On 2023-03-29 23:27:11 +0200, Maximilian Engelhardt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: x...@packages.debian.org, m...@daemonizer.de,
> t...@security.debian.org
> Control: affects -1 + src:xen
>
> Please approve an upload of xen to unstable and later unblock package
> xen. See the "Other info" section below on why this is a pre-approval
> request.

Please go ahead

Cheers

>
> [ Reason ]
> Xen in bookworm (and unstable) is currently affected by CVE-2022-42331,
> CVE-2022-42332, CVE-2022-42333 and CVE-2022-42334 (see #1033297).
>
> [ Impact ]
> The above mentioned CVEs are not fixed.
>
> [ Tests ]
> The Debian package is based only on upstream commits that have passed
> the upstream automated tests.
> The Debian package has been successfully tested by the xen packaging
> team on their test machines.
>
> [ Risks ]
> There could be upstream changes unrelated to the above mentioned
> security fixes that cause regressions. However upstream has an automated
> testing machinery (osstest) that only allows a commit in the upstream
> stable branch if all tests pass.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> This security fix is based on the latest upstream stable-4.17 branch.
> The branch in general only accepts bug fixes and does not allow new
> features, so the changes there are mainly security and other bug fixes.
> This does not exactly follow the "only targeted fixes" release policy,
> so we are asking for a pre-approval.
> The package we have prepared is exactly what we would have done as a
> security update in a stable release, what we have historically done
> together with the security team and are planning to continue to do.
> As upstream does extensive automated testing on their stable branches
> chances for unnoticed regressions are low. We believe this way the risk
> for bugs is lower than trying to manually pick and adjust patches
> without all the deep knowledge that upstream has. This approach is
> similar to what the linux package is doing.
> > unblock xen/4.17.0+74-g3eac216e6e-1 > > Thanks > diff -Nru xen-4.17.0+46-gaaf74a532c/debian/changelog > xen-4.17.0+74-g3eac216e6e/debian/changelog > --- xen-4.17.0+46-gaaf74a532c/debian/changelog 2023-02-24 > 18:06:42.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/debian/changelog 2023-03-23 > 22:22:48.000000000 +0100 > @@ -1,3 +1,16 @@ > +xen (4.17.0+74-g3eac216e6e-1) unstable; urgency=medium > + > + * Update to new upstream version 4.17.0+74-g3eac216e6e, which also contains > + security fixes for the following issues: (Closes: #1033297) > + - x86 shadow plus log-dirty mode use-after-free > + XSA-427 CVE-2022-42332 > + - x86/HVM pinned cache attributes mis-handling > + XSA-428 CVE-2022-42333 CVE-2022-42334 > + - x86: speculative vulnerability in 32bit SYSCALL path > + XSA-429 CVE-2022-42331 > + > + -- Maximilian Engelhardt <m...@daemonizer.de> Thu, 23 Mar 2023 22:22:48 > +0100 > + > xen (4.17.0+46-gaaf74a532c-1) unstable; urgency=medium > > * Update to new upstream version 4.17.0+46-gaaf74a532c, which also contains > diff -Nru xen-4.17.0+46-gaaf74a532c/docs/misc/xen-command-line.pandoc > xen-4.17.0+74-g3eac216e6e/docs/misc/xen-command-line.pandoc > --- xen-4.17.0+46-gaaf74a532c/docs/misc/xen-command-line.pandoc > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/docs/misc/xen-command-line.pandoc > 2023-03-21 13:47:52.000000000 +0100 
