y += io_apic.o | ||
30 | obj-$(CONFIG_LIVEPATCH) += alternative.o livepatch.o | ||
31 | obj-y += msi.o | ||
32 | +obj-$(CONFIG_INDIRECT_THUNK) += indirect-thunk.o | ||
33 | obj-y += ioport_emulate.o | ||
34 | obj-y += irq.o | ||
35 | obj-$(CONFIG_KEXEC) += machine_kexec.o | ||
36 | diff --git a/xen/arch/x86/Rules.mk b/xen/arch/x86/Rules.mk | ||
37 | index 42be4bc100..ad56e56ac6 100644 | ||
38 | --- a/xen/arch/x86/Rules.mk | ||
39 | +++ b/xen/arch/x86/Rules.mk | ||
40 | @@ -25,3 +25,10 @@ CFLAGS += -fno-asynchronous-unwind-tables | ||
41 | ifneq ($(call cc-option,$(CC),-fvisibility=hidden,n),n) | ||
42 | CFLAGS += -DGCC_HAS_VISIBILITY_ATTRIBUTE | ||
43 | endif | ||
44 | + | ||
45 | +# Compile with thunk-extern, indirect-branch-register if avaiable. | ||
46 | +ifneq ($(call cc-option,$(CC),-mindirect-branch-register,n),n) | ||
47 | +CFLAGS += -mindirect-branch=thunk-extern -mindirect-branch-register | ||
48 | +CFLAGS += -DCONFIG_INDIRECT_THUNK | ||
49 | +export CONFIG_INDIRECT_THUNK=y | ||
50 | +endif | ||
51 | diff --git a/xen/arch/x86/indirect-thunk.S b/xen/arch/x86/indirect-thunk.S | ||
52 | new file mode 100644 | ||
53 | index 0000000000..3eaf505d0e | ||
54 | --- /dev/null | ||
55 | +++ b/xen/arch/x86/indirect-thunk.S | ||
56 | @@ -0,0 +1,38 @@ | ||
57 | +/* | ||
58 | + * Implement __x86_indirect_thunk_* symbols for use with compatbile compilers | ||
59 | + * and the -mindirect-branch=thunk-extern -mindirect-branch-register options. | ||
60 | + * | ||
61 | + * Copyright (c) 2017-2018 Citrix Systems Ltd. | ||
62 | + * | ||
63 | + * This source code is licensed under the GNU General Public License, | ||
64 | + * Version 2. See the file COPYING for more details. | ||
65 | + */ | ||
66 | + .file __FILE__ | ||
67 | + | ||
68 | +#include <asm/asm_defns.h> | ||
69 | + | ||
70 | +.macro IND_THUNK_RETPOLINE reg:req | ||
71 | + call 2f | ||
72 | +1: | ||
73 | + lfence | ||
74 | + jmp 1b | ||
75 | +2: | ||
76 | + mov %\reg, (%rsp) | ||
77 | + ret | ||
78 | +.endm | ||
79 | + | ||
80 | +/* | ||
81 | + * Build the __x86_indirect_thunk_* symbols. Currently implement the | ||
82 | + * retpoline thunk only. | ||
83 | + */ | ||
84 | +.macro GEN_INDIRECT_THUNK reg:req | ||
85 | + .section .text.__x86_indirect_thunk_\reg, "ax", @progbits | ||
86 | + | ||
87 | +ENTRY(__x86_indirect_thunk_\reg) | ||
88 | + IND_THUNK_RETPOLINE \reg | ||
89 | +.endm | ||
90 | + | ||
91 | +/* Instantiate GEN_INDIRECT_THUNK for each register except %rsp. */ | ||
92 | +.irp reg, ax, cx, dx, bx, bp, si, di, 8, 9, 10, 11, 12, 13, 14, 15 | ||
93 | + GEN_INDIRECT_THUNK reg=r\reg | ||
94 | +.endr | ||
95 | diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S | ||
96 | index 11549964c0..681c795c6d 100644 | ||
97 | --- a/xen/arch/x86/xen.lds.S | ||
98 | +++ b/xen/arch/x86/xen.lds.S | ||
99 | @@ -60,6 +60,7 @@ SECTIONS | ||
100 | .text : { | ||
101 | _stext = .; /* Text and read-only data */ | ||
102 | *(.text) | ||
103 | + *(.text.__x86_indirect_thunk_*) | ||
104 | *(.text.cold) | ||
105 | *(.text.unlikely) | ||
106 | *(.fixup) | ||
107 | -- | ||
108 | 2.13.5 | ||
109 | |||
diff --git a/main/xen/x86-XPTI-reduce-.text.entry.patch b/main/xen/x86-XPTI-reduce-.text.entry.patch deleted file mode 100644 index 4fa0f97832..0000000000 --- a/main/xen/x86-XPTI-reduce-.text.entry.patch +++ /dev/null | |||
@@ -1,321 +0,0 @@ | |||
1 | From 372583c2dd4363446cb5788a865138b9aca54767 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jan Beulich <jbeulich@suse.com> | ||
3 | Date: Wed, 18 Apr 2018 16:49:21 +0200 | ||
4 | Subject: [PATCH] x86/XPTI: reduce .text.entry | ||
5 | |||
6 | This exposes less code pieces and at the same time reduces the range | ||
7 | covered from slightly above 3 pages to a little below 2 of them. | ||
8 | |||
9 | The code being moved is unchanged, except for the removal of trailing | ||
10 | blanks, insertion of blanks between operands, and a pointless q suffix | ||
11 | from "retq". | ||
12 | |||
13 | A few more small pieces could be moved, but it seems better to me to | ||
14 | leave them where they are to not make it overly hard to follow code | ||
15 | paths. | ||
16 | |||
17 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
18 | Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
19 | master commit: 454efb2a31b64b98e3dd55c083ce41b87375faa6 | ||
20 | master date: 2018-04-05 15:48:23 +0100 | ||
21 | --- | ||
22 | xen/arch/x86/x86_64/compat/entry.S | 9 +- | ||
23 | xen/arch/x86/x86_64/entry.S | 209 ++++++++++++++++++------------------- | ||
24 | 2 files changed, 107 insertions(+), 111 deletions(-) | ||
25 | |||
26 | diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S | ||
27 | index 812f404771..6828f40f48 100644 | ||
28 | --- a/xen/arch/x86/x86_64/compat/entry.S | ||
29 | +++ b/xen/arch/x86/x86_64/compat/entry.S | ||
30 | @@ -12,8 +12,6 @@ | ||
31 | #include <public/xen.h> | ||
32 | #include <irq_vectors.h> | ||
33 | |||
34 | - .section .text.entry, "ax", @progbits | ||
35 | - | ||
36 | ENTRY(compat_hypercall) | ||
37 | ASM_CLAC | ||
38 | pushq $0 | ||
39 | @@ -205,6 +203,8 @@ ENTRY(compat_post_handle_exception) | ||
40 | movb $0,TRAPBOUNCE_flags(%rdx) | ||
41 | jmp compat_test_all_events | ||
42 | |||
43 | + .section .text.entry, "ax", @progbits | ||
44 | + | ||
45 | /* See lstar_enter for entry register state. */ | ||
46 | ENTRY(cstar_enter) | ||
47 | /* sti could live here when we don't switch page tables below. */ | ||
48 | @@ -259,6 +259,8 @@ UNLIKELY_END(compat_syscall_gpf) | ||
49 | movb %cl,TRAPBOUNCE_flags(%rdx) | ||
50 | jmp .Lcompat_bounce_exception | ||
51 | |||
52 | + .text | ||
53 | + | ||
54 | ENTRY(compat_sysenter) | ||
55 | CR4_PV32_RESTORE | ||
56 | movq VCPU_trap_ctxt(%rbx),%rcx | ||
57 | @@ -278,9 +280,6 @@ ENTRY(compat_int80_direct_trap) | ||
58 | call compat_create_bounce_frame | ||
59 | jmp compat_test_all_events | ||
60 | |||
61 | - /* compat_create_bounce_frame & helpers don't need to be in .text.entry */ | ||
62 | - .text | ||
63 | - | ||
64 | /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS (RING-1) STACK: */ | ||
65 | /* {[ERRCODE,] EIP, CS, EFLAGS, [ESP, SS]} */ | ||
66 | /* %rdx: trap_bounce, %rbx: struct vcpu */ | ||
67 | diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S | ||
68 | index ad921c4df7..9510b37ef6 100644 | ||
69 | --- a/xen/arch/x86/x86_64/entry.S | ||
70 | +++ b/xen/arch/x86/x86_64/entry.S | ||
71 | @@ -13,8 +13,6 @@ | ||
72 | #include <public/xen.h> | ||
73 | #include <irq_vectors.h> | ||
74 | |||
75 | - .section .text.entry, "ax", @progbits | ||
76 | - | ||
77 | /* %rbx: struct vcpu */ | ||
78 | ENTRY(switch_to_kernel) | ||
79 | leaq VCPU_trap_bounce(%rbx),%rdx | ||
80 | @@ -33,8 +31,111 @@ ENTRY(switch_to_kernel) | ||
81 | movb %cl,TRAPBOUNCE_flags(%rdx) | ||
82 | call create_bounce_frame | ||
83 | andl $~X86_EFLAGS_DF,UREGS_eflags(%rsp) | ||
84 | +/* %rbx: struct vcpu */ | ||
85 | +test_all_events: | ||
86 | + ASSERT_NOT_IN_ATOMIC | ||
87 | + cli # tests must not race interrupts | ||
88 | +/*test_softirqs:*/ | ||
89 | + movl VCPU_processor(%rbx), %eax | ||
90 | + shll $IRQSTAT_shift, %eax | ||
91 | + leaq irq_stat+IRQSTAT_softirq_pending(%rip), %rcx | ||
92 | + cmpl $0, (%rcx, %rax, 1) | ||
93 | + jne process_softirqs | ||
94 | + cmpb $0, VCPU_mce_pending(%rbx) | ||
95 | + jne process_mce | ||
96 | +.Ltest_guest_nmi: | ||
97 | + cmpb $0, VCPU_nmi_pending(%rbx) | ||
98 | + jne process_nmi | ||
99 | +test_guest_events: | ||
100 | + movq VCPU_vcpu_info(%rbx), %rax | ||
101 | + movzwl VCPUINFO_upcall_pending(%rax), %eax | ||
102 | + decl %eax | ||
103 | + cmpl $0xfe, %eax | ||
104 | + ja restore_all_guest | ||
105 | +/*process_guest_events:*/ | ||
106 | + sti | ||
107 | + leaq VCPU_trap_bounce(%rbx), %rdx | ||
108 | + movq VCPU_event_addr(%rbx), %rax | ||
109 | + movq %rax, TRAPBOUNCE_eip(%rdx) | ||
110 | + movb $TBF_INTERRUPT, TRAPBOUNCE_flags(%rdx) | ||
111 | + call create_bounce_frame | ||
112 | jmp test_all_events | ||
113 | |||
114 | + ALIGN | ||
115 | +/* %rbx: struct vcpu */ | ||
116 | +process_softirqs: | ||
117 | + sti | ||
118 | + call do_softirq | ||
119 | + jmp test_all_events | ||
120 | + | ||
121 | + ALIGN | ||
122 | +/* %rbx: struct vcpu */ | ||
123 | +process_mce: | ||
124 | + testb $1 << VCPU_TRAP_MCE, VCPU_async_exception_mask(%rbx) | ||
125 | + jnz .Ltest_guest_nmi | ||
126 | + sti | ||
127 | + movb $0, VCPU_mce_pending(%rbx) | ||
128 | + call set_guest_machinecheck_trapbounce | ||
129 | + test %eax, %eax | ||
130 | + jz test_all_events | ||
131 | + movzbl VCPU_async_exception_mask(%rbx), %edx # save mask for the | ||
132 | + movb %dl, VCPU_mce_old_mask(%rbx) # iret hypercall | ||
133 | + orl $1 << VCPU_TRAP_MCE, %edx | ||
134 | + movb %dl, VCPU_async_exception_mask(%rbx) | ||
135 | + jmp process_trap | ||
136 | + | ||
137 | + ALIGN | ||
138 | +/* %rbx: struct vcpu */ | ||
139 | +process_nmi: | ||
140 | + testb $1 << VCPU_TRAP_NMI, VCPU_async_exception_mask(%rbx) | ||
141 | + jnz test_guest_events | ||
142 | + sti | ||
143 | + movb $0, VCPU_nmi_pending(%rbx) | ||
144 | + call set_guest_nmi_trapbounce | ||
145 | + test %eax, %eax | ||
146 | + jz test_all_events | ||
147 | + movzbl VCPU_async_exception_mask(%rbx), %edx # save mask for the | ||
148 | + movb %dl, VCPU_nmi_old_mask(%rbx) # iret hypercall | ||
149 | + orl $1 << VCPU_TRAP_NMI, %edx | ||
150 | + movb %dl, VCPU_async_exception_mask(%rbx) | ||
151 | + /* FALLTHROUGH */ | ||
152 | +process_trap: | ||
153 | + leaq VCPU_trap_bounce(%rbx), %rdx | ||
154 | + call create_bounce_frame | ||
155 | + jmp test_all_events | ||
156 | + | ||
157 | +/* No special register assumptions. */ | ||
158 | +ENTRY(ret_from_intr) | ||
159 | + GET_CURRENT(bx) | ||
160 | + testb $3, UREGS_cs(%rsp) | ||
161 | + jz restore_all_xen | ||
162 | + movq VCPU_domain(%rbx), %rax | ||
163 | + cmpb $0, DOMAIN_is_32bit_pv(%rax) | ||
164 | + je test_all_events | ||
165 | + jmp compat_test_all_events | ||
166 | + | ||
167 | +/* Enable NMIs. No special register assumptions. Only %rax is not preserved. */ | ||
168 | +ENTRY(enable_nmis) | ||
169 | + movq %rsp, %rax /* Grab RSP before pushing */ | ||
170 | + | ||
171 | + /* Set up stack frame */ | ||
172 | + pushq $0 /* SS */ | ||
173 | + pushq %rax /* RSP */ | ||
174 | + pushfq /* RFLAGS */ | ||
175 | + pushq $__HYPERVISOR_CS /* CS */ | ||
176 | + leaq 1f(%rip),%rax | ||
177 | + pushq %rax /* RIP */ | ||
178 | + | ||
179 | +/* No op trap handler. Required for kexec crash path. */ | ||
180 | +GLOBAL(trap_nop) | ||
181 | + iretq /* Disable the hardware NMI latch */ | ||
182 | +1: | ||
183 | + retq | ||
184 | + .type enable_nmis, @function | ||
185 | + .size enable_nmis, .-enable_nmis | ||
186 | + | ||
187 | + .section .text.entry, "ax", @progbits | ||
188 | + | ||
189 | /* %rbx: struct vcpu, interrupts disabled */ | ||
190 | restore_all_guest: | ||
191 | ASSERT_INTERRUPTS_DISABLED | ||
192 | @@ -188,80 +289,8 @@ ENTRY(lstar_enter) | ||
193 | |||
194 | mov %rsp, %rdi | ||
195 | call pv_hypercall | ||
196 | - | ||
197 | -/* %rbx: struct vcpu */ | ||
198 | -test_all_events: | ||
199 | - ASSERT_NOT_IN_ATOMIC | ||
200 | - cli # tests must not race interrupts | ||
201 | -/*test_softirqs:*/ | ||
202 | - movl VCPU_processor(%rbx),%eax | ||
203 | - shll $IRQSTAT_shift,%eax | ||
204 | - leaq irq_stat+IRQSTAT_softirq_pending(%rip),%rcx | ||
205 | - cmpl $0,(%rcx,%rax,1) | ||
206 | - jne process_softirqs | ||
207 | - testb $1,VCPU_mce_pending(%rbx) | ||
208 | - jnz process_mce | ||
209 | -.Ltest_guest_nmi: | ||
210 | - testb $1,VCPU_nmi_pending(%rbx) | ||
211 | - jnz process_nmi | ||
212 | -test_guest_events: | ||
213 | - movq VCPU_vcpu_info(%rbx),%rax | ||
