Commits
rebase/m2r-tes…
Commits on Mar 30, 2016
-
libxl: add basic spice support for pv domUs
This patch adds basic spice support for pv domUs. The qemu parameters are the same as the hvm ones and they work. Therefore xl cfg parameters are the same as the hvm ones except that features not supported yet by pv domUs (vdagent and usbredirection) are kept disabled by default. It also enables vfb and vkb required to have basic spice working.
Signed-off-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
---
Notes:
- The vfb part is only a draft and needs to be improved.
- Patch is tested and working, except for the pointer not visible in some cases with pv domUs but always working.
- I do not use the api; a test of the u.hvm.spice retro-compatibility with api is needed.
Any feedback is appreciated.
Changes in v8:
- refresh all for xen 4.7
Changes in v7:
- refresh xl_sxp.c
Changes in v6:
- refresh libxl_create.c
Changes in v5:
- libxl_create.c:
  * don't copy u.hvm.spice in the newer if the newer is already used
  * set default for all spice bool options in any case
  * spice features not supported in pv will be disabled and will show a warning about them if they were set enabled
- xl_cmdimpl.c: parse all spice options out of hvm part
- libxl_dm.c: changed some forgotten u.hvm.spice to spice
Changes in v4:
- added libxl.h changes
- libxl_create.c: added older u.hvm.spice compatibility copying it in newer one
Changes in v3:
- xl.cfg.pod.5: moved spice out of hvm section and specified the features for now hvm only.
- libxl_types.idl: added spice struct out of keyedunion hvm only.
- use new generic spice struct instead of hvm only ones.
Changes in v2:
- xl_cmdimpl.c: always set vnc and sdl toplevel parameters in &vfb with vnc or spice enabled on pv domUs otherwise in some cases it would fail with error for one bool default value missing.
- libxl_dm.c: do not add -nographic if spice is enabled, even though -nographic seems buggy in upstream qemu.
-
update qemu to 2.4.1 plus some other patches (from xen-unstable) and the lz4 support one update ovmf: use latest that passed the automatic test
-
libxl: No emulated disk driver for xvdX disk
When a guest configuration lists xvdX for its disks, there is no need to provide an emulated driver for the same target. Such configuration can work with the OVMF firmware, as it supports PV disk. Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
-
vgt: add support of emulating SSE2 instruction MOVD.
Found that Windows driver was using a SSE2 instruction MOVD. Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
-
tools: various things just for fast test build
- Remove python prefix
- enable debug by default
NOTE: This patch is only for doing a fast test build with make debball.
Signed-off-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
---
Changes from v4:
- removed add of start/stop service
Changes from v3:
- refreshed Config.mk
Changes from v2:
- remove add of spice and usbredir on upstream qemu build now done with xen configure
Changes from v1:
- Added: Add/remove/stop of main services
Commits on Mar 18, 2016
-
hvmloader: add high memory e820 region if needed
If the MMIO hole is large and hvmloader needs to relocate memory to immediately above the 4 GiB boundary, the e820 presented to the guest will not have a RAM region above 4 GiB. e.g., a guest with 3 GiB of memory and a 2 GiB MMIO hole will only see 2 GiB. The required e820 memory region above 4 GiB needs to be added, and not just filled in. Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> master commit: 24e3e35 master date: 2016-03-15 12:22:04 +0100
-
vmx: restore debug registers when injecting #DB traps
Commit a929bee ("x86/vmx: Fix injection of #DB traps following XSA-156") prevents an infinite loop in certain #DB traps. However, it changed the behavior to not call hvm_hw_inject_trap() for #DB and #AC traps which means that the debug registers are not restored correctly and nullified commit b56ae5b ("VMX: fix/adjust trap injection"). To fix this, restore the original code path through hvm_inject_trap(), but ensure that the struct hvm_trap is populated with all the required data. Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com> master commit: ba22f1f master date: 2016-03-15 12:19:13 +0100