> @@ -287,10 +287,15 @@ > protection. > > The option is available when `CONFIG_XEN_SHSTK` is compiled in, and > - defaults to `true` on hardware supporting CET-SS. Specifying > + generally defaults to `true` on hardware supporting CET-SS. Specifying > `cet=no-shstk` will cause Xen not to use Shadow Stacks even when support > is available in hardware. > > + Some hardware suffers from an issue known as Supervisor Shadow Stack > + Fracturing. On such hardware, Xen will default to not using Shadow > Stacks > + when virtualised. Specifying `cet=shstk` will override this heuristic > and > + enable Shadow Stacks unilaterally. > + > * The `ibt=` boolean controls whether Xen uses Indirect Branch Tracking for > its own protection. > > @@ -721,6 +726,11 @@ > * `all`: just one runqueue shared by all the logical pCPUs of > the host > > +Regardless of the above choice, Xen attempts to respect > +`sched_credit2_max_cpus_runqueue` limit, which may mean more than one > runqueue > +for the `all` value. If that isn't intended, raise > +the `sched_credit2_max_cpus_runqueue` value. > + > ### dbgp > > `= ehci[ <integer> | @pci<bus>:<slot>.<func> ]` > > `= xhci[ <integer> | @pci<bus>:<slot>.<func> ][,share=<bool>|hwdom]` 
> @@ -2624,6 +2634,17 @@ > <major>, <minor> and <build> must be integers. The values will be > encoded in guest CPUID 0x40000002 if viridian enlightenments are enabled. > > +### vm-notify-window (Intel) > +> `= <integer>` > + > +> Default: `0` > + > +Specify the value of the VM Notify window used to detect locked VMs. Set to > -1 > +to disable the feature. Value is in units of crystal clock cycles. > + > +Note the hardware might add a threshold to the provided value in order to > make > +it safe, and hence using 0 is fine. > + > ### vpid (Intel) > > `= <boolean>` > > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/libacpi/mk_dsdt.c > xen-4.17.0+74-g3eac216e6e/tools/libacpi/mk_dsdt.c > --- xen-4.17.0+46-gaaf74a532c/tools/libacpi/mk_dsdt.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/libacpi/mk_dsdt.c 2023-03-21 > 13:47:52.000000000 +0100 > @@ -431,7 +431,7 @@ > stmt("Store", "0x89, \\_GPE.DPT2"); > } > if ( slot & 1 ) > - stmt("ShiftRight", "0x4, \\_GPE.PH%02X, Local1", slot & ~1); > + stmt("ShiftRight", "\\_GPE.PH%02X, 0x04, Local1", slot & ~1); > else > stmt("And", "\\_GPE.PH%02X, 0x0f, Local1", slot & ~1); > stmt("Return", "Local1"); /* IN status as the _STA */ > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/libs/ctrl/Makefile > xen-4.17.0+74-g3eac216e6e/tools/libs/ctrl/Makefile > --- xen-4.17.0+46-gaaf74a532c/tools/libs/ctrl/Makefile 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/libs/ctrl/Makefile 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -4,7 +4,7 @@ > include Makefile.common > > LIBHEADER := xenctrl.h xenctrl_compat.h > -PKG_CONFIG := xencontrol.pc > +PKG_CONFIG_FILE := xencontrol.pc > PKG_CONFIG_NAME := Xencontrol > > NO_HEADERS_CHK := y > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/libs/guest/xg_core_x86.c > xen-4.17.0+74-g3eac216e6e/tools/libs/guest/xg_core_x86.c > --- xen-4.17.0+46-gaaf74a532c/tools/libs/guest/xg_core_x86.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/libs/guest/xg_core_x86.c 2023-03-21 > 13:47:52.000000000 +0100 > @@ -229,11 +229,11 @@ > uint32_t dom, shared_info_any_t *live_shinfo) > { > /* Double and single indirect references to the live P2M table */ > - xen_pfn_t *live_p2m_frame_list_list; > + xen_pfn_t *live_p2m_frame_list_list = NULL; > xen_pfn_t *live_p2m_frame_list = NULL; > /* Copies of the above. */ > xen_pfn_t *p2m_frame_list_list = NULL; > - xen_pfn_t *p2m_frame_list; > + xen_pfn_t *p2m_frame_list = NULL; > > int err; > int i; > @@ -297,8 +297,6 @@ > > dinfo->p2m_frames = P2M_FL_ENTRIES; > > - return p2m_frame_list; > - > out: > err = errno; > > @@ -312,7 +310,7 @@ > > errno = err; > > - return NULL; > + return p2m_frame_list; > } > > static int > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/libs/guest/xg_offline_page.c > xen-4.17.0+74-g3eac216e6e/tools/libs/guest/xg_offline_page.c > --- xen-4.17.0+46-gaaf74a532c/tools/libs/guest/xg_offline_page.c > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/libs/guest/xg_offline_page.c > 2023-03-21 13:47:52.000000000 +0100 