214 | - movzwl VCPUINFO_upcall_pending(%rax),%eax | ||
215 | - decl %eax | ||
216 | - cmpl $0xfe,%eax | ||
217 | - ja restore_all_guest | ||
218 | -/*process_guest_events:*/ | ||
219 | - sti | ||
220 | - leaq VCPU_trap_bounce(%rbx),%rdx | ||
221 | - movq VCPU_event_addr(%rbx),%rax | ||
222 | - movq %rax,TRAPBOUNCE_eip(%rdx) | ||
223 | - movb $TBF_INTERRUPT,TRAPBOUNCE_flags(%rdx) | ||
224 | - call create_bounce_frame | ||
225 | jmp test_all_events | ||
226 | |||
227 | - ALIGN | ||
228 | -/* %rbx: struct vcpu */ | ||
229 | -process_softirqs: | ||
230 | - sti | ||
231 | - call do_softirq | ||
232 | - jmp test_all_events | ||
233 | - | ||
234 | - ALIGN | ||
235 | -/* %rbx: struct vcpu */ | ||
236 | -process_mce: | ||
237 | - testb $1 << VCPU_TRAP_MCE,VCPU_async_exception_mask(%rbx) | ||
238 | - jnz .Ltest_guest_nmi | ||
239 | - sti | ||
240 | - movb $0,VCPU_mce_pending(%rbx) | ||
241 | - call set_guest_machinecheck_trapbounce | ||
242 | - test %eax,%eax | ||
243 | - jz test_all_events | ||
244 | - movzbl VCPU_async_exception_mask(%rbx),%edx # save mask for the | ||
245 | - movb %dl,VCPU_mce_old_mask(%rbx) # iret hypercall | ||
246 | - orl $1 << VCPU_TRAP_MCE,%edx | ||
247 | - movb %dl,VCPU_async_exception_mask(%rbx) | ||
248 | - jmp process_trap | ||
249 | - | ||
250 | - ALIGN | ||
251 | -/* %rbx: struct vcpu */ | ||
252 | -process_nmi: | ||
253 | - testb $1 << VCPU_TRAP_NMI,VCPU_async_exception_mask(%rbx) | ||
254 | - jnz test_guest_events | ||
255 | - sti | ||
256 | - movb $0,VCPU_nmi_pending(%rbx) | ||
257 | - call set_guest_nmi_trapbounce | ||
258 | - test %eax,%eax | ||
259 | - jz test_all_events | ||
260 | - movzbl VCPU_async_exception_mask(%rbx),%edx # save mask for the | ||
261 | - movb %dl,VCPU_nmi_old_mask(%rbx) # iret hypercall | ||
262 | - orl $1 << VCPU_TRAP_NMI,%edx | ||
263 | - movb %dl,VCPU_async_exception_mask(%rbx) | ||
264 | - /* FALLTHROUGH */ | ||
265 | -process_trap: | ||
266 | - leaq VCPU_trap_bounce(%rbx),%rdx | ||
267 | - call create_bounce_frame | ||
268 | - jmp test_all_events | ||
269 | - | ||
270 | ENTRY(sysenter_entry) | ||
271 | /* sti could live here when we don't switch page tables below. */ | ||
272 | pushq $FLAT_USER_SS | ||
273 | @@ -530,16 +559,6 @@ ENTRY(common_interrupt) | ||
274 | mov %r15, STACK_CPUINFO_FIELD(xen_cr3)(%r14) | ||
275 | jmp ret_from_intr | ||
276 | |||
277 | -/* No special register assumptions. */ | ||
278 | -ENTRY(ret_from_intr) | ||
279 | - GET_CURRENT(bx) | ||
280 | - testb $3,UREGS_cs(%rsp) | ||
281 | - jz restore_all_xen | ||
282 | - movq VCPU_domain(%rbx),%rax | ||
283 | - testb $1,DOMAIN_is_32bit_pv(%rax) | ||
284 | - jz test_all_events | ||
285 | - jmp compat_test_all_events | ||
286 | - | ||
287 | ENTRY(page_fault) | ||
288 | movl $TRAP_page_fault,4(%rsp) | ||
289 | /* No special register assumptions. */ | ||
290 | @@ -838,28 +857,6 @@ ENTRY(machine_check) | ||
291 | movl $TRAP_machine_check,4(%rsp) | ||
292 | jmp handle_ist_exception | ||
293 | |||
294 | -/* Enable NMIs. No special register assumptions. Only %rax is not preserved. */ | ||
295 | -ENTRY(enable_nmis) | ||
296 | - movq %rsp, %rax /* Grab RSP before pushing */ | ||
297 | - | ||
298 | - /* Set up stack frame */ | ||
299 | - pushq $0 /* SS */ | ||
300 | - pushq %rax /* RSP */ | ||
301 | - pushfq /* RFLAGS */ | ||
302 | - pushq $__HYPERVISOR_CS /* CS */ | ||
303 | - leaq 1f(%rip),%rax | ||
304 | - pushq %rax /* RIP */ | ||
305 | - | ||
306 | - iretq /* Disable the hardware NMI latch */ | ||
307 | -1: | ||
308 | - retq | ||
309 | - | ||
310 | -/* No op trap handler. Required for kexec crash path. */ | ||
311 | -GLOBAL(trap_nop) | ||
312 | - iretq | ||
313 | - | ||
314 | - | ||
315 | - | ||
316 | .pushsection .rodata, "a", @progbits | ||
317 | ENTRY(exception_table) | ||
318 | .quad do_trap | ||
319 | -- | ||
320 | 2.13.5 | ||
321 | |||
diff --git a/main/xen/x86-slightly-reduce-Meltdown-band-aid-overhead.patch b/main/xen/x86-slightly-reduce-Meltdown-band-aid-overhead.patch deleted file mode 100644 index cb7be435e7..0000000000 --- a/main/xen/x86-slightly-reduce-Meltdown-band-aid-overhead.patch +++ /dev/null | |||
@@ -1,227 +0,0 @@ | |||
1 | From 813fe211f290843baed75aab88c2f9a249b42e68 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jan Beulich <jbeulich@suse.com> | ||
3 | Date: Tue, 20 Mar 2018 14:39:41 +0100 | ||
4 | Subject: [PATCH] x86: slightly reduce Meltdown band-aid overhead | ||
5 | |||
6 | I'm not sure why I didn't do this right away: By avoiding the use of | ||
7 | global PTEs in the cloned directmap, there's no need to fiddle with | ||
8 | CR4.PGE on any of the entry paths. Only the exit paths need to flush | ||
9 | global mappings. | ||
10 | |||
11 | The reduced flushing, however, requires that we now have interrupts off | ||
12 | on all entry paths until after the page table switch, so that flush IPIs | ||
13 | can't be serviced while on the restricted pagetables, leaving a window | ||
14 | where a potentially stale guest global mapping can be brought into the | ||
15 | TLB. Along those lines the "sync" IPI after L4 entry updates now needs | ||
16 | to become a real (and global) flush IPI, so that inside Xen we'll also | ||
17 | pick up such changes. | ||
18 | |||
19 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
20 | Tested-by: Juergen Gross <jgross@suse.com> | ||
21 | Reviewed-by: Juergen Gross <jgross@suse.com> | ||
22 | Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
23 | |||
24 | x86: correct EFLAGS.IF in SYSENTER frame | ||
25 | |||
26 | Commit 9d1d31ad94 ("x86: slightly reduce Meltdown band-aid overhead") | ||
27 | moved the STI past the PUSHF. While this isn't an active problem (as we | ||
28 | force EFLAGS.IF to 1 before exiting to guest context), let's not risk | ||
29 | internal confusion by finding a PV guest frame with interrupts | ||
30 | apparently off. | ||
31 | |||
32 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
33 | Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
34 | master commit: 9d1d31ad9498e6ceb285d5774e34fed5f648c273 | ||
35 | master date: 2018-03-06 16:48:44 +0100 | ||
36 | master commit: c4dd58f0cf23cdf119bbccedfb8c24435fc6f3ab | ||
37 | master date: 2018-03-16 17:27:36 +0100 | ||
38 | --- | ||
39 | xen/arch/x86/mm.c | 9 ++------- | ||
40 | xen/arch/x86/smpboot.c | 10 ++++++++++ | ||
41 | xen/arch/x86/x86_64/compat/entry.S | 7 ++++--- | ||
42 | xen/arch/x86/x86_64/entry.S | 23 ++++++++++++++--------- | ||
43 | 4 files changed, 30 insertions(+), 19 deletions(-) | ||
44 | |||
45 | diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c | ||
46 | index 987ab1bb3d..78ba28b4c6 100644 | ||
47 | --- a/xen/arch/x86/mm.c | ||
48 | +++ b/xen/arch/x86/mm.c | ||
49 | @@ -4128,14 +4128,9 @@ long do_mmu_update( | ||
50 | { | ||
51 | /* | ||
52 | * Force other vCPU-s of the affected guest to pick up L4 entry | ||
53 | - * changes (if any). Issue a flush IPI with empty operation mask to | ||
54 | - * facilitate this (including ourselves waiting for the IPI to | ||
55 | - * actually have arrived). Utilize the fact that FLUSH_VA_VALID is | ||
56 | - * meaningless without FLUSH_CACHE, but will allow to pass the no-op | ||
57 | - * check in flush_area_mask(). | ||
58 | + * changes (if any). | ||
59 | */ | ||
60 | - flush_area_mask(pt_owner->domain_dirty_cpumask, | ||
61 | - ZERO_BLOCK_PTR, FLUSH_VA_VALID); | ||
62 | + flush_mask(pt_owner->domain_dirty_cpumask, FLUSH_TLB_GLOBAL); | ||
63 | } | ||
64 | |||
65 | perfc_add(num_page_updates, i); | ||
66 | diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c | ||
67 | index e75adbe084..f40a7bdcdf 100644 | ||
68 | --- a/xen/arch/x86/smpboot.c | ||
69 | +++ b/xen/arch/x86/smpboot.c | ||
70 | @@ -730,6 +730,7 @@ static int clone_mapping(const void *ptr, root_pgentry_t *rpt) | ||
71 | } | ||
72 | |||
73 | pl1e += l1_table_offset(linear); | ||
74 | + flags &= ~_PAGE_GLOBAL; | ||
75 | |||
76 | if ( l1e_get_flags(*pl1e) & _PAGE_PRESENT ) | ||
77 | { | ||
78 | @@ -1036,8 +1037,17 @@ void __init smp_prepare_cpus(unsigned int max_cpus) | ||
79 | if ( rc ) | ||
80 | panic("Error %d setting up PV root page table\n", rc); | ||
81 | if ( per_cpu(root_pgt, 0) ) | ||
82 | + { | ||
83 | get_cpu_info()->pv_cr3 = __pa(per_cpu(root_pgt, 0)); | ||
84 | |||
85 | + /* | ||
86 | + * All entry points which may need to switch page tables have to start | ||
87 | + * with interrupts off. Re-write what pv_trap_init() has put there. | ||
88 | + */ | ||
89 | + _set_gate(idt_table + LEGACY_SYSCALL_VECTOR, SYS_DESC_irq_gate, 3, | ||
90 | + &int80_direct_trap); | ||
91 | + } | ||
92 | + | ||
93 | set_nr_sockets(); | ||
94 | |||
95 | socket_cpumask = xzalloc_array(cpumask_t *, nr_sockets); | ||
96 | diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S | ||
97 | index 1c5cc9dacf..812f404771 100644 | ||
98 | --- a/xen/arch/x86/x86_64/compat/entry.S | ||
99 | +++ b/xen/arch/x86/x86_64/compat/entry.S | ||
100 | @@ -207,7 +207,7 @@ ENTRY(compat_post_handle_exception) | ||
101 | |||
102 | /* See lstar_enter for entry register state. */ | ||
103 | ENTRY(cstar_enter) | ||
104 | - sti | ||
105 | + /* sti could live here when we don't switch page tables below. */ | ||
106 | CR4_PV32_RESTORE | ||
107 | movq 8(%rsp),%rax /* Restore %rax. */ | ||
108 | movq $FLAT_KERNEL_SS,8(%rsp) | ||
109 | @@ -227,11 +227,12 @@ ENTRY(cstar_enter) | ||
110 | jz .Lcstar_cr3_okay | ||
111 | mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%rbx) | ||
112 | neg %rcx | ||
113 | - write_cr3 rcx, rdi, rsi | ||
114 | + mov %rcx, %cr3 | ||
115 | movq $0, STACK_CPUINFO_FIELD(xen_cr3)(%rbx) | ||
116 | .Lcstar_cr3_okay: | ||
117 | + sti | ||
118 | |||
119 | - GET_CURRENT(bx) | ||
120 | + __GET_CURRENT(bx) | ||
121 | movq VCPU_domain(%rbx),%rcx | ||
122 | cmpb $0,DOMAIN_is_32bit_pv(%rcx) | ||
123 | je switch_to_kernel | ||
124 | diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S | ||
125 | index 4080da65db..c169d17159 100644 | ||
126 | --- a/xen/arch/x86/x86_64/entry.S | ||
127 | +++ b/xen/arch/x86/x86_64/entry.S | ||
128 | @@ -148,7 +148,7 @@ UNLIKELY_END(exit_cr3) | ||
129 | * %ss must be saved into the space left by the trampoline. | ||
130 | */ | ||
131 | ENTRY(lstar_enter) | ||
132 | - sti | ||
133 | + /* sti could live here when we don't switch page tables below. */ | ||
134 | movq 8(%rsp),%rax /* Restore %rax. */ | ||
135 | movq $FLAT_KERNEL_SS,8(%rsp) | ||
136 | pushq %r11 | ||
137 | @@ -167,9 +167,10 @@ ENTRY(lstar_enter) | ||
138 | jz .Llstar_cr3_okay | ||
139 | mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%rbx) | ||
140 | neg %rcx | ||
141 | - write_cr3 rcx, rdi, rsi | ||
142 | + mov %rcx, %cr3 | ||
143 | movq $0, STACK_CPUINFO_FIELD(xen_cr3)(%rbx) | ||
144 | .Llstar_cr3_okay: | ||
145 | + sti | ||
146 | |||
147 | __GET_CURRENT(bx) | ||
148 | testb $TF_kernel_mode,VCPU_thread_flags(%rbx) | ||
149 | @@ -252,7 +253,7 @@ process_trap: | ||
150 | jmp test_all_events | ||
151 | |||
152 | ENTRY(sysenter_entry) | ||
153 | - sti | ||
154 | + /* sti could live here when we don't switch page tables below. */ | ||
155 | pushq $FLAT_USER_SS | ||
156 | pushq $0 | ||
157 | pushfq | ||
158 | @@ -268,14 +269,17 @@ GLOBAL(sysenter_eflags_saved) | ||
159 | /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ | ||
160 | |||
161 | GET_STACK_END(bx) | ||
162 | + /* PUSHF above has saved EFLAGS.IF clear (the caller had it set). */ | ||
163 | + orl $X86_EFLAGS_IF, UREGS_eflags(%rsp) | ||
164 | mov STACK_CPUINFO_FIELD(xen_cr3)(%rbx), %rcx | ||
165 | neg %rcx | ||
166 | jz .Lsyse_cr3_okay | ||
167 | mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%rbx) | ||
168 | neg %rcx | ||
169 | - write_cr3 rcx, rdi, rsi | ||
170 | + mov %rcx, %cr3 | ||