-
x86: don't flush the whole cache when changing cachability
Introduce the FLUSH_VA_VALID flag to flush_area_mask() and friends to say that it is safe to use CLFLUSH (i.e., the virtual address is still valid). Use this when changing the cachability of the Xen direct mappings (in response to the guest changing the cachability of its mappings). This significantly improves performance by avoiding an expensive WBINVD. This fixes a performance regression introduced by c61a6f7 (x86: enforce consistent cachability of MMIO mappings), the fix for XSA-154. e.g., A set_memory_wc() call in Linux: before: 4097 us after: 47 us Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> master commit: dff593c master date: 2016-03-10 16:51:03 +0100
-
x86/alternatives: correct near branch check
Make sure the near JMP/CALL check doesn't consume uninitialized data, not even in a benign way. And relax the length check at once. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> master commit: cd29140 master date: 2016-03-09 16:51:16 +0100
-
x86/vPMU: do not clobber IA32_MISC_ENABLE
The VMX RDMSR intercept for MSR_IA32_MISC_ENABLE falls through into vpmu_do_rdmsr(), so that core2_vpmu_do_rdmsr() may play with the PTS and PEBS UNAVAIL bits. Some 64bit Windows include IA32_MISC_ENABLE in the set of items checked by PatchGuard, and will suffer a BSOD 0x109 CRITICAL_STRUCTURE_CORRUPTION if the contents change on migrate. The vPMU infrastructure should not clobber IA32_MISC_ENABLE at all. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> master commit: 0aa1330 master date: 2016-03-07 17:46:25 +0100
Commits on Mar 9, 2016
-
libvchan: Read prod/cons only once.
We must ensure that the prod/cons are only read once and that the compiler won't try to optimize the reads. That is split the read of these in multiple instructions influencing later branch code. As such insert barriers when fetching the cons and prod index. This is part of XSA155. Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> master commit: 7d66a4b master date: 2015-12-18 09:50:02 -0500
Commits on Mar 4, 2016
-
x86emul: limit-check branch targets
All branches need to #GP when their target violates the segment limit (in 16- and 32-bit modes) or is non-canonical (in 64-bit mode). For near branches facilitate this via a zero-byte instruction fetch from the target address (resulting in address translation and validation without an actual read from memory), while far branches get dealt with by breaking up the segment register loading into a read-and-validate part and a write one. The latter at once allows correcting some ordering issues in how the individual emulation steps get carried out: Before updating machine state, all exceptions unrelated to that state updating should have got raised (i.e. the only ones possibly resulting in partly updated state are faulting memory writes [pushes]). Note that while not immediately needed here, write and distinct read emulation routines get updated to deal with zero byte accesses too, for overall consistency. Reported-by: 刘令 <liuling-it@360.cn> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Tim Deegan <tim@xen.org> master commit: 81d3a0b master date: 2016-02-26 12:14:39 +0100
-
x86/hvm: print register state upon triple fault
A sample looks like:
(XEN) d1v0 Triple fault - invoking HVM shutdown action 1
(XEN) *** Dumping Dom1 vcpu#0 state: ***
(XEN) ----[ Xen-4.7-unstable x86_64 debug=y Not tainted ]----
(XEN) CPU: 2
(XEN) RIP: 0000:[<0000000000100005>]
(XEN) RFLAGS: 0000000000010002 CONTEXT: hvm guest (d1v0)
(XEN) rax: 0000000000000020 rbx: 0000000000000000 rcx: 0000000000000000
(XEN) rdx: 0000000000000000 rsi: 0000000000000000 rdi: 0000000000000000
(XEN) rbp: 0000000000000000 rsp: 0000000000000000 r8: 0000000000000000
(XEN) r9: 0000000000000000 r10: 0000000000000000 r11: 0000000000000000
(XEN) r12: 0000000000000000 r13: 0000000000000000 r14: 0000000000000000
(XEN) r15: 0000000000000000 cr0: 0000000000000011 cr4: 0000000000000000