> @@ -181,10 +181,16 @@ > > if (backup->max == backup->cur) > { > - backup->entries = realloc(backup->entries, > - backup->max * 2 * sizeof(struct > pte_backup_entry)); > + void *orig = backup->entries; > + > + backup->entries = realloc( > + orig, backup->max * 2 * sizeof(struct pte_backup_entry)); > + > if (backup->entries == NULL) > + { > + free(orig); > return -1; > + } > else > backup->max *= 2; > } > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/libs/libs.mk > xen-4.17.0+74-g3eac216e6e/tools/libs/libs.mk > --- xen-4.17.0+46-gaaf74a532c/tools/libs/libs.mk 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/libs/libs.mk 2023-03-21 > 13:47:52.000000000 +0100 > @@ -1,7 +1,7 @@ > # Common Makefile for building a lib. > # > # Variables taken as input: > -# PKG_CONFIG: name of pkg-config file (xen$(LIBNAME).pc if empty) > +# PKG_CONFIG_FILE: name of pkg-config file (xen$(LIBNAME).pc if empty) > # MAJOR: major version of lib (Xen version if empty) > # MINOR: minor version of lib (0 if empty) > > @@ -26,7 +26,7 @@ > TARGETS += lib$(LIB_FILE_NAME).so > endif > > -PKG_CONFIG ?= $(LIB_FILE_NAME).pc > +PKG_CONFIG_FILE ?= $(LIB_FILE_NAME).pc > PKG_CONFIG_NAME ?= Xen$(LIBNAME) > PKG_CONFIG_DESC ?= The $(PKG_CONFIG_NAME) library for Xen hypervisor > PKG_CONFIG_VERSION := $(MAJOR).$(MINOR) 
> @@ -35,13 +35,13 @@ > PKG_CONFIG_REQPRIV := $(subst $(space),$(comma),$(strip $(foreach > lib,$(patsubst ctrl,control,$(USELIBS_$(LIBNAME))),xen$(lib)))) > > ifneq ($(CONFIG_LIBXC_MINIOS),y) > -TARGETS += $(PKG_CONFIG) > -$(PKG_CONFIG): PKG_CONFIG_PREFIX = $(prefix) > -$(PKG_CONFIG): PKG_CONFIG_INCDIR = $(includedir) > -$(PKG_CONFIG): PKG_CONFIG_LIBDIR = $(libdir) > +TARGETS += $(PKG_CONFIG_FILE) > +$(PKG_CONFIG_FILE): PKG_CONFIG_PREFIX = $(prefix) > +$(PKG_CONFIG_FILE): PKG_CONFIG_INCDIR = $(includedir) > +$(PKG_CONFIG_FILE): PKG_CONFIG_LIBDIR = $(libdir) > endif > > -PKG_CONFIG_LOCAL := $(PKG_CONFIG_DIR)/$(PKG_CONFIG) > +PKG_CONFIG_LOCAL := $(PKG_CONFIG_DIR)/$(PKG_CONFIG_FILE) > > LIBHEADER ?= $(LIB_FILE_NAME).h > LIBHEADERS = $(foreach h, $(LIBHEADER), $(XEN_INCLUDE)/$(h)) > @@ -103,7 +103,7 @@ > $(SYMLINK_SHLIB) lib$(LIB_FILE_NAME).so.$(MAJOR).$(MINOR) > $(DESTDIR)$(libdir)/lib$(LIB_FILE_NAME).so.$(MAJOR) > $(SYMLINK_SHLIB) lib$(LIB_FILE_NAME).so.$(MAJOR) > $(DESTDIR)$(libdir)/lib$(LIB_FILE_NAME).so > for i in $(LIBHEADERS); do $(INSTALL_DATA) $$i $(DESTDIR)$(includedir); > done > - $(INSTALL_DATA) $(PKG_CONFIG) $(DESTDIR)$(PKG_INSTALLDIR) > + $(INSTALL_DATA) $(PKG_CONFIG_FILE) $(DESTDIR)$(PKG_INSTALLDIR) > > .PHONY: uninstall > uninstall:: > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/libs/light/libxl_cpuid.c > xen-4.17.0+74-g3eac216e6e/tools/libs/light/libxl_cpuid.c > --- xen-4.17.0+46-gaaf74a532c/tools/libs/light/libxl_cpuid.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/libs/light/libxl_cpuid.c 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -235,7 +235,12 @@ > {"fsrs", 0x00000007, 1, CPUID_REG_EAX, 11, 1}, > {"fsrcs", 0x00000007, 1, CPUID_REG_EAX, 12, 1}, > > + {"cet-sss", 0x00000007, 1, CPUID_REG_EDX, 18, 1}, > + > {"intel-psfd", 0x00000007, 2, CPUID_REG_EDX, 0, 1}, > + {"ipred-ctrl", 0x00000007, 2, CPUID_REG_EDX, 1, 1}, > + {"rrsba-ctrl", 0x00000007, 2, CPUID_REG_EDX, 2, 1}, > + {"bhi-ctrl", 0x00000007, 2, CPUID_REG_EDX, 4, 1}, > {"mcdt-no", 0x00000007, 2, CPUID_REG_EDX, 5, 1}, > > {"lahfsahf", 0x80000001, NA, CPUID_REG_ECX, 0, 1}, > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/libs/util/Makefile > xen-4.17.0+74-g3eac216e6e/tools/libs/util/Makefile > --- xen-4.17.0+46-gaaf74a532c/tools/libs/util/Makefile 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/libs/util/Makefile 2023-03-21 > 13:47:52.000000000 +0100 > @@ -40,6 +40,14 @@ > > $(OBJS-y) $(PIC_OBJS): $(AUTOINCS) > > +# Adding the .c conterparts of the headers generated by flex/bison as > +# prerequisite of all objects. > +# This is to tell make that if only the .c file is out-of-date but not the > +# header, it should still wait for the .c file to be rebuilt. > +# Otherwise, make doesn't considered "%.c %.h" as grouped targets, and will > run > +# the flex/bison rules in parallel of CC rules which only need the header. > +$(OBJS-y) $(PIC_OBJS): libxlu_cfg_l.c libxlu_cfg_y.c libxlu_disk_l.c > + > %.c %.h:: %.y > @rm -f $*.[ch] > $(BISON) --output=$*.c $< > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/misc/xen-cpuid.c > xen-4.17.0+74-g3eac216e6e/tools/misc/xen-cpuid.c > --- xen-4.17.0+46-gaaf74a532c/tools/misc/xen-cpuid.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/misc/xen-cpuid.c 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -202,11 +202,20 @@ > [ 0] = "ppin", > }; > > -static const char *const str_7d2[32] = > +static const char *const str_7c1[32] = > { > - [ 0] = "intel-psfd", > +}; > > - /* 4 */ [ 5] = "mcdt-no", > +static const char *const str_7d1[32] = > +{ > + [18] = "cet-sss", > +}; > + > +static const char *const str_7d2[32] = > +{ > + [ 0] = "intel-psfd", [ 1] = "ipred-ctrl", > + [ 2] = "rrsba-ctrl", > + [ 4] = "bhi-ctrl", [ 5] = "mcdt-no", > }; > > static const struct { > @@ -229,6 +238,8 @@ > { "0x80000021.eax", "e21a", str_e21a }, > { "0x00000007:1.ebx", "7b1", str_7b1 }, > { "0x00000007:2.edx", "7d2", str_7d2 }, > + { "0x00000007:1.ecx", "7c1", str_7c1 }, > + { "0x00000007:1.edx", "7d1", str_7d1 }, > }; > > #define COL_ALIGN "18" > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/python/xen/lowlevel/xc/xc.c > xen-4.17.0+74-g3eac216e6e/tools/python/xen/lowlevel/xc/xc.c > --- xen-4.17.0+46-gaaf74a532c/tools/python/xen/lowlevel/xc/xc.c > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/python/xen/lowlevel/xc/xc.c > 2023-03-21 13:47:52.000000000 +0100 > @@ -4,6 +4,7 @@ > * Copyright (c) 2003-2004, K A Fraser (University of Cambridge) > */ > > +#define PY_SSIZE_T_CLEAN > #include <Python.h> > #define XC_WANT_COMPAT_MAP_FOREIGN_API > #include <xenctrl.h> > @@ -1774,7 +1775,7 @@ > { > xc_interface *xc_handle; > char *policy; > - uint32_t len; > + Py_ssize_t len; > int ret; > > static char *kwd_list[] = { "policy", NULL }; > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/python/xen/lowlevel/xs/xs.c > xen-4.17.0+74-g3eac216e6e/tools/python/xen/lowlevel/xs/xs.c > --- xen-4.17.0+46-gaaf74a532c/tools/python/xen/lowlevel/xs/xs.c > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/python/xen/lowlevel/xs/xs.c > 2023-03-21 13:47:52.000000000 +0100 > @@ -18,6 +18,7 @@ > * Copyright (C) 2005 XenSource Ltd. > */ > > +#define PY_SSIZE_T_CLEAN > #include <Python.h> > > #include <stdbool.h> 
> @@ -141,7 +142,7 @@ > char *thstr; > char *path; > char *data; > - int data_n; > + Py_ssize_t data_n; > bool result; > > if (!xh) > diff -Nru xen-4.17.0+46-gaaf74a532c/tools/xenmon/xenmon.py > xen-4.17.0+74-g3eac216e6e/tools/xenmon/xenmon.py > --- xen-4.17.0+46-gaaf74a532c/tools/xenmon/xenmon.py 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/tools/xenmon/xenmon.py 2023-03-21 > 13:47:52.000000000 +0100 > @@ -117,7 +117,7 @@ > return parser > > # encapsulate information about a domain > -class DomainInfo: > +class DomainInfo(object): > def __init__(self): > self.allocated_sum = 0 > self.gotten_sum = 0 > @@ -533,7 +533,7 @@ > # simple functions to allow