171 | movq $0, STACK_CPUINFO_FIELD(xen_cr3)(%rbx) | ||
172 | .Lsyse_cr3_okay: | ||
173 | + sti | ||
174 | |||
175 | __GET_CURRENT(bx) | ||
176 | cmpb $0,VCPU_sysenter_disables_events(%rbx) | ||
177 | @@ -322,9 +326,10 @@ ENTRY(int80_direct_trap) | ||
178 | jz .Lint80_cr3_okay | ||
179 | mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%rbx) | ||
180 | neg %rcx | ||
181 | - write_cr3 rcx, rdi, rsi | ||
182 | + mov %rcx, %cr3 | ||
183 | movq $0, STACK_CPUINFO_FIELD(xen_cr3)(%rbx) | ||
184 | .Lint80_cr3_okay: | ||
185 | + sti | ||
186 | |||
187 | cmpb $0,untrusted_msi(%rip) | ||
188 | UNLIKELY_START(ne, msi_check) | ||
189 | @@ -502,7 +507,7 @@ ENTRY(common_interrupt) | ||
190 | mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%r14) | ||
191 | neg %rcx | ||
192 | .Lintr_cr3_load: | ||
193 | - write_cr3 rcx, rdi, rsi | ||
194 | + mov %rcx, %cr3 | ||
195 | xor %ecx, %ecx | ||
196 | mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%r14) | ||
197 | testb $3, UREGS_cs(%rsp) | ||
198 | @@ -544,7 +549,7 @@ GLOBAL(handle_exception) | ||
199 | mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%r14) | ||
200 | neg %rcx | ||
201 | .Lxcpt_cr3_load: | ||
202 | - write_cr3 rcx, rdi, rsi | ||
203 | + mov %rcx, %cr3 | ||
204 | xor %ecx, %ecx | ||
205 | mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%r14) | ||
206 | testb $3, UREGS_cs(%rsp) | ||
207 | @@ -740,7 +745,7 @@ ENTRY(double_fault) | ||
208 | jns .Ldblf_cr3_load | ||
209 | neg %rbx | ||
210 | .Ldblf_cr3_load: | ||
211 | - write_cr3 rbx, rdi, rsi | ||
212 | + mov %rbx, %cr3 | ||
213 | .Ldblf_cr3_okay: | ||
214 | |||
215 | movq %rsp,%rdi | ||
216 | @@ -775,7 +780,7 @@ handle_ist_exception: | ||
217 | mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%r14) | ||
218 | neg %rcx | ||
219 | .List_cr3_load: | ||
220 | - write_cr3 rcx, rdi, rsi | ||
221 | + mov %rcx, %cr3 | ||
222 | movq $0, STACK_CPUINFO_FIELD(xen_cr3)(%r14) | ||
223 | .List_cr3_okay: | ||
224 | |||
225 | -- | ||
226 | 2.13.5 | ||
227 | |||
diff --git a/main/xen/x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch b/main/xen/x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch deleted file mode 100644 index e029080b17..0000000000 --- a/main/xen/x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch +++ /dev/null | |||
@@ -1,343 +0,0 @@ | |||
1 | From f7bf4d230aaa2de40b2440f63045180a0cb07547 Mon Sep 17 00:00:00 2001 | ||
2 | From: Andrew Cooper <andrew.cooper3@citrix.com> | ||
3 | Date: Tue, 20 Mar 2018 14:38:26 +0100 | ||
4 | Subject: [PATCH] x86/xpti: Hide almost all of .text and all .data/.rodata/.bss | ||
5 | mappings | ||
6 | |||
7 | The current XPTI implementation isolates the directmap (and therefore a lot of | ||
8 | guest data), but a large quantity of CPU0's state (including its stack) | ||
9 | remains visible. | ||
10 | |||
11 | Furthermore, an attacker able to read .text is in a vastly superior position | ||
12 | to normal when it comes to fingerprinting Xen for known vulnerabilities, or | ||
13 | scanning for ROP/Spectre gadgets. | ||
14 | |||
15 | Collect together the entrypoints in .text.entry (currently 3x4k frames, but | ||
16 | can almost certainly be slimmed down), and create a common mapping which is | ||
17 | inserted into each per-cpu shadow. The stubs are also inserted into this | ||
18 | mapping by pointing at the in-use L2. This allows stubs allocated later (SMP | ||
19 | boot, or CPU hotplug) to work without further changes to the common mappings. | ||
20 | |||
21 | Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
22 | Reviewed-by: Jan Beulich <jbeulich@suse.com> | ||
23 | |||
24 | x86/xpti: really hide almost all of Xen image | ||
25 | |||
26 | Commit 422588e885 ("x86/xpti: Hide almost all of .text and all | ||
27 | .data/.rodata/.bss mappings") carefully limited the Xen image cloning to | ||
28 | just entry code, but then overwrote the just allocated and populated L3 | ||
29 | entry with the normal one again covering both Xen image and stubs. | ||
30 | |||
31 | Drop the respective code in favor of an explicit clone_mapping() | ||
32 | invocation. This in turn now requires setup_cpu_root_pgt() to run after | ||
33 | stub setup in all cases. Additionally, with (almost) no unintended | ||
34 | mappings left, the BSP's IDT now also needs to be page aligned. | ||
35 | |||
36 | The moving ahead of cleanup_cpu_root_pgt() is not strictly necessary | ||
37 | for functionality, but things are more logical this way, and we retain | ||
38 | cleanup being done in the inverse order of setup. | ||
39 | |||
40 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
41 | Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
42 | |||
43 | x86/traps: Put idt_table[] back into .bss | ||
44 | |||
45 | c/s d1d6fc97d "x86/xpti: really hide almost all of Xen image" accidentially | ||
46 | moved idt_table[] from .bss to .data by virtue of using the page_aligned | ||
47 | section. We also have .bss.page_aligned, so use that. | ||
48 | |||
49 | Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
50 | Reviewed-by: Jan Beulich <jbeulich@suse.com> | ||
51 | Reviewed-by: Wei Liu <wei.liu2@citrix.com> | ||
52 | master commit: 422588e88511d17984544c0f017a927de3315290 | ||
53 | master date: 2018-02-15 11:08:27 +0000 | ||
54 | master commit: d1d6fc97d66cf56847fc0bcc2ddc370707c22378 | ||
55 | master date: 2018-03-06 16:46:27 +0100 | ||
56 | master commit: 044fedfaa29b5d5774196e3fc7d955a48bfceac4 | ||
57 | master date: 2018-03-09 15:42:24 +0000 | ||
58 | --- | ||
59 | docs/misc/xen-command-line.markdown | 3 -- | ||
60 | xen/arch/x86/smpboot.c | 65 ++++++++++++++++++++++++++++++------- | ||
61 | xen/arch/x86/traps.c | 3 +- | ||
62 | xen/arch/x86/x86_64/compat/entry.S | 5 +++ | ||
63 | xen/arch/x86/x86_64/entry.S | 15 ++++++--- | ||
64 | xen/arch/x86/xen.lds.S | 7 ++++ | ||
65 | 6 files changed, 79 insertions(+), 19 deletions(-) | ||
66 | |||
67 | diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown | ||
68 | index de5b79e41e..7ad971735f 100644 | ||
69 | --- a/docs/misc/xen-command-line.markdown | ||
70 | +++ b/docs/misc/xen-command-line.markdown | ||
71 | @@ -1735,9 +1735,6 @@ mode. | ||
72 | Override default selection of whether to isolate 64-bit PV guest page | ||
73 | tables. | ||
74 | |||
75 | -** WARNING: Not yet a complete isolation implementation, but better than | ||
76 | -nothing. ** | ||
77 | - | ||
78 | ### xsave | ||
79 | > `= <boolean>` | ||
80 | |||
81 | diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c | ||
82 | index 535104065a..7ad2eebaa6 100644 | ||
83 | --- a/xen/arch/x86/smpboot.c | ||
84 | +++ b/xen/arch/x86/smpboot.c | ||
85 | @@ -637,13 +637,24 @@ static int clone_mapping(const void *ptr, root_pgentry_t *rpt) | ||
86 | { | ||
87 | unsigned long linear = (unsigned long)ptr, pfn; | ||
88 | unsigned int flags; | ||
89 | - l3_pgentry_t *pl3e = l4e_to_l3e(idle_pg_table[root_table_offset(linear)]) + | ||
90 | - l3_table_offset(linear); | ||
91 | + l3_pgentry_t *pl3e; | ||
92 | l2_pgentry_t *pl2e; | ||
93 | l1_pgentry_t *pl1e; | ||
94 | |||
95 | - if ( linear < DIRECTMAP_VIRT_START ) | ||
96 | - return 0; | ||
97 | + /* | ||
98 | + * Sanity check 'linear'. We only allow cloning from the Xen virtual | ||
99 | + * range, and in particular, only from the directmap and .text ranges. | ||
100 | + */ | ||
101 | + if ( root_table_offset(linear) > ROOT_PAGETABLE_LAST_XEN_SLOT || | ||
102 | + root_table_offset(linear) < ROOT_PAGETABLE_FIRST_XEN_SLOT ) | ||
103 | + return -EINVAL; | ||
104 | + | ||
105 | + if ( linear < XEN_VIRT_START || | ||
106 | + (linear >= XEN_VIRT_END && linear < DIRECTMAP_VIRT_START) ) | ||
107 | + return -EINVAL; | ||
108 | + | ||
109 | + pl3e = l4e_to_l3e(idle_pg_table[root_table_offset(linear)]) + | ||
110 | + l3_table_offset(linear); | ||
111 | |||
112 | flags = l3e_get_flags(*pl3e); | ||
113 | ASSERT(flags & _PAGE_PRESENT); | ||
114 | @@ -735,6 +746,10 @@ static __read_mostly int8_t opt_xpti = -1; | ||
115 | boolean_param("xpti", opt_xpti); | ||
116 | DEFINE_PER_CPU(root_pgentry_t *, root_pgt); | ||
117 | |||
118 | +static root_pgentry_t common_pgt; | ||
119 | + | ||
120 | +extern const char _stextentry[], _etextentry[]; | ||
121 | + | ||
122 | static int setup_cpu_root_pgt(unsigned int cpu) | ||
123 | { | ||
124 | root_pgentry_t *rpt; | ||
125 | @@ -755,8 +770,23 @@ static int setup_cpu_root_pgt(unsigned int cpu) | ||
126 | idle_pg_table[root_table_offset(RO_MPT_VIRT_START)]; | ||
127 | /* SH_LINEAR_PT inserted together with guest mappings. */ | ||
128 | /* PERDOMAIN inserted during context switch. */ | ||
129 | - rpt[root_table_offset(XEN_VIRT_START)] = | ||
130 | - idle_pg_table[root_table_offset(XEN_VIRT_START)]; | ||
131 | + | ||
132 | + /* One-time setup of common_pgt, which maps .text.entry and the stubs. */ | ||
133 | + if ( unlikely(!root_get_intpte(common_pgt)) ) | ||
134 | + { | ||
135 | + const char *ptr; | ||
136 | + | ||
137 | + for ( rc = 0, ptr = _stextentry; | ||
138 | + !rc && ptr < _etextentry; ptr += PAGE_SIZE ) | ||
139 | + rc = clone_mapping(ptr, rpt); | ||
140 | + | ||
141 | + if ( rc ) | ||
142 | + return rc; | ||
143 | + | ||
144 | + common_pgt = rpt[root_table_offset(XEN_VIRT_START)]; | ||
145 | + } | ||
146 | + | ||
147 | + rpt[root_table_offset(XEN_VIRT_START)] = common_pgt; | ||
148 | |||
149 | /* Install direct map page table entries for stack, IDT, and TSS. */ | ||
150 | for ( off = rc = 0; !rc && off < STACK_SIZE; off += PAGE_SIZE ) | ||
151 | @@ -766,6 +796,8 @@ static int setup_cpu_root_pgt(unsigned int cpu) | ||
152 | rc = clone_mapping(idt_tables[cpu], rpt); | ||
153 | if ( !rc ) | ||
154 | rc = clone_mapping(&per_cpu(init_tss, cpu), rpt); | ||
155 | + if ( !rc ) | ||
156 | + rc = clone_mapping((void *)per_cpu(stubs.addr, cpu), rpt); | ||
157 | |||
158 | return rc; | ||
159 | } | ||
160 | @@ -774,6 +806,7 @@ static void cleanup_cpu_root_pgt(unsigned int cpu) | ||
161 | { | ||
162 | root_pgentry_t *rpt = per_cpu(root_pgt, cpu); | ||
163 | unsigned int r; | ||
164 | + unsigned long stub_linear = per_cpu(stubs.addr, cpu); | ||
165 | |||
166 | if ( !rpt ) | ||
167 | return; | ||
168 | @@ -818,6 +851,16 @@ static void cleanup_cpu_root_pgt(unsigned int cpu) | ||
169 | } | ||
170 | |||
171 | free_xen_pagetable(rpt); | ||
172 | + | ||
173 | + /* Also zap the stub mapping for this CPU. */ | ||
174 | + if ( stub_linear ) | ||
175 | + { | ||
176 | + l3_pgentry_t *l3t = l4e_to_l3e(common_pgt); | ||
177 | + l2_pgentry_t *l2t = l3e_to_l2e(l3t[l3_table_offset(stub_linear)]); | ||
178 | + l1_pgentry_t *l1t = l2e_to_l1e(l2t[l2_table_offset(stub_linear)]); | ||
179 | + | ||
180 | + l1t[l2_table_offset(stub_linear)] = l1e_empty(); | ||
181 | + } | ||
182 | } | ||
183 | |||
184 | static void cpu_smpboot_free(unsigned int cpu) | ||
185 | @@ -839,6 +882,8 @@ static void cpu_smpboot_free(unsigned int cpu) | ||
186 | free_cpumask_var(per_cpu(cpu_sibling_mask, cpu)); | ||
187 | free_cpumask_var(per_cpu(cpu_core_mask, cpu)); | ||
188 | |||
189 | + cleanup_cpu_root_pgt(cpu); | ||
190 | + | ||
191 | if ( per_cpu(stubs.addr, cpu) ) | ||
192 | { | ||
193 | unsigned long mfn = per_cpu(stubs.mfn, cpu); | ||
194 | @@ -856,8 +901,6 @@ static void cpu_smpboot_free(unsigned int cpu) | ||
195 | free_domheap_page(mfn_to_page(mfn)); | ||
196 | } | ||
197 | |||
198 | - cleanup_cpu_root_pgt(cpu); | ||
199 | - | ||
200 | order = get_order_from_pages(NR_RESERVED_GDT_PAGES); | ||
201 | free_xenheap_pages(per_cpu(gdt_table, cpu), order); | ||
202 | |||
203 | @@ -913,9 +956,6 @@ static int cpu_smpboot_alloc(unsigned int cpu) | ||
204 | set_ist(&idt_tables[cpu][TRAP_nmi], IST_NONE); | ||
205 | set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE); | ||