(XEN) cr3: 0000000000000000 cr2: 0000000000000000
(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: 0000 cs: 0000
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
master commit: 1329105
master date: 2016-02-25 13:02:29 +0100
-
Deal with rIP just like with any other register: Truncate to designated width upon entry, write back the zero-extended 32-bit value when emulating 32-bit code, and leave the upper 48 bits unchanged for 16-bit code. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> master commit: 0640ffb master date: 2016-02-18 15:05:34 +0100
Commits on Mar 1, 2016
-
tools/console: correct make dependencies for _paths.h
Correct dependencies for _paths.h to avoid build failure with make -j. Only main.c requires _paths.h. This fixes commit 8398ec7 ("xenconsole: Ensure exclusive access to console using locks") Signed-off-by: Olaf Hering <olaf@aepfle.de> Cc: Ian Jackson <ian.jackson@eu.citrix.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> (cherry picked from commit 77fec3a)
Commits on Feb 29, 2016
-
tools: pygrub: if partition table is empty, try treating as a whole disk
pygrub (in identify_disk_image()) detects a DOS style partition table via the presence of the 0xaa55 signature at the end of the first sector of the disk. However this signature is also present in whole-disk configurations when there is an MBR on the disk. Many filesystems (e.g. ext[234]) include leading padding in their on disk format specifically to enable this. So if we think we have a DOS partition table but do not find any actual partition table entries we may as well try looking at it as a whole disk image. Worst case is we probe and find there isn't anything there. This was reported by Sjors Gielen in Debian bug #745419. The fix was inspired by a patch by Adi Kriegisch in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745419#27 Tested by genext2fs'ing my /boot into a new raw image (works) and then: dd if=/usr/lib/grub/i386-pc/g2ldr.mbr of=img conv=notrunc bs=512 count=1 to add an MBR (with 0xaa55 signature) to it, which after this patch also works. Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Cc: 745419-forwarded@bugs.debian.org (cherry picked from commit fb31b14)
Commits on Feb 18, 2016
-
xen/arm64: Make sure we get all debug output
Starting in the wrong ELx mode I get the following debug output:
...
- Current EL 00000004 -
- Xen must be entered in NS EL2 mode -
- Boot failed -
The output of "Please update the bootloader" is missing here, because string concatenation in gas, unlike in C, keeps the \0 between each individual string. Make sure this is output, too. With this, we get
...
- Current EL 00000004 -
- Xen must be entered in NS EL2 mode -
- Please update the bootloader -
- Boot failed -
as intended.
Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- added same change to arm32 case ]
master commit: c31d340
master date: 2016-02-18 10:13:42 +0000
-
x86: fix unintended fallthrough case from XSA-154
... and annotate the other deliberate one: Coverity objects otherwise. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> One of the two instances was actually a bug. Signed-off-by: Jan Beulich <jbeulich@suse.com> master commit: 8dd6d1c master date: 2016-02-18 15:10:07 +0100
Commits on Feb 17, 2016
-
hvmloader: fix scratch_alloc to avoid overlaps
scratch_alloc() set scratch_start to the last byte of the current allocation. The value of scratch_start is then reused as is (if it is already aligned) in the next allocation. This results in a potential reuse of the last byte of the previous allocation. Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> master commit: 4ab3ac0 master date: 2016-02-10 14:46:45 +0100
-
x86/nHVM: avoid NULL deref during INVLPG intercept handling
