1.9.1
-From 2a675c69e657bfa4cac07390ffb953a662aacb35 Mon Sep 17 00:00:00 2001
+From db1a0f0ecc179b6d67da1f30acde17f3c544ca59 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Wed, 19 Nov 2014 12:57:11 -0500
+Subject: [PATCH] From df2922ce672cc35500e2f3ba041441021f44b41c Mon Sep 17
+ 00:00:00 2001 Subject: [PATCH] Limit XEN_DOMCTL_memory_mapping hypercall to
+ only process up to 64 GFNs (or less)
+
+Said hypercall for large BARs can take quite a while. As such
+we can require that the hypercall MUST break up the request
+in smaller values.
+
+Another approach is to add preemption to it - whether we do the
+preemption using hypercall_create_continuation or returning
+EAGAIN to userspace (and have it re-invocate the call) - either
+way the issue we cannot easily solve is that in 'map_mmio_regions'
+if we encounter an error we MUST call 'unmap_mmio_regions' for the
+whole BAR region.
+
+Since the preemption would re-use input fields such as nr_mfns,
+first_gfn, first_mfn - we would lose the original values -
+and only undo what was done in the current round (i.e. ignoring
+anything that was done prior to earlier preemptions).
+
+Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but
+that puts a limit (since the return value is a long) on the amount
+of nr_mfns that can provided.
+
+This patch sidesteps this problem by:
+ - Setting an hard limit of nr_mfns having to be 64 or less.
+ - Toolstack adjusts correspondingly to the nr_mfn limit.
+ - If the there is an error when adding the toolstack will call the
+ remove operation to remove the whole region.
+
+The need to break this hypercall down is for large BARs can take
+more than the guest (initial domain usually) time-slice. This has
+the negative result in that the guest is locked out for a long
+duration and is unable to act on any pending events.
+
+We also augment the code to return zero if nr_mfns instead
+of trying to the hypercall.
+
+Suggested-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ tools/libxc/xc_domain.c | 55 ++++++++++++++++++++++++++++++++++++++++-----
+ xen/arch/x86/domctl.c | 5 +++++
+ xen/include/public/domctl.h | 1 +
+ 3 files changed, 56 insertions(+), 5 deletions(-)
+
+diff --git a/tools/libxc/xc_domain.c b/tools/libxc/xc_domain.c
+index 369c3f3..40ca771 100644
+--- a/tools/libxc/xc_domain.c
++++ b/tools/libxc/xc_domain.c
+@@ -1641,6 +1641,13 @@ failed:
+ return -1;
+ }
+
++#ifndef min
++#define min(X, Y) ({ \
++ const typeof (X) _x = (X); \
++ const typeof (Y) _y = (Y); \
++ (void) (&_x == &_y); \
++ (_x < _y) ? _x : _y; })
++#endif
+ int xc_domain_memory_mapping(
+ xc_interface *xch,
+ uint32_t domid,
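Review bot: The `#ifndef min` guard added here is paired with an unconditional `#undef min` after xc_domain_memory_mapping() in the next hunk, so if a header already provides `min` the guard keeps that definition and the `#undef` then removes it for the rest of xc_domain.c. The macro also relies on GNU statement expressions and `typeof` for a single call site. Since `done` and `max_batch_sz` are both `unsigned long` (and `nr_mfns` presumably is too; its declaration is outside the hunk), the macro could be dropped in favour of `nr = (nr_mfns - done < max_batch_sz) ? nr_mfns - done : max_batch_sz;`.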
+@@ -1650,17 +1657,55 @@ int xc_domain_memory_mapping(
+ uint32_t add_mapping)
+ {
+ DECLARE_DOMCTL;
++ int ret = 0, err;
++ unsigned long done = 0, nr, max_batch_sz;
++
++ if ( !nr_mfns )
++ return 0;
+
+ domctl.cmd = XEN_DOMCTL_memory_mapping;
+ domctl.domain = domid;
+- domctl.u.memory_mapping.first_gfn = first_gfn;
+- domctl.u.memory_mapping.first_mfn = first_mfn;
+- domctl.u.memory_mapping.nr_mfns = nr_mfns;
+ domctl.u.memory_mapping.add_mapping = add_mapping;
++ max_batch_sz = nr_mfns;
++ do
++ {
++ nr = min(nr_mfns - done, max_batch_sz);
++ domctl.u.memory_mapping.nr_mfns = nr;
++ domctl.u.memory_mapping.first_gfn = first_gfn + done;
++ domctl.u.memory_mapping.first_mfn = first_mfn + done;
++ err = do_domctl(xch, &domctl);
++ if ( err && errno == E2BIG )
++ {
++ if ( max_batch_sz <= 1 )
++ break;
++ max_batch_sz >>= 1;
++ continue;
++ }
++ /* Save the first error... */
++ if ( !ret )
++ ret = err;
++ /* .. and ignore the rest of them when removing. */
++ if ( err && add_mapping != DPCI_REMOVE_MAPPING )
++ break;
+
+- return do_domctl(xch, &domctl);
+-}
++ done += nr;
++ } while ( done < nr_mfns );
+
++ /*
++ * Undo what we have done unless unmapping, by unmapping the entire region.
++ * Errors here are ignored.
++ */
++ if ( ret && add_mapping != DPCI_REMOVE_MAPPING )
++ xc_domain_memory_mapping(xch, domid, first_gfn, first_mfn, nr_mfns,
++ DPCI_REMOVE_MAPPING);
++
++ /* We might get E2BIG so many times that we never advance. */
++ if ( !done && !ret )
++ ret = -1;
++
++ return ret;
++}
++#undef min
+ int xc_domain_ioport_mapping(
+ xc_interface *xch,
+ uint32_t domid,
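Review bot: The undo call near the end of xc_domain_memory_mapping() can overwrite `errno`, so a caller that gets a non-zero return may see the error of the DPCI_REMOVE_MAPPING pass instead of the one that made the add fail. Saving it around the call keeps the first failure visible: `int saved_errno = errno;` before the recursive call and `errno = saved_errno;` after it. Separately, the `break` on E2BIG with `max_batch_sz <= 1` does not record `err`, and the final `!done && !ret` check only catches it when nothing was mapped; if that exit were ever reached with `done > 0` the function would return 0 for a partially mapped region, so `done < nr_mfns` looks like the safer condition there. The function's signature starts outside this hunk.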
+diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
+index a967b65..9b72c22 100644
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -653,6 +653,11 @@ long arch_do_domctl(
+ (gfn + nr_mfns - 1) < gfn ) /* wrap? */
+ break;
+
++ ret = -E2BIG;
++ /* Must break hypercall up as this could take a while. */
++ if ( nr_mfns > 64 )
++ break;
++
+ ret = -EPERM;
+ if ( !iomem_access_permitted(current->domain, mfn, mfn + nr_mfns - 1) )
+ break;
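Review bot: The batch limit in `if ( nr_mfns > 64 )` is a bare literal, and the comment added to public/domctl.h in this patch tells callers to lower nr_mfns on -E2BIG without saying what the bound is. A named constant next to the XEN_DOMCTL_memory_mapping definitions, with a comment that it bounds how long a single call can run, would keep the hypervisor check and the documentation in step. As written the toolstack has to discover the limit by halving from the full request, which the libxc hunk does. arch_do_domctl() starts and ends outside this hunk.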
+diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h
+index f22fe2e..c45bc59 100644
+--- a/xen/include/public/domctl.h
++++ b/xen/include/public/domctl.h
+@@ -518,6 +518,7 @@ DEFINE_XEN_GUEST_HANDLE(xen_domctl_bind_pt_irq_t);
+
+
+ /* Bind machine I/O address range -> HVM address range. */
++/* If this returns -E2BIG lower nr_mfns value. */
+ /* XEN_DOMCTL_memory_mapping */
+ #define DPCI_ADD_MAPPING 1
+ #define DPCI_REMOVE_MAPPING 0
+--
+1.9.1
+
+
+From 49896204a3a0654f228d0c926b761cef06795cd4 Mon Sep 17 00:00:00 2001
+From: George Dunlap <george.dunlap@eu.citrix.com>
+Date: Thu, 19 Mar 2015 17:24:34 +0000
+Subject: [PATCH] domctl: don't allow a toolstack domain to call domain_pause()
+ on itself
+
+These DOMCTL subops were accidentally declared safe for disaggregation
+in the wake of XSA-77.
+
+This is XSA-127.
+
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ xen/arch/x86/domctl.c | 8 ++++++++
+ xen/common/domctl.c | 6 ++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
+index 9b72c22..29b7167 100644
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -958,6 +958,10 @@ long arch_do_domctl(
+ {
+ xen_guest_tsc_info_t info;
+
++ ret = -EINVAL;
++ if ( d == current->domain ) /* no domain_pause() */
++ break;
++
+ domain_pause(d);
+ tsc_get_info(d, &info.tsc_mode,
+ &info.elapsed_nsec,
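Review bot: The comment `/* no domain_pause() */` on the new `d == current->domain` check does not say why the call is refused, and the same terse comment is repeated in the XEN_DOMCTL_settscinfo hunk below. Something like `/* domain_pause() must not be used by a domain on itself (XSA-127) */` would let a later reader see that the -EINVAL is a safety check rather than argument validation. The enclosing case block continues outside the hunk.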
+@@ -973,6 +977,10 @@ long arch_do_domctl(
+
+ case XEN_DOMCTL_settscinfo:
+ {
++ ret = -EINVAL;
++ if ( d == current->domain ) /* no domain_pause() */
++ break;
++
+ domain_pause(d);
+ tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode,
+ domctl->u.tsc_info.info.elapsed_nsec,
+diff --git a/xen/common/domctl.c b/xen/common/domctl.c
+index 060af1b..022940c 100644
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -395,8 +395,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
+
+ case XEN_DOMCTL_resumedomain:
+ {
+- domain_resume(d);
+- ret = 0;
++ if ( d == current->domain ) /* no domain_pause() */
++ ret = -EINVAL;
++ else
++ domain_resume(d);
+ }
+ break;
+
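Review bot: With `ret = 0;` removed, the success path of XEN_DOMCTL_resumedomain no longer assigns `ret` in this block, so it returns whatever `ret` held on entry to the case. That initialisation is outside the hunk and should be confirmed, or the `else` branch can set it explicitly: `else { domain_resume(d); ret = 0; }`. The comment `/* no domain_pause() */` is also copied from the TSC cases although the call guarded here is domain_resume(); if domain_resume() pauses the domain internally, saying so in the comment would explain the check.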
+--
+1.9.1
+
+
+From 04f56e9dbd67e8dd89add22edace9855a061acb6 Mon Sep 17 00:00:00 2001
From: Wen Congyang <wency@cn.fujitsu.com>
Date: Thu, 11 Dec 2014 16:21:21 +0000
Subject: [PATCH] tools: libxl: pass correct file to qemu if we use blktap2
1.9.1
-From 1f5dc43f8b7bb1b24b5b95b0bac00051cc6b8d2d Mon Sep 17 00:00:00 2001
+From 1ee88a66d461c8f75666077904bebfa007738d7a Mon Sep 17 00:00:00 2001
From: George Dunlap <george.dunlap@eu.citrix.com>
Date: Thu, 11 Dec 2014 16:23:09 +0000
Subject: [PATCH] it: George Dunlap <george.dunlap@eu.citrix.com>
1.9.1
-From da32c47a7418e338938fc985e0462eaef69550a7 Mon Sep 17 00:00:00 2001
+From c48afa9c10367eeb606347bbdcd15aec08ecdd28 Mon Sep 17 00:00:00 2001
From: Don Koch <dkoch@verizon.com>
Date: Thu, 11 Dec 2014 17:02:21 +0000
Subject: [PATCH] x86/HVM: sanity check xsave area when migrating or restoring
1.9.1
-From 20f859d711b8e18a96d7b386c006a3f0317ab606 Mon Sep 17 00:00:00 2001
+From 5b6fb27ce1c10f9b6ef2706f3208af114d407e18 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Thu, 11 Dec 2014 17:02:33 +0000
Subject: [PATCH] adjust number of domains in cpupools when destroying domain
1.9.1
-From cb97f6ae474c71a7b6d912ded12125fd7a714250 Mon Sep 17 00:00:00 2001
+From 94fbb0730863bd960774c85ee66e55e0e61872e8 Mon Sep 17 00:00:00 2001
From: George Dunlap <george.dunlap@eu.citrix.com>
Date: Mon, 15 Dec 2014 15:56:14 +0000
Subject: [PATCH] Revert "libxl: prefer qdisk over blktap when choosing disk
1.9.1
-From 951cc979ba60c64e378e950e5eb9e97b49e578a5 Mon Sep 17 00:00:00 2001
+From da24c4ef97699b28cd874ac70e7880466b8062ac Mon Sep 17 00:00:00 2001
From: George Dunlap <george.dunlap@eu.citrix.com>
Date: Wed, 15 Oct 2014 15:36:23 +0100
Subject: [PATCH] xen-centos-disable-CFLAGS-for-qemu.patch
1.9.1
-From b6a65188b1488a5ee88a4a9083f3821320b955c8 Mon Sep 17 00:00:00 2001
+From 0bb8fb64ad6e058f1a574a1bf59c0ea98be74323 Mon Sep 17 00:00:00 2001
From: George Dunlap <george.dunlap@eu.citrix.com>
Date: Wed, 15 Oct 2014 15:36:23 +0100
Subject: [PATCH] Adapt libxl to use blktap 2.5 v0.9.2
--- /dev/null
+xen: limit guest control of command register
+
+Otherwise the guest can abuse that control to cause e.g. PCIe
+Unsupported Request responses (by disabling memory and/or I/O decoding
+and subsequently causing [CPU side] accesses to the respective address
+ranges), which (depending on system configuration) may be fatal to the
+host.
+
+This is XSA-126.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+--- a/hw/pass-through.c
++++ b/hw/pass-through.c
+@@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_de
+ static int pt_long_reg_read(struct pt_dev *ptdev,
+ struct pt_reg_tbl *cfg_entry,
+ uint32_t *value, uint32_t valid_mask);
+-static int pt_cmd_reg_read(struct pt_dev *ptdev,
+- struct pt_reg_tbl *cfg_entry,
+- uint16_t *value, uint16_t valid_mask);
+ static int pt_bar_reg_read(struct pt_dev *ptdev,
+ struct pt_reg_tbl *cfg_entry,
+ uint32_t *value, uint32_t valid_mask);
+@@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg
+ .size = 2,
+ .init_val = 0x0000,
+ .ro_mask = 0xF880,
+- .emu_mask = 0x0740,
++ .emu_mask = 0x0743,
+ .init = pt_common_reg_init,
+- .u.w.read = pt_cmd_reg_read,
++ .u.w.read = pt_word_reg_read,
+ .u.w.write = pt_cmd_reg_write,
+ .u.w.restore = pt_cmd_reg_restore,
+ },
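Review bot: The new `.emu_mask = 0x0743` folds in bits 0x0003 without naming them; these are PCI_COMMAND_IO and PCI_COMMAND_MEMORY, the two bits the removed pt_cmd_reg_read() and the write path used to OR in conditionally. A comment such as `/* IO and MEMORY decode bits are always emulated: the guest cannot clear them on the device (XSA-126) */` would record that. Because pt_cmd_reg_write() now computes `throughable_mask = ~reg->emu_mask & valid_mask`, guest writes to those bits never reach the hardware, so decoding on the physical device has to be enabled somewhere else; nothing in this patch shows where, which is worth confirming before relying on it. The same applies to the matching table entry in hw/xen/xen_pt_config_init.c later on the page.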
+@@ -3263,27 +3260,6 @@ static int pt_long_reg_read(struct pt_de
+ return 0;
+ }
+
+-/* read Command register */
+-static int pt_cmd_reg_read(struct pt_dev *ptdev,
+- struct pt_reg_tbl *cfg_entry,
+- uint16_t *value, uint16_t valid_mask)
+-{
+- struct pt_reg_info_tbl *reg = cfg_entry->reg;
+- uint16_t valid_emu_mask = 0;
+- uint16_t emu_mask = reg->emu_mask;
+-
+- if ( ptdev->is_virtfn )
+- emu_mask |= PCI_COMMAND_MEMORY;
+- if ( pt_is_iomul(ptdev) )
+- emu_mask |= PCI_COMMAND_IO;
+-
+- /* emulate word register */
+- valid_emu_mask = emu_mask & valid_mask;
+- *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
+-
+- return 0;
+-}
+-
+ /* read BAR */
+ static int pt_bar_reg_read(struct pt_dev *ptdev,
+ struct pt_reg_tbl *cfg_entry,
+@@ -3418,19 +3394,13 @@ static int pt_cmd_reg_write(struct pt_de
+ uint16_t writable_mask = 0;
+ uint16_t throughable_mask = 0;
+ uint16_t wr_value = *value;
+- uint16_t emu_mask = reg->emu_mask;
+-
+- if ( ptdev->is_virtfn )
+- emu_mask |= PCI_COMMAND_MEMORY;
+- if ( pt_is_iomul(ptdev) )
+- emu_mask |= PCI_COMMAND_IO;
+
+ /* modify emulate register */
+ writable_mask = ~reg->ro_mask & valid_mask;
+ cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask);
+
+ /* create value for writing to I/O device register */
+- throughable_mask = ~emu_mask & valid_mask;
++ throughable_mask = ~reg->emu_mask & valid_mask;
+
+ if (*value & PCI_COMMAND_DISABLE_INTx)
+ {
--- /dev/null
+xen: limit guest control of command register
+
+Otherwise the guest can abuse that control to cause e.g. PCIe
+Unsupported Request responses (by disabling memory and/or I/O decoding
+and subsequently causing [CPU side] accesses to the respective address
+ranges), which (depending on system configuration) may be fatal to the
+host.
+
+This is XSA-126.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+--- a/hw/xen/xen_pt_config_init.c
++++ b/hw/xen/xen_pt_config_init.c
+@@ -286,23 +286,6 @@ static int xen_pt_irqpin_reg_init(XenPCI
+ }
+
+ /* Command register */
+-static int xen_pt_cmd_reg_read(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
+- uint16_t *value, uint16_t valid_mask)
+-{
+- XenPTRegInfo *reg = cfg_entry->reg;
+- uint16_t valid_emu_mask = 0;
+- uint16_t emu_mask = reg->emu_mask;
+-
+- if (s->is_virtfn) {
+- emu_mask |= PCI_COMMAND_MEMORY;
+- }
+-
+- /* emulate word register */
+- valid_emu_mask = emu_mask & valid_mask;
+- *value = XEN_PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask);
+-
+- return 0;
+-}
+ static int xen_pt_cmd_reg_write(XenPCIPassthroughState *s, XenPTReg *cfg_entry,
+ uint16_t *val, uint16_t dev_value,
+ uint16_t valid_mask)
+@@ -310,18 +293,13 @@ static int xen_pt_cmd_reg_write(XenPCIPa
+ XenPTRegInfo *reg = cfg_entry->reg;
+ uint16_t writable_mask = 0;
+ uint16_t throughable_mask = 0;
+- uint16_t emu_mask = reg->emu_mask;
+-
+- if (s->is_virtfn) {
+- emu_mask |= PCI_COMMAND_MEMORY;
+- }
+
+ /* modify emulate register */
+ writable_mask = ~reg->ro_mask & valid_mask;
+ cfg_entry->data = XEN_PT_MERGE_VALUE(*val, cfg_entry->data, writable_mask);
+
+ /* create value for writing to I/O device register */
+- throughable_mask = ~emu_mask & valid_mask;
++ throughable_mask = ~reg->emu_mask & valid_mask;
+
+ if (*val & PCI_COMMAND_INTX_DISABLE) {
+ throughable_mask |= PCI_COMMAND_INTX_DISABLE;
+@@ -605,9 +583,9 @@ static XenPTRegInfo xen_pt_emu_reg_heade
+ .size = 2,
+ .init_val = 0x0000,
+ .ro_mask = 0xF880,
+- .emu_mask = 0x0740,
++ .emu_mask = 0x0743,
+ .init = xen_pt_common_reg_init,
+- .u.w.read = xen_pt_cmd_reg_read,
++ .u.w.read = xen_pt_word_reg_read,
+ .u.w.write = xen_pt_cmd_reg_write,
+ },
+ /* Capabilities Pointer reg */