206 | |||
207 | - if ( setup_cpu_root_pgt(cpu) ) | ||
208 | - goto oom; | ||
209 | - | ||
210 | for ( stub_page = 0, i = cpu & ~(STUBS_PER_PAGE - 1); | ||
211 | i < nr_cpu_ids && i <= (cpu | (STUBS_PER_PAGE - 1)); ++i ) | ||
212 | if ( cpu_online(i) && cpu_to_node(i) == node ) | ||
213 | @@ -929,6 +969,9 @@ static int cpu_smpboot_alloc(unsigned int cpu) | ||
214 | goto oom; | ||
215 | per_cpu(stubs.addr, cpu) = stub_page + STUB_BUF_CPU_OFFS(cpu); | ||
216 | |||
217 | + if ( setup_cpu_root_pgt(cpu) ) | ||
218 | + goto oom; | ||
219 | + | ||
220 | if ( secondary_socket_cpumask == NULL && | ||
221 | (secondary_socket_cpumask = xzalloc(cpumask_t)) == NULL ) | ||
222 | goto oom; | ||
223 | diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c | ||
224 | index 480094a93a..4053721b64 100644 | ||
225 | --- a/xen/arch/x86/traps.c | ||
226 | +++ b/xen/arch/x86/traps.c | ||
227 | @@ -100,7 +100,8 @@ DEFINE_PER_CPU_READ_MOSTLY(struct desc_struct *, gdt_table); | ||
228 | DEFINE_PER_CPU_READ_MOSTLY(struct desc_struct *, compat_gdt_table); | ||
229 | |||
230 | /* Master table, used by CPU0. */ | ||
231 | -idt_entry_t idt_table[IDT_ENTRIES]; | ||
232 | +idt_entry_t __section(".bss.page_aligned") __aligned(PAGE_SIZE) | ||
233 | + idt_table[IDT_ENTRIES]; | ||
234 | |||
235 | /* Pointer to the IDT of every CPU. */ | ||
236 | idt_entry_t *idt_tables[NR_CPUS] __read_mostly; | ||
237 | diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S | ||
238 | index 9f65e91d7b..1c5cc9dacf 100644 | ||
239 | --- a/xen/arch/x86/x86_64/compat/entry.S | ||
240 | +++ b/xen/arch/x86/x86_64/compat/entry.S | ||
241 | @@ -12,6 +12,8 @@ | ||
242 | #include <public/xen.h> | ||
243 | #include <irq_vectors.h> | ||
244 | |||
245 | + .section .text.entry, "ax", @progbits | ||
246 | + | ||
247 | ENTRY(compat_hypercall) | ||
248 | ASM_CLAC | ||
249 | pushq $0 | ||
250 | @@ -275,6 +277,9 @@ ENTRY(compat_int80_direct_trap) | ||
251 | call compat_create_bounce_frame | ||
252 | jmp compat_test_all_events | ||
253 | |||
254 | + /* compat_create_bounce_frame & helpers don't need to be in .text.entry */ | ||
255 | + .text | ||
256 | + | ||
257 | /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS (RING-1) STACK: */ | ||
258 | /* {[ERRCODE,] EIP, CS, EFLAGS, [ESP, SS]} */ | ||
259 | /* %rdx: trap_bounce, %rbx: struct vcpu */ | ||
260 | diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S | ||
261 | index f24bffb574..4080da65db 100644 | ||
262 | --- a/xen/arch/x86/x86_64/entry.S | ||
263 | +++ b/xen/arch/x86/x86_64/entry.S | ||
264 | @@ -13,6 +13,8 @@ | ||
265 | #include <public/xen.h> | ||
266 | #include <irq_vectors.h> | ||
267 | |||
268 | + .section .text.entry, "ax", @progbits | ||
269 | + | ||
270 | /* %rbx: struct vcpu */ | ||
271 | ENTRY(switch_to_kernel) | ||
272 | leaq VCPU_trap_bounce(%rbx),%rdx | ||
273 | @@ -355,6 +357,9 @@ int80_slow_path: | ||
274 | subq $2,UREGS_rip(%rsp) | ||
275 | jmp handle_exception_saved | ||
276 | |||
277 | + /* create_bounce_frame & helpers don't need to be in .text.entry */ | ||
278 | + .text | ||
279 | + | ||
280 | /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS STACK: */ | ||
281 | /* { RCX, R11, [DS-GS,] [CR2,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */ | ||
282 | /* %rdx: trap_bounce, %rbx: struct vcpu */ | ||
283 | @@ -479,6 +484,8 @@ ENTRY(dom_crash_sync_extable) | ||
284 | xorl %edi,%edi | ||
285 | jmp asm_domain_crash_synchronous /* Does not return */ | ||
286 | |||
287 | + .section .text.entry, "ax", @progbits | ||
288 | + | ||
289 | ENTRY(common_interrupt) | ||
290 | SAVE_ALL CLAC | ||
291 | |||
292 | @@ -838,8 +845,7 @@ GLOBAL(trap_nop) | ||
293 | |||
294 | |||
295 | |||
296 | -.section .rodata, "a", @progbits | ||
297 | - | ||
298 | + .pushsection .rodata, "a", @progbits | ||
299 | ENTRY(exception_table) | ||
300 | .quad do_trap | ||
301 | .quad do_debug | ||
302 | @@ -865,9 +871,10 @@ ENTRY(exception_table) | ||
303 | .quad do_reserved_trap /* Architecturally reserved exceptions. */ | ||
304 | .endr | ||
305 | .size exception_table, . - exception_table | ||
306 | + .popsection | ||
307 | |||
308 | /* Table of automatically generated entry points. One per vector. */ | ||
309 | - .section .init.rodata, "a", @progbits | ||
310 | + .pushsection .init.rodata, "a", @progbits | ||
311 | GLOBAL(autogen_entrypoints) | ||
312 | /* pop into the .init.rodata section and record an entry point. */ | ||
313 | .macro entrypoint ent | ||
314 | @@ -876,7 +883,7 @@ GLOBAL(autogen_entrypoints) | ||
315 | .popsection | ||
316 | .endm | ||
317 | |||
318 | - .text | ||
319 | + .popsection | ||
320 | autogen_stubs: /* Automatically generated stubs. */ | ||
321 | |||
322 | vec = 0 | ||
323 | diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S | ||
324 | index 681c795c6d..500fe3a9cc 100644 | ||
325 | --- a/xen/arch/x86/xen.lds.S | ||
326 | +++ b/xen/arch/x86/xen.lds.S | ||
327 | @@ -61,6 +61,13 @@ SECTIONS | ||
328 | _stext = .; /* Text and read-only data */ | ||
329 | *(.text) | ||
330 | *(.text.__x86_indirect_thunk_*) | ||
331 | + | ||
332 | + . = ALIGN(PAGE_SIZE); | ||
333 | + _stextentry = .; | ||
334 | + *(.text.entry) | ||
335 | + . = ALIGN(PAGE_SIZE); | ||
336 | + _etextentry = .; | ||
337 | + | ||
338 | *(.text.cold) | ||
339 | *(.text.unlikely) | ||
340 | *(.fixup) | ||
341 | -- | ||
342 | 2.13.5 | ||
343 | |||
diff --git a/main/xen/xsa252-4.9.patch b/main/xen/xsa252-4.9.patch deleted file mode 100644 index 4afc22a6f1..0000000000 --- a/main/xen/xsa252-4.9.patch +++ /dev/null | |||
@@ -1,25 +0,0 @@ | |||
1 | From: Jan Beulich <jbeulich@suse.com> | ||
2 | Subject: memory: don't implicitly unpin for decrease-reservation | ||
3 | |||
4 | It very likely was a mistake (copy-and-paste from domain cleanup code) | ||
5 | to implicitly unpin here: The caller should really unpin itself before | ||
6 | (or after, if they so wish) requesting the page to be removed. | ||
7 | |||
8 | This is XSA-252. | ||
9 | |||
10 | Reported-by: Jann Horn <jannh@google.com> | ||
11 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
12 | Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
13 | |||
14 | --- a/xen/common/memory.c | ||
15 | +++ b/xen/common/memory.c | ||
16 | @@ -341,9 +341,6 @@ int guest_remove_page(struct domain *d, | ||
17 | |||
18 | rc = guest_physmap_remove_page(d, _gfn(gmfn), mfn, 0); | ||
19 | |||
20 | - if ( !rc && test_and_clear_bit(_PGT_pinned, &page->u.inuse.type_info) ) | ||
21 | - put_page_and_type(page); | ||
22 | - | ||
23 | /* | ||
24 | * With the lack of an IOMMU on some platforms, domains with DMA-capable | ||
25 | * device must retrieve the same pfn when the hypercall populate_physmap | ||
diff --git a/main/xen/xsa255-4.9-1.patch b/main/xen/xsa255-4.9-1.patch deleted file mode 100644 index 0365adf750..0000000000 --- a/main/xen/xsa255-4.9-1.patch +++ /dev/null | |||
@@ -1,126 +0,0 @@ | |||
1 | From: Jan Beulich <jbeulich@suse.com> | ||
2 | Subject: gnttab/ARM: don't corrupt shared GFN array | ||
3 | |||
4 | ... by writing status GFNs to it. Introduce a second array instead. | ||
5 | Also implement gnttab_status_gmfn() properly now that the information is | ||
6 | suitably being tracked. | ||
7 | |||
8 | While touching it anyway, remove a misguided (but luckily benign) upper | ||
9 | bound check from gnttab_shared_gmfn(): We should never access beyond the | ||
10 | bounds of that array. | ||
11 | |||
12 | This is part of XSA-255. | ||
13 | |||
14 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
15 | Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> | ||
16 | Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
17 | |||
18 | --- a/xen/arch/arm/domain.c | ||
19 | +++ b/xen/arch/arm/domain.c | ||
20 | @@ -461,19 +461,37 @@ void startup_cpu_idle_loop(void) | ||
21 | struct domain *alloc_domain_struct(void) | ||
22 | { | ||
23 | struct domain *d; | ||
24 | + unsigned int i, max_status_frames; | ||
25 | + | ||
26 | BUILD_BUG_ON(sizeof(*d) > PAGE_SIZE); | ||
27 | d = alloc_xenheap_pages(0, 0); | ||
28 | if ( d == NULL ) | ||
29 | return NULL; | ||
30 | |||
31 | clear_page(d); | ||
32 | - d->arch.grant_table_gfn = xzalloc_array(gfn_t, max_grant_frames); | ||
33 | + | ||
34 | + d->arch.grant_shared_gfn = xmalloc_array(gfn_t, max_grant_frames); | ||
35 | + max_status_frames = grant_to_status_frames(max_grant_frames); | ||
36 | + d->arch.grant_status_gfn = xmalloc_array(gfn_t, max_status_frames); | ||
37 | + if ( !d->arch.grant_shared_gfn || !d->arch.grant_status_gfn ) | ||
38 | + { | ||
39 | + free_domain_struct(d); | ||
40 | + return NULL; | ||
41 | + } | ||
42 | + | ||
43 | + for ( i = 0; i < max_grant_frames; ++i ) | ||
44 | + d->arch.grant_shared_gfn[i] = INVALID_GFN; | ||
45 | + | ||
46 | + for ( i = 0; i < max_status_frames; ++i ) | ||
47 | + d->arch.grant_status_gfn[i] = INVALID_GFN; | ||
48 | + | ||
49 | return d; | ||
50 | } | ||
51 | |||
52 | void free_domain_struct(struct domain *d) | ||
53 | { | ||
54 | - xfree(d->arch.grant_table_gfn); | ||
55 | + xfree(d->arch.grant_shared_gfn); | ||
56 | + xfree(d->arch.grant_status_gfn); | ||
57 | free_xenheap_page(d); | ||
58 | } | ||
59 | |||
60 | --- a/xen/arch/arm/mm.c | ||
61 | +++ b/xen/arch/arm/mm.c | ||
62 | @@ -1148,6 +1148,7 @@ int xenmem_add_to_physmap_one( | ||
63 | int rc; | ||
64 | p2m_type_t t; | ||
65 | struct page_info *page = NULL; | ||
66 | + bool status = false; | ||
67 | |||
68 | switch ( space ) | ||
69 | { | ||
70 | @@ -1165,6 +1166,7 @@ int xenmem_add_to_physmap_one( | ||
71 | mfn = virt_to_mfn(d->grant_table->status[idx]); | ||
72 | else | ||
73 | mfn = mfn_x(INVALID_MFN); | ||
74 | + status = true; | ||
75 | } | ||
76 | else | ||
77 | { | ||
78 | @@ -1180,7 +1182,10 @@ int xenmem_add_to_physmap_one( | ||
79 | |||
80 | if ( mfn != mfn_x(INVALID_MFN) ) | ||
81 | { | ||
82 | - d->arch.grant_table_gfn[idx] = gfn; | ||
83 | + if ( status ) | ||
84 | + d->arch.grant_status_gfn[idx] = gfn; | ||
85 | + else | ||
86 | + d->arch.grant_shared_gfn[idx] = gfn; | ||
87 | |||
88 | t = p2m_ram_rw; | ||
89 | } | ||
90 | --- a/xen/include/asm-arm/domain.h | ||
91 | +++ b/xen/include/asm-arm/domain.h | ||
92 | @@ -50,7 +50,8 @@ struct arch_domain | ||
93 | struct p2m_domain p2m; | ||
94 | |||
95 | struct hvm_domain hvm_domain; | ||
96 | - gfn_t *grant_table_gfn; | ||
97 | + gfn_t *grant_shared_gfn; | ||
98 | + gfn_t *grant_status_gfn; | ||
99 | |||
100 | struct vmmio vmmio; | ||
101 | |||
102 | --- a/xen/include/asm-arm/grant_table.h | ||
103 | +++ b/xen/include/asm-arm/grant_table.h | ||
104 | @@ -14,7 +14,6 @@ int replace_grant_host_mapping(unsigned | ||
105 | unsigned long new_gpaddr, unsigned int flags); | ||
106 | void gnttab_mark_dirty(struct domain *d, unsigned long l); | ||
107 | #define gnttab_create_status_page(d, t, i) do {} while (0) | ||
108 | -#define gnttab_status_gmfn(d, t, i) (0) | ||
109 | #define gnttab_release_host_mappings(domain) 1 | ||
110 | static inline int replace_grant_supported(void) | ||
111 | { | ||
112 | @@ -29,8 +28,12 @@ static inline int replace_grant_supporte | ||
113 | } while ( 0 ) | ||
114 | |||
115 | #define gnttab_shared_gmfn(d, t, i) \ | ||
116 | - ( ((i >= nr_grant_frames(d->grant_table)) && \ | ||
117 | - (i < max_grant_frames)) ? 0 : gfn_x(d->arch.grant_table_gfn[i])) | ||
118 | + gfn_x(((i) >= nr_grant_frames(t)) ? INVALID_GFN \ | ||
119 | + : (d)->arch.grant_shared_gfn[i]) | ||
120 | + | ||
121 | +#define gnttab_status_gmfn(d, t, i) \ | ||
122 | + gfn_x(((i) >= nr_status_frames(t)) ? INVALID_GFN \ | ||
123 | + : (d)->arch.grant_status_gfn[i]) | ||
124 | |||
125 | #define gnttab_need_iommu_mapping(d) \ | ||
126 | (is_domain_direct_mapped(d) && need_iommu(d)) | ||