When intercepting (or emulating) L1 guest INVLPG, the nested P2M pointer may be (is?) NULL, and hence there's no point in calling p2m_flush(). In fact doing so would cause a dereference of that NULL pointer at least in the ASSERT() right at the beginning of the function. While so far nothing supports hap_invlpg() being reachable from the INVLPG intercept paths (only INVLPG insn emulation would lead there), and hence the code in question (added by dd6de3a ["Implement Nested-on-Nested"]) appears to be dead, this seems to be the change which can be agreed on as an immediate fix. Ideally, however, the problematic code would go away altogether. See thread at lists.xenproject.org/archives/html/xen-devel/2016-01/msg03762.html. Reported-by: 刘令 <liuling-it@360.cn> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: George Dunlap <george.dunlap@citrix.com> master commit: 86c5961 master date: 2016-02-09 13:22:13 +0100
-
x86/PV: fix unintended dependency of m2p-strict mode on migration-v2
This went unnoticed until a backport of this to an older Xen got used, causing migration of guests enabling this VM assist to fail, because page table pinning there precedes vCPU context loading, and hence L4 tables get initialized for the wrong mode. Fix this by post-processing L4 tables when setting the intended VM assist flags for the guest. Note that this leaves in place a dependency on vCPU 0 getting its guest context restored first, but afaict the logic here is not the only thing depending on that. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> master commit: be05b53 master date: 2016-02-03 14:12:00 +0100
-
credit: recalculate per-cpupool credits when updating timeslice
When modifying the timeslice of the credit scheduler in a cpupool the cpupool global credit value (n_cpus * credits_per_tslice) isn't recalculated. This will lead to wrong scheduling decisions later. Do the recalculation when updating the timeslice. Signed-off-by: Juergen Gross <jgross@suse.com> Tested-by: Alan.Robinson <alan.robinson@ts.fujitsu.com> Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com> master commit: ffc342f master date: 2016-02-02 14:03:40 +0100
-
credit: update timeslice under lock
When updating the timeslice of the credit scheduler protect the scheduler's private data by its lock. Today a possible race could result only in some weird scheduling decisions during one timeslice, but further adjustments will need the lock anyway. Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Dario Faggioli <dario.faggioli@citrix.com> master commit: f2c96ac master date: 2016-02-02 14:03:06 +0100
-
x86/vmx: don't clobber exception_bitmap when entering/leaving emulated real mode
Most updates to the exception bitmaps set or clear individual bits. However, entering or exiting emulated real mode unilaterally clobbers it, leaving the exit code to recalculate what it should have been. This is error prone, and indeed currently fails to recalculate the TRAP_no_device intercept appropriately. Instead of overwriting exception_bitmap when entering emulated real mode, move the override into vmx_update_exception_bitmap() and leave exception_bitmap unmodified. This means that recalculation is unnecessary, and that the use of vmx_fpu_leave() and vmx_update_debug_state() while in emulated real mode doesn't result in TRAP_no_device and TRAP_int3 being un-intercepted. This is only a functional change on hardware lacking unrestricted guest support. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com> master commit: 78c93ad master date: 2016-02-02 14:00:52 +0100
-
x86/mce: fix misleading indentation in init_nonfatal_mce_checker()
Debian bug 812166[0] reported this build failure due to Wmisleading-indentation with gcc-6:
non-fatal.c: In function 'init_nonfatal_mce_checker':
non-fatal.c:103:2: error: statement is indented as if it were guarded by... [-Werror=misleading-indentation]
switch (c->x86_vendor) {
^~~~~~
non-fatal.c:97:5: note: ...this 'if' clause, but it is not
if ( __get_cpu_var(poll_bankmask) == NULL )
^~
I was unable to reproduce (xen builds cleanly for me with "6.0.0 20160117 (experimental) [trunk revision 232481]") but looking at the code the issue above is clearly real. Correctly reindent the if statement. This file uses Linux coding style (in fact the use of Xen style for this line is the root cause of the warning) so use tabs and while there remove the whitespace inside the if as Linux does.