initialization of log files without actually > # physically creating files that are never used; only on the first real > # write does the file get created > -class Delayed(file): > +class Delayed(object): > def __init__(self, filename, mode): > self.filename = filename > self.saved_mode = mode > @@ -677,8 +677,8 @@ > > if os.uname()[0] == "SunOS": > xenbaked_cmd = "/usr/lib/xenbaked" > - stop_cmd = "/usr/bin/pkill -INT -z global xenbaked" > - kill_cmd = "/usr/bin/pkill -KILL -z global xenbaked" > + stop_cmd = "/usr/bin/pkill -INT -z global xenbaked" > + kill_cmd = "/usr/bin/pkill -KILL -z global xenbaked" > else: > # assumes that xenbaked is in your path > xenbaked_cmd = "xenbaked" > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/asm-macros.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/asm-macros.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/asm-macros.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/asm-macros.c 1970-01-01 > 01:00:00.000000000 +0100 
> @@ -1,3 +0,0 @@ > -#include <asm/asm-defns.h> > -#include <asm/alternative-asm.h> > -#include <asm/spec_ctrl_asm.h> > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/asm-macros.S > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/asm-macros.S > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/asm-macros.S 1970-01-01 > 01:00:00.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/asm-macros.S 2023-03-21 > 13:47:52.000000000 +0100 > @@ -0,0 +1,3 @@ > +#include <asm/asm-defns.h> > +#include <asm/alternative-asm.h> > +#include <asm/spec_ctrl_asm.h> > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/cpu/common.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/cpu/common.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/cpu/common.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/cpu/common.c 2023-03-21 > 13:47:52.000000000 +0100 > @@ -346,11 +346,18 @@ > x86_cpuid_vendor_to_str(c->x86_vendor), c->x86, c->x86, > c->x86_model, c->x86_model, c->x86_mask, eax); > > - if (c->cpuid_level >= 7) > - cpuid_count(7, 0, &eax, &ebx, > + if (c->cpuid_level >= 7) { > + uint32_t max_subleaf; > + > + cpuid_count(7, 0, &max_subleaf, &ebx, > &c->x86_capability[FEATURESET_7c0], > &c->x86_capability[FEATURESET_7d0]); > > + if (max_subleaf >= 1) > + cpuid_count(7, 1, &eax, &ebx, &ecx, > + &c->x86_capability[FEATURESET_7d1]); > + } > + > eax = cpuid_eax(0x80000000); > if ((eax >> 16) == 0x8000 && eax >= 0x80000008) { > ebx = eax >= 0x8000001f ? cpuid_ebx(0x8000001f) : 0; 
> @@ -450,7 +457,8 @@ > cpuid_count(7, 1, > &c->x86_capability[FEATURESET_7a1], > &c->x86_capability[FEATURESET_7b1], > - &tmp, &tmp); > + &c->x86_capability[FEATURESET_7c1], > + &c->x86_capability[FEATURESET_7d1]); > if (max_subleaf >= 2) > cpuid_count(7, 2, > &tmp, &tmp, &tmp, > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/cpu/microcode/amd.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/cpu/microcode/amd.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/cpu/microcode/amd.c > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/cpu/microcode/amd.c > 2023-03-21 13:47:52.000000000 +0100 > @@ -176,8 +176,8 @@ > if ( new_rev > old_rev ) > return NEW_UCODE; > > - if ( opt_ucode_allow_same && new_rev == old_rev ) > - return NEW_UCODE; > + if ( new_rev == old_rev ) > + return SAME_UCODE; > > return OLD_UCODE; > } > @@ -220,8 +220,13 @@ > unsigned int cpu = smp_processor_id(); > struct cpu_signature *sig = &per_cpu(cpu_sig, cpu); > uint32_t rev, old_rev = sig->rev; > + enum microcode_match_result result = microcode_fits(patch); > > - if ( microcode_fits(patch) != NEW_UCODE ) > + /* > + * Allow application of the same revision to pick up SMT-specific changes > + * even if the revision of the other SMT thread is already up-to-date. > + */ > + if ( result != NEW_UCODE && result != SAME_UCODE ) > return -EINVAL; > > if ( check_final_patch_levels(sig) ) > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/cpu/microcode/core.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/cpu/microcode/core.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/cpu/microcode/core.c > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/cpu/microcode/core.c > 2023-03-21 13:47:52.000000000 +0100 