diff --git a/main/xen/xsa255-4.9-2.patch b/main/xen/xsa255-4.9-2.patch deleted file mode 100644 index ce225bde28..0000000000 --- a/main/xen/xsa255-4.9-2.patch +++ /dev/null | |||
@@ -1,186 +0,0 @@ | |||
1 | From: Jan Beulich <jbeulich@suse.com> | ||
2 | Subject: gnttab: don't blindly free status pages upon version change | ||
3 | |||
4 | There may still be active mappings, which would trigger the respective | ||
5 | BUG_ON(). Split the loop into one dealing with the page attributes and | ||
6 | the second (when the first fully passed) freeing the pages. Return an | ||
7 | error if any pages still have pending references. | ||
8 | |||
9 | This is part of XSA-255. | ||
10 | |||
11 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
12 | Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> | ||
13 | Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
14 | |||
15 | --- a/xen/arch/arm/mm.c | ||
16 | +++ b/xen/arch/arm/mm.c | ||
17 | @@ -1180,12 +1180,22 @@ int xenmem_add_to_physmap_one( | ||
18 | mfn = mfn_x(INVALID_MFN); | ||
19 | } | ||
20 | |||
21 | + if ( mfn != mfn_x(INVALID_MFN) && | ||
22 | + !gfn_eq(gnttab_get_frame_gfn(d, status, idx), INVALID_GFN) ) | ||
23 | + { | ||
24 | + rc = guest_physmap_remove_page(d, | ||
25 | + gnttab_get_frame_gfn(d, status, idx), | ||
26 | + _mfn(mfn), 0); | ||
27 | + if ( rc ) | ||
28 | + { | ||
29 | + grant_write_unlock(d->grant_table); | ||
30 | + return rc; | ||
31 | + } | ||
32 | + } | ||
33 | + | ||
34 | if ( mfn != mfn_x(INVALID_MFN) ) | ||
35 | { | ||
36 | - if ( status ) | ||
37 | - d->arch.grant_status_gfn[idx] = gfn; | ||
38 | - else | ||
39 | - d->arch.grant_shared_gfn[idx] = gfn; | ||
40 | + gnttab_set_frame_gfn(d, status, idx, gfn); | ||
41 | |||
42 | t = p2m_ram_rw; | ||
43 | } | ||
44 | --- a/xen/common/grant_table.c | ||
45 | +++ b/xen/common/grant_table.c | ||
46 | @@ -1516,23 +1516,74 @@ status_alloc_failed: | ||
47 | return -ENOMEM; | ||
48 | } | ||
49 | |||
50 | -static void | ||
51 | +static int | ||
52 | gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt) | ||
53 | { | ||
54 | - int i; | ||
55 | + unsigned int i; | ||
56 | |||
57 | for ( i = 0; i < nr_status_frames(gt); i++ ) | ||
58 | { | ||
59 | struct page_info *pg = virt_to_page(gt->status[i]); | ||
60 | + gfn_t gfn = gnttab_get_frame_gfn(d, true, i); | ||
61 | + | ||
62 | + /* | ||
63 | + * For translated domains, recovering from failure after partial | ||
64 | + * changes were made is more complicated than it seems worth | ||
65 | + * implementing at this time. Hence respective error paths below | ||
66 | + * crash the domain in such a case. | ||
67 | + */ | ||
68 | + if ( paging_mode_translate(d) ) | ||
69 | + { | ||
70 | + int rc = gfn_eq(gfn, INVALID_GFN) | ||
71 | + ? 0 | ||
72 | + : guest_physmap_remove_page(d, gfn, | ||
73 | + _mfn(page_to_mfn(pg)), 0); | ||
74 | + | ||
75 | + if ( rc ) | ||
76 | + { | ||
77 | + gprintk(XENLOG_ERR, | ||
78 | + "Could not remove status frame %u (GFN %#lx) from P2M\n", | ||
79 | + i, gfn_x(gfn)); | ||
80 | + domain_crash(d); | ||
81 | + return rc; | ||
82 | + } | ||
83 | + gnttab_set_frame_gfn(d, true, i, INVALID_GFN); | ||
84 | + } | ||
85 | |||
86 | BUG_ON(page_get_owner(pg) != d); | ||
87 | if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) ) | ||
88 | put_page(pg); | ||
89 | - BUG_ON(pg->count_info & ~PGC_xen_heap); | ||
90 | + | ||
91 | + if ( pg->count_info & ~PGC_xen_heap ) | ||
92 | + { | ||
93 | + if ( paging_mode_translate(d) ) | ||
94 | + { | ||
95 | + gprintk(XENLOG_ERR, | ||
96 | + "Wrong page state %#lx of status frame %u (GFN %#lx)\n", | ||
97 | + pg->count_info, i, gfn_x(gfn)); | ||
98 | + domain_crash(d); | ||
99 | + } | ||
100 | + else | ||
101 | + { | ||
102 | + if ( get_page(pg, d) ) | ||
103 | + set_bit(_PGC_allocated, &pg->count_info); | ||
104 | + while ( i-- ) | ||
105 | + gnttab_create_status_page(d, gt, i); | ||
106 | + } | ||
107 | + return -EBUSY; | ||
108 | + } | ||
109 | + | ||
110 | + page_set_owner(pg, NULL); | ||
111 | + } | ||
112 | + | ||
113 | + for ( i = 0; i < nr_status_frames(gt); i++ ) | ||
114 | + { | ||
115 | free_xenheap_page(gt->status[i]); | ||
116 | gt->status[i] = NULL; | ||
117 | } | ||
118 | gt->nr_status_frames = 0; | ||
119 | + | ||
120 | + return 0; | ||
121 | } | ||
122 | |||
123 | /* | ||
124 | @@ -2774,8 +2825,9 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARA | ||
125 | break; | ||
126 | } | ||
127 | |||
128 | - if ( op.version < 2 && gt->gt_version == 2 ) | ||
129 | - gnttab_unpopulate_status_frames(currd, gt); | ||
130 | + if ( op.version < 2 && gt->gt_version == 2 && | ||
131 | + (res = gnttab_unpopulate_status_frames(currd, gt)) != 0 ) | ||
132 | + goto out_unlock; | ||
133 | |||
134 | /* Make sure there's no crud left over from the old version. */ | ||
135 | for ( i = 0; i < nr_grant_frames(gt); i++ ) | ||
136 | --- a/xen/include/asm-arm/grant_table.h | ||
137 | +++ b/xen/include/asm-arm/grant_table.h | ||
138 | @@ -20,6 +20,17 @@ static inline int replace_grant_supporte | ||
139 | return 1; | ||
140 | } | ||
141 | |||
142 | +#define gnttab_set_frame_gfn(d, st, idx, gfn) \ | ||
143 | + do { \ | ||
144 | + ((st) ? (d)->arch.grant_status_gfn \ | ||
145 | + : (d)->arch.grant_shared_gfn)[idx] = (gfn); \ | ||
146 | + } while ( 0 ) | ||
147 | + | ||
148 | +#define gnttab_get_frame_gfn(d, st, idx) ({ \ | ||
149 | + _gfn((st) ? gnttab_status_gmfn(d, (d)->grant_table, idx) \ | ||
150 | + : gnttab_shared_gmfn(d, (d)->grant_table, idx)); \ | ||
151 | +}) | ||
152 | + | ||
153 | #define gnttab_create_shared_page(d, t, i) \ | ||
154 | do { \ | ||
155 | share_xen_page_with_guest( \ | ||
156 | --- a/xen/include/asm-x86/grant_table.h | ||
157 | +++ b/xen/include/asm-x86/grant_table.h | ||
158 | @@ -18,6 +18,14 @@ int create_grant_host_mapping(uint64_t a | ||
159 | int replace_grant_host_mapping( | ||
160 | uint64_t addr, unsigned long frame, uint64_t new_addr, unsigned int flags); | ||
161 | |||
162 | +#define gnttab_set_frame_gfn(d, st, idx, gfn) do {} while ( 0 ) | ||
163 | +#define gnttab_get_frame_gfn(d, st, idx) ({ \ | ||
164 | + unsigned long mfn_ = (st) ? gnttab_status_mfn((d)->grant_table, idx) \ | ||
165 | + : gnttab_shared_mfn((d)->grant_table, idx); \ | ||
166 | + unsigned long gpfn_ = get_gpfn_from_mfn(mfn_); \ | ||
167 | + VALID_M2P(gpfn_) ? _gfn(gpfn_) : INVALID_GFN; \ | ||
168 | +}) | ||
169 | + | ||
170 | #define gnttab_create_shared_page(d, t, i) \ | ||
171 | do { \ | ||
172 | share_xen_page_with_guest( \ | ||
173 | @@ -33,11 +41,11 @@ int replace_grant_host_mapping( | ||
174 | } while ( 0 ) | ||
175 | |||
176 | |||
177 | -#define gnttab_shared_mfn(d, t, i) \ | ||
178 | +#define gnttab_shared_mfn(t, i) \ | ||
179 | ((virt_to_maddr((t)->shared_raw[i]) >> PAGE_SHIFT)) | ||
180 | |||
181 | #define gnttab_shared_gmfn(d, t, i) \ | ||
182 | - (mfn_to_gmfn(d, gnttab_shared_mfn(d, t, i))) | ||
183 | + (mfn_to_gmfn(d, gnttab_shared_mfn(t, i))) | ||
184 | |||
185 | |||
186 | #define gnttab_status_mfn(t, i) \ | ||
diff --git a/main/xen/xsa256-4.8.patch b/main/xen/xsa256-4.8.patch deleted file mode 100644 index 019e6e6b97..0000000000 --- a/main/xen/xsa256-4.8.patch +++ /dev/null | |||
@@ -1,46 +0,0 @@ | |||
1 | From: Andrew Cooper <andrew.cooper3@citrix.com> | ||
2 | Subject: x86/hvm: Disallow the creation of HVM domains without Local APIC emulation | ||
3 | |||
4 | There are multiple problems, not necesserily limited to: | ||
5 | |||
6 | * Guests which configure event channels via hvmop_set_evtchn_upcall_vector(), | ||
7 | or which hit %cr8 emulation will cause Xen to fall over a NULL vlapic->regs | ||
8 | pointer. | ||
9 | |||
10 | * On Intel hardware, disabling the TPR_SHADOW execution control without | ||
11 | reenabling CR8_{LOAD,STORE} interception means that the guests %cr8 | ||
12 | accesses interact with the real TPR. Amongst other things, setting the | ||
13 | real TPR to 0xf blocks even IPIs from interrupting this CPU. | ||
14 | |||
15 | * On hardware which sets up the use of Interrupt Posting, including | ||
16 | IOMMU-Posting, guests run without the appropriate non-root configuration, | ||
17 | which at a minimum will result in dropped interrupts. | ||
18 | |||
19 | Whether no-LAPIC mode is of any use at all remains to be seen. | ||
20 | |||
21 | This is XSA-256. | ||
22 | |||
23 | Reported-by: Ian Jackson <ian.jackson@eu.citrix.com> | ||
24 | Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> | ||
25 | Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
26 | Reviewed-by: Jan Beulich <jbeulich@suse.com> | ||
27 | |||
28 | diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c | ||
29 | index 8817263..91b9ab7 100644 | ||
30 | --- a/xen/arch/x86/domain.c | ||
31 | +++ b/xen/arch/x86/domain.c | ||
32 | @@ -557,11 +557,9 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags, | ||
33 | return -EINVAL; | ||
34 | } | ||
35 | |||
36 | - /* PVHv2 guests can request emulated APIC. */ | ||
37 | - if ( emflags && | ||
38 | - (is_hvm_domain(d) ? ((emflags != XEN_X86_EMU_ALL) && | ||
39 | - (emflags != XEN_X86_EMU_LAPIC)) : | ||
40 | - (emflags != XEN_X86_EMU_PIT)) ) | ||
41 | + if ( is_hvm_domain(d) ? ((emflags != XEN_X86_EMU_ALL) && | ||
42 | + (emflags != XEN_X86_EMU_LAPIC)) | ||
43 | + : (emflags && emflags != XEN_X86_EMU_PIT) ) | ||
44 | { | ||
45 | printk(XENLOG_G_ERR "d%d: Xen does not allow %s domain creation " | ||
46 | "with the current selection of emulators: %#x\n", | ||
diff --git a/main/xen/xsa258-4.8.patch b/main/xen/xsa258-4.8.patch deleted file mode 100644 index 2c6ba32ce0..0000000000 --- a/main/xen/xsa258-4.8.patch +++ /dev/null | |||
@@ -1,106 +0,0 @@ | |||
1 | From 437c3b3ad337c43056903e4824448428d3b5a956 Mon Sep 17 00:00:00 2001 | ||
2 | From: Anthony PERARD <anthony.perard@citrix.com> | ||
3 | Date: Thu, 8 Mar 2018 18:16:41 +0000 | ||
4 | Subject: [PATCH] libxl: Specify format of inserted cdrom | ||
5 | |||
6 | Without this extra parameter on the QMP command, QEMU will guess the | ||
7 | format of the new file. | ||
8 | |||
9 | This is XSA-258. | ||
10 | |||
11 | Reported-by: Anthony PERARD <anthony.perard@citrix.com> | ||
12 | Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> | ||
13 | Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> | ||
14 | --- | ||
15 | tools/libxl/libxl_device.c | 12 ++++++++++++ | ||
16 | tools/libxl/libxl_dm.c | 16 ++-------------- | ||
17 | tools/libxl/libxl_internal.h | 1 + | ||
18 | tools/libxl/libxl_qmp.c | 2 ++ | ||
19 | 4 files changed, 17 insertions(+), 14 deletions(-) | ||
20 | |||
21 | diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c | ||
22 | index 3e7a1026c4..cd2a980f18 100644 | ||
23 | --- a/tools/libxl/libxl_device.c | ||
24 | +++ b/tools/libxl/libxl_device.c | ||
25 | @@ -425,6 +425,18 @@ char *libxl__device_disk_string_of_backend(libxl_disk_backend backend) | ||
26 | } | ||
27 | } | ||
28 | |||
29 | +const char *libxl__qemu_disk_format_string(libxl_disk_format format) | ||
30 | +{ | ||
31 | + switch (format) { | ||
32 | + case LIBXL_DISK_FORMAT_QCOW: return "qcow"; | ||
33 | + case LIBXL_DISK_FORMAT_QCOW2: return "qcow2"; | ||
34 | + case LIBXL_DISK_FORMAT_VHD: return "vpc"; | ||
35 | + case LIBXL_DISK_FORMAT_RAW: return "raw"; | ||
36 | + case LIBXL_DISK_FORMAT_EMPTY: return NULL; | ||
37 | + default: return NULL; | ||
38 | + } | ||
39 | +} | ||
40 | + | ||
41 | int libxl__device_physdisk_major_minor(const char *physpath, int *major, int *minor) | ||
42 | { | ||
43 | struct stat buf; | ||
44 | diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c | ||
45 | index ad366a8cd3..b6bc407795 100644 | ||
46 | --- a/tools/libxl/libxl_dm.c | ||
47 | +++ b/tools/libxl/libxl_dm.c | ||
