Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-01-26 14:44:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xen" Tue Jan 26 14:44:43 2021 rev:297 rq:866148 version:4.14.1_08 Changes: -------- --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-01-22 21:49:20.501595301 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.28504/xen.changes 2021-01-26 14:44:46.639257780 +0100 @@ -1,0 +2,6 @@ +Thu Jan 21 08:46:20 MST 2021 - [email protected] + +- bsc#1181254 - VUL-0: xen: IRQ vector leak on x86 (XSA-360) + xsa360.patch + +------------------------------------------------------------------- New: ---- xsa360.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xen.spec ++++++ --- /var/tmp/diff_new_pack.2qywNC/_old 2021-01-26 14:44:48.399260504 +0100 +++ /var/tmp/diff_new_pack.2qywNC/_new 2021-01-26 14:44:48.403260510 +0100 @@ -130,7 +130,7 @@ %endif Provides: installhint(reboot-needed) -Version: 4.14.1_06 +Version: 4.14.1_08 Release: 0 Summary: Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License: GPL-2.0-only @@ -169,6 +169,7 @@ Source99: baselibs.conf # Upstream patches Patch1: 5fca3b32-tools-libs-ctrl-fix-dumping-of-ballooned-guest.patch +Patch36001: xsa360.patch # libxc Patch300: libxc-sr-3cccdae45242dab27198b8e150be0c85acd5d3c9.patch Patch301: libxc-sr-readv_exact.patch @@ -426,6 +427,7 @@ %setup -q -n %xen_build_dir -a 1 -a 5 -a 6 -a 57 # Upstream patches %patch1 -p1 +%patch36001 -p1 # libxc %patch300 -p1 %patch301 -p1 ++++++ libxc.migrate_tracking.patch ++++++ --- /var/tmp/diff_new_pack.2qywNC/_old 2021-01-26 14:44:48.663260912 +0100 +++ /var/tmp/diff_new_pack.2qywNC/_new 2021-01-26 14:44:48.663260912 +0100 @@ -1,8 +1,6 @@ Track live migration state unconditionally in logfiles to see how long a domU was suspended. Depends on libxc.sr.superpage.patch -Index: xen-4.14.1-testing/tools/libs/toollog/include/xentoollog.h -=================================================================== --- xen-4.14.1-testing.orig/tools/libs/toollog/include/xentoollog.h +++ xen-4.14.1-testing/tools/libs/toollog/include/xentoollog.h @@ -133,6 +133,7 @@ const char *xtl_level_to_string(xentooll @@ -13,8 +11,6 @@ #endif /* XENTOOLLOG_H */ /* -Index: xen-4.14.1-testing/tools/libxc/xc_domain.c -=================================================================== --- xen-4.14.1-testing.orig/tools/libxc/xc_domain.c +++ xen-4.14.1-testing/tools/libxc/xc_domain.c @@ -69,20 +69,28 @@ int xc_domain_cacheflush(xc_interface *x @@ -48,8 +44,6 @@ } -Index: xen-4.14.1-testing/tools/libxc/xc_private.h -=================================================================== --- xen-4.14.1-testing.orig/tools/libxc/xc_private.h +++ xen-4.14.1-testing/tools/libxc/xc_private.h @@ -42,6 +42,15 @@ @@ -68,8 +62,6 @@ #if defined(HAVE_VALGRIND_MEMCHECK_H) && !defined(NDEBUG) && !defined(__MINIOS__) /* Compile in Valgrind client requests? */ #include <valgrind/memcheck.h> -Index: xen-4.14.1-testing/tools/libxc/xc_resume.c -=================================================================== --- xen-4.14.1-testing.orig/tools/libxc/xc_resume.c +++ xen-4.14.1-testing/tools/libxc/xc_resume.c @@ -284,7 +284,10 @@ out: @@ -84,8 +76,6 @@ + SUSEINFO("domid %u: %s%s returned %d", domid, __func__, fast ? " fast" : "", ret); + return ret; } -Index: xen-4.14.1-testing/tools/libxc/xc_sr_common.c -=================================================================== --- xen-4.14.1-testing.orig/tools/libxc/xc_sr_common.c +++ xen-4.14.1-testing/tools/libxc/xc_sr_common.c @@ -204,6 +204,65 @@ bool _xc_sr_bitmap_resize(struct xc_sr_b @@ -154,8 +144,6 @@ /* * Local variables: * mode: C -Index: xen-4.14.1-testing/tools/libxc/xc_sr_common.h -=================================================================== --- xen-4.14.1-testing.orig/tools/libxc/xc_sr_common.h +++ xen-4.14.1-testing/tools/libxc/xc_sr_common.h @@ -268,6 +268,7 @@ struct xc_sr_context @@ -175,8 +163,6 @@ struct xc_sr_record { uint32_t type; -Index: xen-4.14.1-testing/tools/libxc/xc_sr_restore.c -=================================================================== --- xen-4.14.1-testing.orig/tools/libxc/xc_sr_restore.c +++ xen-4.14.1-testing/tools/libxc/xc_sr_restore.c @@ -875,6 +875,7 @@ static int restore(struct xc_sr_context @@ -203,8 +189,6 @@ if ( read_headers(&ctx) ) return -1; -Index: xen-4.14.1-testing/tools/libxc/xc_sr_save.c -=================================================================== --- xen-4.14.1-testing.orig/tools/libxc/xc_sr_save.c +++ xen-4.14.1-testing/tools/libxc/xc_sr_save.c @@ -354,7 +354,7 @@ static void show_transfer_rate(struct xc @@ -216,7 +200,7 @@ ctx->save.overhead_sent, ctx->save.pages_sent, diff.tv_sec, diff.tv_nsec, MiB_sec); } -@@ -871,6 +871,7 @@ static int save(struct xc_sr_context *ct +@@ -861,6 +861,7 @@ static int save(struct xc_sr_context *ct xc_interface *xch = ctx->xch; int rc, saved_rc = 0, saved_errno = 0; @@ -224,7 +208,7 @@ IPRINTF("Saving domain %d, type %s", ctx->domid, dhdr_type_to_str(guest_type)); -@@ -991,6 +992,7 @@ static int save(struct xc_sr_context *ct +@@ -981,6 +982,7 @@ static int save(struct xc_sr_context *ct PERROR("Save failed"); done: @@ -232,7 +216,7 @@ cleanup(ctx); if ( saved_rc ) -@@ -1059,6 +1061,8 @@ out: +@@ -1041,6 +1043,8 @@ out: return XGS_POLICY_ABORT; } suspend: @@ -241,7 +225,7 @@ return XGS_POLICY_STOP_AND_COPY; } -@@ -1128,6 +1132,7 @@ int xc_domain_save_suse(xc_interface *xc +@@ -1109,6 +1113,7 @@ int xc_domain_save_suse(xc_interface *xc io_fd, dom, flags, ctx.dominfo.hvm); ctx.domid = dom; @@ -249,8 +233,6 @@ if ( ctx.dominfo.hvm ) { -Index: xen-4.14.1-testing/tools/xl/xl.c -=================================================================== --- xen-4.14.1-testing.orig/tools/xl/xl.c +++ xen-4.14.1-testing/tools/xl/xl.c @@ -398,6 +398,8 @@ int main(int argc, char **argv) ++++++ libxl.LIBXL_HOTPLUG_TIMEOUT.patch ++++++ --- /var/tmp/diff_new_pack.2qywNC/_old 2021-01-26 14:44:48.675260931 +0100 +++ /var/tmp/diff_new_pack.2qywNC/_new 2021-01-26 14:44:48.679260937 +0100 @@ -52,10 +52,8 @@ The change for libxl which handles this xenstore value will enable additional logging if the key is found. That extra logging will show how the execution time of each script. -Index: xen-4.14.0-testing/tools/libxl/libxl_aoutils.c -=================================================================== ---- xen-4.14.0-testing.orig/tools/libxl/libxl_aoutils.c -+++ xen-4.14.0-testing/tools/libxl/libxl_aoutils.c +--- xen-4.14.1-testing.orig/tools/libxl/libxl_aoutils.c ++++ xen-4.14.1-testing/tools/libxl/libxl_aoutils.c @@ -529,6 +529,8 @@ static void async_exec_timeout(libxl__eg { libxl__async_exec_state *aes = CONTAINER_OF(ev, *aes, time); @@ -85,10 +83,8 @@ libxl__ev_time_deregister(gc, &aes->time); -Index: xen-4.14.0-testing/tools/libxl/libxl_create.c -=================================================================== ---- xen-4.14.0-testing.orig/tools/libxl/libxl_create.c -+++ xen-4.14.0-testing/tools/libxl/libxl_create.c +--- xen-4.14.1-testing.orig/tools/libxl/libxl_create.c ++++ xen-4.14.1-testing/tools/libxl/libxl_create.c @@ -1247,6 +1247,7 @@ static void initiate_domain_create(libxl * build info around just to know if the domain has a device model or not. */ @@ -97,10 +93,8 @@ for (i = 0; i < d_config->num_disks; i++) { ret = libxl__disk_devtype.set_default(gc, domid, &d_config->disks[i], -Index: xen-4.14.0-testing/tools/libxl/libxl_device.c -=================================================================== ---- xen-4.14.0-testing.orig/tools/libxl/libxl_device.c -+++ xen-4.14.0-testing/tools/libxl/libxl_device.c +--- xen-4.14.1-testing.orig/tools/libxl/libxl_device.c ++++ xen-4.14.1-testing/tools/libxl/libxl_device.c @@ -1212,7 +1212,7 @@ static void device_hotplug(libxl__egc *e } @@ -126,10 +120,8 @@ rc = libxl__async_exec_start(aes); if (rc) goto out; -Index: xen-4.14.0-testing/tools/libxl/libxl_event.c -=================================================================== ---- xen-4.14.0-testing.orig/tools/libxl/libxl_event.c -+++ xen-4.14.0-testing/tools/libxl/libxl_event.c +--- xen-4.14.1-testing.orig/tools/libxl/libxl_event.c ++++ xen-4.14.1-testing/tools/libxl/libxl_event.c @@ -1033,27 +1033,29 @@ static void devstate_callback(libxl__egc { EGC_GC; @@ -176,10 +168,8 @@ rc = libxl__xswait_start(gc, &ds->w); if (rc) goto out; -Index: xen-4.14.0-testing/tools/libxl/libxl_internal.c -=================================================================== ---- xen-4.14.0-testing.orig/tools/libxl/libxl_internal.c -+++ xen-4.14.0-testing/tools/libxl/libxl_internal.c +--- xen-4.14.1-testing.orig/tools/libxl/libxl_internal.c ++++ xen-4.14.1-testing/tools/libxl/libxl_internal.c @@ -17,6 +17,97 @@ #include "libxl_internal.h" @@ -278,10 +268,8 @@ void libxl__alloc_failed(libxl_ctx *ctx, const char *func, size_t nmemb, size_t size) { #define M "libxl: FATAL ERROR: memory allocation failure" -Index: xen-4.14.0-testing/tools/libxl/libxl_internal.h -=================================================================== ---- xen-4.14.0-testing.orig/tools/libxl/libxl_internal.h -+++ xen-4.14.0-testing/tools/libxl/libxl_internal.h +--- xen-4.14.1-testing.orig/tools/libxl/libxl_internal.h ++++ xen-4.14.1-testing/tools/libxl/libxl_internal.h @@ -50,6 +50,7 @@ #include <sys/un.h> #include <sys/file.h> @@ -306,7 +294,7 @@ /* private */ libxl__ev_time time; libxl__ev_child child; -@@ -4846,6 +4849,9 @@ int libxl__is_domid_recent(libxl__gc *gc +@@ -4845,6 +4848,9 @@ int libxl__is_domid_recent(libxl__gc *gc #endif ++++++ libxl.helper_done-crash.patch ++++++ --- /var/tmp/diff_new_pack.2qywNC/_old 2021-01-26 14:44:48.691260955 +0100 +++ /var/tmp/diff_new_pack.2qywNC/_new 2021-01-26 14:44:48.695260962 +0100 @@ -35,11 +35,9 @@ tools/libxl/libxl_save_callout.