Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2016-03-07 13:22:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xen" Changes: -------- --- /work/SRC/openSUSE:Factory/xen/xen.changes 2016-03-02 14:21:07.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new/xen.changes 2016-03-07 13:22:58.000000000 +0100 
@@ -1,0 +2,54 @@ +Fri Mar 4 16:11:02 MST 2016 - [email protected] + +- bsc#969377 - xen does not build with GCC 6 + ipxe-use-rpm-opt-flags.patch + gcc6-warnings-as-errors.patch + +------------------------------------------------------------------- +Thu Mar 3 10:27:55 MST 2016 - [email protected] + +- bsc#969351 - VUL-0: CVE-2016-2841: xen: net: ne2000: infinite + loop in ne2000_receive + CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch +- Drop xsa154-fix.patch + +------------------------------------------------------------------- +Wed Mar 2 16:53:51 UTC 2016 - [email protected] + +- Use system qemu instead of building/installing yet another qemu + FATE#320638 +- Dropped files + qemu-xen-dir-remote.tar.bz2 + CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch + CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch + CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch + CVE-2015-4037-qemuu-smb-config-dir-name.patch + CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch + CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch + CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch + CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch + CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch + CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch + CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch + CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch + CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch + CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch + CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch + CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch + CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch + 
CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch + CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch + CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch + qemu-xen-enable-spice-support.patch + qemu-xen-upstream-qdisk-cache-unsafe.patch + tigervnc-long-press.patch + xsa162-qemuu.patch + +------------------------------------------------------------------- +Mon Feb 29 09:40:43 MST 2016 - [email protected] + +- bsc#962321 - VUL-0: CVE-2016-1922: xen: i386: null pointer + dereference in vapic_write() + CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch + +------------------------------------------------------------------- @@ -22,0 +77 @@ + CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch @@ -70 +124,0 @@ - xsa154-fix.patch @@ -86,0 +141,3 @@ +- bsc#965112 - VUL-0: CVE-2014-3640: xen: slirp: NULL pointer deref + in sosendto() + CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch @@ -115,0 +173,3 @@ +- bsc#964452 - VUL-0: CVE-2013-4534: xen: openpic: buffer overrun + on incoming migration + CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch @@ -453 +512,0 @@ - CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch 
@@ -456 +514,0 @@ - CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch Old: ---- CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch CVE-2015-4037-qemuu-smb-config-dir-name.patch CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch qemu-xen-dir-remote.tar.bz2 qemu-xen-enable-spice-support.patch qemu-xen-upstream-qdisk-cache-unsafe.patch tigervnc-long-press.patch xsa154-fix.patch xsa162-qemuu.patch New: ---- CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch 
CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch gcc6-warnings-as-errors.patch ipxe-use-rpm-opt-flags.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xen.spec ++++++ --- /var/tmp/diff_new_pack.o9CL6m/_old 2016-03-07 13:23:19.000000000 +0100 +++ /var/tmp/diff_new_pack.o9CL6m/_new 2016-03-07 13:23:19.000000000 +0100 @@ -170,7 +170,6 @@ Source0: xen-4.6.1-testing-src.tar.bz2 Source1: stubdom.tar.bz2 Source2: qemu-xen-traditional-dir-remote.tar.bz2 -Source3: qemu-xen-dir-remote.tar.bz2 Source4: seabios-dir-remote.tar.bz2 Source5: ipxe.tar.bz2 Source6: mini-os.tar.bz2 @@ -206,15 +205,13 @@ Patch2: 5628fc67-libxl-No-emulated-disk-driver-for-xvdX-disk.patch Patch3: 5644b756-x86-HVM-don-t-inject-DB-with-error-code.patch Patch4: 5649bcbe-libxl-relax-readonly-check-introduced-by-XSA-142-fix.patch -Patch15401: xsa154.patch -Patch15402: xsa154-fix.patch +Patch154: xsa154.patch Patch15501: xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch Patch15502: xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch Patch15503: xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch -Patch162: xsa162-qemuu.patch Patch164: xsa164.patch Patch170: xsa170.patch -# Upstream qemu +# Upstream qemu-traditional patches Patch250: VNC-Support-for-ExtendedKeyEvent-client-message.patch Patch251: 0001-net-move-the-tap-buffer-into-TAPState.patch Patch252: 0002-net-increase-tap-buffer-size.patch 
@@ -224,53 +221,25 @@ Patch256: 0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch Patch258: 0008-e1000-check-buffer-availability.patch -Patch259: CVE-2015-4037-qemuu-smb-config-dir-name.patch -Patch260: CVE-2015-4037-qemut-smb-config-dir-name.patch -Patch262: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch -Patch263: CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch -Patch264: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch -Patch265: CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch -Patch266: CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch -Patch267: CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch -Patch268: CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch -Patch269: CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch -Patch270: CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch -Patch271: CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch -Patch272: CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch -Patch273: CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch -Patch274: CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch -Patch275: CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch -Patch276: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch -Patch277: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch -Patch278: CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch -Patch279: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch -Patch280: CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch -Patch281: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch -Patch282: CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch 
-Patch283: CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch -Patch284: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch -Patch285: CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch -Patch286: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch -Patch287: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch -Patch288: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch -Patch289: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch -Patch290: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch -Patch291: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch -Patch292: CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch -Patch293: CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch -Patch294: CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch -# Our platform specific patches -Patch321: xen-destdir.patch -Patch322: vif-bridge-no-iptables.patch -Patch323: vif-bridge-tap-fix.patch -Patch324: xl-conf-default-bridge.patch -# Needs to go upstream -Patch330: suspend_evtchn_lock.patch -Patch331: xenpaging.doc.patch -Patch332: xen-c99-fix.patch -Patch333: stubdom-have-iovec.patch -Patch334: hotplug-Linux-block-performance-fix.patch -# Qemu traditional +Patch259: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch +Patch260: CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch +Patch261: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch +Patch262: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch +Patch263: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch +Patch264: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch +Patch265: CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch +Patch266: 
CVE-2015-4037-qemut-smb-config-dir-name.patch +Patch267: CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch +Patch268: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch +Patch269: CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch +Patch270: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch +Patch271: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch +Patch272: CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch +Patch273: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch +Patch274: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch +Patch275: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch +Patch276: CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch +# qemu-traditional patches that are not upstream Patch350: blktap.patch Patch351: cdrom-removable.patch Patch353: xen-qemu-iscsi-fix.patch @@ -296,9 +265,17 @@ Patch381: ioemu-disable-scsi.patch Patch382: ioemu-disable-emulated-ide-if-pv.patch Patch383: xenpaging.qemu.flush-cache.patch -Patch385: xen_pvonhvm.xen_emul_unplug.patch -Patch387: libxl.pvscsi.patch -Patch388: blktap2-no-uninit.patch +# Our platform specific patches +Patch400: xen-destdir.patch +Patch401: vif-bridge-no-iptables.patch +Patch402: vif-bridge-tap-fix.patch +Patch403: xl-conf-default-bridge.patch +# Needs to go upstream +Patch420: suspend_evtchn_lock.patch +Patch421: xenpaging.doc.patch +Patch422: xen-c99-fix.patch +Patch423: stubdom-have-iovec.patch +Patch424: hotplug-Linux-block-performance-fix.patch # Other bug fixes or features Patch451: xenconsole-no-multiple-connections.patch Patch452: hibernate.patch 
@@ -306,24 +283,26 @@ Patch454: ipxe-enable-nics.patch Patch455: pygrub-netware-xnloader.patch Patch456: pygrub-boot-legacy-sles.patch -Patch460: set-mtu-from-bridge-for-tap-interface.patch -Patch466: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch -Patch467: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch -Patch470: qemu-xen-upstream-qdisk-cache-unsafe.patch -Patch471: qemu-xen-enable-spice-support.patch -Patch472: tigervnc-long-press.patch -Patch473: xendomains-libvirtd-conflict.patch -Patch474: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch -Patch475: xen.libxl.dmmd.patch +Patch457: set-mtu-from-bridge-for-tap-interface.patch +Patch458: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch +Patch459: xendomains-libvirtd-conflict.patch +Patch460: CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch +Patch461: libxl.pvscsi.patch +Patch462: xen.libxl.dmmd.patch +Patch463: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch +Patch464: blktap2-no-uninit.patch # Hypervisor and PV driver Patches Patch501: x86-ioapic-ack-default.patch Patch502: x86-cpufreq-report.patch -Patch520: supported_module.patch -Patch521: magic_ioport_compat.patch +Patch520: xen_pvonhvm.xen_emul_unplug.patch +Patch521: supported_module.patch +Patch522: magic_ioport_compat.patch Patch601: xen.build-compare.doc_html.patch Patch602: xen.build-compare.seabios.patch Patch603: xen.build-compare.man.patch Patch604: ipxe-no-error-logical-not-parentheses.patch +Patch605: ipxe-use-rpm-opt-flags.patch +Patch606: gcc6-warnings-as-errors.patch # Build patches Patch99996: xen.stubdom.newlib.patch Patch99998: tmp_build.patch 
@@ -410,10 +389,14 @@ Summary: Xen Virtualization: Control tools for domain 0 Group: System/Kernel Requires: bridge-utils -%if %suse_version >= 1315 %ifarch x86_64 +%if %suse_version >= 1315 Requires: grub2-x86_64-xen %endif +Requires: qemu-x86 +%endif +%ifarch %arm aarch64 +Requires: qemu-arm %endif Requires: multipath-tools Requires: python @@ -528,18 +511,16 @@ %endif %prep -%setup -q -n %xen_build_dir -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 57 +%setup -q -n %xen_build_dir -a 1 -a 2 -a 4 -a 5 -a 6 -a 57 # Upstream patches %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch15401 -p1 -%patch15402 -p1 +%patch154 -p1 %patch15501 -p1 %patch15502 -p1 %patch15503 -p1 -%patch162 -p1 %patch164 -p1 %patch170 -p1 # Upstream qemu patches @@ -554,6 +535,7 @@ %patch258 -p1 %patch259 -p1 %patch260 -p1 +%patch261 -p1 %patch262 -p1 %patch263 -p1 %patch264 -p1 @@ -569,35 +551,6 @@ %patch274 -p1 %patch275 -p1 %patch276 -p1 -%patch277 -p1 -%patch278 -p1 -%patch279 -p1 -%patch280 -p1 -%patch281 -p1 -%patch282 -p1 -%patch283 -p1 -%patch284 -p1 -%patch285 -p1 -%patch286 -p1 -%patch287 -p1 -%patch288 -p1 -%patch289 -p1 -%patch290 -p1 -%patch291 -p1 -%patch292 -p1 -%patch293 -p1 -%patch294 -p1 -# Our platform specific patches -%patch321 -p1 -%patch322 -p1 -%patch323 -p1 -%patch324 -p1 -# Needs to go upstream -%patch330 -p1 -%patch331 -p1 -%patch332 -p1 -%patch333 -p1 -%patch334 -p1 # Qemu traditional %patch350 -p1 %patch351 -p1 @@ -624,9 +577,17 @@ %patch381 -p1 %patch382 -p1 %patch383 -p1 -%patch385 -p1 -%patch387 -p1 -%patch388 -p1 +# Our platform specific patches +%patch400 -p1 +%patch401 -p1 +%patch402 -p1 +%patch403 -p1 +# Needs to go upstream +%patch420 -p1 +%patch421 -p1 +%patch422 -p1 +%patch423 -p1 +%patch424 -p1 # Other bug fixes or features %patch451 -p1 %patch452 -p1 
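Review bot: The new `Requires: qemu-x86` and `Requires: qemu-arm` lines in the tools subpackage carry no version constraint. The changelog in this same commit drops the in-tree qemuu CVE patches (the CVE-2015-xxxx and CVE-2016-xxxx qemuu series and xsa162-qemuu.patch), so those fixes now have to come from whatever system qemu is installed. A minimum version such as `Requires: qemu-x86 >= <first system-qemu version carrying these fixes>` (placeholder) would make that dependency explicit and stop an older qemu from satisfying it. Also note that `qemu-x86` is required only inside `%ifarch x86_64`, while the `--with-system-qemu=%{_bindir}/qemu-system-%{_arch}` configure flag added further down is not arch-conditional.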
@@ -634,24 +595,26 @@ %patch454 -p1 %patch455 -p1 %patch456 -p1 +%patch457 -p1 +%patch458 -p1 +%patch459 -p1 %patch460 -p1 -%patch466 -p1 -%patch467 -p1 -%patch470 -p1 -%patch471 -p1 -%patch472 -p1 -%patch473 -p1 -%patch474 -p1 -%patch475 -p1 +%patch461 -p1 +%patch462 -p1 +%patch463 -p1 +%patch464 -p1 # Hypervisor and PV driver Patches %patch501 -p1 %patch502 -p1 %patch520 -p1 %patch521 -p1 +%patch522 -p1 %patch601 -p1 %patch602 -p1 %patch603 -p1 %patch604 -p1 +%patch605 -p1 +%patch606 -p1 # Build patches %patch99996 -p1 %patch99998 -p1 @@ -689,7 +652,6 @@ export GIT=$(type -P false) export EXTRA_CFLAGS_XEN_TOOLS="$RPM_OPT_FLAGS" export EXTRA_CFLAGS_QEMU_TRADITIONAL="$RPM_OPT_FLAGS" -export EXTRA_CFLAGS_QEMU_XEN="$RPM_OPT_FLAGS" export SMBIOS_DATE="$SMBIOS_DATE" export RELDATE="$RELDATE" export SEABIOS_DATE="$SEABIOS_DATE" @@ -714,11 +676,6 @@ then : no changes? fi -%ifarch x86_64 -%if 0%{?suse_version} > 1230 -export QEMU_XEN_ENABLE_SPICE="--enable-spice --enable-usb-redir" -%endif -%endif configure_flags= %if %{?with_stubdom}0 configure_flags=--enable-stubdom @@ -756,6 +713,7 @@ %else --disable-systemd \ %endif + --with-system-qemu=%{_bindir}/qemu-system-%{_arch} \ ${configure_flags} make -C tools/include/xen-foreign %{?_smp_mflags} make %{?_smp_mflags} @@ -850,6 +808,20 @@ done %endif +# On x86_64, qemu-xen was installed as /usr/lib/xen/bin/qemu-system-i386 +# and advertised as the <emulator> in libvirt capabilities. Tool such as +# virt-install include <emulator> in domXML they produce, so we need to +# preserve the path. For x86_64, create a simple wrapper that invokes +# /usr/bin/qemu-system-x86_64 +%ifarch x86_64 +cat > $RPM_BUILD_ROOT/usr/lib/xen/bin/qemu-system-i386 << 'EOF' +#!/bin/sh + +exec %{_bindir}/qemu-system-x86_64 "$@" +EOF +chmod 0755 $RPM_BUILD_ROOT/usr/lib/xen/bin/qemu-system-i386 +%endif + # Stubdom %if %{?with_dom0_support}0 # Docs 
@@ -978,7 +950,6 @@ rm -rf $RPM_BUILD_ROOT%{with_systemd_modules_load} rm -rf $RPM_BUILD_ROOT/usr/sbin rm -rf $RPM_BUILD_ROOT/etc/xen -rm -rf $RPM_BUILD_ROOT/%{_datadir}/qemu-xen rm -rf $RPM_BUILD_ROOT/var rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/bash_completion.d/xl.sh rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/xen* @@ -1114,7 +1085,6 @@ %endif %dir /etc/modprobe.d /etc/bash_completion.d/xl.sh -%{_datadir}/qemu-xen %if %{?with_qemu_traditional}0 %dir %{_datadir}/xen %dir %{_datadir}/xen/qemu ++++++ CVE-2013-4534-qemut-openpic-buffer-overrun-on-incoming-migration.patch ++++++ References: bsc#964452 CVE-2013-4534 Subject: openpic: avoid buffer overrun on incoming migration From: Michael Roth [email protected] Mon Apr 28 16:08:17 2014 +0300 Date: Mon May 5 22:15:03 2014 +0200: Git: 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e CVE-2013-4534 opp->nb_cpus is read from the wire and used to determine how many IRQDest elements to read into opp->dst[]. If the value exceeds the length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary data from the wire. Fix this by failing migration if the value read from the wire exceeds MAX_CPU. Signed-off-by: Michael Roth <[email protected]> Reviewed-by: Alexander Graf <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Juan Quintela <[email protected]> Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/openpic.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/openpic.c @@ -36,6 +36,7 @@ #include "ppc_mac.h" #include "pci.h" #include "openpic.h" +#include "qemu/qerror.h" //#define DEBUG_OPENPIC 
@@ -1132,7 +1133,7 @@ static void openpic_load_IRQ_queue(QEMUF static int openpic_load(QEMUFile* f, void *opaque, int version_id) { openpic_t *opp = (openpic_t *)opaque; - unsigned int i; + unsigned int i, nb_cpus; if (version_id != 1) return -EINVAL; @@ -1153,7 +1154,11 @@ static int openpic_load(QEMUFile* f, voi qemu_get_sbe32s(f, &opp->src[i].pending); } - qemu_get_sbe32s(f, &opp->nb_cpus); + qemu_get_be32s(f, &nb_cpus); + if (opp->nb_cpus != nb_cpus) { + return -EINVAL; + } + assert(nb_cpus > 0 && nb_cpus <= MAX_CPU); for (i = 0; i < opp->nb_cpus; i++) { qemu_get_be32s(f, &opp->dst[i].tfrr); ++++++ CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch ++++++ Subject: slirp: udp: fix NULL pointer dereference because of uninitialized socket From: Petr Matousek [email protected] Thu Sep 18 08:35:37 2014 +0200 Date: Tue Sep 23 19:15:05 2014 +0100: Git: 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access. Fix this by checking that the socket is not just a socket stub. This is CVE-2014-3640. Signed-off-by: Petr Matousek <[email protected]> Reported-by: Xavier Mehrenberger <[email protected]> Reported-by: Stephane Duverger <[email protected]> Reviewed-by: Jan Kiszka <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Message-id: [email protected] Signed-off-by: Peter Maydell <[email protected]> Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/udp.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c 
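Review bot: In openpic_load the range of `nb_cpus` is enforced only by `assert(nb_cpus > 0 && nb_cpus <= MAX_CPU)`. That check vanishes in a build with NDEBUG, and when it does fire it aborts the process instead of failing the load like the `return -EINVAL` just above it. Because it runs after the equality test, it is really checking the locally configured `opp->nb_cpus`; a hard check such as `if (nb_cpus == 0 || nb_cpus > MAX_CPU) return -EINVAL;` ahead of the loop would hold in every build. The removed line read the field with `qemu_get_sbe32s`, so `opp->nb_cpus` is presumably signed and `opp->nb_cpus != nb_cpus` compares mixed signedness; an explicit cast would document the intent. The `#include "qemu/qerror.h"` added in the first hunk is not used by anything visible in these hunks, and openpic_load continues past the end of this one.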
@@ -168,7 +168,7 @@ udp_input(m, iphlen) * Locate pcb for datagram. */ so = udp_last_so; - if (so->so_lport != uh->uh_sport || + if (so == &slirp->udb || so->so_lport != uh->uh_sport || so->so_laddr.s_addr != ip->ip_src.s_addr) { struct socket *tmp; ++++++ CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch ++++++ Subject: ATAPI: STARTSTOPUNIT only eject/load media if powercondition is 0 From: Ronnie Sahlberg [email protected] Tue Jul 31 11:28:26 2012 +1000 Date: Wed Sep 12 15:50:09 2012 +0200: Git: ce560dcf20c14194db5ef3b9fc1ea592d4e68109 The START STOP UNIT command will only eject/load media if power condition is zero. If power condition is !0 then LOEJ and START will be ignored. >From MMC (sbc contains similar wordings too) The Power Conditions field requests the block device to be placed in the power condition defined in Table 558. If this field has a value other than 0h then the Start and LoEj bits shall be ignored. Signed-off-by: Ronnie Sahlberg <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> >From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001 From: Kevin Wolf <[email protected]> Date: Wed, 3 Jun 2015 14:17:46 +0200 Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion The command must be completed on all code paths. START STOP UNIT with pwrcnd set should succeed without doing anything. Signed-off-by: Kevin Wolf <[email protected]> --- hw/ide/atapi.c | 1 + 1 file changed, 1 insertion(+) Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c 
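Review bot: The new guard `so == &slirp->udb` uses a `slirp` pointer that is not declared anywhere in the visible context of udp_input. The K&R-style signature `udp_input(m, iphlen)` suggests this tree may predate the per-instance state that the upstream fix was written against. It is worth confirming that this file is actually compiled in the qemu-traditional build, and that the list head being compared is `slirp->udb` here rather than a file-scope `udb`; otherwise the stub-socket check is not protecting this code path. A one-line comment such as `/* udp_last_so may still be the list-head stub, which is not a real socket */` would also explain the extra condition. The body of udp_input starts and ends outside the hunk.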
@@ -2098,9 +2098,16 @@ static void ide_atapi_cmd(IDEState *s) break; case GPCMD_START_STOP_UNIT: { - int start, eject; + int start, eject, pwrcnd; start = packet[4] & 1; eject = (packet[4] >> 1) & 1; + pwrcnd = buf[4] & 0xf0; + + if (pwrcnd) { + /* eject/load only happens for power condition == 0 */ + ide_atapi_cmd_ok(s); + return; + } if (eject && !start) { /* eject the disk */ ++++++ CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch ++++++ References: bsc#944697 From: P J P <address@hidden> While processing transmit descriptors, it could lead to an infinite loop if 'bytes' was to become zero; Add a check to avoid it. [The guest can force 'bytes' to 0 by setting the hdr_len and mss descriptor fields to 0. --Stefan] Signed-off-by: P J P <address@hidden> Signed-off-by: Stefan Hajnoczi <address@hidden> --- hw/net/e1000.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c @@ -470,7 +470,8 @@ process_tx_desc(E1000State *s, struct e1 memmove(tp->data, tp->header, hdr); tp->size = hdr; } - } while (split_size -= bytes); + split_size -= bytes; + } while (bytes && split_size); } else if (!tp->tse && tp->cptse) { // context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentaion Error\n"); ++++++ CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch ++++++ --- /var/tmp/diff_new_pack.o9CL6m/_old 2016-03-07 13:23:19.000000000 +0100 +++ /var/tmp/diff_new_pack.o9CL6m/_new 2016-03-07 13:23:19.000000000 +0100 
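Review bot: In the GPCMD_START_STOP_UNIT case, `pwrcnd` is read from `buf[4]` while `start` and `eject` on the two lines above read `packet[4]`. Unless `buf` and `packet` point to the same bytes at this point (their assignments are outside the hunk), the power-condition test looks at a different byte from the one the command carries; `pwrcnd = packet[4] & 0xf0;` would keep the three fields consistent. The early `return` after `ide_atapi_cmd_ok(s)` also skips anything that follows the switch in ide_atapi_cmd, whereas the preceding case leaves with `break`, so it is worth confirming nothing after the switch is needed on this path.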
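Review bot: The rewritten loop tail in process_tx_desc, `split_size -= bytes; } while (bytes && split_size);`, has no comment saying why `bytes` can be zero, and it now leaves the loop with `split_size` still non-zero without any trace. The description gives the reason (the guest can set the hdr_len and mss descriptor fields to 0), so a comment such as `/* guest-controlled hdr_len/mss can make bytes 0; stop instead of spinning */` belongs on the condition. A `DBGOUT(TXERR, ...)` on that early exit, matching the error branch directly below, would make the dropped remainder visible when debugging. The function starts and continues outside the hunk.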
@@ -68,11 +68,11 @@ hw/net/e1000.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c =================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c -+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c -@@ -537,7 +537,8 @@ start_xmit(E1000State *s) +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c +@@ -538,7 +538,8 @@ start_xmit(E1000State *s) * bogus values to TDT/TDLEN. * there's nothing too intelligent we could do about this. */ @@ -82,7 +82,7 @@ DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); break; -@@ -727,7 +728,8 @@ e1000_receive(void *opaque, const uint8_ +@@ -728,7 +729,8 @@ e1000_receive(void *opaque, const uint8_ s->mac_reg[RDH] = 0; s->check_rxov = 1; /* see comment in start_xmit; same here */ ++++++ CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch ++++++ References: bsc#967101 CVE-2016-2391 >From d1b07becc481e09225cfe905ec357807ae07f095 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann <address@hidden> Date: Tue, 16 Feb 2016 15:15:04 +0100 Subject: [PATCH] ohci timer fix Signed-off-by: Gerd Hoffmann <address@hidden> --- hw/usb/hcd-ohci.c | 31 +++++-------------------------- 1 file changed, 5 insertions(+), 26 deletions(-) Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c 
@@ -1139,16 +1139,6 @@ static void ohci_frame_boundary(void *op */ static int ohci_bus_start(OHCIState *ohci) { - ohci->eof_timer = qemu_new_timer(vm_clock, - ohci_frame_boundary, - ohci); - - if (ohci->eof_timer == NULL) { - fprintf(stderr, "usb-ohci: %s: qemu_new_timer failed\n", ohci->name); - /* TODO: Signal unrecoverable error */ - return 0; - } - dprintf("usb-ohci: %s: USB Operational\n", ohci->name); ohci_sof(ohci); @@ -1159,9 +1149,7 @@ static int ohci_bus_start(OHCIState *ohc /* Stop sending SOF tokens on the bus */ static void ohci_bus_stop(OHCIState *ohci) { - if (ohci->eof_timer) - qemu_del_timer(ohci->eof_timer); - ohci->eof_timer = NULL; + qemu_del_timer(ohci->eof_timer); } /* Sets a flag in a port status register but only set it if the port is @@ -1654,6 +1642,9 @@ static void usb_ohci_init(OHCIState *ohc ohci->async_td = 0; qemu_register_reset(ohci_reset, ohci); ohci_reset(ohci); + + ohci->eof_timer = qemu_new_timer(vm_clock, + ohci_frame_boundary, ohci); } typedef struct { ++++++ CVE-2016-2841-qemut-ne2000-infinite-loop-in-ne2000_receive.patch ++++++ References: bsc#969351 CVE-2016-2841 From: Prasad J Pandit <address@hidden> Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process network packets. Registers PSTART & PSTOP define ring buffer size & location. Setting these registers to invalid values could lead to infinite loop or OOB r/w access issues. Add check to avoid it. Reported-by: Yang Hongke <address@hidden> Signed-off-by: Prasad J Pandit <address@hidden> --- hw/net/ne2000.c | 4 ++++ 1 file changed, 4 insertions(+) Update per review: -> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c 
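Review bot: In usb_ohci_init the timer is now created after `ohci_reset(ohci)` has already run, and the second hunk makes ohci_bus_stop call `qemu_del_timer(ohci->eof_timer)` without the `if (ohci->eof_timer)` guard it removes. If ohci_reset reaches ohci_bus_stop (its body is not in these hunks), that first reset passes a timer pointer that has not been set yet. Moving `ohci->eof_timer = qemu_new_timer(vm_clock, ohci_frame_boundary, ohci);` above `qemu_register_reset(ohci_reset, ohci);` would close that window. The result of qemu_new_timer is also no longer checked, which the code removed from ohci_bus_start did; if it can return NULL in this tree, the check should move to usb_ohci_init along with the allocation.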
@@ -202,6 +202,10 @@ static int ne2000_buffer_full(NE2000Stat { int avail, index, boundary; + if (s->stop <= s->start) { + return 1; + } + index = s->curpag << 8; boundary = s->boundary << 8; if (index < boundary) ++++++ gcc6-warnings-as-errors.patch ++++++ References: bsc#969377 - xen does not build with GCC 6 --- xen-4.6.1-testing/xen/arch/x86/cpu/mcheck/non-fatal.c.orig 2016-03-04 15:59:08.000000000 -0700 +++ xen-4.6.1-testing/xen/arch/x86/cpu/mcheck/non-fatal.c 2016-03-04 16:00:25.000000000 -0700 @@ -94,8 +94,8 @@ static int __init init_nonfatal_mce_chec if (mce_disabled || !mce_available(c)) return -ENODEV; - if ( __get_cpu_var(poll_bankmask) == NULL ) - return -EINVAL; + if ( __get_cpu_var(poll_bankmask) == NULL ) + return -EINVAL; /* * Check for non-fatal errors every MCE_RATE s --- xen-4.6.1-testing/extras/mini-os-remote/lib/sys.c.orig 2016-03-04 15:27:26.000000000 -0700 +++ xen-4.6.1-testing/extras/mini-os-remote/lib/sys.c 2016-03-04 15:30:32.000000000 -0700 @@ -634,6 +634,7 @@ int closedir(DIR *dir) /* We assume that only the main thread calls select(). */ +#if defined(LIBC_VERBOSE) || defined(LIBC_DEBUG) static const char file_types[] = { [FTYPE_NONE] = 'N', [FTYPE_CONSOLE] = 'C', @@ -646,6 +647,7 @@ static const char file_types[] = { [FTYPE_KBD] = 'K', [FTYPE_FB] = 'G', }; +#endif #ifdef LIBC_DEBUG static void dump_set(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds, struct timeval *timeout) { ++++++ ioemu-vnc-resize.patch ++++++ --- /var/tmp/diff_new_pack.o9CL6m/_old 2016-03-07 13:23:20.000000000 +0100 +++ /var/tmp/diff_new_pack.o9CL6m/_new 2016-03-07 13:23:20.000000000 +0100 
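Review bot: The guard added to ne2000_buffer_full, `if (s->stop <= s->start) return 1;`, only checks the order of the two ring pointers. The description also names out-of-bounds access from invalid PSTART/PSTOP values, and nothing in this hunk bounds `s->start` or `s->stop` against NE2000_MEM_SIZE. Whether that limit is enforced where the registers are written is not visible here and should be confirmed. A comment such as `/* PSTART/PSTOP are guest-programmed: treat an empty or inverted ring as full */` would explain why "full" is the safe answer. The function body continues past the end of the hunk.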
@@ -2,7 +2,7 @@ =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c -@@ -1771,6 +1771,25 @@ static int protocol_client_msg(VncState +@@ -1761,6 +1761,25 @@ static int protocol_client_msg(VncState } set_encodings(vs, (int32_t *)(data + 4), limit); ++++++ ipxe-use-rpm-opt-flags.patch ++++++ References: bsc#969377 - xen does not build with GCC 6 Index: xen-4.6.1-testing/tools/firmware/etherboot/patches/ipxe-use-rpm-opt-flags.patch =================================================================== --- /dev/null +++ xen-4.6.1-testing/tools/firmware/etherboot/patches/ipxe-use-rpm-opt-flags.patch @@ -0,0 +1,11 @@ +--- ipxe/src/Makefile.orig 2016-03-04 15:48:15.000000000 -0700 ++++ ipxe/src/Makefile 2016-03-04 15:48:40.000000000 -0700 +@@ -4,7 +4,7 @@ + # + + CLEANUP := +-CFLAGS := ++CFLAGS := $(RPM_OPT_FLAGS) -Wno-error=array-bounds + ASFLAGS := + LDFLAGS := + MAKEDEPS := Makefile Index: xen-4.6.1-testing/tools/firmware/etherboot/patches/series =================================================================== --- xen-4.6.1-testing.orig/tools/firmware/etherboot/patches/series +++ xen-4.6.1-testing/tools/firmware/etherboot/patches/series @@ -5,3 +5,4 @@ build_fix_3.patch build-compare.patch build_fix_4.patch ipxe-no-error-logical-not-parentheses.patch +ipxe-use-rpm-opt-flags.patch ++++++ libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch ++++++ --- /var/tmp/diff_new_pack.o9CL6m/_old 2016-03-07 13:23:20.000000000 +0100 +++ /var/tmp/diff_new_pack.o9CL6m/_new 2016-03-07 13:23:20.000000000 +0100 
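Review bot: `CFLAGS := $(RPM_OPT_FLAGS) -Wno-error=array-bounds` in the added ipxe patch demotes array-bounds diagnostics for every object in the ipxe build, not only the file that trips GCC 6. The warning is still printed but no longer stops the build, so a real out-of-bounds finding introduced later would pass unnoticed. A comment in the patch naming the source file and the GCC version that need the exception, for example `# GCC 6: false positive in <file> (bsc#969377); drop when fixed upstream` with the file name filled in, would let the flag be scoped or removed later.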
@@ -7,11 +7,11 @@ tools/libxl/libxlu_disk_l.l | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) -Index: xen-4.6.0-testing/tools/libxl/libxl.c +Index: xen-4.6.1-testing/tools/libxl/libxl.c =================================================================== ---- xen-4.6.0-testing.orig/tools/libxl/libxl.c -+++ xen-4.6.0-testing/tools/libxl/libxl.c -@@ -2829,6 +2829,8 @@ static void device_disk_add(libxl__egc * +--- xen-4.6.1-testing.orig/tools/libxl/libxl.c ++++ xen-4.6.1-testing/tools/libxl/libxl.c +@@ -2833,6 +2833,8 @@ static void device_disk_add(libxl__egc * flexarray_append_pair(back, "discard-enable", libxl_defbool_val(disk->discard_enable) ? "1" : "0"); @@ -20,10 +20,10 @@ flexarray_append(front, "backend-id"); flexarray_append(front, libxl__sprintf(gc, "%d", disk->backend_domid)); -Index: xen-4.6.0-testing/tools/libxl/libxl.h +Index: xen-4.6.1-testing/tools/libxl/libxl.h =================================================================== ---- xen-4.6.0-testing.orig/tools/libxl/libxl.h -+++ xen-4.6.0-testing/tools/libxl/libxl.h +--- xen-4.6.1-testing.orig/tools/libxl/libxl.h ++++ xen-4.6.1-testing/tools/libxl/libxl.h @@ -205,6 +205,18 @@ #define LIBXL_HAVE_BUILDINFO_ARM_GIC_VERSION 1 @@ -43,10 +43,10 @@ * libxl ABI compatibility * * The only guarantee which libxl makes regarding ABI compatibility -Index: xen-4.6.0-testing/tools/libxl/libxlu_disk.c +Index: xen-4.6.1-testing/tools/libxl/libxlu_disk.c =================================================================== ---- xen-4.6.0-testing.orig/tools/libxl/libxlu_disk.c -+++ xen-4.6.0-testing/tools/libxl/libxlu_disk.c +--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk.c ++++ xen-4.6.1-testing/tools/libxl/libxlu_disk.c @@ -79,6 +79,8 @@ int xlu_disk_parse(XLU_Config *cfg, if (!disk->pdev_path || !strcmp(disk->pdev_path, "")) disk->format = LIBXL_DISK_FORMAT_EMPTY; 
@@ -56,10 +56,10 @@ if (!disk->vdev) { xlu__disk_err(&dpc,0, "no vdev specified"); -Index: xen-4.6.0-testing/tools/libxl/libxlu_disk_i.h +Index: xen-4.6.1-testing/tools/libxl/libxlu_disk_i.h =================================================================== ---- xen-4.6.0-testing.orig/tools/libxl/libxlu_disk_i.h -+++ xen-4.6.0-testing/tools/libxl/libxlu_disk_i.h +--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_i.h ++++ xen-4.6.1-testing/tools/libxl/libxlu_disk_i.h @@ -10,7 +10,7 @@ typedef struct { void *scanner; YY_BUFFER_STATE buf; @@ -69,10 +69,10 @@ const char *spec; } DiskParseContext; -Index: xen-4.6.0-testing/tools/libxl/libxlu_disk_l.l +Index: xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l =================================================================== ---- xen-4.6.0-testing.orig/tools/libxl/libxlu_disk_l.l -+++ xen-4.6.0-testing/tools/libxl/libxlu_disk_l.l +--- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_l.l ++++ xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l @@ -176,6 +176,7 @@ script=[^,]*,? { STRIP(','); SAVESTRING( direct-io-safe,? { DPC->disk->direct_io_safe = 1; } discard,? { libxl_defbool_set(&DPC->disk->discard_enable, true); } ++++++ qemu-dm-segfault.patch ++++++ --- /var/tmp/diff_new_pack.o9CL6m/_old 2016-03-07 13:23:20.000000000 +0100 +++ /var/tmp/diff_new_pack.o9CL6m/_new 2016-03-07 13:23:20.000000000 +0100 @@ -41,7 +41,7 @@ if (ret < 0) { ide_atapi_io_error(s, ret); -@@ -2368,7 +2371,7 @@ static void cdrom_change_cb(void *opaque +@@ -2375,7 +2378,7 @@ static void cdrom_change_cb(void *opaque IDEState *s = opaque; uint64_t nb_sectors; ++++++ qemu-security-etch1.patch ++++++ --- /var/tmp/diff_new_pack.o9CL6m/_old 2016-03-07 13:23:20.000000000 +0100 +++ /var/tmp/diff_new_pack.o9CL6m/_new 2016-03-07 13:23:20.000000000 +0100 
@@ -2,7 +2,7 @@ =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ne2000.c -@@ -218,7 +218,7 @@ static int ne2000_can_receive(void *opaq +@@ -222,7 +222,7 @@ static int ne2000_can_receive(void *opaq NE2000State *s = opaque; if (s->cmd & E8390_STOP) ++++++ xen.libxl.dmmd.patch ++++++ --- /var/tmp/diff_new_pack.o9CL6m/_old 2016-03-07 13:23:20.000000000 +0100 +++ /var/tmp/diff_new_pack.o9CL6m/_new 2016-03-07 13:23:20.000000000 +0100 @@ -107,7 +107,7 @@ =================================================================== --- xen-4.6.1-testing.orig/tools/libxl/libxlu_disk_l.l +++ xen-4.6.1-testing/tools/libxl/libxlu_disk_l.l -@@ -210,6 +210,8 @@ target=.* { STRIP(','); SAVESTRING("targ +@@ -209,6 +209,8 @@ target=.* { STRIP(','); SAVESTRING("targ free(newscript); } ++++++ xsa154.patch ++++++ --- /var/tmp/diff_new_pack.o9CL6m/_old 2016-03-07 13:23:20.000000000 +0100 +++ /var/tmp/diff_new_pack.o9CL6m/_new 2016-03-07 13:23:20.000000000 +0100 @@ -236,7 +236,7 @@ /* Only needed the reference to confirm dom_io ownership. */ if ( mfn_valid(mfn) ) -@@ -836,24 +845,55 @@ get_page_from_l1e( +@@ -836,24 +845,57 @@ get_page_from_l1e( return -EINVAL; } @@ -251,9 +251,11 @@ + case 0: + break; + case 1: -+ if ( is_hardware_domain(l1e_owner) ) ++ if ( !is_hardware_domain(l1e_owner) ) ++ break; ++ /* fallthrough */ + case -1: -+ return 0; ++ return 0; + default: + ASSERT_UNREACHABLE(); + } @@ -308,7 +310,7 @@ } if ( unlikely( (real_pg_owner != pg_owner) && -@@ -1243,8 +1283,9 @@ static int alloc_l1_table(struct page_in +@@ -1243,8 +1285,9 @@ static int alloc_l1_table(struct page_in goto fail; case 0: break; @@ -320,7 +322,7 @@ break; } -@@ -1759,8 +1800,9 @@ static int mod_l1_entry(l1_pgentry_t *pl +@@ -1759,8 +1802,9 @@ static int mod_l1_entry(l1_pgentry_t *pl return -EINVAL; } 
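Review bot: In the `@@ -251,9 +251,11 @@` hunk of xsa154.patch, `default: ASSERT_UNREACHABLE();` is still the last arm of the switch with nothing after it, so in a build where the assertion compiles to nothing an unexpected selector value leaves the switch the same way `case 0` does. That is probably the intended conservative outcome, but it is undocumented; `default: ASSERT_UNREACHABLE(); break; /* treated like case 0 */` would make it explicit. The switch header and the code reached after the switch are outside this hunk, so that reading should be confirmed there. The package changelog says only "Drop xsa154-fix.patch"; this hunk looks like that fix folded in, and the patch header should say so, because xsa154.patch otherwise differs from the advisory's patch without explanation.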
@@ -332,7 +334,7 @@ { adjust_guest_l1e(nl1e, pt_dom); if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu, -@@ -1783,8 +1825,9 @@ static int mod_l1_entry(l1_pgentry_t *pl +@@ -1783,8 +1827,9 @@ static int mod_l1_entry(l1_pgentry_t *pl return rc; case 0: break; @@ -344,7 +346,7 @@ rc = 0; break; } -@@ -5000,6 +5043,7 @@ static int ptwr_emulated_update( +@@ -5000,6 +5045,7 @@ static int ptwr_emulated_update( l1_pgentry_t pte, ol1e, nl1e, *pl1e; struct vcpu *v = current; struct domain *d = v->domain; @@ -352,7 +354,7 @@ /* Only allow naturally-aligned stores within the original %cr2 page. */ if ( unlikely(((addr^ptwr_ctxt->cr2) & PAGE_MASK) || (addr & (bytes-1))) ) -@@ -5047,7 +5091,7 @@ static int ptwr_emulated_update( +@@ -5047,7 +5093,7 @@ static int ptwr_emulated_update( /* Check the new PTE. */ nl1e = l1e_from_intpte(val); @@ -361,7 +363,7 @@ { default: if ( is_pv_32bit_domain(d) && (bytes == 4) && (unaligned_addr & 4) && -@@ -5071,8 +5115,9 @@ static int ptwr_emulated_update( +@@ -5071,8 +5117,9 @@ static int ptwr_emulated_update( break; case 0: break;