48 | @@ -669,18 +669,6 @@ static int libxl__build_device_model_args_old(libxl__gc *gc, | ||
49 | return 0; | ||
50 | } | ||
51 | |||
52 | -static const char *qemu_disk_format_string(libxl_disk_format format) | ||
53 | -{ | ||
54 | - switch (format) { | ||
55 | - case LIBXL_DISK_FORMAT_QCOW: return "qcow"; | ||
56 | - case LIBXL_DISK_FORMAT_QCOW2: return "qcow2"; | ||
57 | - case LIBXL_DISK_FORMAT_VHD: return "vpc"; | ||
58 | - case LIBXL_DISK_FORMAT_RAW: return "raw"; | ||
59 | - case LIBXL_DISK_FORMAT_EMPTY: return NULL; | ||
60 | - default: return NULL; | ||
61 | - } | ||
62 | -} | ||
63 | - | ||
64 | static char *dm_spice_options(libxl__gc *gc, | ||
65 | const libxl_spice_info *spice) | ||
66 | { | ||
67 | @@ -1342,9 +1330,9 @@ static int libxl__build_device_model_args_new(libxl__gc *gc, | ||
68 | * always raw | ||
69 | */ | ||
70 | if (disks[i].backend == LIBXL_DISK_BACKEND_QDISK) | ||
71 | - format = qemu_disk_format_string(disks[i].format); | ||
72 | + format = libxl__qemu_disk_format_string(disks[i].format); | ||
73 | else | ||
74 | - format = qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW); | ||
75 | + format = libxl__qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW); | ||
76 | |||
77 | if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) { | ||
78 | if (!disks[i].is_cdrom) { | ||
79 | diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h | ||
80 | index 8366fee25f..c32a40576a 100644 | ||
81 | --- a/tools/libxl/libxl_internal.h | ||
82 | +++ b/tools/libxl/libxl_internal.h | ||
83 | @@ -1170,6 +1170,7 @@ _hidden int libxl__domain_pvcontrol_write(libxl__gc *gc, xs_transaction_t t, | ||
84 | /* from xl_device */ | ||
85 | _hidden char *libxl__device_disk_string_of_backend(libxl_disk_backend backend); | ||
86 | _hidden char *libxl__device_disk_string_of_format(libxl_disk_format format); | ||
87 | +_hidden const char *libxl__qemu_disk_format_string(libxl_disk_format format); | ||
88 | _hidden int libxl__device_disk_set_backend(libxl__gc*, libxl_device_disk*); | ||
89 | |||
90 | _hidden int libxl__device_physdisk_major_minor(const char *physpath, int *major, int *minor); | ||
91 | diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c | ||
92 | index f8addf9ba6..6fc5454a6e 100644 | ||
93 | --- a/tools/libxl/libxl_qmp.c | ||
94 | +++ b/tools/libxl/libxl_qmp.c | ||
95 | @@ -982,6 +982,8 @@ int libxl__qmp_insert_cdrom(libxl__gc *gc, int domid, | ||
96 | return qmp_run_command(gc, domid, "eject", args, NULL, NULL); | ||
97 | } else { | ||
98 | qmp_parameters_add_string(gc, &args, "target", disk->pdev_path); | ||
99 | + qmp_parameters_add_string(gc, &args, "arg", | ||
100 | + libxl__qemu_disk_format_string(disk->format)); | ||
101 | return qmp_run_command(gc, domid, "change", args, NULL, NULL); | ||
102 | } | ||
103 | } | ||
104 | -- | ||
105 | 2.16.2 | ||
106 | |||
diff --git a/main/xen/xsa259.patch b/main/xen/xsa259.patch deleted file mode 100644 index 7848fa87e9..0000000000 --- a/main/xen/xsa259.patch +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | From: Jan Beulich <jbeulich@suse.com> | ||
2 | Subject: x86: fix slow int80 path after XPTI additions | ||
3 | |||
4 | For the int80 slow path to jump to handle_exception_saved, %r14 needs to | ||
5 | be set up suitably for XPTI purposes. This is because of the difference | ||
6 | in nature between the int80 path (which is synchronous WRT guest | ||
7 | actions) and the exception path which is potentially asynchronous. | ||
8 | |||
9 | This is XSA-259. | ||
10 | |||
11 | Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
12 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
13 | Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
14 | |||
15 | --- a/xen/arch/x86/x86_64/entry.S | ||
16 | +++ b/xen/arch/x86/x86_64/entry.S | ||
17 | @@ -396,6 +396,12 @@ int80_slow_path: | ||
18 | movl $TRAP_gp_fault,UREGS_entry_vector(%rsp) | ||
19 | /* A GPF wouldn't have incremented the instruction pointer. */ | ||
20 | subq $2,UREGS_rip(%rsp) | ||
21 | + /* | ||
22 | + * While we've cleared xen_cr3 above already, normal exception handling | ||
23 | + * code has logic to restore the original value from %r15. Therefore we | ||
24 | + * need to set up %r14 here, while %r15 is required to still be zero. | ||
25 | + */ | ||
26 | + GET_STACK_END(14) | ||
27 | jmp handle_exception_saved | ||
28 | |||
29 | /* create_bounce_frame & helpers don't need to be in .text.entry */ | ||
diff --git a/main/xen/xsa260-1.patch b/main/xen/xsa260-1.patch deleted file mode 100644 index aa86dc1db6..0000000000 --- a/main/xen/xsa260-1.patch +++ /dev/null | |||
@@ -1,72 +0,0 @@ | |||
1 | From: Andrew Cooper <andrew.cooper3@citrix.com> | ||
2 | Subject: x86/traps: Fix %dr6 handing in #DB handler | ||
3 | |||
4 | Most bits in %dr6 accumulate, rather than being set directly based on the | ||
5 | current source of #DB. Have the handler follow the manuals guidance, which | ||
6 | avoids leaking hypervisor debugging activities into guest context. | ||
7 | |||
8 | This is part of XSA-260 / CVE-2018-8897. | ||
9 | |||
10 | Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
11 | Reviewed-by: Jan Beulich <jbeulich@suse.com> | ||
12 | |||
13 | --- a/xen/arch/x86/traps.c | ||
14 | +++ b/xen/arch/x86/traps.c | ||
15 | @@ -4038,11 +4038,36 @@ static void ler_enable(void) | ||
16 | |||
17 | void do_debug(struct cpu_user_regs *regs) | ||
18 | { | ||
19 | + unsigned long dr6; | ||
20 | struct vcpu *v = current; | ||
21 | |||
22 | + /* Stash dr6 as early as possible. */ | ||
23 | + dr6 = read_debugreg(6); | ||
24 | + | ||
25 | if ( debugger_trap_entry(TRAP_debug, regs) ) | ||
26 | return; | ||
27 | |||
28 | + /* | ||
29 | + * At the time of writing (March 2018), on the subject of %dr6: | ||
30 | + * | ||
31 | + * The Intel manual says: | ||
32 | + * Certain debug exceptions may clear bits 0-3. The remaining contents | ||
33 | + * of the DR6 register are never cleared by the processor. To avoid | ||
34 | + * confusion in identifying debug exceptions, debug handlers should | ||
35 | + * clear the register (except bit 16, which they should set) before | ||
36 | + * returning to the interrupted task. | ||
37 | + * | ||
38 | + * The AMD manual says: | ||
39 | + * Bits 15:13 of the DR6 register are not cleared by the processor and | ||
40 | + * must be cleared by software after the contents have been read. | ||
41 | + * | ||
42 | + * Some bits are reserved set, some are reserved clear, and some bits | ||
43 | + * which were previously reserved set are reused and cleared by hardware. | ||
44 | + * For future compatibility, reset to the default value, which will allow | ||
45 | + * us to spot any bit being changed by hardware to its non-default value. | ||
46 | + */ | ||
47 | + write_debugreg(6, X86_DR6_DEFAULT); | ||
48 | + | ||
49 | if ( !guest_mode(regs) ) | ||
50 | { | ||
51 | if ( regs->eflags & X86_EFLAGS_TF ) | ||
52 | @@ -4075,7 +4100,8 @@ void do_debug(struct cpu_user_regs *regs | ||
53 | } | ||
54 | |||
55 | /* Save debug status register where guest OS can peek at it */ | ||
56 | - v->arch.debugreg[6] = read_debugreg(6); | ||
57 | + v->arch.debugreg[6] |= (dr6 & ~X86_DR6_DEFAULT); | ||
58 | + v->arch.debugreg[6] &= (dr6 | ~X86_DR6_DEFAULT); | ||
59 | |||
60 | ler_enable(); | ||
61 | do_guest_trap(TRAP_debug, regs); | ||
62 | --- a/xen/include/asm-x86/debugreg.h | ||
63 | +++ b/xen/include/asm-x86/debugreg.h | ||
64 | @@ -24,6 +24,8 @@ | ||
65 | #define DR_STATUS_RESERVED_ZERO (~0xffffeffful) /* Reserved, read as zero */ | ||
66 | #define DR_STATUS_RESERVED_ONE 0xffff0ff0ul /* Reserved, read as one */ | ||
67 | |||
68 | +#define X86_DR6_DEFAULT 0xffff0ff0ul /* Default %dr6 value. */ | ||
69 | + | ||
70 | /* Now define a bunch of things for manipulating the control register. | ||
71 | The top two bytes of the control register consist of 4 fields of 4 | ||
72 | bits - each field corresponds to one of the four debug registers, | ||
diff --git a/main/xen/xsa260-2.patch b/main/xen/xsa260-2.patch deleted file mode 100644 index d7aefe6b4d..0000000000 --- a/main/xen/xsa260-2.patch +++ /dev/null | |||
@@ -1,110 +0,0 @@ | |||
1 | From: Andrew Cooper <andrew.cooper3@citrix.com> | ||
2 | Subject: x86/pv: Move exception injection into {,compat_}test_all_events() | ||
3 | |||
4 | This allows paths to jump straight to {,compat_}test_all_events() and have | ||
5 | injection of pending exceptions happen automatically, rather than requiring | ||
6 | all calling paths to handle exceptions themselves. | ||
7 | |||
8 | The normal exception path is simplified as a result, and | ||
9 | compat_post_handle_exception() is removed entirely. | ||
10 | |||
11 | This is part of XSA-260 / CVE-2018-8897. | ||
12 | |||
13 | Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
14 | Reviewed-by: Jan Beulich <jbeulich@suse.com> | ||
15 | |||
16 | --- a/xen/arch/x86/x86_64/compat/entry.S | ||
17 | +++ b/xen/arch/x86/x86_64/compat/entry.S | ||
18 | @@ -45,6 +45,12 @@ ENTRY(compat_test_all_events) | ||
19 | leaq irq_stat+IRQSTAT_softirq_pending(%rip),%rcx | ||
20 | cmpl $0,(%rcx,%rax,1) | ||
21 | jne compat_process_softirqs | ||
22 | + | ||
23 | + /* Inject exception if pending. */ | ||
24 | + lea VCPU_trap_bounce(%rbx), %rdx | ||
25 | + testb $TBF_EXCEPTION, TRAPBOUNCE_flags(%rdx) | ||
26 | + jnz .Lcompat_process_trapbounce | ||
27 | + | ||
28 | testb $1,VCPU_mce_pending(%rbx) | ||
29 | jnz compat_process_mce | ||
30 | .Lcompat_test_guest_nmi: | ||
31 | @@ -74,6 +80,15 @@ compat_process_softirqs: | ||
32 | call do_softirq | ||
33 | jmp compat_test_all_events | ||
34 | |||
35 | + ALIGN | ||
36 | +/* %rbx: struct vcpu, %rdx: struct trap_bounce */ | ||
37 | +.Lcompat_process_trapbounce: | ||
38 | + sti | ||
39 | +.Lcompat_bounce_exception: | ||
40 | + call compat_create_bounce_frame | ||
41 | + movb $0, TRAPBOUNCE_flags(%rdx) | ||
42 | + jmp compat_test_all_events | ||
43 | + | ||
44 | ALIGN | ||
45 | /* %rbx: struct vcpu */ | ||
46 | compat_process_mce: | ||
47 | @@ -194,15 +209,6 @@ ENTRY(cr4_pv32_restore) | ||
48 | xor %eax, %eax | ||
49 | ret | ||
50 | |||
51 | -/* %rdx: trap_bounce, %rbx: struct vcpu */ | ||
52 | -ENTRY(compat_post_handle_exception) | ||
53 | - testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx) | ||
54 | - jz compat_test_all_events | ||
55 | -.Lcompat_bounce_exception: | ||
56 | - call compat_create_bounce_frame | ||
57 | - movb $0,TRAPBOUNCE_flags(%rdx) | ||
58 | - jmp compat_test_all_events | ||
59 | - | ||
60 | .section .text.entry, "ax", @progbits | ||
61 | |||
62 | /* See lstar_enter for entry register state. */ | ||
63 | --- a/xen/arch/x86/x86_64/entry.S | ||
64 | +++ b/xen/arch/x86/x86_64/entry.S | ||
65 | @@ -41,6 +41,12 @@ test_all_events: | ||
66 | leaq irq_stat+IRQSTAT_softirq_pending(%rip), %rcx | ||
67 | cmpl $0, (%rcx, %rax, 1) | ||
68 | jne process_softirqs | ||
69 | + | ||
70 | + /* Inject exception if pending. */ | ||
71 | + lea VCPU_trap_bounce(%rbx), %rdx | ||
72 | + testb $TBF_EXCEPTION, TRAPBOUNCE_flags(%rdx) | ||
73 | + jnz .Lprocess_trapbounce | ||
74 | + | ||
75 | cmpb $0, VCPU_mce_pending(%rbx) | ||
76 | jne process_mce | ||
77 | .Ltest_guest_nmi: | ||
78 | @@ -69,6 +75,15 @@ process_softirqs: | ||
79 | jmp test_all_events | ||
80 | |||
81 | ALIGN | ||
82 | +/* %rbx: struct vcpu, %rdx struct trap_bounce */ | ||
83 | +.Lprocess_trapbounce: | ||
84 | + sti | ||
85 | +.Lbounce_exception: | ||
86 | + call create_bounce_frame | ||
87 | + movb $0, TRAPBOUNCE_flags(%rdx) | ||
88 | + jmp test_all_events | ||
89 | + | ||
90 | + ALIGN | ||
91 | /* %rbx: struct vcpu */ | ||
92 | process_mce: | ||
93 | testb $1 << VCPU_TRAP_MCE, VCPU_async_exception_mask(%rbx) | ||