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -Index: xen-4.14.0-testing/tools/libxl/libxl_save_callout.c -=================================================================== ---- xen-4.14.0-testing.orig/tools/libxl/libxl_save_callout.c -+++ xen-4.14.0-testing/tools/libxl/libxl_save_callout.c -@@ -366,8 +366,9 @@ static void helper_done(libxl__egc *egc, +--- xen-4.14.1-testing.orig/tools/libxl/libxl_save_callout.c ++++ xen-4.14.1-testing/tools/libxl/libxl_save_callout.c +@@ -365,8 +365,9 @@ static void helper_done(libxl__egc *egc, assert(!libxl__save_helper_inuse(shs)); shs->egc = egc; ++++++ xsa360.patch ++++++ From: Roger Pau Monne <[email protected]> Subject: x86/dpci: do not remove pirqs from domain tree on unbind A fix for a previous issue removed the pirqs from the domain tree when they are unbound in order to prevent shared pirqs from triggering a BUG_ON in __pirq_guest_unbind if they are unbound multiple times. That caused free_domain_pirqs to no longer unmap the pirqs because they are gone from the domain pirq tree, thus leaving stale unbound pirqs after domain destruction if the domain had mapped dpci pirqs after shutdown. Take a different approach to fix the original issue, instead of removing the pirq from d->pirq_tree clear the flags of the dpci pirq struct to signal that the pirq is now unbound. This prevents calling pirq_guest_unbind multiple times for the same pirq without having to remove it from the domain pirq tree. This is XSA-360. Fixes: 5b58dad089 ('x86/pass-through: avoid double IRQ unbind during domain cleanup') Signed-off-by: Roger Pau Monn?? <[email protected]> Reviewed-by: Jan Beulich <[email protected]> --- a/xen/arch/x86/irq.c +++ b/xen/arch/x86/irq.c @@ -1331,7 +1331,7 @@ void (pirq_cleanup_check)(struct pirq *p } if ( radix_tree_delete(&d->pirq_tree, pirq->pirq) != pirq ) - BUG_ON(!d->is_dying); + BUG(); } /* Flush all ready EOIs from the top of this CPU's pending-EOI stack. */ --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -862,6 +862,10 @@ static int pci_clean_dpci_irq(struct dom { struct dev_intx_gsi_link *digl, *tmp; + if ( !pirq_dpci->flags ) + /* Already processed. */ + return 0; + pirq_guest_unbind(d, dpci_pirq(pirq_dpci)); if ( pt_irq_need_timer(pirq_dpci->flags) ) @@ -872,15 +876,10 @@ static int pci_clean_dpci_irq(struct dom list_del(&digl->list); xfree(digl); } + /* Note the pirq is now unbound. */ + pirq_dpci->flags = 0; - radix_tree_delete(&d->pirq_tree, dpci_pirq(pirq_dpci)->pirq); - - if ( !pt_pirq_softirq_active(pirq_dpci) ) - return 0; - - domain_get_irq_dpci(d)->pending_pirq_dpci = pirq_dpci; - - return -ERESTART; + return pt_pirq_softirq_active(pirq_dpci) ? -ERESTART : 0; } static int pci_clean_dpci_irqs(struct domain *d) @@ -897,18 +896,8 @@ static int pci_clean_dpci_irqs(struct do hvm_irq_dpci = domain_get_irq_dpci(d); if ( hvm_irq_dpci != NULL ) { - int ret = 0; - - if ( hvm_irq_dpci->pending_pirq_dpci ) - { - if ( pt_pirq_softirq_active(hvm_irq_dpci->pending_pirq_dpci) ) - ret = -ERESTART; - else - hvm_irq_dpci->pending_pirq_dpci = NULL; - } + int ret = pt_pirq_iterate(d, pci_clean_dpci_irq, NULL); - if ( !ret ) - ret = pt_pirq_iterate(d, pci_clean_dpci_irq, NULL); if ( ret ) { spin_unlock(&d->event_lock); --- a/xen/include/asm-x86/hvm/irq.h +++ b/xen/include/asm-x86/hvm/irq.h @@ -160,8 +160,6 @@ struct hvm_irq_dpci { DECLARE_BITMAP(isairq_map, NR_ISAIRQS); /* Record of mapped Links */ uint8_t link_cnt[NR_LINK]; - /* Clean up: Entry with a softirq invocation pending / in progress. */ - struct hvm_pirq_dpci *pending_pirq_dpci; }; /* Machine IRQ to guest device/intx mapping. */
