From 7e0f315531fdc3c24b6b9a0bb9d391b4cb52780e Mon Sep 17 00:00:00 2001 From: Tomáš Mózes Date: Fri, 14 Apr 2023 19:03:31 +0200 Subject: Xen 4.17.1-pre-patchset-0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Tomáš Mózes --- 0001-update-Xen-version-to-4.16.4-pre.patch | 25 - 0001-update-Xen-version-to-4.17.1-pre.patch | 136 ++++++ ...roadcast-accept-partial-broadcast-success.patch | 34 -- ...not-release-irq-until-all-cleanup-is-done.patch | 90 ++++ ...not-forward-MADT-Local-APIC-NMI-structure.patch | 103 ++++ ...prevent-overflow-with-high-frequency-TSCs.patch | 34 -- ...-t-mark-external-IRQs-as-pending-when-vLA.patch | 71 +++ ...-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch | 36 -- ...uild-with-recent-QEMU-use-enable-trace-ba.patch | 50 -- ...n-don-t-mark-IRQ-vectors-as-pending-when-.patch | 60 +++ ...-t-mark-evtchn-upcall-vector-as-pending-w.patch | 70 +++ ...culate-model-specific-LBRs-once-at-start-.patch | 342 ------------- ...roadcast-accept-partial-broadcast-success.patch | 34 ++ ...pport-for-CPUs-without-model-specific-LBR.patch | 83 ---- ...cate-the-ESRT-when-booting-via-multiboot2.patch | 195 ++++++++ ...fix-PAE-check-for-top-level-table-unshado.patch | 39 -- ...x-an-incorrect-assignment-to-uart-io_size.patch | 34 -- ...prevent-overflow-with-high-frequency-TSCs.patch | 34 ++ 0010-libxl-fix-guest-kexec-skip-cpuid-policy.patch | 72 --- ...tored-Fix-incorrect-scope-after-an-if-sta.patch | 52 ++ ...-evtchn-OCaml-5-support-fix-potential-res.patch | 68 +++ ...-xenctrl-Make-domain_getinfolist-tail-rec.patch | 71 --- ...l-evtchn-Add-binding-for-xenevtchn_fdopen.patch | 81 +++ ...-xenctrl-Use-larger-chunksize-in-domain_g.patch | 41 -- ...-evtchn-Extend-the-init-binding-with-a-cl.patch | 90 ++++ ...aml-xb-mmap-Use-Data_abstract_val-wrapper.patch | 75 --- 0014-tools-ocaml-xb-Drop-Xs_ring.write.patch | 62 --- 0014-tools-oxenstored-Style-fixes-to-Domain.patch | 64 +++ ...tored-Bind-the-DOM_EXC-VIRQ-in-in-Event.i.patch | 82 ++++ ...tored-validate-config-file-before-live-up.patch | 131 ----- ...l-libs-Don-t-declare-stubs-as-taking-void.patch | 61 --- ...tored-Rename-some-port-variables-to-remot.patch | 144 ++++++ 
...-libs-Allocate-the-correct-amount-of-memo.patch | 80 --- ...oxenstored-Implement-Domain.rebind_evtchn.patch | 67 +++ ...-evtchn-Don-t-reference-Custom-objects-wi.patch | 213 -------- ...tored-Rework-Domain-evtchn-handling-to-us.patch | 209 ++++++++ ...-xc-Fix-binding-for-xc_domain_assign_devi.patch | 70 --- ...tored-Keep-dev-xen-evtchn-open-across-liv.patch | 367 ++++++++++++++ ...-xc-Don-t-reference-Abstract_Tag-objects-.patch | 76 --- ...tored-Log-live-update-issues-at-warning-l.patch | 42 ++ ...-libs-Fix-memory-resource-leaks-with-caml.patch | 61 --- ...oxenstored-Set-uncaught-exception-handler.patch | 83 ++++ ...tored-syslog-Avoid-potential-NULL-derefer.patch | 55 +++ ...rl-Mitigate-Cross-Thread-Return-Address-P.patch | 120 ----- ...Remove-clang-8-from-Debian-unstable-conta.patch | 84 ---- ...tored-Render-backtraces-more-nicely-in-Sy.patch | 83 ++++ ...s-xenstore-simplify-loop-handling-connect.patch | 136 ++++++ ...ix-parallel-build-between-flex-bison-and-.patch | 50 -- ...-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch | 36 ++ ...uid-Infrastructure-for-leaves-7-1-ecx-edx.patch | 128 ----- ...uild-with-recent-QEMU-use-enable-trace-ba.patch | 50 ++ ...isable-CET-SS-on-parts-susceptible-to-fra.patch | 191 -------- ...pect-credit2_runqueue-all-when-arranging-.patch | 69 --- ...pat-produce-stubs-for-headers-not-otherwi.patch | 74 +++ ...MD-apply-the-patch-early-on-every-logical.patch | 152 ------ ...culate-model-specific-LBRs-once-at-start-.patch | 342 +++++++++++++ ...-mem_sharing-teardown-before-paging-teard.patch | 111 ----- ...pport-for-CPUs-without-model-specific-LBR.patch | 83 ++++ ...fix-PAE-check-for-top-level-table-unshado.patch | 39 ++ ...Work-around-Clang-IAS-macro-expansion-bug.patch | 115 ----- ...uilding-flask-headers-before-descending-i.patch | 50 ++ ...ng-Wunicode-diagnostic-when-building-asm-.patch | 83 ---- ...x-an-incorrect-assignment-to-uart-io_size.patch | 34 ++ ...KG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch | 98 ---- 
...Fix-resource-leaks-in-xc_core_arch_map_p2.patch | 65 --- 0033-libxl-fix-guest-kexec-skip-cpuid-policy.patch | 72 +++ ...Fix-leak-on-realloc-failure-in-backup_pte.patch | 56 --- ...-xenctrl-Make-domain_getinfolist-tail-rec.patch | 71 +++ ...-xenctrl-Use-larger-chunksize-in-domain_g.patch | 41 ++ ...MD-late-load-the-patch-on-every-logical-t.patch | 90 ---- ...aml-xb-mmap-Use-Data_abstract_val-wrapper.patch | 75 +++ ...account-for-log-dirty-mode-when-pre-alloc.patch | 92 ---- 0037-tools-ocaml-xb-Drop-Xs_ring.write.patch | 62 +++ ...nd-number-of-pinned-cache-attribute-regio.patch | 50 -- ...tored-validate-config-file-before-live-up.patch | 131 +++++ ...ialize-pinned-cache-attribute-list-manipu.patch | 126 ----- ...l-libs-Don-t-declare-stubs-as-taking-void.patch | 61 +++ ...rl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch | 56 --- ...-libs-Allocate-the-correct-amount-of-memo.patch | 80 +++ ...python-change-s-size-type-for-Python-3.10.patch | 72 --- ...-evtchn-Don-t-reference-Custom-objects-wi.patch | 213 ++++++++ ...s-xenmon-Fix-xenmon.py-for-with-python3.x.patch | 54 -- ...arking-fix-build-with-gcc12-and-NR_CPUS-1.patch | 95 ---- ...-xc-Fix-binding-for-xc_domain_assign_devi.patch | 70 +++ ...-xc-Don-t-reference-Abstract_Tag-objects-.patch | 76 +++ ...help-gcc13-to-avoid-it-emitting-a-warning.patch | 129 ----- 0044-VT-d-constrain-IGD-check.patch | 44 -- ...-libs-Fix-memory-resource-leaks-with-caml.patch | 61 +++ 0045-bunzip-work-around-gcc13-warning.patch | 42 -- ...rl-Mitigate-Cross-Thread-Return-Address-P.patch | 120 +++++ ...Remove-clang-8-from-Debian-unstable-conta.patch | 84 ++++ 0046-libacpi-fix-PCI-hotplug-AML.patch | 57 --- ...ithout-XT-x2APIC-needs-to-be-forced-into-.patch | 42 -- ...ix-parallel-build-between-flex-bison-and-.patch | 50 ++ ...mmu-no-igfx-if-the-IOMMU-scope-contains-f.patch | 44 -- ...uid-Infrastructure-for-leaves-7-1-ecx-edx.patch | 126 +++++ ...fix-and-improve-sh_page_has_multiple_shad.patch | 47 -- 
...isable-CET-SS-on-parts-susceptible-to-fra.patch | 195 ++++++++ ...pect-credit2_runqueue-all-when-arranging-.patch | 69 +++ ...Fix-evaluate_nospec-code-generation-under.patch | 101 ---- 0051-build-make-FILE-symbol-paths-consistent.patch | 42 ++ ...x86-shadow-Fix-build-with-no-PG_log_dirty.patch | 56 --- ...MD-apply-the-patch-early-on-every-logical.patch | 154 ++++++ ...-t-spuriously-crash-the-domain-when-INIT-.patch | 51 -- ...-mem_sharing-teardown-before-paging-teard.patch | 111 +++++ ...6-ucode-Fix-error-paths-control_thread_fn.patch | 56 --- ...andle-accesses-adjacent-to-the-MSI-X-tabl.patch | 543 --------------------- ...Work-around-Clang-IAS-macro-expansion-bug.patch | 109 +++++ ...rect-name-value-pair-parsing-for-PCI-port.patch | 59 --- ...ng-Wunicode-diagnostic-when-building-asm-.patch | 83 ++++ 0056-bump-default-SeaBIOS-version-to-1.16.0.patch | 28 -- ...KG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch | 91 ++++ 0057-CI-Drop-automation-configs.patch | 87 ---- ...Fix-resource-leaks-in-xc_core_arch_map_p2.patch | 65 +++ ...Switch-arm32-cross-builds-to-run-on-arm64.patch | 87 ---- ...Fix-leak-on-realloc-failure-in-backup_pte.patch | 56 +++ ...n-Remove-CentOS-7.2-containers-and-builds.patch | 145 ------ ...MD-late-load-the-patch-on-every-logical-t.patch | 90 ++++ ...mation-Remove-non-debug-x86_32-build-jobs.patch | 67 --- ...account-for-log-dirty-mode-when-pre-alloc.patch | 92 ++++ ...-llvm-8-from-the-Debian-Stretch-container.patch | 103 ---- ...nd-number-of-pinned-cache-attribute-regio.patch | 50 ++ ...ialize-pinned-cache-attribute-list-manipu.patch | 126 +++++ ...rl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch | 56 +++ ...lement-VMExit-based-guest-Bus-Lock-detect.patch | 175 +++++++ ...troduce-helper-to-set-VMX_INTR_SHADOW_NMI.patch | 102 ++++ 0066-x86-vmx-implement-Notify-VM-Exit.patch | 243 +++++++++ ...python-change-s-size-type-for-Python-3.10.patch | 72 +++ ...s-xenmon-Fix-xenmon.py-for-with-python3.x.patch | 54 ++ 
...rl-Add-BHI-controls-to-userspace-componen.patch | 51 ++ ...arking-fix-build-with-gcc12-and-NR_CPUS-1.patch | 95 ++++ ...help-gcc13-to-avoid-it-emitting-a-warning.patch | 129 +++++ 0072-VT-d-constrain-IGD-check.patch | 44 ++ 0073-bunzip-work-around-gcc13-warning.patch | 42 ++ 0074-libacpi-fix-PCI-hotplug-AML.patch | 57 +++ ...ithout-XT-x2APIC-needs-to-be-forced-into-.patch | 42 ++ ...mmu-no-igfx-if-the-IOMMU-scope-contains-f.patch | 44 ++ ...fix-and-improve-sh_page_has_multiple_shad.patch | 47 ++ ...Fix-evaluate_nospec-code-generation-under.patch | 101 ++++ ...x86-shadow-Fix-build-with-no-PG_log_dirty.patch | 56 +++ ...-t-spuriously-crash-the-domain-when-INIT-.patch | 51 ++ ...6-ucode-Fix-error-paths-control_thread_fn.patch | 56 +++ ...-t-mention-stub-headers-more-than-once-in.patch | 37 ++ ...andle-accesses-adjacent-to-the-MSI-X-tabl.patch | 540 ++++++++++++++++++++ ...rect-name-value-pair-parsing-for-PCI-port.patch | 59 +++ 0085-CI-Drop-automation-configs.patch | 87 ++++ ...Switch-arm32-cross-builds-to-run-on-arm64.patch | 87 ++++ ...n-Remove-CentOS-7.2-containers-and-builds.patch | 145 ++++++ ...mation-Remove-non-debug-x86_32-build-jobs.patch | 67 +++ ...-llvm-8-from-the-Debian-Stretch-container.patch | 103 ++++ info.txt | 6 +- 151 files changed, 8495 insertions(+), 5438 deletions(-) delete mode 100644 0001-update-Xen-version-to-4.16.4-pre.patch create mode 100644 0001-update-Xen-version-to-4.17.1-pre.patch delete mode 100644 0002-ioreq_broadcast-accept-partial-broadcast-success.patch create mode 100644 0002-x86-irq-do-not-release-irq-until-all-cleanup-is-done.patch create mode 100644 0003-x86-pvh-do-not-forward-MADT-Local-APIC-NMI-structure.patch delete mode 100644 0003-x86-time-prevent-overflow-with-high-frequency-TSCs.patch create mode 100644 0004-x86-HVM-don-t-mark-external-IRQs-as-pending-when-vLA.patch delete mode 100644 0004-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch delete mode 100644 
0005-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch create mode 100644 0005-x86-Viridian-don-t-mark-IRQ-vectors-as-pending-when-.patch create mode 100644 0006-x86-HVM-don-t-mark-evtchn-upcall-vector-as-pending-w.patch delete mode 100644 0006-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch create mode 100644 0007-ioreq_broadcast-accept-partial-broadcast-success.patch delete mode 100644 0007-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch create mode 100644 0008-EFI-relocate-the-ESRT-when-booting-via-multiboot2.patch delete mode 100644 0008-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch delete mode 100644 0009-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch create mode 100644 0009-x86-time-prevent-overflow-with-high-frequency-TSCs.patch delete mode 100644 0010-libxl-fix-guest-kexec-skip-cpuid-policy.patch create mode 100644 0010-tools-oxenstored-Fix-incorrect-scope-after-an-if-sta.patch create mode 100644 0011-tools-ocaml-evtchn-OCaml-5-support-fix-potential-res.patch delete mode 100644 0011-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch create mode 100644 0012-tools-ocaml-evtchn-Add-binding-for-xenevtchn_fdopen.patch delete mode 100644 0012-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch create mode 100644 0013-tools-ocaml-evtchn-Extend-the-init-binding-with-a-cl.patch delete mode 100644 0013-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch delete mode 100644 0014-tools-ocaml-xb-Drop-Xs_ring.write.patch create mode 100644 0014-tools-oxenstored-Style-fixes-to-Domain.patch create mode 100644 0015-tools-oxenstored-Bind-the-DOM_EXC-VIRQ-in-in-Event.i.patch delete mode 100644 0015-tools-oxenstored-validate-config-file-before-live-up.patch delete mode 100644 0016-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch create mode 100644 0016-tools-oxenstored-Rename-some-port-variables-to-remot.patch delete mode 100644 0017-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch 
create mode 100644 0017-tools-oxenstored-Implement-Domain.rebind_evtchn.patch delete mode 100644 0018-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch create mode 100644 0018-tools-oxenstored-Rework-Domain-evtchn-handling-to-us.patch delete mode 100644 0019-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch create mode 100644 0019-tools-oxenstored-Keep-dev-xen-evtchn-open-across-liv.patch delete mode 100644 0020-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch create mode 100644 0020-tools-oxenstored-Log-live-update-issues-at-warning-l.patch delete mode 100644 0021-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch create mode 100644 0021-tools-oxenstored-Set-uncaught-exception-handler.patch create mode 100644 0022-tools-oxenstored-syslog-Avoid-potential-NULL-derefer.patch delete mode 100644 0022-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch delete mode 100644 0023-automation-Remove-clang-8-from-Debian-unstable-conta.patch create mode 100644 0023-tools-oxenstored-Render-backtraces-more-nicely-in-Sy.patch create mode 100644 0024-Revert-tools-xenstore-simplify-loop-handling-connect.patch delete mode 100644 0024-libs-util-Fix-parallel-build-between-flex-bison-and-.patch create mode 100644 0025-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch delete mode 100644 0025-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch create mode 100644 0026-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch delete mode 100644 0026-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch delete mode 100644 0027-credit2-respect-credit2_runqueue-all-when-arranging-.patch create mode 100644 0027-include-compat-produce-stubs-for-headers-not-otherwi.patch delete mode 100644 0028-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch create mode 100644 0028-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch delete mode 100644 0029-x86-perform-mem_sharing-teardown-before-paging-teard.patch create mode 100644 
0029-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch create mode 100644 0030-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch delete mode 100644 0030-xen-Work-around-Clang-IAS-macro-expansion-bug.patch create mode 100644 0031-build-fix-building-flask-headers-before-descending-i.patch delete mode 100644 0031-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch create mode 100644 0032-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch delete mode 100644 0032-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch delete mode 100644 0033-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch create mode 100644 0033-libxl-fix-guest-kexec-skip-cpuid-policy.patch delete mode 100644 0034-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch create mode 100644 0034-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch create mode 100644 0035-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch delete mode 100644 0035-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch create mode 100644 0036-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch delete mode 100644 0036-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch create mode 100644 0037-tools-ocaml-xb-Drop-Xs_ring.write.patch delete mode 100644 0037-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch create mode 100644 0038-tools-oxenstored-validate-config-file-before-live-up.patch delete mode 100644 0038-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch create mode 100644 0039-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch delete mode 100644 0039-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch create mode 100644 0040-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch delete mode 100644 0040-tools-python-change-s-size-type-for-Python-3.10.patch create mode 100644 0041-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch delete mode 100644 0041-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch 
delete mode 100644 0042-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch create mode 100644 0042-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch create mode 100644 0043-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch delete mode 100644 0043-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch delete mode 100644 0044-VT-d-constrain-IGD-check.patch create mode 100644 0044-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch delete mode 100644 0045-bunzip-work-around-gcc13-warning.patch create mode 100644 0045-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch create mode 100644 0046-automation-Remove-clang-8-from-Debian-unstable-conta.patch delete mode 100644 0046-libacpi-fix-PCI-hotplug-AML.patch delete mode 100644 0047-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch create mode 100644 0047-libs-util-Fix-parallel-build-between-flex-bison-and-.patch delete mode 100644 0048-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch create mode 100644 0048-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch delete mode 100644 0049-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch create mode 100644 0049-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch create mode 100644 0050-credit2-respect-credit2_runqueue-all-when-arranging-.patch delete mode 100644 0050-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch create mode 100644 0051-build-make-FILE-symbol-paths-consistent.patch delete mode 100644 0051-x86-shadow-Fix-build-with-no-PG_log_dirty.patch create mode 100644 0052-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch delete mode 100644 0052-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch create mode 100644 0053-x86-perform-mem_sharing-teardown-before-paging-teard.patch delete mode 100644 0053-x86-ucode-Fix-error-paths-control_thread_fn.patch delete mode 100644 0054-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch create mode 100644 
0054-xen-Work-around-Clang-IAS-macro-expansion-bug.patch delete mode 100644 0055-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch create mode 100644 0055-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch delete mode 100644 0056-bump-default-SeaBIOS-version-to-1.16.0.patch create mode 100644 0056-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch delete mode 100644 0057-CI-Drop-automation-configs.patch create mode 100644 0057-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch delete mode 100644 0058-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch create mode 100644 0058-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch delete mode 100644 0059-automation-Remove-CentOS-7.2-containers-and-builds.patch create mode 100644 0059-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch delete mode 100644 0060-automation-Remove-non-debug-x86_32-build-jobs.patch create mode 100644 0060-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch delete mode 100644 0061-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch create mode 100644 0061-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch create mode 100644 0062-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch create mode 100644 0063-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch create mode 100644 0064-x86-vmx-implement-VMExit-based-guest-Bus-Lock-detect.patch create mode 100644 0065-x86-vmx-introduce-helper-to-set-VMX_INTR_SHADOW_NMI.patch create mode 100644 0066-x86-vmx-implement-Notify-VM-Exit.patch create mode 100644 0067-tools-python-change-s-size-type-for-Python-3.10.patch create mode 100644 0068-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch create mode 100644 0069-x86-spec-ctrl-Add-BHI-controls-to-userspace-componen.patch create mode 100644 0070-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch create mode 100644 0071-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch create mode 100644 
0072-VT-d-constrain-IGD-check.patch create mode 100644 0073-bunzip-work-around-gcc13-warning.patch create mode 100644 0074-libacpi-fix-PCI-hotplug-AML.patch create mode 100644 0075-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch create mode 100644 0076-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch create mode 100644 0077-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch create mode 100644 0078-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch create mode 100644 0079-x86-shadow-Fix-build-with-no-PG_log_dirty.patch create mode 100644 0080-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch create mode 100644 0081-x86-ucode-Fix-error-paths-control_thread_fn.patch create mode 100644 0082-include-don-t-mention-stub-headers-more-than-once-in.patch create mode 100644 0083-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch create mode 100644 0084-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch create mode 100644 0085-CI-Drop-automation-configs.patch create mode 100644 0086-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch create mode 100644 0087-automation-Remove-CentOS-7.2-containers-and-builds.patch create mode 100644 0088-automation-Remove-non-debug-x86_32-build-jobs.patch create mode 100644 0089-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch
diff --git a/0001-update-Xen-version-to-4.16.4-pre.patch b/0001-update-Xen-version-to-4.16.4-pre.patch
deleted file mode 100644
index 961358a..0000000
--- a/0001-update-Xen-version-to-4.16.4-pre.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From e3396cd8be5ee99d363a23f30c680e42fb2757bd Mon Sep 17 00:00:00 2001
-From: Jan Beulich
-Date: Tue, 20 Dec 2022 13:50:16 +0100
-Subject: [PATCH 01/61] update Xen version to 4.16.4-pre
-
----
- xen/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xen/Makefile b/xen/Makefile
-index 06dde1e03c..67c5551ffd 100644
---- a/xen/Makefile
-+++ b/xen/Makefile
-@@ -2,7 +2,7 @@
- # All other places this is stored (eg. compile.h) should be autogenerated.
- export XEN_VERSION = 4
- export XEN_SUBVERSION = 16
--export XEN_EXTRAVERSION ?= .3$(XEN_VENDORVERSION)
-+export XEN_EXTRAVERSION ?= .4-pre$(XEN_VENDORVERSION)
- export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION)
- -include xen-version
-
---
-2.40.0
-
diff --git a/0001-update-Xen-version-to-4.17.1-pre.patch b/0001-update-Xen-version-to-4.17.1-pre.patch
new file mode 100644
index 0000000..1d1bb53
--- /dev/null
+++ b/0001-update-Xen-version-to-4.17.1-pre.patch
@@ -0,0 +1,136 @@
+From 0b999fa2eadaeff840a8331b87f1f73abf3b14eb Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Tue, 20 Dec 2022 13:40:38 +0100
+Subject: [PATCH 01/89] update Xen version to 4.17.1-pre
+
+---
+ MAINTAINERS | 92 +++++----------------------------------------------------
+ xen/Makefile | 2 +-
+ 2 files changed, 10 insertions(+), 84 deletions(-)
+
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 175f10f33f..ebb908cc37 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -54,6 +54,15 @@ list. Remember to copy the appropriate stable branch maintainer who
+ will be listed in this section of the MAINTAINERS file in the
+ appropriate branch.
+
++The maintainer for this branch is:
++
++ Jan Beulich
++
++Tools backport requests should also be copied to:
++
++       Anthony Perard 
++
++
+ Unstable Subsystem Maintainers
+ ==============================
+
+@@ -104,89 +113,6 @@ Descriptions of section entries:
+ xen-maintainers-
+
+
+- Check-in policy
+- ===============
+-
+-In order for a patch to be checked in, in general, several conditions
+-must be met:
+-
+-1. In order to get a change to a given file committed, it must have
+- the approval of at least one maintainer of that file.
+-
+- A patch of course needs Acks from the maintainers of each file that
+- it changes; so a patch which changes xen/arch/x86/traps.c,
+- xen/arch/x86/mm/p2m.c, and xen/arch/x86/mm/shadow/multi.c would
+- require an Ack from each of the three sets of maintainers.
+-
+- See below for rules on nested maintainership.
+-
+-2. It must have appropriate approval from someone other than the
+- submitter. This can be either:
+-
+- a. An Acked-by from a maintainer of the code being touched (a
+- co-maintainer if available, or a more general level maintainer if
+- not available; see the secton on nested maintainership)
+-
+- b. A Reviewed-by by anyone of suitable stature in the community
+-
+-3. Sufficient time must have been given for anyone to respond. This
+- depends in large part upon the urgency and nature of the patch.
+- For a straightforward uncontroversial patch, a day or two may be
+- sufficient; for a controversial patch, a week or two may be better.
+-
+-4. There must be no "open" objections.
+-
+-In a case where one person submits a patch and a maintainer gives an
+-Ack, the Ack stands in for both the approval requirement (#1) and the
+-Acked-by-non-submitter requirement (#2).
+-
+-In a case where a maintainer themselves submits a patch, the
+-Signed-off-by meets the approval requirement (#1); so a Review
+-from anyone in the community suffices for requirement #2.
+-
+-Before a maintainer checks in their own patch with another community
+-member's R-b but no co-maintainer Ack, it is especially important to
+-give their co-maintainer opportunity to give feedback, perhaps
+-declaring their intention to check it in without their co-maintainers
+-ack a day before doing so.
+-
+-Maintainers may choose to override non-maintainer objections in the
+-case that consensus can't be reached.
+-
+-As always, no policy can cover all possible situations. In
+-exceptional circumstances, committers may commit a patch in absence of
+-one or more of the above requirements, if they are reasonably
+-confident that the other maintainers will approve of their decision in
+-retrospect.
+-
+- The meaning of nesting
+- ======================
+-
+-Many maintainership areas are "nested": for example, there are entries
+-for xen/arch/x86 as well as xen/arch/x86/mm, and even
+-xen/arch/x86/mm/shadow; and there is a section at the end called "THE
+-REST" which lists all committers. The meaning of nesting is that:
+-
+-1. Under normal circumstances, the Ack of the most specific maintainer
+-is both necessary and sufficient to get a change to a given file
+-committed. So a change to xen/arch/x86/mm/shadow/multi.c requires the
+-the Ack of the xen/arch/x86/mm/shadow maintainer for that part of the
+-patch, but would not require the Ack of the xen/arch/x86 maintainer or
+-the xen/arch/x86/mm maintainer.
+-
+-2. In unusual circumstances, a more general maintainer's Ack can stand
+-in for or even overrule a specific maintainer's Ack. Unusual
+-circumstances might include:
+- - The patch is fixing a high-priority issue causing immediate pain,
+- and the more specific maintainer is not available.
+- - The more specific maintainer has not responded either to the
+- original patch, nor to "pings", within a reasonable amount of time.
+- - The more general maintainer wants to overrule the more specific
+- maintainer on some issue. (This should be exceptional.)
+- - In the case of a disagreement between maintainers, THE REST can
+- settle the matter by majority vote. (This should be very exceptional
+- indeed.)
+-
+
+ Maintainers List (try to look for most precise areas first)
+
+diff --git a/xen/Makefile b/xen/Makefile
+index d7102a3b47..dcedfbc38e 100644
+--- a/xen/Makefile
++++ b/xen/Makefile
+@@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST))
+ # All other places this is stored (eg. compile.h) should be autogenerated.
+ export XEN_VERSION = 4
+ export XEN_SUBVERSION = 17
+-export XEN_EXTRAVERSION ?= .0$(XEN_VENDORVERSION)
++export XEN_EXTRAVERSION ?= .1-pre$(XEN_VENDORVERSION)
+ export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION)
+ -include xen-version
+
+--
+2.40.0
+
diff --git a/0002-ioreq_broadcast-accept-partial-broadcast-success.patch b/0002-ioreq_broadcast-accept-partial-broadcast-success.patch
deleted file mode 100644
index 1b0ae9c..0000000
--- a/0002-ioreq_broadcast-accept-partial-broadcast-success.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From f2edbd79f5d5ce3b633885469852e1215dc0d4b5 Mon Sep 17 00:00:00 2001
-From: Per Bilse
-Date: Tue, 20 Dec 2022 13:50:47 +0100
-Subject: [PATCH 02/61] ioreq_broadcast(): accept partial broadcast success
-
-Avoid incorrectly triggering an error when a broadcast buffered ioreq
-is not handled by all registered clients, as long as the failure is
-strictly because the client doesn't handle buffered ioreqs.
-
-Signed-off-by: Per Bilse
-Reviewed-by: Paul Durrant
-master commit: a44734df6c24fadbdb001f051cc5580c467caf7d
-master date: 2022-12-07 12:17:30 +0100
----
- xen/common/ioreq.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c
-index 42414b750b..2a8d8de2d5 100644
---- a/xen/common/ioreq.c
-+++ b/xen/common/ioreq.c
-@@ -1322,7 +1322,8 @@ unsigned int ioreq_broadcast(ioreq_t *p, bool buffered)
-
- FOR_EACH_IOREQ_SERVER(d, id, s)
- {
-- if ( !s->enabled )
-+ if ( !s->enabled ||
-+ (buffered && s->bufioreq_handling == HVM_IOREQSRV_BUFIOREQ_OFF) )
- continue;
-
- if ( ioreq_send(s, p, buffered) == IOREQ_STATUS_UNHANDLED )
---
-2.40.0
-
diff --git a/0002-x86-irq-do-not-release-irq-until-all-cleanup-is-done.patch b/0002-x86-irq-do-not-release-irq-until-all-cleanup-is-done.patch
new file mode 100644
index 0000000..1c7a13d
--- /dev/null
+++ b/0002-x86-irq-do-not-release-irq-until-all-cleanup-is-done.patch
@@ -0,0 +1,90 @@
+From 9cbc04a95f8a7f7cc27901211cbe19a42850c4ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?=
+Date: Tue, 20 Dec 2022 13:43:04 +0100
+Subject: [PATCH 02/89] x86/irq: do not release irq until all cleanup is done
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Current code in _clear_irq_vector() will mark the irq as unused before
+doing the cleanup required when move_in_progress is true.
+
+This can lead to races in create_irq() if the function picks an irq
+desc that's been marked as unused but has move_in_progress set, as the
+call to assign_irq_vector() in that function can then fail with
+-EAGAIN.
+
+Prevent that by only marking irq descs as unused when all the cleanup
+has been done. While there also use write_atomic() when setting
+IRQ_UNUSED in _clear_irq_vector() and add a barrier in order to
+prevent the setting of IRQ_UNUSED getting reordered by the compiler.
+
+The check for move_in_progress cannot be removed from
+_assign_irq_vector(), as other users (io_apic_set_pci_routing() and
+ioapic_guest_write()) can still pass active irq descs to
+assign_irq_vector().
+
+Note the trace point is not moved and is now set before the irq is
+marked as unused. This is done so that the CPU mask provided in the
+trace point is the one belonging to the current vector, not the old
+one.
+
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Jan Beulich
+master commit: e267d11969a40f0aec33dbf966f5a6490b205f43
+master date: 2022-12-02 10:32:21 +0100
+---
+ xen/arch/x86/irq.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
+index cd0c8a30a8..20150b1c7f 100644
+--- a/xen/arch/x86/irq.c
++++ b/xen/arch/x86/irq.c
+@@ -220,27 +220,28 @@ static void _clear_irq_vector(struct irq_desc *desc)
+ clear_bit(vector, desc->arch.used_vectors);
+ }
+
+- desc->arch.used = IRQ_UNUSED;
+-
+ trace_irq_mask(TRC_HW_IRQ_CLEAR_VECTOR, irq, vector, tmp_mask);
+
+- if ( likely(!desc->arch.move_in_progress) )
+- return;
++ if ( unlikely(desc->arch.move_in_progress) )
++ {
++ /* If we were in motion, also clear desc->arch.old_vector */
++ old_vector = desc->arch.old_vector;
++ cpumask_and(tmp_mask, desc->arch.old_cpu_mask, &cpu_online_map);
+
+- /* If we were in motion, also clear desc->arch.old_vector */
+- old_vector = desc->arch.old_vector;
+- cpumask_and(tmp_mask, desc->arch.old_cpu_mask, &cpu_online_map);
++ for_each_cpu(cpu, tmp_mask)
++ {
++ ASSERT(per_cpu(vector_irq, cpu)[old_vector] == irq);
++ TRACE_3D(TRC_HW_IRQ_MOVE_FINISH, irq, old_vector, cpu);
++ per_cpu(vector_irq, cpu)[old_vector] = ~irq;
++ }
+
+- for_each_cpu(cpu, tmp_mask)
+- {
+- ASSERT(per_cpu(vector_irq, cpu)[old_vector] == irq);
+- TRACE_3D(TRC_HW_IRQ_MOVE_FINISH, irq, old_vector, cpu);
+- per_cpu(vector_irq, cpu)[old_vector] = ~irq;
+- }
++ release_old_vec(desc);
+
+- release_old_vec(desc);
++ desc->arch.move_in_progress = 0;
++ }
+
+- desc->arch.move_in_progress = 0;
++ smp_wmb();
++ write_atomic(&desc->arch.used, IRQ_UNUSED);
+ }
+
+ void __init clear_irq_vector(int irq)
+--
+2.40.0
+
diff --git a/0003-x86-pvh-do-not-forward-MADT-Local-APIC-NMI-structure.patch b/0003-x86-pvh-do-not-forward-MADT-Local-APIC-NMI-structure.patch
new file mode 100644
index 0000000..47d6997
--- /dev/null
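Review bot: The `smp_wmb()` added before `write_atomic(&desc->arch.used, IRQ_UNUSED)` at the end of `_clear_irq_vector()` has no comment saying which reads it orders against, so the publish-after-cleanup contract lives only in the commit message. The message also describes the barrier as preventing compiler reordering, while `smp_wmb()` is by name an SMP write barrier, and the hunk does not show whether the consumer in `create_irq()` reads `desc->arch.used` with a matching atomic or ordered access; that pairing is worth confirming, because a descriptor handed out while `move_in_progress` is still set is exactly the -EAGAIN race this change targets. I would add a comment above the barrier such as `/* Publish IRQ_UNUSED only after the move_in_progress cleanup above; pairs with the desc->arch.used check in create_irq(). */`. The body of `_clear_irq_vector()` starts outside the hunk.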
+++ b/0003-x86-pvh-do-not-forward-MADT-Local-APIC-NMI-structure.patch 
@@ -0,0 +1,103 @@ +From b7b34bd66ac77326bb49b10130013b4a9f83e4a2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= +Date: Tue, 20 Dec 2022 13:43:37 +0100 +Subject: [PATCH 03/89] x86/pvh: do not forward MADT Local APIC NMI structures + to dom0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently Xen will passthrough any Local APIC NMI Structure found in +the native ACPI MADT table to a PVH dom0. This is wrong because PVH +doesn't have access to the physical local APIC, and instead gets an +emulated local APIC by Xen, that doesn't have the LINT0 or LINT1 +pins wired to anything. Furthermore the ACPI Processor UIDs used in +the APIC NMI Structures are likely to not match the ones generated by +Xen for the Local x2APIC Structures, creating confusion to dom0. + +Fix this by removing the logic to passthrough the Local APIC NMI +Structure for PVH dom0. + +Fixes: 1d74282c45 ('x86: setup PVHv2 Dom0 ACPI tables') +Signed-off-by: Roger Pau Monné +Reviewed-by: Jan Beulich +master commit: b39e6385250ccef9509af0eab9003ad5c1478842 +master date: 2022-12-02 10:33:40 +0100 +--- + xen/arch/x86/hvm/dom0_build.c | 34 +--------------------------------- + 1 file changed, 1 insertion(+), 33 deletions(-) + +diff --git a/xen/arch/x86/hvm/dom0_build.c b/xen/arch/x86/hvm/dom0_build.c +index 1864d048a1..3ac6b7b423 100644 +--- a/xen/arch/x86/hvm/dom0_build.c ++++ b/xen/arch/x86/hvm/dom0_build.c +@@ -58,9 +58,6 @@ + static unsigned int __initdata acpi_intr_overrides; + static struct acpi_madt_interrupt_override __initdata *intsrcovr; + +-static unsigned int __initdata acpi_nmi_sources; +-static struct acpi_madt_nmi_source __initdata *nmisrc; +- + static unsigned int __initdata order_stats[MAX_ORDER + 1]; + + static void __init print_order_stats(const struct domain *d) +@@ -763,25 +760,6 @@ static int __init cf_check acpi_set_intr_ovr( + return 0; + } + +-static int __init cf_check acpi_count_nmi_src( +- struct 
acpi_subtable_header *header, const unsigned long end) +-{ +- acpi_nmi_sources++; +- return 0; +-} +- +-static int __init cf_check acpi_set_nmi_src( +- struct acpi_subtable_header *header, const unsigned long end) +-{ +- const struct acpi_madt_nmi_source *src = +- container_of(header, struct acpi_madt_nmi_source, header); +- +- *nmisrc = *src; +- nmisrc++; +- +- return 0; +-} +- + static int __init pvh_setup_acpi_madt(struct domain *d, paddr_t *addr) + { + struct acpi_table_madt *madt; +@@ -797,16 +775,11 @@ static int __init pvh_setup_acpi_madt(struct domain *d, paddr_t *addr) + acpi_table_parse_madt(ACPI_MADT_TYPE_INTERRUPT_OVERRIDE, + acpi_count_intr_ovr, UINT_MAX); + +- /* Count number of NMI sources in the MADT. */ +- acpi_table_parse_madt(ACPI_MADT_TYPE_NMI_SOURCE, acpi_count_nmi_src, +- UINT_MAX); +- + max_vcpus = dom0_max_vcpus(); + /* Calculate the size of the crafted MADT. */ + size = sizeof(*madt); + size += sizeof(*io_apic) * nr_ioapics; + size += sizeof(*intsrcovr) * acpi_intr_overrides; +- size += sizeof(*nmisrc) * acpi_nmi_sources; + size += sizeof(*x2apic) * max_vcpus; + + madt = xzalloc_bytes(size); +@@ -862,12 +835,7 @@ static int __init pvh_setup_acpi_madt(struct domain *d, paddr_t *addr) + acpi_table_parse_madt(ACPI_MADT_TYPE_INTERRUPT_OVERRIDE, acpi_set_intr_ovr, + acpi_intr_overrides); + +- /* Setup NMI sources. */ +- nmisrc = (void *)intsrcovr; +- acpi_table_parse_madt(ACPI_MADT_TYPE_NMI_SOURCE, acpi_set_nmi_src, +- acpi_nmi_sources); +- +- ASSERT(((void *)nmisrc - (void *)madt) == size); ++ ASSERT(((void *)intsrcovr - (void *)madt) == size); + madt->header.length = size; + /* + * Calling acpi_tb_checksum here is a layering violation, but +-- +2.40.0 + diff --git a/0003-x86-time-prevent-overflow-with-high-frequency-TSCs.patch b/0003-x86-time-prevent-overflow-with-high-frequency-TSCs.patch deleted file mode 100644 index a031317..0000000 --- a/0003-x86-time-prevent-overflow-with-high-frequency-TSCs.patch +++ /dev/null 
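Review bot: The patch description and the removed code name different MADT entries. The text speaks of the Local APIC NMI Structure (LINT0/LINT1 pins, ACPI Processor UIDs), while the deleted callbacks parse `ACPI_MADT_TYPE_NMI_SOURCE` into `struct acpi_madt_nmi_source`, which in the ACPI tables is the separate NMI Source entry. The size calculation left in pvh_setup_acpi_madt() covers only the IO-APIC, interrupt-override and x2APIC entries, so no NMI entry of either kind is forwarded afterwards and only the wording needs fixing. A short comment above that calculation, such as `/* NMI entries are deliberately not forwarded: dom0 only sees Xen's emulated LAPIC. */`, would keep the passthrough from being re-added later. pvh_setup_acpi_madt() starts and ends outside these hunks.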
@@ -1,34 +0,0 @@ -From 65bf12135f618614bbf44626fba1c20ca8d1a127 Mon Sep 17 00:00:00 2001 -From: Neowutran -Date: Tue, 20 Dec 2022 13:51:42 +0100 -Subject: [PATCH 03/61] x86/time: prevent overflow with high frequency TSCs - -Make sure tsc_khz is promoted to a 64-bit type before multiplying by -1000 to avoid an 'overflow before widen' bug. Otherwise just above -4.294GHz the value will overflow. Processors with clocks this high are -now in production and require this to work correctly. - -Signed-off-by: Neowutran -Reviewed-by: Jan Beulich -master commit: ad15a0a8ca2515d8ac58edfc0bc1d3719219cb77 -master date: 2022-12-19 11:34:16 +0100 ---- - xen/arch/x86/time.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c -index 1daff92dca..db0b149ec6 100644 ---- a/xen/arch/x86/time.c -+++ b/xen/arch/x86/time.c -@@ -2490,7 +2490,7 @@ int tsc_set_info(struct domain *d, - case TSC_MODE_ALWAYS_EMULATE: - d->arch.vtsc_offset = get_s_time() - elapsed_nsec; - d->arch.tsc_khz = gtsc_khz ?: cpu_khz; -- set_time_scale(&d->arch.vtsc_to_ns, d->arch.tsc_khz * 1000); -+ set_time_scale(&d->arch.vtsc_to_ns, d->arch.tsc_khz * 1000UL); - - /* - * In default mode use native TSC if the host has safe TSC and --- -2.40.0 - diff --git a/0004-x86-HVM-don-t-mark-external-IRQs-as-pending-when-vLA.patch b/0004-x86-HVM-don-t-mark-external-IRQs-as-pending-when-vLA.patch new file mode 100644 index 0000000..01dcba8 --- /dev/null +++ b/0004-x86-HVM-don-t-mark-external-IRQs-as-pending-when-vLA.patch 
@@ -0,0 +1,71 @@ +From 54bb56e12868100c5ce06e33b4f57b6b2b8f37b9 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 20 Dec 2022 13:44:07 +0100 +Subject: [PATCH 04/89] x86/HVM: don't mark external IRQs as pending when + vLAPIC is disabled + +In software-disabled state an LAPIC does not accept any interrupt +requests and hence no IRR bit would newly become set while in this +state. As a result it is also wrong for us to mark IO-APIC or MSI +originating vectors as having a pending request when the vLAPIC is in +this state. Such interrupts are simply lost. + +Introduce (IO-APIC) or re-use (MSI) a local variable to help +readability. + +Fixes: 4fe21ad3712e ("This patch add virtual IOAPIC support for VMX guest") +Fixes: 85715f4bc7c9 ("MSI 5/6: add MSI support to passthrough HVM domain") +Signed-off-by: Jan Beulich +Acked-by: Andrew Cooper +master commit: f1d7aac1e3c3cd164e17d41791a575a5c3e87121 +master date: 2022-12-02 10:35:01 +0100 +--- + xen/arch/x86/hvm/vioapic.c | 9 +++++++-- + xen/arch/x86/hvm/vmsi.c | 10 ++++++---- + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/xen/arch/x86/hvm/vioapic.c b/xen/arch/x86/hvm/vioapic.c +index cb7f440160..41e3c4d5e4 100644 +--- a/xen/arch/x86/hvm/vioapic.c ++++ b/xen/arch/x86/hvm/vioapic.c +@@ -460,9 +460,14 @@ static void vioapic_deliver(struct hvm_vioapic *vioapic, unsigned int pin) + + case dest_Fixed: + for_each_vcpu ( d, v ) +- if ( vlapic_match_dest(vcpu_vlapic(v), NULL, 0, dest, dest_mode) ) +- ioapic_inj_irq(vioapic, vcpu_vlapic(v), vector, trig_mode, ++ { ++ struct vlapic *vlapic = vcpu_vlapic(v); ++ ++ if ( vlapic_enabled(vlapic) && ++ vlapic_match_dest(vlapic, NULL, 0, dest, dest_mode) ) ++ ioapic_inj_irq(vioapic, vlapic, vector, trig_mode, + delivery_mode); ++ } + break; + + case dest_NMI: +diff --git a/xen/arch/x86/hvm/vmsi.c b/xen/arch/x86/hvm/vmsi.c +index 75f92885dc..3cd4923060 100644 +--- a/xen/arch/x86/hvm/vmsi.c ++++ b/xen/arch/x86/hvm/vmsi.c +@@ -87,10 +87,12 @@ int vmsi_deliver( + + case 
dest_Fixed: + for_each_vcpu ( d, v ) +- if ( vlapic_match_dest(vcpu_vlapic(v), NULL, +- 0, dest, dest_mode) ) +- vmsi_inj_irq(vcpu_vlapic(v), vector, +- trig_mode, delivery_mode); ++ { ++ target = vcpu_vlapic(v); ++ if ( vlapic_enabled(target) && ++ vlapic_match_dest(target, NULL, 0, dest, dest_mode) ) ++ vmsi_inj_irq(target, vector, trig_mode, delivery_mode); ++ } + break; + + default: +-- +2.40.0 + diff --git a/0004-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch b/0004-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch deleted file mode 100644 index 3d1c089..0000000 --- a/0004-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 7b1b9849e8a0d7791866d6d21c45993dfe27836c Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Tue, 7 Feb 2023 17:03:09 +0100 -Subject: [PATCH 04/61] x86/S3: Restore Xen's MSR_PAT value on S3 resume - -There are two paths in the trampoline, and Xen's PAT needs setting up in both, -not just the boot path. - -Fixes: 4304ff420e51 ("x86/S3: Drop {save,restore}_rest_processor_state() completely") -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -master commit: 4d975798e11579fdf405b348543061129e01b0fb -master date: 2023-01-10 21:21:30 +0000 ---- - xen/arch/x86/boot/wakeup.S | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/xen/arch/x86/boot/wakeup.S b/xen/arch/x86/boot/wakeup.S -index c17d613b61..08447e1934 100644 ---- a/xen/arch/x86/boot/wakeup.S -+++ b/xen/arch/x86/boot/wakeup.S -@@ -130,6 +130,11 @@ wakeup_32: - and %edi, %edx - wrmsr - 1: -+ /* Set up PAT before enabling paging. */ -+ mov $XEN_MSR_PAT & 0xffffffff, %eax -+ mov $XEN_MSR_PAT >> 32, %edx -+ mov $MSR_IA32_CR_PAT, %ecx -+ wrmsr - - /* Set up EFER (Extended Feature Enable Register). */ - movl $MSR_EFER,%ecx --- -2.40.0 - diff --git a/0005-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch b/0005-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch deleted file mode 100644 index ff66a43..0000000 
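Review bot: Neither dest_Fixed loop, in vioapic_deliver() or in vmsi_deliver(), says why a vCPU that matches the destination is now skipped, so a later reader could mistake the `vlapic_enabled()` test for an optimisation and remove it. A one-line comment at each check would keep the reasoning from the description next to the code, for example `/* A disabled LAPIC accepts no requests: drop the interrupt, do not latch it in IRR. */`. The same applies to the `vlapic_enabled()` checks added by the Viridian and evtchn-upcall patches later in this series. Both functions start and end outside their hunks, so it cannot be seen here whether the other delivery modes already carry the check.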
--- a/0005-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 998c03b2abfbf17ff96bccad1512de1ea18d0d75 Mon Sep 17 00:00:00 2001 -From: Anthony PERARD -Date: Tue, 7 Feb 2023 17:03:51 +0100 -Subject: [PATCH 05/61] tools: Fix build with recent QEMU, use - "--enable-trace-backends" - -The configure option "--enable-trace-backend" isn't accepted anymore -and we should use "--enable-trace-backends" instead which was -introduce in 2014 and allow multiple backends. - -"--enable-trace-backends" was introduced by: - 5b808275f3bb ("trace: Multi-backend tracing") -The backward compatible option "--enable-trace-backend" is removed by - 10229ec3b0ff ("configure: remove backwards-compatibility and obsolete options") - -As we already use ./configure options that wouldn't be accepted by -older version of QEMU's configure, we will simply use the new spelling -for the option and avoid trying to detect which spelling to use. - -We already make use if "--firmwarepath=" which was introduced by - 3d5eecab4a5a ("Add --firmwarepath to configure") -which already include the new spelling for "--enable-trace-backends". 
- -Signed-off-by: Anthony PERARD -Reviewed-by: Jason Andryuk -master commit: e66d450b6e0ffec635639df993ab43ce28b3383f -master date: 2023-01-11 10:45:29 +0100 ---- - tools/Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/tools/Makefile b/tools/Makefile -index 757a560be0..9b6b605ec9 100644 ---- a/tools/Makefile -+++ b/tools/Makefile -@@ -218,9 +218,9 @@ subdir-all-qemu-xen-dir: qemu-xen-dir-find - mkdir -p qemu-xen-build; \ - cd qemu-xen-build; \ - if $$source/scripts/tracetool.py --check-backend --backend log ; then \ -- enable_trace_backend='--enable-trace-backend=log'; \ -+ enable_trace_backend="--enable-trace-backends=log"; \ - elif $$source/scripts/tracetool.py --check-backend --backend stderr ; then \ -- enable_trace_backend='--enable-trace-backend=stderr'; \ -+ enable_trace_backend='--enable-trace-backends=stderr'; \ - else \ - enable_trace_backend='' ; \ - fi ; \ --- -2.40.0 - diff --git a/0005-x86-Viridian-don-t-mark-IRQ-vectors-as-pending-when-.patch b/0005-x86-Viridian-don-t-mark-IRQ-vectors-as-pending-when-.patch new file mode 100644 index 0000000..3086285 --- /dev/null +++ b/0005-x86-Viridian-don-t-mark-IRQ-vectors-as-pending-when-.patch 
@@ -0,0 +1,60 @@ +From 5810edc049cd5828c2628a377ca8443610e54f82 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 20 Dec 2022 13:44:38 +0100 +Subject: [PATCH 05/89] x86/Viridian: don't mark IRQ vectors as pending when + vLAPIC is disabled + +In software-disabled state an LAPIC does not accept any interrupt +requests and hence no IRR bit would newly become set while in this +state. As a result it is also wrong for us to mark Viridian IPI or timer +vectors as having a pending request when the vLAPIC is in this state. +Such interrupts are simply lost. + +Introduce a local variable in send_ipi() to help readability. + +Fixes: fda96b7382ea ("viridian: add implementation of the HvSendSyntheticClusterIpi hypercall") +Fixes: 26fba3c85571 ("viridian: add implementation of synthetic timers") +Signed-off-by: Jan Beulich +Acked-by: Andrew Cooper +Reviewed-by: Paul Durrant +master commit: 831419f82913417dee4e5b0f80769c5db590540b +master date: 2022-12-02 10:35:32 +0100 +--- + xen/arch/x86/hvm/viridian/synic.c | 2 +- + xen/arch/x86/hvm/viridian/viridian.c | 7 ++++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/xen/arch/x86/hvm/viridian/synic.c b/xen/arch/x86/hvm/viridian/synic.c +index e18538c60a..856bb898b8 100644 +--- a/xen/arch/x86/hvm/viridian/synic.c ++++ b/xen/arch/x86/hvm/viridian/synic.c +@@ -359,7 +359,7 @@ bool viridian_synic_deliver_timer_msg(struct vcpu *v, unsigned int sintx, + BUILD_BUG_ON(sizeof(payload) > sizeof(msg->u.payload)); + memcpy(msg->u.payload, &payload, sizeof(payload)); + +- if ( !vs->masked ) ++ if ( !vs->masked && vlapic_enabled(vcpu_vlapic(v)) ) + vlapic_set_irq(vcpu_vlapic(v), vs->vector, 0); + + return true; +diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c +index 25dca93e8b..2937ddd3a8 100644 +--- a/xen/arch/x86/hvm/viridian/viridian.c ++++ b/xen/arch/x86/hvm/viridian/viridian.c +@@ -811,7 +811,12 @@ static void send_ipi(struct hypercall_vpmask *vpmask, uint8_t vector) + 
cpu_raise_softirq_batch_begin(); + + for_each_vp ( vpmask, vp ) +- vlapic_set_irq(vcpu_vlapic(currd->vcpu[vp]), vector, 0); ++ { ++ struct vlapic *vlapic = vcpu_vlapic(currd->vcpu[vp]); ++ ++ if ( vlapic_enabled(vlapic) ) ++ vlapic_set_irq(vlapic, vector, 0); ++ } + + if ( nr > 1 ) + cpu_raise_softirq_batch_finish(); +-- +2.40.0 + diff --git a/0006-x86-HVM-don-t-mark-evtchn-upcall-vector-as-pending-w.patch b/0006-x86-HVM-don-t-mark-evtchn-upcall-vector-as-pending-w.patch new file mode 100644 index 0000000..2577f20 --- /dev/null +++ b/0006-x86-HVM-don-t-mark-evtchn-upcall-vector-as-pending-w.patch 
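Review bot: In viridian_synic_deliver_timer_msg() the payload is still copied into `msg` and the function still returns `true` when the new `vlapic_enabled()` test suppresses the interrupt, so the caller cannot tell a notified guest from one that was not. If that is intended, as the description's "simply lost" suggests, a comment at the check would record it, e.g. `/* Message is still written; no interrupt is raised while the vLAPIC is disabled. */`. That line also evaluates `vcpu_vlapic(v)` twice, whereas the send_ipi() hunk introduces a local for it; a local here too would keep the two hunks consistent. Both functions begin outside their hunks.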
@@ -0,0 +1,70 @@ +From 26f39b3d705b667aa21f368c252abffb0b4d3e5d Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 20 Dec 2022 13:45:07 +0100 +Subject: [PATCH 06/89] x86/HVM: don't mark evtchn upcall vector as pending + when vLAPIC is disabled + +Linux'es relatively new use of HVMOP_set_evtchn_upcall_vector has +exposed a problem with the marking of the respective vector as +pending: For quite some time Linux has been checking whether any stale +ISR or IRR bits would still be set while preparing the LAPIC for use. +This check is now triggering on the upcall vector, as the registration, +at least for APs, happens before the LAPIC is actually enabled. + +In software-disabled state an LAPIC would not accept any interrupt +requests and hence no IRR bit would newly become set while in this +state. As a result it is also wrong for us to mark the upcall vector as +having a pending request when the vLAPIC is in this state. + +To compensate for the "enabled" check added to the assertion logic, add +logic to (conditionally) mark the upcall vector as having a request +pending at the time the LAPIC is being software-enabled by the guest. +Note however that, like for the pt_may_unmask_irq() we already have +there, long term we may need to find a different solution. This will be +especially relevant in case yet better LAPIC acceleration would +eliminate notifications of guest writes to this and other registers. 
+ +Fixes: 7b5b8ca7dffd ("x86/upcall: inject a spurious event after setting upcall vector") +Signed-off-by: Jan Beulich +Reviewed-by: Juergen Gross +master commit: f5d0279839b58cb622f0995dbf9cff056f03082e +master date: 2022-12-06 13:51:49 +0100 +--- + xen/arch/x86/hvm/irq.c | 5 +++-- + xen/arch/x86/hvm/vlapic.c | 3 +++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/xen/arch/x86/hvm/irq.c b/xen/arch/x86/hvm/irq.c +index 858ab5b248..d93ffe4546 100644 +--- a/xen/arch/x86/hvm/irq.c ++++ b/xen/arch/x86/hvm/irq.c +@@ -321,9 +321,10 @@ void hvm_assert_evtchn_irq(struct vcpu *v) + + if ( v->arch.hvm.evtchn_upcall_vector != 0 ) + { +- uint8_t vector = v->arch.hvm.evtchn_upcall_vector; ++ struct vlapic *vlapic = vcpu_vlapic(v); + +- vlapic_set_irq(vcpu_vlapic(v), vector, 0); ++ if ( vlapic_enabled(vlapic) ) ++ vlapic_set_irq(vlapic, v->arch.hvm.evtchn_upcall_vector, 0); + } + else if ( is_hvm_pv_evtchn_domain(v->domain) ) + vcpu_kick(v); +diff --git a/xen/arch/x86/hvm/vlapic.c b/xen/arch/x86/hvm/vlapic.c +index 257d3b6851..eb32f12e2d 100644 +--- a/xen/arch/x86/hvm/vlapic.c ++++ b/xen/arch/x86/hvm/vlapic.c +@@ -829,6 +829,9 @@ void vlapic_reg_write(struct vcpu *v, unsigned int reg, uint32_t val) + { + vlapic->hw.disabled &= ~VLAPIC_SW_DISABLED; + pt_may_unmask_irq(vlapic_domain(vlapic), &vlapic->pt); ++ if ( v->arch.hvm.evtchn_upcall_vector && ++ vcpu_info(v, evtchn_upcall_pending) ) ++ vlapic_set_irq(vlapic, v->arch.hvm.evtchn_upcall_vector, 0); + } + break; + +-- +2.40.0 + diff --git a/0006-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch b/0006-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch deleted file mode 100644 index c010110..0000000 --- a/0006-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch +++ /dev/null 
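Review bot: The block added to vlapic_reg_write() re-raises the upcall vector only because Xen sees the guest's write that clears `VLAPIC_SW_DISABLED`, a dependency the description spells out but the code does not. A comment on the new `if` would keep that caveat with the code, for example `/* Deliver an upcall held back while the vLAPIC was disabled; relies on this write being intercepted. */`. The condition also reads `evtchn_upcall_pending` through `vcpu_info()`, an area shared with the guest, so the comment could add that the flag only decides injection into that same vCPU. vlapic_reg_write() starts and ends outside the hunk.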
@@ -1,342 +0,0 @@ -From 401e9e33a04c2a9887636ef58490c764543f0538 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Tue, 7 Feb 2023 17:04:18 +0100 -Subject: [PATCH 06/61] x86/vmx: Calculate model-specific LBRs once at start of - day - -There is no point repeating this calculation at runtime, especially as it is -in the fallback path of the WRSMR/RDMSR handlers. - -Move the infrastructure higher in vmx.c to avoid forward declarations, -renaming last_branch_msr_get() to get_model_specific_lbr() to highlight that -these are model-specific only. - -No practical change. - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -Reviewed-by: Kevin Tian -master commit: e94af0d58f86c3a914b9cbbf4d9ed3d43b974771 -master date: 2023-01-12 18:42:00 +0000 ---- - xen/arch/x86/hvm/vmx/vmx.c | 276 +++++++++++++++++++------------------ - 1 file changed, 139 insertions(+), 137 deletions(-) - -diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c -index 3f42765313..bc308d9df2 100644 ---- a/xen/arch/x86/hvm/vmx/vmx.c -+++ b/xen/arch/x86/hvm/vmx/vmx.c -@@ -394,6 +394,142 @@ void vmx_pi_hooks_deassign(struct domain *d) - domain_unpause(d); - } - -+static const struct lbr_info { -+ u32 base, count; -+} p4_lbr[] = { -+ { MSR_P4_LER_FROM_LIP, 1 }, -+ { MSR_P4_LER_TO_LIP, 1 }, -+ { MSR_P4_LASTBRANCH_TOS, 1 }, -+ { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, -+ { MSR_P4_LASTBRANCH_0_TO_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, -+ { 0, 0 } -+}, c2_lbr[] = { -+ { MSR_IA32_LASTINTFROMIP, 1 }, -+ { MSR_IA32_LASTINTTOIP, 1 }, -+ { MSR_C2_LASTBRANCH_TOS, 1 }, -+ { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_C2_LASTBRANCH_FROM_TO }, -+ { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_C2_LASTBRANCH_FROM_TO }, -+ { 0, 0 } -+}, nh_lbr[] = { -+ { MSR_IA32_LASTINTFROMIP, 1 }, -+ { MSR_IA32_LASTINTTOIP, 1 }, -+ { MSR_NHL_LBR_SELECT, 1 }, -+ { MSR_NHL_LASTBRANCH_TOS, 1 }, -+ { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, -+ { MSR_P4_LASTBRANCH_0_TO_LIP, 
NUM_MSR_P4_LASTBRANCH_FROM_TO }, -+ { 0, 0 } -+}, sk_lbr[] = { -+ { MSR_IA32_LASTINTFROMIP, 1 }, -+ { MSR_IA32_LASTINTTOIP, 1 }, -+ { MSR_NHL_LBR_SELECT, 1 }, -+ { MSR_NHL_LASTBRANCH_TOS, 1 }, -+ { MSR_SKL_LASTBRANCH_0_FROM_IP, NUM_MSR_SKL_LASTBRANCH }, -+ { MSR_SKL_LASTBRANCH_0_TO_IP, NUM_MSR_SKL_LASTBRANCH }, -+ { MSR_SKL_LASTBRANCH_0_INFO, NUM_MSR_SKL_LASTBRANCH }, -+ { 0, 0 } -+}, at_lbr[] = { -+ { MSR_IA32_LASTINTFROMIP, 1 }, -+ { MSR_IA32_LASTINTTOIP, 1 }, -+ { MSR_C2_LASTBRANCH_TOS, 1 }, -+ { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, -+ { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, -+ { 0, 0 } -+}, sm_lbr[] = { -+ { MSR_IA32_LASTINTFROMIP, 1 }, -+ { MSR_IA32_LASTINTTOIP, 1 }, -+ { MSR_SM_LBR_SELECT, 1 }, -+ { MSR_SM_LASTBRANCH_TOS, 1 }, -+ { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, -+ { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, -+ { 0, 0 } -+}, gm_lbr[] = { -+ { MSR_IA32_LASTINTFROMIP, 1 }, -+ { MSR_IA32_LASTINTTOIP, 1 }, -+ { MSR_SM_LBR_SELECT, 1 }, -+ { MSR_SM_LASTBRANCH_TOS, 1 }, -+ { MSR_GM_LASTBRANCH_0_FROM_IP, NUM_MSR_GM_LASTBRANCH_FROM_TO }, -+ { MSR_GM_LASTBRANCH_0_TO_IP, NUM_MSR_GM_LASTBRANCH_FROM_TO }, -+ { 0, 0 } -+}; -+static const struct lbr_info *__read_mostly model_specific_lbr; -+ -+static const struct lbr_info *__init get_model_specific_lbr(void) -+{ -+ switch ( boot_cpu_data.x86 ) -+ { -+ case 6: -+ switch ( boot_cpu_data.x86_model ) -+ { -+ /* Core2 Duo */ -+ case 0x0f: -+ /* Enhanced Core */ -+ case 0x17: -+ /* Xeon 7400 */ -+ case 0x1d: -+ return c2_lbr; -+ /* Nehalem */ -+ case 0x1a: case 0x1e: case 0x1f: case 0x2e: -+ /* Westmere */ -+ case 0x25: case 0x2c: case 0x2f: -+ /* Sandy Bridge */ -+ case 0x2a: case 0x2d: -+ /* Ivy Bridge */ -+ case 0x3a: case 0x3e: -+ /* Haswell */ -+ case 0x3c: case 0x3f: case 0x45: case 0x46: -+ /* Broadwell */ -+ case 0x3d: case 0x47: case 0x4f: case 0x56: -+ return nh_lbr; -+ /* Skylake */ -+ case 0x4e: case 0x5e: -+ /* 
Xeon Scalable */ -+ case 0x55: -+ /* Cannon Lake */ -+ case 0x66: -+ /* Goldmont Plus */ -+ case 0x7a: -+ /* Ice Lake */ -+ case 0x6a: case 0x6c: case 0x7d: case 0x7e: -+ /* Tiger Lake */ -+ case 0x8c: case 0x8d: -+ /* Tremont */ -+ case 0x86: -+ /* Kaby Lake */ -+ case 0x8e: case 0x9e: -+ /* Comet Lake */ -+ case 0xa5: case 0xa6: -+ return sk_lbr; -+ /* Atom */ -+ case 0x1c: case 0x26: case 0x27: case 0x35: case 0x36: -+ return at_lbr; -+ /* Silvermont */ -+ case 0x37: case 0x4a: case 0x4d: case 0x5a: case 0x5d: -+ /* Xeon Phi Knights Landing */ -+ case 0x57: -+ /* Xeon Phi Knights Mill */ -+ case 0x85: -+ /* Airmont */ -+ case 0x4c: -+ return sm_lbr; -+ /* Goldmont */ -+ case 0x5c: case 0x5f: -+ return gm_lbr; -+ } -+ break; -+ -+ case 15: -+ switch ( boot_cpu_data.x86_model ) -+ { -+ /* Pentium4/Xeon with em64t */ -+ case 3: case 4: case 6: -+ return p4_lbr; -+ } -+ break; -+ } -+ -+ return NULL; -+} -+ - static int vmx_domain_initialise(struct domain *d) - { - static const struct arch_csw csw = { -@@ -2812,6 +2948,7 @@ const struct hvm_function_table * __init start_vmx(void) - vmx_function_table.get_guest_bndcfgs = vmx_get_guest_bndcfgs; - } - -+ model_specific_lbr = get_model_specific_lbr(); - lbr_tsx_fixup_check(); - ler_to_fixup_check(); - -@@ -2958,141 +3095,6 @@ static int vmx_cr_access(cr_access_qual_t qual) - return X86EMUL_OKAY; - } - --static const struct lbr_info { -- u32 base, count; --} p4_lbr[] = { -- { MSR_P4_LER_FROM_LIP, 1 }, -- { MSR_P4_LER_TO_LIP, 1 }, -- { MSR_P4_LASTBRANCH_TOS, 1 }, -- { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, -- { MSR_P4_LASTBRANCH_0_TO_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, -- { 0, 0 } --}, c2_lbr[] = { -- { MSR_IA32_LASTINTFROMIP, 1 }, -- { MSR_IA32_LASTINTTOIP, 1 }, -- { MSR_C2_LASTBRANCH_TOS, 1 }, -- { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_C2_LASTBRANCH_FROM_TO }, -- { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_C2_LASTBRANCH_FROM_TO }, -- { 0, 0 } --}, nh_lbr[] = { -- { MSR_IA32_LASTINTFROMIP, 1 }, -- { 
MSR_IA32_LASTINTTOIP, 1 }, -- { MSR_NHL_LBR_SELECT, 1 }, -- { MSR_NHL_LASTBRANCH_TOS, 1 }, -- { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, -- { MSR_P4_LASTBRANCH_0_TO_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, -- { 0, 0 } --}, sk_lbr[] = { -- { MSR_IA32_LASTINTFROMIP, 1 }, -- { MSR_IA32_LASTINTTOIP, 1 }, -- { MSR_NHL_LBR_SELECT, 1 }, -- { MSR_NHL_LASTBRANCH_TOS, 1 }, -- { MSR_SKL_LASTBRANCH_0_FROM_IP, NUM_MSR_SKL_LASTBRANCH }, -- { MSR_SKL_LASTBRANCH_0_TO_IP, NUM_MSR_SKL_LASTBRANCH }, -- { MSR_SKL_LASTBRANCH_0_INFO, NUM_MSR_SKL_LASTBRANCH }, -- { 0, 0 } --}, at_lbr[] = { -- { MSR_IA32_LASTINTFROMIP, 1 }, -- { MSR_IA32_LASTINTTOIP, 1 }, -- { MSR_C2_LASTBRANCH_TOS, 1 }, -- { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, -- { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, -- { 0, 0 } --}, sm_lbr[] = { -- { MSR_IA32_LASTINTFROMIP, 1 }, -- { MSR_IA32_LASTINTTOIP, 1 }, -- { MSR_SM_LBR_SELECT, 1 }, -- { MSR_SM_LASTBRANCH_TOS, 1 }, -- { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, -- { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, -- { 0, 0 } --}, gm_lbr[] = { -- { MSR_IA32_LASTINTFROMIP, 1 }, -- { MSR_IA32_LASTINTTOIP, 1 }, -- { MSR_SM_LBR_SELECT, 1 }, -- { MSR_SM_LASTBRANCH_TOS, 1 }, -- { MSR_GM_LASTBRANCH_0_FROM_IP, NUM_MSR_GM_LASTBRANCH_FROM_TO }, -- { MSR_GM_LASTBRANCH_0_TO_IP, NUM_MSR_GM_LASTBRANCH_FROM_TO }, -- { 0, 0 } --}; -- --static const struct lbr_info *last_branch_msr_get(void) --{ -- switch ( boot_cpu_data.x86 ) -- { -- case 6: -- switch ( boot_cpu_data.x86_model ) -- { -- /* Core2 Duo */ -- case 0x0f: -- /* Enhanced Core */ -- case 0x17: -- /* Xeon 7400 */ -- case 0x1d: -- return c2_lbr; -- /* Nehalem */ -- case 0x1a: case 0x1e: case 0x1f: case 0x2e: -- /* Westmere */ -- case 0x25: case 0x2c: case 0x2f: -- /* Sandy Bridge */ -- case 0x2a: case 0x2d: -- /* Ivy Bridge */ -- case 0x3a: case 0x3e: -- /* Haswell */ -- case 0x3c: case 0x3f: case 0x45: case 0x46: -- /* Broadwell */ 
-- case 0x3d: case 0x47: case 0x4f: case 0x56: -- return nh_lbr; -- /* Skylake */ -- case 0x4e: case 0x5e: -- /* Xeon Scalable */ -- case 0x55: -- /* Cannon Lake */ -- case 0x66: -- /* Goldmont Plus */ -- case 0x7a: -- /* Ice Lake */ -- case 0x6a: case 0x6c: case 0x7d: case 0x7e: -- /* Tiger Lake */ -- case 0x8c: case 0x8d: -- /* Tremont */ -- case 0x86: -- /* Kaby Lake */ -- case 0x8e: case 0x9e: -- /* Comet Lake */ -- case 0xa5: case 0xa6: -- return sk_lbr; -- /* Atom */ -- case 0x1c: case 0x26: case 0x27: case 0x35: case 0x36: -- return at_lbr; -- /* Silvermont */ -- case 0x37: case 0x4a: case 0x4d: case 0x5a: case 0x5d: -- /* Xeon Phi Knights Landing */ -- case 0x57: -- /* Xeon Phi Knights Mill */ -- case 0x85: -- /* Airmont */ -- case 0x4c: -- return sm_lbr; -- /* Goldmont */ -- case 0x5c: case 0x5f: -- return gm_lbr; -- } -- break; -- -- case 15: -- switch ( boot_cpu_data.x86_model ) -- { -- /* Pentium4/Xeon with em64t */ -- case 3: case 4: case 6: -- return p4_lbr; -- } -- break; -- } -- -- return NULL; --} -- - enum - { - LBR_FORMAT_32 = 0x0, /* 32-bit record format */ -@@ -3199,7 +3201,7 @@ static void __init ler_to_fixup_check(void) - - static int is_last_branch_msr(u32 ecx) - { -- const struct lbr_info *lbr = last_branch_msr_get(); -+ const struct lbr_info *lbr = model_specific_lbr; - - if ( lbr == NULL ) - return 0; -@@ -3536,7 +3538,7 @@ static int vmx_msr_write_intercept(unsigned int msr, uint64_t msr_content) - if ( !(v->arch.hvm.vmx.lbr_flags & LBR_MSRS_INSERTED) && - (msr_content & IA32_DEBUGCTLMSR_LBR) ) - { -- const struct lbr_info *lbr = last_branch_msr_get(); -+ const struct lbr_info *lbr = model_specific_lbr; - - if ( unlikely(!lbr) ) - { --- -2.40.0 - diff --git a/0007-ioreq_broadcast-accept-partial-broadcast-success.patch b/0007-ioreq_broadcast-accept-partial-broadcast-success.patch new file mode 100644 index 0000000..654990b --- /dev/null +++ b/0007-ioreq_broadcast-accept-partial-broadcast-success.patch 
@@ -0,0 +1,34 @@ +From c3e37c60fbf8f8cd71db0f0846c9c7aeadf02963 Mon Sep 17 00:00:00 2001 +From: Per Bilse +Date: Tue, 20 Dec 2022 13:45:38 +0100 +Subject: [PATCH 07/89] ioreq_broadcast(): accept partial broadcast success + +Avoid incorrectly triggering an error when a broadcast buffered ioreq +is not handled by all registered clients, as long as the failure is +strictly because the client doesn't handle buffered ioreqs. + +Signed-off-by: Per Bilse +Reviewed-by: Paul Durrant +master commit: a44734df6c24fadbdb001f051cc5580c467caf7d +master date: 2022-12-07 12:17:30 +0100 +--- + xen/common/ioreq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c +index 4617aef29b..ecb8f545e1 100644 +--- a/xen/common/ioreq.c ++++ b/xen/common/ioreq.c +@@ -1317,7 +1317,8 @@ unsigned int ioreq_broadcast(ioreq_t *p, bool buffered) + + FOR_EACH_IOREQ_SERVER(d, id, s) + { +- if ( !s->enabled ) ++ if ( !s->enabled || ++ (buffered && s->bufioreq_handling == HVM_IOREQSRV_BUFIOREQ_OFF) ) + continue; + + if ( ioreq_send(s, p, buffered) == IOREQ_STATUS_UNHANDLED ) +-- +2.40.0 + diff --git a/0007-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch b/0007-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch deleted file mode 100644 index fc81a17..0000000 --- a/0007-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch +++ /dev/null 
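Review bot: A buffered broadcast that every server skips through the new `s->bufioreq_handling == HVM_IOREQSRV_BUFIOREQ_OFF` test now looks the same to the caller as one that every server handled, as far as the visible loop shows. Skipped servers take the `continue` and never reach the `IOREQ_STATUS_UNHANDLED` comparison. Whether any caller depends on at least one server receiving the request cannot be seen here, since ioreq_broadcast() continues past the hunk. A comment on the condition would make the intent explicit, e.g. `/* A server that does not handle buffered ioreqs cannot take this request; skipping it is not a failure. */`.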
@@ -1,83 +0,0 @@ -From 9f425039ca50e8cc8db350ec54d8a7cd4175f417 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Tue, 7 Feb 2023 17:04:49 +0100 -Subject: [PATCH 07/61] x86/vmx: Support for CPUs without model-specific LBR - -Ice Lake (server at least) has both architectural LBR and model-specific LBR. -Sapphire Rapids does not have model-specific LBR at all. I.e. On SPR and -later, model_specific_lbr will always be NULL, so we must make changes to -avoid reliably hitting the domain_crash(). - -The Arch LBR spec states that CPUs without model-specific LBR implement -MSR_DBG_CTL.LBR by discarding writes and always returning 0. - -Do this for any CPU for which we lack model-specific LBR information. - -Adjust the now-stale comment, now that the Arch LBR spec has created a way to -signal "no model specific LBR" to guests. - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -Reviewed-by: Kevin Tian -master commit: 3edca52ce736297d7fcf293860cd94ef62638052 -master date: 2023-01-12 18:42:00 +0000 ---- - xen/arch/x86/hvm/vmx/vmx.c | 31 ++++++++++++++++--------------- - 1 file changed, 16 insertions(+), 15 deletions(-) - -diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c -index bc308d9df2..094141be9a 100644 ---- a/xen/arch/x86/hvm/vmx/vmx.c -+++ b/xen/arch/x86/hvm/vmx/vmx.c -@@ -3518,18 +3518,26 @@ static int vmx_msr_write_intercept(unsigned int msr, uint64_t msr_content) - if ( msr_content & rsvd ) - goto gp_fault; - -+ /* -+ * The Arch LBR spec (new in Ice Lake) states that CPUs with no -+ * model-specific LBRs implement MSR_DBG_CTL.LBR by discarding writes -+ * and always returning 0. -+ * -+ * Use this property in all cases where we don't know any -+ * model-specific LBR information, as it matches real hardware -+ * behaviour on post-Ice Lake systems. 
-+ */ -+ if ( !model_specific_lbr ) -+ msr_content &= ~IA32_DEBUGCTLMSR_LBR; -+ - /* - * When a guest first enables LBR, arrange to save and restore the LBR - * MSRs and allow the guest direct access. - * -- * MSR_DEBUGCTL and LBR has existed almost as long as MSRs have -- * existed, and there is no architectural way to hide the feature, or -- * fail the attempt to enable LBR. -- * -- * Unknown host LBR MSRs or hitting -ENOSPC with the guest load/save -- * list are definitely hypervisor bugs, whereas -ENOMEM for allocating -- * the load/save list is simply unlucky (and shouldn't occur with -- * sensible management by the toolstack). -+ * Hitting -ENOSPC with the guest load/save list is definitely a -+ * hypervisor bug, whereas -ENOMEM for allocating the load/save list -+ * is simply unlucky (and shouldn't occur with sensible management by -+ * the toolstack). - * - * Either way, there is nothing we can do right now to recover, and - * the guest won't execute correctly either. Simply crash the domain -@@ -3540,13 +3548,6 @@ static int vmx_msr_write_intercept(unsigned int msr, uint64_t msr_content) - { - const struct lbr_info *lbr = model_specific_lbr; - -- if ( unlikely(!lbr) ) -- { -- gprintk(XENLOG_ERR, "Unknown Host LBR MSRs\n"); -- domain_crash(v->domain); -- return X86EMUL_OKAY; -- } -- - for ( ; lbr->count; lbr++ ) - { - unsigned int i; --- -2.40.0 - diff --git a/0008-EFI-relocate-the-ESRT-when-booting-via-multiboot2.patch b/0008-EFI-relocate-the-ESRT-when-booting-via-multiboot2.patch new file mode 100644 index 0000000..d1acae6 --- /dev/null +++ b/0008-EFI-relocate-the-ESRT-when-booting-via-multiboot2.patch 
@@ -0,0 +1,195 @@
+From 1dcc9b6dfe528c7815a314f9b5581804b5e23750 Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour
+Date: Tue, 20 Dec 2022 13:46:09 +0100
+Subject: [PATCH 08/89] EFI: relocate the ESRT when booting via multiboot2
+
+This was missed in the initial patchset.
+
+Move efi_relocate_esrt() up to avoid adding a forward declaration.
+
+Signed-off-by: Demi Marie Obenour
+Reviewed-by: Jan Beulich
+master commit: 8d7acf3f7d8d2555c78421dced45bc49f79ae806
+master date: 2022-12-14 12:00:35 +0100
+---
+ xen/arch/x86/efi/efi-boot.h | 2 +
+ xen/common/efi/boot.c | 136 ++++++++++++++++++------------------
+ 2 files changed, 70 insertions(+), 68 deletions(-)
+
+diff --git a/xen/arch/x86/efi/efi-boot.h b/xen/arch/x86/efi/efi-boot.h
+index 27f928ed3c..c94e53d139 100644
+--- a/xen/arch/x86/efi/efi-boot.h
++++ b/xen/arch/x86/efi/efi-boot.h
+@@ -823,6 +823,8 @@ void __init efi_multiboot2(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable
+ if ( gop )
+ efi_set_gop_mode(gop, gop_mode);
+
++ efi_relocate_esrt(SystemTable);
++
+ efi_exit_boot(ImageHandle, SystemTable);
+ }
+
+diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
+index b3de1011ee..d3c6b055ae 100644
+--- a/xen/common/efi/boot.c
++++ b/xen/common/efi/boot.c
+@@ -625,6 +625,74 @@ static size_t __init get_esrt_size(const EFI_MEMORY_DESCRIPTOR *desc)
+ return esrt_ptr->FwResourceCount * sizeof(esrt_ptr->Entries[0]);
+ }
+
++static EFI_GUID __initdata esrt_guid = EFI_SYSTEM_RESOURCE_TABLE_GUID;
++
++static void __init efi_relocate_esrt(EFI_SYSTEM_TABLE *SystemTable)
++{
++ EFI_STATUS status;
++ UINTN info_size = 0, map_key, mdesc_size;
++ void *memory_map = NULL;
++ UINT32 ver;
++ unsigned int i;
++
++ for ( ; ; )
++ {
++ status = efi_bs->GetMemoryMap(&info_size, memory_map, &map_key,
++ &mdesc_size, &ver);
++ if ( status == EFI_SUCCESS && memory_map != NULL )
++ break;
++ if ( status == EFI_BUFFER_TOO_SMALL || memory_map == NULL )
++ {
++ info_size += 8 * mdesc_size;
++ if ( memory_map != NULL )
++ efi_bs->FreePool(memory_map);
++ memory_map = NULL;
++ status = efi_bs->AllocatePool(EfiLoaderData, info_size, &memory_map);
++ if ( status == EFI_SUCCESS )
++ continue;
++ PrintErr(L"Cannot allocate memory to relocate ESRT\r\n");
++ }
++ else
++ PrintErr(L"Cannot obtain memory map to relocate ESRT\r\n");
++ return;
++ }
++
++ /* Try to obtain the ESRT. Errors are not fatal. */
++ for ( i = 0; i < info_size; i += mdesc_size )
++ {
++ /*
++ * ESRT needs to be moved to memory of type EfiACPIReclaimMemory
++ * so that the memory it is in will not be used for other purposes.
++ */
++ void *new_esrt = NULL;
++ const EFI_MEMORY_DESCRIPTOR *desc = memory_map + i;
++ size_t esrt_size = get_esrt_size(desc);
++
++ if ( !esrt_size )
++ continue;
++ if ( desc->Type == EfiRuntimeServicesData ||
++ desc->Type == EfiACPIReclaimMemory )
++ break; /* ESRT already safe from reuse */
++ status = efi_bs->AllocatePool(EfiACPIReclaimMemory, esrt_size,
++ &new_esrt);
++ if ( status == EFI_SUCCESS && new_esrt )
++ {
++ memcpy(new_esrt, (void *)esrt, esrt_size);
++ status = efi_bs->InstallConfigurationTable(&esrt_guid, new_esrt);
++ if ( status != EFI_SUCCESS )
++ {
++ PrintErr(L"Cannot install new ESRT\r\n");
++ efi_bs->FreePool(new_esrt);
++ }
++ }
++ else
++ PrintErr(L"Cannot allocate memory for ESRT\r\n");
++ break;
++ }
++
++ efi_bs->FreePool(memory_map);
++}
++
+ /*
+ * Include architecture specific implementation here, which references the
+ * static globals defined above.
+@@ -903,8 +971,6 @@ static UINTN __init efi_find_gop_mode(EFI_GRAPHICS_OUTPUT_PROTOCOL *gop,
+ return gop_mode;
+ }
+
+-static EFI_GUID __initdata esrt_guid = EFI_SYSTEM_RESOURCE_TABLE_GUID;
+-
+ static void __init efi_tables(void)
+ {
+ unsigned int i;
+@@ -1113,72 +1179,6 @@ static void __init efi_set_gop_mode(EFI_GRAPHICS_OUTPUT_PROTOCOL *gop, UINTN gop
+ #define INVALID_VIRTUAL_ADDRESS (0xBAAADUL << \
+ (EFI_PAGE_SHIFT + BITS_PER_LONG - 32))
+
+-static void __init efi_relocate_esrt(EFI_SYSTEM_TABLE *SystemTable)
+-{
+- EFI_STATUS status;
+- UINTN info_size = 0, map_key, mdesc_size;
+- void *memory_map = NULL;
+- UINT32 ver;
+- unsigned int i;
+-
+- for ( ; ; )
+- {
+- status = efi_bs->GetMemoryMap(&info_size, memory_map, &map_key,
+- &mdesc_size, &ver);
+- if ( status == EFI_SUCCESS && memory_map != NULL )
+- break;
+- if ( status == EFI_BUFFER_TOO_SMALL || memory_map == NULL )
+- {
+- info_size += 8 * mdesc_size;
+- if ( memory_map != NULL )
+- efi_bs->FreePool(memory_map);
+- memory_map = NULL;
+- status = efi_bs->AllocatePool(EfiLoaderData, info_size, &memory_map);
+- if ( status == EFI_SUCCESS )
+- continue;
+- PrintErr(L"Cannot allocate memory to relocate ESRT\r\n");
+- }
+- else
+- PrintErr(L"Cannot obtain memory map to relocate ESRT\r\n");
+- return;
+- }
+-
+- /* Try to obtain the ESRT. Errors are not fatal. */
+- for ( i = 0; i < info_size; i += mdesc_size )
+- {
+- /*
+- * ESRT needs to be moved to memory of type EfiACPIReclaimMemory
+- * so that the memory it is in will not be used for other purposes.
+- */
+- void *new_esrt = NULL;
+- const EFI_MEMORY_DESCRIPTOR *desc = memory_map + i;
+- size_t esrt_size = get_esrt_size(desc);
+-
+- if ( !esrt_size )
+- continue;
+- if ( desc->Type == EfiRuntimeServicesData ||
+- desc->Type == EfiACPIReclaimMemory )
+- break; /* ESRT already safe from reuse */
+- status = efi_bs->AllocatePool(EfiACPIReclaimMemory, esrt_size,
+- &new_esrt);
+- if ( status == EFI_SUCCESS && new_esrt )
+- {
+- memcpy(new_esrt, (void *)esrt, esrt_size);
+- status = efi_bs->InstallConfigurationTable(&esrt_guid, new_esrt);
+- if ( status != EFI_SUCCESS )
+- {
+- PrintErr(L"Cannot install new ESRT\r\n");
+- efi_bs->FreePool(new_esrt);
+- }
+- }
+- else
+- PrintErr(L"Cannot allocate memory for ESRT\r\n");
+- break;
+- }
+-
+- efi_bs->FreePool(memory_map);
+-}
+-
+ static void __init efi_exit_boot(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)
+ {
+ EFI_STATUS status;
+--
+2.40.0
+
diff --git a/0008-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch b/0008-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch
deleted file mode 100644
index ab7862b..0000000
--- a/0008-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch
+++ /dev/null
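Review bot: The length passed to `memcpy(new_esrt, (void *)esrt, esrt_size)` in efi_relocate_esrt() comes from get_esrt_size(), whose only visible line returns `esrt_ptr->FwResourceCount * sizeof(esrt_ptr->Entries[0])`, i.e. the entries without the table header. If `esrt` points at the start of the table, as the `Entries` member suggests, the relocated copy would be short by the header length and the installed table would end in truncated entry data; this is worth confirming now that the multiboot2 path also runs the relocation. Should that be the case, the return could become `return sizeof(*esrt_ptr) + esrt_ptr->FwResourceCount * sizeof(esrt_ptr->Entries[0]);` (assuming `Entries` is a flexible array member). The rest of get_esrt_size(), including any bounds check of FwResourceCount against the memory descriptor, lies outside the hunk.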
@@ -1,39 +0,0 @@
-From 1550835b381a18fc0e972e5d04925e02fab31553 Mon Sep 17 00:00:00 2001
-From: Jan Beulich
-Date: Tue, 7 Feb 2023 17:05:22 +0100
-Subject: [PATCH 08/61] x86/shadow: fix PAE check for top-level table
- unshadowing
-
-Clearly within the for_each_vcpu() the vCPU of this loop is meant, not
-the (loop invariant) one the fault occurred on.
-
-Fixes: 3d5e6a3ff383 ("x86 hvm: implement HVMOP_pagetable_dying")
-Fixes: ef3b0d8d2c39 ("x86/shadow: shadow_table[] needs only one entry for PV-only configs")
-Signed-off-by: Jan Beulich
-Reviewed-by: Andrew Cooper
-master commit: f8fdceefbb1193ec81667eb40b83bc525cb71204
-master date: 2023-01-20 09:23:42 +0100
----
- xen/arch/x86/mm/shadow/multi.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index c07af0bd99..f7acd18a36 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -2665,10 +2665,10 @@ static int sh_page_fault(struct vcpu *v,
- #if GUEST_PAGING_LEVELS == 3
- unsigned int i;
-
-- for_each_shadow_table(v, i)
-+ for_each_shadow_table(tmp, i)
- {
- mfn_t smfn = pagetable_get_mfn(
-- v->arch.paging.shadow.shadow_table[i]);
-+ tmp->arch.paging.shadow.shadow_table[i]);
-
- if ( mfn_valid(smfn) && (mfn_x(smfn) != 0) )
- {
---
-2.40.0
-
diff --git a/0009-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch b/0009-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch
deleted file mode 100644
index 83e46c7..0000000
--- a/0009-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 0fd9ad2b9c0c9d9c4879a566f1788d3e9cd38ef6 Mon Sep 17 00:00:00 2001
-From: Ayan Kumar Halder
-Date: Tue, 7 Feb 2023 17:05:56 +0100
-Subject: [PATCH 09/61] ns16550: fix an incorrect assignment to uart->io_size
-
-uart->io_size represents the size in bytes. Thus, when serial_port.bit_width
-is assigned to it, it should be converted to size in bytes.
-
-Fixes: 17b516196c ("ns16550: add ACPI support for ARM only")
-Reported-by: Jan Beulich
-Signed-off-by: Ayan Kumar Halder
-Reviewed-by: Stefano Stabellini
-master commit: 352c89f72ddb67b8d9d4e492203f8c77f85c8df1
-master date: 2023-01-24 16:54:38 +0100
----
- xen/drivers/char/ns16550.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c
-index 2d2bd2a024..5dd4d723f5 100644
---- a/xen/drivers/char/ns16550.c
-+++ b/xen/drivers/char/ns16550.c
-@@ -1780,7 +1780,7 @@ static int __init ns16550_acpi_uart_init(const void *data)
- uart->parity = spcr->parity;
- uart->stop_bits = spcr->stop_bits;
- uart->io_base = spcr->serial_port.address;
-- uart->io_size = spcr->serial_port.bit_width;
-+ uart->io_size = DIV_ROUND_UP(spcr->serial_port.bit_width, BITS_PER_BYTE);
- uart->reg_shift = spcr->serial_port.bit_offset;
- uart->reg_width = spcr->serial_port.access_width;
-
---
-2.40.0
-
diff --git a/0009-x86-time-prevent-overflow-with-high-frequency-TSCs.patch b/0009-x86-time-prevent-overflow-with-high-frequency-TSCs.patch
new file mode 100644
index 0000000..a9401d7
--- /dev/null
+++ b/0009-x86-time-prevent-overflow-with-high-frequency-TSCs.patch
@@ -0,0 +1,34 @@
+From a7a26da0b59da7233e6c6f63b180bab131398351 Mon Sep 17 00:00:00 2001
+From: Neowutran
+Date: Tue, 20 Dec 2022 13:46:38 +0100
+Subject: [PATCH 09/89] x86/time: prevent overflow with high frequency TSCs
+
+Make sure tsc_khz is promoted to a 64-bit type before multiplying by
+1000 to avoid an 'overflow before widen' bug. Otherwise just above
+4.294GHz the value will overflow. Processors with clocks this high are
+now in production and require this to work correctly.
+
+Signed-off-by: Neowutran
+Reviewed-by: Jan Beulich
+master commit: ad15a0a8ca2515d8ac58edfc0bc1d3719219cb77
+master date: 2022-12-19 11:34:16 +0100
+---
+ xen/arch/x86/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
+index b01acd390d..d882b43cf0 100644
+--- a/xen/arch/x86/time.c
++++ b/xen/arch/x86/time.c
+@@ -2585,7 +2585,7 @@ int tsc_set_info(struct domain *d,
+ case TSC_MODE_ALWAYS_EMULATE:
+ d->arch.vtsc_offset = get_s_time() - elapsed_nsec;
+ d->arch.tsc_khz = gtsc_khz ?: cpu_khz;
+- set_time_scale(&d->arch.vtsc_to_ns, d->arch.tsc_khz * 1000);
++ set_time_scale(&d->arch.vtsc_to_ns, d->arch.tsc_khz * 1000UL);
+
+ /*
+ * In default mode use native TSC if the host has safe TSC and
+--
+2.40.0
+
diff --git a/0010-libxl-fix-guest-kexec-skip-cpuid-policy.patch b/0010-libxl-fix-guest-kexec-skip-cpuid-policy.patch
deleted file mode 100644
index 6150286..0000000
--- a/0010-libxl-fix-guest-kexec-skip-cpuid-policy.patch
+++ /dev/null
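Review bot: The widening in `d->arch.tsc_khz * 1000UL` depends on `unsigned long` being 64 bits wide, which nothing in the hunk states. That holds on LP64 builds, but `1000ULL` or an explicit `(uint64_t)d->arch.tsc_khz * 1000` would make the intent independent of the ABI and match the commit message's "promoted to a 64-bit type". Only the TSC_MODE_ALWAYS_EMULATE site is visible here; tsc_set_info() continues outside the hunk, so any other `tsc_khz * 1000` expression in the file would need the same check.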
@@ -1,72 +0,0 @@
-From 6e081438bf8ef616d0123aab7a743476d8114ef6 Mon Sep 17 00:00:00 2001
-From: Jason Andryuk
-Date: Tue, 7 Feb 2023 17:06:47 +0100
-Subject: [PATCH 10/61] libxl: fix guest kexec - skip cpuid policy
-
-When a domain performs a kexec (soft reset), libxl__build_pre() is
-called with the existing domid. Calling libxl__cpuid_legacy() on the
-existing domain fails since the cpuid policy has already been set, and
-the guest isn't rebuilt and doesn't kexec.
-
-xc: error: Failed to set d1's policy (err leaf 0xffffffff, subleaf 0xffffffff, msr 0xffffffff) (17 = File exists): Internal error
-libxl: error: libxl_cpuid.c:494:libxl__cpuid_legacy: Domain 1:Failed to apply CPUID policy: File exists
-libxl: error: libxl_create.c:1641:domcreate_rebuild_done: Domain 1:cannot (re-)build domain: -3
-libxl: error: libxl_xshelp.c:201:libxl__xs_read_mandatory: xenstore read failed: `/libxl/1/type': No such file or directory
-libxl: warning: libxl_dom.c:49:libxl__domain_type: unable to get domain type for domid=1, assuming HVM
-
-During a soft_reset, skip calling libxl__cpuid_legacy() to avoid the
-issue. Before commit 34990446ca91, the libxl__cpuid_legacy() failure
-would have been ignored, so kexec would continue.
-
-Fixes: 34990446ca91 ("libxl: don't ignore the return value from xc_cpuid_apply_policy")
-Signed-off-by: Jason Andryuk
-Reviewed-by: Anthony PERARD
-master commit: 1e454c2b5b1172e0fc7457e411ebaba61db8fc87
-master date: 2023-01-26 10:58:23 +0100
----
- tools/libs/light/libxl_create.c | 2 ++
- tools/libs/light/libxl_dom.c | 2 +-
- tools/libs/light/libxl_internal.h | 1 +
- 3 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c
-index 885675591f..2e6357a9d7 100644
---- a/tools/libs/light/libxl_create.c
-+++ b/tools/libs/light/libxl_create.c
-@@ -2176,6 +2176,8 @@ static int do_domain_soft_reset(libxl_ctx *ctx,
- aop_console_how);
- cdcs->domid_out = &domid_out;
-
-+ state->soft_reset = true;
-+
- dom_path = libxl__xs_get_dompath(gc, domid);
- if (!dom_path) {
- LOGD(ERROR, domid, "failed to read domain path");
-diff --git a/tools/libs/light/libxl_dom.c b/tools/libs/light/libxl_dom.c
-index 73fccd9243..a2bd2395fa 100644
---- a/tools/libs/light/libxl_dom.c
-+++ b/tools/libs/light/libxl_dom.c
-@@ -384,7 +384,7 @@ int libxl__build_pre(libxl__gc *gc, uint32_t domid,
- /* Construct a CPUID policy, but only for brand new domains. Domains
- * being migrated-in/restored have CPUID handled during the
- * static_data_done() callback. */
-- if (!state->restore)
-+ if (!state->restore && !state->soft_reset)
- rc = libxl__cpuid_legacy(ctx, domid, false, info);
-
- out:
-diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
-index 0b4671318c..ee6a251700 100644
---- a/tools/libs/light/libxl_internal.h
-+++ b/tools/libs/light/libxl_internal.h
-@@ -1407,6 +1407,7 @@ typedef struct {
- /* Whether this domain is being migrated/restored, or booting fresh. Only
- * applicable to the primary domain, not support domains (e.g. stub QEMU). */
- bool restore;
-+ bool soft_reset;
- } libxl__domain_build_state;
-
- _hidden void libxl__domain_build_state_init(libxl__domain_build_state *s);
---
-2.40.0
-
diff --git a/0010-tools-oxenstored-Fix-incorrect-scope-after-an-if-sta.patch b/0010-tools-oxenstored-Fix-incorrect-scope-after-an-if-sta.patch
new file mode 100644
index 0000000..a8c427d
--- /dev/null
+++ b/0010-tools-oxenstored-Fix-incorrect-scope-after-an-if-sta.patch
@@ -0,0 +1,52 @@
+From 2e8d7a08bcd111fe21569e9ace1a047df76da949 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Fri, 11 Nov 2022 18:50:34 +0000
+Subject: [PATCH 10/89] tools/oxenstored: Fix incorrect scope after an if
+ statement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A debug statement got inserted into a single-expression if statement.
+
+Insert brackets to give the intended meaning, rather than the actual meaning
+where the "let con = Connections..." is outside and executed unconditionally.
+
+This results in some unnecessary ring checks for domains which otherwise have
+IO credit.
+
+Fixes: 42f0581a91d4 ("tools/oxenstored: Implement live update for socket connections")
+Reported-by: Edwin Török
+Signed-off-by: Andrew Cooper
+Acked-by: Christian Lindig
+(cherry picked from commit ee36179371fd4215a43fb179be2165f65c1cd1cd)
+---
+ tools/ocaml/xenstored/xenstored.ml | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
+index ffd43a4eee..c5dc7a28d0 100644
+--- a/tools/ocaml/xenstored/xenstored.ml
++++ b/tools/ocaml/xenstored/xenstored.ml
+@@ -475,7 +475,7 @@ let _ =
+
+ let ring_scan_checker dom =
+ (* no need to scan domains already marked as for processing *)
+- if not (Domain.get_io_credit dom > 0) then
++ if not (Domain.get_io_credit dom > 0) then (
+ debug "Looking up domid %d" (Domain.get_id dom);
+ let con = Connections.find_domain cons (Domain.get_id dom) in
+ if not (Connection.has_more_work con) then (
+@@ -490,7 +490,8 @@ let _ =
+ let n = 32 + 2 * (Domains.number domains) in
+ info "found lazy domain %d, credit %d" (Domain.get_id dom) n;
+ Domain.set_io_credit ~n dom
+- ) in
++ )
++ ) in
+
+ let last_stat_time = ref 0. in
+ let last_scan_time = ref 0. in
+--
+2.40.0
+
diff --git a/0011-tools-ocaml-evtchn-OCaml-5-support-fix-potential-res.patch b/0011-tools-ocaml-evtchn-OCaml-5-support-fix-potential-res.patch
new file mode 100644
index 0000000..c9cf630
--- /dev/null
+++ b/0011-tools-ocaml-evtchn-OCaml-5-support-fix-potential-res.patch
@@ -0,0 +1,68 @@
+From d11528a993f80c6a86f4cb0c30578c026348e3e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
+Date: Tue, 18 Jan 2022 15:04:48 +0000
+Subject: [PATCH 11/89] tools/ocaml/evtchn: OCaml 5 support, fix potential
+ resource leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is no binding for xenevtchn_close(). In principle, this is a resource
+leak, but the typical usage is as a singleton that lives for the lifetime of
+the program.
+
+Ocaml 5 no longer permits storing a naked C pointer in an Ocaml value.
+
+Therefore, use a Custom block. This allows us to use the finaliser callback
+to call xenevtchn_close(), if the Ocaml object goes out of scope.
+
+Signed-off-by: Edwin Török
+Signed-off-by: Andrew Cooper
+Acked-by: Christian Lindig
+(cherry picked from commit 22d5affdf0cecfa6faae46fbaec68b8018835220)
+---
+ tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 21 +++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
+index f889a7a2e4..37f1cc4e14 100644
+--- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
++++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
+@@ -33,7 +33,22 @@
+ #include
+ #include
+
+-#define _H(__h) ((xenevtchn_handle *)(__h))
++#define _H(__h) (*((xenevtchn_handle **)Data_custom_val(__h)))
++
++static void stub_evtchn_finalize(value v)
++{
++ xenevtchn_close(_H(v));
++}
++
++static struct custom_operations xenevtchn_ops = {
++ .identifier = "xenevtchn",
++ .finalize = stub_evtchn_finalize,
++ .compare = custom_compare_default, /* Can't compare */
++ .hash = custom_hash_default, /* Can't hash */
++ .serialize = custom_serialize_default, /* Can't serialize */
++ .deserialize = custom_deserialize_default, /* Can't deserialize */
++ .compare_ext = custom_compare_ext_default, /* Can't compare */
++};
+
+ CAMLprim value stub_eventchn_init(void)
+ {
+@@ -48,7 +63,9 @@ CAMLprim value stub_eventchn_init(void)
+ if (xce == NULL)
+ caml_failwith("open failed");
+
+- result = (value)xce;
++ result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
++ _H(result) = xce;
++
+ CAMLreturn(result);
+ }
+
+--
+2.40.0
+
diff --git a/0011-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch b/0011-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch
deleted file mode 100644
index 1d4455f..0000000
--- a/0011-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch
+++ /dev/null
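Review bot: `stub_evtchn_finalize()` gives the handle a GC-driven lifetime, but nothing in the hunk documents what that means for callers. Once the last OCaml reference to the handle is dropped, `xenevtchn_close(_H(v))` closes the underlying descriptor, so code that keeps using a descriptor obtained from the handle could end up operating on a closed or reused fd number. A comment above the finaliser such as `/* Closes the evtchn fd; keep the OCaml handle reachable for as long as any descriptor derived from it is in use. */` would record the constraint. Separately, if `caml_alloc_custom()` raises in `stub_eventchn_init()`, the freshly opened `xce` is presumably leaked; the start of that function is outside the hunk.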
@@ -1,71 +0,0 @@
-From c6a3d14df051bae0323af539e34cf5a65fba1112 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
-Date: Tue, 1 Nov 2022 17:59:16 +0000
-Subject: [PATCH 11/61] tools/ocaml/xenctrl: Make domain_getinfolist tail
- recursive
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-domain_getinfolist() is quadratic with the number of domains, because of the
-behaviour of the underlying hypercall. xenopsd was further observed to be
-wasting excessive quantites of time manipulating the list of already-obtained
-domains.
-
-Implement a tail recursive `rev_concat` equivalent to `concat |> rev`, and use
-it instead of calling `@` multiple times.
-
-An incidental benefit is that the list of domains will now be in domid order,
-instead of having pairs of 2 domains changing direction every time.
-
-In a scalability testing scenario with ~1000 VMs, a combination of this and
-the subsequent change takes xenopsd's wallclock time in domain_getinfolist()
-down from 88% to 0.02%
-
-Signed-off-by: Edwin Török
-Tested-by: Pau Ruiz Safont
-Acked-by: Christian Lindig
-(cherry picked from commit c3b6be714c64aa62b56d0bce96f4b6a10b5c2078)
----
- tools/ocaml/libs/xc/xenctrl.ml | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/tools/ocaml/libs/xc/xenctrl.ml b/tools/ocaml/libs/xc/xenctrl.ml
-index 7503031d8f..f10b686215 100644
---- a/tools/ocaml/libs/xc/xenctrl.ml
-+++ b/tools/ocaml/libs/xc/xenctrl.ml
-@@ -212,14 +212,25 @@ external domain_shutdown: handle -> domid -> shutdown_reason -> unit
- external _domain_getinfolist: handle -> domid -> int -> domaininfo list
- = "stub_xc_domain_getinfolist"
-
-+let rev_append_fold acc e = List.rev_append e acc
-+
-+(**
-+ * [rev_concat lst] is equivalent to [lst |> List.concat |> List.rev]
-+ * except it is tail recursive, whereas [List.concat] isn't.
-+ * Example:
-+ * rev_concat [[10;9;8];[7;6];[5]]] = [5; 6; 7; 8; 9; 10]
-+ *)
-+let rev_concat lst = List.fold_left rev_append_fold [] lst
-+
- let domain_getinfolist handle first_domain =
- let nb = 2 in
-- let last_domid l = (List.hd l).domid + 1 in
-- let rec __getlist from =
-- let l = _domain_getinfolist handle from nb in
-- (if List.length l = nb then __getlist (last_domid l) else []) @ l
-- in
-- List.rev (__getlist first_domain)
-+ let rec __getlist lst from =
-+ (* _domain_getinfolist returns domains in reverse order, largest first *)
-+ match _domain_getinfolist handle from nb with
-+ | [] -> rev_concat lst
-+ | (hd :: _) as l -> __getlist (l :: lst) (hd.domid + 1)
-+ in
-+ __getlist [] first_domain
-
- external domain_getinfo: handle -> domid -> domaininfo= "stub_xc_domain_getinfo"
-
---
-2.40.0
-
diff --git a/0012-tools-ocaml-evtchn-Add-binding-for-xenevtchn_fdopen.patch b/0012-tools-ocaml-evtchn-Add-binding-for-xenevtchn_fdopen.patch
new file mode 100644
index 0000000..7e921fd
--- /dev/null
+++ b/0012-tools-ocaml-evtchn-Add-binding-for-xenevtchn_fdopen.patch
@@ -0,0 +1,81 @@
+From 24d9dc2ae2f88249fcf81f7b7e612cdfb7c73e4b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
+Date: Mon, 14 Nov 2022 13:36:19 +0000
+Subject: [PATCH 12/89] tools/ocaml/evtchn: Add binding for xenevtchn_fdopen()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For live update, the new oxenstored needs to reconstruct an evtchn object
+around an existing file descriptor.
+
+Signed-off-by: Edwin Török
+Signed-off-by: Andrew Cooper
+Acked-by: Christian Lindig
+(cherry picked from commit 7ba68a6c558e1fd811c95cb7215a5cd07a3cc2ea)
+---
+ tools/ocaml/libs/eventchn/xeneventchn.ml | 1 +
+ tools/ocaml/libs/eventchn/xeneventchn.mli | 4 ++++
+ tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 19 +++++++++++++++++++
+ 3 files changed, 24 insertions(+)
+
+diff --git a/tools/ocaml/libs/eventchn/xeneventchn.ml b/tools/ocaml/libs/eventchn/xeneventchn.ml
+index dd00a1f0ea..be4de82f46 100644
+--- a/tools/ocaml/libs/eventchn/xeneventchn.ml
++++ b/tools/ocaml/libs/eventchn/xeneventchn.ml
+@@ -17,6 +17,7 @@
+ type handle
+
+ external init: unit -> handle = "stub_eventchn_init"
++external fdopen: Unix.file_descr -> handle = "stub_eventchn_fdopen"
+ external fd: handle -> Unix.file_descr = "stub_eventchn_fd"
+
+ type t = int
+diff --git a/tools/ocaml/libs/eventchn/xeneventchn.mli b/tools/ocaml/libs/eventchn/xeneventchn.mli
+index 08c7337643..98b3c86f37 100644
+--- a/tools/ocaml/libs/eventchn/xeneventchn.mli
++++ b/tools/ocaml/libs/eventchn/xeneventchn.mli
+@@ -47,6 +47,10 @@ val init: unit -> handle
+ (** Return an initialised event channel interface. On error it
+ will throw a Failure exception. *)
+
++val fdopen: Unix.file_descr -> handle
++(** Return an initialised event channel interface, from an already open evtchn
++ file descriptor. On error it will throw a Failure exception. *)
++
+ val fd: handle -> Unix.file_descr
+ (** Return a file descriptor suitable for Unix.select. When
+ the descriptor becomes readable, it is safe to call 'pending'.
+diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
+index 37f1cc4e14..7bdf711bc1 100644
+--- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
++++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
+@@ -69,6 +69,25 @@ CAMLprim value stub_eventchn_init(void)
+ CAMLreturn(result);
+ }
+
++CAMLprim value stub_eventchn_fdopen(value fdval)
++{
++ CAMLparam1(fdval);
++ CAMLlocal1(result);
++ xenevtchn_handle *xce;
++
++ caml_enter_blocking_section();
++ xce = xenevtchn_fdopen(NULL, Int_val(fdval), 0);
++ caml_leave_blocking_section();
++
++ if (xce == NULL)
++ caml_failwith("evtchn fdopen failed");
++
++ result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
++ _H(result) = xce;
++
++ CAMLreturn(result);
++}
++
+ CAMLprim value stub_eventchn_fd(value xce)
+ {
+ CAMLparam1(xce);
+--
+2.40.0
+
diff --git a/0012-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch b/0012-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch
deleted file mode 100644
index fc352ad..0000000
--- a/0012-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch
+++ /dev/null
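Review bot: The doc comment added for `fdopen` in xeneventchn.mli does not say who owns the descriptor after the call. `stub_eventchn_fdopen()` wraps the handle in a custom block using `xenevtchn_ops`, so the handle presumably closes the fd when it is finalised while the caller still holds the `Unix.file_descr`; a later `Unix.close` on it would then hit a closed or recycled descriptor. I would extend the comment with something like `The handle takes ownership of the descriptor; do not close it separately.` and state that the descriptor must be an evtchn one, since `Int_val(fdval)` is handed to `xenevtchn_fdopen()` without any check in the stub.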
@@ -1,41 +0,0 @@
-From 8c66a2d88a9f17e5b5099fcb83231b7a1169ca25 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
-Date: Tue, 1 Nov 2022 17:59:17 +0000
-Subject: [PATCH 12/61] tools/ocaml/xenctrl: Use larger chunksize in
- domain_getinfolist
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-domain_getinfolist() is quadratic with the number of domains, because of the
-behaviour of the underlying hypercall. Nevertheless, getting domain info in
-blocks of 1024 is far more efficient than blocks of 2.
-
-In a scalability testing scenario with ~1000 VMs, a combination of this and
-the previous change takes xenopsd's wallclock time in domain_getinfolist()
-down from 88% to 0.02%
-
-Signed-off-by: Edwin Török
-Tested-by: Pau Ruiz Safont
-Acked-by: Christian Lindig
-(cherry picked from commit 95db09b1b154fb72fad861815ceae1f3fa49fc4e)
----
- tools/ocaml/libs/xc/xenctrl.ml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/ocaml/libs/xc/xenctrl.ml b/tools/ocaml/libs/xc/xenctrl.ml
-index f10b686215..b40c70d33f 100644
---- a/tools/ocaml/libs/xc/xenctrl.ml
-+++ b/tools/ocaml/libs/xc/xenctrl.ml
-@@ -223,7 +223,7 @@ let rev_append_fold acc e = List.rev_append e acc
- let rev_concat lst = List.fold_left rev_append_fold [] lst
-
- let domain_getinfolist handle first_domain =
-- let nb = 2 in
-+ let nb = 1024 in
- let rec __getlist lst from =
- (* _domain_getinfolist returns domains in reverse order, largest first *)
- match _domain_getinfolist handle from nb with
---
-2.40.0
-
diff --git a/0013-tools-ocaml-evtchn-Extend-the-init-binding-with-a-cl.patch b/0013-tools-ocaml-evtchn-Extend-the-init-binding-with-a-cl.patch
new file mode 100644
index 0000000..af889eb
--- /dev/null
+++ b/0013-tools-ocaml-evtchn-Extend-the-init-binding-with-a-cl.patch
@@ -0,0 +1,90 @@
+From c7cf603836e40de1b4a6ca7d1d52736eb4a10327 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
+Date: Thu, 3 Nov 2022 14:50:38 +0000
+Subject: [PATCH 13/89] tools/ocaml/evtchn: Extend the init() binding with a
+ cloexec flag
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For live update, oxenstored wants to clear CLOEXEC on the evtchn handle, so it
+survives the execve() into the new oxenstored.
+
+Have the new interface match how cloexec works in other Ocaml standard
+libraries.
+
+Signed-off-by: Edwin Török
+Signed-off-by: Andrew Cooper
+Acked-by: Christian Lindig
+(cherry picked from commit 9bafe4a53306e7aa2ce6ffc96f7477c6f329f7a7)
+---
+ tools/ocaml/libs/eventchn/xeneventchn.ml | 5 ++++-
+ tools/ocaml/libs/eventchn/xeneventchn.mli | 9 ++++++---
+ tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 10 +++++++---
+ 3 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/tools/ocaml/libs/eventchn/xeneventchn.ml b/tools/ocaml/libs/eventchn/xeneventchn.ml
+index be4de82f46..c16fdd4674 100644
+--- a/tools/ocaml/libs/eventchn/xeneventchn.ml
++++ b/tools/ocaml/libs/eventchn/xeneventchn.ml
+@@ -16,7 +16,10 @@
+
+ type handle
+
+-external init: unit -> handle = "stub_eventchn_init"
++external _init: bool -> handle = "stub_eventchn_init"
++
++let init ?(cloexec=true) () = _init cloexec
++
+ external fdopen: Unix.file_descr -> handle = "stub_eventchn_fdopen"
+ external fd: handle -> Unix.file_descr = "stub_eventchn_fd"
+
+diff --git a/tools/ocaml/libs/eventchn/xeneventchn.mli b/tools/ocaml/libs/eventchn/xeneventchn.mli
+index 98b3c86f37..870429b6b5 100644
+--- a/tools/ocaml/libs/eventchn/xeneventchn.mli
++++ b/tools/ocaml/libs/eventchn/xeneventchn.mli
+@@ -43,9 +43,12 @@ val to_int: t -> int
+
+ val of_int: int -> t
+
+-val init: unit -> handle
+-(** Return an initialised event channel interface. On error it
+- will throw a Failure exception. *)
++val init: ?cloexec:bool -> unit -> handle
++(** [init ?cloexec ()]
++ Return an initialised event channel interface.
++ The default is to close the underlying file descriptor
++ on [execve], which can be overriden with [~cloexec:false].
++ On error it will throw a Failure exception. *)
+
+ val fdopen: Unix.file_descr -> handle
+ (** Return an initialised event channel interface, from an already open evtchn
+diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
+index 7bdf711bc1..aa8a69cc1e 100644
+--- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
++++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
+@@ -50,14 +50,18 @@ static struct custom_operations xenevtchn_ops = {
+ .compare_ext = custom_compare_ext_default, /* Can't compare */
+ };
+
+-CAMLprim value stub_eventchn_init(void)
++CAMLprim value stub_eventchn_init(value cloexec)
+ {
+- CAMLparam0();
++ CAMLparam1(cloexec);
+ CAMLlocal1(result);
+ xenevtchn_handle *xce;
++ unsigned int flags = 0;
++
++ if ( !Bool_val(cloexec) )
++ flags |= XENEVTCHN_NO_CLOEXEC;
+
+ caml_enter_blocking_section();
+- xce = xenevtchn_open(NULL, 0);
++ xce = xenevtchn_open(NULL, flags);
+ caml_leave_blocking_section();
+
+ if (xce == NULL)
+--
+2.40.0
+
diff --git a/0013-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch b/0013-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch
deleted file mode 100644
index a999dd8..0000000
--- a/0013-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch
+++ /dev/null
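Review bot: The new doc comment for `init` explains how to pass `~cloexec:false` but not the consequence: with `XENEVTCHN_NO_CLOEXEC` set, the event-channel descriptor is inherited by every program the process later executes, not only the live-update successor named in the commit message. I would add a sentence such as `Only pass [~cloexec:false] when the descriptor is meant to survive [execve]; any other executed program inherits access to the event channels.` The same comment spells "overriden" where "overridden" is meant, and `if ( !Bool_val(cloexec) )` in the stub uses padded parentheses where the neighbouring `if (xce == NULL)` does not.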
@@ -1,75 +0,0 @@ -From 049d16c8ce900dfc8f4b657849aeb82b95ed857c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= -Date: Fri, 16 Dec 2022 18:25:10 +0000 -Subject: [PATCH 13/61] tools/ocaml/xb,mmap: Use Data_abstract_val wrapper -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is not strictly necessary since it is essentially a no-op currently: a -cast to void * and value *, even in OCaml 5.0. - -However it does make it clearer that what we have here is not a regular OCaml -value, but one allocated with Abstract_tag or Custom_tag, and follows the -example from the manual more closely: -https://v2.ocaml.org/manual/intfc.html#ss:c-outside-head - -It also makes it clearer that these modules have been reviewed for -compat with OCaml 5.0. - -We cannot use OCaml finalizers here, because we want exact control over when -to unmap these pages from remote domains. - -No functional change. - -Signed-off-by: Edwin Török -Acked-by: Christian Lindig -(cherry picked from commit d2ccc637111d6dbcf808aaffeec7a46f0b1e1c81) ---- - tools/ocaml/libs/mmap/mmap_stubs.h | 4 ++++ - tools/ocaml/libs/mmap/xenmmap_stubs.c | 2 +- - tools/ocaml/libs/xb/xs_ring_stubs.c | 2 +- - 3 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/tools/ocaml/libs/mmap/mmap_stubs.h b/tools/ocaml/libs/mmap/mmap_stubs.h -index 65e4239890..f4784e4715 100644 ---- a/tools/ocaml/libs/mmap/mmap_stubs.h -+++ b/tools/ocaml/libs/mmap/mmap_stubs.h -@@ -30,4 +30,8 @@ struct mmap_interface - int len; - }; - -+#ifndef Data_abstract_val -+#define Data_abstract_val(x) ((void *)Op_val(x)) -+#endif -+ - #endif -diff --git a/tools/ocaml/libs/mmap/xenmmap_stubs.c b/tools/ocaml/libs/mmap/xenmmap_stubs.c -index e2ce088e25..e03951d781 100644 ---- a/tools/ocaml/libs/mmap/xenmmap_stubs.c -+++ b/tools/ocaml/libs/mmap/xenmmap_stubs.c -@@ -28,7 +28,7 @@ - #include - #include - --#define Intf_val(a) ((struct mmap_interface *) a) -+#define Intf_val(a) ((struct 
mmap_interface *)Data_abstract_val(a)) - - static int mmap_interface_init(struct mmap_interface *intf, - int fd, int pflag, int mflag, -diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c -index 7a91fdee75..1f58524535 100644 ---- a/tools/ocaml/libs/xb/xs_ring_stubs.c -+++ b/tools/ocaml/libs/xb/xs_ring_stubs.c -@@ -35,7 +35,7 @@ - #include - #include "mmap_stubs.h" - --#define GET_C_STRUCT(a) ((struct mmap_interface *) a) -+#define GET_C_STRUCT(a) ((struct mmap_interface *)Data_abstract_val(a)) - - /* - * Bytes_val has been introduced by Ocaml 4.06.1. So define our own version --- -2.40.0 - diff --git a/0014-tools-ocaml-xb-Drop-Xs_ring.write.patch b/0014-tools-ocaml-xb-Drop-Xs_ring.write.patch deleted file mode 100644 index 813f041..0000000 --- a/0014-tools-ocaml-xb-Drop-Xs_ring.write.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From f7c4fab9b50af74d0e1170fbf35367ced48d8209 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= -Date: Fri, 16 Dec 2022 18:25:20 +0000 -Subject: [PATCH 14/61] tools/ocaml/xb: Drop Xs_ring.write -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This function is unusued (only Xs_ring.write_substring is used), and the -bytes/string conversion here is backwards: the C stub implements the bytes -version and then we use a Bytes.unsafe_of_string to convert a string into -bytes. - -However the operation here really is read-only: we read from the string and -write it to the ring, so the C stub should implement the read-only string -version, and if needed we could use Bytes.unsafe_to_string to be able to send -'bytes'. However that is not necessary as the 'bytes' version is dropped above. - -Signed-off-by: Edwin Török -Acked-by: Christian Lindig -(cherry picked from commit 01f139215e678c2dc7d4bb3f9f2777069bb1b091) ---- - tools/ocaml/libs/xb/xs_ring.ml | 5 +---- - tools/ocaml/libs/xb/xs_ring_stubs.c | 2 +- - 2 files changed, 2 insertions(+), 5 deletions(-) - -diff --git a/tools/ocaml/libs/xb/xs_ring.ml b/tools/ocaml/libs/xb/xs_ring.ml -index db7f86bd27..dd5e014a33 100644 ---- a/tools/ocaml/libs/xb/xs_ring.ml -+++ b/tools/ocaml/libs/xb/xs_ring.ml -@@ -25,14 +25,11 @@ module Server_features = Set.Make(struct - end) - - external read: Xenmmap.mmap_interface -> bytes -> int -> int = "ml_interface_read" --external write: Xenmmap.mmap_interface -> bytes -> int -> int = "ml_interface_write" -+external write_substring: Xenmmap.mmap_interface -> string -> int -> int = "ml_interface_write" - - external _internal_set_server_features: Xenmmap.mmap_interface -> int -> unit = "ml_interface_set_server_features" [@@noalloc] - external _internal_get_server_features: Xenmmap.mmap_interface -> int = "ml_interface_get_server_features" [@@noalloc] - --let write_substring mmap buff len = -- write mmap 
(Bytes.unsafe_of_string buff) len -- - let get_server_features mmap = - (* NB only one feature currently defined above *) - let x = _internal_get_server_features mmap in -diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c -index 1f58524535..1243c63f03 100644 ---- a/tools/ocaml/libs/xb/xs_ring_stubs.c -+++ b/tools/ocaml/libs/xb/xs_ring_stubs.c -@@ -112,7 +112,7 @@ CAMLprim value ml_interface_write(value ml_interface, - CAMLlocal1(ml_result); - - struct mmap_interface *interface = GET_C_STRUCT(ml_interface); -- const unsigned char *buffer = Bytes_val(ml_buffer); -+ const char *buffer = String_val(ml_buffer); - int len = Int_val(ml_len); - int result; - --- -2.40.0 - diff --git a/0014-tools-oxenstored-Style-fixes-to-Domain.patch b/0014-tools-oxenstored-Style-fixes-to-Domain.patch new file mode 100644 index 0000000..aad4399 --- /dev/null +++ b/0014-tools-oxenstored-Style-fixes-to-Domain.patch 
@@ -0,0 +1,64 @@ +From 0929960173bc76b8d90df73c8ee665747c233e18 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Wed, 30 Nov 2022 14:56:43 +0000 +Subject: [PATCH 14/89] tools/oxenstored: Style fixes to Domain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This file has some style problems so severe that they interfere with the +readability of the subsequent bugfix patches. + +Fix these issues ahead of time, to make the subsequent changes more readable. + +No functional change. + +Signed-off-by: Andrew Cooper +Reviewed-by: Edwin Török +Acked-by: Christian Lindig +(cherry picked from commit b45bfaf359e4821b1bf98a4fcd194d7fd176f167) +--- + tools/ocaml/xenstored/domain.ml | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/tools/ocaml/xenstored/domain.ml b/tools/ocaml/xenstored/domain.ml +index 81cb59b8f1..ab08dcf37f 100644 +--- a/tools/ocaml/xenstored/domain.ml ++++ b/tools/ocaml/xenstored/domain.ml +@@ -57,17 +57,16 @@ let is_paused_for_conflict dom = dom.conflict_credit <= 0.0 + let is_free_to_conflict = is_dom0 + + let string_of_port = function +-| None -> "None" +-| Some x -> string_of_int (Xeneventchn.to_int x) ++ | None -> "None" ++ | Some x -> string_of_int (Xeneventchn.to_int x) + + let dump d chan = + fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.remote_port + +-let notify dom = match dom.port with +-| None -> +- warn "domain %d: attempt to notify on unknown port" dom.id +-| Some port -> +- Event.notify dom.eventchn port ++let notify dom = ++ match dom.port with ++ | None -> warn "domain %d: attempt to notify on unknown port" dom.id ++ | Some port -> Event.notify dom.eventchn port + + let bind_interdomain dom = + begin match dom.port with +@@ -84,8 +83,7 @@ let close dom = + | None -> () + | Some port -> Event.unbind dom.eventchn port + end; +- Xenmmap.unmap dom.interface; +- () ++ Xenmmap.unmap dom.interface + + let make id mfn remote_port interface eventchn = { + id = id; 
+-- +2.40.0 + diff --git a/0015-tools-oxenstored-Bind-the-DOM_EXC-VIRQ-in-in-Event.i.patch b/0015-tools-oxenstored-Bind-the-DOM_EXC-VIRQ-in-in-Event.i.patch new file mode 100644 index 0000000..8b83edf --- /dev/null +++ b/0015-tools-oxenstored-Bind-the-DOM_EXC-VIRQ-in-in-Event.i.patch 
@@ -0,0 +1,82 @@ +From bc5cc00868ea29d814bb3d783e28b49d1acf63e9 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Tue, 29 Nov 2022 21:05:43 +0000 +Subject: [PATCH 15/89] tools/oxenstored: Bind the DOM_EXC VIRQ in in + Event.init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Xenstored always needs to bind the DOM_EXC VIRQ. + +Instead of doing it shortly after the call to Event.init(), do it in the +constructor directly. This removes the need for the field to be a mutable +option. + +It will also simplify a future change to support live update. Rename the +field from virq_port (which could be any VIRQ) to it's proper name. + +Signed-off-by: Andrew Cooper +Reviewed-by: Edwin Török +Acked-by: Christian Lindig +(cherry picked from commit 9804a5db435fe40c8ded8cf36c2d2b2281c56f1d) +--- + tools/ocaml/xenstored/event.ml | 9 ++++++--- + tools/ocaml/xenstored/xenstored.ml | 4 +--- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/tools/ocaml/xenstored/event.ml b/tools/ocaml/xenstored/event.ml +index ccca90b6fc..a3be296374 100644 +--- a/tools/ocaml/xenstored/event.ml ++++ b/tools/ocaml/xenstored/event.ml +@@ -17,12 +17,15 @@ + (**************** high level binding ****************) + type t = { + handle: Xeneventchn.handle; +- mutable virq_port: Xeneventchn.t option; ++ domexc: Xeneventchn.t; + } + +-let init () = { handle = Xeneventchn.init (); virq_port = None; } ++let init () = ++ let handle = Xeneventchn.init () in ++ let domexc = Xeneventchn.bind_dom_exc_virq handle in ++ { handle; domexc } ++ + let fd eventchn = Xeneventchn.fd eventchn.handle +-let bind_dom_exc_virq eventchn = eventchn.virq_port <- Some (Xeneventchn.bind_dom_exc_virq eventchn.handle) + let bind_interdomain eventchn domid port = Xeneventchn.bind_interdomain eventchn.handle domid port + let unbind eventchn port = Xeneventchn.unbind eventchn.handle port + let notify eventchn port = Xeneventchn.notify eventchn.handle port +diff --git 
a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml +index c5dc7a28d0..55071b49ec 100644 +--- a/tools/ocaml/xenstored/xenstored.ml ++++ b/tools/ocaml/xenstored/xenstored.ml +@@ -397,7 +397,6 @@ let _ = + if cf.restart && Sys.file_exists Disk.xs_daemon_database then ( + let rwro = DB.from_file store domains cons Disk.xs_daemon_database in + info "Live reload: database loaded"; +- Event.bind_dom_exc_virq eventchn; + Process.LiveUpdate.completed (); + rwro + ) else ( +@@ -413,7 +412,6 @@ let _ = + + if cf.domain_init then ( + Connections.add_domain cons (Domains.create0 domains); +- Event.bind_dom_exc_virq eventchn + ); + rw_sock + ) in +@@ -451,7 +449,7 @@ let _ = + let port = Event.pending eventchn in + debug "pending port %d" (Xeneventchn.to_int port); + finally (fun () -> +- if Some port = eventchn.Event.virq_port then ( ++ if port = eventchn.Event.domexc then ( + let (notify, deaddom) = Domains.cleanup domains in + List.iter (Store.reset_permissions store) deaddom; + List.iter (Connections.del_domain cons) deaddom; +-- +2.40.0 + diff --git a/0015-tools-oxenstored-validate-config-file-before-live-up.patch b/0015-tools-oxenstored-validate-config-file-before-live-up.patch deleted file mode 100644 index f65fbd6..0000000 --- a/0015-tools-oxenstored-validate-config-file-before-live-up.patch +++ /dev/null 
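Review bot: `Event.init` in event.ml now opens the handle and binds the DOM_EXC VIRQ in one step, but it has no comment saying so, or saying what a caller sees when the bind fails after the open has succeeded. The removed lines in xenstored.ml bound the VIRQ after a live reload or under `cf.domain_init`; on the new side it is bound on every start, which matches the patch description but is worth recording at the definition. Suggested comment: `(* Opens the evtchn handle and binds the DOM_EXC VIRQ; an exception from either call propagates to the caller. *)`. Whether `Xeneventchn.bind_dom_exc_virq` raises on failure is not visible in this patch, so confirm that before relying on the wording.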
@@ -1,131 +0,0 @@ -From fd1c70442d3aa962be4d041d5f8fce9d2fa72ce1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= -Date: Tue, 11 May 2021 15:56:50 +0000 -Subject: [PATCH 15/61] tools/oxenstored: validate config file before live - update -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The configuration file can contain typos or various errors that could prevent -live update from succeeding (e.g. a flag only valid on a different version). -Unknown entries in the config file would be ignored on startup normally, -add a strict --config-test that live-update can use to check that the config file -is valid *for the new binary*. - -For compatibility with running old code during live update recognize ---live --help as an equivalent to --config-test. - -Signed-off-by: Edwin Török -Acked-by: Christian Lindig -(cherry picked from commit e6f07052ce4a0f0b7d4dc522d87465efb2d9ee86) ---- - tools/ocaml/xenstored/parse_arg.ml | 26 ++++++++++++++++++++++++++ - tools/ocaml/xenstored/xenstored.ml | 11 +++++++++-- - 2 files changed, 35 insertions(+), 2 deletions(-) - -diff --git a/tools/ocaml/xenstored/parse_arg.ml b/tools/ocaml/xenstored/parse_arg.ml -index 7c0478e76a..5e4ca6f1f7 100644 ---- a/tools/ocaml/xenstored/parse_arg.ml -+++ b/tools/ocaml/xenstored/parse_arg.ml -@@ -26,8 +26,14 @@ type config = - restart: bool; - live_reload: bool; - disable_socket: bool; -+ config_test: bool; - } - -+let get_config_filename config_file = -+ match config_file with -+ | Some name -> name -+ | None -> Define.default_config_dir ^ "/oxenstored.conf" -+ - let do_argv = - let pidfile = ref "" and tracefile = ref "" (* old xenstored compatibility *) - and domain_init = ref true -@@ -38,6 +44,8 @@ let do_argv = - and restart = ref false - and live_reload = ref false - and disable_socket = ref false -+ and config_test = ref false -+ and help = ref false - in - - let speclist = -@@ -55,10 +63,27 @@ let do_argv = - ("-T", Arg.Set_string 
tracefile, ""); (* for compatibility *) - ("--restart", Arg.Set restart, "Read database on starting"); - ("--live", Arg.Set live_reload, "Read live dump on startup"); -+ ("--config-test", Arg.Set config_test, "Test validity of config file"); - ("--disable-socket", Arg.Unit (fun () -> disable_socket := true), "Disable socket"); -+ ("--help", Arg.Set help, "Display this list of options") - ] in - let usage_msg = "usage : xenstored [--config-file ] [--no-domain-init] [--help] [--no-fork] [--reraise-top-level] [--restart] [--disable-socket]" in - Arg.parse speclist (fun _ -> ()) usage_msg; -+ let () = -+ if !help then begin -+ if !live_reload then -+ (* -+ * Transform --live --help into --config-test for backward compat with -+ * running code during live update. -+ * Caller will validate config and exit -+ *) -+ config_test := true -+ else begin -+ Arg.usage_string speclist usage_msg |> print_endline; -+ exit 0 -+ end -+ end -+ in - { - domain_init = !domain_init; - activate_access_log = !activate_access_log; -@@ -70,4 +95,5 @@ let do_argv = - restart = !restart; - live_reload = !live_reload; - disable_socket = !disable_socket; -+ config_test = !config_test; - } -diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml -index 4d5851c5cb..e2638a5af2 100644 ---- a/tools/ocaml/xenstored/xenstored.ml -+++ b/tools/ocaml/xenstored/xenstored.ml -@@ -88,7 +88,7 @@ let default_pidfile = Paths.xen_run_dir ^ "/xenstored.pid" - - let ring_scan_interval = ref 20 - --let parse_config filename = -+let parse_config ?(strict=false) filename = - let pidfile = ref default_pidfile in - let options = [ - ("merge-activate", Config.Set_bool Transaction.do_coalesce); -@@ -129,11 +129,12 @@ let parse_config filename = - ("xenstored-port", Config.Set_string Domains.xenstored_port); ] in - begin try Config.read filename options (fun _ _ -> raise Not_found) - with -- | Config.Error err -> List.iter (fun (k, e) -> -+ | Config.Error err as e -> List.iter (fun (k, e) -> - 
match e with - | "unknown key" -> eprintf "config: unknown key %s\n" k - | _ -> eprintf "config: %s: %s\n" k e - ) err; -+ if strict then raise e - | Sys_error m -> eprintf "error: config: %s\n" m; - end; - !pidfile -@@ -358,6 +359,12 @@ let tweak_gc () = - let () = - Printexc.set_uncaught_exception_handler Logging.fallback_exception_handler; - let cf = do_argv in -+ if cf.config_test then begin -+ let path = config_filename cf in -+ let _pidfile:string = parse_config ~strict:true path in -+ Printf.printf "Configuration valid at %s\n%!" path; -+ exit 0 -+ end; - let pidfile = - if Sys.file_exists (config_filename cf) then - parse_config (config_filename cf) --- -2.40.0 - diff --git a/0016-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch b/0016-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch deleted file mode 100644 index a64d657..0000000 --- a/0016-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 552e5f28d411c1a1a92f2fd3592a76e74f47610b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= -Date: Thu, 12 Jan 2023 11:28:29 +0000 -Subject: [PATCH 16/61] tools/ocaml/libs: Don't declare stubs as taking void -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There is no such thing as an Ocaml function (C stub or otherwise) taking no -parameters. In the absence of any other parameters, unit is still passed. - -This doesn't explode with any ABI we care about, but would malfunction for an -ABI environment such as stdcall. - -Fixes: c3afd398ba7f ("ocaml: Add XS bindings.") -Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.") -Signed-off-by: Edwin Török -Signed-off-by: Andrew Cooper -Acked-by: Christian Lindig -(cherry picked from commit ff8b560be80b9211c303d74df7e4b3921d2bb8ca) ---- - tools/ocaml/libs/xb/xenbus_stubs.c | 5 ++--- - tools/ocaml/libs/xc/xenctrl_stubs.c | 4 ++-- - 2 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/tools/ocaml/libs/xb/xenbus_stubs.c b/tools/ocaml/libs/xb/xenbus_stubs.c -index 3065181a55..97116b0782 100644 ---- a/tools/ocaml/libs/xb/xenbus_stubs.c -+++ b/tools/ocaml/libs/xb/xenbus_stubs.c -@@ -30,10 +30,9 @@ - #include - #include - --CAMLprim value stub_header_size(void) -+CAMLprim value stub_header_size(value unit) - { -- CAMLparam0(); -- CAMLreturn(Val_int(sizeof(struct xsd_sockmsg))); -+ return Val_int(sizeof(struct xsd_sockmsg)); - } - - CAMLprim value stub_header_of_string(value s) -diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c -index 5b4fe72c8d..434fc0345b 100644 ---- a/tools/ocaml/libs/xc/xenctrl_stubs.c -+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c -@@ -67,9 +67,9 @@ static void Noreturn failwith_xc(xc_interface *xch) - caml_raise_with_string(*caml_named_value("xc.error"), error_str); - } - --CAMLprim value stub_xc_interface_open(void) -+CAMLprim value stub_xc_interface_open(value unit) - { -- 
CAMLparam0(); -+ CAMLparam1(unit); - xc_interface *xch; - - /* Don't assert XC_OPENFLAG_NON_REENTRANT because these bindings --- -2.40.0 - diff --git a/0016-tools-oxenstored-Rename-some-port-variables-to-remot.patch b/0016-tools-oxenstored-Rename-some-port-variables-to-remot.patch new file mode 100644 index 0000000..4f168d6 --- /dev/null +++ b/0016-tools-oxenstored-Rename-some-port-variables-to-remot.patch 
@@ -0,0 +1,144 @@ +From fd0d9b05970986545656c8f6f688f70f3e78a29b Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Wed, 30 Nov 2022 03:17:28 +0000 +Subject: [PATCH 16/89] tools/oxenstored: Rename some 'port' variables to + 'remote_port' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This will make the logic clearer when we plumb local_port through these +functions. + +While doing this, rearrange the construct in Domains.create0 to separate the +remote port handling from the interface handling. (The interface logic is +dubious in several ways, but not altered by this cleanup.) + +Signed-off-by: Andrew Cooper +Reviewed-by: Edwin Török +Acked-by: Christian Lindig +(cherry picked from commit 31fbee749a75621039ca601eaee7222050a7dd83) +--- + tools/ocaml/xenstored/domains.ml | 26 ++++++++++++-------------- + tools/ocaml/xenstored/process.ml | 12 ++++++------ + tools/ocaml/xenstored/xenstored.ml | 8 ++++---- + 3 files changed, 22 insertions(+), 24 deletions(-) + +diff --git a/tools/ocaml/xenstored/domains.ml b/tools/ocaml/xenstored/domains.ml +index 17fe2fa257..26018ac0dd 100644 +--- a/tools/ocaml/xenstored/domains.ml ++++ b/tools/ocaml/xenstored/domains.ml +@@ -122,9 +122,9 @@ let cleanup doms = + let resume _doms _domid = + () + +-let create doms domid mfn port = ++let create doms domid mfn remote_port = + let interface = Xenctrl.map_foreign_range xc domid (Xenmmap.getpagesize()) mfn in +- let dom = Domain.make domid mfn port interface doms.eventchn in ++ let dom = Domain.make domid mfn remote_port interface doms.eventchn in + Hashtbl.add doms.table domid dom; + Domain.bind_interdomain dom; + dom +@@ -133,18 +133,16 @@ let xenstored_kva = ref "" + let xenstored_port = ref "" + + let create0 doms = +- let port, interface = +- ( +- let port = Utils.read_file_single_integer !xenstored_port +- and fd = Unix.openfile !xenstored_kva +- [ Unix.O_RDWR ] 0o600 in +- let interface = Xenmmap.mmap fd Xenmmap.RDWR Xenmmap.SHARED +- 
(Xenmmap.getpagesize()) 0 in +- Unix.close fd; +- port, interface +- ) +- in +- let dom = Domain.make 0 Nativeint.zero port interface doms.eventchn in ++ let remote_port = Utils.read_file_single_integer !xenstored_port in ++ ++ let interface = ++ let fd = Unix.openfile !xenstored_kva [ Unix.O_RDWR ] 0o600 in ++ let interface = Xenmmap.mmap fd Xenmmap.RDWR Xenmmap.SHARED (Xenmmap.getpagesize()) 0 in ++ Unix.close fd; ++ interface ++ in ++ ++ let dom = Domain.make 0 Nativeint.zero remote_port interface doms.eventchn in + Hashtbl.add doms.table 0 dom; + Domain.bind_interdomain dom; + Domain.notify dom; +diff --git a/tools/ocaml/xenstored/process.ml b/tools/ocaml/xenstored/process.ml +index 72a79e9328..b2973aca2a 100644 +--- a/tools/ocaml/xenstored/process.ml ++++ b/tools/ocaml/xenstored/process.ml +@@ -558,10 +558,10 @@ let do_transaction_end con t domains cons data = + let do_introduce con t domains cons data = + if not (Connection.is_dom0 con) + then raise Define.Permission_denied; +- let (domid, mfn, port) = ++ let (domid, mfn, remote_port) = + match (split None '\000' data) with +- | domid :: mfn :: port :: _ -> +- int_of_string domid, Nativeint.of_string mfn, int_of_string port ++ | domid :: mfn :: remote_port :: _ -> ++ int_of_string domid, Nativeint.of_string mfn, int_of_string remote_port + | _ -> raise Invalid_Cmd_Args; + in + let dom = +@@ -569,18 +569,18 @@ let do_introduce con t domains cons data = + let edom = Domains.find domains domid in + if (Domain.get_mfn edom) = mfn && (Connections.find_domain cons domid) != con then begin + (* Use XS_INTRODUCE for recreating the xenbus event-channel. 
*) +- edom.remote_port <- port; ++ edom.remote_port <- remote_port; + Domain.bind_interdomain edom; + end; + edom + else try +- let ndom = Domains.create domains domid mfn port in ++ let ndom = Domains.create domains domid mfn remote_port in + Connections.add_domain cons ndom; + Connections.fire_spec_watches (Transaction.get_root t) cons Store.Path.introduce_domain; + ndom + with _ -> raise Invalid_Cmd_Args + in +- if (Domain.get_remote_port dom) <> port || (Domain.get_mfn dom) <> mfn then ++ if (Domain.get_remote_port dom) <> remote_port || (Domain.get_mfn dom) <> mfn then + raise Domain_not_match + + let do_release con t domains cons data = +diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml +index 55071b49ec..1f11f576b5 100644 +--- a/tools/ocaml/xenstored/xenstored.ml ++++ b/tools/ocaml/xenstored/xenstored.ml +@@ -167,10 +167,10 @@ let from_channel_f chan global_f socket_f domain_f watch_f store_f = + global_f ~rw + | "socket" :: fd :: [] -> + socket_f ~fd:(int_of_string fd) +- | "dom" :: domid :: mfn :: port :: []-> ++ | "dom" :: domid :: mfn :: remote_port :: []-> + domain_f (int_of_string domid) + (Nativeint.of_string mfn) +- (int_of_string port) ++ (int_of_string remote_port) + | "watch" :: domid :: path :: token :: [] -> + watch_f (int_of_string domid) + (unhexify path) (unhexify token) +@@ -209,10 +209,10 @@ let from_channel store cons doms chan = + else + warn "Ignoring invalid socket FD %d" fd + in +- let domain_f domid mfn port = ++ let domain_f domid mfn remote_port = + let ndom = + if domid > 0 then +- Domains.create doms domid mfn port ++ Domains.create doms domid mfn remote_port + else + Domains.create0 doms + in +-- +2.40.0 + diff --git a/0017-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch b/0017-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch deleted file mode 100644 index 9fa8d08..0000000 --- a/0017-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch +++ /dev/null 
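Review bot: In the rearranged `Domains.create0` in domains.ml, `Unix.close fd` is reached only when `Xenmmap.mmap` returns, so an exception from the mapping would leave the descriptor opened on `!xenstored_kva` open. The rename in the rest of the patch is mechanical, but since this block is being rewritten the close could be made to run on the failure path as well, for example `let interface = try Xenmmap.mmap fd Xenmmap.RDWR Xenmmap.SHARED (Xenmmap.getpagesize()) 0 with e -> Unix.close fd; raise e in`. Whether `Xenmmap.mmap` can raise is not shown here; the patch description itself calls the interface logic dubious and leaves it unaltered, so this may be intended for a follow-up.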
@@ -1,80 +0,0 @@ -From 6d66fb984cc768406158353cabf9a55652b0dea7 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Tue, 31 Jan 2023 10:59:42 +0000 -Subject: [PATCH 17/61] tools/ocaml/libs: Allocate the correct amount of memory - for Abstract_tag - -caml_alloc() takes units of Wsize (word size), not bytes. As a consequence, -we're allocating 4 or 8 times too much memory. - -Ocaml has a helper, Wsize_bsize(), but it truncates cases which aren't an -exact multiple. Use a BUILD_BUG_ON() to cover the potential for truncation, -as there's no rounding-up form of the helper. - -Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.") -Fixes: d3e649277a13 ("ocaml: add mmap bindings implementation.") -Signed-off-by: Andrew Cooper -Acked-by: Christian Lindig -(cherry picked from commit 36eb2de31b6ecb8787698fb1a701bd708c8971b2) ---- - tools/ocaml/libs/mmap/Makefile | 2 ++ - tools/ocaml/libs/mmap/xenmmap_stubs.c | 6 +++++- - tools/ocaml/libs/xc/xenctrl_stubs.c | 5 ++++- - 3 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/tools/ocaml/libs/mmap/Makefile b/tools/ocaml/libs/mmap/Makefile -index df45819df5..a3bd75e33a 100644 ---- a/tools/ocaml/libs/mmap/Makefile -+++ b/tools/ocaml/libs/mmap/Makefile -@@ -2,6 +2,8 @@ TOPLEVEL=$(CURDIR)/../.. - XEN_ROOT=$(TOPLEVEL)/../.. 
- include $(TOPLEVEL)/common.make - -+CFLAGS += $(CFLAGS_xeninclude) -+ - OBJS = xenmmap - INTF = $(foreach obj, $(OBJS),$(obj).cmi) - LIBS = xenmmap.cma xenmmap.cmxa -diff --git a/tools/ocaml/libs/mmap/xenmmap_stubs.c b/tools/ocaml/libs/mmap/xenmmap_stubs.c -index e03951d781..d623ad390e 100644 ---- a/tools/ocaml/libs/mmap/xenmmap_stubs.c -+++ b/tools/ocaml/libs/mmap/xenmmap_stubs.c -@@ -21,6 +21,8 @@ - #include - #include "mmap_stubs.h" - -+#include -+ - #include - #include - #include -@@ -59,7 +61,9 @@ CAMLprim value stub_mmap_init(value fd, value pflag, value mflag, - default: caml_invalid_argument("maptype"); - } - -- result = caml_alloc(sizeof(struct mmap_interface), Abstract_tag); -+ BUILD_BUG_ON((sizeof(struct mmap_interface) % sizeof(value)) != 0); -+ result = caml_alloc(Wsize_bsize(sizeof(struct mmap_interface)), -+ Abstract_tag); - - if (mmap_interface_init(Intf_val(result), Int_val(fd), - c_pflag, c_mflag, -diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c -index 434fc0345b..ec64341a9a 100644 ---- a/tools/ocaml/libs/xc/xenctrl_stubs.c -+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c -@@ -940,7 +940,10 @@ CAMLprim value stub_map_foreign_range(value xch, value dom, - uint32_t c_dom; - unsigned long c_mfn; - -- result = caml_alloc(sizeof(struct mmap_interface), Abstract_tag); -+ BUILD_BUG_ON((sizeof(struct mmap_interface) % sizeof(value)) != 0); -+ result = caml_alloc(Wsize_bsize(sizeof(struct mmap_interface)), -+ Abstract_tag); -+ - intf = (struct mmap_interface *) result; - - intf->len = Int_val(size); --- -2.40.0 - diff --git a/0017-tools-oxenstored-Implement-Domain.rebind_evtchn.patch b/0017-tools-oxenstored-Implement-Domain.rebind_evtchn.patch new file mode 100644 index 0000000..72bcae0 --- /dev/null +++ b/0017-tools-oxenstored-Implement-Domain.rebind_evtchn.patch 
@@ -0,0 +1,67 @@ +From a20daa7ffda7ccc0e65abe77532a5dc8059bf128 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Wed, 30 Nov 2022 11:55:58 +0000 +Subject: [PATCH 17/89] tools/oxenstored: Implement Domain.rebind_evtchn +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Generally speaking, the event channel local/remote port is fixed for the +lifetime of the associated domain object. The exception to this is a +secondary XS_INTRODUCE (defined to re-bind to a new event channel) which pokes +around at the domain object's internal state. + +We need to refactor the evtchn handling to support live update, so start by +moving the relevant manipulation into Domain. + +No practical change. + +Signed-off-by: Andrew Cooper +Reviewed-by: Edwin Török +Acked-by: Christian Lindig +(cherry picked from commit aecdc28d9538ca2a1028ef9bc6550cb171dbbed4) +--- + tools/ocaml/xenstored/domain.ml | 12 ++++++++++++ + tools/ocaml/xenstored/process.ml | 3 +-- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/tools/ocaml/xenstored/domain.ml b/tools/ocaml/xenstored/domain.ml +index ab08dcf37f..d59a9401e2 100644 +--- a/tools/ocaml/xenstored/domain.ml ++++ b/tools/ocaml/xenstored/domain.ml +@@ -63,6 +63,18 @@ let string_of_port = function + let dump d chan = + fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.remote_port + ++let rebind_evtchn d remote_port = ++ begin match d.port with ++ | None -> () ++ | Some p -> Event.unbind d.eventchn p ++ end; ++ let local = Event.bind_interdomain d.eventchn d.id remote_port in ++ debug "domain %d rebind (l %s, r %d) => (l %d, r %d)" ++ d.id (string_of_port d.port) d.remote_port ++ (Xeneventchn.to_int local) remote_port; ++ d.remote_port <- remote_port; ++ d.port <- Some (local) ++ + let notify dom = + match dom.port with + | None -> warn "domain %d: attempt to notify on unknown port" dom.id +diff --git a/tools/ocaml/xenstored/process.ml b/tools/ocaml/xenstored/process.ml +index 
b2973aca2a..1c80e7198d 100644 +--- a/tools/ocaml/xenstored/process.ml ++++ b/tools/ocaml/xenstored/process.ml +@@ -569,8 +569,7 @@ let do_introduce con t domains cons data = + let edom = Domains.find domains domid in + if (Domain.get_mfn edom) = mfn && (Connections.find_domain cons domid) != con then begin + (* Use XS_INTRODUCE for recreating the xenbus event-channel. *) +- edom.remote_port <- remote_port; +- Domain.bind_interdomain edom; ++ Domain.rebind_evtchn edom remote_port; + end; + edom + else try +-- +2.40.0 + diff --git a/0018-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch b/0018-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch deleted file mode 100644 index 8e1c860..0000000 --- a/0018-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch +++ /dev/null 
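Review bot: `Domain.rebind_evtchn` in domain.ml unbinds the old local port before calling `Event.bind_interdomain`, but `d.port` is only updated after the bind succeeds, so a failing bind would leave `d.port` holding a port that has already been unbound. Later `notify` or `close` calls would then act on that stale port number. Clearing the field at the point of the unbind avoids this: `| Some p -> Event.unbind d.eventchn p; d.port <- None`. Whether `Event.bind_interdomain` raises on failure is not visible in this patch, and the `remote_port` value comes from the XS_INTRODUCE path in process.ml, so the failure case is presumably reachable with a bad port argument; please confirm.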
@@ -1,213 +0,0 @@
-From e18faeb91e620624106b94c8821f8c9574eddb17 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
-Date: Thu, 12 Jan 2023 17:48:29 +0000
-Subject: [PATCH 18/61] tools/ocaml/evtchn: Don't reference Custom objects with
- the GC lock released
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The modification to the _H() macro for Ocaml 5 support introduced a subtle
-bug. From the manual:
-
- https://ocaml.org/manual/intfc.html#ss:parallel-execution-long-running-c-code
-
-"After caml_release_runtime_system() was called and until
-caml_acquire_runtime_system() is called, the C code must not access any OCaml
-data, nor call any function of the run-time system, nor call back into OCaml
-code."
-
-Previously, the value was a naked C pointer, so dereferencing it wasn't
-"accessing any Ocaml data", but the fix to avoid naked C pointers added a
-layer of indirection through an Ocaml Custom object, meaning that the common
-pattern of using _H() in a blocking section is unsafe.
-
-In order to fix:
-
- * Drop the _H() macro and replace it with a static inline xce_of_val().
- * Opencode the assignment into Data_custom_val() in the two constructors.
- * Rename "value xce" parameters to "value xce_val" so we can consistently
- have "xenevtchn_handle *xce" on the stack, and obtain the pointer with the
- GC lock still held.
-
-Fixes: 22d5affdf0ce ("tools/ocaml/evtchn: OCaml 5 support, fix potential resource leak")
-Signed-off-by: Edwin Török
-Signed-off-by: Andrew Cooper
-Acked-by: Christian Lindig
-(cherry picked from commit 2636d8ff7a670c4d2485757dbe966e36c259a960)
----
- tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 60 +++++++++++--------
- 1 file changed, 35 insertions(+), 25 deletions(-)
-
-diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-index aa8a69cc1e..d7881ca95f 100644
---- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-+++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c
-@@ -33,11 +33,14 @@
- #include
- #include
-
--#define _H(__h) (*((xenevtchn_handle **)Data_custom_val(__h)))
-+static inline xenevtchn_handle *xce_of_val(value v)
-+{
-+ return *(xenevtchn_handle **)Data_custom_val(v);
-+}
-
- static void stub_evtchn_finalize(value v)
- {
-- xenevtchn_close(_H(v));
-+ xenevtchn_close(xce_of_val(v));
- }
-
- static struct custom_operations xenevtchn_ops = {
-@@ -68,7 +71,7 @@ CAMLprim value stub_eventchn_init(value cloexec)
- caml_failwith("open failed");
-
- result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
-- _H(result) = xce;
-+ *(xenevtchn_handle **)Data_custom_val(result) = xce;
-
- CAMLreturn(result);
- }
-@@ -87,18 +90,19 @@ CAMLprim value stub_eventchn_fdopen(value fdval)
- caml_failwith("evtchn fdopen failed");
-
- result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1);
-- _H(result) = xce;
-+ *(xenevtchn_handle **)Data_custom_val(result) = xce;
-
- CAMLreturn(result);
- }
-
--CAMLprim value stub_eventchn_fd(value xce)
-+CAMLprim value stub_eventchn_fd(value xce_val)
- {
-- CAMLparam1(xce);
-+ CAMLparam1(xce_val);
- CAMLlocal1(result);
-+ xenevtchn_handle *xce = xce_of_val(xce_val);
- int fd;
-
-- fd = xenevtchn_fd(_H(xce));
-+ fd = xenevtchn_fd(xce);
- if (fd == -1)
- caml_failwith("evtchn fd failed");
-
-@@ -107,13 +111,14 @@ CAMLprim value stub_eventchn_fd(value xce)
- CAMLreturn(result);
- }
-
--CAMLprim value stub_eventchn_notify(value xce, value port)
-+CAMLprim value stub_eventchn_notify(value xce_val, value port)
- {
-- CAMLparam2(xce, port);
-+ CAMLparam2(xce_val, port);
-+ xenevtchn_handle *xce = xce_of_val(xce_val);
- int rc;
-
- caml_enter_blocking_section();
-- rc = xenevtchn_notify(_H(xce), Int_val(port));
-+ rc = xenevtchn_notify(xce, Int_val(port));
- caml_leave_blocking_section();
-
- if (rc == -1)
-@@ -122,15 +127,16 @@ CAMLprim value stub_eventchn_notify(value xce, value port)
- CAMLreturn(Val_unit);
- }
-
--CAMLprim value stub_eventchn_bind_interdomain(value xce, value domid,
-+CAMLprim value stub_eventchn_bind_interdomain(value xce_val, value domid,
- value remote_port)
- {
-- CAMLparam3(xce, domid, remote_port);
-+ CAMLparam3(xce_val, domid, remote_port);
- CAMLlocal1(port);
-+ xenevtchn_handle *xce = xce_of_val(xce_val);
- xenevtchn_port_or_error_t rc;
-
- caml_enter_blocking_section();
-- rc = xenevtchn_bind_interdomain(_H(xce), Int_val(domid), Int_val(remote_port));
-+ rc = xenevtchn_bind_interdomain(xce, Int_val(domid), Int_val(remote_port));
- caml_leave_blocking_section();
-
- if (rc == -1)
-@@ -140,14 +146,15 @@ CAMLprim value stub_eventchn_bind_interdomain(value xce, value domid,
- CAMLreturn(port);
- }
-
--CAMLprim value stub_eventchn_bind_virq(value xce, value virq_type)
-+CAMLprim value stub_eventchn_bind_virq(value xce_val, value virq_type)
- {
-- CAMLparam2(xce, virq_type);
-+ CAMLparam2(xce_val, virq_type);
- CAMLlocal1(port);
-+ xenevtchn_handle *xce = xce_of_val(xce_val);
- xenevtchn_port_or_error_t rc;
-
- caml_enter_blocking_section();
-- rc = xenevtchn_bind_virq(_H(xce), Int_val(virq_type));
-+ rc = xenevtchn_bind_virq(xce, Int_val(virq_type));
- caml_leave_blocking_section();
-
- if (rc == -1)
-@@ -157,13 +164,14 @@ CAMLprim value stub_eventchn_bind_virq(value xce, value virq_type)
- CAMLreturn(port);
- }
-
--CAMLprim value stub_eventchn_unbind(value xce, value port)
-+CAMLprim value stub_eventchn_unbind(value xce_val, value port)
- {
-- CAMLparam2(xce, port);
-+ CAMLparam2(xce_val, port);
-+ xenevtchn_handle *xce = xce_of_val(xce_val);
- int rc;
-
- caml_enter_blocking_section();
-- rc = xenevtchn_unbind(_H(xce), Int_val(port));
-+ rc = xenevtchn_unbind(xce, Int_val(port));
- caml_leave_blocking_section();
-
- if (rc == -1)
-@@ -172,14 +180,15 @@ CAMLprim value stub_eventchn_unbind(value xce, value port)
- CAMLreturn(Val_unit);
- }
-
--CAMLprim value stub_eventchn_pending(value xce)
-+CAMLprim value stub_eventchn_pending(value xce_val)
- {
-- CAMLparam1(xce);
-+ CAMLparam1(xce_val);
- CAMLlocal1(result);
-+ xenevtchn_handle *xce = xce_of_val(xce_val);
- xenevtchn_port_or_error_t port;
-
- caml_enter_blocking_section();
-- port = xenevtchn_pending(_H(xce));
-+ port = xenevtchn_pending(xce);
- caml_leave_blocking_section();
-
- if (port == -1)
-@@ -189,16 +198,17 @@ CAMLprim value stub_eventchn_pending(value xce)
- CAMLreturn(result);
- }
-
--CAMLprim value stub_eventchn_unmask(value xce, value _port)
-+CAMLprim value stub_eventchn_unmask(value xce_val, value _port)
- {
-- CAMLparam2(xce, _port);
-+ CAMLparam2(xce_val, _port);
-+ xenevtchn_handle *xce = xce_of_val(xce_val);
- evtchn_port_t port;
- int rc;
-
- port = Int_val(_port);
-
- caml_enter_blocking_section();
-- rc = xenevtchn_unmask(_H(xce), port);
-+ rc = xenevtchn_unmask(xce, port);
- caml_leave_blocking_section();
-
- if (rc)
---
-2.40.0
-
diff --git a/0018-tools-oxenstored-Rework-Domain-evtchn-handling-to-us.patch b/0018-tools-oxenstored-Rework-Domain-evtchn-handling-to-us.patch
new file mode 100644
index 0000000..1392b34
--- /dev/null
+++ b/0018-tools-oxenstored-Rework-Domain-evtchn-handling-to-us.patch
@@ -0,0 +1,209 @@
+From 4b418768ef4d75d0f70e4ce7cb5710404527bf47 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Wed, 30 Nov 2022 11:59:34 +0000
+Subject: [PATCH 18/89] tools/oxenstored: Rework Domain evtchn handling to use
+ port_pair
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Inter-domain event channels are always a pair of local and remote ports.
+Right now the handling is asymmetric, caused by the fact that the evtchn is
+bound after the associated Domain object is constructed.
+
+First, move binding of the event channel into the Domain.make() constructor.
+This means the local port no longer needs to be an option. It also removes
+the final callers of Domain.bind_interdomain.
+
+Next, introduce a new port_pair type to encapsulate the fact that these two
+should be updated together, and replace the previous port and remote_port
+fields. This refactoring also changes the Domain.get_port interface (removing
+an option) so take the opportunity to name it get_local_port instead.
+
+Also, this fixes a use-after-free risk with Domain.close. Once the evtchn has
+been unbound, the same local port number can be reused for a different
+purpose, so explicitly invalidate the ports to prevent their accidental misuse
+in the future.
+
+This also cleans up some of the debugging, to always print a port pair.
+
+Signed-off-by: Andrew Cooper
+Reviewed-by: Edwin Török
+Acked-by: Christian Lindig
+(cherry picked from commit df2db174b36eba67c218763ef621c67912202fc6)
+---
+ tools/ocaml/xenstored/connections.ml | 9 +---
+ tools/ocaml/xenstored/domain.ml | 75 ++++++++++++++--------------
+ tools/ocaml/xenstored/domains.ml | 2 -
+ 3 files changed, 39 insertions(+), 47 deletions(-)
+
+diff --git a/tools/ocaml/xenstored/connections.ml b/tools/ocaml/xenstored/connections.ml
+index 7d68c583b4..a80ae0bed2 100644
+--- a/tools/ocaml/xenstored/connections.ml
++++ b/tools/ocaml/xenstored/connections.ml
+@@ -48,9 +48,7 @@ let add_domain cons dom =
+ let xbcon = Xenbus.Xb.open_mmap ~capacity (Domain.get_interface dom) (fun () -> Domain.notify dom) in
+ let con = Connection.create xbcon (Some dom) in
+ Hashtbl.add cons.domains (Domain.get_id dom) con;
+- match Domain.get_port dom with
+- | Some p -> Hashtbl.add cons.ports p con;
+- | None -> ()
++ Hashtbl.add cons.ports (Domain.get_local_port dom) con
+
+ let select ?(only_if = (fun _ -> true)) cons =
+ Hashtbl.fold (fun _ con (ins, outs) ->
+@@ -97,10 +95,7 @@ let del_domain cons id =
+ let con = find_domain cons id in
+ Hashtbl.remove cons.domains id;
+ (match Connection.get_domain con with
+- | Some d ->
+- (match Domain.get_port d with
+- | Some p -> Hashtbl.remove cons.ports p
+- | None -> ())
++ | Some d -> Hashtbl.remove cons.ports (Domain.get_local_port d)
+ | None -> ());
+ del_watches cons con;
+ Connection.close con
+diff --git a/tools/ocaml/xenstored/domain.ml b/tools/ocaml/xenstored/domain.ml
+index d59a9401e2..481e10794d 100644
+--- a/tools/ocaml/xenstored/domain.ml
++++ b/tools/ocaml/xenstored/domain.ml
+@@ -19,14 +19,31 @@ open Printf
+ let debug fmt = Logging.debug "domain" fmt
+ let warn fmt = Logging.warn "domain" fmt
+
++(* A bound inter-domain event channel port pair. The remote port, and the
++ local port it is bound to. *)
++type port_pair =
++{
++ local: Xeneventchn.t;
++ remote: int;
++}
++
++(* Sentinal port_pair with both set to EVTCHN_INVALID *)
++let invalid_ports =
++{
++ local = Xeneventchn.of_int 0;
++ remote = 0
++}
++
++let string_of_port_pair p =
++ sprintf "(l %d, r %d)" (Xeneventchn.to_int p.local) p.remote
++
+ type t =
+ {
+ id: Xenctrl.domid;
+ mfn: nativeint;
+ interface: Xenmmap.mmap_interface;
+ eventchn: Event.t;
+- mutable remote_port: int;
+- mutable port: Xeneventchn.t option;
++ mutable ports: port_pair;
+ mutable bad_client: bool;
+ mutable io_credit: int; (* the rounds of ring process left to do, default is 0,
+ usually set to 1 when there is work detected, could
+@@ -41,8 +58,8 @@ let is_dom0 d = d.id = 0
+ let get_id domain = domain.id
+ let get_interface d = d.interface
+ let get_mfn d = d.mfn
+-let get_remote_port d = d.remote_port
+-let get_port d = d.port
++let get_remote_port d = d.ports.remote
++let get_local_port d = d.ports.local
+
+ let is_bad_domain domain = domain.bad_client
+ let mark_as_bad domain = domain.bad_client <- true
+@@ -56,54 +73,36 @@ let is_paused_for_conflict dom = dom.conflict_credit <= 0.0
+
+ let is_free_to_conflict = is_dom0
+
+-let string_of_port = function
+- | None -> "None"
+- | Some x -> string_of_int (Xeneventchn.to_int x)
+-
+ let dump d chan =
+- fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.remote_port
++ fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.ports.remote
+
+ let rebind_evtchn d remote_port =
+- begin match d.port with
+- | None -> ()
+- | Some p -> Event.unbind d.eventchn p
+- end;
++ Event.unbind d.eventchn d.ports.local;
+ let local = Event.bind_interdomain d.eventchn d.id remote_port in
+- debug "domain %d rebind (l %s, r %d) => (l %d, r %d)"
+- d.id (string_of_port d.port) d.remote_port
+- (Xeneventchn.to_int local) remote_port;
+- d.remote_port <- remote_port;
+- d.port <- Some (local)
++ let new_ports = { local; remote = remote_port } in
++ debug "domain %d rebind %s => %s"
++ d.id (string_of_port_pair d.ports) (string_of_port_pair new_ports);
++ d.ports <- new_ports
+
+ let notify dom =
+- match dom.port with
+- | None -> warn "domain %d: attempt to notify on unknown port" dom.id
+- | Some port -> Event.notify dom.eventchn port
+-
+-let bind_interdomain dom =
+- begin match dom.port with
+- | None -> ()
+- | Some port -> Event.unbind dom.eventchn port
+- end;
+- dom.port <- Some (Event.bind_interdomain dom.eventchn dom.id dom.remote_port);
+- debug "bound domain %d remote port %d to local port %s" dom.id dom.remote_port (string_of_port dom.port)
+-
++ Event.notify dom.eventchn dom.ports.local
+
+ let close dom =
+- debug "domain %d unbound port %s" dom.id (string_of_port dom.port);
+- begin match dom.port with
+- | None -> ()
+- | Some port -> Event.unbind dom.eventchn port
+- end;
++ debug "domain %d unbind %s" dom.id (string_of_port_pair dom.ports);
++ Event.unbind dom.eventchn dom.ports.local;
++ dom.ports <- invalid_ports;
+ Xenmmap.unmap dom.interface
+
+-let make id mfn remote_port interface eventchn = {
++let make id mfn remote_port interface eventchn =
++ let local = Event.bind_interdomain eventchn id remote_port in
++ let ports = { local; remote = remote_port } in
++ debug "domain %d bind %s" id (string_of_port_pair ports);
++{
+ id = id;
+ mfn = mfn;
+- remote_port = remote_port;
++ ports;
+ interface = interface;
+ eventchn = eventchn;
+- port = None;
+ bad_client = false;
+ io_credit = 0;
+ conflict_credit = !Define.conflict_burst_limit;
+diff --git a/tools/ocaml/xenstored/domains.ml b/tools/ocaml/xenstored/domains.ml
+index 26018ac0dd..2ab0c5f4d8 100644
+--- a/tools/ocaml/xenstored/domains.ml
++++ b/tools/ocaml/xenstored/domains.ml
+@@ -126,7 +126,6 @@ let create doms domid mfn remote_port =
+ let interface = Xenctrl.map_foreign_range xc domid (Xenmmap.getpagesize()) mfn in
+ let dom = Domain.make domid mfn remote_port interface doms.eventchn in
+ Hashtbl.add doms.table domid dom;
+- Domain.bind_interdomain dom;
+ dom
+
+ let xenstored_kva = ref ""
+@@ -144,7 +143,6 @@ let create0 doms =
+
+ let dom = Domain.make 0 Nativeint.zero remote_port interface doms.eventchn in
+ Hashtbl.add doms.table 0 dom;
+- Domain.bind_interdomain dom;
+ Domain.notify dom;
+ dom
+
+--
+2.40.0
+
diff --git a/0019-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch b/0019-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch
deleted file mode 100644
index 5571446..0000000
--- a/0019-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch
+++ /dev/null
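Review bot: `Domain.notify` loses its guard in this patch: once `close` has set `dom.ports <- invalid_ports`, a later notify goes straight to `Event.notify dom.eventchn dom.ports.local` with port 0, where the old code logged a warning for an unknown port instead of touching the handle. If a closed domain object can still be reached by a caller (not visible from this hunk), keeping the warning path is the safer behaviour, e.g. `if Xeneventchn.to_int dom.ports.local = 0 then warn "domain %d: attempt to notify on unknown port" dom.id else Event.notify dom.eventchn dom.ports.local`. The comment on `invalid_ports` misspells "Sentinel" and names EVTCHN_INVALID without saying why 0 is safe as the invalid value; it should state the assumption that port 0 is never handed out as a bound local port.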
@@ -1,70 +0,0 @@
-From 854013084e2c6267af7787df8b35d85646f79a54 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
-Date: Thu, 12 Jan 2023 11:38:38 +0000
-Subject: [PATCH 19/61] tools/ocaml/xc: Fix binding for
- xc_domain_assign_device()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The patch adding this binding was plain broken, and unreviewed. It modified
-the C stub to add a 4th parameter without an equivalent adjustment in the
-Ocaml side of the bindings.
-
-In 64bit builds, this causes us to dereference whatever dead value is in %rcx
-when trying to interpret the rflags parameter.
-
-This has gone unnoticed because Xapi doesn't use this binding (it has its
-own), but unbreak the binding by passing RDM_RELAXED unconditionally for
-now (matching the libxl default behaviour).
-
-Fixes: 9b34056cb4 ("tools: extend xc_assign_device() to support rdm reservation policy")
-Signed-off-by: Edwin Török
-Signed-off-by: Andrew Cooper
-Acked-by: Christian Lindig
-(cherry picked from commit 4250683842104f02996428f93927a035c8e19266)
----
- tools/ocaml/libs/xc/xenctrl_stubs.c | 17 +++++------------
- 1 file changed, 5 insertions(+), 12 deletions(-)
-
-diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c
-index ec64341a9a..e2efcbe182 100644
---- a/tools/ocaml/libs/xc/xenctrl_stubs.c
-+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
-@@ -1123,17 +1123,12 @@ CAMLprim value stub_xc_domain_test_assign_device(value xch, value domid, value d
- CAMLreturn(Val_bool(ret == 0));
- }
-
--static int domain_assign_device_rdm_flag_table[] = {
-- XEN_DOMCTL_DEV_RDM_RELAXED,
--};
--
--CAMLprim value stub_xc_domain_assign_device(value xch, value domid, value desc,
-- value rflag)
-+CAMLprim value stub_xc_domain_assign_device(value xch, value domid, value desc)
- {
-- CAMLparam4(xch, domid, desc, rflag);
-+ CAMLparam3(xch, domid, desc);
- int ret;
- int domain, bus, dev, func;
-- uint32_t sbdf, flag;
-+ uint32_t sbdf;
-
- domain = Int_val(Field(desc, 0));
- bus = Int_val(Field(desc, 1));
-@@ -1141,10 +1136,8 @@ CAMLprim value stub_xc_domain_assign_device(value xch, value domid, value desc,
- func = Int_val(Field(desc, 3));
- sbdf = encode_sbdf(domain, bus, dev, func);
-
-- ret = Int_val(Field(rflag, 0));
-- flag = domain_assign_device_rdm_flag_table[ret];
--
-- ret = xc_assign_device(_H(xch), _D(domid), sbdf, flag);
-+ ret = xc_assign_device(_H(xch), _D(domid), sbdf,
-+ XEN_DOMCTL_DEV_RDM_RELAXED);
-
- if (ret < 0)
- failwith_xc(_H(xch));
---
-2.40.0
-
diff --git a/0019-tools-oxenstored-Keep-dev-xen-evtchn-open-across-liv.patch b/0019-tools-oxenstored-Keep-dev-xen-evtchn-open-across-liv.patch
new file mode 100644
index 0000000..f6ae3fe
--- /dev/null
+++ b/0019-tools-oxenstored-Keep-dev-xen-evtchn-open-across-liv.patch
@@ -0,0 +1,367 @@
+From f02171b663393e10d35123e5572c0f5b3e72c29d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
+Date: Thu, 3 Nov 2022 15:31:39 +0000
+Subject: [PATCH 19/89] tools/oxenstored: Keep /dev/xen/evtchn open across live
+ update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Closing the evtchn handle will unbind and free all local ports. The new
+xenstored would need to rebind all evtchns, which is work that we don't want
+or need to be doing during the critical handover period.
+
+However, it turns out that the Windows PV drivers also rebind their local port
+too across suspend/resume, leaving (o)xenstored with a stale idea of the
+remote port to use. In this case, reusing the established connection is the
+only robust option.
+
+Therefore:
+ * Have oxenstored open /dev/xen/evtchn without CLOEXEC at start of day.
+ * Extend the handover information with the evtchn fd, domexc virq local port,
+ and the local port number for each domain connection.
+ * Have (the new) oxenstored recover the open handle using Xeneventchn.fdopen,
+ and use the provided local ports rather than trying to rebind them.
+
+When this new information isn't present (i.e. live updating from an oxenstored
+prior to this change), the best-effort status quo will have to do.
+
+Signed-off-by: Edwin Török
+Signed-off-by: Andrew Cooper
+Acked-by: Christian Lindig
+(cherry picked from commit 9b224c25293a53fcbe32da68052d861dda71a6f4)
+---
+ tools/ocaml/xenstored/domain.ml | 13 +++--
+ tools/ocaml/xenstored/domains.ml | 9 ++--
+ tools/ocaml/xenstored/event.ml | 20 +++++--
+ tools/ocaml/xenstored/process.ml | 2 +-
+ tools/ocaml/xenstored/xenstored.ml | 85 ++++++++++++++++++++----------
+ 5 files changed, 90 insertions(+), 39 deletions(-)
+
+diff --git a/tools/ocaml/xenstored/domain.ml b/tools/ocaml/xenstored/domain.ml
+index 481e10794d..5c15752a37 100644
+--- a/tools/ocaml/xenstored/domain.ml
++++ b/tools/ocaml/xenstored/domain.ml
+@@ -74,7 +74,8 @@ let is_paused_for_conflict dom = dom.conflict_credit <= 0.0
+ let is_free_to_conflict = is_dom0
+
+ let dump d chan =
+- fprintf chan "dom,%d,%nd,%d\n" d.id d.mfn d.ports.remote
++ fprintf chan "dom,%d,%nd,%d,%d\n"
++ d.id d.mfn d.ports.remote (Xeneventchn.to_int d.ports.local)
+
+ let rebind_evtchn d remote_port =
+ Event.unbind d.eventchn d.ports.local;
+@@ -93,8 +94,14 @@ let close dom =
+ dom.ports <- invalid_ports;
+ Xenmmap.unmap dom.interface
+
+-let make id mfn remote_port interface eventchn =
+- let local = Event.bind_interdomain eventchn id remote_port in
++(* On clean start, local_port will be None, and we must bind the remote port
++ given. On Live Update, the event channel is already bound, and both the
++ local and remote port numbers come from the transfer record. *)
++let make ?local_port ~remote_port id mfn interface eventchn =
++ let local = match local_port with
++ | None -> Event.bind_interdomain eventchn id remote_port
++ | Some p -> Xeneventchn.of_int p
++ in
+ let ports = { local; remote = remote_port } in
+ debug "domain %d bind %s" id (string_of_port_pair ports);
+ {
+diff --git a/tools/ocaml/xenstored/domains.ml b/tools/ocaml/xenstored/domains.ml
+index 2ab0c5f4d8..b6c075c838 100644
+--- a/tools/ocaml/xenstored/domains.ml
++++ b/tools/ocaml/xenstored/domains.ml
+@@ -56,6 +56,7 @@ let exist doms id = Hashtbl.mem doms.table id
+ let find doms id = Hashtbl.find doms.table id
+ let number doms = Hashtbl.length doms.table
+ let iter doms fct = Hashtbl.iter (fun _ b -> fct b) doms.table
++let eventchn doms = doms.eventchn
+
+ let rec is_empty_queue q =
+ Queue.is_empty q ||
+@@ -122,16 +123,16 @@ let cleanup doms =
+ let resume _doms _domid =
+ ()
+
+-let create doms domid mfn remote_port =
++let create doms ?local_port ~remote_port domid mfn =
+ let interface = Xenctrl.map_foreign_range xc domid (Xenmmap.getpagesize()) mfn in
+- let dom = Domain.make domid mfn remote_port interface doms.eventchn in
++ let dom = Domain.make ?local_port ~remote_port domid mfn interface doms.eventchn in
+ Hashtbl.add doms.table domid dom;
+ dom
+
+ let xenstored_kva = ref ""
+ let xenstored_port = ref ""
+
+-let create0 doms =
++let create0 ?local_port doms =
+ let remote_port = Utils.read_file_single_integer !xenstored_port in
+
+ let interface =
+@@ -141,7 +142,7 @@ let create0 doms =
+ interface
+ in
+
+- let dom = Domain.make 0 Nativeint.zero remote_port interface doms.eventchn in
++ let dom = Domain.make ?local_port ~remote_port 0 Nativeint.zero interface doms.eventchn in
+ Hashtbl.add doms.table 0 dom;
+ Domain.notify dom;
+ dom
+diff --git a/tools/ocaml/xenstored/event.ml b/tools/ocaml/xenstored/event.ml
+index a3be296374..629dc6041b 100644
+--- a/tools/ocaml/xenstored/event.ml
++++ b/tools/ocaml/xenstored/event.ml
+@@ -20,9 +20,18 @@ type t = {
+ domexc: Xeneventchn.t;
+ }
+
+-let init () =
+- let handle = Xeneventchn.init () in
+- let domexc = Xeneventchn.bind_dom_exc_virq handle in
++(* On clean start, both parameters will be None, and we must open the evtchn
++ handle and bind the DOM_EXC VIRQ. On Live Update, the fd is preserved
++ across exec(), and the DOM_EXC VIRQ still bound. *)
++let init ?fd ?domexc_port () =
++ let handle = match fd with
++ | None -> Xeneventchn.init ~cloexec:false ()
++ | Some fd -> fd |> Utils.FD.of_int |> Xeneventchn.fdopen
++ in
++ let domexc = match domexc_port with
++ | None -> Xeneventchn.bind_dom_exc_virq handle
++ | Some p -> Xeneventchn.of_int p
++ in
+ { handle; domexc }
+
+ let fd eventchn = Xeneventchn.fd eventchn.handle
+@@ -31,3 +40,8 @@ let unbind eventchn port = Xeneventchn.unbind eventchn.handle port
+ let notify eventchn port = Xeneventchn.notify eventchn.handle port
+ let pending eventchn = Xeneventchn.pending eventchn.handle
+ let unmask eventchn port = Xeneventchn.unmask eventchn.handle port
++
++let dump e chan =
++ Printf.fprintf chan "evtchn-dev,%d,%d\n"
++ (Utils.FD.to_int @@ Xeneventchn.fd e.handle)
++ (Xeneventchn.to_int e.domexc)
+diff --git a/tools/ocaml/xenstored/process.ml b/tools/ocaml/xenstored/process.ml
+index 1c80e7198d..02bd0f7d80 100644
+--- a/tools/ocaml/xenstored/process.ml
++++ b/tools/ocaml/xenstored/process.ml
+@@ -573,7 +573,7 @@ let do_introduce con t domains cons data =
+ end;
+ edom
+ else try
+- let ndom = Domains.create domains domid mfn remote_port in
++ let ndom = Domains.create ~remote_port domains domid mfn in
+ Connections.add_domain cons ndom;
+ Connections.fire_spec_watches (Transaction.get_root t) cons Store.Path.introduce_domain;
+ ndom
+diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
+index 1f11f576b5..f526f4fb23 100644
+--- a/tools/ocaml/xenstored/xenstored.ml
++++ b/tools/ocaml/xenstored/xenstored.ml
+@@ -144,7 +144,7 @@ exception Bad_format of string
+
+ let dump_format_header = "$xenstored-dump-format"
+
+-let from_channel_f chan global_f socket_f domain_f watch_f store_f =
++let from_channel_f chan global_f evtchn_f socket_f domain_f watch_f store_f =
+ let unhexify s = Utils.unhexify s in
+ let getpath s =
+ let u = Utils.unhexify s in
+@@ -165,12 +165,19 @@ let from_channel_f chan global_f socket_f domain_f watch_f store_f =
+ (* there might be more parameters here,
+ e.g. a RO socket from a previous version: ignore it *)
+ global_f ~rw
++ | "evtchn-dev" :: fd :: domexc_port :: [] ->
++ evtchn_f ~fd:(int_of_string fd)
++ ~domexc_port:(int_of_string domexc_port)
+ | "socket" :: fd :: [] ->
+ socket_f ~fd:(int_of_string fd)
+- | "dom" :: domid :: mfn :: remote_port :: []->
+- domain_f (int_of_string domid)
+- (Nativeint.of_string mfn)
+- (int_of_string remote_port)
++ | "dom" :: domid :: mfn :: remote_port :: rest ->
++ let local_port = match rest with
++ | [] -> None (* backward compat: old version didn't have it *)
++ | local_port :: _ -> Some (int_of_string local_port) in
++ domain_f ?local_port
++ ~remote_port:(int_of_string remote_port)
++ (int_of_string domid)
++ (Nativeint.of_string mfn)
+ | "watch" :: domid :: path :: token :: [] ->
+ watch_f (int_of_string domid)
+ (unhexify path) (unhexify token)
+@@ -189,10 +196,21 @@ let from_channel_f chan global_f socket_f domain_f watch_f store_f =
+ done;
+ info "Completed loading xenstore dump"
+
+-let from_channel store cons doms chan =
++let from_channel store cons domains_init chan =
+ (* don't let the permission get on our way, full perm ! *)
+ let op = Store.get_ops store Perms.Connection.full_rights in
+ let rwro = ref (None) in
++ let doms = ref (None) in
++
++ let require_doms () =
++ match !doms with
++ | None ->
++ warn "No event channel file descriptor available in dump!";
++ let domains = domains_init @@ Event.init () in
++ doms := Some domains;
++ domains
++ | Some d -> d
++ in
+ let global_f ~rw =
+ let get_listen_sock sockfd =
+ let fd = sockfd |> int_of_string |> Utils.FD.of_int in
+@@ -201,6 +219,10 @@ let from_channel store cons doms chan =
+ in
+ rwro := get_listen_sock rw
+ in
++ let evtchn_f ~fd ~domexc_port =
++ let evtchn = Event.init ~fd ~domexc_port () in
++ doms := Some(domains_init evtchn)
++ in
+ let socket_f ~fd =
+ let ufd = Utils.FD.of_int fd in
+ let is_valid = try (Unix.fstat ufd).Unix.st_kind = Unix.S_SOCK with _ -> false in
+@@ -209,12 +231,13 @@ let from_channel store cons doms chan =
+ else
+ warn "Ignoring invalid socket FD %d" fd
+ in
+- let domain_f domid mfn remote_port =
++ let domain_f ?local_port ~remote_port domid mfn =
++ let doms = require_doms () in
+ let ndom =
+ if domid > 0 then
+- Domains.create doms domid mfn remote_port
++ Domains.create ?local_port ~remote_port doms domid mfn
+ else
+- Domains.create0 doms
++ Domains.create0 ?local_port doms
+ in
+ Connections.add_domain cons ndom;
+ in
+@@ -229,8 +252,8 @@ let from_channel store cons doms chan =
+ op.Store.write path value;
+ op.Store.setperms path perms
+ in
+- from_channel_f chan global_f socket_f domain_f watch_f store_f;
+- !rwro
++ from_channel_f chan global_f evtchn_f socket_f domain_f watch_f store_f;
++ !rwro, require_doms ()
+
+ let from_file store cons doms file =
+ info "Loading xenstore dump from %s" file;
+@@ -238,7 +261,7 @@ let from_file store cons doms file =
+ finally (fun () -> from_channel store doms cons channel)
+ (fun () -> close_in channel)
+
+-let to_channel store cons rw chan =
++let to_channel store cons (rw, evtchn) chan =
+ let hexify s = Utils.hexify s in
+
+ fprintf chan "%s\n" dump_format_header;
+@@ -248,6 +271,9 @@ let to_channel store cons rw chan =
+ Utils.FD.to_int fd in
+ fprintf chan "global,%d\n" (fdopt rw);
+
++ (* dump evtchn device info *)
++ Event.dump evtchn chan;
++
+ (* dump connections related to domains: domid, mfn, eventchn port/ sockets, and watches *)
+ Connections.iter cons (fun con -> Connection.dump con chan);
+
+@@ -367,7 +393,6 @@ let _ =
+ | None -> () end;
+
+ let store = Store.create () in
+- let eventchn = Event.init () in
+ let next_frequent_ops = ref 0. in
+ let advance_next_frequent_ops () =
+ next_frequent_ops := (Unix.gettimeofday () +. !Define.conflict_max_history_seconds)
+@@ -375,16 +400,8 @@ let _ =
+ let delay_next_frequent_ops_by duration =
+ next_frequent_ops := !next_frequent_ops +. duration
+ in
+- let domains = Domains.init eventchn advance_next_frequent_ops in
++ let domains_init eventchn = Domains.init eventchn advance_next_frequent_ops in
+
+- (* For things that need to be done periodically but more often
+- * than the periodic_ops function *)
+- let frequent_ops () =
+- if Unix.gettimeofday () > !next_frequent_ops then (
+- History.trim ();
+- Domains.incr_conflict_credit domains;
+- advance_next_frequent_ops ()
+- ) in
+ let cons = Connections.create () in
+
+ let quit = ref false in
+@@ -393,14 +410,15 @@ let _ =
+ List.iter (fun path ->
+ Store.write store Perms.Connection.full_rights path "") Store.Path.specials;
+
+- let rw_sock =
++ let rw_sock, domains =
+ if cf.restart && Sys.file_exists Disk.xs_daemon_database then (
+- let rwro = DB.from_file store domains cons Disk.xs_daemon_database in
++ let rw, domains = DB.from_file store domains_init cons Disk.xs_daemon_database in
+ info "Live reload: database loaded";
+ Process.LiveUpdate.completed ();
+- rwro
++ rw, domains
+ ) else (
+ info "No live reload: regular startup";
++ let domains = domains_init @@ Event.init () in
+ if !Disk.enable then (
+ info "reading store from disk";
+ Disk.read store
+@@ -413,9 +431,18 @@ let _ =
+ if cf.domain_init then (
+ Connections.add_domain cons (Domains.create0 domains);
+ );
+- rw_sock
++ rw_sock, domains
+ ) in
+
++ (* For things that need to be done periodically but more often
++ * than the periodic_ops function *)
++ let frequent_ops () =
++ if Unix.gettimeofday () > !next_frequent_ops then (
++ History.trim ();
++ Domains.incr_conflict_credit domains;
++ advance_next_frequent_ops ()
++ ) in
++
+ (* required for xenstore-control to detect availability of live-update *)
+ let tool_path = Store.Path.of_string "/tool" in
+ if not (Store.path_exists store tool_path) then
+@@ -430,8 +457,10 @@ let _ =
+ Sys.set_signal Sys.sigusr1 (Sys.Signal_handle (fun _ -> sigusr1_handler store));
+ Sys.set_signal Sys.sigpipe Sys.Signal_ignore;
+
++ let eventchn = Domains.eventchn domains in
++
+ if cf.activate_access_log then begin
+- let post_rotate () = DB.to_file store cons (None) Disk.xs_daemon_database in
++ let post_rotate () = DB.to_file store cons (None, eventchn) Disk.xs_daemon_database in
+ Logging.init_access_log post_rotate
+ end;
+
+@@ -593,7 +622,7 @@ let _ =
+ live_update := Process.LiveUpdate.should_run cons;
+ if !live_update || !quit then begin
+ (* don't initiate live update if saving state fails *)
+- DB.to_file store cons (rw_sock) Disk.xs_daemon_database;
++ DB.to_file store cons (rw_sock, eventchn) Disk.xs_daemon_database;
+ quit := true;
+ end
+ with exc ->
+--
+2.40.0
+
diff --git a/0020-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch b/0020-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch
deleted file mode 100644
index a829d36..0000000
--- a/0020-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch
+++ /dev/null
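Review bot: `evtchn_f` in xenstored.ml passes the fd number read from the dump straight to `Event.init ~fd`, which calls `Xeneventchn.fdopen` on it, while `socket_f` just below checks its descriptor with `Unix.fstat` before using it. The `evtchn-dev` and `dom` records are parsed from the file at `Disk.xs_daemon_database`, so a stale or damaged dump would make the new daemon adopt an unrelated descriptor and treat the recorded local ports as already bound. A check of the same shape before the `Event.init` call would make this fail closed, assuming the evtchn device node is a character device: `let ok = try (Unix.fstat (Utils.FD.of_int fd)).Unix.st_kind = Unix.S_CHR with _ -> false in` followed by `if not ok then raise (Bad_format "evtchn-dev: bad fd");`. Separately, `Xeneventchn.init ~cloexec:false ()` in event.ml makes the handle inheritable by every process the daemon execs, not only the live-update successor, and the comment above `init` should say so.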
@@ -1,76 +0,0 @@ -From 1fdff77e26290ae1ed40e8253959d12a0c4b3d3f Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Tue, 31 Jan 2023 17:19:30 +0000 -Subject: [PATCH 20/61] tools/ocaml/xc: Don't reference Abstract_Tag objects - with the GC lock released - -The intf->{addr,len} references in the xc_map_foreign_range() call are unsafe. -From the manual: - - https://ocaml.org/manual/intfc.html#ss:parallel-execution-long-running-c-code - -"After caml_release_runtime_system() was called and until -caml_acquire_runtime_system() is called, the C code must not access any OCaml -data, nor call any function of the run-time system, nor call back into OCaml -code." - -More than what the manual says, the intf pointer is (potentially) invalidated -by caml_enter_blocking_section() if another thread happens to perform garbage -collection at just the right (wrong) moment. - -Rewrite the logic. There's no need to stash data in the Ocaml object until -the success path at the very end. - -Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.") -Signed-off-by: Andrew Cooper -Acked-by: Christian Lindig -(cherry picked from commit 9e7c74e6f9fd2e44df1212643b80af9032b45b07) ---- - tools/ocaml/libs/xc/xenctrl_stubs.c | 23 +++++++++++------------ - 1 file changed, 11 insertions(+), 12 deletions(-) - -diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c -index e2efcbe182..0a0fe45c54 100644 ---- a/tools/ocaml/libs/xc/xenctrl_stubs.c -+++ b/tools/ocaml/libs/xc/xenctrl_stubs.c -@@ -937,26 +937,25 @@ CAMLprim value stub_map_foreign_range(value xch, value dom, - CAMLparam4(xch, dom, size, mfn); - CAMLlocal1(result); - struct mmap_interface *intf; -- uint32_t c_dom; -- unsigned long c_mfn; -+ unsigned long c_mfn = Nativeint_val(mfn); -+ int len = Int_val(size); -+ void *ptr; - - BUILD_BUG_ON((sizeof(struct mmap_interface) % sizeof(value)) != 0); - result = caml_alloc(Wsize_bsize(sizeof(struct mmap_interface)), - Abstract_tag); - -- intf = (struct mmap_interface *) result; 
-- -- intf->len = Int_val(size); -- -- c_dom = _D(dom); -- c_mfn = Nativeint_val(mfn); - caml_enter_blocking_section(); -- intf->addr = xc_map_foreign_range(_H(xch), c_dom, -- intf->len, PROT_READ|PROT_WRITE, -- c_mfn); -+ ptr = xc_map_foreign_range(_H(xch), _D(dom), len, -+ PROT_READ|PROT_WRITE, c_mfn); - caml_leave_blocking_section(); -- if (!intf->addr) -+ -+ if (!ptr) - caml_failwith("xc_map_foreign_range error"); -+ -+ intf = Data_abstract_val(result); -+ *intf = (struct mmap_interface){ ptr, len }; -+ - CAMLreturn(result); - } - --- -2.40.0 - diff --git a/0020-tools-oxenstored-Log-live-update-issues-at-warning-l.patch b/0020-tools-oxenstored-Log-live-update-issues-at-warning-l.patch new file mode 100644 index 0000000..533e3e7 --- /dev/null +++ b/0020-tools-oxenstored-Log-live-update-issues-at-warning-l.patch 
@@ -0,0 +1,42 @@ +From 991b512f5f69dde3c923804f887be9df56b03a74 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= +Date: Tue, 8 Nov 2022 08:57:47 +0000 +Subject: [PATCH 20/89] tools/oxenstored: Log live update issues at warning + level +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +During live update, oxenstored tries a best effort approach to recover as many +domains and information as possible even if it encounters errors restoring +some domains. + +However, logging about misunderstood input is more severe than simply info. +Log it at warning instead. + +Signed-off-by: Edwin Török +Acked-by: Christian Lindig +(cherry picked from commit 3f02e0a70fe9f8143454b742563433958d4a87f8) +--- + tools/ocaml/xenstored/xenstored.ml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml +index f526f4fb23..35b8cbd43f 100644 +--- a/tools/ocaml/xenstored/xenstored.ml ++++ b/tools/ocaml/xenstored/xenstored.ml +@@ -186,9 +186,9 @@ let from_channel_f chan global_f evtchn_f socket_f domain_f watch_f store_f = + (Perms.Node.of_string (unhexify perms ^ "\000")) + (unhexify value) + | _ -> +- info "restoring: ignoring unknown line: %s" line ++ warn "restoring: ignoring unknown line: %s" line + with exn -> +- info "restoring: ignoring unknown line: %s (exception: %s)" ++ warn "restoring: ignoring unknown line: %s (exception: %s)" + line (Printexc.to_string exn); + () + with End_of_file -> +-- +2.40.0 + diff --git a/0021-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch b/0021-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch deleted file mode 100644 index 8ed7dfa..0000000 --- a/0021-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 1b6acdeeb2323c53d841356da50440e274e7bf9a Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Wed, 1 Feb 2023 11:27:42 +0000 -Subject: [PATCH 21/61] tools/ocaml/libs: Fix memory/resource leaks with - caml_alloc_custom() - -All caml_alloc_*() functions can throw exceptions, and longjump out of -context. If this happens, we leak the xch/xce handle. - -Reorder the logic to allocate the the Ocaml object first. - -Fixes: 8b3c06a3e545 ("tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free") -Fixes: 22d5affdf0ce ("tools/ocaml/evtchn: OCaml 5 support, fix potential resource leak") -Signed-off-by: Andrew Cooper -Acked-by: Christian Lindig -(cherry picked from commit d69ccf52ad467ccc22029172a8e61dc621187889) ---- - tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c -index d7881ca95f..de2fc29292 100644 ---- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c -+++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c -@@ -63,6 +63,8 @@ CAMLprim value stub_eventchn_init(value cloexec) - if ( !Bool_val(cloexec) ) - flags |= XENEVTCHN_NO_CLOEXEC; - -+ result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1); -+ - caml_enter_blocking_section(); - xce = xenevtchn_open(NULL, flags); - caml_leave_blocking_section(); -@@ -70,7 +72,6 @@ CAMLprim value stub_eventchn_init(value cloexec) - if (xce == NULL) - caml_failwith("open failed"); - -- result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1); - *(xenevtchn_handle **)Data_custom_val(result) = xce; - - CAMLreturn(result); -@@ -82,6 +83,8 @@ CAMLprim value stub_eventchn_fdopen(value fdval) - CAMLlocal1(result); - xenevtchn_handle *xce; - -+ result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1); -+ - caml_enter_blocking_section(); - xce = xenevtchn_fdopen(NULL, Int_val(fdval), 0); - caml_leave_blocking_section(); -@@ -89,7 +92,6 @@ 
CAMLprim value stub_eventchn_fdopen(value fdval) - if (xce == NULL) - caml_failwith("evtchn fdopen failed"); - -- result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1); - *(xenevtchn_handle **)Data_custom_val(result) = xce; - - CAMLreturn(result); --- -2.40.0 - diff --git a/0021-tools-oxenstored-Set-uncaught-exception-handler.patch b/0021-tools-oxenstored-Set-uncaught-exception-handler.patch new file mode 100644 index 0000000..8a42fcc --- /dev/null +++ b/0021-tools-oxenstored-Set-uncaught-exception-handler.patch 
@@ -0,0 +1,83 @@ +From e13a9a2146952859c21c0a0c7b8b07757c2aba9d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= +Date: Mon, 7 Nov 2022 17:41:36 +0000 +Subject: [PATCH 21/89] tools/oxenstored: Set uncaught exception handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Unhandled exceptions go to stderr by default, but this doesn't typically work +for oxenstored because: + * daemonize reopens stderr as /dev/null + * systemd redirects stderr to /dev/null too + +Debugging an unhandled exception requires reproducing the issue locally when +using --no-fork, and is not conducive to figuring out what went wrong on a +remote system. + +Install a custom handler which also tries to render the backtrace to the +configured syslog facility, and DAEMON|ERR otherwise. + +Signed-off-by: Edwin Török +Signed-off-by: Andrew Cooper +Acked-by: Christian Lindig +(cherry picked from commit ee7815f49faf743e960dac9e72809eb66393bc6d) +--- + tools/ocaml/xenstored/logging.ml | 29 +++++++++++++++++++++++++++++ + tools/ocaml/xenstored/xenstored.ml | 3 ++- + 2 files changed, 31 insertions(+), 1 deletion(-) + +diff --git a/tools/ocaml/xenstored/logging.ml b/tools/ocaml/xenstored/logging.ml +index 39c3036155..255051437d 100644 +--- a/tools/ocaml/xenstored/logging.ml ++++ b/tools/ocaml/xenstored/logging.ml +@@ -342,3 +342,32 @@ let xb_answer ~tid ~con ~ty data = + let watch_not_fired ~con perms path = + let data = Printf.sprintf "EPERM perms=[%s] path=%s" perms path in + access_logging ~tid:0 ~con ~data Watch_not_fired ~level:Info ++ ++let msg_of exn bt = ++ Printf.sprintf "Fatal exception: %s\n%s\n" (Printexc.to_string exn) ++ (Printexc.raw_backtrace_to_string bt) ++ ++let fallback_exception_handler exn bt = ++ (* stderr goes to /dev/null, so use the logger where possible, ++ but always print to stderr too, in case everything else fails, ++ e.g. 
this can be used to debug with --no-fork ++ ++ this function should try not to raise exceptions, but if it does ++ the ocaml runtime should still print the exception, both the original, ++ and the one from this function, but to stderr this time ++ *) ++ let msg = msg_of exn bt in ++ prerr_endline msg; ++ (* See Printexc.set_uncaught_exception_handler, need to flush, ++ so has to call stop and flush *) ++ match !xenstored_logger with ++ | Some l -> error "xenstored-fallback" "%s" msg; l.stop () ++ | None -> ++ (* Too early, no logger set yet. ++ We normally try to use the configured logger so we don't flood syslog ++ during development for example, or if the user has a file set ++ *) ++ try Syslog.log Syslog.Daemon Syslog.Err msg ++ with e -> ++ let bt = Printexc.get_raw_backtrace () in ++ prerr_endline @@ msg_of e bt +diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml +index 35b8cbd43f..4d5851c5cb 100644 +--- a/tools/ocaml/xenstored/xenstored.ml ++++ b/tools/ocaml/xenstored/xenstored.ml +@@ -355,7 +355,8 @@ let tweak_gc () = + Gc.set { (Gc.get ()) with Gc.max_overhead = !Define.gc_max_overhead } + + +-let _ = ++let () = ++ Printexc.set_uncaught_exception_handler Logging.fallback_exception_handler; + let cf = do_argv in + let pidfile = + if Sys.file_exists (config_filename cf) then +-- +2.40.0 + diff --git a/0022-tools-oxenstored-syslog-Avoid-potential-NULL-derefer.patch b/0022-tools-oxenstored-syslog-Avoid-potential-NULL-derefer.patch new file mode 100644 index 0000000..eb6d42e --- /dev/null +++ b/0022-tools-oxenstored-syslog-Avoid-potential-NULL-derefer.patch 
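Review bot: In `fallback_exception_handler` (logging.ml) the `Some l` branch runs `error "xenstored-fallback" "%s" msg; l.stop ()` with no guard, while the `None` branch wraps `Syslog.log` in `try ... with`. The function's own comment says it should try not to raise, yet a failure in the configured logger (for example if writing to its destination fails) would escape the handler on the path taken whenever a logger is set. Wrapping that branch the same way keeps the two consistent: `| Some l -> (try error "xenstored-fallback" "%s" msg; l.stop () with e -> prerr_endline @@ msg_of e (Printexc.get_raw_backtrace ()))`.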
@@ -0,0 +1,55 @@ +From 91a9ac6e9be5aa94020f5c482e6c51b581e2ea39 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= +Date: Tue, 8 Nov 2022 14:24:19 +0000 +Subject: [PATCH 22/89] tools/oxenstored/syslog: Avoid potential NULL + dereference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +strdup() may return NULL. Check for this before passing to syslog(). + +Drop const from c_msg. It is bogus, as demonstrated by the need to cast to +void * in order to free the memory. + +Signed-off-by: Edwin Török +Acked-by: Christian Lindig +(cherry picked from commit acd3fb6d65905f8a185dcb9fe6a330a591b96203) +--- + tools/ocaml/xenstored/syslog_stubs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/ocaml/xenstored/syslog_stubs.c b/tools/ocaml/xenstored/syslog_stubs.c +index 875d48ad57..e16c3a9491 100644 +--- a/tools/ocaml/xenstored/syslog_stubs.c ++++ b/tools/ocaml/xenstored/syslog_stubs.c +@@ -14,6 +14,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -35,14 +36,16 @@ static int __syslog_facility_table[] = { + value stub_syslog(value facility, value level, value msg) + { + CAMLparam3(facility, level, msg); +- const char *c_msg = strdup(String_val(msg)); ++ char *c_msg = strdup(String_val(msg)); + int c_facility = __syslog_facility_table[Int_val(facility)] + | __syslog_level_table[Int_val(level)]; + ++ if ( !c_msg ) ++ caml_raise_out_of_memory(); + caml_enter_blocking_section(); + syslog(c_facility, "%s", c_msg); + caml_leave_blocking_section(); + +- free((void*)c_msg); ++ free(c_msg); + CAMLreturn(Val_unit); + } +-- +2.40.0 + diff --git a/0022-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch b/0022-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch deleted file mode 100644 index 1d1edb0..0000000 --- a/0022-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From d4e286db89d80c862b4a24bf971dd71008c8b53e Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Thu, 8 Sep 2022 21:27:58 +0100 -Subject: [PATCH 22/61] x86/spec-ctrl: Mitigate Cross-Thread Return Address - Predictions - -This is XSA-426 / CVE-2022-27672 - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -(cherry picked from commit 63305e5392ec2d17b85e7996a97462744425db80) ---- - docs/misc/xen-command-line.pandoc | 2 +- - xen/arch/x86/spec_ctrl.c | 31 ++++++++++++++++++++++++++++--- - xen/include/asm-x86/cpufeatures.h | 3 ++- - xen/include/asm-x86/spec_ctrl.h | 15 +++++++++++++++ - 4 files changed, 46 insertions(+), 5 deletions(-) - -diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc -index bd6826d0ae..b3f60cd923 100644 ---- a/docs/misc/xen-command-line.pandoc -+++ b/docs/misc/xen-command-line.pandoc -@@ -2275,7 +2275,7 @@ guests to use. - on entry and exit. These blocks are necessary to virtualise support for - guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. - * `rsb=` offers control over whether to overwrite the Return Stack Buffer / -- Return Address Stack on entry to Xen. -+ Return Address Stack on entry to Xen and on idle. - * `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted -diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c -index 90d86fe5cb..14649d92f5 100644 ---- a/xen/arch/x86/spec_ctrl.c -+++ b/xen/arch/x86/spec_ctrl.c -@@ -1317,13 +1317,38 @@ void __init init_speculation_mitigations(void) - * 3) Some CPUs have RSBs which are not full width, which allow the - * attacker's entries to alias Xen addresses. - * -+ * 4) Some CPUs have RSBs which are re-partitioned based on thread -+ * idleness, which allows an attacker to inject entries into the other -+ * thread. 
We still active the optimisation in this case, and mitigate -+ * in the idle path which has lower overhead. -+ * - * It is safe to turn off RSB stuffing when Xen is using SMEP itself, and - * 32bit PV guests are disabled, and when the RSB is full width. - */ - BUILD_BUG_ON(RO_MPT_VIRT_START != PML4_ADDR(256)); -- if ( opt_rsb_pv == -1 && boot_cpu_has(X86_FEATURE_XEN_SMEP) && -- !opt_pv32 && rsb_is_full_width() ) -- opt_rsb_pv = 0; -+ if ( opt_rsb_pv == -1 ) -+ { -+ opt_rsb_pv = (opt_pv32 || !boot_cpu_has(X86_FEATURE_XEN_SMEP) || -+ !rsb_is_full_width()); -+ -+ /* -+ * Cross-Thread Return Address Predictions. -+ * -+ * Vulnerable systems are Zen1/Zen2 uarch, which is AMD Fam17 / Hygon -+ * Fam18, when SMT is active. -+ * -+ * To mitigate, we must flush the RSB/RAS/RAP once between entering -+ * Xen and going idle. -+ * -+ * Most cases flush on entry to Xen anyway. The one case where we -+ * don't is when using the SMEP optimisation for PV guests. Flushing -+ * before going idle is less overhead than flushing on PV entry. -+ */ -+ if ( !opt_rsb_pv && hw_smt_enabled && -+ (boot_cpu_data.x86_vendor & (X86_VENDOR_AMD|X86_VENDOR_HYGON)) && -+ (boot_cpu_data.x86 == 0x17 || boot_cpu_data.x86 == 0x18) ) -+ setup_force_cpu_cap(X86_FEATURE_SC_RSB_IDLE); -+ } - - if ( opt_rsb_pv ) - { -diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h -index ecc1bb0950..ccf9d7287c 100644 ---- a/xen/include/asm-x86/cpufeatures.h -+++ b/xen/include/asm-x86/cpufeatures.h -@@ -35,7 +35,8 @@ XEN_CPUFEATURE(SC_RSB_HVM, X86_SYNTH(19)) /* RSB overwrite needed for HVM - XEN_CPUFEATURE(XEN_SELFSNOOP, X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */ - XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* Clear MSR_SPEC_CTRL on idle */ - XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */ --/* Bits 23,24 unused. */ -+/* Bits 23 unused. */ -+XEN_CPUFEATURE(SC_RSB_IDLE, X86_SYNTH(24)) /* RSB overwrite needed for idle. 
*/ - XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */ - XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */ - XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */ -diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h -index 6a77c39378..391973ef6a 100644 ---- a/xen/include/asm-x86/spec_ctrl.h -+++ b/xen/include/asm-x86/spec_ctrl.h -@@ -159,6 +159,21 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info) - */ - alternative_input("", "verw %[sel]", X86_FEATURE_SC_VERW_IDLE, - [sel] "m" (info->verw_sel)); -+ -+ /* -+ * Cross-Thread Return Address Predictions: -+ * -+ * On vulnerable systems, the return predictions (RSB/RAS) are statically -+ * partitioned between active threads. When entering idle, our entries -+ * are re-partitioned to allow the other threads to use them. -+ * -+ * In some cases, we might still have guest entries in the RAS, so flush -+ * them before injecting them sideways to our sibling thread. -+ * -+ * (ab)use alternative_input() to specify clobbers. -+ */ -+ alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE, -+ : "rax", "rcx"); - } - - /* WARNING! `ret`, `call *`, `jmp *` not safe before this call. */ --- -2.40.0 - diff --git a/0023-automation-Remove-clang-8-from-Debian-unstable-conta.patch b/0023-automation-Remove-clang-8-from-Debian-unstable-conta.patch deleted file mode 100644 index 36dfb4f..0000000 --- a/0023-automation-Remove-clang-8-from-Debian-unstable-conta.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 0802504627453a54b1ab408b6e9dc8b5c561172d Mon Sep 17 00:00:00 2001 -From: Anthony PERARD -Date: Tue, 21 Feb 2023 16:55:38 +0000 -Subject: [PATCH 23/61] automation: Remove clang-8 from Debian unstable - container - -First, apt complain that it isn't the right way to add keys anymore, -but hopefully that's just a warning. - -Second, we can't install clang-8: -The following packages have unmet dependencies: - clang-8 : Depends: libstdc++-8-dev but it is not installable - Depends: libgcc-8-dev but it is not installable - Depends: libobjc-8-dev but it is not installable - Recommends: llvm-8-dev but it is not going to be installed - Recommends: libomp-8-dev but it is not going to be installed - libllvm8 : Depends: libffi7 (>= 3.3~20180313) but it is not installable -E: Unable to correct problems, you have held broken packages. - -clang on Debian unstable is now version 14.0.6. - -Signed-off-by: Anthony PERARD -Acked-by: Andrew Cooper -(cherry picked from commit a6b1e2b80fe2053b1c9c9843fb086a668513ea36) ---- - automation/build/debian/unstable-llvm-8.list | 3 --- - automation/build/debian/unstable.dockerfile | 12 ------------ - automation/gitlab-ci/build.yaml | 10 ---------- - 3 files changed, 25 deletions(-) - delete mode 100644 automation/build/debian/unstable-llvm-8.list - -diff --git a/automation/build/debian/unstable-llvm-8.list b/automation/build/debian/unstable-llvm-8.list -deleted file mode 100644 -index dc119fa0b4..0000000000 ---- a/automation/build/debian/unstable-llvm-8.list -+++ /dev/null -@@ -1,3 +0,0 @@ --# Unstable LLVM 8 repos --deb http://apt.llvm.org/unstable/ llvm-toolchain-8 main --deb-src http://apt.llvm.org/unstable/ llvm-toolchain-8 main -diff --git a/automation/build/debian/unstable.dockerfile b/automation/build/debian/unstable.dockerfile -index bd61cd12c2..828afa2e1e 100644 ---- a/automation/build/debian/unstable.dockerfile -+++ b/automation/build/debian/unstable.dockerfile -@@ -52,15 +52,3 @@ RUN apt-get update && \ - apt-get 
autoremove -y && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* -- --RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|apt-key add - --COPY unstable-llvm-8.list /etc/apt/sources.list.d/ -- --RUN apt-get update && \ -- apt-get --quiet --yes install \ -- clang-8 \ -- lld-8 \ -- && \ -- apt-get autoremove -y && \ -- apt-get clean && \ -- rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* -diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml -index fdd5c76582..06a75a8c5a 100644 ---- a/automation/gitlab-ci/build.yaml -+++ b/automation/gitlab-ci/build.yaml -@@ -304,16 +304,6 @@ debian-unstable-clang-debug: - variables: - CONTAINER: debian:unstable - --debian-unstable-clang-8: -- extends: .clang-8-x86-64-build -- variables: -- CONTAINER: debian:unstable -- --debian-unstable-clang-8-debug: -- extends: .clang-8-x86-64-build-debug -- variables: -- CONTAINER: debian:unstable -- - debian-unstable-gcc: - extends: .gcc-x86-64-build - variables: --- -2.40.0 - diff --git a/0023-tools-oxenstored-Render-backtraces-more-nicely-in-Sy.patch b/0023-tools-oxenstored-Render-backtraces-more-nicely-in-Sy.patch new file mode 100644 index 0000000..c0343d0 --- /dev/null +++ b/0023-tools-oxenstored-Render-backtraces-more-nicely-in-Sy.patch 
@@ -0,0 +1,83 @@ +From c4972a4272690384b15d5706f2a833aed636895e Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Thu, 1 Dec 2022 21:06:25 +0000 +Subject: [PATCH 23/89] tools/oxenstored: Render backtraces more nicely in + Syslog + +fallback_exception_handler feeds a string with embedded newlines directly into +syslog(). While this is an improvement on getting nothing, syslogd escapes +all control characters it gets, and emits one (long) log line. + +Fix the problem generally in the syslog stub. As we already have a local copy +of the string, split it in place and emit one syslog() call per line. + +Also tweak Logging.msg_of to avoid putting an extra newline on a string which +already ends with one. + +Fixes: ee7815f49faf ("tools/oxenstored: Set uncaught exception handler") +Signed-off-by: Andrew Cooper +Acked-by: Christian Lindig +(cherry picked from commit d2162d884cba0ff7b2ac0d832f4e044444bda2e1) +--- + tools/ocaml/xenstored/logging.ml | 2 +- + tools/ocaml/xenstored/syslog_stubs.c | 26 +++++++++++++++++++++++--- + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/tools/ocaml/xenstored/logging.ml b/tools/ocaml/xenstored/logging.ml +index 255051437d..f233bc9a39 100644 +--- a/tools/ocaml/xenstored/logging.ml ++++ b/tools/ocaml/xenstored/logging.ml +@@ -344,7 +344,7 @@ let watch_not_fired ~con perms path = + access_logging ~tid:0 ~con ~data Watch_not_fired ~level:Info + + let msg_of exn bt = +- Printf.sprintf "Fatal exception: %s\n%s\n" (Printexc.to_string exn) ++ Printf.sprintf "Fatal exception: %s\n%s" (Printexc.to_string exn) + (Printexc.raw_backtrace_to_string bt) + + let fallback_exception_handler exn bt = +diff --git a/tools/ocaml/xenstored/syslog_stubs.c b/tools/ocaml/xenstored/syslog_stubs.c +index e16c3a9491..760e78ff73 100644 +--- a/tools/ocaml/xenstored/syslog_stubs.c ++++ b/tools/ocaml/xenstored/syslog_stubs.c +@@ -37,14 +37,34 @@ value stub_syslog(value facility, value level, value msg) + { + CAMLparam3(facility, level, msg); + char 
*c_msg = strdup(String_val(msg)); ++ char *s = c_msg, *ss; + int c_facility = __syslog_facility_table[Int_val(facility)] + | __syslog_level_table[Int_val(level)]; + + if ( !c_msg ) + caml_raise_out_of_memory(); +- caml_enter_blocking_section(); +- syslog(c_facility, "%s", c_msg); +- caml_leave_blocking_section(); ++ ++ /* ++ * syslog() doesn't like embedded newlines, and c_msg generally ++ * contains them. ++ * ++ * Split the message in place by converting \n to \0, and issue one ++ * syslog() call per line, skipping the final iteration if c_msg ends ++ * with a newline anyway. ++ */ ++ do { ++ ss = strchr(s, '\n'); ++ if ( ss ) ++ *ss = '\0'; ++ else if ( *s == '\0' ) ++ break; ++ ++ caml_enter_blocking_section(); ++ syslog(c_facility, "%s", s); ++ caml_leave_blocking_section(); ++ ++ s = ss + 1; ++ } while ( ss ); + + free(c_msg); + CAMLreturn(Val_unit); +-- +2.40.0 + diff --git a/0024-Revert-tools-xenstore-simplify-loop-handling-connect.patch b/0024-Revert-tools-xenstore-simplify-loop-handling-connect.patch new file mode 100644 index 0000000..81481fc --- /dev/null +++ b/0024-Revert-tools-xenstore-simplify-loop-handling-connect.patch 
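Review bot: In the new loop in `stub_syslog`, `s = ss + 1;` still runs on the final pass where `strchr()` returned NULL, so it does arithmetic on a null pointer. The value is never read because `while ( ss )` ends the loop, but the computation itself is undefined behaviour in C. Guarding it with `if ( ss ) s = ss + 1;` removes that. Separately, the split applies to every caller of the stub, so an embedded newline in any logged string now becomes its own syslog record instead of an escaped character. If any caller logs guest-influenced text, it is worth confirming that the text is escaped before it reaches this function.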
@@ -0,0 +1,136 @@ +From 2f8851c37f88e4eb4858e16626fcb2379db71a4f Mon Sep 17 00:00:00 2001 +From: Jason Andryuk +Date: Thu, 26 Jan 2023 11:00:24 +0100 +Subject: [PATCH 24/89] Revert "tools/xenstore: simplify loop handling + connection I/O" + +I'm observing guest kexec trigger xenstored to abort on a double free. + +gdb output: +Program received signal SIGABRT, Aborted. +__pthread_kill_implementation (no_tid=0, signo=6, threadid=140645614258112) at ./nptl/pthread_kill.c:44 +44 ./nptl/pthread_kill.c: No such file or directory. +(gdb) bt + at ./nptl/pthread_kill.c:44 + at ./nptl/pthread_kill.c:78 + at ./nptl/pthread_kill.c:89 + at ../sysdeps/posix/raise.c:26 + at talloc.c:119 + ptr=ptr@entry=0x559fae724290) at talloc.c:232 + at xenstored_core.c:2945 +(gdb) frame 5 + at talloc.c:119 +119 TALLOC_ABORT("Bad talloc magic value - double free"); +(gdb) frame 7 + at xenstored_core.c:2945 +2945 talloc_increase_ref_count(conn); +(gdb) p conn +$1 = (struct connection *) 0x559fae724290 + +Looking at a xenstore trace, we have: +IN 0x559fae71f250 20230120 17:40:53 READ (/local/domain/3/image/device-model-dom +id ) +wrl: dom 0 1 msec 10000 credit 1000000 reserve 100 disc +ard +wrl: dom 3 1 msec 10000 credit 1000000 reserve 100 disc +ard +wrl: dom 0 0 msec 10000 credit 1000000 reserve 0 disc +ard +wrl: dom 3 0 msec 10000 credit 1000000 reserve 0 disc +ard +OUT 0x559fae71f250 20230120 17:40:53 ERROR (ENOENT ) +wrl: dom 0 1 msec 10000 credit 1000000 reserve 100 disc +ard +wrl: dom 3 1 msec 10000 credit 1000000 reserve 100 disc +ard +IN 0x559fae71f250 20230120 17:40:53 RELEASE (3 ) +DESTROY watch 0x559fae73f630 +DESTROY watch 0x559fae75ddf0 +DESTROY watch 0x559fae75ec30 +DESTROY watch 0x559fae75ea60 +DESTROY watch 0x559fae732c00 +DESTROY watch 0x559fae72cea0 +DESTROY watch 0x559fae728fc0 +DESTROY watch 0x559fae729570 +DESTROY connection 0x559fae724290 +orphaned node /local/domain/3/device/suspend/event-channel deleted +orphaned node /local/domain/3/device/vbd/51712 deleted +orphaned 
node /local/domain/3/device/vkbd/0 deleted +orphaned node /local/domain/3/device/vif/0 deleted +orphaned node /local/domain/3/control/shutdown deleted +orphaned node /local/domain/3/control/feature-poweroff deleted +orphaned node /local/domain/3/control/feature-reboot deleted +orphaned node /local/domain/3/control/feature-suspend deleted +orphaned node /local/domain/3/control/feature-s3 deleted +orphaned node /local/domain/3/control/feature-s4 deleted +orphaned node /local/domain/3/control/sysrq deleted +orphaned node /local/domain/3/data deleted +orphaned node /local/domain/3/drivers deleted +orphaned node /local/domain/3/feature deleted +orphaned node /local/domain/3/attr deleted +orphaned node /local/domain/3/error deleted +orphaned node /local/domain/3/console/backend-id deleted + +and no further output. + +The trace shows that DESTROY was called for connection 0x559fae724290, +but that is the same pointer (conn) main() was looping through from +connections. So it wasn't actually removed from the connections list? + +Reverting commit e8e6e42279a5 "tools/xenstore: simplify loop handling +connection I/O" fixes the abort/double free. I think the use of +list_for_each_entry_safe is incorrect. list_for_each_entry_safe makes +traversal safe for deleting the current iterator, but RELEASE/do_release +will delete some other entry in the connections list. I think the +observed abort is because list_for_each_entry has next pointing to the +deleted connection, and it is used in the subsequent iteration. + +Add a comment explaining the unsuitability of list_for_each_entry_safe. +Also notice that the old code takes a reference on next which would +prevents a use-after-free. + +This reverts commit e8e6e42279a5723239c5c40ba4c7f579a979465d. + +This is XSA-425/CVE-2022-42330. 
+ +Fixes: e8e6e42279a5 ("tools/xenstore: simplify loop handling connection I/O") +Signed-off-by: Jason Andryuk +Reviewed-by: Juergen Gross +Reviewed-by: Julien Grall +--- + tools/xenstore/xenstored_core.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c +index 476d5c6d51..56dbdc2530 100644 +--- a/tools/xenstore/xenstored_core.c ++++ b/tools/xenstore/xenstored_core.c +@@ -2935,8 +2935,23 @@ int main(int argc, char *argv[]) + } + } + +- list_for_each_entry_safe(conn, next, &connections, list) { +- talloc_increase_ref_count(conn); ++ /* ++ * list_for_each_entry_safe is not suitable here because ++ * handle_input may delete entries besides the current one, but ++ * those may be in the temporary next which would trigger a ++ * use-after-free. list_for_each_entry_safe is only safe for ++ * deleting the current entry. ++ */ ++ next = list_entry(connections.next, typeof(*conn), list); ++ if (&next->list != &connections) ++ talloc_increase_ref_count(next); ++ while (&next->list != &connections) { ++ conn = next; ++ ++ next = list_entry(conn->list.next, ++ typeof(*conn), list); ++ if (&next->list != &connections) ++ talloc_increase_ref_count(next); + + if (conn_can_read(conn)) + handle_input(conn); +-- +2.40.0 + diff --git a/0024-libs-util-Fix-parallel-build-between-flex-bison-and-.patch b/0024-libs-util-Fix-parallel-build-between-flex-bison-and-.patch deleted file mode 100644 index 6164878..0000000 --- a/0024-libs-util-Fix-parallel-build-between-flex-bison-and-.patch +++ /dev/null 
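Review bot: The comment added above the loop in `main()` explains why `list_for_each_entry_safe` is unsuitable, but not what the replacement relies on, which is the reference taken on `next` before `handle_input(conn)` runs. I would extend it with something like `Hold a reference on next so that a RELEASE handled for conn cannot free it before it is visited.` The loop body continues outside the hunk, so where that reference is dropped is not visible here, and the comment should name that place too. The commit message already mentions the reference on `next`, but the invariant belongs next to the lines that depend on it.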
@@ -1,50 +0,0 @@ -From e4b5dff3d06421847761669a3676bef1f23e705a Mon Sep 17 00:00:00 2001 -From: Anthony PERARD -Date: Fri, 3 Mar 2023 08:06:23 +0100 -Subject: [PATCH 24/61] libs/util: Fix parallel build between flex/bison and CC - rules - -flex/bison generate two targets, and when those targets are -prerequisite of other rules they are considered independently by make. - -We can have a situation where the .c file is out-of-date but not the -.h, git checkout for example. In this case, if a rule only have the .h -file as prerequiste, make will procced and start to build the object. -In parallel, another target can have the .c file as prerequisite and -make will find out it need re-generating and do so, changing the .h at -the same time. This parallel task breaks the first one. - -To avoid this scenario, we put both the header and the source as -prerequisite for all object even if they only need the header. - -Reported-by: Andrew Cooper -Signed-off-by: Anthony PERARD -Acked-by: Andrew Cooper -master commit: bf652a50fb3bb3b1b3d93db6fb79bc28f978fe75 -master date: 2023-02-09 18:26:17 +0000 ---- - tools/libs/util/Makefile | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/tools/libs/util/Makefile b/tools/libs/util/Makefile -index b739360be7..977849c056 100644 ---- a/tools/libs/util/Makefile -+++ b/tools/libs/util/Makefile -@@ -41,6 +41,14 @@ include $(XEN_ROOT)/tools/libs/libs.mk - - $(LIB_OBJS) $(PIC_OBJS): $(AUTOINCS) _paths.h - -+# Adding the .c conterparts of the headers generated by flex/bison as -+# prerequisite of all objects. -+# This is to tell make that if only the .c file is out-of-date but not the -+# header, it should still wait for the .c file to be rebuilt. -+# Otherwise, make doesn't considered "%.c %.h" as grouped targets, and will run -+# the flex/bison rules in parallel of CC rules which only need the header. 
-+$(LIB_OBJS) $(PIC_OBJS): libxlu_cfg_l.c libxlu_cfg_y.c libxlu_disk_l.c -+ - %.c %.h:: %.y - @rm -f $*.[ch] - $(BISON) --output=$*.c $< --- -2.40.0 - diff --git a/0025-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch b/0025-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch new file mode 100644 index 0000000..142280f --- /dev/null +++ b/0025-x86-S3-Restore-Xen-s-MSR_PAT-value-on-S3-resume.patch @@ -0,0 +1,36 @@ +From a470a83c36c07b56d90957ae1e6e9ebc458d3686 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Tue, 7 Feb 2023 16:56:14 +0100 +Subject: [PATCH 25/89] x86/S3: Restore Xen's MSR_PAT value on S3 resume + +There are two paths in the trampoline, and Xen's PAT needs setting up in both, +not just the boot path. + +Fixes: 4304ff420e51 ("x86/S3: Drop {save,restore}_rest_processor_state() completely") +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +master commit: 4d975798e11579fdf405b348543061129e01b0fb +master date: 2023-01-10 21:21:30 +0000 +--- + xen/arch/x86/boot/wakeup.S | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xen/arch/x86/boot/wakeup.S b/xen/arch/x86/boot/wakeup.S +index c17d613b61..08447e1934 100644 +--- a/xen/arch/x86/boot/wakeup.S ++++ b/xen/arch/x86/boot/wakeup.S +@@ -130,6 +130,11 @@ wakeup_32: + and %edi, %edx + wrmsr + 1: ++ /* Set up PAT before enabling paging. */ ++ mov $XEN_MSR_PAT & 0xffffffff, %eax ++ mov $XEN_MSR_PAT >> 32, %edx ++ mov $MSR_IA32_CR_PAT, %ecx ++ wrmsr + + /* Set up EFER (Extended Feature Enable Register). */ + movl $MSR_EFER,%ecx +-- +2.40.0 + diff --git a/0025-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch b/0025-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch deleted file mode 100644 index e73f62d..0000000 --- a/0025-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From 2094f834b85d32233c76763b014bc8764c3e36b1 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Fri, 3 Mar 2023 08:06:44 +0100 -Subject: [PATCH 25/61] x86/cpuid: Infrastructure for leaves 7:1{ecx,edx} - -We don't actually need ecx yet, but adding it in now will reduce the amount to -which leaf 7 is out of order in a featureset. - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -master commit: b4a23bf6293aadecfd03bf9e83974443e2eac9cb -master date: 2023-02-09 18:26:17 +0000 ---- - tools/misc/xen-cpuid.c | 10 ++++++++++ - xen/arch/x86/cpu/common.c | 3 ++- - xen/include/public/arch-x86/cpufeatureset.h | 4 ++++ - xen/include/xen/lib/x86/cpuid.h | 17 +++++++++++++++-- - 4 files changed, 31 insertions(+), 3 deletions(-) - -diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c -index cd094427dd..3cfbbf043f 100644 ---- a/tools/misc/xen-cpuid.c -+++ b/tools/misc/xen-cpuid.c -@@ -198,6 +198,14 @@ static const char *const str_7b1[32] = - { - }; - -+static const char *const str_7c1[32] = -+{ -+}; -+ -+static const char *const str_7d1[32] = -+{ -+}; -+ - static const char *const str_7d2[32] = - { - [ 0] = "intel-psfd", -@@ -223,6 +231,8 @@ static const struct { - { "0x80000021.eax", "e21a", str_e21a }, - { "0x00000007:1.ebx", "7b1", str_7b1 }, - { "0x00000007:2.edx", "7d2", str_7d2 }, -+ { "0x00000007:1.ecx", "7c1", str_7c1 }, -+ { "0x00000007:1.edx", "7d1", str_7d1 }, - }; - - #define COL_ALIGN "18" -diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c -index 9ce148a666..8222de6461 100644 ---- a/xen/arch/x86/cpu/common.c -+++ b/xen/arch/x86/cpu/common.c -@@ -448,7 +448,8 @@ static void generic_identify(struct cpuinfo_x86 *c) - cpuid_count(7, 1, - &c->x86_capability[FEATURESET_7a1], - &c->x86_capability[FEATURESET_7b1], -- &tmp, &tmp); -+ &c->x86_capability[FEATURESET_7c1], -+ &c->x86_capability[FEATURESET_7d1]); - if (max_subleaf >= 2) - cpuid_count(7, 2, - &tmp, &tmp, &tmp, -diff --git 
a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h -index e073122140..0b01ca5e8f 100644 ---- a/xen/include/public/arch-x86/cpufeatureset.h -+++ b/xen/include/public/arch-x86/cpufeatureset.h -@@ -304,6 +304,10 @@ XEN_CPUFEATURE(NSCB, 11*32+ 6) /*A Null Selector Clears Base (and - /* Intel-defined CPU features, CPUID level 0x00000007:2.edx, word 13 */ - XEN_CPUFEATURE(INTEL_PSFD, 13*32+ 0) /*A MSR_SPEC_CTRL.PSFD */ - -+/* Intel-defined CPU features, CPUID level 0x00000007:1.ecx, word 14 */ -+ -+/* Intel-defined CPU features, CPUID level 0x00000007:1.edx, word 15 */ -+ - #endif /* XEN_CPUFEATURE */ - - /* Clean up from a default include. Close the enum (for C). */ -diff --git a/xen/include/xen/lib/x86/cpuid.h b/xen/include/xen/lib/x86/cpuid.h -index 50be07c0eb..fa98b371ee 100644 ---- a/xen/include/xen/lib/x86/cpuid.h -+++ b/xen/include/xen/lib/x86/cpuid.h -@@ -17,7 +17,9 @@ - #define FEATURESET_7a1 10 /* 0x00000007:1.eax */ - #define FEATURESET_e21a 11 /* 0x80000021.eax */ - #define FEATURESET_7b1 12 /* 0x00000007:1.ebx */ --#define FEATURESET_7d2 13 /* 0x80000007:2.edx */ -+#define FEATURESET_7d2 13 /* 0x00000007:2.edx */ -+#define FEATURESET_7c1 14 /* 0x00000007:1.ecx */ -+#define FEATURESET_7d1 15 /* 0x00000007:1.edx */ - - struct cpuid_leaf - { -@@ -194,7 +196,14 @@ struct cpuid_policy - uint32_t _7b1; - struct { DECL_BITFIELD(7b1); }; - }; -- uint32_t /* c */:32, /* d */:32; -+ union { -+ uint32_t _7c1; -+ struct { DECL_BITFIELD(7c1); }; -+ }; -+ union { -+ uint32_t _7d1; -+ struct { DECL_BITFIELD(7d1); }; -+ }; - - /* Subleaf 2. */ - uint32_t /* a */:32, /* b */:32, /* c */:32; -@@ -343,6 +352,8 @@ static inline void cpuid_policy_to_featureset( - fs[FEATURESET_e21a] = p->extd.e21a; - fs[FEATURESET_7b1] = p->feat._7b1; - fs[FEATURESET_7d2] = p->feat._7d2; -+ fs[FEATURESET_7c1] = p->feat._7c1; -+ fs[FEATURESET_7d1] = p->feat._7d1; - } - - /* Fill in a CPUID policy from a featureset bitmap. 
*/ -@@ -363,6 +374,8 @@ static inline void cpuid_featureset_to_policy( - p->extd.e21a = fs[FEATURESET_e21a]; - p->feat._7b1 = fs[FEATURESET_7b1]; - p->feat._7d2 = fs[FEATURESET_7d2]; -+ p->feat._7c1 = fs[FEATURESET_7c1]; -+ p->feat._7d1 = fs[FEATURESET_7d1]; - } - - static inline uint64_t cpuid_policy_xcr0_max(const struct cpuid_policy *p) --- -2.40.0 - diff --git a/0026-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch b/0026-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch new file mode 100644 index 0000000..5d937d5 --- /dev/null +++ b/0026-tools-Fix-build-with-recent-QEMU-use-enable-trace-ba.patch 
@@ -0,0 +1,50 @@ +From 1d7a388e7b9711cbd7e14b2020b168b6789772af Mon Sep 17 00:00:00 2001 +From: Anthony PERARD +Date: Tue, 7 Feb 2023 16:57:22 +0100 +Subject: [PATCH 26/89] tools: Fix build with recent QEMU, use + "--enable-trace-backends" + +The configure option "--enable-trace-backend" isn't accepted anymore +and we should use "--enable-trace-backends" instead which was +introduce in 2014 and allow multiple backends. + +"--enable-trace-backends" was introduced by: + 5b808275f3bb ("trace: Multi-backend tracing") +The backward compatible option "--enable-trace-backend" is removed by + 10229ec3b0ff ("configure: remove backwards-compatibility and obsolete options") + +As we already use ./configure options that wouldn't be accepted by +older version of QEMU's configure, we will simply use the new spelling +for the option and avoid trying to detect which spelling to use. + +We already make use if "--firmwarepath=" which was introduced by + 3d5eecab4a5a ("Add --firmwarepath to configure") +which already include the new spelling for "--enable-trace-backends". 
+ +Signed-off-by: Anthony PERARD +Reviewed-by: Jason Andryuk +master commit: e66d450b6e0ffec635639df993ab43ce28b3383f +master date: 2023-01-11 10:45:29 +0100 +--- + tools/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/Makefile b/tools/Makefile +index 9e28027835..4906fdbc23 100644 +--- a/tools/Makefile ++++ b/tools/Makefile +@@ -218,9 +218,9 @@ subdir-all-qemu-xen-dir: qemu-xen-dir-find + mkdir -p qemu-xen-build; \ + cd qemu-xen-build; \ + if $$source/scripts/tracetool.py --check-backend --backend log ; then \ +- enable_trace_backend='--enable-trace-backend=log'; \ ++ enable_trace_backend="--enable-trace-backends=log"; \ + elif $$source/scripts/tracetool.py --check-backend --backend stderr ; then \ +- enable_trace_backend='--enable-trace-backend=stderr'; \ ++ enable_trace_backend='--enable-trace-backends=stderr'; \ + else \ + enable_trace_backend='' ; \ + fi ; \ +-- +2.40.0 + diff --git a/0026-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch b/0026-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch deleted file mode 100644 index 7fd4031..0000000 --- a/0026-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch +++ /dev/null 
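Review bot: The two rewritten assignments in the `subdir-all-qemu-xen-dir` recipe now quote their values differently: the `log` branch becomes `enable_trace_backend="--enable-trace-backends=log"` while the `stderr` branch keeps single quotes. Nothing in the value is expanded by the shell, so behaviour is the same, but the mix reads as though the double quotes were deliberate. I would keep single quotes on both, `enable_trace_backend='--enable-trace-backends=log'; \`, matching the `stderr` and empty branches. The recipe continues outside the hunk.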
@@ -1,191 +0,0 @@ -From 5857cc632b884711c172c5766b8fbba59f990b47 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Fri, 3 Mar 2023 08:12:24 +0100 -Subject: [PATCH 26/61] x86/shskt: Disable CET-SS on parts susceptible to - fractured updates - -Refer to Intel SDM Rev 70 (Dec 2022), Vol3 17.2.3 "Supervisor Shadow Stack -Token". - -Architecturally, an event delivery which starts in CPL<3 and switches shadow -stack will first validate the Supervisor Shadow Stack Token (setting the busy -bit), then pushes CS/LIP/SSP. One example of this is an NMI interrupting Xen. - -Some CPUs suffer from an issue called fracturing, whereby a fault/vmexit/etc -between setting the busy bit and completing the event injection renders the -action non-restartable, because when it comes time to restart, the busy bit is -found to be already set. - -This is far more easily encountered under virt, yet it is not the fault of the -hypervisor, nor the fault of the guest kernel. The fault lies somewhere -between the architectural specification, and the uarch behaviour. - -Intel have allocated CPUID.7[1].ecx[18] CET_SSS to enumerate that supervisor -shadow stacks are safe to use. Because of how Xen lays out its shadow stacks, -fracturing is not expected to be a problem on native. - -Detect this case on boot and default to not using shstk if virtualised. -Specifying `cet=shstk` on the command line will override this heuristic and -enable shadow stacks irrespective. 
- -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -master commit: 01e7477d1b081cff4288ff9f51ec59ee94c03ee0 -master date: 2023-02-09 18:26:17 +0000 ---- - docs/misc/xen-command-line.pandoc | 7 +++- - tools/libs/light/libxl_cpuid.c | 2 + - tools/misc/xen-cpuid.c | 1 + - xen/arch/x86/cpu/common.c | 8 +++- - xen/arch/x86/setup.c | 46 +++++++++++++++++---- - xen/include/public/arch-x86/cpufeatureset.h | 1 + - 6 files changed, 55 insertions(+), 10 deletions(-) - -diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc -index b3f60cd923..a6018fd5c3 100644 ---- a/docs/misc/xen-command-line.pandoc -+++ b/docs/misc/xen-command-line.pandoc -@@ -287,10 +287,15 @@ can be maintained with the pv-shim mechanism. - protection. - - The option is available when `CONFIG_XEN_SHSTK` is compiled in, and -- defaults to `true` on hardware supporting CET-SS. Specifying -+ generally defaults to `true` on hardware supporting CET-SS. Specifying - `cet=no-shstk` will cause Xen not to use Shadow Stacks even when support - is available in hardware. - -+ Some hardware suffers from an issue known as Supervisor Shadow Stack -+ Fracturing. On such hardware, Xen will default to not using Shadow Stacks -+ when virtualised. Specifying `cet=shstk` will override this heuristic and -+ enable Shadow Stacks unilaterally. -+ - * The `ibt=` boolean controls whether Xen uses Indirect Branch Tracking for - its own protection. 
- -diff --git a/tools/libs/light/libxl_cpuid.c b/tools/libs/light/libxl_cpuid.c -index 691d5c6b2a..b4eacc2bd5 100644 ---- a/tools/libs/light/libxl_cpuid.c -+++ b/tools/libs/light/libxl_cpuid.c -@@ -234,6 +234,8 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str) - {"fsrs", 0x00000007, 1, CPUID_REG_EAX, 11, 1}, - {"fsrcs", 0x00000007, 1, CPUID_REG_EAX, 12, 1}, - -+ {"cet-sss", 0x00000007, 1, CPUID_REG_EDX, 18, 1}, -+ - {"intel-psfd", 0x00000007, 2, CPUID_REG_EDX, 0, 1}, - - {"lahfsahf", 0x80000001, NA, CPUID_REG_ECX, 0, 1}, -diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c -index 3cfbbf043f..db9c4ed8fc 100644 ---- a/tools/misc/xen-cpuid.c -+++ b/tools/misc/xen-cpuid.c -@@ -204,6 +204,7 @@ static const char *const str_7c1[32] = - - static const char *const str_7d1[32] = - { -+ [18] = "cet-sss", - }; - - static const char *const str_7d2[32] = -diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c -index 8222de6461..e1fc034ce6 100644 ---- a/xen/arch/x86/cpu/common.c -+++ b/xen/arch/x86/cpu/common.c -@@ -344,9 +344,15 @@ void __init early_cpu_init(void) - c->x86_model, c->x86_model, c->x86_mask, eax); - - if (c->cpuid_level >= 7) { -- cpuid_count(7, 0, &eax, &ebx, &ecx, &edx); -+ uint32_t max_subleaf; -+ -+ cpuid_count(7, 0, &max_subleaf, &ebx, &ecx, &edx); - c->x86_capability[cpufeat_word(X86_FEATURE_CET_SS)] = ecx; - c->x86_capability[cpufeat_word(X86_FEATURE_CET_IBT)] = edx; -+ -+ if (max_subleaf >= 1) -+ cpuid_count(7, 1, &eax, &ebx, &ecx, -+ &c->x86_capability[FEATURESET_7d1]); - } - - eax = cpuid_eax(0x80000000); -diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c -index 70b37d8afe..f0de805780 100644 ---- a/xen/arch/x86/setup.c -+++ b/xen/arch/x86/setup.c -@@ -98,11 +98,7 @@ unsigned long __initdata highmem_start; - size_param("highmem-start", highmem_start); - #endif - --#ifdef CONFIG_XEN_SHSTK --static bool __initdata opt_xen_shstk = true; --#else --#define opt_xen_shstk false --#endif -+static int8_t 
__initdata opt_xen_shstk = -IS_ENABLED(CONFIG_XEN_SHSTK); - - #ifdef CONFIG_XEN_IBT - static bool __initdata opt_xen_ibt = true; -@@ -1113,11 +1109,45 @@ void __init noreturn __start_xen(unsigned long mbi_p) - early_cpu_init(); - - /* Choose shadow stack early, to set infrastructure up appropriately. */ -- if ( opt_xen_shstk && boot_cpu_has(X86_FEATURE_CET_SS) ) -+ if ( !boot_cpu_has(X86_FEATURE_CET_SS) ) -+ opt_xen_shstk = 0; -+ -+ if ( opt_xen_shstk ) - { -- printk("Enabling Supervisor Shadow Stacks\n"); -+ /* -+ * Some CPUs suffer from Shadow Stack Fracturing, an issue whereby a -+ * fault/VMExit/etc between setting a Supervisor Busy bit and the -+ * event delivery completing renders the operation non-restartable. -+ * On restart, event delivery will find the Busy bit already set. -+ * -+ * This is a problem on bare metal, but outside of synthetic cases or -+ * a very badly timed #MC, it's not believed to be a problem. It is a -+ * much bigger problem under virt, because we can VMExit for a number -+ * of legitimate reasons and tickle this bug. -+ * -+ * CPUs with this addressed enumerate CET-SSS to indicate that -+ * supervisor shadow stacks are now safe to use. -+ */ -+ bool cpu_has_bug_shstk_fracture = -+ boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && -+ !boot_cpu_has(X86_FEATURE_CET_SSS); - -- setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK); -+ /* -+ * On bare metal, assume that Xen won't be impacted by shstk -+ * fracturing problems. Under virt, be more conservative and disable -+ * shstk by default. -+ */ -+ if ( opt_xen_shstk == -1 ) -+ opt_xen_shstk = -+ cpu_has_hypervisor ? 
!cpu_has_bug_shstk_fracture -+ : true; -+ -+ if ( opt_xen_shstk ) -+ { -+ printk("Enabling Supervisor Shadow Stacks\n"); -+ -+ setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK); -+ } - } - - if ( opt_xen_ibt && boot_cpu_has(X86_FEATURE_CET_IBT) ) -diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h -index 0b01ca5e8f..4832ad09df 100644 ---- a/xen/include/public/arch-x86/cpufeatureset.h -+++ b/xen/include/public/arch-x86/cpufeatureset.h -@@ -307,6 +307,7 @@ XEN_CPUFEATURE(INTEL_PSFD, 13*32+ 0) /*A MSR_SPEC_CTRL.PSFD */ - /* Intel-defined CPU features, CPUID level 0x00000007:1.ecx, word 14 */ - - /* Intel-defined CPU features, CPUID level 0x00000007:1.edx, word 15 */ -+XEN_CPUFEATURE(CET_SSS, 15*32+18) /* CET Supervisor Shadow Stacks safe to use */ - - #endif /* XEN_CPUFEATURE */ - --- -2.40.0 - diff --git a/0027-credit2-respect-credit2_runqueue-all-when-arranging-.patch b/0027-credit2-respect-credit2_runqueue-all-when-arranging-.patch deleted file mode 100644 index 6c8ab5c..0000000 --- a/0027-credit2-respect-credit2_runqueue-all-when-arranging-.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 366693226ce025e8721626609b4b43b9061b55f5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= - -Date: Fri, 3 Mar 2023 08:13:20 +0100 -Subject: [PATCH 27/61] credit2: respect credit2_runqueue=all when arranging - runqueues -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Documentation for credit2_runqueue=all says it should create one queue -for all pCPUs on the host. But since introduction -sched_credit2_max_cpus_runqueue, it actually created separate runqueue -per socket, even if the CPUs count is below -sched_credit2_max_cpus_runqueue. - -Adjust the condition to skip syblink check in case of -credit2_runqueue=all. - -Fixes: 8e2aa76dc167 ("xen: credit2: limit the max number of CPUs in a runqueue") -Signed-off-by: Marek Marczykowski-Górecki -Reviewed-by: Juergen Gross -master commit: 1f5747ee929fbbcae58d7234c6c38a77495d0cfe -master date: 2023-02-15 16:12:42 +0100 ---- - docs/misc/xen-command-line.pandoc | 5 +++++ - xen/common/sched/credit2.c | 9 +++++++-- - 2 files changed, 12 insertions(+), 2 deletions(-) - -diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc -index a6018fd5c3..7b7a619c1b 100644 ---- a/docs/misc/xen-command-line.pandoc -+++ b/docs/misc/xen-command-line.pandoc -@@ -724,6 +724,11 @@ Available alternatives, with their meaning, are: - * `all`: just one runqueue shared by all the logical pCPUs of - the host - -+Regardless of the above choice, Xen attempts to respect -+`sched_credit2_max_cpus_runqueue` limit, which may mean more than one runqueue -+for the `all` value. If that isn't intended, raise -+the `sched_credit2_max_cpus_runqueue` value. -+ - ### dbgp - > `= ehci[ | @pci:. 
]` - -diff --git a/xen/common/sched/credit2.c b/xen/common/sched/credit2.c -index 6396b38e04..1a240f417a 100644 ---- a/xen/common/sched/credit2.c -+++ b/xen/common/sched/credit2.c -@@ -996,9 +996,14 @@ cpu_add_to_runqueue(const struct scheduler *ops, unsigned int cpu) - * - * Otherwise, let's try to make sure that siblings stay in the - * same runqueue, pretty much under any cinrcumnstances. -+ * -+ * Furthermore, try to respect credit2_runqueue=all, as long as -+ * max_cpus_runq isn't violated. - */ -- if ( rqd->refcnt < max_cpus_runq && (ops->cpupool->gran != SCHED_GRAN_cpu || -- cpu_runqueue_siblings_match(rqd, cpu, max_cpus_runq)) ) -+ if ( rqd->refcnt < max_cpus_runq && -+ (ops->cpupool->gran != SCHED_GRAN_cpu || -+ cpu_runqueue_siblings_match(rqd, cpu, max_cpus_runq) || -+ opt_runqueue == OPT_RUNQUEUE_ALL) ) - { - /* - * This runqueue is ok, but as we said, we also want an even --- -2.40.0 - diff --git a/0027-include-compat-produce-stubs-for-headers-not-otherwi.patch b/0027-include-compat-produce-stubs-for-headers-not-otherwi.patch new file mode 100644 index 0000000..3528bd6 --- /dev/null +++ b/0027-include-compat-produce-stubs-for-headers-not-otherwi.patch 
@@ -0,0 +1,74 @@ +From c871e05e138aae2ac75e9b4ccebe6cf3fd1a775b Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 7 Feb 2023 16:57:52 +0100 +Subject: [PATCH 27/89] include/compat: produce stubs for headers not otherwise + generated + +Public headers can include other public headers. Such interdependencies +are retained in their compat counterparts. Since some compat headers are +generated only in certain configurations, the referenced headers still +need to exist. The lack thereof was observed with hvm/hvm_op.h needing +trace.h, where generation of the latter depends on TRACEBUFFER=y. Make +empty stubs in such cases (as generating the extra headers is relatively +slow and hence better to avoid). Changes to .config and incrementally +(re-)building is covered by the respective .*.cmd then no longer +matching the command to be used, resulting in the necessary re-creation +of the (possibly stub) header. + +Reported-by: Andrew Cooper +Signed-off-by: Jan Beulich +Reviewed-by: Anthony PERARD +master commit: 6bec713f871f21c6254a5783c1e39867ea828256 +master date: 2023-01-12 16:17:54 +0100 +--- + xen/include/Makefile | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/xen/include/Makefile b/xen/include/Makefile +index 65be310eca..cfd7851614 100644 +--- a/xen/include/Makefile ++++ b/xen/include/Makefile +@@ -34,6 +34,8 @@ headers-$(CONFIG_TRACEBUFFER) += compat/trace.h + headers-$(CONFIG_XENOPROF) += compat/xenoprof.h + headers-$(CONFIG_XSM_FLASK) += compat/xsm/flask_op.h + ++headers-n := $(filter-out $(headers-y),$(headers-n) $(headers-)) ++ + cppflags-y := -include public/xen-compat.h -DXEN_GENERATING_COMPAT_HEADERS + cppflags-$(CONFIG_X86) += -m32 + +@@ -43,13 +45,16 @@ public-$(CONFIG_X86) := $(wildcard $(srcdir)/public/arch-x86/*.h $(srcdir)/publi + public-$(CONFIG_ARM) := $(wildcard $(srcdir)/public/arch-arm/*.h $(srcdir)/public/arch-arm/*/*.h) + + .PHONY: all +-all: $(addprefix $(obj)/,$(headers-y)) ++all: $(addprefix 
$(obj)/,$(headers-y) $(headers-n)) + + quiet_cmd_compat_h = GEN $@ + cmd_compat_h = \ + $(PYTHON) $(srctree)/tools/compat-build-header.py <$< $(patsubst $(obj)/%,%,$@) >>$@.new; \ + mv -f $@.new $@ + ++quiet_cmd_stub_h = GEN $@ ++cmd_stub_h = echo '/* empty */' >$@ ++ + quiet_cmd_compat_i = CPP $@ + cmd_compat_i = $(CPP) $(filter-out -Wa$(comma)% -include %/include/xen/config.h,$(XEN_CFLAGS)) $(cppflags-y) -o $@ $< + +@@ -69,6 +74,13 @@ targets += $(headers-y) + $(obj)/compat/%.h: $(obj)/compat/%.i $(srctree)/tools/compat-build-header.py FORCE + $(call if_changed,compat_h) + ++# Placeholders may be needed in case files in $(headers-y) include files we ++# don't otherwise generate. Real dependencies would need spelling out explicitly, ++# for them to appear in $(headers-y) instead. ++targets += $(headers-n) ++$(addprefix $(obj)/,$(headers-n)): FORCE ++ $(call if_changed,stub_h) ++ + .PRECIOUS: $(obj)/compat/%.i + targets += $(patsubst %.h, %.i, $(headers-y)) + $(obj)/compat/%.i: $(obj)/compat/%.c FORCE +-- +2.40.0 + diff --git a/0028-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch b/0028-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch deleted file mode 100644 index 55df5d0..0000000 --- a/0028-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch +++ /dev/null 
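Review bot: `cmd_stub_h` writes a header whose only content is `/* empty */`, so someone who finds it in the build tree cannot tell that it is a generated placeholder or why it exists. The Makefile comment above the `$(headers-n)` rule explains this, but the generated file does not. I would make the stub self-describing, for example `cmd_stub_h = echo '/* empty stub: not generated in this configuration */' >$@`. If an including compat header ever does need a declaration from a stubbed file, the resulting compile error would then lead straight to the cause; whether any header does so cannot be judged from this hunk.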
@@ -1,152 +0,0 @@ -From d1c6934b41f8288ea3169e63bce8a7eea9d9c549 Mon Sep 17 00:00:00 2001 -From: Sergey Dyasli -Date: Fri, 3 Mar 2023 08:14:01 +0100 -Subject: [PATCH 28/61] x86/ucode/AMD: apply the patch early on every logical - thread - -The original issue has been reported on AMD Bulldozer-based CPUs where -ucode loading loses the LWP feature bit in order to gain the IBPB bit. -LWP disabling is per-SMT/CMT core modification and needs to happen on -each sibling thread despite the shared microcode engine. Otherwise, -logical CPUs will end up with different cpuid capabilities. -Link: https://bugzilla.kernel.org/show_bug.cgi?id=216211 - -Guests running under Xen happen to be not affected because of levelling -logic for the feature masking/override MSRs which causes the LWP bit to -fall out and hides the issue. The latest recommendation from AMD, after -discussing this bug, is to load ucode on every logical CPU. - -In Linux kernel this issue has been addressed by e7ad18d1169c -("x86/microcode/AMD: Apply the patch early on every logical thread"). -Follow the same approach in Xen. - -Introduce SAME_UCODE match result and use it for early AMD ucode -loading. Take this opportunity and move opt_ucode_allow_same out of -compare_revisions() to the relevant callers and also modify the warning -message based on it. Intel's side of things is modified for consistency -but provides no functional change. 
- -Signed-off-by: Sergey Dyasli -Reviewed-by: Jan Beulich -master commit: f4ef8a41b80831db2136bdaff9f946a1a4b051e7 -master date: 2023-02-21 15:08:05 +0100 ---- - xen/arch/x86/cpu/microcode/amd.c | 11 ++++++++--- - xen/arch/x86/cpu/microcode/core.c | 24 ++++++++++++++++-------- - xen/arch/x86/cpu/microcode/intel.c | 10 +++++++--- - xen/arch/x86/cpu/microcode/private.h | 3 ++- - 4 files changed, 33 insertions(+), 15 deletions(-) - -diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c -index fe92e594f1..52182c1a23 100644 ---- a/xen/arch/x86/cpu/microcode/amd.c -+++ b/xen/arch/x86/cpu/microcode/amd.c -@@ -176,8 +176,8 @@ static enum microcode_match_result compare_revisions( - if ( new_rev > old_rev ) - return NEW_UCODE; - -- if ( opt_ucode_allow_same && new_rev == old_rev ) -- return NEW_UCODE; -+ if ( new_rev == old_rev ) -+ return SAME_UCODE; - - return OLD_UCODE; - } -@@ -220,8 +220,13 @@ static int apply_microcode(const struct microcode_patch *patch) - unsigned int cpu = smp_processor_id(); - struct cpu_signature *sig = &per_cpu(cpu_sig, cpu); - uint32_t rev, old_rev = sig->rev; -+ enum microcode_match_result result = microcode_fits(patch); - -- if ( microcode_fits(patch) != NEW_UCODE ) -+ /* -+ * Allow application of the same revision to pick up SMT-specific changes -+ * even if the revision of the other SMT thread is already up-to-date. -+ */ -+ if ( result != NEW_UCODE && result != SAME_UCODE ) - return -EINVAL; - - if ( check_final_patch_levels(sig) ) -diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c -index ac3ceb567c..ceec1f1edc 100644 ---- a/xen/arch/x86/cpu/microcode/core.c -+++ b/xen/arch/x86/cpu/microcode/core.c -@@ -608,16 +608,24 @@ static long microcode_update_helper(void *data) - * that ucode revision. 
- */ - spin_lock(µcode_mutex); -- if ( microcode_cache && -- microcode_ops->compare_patch(patch, microcode_cache) != NEW_UCODE ) -+ if ( microcode_cache ) - { -- spin_unlock(µcode_mutex); -- printk(XENLOG_WARNING "microcode: couldn't find any newer revision " -- "in the provided blob!\n"); -- microcode_free_patch(patch); -- ret = -ENOENT; -+ enum microcode_match_result result; - -- goto put; -+ result = microcode_ops->compare_patch(patch, microcode_cache); -+ -+ if ( result != NEW_UCODE && -+ !(opt_ucode_allow_same && result == SAME_UCODE) ) -+ { -+ spin_unlock(µcode_mutex); -+ printk(XENLOG_WARNING -+ "microcode: couldn't find any newer%s revision in the provided blob!\n", -+ opt_ucode_allow_same ? " (or the same)" : ""); -+ microcode_free_patch(patch); -+ ret = -ENOENT; -+ -+ goto put; -+ } - } - spin_unlock(µcode_mutex); - -diff --git a/xen/arch/x86/cpu/microcode/intel.c b/xen/arch/x86/cpu/microcode/intel.c -index f6d01490e0..c26fbb8cc7 100644 ---- a/xen/arch/x86/cpu/microcode/intel.c -+++ b/xen/arch/x86/cpu/microcode/intel.c -@@ -232,8 +232,8 @@ static enum microcode_match_result compare_revisions( - if ( new_rev > old_rev ) - return NEW_UCODE; - -- if ( opt_ucode_allow_same && new_rev == old_rev ) -- return NEW_UCODE; -+ if ( new_rev == old_rev ) -+ return SAME_UCODE; - - /* - * Treat pre-production as always applicable - anyone using pre-production -@@ -290,8 +290,12 @@ static int apply_microcode(const struct microcode_patch *patch) - unsigned int cpu = smp_processor_id(); - struct cpu_signature *sig = &this_cpu(cpu_sig); - uint32_t rev, old_rev = sig->rev; -+ enum microcode_match_result result; -+ -+ result = microcode_update_match(patch); - -- if ( microcode_update_match(patch) != NEW_UCODE ) -+ if ( result != NEW_UCODE && -+ !(opt_ucode_allow_same && result == SAME_UCODE) ) - return -EINVAL; - - wbinvd(); -diff --git a/xen/arch/x86/cpu/microcode/private.h b/xen/arch/x86/cpu/microcode/private.h -index c085a10268..feafab0677 100644 ---- 
a/xen/arch/x86/cpu/microcode/private.h -+++ b/xen/arch/x86/cpu/microcode/private.h -@@ -6,7 +6,8 @@ - extern bool opt_ucode_allow_same; - - enum microcode_match_result { -- OLD_UCODE, /* signature matched, but revision id is older or equal */ -+ OLD_UCODE, /* signature matched, but revision id is older */ -+ SAME_UCODE, /* signature matched, but revision id is the same */ - NEW_UCODE, /* signature matched, but revision id is newer */ - MIS_UCODE, /* signature mismatched */ - }; --- -2.40.0 - diff --git a/0028-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch b/0028-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch new file mode 100644 index 0000000..8185bee --- /dev/null +++ b/0028-x86-vmx-Calculate-model-specific-LBRs-once-at-start-.patch 
@@ -0,0 +1,342 @@ +From 5e3250258afbace3e5dc3f31ac99c1eebf60f238 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Tue, 7 Feb 2023 16:58:25 +0100 +Subject: [PATCH 28/89] x86/vmx: Calculate model-specific LBRs once at start of + day + +There is no point repeating this calculation at runtime, especially as it is +in the fallback path of the WRSMR/RDMSR handlers. + +Move the infrastructure higher in vmx.c to avoid forward declarations, +renaming last_branch_msr_get() to get_model_specific_lbr() to highlight that +these are model-specific only. + +No practical change. + +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +Reviewed-by: Kevin Tian +master commit: e94af0d58f86c3a914b9cbbf4d9ed3d43b974771 +master date: 2023-01-12 18:42:00 +0000 +--- + xen/arch/x86/hvm/vmx/vmx.c | 276 +++++++++++++++++++------------------ + 1 file changed, 139 insertions(+), 137 deletions(-) + +diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c +index 7c81b80710..ad91464103 100644 +--- a/xen/arch/x86/hvm/vmx/vmx.c ++++ b/xen/arch/x86/hvm/vmx/vmx.c +@@ -396,6 +396,142 @@ void vmx_pi_hooks_deassign(struct domain *d) + domain_unpause(d); + } + ++static const struct lbr_info { ++ u32 base, count; ++} p4_lbr[] = { ++ { MSR_P4_LER_FROM_LIP, 1 }, ++ { MSR_P4_LER_TO_LIP, 1 }, ++ { MSR_P4_LASTBRANCH_TOS, 1 }, ++ { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, ++ { MSR_P4_LASTBRANCH_0_TO_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, ++ { 0, 0 } ++}, c2_lbr[] = { ++ { MSR_IA32_LASTINTFROMIP, 1 }, ++ { MSR_IA32_LASTINTTOIP, 1 }, ++ { MSR_C2_LASTBRANCH_TOS, 1 }, ++ { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_C2_LASTBRANCH_FROM_TO }, ++ { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_C2_LASTBRANCH_FROM_TO }, ++ { 0, 0 } ++}, nh_lbr[] = { ++ { MSR_IA32_LASTINTFROMIP, 1 }, ++ { MSR_IA32_LASTINTTOIP, 1 }, ++ { MSR_NHL_LBR_SELECT, 1 }, ++ { MSR_NHL_LASTBRANCH_TOS, 1 }, ++ { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, ++ { MSR_P4_LASTBRANCH_0_TO_LIP, 
NUM_MSR_P4_LASTBRANCH_FROM_TO }, ++ { 0, 0 } ++}, sk_lbr[] = { ++ { MSR_IA32_LASTINTFROMIP, 1 }, ++ { MSR_IA32_LASTINTTOIP, 1 }, ++ { MSR_NHL_LBR_SELECT, 1 }, ++ { MSR_NHL_LASTBRANCH_TOS, 1 }, ++ { MSR_SKL_LASTBRANCH_0_FROM_IP, NUM_MSR_SKL_LASTBRANCH }, ++ { MSR_SKL_LASTBRANCH_0_TO_IP, NUM_MSR_SKL_LASTBRANCH }, ++ { MSR_SKL_LASTBRANCH_0_INFO, NUM_MSR_SKL_LASTBRANCH }, ++ { 0, 0 } ++}, at_lbr[] = { ++ { MSR_IA32_LASTINTFROMIP, 1 }, ++ { MSR_IA32_LASTINTTOIP, 1 }, ++ { MSR_C2_LASTBRANCH_TOS, 1 }, ++ { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, ++ { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, ++ { 0, 0 } ++}, sm_lbr[] = { ++ { MSR_IA32_LASTINTFROMIP, 1 }, ++ { MSR_IA32_LASTINTTOIP, 1 }, ++ { MSR_SM_LBR_SELECT, 1 }, ++ { MSR_SM_LASTBRANCH_TOS, 1 }, ++ { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, ++ { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, ++ { 0, 0 } ++}, gm_lbr[] = { ++ { MSR_IA32_LASTINTFROMIP, 1 }, ++ { MSR_IA32_LASTINTTOIP, 1 }, ++ { MSR_SM_LBR_SELECT, 1 }, ++ { MSR_SM_LASTBRANCH_TOS, 1 }, ++ { MSR_GM_LASTBRANCH_0_FROM_IP, NUM_MSR_GM_LASTBRANCH_FROM_TO }, ++ { MSR_GM_LASTBRANCH_0_TO_IP, NUM_MSR_GM_LASTBRANCH_FROM_TO }, ++ { 0, 0 } ++}; ++static const struct lbr_info *__ro_after_init model_specific_lbr; ++ ++static const struct lbr_info *__init get_model_specific_lbr(void) ++{ ++ switch ( boot_cpu_data.x86 ) ++ { ++ case 6: ++ switch ( boot_cpu_data.x86_model ) ++ { ++ /* Core2 Duo */ ++ case 0x0f: ++ /* Enhanced Core */ ++ case 0x17: ++ /* Xeon 7400 */ ++ case 0x1d: ++ return c2_lbr; ++ /* Nehalem */ ++ case 0x1a: case 0x1e: case 0x1f: case 0x2e: ++ /* Westmere */ ++ case 0x25: case 0x2c: case 0x2f: ++ /* Sandy Bridge */ ++ case 0x2a: case 0x2d: ++ /* Ivy Bridge */ ++ case 0x3a: case 0x3e: ++ /* Haswell */ ++ case 0x3c: case 0x3f: case 0x45: case 0x46: ++ /* Broadwell */ ++ case 0x3d: case 0x47: case 0x4f: case 0x56: ++ return nh_lbr; ++ /* Skylake */ ++ case 0x4e: case 0x5e: ++ /* 
Xeon Scalable */ ++ case 0x55: ++ /* Cannon Lake */ ++ case 0x66: ++ /* Goldmont Plus */ ++ case 0x7a: ++ /* Ice Lake */ ++ case 0x6a: case 0x6c: case 0x7d: case 0x7e: ++ /* Tiger Lake */ ++ case 0x8c: case 0x8d: ++ /* Tremont */ ++ case 0x86: ++ /* Kaby Lake */ ++ case 0x8e: case 0x9e: ++ /* Comet Lake */ ++ case 0xa5: case 0xa6: ++ return sk_lbr; ++ /* Atom */ ++ case 0x1c: case 0x26: case 0x27: case 0x35: case 0x36: ++ return at_lbr; ++ /* Silvermont */ ++ case 0x37: case 0x4a: case 0x4d: case 0x5a: case 0x5d: ++ /* Xeon Phi Knights Landing */ ++ case 0x57: ++ /* Xeon Phi Knights Mill */ ++ case 0x85: ++ /* Airmont */ ++ case 0x4c: ++ return sm_lbr; ++ /* Goldmont */ ++ case 0x5c: case 0x5f: ++ return gm_lbr; ++ } ++ break; ++ ++ case 15: ++ switch ( boot_cpu_data.x86_model ) ++ { ++ /* Pentium4/Xeon with em64t */ ++ case 3: case 4: case 6: ++ return p4_lbr; ++ } ++ break; ++ } ++ ++ return NULL; ++} ++ + static int cf_check vmx_domain_initialise(struct domain *d) + { + static const struct arch_csw csw = { +@@ -2837,6 +2973,7 @@ const struct hvm_function_table * __init start_vmx(void) + vmx_function_table.tsc_scaling.setup = vmx_setup_tsc_scaling; + } + ++ model_specific_lbr = get_model_specific_lbr(); + lbr_tsx_fixup_check(); + ler_to_fixup_check(); + +@@ -2983,141 +3120,6 @@ static int vmx_cr_access(cr_access_qual_t qual) + return X86EMUL_OKAY; + } + +-static const struct lbr_info { +- u32 base, count; +-} p4_lbr[] = { +- { MSR_P4_LER_FROM_LIP, 1 }, +- { MSR_P4_LER_TO_LIP, 1 }, +- { MSR_P4_LASTBRANCH_TOS, 1 }, +- { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, +- { MSR_P4_LASTBRANCH_0_TO_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, +- { 0, 0 } +-}, c2_lbr[] = { +- { MSR_IA32_LASTINTFROMIP, 1 }, +- { MSR_IA32_LASTINTTOIP, 1 }, +- { MSR_C2_LASTBRANCH_TOS, 1 }, +- { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_C2_LASTBRANCH_FROM_TO }, +- { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_C2_LASTBRANCH_FROM_TO }, +- { 0, 0 } +-}, nh_lbr[] = { +- { MSR_IA32_LASTINTFROMIP, 1 }, 
+- { MSR_IA32_LASTINTTOIP, 1 }, +- { MSR_NHL_LBR_SELECT, 1 }, +- { MSR_NHL_LASTBRANCH_TOS, 1 }, +- { MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, +- { MSR_P4_LASTBRANCH_0_TO_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, +- { 0, 0 } +-}, sk_lbr[] = { +- { MSR_IA32_LASTINTFROMIP, 1 }, +- { MSR_IA32_LASTINTTOIP, 1 }, +- { MSR_NHL_LBR_SELECT, 1 }, +- { MSR_NHL_LASTBRANCH_TOS, 1 }, +- { MSR_SKL_LASTBRANCH_0_FROM_IP, NUM_MSR_SKL_LASTBRANCH }, +- { MSR_SKL_LASTBRANCH_0_TO_IP, NUM_MSR_SKL_LASTBRANCH }, +- { MSR_SKL_LASTBRANCH_0_INFO, NUM_MSR_SKL_LASTBRANCH }, +- { 0, 0 } +-}, at_lbr[] = { +- { MSR_IA32_LASTINTFROMIP, 1 }, +- { MSR_IA32_LASTINTTOIP, 1 }, +- { MSR_C2_LASTBRANCH_TOS, 1 }, +- { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, +- { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, +- { 0, 0 } +-}, sm_lbr[] = { +- { MSR_IA32_LASTINTFROMIP, 1 }, +- { MSR_IA32_LASTINTTOIP, 1 }, +- { MSR_SM_LBR_SELECT, 1 }, +- { MSR_SM_LASTBRANCH_TOS, 1 }, +- { MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, +- { MSR_C2_LASTBRANCH_0_TO_IP, NUM_MSR_ATOM_LASTBRANCH_FROM_TO }, +- { 0, 0 } +-}, gm_lbr[] = { +- { MSR_IA32_LASTINTFROMIP, 1 }, +- { MSR_IA32_LASTINTTOIP, 1 }, +- { MSR_SM_LBR_SELECT, 1 }, +- { MSR_SM_LASTBRANCH_TOS, 1 }, +- { MSR_GM_LASTBRANCH_0_FROM_IP, NUM_MSR_GM_LASTBRANCH_FROM_TO }, +- { MSR_GM_LASTBRANCH_0_TO_IP, NUM_MSR_GM_LASTBRANCH_FROM_TO }, +- { 0, 0 } +-}; +- +-static const struct lbr_info *last_branch_msr_get(void) +-{ +- switch ( boot_cpu_data.x86 ) +- { +- case 6: +- switch ( boot_cpu_data.x86_model ) +- { +- /* Core2 Duo */ +- case 0x0f: +- /* Enhanced Core */ +- case 0x17: +- /* Xeon 7400 */ +- case 0x1d: +- return c2_lbr; +- /* Nehalem */ +- case 0x1a: case 0x1e: case 0x1f: case 0x2e: +- /* Westmere */ +- case 0x25: case 0x2c: case 0x2f: +- /* Sandy Bridge */ +- case 0x2a: case 0x2d: +- /* Ivy Bridge */ +- case 0x3a: case 0x3e: +- /* Haswell */ +- case 0x3c: case 0x3f: case 0x45: case 0x46: +- /* 
Broadwell */ +- case 0x3d: case 0x47: case 0x4f: case 0x56: +- return nh_lbr; +- /* Skylake */ +- case 0x4e: case 0x5e: +- /* Xeon Scalable */ +- case 0x55: +- /* Cannon Lake */ +- case 0x66: +- /* Goldmont Plus */ +- case 0x7a: +- /* Ice Lake */ +- case 0x6a: case 0x6c: case 0x7d: case 0x7e: +- /* Tiger Lake */ +- case 0x8c: case 0x8d: +- /* Tremont */ +- case 0x86: +- /* Kaby Lake */ +- case 0x8e: case 0x9e: +- /* Comet Lake */ +- case 0xa5: case 0xa6: +- return sk_lbr; +- /* Atom */ +- case 0x1c: case 0x26: case 0x27: case 0x35: case 0x36: +- return at_lbr; +- /* Silvermont */ +- case 0x37: case 0x4a: case 0x4d: case 0x5a: case 0x5d: +- /* Xeon Phi Knights Landing */ +- case 0x57: +- /* Xeon Phi Knights Mill */ +- case 0x85: +- /* Airmont */ +- case 0x4c: +- return sm_lbr; +- /* Goldmont */ +- case 0x5c: case 0x5f: +- return gm_lbr; +- } +- break; +- +- case 15: +- switch ( boot_cpu_data.x86_model ) +- { +- /* Pentium4/Xeon with em64t */ +- case 3: case 4: case 6: +- return p4_lbr; +- } +- break; +- } +- +- return NULL; +-} +- + enum + { + LBR_FORMAT_32 = 0x0, /* 32-bit record format */ +@@ -3224,7 +3226,7 @@ static void __init ler_to_fixup_check(void) + + static int is_last_branch_msr(u32 ecx) + { +- const struct lbr_info *lbr = last_branch_msr_get(); ++ const struct lbr_info *lbr = model_specific_lbr; + + if ( lbr == NULL ) + return 0; +@@ -3563,7 +3565,7 @@ static int cf_check vmx_msr_write_intercept( + if ( !(v->arch.hvm.vmx.lbr_flags & LBR_MSRS_INSERTED) && + (msr_content & IA32_DEBUGCTLMSR_LBR) ) + { +- const struct lbr_info *lbr = last_branch_msr_get(); ++ const struct lbr_info *lbr = model_specific_lbr; + + if ( unlikely(!lbr) ) + { +-- +2.40.0 + diff --git a/0029-x86-perform-mem_sharing-teardown-before-paging-teard.patch b/0029-x86-perform-mem_sharing-teardown-before-paging-teard.patch deleted file mode 100644 index c96f44e..0000000 --- a/0029-x86-perform-mem_sharing-teardown-before-paging-teard.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From 700320a79297fb5087f7dd540424c468b2d2cffe Mon Sep 17 00:00:00 2001 -From: Tamas K Lengyel -Date: Fri, 3 Mar 2023 08:14:25 +0100 -Subject: [PATCH 29/61] x86: perform mem_sharing teardown before paging - teardown - -An assert failure has been observed in p2m_teardown when performing vm -forking and then destroying the forked VM (p2m-basic.c:173). The assert -checks whether the domain's shared pages counter is 0. According to the -patch that originally added the assert (7bedbbb5c31) the p2m_teardown -should only happen after mem_sharing already relinquished all shared pages. - -In this patch we flip the order in which relinquish ops are called to avoid -tripping the assert. Conceptually sharing being torn down makes sense to -happen before paging is torn down. - -Fixes: e7aa55c0aab3 ("x86/p2m: free the paging memory pool preemptively") -Signed-off-by: Tamas K Lengyel -Reviewed-by: Jan Beulich -master commit: 2869349f0cb3a89dcbf1f1b30371f58df6309312 -master date: 2023-02-23 12:35:48 +0100 ---- - xen/arch/x86/domain.c | 56 ++++++++++++++++++++++--------------------- - 1 file changed, 29 insertions(+), 27 deletions(-) - -diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c -index 3080cde62b..6eeb248908 100644 ---- a/xen/arch/x86/domain.c -+++ b/xen/arch/x86/domain.c -@@ -2343,9 +2343,9 @@ int domain_relinquish_resources(struct domain *d) - - enum { - PROG_iommu_pagetables = 1, -+ PROG_shared, - PROG_paging, - PROG_vcpu_pagetables, -- PROG_shared, - PROG_xen, - PROG_l4, - PROG_l3, -@@ -2364,6 +2364,34 @@ int domain_relinquish_resources(struct domain *d) - if ( ret ) - return ret; - -+#ifdef CONFIG_MEM_SHARING -+ PROGRESS(shared): -+ -+ if ( is_hvm_domain(d) ) -+ { -+ /* -+ * If the domain has shared pages, relinquish them allowing -+ * for preemption. -+ */ -+ ret = relinquish_shared_pages(d); -+ if ( ret ) -+ return ret; -+ -+ /* -+ * If the domain is forked, decrement the parent's pause count -+ * and release the domain. 
-+ */ -+ if ( mem_sharing_is_fork(d) ) -+ { -+ struct domain *parent = d->parent; -+ -+ d->parent = NULL; -+ domain_unpause(parent); -+ put_domain(parent); -+ } -+ } -+#endif -+ - PROGRESS(paging): - - /* Tear down paging-assistance stuff. */ -@@ -2404,32 +2432,6 @@ int domain_relinquish_resources(struct domain *d) - d->arch.auto_unmask = 0; - } - --#ifdef CONFIG_MEM_SHARING -- PROGRESS(shared): -- -- if ( is_hvm_domain(d) ) -- { -- /* If the domain has shared pages, relinquish them allowing -- * for preemption. */ -- ret = relinquish_shared_pages(d); -- if ( ret ) -- return ret; -- -- /* -- * If the domain is forked, decrement the parent's pause count -- * and release the domain. -- */ -- if ( mem_sharing_is_fork(d) ) -- { -- struct domain *parent = d->parent; -- -- d->parent = NULL; -- domain_unpause(parent); -- put_domain(parent); -- } -- } --#endif -- - spin_lock(&d->page_alloc_lock); - page_list_splice(&d->arch.relmem_list, &d->page_list); - INIT_PAGE_LIST_HEAD(&d->arch.relmem_list); --- -2.40.0 - diff --git a/0029-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch b/0029-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch new file mode 100644 index 0000000..2f87b83 --- /dev/null +++ b/0029-x86-vmx-Support-for-CPUs-without-model-specific-LBR.patch 
@@ -0,0 +1,83 @@
+From e904d8ae01a0be53368c8c388f13bf4ffcbcdf6c Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Tue, 7 Feb 2023 16:59:14 +0100
+Subject: [PATCH 29/89] x86/vmx: Support for CPUs without model-specific LBR
+
+Ice Lake (server at least) has both architectural LBR and model-specific LBR.
+Sapphire Rapids does not have model-specific LBR at all. I.e. On SPR and
+later, model_specific_lbr will always be NULL, so we must make changes to
+avoid reliably hitting the domain_crash().
+
+The Arch LBR spec states that CPUs without model-specific LBR implement
+MSR_DBG_CTL.LBR by discarding writes and always returning 0.
+
+Do this for any CPU for which we lack model-specific LBR information.
+
+Adjust the now-stale comment, now that the Arch LBR spec has created a way to
+signal "no model specific LBR" to guests.
+
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+Reviewed-by: Kevin Tian
+master commit: 3edca52ce736297d7fcf293860cd94ef62638052
+master date: 2023-01-12 18:42:00 +0000
+---
+ xen/arch/x86/hvm/vmx/vmx.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
+index ad91464103..861f91f2af 100644
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -3545,18 +3545,26 @@ static int cf_check vmx_msr_write_intercept(
+ if ( msr_content & rsvd )
+ goto gp_fault;
+
++ /*
++ * The Arch LBR spec (new in Ice Lake) states that CPUs with no
++ * model-specific LBRs implement MSR_DBG_CTL.LBR by discarding writes
++ * and always returning 0.
++ *
++ * Use this property in all cases where we don't know any
++ * model-specific LBR information, as it matches real hardware
++ * behaviour on post-Ice Lake systems.
++ */
++ if ( !model_specific_lbr )
++ msr_content &= ~IA32_DEBUGCTLMSR_LBR;
++
+ /*
+ * When a guest first enables LBR, arrange to save and restore the LBR
+ * MSRs and allow the guest direct access.
+ *
+- * MSR_DEBUGCTL and LBR has existed almost as long as MSRs have
+- * existed, and there is no architectural way to hide the feature, or
+- * fail the attempt to enable LBR.
+- *
+- * Unknown host LBR MSRs or hitting -ENOSPC with the guest load/save
+- * list are definitely hypervisor bugs, whereas -ENOMEM for allocating
+- * the load/save list is simply unlucky (and shouldn't occur with
+- * sensible management by the toolstack).
++ * Hitting -ENOSPC with the guest load/save list is definitely a
++ * hypervisor bug, whereas -ENOMEM for allocating the load/save list
++ * is simply unlucky (and shouldn't occur with sensible management by
++ * the toolstack).
+ *
+ * Either way, there is nothing we can do right now to recover, and
+ * the guest won't execute correctly either. Simply crash the domain
+@@ -3567,13 +3575,6 @@ static int cf_check vmx_msr_write_intercept(
+ {
+ const struct lbr_info *lbr = model_specific_lbr;
+
+- if ( unlikely(!lbr) )
+- {
+- gprintk(XENLOG_ERR, "Unknown Host LBR MSRs\n");
+- domain_crash(v->domain);
+- return X86EMUL_OKAY;
+- }
+-
+ for ( ; lbr->count; lbr++ )
+ {
+ unsigned int i;
+--
+2.40.0
+
diff --git a/0030-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch b/0030-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch
new file mode 100644
index 0000000..e2bb8df
--- /dev/null
+++ b/0030-x86-shadow-fix-PAE-check-for-top-level-table-unshado.patch
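Review bot: The loop `for ( ; lbr->count; lbr++ )` in the second vmx.c hunk now dereferences `lbr` with no NULL check, and the only thing keeping that safe is the new `msr_content &= ~IA32_DEBUGCTLMSR_LBR;` masking added in the first hunk. Going by the surrounding comment, this path runs when a guest first enables LBR, so a later change that moves or conditions the masking would replace the old domain_crash() with a NULL dereference inside the hypervisor. I would state the invariant where it is relied on, e.g. `ASSERT(lbr); /* LBR bit is masked above when model_specific_lbr is NULL */` directly after `const struct lbr_info *lbr = model_specific_lbr;`. vmx_msr_write_intercept() starts and ends outside both hunks, so the code between the masking and the loop is not visible here.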
@@ -0,0 +1,39 @@
+From 2d74e7035bd060d662f1c4f8522377be8021be92 Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Tue, 7 Feb 2023 16:59:54 +0100
+Subject: [PATCH 30/89] x86/shadow: fix PAE check for top-level table
+ unshadowing
+
+Clearly within the for_each_vcpu() the vCPU of this loop is meant, not
+the (loop invariant) one the fault occurred on.
+
+Fixes: 3d5e6a3ff383 ("x86 hvm: implement HVMOP_pagetable_dying")
+Fixes: ef3b0d8d2c39 ("x86/shadow: shadow_table[] needs only one entry for PV-only configs")
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+master commit: f8fdceefbb1193ec81667eb40b83bc525cb71204
+master date: 2023-01-20 09:23:42 +0100
+---
+ xen/arch/x86/mm/shadow/multi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
+index 2370b30602..671bf8c228 100644
+--- a/xen/arch/x86/mm/shadow/multi.c
++++ b/xen/arch/x86/mm/shadow/multi.c
+@@ -2672,10 +2672,10 @@ static int cf_check sh_page_fault(
+ #if GUEST_PAGING_LEVELS == 3
+ unsigned int i;
+
+- for_each_shadow_table(v, i)
++ for_each_shadow_table(tmp, i)
+ {
+ mfn_t smfn = pagetable_get_mfn(
+- v->arch.paging.shadow.shadow_table[i]);
++ tmp->arch.paging.shadow.shadow_table[i]);
+
+ if ( mfn_valid(smfn) && (mfn_x(smfn) != 0) )
+ {
+--
+2.40.0
+
diff --git a/0030-xen-Work-around-Clang-IAS-macro-expansion-bug.patch b/0030-xen-Work-around-Clang-IAS-macro-expansion-bug.patch
deleted file mode 100644
index a92f2f0..0000000
--- a/0030-xen-Work-around-Clang-IAS-macro-expansion-bug.patch
+++ /dev/null
@@ -1,115 +0,0 @@ -From 2b8f72a6b40dafc3fb40bce100cd62c4a377535a Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Fri, 3 Mar 2023 08:14:57 +0100 -Subject: [PATCH 30/61] xen: Work around Clang-IAS macro \@ expansion bug - -https://github.com/llvm/llvm-project/issues/60792 - -It turns out that Clang-IAS does not expand \@ uniquely in a translaition -unit, and the XSA-426 change tickles this bug: - - :4:1: error: invalid symbol redefinition - .L1_fill_rsb_loop: - ^ - make[3]: *** [Rules.mk:247: arch/x86/acpi/cpu_idle.o] Error 1 - -Extend DO_OVERWRITE_RSB with an optional parameter so C callers can mix %= in -too, which Clang does seem to expand properly. - -Fixes: 63305e5392ec ("x86/spec-ctrl: Mitigate Cross-Thread Return Address Predictions") -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -master commit: a2adacff0b91cc7b977abb209dc419a2ef15963f -master date: 2023-02-24 17:44:29 +0000 ---- - xen/include/asm-x86/spec_ctrl.h | 4 ++-- - xen/include/asm-x86/spec_ctrl_asm.h | 23 ++++++++++++++--------- - 2 files changed, 16 insertions(+), 11 deletions(-) - -diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h -index 391973ef6a..a431fea587 100644 ---- a/xen/include/asm-x86/spec_ctrl.h -+++ b/xen/include/asm-x86/spec_ctrl.h -@@ -83,7 +83,7 @@ static always_inline void spec_ctrl_new_guest_context(void) - wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB); - - /* (ab)use alternative_input() to specify clobbers. */ -- alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET, -+ alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_BUG_IBPB_NO_RET, - : "rax", "rcx"); - } - -@@ -172,7 +172,7 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info) - * - * (ab)use alternative_input() to specify clobbers. 
- */ -- alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE, -+ alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_FEATURE_SC_RSB_IDLE, - : "rax", "rcx"); - } - -diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h -index 9eb4ad9ab7..b61a5571ae 100644 ---- a/xen/include/asm-x86/spec_ctrl_asm.h -+++ b/xen/include/asm-x86/spec_ctrl_asm.h -@@ -117,11 +117,16 @@ - .L\@_done: - .endm - --.macro DO_OVERWRITE_RSB tmp=rax -+.macro DO_OVERWRITE_RSB tmp=rax xu - /* - * Requires nothing - * Clobbers \tmp (%rax by default), %rcx - * -+ * xu is an optional parameter to add eXtra Uniqueness. It is intended for -+ * passing %= in from an asm() block, in order to work around -+ * https://github.com/llvm/llvm-project/issues/60792 where Clang-IAS doesn't -+ * expand \@ uniquely. -+ * - * Requires 256 bytes of {,shadow}stack space, but %rsp/SSP has no net - * change. Based on Google's performance numbers, the loop is unrolled to 16 - * iterations and two calls per iteration. -@@ -137,31 +142,31 @@ - mov $16, %ecx /* 16 iterations, two calls per loop */ - mov %rsp, %\tmp /* Store the current %rsp */ - --.L\@_fill_rsb_loop: -+.L\@_fill_rsb_loop\xu: - - .irp n, 1, 2 /* Unrolled twice. */ -- call .L\@_insert_rsb_entry_\n /* Create an RSB entry. */ -+ call .L\@_insert_rsb_entry\xu\n /* Create an RSB entry. */ - --.L\@_capture_speculation_\n: -+.L\@_capture_speculation\xu\n: - pause - lfence -- jmp .L\@_capture_speculation_\n /* Capture rogue speculation. */ -+ jmp .L\@_capture_speculation\xu\n /* Capture rogue speculation. 
*/ - --.L\@_insert_rsb_entry_\n: -+.L\@_insert_rsb_entry\xu\n: - .endr - - sub $1, %ecx -- jnz .L\@_fill_rsb_loop -+ jnz .L\@_fill_rsb_loop\xu - mov %\tmp, %rsp /* Restore old %rsp */ - - #ifdef CONFIG_XEN_SHSTK - mov $1, %ecx - rdsspd %ecx - cmp $1, %ecx -- je .L\@_shstk_done -+ je .L\@_shstk_done\xu - mov $64, %ecx /* 64 * 4 bytes, given incsspd */ - incsspd %ecx /* Restore old SSP */ --.L\@_shstk_done: -+.L\@_shstk_done\xu: - #endif - .endm - --- -2.40.0 - diff --git a/0031-build-fix-building-flask-headers-before-descending-i.patch b/0031-build-fix-building-flask-headers-before-descending-i.patch new file mode 100644 index 0000000..273e795 --- /dev/null +++ b/0031-build-fix-building-flask-headers-before-descending-i.patch 
@@ -0,0 +1,50 @@
+From 819a5d4ed8b79e21843d5960a7ab8fbd16f28233 Mon Sep 17 00:00:00 2001
+From: Anthony PERARD
+Date: Tue, 7 Feb 2023 17:00:29 +0100
+Subject: [PATCH 31/89] build: fix building flask headers before descending in
+ flask/ss/
+
+Unfortunatly, adding prerequisite to "$(obj)/ss/built_in.o" doesn't
+work because we have "$(obj)/%/built_in.o: $(obj)/% ;" in Rules.mk.
+So, make is allow to try to build objects in "xsm/flask/ss/" before
+generating the headers.
+
+Adding a prerequisite on "$(obj)/ss" instead will fix the issue as
+that's the target used to run make in this subdirectory.
+
+Unfortunatly, that target is also used when running `make clean`, so
+we want to ignore it in this case. $(MAKECMDGOALS) can't be used in
+this case as it is empty, but we can guess which operation is done by
+looking at the list of loaded makefiles.
+
+Fixes: 7a3bcd2babcc ("build: build everything from the root dir, use obj=$subdir")
+Reported-by: "Daniel P. Smith"
+Signed-off-by: Anthony PERARD
+Acked-by: Daniel P. Smith
+Reviewed-by: Jan Beulich
+master commit: d60324d8af9404014cfcc37bba09e9facfd02fcf
+master date: 2023-01-23 15:03:58 +0100
+---
+ xen/xsm/flask/Makefile | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
+index d25312f4fa..3fdcf7727e 100644
+--- a/xen/xsm/flask/Makefile
++++ b/xen/xsm/flask/Makefile
+@@ -16,7 +16,11 @@ FLASK_H_FILES := flask.h class_to_string.h initial_sid_to_string.h
+ AV_H_FILES := av_perm_to_string.h av_permissions.h
+ ALL_H_FILES := $(addprefix include/,$(FLASK_H_FILES) $(AV_H_FILES))
+
+-$(addprefix $(obj)/,$(obj-y)) $(obj)/ss/built_in.o: $(addprefix $(obj)/,$(ALL_H_FILES))
++# Adding prerequisite to descending into ss/ folder only when not running
++# `make *clean`.
++ifeq ($(filter %/Makefile.clean,$(MAKEFILE_LIST)),)
++$(addprefix $(obj)/,$(obj-y)) $(obj)/ss: $(addprefix $(obj)/,$(ALL_H_FILES))
++endif
+ extra-y += $(ALL_H_FILES)
+
+ mkflask := $(srcdir)/policy/mkflask.sh
+--
+2.40.0
+
diff --git a/0031-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch b/0031-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch
deleted file mode 100644
index bad0316..0000000
--- a/0031-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch
+++ /dev/null
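Review bot: The `ifeq ($(filter %/Makefile.clean,$(MAKEFILE_LIST)),)` guard recognises a clean run only by the file name of a loaded makefile, and the added comment does not say that. If the clean makefile is renamed or pulled in some other way, the header prerequisite on `$(obj)/ss` would silently apply again during `make clean` with nothing here pointing at the cause. I would carry the reasoning from the commit message into the comment, e.g. `# $(MAKECMDGOALS) is empty here, so a clean run is detected by Makefile.clean being in $(MAKEFILE_LIST).`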
@@ -1,83 +0,0 @@ -From f073db0a07c5f6800a70c91819c4b8c2ba359451 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Fri, 3 Mar 2023 08:15:50 +0100 -Subject: [PATCH 31/61] xen: Fix Clang -Wunicode diagnostic when building - asm-macros - -While trying to work around a different Clang-IAS bug (parent changeset), I -stumbled onto: - - In file included from arch/x86/asm-macros.c:3: - ./arch/x86/include/asm/spec_ctrl_asm.h:144:19: error: \u used with - no following hex digits; treating as '\' followed by identifier [-Werror,-Wunicode] - .L\@_fill_rsb_loop\uniq: - ^ - -It turns out that Clang -E is sensitive to the file extension of the source -file it is processing. Furthermore, C explicitly permits the use of \u -escapes in identifier names, so the diagnostic would be reasonable in -principle if we trying to compile the result. - -asm-macros should really have been .S from the outset, as it is ultimately -generating assembly, not C. Rename it, which causes Clang not to complain. - -We need to introduce rules for generating a .i file from .S, and substituting -c_flags for a_flags lets us drop the now-redundant -D__ASSEMBLY__. - -No functional change. 
- -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -master commit: 53f0d02040b1df08f0589f162790ca376e1c2040 -master date: 2023-02-24 17:44:29 +0000 ---- - xen/Rules.mk | 6 ++++++ - xen/arch/x86/Makefile | 2 +- - xen/arch/x86/{asm-macros.c => asm-macros.S} | 0 - 3 files changed, 7 insertions(+), 1 deletion(-) - rename xen/arch/x86/{asm-macros.c => asm-macros.S} (100%) - -diff --git a/xen/Rules.mk b/xen/Rules.mk -index 5e0699e58b..1f171f88e2 100644 ---- a/xen/Rules.mk -+++ b/xen/Rules.mk -@@ -223,6 +223,9 @@ $(filter %.init.o,$(obj-y) $(obj-bin-y) $(extra-y)): %.init.o: %.o FORCE - quiet_cmd_cpp_i_c = CPP $@ - cmd_cpp_i_c = $(CPP) $(call cpp_flags,$(c_flags)) -MQ $@ -o $@ $< - -+quiet_cmd_cpp_i_S = CPP $@ -+cmd_cpp_i_S = $(CPP) $(call cpp_flags,$(a_flags)) -MQ $@ -o $@ $< -+ - quiet_cmd_cc_s_c = CC $@ - cmd_cc_s_c = $(CC) $(filter-out -Wa$(comma)%,$(c_flags)) -S $< -o $@ - -@@ -232,6 +235,9 @@ cmd_cpp_s_S = $(CPP) $(call cpp_flags,$(a_flags)) -MQ $@ -o $@ $< - %.i: %.c FORCE - $(call if_changed,cpp_i_c) - -+%.i: %.S FORCE -+ $(call if_changed,cpp_i_S) -+ - %.s: %.c FORCE - $(call if_changed,cc_s_c) - -diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile -index 69b6cfaded..8e975f472d 100644 ---- a/xen/arch/x86/Makefile -+++ b/xen/arch/x86/Makefile -@@ -273,7 +273,7 @@ efi/buildid.o efi/relocs-dummy.o: ; - .PHONY: include - include: $(BASEDIR)/include/asm-x86/asm-macros.h - --asm-macros.i: CFLAGS-y += -D__ASSEMBLY__ -P -+asm-macros.i: CFLAGS-y += -P - - $(BASEDIR)/include/asm-x86/asm-macros.h: asm-macros.i Makefile - echo '#if 0' >$@.new -diff --git a/xen/arch/x86/asm-macros.c b/xen/arch/x86/asm-macros.S -similarity index 100% -rename from xen/arch/x86/asm-macros.c -rename to xen/arch/x86/asm-macros.S --- -2.40.0 - diff --git a/0032-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch b/0032-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch new file mode 100644 index 0000000..8b3a410 --- /dev/null 
+++ b/0032-ns16550-fix-an-incorrect-assignment-to-uart-io_size.patch
@@ -0,0 +1,34 @@
+From d0127881376baeea1e4eb71d0f7b56d942147124 Mon Sep 17 00:00:00 2001
+From: Ayan Kumar Halder
+Date: Tue, 7 Feb 2023 17:00:47 +0100
+Subject: [PATCH 32/89] ns16550: fix an incorrect assignment to uart->io_size
+
+uart->io_size represents the size in bytes. Thus, when serial_port.bit_width
+is assigned to it, it should be converted to size in bytes.
+
+Fixes: 17b516196c ("ns16550: add ACPI support for ARM only")
+Reported-by: Jan Beulich
+Signed-off-by: Ayan Kumar Halder
+Reviewed-by: Stefano Stabellini
+master commit: 352c89f72ddb67b8d9d4e492203f8c77f85c8df1
+master date: 2023-01-24 16:54:38 +0100
+---
+ xen/drivers/char/ns16550.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c
+index 01a05c9aa8..ce013fb6a5 100644
+--- a/xen/drivers/char/ns16550.c
++++ b/xen/drivers/char/ns16550.c
+@@ -1875,7 +1875,7 @@ static int __init ns16550_acpi_uart_init(const void *data)
+ uart->parity = spcr->parity;
+ uart->stop_bits = spcr->stop_bits;
+ uart->io_base = spcr->serial_port.address;
+- uart->io_size = spcr->serial_port.bit_width;
++ uart->io_size = DIV_ROUND_UP(spcr->serial_port.bit_width, BITS_PER_BYTE);
+ uart->reg_shift = spcr->serial_port.bit_offset;
+ uart->reg_width = spcr->serial_port.access_width;
+
+--
+2.40.0
+
diff --git a/0032-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch b/0032-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch
deleted file mode 100644
index bfcdd26..0000000
--- a/0032-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch
+++ /dev/null
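Review bot: The unit conversion on the `uart->io_size` line is explained only in the commit message, while the neighbouring assignments copy other `serial_port` fields unconverted, so the next reader has no hint why this one differs. I would add `/* bit_width is in bits; io_size is in bytes. */` above the assignment. Since `spcr` presumably describes a firmware-provided table, a `bit_width` of 0 would give an `io_size` of 0; whether later users of `io_size` tolerate that is not visible here and is worth confirming. ns16550_acpi_uart_init() begins and ends outside the hunk.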
@@ -1,98 +0,0 @@ -From a2adc7fcc22405e81dc11290416e6140bb0244ca Mon Sep 17 00:00:00 2001 -From: Bertrand Marquis -Date: Fri, 3 Mar 2023 08:16:45 +0100 -Subject: [PATCH 32/61] tools: Use PKG_CONFIG_FILE instead of PKG_CONFIG - variable - -Replace PKG_CONFIG variable name with PKG_CONFIG_FILE for the name of -the pkg-config file. -This is preventing a conflict in some build systems where PKG_CONFIG -actually contains the path to the pkg-config executable to use, as the -default assignment in libs.mk is using a weak assignment (?=). - -This problem has been found when trying to build the latest version of -Xen tools using buildroot. - -Fixes: d400dc5729e4 ("tools: tweak tools/libs/libs.mk for being able to support libxenctrl") -Signed-off-by: Bertrand Marquis -Reviewed-by: Anthony PERARD -master commit: b97e2fe7b9e1f4706693552697239ac2b71efee4 -master date: 2023-02-24 17:44:29 +0000 ---- - tools/libs/ctrl/Makefile | 2 +- - tools/libs/libs.mk | 13 +++++++------ - 2 files changed, 8 insertions(+), 7 deletions(-) - -diff --git a/tools/libs/ctrl/Makefile b/tools/libs/ctrl/Makefile -index 6ff5918798..d3666ae7ff 100644 ---- a/tools/libs/ctrl/Makefile -+++ b/tools/libs/ctrl/Makefile -@@ -47,7 +47,7 @@ CFLAGS += -include $(XEN_ROOT)/tools/config.h - CFLAGS-$(CONFIG_Linux) += -D_GNU_SOURCE - - LIBHEADER := xenctrl.h xenctrl_compat.h --PKG_CONFIG := xencontrol.pc -+PKG_CONFIG_FILE := xencontrol.pc - PKG_CONFIG_NAME := Xencontrol - - NO_HEADERS_CHK := y -diff --git a/tools/libs/libs.mk b/tools/libs/libs.mk -index f1554462fb..0e005218e2 100644 ---- a/tools/libs/libs.mk -+++ b/tools/libs/libs.mk -@@ -1,7 +1,7 @@ - # Common Makefile for building a lib. 
- # - # Variables taken as input: --# PKG_CONFIG: name of pkg-config file (xen$(LIBNAME).pc if empty) -+# PKG_CONFIG_FILE: name of pkg-config file (xen$(LIBNAME).pc if empty) - # MAJOR: major version of lib (Xen version if empty) - # MINOR: minor version of lib (0 if empty) - -@@ -29,7 +29,8 @@ endif - comma:= , - empty:= - space:= $(empty) $(empty) --PKG_CONFIG ?= $(LIB_FILE_NAME).pc -+ -+PKG_CONFIG_FILE ?= $(LIB_FILE_NAME).pc - PKG_CONFIG_NAME ?= Xen$(LIBNAME) - PKG_CONFIG_DESC ?= The $(PKG_CONFIG_NAME) library for Xen hypervisor - PKG_CONFIG_VERSION := $(MAJOR).$(MINOR) -@@ -38,13 +39,13 @@ PKG_CONFIG_LIB := $(LIB_FILE_NAME) - PKG_CONFIG_REQPRIV := $(subst $(space),$(comma),$(strip $(foreach lib,$(patsubst ctrl,control,$(USELIBS_$(LIBNAME))),xen$(lib)))) - - ifneq ($(CONFIG_LIBXC_MINIOS),y) --PKG_CONFIG_INST := $(PKG_CONFIG) -+PKG_CONFIG_INST := $(PKG_CONFIG_FILE) - $(PKG_CONFIG_INST): PKG_CONFIG_PREFIX = $(prefix) - $(PKG_CONFIG_INST): PKG_CONFIG_INCDIR = $(includedir) - $(PKG_CONFIG_INST): PKG_CONFIG_LIBDIR = $(libdir) - endif - --PKG_CONFIG_LOCAL := $(PKG_CONFIG_DIR)/$(PKG_CONFIG) -+PKG_CONFIG_LOCAL := $(PKG_CONFIG_DIR)/$(PKG_CONFIG_FILE) - - LIBHEADER ?= $(LIB_FILE_NAME).h - LIBHEADERS = $(foreach h, $(LIBHEADER), $(XEN_INCLUDE)/$(h)) -@@ -114,7 +115,7 @@ install: build - $(SYMLINK_SHLIB) lib$(LIB_FILE_NAME).so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir)/lib$(LIB_FILE_NAME).so.$(MAJOR) - $(SYMLINK_SHLIB) lib$(LIB_FILE_NAME).so.$(MAJOR) $(DESTDIR)$(libdir)/lib$(LIB_FILE_NAME).so - for i in $(LIBHEADERS); do $(INSTALL_DATA) $$i $(DESTDIR)$(includedir); done -- $(INSTALL_DATA) $(PKG_CONFIG) $(DESTDIR)$(PKG_INSTALLDIR) -+ $(INSTALL_DATA) $(PKG_CONFIG_FILE) $(DESTDIR)$(PKG_INSTALLDIR) - - .PHONY: uninstall - uninstall: -@@ -134,7 +135,7 @@ clean: - rm -rf *.rpm $(LIB) *~ $(DEPS_RM) $(LIB_OBJS) $(PIC_OBJS) - rm -f lib$(LIB_FILE_NAME).so.$(MAJOR).$(MINOR) lib$(LIB_FILE_NAME).so.$(MAJOR) - rm -f headers.chk headers.lst -- rm -f $(PKG_CONFIG) -+ rm -f $(PKG_CONFIG_FILE) - 
rm -f _paths.h - - .PHONY: distclean --- -2.40.0 - diff --git a/0033-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch b/0033-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch deleted file mode 100644 index 5caa850..0000000 --- a/0033-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From b181a3a5532574d2163408284bcd785ec87fe046 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Fri, 3 Mar 2023 08:17:04 +0100 -Subject: [PATCH 33/61] libs/guest: Fix resource leaks in - xc_core_arch_map_p2m_tree_rw() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Edwin, with the help of GCC's -fanalyzer, identified that p2m_frame_list_list -gets leaked. What fanalyzer can't see is that the live_p2m_frame_list_list -and live_p2m_frame_list foreign mappings are leaked too. - -Rework the logic so the out path is executed unconditionally, which cleans up -all the intermediate allocations/mappings appropriately. - -Fixes: bd7a29c3d0b9 ("tools/libs/ctrl: fix xc_core_arch_map_p2m() to support linear p2m table") -Reported-by: Edwin Török -Signed-off-by: Andrew Cooper -Reviewed-by: Juergen Gross -master commit: 1868d7f22660c8980bd0a7e53f044467e8b63bb5 -master date: 2023-02-27 15:51:23 +0000 ---- - tools/libs/guest/xg_core_x86.c | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - -diff --git a/tools/libs/guest/xg_core_x86.c b/tools/libs/guest/xg_core_x86.c -index 61106b98b8..c5e4542ccc 100644 ---- a/tools/libs/guest/xg_core_x86.c -+++ b/tools/libs/guest/xg_core_x86.c -@@ -229,11 +229,11 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct domain_info_context *dinf - uint32_t dom, shared_info_any_t *live_shinfo) - { - /* Double and single indirect references to the live P2M table */ -- xen_pfn_t *live_p2m_frame_list_list; -+ xen_pfn_t *live_p2m_frame_list_list = NULL; - xen_pfn_t *live_p2m_frame_list = NULL; - /* Copies of the above. 
*/ - xen_pfn_t *p2m_frame_list_list = NULL; -- xen_pfn_t *p2m_frame_list; -+ xen_pfn_t *p2m_frame_list = NULL; - - int err; - int i; -@@ -297,8 +297,6 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct domain_info_context *dinf - - dinfo->p2m_frames = P2M_FL_ENTRIES; - -- return p2m_frame_list; -- - out: - err = errno; - -@@ -312,7 +310,7 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct domain_info_context *dinf - - errno = err; - -- return NULL; -+ return p2m_frame_list; - } - - static int --- -2.40.0 - diff --git a/0033-libxl-fix-guest-kexec-skip-cpuid-policy.patch b/0033-libxl-fix-guest-kexec-skip-cpuid-policy.patch new file mode 100644 index 0000000..7eb3779 --- /dev/null +++ b/0033-libxl-fix-guest-kexec-skip-cpuid-policy.patch 
@@ -0,0 +1,72 @@
+From 3dae50283d9819c691a97f15b133124c00d39a2f Mon Sep 17 00:00:00 2001
+From: Jason Andryuk
+Date: Tue, 7 Feb 2023 17:01:49 +0100
+Subject: [PATCH 33/89] libxl: fix guest kexec - skip cpuid policy
+
+When a domain performs a kexec (soft reset), libxl__build_pre() is
+called with the existing domid. Calling libxl__cpuid_legacy() on the
+existing domain fails since the cpuid policy has already been set, and
+the guest isn't rebuilt and doesn't kexec.
+
+xc: error: Failed to set d1's policy (err leaf 0xffffffff, subleaf 0xffffffff, msr 0xffffffff) (17 = File exists): Internal error
+libxl: error: libxl_cpuid.c:494:libxl__cpuid_legacy: Domain 1:Failed to apply CPUID policy: File exists
+libxl: error: libxl_create.c:1641:domcreate_rebuild_done: Domain 1:cannot (re-)build domain: -3
+libxl: error: libxl_xshelp.c:201:libxl__xs_read_mandatory: xenstore read failed: `/libxl/1/type': No such file or directory
+libxl: warning: libxl_dom.c:49:libxl__domain_type: unable to get domain type for domid=1, assuming HVM
+
+During a soft_reset, skip calling libxl__cpuid_legacy() to avoid the
+issue. Before commit 34990446ca91, the libxl__cpuid_legacy() failure
+would have been ignored, so kexec would continue.
+
+Fixes: 34990446ca91 ("libxl: don't ignore the return value from xc_cpuid_apply_policy")
+Signed-off-by: Jason Andryuk
+Reviewed-by: Anthony PERARD
+master commit: 1e454c2b5b1172e0fc7457e411ebaba61db8fc87
+master date: 2023-01-26 10:58:23 +0100
+---
+ tools/libs/light/libxl_create.c | 2 ++
+ tools/libs/light/libxl_dom.c | 2 +-
+ tools/libs/light/libxl_internal.h | 1 +
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c
+index 612eacfc7f..dbee32b7b7 100644
+--- a/tools/libs/light/libxl_create.c
++++ b/tools/libs/light/libxl_create.c
+@@ -2203,6 +2203,8 @@ static int do_domain_soft_reset(libxl_ctx *ctx,
+ aop_console_how);
+ cdcs->domid_out = &domid_out;
+
++ state->soft_reset = true;
++
+ dom_path = libxl__xs_get_dompath(gc, domid);
+ if (!dom_path) {
+ LOGD(ERROR, domid, "failed to read domain path");
+diff --git a/tools/libs/light/libxl_dom.c b/tools/libs/light/libxl_dom.c
+index b454f988fb..f6311eea6e 100644
+--- a/tools/libs/light/libxl_dom.c
++++ b/tools/libs/light/libxl_dom.c
+@@ -382,7 +382,7 @@ int libxl__build_pre(libxl__gc *gc, uint32_t domid,
+ /* Construct a CPUID policy, but only for brand new domains. Domains
+ * being migrated-in/restored have CPUID handled during the
+ * static_data_done() callback. */
+- if (!state->restore)
++ if (!state->restore && !state->soft_reset)
+ rc = libxl__cpuid_legacy(ctx, domid, false, info);
+
+ out:
+diff --git a/tools/libs/light/libxl_internal.h b/tools/libs/light/libxl_internal.h
+index a7c447c10e..cae160351f 100644
+--- a/tools/libs/light/libxl_internal.h
++++ b/tools/libs/light/libxl_internal.h
+@@ -1406,6 +1406,7 @@ typedef struct {
+ /* Whether this domain is being migrated/restored, or booting fresh. Only
+ * applicable to the primary domain, not support domains (e.g. stub QEMU).
*/
+ bool restore;
++ bool soft_reset;
+ } libxl__domain_build_state;
+
+ _hidden void libxl__domain_build_state_init(libxl__domain_build_state *s);
+--
+2.40.0
+
diff --git a/0034-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch b/0034-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch
deleted file mode 100644
index 4be16a3..0000000
--- a/0034-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch
+++ /dev/null
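Review bot: The new `bool soft_reset;` field in libxl__domain_build_state has no comment of its own, and the comment directly above it describes only `restore`. The comment in libxl__build_pre() likewise still says the CPUID policy is constructed "only for brand new domains" and names just the migrated-in/restored case, although the condition now also tests `!state->soft_reset`. I would add `/* Set during a soft reset (guest kexec): the domain already has a CPUID policy. */` above the field and extend the libxl__build_pre() comment with the same reason. It is also worth confirming that libxl__domain_build_state_init(), which is outside these hunks, leaves `soft_reset` false on every other creation path.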
@@ -1,56 +0,0 @@
-From 25d103f2eb59f021cce61f07a0bf0bfa696b4416 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
-Date: Fri, 3 Mar 2023 08:17:23 +0100
-Subject: [PATCH 34/61] libs/guest: Fix leak on realloc failure in
- backup_ptes()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From `man 2 realloc`:
-
- If realloc() fails, the original block is left untouched; it is not freed or moved.
-
-Found using GCC -fanalyzer:
-
- | 184 | backup->entries = realloc(backup->entries,
- | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- | | | | |
- | | | | (91) when ‘realloc’ fails
- | | | (92) ‘old_ptes.entries’ leaks here; was allocated at (44)
- | | (90) ...to here
-
-Signed-off-by: Edwin Török
-Acked-by: Andrew Cooper
-master commit: 275d13184cfa52ebe4336ed66526ce93716adbe0
-master date: 2023-02-27 15:51:23 +0000
----
- tools/libs/guest/xg_offline_page.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/tools/libs/guest/xg_offline_page.c b/tools/libs/guest/xg_offline_page.c
-index cfe0e2d537..c42b973363 100644
---- a/tools/libs/guest/xg_offline_page.c
-+++ b/tools/libs/guest/xg_offline_page.c
-@@ -181,10 +181,16 @@ static int backup_ptes(xen_pfn_t table_mfn, int offset,
-
- if (backup->max == backup->cur)
- {
-- backup->entries = realloc(backup->entries,
-- backup->max * 2 * sizeof(struct pte_backup_entry));
-+ void *orig = backup->entries;
-+
-+ backup->entries = realloc(
-+ orig, backup->max * 2 * sizeof(struct pte_backup_entry));
-+
- if (backup->entries == NULL)
-+ {
-+ free(orig);
- return -1;
-+ }
- else
- backup->max *= 2;
- }
---
-2.40.0
-
diff --git a/0034-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch b/0034-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch
new file mode 100644
index 0000000..8f57d4e
--- /dev/null
+++ b/0034-tools-ocaml-xenctrl-Make-domain_getinfolist-tail-rec.patch
@@ -0,0 +1,71 @@
+From 03f545b6cf3220b4647677b588e5525a781a4813 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
+Date: Tue, 1 Nov 2022 17:59:16 +0000
+Subject: [PATCH 34/89] tools/ocaml/xenctrl: Make domain_getinfolist tail
+ recursive
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+domain_getinfolist() is quadratic with the number of domains, because of the
+behaviour of the underlying hypercall. xenopsd was further observed to be
+wasting excessive quantites of time manipulating the list of already-obtained
+domains.
+
+Implement a tail recursive `rev_concat` equivalent to `concat |> rev`, and use
+it instead of calling `@` multiple times.
+
+An incidental benefit is that the list of domains will now be in domid order,
+instead of having pairs of 2 domains changing direction every time.
+
+In a scalability testing scenario with ~1000 VMs, a combination of this and
+the subsequent change takes xenopsd's wallclock time in domain_getinfolist()
+down from 88% to 0.02%
+
+Signed-off-by: Edwin Török
+Tested-by: Pau Ruiz Safont
+Acked-by: Christian Lindig
+(cherry picked from commit c3b6be714c64aa62b56d0bce96f4b6a10b5c2078)
+---
+ tools/ocaml/libs/xc/xenctrl.ml | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/tools/ocaml/libs/xc/xenctrl.ml b/tools/ocaml/libs/xc/xenctrl.ml
+index 83e39a8616..85b73a7f6f 100644
+--- a/tools/ocaml/libs/xc/xenctrl.ml
++++ b/tools/ocaml/libs/xc/xenctrl.ml
+@@ -222,14 +222,25 @@ external domain_shutdown: handle -> domid -> shutdown_reason -> unit
+ external _domain_getinfolist: handle -> domid -> int -> domaininfo list
+ = "stub_xc_domain_getinfolist"
+
++let rev_append_fold acc e = List.rev_append e acc
++
++(**
++ * [rev_concat lst] is equivalent to [lst |> List.concat |> List.rev]
++ * except it is tail recursive, whereas [List.concat] isn't.
++ * Example:
++ * rev_concat [[10;9;8];[7;6];[5]]] = [5; 6; 7; 8; 9; 10]
++ *)
++let rev_concat lst = List.fold_left rev_append_fold [] lst
++
+ let domain_getinfolist handle first_domain =
+ let nb = 2 in
+- let last_domid l = (List.hd l).domid + 1 in
+- let rec __getlist from =
+- let l = _domain_getinfolist handle from nb in
+- (if List.length l = nb then __getlist (last_domid l) else []) @ l
+- in
+- List.rev (__getlist first_domain)
++ let rec __getlist lst from =
++ (* _domain_getinfolist returns domains in reverse order, largest first *)
++ match _domain_getinfolist handle from nb with
++ | [] -> rev_concat lst
++ | (hd :: _) as l -> __getlist (l :: lst) (hd.domid + 1)
++ in
++ __getlist [] first_domain
+
+ external domain_getinfo: handle -> domid -> domaininfo= "stub_xc_domain_getinfo"
+
+--
+2.40.0
+
diff --git a/0035-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch b/0035-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch
new file mode 100644
index 0000000..6c64355
--- /dev/null
+++ b/0035-tools-ocaml-xenctrl-Use-larger-chunksize-in-domain_g.patch
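Review bot: The doc comment added above `rev_concat` carries an unbalanced bracket in its example, `rev_concat [[10;9;8];[7;6];[5]]]`, which does not parse as OCaml; it should read `rev_concat [[10;9;8];[7;6];[5]] = [5; 6; 7; 8; 9; 10]`. Separately, the rewritten `__getlist` stops only on an empty result, where the old code stopped on a short batch, so each listing appears to make one extra call to `_domain_getinfolist`. A one-line comment next to the `[]` case saying that this is intended would help the next reader.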
@@ -0,0 +1,41 @@
+From 5d8f9cfa166c55a308856e7b021d778350edbd6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
+Date: Tue, 1 Nov 2022 17:59:17 +0000
+Subject: [PATCH 35/89] tools/ocaml/xenctrl: Use larger chunksize in
+ domain_getinfolist
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+domain_getinfolist() is quadratic with the number of domains, because of the
+behaviour of the underlying hypercall. Nevertheless, getting domain info in
+blocks of 1024 is far more efficient than blocks of 2.
+
+In a scalability testing scenario with ~1000 VMs, a combination of this and
+the previous change takes xenopsd's wallclock time in domain_getinfolist()
+down from 88% to 0.02%
+
+Signed-off-by: Edwin Török
+Tested-by: Pau Ruiz Safont
+Acked-by: Christian Lindig
+(cherry picked from commit 95db09b1b154fb72fad861815ceae1f3fa49fc4e)
+---
+ tools/ocaml/libs/xc/xenctrl.ml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/ocaml/libs/xc/xenctrl.ml b/tools/ocaml/libs/xc/xenctrl.ml
+index 85b73a7f6f..aa650533f7 100644
+--- a/tools/ocaml/libs/xc/xenctrl.ml
++++ b/tools/ocaml/libs/xc/xenctrl.ml
+@@ -233,7 +233,7 @@ let rev_append_fold acc e = List.rev_append e acc
+ let rev_concat lst = List.fold_left rev_append_fold [] lst
+
+ let domain_getinfolist handle first_domain =
+- let nb = 2 in
++ let nb = 1024 in
+ let rec __getlist lst from =
+ (* _domain_getinfolist returns domains in reverse order, largest first *)
+ match _domain_getinfolist handle from nb with
+--
+2.40.0
+
diff --git a/0035-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch b/0035-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch
deleted file mode 100644
index 931d93f..0000000
--- a/0035-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 84dfe7a56f04a7412fa4869b3e756c49e1cfbe75 Mon Sep 17 00:00:00 2001
-From: Sergey Dyasli
-Date: Fri, 3 Mar 2023 08:17:40 +0100
-Subject: [PATCH 35/61] x86/ucode/AMD: late load the patch on every logical
- thread
-
-Currently late ucode loading is performed only on the first core of CPU
-siblings. But according to the latest recommendation from AMD, late
-ucode loading should happen on every logical thread/core on AMD CPUs.
-
-To achieve that, introduce is_cpu_primary() helper which will consider
-every logical cpu as "primary" when running on AMD CPUs. Also include
-Hygon in the check for future-proofing.
-
-Signed-off-by: Sergey Dyasli
-Reviewed-by: Jan Beulich
-master commit: f1315e48a03a42f78f9b03c0a384165baf02acae
-master date: 2023-02-28 14:51:28 +0100
----
- xen/arch/x86/cpu/microcode/core.c | 24 +++++++++++++++++++-----
- 1 file changed, 19 insertions(+), 5 deletions(-)
-
-diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
-index ceec1f1edc..ee7df9a591 100644
---- a/xen/arch/x86/cpu/microcode/core.c
-+++ b/xen/arch/x86/cpu/microcode/core.c
-@@ -273,6 +273,20 @@ static bool microcode_update_cache(struct microcode_patch *patch)
- return true;
- }
-
-+/* Returns true if ucode should be loaded on a given cpu */
-+static bool is_cpu_primary(unsigned int cpu)
-+{
-+ if ( boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON) )
-+ /* Load ucode on every logical thread/core */
-+ return true;
-+
-+ /* Intel CPUs should load ucode only on the first core of SMT siblings */
-+ if ( cpu == cpumask_first(per_cpu(cpu_sibling_mask, cpu)) )
-+ return true;
-+
-+ return false;
-+}
-+
- /* Wait for a condition to be met with a timeout (us). */
- static int wait_for_condition(bool (*func)(unsigned int data),
- unsigned int data, unsigned int timeout)
-@@ -378,7 +392,7 @@ static int primary_thread_work(const struct microcode_patch *patch)
-
- static int microcode_nmi_callback(const struct cpu_user_regs *regs, int cpu)
- {
-- unsigned int primary = cpumask_first(this_cpu(cpu_sibling_mask));
-+ bool primary_cpu = is_cpu_primary(cpu);
- int ret;
-
- /* System-generated NMI, leave to main handler */
-@@ -391,10 +405,10 @@ static int microcode_nmi_callback(const struct cpu_user_regs *regs, int cpu)
- * ucode_in_nmi.
- */
- if ( cpu == cpumask_first(&cpu_online_map) ||
-- (!ucode_in_nmi && cpu == primary) )
-+ (!ucode_in_nmi && primary_cpu) )
- return 0;
-
-- if ( cpu == primary )
-+ if ( primary_cpu )
- ret = primary_thread_work(nmi_patch);
- else
- ret = secondary_nmi_work();
-@@ -545,7 +559,7 @@ static int do_microcode_update(void *patch)
- */
- if ( cpu == cpumask_first(&cpu_online_map) )
- ret = control_thread_fn(patch);
-- else if ( cpu == cpumask_first(this_cpu(cpu_sibling_mask)) )
-+ else if ( is_cpu_primary(cpu) )
- ret = primary_thread_fn(patch);
- else
- ret = secondary_thread_fn();
-@@ -637,7 +651,7 @@ static long microcode_update_helper(void *data)
- /* Calculate the number of online CPU core */
- nr_cores = 0;
- for_each_online_cpu(cpu)
-- if ( cpu == cpumask_first(per_cpu(cpu_sibling_mask, cpu)) )
-+ if ( is_cpu_primary(cpu) )
- nr_cores++;
-
- printk(XENLOG_INFO "%u cores are to update their microcode\n", nr_cores);
---
-2.40.0
-
diff --git a/0036-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch b/0036-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch
new file mode 100644
index 0000000..d6a324a
--- /dev/null
+++ b/0036-tools-ocaml-xb-mmap-Use-Data_abstract_val-wrapper.patch
@@ -0,0 +1,75 @@
+From 7d516fc87637dc551494f8eca08f106f578f7112 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
+Date: Fri, 16 Dec 2022 18:25:10 +0000
+Subject: [PATCH 36/89] tools/ocaml/xb,mmap: Use Data_abstract_val wrapper
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is not strictly necessary since it is essentially a no-op currently: a
+cast to void * and value *, even in OCaml 5.0.
+
+However it does make it clearer that what we have here is not a regular OCaml
+value, but one allocated with Abstract_tag or Custom_tag, and follows the
+example from the manual more closely:
+https://v2.ocaml.org/manual/intfc.html#ss:c-outside-head
+
+It also makes it clearer that these modules have been reviewed for
+compat with OCaml 5.0.
+
+We cannot use OCaml finalizers here, because we want exact control over when
+to unmap these pages from remote domains.
+
+No functional change.
+
+Signed-off-by: Edwin Török
+Acked-by: Christian Lindig
+(cherry picked from commit d2ccc637111d6dbcf808aaffeec7a46f0b1e1c81)
+---
+ tools/ocaml/libs/mmap/mmap_stubs.h | 4 ++++
+ tools/ocaml/libs/mmap/xenmmap_stubs.c | 2 +-
+ tools/ocaml/libs/xb/xs_ring_stubs.c | 2 +-
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/tools/ocaml/libs/mmap/mmap_stubs.h b/tools/ocaml/libs/mmap/mmap_stubs.h
+index 65e4239890..f4784e4715 100644
+--- a/tools/ocaml/libs/mmap/mmap_stubs.h
++++ b/tools/ocaml/libs/mmap/mmap_stubs.h
+@@ -30,4 +30,8 @@ struct mmap_interface
+ int len;
+ };
+
++#ifndef Data_abstract_val
++#define Data_abstract_val(x) ((void *)Op_val(x))
++#endif
++
+ #endif
+diff --git a/tools/ocaml/libs/mmap/xenmmap_stubs.c b/tools/ocaml/libs/mmap/xenmmap_stubs.c
+index e2ce088e25..e03951d781 100644
+--- a/tools/ocaml/libs/mmap/xenmmap_stubs.c
++++ b/tools/ocaml/libs/mmap/xenmmap_stubs.c
+@@ -28,7 +28,7 @@
+ #include
+ #include
+
+-#define Intf_val(a) ((struct mmap_interface *) a)
++#define Intf_val(a) ((struct mmap_interface *)Data_abstract_val(a))
+
+ static int mmap_interface_init(struct mmap_interface *intf,
+ int fd, int pflag, int mflag,
+diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c
+index 7a91fdee75..1f58524535 100644
+--- a/tools/ocaml/libs/xb/xs_ring_stubs.c
++++ b/tools/ocaml/libs/xb/xs_ring_stubs.c
+@@ -35,7 +35,7 @@
+ #include
+ #include "mmap_stubs.h"
+
+-#define GET_C_STRUCT(a) ((struct mmap_interface *) a)
++#define GET_C_STRUCT(a) ((struct mmap_interface *)Data_abstract_val(a))
+
+ /*
+ * Bytes_val has been introduced by Ocaml 4.06.1. So define our own version
+--
+2.40.0
+
diff --git a/0036-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch b/0036-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch
deleted file mode 100644
index 38629a4..0000000
--- a/0036-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch
+++ /dev/null
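Review bot: The `#ifndef Data_abstract_val` fallback added to mmap_stubs.h is only correct if the OCaml runtime headers have already been seen when mmap_stubs.h is read, and the hunk does not show that header including them itself. In xs_ring_stubs.c the include of "mmap_stubs.h" follows the other includes, so the order looks right there, but the dependency is implicit. A comment on the fallback would record it, for example `/* Fallback for OCaml releases whose headers lack Data_abstract_val; include the caml headers before this file. */`.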
@@ -1,92 +0,0 @@
-From b0d6684ee58f7252940f5a62e4b85bdc56307eef Mon Sep 17 00:00:00 2001
-From: Jan Beulich
-Date: Tue, 21 Mar 2023 11:59:44 +0000
-Subject: [PATCH 36/61] x86/shadow: account for log-dirty mode when
- pre-allocating
-
-Pre-allocation is intended to ensure that in the course of constructing
-or updating shadows there won't be any risk of just made shadows or
-shadows being acted upon can disappear under our feet. The amount of
-pages pre-allocated then, however, needs to account for all possible
-subsequent allocations. While the use in sh_page_fault() accounts for
-all shadows which may need making, so far it didn't account for
-allocations coming from log-dirty tracking (which piggybacks onto the
-P2M allocation functions).
-
-Since shadow_prealloc() takes a count of shadows (or other data
-structures) rather than a count of pages, putting the adjustment at the
-call site of this function won't work very well: We simply can't express
-the correct count that way in all cases. Instead take care of this in
-the function itself, by "snooping" for L1 type requests. (While not
-applicable right now, future new request sites of L1 tables would then
-also be covered right away.)
-
-It is relevant to note here that pre-allocations like the one done from
-shadow_alloc_p2m_page() are benign when they fall in the "scope" of an
-earlier pre-alloc which already included that count: The inner call will
-simply find enough pages available then; it'll bail right away.
-
-This is CVE-2022-42332 / XSA-427.
-
-Signed-off-by: Jan Beulich
-Reviewed-by: Tim Deegan
-(cherry picked from commit 91767a71061035ae42be93de495cd976f863a41a)
----
- xen/arch/x86/mm/paging.c | 1 +
- xen/arch/x86/mm/shadow/common.c | 12 +++++++++++-
- xen/include/asm-x86/paging.h | 4 ++++
- 3 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
-index 97ac9ccf59..9fb66e65cd 100644
---- a/xen/arch/x86/mm/paging.c
-+++ b/xen/arch/x86/mm/paging.c
-@@ -280,6 +280,7 @@ void paging_mark_pfn_dirty(struct domain *d, pfn_t pfn)
- if ( unlikely(!VALID_M2P(pfn_x(pfn))) )
- return;
-
-+ BUILD_BUG_ON(paging_logdirty_levels() != 4);
- i1 = L1_LOGDIRTY_IDX(pfn);
- i2 = L2_LOGDIRTY_IDX(pfn);
- i3 = L3_LOGDIRTY_IDX(pfn);
-diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
-index 1de0139742..c14a269935 100644
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-@@ -1015,7 +1015,17 @@ bool shadow_prealloc(struct domain *d, unsigned int type, unsigned int count)
- if ( unlikely(d->is_dying) )
- return false;
-
-- ret = _shadow_prealloc(d, shadow_size(type) * count);
-+ count *= shadow_size(type);
-+ /*
-+ * Log-dirty handling may result in allocations when populating its
-+ * tracking structures. Tie this to the caller requesting space for L1
-+ * shadows.
-+ */
-+ if ( paging_mode_log_dirty(d) &&
-+ ((SHF_L1_ANY | SHF_FL1_ANY) & (1u << type)) )
-+ count += paging_logdirty_levels();
-+
-+ ret = _shadow_prealloc(d, count);
- if ( !ret && (!d->is_shutting_down || d->shutdown_code != SHUTDOWN_crash) )
- /*
- * Failing to allocate memory required for shadow usage can only result in
-diff --git a/xen/include/asm-x86/paging.h b/xen/include/asm-x86/paging.h
-index 27890791d8..c6b429c691 100644
---- a/xen/include/asm-x86/paging.h
-+++ b/xen/include/asm-x86/paging.h
-@@ -192,6 +192,10 @@ int paging_mfn_is_dirty(struct domain *d, mfn_t gmfn);
- #define L4_LOGDIRTY_IDX(pfn) ((pfn_x(pfn) >> (PAGE_SHIFT + 3 + PAGETABLE_ORDER * 2)) & \
- (LOGDIRTY_NODE_ENTRIES-1))
-
-+#define paging_logdirty_levels() \
-+ (DIV_ROUND_UP(PADDR_BITS - PAGE_SHIFT - (PAGE_SHIFT + 3), \
-+ PAGE_SHIFT - ilog2(sizeof(mfn_t))) + 1)
-+
- #ifdef CONFIG_HVM
- /* VRAM dirty tracking support */
- struct sh_dirty_vram {
---
-2.40.0
-
diff --git a/0037-tools-ocaml-xb-Drop-Xs_ring.write.patch b/0037-tools-ocaml-xb-Drop-Xs_ring.write.patch
new file mode 100644
index 0000000..226ae52
--- /dev/null
+++ b/0037-tools-ocaml-xb-Drop-Xs_ring.write.patch
@@ -0,0 +1,62 @@
+From f0e653fb4aea77210b8096c170e82de3c2039d89 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
+Date: Fri, 16 Dec 2022 18:25:20 +0000
+Subject: [PATCH 37/89] tools/ocaml/xb: Drop Xs_ring.write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This function is unusued (only Xs_ring.write_substring is used), and the
+bytes/string conversion here is backwards: the C stub implements the bytes
+version and then we use a Bytes.unsafe_of_string to convert a string into
+bytes.
+
+However the operation here really is read-only: we read from the string and
+write it to the ring, so the C stub should implement the read-only string
+version, and if needed we could use Bytes.unsafe_to_string to be able to send
+'bytes'. However that is not necessary as the 'bytes' version is dropped above.
+
+Signed-off-by: Edwin Török
+Acked-by: Christian Lindig
+(cherry picked from commit 01f139215e678c2dc7d4bb3f9f2777069bb1b091)
+---
+ tools/ocaml/libs/xb/xs_ring.ml | 5 +----
+ tools/ocaml/libs/xb/xs_ring_stubs.c | 2 +-
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/tools/ocaml/libs/xb/xs_ring.ml b/tools/ocaml/libs/xb/xs_ring.ml
+index db7f86bd27..dd5e014a33 100644
+--- a/tools/ocaml/libs/xb/xs_ring.ml
++++ b/tools/ocaml/libs/xb/xs_ring.ml
+@@ -25,14 +25,11 @@ module Server_features = Set.Make(struct
+ end)
+
+ external read: Xenmmap.mmap_interface -> bytes -> int -> int = "ml_interface_read"
+-external write: Xenmmap.mmap_interface -> bytes -> int -> int = "ml_interface_write"
++external write_substring: Xenmmap.mmap_interface -> string -> int -> int = "ml_interface_write"
+
+ external _internal_set_server_features: Xenmmap.mmap_interface -> int -> unit = "ml_interface_set_server_features" [@@noalloc]
+ external _internal_get_server_features: Xenmmap.mmap_interface -> int = "ml_interface_get_server_features" [@@noalloc]
+
+-let write_substring mmap buff len =
+- write mmap (Bytes.unsafe_of_string buff) len
+-
+ let get_server_features mmap =
+ (* NB only one feature currently defined above *)
+ let x = _internal_get_server_features mmap in
+diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c
+index 1f58524535..1243c63f03 100644
+--- a/tools/ocaml/libs/xb/xs_ring_stubs.c
++++ b/tools/ocaml/libs/xb/xs_ring_stubs.c
+@@ -112,7 +112,7 @@ CAMLprim value ml_interface_write(value ml_interface,
+ CAMLlocal1(ml_result);
+
+ struct mmap_interface *interface = GET_C_STRUCT(ml_interface);
+- const unsigned char *buffer = Bytes_val(ml_buffer);
++ const char *buffer = String_val(ml_buffer);
+ int len = Int_val(ml_len);
+ int result;
+
+--
+2.40.0
+
diff --git a/0037-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch b/0037-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch
deleted file mode 100644
index 6730b2d..0000000
--- a/0037-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch
+++ /dev/null
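Review bot: In `ml_interface_write`, `len` comes straight from `Int_val(ml_len)` while `buffer` now points into an OCaml string, and nothing in the hunk checks `len` against that string's length before the data is written to the ring. The rest of the function lies outside the hunk, so the check may already exist further down. Since `write_substring` is now bound directly to this stub with no OCaml wrapper in between, the stub is the natural place to reject a negative or oversized length, for example `if (len < 0 || (size_t)len > caml_string_length(ml_buffer)) caml_invalid_argument("ml_interface_write");`. Without that guard a caller bug would read past the string and place unrelated heap bytes on the ring.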
@@ -1,50 +0,0 @@
-From 2fe1517a00e088f6b1f1aff7d4ea1b477b288987 Mon Sep 17 00:00:00 2001
-From: Jan Beulich
-Date: Tue, 21 Mar 2023 12:01:01 +0000
-Subject: [PATCH 37/61] x86/HVM: bound number of pinned cache attribute regions
-
-This is exposed via DMOP, i.e. to potentially not fully privileged
-device models. With that we may not permit registration of an (almost)
-unbounded amount of such regions.
-
-This is CVE-2022-42333 / part of XSA-428.
-
-Fixes: 642123c5123f ("x86/hvm: provide XEN_DMOP_pin_memory_cacheattr")
-Signed-off-by: Jan Beulich
-Reviewed-by: Andrew Cooper
-(cherry picked from commit a5e768640f786b681063f4e08af45d0c4e91debf)
----
- xen/arch/x86/hvm/mtrr.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
-index 4a9f3177ed..98e55bbdbd 100644
---- a/xen/arch/x86/hvm/mtrr.c
-+++ b/xen/arch/x86/hvm/mtrr.c
-@@ -595,6 +595,7 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
- uint64_t gfn_end, uint32_t type)
- {
- struct hvm_mem_pinned_cacheattr_range *range;
-+ unsigned int nr = 0;
- int rc = 1;
-
- if ( !is_hvm_domain(d) )
-@@ -666,11 +667,15 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
- rc = -EBUSY;
- break;
- }
-+ ++nr;
- }
- rcu_read_unlock(&pinned_cacheattr_rcu_lock);
- if ( rc <= 0 )
- return rc;
-
-+ if ( nr >= 64 /* The limit is arbitrary. */ )
-+ return -ENOSPC;
-+
- range = xzalloc(struct hvm_mem_pinned_cacheattr_range);
- if ( range == NULL )
- return -ENOMEM;
---
-2.40.0
-
diff --git a/0038-tools-oxenstored-validate-config-file-before-live-up.patch b/0038-tools-oxenstored-validate-config-file-before-live-up.patch
new file mode 100644
index 0000000..5b7f58a
--- /dev/null
+++ b/0038-tools-oxenstored-validate-config-file-before-live-up.patch
@@ -0,0 +1,131 @@
+From e74d868b48d55dfb20f5a41ec20fbec93d8e5deb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?=
+Date: Tue, 11 May 2021 15:56:50 +0000
+Subject: [PATCH 38/89] tools/oxenstored: validate config file before live
+ update
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The configuration file can contain typos or various errors that could prevent
+live update from succeeding (e.g. a flag only valid on a different version).
+Unknown entries in the config file would be ignored on startup normally,
+add a strict --config-test that live-update can use to check that the config file
+is valid *for the new binary*.
+
+For compatibility with running old code during live update recognize
+--live --help as an equivalent to --config-test.
+
+Signed-off-by: Edwin Török
+Acked-by: Christian Lindig
+(cherry picked from commit e6f07052ce4a0f0b7d4dc522d87465efb2d9ee86)
+---
+ tools/ocaml/xenstored/parse_arg.ml | 26 ++++++++++++++++++++++++++
+ tools/ocaml/xenstored/xenstored.ml | 11 +++++++++--
+ 2 files changed, 35 insertions(+), 2 deletions(-)
+
+diff --git a/tools/ocaml/xenstored/parse_arg.ml b/tools/ocaml/xenstored/parse_arg.ml
+index 7c0478e76a..5e4ca6f1f7 100644
+--- a/tools/ocaml/xenstored/parse_arg.ml
++++ b/tools/ocaml/xenstored/parse_arg.ml
+@@ -26,8 +26,14 @@ type config =
+ restart: bool;
+ live_reload: bool;
+ disable_socket: bool;
++ config_test: bool;
+ }
+
++let get_config_filename config_file =
++ match config_file with
++ | Some name -> name
++ | None -> Define.default_config_dir ^ "/oxenstored.conf"
++
+ let do_argv =
+ let pidfile = ref "" and tracefile = ref "" (* old xenstored compatibility *)
+ and domain_init = ref true
+@@ -38,6 +44,8 @@ let do_argv =
+ and restart = ref false
+ and live_reload = ref false
+ and disable_socket = ref false
++ and config_test = ref false
++ and help = ref false
+ in
+
+ let speclist =
+@@ -55,10 +63,27 @@ let do_argv =
+ ("-T", Arg.Set_string tracefile, ""); (* for compatibility *)
+ ("--restart", Arg.Set restart, "Read database on starting");
+ ("--live", Arg.Set live_reload, "Read live dump on startup");
++ ("--config-test", Arg.Set config_test, "Test validity of config file");
+ ("--disable-socket", Arg.Unit (fun () -> disable_socket := true), "Disable socket");
++ ("--help", Arg.Set help, "Display this list of options")
+ ] in
+ let usage_msg = "usage : xenstored [--config-file ] [--no-domain-init] [--help] [--no-fork] [--reraise-top-level] [--restart] [--disable-socket]" in
+ Arg.parse speclist (fun _ -> ()) usage_msg;
++ let () =
++ if !help then begin
++ if !live_reload then
++ (*
++ * Transform --live --help into --config-test for backward compat with
++ * running code during live update.
++ * Caller will validate config and exit
++ *)
++ config_test := true
++ else begin
++ Arg.usage_string speclist usage_msg |> print_endline;
++ exit 0
++ end
++ end
++ in
+ {
+ domain_init = !domain_init;
+ activate_access_log = !activate_access_log;
+@@ -70,4 +95,5 @@ let do_argv =
+ restart = !restart;
+ live_reload = !live_reload;
+ disable_socket = !disable_socket;
++ config_test = !config_test;
+ }
+diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
+index 4d5851c5cb..e2638a5af2 100644
+--- a/tools/ocaml/xenstored/xenstored.ml
++++ b/tools/ocaml/xenstored/xenstored.ml
+@@ -88,7 +88,7 @@ let default_pidfile = Paths.xen_run_dir ^ "/xenstored.pid"
+
+ let ring_scan_interval = ref 20
+
+-let parse_config filename =
++let parse_config ?(strict=false) filename =
+ let pidfile = ref default_pidfile in
+ let options = [
+ ("merge-activate", Config.Set_bool Transaction.do_coalesce);
+@@ -129,11 +129,12 @@ let parse_config filename =
+ ("xenstored-port", Config.Set_string Domains.xenstored_port); ] in
+ begin try Config.read filename options (fun _ _ -> raise Not_found)
+ with
+- | Config.Error err -> List.iter (fun (k, e) ->
++ | Config.Error err as e -> List.iter (fun (k, e) ->
+ match e with
+ | "unknown key" -> eprintf "config: unknown key %s\n" k
+ | _ -> eprintf "config: %s: %s\n" k e
+ ) err;
++ if strict then raise e
+ | Sys_error m -> eprintf "error: config: %s\n" m;
+ end;
+ !pidfile
+@@ -358,6 +359,12 @@ let tweak_gc () =
+ let () =
+ Printexc.set_uncaught_exception_handler Logging.fallback_exception_handler;
+ let cf = do_argv in
++ if cf.config_test then begin
++ let path = config_filename cf in
++ let _pidfile:string = parse_config ~strict:true path in
++ Printf.printf "Configuration valid at %s\n%!" path;
++ exit 0
++ end;
+ let pidfile =
+ if Sys.file_exists (config_filename cf) then
+ parse_config (config_filename cf)
+--
+2.40.0
+
diff --git a/0038-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch b/0038-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch
deleted file mode 100644
index ca8528f..0000000
--- a/0038-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch
+++ /dev/null
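Review bot: With `~strict:true`, `parse_config` re-raises only `Config.Error`; the `Sys_error` arm still just prints and falls through. A `--config-test` run on a config file that cannot be opened would therefore, presumably, print the error, then print "Configuration valid at ..." and exit 0. For a check that gates live update the strict path should fail there as well, e.g. `| Sys_error m as e -> eprintf "error: config: %s\n" m; if strict then raise e`. The test branch in xenstored.ml also calls `parse_config` without the `Sys.file_exists` guard that the normal start-up path applies a few lines below, so a missing file takes this route.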
@@ -1,126 +0,0 @@
-From 564de020d29fbc4efd20ef8052051e86b2465a1a Mon Sep 17 00:00:00 2001
-From: Jan Beulich
-Date: Tue, 21 Mar 2023 12:01:01 +0000
-Subject: [PATCH 38/61] x86/HVM: serialize pinned cache attribute list
- manipulation
-
-While the RCU variants of list insertion and removal allow lockless list
-traversal (with RCU just read-locked), insertions and removals still
-need serializing amongst themselves. To keep things simple, use the
-domain lock for this purpose.
-
-This is CVE-2022-42334 / part of XSA-428.
-
-Fixes: 642123c5123f ("x86/hvm: provide XEN_DMOP_pin_memory_cacheattr")
-Signed-off-by: Jan Beulich
-Reviewed-by: Julien Grall
-(cherry picked from commit 829ec245cf66560e3b50d140ccb3168e7fb7c945)
----
- xen/arch/x86/hvm/mtrr.c | 51 +++++++++++++++++++++++++----------------
- 1 file changed, 31 insertions(+), 20 deletions(-)
-
-diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
-index 98e55bbdbd..9b3b33012b 100644
---- a/xen/arch/x86/hvm/mtrr.c
-+++ b/xen/arch/x86/hvm/mtrr.c
-@@ -594,7 +594,7 @@ static void free_pinned_cacheattr_entry(struct rcu_head *rcu)
- int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
- uint64_t gfn_end, uint32_t type)
- {
-- struct hvm_mem_pinned_cacheattr_range *range;
-+ struct hvm_mem_pinned_cacheattr_range *range, *newr;
- unsigned int nr = 0;
- int rc = 1;
-
-@@ -608,14 +608,15 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
- {
- case XEN_DOMCTL_DELETE_MEM_CACHEATTR:
- /* Remove the requested range. */
-- rcu_read_lock(&pinned_cacheattr_rcu_lock);
-- list_for_each_entry_rcu ( range,
-- &d->arch.hvm.pinned_cacheattr_ranges,
-- list )
-+ domain_lock(d);
-+ list_for_each_entry ( range,
-+ &d->arch.hvm.pinned_cacheattr_ranges,
-+ list )
- if ( range->start == gfn_start && range->end == gfn_end )
- {
-- rcu_read_unlock(&pinned_cacheattr_rcu_lock);
- list_del_rcu(&range->list);
-+ domain_unlock(d);
-+
- type = range->type;
- call_rcu(&range->rcu, free_pinned_cacheattr_entry);
- p2m_memory_type_changed(d);
-@@ -636,7 +637,7 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
- }
- return 0;
- }
-- rcu_read_unlock(&pinned_cacheattr_rcu_lock);
-+ domain_unlock(d);
- return -ENOENT;
-
- case PAT_TYPE_UC_MINUS:
-@@ -651,7 +652,10 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
- return -EINVAL;
- }
-
-- rcu_read_lock(&pinned_cacheattr_rcu_lock);
-+ newr = xzalloc(struct hvm_mem_pinned_cacheattr_range);
-+
-+ domain_lock(d);
-+
- list_for_each_entry_rcu ( range,
- &d->arch.hvm.pinned_cacheattr_ranges,
- list )
-@@ -669,27 +673,34 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
- }
- ++nr;
- }
-- rcu_read_unlock(&pinned_cacheattr_rcu_lock);
-+
- if ( rc <= 0 )
-- return rc;
-+ /* nothing */;
-+ else if ( nr >= 64 /* The limit is arbitrary. */ )
-+ rc = -ENOSPC;
-+ else if ( !newr )
-+ rc = -ENOMEM;
-+ else
-+ {
-+ newr->start = gfn_start;
-+ newr->end = gfn_end;
-+ newr->type = type;
-
-- if ( nr >= 64 /* The limit is arbitrary. */ )
-- return -ENOSPC;
-+ list_add_rcu(&newr->list, &d->arch.hvm.pinned_cacheattr_ranges);
-
-- range = xzalloc(struct hvm_mem_pinned_cacheattr_range);
-- if ( range == NULL )
-- return -ENOMEM;
-+ newr = NULL;
-+ rc = 0;
-+ }
-+
-+ domain_unlock(d);
-
-- range->start = gfn_start;
-- range->end = gfn_end;
-- range->type = type;
-+ xfree(newr);
-
-- list_add_rcu(&range->list, &d->arch.hvm.pinned_cacheattr_ranges);
- p2m_memory_type_changed(d);
- if ( type != PAT_TYPE_WRBACK )
- flush_all(FLUSH_CACHE);
-
-- return 0;
-+ return rc;
- }
-
- static int hvm_save_mtrr_msr(struct vcpu *v, hvm_domain_context_t *h)
---
-2.40.0
-
diff --git a/0039-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch b/0039-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch
new file mode 100644
index 0000000..c967391
--- /dev/null
+++ b/0039-tools-ocaml-libs-Don-t-declare-stubs-as-taking-void.patch
@@ -0,0 +1,61 @@ +From 2c21e1bee6d62cbd523069e839086addf35da9f2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= +Date: Thu, 12 Jan 2023 11:28:29 +0000 +Subject: [PATCH 39/89] tools/ocaml/libs: Don't declare stubs as taking void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There is no such thing as an Ocaml function (C stub or otherwise) taking no +parameters. In the absence of any other parameters, unit is still passed. + +This doesn't explode with any ABI we care about, but would malfunction for an +ABI environment such as stdcall. + +Fixes: c3afd398ba7f ("ocaml: Add XS bindings.") +Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.") +Signed-off-by: Edwin Török +Signed-off-by: Andrew Cooper +Acked-by: Christian Lindig +(cherry picked from commit ff8b560be80b9211c303d74df7e4b3921d2bb8ca) +--- + tools/ocaml/libs/xb/xenbus_stubs.c | 5 ++--- + tools/ocaml/libs/xc/xenctrl_stubs.c | 4 ++-- + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/tools/ocaml/libs/xb/xenbus_stubs.c b/tools/ocaml/libs/xb/xenbus_stubs.c +index 3065181a55..97116b0782 100644 +--- a/tools/ocaml/libs/xb/xenbus_stubs.c ++++ b/tools/ocaml/libs/xb/xenbus_stubs.c +@@ -30,10 +30,9 @@ + #include + #include + +-CAMLprim value stub_header_size(void) ++CAMLprim value stub_header_size(value unit) + { +- CAMLparam0(); +- CAMLreturn(Val_int(sizeof(struct xsd_sockmsg))); ++ return Val_int(sizeof(struct xsd_sockmsg)); + } + + CAMLprim value stub_header_of_string(value s) +diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c +index f37848ae0b..6eb0ea69da 100644 +--- a/tools/ocaml/libs/xc/xenctrl_stubs.c ++++ b/tools/ocaml/libs/xc/xenctrl_stubs.c +@@ -67,9 +67,9 @@ static void Noreturn failwith_xc(xc_interface *xch) + caml_raise_with_string(*caml_named_value("xc.error"), error_str); + } + +-CAMLprim value stub_xc_interface_open(void) ++CAMLprim value stub_xc_interface_open(value unit) + { +- 
CAMLparam0(); ++ CAMLparam1(unit); + xc_interface *xch; + + /* Don't assert XC_OPENFLAG_NON_REENTRANT because these bindings +-- +2.40.0 + diff --git a/0039-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch b/0039-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch deleted file mode 100644 index 74bcf67..0000000 --- a/0039-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch +++ /dev/null 
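Review bot: stub_header_size now uses a plain `return` with no CAMLparam/CAMLreturn, and nothing in the function says why that is safe. It holds only because the body performs no allocation and never touches `unit`, whereas stub_xc_interface_open in the same patch registers its argument with `CAMLparam1(unit)`. A one-line comment such as `/* No CAMLparam needed: nothing here allocates or calls into the runtime. */` would stop a later edit from adding an allocation without restoring the root registration. The body of stub_xc_interface_open continues outside the hunk.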
@@ -1,56 +0,0 @@ -From 3c924fe46b455834b5c04268db6b528b549668d1 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Fri, 10 Feb 2023 21:11:14 +0000 -Subject: [PATCH 39/61] x86/spec-ctrl: Defer CR4_PV32_RESTORE on the - cstar_enter path - -As stated (correctly) by the comment next to SPEC_CTRL_ENTRY_FROM_PV, between -the two hunks visible in the patch, RET's are not safe prior to this point. - -CR4_PV32_RESTORE hides a CALL/RET pair in certain configurations (PV32 -compiled in, SMEP or SMAP active), and the RET can be attacked with one of -several known speculative issues. - -Furthermore, CR4_PV32_RESTORE also hides a reference to the cr4_pv32_mask -global variable, which is not safe when XPTI is active before restoring Xen's -full pagetables. - -This crash has gone unnoticed because it is only AMD CPUs which permit the -SYSCALL instruction in compatibility mode, and these are not vulnerable to -Meltdown so don't activate XPTI by default. - -This is XSA-429 / CVE-2022-42331 - -Fixes: 5e7962901131 ("x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point") -Fixes: 5784de3e2067 ("x86: Meltdown band-aid against malicious 64-bit PV guests") -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -(cherry picked from commit df5b055b12116d9e63ced59ae5389e69a2a3de48) ---- - xen/arch/x86/x86_64/entry.S | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S -index fba8ae498f..db2ea7871e 100644 ---- a/xen/arch/x86/x86_64/entry.S -+++ b/xen/arch/x86/x86_64/entry.S -@@ -288,7 +288,6 @@ ENTRY(cstar_enter) - ALTERNATIVE "", "setssbsy", X86_FEATURE_XEN_SHSTK - #endif - push %rax /* Guest %rsp */ -- CR4_PV32_RESTORE - movq 8(%rsp), %rax /* Restore guest %rax. */ - movq $FLAT_USER_SS32, 8(%rsp) /* Assume a 64bit domain. Compat handled lower. 
*/ - pushq %r11 -@@ -312,6 +311,8 @@ ENTRY(cstar_enter) - .Lcstar_cr3_okay: - sti - -+ CR4_PV32_RESTORE -+ - movq STACK_CPUINFO_FIELD(current_vcpu)(%rbx), %rbx - - #ifdef CONFIG_PV32 --- -2.40.0 - diff --git a/0040-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch b/0040-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch new file mode 100644 index 0000000..5a26683 --- /dev/null +++ b/0040-tools-ocaml-libs-Allocate-the-correct-amount-of-memo.patch 
@@ -0,0 +1,80 @@ +From 5797b798a542a7e5be34698463152cb92f18776f Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Tue, 31 Jan 2023 10:59:42 +0000 +Subject: [PATCH 40/89] tools/ocaml/libs: Allocate the correct amount of memory + for Abstract_tag + +caml_alloc() takes units of Wsize (word size), not bytes. As a consequence, +we're allocating 4 or 8 times too much memory. + +Ocaml has a helper, Wsize_bsize(), but it truncates cases which aren't an +exact multiple. Use a BUILD_BUG_ON() to cover the potential for truncation, +as there's no rounding-up form of the helper. + +Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.") +Fixes: d3e649277a13 ("ocaml: add mmap bindings implementation.") +Signed-off-by: Andrew Cooper +Acked-by: Christian Lindig +(cherry picked from commit 36eb2de31b6ecb8787698fb1a701bd708c8971b2) +--- + tools/ocaml/libs/mmap/Makefile | 2 ++ + tools/ocaml/libs/mmap/xenmmap_stubs.c | 6 +++++- + tools/ocaml/libs/xc/xenctrl_stubs.c | 5 ++++- + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/tools/ocaml/libs/mmap/Makefile b/tools/ocaml/libs/mmap/Makefile +index a621537135..855b8b2c98 100644 +--- a/tools/ocaml/libs/mmap/Makefile ++++ b/tools/ocaml/libs/mmap/Makefile +@@ -2,6 +2,8 @@ OCAML_TOPLEVEL=$(CURDIR)/../.. + XEN_ROOT=$(OCAML_TOPLEVEL)/../.. 
+ include $(OCAML_TOPLEVEL)/common.make + ++CFLAGS += $(CFLAGS_xeninclude) ++ + OBJS = xenmmap + INTF = $(foreach obj, $(OBJS),$(obj).cmi) + LIBS = xenmmap.cma xenmmap.cmxa +diff --git a/tools/ocaml/libs/mmap/xenmmap_stubs.c b/tools/ocaml/libs/mmap/xenmmap_stubs.c +index e03951d781..d623ad390e 100644 +--- a/tools/ocaml/libs/mmap/xenmmap_stubs.c ++++ b/tools/ocaml/libs/mmap/xenmmap_stubs.c +@@ -21,6 +21,8 @@ + #include + #include "mmap_stubs.h" + ++#include ++ + #include + #include + #include +@@ -59,7 +61,9 @@ CAMLprim value stub_mmap_init(value fd, value pflag, value mflag, + default: caml_invalid_argument("maptype"); + } + +- result = caml_alloc(sizeof(struct mmap_interface), Abstract_tag); ++ BUILD_BUG_ON((sizeof(struct mmap_interface) % sizeof(value)) != 0); ++ result = caml_alloc(Wsize_bsize(sizeof(struct mmap_interface)), ++ Abstract_tag); + + if (mmap_interface_init(Intf_val(result), Int_val(fd), + c_pflag, c_mflag, +diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c +index 6eb0ea69da..e25367531b 100644 +--- a/tools/ocaml/libs/xc/xenctrl_stubs.c ++++ b/tools/ocaml/libs/xc/xenctrl_stubs.c +@@ -956,7 +956,10 @@ CAMLprim value stub_map_foreign_range(value xch, value dom, + uint32_t c_dom; + unsigned long c_mfn; + +- result = caml_alloc(sizeof(struct mmap_interface), Abstract_tag); ++ BUILD_BUG_ON((sizeof(struct mmap_interface) % sizeof(value)) != 0); ++ result = caml_alloc(Wsize_bsize(sizeof(struct mmap_interface)), ++ Abstract_tag); ++ + intf = (struct mmap_interface *) result; + + intf->len = Int_val(size); +-- +2.40.0 + diff --git a/0040-tools-python-change-s-size-type-for-Python-3.10.patch b/0040-tools-python-change-s-size-type-for-Python-3.10.patch deleted file mode 100644 index 979fd6f..0000000 --- a/0040-tools-python-change-s-size-type-for-Python-3.10.patch +++ /dev/null 
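Review bot: The `BUILD_BUG_ON(...)` plus `caml_alloc(Wsize_bsize(...), Abstract_tag)` pair is added verbatim in both stub_mmap_init (xenmmap_stubs.c) and stub_map_foreign_range (xenctrl_stubs.c), so the word-size conversion this commit corrects now lives in two places that can drift apart again. Both allocate a struct mmap_interface, which presumably comes from mmap_stubs.h, so a static inline helper there would keep the truncation check and the allocation together. Both functions start and continue outside their hunks.

```c
/* Allocate the Abstract_tag block that backs a struct mmap_interface. */
static inline value alloc_mmap_interface(void)
{
    /* Wsize_bsize() truncates, so the struct must be a whole number of words. */
    BUILD_BUG_ON((sizeof(struct mmap_interface) % sizeof(value)) != 0);
    return caml_alloc(Wsize_bsize(sizeof(struct mmap_interface)),
                      Abstract_tag);
}

/* … in stub_mmap_init and stub_map_foreign_range … */
result = alloc_mmap_interface();
```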
@@ -1,72 +0,0 @@ -From 0cbffc6099db7fd01041910a98b99ccad50af11b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= - -Date: Tue, 21 Mar 2023 13:49:28 +0100 -Subject: [PATCH 40/61] tools/python: change 's#' size type for Python >= 3.10 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Python < 3.10 by default uses 'int' type for data+size string types -(s#), unless PY_SSIZE_T_CLEAN is defined - in which case it uses -Py_ssize_t. The former behavior was removed in Python 3.10 and now it's -required to define PY_SSIZE_T_CLEAN before including Python.h, and using -Py_ssize_t for the length argument. The PY_SSIZE_T_CLEAN behavior is -supported since Python 2.5. - -Adjust bindings accordingly. - -Signed-off-by: Marek Marczykowski-Górecki -Reviewed-by: Anthony PERARD -master commit: 897257ba49d0a6ddcf084960fd792ccce9c40f94 -master date: 2023-02-06 08:50:13 +0100 ---- - tools/python/xen/lowlevel/xc/xc.c | 3 ++- - tools/python/xen/lowlevel/xs/xs.c | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c -index fd00861032..cfb2734a99 100644 ---- a/tools/python/xen/lowlevel/xc/xc.c -+++ b/tools/python/xen/lowlevel/xc/xc.c -@@ -4,6 +4,7 @@ - * Copyright (c) 2003-2004, K A Fraser (University of Cambridge) - */ - -+#define PY_SSIZE_T_CLEAN - #include - #define XC_WANT_COMPAT_MAP_FOREIGN_API - #include -@@ -1774,7 +1775,7 @@ static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds) - { - xc_interface *xc_handle; - char *policy; -- uint32_t len; -+ Py_ssize_t len; - int ret; - - static char *kwd_list[] = { "policy", NULL }; -diff --git a/tools/python/xen/lowlevel/xs/xs.c b/tools/python/xen/lowlevel/xs/xs.c -index 0dad7fa5f2..3ba5a8b893 100644 ---- a/tools/python/xen/lowlevel/xs/xs.c -+++ b/tools/python/xen/lowlevel/xs/xs.c -@@ -18,6 +18,7 @@ - * Copyright (C) 2005 XenSource Ltd. 
- */ - -+#define PY_SSIZE_T_CLEAN - #include - - #include -@@ -141,7 +142,7 @@ static PyObject *xspy_write(XsHandle *self, PyObject *args) - char *thstr; - char *path; - char *data; -- int data_n; -+ Py_ssize_t data_n; - bool result; - - if (!xh) --- -2.40.0 - diff --git a/0041-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch b/0041-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch new file mode 100644 index 0000000..cabcdd0 --- /dev/null +++ b/0041-tools-ocaml-evtchn-Don-t-reference-Custom-objects-wi.patch 
@@ -0,0 +1,213 @@ +From 021b82cc0c71ba592439f175c1ededa800b172a9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= +Date: Thu, 12 Jan 2023 17:48:29 +0000 +Subject: [PATCH 41/89] tools/ocaml/evtchn: Don't reference Custom objects with + the GC lock released +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The modification to the _H() macro for Ocaml 5 support introduced a subtle +bug. From the manual: + + https://ocaml.org/manual/intfc.html#ss:parallel-execution-long-running-c-code + +"After caml_release_runtime_system() was called and until +caml_acquire_runtime_system() is called, the C code must not access any OCaml +data, nor call any function of the run-time system, nor call back into OCaml +code." + +Previously, the value was a naked C pointer, so dereferencing it wasn't +"accessing any Ocaml data", but the fix to avoid naked C pointers added a +layer of indirection through an Ocaml Custom object, meaning that the common +pattern of using _H() in a blocking section is unsafe. + +In order to fix: + + * Drop the _H() macro and replace it with a static inline xce_of_val(). + * Opencode the assignment into Data_custom_val() in the two constructors. + * Rename "value xce" parameters to "value xce_val" so we can consistently + have "xenevtchn_handle *xce" on the stack, and obtain the pointer with the + GC lock still held. 
+ +Fixes: 22d5affdf0ce ("tools/ocaml/evtchn: OCaml 5 support, fix potential resource leak") +Signed-off-by: Edwin Török +Signed-off-by: Andrew Cooper +Acked-by: Christian Lindig +(cherry picked from commit 2636d8ff7a670c4d2485757dbe966e36c259a960) +--- + tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 60 +++++++++++-------- + 1 file changed, 35 insertions(+), 25 deletions(-) + +diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c +index aa8a69cc1e..d7881ca95f 100644 +--- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c ++++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c +@@ -33,11 +33,14 @@ + #include + #include + +-#define _H(__h) (*((xenevtchn_handle **)Data_custom_val(__h))) ++static inline xenevtchn_handle *xce_of_val(value v) ++{ ++ return *(xenevtchn_handle **)Data_custom_val(v); ++} + + static void stub_evtchn_finalize(value v) + { +- xenevtchn_close(_H(v)); ++ xenevtchn_close(xce_of_val(v)); + } + + static struct custom_operations xenevtchn_ops = { +@@ -68,7 +71,7 @@ CAMLprim value stub_eventchn_init(value cloexec) + caml_failwith("open failed"); + + result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1); +- _H(result) = xce; ++ *(xenevtchn_handle **)Data_custom_val(result) = xce; + + CAMLreturn(result); + } +@@ -87,18 +90,19 @@ CAMLprim value stub_eventchn_fdopen(value fdval) + caml_failwith("evtchn fdopen failed"); + + result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1); +- _H(result) = xce; ++ *(xenevtchn_handle **)Data_custom_val(result) = xce; + + CAMLreturn(result); + } + +-CAMLprim value stub_eventchn_fd(value xce) ++CAMLprim value stub_eventchn_fd(value xce_val) + { +- CAMLparam1(xce); ++ CAMLparam1(xce_val); + CAMLlocal1(result); ++ xenevtchn_handle *xce = xce_of_val(xce_val); + int fd; + +- fd = xenevtchn_fd(_H(xce)); ++ fd = xenevtchn_fd(xce); + if (fd == -1) + caml_failwith("evtchn fd failed"); + +@@ -107,13 +111,14 @@ CAMLprim value stub_eventchn_fd(value xce) + 
CAMLreturn(result); + } + +-CAMLprim value stub_eventchn_notify(value xce, value port) ++CAMLprim value stub_eventchn_notify(value xce_val, value port) + { +- CAMLparam2(xce, port); ++ CAMLparam2(xce_val, port); ++ xenevtchn_handle *xce = xce_of_val(xce_val); + int rc; + + caml_enter_blocking_section(); +- rc = xenevtchn_notify(_H(xce), Int_val(port)); ++ rc = xenevtchn_notify(xce, Int_val(port)); + caml_leave_blocking_section(); + + if (rc == -1) +@@ -122,15 +127,16 @@ CAMLprim value stub_eventchn_notify(value xce, value port) + CAMLreturn(Val_unit); + } + +-CAMLprim value stub_eventchn_bind_interdomain(value xce, value domid, ++CAMLprim value stub_eventchn_bind_interdomain(value xce_val, value domid, + value remote_port) + { +- CAMLparam3(xce, domid, remote_port); ++ CAMLparam3(xce_val, domid, remote_port); + CAMLlocal1(port); ++ xenevtchn_handle *xce = xce_of_val(xce_val); + xenevtchn_port_or_error_t rc; + + caml_enter_blocking_section(); +- rc = xenevtchn_bind_interdomain(_H(xce), Int_val(domid), Int_val(remote_port)); ++ rc = xenevtchn_bind_interdomain(xce, Int_val(domid), Int_val(remote_port)); + caml_leave_blocking_section(); + + if (rc == -1) +@@ -140,14 +146,15 @@ CAMLprim value stub_eventchn_bind_interdomain(value xce, value domid, + CAMLreturn(port); + } + +-CAMLprim value stub_eventchn_bind_virq(value xce, value virq_type) ++CAMLprim value stub_eventchn_bind_virq(value xce_val, value virq_type) + { +- CAMLparam2(xce, virq_type); ++ CAMLparam2(xce_val, virq_type); + CAMLlocal1(port); ++ xenevtchn_handle *xce = xce_of_val(xce_val); + xenevtchn_port_or_error_t rc; + + caml_enter_blocking_section(); +- rc = xenevtchn_bind_virq(_H(xce), Int_val(virq_type)); ++ rc = xenevtchn_bind_virq(xce, Int_val(virq_type)); + caml_leave_blocking_section(); + + if (rc == -1) +@@ -157,13 +164,14 @@ CAMLprim value stub_eventchn_bind_virq(value xce, value virq_type) + CAMLreturn(port); + } + +-CAMLprim value stub_eventchn_unbind(value xce, value port) ++CAMLprim value 
stub_eventchn_unbind(value xce_val, value port) + { +- CAMLparam2(xce, port); ++ CAMLparam2(xce_val, port); ++ xenevtchn_handle *xce = xce_of_val(xce_val); + int rc; + + caml_enter_blocking_section(); +- rc = xenevtchn_unbind(_H(xce), Int_val(port)); ++ rc = xenevtchn_unbind(xce, Int_val(port)); + caml_leave_blocking_section(); + + if (rc == -1) +@@ -172,14 +180,15 @@ CAMLprim value stub_eventchn_unbind(value xce, value port) + CAMLreturn(Val_unit); + } + +-CAMLprim value stub_eventchn_pending(value xce) ++CAMLprim value stub_eventchn_pending(value xce_val) + { +- CAMLparam1(xce); ++ CAMLparam1(xce_val); + CAMLlocal1(result); ++ xenevtchn_handle *xce = xce_of_val(xce_val); + xenevtchn_port_or_error_t port; + + caml_enter_blocking_section(); +- port = xenevtchn_pending(_H(xce)); ++ port = xenevtchn_pending(xce); + caml_leave_blocking_section(); + + if (port == -1) +@@ -189,16 +198,17 @@ CAMLprim value stub_eventchn_pending(value xce) + CAMLreturn(result); + } + +-CAMLprim value stub_eventchn_unmask(value xce, value _port) ++CAMLprim value stub_eventchn_unmask(value xce_val, value _port) + { +- CAMLparam2(xce, _port); ++ CAMLparam2(xce_val, _port); ++ xenevtchn_handle *xce = xce_of_val(xce_val); + evtchn_port_t port; + int rc; + + port = Int_val(_port); + + caml_enter_blocking_section(); +- rc = xenevtchn_unmask(_H(xce), port); ++ rc = xenevtchn_unmask(xce, port); + caml_leave_blocking_section(); + + if (rc) +-- +2.40.0 + diff --git a/0041-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch b/0041-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch deleted file mode 100644 index ff97af6..0000000 --- a/0041-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch +++ /dev/null 
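Review bot: stub_eventchn_notify, stub_eventchn_bind_interdomain, stub_eventchn_bind_virq and stub_eventchn_unbind still evaluate `Int_val(port)`, `Int_val(domid)`, `Int_val(remote_port)` and `Int_val(virq_type)` between caml_enter_blocking_section() and caml_leave_blocking_section(), while stub_eventchn_unmask converts `_port` into a C local first. Reading an immediate integer is presumably harmless, but it leaves the file with two conventions right after a fix whose point is that no OCaml value is touched while the runtime lock is released. Converting up front, e.g. `evtchn_port_t c_port = Int_val(port);` next to the new `xce` local and passing `c_port` to the call, would make every stub follow the unmask pattern.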
@@ -1,54 +0,0 @@ -From 5ce8d2aef85f590e4fb42d18784512203069d0c0 Mon Sep 17 00:00:00 2001 -From: Bernhard Kaindl -Date: Tue, 21 Mar 2023 13:49:47 +0100 -Subject: [PATCH 41/61] tools/xenmon: Fix xenmon.py for with python3.x - -Fixes for Py3: -* class Delayed(): file not defined; also an error for pylint -E. Inherit - object instead for Py2 compatibility. Fix DomainInfo() too. -* Inconsistent use of tabs and spaces for indentation (in one block) - -Signed-off-by: Bernhard Kaindl -Acked-by: Andrew Cooper -master commit: 3a59443c1d5ae0677a792c660ccd3796ce036732 -master date: 2023-02-06 10:22:12 +0000 ---- - tools/xenmon/xenmon.py | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/tools/xenmon/xenmon.py b/tools/xenmon/xenmon.py -index 175eacd2cb..977ada6887 100644 ---- a/tools/xenmon/xenmon.py -+++ b/tools/xenmon/xenmon.py -@@ -117,7 +117,7 @@ def setup_cmdline_parser(): - return parser - - # encapsulate information about a domain --class DomainInfo: -+class DomainInfo(object): - def __init__(self): - self.allocated_sum = 0 - self.gotten_sum = 0 -@@ -533,7 +533,7 @@ def show_livestats(cpu): - # simple functions to allow initialization of log files without actually - # physically creating files that are never used; only on the first real - # write does the file get created --class Delayed(file): -+class Delayed(object): - def __init__(self, filename, mode): - self.filename = filename - self.saved_mode = mode -@@ -677,8 +677,8 @@ def main(): - - if os.uname()[0] == "SunOS": - xenbaked_cmd = "/usr/lib/xenbaked" -- stop_cmd = "/usr/bin/pkill -INT -z global xenbaked" -- kill_cmd = "/usr/bin/pkill -KILL -z global xenbaked" -+ stop_cmd = "/usr/bin/pkill -INT -z global xenbaked" -+ kill_cmd = "/usr/bin/pkill -KILL -z global xenbaked" - else: - # assumes that xenbaked is in your path - xenbaked_cmd = "xenbaked" --- -2.40.0 - 
diff --git a/0042-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch b/0042-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch deleted file mode 100644 index c425c43..0000000 --- a/0042-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 4a6bedefe589dab12182d6b974de8ea3b2fcc681 Mon Sep 17 00:00:00 2001 -From: Jan Beulich -Date: Tue, 21 Mar 2023 13:50:18 +0100 -Subject: [PATCH 42/61] core-parking: fix build with gcc12 and NR_CPUS=1 - -Gcc12 takes issue with core_parking_remove()'s - - for ( ; i < cur_idle_nums; ++i ) - core_parking_cpunum[i] = core_parking_cpunum[i + 1]; - -complaining that the right hand side array access is past the bounds of -1. Clearly the compiler can't know that cur_idle_nums can only ever be -zero in this case (as the sole CPU cannot be parked). - -Arrange for core_parking.c's contents to not be needed altogether, and -then disable its building when NR_CPUS == 1. - -Signed-off-by: Jan Beulich -Acked-by: Andrew Cooper -master commit: 4b0422f70feb4b1cd04598ffde805fc224f3812e -master date: 2023-03-13 15:15:42 +0100 ---- - xen/arch/x86/Kconfig | 2 +- - xen/arch/x86/platform_hypercall.c | 11 ++++++++--- - xen/arch/x86/sysctl.c | 3 +++ - xen/common/Kconfig | 1 + - 4 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig -index 3c14096c80..8e2b504923 100644 ---- a/xen/arch/x86/Kconfig -+++ b/xen/arch/x86/Kconfig -@@ -8,7 +8,7 @@ config X86 - select ACPI_LEGACY_TABLES_LOOKUP - select ALTERNATIVE_CALL - select ARCH_SUPPORTS_INT128 -- select CORE_PARKING -+ imply CORE_PARKING - select HAS_ALTERNATIVE - select HAS_COMPAT - select HAS_CPUFREQ -diff --git a/xen/arch/x86/platform_hypercall.c b/xen/arch/x86/platform_hypercall.c -index bf4090c942..c35e5669a4 100644 ---- a/xen/arch/x86/platform_hypercall.c -+++ b/xen/arch/x86/platform_hypercall.c -@@ -725,12 +725,17 @@ ret_t do_platform_op(XEN_GUEST_HANDLE_PARAM(xen_platform_op_t) u_xenpf_op) - case XEN_CORE_PARKING_SET: - idle_nums = min_t(uint32_t, - op->u.core_parking.idle_nums, num_present_cpus() - 1); -- ret = continue_hypercall_on_cpu( -- 0, core_parking_helper, (void *)(unsigned long)idle_nums); -+ if ( CONFIG_NR_CPUS > 1 ) -+ ret = continue_hypercall_on_cpu( 
-+ 0, core_parking_helper, -+ (void *)(unsigned long)idle_nums); -+ else if ( idle_nums ) -+ ret = -EINVAL; - break; - - case XEN_CORE_PARKING_GET: -- op->u.core_parking.idle_nums = get_cur_idle_nums(); -+ op->u.core_parking.idle_nums = CONFIG_NR_CPUS > 1 -+ ? get_cur_idle_nums() : 0; - ret = __copy_field_to_guest(u_xenpf_op, op, u.core_parking) ? - -EFAULT : 0; - break; -diff --git a/xen/arch/x86/sysctl.c b/xen/arch/x86/sysctl.c -index aff52a13f3..ff843eaee2 100644 ---- a/xen/arch/x86/sysctl.c -+++ b/xen/arch/x86/sysctl.c -@@ -179,6 +179,9 @@ long arch_do_sysctl( - ret = -EBUSY; - break; - } -+ if ( CONFIG_NR_CPUS <= 1 ) -+ /* Mimic behavior of smt_up_down_helper(). */ -+ return 0; - plug = op == XEN_SYSCTL_CPU_HOTPLUG_SMT_ENABLE; - fn = smt_up_down_helper; - hcpu = _p(plug); -diff --git a/xen/common/Kconfig b/xen/common/Kconfig -index 6443943889..c9f4b7f492 100644 ---- a/xen/common/Kconfig -+++ b/xen/common/Kconfig -@@ -10,6 +10,7 @@ config COMPAT - - config CORE_PARKING - bool -+ depends on NR_CPUS > 1 - - config GRANT_TABLE - bool "Grant table support" if EXPERT --- -2.40.0 - diff --git a/0042-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch b/0042-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch new file mode 100644 index 0000000..ac3e86d --- /dev/null +++ b/0042-tools-ocaml-xc-Fix-binding-for-xc_domain_assign_devi.patch 
@@ -0,0 +1,70 @@ +From afdcc108566e5a4ee352b6427c98ebad6885a81d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= +Date: Thu, 12 Jan 2023 11:38:38 +0000 +Subject: [PATCH 42/89] tools/ocaml/xc: Fix binding for + xc_domain_assign_device() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The patch adding this binding was plain broken, and unreviewed. It modified +the C stub to add a 4th parameter without an equivalent adjustment in the +Ocaml side of the bindings. + +In 64bit builds, this causes us to dereference whatever dead value is in %rcx +when trying to interpret the rflags parameter. + +This has gone unnoticed because Xapi doesn't use this binding (it has its +own), but unbreak the binding by passing RDM_RELAXED unconditionally for +now (matching the libxl default behaviour). + +Fixes: 9b34056cb4 ("tools: extend xc_assign_device() to support rdm reservation policy") +Signed-off-by: Edwin Török +Signed-off-by: Andrew Cooper +Acked-by: Christian Lindig +(cherry picked from commit 4250683842104f02996428f93927a035c8e19266) +--- + tools/ocaml/libs/xc/xenctrl_stubs.c | 17 +++++------------ + 1 file changed, 5 insertions(+), 12 deletions(-) + +diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c +index e25367531b..f376d94334 100644 +--- a/tools/ocaml/libs/xc/xenctrl_stubs.c ++++ b/tools/ocaml/libs/xc/xenctrl_stubs.c +@@ -1139,17 +1139,12 @@ CAMLprim value stub_xc_domain_test_assign_device(value xch, value domid, value d + CAMLreturn(Val_bool(ret == 0)); + } + +-static int domain_assign_device_rdm_flag_table[] = { +- XEN_DOMCTL_DEV_RDM_RELAXED, +-}; +- +-CAMLprim value stub_xc_domain_assign_device(value xch, value domid, value desc, +- value rflag) ++CAMLprim value stub_xc_domain_assign_device(value xch, value domid, value desc) + { +- CAMLparam4(xch, domid, desc, rflag); ++ CAMLparam3(xch, domid, desc); + int ret; + int domain, bus, dev, func; +- uint32_t sbdf, flag; ++ 
uint32_t sbdf; + + domain = Int_val(Field(desc, 0)); + bus = Int_val(Field(desc, 1)); +@@ -1157,10 +1152,8 @@ CAMLprim value stub_xc_domain_assign_device(value xch, value domid, value desc, + func = Int_val(Field(desc, 3)); + sbdf = encode_sbdf(domain, bus, dev, func); + +- ret = Int_val(Field(rflag, 0)); +- flag = domain_assign_device_rdm_flag_table[ret]; +- +- ret = xc_assign_device(_H(xch), _D(domid), sbdf, flag); ++ ret = xc_assign_device(_H(xch), _D(domid), sbdf, ++ XEN_DOMCTL_DEV_RDM_RELAXED); + + if (ret < 0) + failwith_xc(_H(xch)); +-- +2.40.0 + diff --git a/0043-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch b/0043-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch new file mode 100644 index 0000000..b7fec46 --- /dev/null +++ b/0043-tools-ocaml-xc-Don-t-reference-Abstract_Tag-objects-.patch 
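Review bot: The xc_assign_device() call now hard-codes `XEN_DOMCTL_DEV_RDM_RELAXED`, and nothing at the call site says that this is deliberate. The commit message explains it as a stop-gap matching the libxl default, but that reasoning will not be visible to someone reading xenctrl_stubs.c. A comment above the call such as `/* RDM policy is fixed to relaxed (libxl default); this binding has no parameter to select another one. */` would make it clear that callers cannot request a different reserved-memory policy through this stub. The function's tail after failwith_xc() lies outside the hunk.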
@@ -0,0 +1,76 @@ +From bf935b1ff7cc76b2d25f877e56a359afaafcac1f Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Tue, 31 Jan 2023 17:19:30 +0000 +Subject: [PATCH 43/89] tools/ocaml/xc: Don't reference Abstract_Tag objects + with the GC lock released + +The intf->{addr,len} references in the xc_map_foreign_range() call are unsafe. +From the manual: + + https://ocaml.org/manual/intfc.html#ss:parallel-execution-long-running-c-code + +"After caml_release_runtime_system() was called and until +caml_acquire_runtime_system() is called, the C code must not access any OCaml +data, nor call any function of the run-time system, nor call back into OCaml +code." + +More than what the manual says, the intf pointer is (potentially) invalidated +by caml_enter_blocking_section() if another thread happens to perform garbage +collection at just the right (wrong) moment. + +Rewrite the logic. There's no need to stash data in the Ocaml object until +the success path at the very end. + +Fixes: 8b7ce06a2d34 ("ocaml: Add XC bindings.") +Signed-off-by: Andrew Cooper +Acked-by: Christian Lindig +(cherry picked from commit 9e7c74e6f9fd2e44df1212643b80af9032b45b07) +--- + tools/ocaml/libs/xc/xenctrl_stubs.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c b/tools/ocaml/libs/xc/xenctrl_stubs.c +index f376d94334..facb561577 100644 +--- a/tools/ocaml/libs/xc/xenctrl_stubs.c ++++ b/tools/ocaml/libs/xc/xenctrl_stubs.c +@@ -953,26 +953,25 @@ CAMLprim value stub_map_foreign_range(value xch, value dom, + CAMLparam4(xch, dom, size, mfn); + CAMLlocal1(result); + struct mmap_interface *intf; +- uint32_t c_dom; +- unsigned long c_mfn; ++ unsigned long c_mfn = Nativeint_val(mfn); ++ int len = Int_val(size); ++ void *ptr; + + BUILD_BUG_ON((sizeof(struct mmap_interface) % sizeof(value)) != 0); + result = caml_alloc(Wsize_bsize(sizeof(struct mmap_interface)), + Abstract_tag); + +- intf = (struct mmap_interface *) result; 
+- +- intf->len = Int_val(size); +- +- c_dom = _D(dom); +- c_mfn = Nativeint_val(mfn); + caml_enter_blocking_section(); +- intf->addr = xc_map_foreign_range(_H(xch), c_dom, +- intf->len, PROT_READ|PROT_WRITE, +- c_mfn); ++ ptr = xc_map_foreign_range(_H(xch), _D(dom), len, ++ PROT_READ|PROT_WRITE, c_mfn); + caml_leave_blocking_section(); +- if (!intf->addr) ++ ++ if (!ptr) + caml_failwith("xc_map_foreign_range error"); ++ ++ intf = Data_abstract_val(result); ++ *intf = (struct mmap_interface){ ptr, len }; ++ + CAMLreturn(result); + } + +-- +2.40.0 + diff --git a/0043-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch b/0043-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch deleted file mode 100644 index 0e040ad..0000000 --- a/0043-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch +++ /dev/null 
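Review bot: The rewritten call `xc_map_foreign_range(_H(xch), _D(dom), len, ...)` still expands `_H(xch)` between caml_enter_blocking_section() and caml_leave_blocking_section(). The definition of `_H()` in xenctrl_stubs.c is not in this hunk, but if it reads the handle out of a Custom block the way the eventchn `_H()` did, this is the same kind of access the commit message rules out for `intf`. Reading both arguments into C locals before the section, e.g. `xc_interface *c_xch = _H(xch);` and `uint32_t c_dom = _D(dom);` (the latter is what the removed code did), would close it; a later patch in the series may already do so. Separately, `len` is taken from `Int_val(size)` with no range check before it is passed to the mapping call and stored in the mmap_interface. The function's signature lies above the hunk.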
@@ -1,129 +0,0 @@ -From cdde3171a2a932a6836b094c4387412e27414ec9 Mon Sep 17 00:00:00 2001 -From: Jan Beulich -Date: Tue, 21 Mar 2023 13:51:42 +0100 -Subject: [PATCH 43/61] x86/altp2m: help gcc13 to avoid it emitting a warning - -Switches of altp2m-s always expect a valid altp2m to be in place (and -indeed altp2m_vcpu_initialise() sets the active one to be at index 0). -The compiler, however, cannot know that, and hence it cannot eliminate -p2m_get_altp2m()'s case of returnin (literal) NULL. If then the compiler -decides to special case that code path in the caller, the dereference in -instances of - - atomic_dec(&p2m_get_altp2m(v)->active_vcpus); - -can, to the code generator, appear to be NULL dereferences, leading to - -In function 'atomic_dec', - inlined from '...' at ...: -./arch/x86/include/asm/atomic.h:182:5: error: array subscript 0 is outside array bounds of 'int[0]' [-Werror=array-bounds=] - -Aid the compiler by adding a BUG_ON() checking the return value of the -problematic p2m_get_altp2m(). Since with the use of the local variable -the 2nd p2m_get_altp2m() each will look questionable at the first glance -(Why is the local variable not used here?), open-code the only relevant -piece of p2m_get_altp2m() there. - -To avoid repeatedly doing these transformations, and also to limit how -"bad" the open-coding really is, convert the entire operation to an -inline helper, used by all three instances (and accepting the redundant -BUG_ON(idx >= MAX_ALTP2M) in two of the three cases). 
- -Reported-by: Charles Arnold -Signed-off-by: Jan Beulich -Acked-by: Andrew Cooper -master commit: be62b1fc2aa7375d553603fca07299da765a89fe -master date: 2023-03-13 15:16:21 +0100 ---- - xen/arch/x86/hvm/vmx/vmx.c | 8 +------- - xen/arch/x86/mm/p2m.c | 14 ++------------ - xen/include/asm-x86/p2m.h | 20 ++++++++++++++++++++ - 3 files changed, 23 insertions(+), 19 deletions(-) - -diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c -index 094141be9a..c8a839cd5e 100644 ---- a/xen/arch/x86/hvm/vmx/vmx.c -+++ b/xen/arch/x86/hvm/vmx/vmx.c -@@ -4036,13 +4036,7 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs) - } - } - -- if ( idx != vcpu_altp2m(v).p2midx ) -- { -- BUG_ON(idx >= MAX_ALTP2M); -- atomic_dec(&p2m_get_altp2m(v)->active_vcpus); -- vcpu_altp2m(v).p2midx = idx; -- atomic_inc(&p2m_get_altp2m(v)->active_vcpus); -- } -+ p2m_set_altp2m(v, idx); - } - - /* XXX: This looks ugly, but we need a mechanism to ensure -diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c -index 8781df9dda..2d41446a69 100644 ---- a/xen/arch/x86/mm/p2m.c -+++ b/xen/arch/x86/mm/p2m.c -@@ -2194,13 +2194,8 @@ bool_t p2m_switch_vcpu_altp2m_by_id(struct vcpu *v, unsigned int idx) - - if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) ) - { -- if ( idx != vcpu_altp2m(v).p2midx ) -- { -- atomic_dec(&p2m_get_altp2m(v)->active_vcpus); -- vcpu_altp2m(v).p2midx = idx; -- atomic_inc(&p2m_get_altp2m(v)->active_vcpus); -+ if ( p2m_set_altp2m(v, idx) ) - altp2m_vcpu_update_p2m(v); -- } - rc = 1; - } - -@@ -2471,13 +2466,8 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, unsigned int idx) - if ( d->arch.altp2m_visible_eptp[idx] != mfn_x(INVALID_MFN) ) - { - for_each_vcpu( d, v ) -- if ( idx != vcpu_altp2m(v).p2midx ) -- { -- atomic_dec(&p2m_get_altp2m(v)->active_vcpus); -- vcpu_altp2m(v).p2midx = idx; -- atomic_inc(&p2m_get_altp2m(v)->active_vcpus); -+ if ( p2m_set_altp2m(v, idx) ) - altp2m_vcpu_update_p2m(v); -- } - - rc = 0; - } -diff --git a/xen/include/asm-x86/p2m.h 
b/xen/include/asm-x86/p2m.h -index 2db9ab0122..f92bb97394 100644 ---- a/xen/include/asm-x86/p2m.h -+++ b/xen/include/asm-x86/p2m.h -@@ -841,6 +841,26 @@ static inline struct p2m_domain *p2m_get_altp2m(struct vcpu *v) - return v->domain->arch.altp2m_p2m[index]; - } - -+/* set current alternate p2m table */ -+static inline bool p2m_set_altp2m(struct vcpu *v, unsigned int idx) -+{ -+ struct p2m_domain *orig; -+ -+ BUG_ON(idx >= MAX_ALTP2M); -+ -+ if ( idx == vcpu_altp2m(v).p2midx ) -+ return false; -+ -+ orig = p2m_get_altp2m(v); -+ BUG_ON(!orig); -+ atomic_dec(&orig->active_vcpus); -+ -+ vcpu_altp2m(v).p2midx = idx; -+ atomic_inc(&v->domain->arch.altp2m_p2m[idx]->active_vcpus); -+ -+ return true; -+} -+ - /* Switch alternate p2m for a single vcpu */ - bool_t p2m_switch_vcpu_altp2m_by_id(struct vcpu *v, unsigned int idx); - --- -2.40.0 - diff --git a/0044-VT-d-constrain-IGD-check.patch b/0044-VT-d-constrain-IGD-check.patch deleted file mode 100644 index 13ca74e..0000000 --- a/0044-VT-d-constrain-IGD-check.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 4d42cc4d25c35ca381370a1fa0b45350723d1308 Mon Sep 17 00:00:00 2001 -From: Jan Beulich -Date: Tue, 21 Mar 2023 13:52:20 +0100 -Subject: [PATCH 44/61] VT-d: constrain IGD check - -Marking a DRHD as controlling an IGD isn't very sensible without -checking that at the very least it's a graphics device that lives at -0000:00:02.0. Re-use the reading of the class-code to control both the -clearing of "gfx_only" and the setting of "igd_drhd_address". - -Signed-off-by: Jan Beulich -Reviewed-by: Kevin Tian -master commit: f8c4317295fa1cde1a81779b7e362651c084efb8 -master date: 2023-03-14 10:44:08 +0100 ---- - xen/drivers/passthrough/vtd/dmar.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git a/xen/drivers/passthrough/vtd/dmar.c b/xen/drivers/passthrough/vtd/dmar.c -index 33a12b2ae9..9ec49936b8 100644 ---- a/xen/drivers/passthrough/vtd/dmar.c -+++ b/xen/drivers/passthrough/vtd/dmar.c -@@ -391,15 +391,12 @@ static int __init acpi_parse_dev_scope( - - if ( drhd ) - { -- if ( (seg == 0) && (bus == 0) && (path->dev == 2) && -- (path->fn == 0) ) -- igd_drhd_address = drhd->address; -- -- if ( gfx_only && -- pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn), -+ if ( pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn), - PCI_CLASS_DEVICE + 1) != 0x03 - /* PCI_BASE_CLASS_DISPLAY */ ) - gfx_only = false; -+ else if ( !seg && !bus && path->dev == 2 && !path->fn ) -+ igd_drhd_address = drhd->address; - } - - break; --- -2.40.0 - diff --git a/0044-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch b/0044-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch new file mode 100644 index 0000000..8876ab7 --- /dev/null +++ b/0044-tools-ocaml-libs-Fix-memory-resource-leaks-with-caml.patch 
@@ -0,0 +1,61 @@ +From 587823eca162d063027faf1826ec3544f0a06e78 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Wed, 1 Feb 2023 11:27:42 +0000 +Subject: [PATCH 44/89] tools/ocaml/libs: Fix memory/resource leaks with + caml_alloc_custom() + +All caml_alloc_*() functions can throw exceptions, and longjump out of +context. If this happens, we leak the xch/xce handle. + +Reorder the logic to allocate the the Ocaml object first. + +Fixes: 8b3c06a3e545 ("tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free") +Fixes: 22d5affdf0ce ("tools/ocaml/evtchn: OCaml 5 support, fix potential resource leak") +Signed-off-by: Andrew Cooper +Acked-by: Christian Lindig +(cherry picked from commit d69ccf52ad467ccc22029172a8e61dc621187889) +--- + tools/ocaml/libs/eventchn/xeneventchn_stubs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c +index d7881ca95f..de2fc29292 100644 +--- a/tools/ocaml/libs/eventchn/xeneventchn_stubs.c ++++ b/tools/ocaml/libs/eventchn/xeneventchn_stubs.c +@@ -63,6 +63,8 @@ CAMLprim value stub_eventchn_init(value cloexec) + if ( !Bool_val(cloexec) ) + flags |= XENEVTCHN_NO_CLOEXEC; + ++ result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1); ++ + caml_enter_blocking_section(); + xce = xenevtchn_open(NULL, flags); + caml_leave_blocking_section(); +@@ -70,7 +72,6 @@ CAMLprim value stub_eventchn_init(value cloexec) + if (xce == NULL) + caml_failwith("open failed"); + +- result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1); + *(xenevtchn_handle **)Data_custom_val(result) = xce; + + CAMLreturn(result); +@@ -82,6 +83,8 @@ CAMLprim value stub_eventchn_fdopen(value fdval) + CAMLlocal1(result); + xenevtchn_handle *xce; + ++ result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1); ++ + caml_enter_blocking_section(); + xce = xenevtchn_fdopen(NULL, Int_val(fdval), 0); + caml_leave_blocking_section(); +@@ -89,7 +92,6 @@ 
CAMLprim value stub_eventchn_fdopen(value fdval) + if (xce == NULL) + caml_failwith("evtchn fdopen failed"); + +- result = caml_alloc_custom(&xenevtchn_ops, sizeof(xce), 0, 1); + *(xenevtchn_handle **)Data_custom_val(result) = xce; + + CAMLreturn(result); +-- +2.40.0 + diff --git a/0045-bunzip-work-around-gcc13-warning.patch b/0045-bunzip-work-around-gcc13-warning.patch deleted file mode 100644 index 9b26011..0000000 --- a/0045-bunzip-work-around-gcc13-warning.patch +++ /dev/null 
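Review bot: With the allocation moved ahead of xenevtchn_open() in stub_eventchn_init, and ahead of xenevtchn_fdopen() in stub_eventchn_fdopen, the `xce == NULL` path now raises through caml_failwith() while `result` is a live custom block whose payload was never written. If xenevtchn_ops, which is defined outside these hunks, has a finalizer that closes the stored handle, the GC would later run it on an uninitialised pointer. Initialising the slot directly after the allocation, `*(xenevtchn_handle **)Data_custom_val(result) = NULL;`, would make the failure path well defined, provided the finalizer tolerates NULL. Both function bodies start outside the hunks shown.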
@@ -1,42 +0,0 @@ -From 49116b2101094c3d6658928f03db88d035ba97be Mon Sep 17 00:00:00 2001 -From: Jan Beulich -Date: Tue, 21 Mar 2023 13:52:58 +0100 -Subject: [PATCH 45/61] bunzip: work around gcc13 warning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While provable that length[0] is always initialized (because symCount -cannot be zero), upcoming gcc13 fails to recognize this and warns about -the unconditional use of the value immediately following the loop. - -See also https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106511. - -Reported-by: Martin Liška -Signed-off-by: Jan Beulich -Acked-by: Andrew Cooper -master commit: 402195e56de0aacf97e05c80ed367d464ca6938b -master date: 2023-03-14 10:45:28 +0100 ---- - xen/common/bunzip2.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/xen/common/bunzip2.c b/xen/common/bunzip2.c -index 2087cfbbed..5108e570ed 100644 ---- a/xen/common/bunzip2.c -+++ b/xen/common/bunzip2.c -@@ -233,6 +233,11 @@ static int __init get_next_block(struct bunzip_data *bd) - becomes negative, so an unsigned inequality catches - it.) */ - t = get_bits(bd, 5)-1; -+ /* GCC 13 has apparently improved use-before-set detection, but -+ it can't figure out that length[0] is always intialized by -+ virtue of symCount always being positive when making it here. -+ See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106511. */ -+ length[0] = 0; - for (i = 0; i < symCount; i++) { - for (;;) { - if (((unsigned)t) > (MAX_HUFCODE_BITS-1)) --- -2.40.0 - diff --git a/0045-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch b/0045-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch new file mode 100644 index 0000000..1720bdd --- /dev/null +++ b/0045-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-P.patch 
@@ -0,0 +1,120 @@ +From 3685e754e6017c616769b28133286d06bf07b613 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Thu, 8 Sep 2022 21:27:58 +0100 +Subject: [PATCH 45/89] x86/spec-ctrl: Mitigate Cross-Thread Return Address + Predictions + +This is XSA-426 / CVE-2022-27672 + +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +(cherry picked from commit 63305e5392ec2d17b85e7996a97462744425db80) +--- + docs/misc/xen-command-line.pandoc | 2 +- + xen/arch/x86/include/asm/cpufeatures.h | 3 ++- + xen/arch/x86/include/asm/spec_ctrl.h | 15 +++++++++++++ + xen/arch/x86/spec_ctrl.c | 31 +++++++++++++++++++++++--- + 4 files changed, 46 insertions(+), 5 deletions(-) + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index 424b12cfb2..e7fe8b0cc9 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -2343,7 +2343,7 @@ guests to use. + on entry and exit. These blocks are necessary to virtualise support for + guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. + * `rsb=` offers control over whether to overwrite the Return Stack Buffer / +- Return Address Stack on entry to Xen. ++ Return Address Stack on entry to Xen and on idle. + * `md-clear=` offers control over whether to use VERW to flush + microarchitectural buffers on idle and exit from Xen. 
*Note: For + compatibility with development versions of this fix, `mds=` is also accepted +diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h +index 865f110986..da0593de85 100644 +--- a/xen/arch/x86/include/asm/cpufeatures.h ++++ b/xen/arch/x86/include/asm/cpufeatures.h +@@ -35,7 +35,8 @@ XEN_CPUFEATURE(SC_RSB_HVM, X86_SYNTH(19)) /* RSB overwrite needed for HVM + XEN_CPUFEATURE(XEN_SELFSNOOP, X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */ + XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* Clear MSR_SPEC_CTRL on idle */ + XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */ +-/* Bits 23,24 unused. */ ++/* Bits 23 unused. */ ++XEN_CPUFEATURE(SC_RSB_IDLE, X86_SYNTH(24)) /* RSB overwrite needed for idle. */ + XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */ + XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */ + XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */ +diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h +index 6a77c39378..391973ef6a 100644 +--- a/xen/arch/x86/include/asm/spec_ctrl.h ++++ b/xen/arch/x86/include/asm/spec_ctrl.h +@@ -159,6 +159,21 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info) + */ + alternative_input("", "verw %[sel]", X86_FEATURE_SC_VERW_IDLE, + [sel] "m" (info->verw_sel)); ++ ++ /* ++ * Cross-Thread Return Address Predictions: ++ * ++ * On vulnerable systems, the return predictions (RSB/RAS) are statically ++ * partitioned between active threads. When entering idle, our entries ++ * are re-partitioned to allow the other threads to use them. ++ * ++ * In some cases, we might still have guest entries in the RAS, so flush ++ * them before injecting them sideways to our sibling thread. ++ * ++ * (ab)use alternative_input() to specify clobbers. 
++ */ ++ alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE, ++ : "rax", "rcx"); + } + + /* WARNING! `ret`, `call *`, `jmp *` not safe before this call. */ +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index a320b81947..e80e2a5ed1 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -1327,13 +1327,38 @@ void __init init_speculation_mitigations(void) + * 3) Some CPUs have RSBs which are not full width, which allow the + * attacker's entries to alias Xen addresses. + * ++ * 4) Some CPUs have RSBs which are re-partitioned based on thread ++ * idleness, which allows an attacker to inject entries into the other ++ * thread. We still active the optimisation in this case, and mitigate ++ * in the idle path which has lower overhead. ++ * + * It is safe to turn off RSB stuffing when Xen is using SMEP itself, and + * 32bit PV guests are disabled, and when the RSB is full width. + */ + BUILD_BUG_ON(RO_MPT_VIRT_START != PML4_ADDR(256)); +- if ( opt_rsb_pv == -1 && boot_cpu_has(X86_FEATURE_XEN_SMEP) && +- !opt_pv32 && rsb_is_full_width() ) +- opt_rsb_pv = 0; ++ if ( opt_rsb_pv == -1 ) ++ { ++ opt_rsb_pv = (opt_pv32 || !boot_cpu_has(X86_FEATURE_XEN_SMEP) || ++ !rsb_is_full_width()); ++ ++ /* ++ * Cross-Thread Return Address Predictions. ++ * ++ * Vulnerable systems are Zen1/Zen2 uarch, which is AMD Fam17 / Hygon ++ * Fam18, when SMT is active. ++ * ++ * To mitigate, we must flush the RSB/RAS/RAP once between entering ++ * Xen and going idle. ++ * ++ * Most cases flush on entry to Xen anyway. The one case where we ++ * don't is when using the SMEP optimisation for PV guests. Flushing ++ * before going idle is less overhead than flushing on PV entry. ++ */ ++ if ( !opt_rsb_pv && hw_smt_enabled && ++ (boot_cpu_data.x86_vendor & (X86_VENDOR_AMD|X86_VENDOR_HYGON)) && ++ (boot_cpu_data.x86 == 0x17 || boot_cpu_data.x86 == 0x18) ) ++ setup_force_cpu_cap(X86_FEATURE_SC_RSB_IDLE); ++ } + + if ( opt_rsb_pv ) + { +-- +2.40.0 + 
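Review bot: In init_speculation_mitigations() the SC_RSB_IDLE selection sits inside the new `if ( opt_rsb_pv == -1 )` block, so it is only evaluated when the PV RSB setting is left at its default; a value set explicitly (presumably from the command line) that leaves opt_rsb_pv at 0 skips the idle-path flush too. That looks intended given the `rsb=` wording change in xen-command-line.pandoc, but the block comment should say so, e.g. `* Only selected by default; an explicit rsb= opt-out also disables the idle flush.` The vendor/family test also accepts any pairing of AMD or Hygon with 0x17 or 0x18, which is wider than the "AMD Fam17 / Hygon Fam18" named in the comment; it errs towards mitigating, and a word in the comment would stop it being read as a bug. In the earlier comment, "We still active the optimisation" should read "activate". The function starts and ends outside the hunk.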
diff --git a/0046-automation-Remove-clang-8-from-Debian-unstable-conta.patch b/0046-automation-Remove-clang-8-from-Debian-unstable-conta.patch
new file mode 100644
index 0000000..6fc3323
--- /dev/null
+++ b/0046-automation-Remove-clang-8-from-Debian-unstable-conta.patch
@@ -0,0 +1,84 @@ +From aaf74a532c02017998492c0bf60a9c6be3332f20 Mon Sep 17 00:00:00 2001 +From: Anthony PERARD +Date: Tue, 21 Feb 2023 16:55:38 +0000 +Subject: [PATCH 46/89] automation: Remove clang-8 from Debian unstable + container + +First, apt complain that it isn't the right way to add keys anymore, +but hopefully that's just a warning. + +Second, we can't install clang-8: +The following packages have unmet dependencies: + clang-8 : Depends: libstdc++-8-dev but it is not installable + Depends: libgcc-8-dev but it is not installable + Depends: libobjc-8-dev but it is not installable + Recommends: llvm-8-dev but it is not going to be installed + Recommends: libomp-8-dev but it is not going to be installed + libllvm8 : Depends: libffi7 (>= 3.3~20180313) but it is not installable +E: Unable to correct problems, you have held broken packages. + +clang on Debian unstable is now version 14.0.6. + +Signed-off-by: Anthony PERARD +Acked-by: Andrew Cooper +(cherry picked from commit a6b1e2b80fe2053b1c9c9843fb086a668513ea36) +--- + automation/build/debian/unstable-llvm-8.list | 3 --- + automation/build/debian/unstable.dockerfile | 12 ------------ + automation/gitlab-ci/build.yaml | 10 ---------- + 3 files changed, 25 deletions(-) + delete mode 100644 automation/build/debian/unstable-llvm-8.list + +diff --git a/automation/build/debian/unstable-llvm-8.list b/automation/build/debian/unstable-llvm-8.list +deleted file mode 100644 +index dc119fa0b4..0000000000 +--- a/automation/build/debian/unstable-llvm-8.list ++++ /dev/null +@@ -1,3 +0,0 @@ +-# Unstable LLVM 8 repos +-deb http://apt.llvm.org/unstable/ llvm-toolchain-8 main +-deb-src http://apt.llvm.org/unstable/ llvm-toolchain-8 main +diff --git a/automation/build/debian/unstable.dockerfile b/automation/build/debian/unstable.dockerfile +index 9de766d596..b560337b7a 100644 +--- a/automation/build/debian/unstable.dockerfile ++++ b/automation/build/debian/unstable.dockerfile +@@ -51,15 +51,3 @@ RUN apt-get update && \ + apt-get 
autoremove -y && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* +- +-RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|apt-key add - +-COPY unstable-llvm-8.list /etc/apt/sources.list.d/ +- +-RUN apt-get update && \ +- apt-get --quiet --yes install \ +- clang-8 \ +- lld-8 \ +- && \ +- apt-get autoremove -y && \ +- apt-get clean && \ +- rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* +diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml +index 716ee0b1e4..bed161b471 100644 +--- a/automation/gitlab-ci/build.yaml ++++ b/automation/gitlab-ci/build.yaml +@@ -312,16 +312,6 @@ debian-unstable-clang-debug: + variables: + CONTAINER: debian:unstable + +-debian-unstable-clang-8: +- extends: .clang-8-x86-64-build +- variables: +- CONTAINER: debian:unstable +- +-debian-unstable-clang-8-debug: +- extends: .clang-8-x86-64-build-debug +- variables: +- CONTAINER: debian:unstable +- + debian-unstable-gcc: + extends: .gcc-x86-64-build + variables: +-- +2.40.0 + diff --git a/0046-libacpi-fix-PCI-hotplug-AML.patch b/0046-libacpi-fix-PCI-hotplug-AML.patch deleted file mode 100644 index b1c79f5..0000000 --- a/0046-libacpi-fix-PCI-hotplug-AML.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 54102e428ba3f677904278479f8110c8eef6fedc Mon Sep 17 00:00:00 2001 -From: David Woodhouse -Date: Tue, 21 Mar 2023 13:53:25 +0100 -Subject: [PATCH 46/61] libacpi: fix PCI hotplug AML - -The emulated PIIX3 uses a nybble for the status of each PCI function, -so the status for e.g. slot 0 functions 0 and 1 respectively can be -read as (\_GPE.PH00 & 0x0F), and (\_GPE.PH00 >> 0x04). - -The AML that Xen gives to a guest gets the operand order for the odd- -numbered functions the wrong way round, returning (0x04 >> \_GPE.PH00) -instead. - -As far as I can tell, this was the wrong way round in Xen from the -moment that PCI hotplug was first introduced in commit 83d82e6f35a8: - -+ ShiftRight (0x4, \_GPE.PH00, Local1) -+ Return (Local1) /* IN status as the _STA */ - -Or maybe there's bizarre AML operand ordering going on there, like -Intel's wrong-way-round assembler, and it only broke later when it was -changed to being generated? - -Either way, it's definitely wrong now, and instrumenting a Linux guest -shows that it correctly sees _STA being 0x00 in function 0 of an empty -slot, but then the loop in acpiphp_glue.c::get_slot_status() goes on to -look at function 1 and sees that _STA evaluates to 0x04. Thus reporting -an adapter is present in every slot in /sys/bus/pci/slots/* - -Quite why Linux wants to look for function 1 being physically present -when function 0 isn't... I don't want to think about right now. 
- -Fixes: 83d82e6f35a8 ("hvmloader: pass-through: multi-function PCI hot-plug") -Signed-off-by: David Woodhouse -Reviewed-by: Jan Beulich -master commit: b190af7d3e90f58da5f58044b8dea7261b8b483d -master date: 2023-03-20 17:12:34 +0100 ---- - tools/libacpi/mk_dsdt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/libacpi/mk_dsdt.c b/tools/libacpi/mk_dsdt.c -index c5ba4c0b2f..250a50b7eb 100644 ---- a/tools/libacpi/mk_dsdt.c -+++ b/tools/libacpi/mk_dsdt.c -@@ -431,7 +431,7 @@ int main(int argc, char **argv) - stmt("Store", "0x89, \\_GPE.DPT2"); - } - if ( slot & 1 ) -- stmt("ShiftRight", "0x4, \\_GPE.PH%02X, Local1", slot & ~1); -+ stmt("ShiftRight", "\\_GPE.PH%02X, 0x04, Local1", slot & ~1); - else - stmt("And", "\\_GPE.PH%02X, 0x0f, Local1", slot & ~1); - stmt("Return", "Local1"); /* IN status as the _STA */ --- -2.40.0 - diff --git a/0047-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch b/0047-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch deleted file mode 100644 index 54940ba..0000000 --- a/0047-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 8e9690a2252eda09537275a951ee0af0b3b330f2 Mon Sep 17 00:00:00 2001 -From: Jan Beulich -Date: Fri, 31 Mar 2023 08:36:59 +0200 -Subject: [PATCH 47/61] AMD/IOMMU: without XT, x2APIC needs to be forced into - physical mode - -An earlier change with the same title (commit 1ba66a870eba) altered only -the path where x2apic_phys was already set to false (perhaps from the -command line). The same of course needs applying when the variable -wasn't modified yet from its initial value. - -Reported-by: Elliott Mitchell -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -master commit: 0d2686f6b66b4b1b3c72c3525083b0ce02830054 -master date: 2023-03-21 09:23:25 +0100 ---- - xen/arch/x86/genapic/x2apic.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/xen/arch/x86/genapic/x2apic.c b/xen/arch/x86/genapic/x2apic.c -index 628b441da5..247364af58 100644 ---- a/xen/arch/x86/genapic/x2apic.c -+++ b/xen/arch/x86/genapic/x2apic.c -@@ -239,11 +239,11 @@ const struct genapic *__init apic_x2apic_probe(void) - if ( x2apic_phys < 0 ) - { - /* -- * Force physical mode if there's no interrupt remapping support: The -- * ID in clustered mode requires a 32 bit destination field due to -+ * Force physical mode if there's no (full) interrupt remapping support: -+ * The ID in clustered mode requires a 32 bit destination field due to - * the usage of the high 16 bits to hold the cluster ID. - */ -- x2apic_phys = !iommu_intremap || -+ x2apic_phys = iommu_intremap != iommu_intremap_full || - (acpi_gbl_FADT.flags & ACPI_FADT_APIC_PHYSICAL); - } - else if ( !x2apic_phys ) --- -2.40.0 - diff --git a/0047-libs-util-Fix-parallel-build-between-flex-bison-and-.patch b/0047-libs-util-Fix-parallel-build-between-flex-bison-and-.patch new file mode 100644 index 0000000..f3e6d36 --- /dev/null +++ b/0047-libs-util-Fix-parallel-build-between-flex-bison-and-.patch 
@@ -0,0 +1,50 @@ +From c622b8ace93cc38c73f47f5044dc3663ef93f815 Mon Sep 17 00:00:00 2001 +From: Anthony PERARD +Date: Fri, 3 Mar 2023 07:55:24 +0100 +Subject: [PATCH 47/89] libs/util: Fix parallel build between flex/bison and CC + rules + +flex/bison generate two targets, and when those targets are +prerequisite of other rules they are considered independently by make. + +We can have a situation where the .c file is out-of-date but not the +.h, git checkout for example. In this case, if a rule only have the .h +file as prerequiste, make will procced and start to build the object. +In parallel, another target can have the .c file as prerequisite and +make will find out it need re-generating and do so, changing the .h at +the same time. This parallel task breaks the first one. + +To avoid this scenario, we put both the header and the source as +prerequisite for all object even if they only need the header. + +Reported-by: Andrew Cooper +Signed-off-by: Anthony PERARD +Acked-by: Andrew Cooper +master commit: bf652a50fb3bb3b1b3d93db6fb79bc28f978fe75 +master date: 2023-02-09 18:26:17 +0000 +--- + tools/libs/util/Makefile | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/libs/util/Makefile b/tools/libs/util/Makefile +index 493d2e00be..fee4ea0dc7 100644 +--- a/tools/libs/util/Makefile ++++ b/tools/libs/util/Makefile +@@ -40,6 +40,14 @@ include $(XEN_ROOT)/tools/libs/libs.mk + + $(OBJS-y) $(PIC_OBJS): $(AUTOINCS) + ++# Adding the .c conterparts of the headers generated by flex/bison as ++# prerequisite of all objects. ++# This is to tell make that if only the .c file is out-of-date but not the ++# header, it should still wait for the .c file to be rebuilt. ++# Otherwise, make doesn't considered "%.c %.h" as grouped targets, and will run ++# the flex/bison rules in parallel of CC rules which only need the header. 
++$(OBJS-y) $(PIC_OBJS): libxlu_cfg_l.c libxlu_cfg_y.c libxlu_disk_l.c ++ + %.c %.h:: %.y + @rm -f $*.[ch] + $(BISON) --output=$*.c $< +-- +2.40.0 + diff --git a/0048-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch b/0048-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch deleted file mode 100644 index 4c480b0..0000000 --- a/0048-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch +++ /dev/null 
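Review bot: The new prerequisite line hard-codes `libxlu_cfg_l.c libxlu_cfg_y.c libxlu_disk_l.c`, a second list that must be kept in step by hand with the generated headers named by `$(AUTOINCS)` on the rule just above it. If AUTOINCS, which is defined outside the hunk, lists exactly the matching .h files, `$(OBJS-y) $(PIC_OBJS): $(AUTOINCS:.h=.c)` would express the same dependency without the duplicate. The added comment also has two slips worth fixing: "conterparts" and "doesn't considered".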
@@ -1,44 +0,0 @@ -From 07e8f5b3d1300327a9f2e67b03dead0e2138b92f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= - -Date: Fri, 31 Mar 2023 08:38:07 +0200 -Subject: [PATCH 48/61] VT-d: fix iommu=no-igfx if the IOMMU scope contains - fake device(s) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the scope for IGD's IOMMU contains additional device that doesn't -actually exist, iommu=no-igfx would not disable that IOMMU. In this -particular case (Thinkpad x230) it included 00:02.1, but there is no -such device on this platform. Consider only existing devices for the -"gfx only" check as well as the establishing of IGD DRHD address -(underlying is_igd_drhd(), which is used to determine applicability of -two workarounds). - -Fixes: 2d7f191b392e ("VT-d: generalize and correct "iommu=no-igfx" handling") -Signed-off-by: Marek Marczykowski-Górecki -Signed-off-by: Jan Beulich -Reviewed-by: Kevin Tian -master commit: 49de6749baa8d0addc3048defd4ef3e85cb135e9 -master date: 2023-03-23 09:16:41 +0100 ---- - xen/drivers/passthrough/vtd/dmar.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xen/drivers/passthrough/vtd/dmar.c b/xen/drivers/passthrough/vtd/dmar.c -index 9ec49936b8..bfec40f47d 100644 ---- a/xen/drivers/passthrough/vtd/dmar.c -+++ b/xen/drivers/passthrough/vtd/dmar.c -@@ -389,7 +389,7 @@ static int __init acpi_parse_dev_scope( - printk(VTDPREFIX " endpoint: %pp\n", - &PCI_SBDF(seg, bus, path->dev, path->fn)); - -- if ( drhd ) -+ if ( drhd && pci_device_detect(seg, bus, path->dev, path->fn) ) - { - if ( pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn), - PCI_CLASS_DEVICE + 1) != 0x03 --- -2.40.0 - diff --git a/0048-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch b/0048-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch new file mode 100644 index 0000000..46c48de --- /dev/null +++ b/0048-x86-cpuid-Infrastructure-for-leaves-7-1-ecx-edx.patch 
@@ -0,0 +1,126 @@ +From cdc23d47ad85e756540eaa8655ebc2a0445612ed Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Fri, 3 Mar 2023 07:55:54 +0100 +Subject: [PATCH 48/89] x86/cpuid: Infrastructure for leaves 7:1{ecx,edx} + +We don't actually need ecx yet, but adding it in now will reduce the amount to +which leaf 7 is out of order in a featureset. + +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +master commit: b4a23bf6293aadecfd03bf9e83974443e2eac9cb +master date: 2023-02-09 18:26:17 +0000 +--- + tools/misc/xen-cpuid.c | 10 ++++++++++ + xen/arch/x86/cpu/common.c | 3 ++- + xen/include/public/arch-x86/cpufeatureset.h | 4 ++++ + xen/include/xen/lib/x86/cpuid.h | 15 ++++++++++++++- + 4 files changed, 30 insertions(+), 2 deletions(-) + +diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c +index d5833e9ce8..addb3a39a1 100644 +--- a/tools/misc/xen-cpuid.c ++++ b/tools/misc/xen-cpuid.c +@@ -202,6 +202,14 @@ static const char *const str_7b1[32] = + [ 0] = "ppin", + }; + ++static const char *const str_7c1[32] = ++{ ++}; ++ ++static const char *const str_7d1[32] = ++{ ++}; ++ + static const char *const str_7d2[32] = + { + [ 0] = "intel-psfd", +@@ -229,6 +237,8 @@ static const struct { + { "0x80000021.eax", "e21a", str_e21a }, + { "0x00000007:1.ebx", "7b1", str_7b1 }, + { "0x00000007:2.edx", "7d2", str_7d2 }, ++ { "0x00000007:1.ecx", "7c1", str_7c1 }, ++ { "0x00000007:1.edx", "7d1", str_7d1 }, + }; + + #define COL_ALIGN "18" +diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c +index 0412dbc915..b3fcf4680f 100644 +--- a/xen/arch/x86/cpu/common.c ++++ b/xen/arch/x86/cpu/common.c +@@ -450,7 +450,8 @@ static void generic_identify(struct cpuinfo_x86 *c) + cpuid_count(7, 1, + &c->x86_capability[FEATURESET_7a1], + &c->x86_capability[FEATURESET_7b1], +- &tmp, &tmp); ++ &c->x86_capability[FEATURESET_7c1], ++ &c->x86_capability[FEATURESET_7d1]); + if (max_subleaf >= 2) + cpuid_count(7, 2, + &tmp, &tmp, &tmp, +diff --git 
a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h +index 7915f5826f..f43cdcd0f9 100644 +--- a/xen/include/public/arch-x86/cpufeatureset.h ++++ b/xen/include/public/arch-x86/cpufeatureset.h +@@ -295,6 +295,10 @@ XEN_CPUFEATURE(RRSBA_CTRL, 13*32+ 2) /* MSR_SPEC_CTRL.RRSBA_DIS_* */ + XEN_CPUFEATURE(BHI_CTRL, 13*32+ 4) /* MSR_SPEC_CTRL.BHI_DIS_S */ + XEN_CPUFEATURE(MCDT_NO, 13*32+ 5) /*A MCDT_NO */ + ++/* Intel-defined CPU features, CPUID level 0x00000007:1.ecx, word 14 */ ++ ++/* Intel-defined CPU features, CPUID level 0x00000007:1.edx, word 15 */ ++ + #endif /* XEN_CPUFEATURE */ + + /* Clean up from a default include. Close the enum (for C). */ +diff --git a/xen/include/xen/lib/x86/cpuid.h b/xen/include/xen/lib/x86/cpuid.h +index 73a5c33036..fa98b371ee 100644 +--- a/xen/include/xen/lib/x86/cpuid.h ++++ b/xen/include/xen/lib/x86/cpuid.h +@@ -18,6 +18,8 @@ + #define FEATURESET_e21a 11 /* 0x80000021.eax */ + #define FEATURESET_7b1 12 /* 0x00000007:1.ebx */ + #define FEATURESET_7d2 13 /* 0x00000007:2.edx */ ++#define FEATURESET_7c1 14 /* 0x00000007:1.ecx */ ++#define FEATURESET_7d1 15 /* 0x00000007:1.edx */ + + struct cpuid_leaf + { +@@ -194,7 +196,14 @@ struct cpuid_policy + uint32_t _7b1; + struct { DECL_BITFIELD(7b1); }; + }; +- uint32_t /* c */:32, /* d */:32; ++ union { ++ uint32_t _7c1; ++ struct { DECL_BITFIELD(7c1); }; ++ }; ++ union { ++ uint32_t _7d1; ++ struct { DECL_BITFIELD(7d1); }; ++ }; + + /* Subleaf 2. */ + uint32_t /* a */:32, /* b */:32, /* c */:32; +@@ -343,6 +352,8 @@ static inline void cpuid_policy_to_featureset( + fs[FEATURESET_e21a] = p->extd.e21a; + fs[FEATURESET_7b1] = p->feat._7b1; + fs[FEATURESET_7d2] = p->feat._7d2; ++ fs[FEATURESET_7c1] = p->feat._7c1; ++ fs[FEATURESET_7d1] = p->feat._7d1; + } + + /* Fill in a CPUID policy from a featureset bitmap. 
*/ +@@ -363,6 +374,8 @@ static inline void cpuid_featureset_to_policy( + p->extd.e21a = fs[FEATURESET_e21a]; + p->feat._7b1 = fs[FEATURESET_7b1]; + p->feat._7d2 = fs[FEATURESET_7d2]; ++ p->feat._7c1 = fs[FEATURESET_7c1]; ++ p->feat._7d1 = fs[FEATURESET_7d1]; + } + + static inline uint64_t cpuid_policy_xcr0_max(const struct cpuid_policy *p) +-- +2.40.0 + diff --git a/0049-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch b/0049-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch deleted file mode 100644 index 0abf7e9..0000000 --- a/0049-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch +++ /dev/null 
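Review bot: The two rows added to the table in tools/misc/xen-cpuid.c appear to rely on their position matching FEATURESET_7c1 and FEATURESET_7d1 (14 and 15) from xen/include/xen/lib/x86/cpuid.h, and nothing in the hunk records that coupling. The table's declaration and the code that walks it are outside the hunk, so this is inferred from the row order following the existing 7b1 (12) and 7d2 (13) entries. A comment above the rows such as `/* Row order must match the FEATURESET_* word indices in cpuid.h. */` would keep a later insertion from silently mislabelling every following word in the tool's output.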
@@ -1,47 +0,0 @@ -From cab866ee62d860e9ff4abe701163972d4e9f896d Mon Sep 17 00:00:00 2001 -From: Jan Beulich -Date: Fri, 31 Mar 2023 08:38:42 +0200 -Subject: [PATCH 49/61] x86/shadow: fix and improve - sh_page_has_multiple_shadows() - -While no caller currently invokes the function without first making sure -there is at least one shadow [1], we'd better eliminate UB here: -find_first_set_bit() requires input to be non-zero to return a well- -defined result. - -Further, using find_first_set_bit() isn't very efficient in the first -place for the intended purpose. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - -[1] The function has exactly two uses, and both are from OOS code, which - is HVM-only. For HVM (but not for PV) sh_mfn_is_a_page_table(), - guarding the call to sh_unsync(), guarantees at least one shadow. - Hence even if sh_page_has_multiple_shadows() returned a bogus value - when invoked for a PV domain, the subsequent is_hvm_vcpu() and - oos_active checks (the former being redundant with the latter) will - compensate. (Arguably that oos_active check should come first, for - both clarity and efficiency reasons.) -master commit: 2896224a4e294652c33f487b603d20bd30955f21 -master date: 2023-03-24 11:07:08 +0100 ---- - xen/arch/x86/mm/shadow/private.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h -index 738214f75e..762214f73c 100644 ---- a/xen/arch/x86/mm/shadow/private.h -+++ b/xen/arch/x86/mm/shadow/private.h -@@ -324,7 +324,7 @@ static inline int sh_page_has_multiple_shadows(struct page_info *pg) - return 0; - shadows = pg->shadow_flags & SHF_page_type_mask; - /* More than one type bit set in shadow-flags? */ -- return ( (shadows & ~(1UL << find_first_set_bit(shadows))) != 0 ); -+ return shadows && (shadows & (shadows - 1)); - } - - #if (SHADOW_OPTIMIZATIONS & SHOPT_OUT_OF_SYNC) --- -2.40.0 - 
diff --git a/0049-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch b/0049-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch
new file mode 100644
index 0000000..a34217e
--- /dev/null
+++ b/0049-x86-shskt-Disable-CET-SS-on-parts-susceptible-to-fra.patch
@@ -0,0 +1,195 @@ +From 8202b9cf84674c5b23a89c4b8722afbb9787f917 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Fri, 3 Mar 2023 07:56:16 +0100 +Subject: [PATCH 49/89] x86/shskt: Disable CET-SS on parts susceptible to + fractured updates + +Refer to Intel SDM Rev 70 (Dec 2022), Vol3 17.2.3 "Supervisor Shadow Stack +Token". + +Architecturally, an event delivery which starts in CPL<3 and switches shadow +stack will first validate the Supervisor Shadow Stack Token (setting the busy +bit), then pushes CS/LIP/SSP. One example of this is an NMI interrupting Xen. + +Some CPUs suffer from an issue called fracturing, whereby a fault/vmexit/etc +between setting the busy bit and completing the event injection renders the +action non-restartable, because when it comes time to restart, the busy bit is +found to be already set. + +This is far more easily encountered under virt, yet it is not the fault of the +hypervisor, nor the fault of the guest kernel. The fault lies somewhere +between the architectural specification, and the uarch behaviour. + +Intel have allocated CPUID.7[1].ecx[18] CET_SSS to enumerate that supervisor +shadow stacks are safe to use. Because of how Xen lays out its shadow stacks, +fracturing is not expected to be a problem on native. + +Detect this case on boot and default to not using shstk if virtualised. +Specifying `cet=shstk` on the command line will override this heuristic and +enable shadow stacks irrespective. 
+ +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +master commit: 01e7477d1b081cff4288ff9f51ec59ee94c03ee0 +master date: 2023-02-09 18:26:17 +0000 +--- + docs/misc/xen-command-line.pandoc | 7 +++- + tools/libs/light/libxl_cpuid.c | 2 + + tools/misc/xen-cpuid.c | 1 + + xen/arch/x86/cpu/common.c | 11 ++++- + xen/arch/x86/setup.c | 46 +++++++++++++++++---- + xen/include/public/arch-x86/cpufeatureset.h | 1 + + 6 files changed, 57 insertions(+), 11 deletions(-) + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index e7fe8b0cc9..807ca51fb2 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -287,10 +287,15 @@ can be maintained with the pv-shim mechanism. + protection. + + The option is available when `CONFIG_XEN_SHSTK` is compiled in, and +- defaults to `true` on hardware supporting CET-SS. Specifying ++ generally defaults to `true` on hardware supporting CET-SS. Specifying + `cet=no-shstk` will cause Xen not to use Shadow Stacks even when support + is available in hardware. + ++ Some hardware suffers from an issue known as Supervisor Shadow Stack ++ Fracturing. On such hardware, Xen will default to not using Shadow Stacks ++ when virtualised. Specifying `cet=shstk` will override this heuristic and ++ enable Shadow Stacks unilaterally. ++ + * The `ibt=` boolean controls whether Xen uses Indirect Branch Tracking for + its own protection. 
+ +diff --git a/tools/libs/light/libxl_cpuid.c b/tools/libs/light/libxl_cpuid.c +index 2aa23225f4..d97a2f3338 100644 +--- a/tools/libs/light/libxl_cpuid.c ++++ b/tools/libs/light/libxl_cpuid.c +@@ -235,6 +235,8 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str) + {"fsrs", 0x00000007, 1, CPUID_REG_EAX, 11, 1}, + {"fsrcs", 0x00000007, 1, CPUID_REG_EAX, 12, 1}, + ++ {"cet-sss", 0x00000007, 1, CPUID_REG_EDX, 18, 1}, ++ + {"intel-psfd", 0x00000007, 2, CPUID_REG_EDX, 0, 1}, + {"mcdt-no", 0x00000007, 2, CPUID_REG_EDX, 5, 1}, + +diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c +index addb3a39a1..0248eaef44 100644 +--- a/tools/misc/xen-cpuid.c ++++ b/tools/misc/xen-cpuid.c +@@ -208,6 +208,7 @@ static const char *const str_7c1[32] = + + static const char *const str_7d1[32] = + { ++ [18] = "cet-sss", + }; + + static const char *const str_7d2[32] = +diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c +index b3fcf4680f..27f73d3bbe 100644 +--- a/xen/arch/x86/cpu/common.c ++++ b/xen/arch/x86/cpu/common.c +@@ -346,11 +346,18 @@ void __init early_cpu_init(void) + x86_cpuid_vendor_to_str(c->x86_vendor), c->x86, c->x86, + c->x86_model, c->x86_model, c->x86_mask, eax); + +- if (c->cpuid_level >= 7) +- cpuid_count(7, 0, &eax, &ebx, ++ if (c->cpuid_level >= 7) { ++ uint32_t max_subleaf; ++ ++ cpuid_count(7, 0, &max_subleaf, &ebx, + &c->x86_capability[FEATURESET_7c0], + &c->x86_capability[FEATURESET_7d0]); + ++ if (max_subleaf >= 1) ++ cpuid_count(7, 1, &eax, &ebx, &ecx, ++ &c->x86_capability[FEATURESET_7d1]); ++ } ++ + eax = cpuid_eax(0x80000000); + if ((eax >> 16) == 0x8000 && eax >= 0x80000008) { + ebx = eax >= 0x8000001f ? 
cpuid_ebx(0x8000001f) : 0; +diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c +index e05189f649..09c17b1016 100644 +--- a/xen/arch/x86/setup.c ++++ b/xen/arch/x86/setup.c +@@ -95,11 +95,7 @@ unsigned long __initdata highmem_start; + size_param("highmem-start", highmem_start); + #endif + +-#ifdef CONFIG_XEN_SHSTK +-static bool __initdata opt_xen_shstk = true; +-#else +-#define opt_xen_shstk false +-#endif ++static int8_t __initdata opt_xen_shstk = -IS_ENABLED(CONFIG_XEN_SHSTK); + + #ifdef CONFIG_XEN_IBT + static bool __initdata opt_xen_ibt = true; +@@ -1104,11 +1100,45 @@ void __init noreturn __start_xen(unsigned long mbi_p) + early_cpu_init(); + + /* Choose shadow stack early, to set infrastructure up appropriately. */ +- if ( opt_xen_shstk && boot_cpu_has(X86_FEATURE_CET_SS) ) ++ if ( !boot_cpu_has(X86_FEATURE_CET_SS) ) ++ opt_xen_shstk = 0; ++ ++ if ( opt_xen_shstk ) + { +- printk("Enabling Supervisor Shadow Stacks\n"); ++ /* ++ * Some CPUs suffer from Shadow Stack Fracturing, an issue whereby a ++ * fault/VMExit/etc between setting a Supervisor Busy bit and the ++ * event delivery completing renders the operation non-restartable. ++ * On restart, event delivery will find the Busy bit already set. ++ * ++ * This is a problem on bare metal, but outside of synthetic cases or ++ * a very badly timed #MC, it's not believed to be a problem. It is a ++ * much bigger problem under virt, because we can VMExit for a number ++ * of legitimate reasons and tickle this bug. ++ * ++ * CPUs with this addressed enumerate CET-SSS to indicate that ++ * supervisor shadow stacks are now safe to use. ++ */ ++ bool cpu_has_bug_shstk_fracture = ++ boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && ++ !boot_cpu_has(X86_FEATURE_CET_SSS); + +- setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK); ++ /* ++ * On bare metal, assume that Xen won't be impacted by shstk ++ * fracturing problems. Under virt, be more conservative and disable ++ * shstk by default. 
++ */ ++ if ( opt_xen_shstk == -1 ) ++ opt_xen_shstk = ++ cpu_has_hypervisor ? !cpu_has_bug_shstk_fracture ++ : true; ++ ++ if ( opt_xen_shstk ) ++ { ++ printk("Enabling Supervisor Shadow Stacks\n"); ++ ++ setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK); ++ } + } + + if ( opt_xen_ibt && boot_cpu_has(X86_FEATURE_CET_IBT) ) +diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h +index f43cdcd0f9..08600cfdc7 100644 +--- a/xen/include/public/arch-x86/cpufeatureset.h ++++ b/xen/include/public/arch-x86/cpufeatureset.h +@@ -298,6 +298,7 @@ XEN_CPUFEATURE(MCDT_NO, 13*32+ 5) /*A MCDT_NO */ + /* Intel-defined CPU features, CPUID level 0x00000007:1.ecx, word 14 */ + + /* Intel-defined CPU features, CPUID level 0x00000007:1.edx, word 15 */ ++XEN_CPUFEATURE(CET_SSS, 15*32+18) /* CET Supervisor Shadow Stacks safe to use */ + + #endif /* XEN_CPUFEATURE */ + +-- +2.40.0 + diff --git a/0050-credit2-respect-credit2_runqueue-all-when-arranging-.patch b/0050-credit2-respect-credit2_runqueue-all-when-arranging-.patch new file mode 100644 index 0000000..0444aa9 --- /dev/null +++ b/0050-credit2-respect-credit2_runqueue-all-when-arranging-.patch 
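Review bot: In the `xen/arch/x86/setup.c` part of this patch, the case where the heuristic turns Shadow Stacks off (virtualised, Intel, CET-SSS not enumerated) leaves no trace in the boot log, so an operator cannot tell a deliberate downgrade of a hardening feature from missing hardware support. An `else` on the inner `if ( opt_xen_shstk )` would cover exactly that case, e.g. `else printk(XENLOG_INFO "Supervisor Shadow Stacks disabled: virtualised and CET-SSS not enumerated; cet=shstk overrides\n");`. Separately, the commit message names the bit as CPUID.7[1].ecx[18], while the libxl table entry, `str_7d1[18]`, the `cpuid_count(7, 1, ...)` call in `early_cpu_init()` and the featureset comment all place CET_SSS in EDX; the message should say edx. `__start_xen()` starts and ends outside the hunk.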
@@ -0,0 +1,69 @@ +From 74b76704fd4059e9133e84c1384501858e9663b7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= + +Date: Fri, 3 Mar 2023 07:57:39 +0100 +Subject: [PATCH 50/89] credit2: respect credit2_runqueue=all when arranging + runqueues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Documentation for credit2_runqueue=all says it should create one queue +for all pCPUs on the host. But since introduction +sched_credit2_max_cpus_runqueue, it actually created separate runqueue +per socket, even if the CPUs count is below +sched_credit2_max_cpus_runqueue. + +Adjust the condition to skip syblink check in case of +credit2_runqueue=all. + +Fixes: 8e2aa76dc167 ("xen: credit2: limit the max number of CPUs in a runqueue") +Signed-off-by: Marek Marczykowski-Górecki +Reviewed-by: Juergen Gross +master commit: 1f5747ee929fbbcae58d7234c6c38a77495d0cfe +master date: 2023-02-15 16:12:42 +0100 +--- + docs/misc/xen-command-line.pandoc | 5 +++++ + xen/common/sched/credit2.c | 9 +++++++-- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index 807ca51fb2..5be5ce10c6 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -726,6 +726,11 @@ Available alternatives, with their meaning, are: + * `all`: just one runqueue shared by all the logical pCPUs of + the host + ++Regardless of the above choice, Xen attempts to respect ++`sched_credit2_max_cpus_runqueue` limit, which may mean more than one runqueue ++for the `all` value. If that isn't intended, raise ++the `sched_credit2_max_cpus_runqueue` value. ++ + ### dbgp + > `= ehci[ | @pci:. ]` + > `= xhci[ | @pci:. 
][,share=|hwdom]` +diff --git a/xen/common/sched/credit2.c b/xen/common/sched/credit2.c +index 0e3f89e537..ae55feea34 100644 +--- a/xen/common/sched/credit2.c ++++ b/xen/common/sched/credit2.c +@@ -996,9 +996,14 @@ cpu_add_to_runqueue(const struct scheduler *ops, unsigned int cpu) + * + * Otherwise, let's try to make sure that siblings stay in the + * same runqueue, pretty much under any cinrcumnstances. ++ * ++ * Furthermore, try to respect credit2_runqueue=all, as long as ++ * max_cpus_runq isn't violated. + */ +- if ( rqd->refcnt < max_cpus_runq && (ops->cpupool->gran != SCHED_GRAN_cpu || +- cpu_runqueue_siblings_match(rqd, cpu, max_cpus_runq)) ) ++ if ( rqd->refcnt < max_cpus_runq && ++ (ops->cpupool->gran != SCHED_GRAN_cpu || ++ cpu_runqueue_siblings_match(rqd, cpu, max_cpus_runq) || ++ opt_runqueue == OPT_RUNQUEUE_ALL) ) + { + /* + * This runqueue is ok, but as we said, we also want an even +-- +2.40.0 + diff --git a/0050-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch b/0050-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch deleted file mode 100644 index 14a8e14..0000000 --- a/0050-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch +++ /dev/null 
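Review bot: In the `cpu_add_to_runqueue()` condition, the new `opt_runqueue == OPT_RUNQUEUE_ALL` test sits after the call to `cpu_runqueue_siblings_match()`, so the sibling check still runs for every candidate runqueue even when its result cannot matter. Putting the cheap comparison first lets `||` short-circuit it: `(ops->cpupool->gran != SCHED_GRAN_cpu || opt_runqueue == OPT_RUNQUEUE_ALL || cpu_runqueue_siblings_match(rqd, cpu, max_cpus_runq))`. This assumes the sibling check has no side effects, which is not visible here; the function body continues outside the hunk.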
@@ -1,101 +0,0 @@ -From 90320fd05991d7817cea85e1d45674b757abf03c Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Fri, 31 Mar 2023 08:39:32 +0200 -Subject: [PATCH 50/61] x86/nospec: Fix evaluate_nospec() code generation under - Clang -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It turns out that evaluate_nospec() code generation is not safe under Clang. -Given: - - void eval_nospec_test(int x) - { - if ( evaluate_nospec(x) ) - asm volatile ("nop #true" ::: "memory"); - else - asm volatile ("nop #false" ::: "memory"); - } - -Clang emits: - - : - 0f ae e8 lfence - 85 ff test %edi,%edi - 74 02 je - 90 nop - c3 ret - 90 nop - c3 ret - -which is not safe because the lfence has been hoisted above the conditional -jump. Clang concludes that both barrier_nospec_true()'s have identical side -effects and can safely be merged. - -Clang can be persuaded that the side effects are different if there are -different comments in the asm blocks. This is fragile, but no more fragile -that other aspects of this construct. - -Introduce barrier_nospec_false() with a separate internal comment to prevent -Clang merging it with barrier_nospec_true() despite the otherwise-identical -content. The generated code now becomes: - - : - 85 ff test %edi,%edi - 74 05 je - 0f ae e8 lfence - 90 nop - c3 ret - 0f ae e8 lfence - 90 nop - c3 ret - -which has the correct number of lfence's, and in the correct place. 
- -Link: https://github.com/llvm/llvm-project/issues/55084 -Signed-off-by: Andrew Cooper -Reviewed-by: Roger Pau Monné -Reviewed-by: Jan Beulich -master commit: bc3c133841435829ba5c0a48427e2a77633502ab -master date: 2023-03-24 12:16:31 +0000 ---- - xen/include/asm-x86/nospec.h | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h -index 5312ae4c6f..7150e76b87 100644 ---- a/xen/include/asm-x86/nospec.h -+++ b/xen/include/asm-x86/nospec.h -@@ -10,15 +10,26 @@ - static always_inline bool barrier_nospec_true(void) - { - #ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH -- alternative("lfence", "", X86_FEATURE_SC_NO_BRANCH_HARDEN); -+ alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_BRANCH_HARDEN); - #endif - return true; - } - -+static always_inline bool barrier_nospec_false(void) -+{ -+#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH -+ alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_BRANCH_HARDEN); -+#endif -+ return false; -+} -+ - /* Allow to protect evaluation of conditionals with respect to speculation */ - static always_inline bool evaluate_nospec(bool condition) - { -- return condition ? barrier_nospec_true() : !barrier_nospec_true(); -+ if ( condition ) -+ return barrier_nospec_true(); -+ else -+ return barrier_nospec_false(); - } - - /* Allow to block speculative execution in generic code */ --- -2.40.0 - diff --git a/0051-build-make-FILE-symbol-paths-consistent.patch b/0051-build-make-FILE-symbol-paths-consistent.patch new file mode 100644 index 0000000..47528c2 --- /dev/null +++ b/0051-build-make-FILE-symbol-paths-consistent.patch 
@@ -0,0 +1,42 @@ +From 46c104cce0bf340193cb1eacaee5dcd75e264c8f Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Fri, 3 Mar 2023 07:58:12 +0100 +Subject: [PATCH 51/89] build: make FILE symbol paths consistent + +The FILE symbols in out-of-tree builds may be either a relative path to +the object dir or an absolute path depending on how the build is +invoked. Fix the paths for C files so that they are consistent with +in-tree builds - the path is relative to the "xen" directory (e.g. +common/irq.c). + +This fixes livepatch builds when the original Xen build was out-of-tree +since livepatch-build always does in-tree builds. Note that this doesn't +fix the behaviour for Clang < 6 which always embeds full paths. + +Fixes: 7115fa562fe7 ("build: adding out-of-tree support to the xen build") +Signed-off-by: Ross Lagerwall +Reviewed-by: Jan Beulich +master commit: 5b9bb91abba7c983def3b4bef71ab08ad360a242 +master date: 2023-02-15 16:13:49 +0100 +--- + xen/Rules.mk | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xen/Rules.mk b/xen/Rules.mk +index 70b7489ea8..d6b7cec0a8 100644 +--- a/xen/Rules.mk ++++ b/xen/Rules.mk +@@ -228,8 +228,9 @@ quiet_cmd_cc_o_c = CC $@ + ifeq ($(CONFIG_ENFORCE_UNIQUE_SYMBOLS),y) + cmd_cc_o_c = $(CC) $(c_flags) -c $< -o $(dot-target).tmp -MQ $@ + ifneq ($(CONFIG_CC_IS_CLANG)$(call clang-ifversion,-lt,600,y),yy) ++ rel-path = $(patsubst $(abs_srctree)/%,%,$(call realpath,$(1))) + cmd_objcopy_fix_sym = \ +- $(OBJCOPY) --redefine-sym $( -Date: Fri, 31 Mar 2023 08:39:49 +0200 -Subject: [PATCH 51/61] x86/shadow: Fix build with no PG_log_dirty - -Gitlab Randconfig found: - - arch/x86/mm/shadow/common.c: In function 'shadow_prealloc': - arch/x86/mm/shadow/common.c:1023:18: error: implicit declaration of function - 'paging_logdirty_levels'; did you mean 'paging_log_dirty_init'? 
[-Werror=implicit-function-declaration] - 1023 | count += paging_logdirty_levels(); - | ^~~~~~~~~~~~~~~~~~~~~~ - | paging_log_dirty_init - arch/x86/mm/shadow/common.c:1023:18: error: nested extern declaration of 'paging_logdirty_levels' [-Werror=nested-externs] - -The '#if PG_log_dirty' expression is currently SHADOW_PAGING && !HVM && -PV_SHIM_EXCLUSIVE. Move the declaration outside. - -Fixes: 33fb3a661223 ("x86/shadow: account for log-dirty mode when pre-allocating") -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich -master commit: 6d14cb105b1c54ad7b4228d858ae85aa8a672bbd -master date: 2023-03-24 12:16:31 +0000 ---- - xen/include/asm-x86/paging.h | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/xen/include/asm-x86/paging.h b/xen/include/asm-x86/paging.h -index c6b429c691..43abaa5bd1 100644 ---- a/xen/include/asm-x86/paging.h -+++ b/xen/include/asm-x86/paging.h -@@ -154,6 +154,10 @@ struct paging_mode { - /***************************************************************************** - * Log dirty code */ - -+#define paging_logdirty_levels() \ -+ (DIV_ROUND_UP(PADDR_BITS - PAGE_SHIFT - (PAGE_SHIFT + 3), \ -+ PAGE_SHIFT - ilog2(sizeof(mfn_t))) + 1) -+ - #if PG_log_dirty - - /* get the dirty bitmap for a specific range of pfns */ -@@ -192,10 +196,6 @@ int paging_mfn_is_dirty(struct domain *d, mfn_t gmfn); - #define L4_LOGDIRTY_IDX(pfn) ((pfn_x(pfn) >> (PAGE_SHIFT + 3 + PAGETABLE_ORDER * 2)) & \ - (LOGDIRTY_NODE_ENTRIES-1)) - --#define paging_logdirty_levels() \ -- (DIV_ROUND_UP(PADDR_BITS - PAGE_SHIFT - (PAGE_SHIFT + 3), \ -- PAGE_SHIFT - ilog2(sizeof(mfn_t))) + 1) -- - #ifdef CONFIG_HVM - /* VRAM dirty tracking support */ - struct sh_dirty_vram { --- -2.40.0 - diff --git a/0052-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch b/0052-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch new file mode 100644 index 0000000..22a214b --- /dev/null +++ b/0052-x86-ucode-AMD-apply-the-patch-early-on-every-logical.patch 
@@ -0,0 +1,154 @@ +From e9a7942f6c1638c668605fbf6d6e02bc7bff2582 Mon Sep 17 00:00:00 2001 +From: Sergey Dyasli +Date: Fri, 3 Mar 2023 07:58:35 +0100 +Subject: [PATCH 52/89] x86/ucode/AMD: apply the patch early on every logical + thread + +The original issue has been reported on AMD Bulldozer-based CPUs where +ucode loading loses the LWP feature bit in order to gain the IBPB bit. +LWP disabling is per-SMT/CMT core modification and needs to happen on +each sibling thread despite the shared microcode engine. Otherwise, +logical CPUs will end up with different cpuid capabilities. +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216211 + +Guests running under Xen happen to be not affected because of levelling +logic for the feature masking/override MSRs which causes the LWP bit to +fall out and hides the issue. The latest recommendation from AMD, after +discussing this bug, is to load ucode on every logical CPU. + +In Linux kernel this issue has been addressed by e7ad18d1169c +("x86/microcode/AMD: Apply the patch early on every logical thread"). +Follow the same approach in Xen. + +Introduce SAME_UCODE match result and use it for early AMD ucode +loading. Take this opportunity and move opt_ucode_allow_same out of +compare_revisions() to the relevant callers and also modify the warning +message based on it. Intel's side of things is modified for consistency +but provides no functional change. 
+ +Signed-off-by: Sergey Dyasli +Reviewed-by: Jan Beulich +master commit: f4ef8a41b80831db2136bdaff9f946a1a4b051e7 +master date: 2023-02-21 15:08:05 +0100 +--- + xen/arch/x86/cpu/microcode/amd.c | 11 ++++++++--- + xen/arch/x86/cpu/microcode/core.c | 26 +++++++++++++++++--------- + xen/arch/x86/cpu/microcode/intel.c | 10 +++++++--- + xen/arch/x86/cpu/microcode/private.h | 3 ++- + 4 files changed, 34 insertions(+), 16 deletions(-) + +diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c +index 8195707ee1..ded8fe90e6 100644 +--- a/xen/arch/x86/cpu/microcode/amd.c ++++ b/xen/arch/x86/cpu/microcode/amd.c +@@ -176,8 +176,8 @@ static enum microcode_match_result compare_revisions( + if ( new_rev > old_rev ) + return NEW_UCODE; + +- if ( opt_ucode_allow_same && new_rev == old_rev ) +- return NEW_UCODE; ++ if ( new_rev == old_rev ) ++ return SAME_UCODE; + + return OLD_UCODE; + } +@@ -220,8 +220,13 @@ static int cf_check apply_microcode(const struct microcode_patch *patch) + unsigned int cpu = smp_processor_id(); + struct cpu_signature *sig = &per_cpu(cpu_sig, cpu); + uint32_t rev, old_rev = sig->rev; ++ enum microcode_match_result result = microcode_fits(patch); + +- if ( microcode_fits(patch) != NEW_UCODE ) ++ /* ++ * Allow application of the same revision to pick up SMT-specific changes ++ * even if the revision of the other SMT thread is already up-to-date. ++ */ ++ if ( result != NEW_UCODE && result != SAME_UCODE ) + return -EINVAL; + + if ( check_final_patch_levels(sig) ) +diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c +index 452a7ca773..57ecc5358b 100644 +--- a/xen/arch/x86/cpu/microcode/core.c ++++ b/xen/arch/x86/cpu/microcode/core.c +@@ -610,17 +610,25 @@ static long cf_check microcode_update_helper(void *data) + * that ucode revision. 
+ */ + spin_lock(µcode_mutex); +- if ( microcode_cache && +- alternative_call(ucode_ops.compare_patch, +- patch, microcode_cache) != NEW_UCODE ) ++ if ( microcode_cache ) + { +- spin_unlock(µcode_mutex); +- printk(XENLOG_WARNING "microcode: couldn't find any newer revision " +- "in the provided blob!\n"); +- microcode_free_patch(patch); +- ret = -ENOENT; ++ enum microcode_match_result result; + +- goto put; ++ result = alternative_call(ucode_ops.compare_patch, patch, ++ microcode_cache); ++ ++ if ( result != NEW_UCODE && ++ !(opt_ucode_allow_same && result == SAME_UCODE) ) ++ { ++ spin_unlock(µcode_mutex); ++ printk(XENLOG_WARNING ++ "microcode: couldn't find any newer%s revision in the provided blob!\n", ++ opt_ucode_allow_same ? " (or the same)" : ""); ++ microcode_free_patch(patch); ++ ret = -ENOENT; ++ ++ goto put; ++ } + } + spin_unlock(µcode_mutex); + +diff --git a/xen/arch/x86/cpu/microcode/intel.c b/xen/arch/x86/cpu/microcode/intel.c +index f5ba6d76d7..cb08f63d2e 100644 +--- a/xen/arch/x86/cpu/microcode/intel.c ++++ b/xen/arch/x86/cpu/microcode/intel.c +@@ -232,8 +232,8 @@ static enum microcode_match_result compare_revisions( + if ( new_rev > old_rev ) + return NEW_UCODE; + +- if ( opt_ucode_allow_same && new_rev == old_rev ) +- return NEW_UCODE; ++ if ( new_rev == old_rev ) ++ return SAME_UCODE; + + /* + * Treat pre-production as always applicable - anyone using pre-production +@@ -290,8 +290,12 @@ static int cf_check apply_microcode(const struct microcode_patch *patch) + unsigned int cpu = smp_processor_id(); + struct cpu_signature *sig = &this_cpu(cpu_sig); + uint32_t rev, old_rev = sig->rev; ++ enum microcode_match_result result; ++ ++ result = microcode_update_match(patch); + +- if ( microcode_update_match(patch) != NEW_UCODE ) ++ if ( result != NEW_UCODE && ++ !(opt_ucode_allow_same && result == SAME_UCODE) ) + return -EINVAL; + + wbinvd(); +diff --git a/xen/arch/x86/cpu/microcode/private.h b/xen/arch/x86/cpu/microcode/private.h +index 
c085a10268..feafab0677 100644 +--- a/xen/arch/x86/cpu/microcode/private.h ++++ b/xen/arch/x86/cpu/microcode/private.h +@@ -6,7 +6,8 @@ + extern bool opt_ucode_allow_same; + + enum microcode_match_result { +- OLD_UCODE, /* signature matched, but revision id is older or equal */ ++ OLD_UCODE, /* signature matched, but revision id is older */ ++ SAME_UCODE, /* signature matched, but revision id is the same */ + NEW_UCODE, /* signature matched, but revision id is newer */ + MIS_UCODE, /* signature mismatched */ + }; +-- +2.40.0 + diff --git a/0052-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch b/0052-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch deleted file mode 100644 index c408fbb..0000000 --- a/0052-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch +++ /dev/null 
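Review bot: `compare_revisions()` in both amd.c and intel.c no longer folds `opt_ucode_allow_same` into its result, so every caller of the compare/fits hooks now has to handle `SAME_UCODE` itself, yet the patch updates only the two `apply_microcode()` functions and the cache check in `microcode_update_helper()`. Any other site that tests for `NEW_UCODE` alone (none is visible in these hunks, so this needs checking against the full files) would start rejecting an equal-revision blob even when same-revision loading was requested. The AMD `apply_microcode()` also accepts `SAME_UCODE` unconditionally while the Intel one still requires `opt_ucode_allow_same`; the enum in private.h is the natural place to record that split, e.g. `SAME_UCODE, /* signature matched, revision equal; the caller decides whether to apply */`. The functions touched here continue outside the hunks.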
@@ -1,51 +0,0 @@
-From b1022b65de59828d40d9d71cc734a42c1c30c972 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper
-Date: Fri, 31 Mar 2023 08:40:27 +0200
-Subject: [PATCH 52/61] x86/vmx: Don't spuriously crash the domain when INIT is
- received
-
-In VMX operation, the handling of INIT IPIs is changed. Instead of the CPU
-resetting, the next VMEntry fails with EXIT_REASON_INIT. From the TXT spec,
-the intent of this behaviour is so that an entity which cares can scrub
-secrets from RAM before participating in an orderly shutdown.
-
-Right now, Xen's behaviour is that when an INIT arrives, the HVM VM which
-schedules next is killed (citing an unknown VMExit), *and* we ignore the INIT
-and continue blindly onwards anyway.
-
-This patch addresses only the first of these two problems by ignoring the INIT
-and continuing without crashing the VM in question.
-
-The second wants addressing too, just as soon as we've figured out something
-better to do...
-
-Discovered as collateral damage from when an AP triple faults on S3 resume on
-Intel TigerLake platforms.
-
-Link: https://github.com/QubesOS/qubes-issues/issues/7283
-Signed-off-by: Andrew Cooper
-Reviewed-by: Kevin Tian
-master commit: b1f11273d5a774cc88a3685c96c2e7cf6385e3b6
-master date: 2023-03-24 22:49:58 +0000
----
- xen/arch/x86/hvm/vmx/vmx.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
-index c8a839cd5e..cebe46ef6a 100644
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -4002,6 +4002,10 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
- case EXIT_REASON_MCE_DURING_VMENTRY:
- do_machine_check(regs);
- break;
-+
-+ case EXIT_REASON_INIT:
-+ printk(XENLOG_ERR "Error: INIT received - ignoring\n");
-+ return; /* Renter the guest without further processing */
- }
-
- /* Now enable interrupts so it's safe to take locks. */
---
-2.40.0
-
diff --git a/0053-x86-perform-mem_sharing-teardown-before-paging-teard.patch b/0053-x86-perform-mem_sharing-teardown-before-paging-teard.patch
new file mode 100644
index 0000000..934c0f5
--- /dev/null
+++ b/0053-x86-perform-mem_sharing-teardown-before-paging-teard.patch
@@ -0,0 +1,111 @@ +From e8f28e129d23c940749c66150a89c4ed683a0fb9 Mon Sep 17 00:00:00 2001 +From: Tamas K Lengyel +Date: Fri, 3 Mar 2023 07:59:08 +0100 +Subject: [PATCH 53/89] x86: perform mem_sharing teardown before paging + teardown + +An assert failure has been observed in p2m_teardown when performing vm +forking and then destroying the forked VM (p2m-basic.c:173). The assert +checks whether the domain's shared pages counter is 0. According to the +patch that originally added the assert (7bedbbb5c31) the p2m_teardown +should only happen after mem_sharing already relinquished all shared pages. + +In this patch we flip the order in which relinquish ops are called to avoid +tripping the assert. Conceptually sharing being torn down makes sense to +happen before paging is torn down. + +Fixes: e7aa55c0aab3 ("x86/p2m: free the paging memory pool preemptively") +Signed-off-by: Tamas K Lengyel +Reviewed-by: Jan Beulich +master commit: 2869349f0cb3a89dcbf1f1b30371f58df6309312 +master date: 2023-02-23 12:35:48 +0100 +--- + xen/arch/x86/domain.c | 56 ++++++++++++++++++++++--------------------- + 1 file changed, 29 insertions(+), 27 deletions(-) + +diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c +index 5a119eec3a..e546c98322 100644 +--- a/xen/arch/x86/domain.c ++++ b/xen/arch/x86/domain.c +@@ -2347,9 +2347,9 @@ int domain_relinquish_resources(struct domain *d) + + enum { + PROG_iommu_pagetables = 1, ++ PROG_shared, + PROG_paging, + PROG_vcpu_pagetables, +- PROG_shared, + PROG_xen, + PROG_l4, + PROG_l3, +@@ -2368,6 +2368,34 @@ int domain_relinquish_resources(struct domain *d) + if ( ret ) + return ret; + ++#ifdef CONFIG_MEM_SHARING ++ PROGRESS(shared): ++ ++ if ( is_hvm_domain(d) ) ++ { ++ /* ++ * If the domain has shared pages, relinquish them allowing ++ * for preemption. ++ */ ++ ret = relinquish_shared_pages(d); ++ if ( ret ) ++ return ret; ++ ++ /* ++ * If the domain is forked, decrement the parent's pause count ++ * and release the domain. 
++ */ ++ if ( mem_sharing_is_fork(d) ) ++ { ++ struct domain *parent = d->parent; ++ ++ d->parent = NULL; ++ domain_unpause(parent); ++ put_domain(parent); ++ } ++ } ++#endif ++ + PROGRESS(paging): + + /* Tear down paging-assistance stuff. */ +@@ -2408,32 +2436,6 @@ int domain_relinquish_resources(struct domain *d) + d->arch.auto_unmask = 0; + } + +-#ifdef CONFIG_MEM_SHARING +- PROGRESS(shared): +- +- if ( is_hvm_domain(d) ) +- { +- /* If the domain has shared pages, relinquish them allowing +- * for preemption. */ +- ret = relinquish_shared_pages(d); +- if ( ret ) +- return ret; +- +- /* +- * If the domain is forked, decrement the parent's pause count +- * and release the domain. +- */ +- if ( mem_sharing_is_fork(d) ) +- { +- struct domain *parent = d->parent; +- +- d->parent = NULL; +- domain_unpause(parent); +- put_domain(parent); +- } +- } +-#endif +- + spin_lock(&d->page_alloc_lock); + page_list_splice(&d->arch.relmem_list, &d->page_list); + INIT_PAGE_LIST_HEAD(&d->arch.relmem_list); +-- +2.40.0 + diff --git a/0053-x86-ucode-Fix-error-paths-control_thread_fn.patch b/0053-x86-ucode-Fix-error-paths-control_thread_fn.patch deleted file mode 100644 index 7bb2c27..0000000 --- a/0053-x86-ucode-Fix-error-paths-control_thread_fn.patch +++ /dev/null 
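Review bot: The ordering requirement this patch fixes is recorded only in the commit message; nothing in `domain_relinquish_resources()` says that `PROG_shared` has to run before `PROG_paging`, so a later reshuffle of the enum could bring the p2m_teardown assert back. I would add a comment on the enum entry, e.g. `PROG_shared, /* before PROG_paging: p2m teardown asserts that no shared pages remain */`. The moved block also clears `d->parent` and drops the parent reference earlier than before; whether anything in the paging or vCPU page-table teardown still consults the fork parent cannot be seen from this hunk and is worth confirming. The function body starts and ends outside the hunk.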
@@ -1,56 +0,0 @@
-From 0f81c5a2c8e0432d5af3d9f4e6398376cd514516 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper
-Date: Fri, 31 Mar 2023 08:40:56 +0200
-Subject: [PATCH 53/61] x86/ucode: Fix error paths control_thread_fn()
-
-These two early exits skipped re-enabling the watchdog, restoring the NMI
-callback, and clearing the nmi_patch global pointer. Always execute the tail
-of the function on the way out.
-
-Fixes: 8dd4dfa92d62 ("x86/microcode: Synchronize late microcode loading")
-Signed-off-by: Andrew Cooper
-Reviewed-by: Sergey Dyasli
-Reviewed-by: Jan Beulich
-master commit: fc2e1f3aad602a66c14b8285a1bd38a82f8fd02d
-master date: 2023-03-28 11:57:56 +0100
----
- xen/arch/x86/cpu/microcode/core.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
-index ee7df9a591..ad150e5963 100644
---- a/xen/arch/x86/cpu/microcode/core.c
-+++ b/xen/arch/x86/cpu/microcode/core.c
-@@ -488,10 +488,7 @@ static int control_thread_fn(const struct microcode_patch *patch)
- ret = wait_for_condition(wait_cpu_callin, num_online_cpus(),
- MICROCODE_CALLIN_TIMEOUT_US);
- if ( ret )
-- {
-- set_state(LOADING_EXIT);
-- return ret;
-- }
-+ goto out;
-
- /* Control thread loads ucode first while others are in NMI handler. */
- ret = microcode_ops->apply_microcode(patch);
-@@ -503,8 +500,7 @@ static int control_thread_fn(const struct microcode_patch *patch)
- {
- printk(XENLOG_ERR
- "Late loading aborted: CPU%u failed to update ucode\n", cpu);
-- set_state(LOADING_EXIT);
-- return ret;
-+ goto out;
- }
-
- /* Let primary threads load the given ucode update */
-@@ -535,6 +531,7 @@ static int control_thread_fn(const struct microcode_patch *patch)
- }
- }
-
-+ out:
- /* Mark loading is done to unblock other threads */
- set_state(LOADING_EXIT);
-
---
-2.40.0
-
diff --git a/0054-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch b/0054-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch
deleted file mode 100644
index 4973ae7..0000000
--- a/0054-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch
+++ /dev/null
@@ -1,543 +0,0 @@ -From d080287c2a8dce11baee1d7bbf9276757e8572e4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= -Date: Fri, 31 Mar 2023 08:41:27 +0200 -Subject: [PATCH 54/61] vpci/msix: handle accesses adjacent to the MSI-X table -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The handling of the MSI-X table accesses by Xen requires that any -pages part of the MSI-X related tables are not mapped into the domain -physmap. As a result, any device registers in the same pages as the -start or the end of the MSIX or PBA tables is not currently -accessible, as the accesses are just dropped. - -Note the spec forbids such placing of registers, as the MSIX and PBA -tables must be 4K isolated from any other registers: - -"If a Base Address register that maps address space for the MSI-X -Table or MSI-X PBA also maps other usable address space that is not -associated with MSI-X structures, locations (e.g., for CSRs) used in -the other address space must not share any naturally aligned 4-KB -address range with one where either MSI-X structure resides." - -Yet the 'Intel Wi-Fi 6 AX201' device on one of my boxes has registers -in the same page as the MSIX tables, and thus won't work on a PVH dom0 -without this fix. - -In order to cope with the behavior passthrough any accesses that fall -on the same page as the MSIX tables (but don't fall in between) to the -underlying hardware. Such forwarding also takes care of the PBA -accesses, so it allows to remove the code doing this handling in -msix_{read,write}. Note that as a result accesses to the PBA array -are no longer limited to 4 and 8 byte sizes, there's no access size -restriction for PBA accesses documented in the specification. 
- -Signed-off-by: Roger Pau Monné -Reviewed-by: Jan Beulich - -vpci/msix: restore PBA access length and alignment restrictions - -Accesses to the PBA array have the same length and alignment -limitations as accesses to the MSI-X table: - -"For all accesses to MSI-X Table and MSI-X PBA fields, software must -use aligned full DWORD or aligned full QWORD transactions; otherwise, -the result is undefined." - -Introduce such length and alignment checks into the handling of PBA -accesses for vPCI. This was a mistake of mine for not reading the -specification correctly. - -Note that accesses must now be aligned, and hence there's no longer a -need to check that the end of the access falls into the PBA region as -both the access and the region addresses must be aligned. - -Fixes: b177892d2d ('vpci/msix: handle accesses adjacent to the MSI-X table') -Reported-by: Jan Beulich -Signed-off-by: Roger Pau Monné -Reviewed-by: Jan Beulich -master commit: b177892d2d0e8a31122c218989f43130aeba5282 -master date: 2023-03-28 14:20:35 +0200 -master commit: 7a502b4fbc339e9d3d3d45fb37f09da06bc3081c -master date: 2023-03-29 14:56:33 +0200 ---- - xen/drivers/vpci/msix.c | 357 +++++++++++++++++++++++++++++----------- - xen/drivers/vpci/vpci.c | 7 +- - xen/include/xen/vpci.h | 8 +- - 3 files changed, 275 insertions(+), 97 deletions(-) - -diff --git a/xen/drivers/vpci/msix.c b/xen/drivers/vpci/msix.c -index ea5d73a02a..7e1bfb2f0a 100644 ---- a/xen/drivers/vpci/msix.c -+++ b/xen/drivers/vpci/msix.c -@@ -27,6 +27,11 @@ - ((addr) >= vmsix_table_addr(vpci, nr) && \ - (addr) < vmsix_table_addr(vpci, nr) + vmsix_table_size(vpci, nr)) - -+#define VMSIX_ADDR_SAME_PAGE(addr, vpci, nr) \ -+ (PFN_DOWN(addr) >= PFN_DOWN(vmsix_table_addr(vpci, nr)) && \ -+ PFN_DOWN(addr) <= PFN_DOWN(vmsix_table_addr(vpci, nr) + \ -+ vmsix_table_size(vpci, nr) - 1)) -+ - static uint32_t control_read(const struct pci_dev *pdev, unsigned int reg, - void *data) - { -@@ -149,7 +154,7 @@ static struct vpci_msix *msix_find(const 
struct domain *d, unsigned long addr) - - for ( i = 0; i < ARRAY_SIZE(msix->tables); i++ ) - if ( bars[msix->tables[i] & PCI_MSIX_BIRMASK].enabled && -- VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, i) ) -+ VMSIX_ADDR_SAME_PAGE(addr, msix->pdev->vpci, i) ) - return msix; - } - -@@ -182,36 +187,172 @@ static struct vpci_msix_entry *get_entry(struct vpci_msix *msix, - return &msix->entries[(addr - start) / PCI_MSIX_ENTRY_SIZE]; - } - --static void __iomem *get_pba(struct vpci *vpci) -+static void __iomem *get_table(struct vpci *vpci, unsigned int slot) - { - struct vpci_msix *msix = vpci->msix; -+ paddr_t addr = 0; -+ -+ ASSERT(spin_is_locked(&vpci->lock)); -+ -+ if ( likely(msix->table[slot]) ) -+ return msix->table[slot]; -+ -+ switch ( slot ) -+ { -+ case VPCI_MSIX_TBL_TAIL: -+ addr = vmsix_table_size(vpci, VPCI_MSIX_TABLE); -+ fallthrough; -+ case VPCI_MSIX_TBL_HEAD: -+ addr += vmsix_table_addr(vpci, VPCI_MSIX_TABLE); -+ break; -+ -+ case VPCI_MSIX_PBA_TAIL: -+ addr = vmsix_table_size(vpci, VPCI_MSIX_PBA); -+ fallthrough; -+ case VPCI_MSIX_PBA_HEAD: -+ addr += vmsix_table_addr(vpci, VPCI_MSIX_PBA); -+ break; -+ -+ default: -+ ASSERT_UNREACHABLE(); -+ return NULL; -+ } -+ -+ msix->table[slot] = ioremap(round_pgdown(addr), PAGE_SIZE); -+ -+ return msix->table[slot]; -+} -+ -+unsigned int get_slot(const struct vpci *vpci, unsigned long addr) -+{ -+ unsigned long pfn = PFN_DOWN(addr); -+ - /* -- * PBA will only be unmapped when the device is deassigned, so access it -- * without holding the vpci lock. -+ * The logic below relies on having the tables identity mapped to the guest -+ * address space, or for the `addr` parameter to be translated into its -+ * host physical memory address equivalent. 
- */ -- void __iomem *pba = read_atomic(&msix->pba); - -- if ( likely(pba) ) -- return pba; -+ if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_TABLE)) ) -+ return VPCI_MSIX_TBL_HEAD; -+ if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_TABLE) + -+ vmsix_table_size(vpci, VPCI_MSIX_TABLE) - 1) ) -+ return VPCI_MSIX_TBL_TAIL; -+ if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_PBA)) ) -+ return VPCI_MSIX_PBA_HEAD; -+ if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_PBA) + -+ vmsix_table_size(vpci, VPCI_MSIX_PBA) - 1) ) -+ return VPCI_MSIX_PBA_TAIL; -+ -+ ASSERT_UNREACHABLE(); -+ return -1; -+} -+ -+static bool adjacent_handle(const struct vpci_msix *msix, unsigned long addr) -+{ -+ unsigned int i; -+ -+ if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_PBA) ) -+ return true; -+ -+ if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_TABLE) ) -+ return false; -+ -+ for ( i = 0; i < ARRAY_SIZE(msix->tables); i++ ) -+ if ( VMSIX_ADDR_SAME_PAGE(addr, msix->pdev->vpci, i) ) -+ return true; -+ -+ return false; -+} -+ -+static int adjacent_read(const struct domain *d, const struct vpci_msix *msix, -+ unsigned long addr, unsigned int len, -+ unsigned long *data) -+{ -+ const void __iomem *mem; -+ struct vpci *vpci = msix->pdev->vpci; -+ unsigned int slot; -+ -+ *data = ~0ul; -+ -+ if ( !adjacent_handle(msix, addr + len - 1) ) -+ return X86EMUL_OKAY; -+ -+ if ( VMSIX_ADDR_IN_RANGE(addr, vpci, VPCI_MSIX_PBA) && -+ !access_allowed(msix->pdev, addr, len) ) -+ /* PBA accesses must be aligned and 4 or 8 bytes in size. 
*/ -+ return X86EMUL_OKAY; -+ -+ slot = get_slot(vpci, addr); -+ if ( slot >= ARRAY_SIZE(msix->table) ) -+ return X86EMUL_OKAY; -+ -+ if ( unlikely(!IS_ALIGNED(addr, len)) ) -+ { -+ unsigned int i; - -- pba = ioremap(vmsix_table_addr(vpci, VPCI_MSIX_PBA), -- vmsix_table_size(vpci, VPCI_MSIX_PBA)); -- if ( !pba ) -- return read_atomic(&msix->pba); -+ gprintk(XENLOG_DEBUG, "%pp: unaligned read to MSI-X related page\n", -+ &msix->pdev->sbdf); -+ -+ /* -+ * Split unaligned accesses into byte sized ones. Shouldn't happen in -+ * the first place, but devices shouldn't have registers in the same 4K -+ * page as the MSIX tables either. -+ * -+ * It's unclear whether this could cause issues if a guest expects -+ * registers to be accessed atomically, it better use an aligned access -+ * if it has such expectations. -+ */ -+ for ( i = 0; i < len; i++ ) -+ { -+ unsigned long partial = ~0ul; -+ int rc = adjacent_read(d, msix, addr + i, 1, &partial); -+ -+ if ( rc != X86EMUL_OKAY ) -+ return rc; -+ -+ *data &= ~(0xfful << (i * 8)); -+ *data |= (partial & 0xff) << (i * 8); -+ } -+ -+ return X86EMUL_OKAY; -+ } - - spin_lock(&vpci->lock); -- if ( !msix->pba ) -+ mem = get_table(vpci, slot); -+ if ( !mem ) - { -- write_atomic(&msix->pba, pba); - spin_unlock(&vpci->lock); -+ gprintk(XENLOG_WARNING, -+ "%pp: unable to map MSI-X page, returning all bits set\n", -+ &msix->pdev->sbdf); -+ return X86EMUL_OKAY; - } -- else -+ -+ switch ( len ) - { -- spin_unlock(&vpci->lock); -- iounmap(pba); -+ case 1: -+ *data = readb(mem + PAGE_OFFSET(addr)); -+ break; -+ -+ case 2: -+ *data = readw(mem + PAGE_OFFSET(addr)); -+ break; -+ -+ case 4: -+ *data = readl(mem + PAGE_OFFSET(addr)); -+ break; -+ -+ case 8: -+ *data = readq(mem + PAGE_OFFSET(addr)); -+ break; -+ -+ default: -+ ASSERT_UNREACHABLE(); - } -+ spin_unlock(&vpci->lock); - -- return read_atomic(&msix->pba); -+ return X86EMUL_OKAY; - } - - static int msix_read(struct vcpu *v, unsigned long addr, unsigned int len, -@@ -227,47 +368,11 @@ 
static int msix_read(struct vcpu *v, unsigned long addr, unsigned int len, - if ( !msix ) - return X86EMUL_RETRY; - -- if ( !access_allowed(msix->pdev, addr, len) ) -- return X86EMUL_OKAY; -- -- if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_PBA) ) -- { -- struct vpci *vpci = msix->pdev->vpci; -- unsigned int idx = addr - vmsix_table_addr(vpci, VPCI_MSIX_PBA); -- const void __iomem *pba = get_pba(vpci); -- -- /* -- * Access to PBA. -- * -- * TODO: note that this relies on having the PBA identity mapped to the -- * guest address space. If this changes the address will need to be -- * translated. -- */ -- if ( !pba ) -- { -- gprintk(XENLOG_WARNING, -- "%pp: unable to map MSI-X PBA, report all pending\n", -- &msix->pdev->sbdf); -- return X86EMUL_OKAY; -- } -- -- switch ( len ) -- { -- case 4: -- *data = readl(pba + idx); -- break; -- -- case 8: -- *data = readq(pba + idx); -- break; -- -- default: -- ASSERT_UNREACHABLE(); -- break; -- } -+ if ( adjacent_handle(msix, addr) ) -+ return adjacent_read(d, msix, addr, len, data); - -+ if ( !access_allowed(msix->pdev, addr, len) ) - return X86EMUL_OKAY; -- } - - spin_lock(&msix->pdev->vpci->lock); - entry = get_entry(msix, addr); -@@ -303,57 +408,103 @@ static int msix_read(struct vcpu *v, unsigned long addr, unsigned int len, - return X86EMUL_OKAY; - } - --static int msix_write(struct vcpu *v, unsigned long addr, unsigned int len, -- unsigned long data) -+static int adjacent_write(const struct domain *d, const struct vpci_msix *msix, -+ unsigned long addr, unsigned int len, -+ unsigned long data) - { -- const struct domain *d = v->domain; -- struct vpci_msix *msix = msix_find(d, addr); -- struct vpci_msix_entry *entry; -- unsigned int offset; -+ void __iomem *mem; -+ struct vpci *vpci = msix->pdev->vpci; -+ unsigned int slot; - -- if ( !msix ) -- return X86EMUL_RETRY; -+ if ( !adjacent_handle(msix, addr + len - 1) ) -+ return X86EMUL_OKAY; - -- if ( !access_allowed(msix->pdev, addr, len) ) -+ /* -+ * Only check 
start and end of the access because the size of the PBA is -+ * assumed to be equal or bigger (8 bytes) than the length of any access -+ * handled here. -+ */ -+ if ( VMSIX_ADDR_IN_RANGE(addr, vpci, VPCI_MSIX_PBA) && -+ (!access_allowed(msix->pdev, addr, len) || !is_hardware_domain(d)) ) -+ /* Ignore writes to PBA for DomUs, it's undefined behavior. */ - return X86EMUL_OKAY; - -- if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_PBA) ) -- { -- /* Ignore writes to PBA for DomUs, it's behavior is undefined. */ -- if ( is_hardware_domain(d) ) -- { -- struct vpci *vpci = msix->pdev->vpci; -- unsigned int idx = addr - vmsix_table_addr(vpci, VPCI_MSIX_PBA); -- const void __iomem *pba = get_pba(vpci); -+ slot = get_slot(vpci, addr); -+ if ( slot >= ARRAY_SIZE(msix->table) ) -+ return X86EMUL_OKAY; - -- if ( !pba ) -- { -- /* Unable to map the PBA, ignore write. */ -- gprintk(XENLOG_WARNING, -- "%pp: unable to map MSI-X PBA, write ignored\n", -- &msix->pdev->sbdf); -- return X86EMUL_OKAY; -- } -+ if ( unlikely(!IS_ALIGNED(addr, len)) ) -+ { -+ unsigned int i; - -- switch ( len ) -- { -- case 4: -- writel(data, pba + idx); -- break; -+ gprintk(XENLOG_DEBUG, "%pp: unaligned write to MSI-X related page\n", -+ &msix->pdev->sbdf); - -- case 8: -- writeq(data, pba + idx); -- break; -+ for ( i = 0; i < len; i++ ) -+ { -+ int rc = adjacent_write(d, msix, addr + i, 1, data >> (i * 8)); - -- default: -- ASSERT_UNREACHABLE(); -- break; -- } -+ if ( rc != X86EMUL_OKAY ) -+ return rc; - } - - return X86EMUL_OKAY; - } - -+ spin_lock(&vpci->lock); -+ mem = get_table(vpci, slot); -+ if ( !mem ) -+ { -+ spin_unlock(&vpci->lock); -+ gprintk(XENLOG_WARNING, -+ "%pp: unable to map MSI-X page, dropping write\n", -+ &msix->pdev->sbdf); -+ return X86EMUL_OKAY; -+ } -+ -+ switch ( len ) -+ { -+ case 1: -+ writeb(data, mem + PAGE_OFFSET(addr)); -+ break; -+ -+ case 2: -+ writew(data, mem + PAGE_OFFSET(addr)); -+ break; -+ -+ case 4: -+ writel(data, mem + PAGE_OFFSET(addr)); -+ break; -+ 
-+ case 8: -+ writeq(data, mem + PAGE_OFFSET(addr)); -+ break; -+ -+ default: -+ ASSERT_UNREACHABLE(); -+ } -+ spin_unlock(&vpci->lock); -+ -+ return X86EMUL_OKAY; -+} -+ -+static int msix_write(struct vcpu *v, unsigned long addr, unsigned int len, -+ unsigned long data) -+{ -+ const struct domain *d = v->domain; -+ struct vpci_msix *msix = msix_find(d, addr); -+ struct vpci_msix_entry *entry; -+ unsigned int offset; -+ -+ if ( !msix ) -+ return X86EMUL_RETRY; -+ -+ if ( adjacent_handle(msix, addr) ) -+ return adjacent_write(d, msix, addr, len, data); -+ -+ if ( !access_allowed(msix->pdev, addr, len) ) -+ return X86EMUL_OKAY; -+ - spin_lock(&msix->pdev->vpci->lock); - entry = get_entry(msix, addr); - offset = addr & (PCI_MSIX_ENTRY_SIZE - 1); -@@ -482,6 +633,26 @@ int vpci_make_msix_hole(const struct pci_dev *pdev) - } - } - -+ if ( is_hardware_domain(d) ) -+ { -+ /* -+ * For dom0 only: remove any hypervisor mappings of the MSIX or PBA -+ * related areas, as dom0 is capable of moving the position of the BARs -+ * in the host address space. -+ * -+ * We rely on being called with the vPCI lock held once the domain is -+ * running, so the maps are not in use. -+ */ -+ for ( i = 0; i < ARRAY_SIZE(pdev->vpci->msix->table); i++ ) -+ if ( pdev->vpci->msix->table[i] ) -+ { -+ /* If there are any maps, the domain must be running. 
*/
-+ ASSERT(spin_is_locked(&pdev->vpci->lock));
-+ iounmap(pdev->vpci->msix->table[i]);
-+ pdev->vpci->msix->table[i] = NULL;
-+ }
-+ }
-+
- return 0;
- }
-
-diff --git a/xen/drivers/vpci/vpci.c b/xen/drivers/vpci/vpci.c
-index b9339f8f3e..60b5f45cd1 100644
---- a/xen/drivers/vpci/vpci.c
-+++ b/xen/drivers/vpci/vpci.c
-@@ -53,9 +53,12 @@ void vpci_remove_device(struct pci_dev *pdev)
- spin_unlock(&pdev->vpci->lock);
- if ( pdev->vpci->msix )
- {
-+ unsigned int i;
-+
- list_del(&pdev->vpci->msix->next);
-- if ( pdev->vpci->msix->pba )
-- iounmap(pdev->vpci->msix->pba);
-+ for ( i = 0; i < ARRAY_SIZE(pdev->vpci->msix->table); i++ )
-+ if ( pdev->vpci->msix->table[i] )
-+ iounmap(pdev->vpci->msix->table[i]);
- }
- xfree(pdev->vpci->msix);
- xfree(pdev->vpci->msi);
-diff --git a/xen/include/xen/vpci.h b/xen/include/xen/vpci.h
-index 755b4fd5c8..3326d9026e 100644
---- a/xen/include/xen/vpci.h
-+++ b/xen/include/xen/vpci.h
-@@ -129,8 +129,12 @@ struct vpci {
- bool enabled : 1;
- /* Masked? */
- bool masked : 1;
-- /* PBA map */
-- void __iomem *pba;
-+ /* Partial table map. */
-+#define VPCI_MSIX_TBL_HEAD 0
-+#define VPCI_MSIX_TBL_TAIL 1
-+#define VPCI_MSIX_PBA_HEAD 2
-+#define VPCI_MSIX_PBA_TAIL 3
-+ void __iomem *table[4];
- /* Entries. */
- struct vpci_msix_entry {
- uint64_t addr;
---
-2.40.0
-
diff --git a/0054-xen-Work-around-Clang-IAS-macro-expansion-bug.patch b/0054-xen-Work-around-Clang-IAS-macro-expansion-bug.patch
new file mode 100644
index 0000000..525dc49
--- /dev/null
+++ b/0054-xen-Work-around-Clang-IAS-macro-expansion-bug.patch
@@ -0,0 +1,109 @@
+From 837bdc6eb2df796e832302347f363afc820694fe Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Fri, 3 Mar 2023 08:00:04 +0100
+Subject: [PATCH 54/89] xen: Work around Clang-IAS macro \@ expansion bug
+
+https://github.com/llvm/llvm-project/issues/60792
+
+It turns out that Clang-IAS does not expand \@ uniquely in a translaition
+unit, and the XSA-426 change tickles this bug:
+
+ :4:1: error: invalid symbol redefinition
+ .L1_fill_rsb_loop:
+ ^
+ make[3]: *** [Rules.mk:247: arch/x86/acpi/cpu_idle.o] Error 1
+
+Extend DO_OVERWRITE_RSB with an optional parameter so C callers can mix %= in
+too, which Clang does seem to expand properly.
+
+Fixes: 63305e5392ec ("x86/spec-ctrl: Mitigate Cross-Thread Return Address Predictions")
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+master commit: a2adacff0b91cc7b977abb209dc419a2ef15963f
+master date: 2023-02-24 17:44:29 +0000
+---
+ xen/arch/x86/include/asm/spec_ctrl.h | 4 ++--
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 19 ++++++++++++-------
+ 2 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h
+index 391973ef6a..a431fea587 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl.h
++++ b/xen/arch/x86/include/asm/spec_ctrl.h
+@@ -83,7 +83,7 @@ static always_inline void spec_ctrl_new_guest_context(void)
+ wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB);
+
+ /* (ab)use alternative_input() to specify clobbers. */
+- alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET,
++ alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_BUG_IBPB_NO_RET,
+ : "rax", "rcx");
+ }
+
+@@ -172,7 +172,7 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info)
+ *
+ * (ab)use alternative_input() to specify clobbers.
+ */
+- alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE,
++ alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_FEATURE_SC_RSB_IDLE,
+ : "rax", "rcx");
+ }
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index fab27ff553..f23bb105c5 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -117,11 +117,16 @@
+ .L\@_done:
+ .endm
+
+-.macro DO_OVERWRITE_RSB tmp=rax
++.macro DO_OVERWRITE_RSB tmp=rax xu
+ /*
+ * Requires nothing
+ * Clobbers \tmp (%rax by default), %rcx
+ *
++ * xu is an optional parameter to add eXtra Uniqueness. It is intended for
++ * passing %= in from an asm() block, in order to work around
++ * https://github.com/llvm/llvm-project/issues/60792 where Clang-IAS doesn't
++ * expand \@ uniquely.
++ *
+ * Requires 256 bytes of {,shadow}stack space, but %rsp/SSP has no net
+ * change. Based on Google's performance numbers, the loop is unrolled to 16
+ * iterations and two calls per iteration.
+@@ -136,27 +141,27 @@
+ mov $16, %ecx /* 16 iterations, two calls per loop */
+ mov %rsp, %\tmp /* Store the current %rsp */
+
+-.L\@_fill_rsb_loop:
++.L\@_fill_rsb_loop\xu:
+
+ .irp n, 1, 2 /* Unrolled twice. */
+- call .L\@_insert_rsb_entry_\n /* Create an RSB entry. */
++ call .L\@_insert_rsb_entry\xu\n /* Create an RSB entry. */
+ int3 /* Halt rogue speculation. */
+
+-.L\@_insert_rsb_entry_\n:
++.L\@_insert_rsb_entry\xu\n:
+ .endr
+
+ sub $1, %ecx
+- jnz .L\@_fill_rsb_loop
++ jnz .L\@_fill_rsb_loop\xu
+ mov %\tmp, %rsp /* Restore old %rsp */
+
+ #ifdef CONFIG_XEN_SHSTK
+ mov $1, %ecx
+ rdsspd %ecx
+ cmp $1, %ecx
+- je .L\@_shstk_done
++ je .L\@_shstk_done\xu
+ mov $64, %ecx /* 64 * 4 bytes, given incsspd */
+ incsspd %ecx /* Restore old SSP */
+-.L\@_shstk_done:
++.L\@_shstk_done\xu:
+ #endif
+ .endm
+
+--
+2.40.0
+
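Review bot: The two C call sites in spec_ctrl.h, spec_ctrl_new_guest_context() and spec_ctrl_enter_idle(), now pass `xu=%=` inside the alternative string, but the comment above them still explains only the clobber trick, so nothing at the call site says why the argument is there. A later cleanup that drops it, or a new asm() user of DO_OVERWRITE_RSB that omits it, would presumably bring back the duplicate-label build failure under Clang-IAS that the commit message quotes. I would add `/* xu=%= keeps the macro's local labels unique under Clang-IAS, see DO_OVERWRITE_RSB. */` at both sites. The rationale is currently written down only in the macro header in spec_ctrl_asm.h, and both functions continue outside the inner hunks.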
diff --git a/0055-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch b/0055-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch
deleted file mode 100644
index 9c05f3a..0000000
--- a/0055-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 06264af090ac69a95cdadbc261cc82d964dcb568 Mon Sep 17 00:00:00 2001
-From: Jan Beulich
-Date: Fri, 31 Mar 2023 08:42:02 +0200
-Subject: [PATCH 55/61] ns16550: correct name/value pair parsing for PCI
- port/bridge
-
-First of all these were inverted: "bridge=" caused the port coordinates
-to be established, while "port=" controlled the bridge coordinates. And
-then the error messages being identical also wasn't helpful. While
-correcting this also move both case blocks close together.
-
-Fixes: 97fd49a7e074 ("ns16550: add support for UART parameters to be specifed with name-value pairs")
-Signed-off-by: Jan Beulich
-Acked-by: Andrew Cooper
-master commit: e692b22230b411d762ac9e278a398e28df474eae
-master date: 2023-03-29 14:55:37 +0200
----
- xen/drivers/char/ns16550.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c
-index 5dd4d723f5..3651e0c0d4 100644
---- a/xen/drivers/char/ns16550.c
-+++ b/xen/drivers/char/ns16550.c
-@@ -1536,13 +1536,6 @@ static bool __init parse_namevalue_pairs(char *str, struct ns16550 *uart)
- break;
-
- #ifdef CONFIG_HAS_PCI
-- case bridge_bdf:
-- if ( !parse_pci(param_value, NULL, &uart->ps_bdf[0],
-- &uart->ps_bdf[1], &uart->ps_bdf[2]) )
-- PARSE_ERR_RET("Bad port PCI coordinates\n");
-- uart->ps_bdf_enable = true;
-- break;
--
- case device:
- if ( strncmp(param_value, "pci", 3) == 0 )
- {
-@@ -1557,9 +1550,16 @@ static bool __init parse_namevalue_pairs(char *str, struct ns16550 *uart)
- break;
-
- case port_bdf:
-+ if ( !parse_pci(param_value, NULL, &uart->ps_bdf[0],
-+ &uart->ps_bdf[1], &uart->ps_bdf[2]) )
-+ PARSE_ERR_RET("Bad port PCI coordinates\n");
-+ uart->ps_bdf_enable = true;
-+ break;
-+
-+ case bridge_bdf:
- if ( !parse_pci(param_value, NULL, &uart->pb_bdf[0],
- &uart->pb_bdf[1], &uart->pb_bdf[2]) )
-- PARSE_ERR_RET("Bad port PCI coordinates\n");
-+ PARSE_ERR_RET("Bad bridge PCI coordinates\n");
- uart->pb_bdf_enable = true;
- break;
- #endif
---
-2.40.0
-
diff --git a/0055-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch b/0055-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch
new file mode 100644
index 0000000..02755a9
--- /dev/null
+++ b/0055-xen-Fix-Clang-Wunicode-diagnostic-when-building-asm-.patch
@@ -0,0 +1,83 @@
+From b10cf1561a638c835481ae923b571cb8f7350a89 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Fri, 3 Mar 2023 08:01:21 +0100
+Subject: [PATCH 55/89] xen: Fix Clang -Wunicode diagnostic when building
+ asm-macros
+
+While trying to work around a different Clang-IAS bug (parent changeset), I
+stumbled onto:
+
+ In file included from arch/x86/asm-macros.c:3:
+ ./arch/x86/include/asm/spec_ctrl_asm.h:144:19: error: \u used with
+ no following hex digits; treating as '\' followed by identifier [-Werror,-Wunicode]
+ .L\@_fill_rsb_loop\uniq:
+ ^
+
+It turns out that Clang -E is sensitive to the file extension of the source
+file it is processing. Furthermore, C explicitly permits the use of \u
+escapes in identifier names, so the diagnostic would be reasonable in
+principle if we trying to compile the result.
+
+asm-macros should really have been .S from the outset, as it is ultimately
+generating assembly, not C. Rename it, which causes Clang not to complain.
+
+We need to introduce rules for generating a .i file from .S, and substituting
+c_flags for a_flags lets us drop the now-redundant -D__ASSEMBLY__.
+
+No functional change.
+
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+master commit: 53f0d02040b1df08f0589f162790ca376e1c2040
+master date: 2023-02-24 17:44:29 +0000
+---
+ xen/Rules.mk | 6 ++++++
+ xen/arch/x86/Makefile | 2 +-
+ xen/arch/x86/{asm-macros.c => asm-macros.S} | 0
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+ rename xen/arch/x86/{asm-macros.c => asm-macros.S} (100%)
+
+diff --git a/xen/Rules.mk b/xen/Rules.mk
+index d6b7cec0a8..59072ae8df 100644
+--- a/xen/Rules.mk
++++ b/xen/Rules.mk
+@@ -273,6 +273,9 @@ $(filter %.init.o,$(obj-y) $(obj-bin-y) $(extra-y)): $(obj)/%.init.o: $(obj)/%.o
+ quiet_cmd_cpp_i_c = CPP $@
+ cmd_cpp_i_c = $(CPP) $(call cpp_flags,$(c_flags)) -MQ $@ -o $@ $<
+
++quiet_cmd_cpp_i_S = CPP $@
++cmd_cpp_i_S = $(CPP) $(call cpp_flags,$(a_flags)) -MQ $@ -o $@ $<
++
+ quiet_cmd_cc_s_c = CC $@
+ cmd_cc_s_c = $(CC) $(filter-out -Wa$(comma)%,$(c_flags)) -S $< -o $@
+
+@@ -282,6 +285,9 @@ cmd_cpp_s_S = $(CPP) $(call cpp_flags,$(a_flags)) -MQ $@ -o $@ $<
+ $(obj)/%.i: $(src)/%.c FORCE
+ $(call if_changed_dep,cpp_i_c)
+
++$(obj)/%.i: $(src)/%.S FORCE
++ $(call if_changed_dep,cpp_i_S)
++
+ $(obj)/%.s: $(src)/%.c FORCE
+ $(call if_changed_dep,cc_s_c)
+
+diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
+index 177a2ff742..5accbe4c67 100644
+--- a/xen/arch/x86/Makefile
++++ b/xen/arch/x86/Makefile
+@@ -240,7 +240,7 @@ $(obj)/efi/buildid.o $(obj)/efi/relocs-dummy.o: ;
+ .PHONY: include
+ include: $(objtree)/arch/x86/include/asm/asm-macros.h
+
+-$(obj)/asm-macros.i: CFLAGS-y += -D__ASSEMBLY__ -P
++$(obj)/asm-macros.i: CFLAGS-y += -P
+
+ $(objtree)/arch/x86/include/asm/asm-macros.h: $(obj)/asm-macros.i $(src)/Makefile
+ $(call filechk,asm-macros.h)
+diff --git a/xen/arch/x86/asm-macros.c b/xen/arch/x86/asm-macros.S
+similarity index 100%
+rename from xen/arch/x86/asm-macros.c
+rename to xen/arch/x86/asm-macros.S
+--
+2.40.0
+
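Review bot: In xen/arch/x86/Makefile the target-specific line `$(obj)/asm-macros.i: CFLAGS-y += -P` still appends to CFLAGS-y, while the new `%.i: %.S` rule in Rules.mk preprocesses with `a_flags` rather than `c_flags`. Whether `a_flags` picks up CFLAGS-y is not visible in these hunks; if it did not, `-P` would be dropped without any error and linemarkers would end up in the generated asm-macros.h. Please confirm that it does, and consider a one-line comment above the assignment such as `# -P: no linemarkers, the .i output becomes asm-macros.h; CFLAGS-y is expected to reach a_flags`.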
diff --git a/0056-bump-default-SeaBIOS-version-to-1.16.0.patch b/0056-bump-default-SeaBIOS-version-to-1.16.0.patch
deleted file mode 100644
index 37d9b67..0000000
--- a/0056-bump-default-SeaBIOS-version-to-1.16.0.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 2a4d327387601b60c9844a5b0cc44de28792ea52 Mon Sep 17 00:00:00 2001
-From: Jan Beulich
-Date: Fri, 6 May 2022 14:46:52 +0200
-Subject: [PATCH 56/61] bump default SeaBIOS version to 1.16.0
-
-Signed-off-by: Jan Beulich
-Acked-by: Julien Grall
-(cherry picked from commit 944e389daa133dd310d87c4eebacba9f6da76018)
----
- Config.mk | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Config.mk b/Config.mk
-index 1215c2725b..073715c28d 100644
---- a/Config.mk
-+++ b/Config.mk
-@@ -241,7 +241,7 @@ OVMF_UPSTREAM_REVISION ?= 7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5
- QEMU_UPSTREAM_REVISION ?= qemu-xen-4.16.3
- MINIOS_UPSTREAM_REVISION ?= xen-RELEASE-4.16.3
-
--SEABIOS_UPSTREAM_REVISION ?= rel-1.14.0
-+SEABIOS_UPSTREAM_REVISION ?= rel-1.16.0
-
- ETHERBOOT_NICS ?= rtl8139 8086100e
-
---
-2.40.0
-
diff --git a/0056-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch b/0056-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch
new file mode 100644
index 0000000..59cc172
--- /dev/null
+++ b/0056-tools-Use-PKG_CONFIG_FILE-instead-of-PKG_CONFIG-vari.patch
@@ -0,0 +1,91 @@
+From 53bd16bcc0d0f5ed5d1ac6d6dc14bf6ecf2e2c43 Mon Sep 17 00:00:00 2001
+From: Bertrand Marquis
+Date: Fri, 3 Mar 2023 08:02:30 +0100
+Subject: [PATCH 56/89] tools: Use PKG_CONFIG_FILE instead of PKG_CONFIG
+ variable
+
+Replace PKG_CONFIG variable name with PKG_CONFIG_FILE for the name of
+the pkg-config file.
+This is preventing a conflict in some build systems where PKG_CONFIG
+actually contains the path to the pkg-config executable to use, as the
+default assignment in libs.mk is using a weak assignment (?=).
+
+This problem has been found when trying to build the latest version of
+Xen tools using buildroot.
+
+Fixes: d400dc5729e4 ("tools: tweak tools/libs/libs.mk for being able to support libxenctrl")
+Signed-off-by: Bertrand Marquis
+Reviewed-by: Anthony PERARD
+master commit: b97e2fe7b9e1f4706693552697239ac2b71efee4
+master date: 2023-02-24 17:44:29 +0000
+---
+ tools/libs/ctrl/Makefile | 2 +-
+ tools/libs/libs.mk | 16 ++++++++--------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/tools/libs/ctrl/Makefile b/tools/libs/ctrl/Makefile
+index 93442ab389..15d0ae8e4e 100644
+--- a/tools/libs/ctrl/Makefile
++++ b/tools/libs/ctrl/Makefile
+@@ -4,7 +4,7 @@ include $(XEN_ROOT)/tools/Rules.mk
+ include Makefile.common
+
+ LIBHEADER := xenctrl.h xenctrl_compat.h
+-PKG_CONFIG := xencontrol.pc
++PKG_CONFIG_FILE := xencontrol.pc
+ PKG_CONFIG_NAME := Xencontrol
+
+ NO_HEADERS_CHK := y
+diff --git a/tools/libs/libs.mk b/tools/libs/libs.mk
+index 3eb91fc8f3..3fab5aecff 100644
+--- a/tools/libs/libs.mk
++++ b/tools/libs/libs.mk
+@@ -1,7 +1,7 @@
+ # Common Makefile for building a lib.
+ #
+ # Variables taken as input:
+-# PKG_CONFIG: name of pkg-config file (xen$(LIBNAME).pc if empty)
++# PKG_CONFIG_FILE: name of pkg-config file (xen$(LIBNAME).pc if empty)
+ # MAJOR: major version of lib (Xen version if empty)
+ # MINOR: minor version of lib (0 if empty)
+
+@@ -26,7 +26,7 @@ ifneq ($(nosharedlibs),y)
+ TARGETS += lib$(LIB_FILE_NAME).so
+ endif
+
+-PKG_CONFIG ?= $(LIB_FILE_NAME).pc
++PKG_CONFIG_FILE ?= $(LIB_FILE_NAME).pc
+ PKG_CONFIG_NAME ?= Xen$(LIBNAME)
+ PKG_CONFIG_DESC ?= The $(PKG_CONFIG_NAME) library for Xen hypervisor
+ PKG_CONFIG_VERSION := $(MAJOR).$(MINOR)
+@@ -35,13 +35,13 @@ PKG_CONFIG_LIB := $(LIB_FILE_NAME)
+ PKG_CONFIG_REQPRIV := $(subst $(space),$(comma),$(strip $(foreach lib,$(patsubst ctrl,control,$(USELIBS_$(LIBNAME))),xen$(lib))))
+
+ ifneq ($(CONFIG_LIBXC_MINIOS),y)
+-TARGETS += $(PKG_CONFIG)
+-$(PKG_CONFIG): PKG_CONFIG_PREFIX = $(prefix)
+-$(PKG_CONFIG): PKG_CONFIG_INCDIR = $(includedir)
+-$(PKG_CONFIG): PKG_CONFIG_LIBDIR = $(libdir)
++TARGETS += $(PKG_CONFIG_FILE)
++$(PKG_CONFIG_FILE): PKG_CONFIG_PREFIX = $(prefix)
++$(PKG_CONFIG_FILE): PKG_CONFIG_INCDIR = $(includedir)
++$(PKG_CONFIG_FILE): PKG_CONFIG_LIBDIR = $(libdir)
+ endif
+
+-PKG_CONFIG_LOCAL := $(PKG_CONFIG_DIR)/$(PKG_CONFIG)
++PKG_CONFIG_LOCAL := $(PKG_CONFIG_DIR)/$(PKG_CONFIG_FILE)
+
+ LIBHEADER ?= $(LIB_FILE_NAME).h
+ LIBHEADERS = $(foreach h, $(LIBHEADER), $(XEN_INCLUDE)/$(h))
+@@ -103,7 +103,7 @@ install:: all
+ $(SYMLINK_SHLIB) lib$(LIB_FILE_NAME).so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir)/lib$(LIB_FILE_NAME).so.$(MAJOR)
+ $(SYMLINK_SHLIB) lib$(LIB_FILE_NAME).so.$(MAJOR) $(DESTDIR)$(libdir)/lib$(LIB_FILE_NAME).so
+ for i in $(LIBHEADERS); do $(INSTALL_DATA) $$i $(DESTDIR)$(includedir); done
+- $(INSTALL_DATA) $(PKG_CONFIG) $(DESTDIR)$(PKG_INSTALLDIR)
++ $(INSTALL_DATA) $(PKG_CONFIG_FILE) $(DESTDIR)$(PKG_INSTALLDIR)
+
+ .PHONY: uninstall
+ uninstall::
+--
+2.40.0
+
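Review bot: After this rename libs.mk no longer reads PKG_CONFIG at all, so any library Makefile that still assigns `PKG_CONFIG := name.pc` would silently fall back to the default `$(LIB_FILE_NAME).pc`; only tools/libs/ctrl/Makefile is updated here, and the other library Makefiles are not visible, so a grep for leftover assignments is worth doing. The neighbouring `PKG_CONFIG_NAME ?=`, `PKG_CONFIG_DESC ?=` and `LIBHEADER ?=` lines keep the same weak-assignment pattern and will likewise take a value from the build environment if one is exported, which is the same class of clash the commit message describes for buildroot. I would extend the header comment in libs.mk with a line such as `# PKG_CONFIG itself is left to the environment (path of the pkg-config executable)` so the reason for the `_FILE` suffix is recorded next to the variable list.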
diff --git a/0057-CI-Drop-automation-configs.patch b/0057-CI-Drop-automation-configs.patch
deleted file mode 100644
index d726468..0000000
--- a/0057-CI-Drop-automation-configs.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -From 657dc5f5f6269008fd7484ca7cca723e21455483 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Thu, 29 Dec 2022 15:39:13 +0000 -Subject: [PATCH 57/61] CI: Drop automation/configs/ - -Having 3 extra hypervisor builds on the end of a full build is deeply -confusing to debug if one of them fails, because the .config file presented in -the artefacts is not the one which caused a build failure. Also, the log -tends to be truncated in the UI. - -PV-only is tested as part of PV-Shim in a full build anyway, so doesn't need -repeating. HVM-only and neither appear frequently in randconfig, so drop all -the logic here to simplify things. - -Signed-off-by: Andrew Cooper -Reviewed-by: Michal Orzel -Reviewed-by: Stefano Stabellini -(cherry picked from commit 7b20009a812f26e74bdbde2ab96165376b3dad34) ---- - automation/configs/x86/hvm_only_config | 3 --- - automation/configs/x86/no_hvm_pv_config | 3 --- - automation/configs/x86/pv_only_config | 3 --- - automation/scripts/build | 21 --------------------- - 4 files changed, 30 deletions(-) - delete mode 100644 automation/configs/x86/hvm_only_config - delete mode 100644 automation/configs/x86/no_hvm_pv_config - delete mode 100644 automation/configs/x86/pv_only_config - -diff --git a/automation/configs/x86/hvm_only_config b/automation/configs/x86/hvm_only_config -deleted file mode 100644 -index 9efbddd535..0000000000 ---- a/automation/configs/x86/hvm_only_config -+++ /dev/null -@@ -1,3 +0,0 @@ --CONFIG_HVM=y --# CONFIG_PV is not set --# CONFIG_DEBUG is not set -diff --git a/automation/configs/x86/no_hvm_pv_config b/automation/configs/x86/no_hvm_pv_config -deleted file mode 100644 -index 0bf6a8e468..0000000000 ---- a/automation/configs/x86/no_hvm_pv_config -+++ /dev/null -@@ -1,3 +0,0 @@ --# CONFIG_HVM is not set --# CONFIG_PV is not set --# CONFIG_DEBUG is not set -diff --git a/automation/configs/x86/pv_only_config b/automation/configs/x86/pv_only_config -deleted file mode 100644 -index e9d8b4a7c7..0000000000 
---- a/automation/configs/x86/pv_only_config -+++ /dev/null -@@ -1,3 +0,0 @@ --CONFIG_PV=y --# CONFIG_HVM is not set --# CONFIG_DEBUG is not set -diff --git a/automation/scripts/build b/automation/scripts/build -index 281f8b1fcc..2c807fa397 100755 ---- a/automation/scripts/build -+++ b/automation/scripts/build -@@ -73,24 +73,3 @@ if [[ "${XEN_TARGET_ARCH}" != "x86_32" ]]; then - cp -r dist binaries/ - fi - fi -- --if [[ "${hypervisor_only}" == "y" ]]; then -- # If we are build testing a specific Kconfig exit now, there's no point in -- # testing all the possible configs. -- exit 0 --fi -- --# Build all the configs we care about --case ${XEN_TARGET_ARCH} in -- x86_64) arch=x86 ;; -- *) exit 0 ;; --esac -- --cfg_dir="automation/configs/${arch}" --for cfg in `ls ${cfg_dir}`; do -- echo "Building $cfg" -- make -j$(nproc) -C xen clean -- rm -f xen/.config -- make -C xen KBUILD_DEFCONFIG=../../../../${cfg_dir}/${cfg} XEN_CONFIG_EXPERT=y defconfig -- make -j$(nproc) -C xen XEN_CONFIG_EXPERT=y --done --- -2.40.0 - diff --git a/0057-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch b/0057-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch new file mode 100644 index 0000000..ea80bd0 --- /dev/null +++ b/0057-libs-guest-Fix-resource-leaks-in-xc_core_arch_map_p2.patch 
@@ -0,0 +1,65 @@ +From 01f85d835bb10d18bdab2cc780ea5ad47004516d Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Fri, 3 Mar 2023 08:02:59 +0100 +Subject: [PATCH 57/89] libs/guest: Fix resource leaks in + xc_core_arch_map_p2m_tree_rw() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Edwin, with the help of GCC's -fanalyzer, identified that p2m_frame_list_list +gets leaked. What fanalyzer can't see is that the live_p2m_frame_list_list +and live_p2m_frame_list foreign mappings are leaked too. + +Rework the logic so the out path is executed unconditionally, which cleans up +all the intermediate allocations/mappings appropriately. + +Fixes: bd7a29c3d0b9 ("tools/libs/ctrl: fix xc_core_arch_map_p2m() to support linear p2m table") +Reported-by: Edwin Török +Signed-off-by: Andrew Cooper +Reviewed-by: Juergen Gross +master commit: 1868d7f22660c8980bd0a7e53f044467e8b63bb5 +master date: 2023-02-27 15:51:23 +0000 +--- + tools/libs/guest/xg_core_x86.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/tools/libs/guest/xg_core_x86.c b/tools/libs/guest/xg_core_x86.c +index 61106b98b8..c5e4542ccc 100644 +--- a/tools/libs/guest/xg_core_x86.c ++++ b/tools/libs/guest/xg_core_x86.c +@@ -229,11 +229,11 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct domain_info_context *dinf + uint32_t dom, shared_info_any_t *live_shinfo) + { + /* Double and single indirect references to the live P2M table */ +- xen_pfn_t *live_p2m_frame_list_list; ++ xen_pfn_t *live_p2m_frame_list_list = NULL; + xen_pfn_t *live_p2m_frame_list = NULL; + /* Copies of the above. 
*/ + xen_pfn_t *p2m_frame_list_list = NULL; +- xen_pfn_t *p2m_frame_list; ++ xen_pfn_t *p2m_frame_list = NULL; + + int err; + int i; +@@ -297,8 +297,6 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct domain_info_context *dinf + + dinfo->p2m_frames = P2M_FL_ENTRIES; + +- return p2m_frame_list; +- + out: + err = errno; + +@@ -312,7 +310,7 @@ xc_core_arch_map_p2m_tree_rw(xc_interface *xch, struct domain_info_context *dinf + + errno = err; + +- return NULL; ++ return p2m_frame_list; + } + + static int +-- +2.40.0 + diff --git a/0058-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch b/0058-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch deleted file mode 100644 index 92d65ec..0000000 --- a/0058-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch +++ /dev/null 
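Review bot: With `return p2m_frame_list;` now shared by the success and failure paths below `out:`, the NULL-on-error result of xc_core_arch_map_p2m_tree_rw() depends on `p2m_frame_list` still being NULL whenever a `goto out` is taken, and nothing at the label says so. The code between the hunks is not visible here, so this needs confirming, but a `goto out` added later after the allocation would hand a live buffer back for a failed call. I would add a comment at the label, e.g. `/* Reached on success too; p2m_frame_list is non-NULL only if every step succeeded. */`. The function body starts and continues outside the hunks.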
@@ -1,87 +0,0 @@ -From 37800cf8ab7806e506b96a13cad0fb395d86663a Mon Sep 17 00:00:00 2001 -From: Michal Orzel -Date: Tue, 14 Feb 2023 16:38:38 +0100 -Subject: [PATCH 58/61] automation: Switch arm32 cross builds to run on arm64 - -Due to the limited x86 CI resources slowing down the whole pipeline, -switch the arm32 cross builds to be executed on arm64 which is much more -capable. For that, rename the existing debian container dockerfile -from unstable-arm32-gcc to unstable-arm64v8-arm32-gcc and use -arm64v8/debian:unstable as an image. Note, that we cannot use the same -container name as we have to keep the backwards compatibility. -Take the opportunity to remove extra empty line at the end of a file. - -Modify the tag of .arm32-cross-build-tmpl to arm64 and update the build -jobs accordingly. - -Signed-off-by: Michal Orzel -Reviewed-by: Stefano Stabellini -(cherry picked from commit a35fccc8df93de7154dba87db6e7bcf391e9d51c) ---- - ...ockerfile => unstable-arm64v8-arm32-gcc.dockerfile} | 3 +-- - automation/gitlab-ci/build.yaml | 10 +++++----- - 2 files changed, 6 insertions(+), 7 deletions(-) - rename automation/build/debian/{unstable-arm32-gcc.dockerfile => unstable-arm64v8-arm32-gcc.dockerfile} (94%) - -diff --git a/automation/build/debian/unstable-arm32-gcc.dockerfile b/automation/build/debian/unstable-arm64v8-arm32-gcc.dockerfile -similarity index 94% -rename from automation/build/debian/unstable-arm32-gcc.dockerfile -rename to automation/build/debian/unstable-arm64v8-arm32-gcc.dockerfile -index b41a57f197..11860425a6 100644 ---- a/automation/build/debian/unstable-arm32-gcc.dockerfile -+++ b/automation/build/debian/unstable-arm64v8-arm32-gcc.dockerfile -@@ -1,4 +1,4 @@ --FROM debian:unstable -+FROM arm64v8/debian:unstable - LABEL maintainer.name="The Xen Project" \ - maintainer.email="xen-devel@lists.xenproject.org" - -@@ -21,4 +21,3 @@ RUN apt-get update && \ - apt-get autoremove -y && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* -- 
-diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml -index 06a75a8c5a..f66fbca8a7 100644 ---- a/automation/gitlab-ci/build.yaml -+++ b/automation/gitlab-ci/build.yaml -@@ -123,7 +123,7 @@ - variables: - XEN_TARGET_ARCH: arm32 - tags: -- - x86_64 -+ - arm64 - - .arm32-cross-build: - extends: .arm32-cross-build-tmpl -@@ -497,23 +497,23 @@ alpine-3.12-clang-debug: - debian-unstable-gcc-arm32: - extends: .gcc-arm32-cross-build - variables: -- CONTAINER: debian:unstable-arm32-gcc -+ CONTAINER: debian:unstable-arm64v8-arm32-gcc - - debian-unstable-gcc-arm32-debug: - extends: .gcc-arm32-cross-build-debug - variables: -- CONTAINER: debian:unstable-arm32-gcc -+ CONTAINER: debian:unstable-arm64v8-arm32-gcc - - debian-unstable-gcc-arm32-randconfig: - extends: .gcc-arm32-cross-build - variables: -- CONTAINER: debian:unstable-arm32-gcc -+ CONTAINER: debian:unstable-arm64v8-arm32-gcc - RANDCONFIG: y - - debian-unstable-gcc-arm32-debug-randconfig: - extends: .gcc-arm32-cross-build-debug - variables: -- CONTAINER: debian:unstable-arm32-gcc -+ CONTAINER: debian:unstable-arm64v8-arm32-gcc - RANDCONFIG: y - - # Arm builds --- -2.40.0 - diff --git a/0058-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch b/0058-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch new file mode 100644 index 0000000..d55c095 --- /dev/null +++ b/0058-libs-guest-Fix-leak-on-realloc-failure-in-backup_pte.patch 
@@ -0,0 +1,56 @@ +From fa8250f1920413f02b63551a6a4d8ef0b47891a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= +Date: Fri, 3 Mar 2023 08:03:19 +0100 +Subject: [PATCH 58/89] libs/guest: Fix leak on realloc failure in + backup_ptes() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From `man 2 realloc`: + + If realloc() fails, the original block is left untouched; it is not freed or moved. + +Found using GCC -fanalyzer: + + | 184 | backup->entries = realloc(backup->entries, + | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + | | | | | + | | | | (91) when ‘realloc’ fails + | | | (92) ‘old_ptes.entries’ leaks here; was allocated at (44) + | | (90) ...to here + +Signed-off-by: Edwin Török +Acked-by: Andrew Cooper +master commit: 275d13184cfa52ebe4336ed66526ce93716adbe0 +master date: 2023-02-27 15:51:23 +0000 +--- + tools/libs/guest/xg_offline_page.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/tools/libs/guest/xg_offline_page.c b/tools/libs/guest/xg_offline_page.c +index c594fdba41..ccd0299f0f 100644 +--- a/tools/libs/guest/xg_offline_page.c ++++ b/tools/libs/guest/xg_offline_page.c +@@ -181,10 +181,16 @@ static int backup_ptes(xen_pfn_t table_mfn, int offset, + + if (backup->max == backup->cur) + { +- backup->entries = realloc(backup->entries, +- backup->max * 2 * sizeof(struct pte_backup_entry)); ++ void *orig = backup->entries; ++ ++ backup->entries = realloc( ++ orig, backup->max * 2 * sizeof(struct pte_backup_entry)); ++ + if (backup->entries == NULL) ++ { ++ free(orig); + return -1; ++ } + else + backup->max *= 2; + } +-- +2.40.0 + diff --git a/0059-automation-Remove-CentOS-7.2-containers-and-builds.patch b/0059-automation-Remove-CentOS-7.2-containers-and-builds.patch deleted file mode 100644 index 8d58eea..0000000 --- a/0059-automation-Remove-CentOS-7.2-containers-and-builds.patch +++ /dev/null 
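Review bot: After `free(orig);` the failure branch in backup_ptes() returns with `backup->entries` set to NULL while `backup->cur` and `backup->max` keep their old non-zero values, so the structure still describes entries that no longer exist. Whether a caller walks the array by `backup->cur` on its error path is not visible in this hunk, but if one does it would dereference NULL. Resetting the counters next to the free, `backup->cur = backup->max = 0;`, keeps the structure self-consistent. backup_ptes() begins and ends outside the hunk.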
@@ -1,145 +0,0 @@ -From a4d901580b2ab3133bca13159b790914c217b0e2 Mon Sep 17 00:00:00 2001 -From: Anthony PERARD -Date: Tue, 21 Feb 2023 16:55:36 +0000 -Subject: [PATCH 59/61] automation: Remove CentOS 7.2 containers and builds - -We already have a container which track the latest CentOS 7, no need -for this one as well. - -Also, 7.2 have outdated root certificate which prevent connection to -website which use Let's Encrypt. - -Signed-off-by: Anthony PERARD -Acked-by: Andrew Cooper -(cherry picked from commit ba512629f76dfddb39ea9133ee51cdd9e392a927) ---- - automation/build/centos/7.2.dockerfile | 52 ------------------------- - automation/build/centos/CentOS-7.2.repo | 35 ----------------- - automation/gitlab-ci/build.yaml | 10 ----- - 3 files changed, 97 deletions(-) - delete mode 100644 automation/build/centos/7.2.dockerfile - delete mode 100644 automation/build/centos/CentOS-7.2.repo - -diff --git a/automation/build/centos/7.2.dockerfile b/automation/build/centos/7.2.dockerfile -deleted file mode 100644 -index 4baa097e31..0000000000 ---- a/automation/build/centos/7.2.dockerfile -+++ /dev/null -@@ -1,52 +0,0 @@ --FROM centos:7.2.1511 --LABEL maintainer.name="The Xen Project" \ -- maintainer.email="xen-devel@lists.xenproject.org" -- --# ensure we only get bits from the vault for --# the version we want --COPY CentOS-7.2.repo /etc/yum.repos.d/CentOS-Base.repo -- --# install EPEL for dev86, xz-devel and possibly other packages --RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \ -- yum clean all -- --RUN mkdir /build --WORKDIR /build -- --# work around https://github.com/moby/moby/issues/10180 --# and install Xen depends --RUN rpm --rebuilddb && \ -- yum -y install \ -- yum-plugin-ovl \ -- gcc \ -- gcc-c++ \ -- ncurses-devel \ -- zlib-devel \ -- openssl-devel \ -- python-devel \ -- libuuid-devel \ -- pkgconfig \ -- # gettext for Xen < 4.13 -- gettext \ -- flex \ -- bison \ -- libaio-devel \ -- glib2-devel \ -- yajl-devel \ 
-- pixman-devel \ -- glibc-devel \ -- # glibc-devel.i686 for Xen < 4.15 -- glibc-devel.i686 \ -- make \ -- binutils \ -- git \ -- wget \ -- acpica-tools \ -- python-markdown \ -- patch \ -- checkpolicy \ -- dev86 \ -- xz-devel \ -- bzip2 \ -- nasm \ -- && yum clean all -diff --git a/automation/build/centos/CentOS-7.2.repo b/automation/build/centos/CentOS-7.2.repo -deleted file mode 100644 -index 4da27faeb5..0000000000 ---- a/automation/build/centos/CentOS-7.2.repo -+++ /dev/null -@@ -1,35 +0,0 @@ --# CentOS-Base.repo --# --# This is a replacement file that pins things to just use CentOS 7.2 --# from the CentOS Vault. --# -- --[base] --name=CentOS-7.2.1511 - Base --baseurl=http://vault.centos.org/7.2.1511/os/$basearch/ --gpgcheck=1 --gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 -- --#released updates --[updates] --name=CentOS-7.2.1511 - Updates --baseurl=http://vault.centos.org/7.2.1511/updates/$basearch/ --gpgcheck=1 --gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 -- --#additional packages that may be useful --[extras] --name=CentOS-7.2.1511 - Extras --baseurl=http://vault.centos.org/7.2.1511/extras/$basearch/ --gpgcheck=1 --gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 -- --#additional packages that extend functionality of existing packages --[centosplus] --name=CentOS-7.2.1511 - Plus --baseurl=http://vault.centos.org/7.2.1511/centosplus/$basearch/ --gpgcheck=1 --gpgcheck=1 --enabled=0 --gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 -- -diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml -index f66fbca8a7..bc1a732069 100644 ---- a/automation/gitlab-ci/build.yaml -+++ b/automation/gitlab-ci/build.yaml -@@ -184,16 +184,6 @@ archlinux-gcc-debug: - variables: - CONTAINER: archlinux:current - --centos-7-2-gcc: -- extends: .gcc-x86-64-build -- variables: -- CONTAINER: centos:7.2 -- --centos-7-2-gcc-debug: -- extends: .gcc-x86-64-build-debug -- variables: -- CONTAINER: centos:7.2 -- - centos-7-gcc: - extends: 
.gcc-x86-64-build - variables: --- -2.40.0 - diff --git a/0059-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch b/0059-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch new file mode 100644 index 0000000..292a61a --- /dev/null +++ b/0059-x86-ucode-AMD-late-load-the-patch-on-every-logical-t.patch 
@@ -0,0 +1,90 @@ +From ec5b058d2a6436a2e180315522fcf1645a8153b4 Mon Sep 17 00:00:00 2001 +From: Sergey Dyasli +Date: Fri, 3 Mar 2023 08:03:43 +0100 +Subject: [PATCH 59/89] x86/ucode/AMD: late load the patch on every logical + thread + +Currently late ucode loading is performed only on the first core of CPU +siblings. But according to the latest recommendation from AMD, late +ucode loading should happen on every logical thread/core on AMD CPUs. + +To achieve that, introduce is_cpu_primary() helper which will consider +every logical cpu as "primary" when running on AMD CPUs. Also include +Hygon in the check for future-proofing. + +Signed-off-by: Sergey Dyasli +Reviewed-by: Jan Beulich +master commit: f1315e48a03a42f78f9b03c0a384165baf02acae +master date: 2023-02-28 14:51:28 +0100 +--- + xen/arch/x86/cpu/microcode/core.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c +index 57ecc5358b..2497630bbe 100644 +--- a/xen/arch/x86/cpu/microcode/core.c ++++ b/xen/arch/x86/cpu/microcode/core.c +@@ -274,6 +274,20 @@ static bool microcode_update_cache(struct microcode_patch *patch) + return true; + } + ++/* Returns true if ucode should be loaded on a given cpu */ ++static bool is_cpu_primary(unsigned int cpu) ++{ ++ if ( boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON) ) ++ /* Load ucode on every logical thread/core */ ++ return true; ++ ++ /* Intel CPUs should load ucode only on the first core of SMT siblings */ ++ if ( cpu == cpumask_first(per_cpu(cpu_sibling_mask, cpu)) ) ++ return true; ++ ++ return false; ++} ++ + /* Wait for a condition to be met with a timeout (us). 
*/ + static int wait_for_condition(bool (*func)(unsigned int data), + unsigned int data, unsigned int timeout) +@@ -380,7 +394,7 @@ static int primary_thread_work(const struct microcode_patch *patch) + static int cf_check microcode_nmi_callback( + const struct cpu_user_regs *regs, int cpu) + { +- unsigned int primary = cpumask_first(this_cpu(cpu_sibling_mask)); ++ bool primary_cpu = is_cpu_primary(cpu); + int ret; + + /* System-generated NMI, leave to main handler */ +@@ -393,10 +407,10 @@ static int cf_check microcode_nmi_callback( + * ucode_in_nmi. + */ + if ( cpu == cpumask_first(&cpu_online_map) || +- (!ucode_in_nmi && cpu == primary) ) ++ (!ucode_in_nmi && primary_cpu) ) + return 0; + +- if ( cpu == primary ) ++ if ( primary_cpu ) + ret = primary_thread_work(nmi_patch); + else + ret = secondary_nmi_work(); +@@ -547,7 +561,7 @@ static int cf_check do_microcode_update(void *patch) + */ + if ( cpu == cpumask_first(&cpu_online_map) ) + ret = control_thread_fn(patch); +- else if ( cpu == cpumask_first(this_cpu(cpu_sibling_mask)) ) ++ else if ( is_cpu_primary(cpu) ) + ret = primary_thread_fn(patch); + else + ret = secondary_thread_fn(); +@@ -640,7 +654,7 @@ static long cf_check microcode_update_helper(void *data) + /* Calculate the number of online CPU core */ + nr_cores = 0; + for_each_online_cpu(cpu) +- if ( cpu == cpumask_first(per_cpu(cpu_sibling_mask, cpu)) ) ++ if ( is_cpu_primary(cpu) ) + nr_cores++; + + printk(XENLOG_INFO "%u cores are to update their microcode\n", nr_cores); +-- +2.40.0 + diff --git a/0060-automation-Remove-non-debug-x86_32-build-jobs.patch b/0060-automation-Remove-non-debug-x86_32-build-jobs.patch deleted file mode 100644 index c5516be..0000000 --- a/0060-automation-Remove-non-debug-x86_32-build-jobs.patch +++ /dev/null 
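Review bot: In microcode_update_helper() the loop now counts every logical thread on AMD and Hygon, but the counter is still named `nr_cores` and the log line still reads `"%u cores are to update their microcode\n"`, which will mislead anyone comparing that number with the core count when checking that a late load reached every CPU. Rewording it to `"%u CPUs are to update their microcode\n"` fixes that without changing behaviour. Separately, the vendor test in is_cpu_primary() uses `&` against `(X86_VENDOR_AMD | X86_VENDOR_HYGON)`, which is only correct if the vendor constants are single-bit flags; their definitions are not in this patch, so a one-line comment stating that assumption would help. All touched functions except is_cpu_primary() start and end outside the hunks.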
@@ -1,67 +0,0 @@ -From 27974fde92850419e385ad0355997c54d78046f2 Mon Sep 17 00:00:00 2001 -From: Anthony PERARD -Date: Fri, 24 Feb 2023 17:29:15 +0000 -Subject: [PATCH 60/61] automation: Remove non-debug x86_32 build jobs - -In the interest of having less jobs, we remove the x86_32 build jobs -that do release build. Debug build is very likely to be enough to find -32bit build issues. - -Signed-off-by: Anthony PERARD -Acked-by: Andrew Cooper -(cherry picked from commit 7b66792ea7f77fb9e587e1e9c530a7c869eecba1) ---- - automation/gitlab-ci/build.yaml | 20 -------------------- - 1 file changed, 20 deletions(-) - -diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml -index bc1a732069..4b51ad9e34 100644 ---- a/automation/gitlab-ci/build.yaml -+++ b/automation/gitlab-ci/build.yaml -@@ -264,21 +264,11 @@ debian-stretch-gcc-debug: - variables: - CONTAINER: debian:stretch - --debian-stretch-32-clang: -- extends: .clang-x86-32-build -- variables: -- CONTAINER: debian:stretch-i386 -- - debian-stretch-32-clang-debug: - extends: .clang-x86-32-build-debug - variables: - CONTAINER: debian:stretch-i386 - --debian-stretch-32-gcc: -- extends: .gcc-x86-32-build -- variables: -- CONTAINER: debian:stretch-i386 -- - debian-stretch-32-gcc-debug: - extends: .gcc-x86-32-build-debug - variables: -@@ -316,21 +306,11 @@ debian-unstable-gcc-debug-randconfig: - CONTAINER: debian:unstable - RANDCONFIG: y - --debian-unstable-32-clang: -- extends: .clang-x86-32-build -- variables: -- CONTAINER: debian:unstable-i386 -- - debian-unstable-32-clang-debug: - extends: .clang-x86-32-build-debug - variables: - CONTAINER: debian:unstable-i386 - --debian-unstable-32-gcc: -- extends: .gcc-x86-32-build -- variables: -- CONTAINER: debian:unstable-i386 -- - debian-unstable-32-gcc-debug: - extends: .gcc-x86-32-build-debug - variables: --- -2.40.0 - 
diff --git a/0060-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch b/0060-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch
new file mode 100644
index 0000000..fd397b0
--- /dev/null
+++ b/0060-x86-shadow-account-for-log-dirty-mode-when-pre-alloc.patch
@@ -0,0 +1,92 @@ +From f8f8f07880d3817fc7b0472420eca9fecaa55358 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 21 Mar 2023 11:58:50 +0000 +Subject: [PATCH 60/89] x86/shadow: account for log-dirty mode when + pre-allocating + +Pre-allocation is intended to ensure that in the course of constructing +or updating shadows there won't be any risk of just made shadows or +shadows being acted upon can disappear under our feet. The amount of +pages pre-allocated then, however, needs to account for all possible +subsequent allocations. While the use in sh_page_fault() accounts for +all shadows which may need making, so far it didn't account for +allocations coming from log-dirty tracking (which piggybacks onto the +P2M allocation functions). + +Since shadow_prealloc() takes a count of shadows (or other data +structures) rather than a count of pages, putting the adjustment at the +call site of this function won't work very well: We simply can't express +the correct count that way in all cases. Instead take care of this in +the function itself, by "snooping" for L1 type requests. (While not +applicable right now, future new request sites of L1 tables would then +also be covered right away.) + +It is relevant to note here that pre-allocations like the one done from +shadow_alloc_p2m_page() are benign when they fall in the "scope" of an +earlier pre-alloc which already included that count: The inner call will +simply find enough pages available then; it'll bail right away. + +This is CVE-2022-42332 / XSA-427. 
+ +Signed-off-by: Jan Beulich +Reviewed-by: Tim Deegan +(cherry picked from commit 91767a71061035ae42be93de495cd976f863a41a) +--- + xen/arch/x86/include/asm/paging.h | 4 ++++ + xen/arch/x86/mm/paging.c | 1 + + xen/arch/x86/mm/shadow/common.c | 12 +++++++++++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/xen/arch/x86/include/asm/paging.h b/xen/arch/x86/include/asm/paging.h +index b2b243a4ff..635ccc83b1 100644 +--- a/xen/arch/x86/include/asm/paging.h ++++ b/xen/arch/x86/include/asm/paging.h +@@ -190,6 +190,10 @@ bool paging_mfn_is_dirty(const struct domain *d, mfn_t gmfn); + #define L4_LOGDIRTY_IDX(pfn) ((pfn_x(pfn) >> (PAGE_SHIFT + 3 + PAGETABLE_ORDER * 2)) & \ + (LOGDIRTY_NODE_ENTRIES-1)) + ++#define paging_logdirty_levels() \ ++ (DIV_ROUND_UP(PADDR_BITS - PAGE_SHIFT - (PAGE_SHIFT + 3), \ ++ PAGE_SHIFT - ilog2(sizeof(mfn_t))) + 1) ++ + #ifdef CONFIG_HVM + /* VRAM dirty tracking support */ + struct sh_dirty_vram { +diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c +index 8d579fa9a3..308d44bce7 100644 +--- a/xen/arch/x86/mm/paging.c ++++ b/xen/arch/x86/mm/paging.c +@@ -282,6 +282,7 @@ void paging_mark_pfn_dirty(struct domain *d, pfn_t pfn) + if ( unlikely(!VALID_M2P(pfn_x(pfn))) ) + return; + ++ BUILD_BUG_ON(paging_logdirty_levels() != 4); + i1 = L1_LOGDIRTY_IDX(pfn); + i2 = L2_LOGDIRTY_IDX(pfn); + i3 = L3_LOGDIRTY_IDX(pfn); +diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c +index a8404f97f6..cf5e181f74 100644 +--- a/xen/arch/x86/mm/shadow/common.c ++++ b/xen/arch/x86/mm/shadow/common.c +@@ -1015,7 +1015,17 @@ bool shadow_prealloc(struct domain *d, unsigned int type, unsigned int count) + if ( unlikely(d->is_dying) ) + return false; + +- ret = _shadow_prealloc(d, shadow_size(type) * count); ++ count *= shadow_size(type); ++ /* ++ * Log-dirty handling may result in allocations when populating its ++ * tracking structures. Tie this to the caller requesting space for L1 ++ * shadows. 
++ */ ++ if ( paging_mode_log_dirty(d) && ++ ((SHF_L1_ANY | SHF_FL1_ANY) & (1u << type)) ) ++ count += paging_logdirty_levels(); ++ ++ ret = _shadow_prealloc(d, count); + if ( !ret && (!d->is_shutting_down || d->shutdown_code != SHUTDOWN_crash) ) + /* + * Failing to allocate memory required for shadow usage can only result in +-- +2.40.0 + diff --git a/0061-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch b/0061-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch deleted file mode 100644 index 9170382..0000000 --- a/0061-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch +++ /dev/null 
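Review bot: `paging_logdirty_levels()` in paging.h is the quantity the XSA-427 fix reserves pages by, yet the macro carries no comment explaining how the level count is derived. I would add above it something like `/* Leaf bitmap page covers PAGE_SHIFT + 3 PFN bits; each node level of mfn_t entries adds PAGE_SHIFT - ilog2(sizeof(mfn_t)) bits. */`. The `BUILD_BUG_ON(paging_logdirty_levels() != 4)` in paging_mark_pfn_dirty() pins the result but does not tell a reader why it is 4. In shadow_prealloc(), `1u << type` assumes `type` is below 32; the callers are outside the hunk, so that is worth confirming.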
@@ -1,103 +0,0 @@ -From 31627a059c2e186f4ad12d171d964b09abe8a4a9 Mon Sep 17 00:00:00 2001 -From: Andrew Cooper -Date: Fri, 24 Mar 2023 17:59:56 +0000 -Subject: [PATCH 61/61] CI: Remove llvm-8 from the Debian Stretch container - -For similar reasons to c/s a6b1e2b80fe20. While this container is still -build-able for now, all the other problems with explicitly-versioned compilers -remain. - -Signed-off-by: Andrew Cooper -Reviewed-by: Stefano Stabellini -(cherry picked from commit 7a298375721636290a57f31bb0f7c2a5a38956a4) ---- - automation/build/debian/stretch-llvm-8.list | 3 --- - automation/build/debian/stretch.dockerfile | 12 --------- - automation/gitlab-ci/build.yaml | 27 --------------------- - 3 files changed, 42 deletions(-) - delete mode 100644 automation/build/debian/stretch-llvm-8.list - -diff --git a/automation/build/debian/stretch-llvm-8.list b/automation/build/debian/stretch-llvm-8.list -deleted file mode 100644 -index 09fe843fb2..0000000000 ---- a/automation/build/debian/stretch-llvm-8.list -+++ /dev/null -@@ -1,3 +0,0 @@ --# Strech LLVM 8 repos --deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main --deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main -diff --git a/automation/build/debian/stretch.dockerfile b/automation/build/debian/stretch.dockerfile -index da6aa874dd..9861acbcc3 100644 ---- a/automation/build/debian/stretch.dockerfile -+++ b/automation/build/debian/stretch.dockerfile -@@ -53,15 +53,3 @@ RUN apt-get update && \ - apt-get autoremove -y && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* -- --RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - --COPY stretch-llvm-8.list /etc/apt/sources.list.d/ -- --RUN apt-get update && \ -- apt-get --quiet --yes install \ -- clang-8 \ -- lld-8 \ -- && \ -- apt-get autoremove -y && \ -- apt-get clean && \ -- rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* -diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml 
-index 4b51ad9e34..fd8034b429 100644 ---- a/automation/gitlab-ci/build.yaml -+++ b/automation/gitlab-ci/build.yaml -@@ -27,13 +27,6 @@ - CXX: clang++ - clang: y - --.clang-8-tmpl: -- variables: &clang-8 -- CC: clang-8 -- CXX: clang++-8 -- LD: ld.lld-8 -- clang: y -- - .x86-64-build-tmpl: - <<: *build - variables: -@@ -98,16 +91,6 @@ - variables: - <<: *clang - --.clang-8-x86-64-build: -- extends: .x86-64-build -- variables: -- <<: *clang-8 -- --.clang-8-x86-64-build-debug: -- extends: .x86-64-build-debug -- variables: -- <<: *clang-8 -- - .clang-x86-32-build: - extends: .x86-32-build - variables: -@@ -244,16 +227,6 @@ debian-stretch-clang-debug: - variables: - CONTAINER: debian:stretch - --debian-stretch-clang-8: -- extends: .clang-8-x86-64-build -- variables: -- CONTAINER: debian:stretch -- --debian-stretch-clang-8-debug: -- extends: .clang-8-x86-64-build-debug -- variables: -- CONTAINER: debian:stretch -- - debian-stretch-gcc: - extends: .gcc-x86-64-build - variables: --- -2.40.0 - diff --git a/0061-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch b/0061-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch new file mode 100644 index 0000000..b638eca --- /dev/null +++ b/0061-x86-HVM-bound-number-of-pinned-cache-attribute-regio.patch 
@@ -0,0 +1,50 @@
+From d0cb66d59a956ccba3dbe794f4ec01e4a4269ee9 Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Tue, 21 Mar 2023 12:01:01 +0000
+Subject: [PATCH 61/89] x86/HVM: bound number of pinned cache attribute regions
+
+This is exposed via DMOP, i.e. to potentially not fully privileged
+device models. With that we may not permit registration of an (almost)
+unbounded amount of such regions.
+
+This is CVE-2022-42333 / part of XSA-428.
+
+Fixes: 642123c5123f ("x86/hvm: provide XEN_DMOP_pin_memory_cacheattr")
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+(cherry picked from commit a5e768640f786b681063f4e08af45d0c4e91debf)
+---
+ xen/arch/x86/hvm/mtrr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
+index 4d2aa6def8..714911dd7f 100644
+--- a/xen/arch/x86/hvm/mtrr.c
++++ b/xen/arch/x86/hvm/mtrr.c
+@@ -595,6 +595,7 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
+ uint64_t gfn_end, uint32_t type)
+ {
+ struct hvm_mem_pinned_cacheattr_range *range;
++ unsigned int nr = 0;
+ int rc = 1;
+
+ if ( !is_hvm_domain(d) )
+@@ -666,11 +667,15 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start,
+ rc = -EBUSY;
+ break;
+ }
++ ++nr;
+ }
+ rcu_read_unlock(&pinned_cacheattr_rcu_lock);
+ if ( rc <= 0 )
+ return rc;
+
++ if ( nr >= 64 /* The limit is arbitrary. */ )
++ return -ENOSPC;
++
+ range = xzalloc(struct hvm_mem_pinned_cacheattr_range);
+ if ( range == NULL )
+ return -ENOMEM;
+--
+2.40.0
+
diff --git a/0062-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch b/0062-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch
new file mode 100644
index 0000000..a0f6efc
--- /dev/null
+++ b/0062-x86-HVM-serialize-pinned-cache-attribute-list-manipu.patch
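Review bot: The new limit in hvm_set_mem_pinned_cacheattr() is a bare `64` inside `if ( nr >= 64 /* The limit is arbitrary. */ )`, so the bound that closes CVE-2022-42333 has no name to search for and is not documented next to the list it protects. A named constant would serve better, for example `#define PINNED_CACHEATTR_MAX_RANGES 64` (the name is only a suggestion), with the comment moved to the definition. The following patch in this series repeats the literal and would use the same constant. The function starts and continues outside both hunks.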
@@ -0,0 +1,126 @@ +From a2a915b3960e6ab060d8be2c36e6e697700ea87c Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 21 Mar 2023 12:01:01 +0000 +Subject: [PATCH 62/89] x86/HVM: serialize pinned cache attribute list + manipulation + +While the RCU variants of list insertion and removal allow lockless list +traversal (with RCU just read-locked), insertions and removals still +need serializing amongst themselves. To keep things simple, use the +domain lock for this purpose. + +This is CVE-2022-42334 / part of XSA-428. + +Fixes: 642123c5123f ("x86/hvm: provide XEN_DMOP_pin_memory_cacheattr") +Signed-off-by: Jan Beulich +Reviewed-by: Julien Grall +(cherry picked from commit 829ec245cf66560e3b50d140ccb3168e7fb7c945) +--- + xen/arch/x86/hvm/mtrr.c | 51 +++++++++++++++++++++++++---------------- + 1 file changed, 31 insertions(+), 20 deletions(-) + +diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c +index 714911dd7f..bd5cc42ef4 100644 +--- a/xen/arch/x86/hvm/mtrr.c ++++ b/xen/arch/x86/hvm/mtrr.c +@@ -594,7 +594,7 @@ static void cf_check free_pinned_cacheattr_entry(struct rcu_head *rcu) + int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start, + uint64_t gfn_end, uint32_t type) + { +- struct hvm_mem_pinned_cacheattr_range *range; ++ struct hvm_mem_pinned_cacheattr_range *range, *newr; + unsigned int nr = 0; + int rc = 1; + +@@ -608,14 +608,15 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start, + { + case XEN_DOMCTL_DELETE_MEM_CACHEATTR: + /* Remove the requested range. 
*/ +- rcu_read_lock(&pinned_cacheattr_rcu_lock); +- list_for_each_entry_rcu ( range, +- &d->arch.hvm.pinned_cacheattr_ranges, +- list ) ++ domain_lock(d); ++ list_for_each_entry ( range, ++ &d->arch.hvm.pinned_cacheattr_ranges, ++ list ) + if ( range->start == gfn_start && range->end == gfn_end ) + { +- rcu_read_unlock(&pinned_cacheattr_rcu_lock); + list_del_rcu(&range->list); ++ domain_unlock(d); ++ + type = range->type; + call_rcu(&range->rcu, free_pinned_cacheattr_entry); + p2m_memory_type_changed(d); +@@ -636,7 +637,7 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start, + } + return 0; + } +- rcu_read_unlock(&pinned_cacheattr_rcu_lock); ++ domain_unlock(d); + return -ENOENT; + + case PAT_TYPE_UC_MINUS: +@@ -651,7 +652,10 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start, + return -EINVAL; + } + +- rcu_read_lock(&pinned_cacheattr_rcu_lock); ++ newr = xzalloc(struct hvm_mem_pinned_cacheattr_range); ++ ++ domain_lock(d); ++ + list_for_each_entry_rcu ( range, + &d->arch.hvm.pinned_cacheattr_ranges, + list ) +@@ -669,27 +673,34 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start, + } + ++nr; + } +- rcu_read_unlock(&pinned_cacheattr_rcu_lock); ++ + if ( rc <= 0 ) +- return rc; ++ /* nothing */; ++ else if ( nr >= 64 /* The limit is arbitrary. */ ) ++ rc = -ENOSPC; ++ else if ( !newr ) ++ rc = -ENOMEM; ++ else ++ { ++ newr->start = gfn_start; ++ newr->end = gfn_end; ++ newr->type = type; + +- if ( nr >= 64 /* The limit is arbitrary. 
*/ ) +- return -ENOSPC; ++ list_add_rcu(&newr->list, &d->arch.hvm.pinned_cacheattr_ranges); + +- range = xzalloc(struct hvm_mem_pinned_cacheattr_range); +- if ( range == NULL ) +- return -ENOMEM; ++ newr = NULL; ++ rc = 0; ++ } ++ ++ domain_unlock(d); + +- range->start = gfn_start; +- range->end = gfn_end; +- range->type = type; ++ xfree(newr); + +- list_add_rcu(&range->list, &d->arch.hvm.pinned_cacheattr_ranges); + p2m_memory_type_changed(d); + if ( type != PAT_TYPE_WRBACK ) + flush_all(FLUSH_CACHE); + +- return 0; ++ return rc; + } + + static int cf_check hvm_save_mtrr_msr(struct vcpu *v, hvm_domain_context_t *h) +-- +2.40.0 + diff --git a/0063-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch b/0063-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch new file mode 100644 index 0000000..fa97a41 --- /dev/null +++ b/0063-x86-spec-ctrl-Defer-CR4_PV32_RESTORE-on-the-cstar_en.patch 
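Review bot: After this rework the tail of hvm_set_mem_pinned_cacheattr() runs `p2m_memory_type_changed(d)` and, for non-WB types, `flush_all(FLUSH_CACHE)` on every path, including those that end with `rc = -ENOSPC`, `rc = -ENOMEM` or a non-positive `rc` from the loop; before the change those paths returned early. The previous patch's description says this operation is reachable from not fully privileged device models, so a rejected request should not cost a system-wide cache flush. Adding `if ( rc < 0 ) return rc;` right after `xfree(newr);` restores the old behaviour for errors. Whether the loop can also leave `rc == 0` without inserting is not visible in the hunks and would need the same treatment.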
@@ -0,0 +1,56 @@
+From a730e4d1190594102784222f76a984d10bbc88a9 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Fri, 10 Feb 2023 21:11:14 +0000
+Subject: [PATCH 63/89] x86/spec-ctrl: Defer CR4_PV32_RESTORE on the
+ cstar_enter path
+
+As stated (correctly) by the comment next to SPEC_CTRL_ENTRY_FROM_PV, between
+the two hunks visible in the patch, RET's are not safe prior to this point.
+
+CR4_PV32_RESTORE hides a CALL/RET pair in certain configurations (PV32
+compiled in, SMEP or SMAP active), and the RET can be attacked with one of
+several known speculative issues.
+
+Furthermore, CR4_PV32_RESTORE also hides a reference to the cr4_pv32_mask
+global variable, which is not safe when XPTI is active before restoring Xen's
+full pagetables.
+
+This crash has gone unnoticed because it is only AMD CPUs which permit the
+SYSCALL instruction in compatibility mode, and these are not vulnerable to
+Meltdown so don't activate XPTI by default.
+
+This is XSA-429 / CVE-2022-42331
+
+Fixes: 5e7962901131 ("x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point")
+Fixes: 5784de3e2067 ("x86: Meltdown band-aid against malicious 64-bit PV guests")
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+(cherry picked from commit df5b055b12116d9e63ced59ae5389e69a2a3de48)
+---
+ xen/arch/x86/x86_64/entry.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index ae01285181..7675a59ff0 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -288,7 +288,6 @@ ENTRY(cstar_enter)
+ ALTERNATIVE "", "setssbsy", X86_FEATURE_XEN_SHSTK
+ #endif
+ push %rax /* Guest %rsp */
+- CR4_PV32_RESTORE
+ movq 8(%rsp), %rax /* Restore guest %rax. */
+ movq $FLAT_USER_SS32, 8(%rsp) /* Assume a 64bit domain. Compat handled lower. */
+ pushq %r11
+@@ -312,6 +311,8 @@ ENTRY(cstar_enter)
+ .Lcstar_cr3_okay:
+ sti
+
++ CR4_PV32_RESTORE
++
+ movq STACK_CPUINFO_FIELD(current_vcpu)(%rbx), %rbx
+
+ #ifdef CONFIG_PV32
+--
+2.40.0
+
diff --git a/0064-x86-vmx-implement-VMExit-based-guest-Bus-Lock-detect.patch b/0064-x86-vmx-implement-VMExit-based-guest-Bus-Lock-detect.patch
new file mode 100644
index 0000000..cebb501
--- /dev/null
+++ b/0064-x86-vmx-implement-VMExit-based-guest-Bus-Lock-detect.patch
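Review bot: The relocated `CR4_PV32_RESTORE` after `.Lcstar_cr3_okay:` and `sti` carries no comment, so the ordering constraint explained in the commit message exists only in the log. The macro hides a CALL/RET pair and a read of `cr4_pv32_mask`, and nothing in the file would stop a later cleanup from moving it back above the speculation entry sequence or the CR3 switch. I would add a comment above it such as `/* Must stay after SPEC_CTRL_ENTRY_FROM_PV and the CR3 switch: hides a CALL/RET and a cr4_pv32_mask reference. */`. The part of cstar_enter between and after the two hunks is not visible here, so the wording should be checked against the comment already next to SPEC_CTRL_ENTRY_FROM_PV.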
@@ -0,0 +1,175 @@
+From 83f12e4eafdc4b034501adf4847a09a1293fdf8b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?=
+Date: Tue, 21 Mar 2023 13:40:41 +0100
+Subject: [PATCH 64/89] x86/vmx: implement VMExit based guest Bus Lock
+ detection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add support for enabling guest Bus Lock Detection on Intel systems.
+Such detection works by triggering a vmexit, which ought to be enough
+of a pause to prevent a guest from abusing of the Bus Lock.
+
+Add an extra Xen perf counter to track the number of Bus Locks detected.
+This is done because Bus Locks can also be reported by setting the bit
+26 in the exit reason field, so also account for those.
+
+Note EXIT_REASON_BUS_LOCK VMExits will always have bit 26 set in
+exit_reason, and hence the performance counter doesn't need to be
+increased for EXIT_REASON_BUS_LOCK handling.
+
+Suggested-by: Andrew Cooper
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Kevin Tian
+master commit: f7d07619d2ae0382e2922e287fbfbb27722f3f0b
+master date: 2022-12-19 11:22:43 +0100
+---
+ xen/arch/x86/hvm/vmx/vmcs.c | 4 +++-
+ xen/arch/x86/hvm/vmx/vmx.c | 15 +++++++++++++++
+ xen/arch/x86/hvm/vmx/vvmx.c | 3 ++-
+ xen/arch/x86/include/asm/hvm/vmx/vmcs.h | 3 +++
+ xen/arch/x86/include/asm/hvm/vmx/vmx.h | 2 ++
+ xen/arch/x86/include/asm/perfc_defn.h | 4 +++-
+ 6 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
+index 84dbb88d33..a0d5e8d6ab 100644
+--- a/xen/arch/x86/hvm/vmx/vmcs.c
++++ b/xen/arch/x86/hvm/vmx/vmcs.c
+@@ -209,6 +209,7 @@ static void __init vmx_display_features(void)
+ P(cpu_has_vmx_virt_exceptions, "Virtualisation Exceptions");
+ P(cpu_has_vmx_pml, "Page Modification Logging");
+ P(cpu_has_vmx_tsc_scaling, "TSC Scaling");
++ P(cpu_has_vmx_bus_lock_detection, "Bus Lock Detection");
+ #undef P
+
+ if ( !printed )
+@@ -318,7 +319,8 @@ static int vmx_init_vmcs_config(bool bsp)
+ SECONDARY_EXEC_ENABLE_VM_FUNCTIONS |
+ SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS |
+ SECONDARY_EXEC_XSAVES |
+- SECONDARY_EXEC_TSC_SCALING);
++ SECONDARY_EXEC_TSC_SCALING |
++ SECONDARY_EXEC_BUS_LOCK_DETECTION);
+ if ( _vmx_misc_cap & VMX_MISC_VMWRITE_ALL )
+ opt |= SECONDARY_EXEC_ENABLE_VMCS_SHADOWING;
+ if ( opt_vpid_enabled )
+diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
+index 861f91f2af..d0f0f2e429 100644
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -4084,6 +4084,12 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
+ return;
+ }
+
++ if ( unlikely(exit_reason & VMX_EXIT_REASONS_BUS_LOCK) )
++ {
++ perfc_incr(buslock);
++ exit_reason &= ~VMX_EXIT_REASONS_BUS_LOCK;
++ }
++
+ /* XXX: This looks ugly, but we need a mechanism to ensure
+ * any pending vmresume has really happened
+ */
+@@ -4593,6 +4599,15 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
+ vmx_handle_descriptor_access(exit_reason);
+ break;
+
++ case EXIT_REASON_BUS_LOCK:
++ /*
++ * Nothing to do: just taking a vmexit should be enough of a pause to
++ * prevent a VM from crippling the host with bus locks. Note
++ * EXIT_REASON_BUS_LOCK will always have bit 26 set in exit_reason, and
++ * hence the perf counter is already increased.
++ */
++ break;
++
+ case EXIT_REASON_VMX_PREEMPTION_TIMER_EXPIRED:
+ case EXIT_REASON_INVPCID:
+ /* fall through */
+diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
+index 5f54451475..2095c1e612 100644
+--- a/xen/arch/x86/hvm/vmx/vvmx.c
++++ b/xen/arch/x86/hvm/vmx/vvmx.c
+@@ -2405,7 +2405,7 @@ void nvmx_idtv_handling(void)
+ * be reinjected, otherwise, pass to L1.
+ */
+ __vmread(VM_EXIT_REASON, &reason);
+- if ( reason != EXIT_REASON_EPT_VIOLATION ?
++ if ( (uint16_t)reason != EXIT_REASON_EPT_VIOLATION ?
+ !(nvmx->intr.intr_info & INTR_INFO_VALID_MASK) :
+ !nvcpu->nv_vmexit_pending )
+ {
+@@ -2486,6 +2486,7 @@ int nvmx_n2_vmexit_handler(struct cpu_user_regs *regs,
+ case EXIT_REASON_EPT_VIOLATION:
+ case EXIT_REASON_EPT_MISCONFIG:
+ case EXIT_REASON_EXTERNAL_INTERRUPT:
++ case EXIT_REASON_BUS_LOCK:
+ /* pass to L0 handler */
+ break;
+ case VMX_EXIT_REASONS_FAILED_VMENTRY:
+diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
+index 75f9928abf..f3df5113d4 100644
+--- a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
++++ b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
+@@ -267,6 +267,7 @@ extern u32 vmx_vmentry_control;
+ #define SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS 0x00040000
+ #define SECONDARY_EXEC_XSAVES 0x00100000
+ #define SECONDARY_EXEC_TSC_SCALING 0x02000000
++#define SECONDARY_EXEC_BUS_LOCK_DETECTION 0x40000000
+ extern u32 vmx_secondary_exec_control;
+
+ #define VMX_EPT_EXEC_ONLY_SUPPORTED 0x00000001
+@@ -346,6 +347,8 @@ extern u64 vmx_ept_vpid_cap;
+ (vmx_secondary_exec_control & SECONDARY_EXEC_XSAVES)
+ #define cpu_has_vmx_tsc_scaling \
+ (vmx_secondary_exec_control & SECONDARY_EXEC_TSC_SCALING)
++#define cpu_has_vmx_bus_lock_detection \
++ (vmx_secondary_exec_control & SECONDARY_EXEC_BUS_LOCK_DETECTION)
+
+ #define VMCS_RID_TYPE_MASK 0x80000000
+
+diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmx.h b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
+index 8eedf59155..03995701a1 100644
+--- a/xen/arch/x86/include/asm/hvm/vmx/vmx.h
++++ b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
+@@ -159,6 +159,7 @@ static inline void pi_clear_sn(struct pi_desc *pi_desc)
+ * Exit Reasons
+ */
+ #define VMX_EXIT_REASONS_FAILED_VMENTRY 0x80000000
++#define VMX_EXIT_REASONS_BUS_LOCK (1u << 26)
+
+ #define EXIT_REASON_EXCEPTION_NMI 0
+ #define EXIT_REASON_EXTERNAL_INTERRUPT 1
+@@ -219,6 +220,7 @@ static inline void pi_clear_sn(struct pi_desc *pi_desc)
+ #define EXIT_REASON_PML_FULL 62
+ #define EXIT_REASON_XSAVES 63
+ #define EXIT_REASON_XRSTORS 64
++#define EXIT_REASON_BUS_LOCK 74
+ /* Remember to also update VMX_PERF_EXIT_REASON_SIZE! */
+
+ /*
+diff --git a/xen/arch/x86/include/asm/perfc_defn.h b/xen/arch/x86/include/asm/perfc_defn.h
+index 509afc516b..6fce21e85a 100644
+--- a/xen/arch/x86/include/asm/perfc_defn.h
++++ b/xen/arch/x86/include/asm/perfc_defn.h
+@@ -6,7 +6,7 @@ PERFCOUNTER_ARRAY(exceptions, "exceptions", 32)
+
+ #ifdef CONFIG_HVM
+
+-#define VMX_PERF_EXIT_REASON_SIZE 65
++#define VMX_PERF_EXIT_REASON_SIZE 75
+ #define VMEXIT_NPF_PERFC 143
+ #define SVM_PERF_EXIT_REASON_SIZE (VMEXIT_NPF_PERFC + 1)
+ PERFCOUNTER_ARRAY(vmexits, "vmexits",
+@@ -128,4 +128,6 @@ PERFCOUNTER(pauseloop_exits, "vmexits from Pause-Loop Detection")
+ PERFCOUNTER(iommu_pt_shatters, "IOMMU page table shatters")
+ PERFCOUNTER(iommu_pt_coalesces, "IOMMU page table coalesces")
+
++PERFCOUNTER(buslock, "Bus Locks Detected")
++
+ /*#endif*/ /* __XEN_PERFC_DEFN_H__ */
+--
+2.40.0
+
diff --git a/0065-x86-vmx-introduce-helper-to-set-VMX_INTR_SHADOW_NMI.patch b/0065-x86-vmx-introduce-helper-to-set-VMX_INTR_SHADOW_NMI.patch
new file mode 100644
index 0000000..847ee99
--- /dev/null
+++ b/0065-x86-vmx-introduce-helper-to-set-VMX_INTR_SHADOW_NMI.patch
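Review bot: The exit reason's flag bits are stripped in two different ways and neither site says why: `vmx_vmexit_handler()` clears only bit 26 with `exit_reason &= ~VMX_EXIT_REASONS_BUS_LOCK`, while `nvmx_idtv_handling()` compares `(uint16_t)reason`. The cast silently relies on the basic exit reason occupying the low 16 bits, so the next flag bit added to the field means revisiting both places by hand. A one-line comment at the cast, e.g. `/* Basic exit reason only: bit 26 (bus lock) may be set alongside it. */`, would make the intent explicit, and a shared mask macro used at both sites would be the more thorough option. Both functions extend beyond the hunks shown.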
@@ -0,0 +1,102 @@
+From 27abea1ba6fa68f81b98de31cf9b9ebb594ff238 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?=
+Date: Tue, 21 Mar 2023 13:41:49 +0100
+Subject: [PATCH 65/89] x86/vmx: introduce helper to set VMX_INTR_SHADOW_NMI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Introduce a small helper to OR VMX_INTR_SHADOW_NMI in
+GUEST_INTERRUPTIBILITY_INFO in order to help dealing with the NMI
+unblocked by IRET case. Replace the existing usage in handling
+EXIT_REASON_EXCEPTION_NMI and also add such handling to EPT violations
+and page-modification log-full events.
+
+Reported-by: Andrew Cooper
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Jan Beulich
+Reviewed-by: Kevin Tian
+master commit: d329b37d12132164c3894d0b6284be72576ef950
+master date: 2022-12-19 11:23:34 +0100
+---
+ xen/arch/x86/hvm/vmx/vmx.c | 28 +++++++++++++++++++-------
+ xen/arch/x86/include/asm/hvm/vmx/vmx.h | 3 +++
+ 2 files changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
+index d0f0f2e429..456726e897 100644
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -3967,6 +3967,15 @@ static int vmx_handle_apic_write(void)
+ return vlapic_apicv_write(current, exit_qualification & 0xfff);
+ }
+
++static void undo_nmis_unblocked_by_iret(void)
++{
++ unsigned long guest_info;
++
++ __vmread(GUEST_INTERRUPTIBILITY_INFO, &guest_info);
++ __vmwrite(GUEST_INTERRUPTIBILITY_INFO,
++ guest_info | VMX_INTR_SHADOW_NMI);
++}
++
+ void vmx_vmexit_handler(struct cpu_user_regs *regs)
+ {
+ unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0;
+@@ -4167,13 +4176,7 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
+ if ( unlikely(intr_info & INTR_INFO_NMI_UNBLOCKED_BY_IRET) &&
+ !(idtv_info & INTR_INFO_VALID_MASK) &&
+ (vector != TRAP_double_fault) )
+- {
+- unsigned long guest_info;
+-
+- __vmread(GUEST_INTERRUPTIBILITY_INFO, &guest_info);
+- __vmwrite(GUEST_INTERRUPTIBILITY_INFO,
+- guest_info | VMX_INTR_SHADOW_NMI);
+- }
++ undo_nmis_unblocked_by_iret();
+
+ perfc_incra(cause_vector, vector);
+
+@@ -4539,6 +4542,11 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
+
+ __vmread(GUEST_PHYSICAL_ADDRESS, &gpa);
+ __vmread(EXIT_QUALIFICATION, &exit_qualification);
++
++ if ( unlikely(exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) &&
++ !(idtv_info & INTR_INFO_VALID_MASK) )
++ undo_nmis_unblocked_by_iret();
++
+ ept_handle_violation(exit_qualification, gpa);
+ break;
+ }
+@@ -4583,6 +4591,12 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
+ break;
+
+ case EXIT_REASON_PML_FULL:
++ __vmread(EXIT_QUALIFICATION, &exit_qualification);
++
++ if ( unlikely(exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) &&
++ !(idtv_info & INTR_INFO_VALID_MASK) )
++ undo_nmis_unblocked_by_iret();
++
+ vmx_vcpu_flush_pml_buffer(v);
+ break;
+
+diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmx.h b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
+index 03995701a1..eae39365aa 100644
+--- a/xen/arch/x86/include/asm/hvm/vmx/vmx.h
++++ b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
+@@ -225,6 +225,9 @@ static inline void pi_clear_sn(struct pi_desc *pi_desc)
+
+ /*
+ * Interruption-information format
++ *
++ * Note INTR_INFO_NMI_UNBLOCKED_BY_IRET is also used with Exit Qualification
++ * field for EPT violations, PML full and SPP-related event vmexits.
+ */
+ #define INTR_INFO_VECTOR_MASK 0xff /* 7:0 */
+ #define INTR_INFO_INTR_TYPE_MASK 0x700 /* 10:8 */
+--
+2.40.0
+
diff --git a/0066-x86-vmx-implement-Notify-VM-Exit.patch b/0066-x86-vmx-implement-Notify-VM-Exit.patch
new file mode 100644
index 0000000..bc54d18
--- /dev/null
+++ b/0066-x86-vmx-implement-Notify-VM-Exit.patch
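Review bot: `undo_nmis_unblocked_by_iret()` is added without a comment, and the name alone does not tell a reader that it sets `VMX_INTR_SHADOW_NMI` in `GUEST_INTERRUPTIBILITY_INFO`, which as I read it re-establishes NMI blocking after the exit information reported it removed by an IRET. A short comment above the helper saying that, and that callers must have tested `INTR_INFO_NMI_UNBLOCKED_BY_IRET` first, would help the next person touching the exit handler. The EPT-violation and PML-full arms also repeat the same two-line condition on `exit_qualification` and `idtv_info`, so a small wrapper taking those two values would keep the call sites from drifting apart. vmx_vmexit_handler() continues outside every hunk shown here.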
@@ -0,0 +1,243 @@
+From b745ff30113d2bd91e2d34cf56437b2fe2e2ea35 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?=
+Date: Tue, 21 Mar 2023 13:42:43 +0100
+Subject: [PATCH 66/89] x86/vmx: implement Notify VM Exit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Under certain conditions guests can get the CPU stuck in an unbounded
+loop without the possibility of an interrupt window to occur on
+instruction boundary. This was the case with the scenarios described
+in XSA-156.
+
+Make use of the Notify VM Exit mechanism, that will trigger a VM Exit
+if no interrupt window occurs for a specified amount of time. Note
+that using the Notify VM Exit avoids having to trap #AC and #DB
+exceptions, as Xen is guaranteed to get a VM Exit even if the guest
+puts the CPU in a loop without an interrupt window, as such disable
+the intercepts if the feature is available and enabled.
+
+Setting the notify VM exit window to 0 is safe because there's a
+threshold added by the hardware in order to have a sane window value.
+
+Note the handling of EXIT_REASON_NOTIFY in the nested virtualization
+case is passed to L0, and hence a nested guest being able to trigger a
+notify VM exit with an invalid context would be able to crash the L1
+hypervisor (by L0 destroying the domain). Since we don't expose VM
+Notify support to L1 it should already enable the required
+protections in order to prevent VM Notify from triggering in the first
+place.
+
+Suggested-by: Andrew Cooper
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Kevin Tian
+
+x86/vmx: Partially revert "x86/vmx: implement Notify VM Exit"
+
+The original patch tried to do two things - implement VMNotify, and
+re-optimise VT-x to not intercept #DB/#AC by default.
+
+The second part is buggy in multiple ways. Both GDBSX and Introspection need
+to conditionally intercept #DB, which was not accounted for. Also, #DB
+interception has nothing at all to do with cpu_has_monitor_trap_flag.
+
+Revert the second half, leaving #DB/#AC intercepted unilaterally, but with
+VMNotify active by default when available.
+
+Fixes: 573279cde1c4 ("x86/vmx: implement Notify VM Exit")
+Signed-off-by: Andrew Cooper
+Reviewed-by: Kevin Tian
+master commit: 573279cde1c4e752d4df34bc65ffafa17573148e
+master date: 2022-12-19 11:24:14 +0100
+master commit: 5f08bc9404c7cfa8131e262c7dbcb4d96c752686
+master date: 2023-01-20 19:39:32 +0000
+---
+ docs/misc/xen-command-line.pandoc | 11 +++++++++++
+ xen/arch/x86/hvm/vmx/vmcs.c | 10 ++++++++++
+ xen/arch/x86/hvm/vmx/vmx.c | 16 ++++++++++++++++
+ xen/arch/x86/hvm/vmx/vvmx.c | 1 +
+ xen/arch/x86/include/asm/hvm/vmx/vmcs.h | 4 ++++
+ xen/arch/x86/include/asm/hvm/vmx/vmx.h | 6 ++++++
+ xen/arch/x86/include/asm/perfc_defn.h | 3 ++-
+ 7 files changed, 50 insertions(+), 1 deletion(-)
+
+diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
+index 5be5ce10c6..d601120faa 100644
+--- a/docs/misc/xen-command-line.pandoc
++++ b/docs/misc/xen-command-line.pandoc
+@@ -2634,6 +2634,17 @@ guest will notify Xen that it has failed to acquire a spinlock.
+ , and must be integers. The values will be
+ encoded in guest CPUID 0x40000002 if viridian enlightenments are enabled.
+
++### vm-notify-window (Intel)
++> `= `
++
++> Default: `0`
++
++Specify the value of the VM Notify window used to detect locked VMs. Set to -1
++to disable the feature. Value is in units of crystal clock cycles.
++
++Note the hardware might add a threshold to the provided value in order to make
++it safe, and hence using 0 is fine.
++
+ ### vpid (Intel)
+ > `= `
+
+diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
+index a0d5e8d6ab..7912053bda 100644
+--- a/xen/arch/x86/hvm/vmx/vmcs.c
++++ b/xen/arch/x86/hvm/vmx/vmcs.c
+@@ -67,6 +67,9 @@ integer_param("ple_gap", ple_gap);
+ static unsigned int __read_mostly ple_window = 4096;
+ integer_param("ple_window", ple_window);
+
++static unsigned int __ro_after_init vm_notify_window;
++integer_param("vm-notify-window", vm_notify_window);
++
+ static bool __read_mostly opt_ept_pml = true;
+ static s8 __read_mostly opt_ept_ad = -1;
+ int8_t __read_mostly opt_ept_exec_sp = -1;
+@@ -210,6 +213,7 @@ static void __init vmx_display_features(void)
+ P(cpu_has_vmx_pml, "Page Modification Logging");
+ P(cpu_has_vmx_tsc_scaling, "TSC Scaling");
+ P(cpu_has_vmx_bus_lock_detection, "Bus Lock Detection");
++ P(cpu_has_vmx_notify_vm_exiting, "Notify VM Exit");
+ #undef P
+
+ if ( !printed )
+@@ -329,6 +333,8 @@ static int vmx_init_vmcs_config(bool bsp)
+ opt |= SECONDARY_EXEC_UNRESTRICTED_GUEST;
+ if ( opt_ept_pml )
+ opt |= SECONDARY_EXEC_ENABLE_PML;
++ if ( vm_notify_window != ~0u )
++ opt |= SECONDARY_EXEC_NOTIFY_VM_EXITING;
+
+ /*
+ * "APIC Register Virtualization" and "Virtual Interrupt Delivery"
+@@ -1290,6 +1296,10 @@ static int construct_vmcs(struct vcpu *v)
+ v->arch.hvm.vmx.exception_bitmap = HVM_TRAP_MASK
+ | (paging_mode_hap(d) ? 0 : (1U << TRAP_page_fault))
+ | (v->arch.fully_eager_fpu ? 0 : (1U << TRAP_no_device));
++
++ if ( cpu_has_vmx_notify_vm_exiting )
++ __vmwrite(NOTIFY_WINDOW, vm_notify_window);
++
+ vmx_update_exception_bitmap(v);
+
+ v->arch.hvm.guest_cr[0] = X86_CR0_PE | X86_CR0_ET;
+diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
+index 456726e897..f0e759eeaf 100644
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -4622,6 +4622,22 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
+ */
+ break;
+
++ case EXIT_REASON_NOTIFY:
++ __vmread(EXIT_QUALIFICATION, &exit_qualification);
++
++ if ( unlikely(exit_qualification & NOTIFY_VM_CONTEXT_INVALID) )
++ {
++ perfc_incr(vmnotify_crash);
++ gprintk(XENLOG_ERR, "invalid VM context after notify vmexit\n");
++ domain_crash(v->domain);
++ break;
++ }
++
++ if ( unlikely(exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) )
++ undo_nmis_unblocked_by_iret();
++
++ break;
++
+ case EXIT_REASON_VMX_PREEMPTION_TIMER_EXPIRED:
+ case EXIT_REASON_INVPCID:
+ /* fall through */
+diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
+index 2095c1e612..f8fe8d0c14 100644
+--- a/xen/arch/x86/hvm/vmx/vvmx.c
++++ b/xen/arch/x86/hvm/vmx/vvmx.c
+@@ -2487,6 +2487,7 @@ int nvmx_n2_vmexit_handler(struct cpu_user_regs *regs,
+ case EXIT_REASON_EPT_MISCONFIG:
+ case EXIT_REASON_EXTERNAL_INTERRUPT:
+ case EXIT_REASON_BUS_LOCK:
++ case EXIT_REASON_NOTIFY:
+ /* pass to L0 handler */
+ break;
+ case VMX_EXIT_REASONS_FAILED_VMENTRY:
+diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
+index f3df5113d4..78404e42b3 100644
+--- a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
++++ b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h
+@@ -268,6 +268,7 @@ extern u32 vmx_vmentry_control;
+ #define SECONDARY_EXEC_XSAVES 0x00100000
+ #define SECONDARY_EXEC_TSC_SCALING 0x02000000
+ #define SECONDARY_EXEC_BUS_LOCK_DETECTION 0x40000000
++#define SECONDARY_EXEC_NOTIFY_VM_EXITING 0x80000000
+ extern u32 vmx_secondary_exec_control;
+
+ #define VMX_EPT_EXEC_ONLY_SUPPORTED 0x00000001
+@@ -349,6 +350,8 @@ extern u64 vmx_ept_vpid_cap;
+ (vmx_secondary_exec_control & SECONDARY_EXEC_TSC_SCALING)
+ #define cpu_has_vmx_bus_lock_detection \
+ (vmx_secondary_exec_control & SECONDARY_EXEC_BUS_LOCK_DETECTION)
++#define cpu_has_vmx_notify_vm_exiting \
++ (vmx_secondary_exec_control & SECONDARY_EXEC_NOTIFY_VM_EXITING)
+
+ #define VMCS_RID_TYPE_MASK 0x80000000
+
+@@ -456,6 +459,7 @@ enum vmcs_field {
+ SECONDARY_VM_EXEC_CONTROL = 0x0000401e,
+ PLE_GAP = 0x00004020,
+ PLE_WINDOW = 0x00004022,
++ NOTIFY_WINDOW = 0x00004024,
+ VM_INSTRUCTION_ERROR = 0x00004400,
+ VM_EXIT_REASON = 0x00004402,
+ VM_EXIT_INTR_INFO = 0x00004404,
+diff --git a/xen/arch/x86/include/asm/hvm/vmx/vmx.h b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
+index eae39365aa..8e1e42ac47 100644
+--- a/xen/arch/x86/include/asm/hvm/vmx/vmx.h
++++ b/xen/arch/x86/include/asm/hvm/vmx/vmx.h
+@@ -221,6 +221,7 @@ static inline void pi_clear_sn(struct pi_desc *pi_desc)
+ #define EXIT_REASON_XSAVES 63
+ #define EXIT_REASON_XRSTORS 64
+ #define EXIT_REASON_BUS_LOCK 74
++#define EXIT_REASON_NOTIFY 75
+ /* Remember to also update VMX_PERF_EXIT_REASON_SIZE! */
+
+ /*
+@@ -236,6 +237,11 @@ static inline void pi_clear_sn(struct pi_desc *pi_desc)
+ #define INTR_INFO_VALID_MASK 0x80000000 /* 31 */
+ #define INTR_INFO_RESVD_BITS_MASK 0x7ffff000
+
++/*
++ * Exit Qualifications for NOTIFY VM EXIT
++ */
++#define NOTIFY_VM_CONTEXT_INVALID 1u
++
+ /*
+ * Exit Qualifications for MOV for Control Register Access
+ */
+diff --git a/xen/arch/x86/include/asm/perfc_defn.h b/xen/arch/x86/include/asm/perfc_defn.h
+index 6fce21e85a..487e20dc97 100644
+--- a/xen/arch/x86/include/asm/perfc_defn.h
++++ b/xen/arch/x86/include/asm/perfc_defn.h
+@@ -6,7 +6,7 @@ PERFCOUNTER_ARRAY(exceptions, "exceptions", 32)
+
+ #ifdef CONFIG_HVM
+
+-#define VMX_PERF_EXIT_REASON_SIZE 75
++#define VMX_PERF_EXIT_REASON_SIZE 76
+ #define VMEXIT_NPF_PERFC 143
+ #define SVM_PERF_EXIT_REASON_SIZE (VMEXIT_NPF_PERFC + 1)
+ PERFCOUNTER_ARRAY(vmexits, "vmexits",
+@@ -129,5 +129,6 @@ PERFCOUNTER(iommu_pt_shatters, "IOMMU page table shatters")
+ PERFCOUNTER(iommu_pt_coalesces, "IOMMU page table coalesces")
+
+ PERFCOUNTER(buslock, "Bus Locks Detected")
++PERFCOUNTER(vmnotify_crash, "domain crashes by Notify VM Exit")
+
+ /*#endif*/ /* __XEN_PERFC_DEFN_H__ */
+--
+2.40.0
+
diff --git a/0067-tools-python-change-s-size-type-for-Python-3.10.patch b/0067-tools-python-change-s-size-type-for-Python-3.10.patch
new file mode 100644
index 0000000..0671c67
--- /dev/null
+++ b/0067-tools-python-change-s-size-type-for-Python-3.10.patch
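Review bot: The `EXIT_REASON_NOTIFY` arm calls `undo_nmis_unblocked_by_iret()` on `exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET` alone, whereas the EPT-violation and PML-full arms added by patch 65 of this series also require `!(idtv_info & INTR_INFO_VALID_MASK)`. If the difference is intentional it deserves a comment in the arm; if it is not, the condition should read `if ( unlikely(exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) && !(idtv_info & INTR_INFO_VALID_MASK) )`. Which form is right depends on how that exit-qualification bit is defined for notify exits, which nothing on this page shows. vmx_vmexit_handler() starts and ends outside the hunk.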
@@ -0,0 +1,72 @@
+From 651ffe2c7847cb9922d22980984a3bea6f47bea7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+
+Date: Tue, 21 Mar 2023 13:43:44 +0100
+Subject: [PATCH 67/89] tools/python: change 's#' size type for Python >= 3.10
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Python < 3.10 by default uses 'int' type for data+size string types
+(s#), unless PY_SSIZE_T_CLEAN is defined - in which case it uses
+Py_ssize_t. The former behavior was removed in Python 3.10 and now it's
+required to define PY_SSIZE_T_CLEAN before including Python.h, and using
+Py_ssize_t for the length argument. The PY_SSIZE_T_CLEAN behavior is
+supported since Python 2.5.
+
+Adjust bindings accordingly.
+
+Signed-off-by: Marek Marczykowski-Górecki
+Reviewed-by: Anthony PERARD
+master commit: 897257ba49d0a6ddcf084960fd792ccce9c40f94
+master date: 2023-02-06 08:50:13 +0100
+---
+ tools/python/xen/lowlevel/xc/xc.c | 3 ++-
+ tools/python/xen/lowlevel/xs/xs.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
+index fd00861032..cfb2734a99 100644
+--- a/tools/python/xen/lowlevel/xc/xc.c
++++ b/tools/python/xen/lowlevel/xc/xc.c
+@@ -4,6 +4,7 @@
+ * Copyright (c) 2003-2004, K A Fraser (University of Cambridge)
+ */
+
++#define PY_SSIZE_T_CLEAN
+ #include
+ #define XC_WANT_COMPAT_MAP_FOREIGN_API
+ #include
+@@ -1774,7 +1775,7 @@ static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds)
+ {
+ xc_interface *xc_handle;
+ char *policy;
+- uint32_t len;
++ Py_ssize_t len;
+ int ret;
+
+ static char *kwd_list[] = { "policy", NULL };
+diff --git a/tools/python/xen/lowlevel/xs/xs.c b/tools/python/xen/lowlevel/xs/xs.c
+index 0dad7fa5f2..3ba5a8b893 100644
+--- a/tools/python/xen/lowlevel/xs/xs.c
++++ b/tools/python/xen/lowlevel/xs/xs.c
+@@ -18,6 +18,7 @@
+ * Copyright (C) 2005 XenSource Ltd.
+ */
+
++#define PY_SSIZE_T_CLEAN
+ #include
+
+ #include
+@@ -141,7 +142,7 @@ static PyObject *xspy_write(XsHandle *self, PyObject *args)
+ char *thstr;
+ char *path;
+ char *data;
+- int data_n;
++ Py_ssize_t data_n;
+ bool result;
+
+ if (!xh)
+--
+2.40.0
+
diff --git a/0068-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch b/0068-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch
new file mode 100644
index 0000000..a47812b
--- /dev/null
+++ b/0068-tools-xenmon-Fix-xenmon.py-for-with-python3.x.patch
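Review bot: `len` in `pyflask_load()` and `data_n` in `xspy_write()` are widened to `Py_ssize_t`, but neither hunk shows a range check, so a buffer longer than the consuming call's size parameter can represent would presumably be narrowed silently when passed on. The calls that use these lengths are outside the hunks; if they take a 32-bit or `unsigned int` size, a guard after argument parsing such as `if ( len > UINT32_MAX ) { PyErr_SetString(PyExc_OverflowError, "policy too large"); return NULL; }` would turn that into a clean error, with the equivalent for `data_n`. This matters most for the policy load path, where a truncated length would hand the library only part of the blob the caller supplied.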
@@ -0,0 +1,54 @@
+From 244d39fb13abae6c2da341b76363f169d8bbc93b Mon Sep 17 00:00:00 2001
+From: Bernhard Kaindl
+Date: Tue, 21 Mar 2023 13:44:04 +0100
+Subject: [PATCH 68/89] tools/xenmon: Fix xenmon.py for with python3.x
+
+Fixes for Py3:
+* class Delayed(): file not defined; also an error for pylint -E. Inherit
+ object instead for Py2 compatibility. Fix DomainInfo() too.
+* Inconsistent use of tabs and spaces for indentation (in one block)
+
+Signed-off-by: Bernhard Kaindl
+Acked-by: Andrew Cooper
+master commit: 3a59443c1d5ae0677a792c660ccd3796ce036732
+master date: 2023-02-06 10:22:12 +0000
+---
+ tools/xenmon/xenmon.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/xenmon/xenmon.py b/tools/xenmon/xenmon.py
+index 175eacd2cb..977ada6887 100644
+--- a/tools/xenmon/xenmon.py
++++ b/tools/xenmon/xenmon.py
+@@ -117,7 +117,7 @@ def setup_cmdline_parser():
+ return parser
+
+ # encapsulate information about a domain
+-class DomainInfo:
++class DomainInfo(object):
+ def __init__(self):
+ self.allocated_sum = 0
+ self.gotten_sum = 0
+@@ -533,7 +533,7 @@ def show_livestats(cpu):
+ # simple functions to allow initialization of log files without actually
+ # physically creating files that are never used; only on the first real
+ # write does the file get created
+-class Delayed(file):
++class Delayed(object):
+ def __init__(self, filename, mode):
+ self.filename = filename
+ self.saved_mode = mode
+@@ -677,8 +677,8 @@ def main():
+
+ if os.uname()[0] == "SunOS":
+ xenbaked_cmd = "/usr/lib/xenbaked"
+- stop_cmd = "/usr/bin/pkill -INT -z global xenbaked"
+- kill_cmd = "/usr/bin/pkill -KILL -z global xenbaked"
++ stop_cmd = "/usr/bin/pkill -INT -z global xenbaked"
++ kill_cmd = "/usr/bin/pkill -KILL -z global xenbaked"
+ else:
+ # assumes that xenbaked is in your path
+ xenbaked_cmd = "xenbaked"
+--
+2.40.0
+
diff --git a/0069-x86-spec-ctrl-Add-BHI-controls-to-userspace-componen.patch b/0069-x86-spec-ctrl-Add-BHI-controls-to-userspace-componen.patch
new file mode 100644
index 0000000..734a2e5
--- /dev/null
+++ b/0069-x86-spec-ctrl-Add-BHI-controls-to-userspace-componen.patch
@@ -0,0 +1,51 @@
+From b4dad09bb23c439f2e67ed2eb6d7bdd640b8bbae Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Tue, 21 Mar 2023 13:44:27 +0100
+Subject: [PATCH 69/89] x86/spec-ctrl: Add BHI controls to userspace components
+
+This was an oversight when adding the Xen parts.
+
+Fixes: cea9ae062295 ("x86/spec-ctrl: Enumeration for new Intel BHI controls")
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+master commit: 9276e832aef60437da13d91e66fc259fd94d6f91
+master date: 2023-03-13 11:26:26 +0000
+---
+ tools/libs/light/libxl_cpuid.c | 3 +++
+ tools/misc/xen-cpuid.c | 6 +++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tools/libs/light/libxl_cpuid.c b/tools/libs/light/libxl_cpuid.c
+index d97a2f3338..55cfbc8f23 100644
+--- a/tools/libs/light/libxl_cpuid.c
++++ b/tools/libs/light/libxl_cpuid.c
+@@ -238,6 +238,9 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str)
+ {"cet-sss", 0x00000007, 1, CPUID_REG_EDX, 18, 1},
+
+ {"intel-psfd", 0x00000007, 2, CPUID_REG_EDX, 0, 1},
++ {"ipred-ctrl", 0x00000007, 2, CPUID_REG_EDX, 1, 1},
++ {"rrsba-ctrl", 0x00000007, 2, CPUID_REG_EDX, 2, 1},
++ {"bhi-ctrl", 0x00000007, 2, CPUID_REG_EDX, 4, 1},
+ {"mcdt-no", 0x00000007, 2, CPUID_REG_EDX, 5, 1},
+
+ {"lahfsahf", 0x80000001, NA, CPUID_REG_ECX, 0, 1},
+diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
+index 0248eaef44..45e443f5d9 100644
+--- a/tools/misc/xen-cpuid.c
++++ b/tools/misc/xen-cpuid.c
+@@ -213,9 +213,9 @@ static const char *const str_7d1[32] =
+
+ static const char *const str_7d2[32] =
+ {
+- [ 0] = "intel-psfd",
+-
+- /* 4 */ [ 5] = "mcdt-no",
++ [ 0] = "intel-psfd", [ 1] = "ipred-ctrl",
++ [ 2] = "rrsba-ctrl",
++ [ 4] = "bhi-ctrl", [ 5] = "mcdt-no",
+ };
+
+ static const struct {
+--
+2.40.0
+
diff --git a/0070-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch b/0070-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch
new file mode 100644
index 0000000..0b2c2b4
--- /dev/null
+++ b/0070-core-parking-fix-build-with-gcc12-and-NR_CPUS-1.patch
@@ -0,0 +1,95 @@
+From b5409f4e4d0722e8669123d59f15f784903d153f Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Tue, 21 Mar 2023 13:44:53 +0100
+Subject: [PATCH 70/89] core-parking: fix build with gcc12 and NR_CPUS=1
+
+Gcc12 takes issue with core_parking_remove()'s
+
+ for ( ; i < cur_idle_nums; ++i )
+ core_parking_cpunum[i] = core_parking_cpunum[i + 1];
+
+complaining that the right hand side array access is past the bounds of
+1. Clearly the compiler can't know that cur_idle_nums can only ever be
+zero in this case (as the sole CPU cannot be parked).
+
+Arrange for core_parking.c's contents to not be needed altogether, and
+then disable its building when NR_CPUS == 1.
+
+Signed-off-by: Jan Beulich
+Acked-by: Andrew Cooper
+master commit: 4b0422f70feb4b1cd04598ffde805fc224f3812e
+master date: 2023-03-13 15:15:42 +0100
+---
+ xen/arch/x86/Kconfig | 2 +-
+ xen/arch/x86/platform_hypercall.c | 11 ++++++++---
+ xen/arch/x86/sysctl.c | 3 +++
+ xen/common/Kconfig | 1 +
+ 4 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
+index 6a7825f4ba..2a5c3304e2 100644
+--- a/xen/arch/x86/Kconfig
++++ b/xen/arch/x86/Kconfig
+@@ -10,7 +10,7 @@ config X86
+ select ALTERNATIVE_CALL
+ select ARCH_MAP_DOMAIN_PAGE
+ select ARCH_SUPPORTS_INT128
+- select CORE_PARKING
++ imply CORE_PARKING
+ select HAS_ALTERNATIVE
+ select HAS_COMPAT
+ select HAS_CPUFREQ
+diff --git a/xen/arch/x86/platform_hypercall.c b/xen/arch/x86/platform_hypercall.c
+index a7341dc3d7..e7deee2268 100644
+--- a/xen/arch/x86/platform_hypercall.c
++++ b/xen/arch/x86/platform_hypercall.c
+@@ -727,12 +727,17 @@ ret_t do_platform_op(
+ case XEN_CORE_PARKING_SET:
+ idle_nums = min_t(uint32_t,
+ op->u.core_parking.idle_nums, num_present_cpus() - 1);
+- ret = continue_hypercall_on_cpu(
+- 0, core_parking_helper, (void *)(unsigned long)idle_nums);
++ if ( CONFIG_NR_CPUS > 1 )
++ ret = continue_hypercall_on_cpu(
++ 0, core_parking_helper,
++ (void *)(unsigned long)idle_nums);
++ else if ( idle_nums )
++ ret = -EINVAL;
+ break;
+
+ case XEN_CORE_PARKING_GET:
+- op->u.core_parking.idle_nums = get_cur_idle_nums();
++ op->u.core_parking.idle_nums = CONFIG_NR_CPUS > 1
++ ? get_cur_idle_nums() : 0;
+ ret = __copy_field_to_guest(u_xenpf_op, op, u.core_parking) ?
+ -EFAULT : 0;
+ break;
+diff --git a/xen/arch/x86/sysctl.c b/xen/arch/x86/sysctl.c
+index f82abc2488..f8f8d79755 100644
+--- a/xen/arch/x86/sysctl.c
++++ b/xen/arch/x86/sysctl.c
+@@ -179,6 +179,9 @@ long arch_do_sysctl(
+ ret = -EBUSY;
+ break;
+ }
++ if ( CONFIG_NR_CPUS <= 1 )
++ /* Mimic behavior of smt_up_down_helper(). */
++ return 0;
+ plug = op == XEN_SYSCTL_CPU_HOTPLUG_SMT_ENABLE;
+ fn = smt_up_down_helper;
+ hcpu = _p(plug);
+diff --git a/xen/common/Kconfig b/xen/common/Kconfig
+index f1ea3199c8..855c843113 100644
+--- a/xen/common/Kconfig
++++ b/xen/common/Kconfig
+@@ -10,6 +10,7 @@ config COMPAT
+
+ config CORE_PARKING
+ bool
++ depends on NR_CPUS > 1
+
+ config GRANT_TABLE
+ bool "Grant table support" if EXPERT
+--
+2.40.0
+
diff --git a/0071-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch b/0071-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch
new file mode 100644
index 0000000..b33bd11
--- /dev/null
+++ b/0071-x86-altp2m-help-gcc13-to-avoid-it-emitting-a-warning.patch
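Review bot: In the `XEN_CORE_PARKING_SET` arm of `do_platform_op()`, a build with `CONFIG_NR_CPUS` of 1 assigns `ret` only when `idle_nums` is non-zero, so the success case returns whatever `ret` held on entry to the switch. That initial value is set outside the hunk and is presumably 0, but the arm would be easier to audit if it did not depend on it: `else ret = idle_nums ? -EINVAL : 0;`. In the same build `idle_nums` has just been clamped to `num_present_cpus() - 1`, so the `-EINVAL` branch looks unreachable in practice and a comment saying so would save the next reader the same check.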
@@ -0,0 +1,129 @@ +From d84612ecab00ab31c09a7c5a5892906edbacaf5b Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 21 Mar 2023 13:45:47 +0100 +Subject: [PATCH 71/89] x86/altp2m: help gcc13 to avoid it emitting a warning + +Switches of altp2m-s always expect a valid altp2m to be in place (and +indeed altp2m_vcpu_initialise() sets the active one to be at index 0). +The compiler, however, cannot know that, and hence it cannot eliminate +p2m_get_altp2m()'s case of returnin (literal) NULL. If then the compiler +decides to special case that code path in the caller, the dereference in +instances of + + atomic_dec(&p2m_get_altp2m(v)->active_vcpus); + +can, to the code generator, appear to be NULL dereferences, leading to + +In function 'atomic_dec', + inlined from '...' at ...: +./arch/x86/include/asm/atomic.h:182:5: error: array subscript 0 is outside array bounds of 'int[0]' [-Werror=array-bounds=] + +Aid the compiler by adding a BUG_ON() checking the return value of the +problematic p2m_get_altp2m(). Since with the use of the local variable +the 2nd p2m_get_altp2m() each will look questionable at the first glance +(Why is the local variable not used here?), open-code the only relevant +piece of p2m_get_altp2m() there. + +To avoid repeatedly doing these transformations, and also to limit how +"bad" the open-coding really is, convert the entire operation to an +inline helper, used by all three instances (and accepting the redundant +BUG_ON(idx >= MAX_ALTP2M) in two of the three cases). 
+ +Reported-by: Charles Arnold +Signed-off-by: Jan Beulich +Acked-by: Andrew Cooper +master commit: be62b1fc2aa7375d553603fca07299da765a89fe +master date: 2023-03-13 15:16:21 +0100 +--- + xen/arch/x86/hvm/vmx/vmx.c | 8 +------- + xen/arch/x86/include/asm/p2m.h | 20 ++++++++++++++++++++ + xen/arch/x86/mm/p2m.c | 14 ++------------ + 3 files changed, 23 insertions(+), 19 deletions(-) + +diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c +index f0e759eeaf..a8fb4365ad 100644 +--- a/xen/arch/x86/hvm/vmx/vmx.c ++++ b/xen/arch/x86/hvm/vmx/vmx.c +@@ -4072,13 +4072,7 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs) + } + } + +- if ( idx != vcpu_altp2m(v).p2midx ) +- { +- BUG_ON(idx >= MAX_ALTP2M); +- atomic_dec(&p2m_get_altp2m(v)->active_vcpus); +- vcpu_altp2m(v).p2midx = idx; +- atomic_inc(&p2m_get_altp2m(v)->active_vcpus); +- } ++ p2m_set_altp2m(v, idx); + } + + if ( unlikely(currd->arch.monitor.vmexit_enabled) ) +diff --git a/xen/arch/x86/include/asm/p2m.h b/xen/arch/x86/include/asm/p2m.h +index bd684d02f3..cd43d8621a 100644 +--- a/xen/arch/x86/include/asm/p2m.h ++++ b/xen/arch/x86/include/asm/p2m.h +@@ -879,6 +879,26 @@ static inline struct p2m_domain *p2m_get_altp2m(struct vcpu *v) + return v->domain->arch.altp2m_p2m[index]; + } + ++/* set current alternate p2m table */ ++static inline bool p2m_set_altp2m(struct vcpu *v, unsigned int idx) ++{ ++ struct p2m_domain *orig; ++ ++ BUG_ON(idx >= MAX_ALTP2M); ++ ++ if ( idx == vcpu_altp2m(v).p2midx ) ++ return false; ++ ++ orig = p2m_get_altp2m(v); ++ BUG_ON(!orig); ++ atomic_dec(&orig->active_vcpus); ++ ++ vcpu_altp2m(v).p2midx = idx; ++ atomic_inc(&v->domain->arch.altp2m_p2m[idx]->active_vcpus); ++ ++ return true; ++} ++ + /* Switch alternate p2m for a single vcpu */ + bool_t p2m_switch_vcpu_altp2m_by_id(struct vcpu *v, unsigned int idx); + +diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c +index a405ee5fde..b28c899b5e 100644 +--- a/xen/arch/x86/mm/p2m.c ++++ b/xen/arch/x86/mm/p2m.c +@@ 
-1787,13 +1787,8 @@ bool_t p2m_switch_vcpu_altp2m_by_id(struct vcpu *v, unsigned int idx) + + if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) ) + { +- if ( idx != vcpu_altp2m(v).p2midx ) +- { +- atomic_dec(&p2m_get_altp2m(v)->active_vcpus); +- vcpu_altp2m(v).p2midx = idx; +- atomic_inc(&p2m_get_altp2m(v)->active_vcpus); ++ if ( p2m_set_altp2m(v, idx) ) + altp2m_vcpu_update_p2m(v); +- } + rc = 1; + } + +@@ -2070,13 +2065,8 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, unsigned int idx) + if ( d->arch.altp2m_visible_eptp[idx] != mfn_x(INVALID_MFN) ) + { + for_each_vcpu( d, v ) +- if ( idx != vcpu_altp2m(v).p2midx ) +- { +- atomic_dec(&p2m_get_altp2m(v)->active_vcpus); +- vcpu_altp2m(v).p2midx = idx; +- atomic_inc(&p2m_get_altp2m(v)->active_vcpus); ++ if ( p2m_set_altp2m(v, idx) ) + altp2m_vcpu_update_p2m(v); +- } + + rc = 0; + } +-- +2.40.0 + diff --git a/0072-VT-d-constrain-IGD-check.patch b/0072-VT-d-constrain-IGD-check.patch new file mode 100644 index 0000000..497b04b --- /dev/null +++ b/0072-VT-d-constrain-IGD-check.patch 
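Review bot: p2m_set_altp2m() in the p2m.h hunk checks the outgoing table with `BUG_ON(!orig)` but dereferences the incoming `v->domain->arch.altp2m_p2m[idx]` unchecked, so it relies on every caller having validated that view first. The two p2m.c callers do this with the `altp2m_eptp[idx]` and `altp2m_visible_eptp[idx]` comparisons against INVALID_MFN visible in their hunks; how vmx_vmexit_handler() obtains and validates idx is outside the hunk. The one-line comment `/* set current alternate p2m table */` states neither this precondition nor the meaning of the return value. I would replace it with `/* Switch v to altp2m view idx. The caller must already have checked that view idx is populated. Returns true if the index changed. */`.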
@@ -0,0 +1,44 @@ +From f971f5c531ce6a5fd6c1ff1f525f2c6837eeb78d Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 21 Mar 2023 13:46:39 +0100 +Subject: [PATCH 72/89] VT-d: constrain IGD check + +Marking a DRHD as controlling an IGD isn't very sensible without +checking that at the very least it's a graphics device that lives at +0000:00:02.0. Re-use the reading of the class-code to control both the +clearing of "gfx_only" and the setting of "igd_drhd_address". + +Signed-off-by: Jan Beulich +Reviewed-by: Kevin Tian +master commit: f8c4317295fa1cde1a81779b7e362651c084efb8 +master date: 2023-03-14 10:44:08 +0100 +--- + xen/drivers/passthrough/vtd/dmar.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/xen/drivers/passthrough/vtd/dmar.c b/xen/drivers/passthrough/vtd/dmar.c +index 78c8bad151..78d4526446 100644 +--- a/xen/drivers/passthrough/vtd/dmar.c ++++ b/xen/drivers/passthrough/vtd/dmar.c +@@ -391,15 +391,12 @@ static int __init acpi_parse_dev_scope( + + if ( drhd ) + { +- if ( (seg == 0) && (bus == 0) && (path->dev == 2) && +- (path->fn == 0) ) +- igd_drhd_address = drhd->address; +- +- if ( gfx_only && +- pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn), ++ if ( pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn), + PCI_CLASS_DEVICE + 1) != 0x03 + /* PCI_BASE_CLASS_DISPLAY */ ) + gfx_only = false; ++ else if ( !seg && !bus && path->dev == 2 && !path->fn ) ++ igd_drhd_address = drhd->address; + } + + break; +-- +2.40.0 + diff --git a/0073-bunzip-work-around-gcc13-warning.patch b/0073-bunzip-work-around-gcc13-warning.patch new file mode 100644 index 0000000..c7ec163 --- /dev/null +++ b/0073-bunzip-work-around-gcc13-warning.patch 
@@ -0,0 +1,42 @@ +From 7082d656ae9bcd26392caf72e50e0f7a61c8f285 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 21 Mar 2023 13:47:11 +0100 +Subject: [PATCH 73/89] bunzip: work around gcc13 warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +While provable that length[0] is always initialized (because symCount +cannot be zero), upcoming gcc13 fails to recognize this and warns about +the unconditional use of the value immediately following the loop. + +See also https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106511. + +Reported-by: Martin Liška +Signed-off-by: Jan Beulich +Acked-by: Andrew Cooper +master commit: 402195e56de0aacf97e05c80ed367d464ca6938b +master date: 2023-03-14 10:45:28 +0100 +--- + xen/common/bunzip2.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xen/common/bunzip2.c b/xen/common/bunzip2.c +index 61b80aff1b..4466426941 100644 +--- a/xen/common/bunzip2.c ++++ b/xen/common/bunzip2.c +@@ -233,6 +233,11 @@ static int __init get_next_block(struct bunzip_data *bd) + becomes negative, so an unsigned inequality catches + it.) */ + t = get_bits(bd, 5)-1; ++ /* GCC 13 has apparently improved use-before-set detection, but ++ it can't figure out that length[0] is always intialized by ++ virtue of symCount always being positive when making it here. ++ See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106511. */ ++ length[0] = 0; + for (i = 0; i < symCount; i++) { + for (;;) { + if (((unsigned)t) > (MAX_HUFCODE_BITS-1)) +-- +2.40.0 + diff --git a/0074-libacpi-fix-PCI-hotplug-AML.patch b/0074-libacpi-fix-PCI-hotplug-AML.patch new file mode 100644 index 0000000..3583849 --- /dev/null +++ b/0074-libacpi-fix-PCI-hotplug-AML.patch 
@@ -0,0 +1,57 @@ +From 3eac216e6e60860bbc030602c401d3ef8efce8d9 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Tue, 21 Mar 2023 13:47:52 +0100 +Subject: [PATCH 74/89] libacpi: fix PCI hotplug AML + +The emulated PIIX3 uses a nybble for the status of each PCI function, +so the status for e.g. slot 0 functions 0 and 1 respectively can be +read as (\_GPE.PH00 & 0x0F), and (\_GPE.PH00 >> 0x04). + +The AML that Xen gives to a guest gets the operand order for the odd- +numbered functions the wrong way round, returning (0x04 >> \_GPE.PH00) +instead. + +As far as I can tell, this was the wrong way round in Xen from the +moment that PCI hotplug was first introduced in commit 83d82e6f35a8: + ++ ShiftRight (0x4, \_GPE.PH00, Local1) ++ Return (Local1) /* IN status as the _STA */ + +Or maybe there's bizarre AML operand ordering going on there, like +Intel's wrong-way-round assembler, and it only broke later when it was +changed to being generated? + +Either way, it's definitely wrong now, and instrumenting a Linux guest +shows that it correctly sees _STA being 0x00 in function 0 of an empty +slot, but then the loop in acpiphp_glue.c::get_slot_status() goes on to +look at function 1 and sees that _STA evaluates to 0x04. Thus reporting +an adapter is present in every slot in /sys/bus/pci/slots/* + +Quite why Linux wants to look for function 1 being physically present +when function 0 isn't... I don't want to think about right now. 
+ +Fixes: 83d82e6f35a8 ("hvmloader: pass-through: multi-function PCI hot-plug") +Signed-off-by: David Woodhouse +Reviewed-by: Jan Beulich +master commit: b190af7d3e90f58da5f58044b8dea7261b8b483d +master date: 2023-03-20 17:12:34 +0100 +--- + tools/libacpi/mk_dsdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/libacpi/mk_dsdt.c b/tools/libacpi/mk_dsdt.c +index 1176da80ef..1d27809116 100644 +--- a/tools/libacpi/mk_dsdt.c ++++ b/tools/libacpi/mk_dsdt.c +@@ -431,7 +431,7 @@ int main(int argc, char **argv) + stmt("Store", "0x89, \\_GPE.DPT2"); + } + if ( slot & 1 ) +- stmt("ShiftRight", "0x4, \\_GPE.PH%02X, Local1", slot & ~1); ++ stmt("ShiftRight", "\\_GPE.PH%02X, 0x04, Local1", slot & ~1); + else + stmt("And", "\\_GPE.PH%02X, 0x0f, Local1", slot & ~1); + stmt("Return", "Local1"); /* IN status as the _STA */ +-- +2.40.0 + diff --git a/0075-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch b/0075-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch new file mode 100644 index 0000000..5decf2c --- /dev/null +++ b/0075-AMD-IOMMU-without-XT-x2APIC-needs-to-be-forced-into-.patch 
@@ -0,0 +1,42 @@ +From 3c85fb7b65d6a8b0fa993bc1cb67eea9b4a64aca Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Fri, 31 Mar 2023 08:28:56 +0200 +Subject: [PATCH 75/89] AMD/IOMMU: without XT, x2APIC needs to be forced into + physical mode + +An earlier change with the same title (commit 1ba66a870eba) altered only +the path where x2apic_phys was already set to false (perhaps from the +command line). The same of course needs applying when the variable +wasn't modified yet from its initial value. + +Reported-by: Elliott Mitchell +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper +master commit: 0d2686f6b66b4b1b3c72c3525083b0ce02830054 +master date: 2023-03-21 09:23:25 +0100 +--- + xen/arch/x86/genapic/x2apic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/xen/arch/x86/genapic/x2apic.c b/xen/arch/x86/genapic/x2apic.c +index 7dfc793514..d512c50fc5 100644 +--- a/xen/arch/x86/genapic/x2apic.c ++++ b/xen/arch/x86/genapic/x2apic.c +@@ -236,11 +236,11 @@ const struct genapic *__init apic_x2apic_probe(void) + if ( x2apic_phys < 0 ) + { + /* +- * Force physical mode if there's no interrupt remapping support: The +- * ID in clustered mode requires a 32 bit destination field due to ++ * Force physical mode if there's no (full) interrupt remapping support: ++ * The ID in clustered mode requires a 32 bit destination field due to + * the usage of the high 16 bits to hold the cluster ID. + */ +- x2apic_phys = !iommu_intremap || ++ x2apic_phys = iommu_intremap != iommu_intremap_full || + (acpi_gbl_FADT.flags & ACPI_FADT_APIC_PHYSICAL) || + (IS_ENABLED(CONFIG_X2APIC_PHYSICAL) && + !(acpi_gbl_FADT.flags & ACPI_FADT_APIC_CLUSTER)); +-- +2.40.0 + diff --git a/0076-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch b/0076-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch new file mode 100644 index 0000000..d897da6 --- /dev/null +++ b/0076-VT-d-fix-iommu-no-igfx-if-the-IOMMU-scope-contains-f.patch 
@@ -0,0 +1,44 @@ +From 33b1c8cd86bd6c311131b8dff32bd45581e2fbc1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= + +Date: Fri, 31 Mar 2023 08:29:55 +0200 +Subject: [PATCH 76/89] VT-d: fix iommu=no-igfx if the IOMMU scope contains + fake device(s) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the scope for IGD's IOMMU contains additional device that doesn't +actually exist, iommu=no-igfx would not disable that IOMMU. In this +particular case (Thinkpad x230) it included 00:02.1, but there is no +such device on this platform. Consider only existing devices for the +"gfx only" check as well as the establishing of IGD DRHD address +(underlying is_igd_drhd(), which is used to determine applicability of +two workarounds). + +Fixes: 2d7f191b392e ("VT-d: generalize and correct "iommu=no-igfx" handling") +Signed-off-by: Marek Marczykowski-Górecki +Signed-off-by: Jan Beulich +Reviewed-by: Kevin Tian +master commit: 49de6749baa8d0addc3048defd4ef3e85cb135e9 +master date: 2023-03-23 09:16:41 +0100 +--- + xen/drivers/passthrough/vtd/dmar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xen/drivers/passthrough/vtd/dmar.c b/xen/drivers/passthrough/vtd/dmar.c +index 78d4526446..4936c20952 100644 +--- a/xen/drivers/passthrough/vtd/dmar.c ++++ b/xen/drivers/passthrough/vtd/dmar.c +@@ -389,7 +389,7 @@ static int __init acpi_parse_dev_scope( + printk(VTDPREFIX " endpoint: %pp\n", + &PCI_SBDF(seg, bus, path->dev, path->fn)); + +- if ( drhd ) ++ if ( drhd && pci_device_detect(seg, bus, path->dev, path->fn) ) + { + if ( pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn), + PCI_CLASS_DEVICE + 1) != 0x03 +-- +2.40.0 + diff --git a/0077-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch b/0077-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch new file mode 100644 index 0000000..3486ccd --- /dev/null +++ b/0077-x86-shadow-fix-and-improve-sh_page_has_multiple_shad.patch 
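Review bot: The added `pci_device_detect()` test drops an absent scope entry without any trace, even though the `endpoint: %pp` printk in the context lines above may already have logged it as an endpoint. When firmware lists a device that does not exist, as the commit message describes, the boot log then gives no hint that the entry was left out of the gfx-only and IGD DRHD decisions. Consider adding `else if ( drhd ) printk(XENLOG_WARNING VTDPREFIX " %pp listed in DRHD scope but not present\n", &PCI_SBDF(seg, bus, path->dev, path->fn));` after the block, whose closing brace is outside the hunk. Separately, if every entry in a scope fails detection, nothing here clears gfx_only; its initial value and its consumer are outside the hunk, so whether that case is handled cannot be judged from this change.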
@@ -0,0 +1,47 @@ +From 6f2d89d68175e74aca9c67761aa87ffc8f5ffed1 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Fri, 31 Mar 2023 08:30:41 +0200 +Subject: [PATCH 77/89] x86/shadow: fix and improve + sh_page_has_multiple_shadows() + +While no caller currently invokes the function without first making sure +there is at least one shadow [1], we'd better eliminate UB here: +find_first_set_bit() requires input to be non-zero to return a well- +defined result. + +Further, using find_first_set_bit() isn't very efficient in the first +place for the intended purpose. + +Signed-off-by: Jan Beulich +Reviewed-by: Andrew Cooper + +[1] The function has exactly two uses, and both are from OOS code, which + is HVM-only. For HVM (but not for PV) sh_mfn_is_a_page_table(), + guarding the call to sh_unsync(), guarantees at least one shadow. + Hence even if sh_page_has_multiple_shadows() returned a bogus value + when invoked for a PV domain, the subsequent is_hvm_vcpu() and + oos_active checks (the former being redundant with the latter) will + compensate. (Arguably that oos_active check should come first, for + both clarity and efficiency reasons.) +master commit: 2896224a4e294652c33f487b603d20bd30955f21 +master date: 2023-03-24 11:07:08 +0100 +--- + xen/arch/x86/mm/shadow/private.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h +index 85bb26c7ea..c2bb1ed3c3 100644 +--- a/xen/arch/x86/mm/shadow/private.h ++++ b/xen/arch/x86/mm/shadow/private.h +@@ -324,7 +324,7 @@ static inline int sh_page_has_multiple_shadows(struct page_info *pg) + return 0; + shadows = pg->shadow_flags & SHF_page_type_mask; + /* More than one type bit set in shadow-flags? */ +- return ( (shadows & ~(1UL << find_first_set_bit(shadows))) != 0 ); ++ return shadows && (shadows & (shadows - 1)); + } + + #if (SHADOW_OPTIMIZATIONS & SHOPT_OUT_OF_SYNC) +-- +2.40.0 + 
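Review bot: The leading `shadows &&` in the new return statement is redundant, because `shadows & (shadows - 1)` already evaluates to 0 when shadows is 0 and so has no undefined case to guard. As written it reads like a guard against the find_first_set_bit() problem that the line no longer has. I would write `return (shadows & (shadows - 1)) != 0;`, which states the "more than one bit set" test directly and still normalises the int return value to 0 or 1. The declaration of shadows and the start of sh_page_has_multiple_shadows() are outside the hunk.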
diff --git a/0078-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch b/0078-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch
new file mode 100644
index 0000000..62de15a
--- /dev/null
+++ b/0078-x86-nospec-Fix-evaluate_nospec-code-generation-under.patch
@@ -0,0 +1,101 @@ +From 00aa5c93d14c6561a69fe204cbe29f7519830782 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Fri, 31 Mar 2023 08:31:20 +0200 +Subject: [PATCH 78/89] x86/nospec: Fix evaluate_nospec() code generation under + Clang +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It turns out that evaluate_nospec() code generation is not safe under Clang. +Given: + + void eval_nospec_test(int x) + { + if ( evaluate_nospec(x) ) + asm volatile ("nop #true" ::: "memory"); + else + asm volatile ("nop #false" ::: "memory"); + } + +Clang emits: + + : + 0f ae e8 lfence + 85 ff test %edi,%edi + 74 02 je + 90 nop + c3 ret + 90 nop + c3 ret + +which is not safe because the lfence has been hoisted above the conditional +jump. Clang concludes that both barrier_nospec_true()'s have identical side +effects and can safely be merged. + +Clang can be persuaded that the side effects are different if there are +different comments in the asm blocks. This is fragile, but no more fragile +that other aspects of this construct. + +Introduce barrier_nospec_false() with a separate internal comment to prevent +Clang merging it with barrier_nospec_true() despite the otherwise-identical +content. The generated code now becomes: + + : + 85 ff test %edi,%edi + 74 05 je + 0f ae e8 lfence + 90 nop + c3 ret + 0f ae e8 lfence + 90 nop + c3 ret + +which has the correct number of lfence's, and in the correct place. 
+ +Link: https://github.com/llvm/llvm-project/issues/55084 +Signed-off-by: Andrew Cooper +Reviewed-by: Roger Pau Monné +Reviewed-by: Jan Beulich +master commit: bc3c133841435829ba5c0a48427e2a77633502ab +master date: 2023-03-24 12:16:31 +0000 +--- + xen/arch/x86/include/asm/nospec.h | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h +index 5312ae4c6f..7150e76b87 100644 +--- a/xen/arch/x86/include/asm/nospec.h ++++ b/xen/arch/x86/include/asm/nospec.h +@@ -10,15 +10,26 @@ + static always_inline bool barrier_nospec_true(void) + { + #ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH +- alternative("lfence", "", X86_FEATURE_SC_NO_BRANCH_HARDEN); ++ alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_BRANCH_HARDEN); + #endif + return true; + } + ++static always_inline bool barrier_nospec_false(void) ++{ ++#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH ++ alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_BRANCH_HARDEN); ++#endif ++ return false; ++} ++ + /* Allow to protect evaluation of conditionals with respect to speculation */ + static always_inline bool evaluate_nospec(bool condition) + { +- return condition ? barrier_nospec_true() : !barrier_nospec_true(); ++ if ( condition ) ++ return barrier_nospec_true(); ++ else ++ return barrier_nospec_false(); + } + + /* Allow to block speculative execution in generic code */ +-- +2.40.0 + diff --git a/0079-x86-shadow-Fix-build-with-no-PG_log_dirty.patch b/0079-x86-shadow-Fix-build-with-no-PG_log_dirty.patch new file mode 100644 index 0000000..f7652a4 --- /dev/null +++ b/0079-x86-shadow-Fix-build-with-no-PG_log_dirty.patch 
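Review bot: Nothing in nospec.h records that the `#nospec-true` and `#nospec-false` asm comments are load-bearing. The commit message explains that Clang merges the two barriers and hoists the lfence above the branch when the asm strings are identical, but in the source they look like cosmetic annotations. A later cleanup that unifies or removes them would silently undo the speculation hardening with no build failure. I would add above barrier_nospec_false() something like `/* The asm comment must differ from barrier_nospec_true(): with identical strings Clang merges both barriers and hoists the lfence above the conditional jump. */`. A matching remark on the if/else in evaluate_nospec() would help too, since the previous ternary form is the obvious simplification.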
@@ -0,0 +1,56 @@ +From 11c8ef59b9024849c0fc224354904615d5579628 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Fri, 31 Mar 2023 08:32:11 +0200 +Subject: [PATCH 79/89] x86/shadow: Fix build with no PG_log_dirty + +Gitlab Randconfig found: + + arch/x86/mm/shadow/common.c: In function 'shadow_prealloc': + arch/x86/mm/shadow/common.c:1023:18: error: implicit declaration of function + 'paging_logdirty_levels'; did you mean 'paging_log_dirty_init'? [-Werror=implicit-function-declaration] + 1023 | count += paging_logdirty_levels(); + | ^~~~~~~~~~~~~~~~~~~~~~ + | paging_log_dirty_init + arch/x86/mm/shadow/common.c:1023:18: error: nested extern declaration of 'paging_logdirty_levels' [-Werror=nested-externs] + +The '#if PG_log_dirty' expression is currently SHADOW_PAGING && !HVM && +PV_SHIM_EXCLUSIVE. Move the declaration outside. + +Fixes: 33fb3a661223 ("x86/shadow: account for log-dirty mode when pre-allocating") +Signed-off-by: Andrew Cooper +Reviewed-by: Jan Beulich +master commit: 6d14cb105b1c54ad7b4228d858ae85aa8a672bbd +master date: 2023-03-24 12:16:31 +0000 +--- + xen/arch/x86/include/asm/paging.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xen/arch/x86/include/asm/paging.h b/xen/arch/x86/include/asm/paging.h +index 635ccc83b1..6f7000d5f4 100644 +--- a/xen/arch/x86/include/asm/paging.h ++++ b/xen/arch/x86/include/asm/paging.h +@@ -152,6 +152,10 @@ struct paging_mode { + /***************************************************************************** + * Log dirty code */ + ++#define paging_logdirty_levels() \ ++ (DIV_ROUND_UP(PADDR_BITS - PAGE_SHIFT - (PAGE_SHIFT + 3), \ ++ PAGE_SHIFT - ilog2(sizeof(mfn_t))) + 1) ++ + #if PG_log_dirty + + /* get the dirty bitmap for a specific range of pfns */ +@@ -190,10 +194,6 @@ bool paging_mfn_is_dirty(const struct domain *d, mfn_t gmfn); + #define L4_LOGDIRTY_IDX(pfn) ((pfn_x(pfn) >> (PAGE_SHIFT + 3 + PAGETABLE_ORDER * 2)) & \ + (LOGDIRTY_NODE_ENTRIES-1)) + +-#define 
paging_logdirty_levels() \ +- (DIV_ROUND_UP(PADDR_BITS - PAGE_SHIFT - (PAGE_SHIFT + 3), \ +- PAGE_SHIFT - ilog2(sizeof(mfn_t))) + 1) +- + #ifdef CONFIG_HVM + /* VRAM dirty tracking support */ + struct sh_dirty_vram { +-- +2.40.0 + diff --git a/0080-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch b/0080-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch new file mode 100644 index 0000000..539401f --- /dev/null +++ b/0080-x86-vmx-Don-t-spuriously-crash-the-domain-when-INIT-.patch 
@@ -0,0 +1,51 @@ +From f6a3e93b3788aa009e9b86d9cb14c243b958daa9 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Fri, 31 Mar 2023 08:32:57 +0200 +Subject: [PATCH 80/89] x86/vmx: Don't spuriously crash the domain when INIT is + received + +In VMX operation, the handling of INIT IPIs is changed. Instead of the CPU +resetting, the next VMEntry fails with EXIT_REASON_INIT. From the TXT spec, +the intent of this behaviour is so that an entity which cares can scrub +secrets from RAM before participating in an orderly shutdown. + +Right now, Xen's behaviour is that when an INIT arrives, the HVM VM which +schedules next is killed (citing an unknown VMExit), *and* we ignore the INIT +and continue blindly onwards anyway. + +This patch addresses only the first of these two problems by ignoring the INIT +and continuing without crashing the VM in question. + +The second wants addressing too, just as soon as we've figured out something +better to do... + +Discovered as collateral damage from when an AP triple faults on S3 resume on +Intel TigerLake platforms. + +Link: https://github.com/QubesOS/qubes-issues/issues/7283 +Signed-off-by: Andrew Cooper +Reviewed-by: Kevin Tian +master commit: b1f11273d5a774cc88a3685c96c2e7cf6385e3b6 +master date: 2023-03-24 22:49:58 +0000 +--- + xen/arch/x86/hvm/vmx/vmx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c +index a8fb4365ad..64dbd50197 100644 +--- a/xen/arch/x86/hvm/vmx/vmx.c ++++ b/xen/arch/x86/hvm/vmx/vmx.c +@@ -4038,6 +4038,10 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs) + case EXIT_REASON_MCE_DURING_VMENTRY: + do_machine_check(regs); + break; ++ ++ case EXIT_REASON_INIT: ++ printk(XENLOG_ERR "Error: INIT received - ignoring\n"); ++ return; /* Renter the guest without further processing */ + } + + /* Now enable interrupts so it's safe to take locks. */ +-- +2.40.0 + 
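Review bot: The message added for EXIT_REASON_INIT does not say which CPU took the INIT. The commit message notes that Xen still ignores the INIT and carries on, so this log line is the only record an operator has of the event. Adding the CPU, e.g. `printk(XENLOG_ERR "Error: INIT received on CPU%u - ignoring\n", smp_processor_id());`, would let the line be correlated with the S3-resume or other fault that caused it. The comment on the `return` should read `/* Re-enter the guest without further processing */`. vmx_vmexit_handler() starts and ends outside the hunk.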
diff --git a/0081-x86-ucode-Fix-error-paths-control_thread_fn.patch b/0081-x86-ucode-Fix-error-paths-control_thread_fn.patch
new file mode 100644
index 0000000..765fa84
--- /dev/null
+++ b/0081-x86-ucode-Fix-error-paths-control_thread_fn.patch
@@ -0,0 +1,56 @@ +From 7f55774489d2f12a23f2ac0f516b62e2709cea99 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Fri, 31 Mar 2023 08:33:28 +0200 +Subject: [PATCH 81/89] x86/ucode: Fix error paths control_thread_fn() + +These two early exits skipped re-enabling the watchdog, restoring the NMI +callback, and clearing the nmi_patch global pointer. Always execute the tail +of the function on the way out. + +Fixes: 8dd4dfa92d62 ("x86/microcode: Synchronize late microcode loading") +Signed-off-by: Andrew Cooper +Reviewed-by: Sergey Dyasli +Reviewed-by: Jan Beulich +master commit: fc2e1f3aad602a66c14b8285a1bd38a82f8fd02d +master date: 2023-03-28 11:57:56 +0100 +--- + xen/arch/x86/cpu/microcode/core.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c +index 2497630bbe..c760723e4f 100644 +--- a/xen/arch/x86/cpu/microcode/core.c ++++ b/xen/arch/x86/cpu/microcode/core.c +@@ -490,10 +490,7 @@ static int control_thread_fn(const struct microcode_patch *patch) + ret = wait_for_condition(wait_cpu_callin, num_online_cpus(), + MICROCODE_CALLIN_TIMEOUT_US); + if ( ret ) +- { +- set_state(LOADING_EXIT); +- return ret; +- } ++ goto out; + + /* Control thread loads ucode first while others are in NMI handler. */ + ret = alternative_call(ucode_ops.apply_microcode, patch); +@@ -505,8 +502,7 @@ static int control_thread_fn(const struct microcode_patch *patch) + { + printk(XENLOG_ERR + "Late loading aborted: CPU%u failed to update ucode\n", cpu); +- set_state(LOADING_EXIT); +- return ret; ++ goto out; + } + + /* Let primary threads load the given ucode update */ +@@ -537,6 +533,7 @@ static int control_thread_fn(const struct microcode_patch *patch) + } + } + ++ out: + /* Mark loading is done to unblock other threads */ + set_state(LOADING_EXIT); + +-- +2.40.0 + 
diff --git a/0082-include-don-t-mention-stub-headers-more-than-once-in.patch b/0082-include-don-t-mention-stub-headers-more-than-once-in.patch new file mode 100644 index 0000000..cc0a914 --- /dev/null +++ b/0082-include-don-t-mention-stub-headers-more-than-once-in.patch @@ -0,0 +1,37 @@ +From 350693582427887387f21a6eeedaa0ac48aecc3f Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Fri, 31 Mar 2023 08:34:04 +0200 +Subject: [PATCH 82/89] include: don't mention stub headers more than once in a + make rule + +When !GRANT_TABLE and !PV_SHIM headers-n contains grant_table.h twice, +causing make to complain "target '...' given more than once in the same +rule" for the rule generating the stub headers. We don't need duplicate +entries in headers-n anywhere, so zap them (by using $(sort ...)) right +where the final value of the variable is constructed. + +Fixes: 6bec713f871f ("include/compat: produce stubs for headers not otherwise generated") +Signed-off-by: Jan Beulich +Reviewed-by: Anthony PERARD +master commit: 231ab79704cbb5b9be7700287c3b185225d34f1b +master date: 2023-03-28 14:20:16 +0200 +--- + xen/include/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xen/include/Makefile b/xen/include/Makefile +index cfd7851614..e19f9464fd 100644 +--- a/xen/include/Makefile ++++ b/xen/include/Makefile +@@ -34,7 +34,7 @@ headers-$(CONFIG_TRACEBUFFER) += compat/trace.h + headers-$(CONFIG_XENOPROF) += compat/xenoprof.h + headers-$(CONFIG_XSM_FLASK) += compat/xsm/flask_op.h + +-headers-n := $(filter-out $(headers-y),$(headers-n) $(headers-)) ++headers-n := $(sort $(filter-out $(headers-y),$(headers-n) $(headers-))) + + cppflags-y := -include public/xen-compat.h -DXEN_GENERATING_COMPAT_HEADERS + cppflags-$(CONFIG_X86) += -m32 +-- +2.40.0 + diff --git a/0083-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch b/0083-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch new file mode 100644 index 0000000..8a1f412 --- /dev/null 
+++ b/0083-vpci-msix-handle-accesses-adjacent-to-the-MSI-X-tabl.patch 
@@ -0,0 +1,540 @@ +From 85100ed78ca18f188b1ca495f132db7df705f1a4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= +Date: Fri, 31 Mar 2023 08:34:26 +0200 +Subject: [PATCH 83/89] vpci/msix: handle accesses adjacent to the MSI-X table +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The handling of the MSI-X table accesses by Xen requires that any +pages part of the MSI-X related tables are not mapped into the domain +physmap. As a result, any device registers in the same pages as the +start or the end of the MSIX or PBA tables is not currently +accessible, as the accesses are just dropped. + +Note the spec forbids such placing of registers, as the MSIX and PBA +tables must be 4K isolated from any other registers: + +"If a Base Address register that maps address space for the MSI-X +Table or MSI-X PBA also maps other usable address space that is not +associated with MSI-X structures, locations (e.g., for CSRs) used in +the other address space must not share any naturally aligned 4-KB +address range with one where either MSI-X structure resides." + +Yet the 'Intel Wi-Fi 6 AX201' device on one of my boxes has registers +in the same page as the MSIX tables, and thus won't work on a PVH dom0 +without this fix. + +In order to cope with the behavior passthrough any accesses that fall +on the same page as the MSIX tables (but don't fall in between) to the +underlying hardware. Such forwarding also takes care of the PBA +accesses, so it allows to remove the code doing this handling in +msix_{read,write}. Note that as a result accesses to the PBA array +are no longer limited to 4 and 8 byte sizes, there's no access size +restriction for PBA accesses documented in the specification. 
+ +Signed-off-by: Roger Pau Monné +Reviewed-by: Jan Beulich + +vpci/msix: restore PBA access length and alignment restrictions + +Accesses to the PBA array have the same length and alignment +limitations as accesses to the MSI-X table: + +"For all accesses to MSI-X Table and MSI-X PBA fields, software must +use aligned full DWORD or aligned full QWORD transactions; otherwise, +the result is undefined." + +Introduce such length and alignment checks into the handling of PBA +accesses for vPCI. This was a mistake of mine for not reading the +specification correctly. + +Note that accesses must now be aligned, and hence there's no longer a +need to check that the end of the access falls into the PBA region as +both the access and the region addresses must be aligned. + +Fixes: b177892d2d ('vpci/msix: handle accesses adjacent to the MSI-X table') +Reported-by: Jan Beulich +Signed-off-by: Roger Pau Monné +Reviewed-by: Jan Beulich +master commit: b177892d2d0e8a31122c218989f43130aeba5282 +master date: 2023-03-28 14:20:35 +0200 +master commit: 7a502b4fbc339e9d3d3d45fb37f09da06bc3081c +master date: 2023-03-29 14:56:33 +0200 +--- + xen/drivers/vpci/msix.c | 353 +++++++++++++++++++++++++++++----------- + xen/drivers/vpci/vpci.c | 7 +- + xen/include/xen/vpci.h | 8 +- + 3 files changed, 273 insertions(+), 95 deletions(-) + +diff --git a/xen/drivers/vpci/msix.c b/xen/drivers/vpci/msix.c +index bea0cc7aed..cafddcf305 100644 +--- a/xen/drivers/vpci/msix.c ++++ b/xen/drivers/vpci/msix.c +@@ -27,6 +27,11 @@ + ((addr) >= vmsix_table_addr(vpci, nr) && \ + (addr) < vmsix_table_addr(vpci, nr) + vmsix_table_size(vpci, nr)) + ++#define VMSIX_ADDR_SAME_PAGE(addr, vpci, nr) \ ++ (PFN_DOWN(addr) >= PFN_DOWN(vmsix_table_addr(vpci, nr)) && \ ++ PFN_DOWN(addr) <= PFN_DOWN(vmsix_table_addr(vpci, nr) + \ ++ vmsix_table_size(vpci, nr) - 1)) ++ + static uint32_t cf_check control_read( + const struct pci_dev *pdev, unsigned int reg, void *data) + { +@@ -149,7 +154,7 @@ static struct vpci_msix 
*msix_find(const struct domain *d, unsigned long addr) + + for ( i = 0; i < ARRAY_SIZE(msix->tables); i++ ) + if ( bars[msix->tables[i] & PCI_MSIX_BIRMASK].enabled && +- VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, i) ) ++ VMSIX_ADDR_SAME_PAGE(addr, msix->pdev->vpci, i) ) + return msix; + } + +@@ -182,36 +187,172 @@ static struct vpci_msix_entry *get_entry(struct vpci_msix *msix, + return &msix->entries[(addr - start) / PCI_MSIX_ENTRY_SIZE]; + } + +-static void __iomem *get_pba(struct vpci *vpci) ++static void __iomem *get_table(struct vpci *vpci, unsigned int slot) + { + struct vpci_msix *msix = vpci->msix; ++ paddr_t addr = 0; ++ ++ ASSERT(spin_is_locked(&vpci->lock)); ++ ++ if ( likely(msix->table[slot]) ) ++ return msix->table[slot]; ++ ++ switch ( slot ) ++ { ++ case VPCI_MSIX_TBL_TAIL: ++ addr = vmsix_table_size(vpci, VPCI_MSIX_TABLE); ++ fallthrough; ++ case VPCI_MSIX_TBL_HEAD: ++ addr += vmsix_table_addr(vpci, VPCI_MSIX_TABLE); ++ break; ++ ++ case VPCI_MSIX_PBA_TAIL: ++ addr = vmsix_table_size(vpci, VPCI_MSIX_PBA); ++ fallthrough; ++ case VPCI_MSIX_PBA_HEAD: ++ addr += vmsix_table_addr(vpci, VPCI_MSIX_PBA); ++ break; ++ ++ default: ++ ASSERT_UNREACHABLE(); ++ return NULL; ++ } ++ ++ msix->table[slot] = ioremap(round_pgdown(addr), PAGE_SIZE); ++ ++ return msix->table[slot]; ++} ++ ++unsigned int get_slot(const struct vpci *vpci, unsigned long addr) ++{ ++ unsigned long pfn = PFN_DOWN(addr); ++ + /* +- * PBA will only be unmapped when the device is deassigned, so access it +- * without holding the vpci lock. ++ * The logic below relies on having the tables identity mapped to the guest ++ * address space, or for the `addr` parameter to be translated into its ++ * host physical memory address equivalent. 
+ */ +- void __iomem *pba = read_atomic(&msix->pba); + +- if ( likely(pba) ) +- return pba; ++ if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_TABLE)) ) ++ return VPCI_MSIX_TBL_HEAD; ++ if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_TABLE) + ++ vmsix_table_size(vpci, VPCI_MSIX_TABLE) - 1) ) ++ return VPCI_MSIX_TBL_TAIL; ++ if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_PBA)) ) ++ return VPCI_MSIX_PBA_HEAD; ++ if ( pfn == PFN_DOWN(vmsix_table_addr(vpci, VPCI_MSIX_PBA) + ++ vmsix_table_size(vpci, VPCI_MSIX_PBA) - 1) ) ++ return VPCI_MSIX_PBA_TAIL; ++ ++ ASSERT_UNREACHABLE(); ++ return -1; ++} ++ ++static bool adjacent_handle(const struct vpci_msix *msix, unsigned long addr) ++{ ++ unsigned int i; ++ ++ if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_PBA) ) ++ return true; ++ ++ if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_TABLE) ) ++ return false; ++ ++ for ( i = 0; i < ARRAY_SIZE(msix->tables); i++ ) ++ if ( VMSIX_ADDR_SAME_PAGE(addr, msix->pdev->vpci, i) ) ++ return true; ++ ++ return false; ++} + +- pba = ioremap(vmsix_table_addr(vpci, VPCI_MSIX_PBA), +- vmsix_table_size(vpci, VPCI_MSIX_PBA)); +- if ( !pba ) +- return read_atomic(&msix->pba); ++static int adjacent_read(const struct domain *d, const struct vpci_msix *msix, ++ unsigned long addr, unsigned int len, ++ unsigned long *data) ++{ ++ const void __iomem *mem; ++ struct vpci *vpci = msix->pdev->vpci; ++ unsigned int slot; ++ ++ *data = ~0ul; ++ ++ if ( !adjacent_handle(msix, addr + len - 1) ) ++ return X86EMUL_OKAY; ++ ++ if ( VMSIX_ADDR_IN_RANGE(addr, vpci, VPCI_MSIX_PBA) && ++ !access_allowed(msix->pdev, addr, len) ) ++ /* PBA accesses must be aligned and 4 or 8 bytes in size. 
*/ ++ return X86EMUL_OKAY; ++ ++ slot = get_slot(vpci, addr); ++ if ( slot >= ARRAY_SIZE(msix->table) ) ++ return X86EMUL_OKAY; ++ ++ if ( unlikely(!IS_ALIGNED(addr, len)) ) ++ { ++ unsigned int i; ++ ++ gprintk(XENLOG_DEBUG, "%pp: unaligned read to MSI-X related page\n", ++ &msix->pdev->sbdf); ++ ++ /* ++ * Split unaligned accesses into byte sized ones. Shouldn't happen in ++ * the first place, but devices shouldn't have registers in the same 4K ++ * page as the MSIX tables either. ++ * ++ * It's unclear whether this could cause issues if a guest expects ++ * registers to be accessed atomically, it better use an aligned access ++ * if it has such expectations. ++ */ ++ for ( i = 0; i < len; i++ ) ++ { ++ unsigned long partial = ~0ul; ++ int rc = adjacent_read(d, msix, addr + i, 1, &partial); ++ ++ if ( rc != X86EMUL_OKAY ) ++ return rc; ++ ++ *data &= ~(0xfful << (i * 8)); ++ *data |= (partial & 0xff) << (i * 8); ++ } ++ ++ return X86EMUL_OKAY; ++ } + + spin_lock(&vpci->lock); +- if ( !msix->pba ) ++ mem = get_table(vpci, slot); ++ if ( !mem ) + { +- write_atomic(&msix->pba, pba); + spin_unlock(&vpci->lock); ++ gprintk(XENLOG_WARNING, ++ "%pp: unable to map MSI-X page, returning all bits set\n", ++ &msix->pdev->sbdf); ++ return X86EMUL_OKAY; + } +- else ++ ++ switch ( len ) + { +- spin_unlock(&vpci->lock); +- iounmap(pba); ++ case 1: ++ *data = readb(mem + PAGE_OFFSET(addr)); ++ break; ++ ++ case 2: ++ *data = readw(mem + PAGE_OFFSET(addr)); ++ break; ++ ++ case 4: ++ *data = readl(mem + PAGE_OFFSET(addr)); ++ break; ++ ++ case 8: ++ *data = readq(mem + PAGE_OFFSET(addr)); ++ break; ++ ++ default: ++ ASSERT_UNREACHABLE(); + } ++ spin_unlock(&vpci->lock); + +- return read_atomic(&msix->pba); ++ return X86EMUL_OKAY; + } + + static int cf_check msix_read( +@@ -227,47 +368,11 @@ static int cf_check msix_read( + if ( !msix ) + return X86EMUL_RETRY; + +- if ( !access_allowed(msix->pdev, addr, len) ) +- return X86EMUL_OKAY; +- +- if ( VMSIX_ADDR_IN_RANGE(addr, 
msix->pdev->vpci, VPCI_MSIX_PBA) ) +- { +- struct vpci *vpci = msix->pdev->vpci; +- unsigned int idx = addr - vmsix_table_addr(vpci, VPCI_MSIX_PBA); +- const void __iomem *pba = get_pba(vpci); +- +- /* +- * Access to PBA. +- * +- * TODO: note that this relies on having the PBA identity mapped to the +- * guest address space. If this changes the address will need to be +- * translated. +- */ +- if ( !pba ) +- { +- gprintk(XENLOG_WARNING, +- "%pp: unable to map MSI-X PBA, report all pending\n", +- &msix->pdev->sbdf); +- return X86EMUL_OKAY; +- } +- +- switch ( len ) +- { +- case 4: +- *data = readl(pba + idx); +- break; +- +- case 8: +- *data = readq(pba + idx); +- break; +- +- default: +- ASSERT_UNREACHABLE(); +- break; +- } ++ if ( adjacent_handle(msix, addr) ) ++ return adjacent_read(d, msix, addr, len, data); + ++ if ( !access_allowed(msix->pdev, addr, len) ) + return X86EMUL_OKAY; +- } + + spin_lock(&msix->pdev->vpci->lock); + entry = get_entry(msix, addr); +@@ -303,56 +408,102 @@ static int cf_check msix_read( + return X86EMUL_OKAY; + } + +-static int cf_check msix_write( +- struct vcpu *v, unsigned long addr, unsigned int len, unsigned long data) ++static int adjacent_write(const struct domain *d, const struct vpci_msix *msix, ++ unsigned long addr, unsigned int len, ++ unsigned long data) + { +- const struct domain *d = v->domain; +- struct vpci_msix *msix = msix_find(d, addr); +- struct vpci_msix_entry *entry; +- unsigned int offset; ++ void __iomem *mem; ++ struct vpci *vpci = msix->pdev->vpci; ++ unsigned int slot; + +- if ( !msix ) +- return X86EMUL_RETRY; ++ if ( !adjacent_handle(msix, addr + len - 1) ) ++ return X86EMUL_OKAY; + +- if ( !access_allowed(msix->pdev, addr, len) ) ++ /* ++ * Only check start and end of the access because the size of the PBA is ++ * assumed to be equal or bigger (8 bytes) than the length of any access ++ * handled here. 
++ */ ++ if ( VMSIX_ADDR_IN_RANGE(addr, vpci, VPCI_MSIX_PBA) && ++ (!access_allowed(msix->pdev, addr, len) || !is_hardware_domain(d)) ) ++ /* Ignore writes to PBA for DomUs, it's undefined behavior. */ + return X86EMUL_OKAY; + +- if ( VMSIX_ADDR_IN_RANGE(addr, msix->pdev->vpci, VPCI_MSIX_PBA) ) ++ slot = get_slot(vpci, addr); ++ if ( slot >= ARRAY_SIZE(msix->table) ) ++ return X86EMUL_OKAY; ++ ++ if ( unlikely(!IS_ALIGNED(addr, len)) ) + { +- struct vpci *vpci = msix->pdev->vpci; +- unsigned int idx = addr - vmsix_table_addr(vpci, VPCI_MSIX_PBA); +- const void __iomem *pba = get_pba(vpci); ++ unsigned int i; + +- if ( !is_hardware_domain(d) ) +- /* Ignore writes to PBA for DomUs, it's behavior is undefined. */ +- return X86EMUL_OKAY; ++ gprintk(XENLOG_DEBUG, "%pp: unaligned write to MSI-X related page\n", ++ &msix->pdev->sbdf); + +- if ( !pba ) ++ for ( i = 0; i < len; i++ ) + { +- /* Unable to map the PBA, ignore write. */ +- gprintk(XENLOG_WARNING, +- "%pp: unable to map MSI-X PBA, write ignored\n", +- &msix->pdev->sbdf); +- return X86EMUL_OKAY; ++ int rc = adjacent_write(d, msix, addr + i, 1, data >> (i * 8)); ++ ++ if ( rc != X86EMUL_OKAY ) ++ return rc; + } + +- switch ( len ) +- { +- case 4: +- writel(data, pba + idx); +- break; ++ return X86EMUL_OKAY; ++ } + +- case 8: +- writeq(data, pba + idx); +- break; ++ spin_lock(&vpci->lock); ++ mem = get_table(vpci, slot); ++ if ( !mem ) ++ { ++ spin_unlock(&vpci->lock); ++ gprintk(XENLOG_WARNING, ++ "%pp: unable to map MSI-X page, dropping write\n", ++ &msix->pdev->sbdf); ++ return X86EMUL_OKAY; ++ } + +- default: +- ASSERT_UNREACHABLE(); +- break; +- } ++ switch ( len ) ++ { ++ case 1: ++ writeb(data, mem + PAGE_OFFSET(addr)); ++ break; + +- return X86EMUL_OKAY; ++ case 2: ++ writew(data, mem + PAGE_OFFSET(addr)); ++ break; ++ ++ case 4: ++ writel(data, mem + PAGE_OFFSET(addr)); ++ break; ++ ++ case 8: ++ writeq(data, mem + PAGE_OFFSET(addr)); ++ break; ++ ++ default: ++ ASSERT_UNREACHABLE(); + } ++ 
spin_unlock(&vpci->lock); ++ ++ return X86EMUL_OKAY; ++} ++ ++static int cf_check msix_write( ++ struct vcpu *v, unsigned long addr, unsigned int len, unsigned long data) ++{ ++ const struct domain *d = v->domain; ++ struct vpci_msix *msix = msix_find(d, addr); ++ struct vpci_msix_entry *entry; ++ unsigned int offset; ++ ++ if ( !msix ) ++ return X86EMUL_RETRY; ++ ++ if ( adjacent_handle(msix, addr) ) ++ return adjacent_write(d, msix, addr, len, data); ++ ++ if ( !access_allowed(msix->pdev, addr, len) ) ++ return X86EMUL_OKAY; + + spin_lock(&msix->pdev->vpci->lock); + entry = get_entry(msix, addr); +@@ -482,6 +633,26 @@ int vpci_make_msix_hole(const struct pci_dev *pdev) + } + } + ++ if ( is_hardware_domain(d) ) ++ { ++ /* ++ * For dom0 only: remove any hypervisor mappings of the MSIX or PBA ++ * related areas, as dom0 is capable of moving the position of the BARs ++ * in the host address space. ++ * ++ * We rely on being called with the vPCI lock held once the domain is ++ * running, so the maps are not in use. ++ */ ++ for ( i = 0; i < ARRAY_SIZE(pdev->vpci->msix->table); i++ ) ++ if ( pdev->vpci->msix->table[i] ) ++ { ++ /* If there are any maps, the domain must be running. 
*/ ++ ASSERT(spin_is_locked(&pdev->vpci->lock)); ++ iounmap(pdev->vpci->msix->table[i]); ++ pdev->vpci->msix->table[i] = NULL; ++ } ++ } ++ + return 0; + } + +diff --git a/xen/drivers/vpci/vpci.c b/xen/drivers/vpci/vpci.c +index 6d48d496bb..652807a4a4 100644 +--- a/xen/drivers/vpci/vpci.c ++++ b/xen/drivers/vpci/vpci.c +@@ -54,9 +54,12 @@ void vpci_remove_device(struct pci_dev *pdev) + spin_unlock(&pdev->vpci->lock); + if ( pdev->vpci->msix ) + { ++ unsigned int i; ++ + list_del(&pdev->vpci->msix->next); +- if ( pdev->vpci->msix->pba ) +- iounmap(pdev->vpci->msix->pba); ++ for ( i = 0; i < ARRAY_SIZE(pdev->vpci->msix->table); i++ ) ++ if ( pdev->vpci->msix->table[i] ) ++ iounmap(pdev->vpci->msix->table[i]); + } + xfree(pdev->vpci->msix); + xfree(pdev->vpci->msi); +diff --git a/xen/include/xen/vpci.h b/xen/include/xen/vpci.h +index d8acfeba8a..0b8a2a3c74 100644 +--- a/xen/include/xen/vpci.h ++++ b/xen/include/xen/vpci.h +@@ -133,8 +133,12 @@ struct vpci { + bool enabled : 1; + /* Masked? */ + bool masked : 1; +- /* PBA map */ +- void __iomem *pba; ++ /* Partial table map. */ ++#define VPCI_MSIX_TBL_HEAD 0 ++#define VPCI_MSIX_TBL_TAIL 1 ++#define VPCI_MSIX_PBA_HEAD 2 ++#define VPCI_MSIX_PBA_TAIL 3 ++ void __iomem *table[4]; + /* Entries. */ + struct vpci_msix_entry { + uint64_t addr; +-- +2.40.0 + diff --git a/0084-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch b/0084-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch new file mode 100644 index 0000000..6ab5c69 --- /dev/null +++ b/0084-ns16550-correct-name-value-pair-parsing-for-PCI-port.patch 
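Review bot: In `get_table()` the two TAIL cases pick the page to map from `vmsix_table_addr() + vmsix_table_size()`, whereas `get_slot()` and `VMSIX_ADDR_SAME_PAGE` identify the tail page from `vmsix_table_addr() + vmsix_table_size() - 1`, so when a table ends exactly on a page boundary the slot would be backed by the page after the table instead of its last page. As far as I can tell no adjacent access selects a tail slot in that layout, so this looks latent rather than reachable, but this mapping is what forwards guest accesses to the device and the two should agree: `addr = vmsix_table_size(vpci, VPCI_MSIX_TABLE) - 1;` and `addr = vmsix_table_size(vpci, VPCI_MSIX_PBA) - 1;`. The comment in `adjacent_write()` that begins "Only check start and end of the access" no longer matches the code, which tests only the start address against the PBA range, and should be reworded to say that alignment makes the end check unnecessary. `get_slot()` is declared without `static` and, judging by the callers visible in this patch, is only used inside msix.c; its `return -1` from an `unsigned int` function is safe only because both callers compare the result with `ARRAY_SIZE(msix->table)`, which deserves a one-line comment.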
@@ -0,0 +1,59 @@ +From 7758cd57e002c5096b2296ede67c59fca68724d7 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Fri, 31 Mar 2023 08:35:15 +0200 +Subject: [PATCH 84/89] ns16550: correct name/value pair parsing for PCI + port/bridge + +First of all these were inverted: "bridge=" caused the port coordinates +to be established, while "port=" controlled the bridge coordinates. And +then the error messages being identical also wasn't helpful. While +correcting this also move both case blocks close together. + +Fixes: 97fd49a7e074 ("ns16550: add support for UART parameters to be specifed with name-value pairs") +Signed-off-by: Jan Beulich +Acked-by: Andrew Cooper +master commit: e692b22230b411d762ac9e278a398e28df474eae +master date: 2023-03-29 14:55:37 +0200 +--- + xen/drivers/char/ns16550.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c +index ce013fb6a5..97b3d8d269 100644 +--- a/xen/drivers/char/ns16550.c ++++ b/xen/drivers/char/ns16550.c +@@ -1631,13 +1631,6 @@ static bool __init parse_namevalue_pairs(char *str, struct ns16550 *uart) + break; + + #ifdef CONFIG_HAS_PCI +- case bridge_bdf: +- if ( !parse_pci(param_value, NULL, &uart->ps_bdf[0], +- &uart->ps_bdf[1], &uart->ps_bdf[2]) ) +- PARSE_ERR_RET("Bad port PCI coordinates\n"); +- uart->ps_bdf_enable = true; +- break; +- + case device: + if ( strncmp(param_value, "pci", 3) == 0 ) + { +@@ -1652,9 +1645,16 @@ static bool __init parse_namevalue_pairs(char *str, struct ns16550 *uart) + break; + + case port_bdf: ++ if ( !parse_pci(param_value, NULL, &uart->ps_bdf[0], ++ &uart->ps_bdf[1], &uart->ps_bdf[2]) ) ++ PARSE_ERR_RET("Bad port PCI coordinates\n"); ++ uart->ps_bdf_enable = true; ++ break; ++ ++ case bridge_bdf: + if ( !parse_pci(param_value, NULL, &uart->pb_bdf[0], + &uart->pb_bdf[1], &uart->pb_bdf[2]) ) +- PARSE_ERR_RET("Bad port PCI coordinates\n"); ++ PARSE_ERR_RET("Bad bridge PCI coordinates\n"); + 
uart->pb_bdf_enable = true; + break; + #endif +-- +2.40.0 + diff --git a/0085-CI-Drop-automation-configs.patch b/0085-CI-Drop-automation-configs.patch new file mode 100644 index 0000000..bfed25a --- /dev/null +++ b/0085-CI-Drop-automation-configs.patch 
@@ -0,0 +1,87 @@ +From 4c0d792675f0843c6dd52acdae38e5c0e112b09e Mon Sep 17 00:00:00 2001 +From: Andrew Cooper +Date: Thu, 29 Dec 2022 15:39:13 +0000 +Subject: [PATCH 85/89] CI: Drop automation/configs/ + +Having 3 extra hypervisor builds on the end of a full build is deeply +confusing to debug if one of them fails, because the .config file presented in +the artefacts is not the one which caused a build failure. Also, the log +tends to be truncated in the UI. + +PV-only is tested as part of PV-Shim in a full build anyway, so doesn't need +repeating. HVM-only and neither appear frequently in randconfig, so drop all +the logic here to simplify things. + +Signed-off-by: Andrew Cooper +Reviewed-by: Michal Orzel +Reviewed-by: Stefano Stabellini +(cherry picked from commit 7b20009a812f26e74bdbde2ab96165376b3dad34) +--- + automation/configs/x86/hvm_only_config | 3 --- + automation/configs/x86/no_hvm_pv_config | 3 --- + automation/configs/x86/pv_only_config | 3 --- + automation/scripts/build | 21 --------------------- + 4 files changed, 30 deletions(-) + delete mode 100644 automation/configs/x86/hvm_only_config + delete mode 100644 automation/configs/x86/no_hvm_pv_config + delete mode 100644 automation/configs/x86/pv_only_config + +diff --git a/automation/configs/x86/hvm_only_config b/automation/configs/x86/hvm_only_config +deleted file mode 100644 +index 9efbddd535..0000000000 +--- a/automation/configs/x86/hvm_only_config ++++ /dev/null +@@ -1,3 +0,0 @@ +-CONFIG_HVM=y +-# CONFIG_PV is not set +-# CONFIG_DEBUG is not set +diff --git a/automation/configs/x86/no_hvm_pv_config b/automation/configs/x86/no_hvm_pv_config +deleted file mode 100644 +index 0bf6a8e468..0000000000 +--- a/automation/configs/x86/no_hvm_pv_config ++++ /dev/null +@@ -1,3 +0,0 @@ +-# CONFIG_HVM is not set +-# CONFIG_PV is not set +-# CONFIG_DEBUG is not set +diff --git a/automation/configs/x86/pv_only_config b/automation/configs/x86/pv_only_config +deleted file mode 100644 +index e9d8b4a7c7..0000000000 
+--- a/automation/configs/x86/pv_only_config ++++ /dev/null +@@ -1,3 +0,0 @@ +-CONFIG_PV=y +-# CONFIG_HVM is not set +-# CONFIG_DEBUG is not set +diff --git a/automation/scripts/build b/automation/scripts/build +index a593419063..5dafa72ba5 100755 +--- a/automation/scripts/build ++++ b/automation/scripts/build +@@ -85,24 +85,3 @@ if [[ "${XEN_TARGET_ARCH}" != "x86_32" ]]; then + cp -r dist binaries/ + fi + fi +- +-if [[ "${hypervisor_only}" == "y" ]]; then +- # If we are build testing a specific Kconfig exit now, there's no point in +- # testing all the possible configs. +- exit 0 +-fi +- +-# Build all the configs we care about +-case ${XEN_TARGET_ARCH} in +- x86_64) arch=x86 ;; +- *) exit 0 ;; +-esac +- +-cfg_dir="automation/configs/${arch}" +-for cfg in `ls ${cfg_dir}`; do +- echo "Building $cfg" +- make -j$(nproc) -C xen clean +- rm -f xen/.config +- make -C xen KBUILD_DEFCONFIG=../../../../${cfg_dir}/${cfg} defconfig +- make -j$(nproc) -C xen +-done +-- +2.40.0 + diff --git a/0086-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch b/0086-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch new file mode 100644 index 0000000..a200cab --- /dev/null +++ b/0086-automation-Switch-arm32-cross-builds-to-run-on-arm64.patch 
@@ -0,0 +1,87 @@ +From e3b23da4a10fafdabce22e2eba225d9404fc646f Mon Sep 17 00:00:00 2001 +From: Michal Orzel +Date: Tue, 14 Feb 2023 16:38:38 +0100 +Subject: [PATCH 86/89] automation: Switch arm32 cross builds to run on arm64 + +Due to the limited x86 CI resources slowing down the whole pipeline, +switch the arm32 cross builds to be executed on arm64 which is much more +capable. For that, rename the existing debian container dockerfile +from unstable-arm32-gcc to unstable-arm64v8-arm32-gcc and use +arm64v8/debian:unstable as an image. Note, that we cannot use the same +container name as we have to keep the backwards compatibility. +Take the opportunity to remove extra empty line at the end of a file. + +Modify the tag of .arm32-cross-build-tmpl to arm64 and update the build +jobs accordingly. + +Signed-off-by: Michal Orzel +Reviewed-by: Stefano Stabellini +(cherry picked from commit a35fccc8df93de7154dba87db6e7bcf391e9d51c) +--- + ...ockerfile => unstable-arm64v8-arm32-gcc.dockerfile} | 3 +-- + automation/gitlab-ci/build.yaml | 10 +++++----- + 2 files changed, 6 insertions(+), 7 deletions(-) + rename automation/build/debian/{unstable-arm32-gcc.dockerfile => unstable-arm64v8-arm32-gcc.dockerfile} (94%) + +diff --git a/automation/build/debian/unstable-arm32-gcc.dockerfile b/automation/build/debian/unstable-arm64v8-arm32-gcc.dockerfile +similarity index 94% +rename from automation/build/debian/unstable-arm32-gcc.dockerfile +rename to automation/build/debian/unstable-arm64v8-arm32-gcc.dockerfile +index b41a57f197..11860425a6 100644 +--- a/automation/build/debian/unstable-arm32-gcc.dockerfile ++++ b/automation/build/debian/unstable-arm64v8-arm32-gcc.dockerfile +@@ -1,4 +1,4 @@ +-FROM debian:unstable ++FROM arm64v8/debian:unstable + LABEL maintainer.name="The Xen Project" \ + maintainer.email="xen-devel@lists.xenproject.org" + +@@ -21,4 +21,3 @@ RUN apt-get update && \ + apt-get autoremove -y && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/* +- 
+diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml +index bed161b471..b4caf159f9 100644 +--- a/automation/gitlab-ci/build.yaml ++++ b/automation/gitlab-ci/build.yaml +@@ -123,7 +123,7 @@ + variables: + XEN_TARGET_ARCH: arm32 + tags: +- - x86_64 ++ - arm64 + + .arm32-cross-build: + extends: .arm32-cross-build-tmpl +@@ -505,23 +505,23 @@ alpine-3.12-clang-debug: + debian-unstable-gcc-arm32: + extends: .gcc-arm32-cross-build + variables: +- CONTAINER: debian:unstable-arm32-gcc ++ CONTAINER: debian:unstable-arm64v8-arm32-gcc + + debian-unstable-gcc-arm32-debug: + extends: .gcc-arm32-cross-build-debug + variables: +- CONTAINER: debian:unstable-arm32-gcc ++ CONTAINER: debian:unstable-arm64v8-arm32-gcc + + debian-unstable-gcc-arm32-randconfig: + extends: .gcc-arm32-cross-build + variables: +- CONTAINER: debian:unstable-arm32-gcc ++ CONTAINER: debian:unstable-arm64v8-arm32-gcc + RANDCONFIG: y + + debian-unstable-gcc-arm32-debug-randconfig: + extends: .gcc-arm32-cross-build-debug + variables: +- CONTAINER: debian:unstable-arm32-gcc ++ CONTAINER: debian:unstable-arm64v8-arm32-gcc + RANDCONFIG: y + + # Arm builds +-- +2.40.0 + diff --git a/0087-automation-Remove-CentOS-7.2-containers-and-builds.patch b/0087-automation-Remove-CentOS-7.2-containers-and-builds.patch new file mode 100644 index 0000000..b5d629d --- /dev/null +++ b/0087-automation-Remove-CentOS-7.2-containers-and-builds.patch 
@@ -0,0 +1,145 @@ +From 8c414bab3092bb68ab4eaaba39b61e3804c45f0a Mon Sep 17 00:00:00 2001 +From: Anthony PERARD +Date: Tue, 21 Feb 2023 16:55:36 +0000 +Subject: [PATCH 87/89] automation: Remove CentOS 7.2 containers and builds + +We already have a container which track the latest CentOS 7, no need +for this one as well. + +Also, 7.2 have outdated root certificate which prevent connection to +website which use Let's Encrypt. + +Signed-off-by: Anthony PERARD +Acked-by: Andrew Cooper +(cherry picked from commit ba512629f76dfddb39ea9133ee51cdd9e392a927) +--- + automation/build/centos/7.2.dockerfile | 52 ------------------------- + automation/build/centos/CentOS-7.2.repo | 35 ----------------- + automation/gitlab-ci/build.yaml | 10 ----- + 3 files changed, 97 deletions(-) + delete mode 100644 automation/build/centos/7.2.dockerfile + delete mode 100644 automation/build/centos/CentOS-7.2.repo + +diff --git a/automation/build/centos/7.2.dockerfile b/automation/build/centos/7.2.dockerfile +deleted file mode 100644 +index 4baa097e31..0000000000 +--- a/automation/build/centos/7.2.dockerfile ++++ /dev/null +@@ -1,52 +0,0 @@ +-FROM centos:7.2.1511 +-LABEL maintainer.name="The Xen Project" \ +- maintainer.email="xen-devel@lists.xenproject.org" +- +-# ensure we only get bits from the vault for +-# the version we want +-COPY CentOS-7.2.repo /etc/yum.repos.d/CentOS-Base.repo +- +-# install EPEL for dev86, xz-devel and possibly other packages +-RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \ +- yum clean all +- +-RUN mkdir /build +-WORKDIR /build +- +-# work around https://github.com/moby/moby/issues/10180 +-# and install Xen depends +-RUN rpm --rebuilddb && \ +- yum -y install \ +- yum-plugin-ovl \ +- gcc \ +- gcc-c++ \ +- ncurses-devel \ +- zlib-devel \ +- openssl-devel \ +- python-devel \ +- libuuid-devel \ +- pkgconfig \ +- # gettext for Xen < 4.13 +- gettext \ +- flex \ +- bison \ +- libaio-devel \ +- glib2-devel \ +- yajl-devel \ 
+- pixman-devel \ +- glibc-devel \ +- # glibc-devel.i686 for Xen < 4.15 +- glibc-devel.i686 \ +- make \ +- binutils \ +- git \ +- wget \ +- acpica-tools \ +- python-markdown \ +- patch \ +- checkpolicy \ +- dev86 \ +- xz-devel \ +- bzip2 \ +- nasm \ +- && yum clean all +diff --git a/automation/build/centos/CentOS-7.2.repo b/automation/build/centos/CentOS-7.2.repo +deleted file mode 100644 +index 4da27faeb5..0000000000 +--- a/automation/build/centos/CentOS-7.2.repo ++++ /dev/null +@@ -1,35 +0,0 @@ +-# CentOS-Base.repo +-# +-# This is a replacement file that pins things to just use CentOS 7.2 +-# from the CentOS Vault. +-# +- +-[base] +-name=CentOS-7.2.1511 - Base +-baseurl=http://vault.centos.org/7.2.1511/os/$basearch/ +-gpgcheck=1 +-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +- +-#released updates +-[updates] +-name=CentOS-7.2.1511 - Updates +-baseurl=http://vault.centos.org/7.2.1511/updates/$basearch/ +-gpgcheck=1 +-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +- +-#additional packages that may be useful +-[extras] +-name=CentOS-7.2.1511 - Extras +-baseurl=http://vault.centos.org/7.2.1511/extras/$basearch/ +-gpgcheck=1 +-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +- +-#additional packages that extend functionality of existing packages +-[centosplus] +-name=CentOS-7.2.1511 - Plus +-baseurl=http://vault.centos.org/7.2.1511/centosplus/$basearch/ +-gpgcheck=1 +-gpgcheck=1 +-enabled=0 +-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +- +diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml +index b4caf159f9..ff6df1cfc2 100644 +--- a/automation/gitlab-ci/build.yaml ++++ b/automation/gitlab-ci/build.yaml +@@ -184,16 +184,6 @@ archlinux-gcc-debug: + variables: + CONTAINER: archlinux:current + +-centos-7-2-gcc: +- extends: .gcc-x86-64-build +- variables: +- CONTAINER: centos:7.2 +- +-centos-7-2-gcc-debug: +- extends: .gcc-x86-64-build-debug +- variables: +- CONTAINER: centos:7.2 +- + centos-7-gcc: + extends: 
.gcc-x86-64-build + variables: +-- +2.40.0 + diff --git a/0088-automation-Remove-non-debug-x86_32-build-jobs.patch b/0088-automation-Remove-non-debug-x86_32-build-jobs.patch new file mode 100644 index 0000000..d16014e --- /dev/null +++ b/0088-automation-Remove-non-debug-x86_32-build-jobs.patch 
@@ -0,0 +1,67 @@
+From 435a1e5e8fd6fbd52cc16570dcff5982bdbec351 Mon Sep 17 00:00:00 2001
+From: Anthony PERARD
+Date: Fri, 24 Feb 2023 17:29:15 +0000
+Subject: [PATCH 88/89] automation: Remove non-debug x86_32 build jobs
+
+In the interest of having less jobs, we remove the x86_32 build jobs
+that do release build. Debug build is very likely to be enough to find
+32bit build issues.
+
+Signed-off-by: Anthony PERARD
+Acked-by: Andrew Cooper
+(cherry picked from commit 7b66792ea7f77fb9e587e1e9c530a7c869eecba1)
+---
+ automation/gitlab-ci/build.yaml | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
+index ff6df1cfc2..eea517aa0a 100644
+--- a/automation/gitlab-ci/build.yaml
++++ b/automation/gitlab-ci/build.yaml
+@@ -264,21 +264,11 @@ debian-stretch-gcc-debug:
+ variables:
+ CONTAINER: debian:stretch
+
+-debian-stretch-32-clang:
+- extends: .clang-x86-32-build
+- variables:
+- CONTAINER: debian:stretch-i386
+-
+ debian-stretch-32-clang-debug:
+ extends: .clang-x86-32-build-debug
+ variables:
+ CONTAINER: debian:stretch-i386
+
+-debian-stretch-32-gcc:
+- extends: .gcc-x86-32-build
+- variables:
+- CONTAINER: debian:stretch-i386
+-
+ debian-stretch-32-gcc-debug:
+ extends: .gcc-x86-32-build-debug
+ variables:
+@@ -324,21 +314,11 @@ debian-unstable-gcc-debug-randconfig:
+ CONTAINER: debian:unstable
+ RANDCONFIG: y
+
+-debian-unstable-32-clang:
+- extends: .clang-x86-32-build
+- variables:
+- CONTAINER: debian:unstable-i386
+-
+ debian-unstable-32-clang-debug:
+ extends: .clang-x86-32-build-debug
+ variables:
+ CONTAINER: debian:unstable-i386
+
+-debian-unstable-32-gcc:
+- extends: .gcc-x86-32-build
+- variables:
+- CONTAINER: debian:unstable-i386
+-
+ debian-unstable-32-gcc-debug:
+ extends: .gcc-x86-32-build-debug
+ variables:
+--
+2.40.0
+
diff --git a/0089-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch b/0089-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch new file mode 100644 index 0000000..c0294ec --- /dev/null +++ b/0089-CI-Remove-llvm-8-from-the-Debian-Stretch-container.patch 
@@ -0,0 +1,103 @@
+From e4a5fb9227889bec99ab212b839680f4d5b51e60 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Fri, 24 Mar 2023 17:59:56 +0000
+Subject: [PATCH 89/89] CI: Remove llvm-8 from the Debian Stretch container
+
+For similar reasons to c/s a6b1e2b80fe20. While this container is still
+build-able for now, all the other problems with explicitly-versioned compilers
+remain.
+
+Signed-off-by: Andrew Cooper
+Reviewed-by: Stefano Stabellini
+(cherry picked from commit 7a298375721636290a57f31bb0f7c2a5a38956a4)
+---
+ automation/build/debian/stretch-llvm-8.list | 3 ---
+ automation/build/debian/stretch.dockerfile | 12 ---------
+ automation/gitlab-ci/build.yaml | 27 ---------------------
+ 3 files changed, 42 deletions(-)
+ delete mode 100644 automation/build/debian/stretch-llvm-8.list
+
+diff --git a/automation/build/debian/stretch-llvm-8.list b/automation/build/debian/stretch-llvm-8.list
+deleted file mode 100644
+index 09fe843fb2..0000000000
+--- a/automation/build/debian/stretch-llvm-8.list
++++ /dev/null
+@@ -1,3 +0,0 @@
+-# Strech LLVM 8 repos
+-deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+-deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
+diff --git a/automation/build/debian/stretch.dockerfile b/automation/build/debian/stretch.dockerfile
+index da6aa874dd..9861acbcc3 100644
+--- a/automation/build/debian/stretch.dockerfile
++++ b/automation/build/debian/stretch.dockerfile
+@@ -53,15 +53,3 @@ RUN apt-get update && \
+ apt-get autoremove -y && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+-
+-RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
+-COPY stretch-llvm-8.list /etc/apt/sources.list.d/
+-
+-RUN apt-get update && \
+- apt-get --quiet --yes install \
+- clang-8 \
+- lld-8 \
+- && \
+- apt-get autoremove -y && \
+- apt-get clean && \
+- rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
+diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
+index eea517aa0a..802449cb96 100644
+--- a/automation/gitlab-ci/build.yaml
++++ b/automation/gitlab-ci/build.yaml
+@@ -27,13 +27,6 @@
+ CXX: clang++
+ clang: y
+ 
+-.clang-8-tmpl:
+- variables: &clang-8
+- CC: clang-8
+- CXX: clang++-8
+- LD: ld.lld-8
+- clang: y
+-
+ .x86-64-build-tmpl:
+ <<: *build
+ variables:
+@@ -98,16 +91,6 @@
+ variables:
+ <<: *clang
+ 
+-.clang-8-x86-64-build:
+- extends: .x86-64-build
+- variables:
+- <<: *clang-8
+-
+-.clang-8-x86-64-build-debug:
+- extends: .x86-64-build-debug
+- variables:
+- <<: *clang-8
+-
+ .clang-x86-32-build:
+ extends: .x86-32-build
+ variables:
+@@ -244,16 +227,6 @@ debian-stretch-clang-debug:
+ variables:
+ CONTAINER: debian:stretch
+ 
+-debian-stretch-clang-8:
+- extends: .clang-8-x86-64-build
+- variables:
+- CONTAINER: debian:stretch
+-
+-debian-stretch-clang-8-debug:
+- extends: .clang-8-x86-64-build-debug
+- variables:
+- CONTAINER: debian:stretch
+-
+ debian-stretch-gcc:
+ extends: .gcc-x86-64-build
+ variables:
+--
+2.40.0
+
diff --git a/info.txt b/info.txt
index c92b6d7..45b2f7f 100644
--- a/info.txt
+++ b/info.txt
@@ -1,6 +1,6 @@
-Xen upstream patchset #0 for 4.16.4-pre
+Xen upstream patchset #0 for 4.17.1-pre
 
 Containing patches from
-RELEASE-4.16.3 (08c42cec2f3dbb8d1df62c2ad4945d127b418fd6)
+RELEASE-4.17.0 (5556ac9bf224ed6b977f214653b234de45dcdfbf)
 to
-staging-4.16 (4ad5975d4e35635f03d2cb9e86292c0daeabd75f)
+staging-4.17 (e4a5fb9227889bec99ab212b839680f4d5b51e60)
--
cgit v1.2.3-65-gdbad