94 | @@ -659,15 +674,9 @@ handle_exception_saved: | ||
95 | mov %r15, STACK_CPUINFO_FIELD(xen_cr3)(%r14) | ||
96 | testb $3,UREGS_cs(%rsp) | ||
97 | jz restore_all_xen | ||
98 | - leaq VCPU_trap_bounce(%rbx),%rdx | ||
99 | movq VCPU_domain(%rbx),%rax | ||
100 | testb $1,DOMAIN_is_32bit_pv(%rax) | ||
101 | - jnz compat_post_handle_exception | ||
102 | - testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx) | ||
103 | - jz test_all_events | ||
104 | -.Lbounce_exception: | ||
105 | - call create_bounce_frame | ||
106 | - movb $0,TRAPBOUNCE_flags(%rdx) | ||
107 | + jnz compat_test_all_events | ||
108 | jmp test_all_events | ||
109 | |||
110 | /* No special register assumptions. */ | ||
diff --git a/main/xen/xsa260-3.patch b/main/xen/xsa260-3.patch deleted file mode 100644 index 7dcf12a679..0000000000 --- a/main/xen/xsa260-3.patch +++ /dev/null | |||
@@ -1,138 +0,0 @@ | |||
1 | From: Andrew Cooper <andrew.cooper3@citrix.com> | ||
2 | Subject: x86/traps: Use an Interrupt Stack Table for #DB | ||
3 | |||
4 | PV guests can use architectural corner cases to cause #DB to be raised after | ||
5 | transitioning into supervisor mode. | ||
6 | |||
7 | Use an interrupt stack table for #DB to prevent the exception being taken with | ||
8 | a guest controlled stack pointer. | ||
9 | |||
10 | This is part of XSA-260 / CVE-2018-8897. | ||
11 | |||
12 | Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
13 | Reviewed-by: Jan Beulich <jbeulich@suse.com> | ||
14 | |||
15 | --- a/xen/arch/x86/cpu/common.c | ||
16 | +++ b/xen/arch/x86/cpu/common.c | ||
17 | @@ -681,6 +681,7 @@ void load_system_tables(void) | ||
18 | tss->ist[IST_MCE - 1] = stack_top + IST_MCE * PAGE_SIZE; | ||
19 | tss->ist[IST_DF - 1] = stack_top + IST_DF * PAGE_SIZE; | ||
20 | tss->ist[IST_NMI - 1] = stack_top + IST_NMI * PAGE_SIZE; | ||
21 | + tss->ist[IST_DB - 1] = stack_top + IST_DB * PAGE_SIZE; | ||
22 | |||
23 | _set_tssldt_desc( | ||
24 | gdt + TSS_ENTRY, | ||
25 | @@ -701,6 +702,7 @@ void load_system_tables(void) | ||
26 | set_ist(&idt_tables[cpu][TRAP_double_fault], IST_DF); | ||
27 | set_ist(&idt_tables[cpu][TRAP_nmi], IST_NMI); | ||
28 | set_ist(&idt_tables[cpu][TRAP_machine_check], IST_MCE); | ||
29 | + set_ist(&idt_tables[cpu][TRAP_debug], IST_DB); | ||
30 | |||
31 | /* | ||
32 | * Bottom-of-stack must be 16-byte aligned! | ||
33 | --- a/xen/arch/x86/hvm/svm/svm.c | ||
34 | +++ b/xen/arch/x86/hvm/svm/svm.c | ||
35 | @@ -1042,6 +1042,7 @@ static void svm_ctxt_switch_from(struct | ||
36 | set_ist(&idt_tables[cpu][TRAP_double_fault], IST_DF); | ||
37 | set_ist(&idt_tables[cpu][TRAP_nmi], IST_NMI); | ||
38 | set_ist(&idt_tables[cpu][TRAP_machine_check], IST_MCE); | ||
39 | + set_ist(&idt_tables[cpu][TRAP_debug], IST_DB); | ||
40 | } | ||
41 | |||
42 | static void svm_ctxt_switch_to(struct vcpu *v) | ||
43 | @@ -1063,6 +1064,7 @@ static void svm_ctxt_switch_to(struct vc | ||
44 | set_ist(&idt_tables[cpu][TRAP_double_fault], IST_NONE); | ||
45 | set_ist(&idt_tables[cpu][TRAP_nmi], IST_NONE); | ||
46 | set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE); | ||
47 | + set_ist(&idt_tables[cpu][TRAP_debug], IST_NONE); | ||
48 | |||
49 | svm_restore_dr(v); | ||
50 | |||
51 | --- a/xen/arch/x86/smpboot.c | ||
52 | +++ b/xen/arch/x86/smpboot.c | ||
53 | @@ -960,6 +960,7 @@ static int cpu_smpboot_alloc(unsigned in | ||
54 | set_ist(&idt_tables[cpu][TRAP_double_fault], IST_NONE); | ||
55 | set_ist(&idt_tables[cpu][TRAP_nmi], IST_NONE); | ||
56 | set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE); | ||
57 | + set_ist(&idt_tables[cpu][TRAP_debug], IST_NONE); | ||
58 | |||
59 | for ( stub_page = 0, i = cpu & ~(STUBS_PER_PAGE - 1); | ||
60 | i < nr_cpu_ids && i <= (cpu | (STUBS_PER_PAGE - 1)); ++i ) | ||
61 | --- a/xen/arch/x86/traps.c | ||
62 | +++ b/xen/arch/x86/traps.c | ||
63 | @@ -259,13 +259,13 @@ static void show_guest_stack(struct vcpu | ||
64 | /* | ||
65 | * Notes for get_stack_trace_bottom() and get_stack_dump_bottom() | ||
66 | * | ||
67 | - * Stack pages 0, 1 and 2: | ||
68 | + * Stack pages 0 - 3: | ||
69 | * These are all 1-page IST stacks. Each of these stacks have an exception | ||
70 | * frame and saved register state at the top. The interesting bound for a | ||
71 | * trace is the word adjacent to this, while the bound for a dump is the | ||
72 | * very top, including the exception frame. | ||
73 | * | ||
74 | - * Stack pages 3, 4 and 5: | ||
75 | + * Stack pages 4 and 5: | ||
76 | * None of these are particularly interesting. With MEMORY_GUARD, page 5 is | ||
77 | * explicitly not present, so attempting to dump or trace it is | ||
78 | * counterproductive. Without MEMORY_GUARD, it is possible for a call chain | ||
79 | @@ -286,12 +286,12 @@ unsigned long get_stack_trace_bottom(uns | ||
80 | { | ||
81 | switch ( get_stack_page(sp) ) | ||
82 | { | ||
83 | - case 0 ... 2: | ||
84 | + case 0 ... 3: | ||
85 | return ROUNDUP(sp, PAGE_SIZE) - | ||
86 | offsetof(struct cpu_user_regs, es) - sizeof(unsigned long); | ||
87 | |||
88 | #ifndef MEMORY_GUARD | ||
89 | - case 3 ... 5: | ||
90 | + case 4 ... 5: | ||
91 | #endif | ||
92 | case 6 ... 7: | ||
93 | return ROUNDUP(sp, STACK_SIZE) - | ||
94 | @@ -306,11 +306,11 @@ unsigned long get_stack_dump_bottom(unsi | ||
95 | { | ||
96 | switch ( get_stack_page(sp) ) | ||
97 | { | ||
98 | - case 0 ... 2: | ||
99 | + case 0 ... 3: | ||
100 | return ROUNDUP(sp, PAGE_SIZE) - sizeof(unsigned long); | ||
101 | |||
102 | #ifndef MEMORY_GUARD | ||
103 | - case 3 ... 5: | ||
104 | + case 4 ... 5: | ||
105 | #endif | ||
106 | case 6 ... 7: | ||
107 | return ROUNDUP(sp, STACK_SIZE) - sizeof(unsigned long); | ||
108 | @@ -4219,6 +4219,7 @@ void __init init_idt_traps(void) | ||
109 | set_ist(&idt_table[TRAP_double_fault], IST_DF); | ||
110 | set_ist(&idt_table[TRAP_nmi], IST_NMI); | ||
111 | set_ist(&idt_table[TRAP_machine_check], IST_MCE); | ||
112 | + set_ist(&idt_table[TRAP_debug], IST_DB); | ||
113 | |||
114 | /* CPU0 uses the master IDT. */ | ||
115 | idt_tables[0] = idt_table; | ||
116 | --- a/xen/arch/x86/x86_64/entry.S | ||
117 | +++ b/xen/arch/x86/x86_64/entry.S | ||
118 | @@ -731,7 +731,7 @@ ENTRY(device_not_available) | ||
119 | ENTRY(debug) | ||
120 | pushq $0 | ||
121 | movl $TRAP_debug,4(%rsp) | ||
122 | - jmp handle_exception | ||
123 | + jmp handle_ist_exception | ||
124 | |||
125 | ENTRY(int3) | ||
126 | pushq $0 | ||
127 | --- a/xen/include/asm-x86/processor.h | ||
128 | +++ b/xen/include/asm-x86/processor.h | ||
129 | @@ -505,7 +505,8 @@ struct __packed __cacheline_aligned tss_ | ||
130 | #define IST_DF 1UL | ||
131 | #define IST_NMI 2UL | ||
132 | #define IST_MCE 3UL | ||
133 | -#define IST_MAX 3UL | ||
134 | +#define IST_DB 4UL | ||
135 | +#define IST_MAX 4UL | ||
136 | |||
137 | /* Set the interrupt stack table used by a particular interrupt | ||
138 | * descriptor table entry. */ | ||
diff --git a/main/xen/xsa260-4.patch b/main/xen/xsa260-4.patch deleted file mode 100644 index 8041b42fd6..0000000000 --- a/main/xen/xsa260-4.patch +++ /dev/null | |||
@@ -1,72 +0,0 @@ | |||
1 | From: Andrew Cooper <andrew.cooper3@citrix.com> | ||
2 | Subject: x86/traps: Fix handling of #DB exceptions in hypervisor context | ||
3 | |||
4 | The WARN_ON() can be triggered by guest activities, and emits a full stack | ||
5 | trace without rate limiting. Swap it out for a ratelimited printk with just | ||
6 | enough information to work out what is going on. | ||
7 | |||
8 | Not all #DB exceptions are traps, so blindly continuing is not a safe action | ||
9 | to take. We don't let PV guests select these settings in the real %dr7 to | ||
10 | begin with, but for added safety against unexpected situations, detect the | ||
11 | fault cases and crash in an obvious manner. | ||
12 | |||
13 | This is part of XSA-260 / CVE-2018-8897. | ||
14 | |||
15 | Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
16 | Reviewed-by: Jan Beulich <jbeulich@suse.com> | ||
17 | |||
18 | --- a/xen/arch/x86/traps.c | ||
19 | +++ b/xen/arch/x86/traps.c | ||
20 | @@ -4086,16 +4086,44 @@ void do_debug(struct cpu_user_regs *regs | ||
21 | regs->eflags &= ~X86_EFLAGS_TF; | ||
22 | } | ||
23 | } | ||
24 | - else | ||
25 | + | ||
26 | + /* | ||
27 | + * Check for fault conditions. General Detect, and instruction | ||
28 | + * breakpoints are faults rather than traps, at which point attempting | ||
29 | + * to ignore and continue will result in a livelock. | ||
30 | + */ | ||
31 | + if ( dr6 & DR_GENERAL_DETECT ) | ||
32 | + { | ||
33 | + printk(XENLOG_ERR "Hit General Detect in Xen context\n"); | ||
34 | + fatal_trap(regs, 0); | ||
35 | + } | ||
36 | + | ||
37 | + if ( dr6 & (DR_TRAP3 | DR_TRAP2 | DR_TRAP1 | DR_TRAP0) ) | ||
38 | { | ||
39 | - /* | ||
40 | - * We ignore watchpoints when they trigger within Xen. This may | ||
41 | - * happen when a buffer is passed to us which previously had a | ||
42 | - * watchpoint set on it. No need to bump EIP; the only faulting | ||
43 | - * trap is an instruction breakpoint, which can't happen to us. | ||
44 | - */ | ||
45 | - WARN_ON(!search_exception_table(regs->eip)); | ||
46 | + unsigned int bp, dr7 = read_debugreg(7) >> DR_CONTROL_SHIFT; | ||
47 | + | ||
48 | + for ( bp = 0; bp < 4; ++bp ) | ||
49 | + { | ||
50 | + if ( (dr6 & (1u << bp)) && /* Breakpoint triggered? */ | ||
51 | + ((dr7 & (3u << (bp * DR_CONTROL_SIZE))) == 0) /* Insn? */ ) | ||
52 | + { | ||
53 | + printk(XENLOG_ERR | ||
54 | + "Hit instruction breakpoint in Xen context\n"); | ||
55 | + fatal_trap(regs, 0); | ||
56 | + } | ||
57 | + } | ||
58 | } | ||
59 | + | ||
60 | + /* | ||
61 | + * Whatever caused this #DB should be a trap. Note it and continue. | ||
62 | + * Guests can trigger this in certain corner cases, so ensure the | ||
63 | + * message is ratelimited. | ||
64 | + */ | ||
65 | + gprintk(XENLOG_WARNING, | ||
66 | + "Hit #DB in Xen context: %04x:%p [%ps], stk %04x:%p, dr6 %lx\n", | ||
67 | + regs->cs, _p(regs->rip), _p(regs->rip), | ||
68 | + regs->ss, _p(regs->rsp), dr6); | ||
69 | + | ||
70 | goto out; | ||
71 | } | ||
72 | |||
diff --git a/main/xen/xsa261-4.8.patch b/main/xen/xsa261-4.8.patch deleted file mode 100644 index 24b35bdce5..0000000000 --- a/main/xen/xsa261-4.8.patch +++ /dev/null | |||
@@ -1,242 +0,0 @@ | |||
1 | From: Xen Project Security Team <security@xenproject.org> | ||
2 | Subject: x86/vpt: add support for IO-APIC routed interrupts | ||
3 | |||
4 | And modify the HPET code to make use of it. Currently HPET interrupts | ||
5 | are always treated as ISA and thus injected through the vPIC. This is | ||
6 | wrong because HPET interrupts when not in legacy mode should be | ||
7 | injected from the IO-APIC. | ||
8 | |||
9 | To make things worse, the supported interrupt routing values are set | ||
10 | to [20..23], which clearly falls outside of the ISA range, thus | ||
11 | leading to an ASSERT in debug builds or memory corruption in non-debug | ||
12 | builds because the interrupt injection code will write out of the | ||
13 | bounds of the arch.hvm_domain.vpic array. | ||
14 | |||
15 | Since the HPET interrupt source can change between ISA and IO-APIC | ||
16 | always destroy the timer before changing the mode, or else Xen risks | ||
17 | changing it while the timer is active. | ||
18 | |||
19 | Note that vpt interrupt injection is racy in the sense that the | ||
20 | vIO-APIC RTE entry can be written by the guest in between the call to | ||
21 | pt_irq_masked and hvm_ioapic_assert, or the call to pt_update_irq and | ||
22 | pt_intr_post. Those are not deemed to be security issues, but rather | ||
23 | quirks of the current implementation. In the worse case the guest | ||