> @@ -274,6 +274,20 @@ > return true; > } > > +/* Returns true if ucode should be loaded on a given cpu */ > +static bool is_cpu_primary(unsigned int cpu) > +{ > + if ( boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON) ) > + /* Load ucode on every logical thread/core */ > + return true; > + > + /* Intel CPUs should load ucode only on the first core of SMT siblings */ > + if ( cpu == cpumask_first(per_cpu(cpu_sibling_mask, cpu)) ) > + return true; > + > + return false; > +} > + > /* Wait for a condition to be met with a timeout (us). */ > static int wait_for_condition(bool (*func)(unsigned int data), > unsigned int data, unsigned int timeout) > @@ -380,7 +394,7 @@ > static int cf_check microcode_nmi_callback( > const struct cpu_user_regs *regs, int cpu) > { > - unsigned int primary = cpumask_first(this_cpu(cpu_sibling_mask)); > + bool primary_cpu = is_cpu_primary(cpu); > int ret; > > /* System-generated NMI, leave to main handler */ > @@ -393,10 +407,10 @@ > * ucode_in_nmi. > */ > if ( cpu == cpumask_first(&cpu_online_map) || > - (!ucode_in_nmi && cpu == primary) ) > + (!ucode_in_nmi && primary_cpu) ) > return 0; > > - if ( cpu == primary ) > + if ( primary_cpu ) > ret = primary_thread_work(nmi_patch); > else > ret = secondary_nmi_work(); > @@ -547,7 +561,7 @@ > */ > if ( cpu == cpumask_first(&cpu_online_map) ) > ret = control_thread_fn(patch); > - else if ( cpu == cpumask_first(this_cpu(cpu_sibling_mask)) ) > + else if ( is_cpu_primary(cpu) ) > ret = primary_thread_fn(patch); > else > ret = secondary_thread_fn(); 
> @@ -610,17 +624,25 @@ > * that ucode revision. > */ > spin_lock(µcode_mutex); > - if ( microcode_cache && > - alternative_call(ucode_ops.compare_patch, > - patch, microcode_cache) != NEW_UCODE ) > - { > - spin_unlock(µcode_mutex); > - printk(XENLOG_WARNING "microcode: couldn't find any newer revision " > - "in the provided blob!\n"); > - microcode_free_patch(patch); > - ret = -ENOENT; > + if ( microcode_cache ) > + { > + enum microcode_match_result result; > > - goto put; > + result = alternative_call(ucode_ops.compare_patch, patch, > + microcode_cache); > + > + if ( result != NEW_UCODE && > + !(opt_ucode_allow_same && result == SAME_UCODE) ) > + { > + spin_unlock(µcode_mutex); > + printk(XENLOG_WARNING > + "microcode: couldn't find any newer%s revision in the > provided blob!\n", > + opt_ucode_allow_same ? " (or the same)" : ""); > + microcode_free_patch(patch); > + ret = -ENOENT; > + > + goto put; > + } > } > spin_unlock(µcode_mutex); > > @@ -632,7 +654,7 @@ > /* Calculate the number of online CPU core */ > nr_cores = 0; > for_each_online_cpu(cpu) > - if ( cpu == cpumask_first(per_cpu(cpu_sibling_mask, cpu)) ) > + if ( is_cpu_primary(cpu) ) > nr_cores++; > > printk(XENLOG_INFO "%u cores are to update their microcode\n", nr_cores); > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/cpu/microcode/intel.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/cpu/microcode/intel.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/cpu/microcode/intel.c > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/cpu/microcode/intel.c > 2023-03-21 13:47:52.000000000 +0100 > @@ -232,8 +232,8 @@ > if ( new_rev > old_rev ) > return NEW_UCODE; > > - if ( opt_ucode_allow_same && new_rev == old_rev ) > - return NEW_UCODE; > + if ( new_rev == old_rev ) > + return SAME_UCODE; > > /* > * Treat pre-production as always applicable - anyone using > pre-production 