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812166
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 2e46e3f
master date: 2016-01-22 16:19:51 +0100
-
x86: fix (and simplify) MTRR overlap checking
Obtaining one individual range per variable range register (via get_mtrr_range()) was bogus from the beginning, as these registers may cover multiple disjoint ranges. Do away with that, in favor of simply comparing masked addresses. Also, for is_var_mtrr_overlapped()'s result to be correct when called from mtrr_wrmsr(), generic_set_mtrr() must update saved state first. As minor cleanup changes, constify is_var_mtrr_overlapped()'s parameter and make mtrr_wrmsr() static. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> master commit: 3272230 master date: 2016-01-21 16:11:04 +0100
-
x86/mmuext: tighten TLB flush address checks
Addresses passed by PV guests should be subjected to __addr_ok(), avoiding undue TLB flushes. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> master commit: 828e114 master date: 2016-01-21 16:09:22 +0100
-
x86/PCI: intercept accesses to RO MMIO from dom0s in HVM containers
Commit 9256f66 ("x86/PCI: intercept all PV Dom0 MMCFG writes") added intercepts for writes to RO MMCFG space from PV dom0. Similar functionality, including access to RO non-MMCFG addresses, is needed by dom0s in HVM containers (such as PVH and, in the future, HVMlite). Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> master commit: 33c19df master date: 2015-12-21 14:05:02 +0100
-
x86/mm: add information about faulted page's presence to npfec structure
This is provided explicitly in SVM and implicitly in VMX (when neither of the three EPT_EFFECTIVE_* bits is set). Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Kevin Tian <kevin.tian@intel.com> master commit: 1a966b4 master date: 2015-12-21 13:38:53 +0100
-
x86/HVM: don't inject #DB with error code
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper@citrix.com> master commit: 057e0e7 master date: 2015-11-12 16:59:18 +0100
-
x86/VMX: sanitize rIP before re-entering guest
... to prevent guest user mode arranging for a guest crash (due to failed VM entry). (On the AMD system I checked, hardware is doing exactly the canonicalization being added here.) Note that fixing this in an architecturally correct way would be quite a bit more involved: Making the x86 instruction emulator check all branch targets for validity, plus dealing with invalid rIP resulting from update_guest_eip() or incoming directly during a VM exit. The only way to get the latter right would be by not having hardware do the injection. Note further that there are two early returns from vmx_vmexit_handler(): One (through vmx_failed_vmentry()) leads to domain_crash() anyway, and the other covers real mode only and can neither occur with a non-canonical rIP nor result in an altered rIP, so we don't need to force those paths through the checking logic. This is CVE-2016-2271 / XSA-170. Reported-by: 刘令 <liuling-it@360.cn> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Tested-by: Andrew Cooper <andrew.cooper3@citrix.com> master commit: ffbbfda master date: 2016-02-17 16:18:08 +0100
-
x86: enforce consistent cachability of MMIO mappings
We've been told by Intel that inconsistent cachability between multiple mappings of the same page can affect system stability only when the affected page is an MMIO one. Since the stale data issue is of no relevance to the hypervisor (since all guest memory accesses go through proper accessors and validation), handling of RAM pages remains unchanged here. Any MMIO mapped by domains however needs to be done consistently (all cachable mappings or all uncachable ones), in order to avoid Machine Check exceptions. Since converting existing cachable mappings to uncachable (at the time an uncachable mapping gets established) would in the PV case require tracking all mappings, allow MMIO to only get mapped uncachable (UC, UC-, or WC). This also implies that in the PV case we mustn't use the L1 PTE update fast path when cachability flags get altered. Since in the HVM case at least for now we want to continue honoring pinned cachability attributes for pages not mapped by the hypervisor, special case handling of r/o MMIO pages (forcing UC) gets added there. Arguably the counterpart change to p2m-pt.c may not be necessary, since UC- (which already gets enforced there) is probably strict enough. Note that the shadow code changes include fixing the write protection of r/o MMIO ranges: shadow_l1e_remove_flags() and its siblings, other than l1e_remove_flags() and alike, return the new PTE (and hence ignoring their return values makes them no-ops). This is CVE-2016-2270 / XSA-154. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com> master commit: c61a6f7 master date: 2016-02-17 16:16:53 +0100
Commits on Feb 9, 2016
Commits on Jan 21, 2016
-
x86/shadow: Fix missing newline in dprintk()
to avoid console corruption. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Tim Deegan <tim@xen.org> master commit: 42940c0 master date: 2015-10-12 16:01:56 +0200