24 | might lose interrupts or get multiple interrupt vectors injected for | ||
25 | the same timer source. | ||
26 | |||
27 | This is part of XSA-261. | ||
28 | |||
29 | Address actual and potential compiler warnings. Fix formatting. | ||
30 | |||
31 | Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> | ||
32 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
33 | |||
34 | --- a/xen/arch/x86/hvm/hpet.c | ||
35 | +++ b/xen/arch/x86/hvm/hpet.c | ||
36 | @@ -264,13 +264,20 @@ static void hpet_set_timer(HPETState *h, | ||
37 | diff = (timer_is_32bit(h, tn) && (-diff > HPET_TINY_TIME_SPAN)) | ||
38 | ? (uint32_t)diff : 0; | ||
39 | |||
40 | + destroy_periodic_time(&h->pt[tn]); | ||
41 | if ( (tn <= 1) && (h->hpet.config & HPET_CFG_LEGACY) ) | ||
42 | + { | ||
43 | /* if LegacyReplacementRoute bit is set, HPET specification requires | ||
44 | timer0 be routed to IRQ0 in NON-APIC or IRQ2 in the I/O APIC, | ||
45 | timer1 be routed to IRQ8 in NON-APIC or IRQ8 in the I/O APIC. */ | ||
46 | irq = (tn == 0) ? 0 : 8; | ||
47 | + h->pt[tn].source = PTSRC_isa; | ||
48 | + } | ||
49 | else | ||
50 | + { | ||
51 | irq = timer_int_route(h, tn); | ||
52 | + h->pt[tn].source = PTSRC_ioapic; | ||
53 | + } | ||
54 | |||
55 | /* | ||
56 | * diff is the time from now when the timer should fire, for a periodic | ||
57 | --- a/xen/arch/x86/hvm/irq.c | ||
58 | +++ b/xen/arch/x86/hvm/irq.c | ||
59 | @@ -42,6 +42,25 @@ static void assert_gsi(struct domain *d, | ||
60 | vioapic_irq_positive_edge(d, ioapic_gsi); | ||
61 | } | ||
62 | |||
63 | +int hvm_ioapic_assert(struct domain *d, unsigned int gsi, bool level) | ||
64 | +{ | ||
65 | + int vector; | ||
66 | + | ||
67 | + if ( gsi >= VIOAPIC_NUM_PINS ) | ||
68 | + { | ||
69 | + ASSERT_UNREACHABLE(); | ||
70 | + return -1; | ||
71 | + } | ||
72 | + | ||
73 | + spin_lock(&d->arch.hvm_domain.irq_lock); | ||
74 | + if ( !level || d->arch.hvm_domain.irq.gsi_assert_count[gsi]++ == 0 ) | ||
75 | + assert_gsi(d, gsi); | ||
76 | + vector = domain_vioapic(d)->redirtbl[gsi].fields.vector; | ||
77 | + spin_unlock(&d->arch.hvm_domain.irq_lock); | ||
78 | + | ||
79 | + return vector; | ||
80 | +} | ||
81 | + | ||
82 | static void assert_irq(struct domain *d, unsigned ioapic_gsi, unsigned pic_irq) | ||
83 | { | ||
84 | assert_gsi(d, ioapic_gsi); | ||
85 | --- a/xen/arch/x86/hvm/vpt.c | ||
86 | +++ b/xen/arch/x86/hvm/vpt.c | ||
87 | @@ -97,22 +97,36 @@ static int pt_irq_vector(struct periodic | ||
88 | static int pt_irq_masked(struct periodic_time *pt) | ||
89 | { | ||
90 | struct vcpu *v = pt->vcpu; | ||
91 | - unsigned int gsi, isa_irq; | ||
92 | - uint8_t pic_imr; | ||
93 | + unsigned int gsi = pt->irq; | ||
94 | |||
95 | - if ( pt->source == PTSRC_lapic ) | ||
96 | + switch ( pt->source ) | ||
97 | + { | ||
98 | + case PTSRC_lapic: | ||
99 | { | ||
100 | struct vlapic *vlapic = vcpu_vlapic(v); | ||
101 | + | ||
102 | return (!vlapic_enabled(vlapic) || | ||
103 | (vlapic_get_reg(vlapic, APIC_LVTT) & APIC_LVT_MASKED)); | ||
104 | } | ||
105 | |||
106 | - isa_irq = pt->irq; | ||
107 | - gsi = hvm_isa_irq_to_gsi(isa_irq); | ||
108 | - pic_imr = v->domain->arch.hvm_domain.vpic[isa_irq >> 3].imr; | ||
109 | + case PTSRC_isa: | ||
110 | + { | ||
111 | + uint8_t pic_imr = v->domain->arch.hvm_domain.vpic[pt->irq >> 3].imr; | ||
112 | |||
113 | - return (((pic_imr & (1 << (isa_irq & 7))) || !vlapic_accept_pic_intr(v)) && | ||
114 | - domain_vioapic(v->domain)->redirtbl[gsi].fields.mask); | ||
115 | + /* Check if the interrupt is unmasked in the PIC. */ | ||
116 | + if ( !(pic_imr & (1 << (pt->irq & 7))) && vlapic_accept_pic_intr(v) ) | ||
117 | + return 0; | ||
118 | + | ||
119 | + gsi = hvm_isa_irq_to_gsi(pt->irq); | ||
120 | + } | ||
121 | + | ||
122 | + /* Fallthrough to check if the interrupt is masked on the IO APIC. */ | ||
123 | + case PTSRC_ioapic: | ||
124 | + return domain_vioapic(v->domain)->redirtbl[gsi].fields.mask; | ||
125 | + } | ||
126 | + | ||
127 | + ASSERT_UNREACHABLE(); | ||
128 | + return 1; | ||
129 | } | ||
130 | |||
131 | static void pt_lock(struct periodic_time *pt) | ||
132 | @@ -233,7 +247,7 @@ int pt_update_irq(struct vcpu *v) | ||
133 | struct list_head *head = &v->arch.hvm_vcpu.tm_list; | ||
134 | struct periodic_time *pt, *temp, *earliest_pt; | ||
135 | uint64_t max_lag; | ||
136 | - int irq, is_lapic; | ||
137 | + int irq, pt_vector = -1; | ||
138 | |||
139 | spin_lock(&v->arch.hvm_vcpu.tm_lock); | ||
140 | |||
141 | @@ -269,29 +283,42 @@ int pt_update_irq(struct vcpu *v) | ||
142 | |||
143 | earliest_pt->irq_issued = 1; | ||
144 | irq = earliest_pt->irq; | ||
145 | - is_lapic = (earliest_pt->source == PTSRC_lapic); | ||
146 | |||
147 | spin_unlock(&v->arch.hvm_vcpu.tm_lock); | ||
148 | |||
149 | - if ( is_lapic ) | ||
150 | - vlapic_set_irq(vcpu_vlapic(v), irq, 0); | ||
151 | - else | ||
152 | + switch ( earliest_pt->source ) | ||
153 | { | ||
154 | + case PTSRC_lapic: | ||
155 | + /* | ||
156 | + * If periodic timer interrupt is handled by lapic, its vector in | ||
157 | + * IRR is returned and used to set eoi_exit_bitmap for virtual | ||
158 | + * interrupt delivery case. Otherwise return -1 to do nothing. | ||
159 | + */ | ||
160 | + vlapic_set_irq(vcpu_vlapic(v), irq, 0); | ||
161 | + pt_vector = irq; | ||
162 | + break; | ||
163 | + | ||
164 | + case PTSRC_isa: | ||
165 | hvm_isa_irq_deassert(v->domain, irq); | ||
166 | hvm_isa_irq_assert(v->domain, irq); | ||
167 | + | ||
168 | + if ( platform_legacy_irq(irq) && vlapic_accept_pic_intr(v) && | ||
169 | + v->domain->arch.hvm_domain.vpic[irq >> 3].int_output ) | ||
170 | + return -1; | ||
171 | + | ||
172 | + pt_vector = pt_irq_vector(earliest_pt, hvm_intsrc_lapic); | ||
173 | + break; | ||
174 | + | ||
175 | + case PTSRC_ioapic: | ||
176 | + /* | ||
177 | + * NB: At the moment IO-APIC routed interrupts generated by vpt devices | ||
178 | + * (HPET) are edge-triggered. | ||
179 | + */ | ||
180 | + pt_vector = hvm_ioapic_assert(v->domain, irq, false); | ||
181 | + break; | ||
182 | } | ||
183 | |||
184 | - /* | ||
185 | - * If periodic timer interrut is handled by lapic, its vector in | ||
186 | - * IRR is returned and used to set eoi_exit_bitmap for virtual | ||
187 | - * interrupt delivery case. Otherwise return -1 to do nothing. | ||
188 | - */ | ||
189 | - if ( !is_lapic && | ||
190 | - platform_legacy_irq(irq) && vlapic_accept_pic_intr(v) && | ||
191 | - (&v->domain->arch.hvm_domain)->vpic[irq >> 3].int_output ) | ||
192 | - return -1; | ||
193 | - else | ||
194 | - return pt_irq_vector(earliest_pt, hvm_intsrc_lapic); | ||
195 | + return pt_vector; | ||
196 | } | ||
197 | |||
198 | static struct periodic_time *is_pt_irq( | ||
199 | @@ -386,7 +413,13 @@ void create_periodic_time( | ||
200 | struct vcpu *v, struct periodic_time *pt, uint64_t delta, | ||
201 | uint64_t period, uint8_t irq, time_cb *cb, void *data) | ||
202 | { | ||
203 | - ASSERT(pt->source != 0); | ||
204 | + if ( !pt->source || | ||
205 | + (pt->irq >= NR_ISAIRQS && pt->source == PTSRC_isa) || | ||
206 | + (pt->irq >= VIOAPIC_NUM_PINS && pt->source == PTSRC_ioapic) ) | ||
207 | + { | ||
208 | + ASSERT_UNREACHABLE(); | ||
209 | + return; | ||
210 | + } | ||
211 | |||
212 | destroy_periodic_time(pt); | ||
213 | |||
214 | @@ -466,7 +499,7 @@ static void pt_adjust_vcpu(struct period | ||
215 | { | ||
216 | int on_list; | ||
217 | |||
218 | - ASSERT(pt->source == PTSRC_isa); | ||
219 | + ASSERT(pt->source == PTSRC_isa || pt->source == PTSRC_ioapic); | ||
220 | |||
221 | if ( pt->vcpu == NULL ) | ||
222 | return; | ||
223 | --- a/xen/include/asm-x86/hvm/irq.h | ||
224 | +++ b/xen/include/asm-x86/hvm/irq.h | ||
225 | @@ -103,4 +103,7 @@ struct hvm_intack hvm_vcpu_has_pending_i | ||
226 | struct hvm_intack hvm_vcpu_ack_pending_irq(struct vcpu *v, | ||
227 | struct hvm_intack intack); | ||
228 | |||
229 | +/* Assert an IO APIC pin. */ | ||
230 | +int hvm_ioapic_assert(struct domain *d, unsigned int gsi, bool level); | ||
231 | + | ||
232 | #endif /* __ASM_X86_HVM_IRQ_H__ */ | ||
233 | --- a/xen/include/asm-x86/hvm/vpt.h | ||
234 | +++ b/xen/include/asm-x86/hvm/vpt.h | ||
235 | @@ -45,6 +45,7 @@ struct periodic_time { | ||
236 | bool_t warned_timeout_too_short; | ||
237 | #define PTSRC_isa 1 /* ISA time source */ | ||
238 | #define PTSRC_lapic 2 /* LAPIC time source */ | ||
239 | +#define PTSRC_ioapic 3 /* IOAPIC time source */ | ||
240 | u8 source; /* PTSRC_ */ | ||
241 | u8 irq; | ||
242 | struct vcpu *vcpu; /* vcpu timer interrupt delivers to */ | ||
diff --git a/main/xen/xsa262-4.9.patch b/main/xen/xsa262-4.9.patch deleted file mode 100644 index f9a7a4ce3a..0000000000 --- a/main/xen/xsa262-4.9.patch +++ /dev/null | |||
@@ -1,76 +0,0 @@ | |||
1 | From: Jan Beulich <jbeulich@suse.com> | ||
2 | Subject: x86/HVM: guard against emulator driving ioreq state in weird ways | ||
3 | |||
4 | In the case where hvm_wait_for_io() calls wait_on_xen_event_channel(), | ||
5 | p->state ends up being read twice in succession: once to determine that | ||
6 | state != p->state, and then again at the top of the loop. This gives a | ||
7 | compromised emulator a chance to change the state back between the two | ||
8 | reads, potentially keeping Xen in a loop indefinitely. | ||
9 | |||
10 | Instead: | ||
11 | * Read p->state once in each of the wait_on_xen_event_channel() tests, | ||
12 | * re-use that value the next time around, | ||
13 | * and insist that the states continue to transition "forward" (with the | ||
14 | exception of the transition to STATE_IOREQ_NONE). | ||
15 | |||
16 | This is XSA-262. | ||
17 | |||
18 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
19 | Reviewed-by: George Dunlap <george.dunlap@citrix.com> | ||
20 | |||
21 | --- a/xen/arch/x86/hvm/ioreq.c | ||
22 | +++ b/xen/arch/x86/hvm/ioreq.c | ||
23 | @@ -87,14 +87,17 @@ static void hvm_io_assist(struct hvm_ior | ||
24 | |||
25 | static bool_t hvm_wait_for_io(struct hvm_ioreq_vcpu *sv, ioreq_t *p) | ||
26 | { | ||
27 | + unsigned int prev_state = STATE_IOREQ_NONE; | ||
28 | + | ||
29 | while ( sv->pending ) | ||
30 | { | ||
31 | unsigned int state = p->state; | ||
32 | |||
33 | - rmb(); | ||
34 | - switch ( state ) | ||
35 | + smp_rmb(); | ||
36 | + | ||
37 | + recheck: | ||
38 | + if ( unlikely(state == STATE_IOREQ_NONE) ) | ||
39 | { | ||
40 | - case STATE_IOREQ_NONE: | ||
41 | /* | ||
42 | * The only reason we should see this case is when an | ||
43 | * emulator is dying and it races with an I/O being | ||
44 | @@ -102,14 +105,30 @@ static bool_t hvm_wait_for_io(struct hvm | ||
45 | */ | ||
46 | hvm_io_assist(sv, ~0ul); | ||
47 | break; | ||
48 | + } | ||
49 | + | ||
50 | + if ( unlikely(state < prev_state) ) | ||
51 | + { | ||
52 | + gdprintk(XENLOG_ERR, "Weird HVM ioreq state transition %u -> %u\n", | ||
53 | + prev_state, state); | ||
54 | + sv->pending = 0; | ||
55 | + domain_crash(sv->vcpu->domain); | ||
56 | + return 0; /* bail */ | ||
57 | + } | ||
58 | + | ||
59 | + switch ( prev_state = state ) | ||
60 | + { | ||
61 | case STATE_IORESP_READY: /* IORESP_READY -> NONE */ | ||
62 | p->state = STATE_IOREQ_NONE; | ||
63 | hvm_io_assist(sv, p->data); | ||
64 | break; | ||
65 | case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */ | ||
66 | case STATE_IOREQ_INPROCESS: | ||
67 | - wait_on_xen_event_channel(sv->ioreq_evtchn, p->state != state); | ||
68 | - break; | ||
69 | + wait_on_xen_event_channel(sv->ioreq_evtchn, | ||
70 | + ({ state = p->state; | ||
71 | + smp_rmb(); | ||
72 | + state != prev_state; })); | ||
73 | + goto recheck; | ||
74 | default: | ||
75 | gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state); | ||
76 | sv->pending = 0; | ||