> @@ -290,8 +290,12 @@ > unsigned int cpu = smp_processor_id(); > struct cpu_signature *sig = &this_cpu(cpu_sig); > uint32_t rev, old_rev = sig->rev; > + enum microcode_match_result result; > + > + result = microcode_update_match(patch); > > - if ( microcode_update_match(patch) != NEW_UCODE ) > + if ( result != NEW_UCODE && > + !(opt_ucode_allow_same && result == SAME_UCODE) ) > return -EINVAL; > > wbinvd(); > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/cpu/microcode/private.h > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/cpu/microcode/private.h > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/cpu/microcode/private.h > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/cpu/microcode/private.h > 2023-03-21 13:47:52.000000000 +0100 > @@ -6,7 +6,8 @@ > extern bool opt_ucode_allow_same; > > enum microcode_match_result { > - OLD_UCODE, /* signature matched, but revision id is older or equal */ > + OLD_UCODE, /* signature matched, but revision id is older */ > + SAME_UCODE, /* signature matched, but revision id is the same */ > NEW_UCODE, /* signature matched, but revision id is newer */ > MIS_UCODE, /* signature mismatched */ > }; > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/domain.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/domain.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/domain.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/domain.c 2023-03-21 > 13:47:52.000000000 +0100 > @@ -2347,9 +2347,9 @@ > > enum { > PROG_iommu_pagetables = 1, > + PROG_shared, > PROG_paging, > PROG_vcpu_pagetables, > - PROG_shared, > PROG_xen, > PROG_l4, > PROG_l3, 
> @@ -2368,6 +2368,34 @@ > if ( ret ) > return ret; > > +#ifdef CONFIG_MEM_SHARING > + PROGRESS(shared): > + > + if ( is_hvm_domain(d) ) > + { > + /* > + * If the domain has shared pages, relinquish them allowing > + * for preemption. > + */ > + ret = relinquish_shared_pages(d); > + if ( ret ) > + return ret; > + > + /* > + * If the domain is forked, decrement the parent's pause count > + * and release the domain. > + */ > + if ( mem_sharing_is_fork(d) ) > + { > + struct domain *parent = d->parent; > + > + d->parent = NULL; > + domain_unpause(parent); > + put_domain(parent); > + } > + } > +#endif > + > PROGRESS(paging): > > /* Tear down paging-assistance stuff. */ > @@ -2408,32 +2436,6 @@ > d->arch.auto_unmask = 0; > } > > -#ifdef CONFIG_MEM_SHARING > - PROGRESS(shared): > - > - if ( is_hvm_domain(d) ) > - { > - /* If the domain has shared pages, relinquish them allowing > - * for preemption. */ > - ret = relinquish_shared_pages(d); > - if ( ret ) > - return ret; > - > - /* > - * If the domain is forked, decrement the parent's pause count > - * and release the domain. > - */ > - if ( mem_sharing_is_fork(d) ) > - { > - struct domain *parent = d->parent; > - > - d->parent = NULL; > - domain_unpause(parent); > - put_domain(parent); > - } > - } > -#endif > - > spin_lock(&d->page_alloc_lock); > page_list_splice(&d->arch.relmem_list, &d->page_list); > INIT_PAGE_LIST_HEAD(&d->arch.relmem_list); > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/hvm/mtrr.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/hvm/mtrr.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/hvm/mtrr.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/hvm/mtrr.c 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -594,7 +594,8 @@ > int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t gfn_start, > uint64_t gfn_end, uint32_t type) > { > - struct hvm_mem_pinned_cacheattr_range *range; > + struct hvm_mem_pinned_cacheattr_range *range, *newr; > + unsigned int nr = 0; > int rc = 1; > > if ( !is_hvm_domain(d) ) > @@ -607,14 +608,15 @@ > { > case XEN_DOMCTL_DELETE_MEM_CACHEATTR: > /* Remove the requested range. */ > - rcu_read_lock(&pinned_cacheattr_rcu_lock); > - list_for_each_entry_rcu ( range, > - &d->arch.hvm.pinned_cacheattr_ranges, > - list ) > + domain_lock(d); > + list_for_each_entry ( range, > + &d->arch.hvm.pinned_cacheattr_ranges, > + list ) > if ( range->start == gfn_start && range->end == gfn_end ) > { > - rcu_read_unlock(&pinned_cacheattr_rcu_lock); > list_del_rcu(&range->list); > + domain_unlock(d); > + > type = range->type; > call_rcu(&range->rcu, free_pinned_cacheattr_entry); > p2m_memory_type_changed(d); > @@ -635,7 +637,7 @@ > } > return 0; > } > - rcu_read_unlock(&pinned_cacheattr_rcu_lock); > + domain_unlock(d); > return -ENOENT; > > case PAT_TYPE_UC_MINUS: > @@ -650,7 +652,10 @@ > return -EINVAL; > } > > - rcu_read_lock(&pinned_cacheattr_rcu_lock); > + newr = xzalloc(struct hvm_mem_pinned_cacheattr_range); > + > + domain_lock(d); > + > list_for_each_entry_rcu ( range, > &d->arch.hvm.pinned_cacheattr_ranges, > list ) 
> @@ -666,25 +671,36 @@ > rc = -EBUSY; > break; > } > + ++nr; > } > - rcu_read_unlock(&pinned_cacheattr_rcu_lock); > + > if ( rc <= 0 ) > - return rc; > + /* nothing */; > + else if ( nr >= 64 /* The limit is arbitrary. */ ) > + rc = -ENOSPC; > + else if ( !newr ) > + rc = -ENOMEM; > + else > + { > + newr->start = gfn_start; > + newr->end = gfn_end; > + newr->type = type; > + > + list_add_rcu(&newr->list, &d->arch.hvm.pinned_cacheattr_ranges); > + > + newr = NULL; > + rc = 0; > + } > > - range = xzalloc(struct hvm_mem_pinned_cacheattr_range); > - if ( range == NULL ) > - return -ENOMEM; > + domain_unlock(d); > > - range->start = gfn_start; > - range->end = gfn_end; > - range->type = type; > + xfree(newr); > > - list_add_rcu(&range->list, &d->arch.hvm.pinned_cacheattr_ranges); > p2m_memory_type_changed(d); > if ( type != PAT_TYPE_WRBACK ) > flush_all(FLUSH_CACHE); > > - return 0; > + return rc; > } > > static int cf_check hvm_save_mtrr_msr(struct vcpu *v, hvm_domain_context_t > *h) > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/hvm/vmx/vmcs.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/hvm/vmx/vmcs.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/hvm/vmx/vmcs.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/hvm/vmx/vmcs.c 2023-03-21 > 13:47:52.000000000 +0100 > @@ -67,6 +67,9 @@ > static unsigned int __read_mostly ple_window = 4096; > integer_param("ple_window", ple_window); > > +static unsigned int __ro_after_init vm_notify_window; > +integer_param("vm-notify-window", vm_notify_window); > + > static bool __read_mostly opt_ept_pml = true; > static s8 __read_mostly opt_ept_ad = -1; > int8_t __read_mostly opt_ept_exec_sp = -1; 
> @@ -209,6 +212,8 @@ > P(cpu_has_vmx_virt_exceptions, "Virtualisation Exceptions"); > P(cpu_has_vmx_pml, "Page Modification Logging"); > P(cpu_has_vmx_tsc_scaling, "TSC Scaling"); > + P(cpu_has_vmx_bus_lock_detection, "Bus Lock Detection"); > + P(cpu_has_vmx_notify_vm_exiting, "Notify VM Exit"); > #undef P > > if ( !printed ) > @@ -318,7 +323,8 @@ > SECONDARY_EXEC_ENABLE_VM_FUNCTIONS | > SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS | > SECONDARY_EXEC_XSAVES | > - SECONDARY_EXEC_TSC_SCALING); > + SECONDARY_EXEC_TSC_SCALING | > + SECONDARY_EXEC_BUS_LOCK_DETECTION); > if ( _vmx_misc_cap & VMX_MISC_VMWRITE_ALL ) > opt |= SECONDARY_EXEC_ENABLE_VMCS_SHADOWING; > if ( opt_vpid_enabled ) > @@ -327,6 +333,8 @@ > opt |= SECONDARY_EXEC_UNRESTRICTED_GUEST; > if ( opt_ept_pml ) > opt |= SECONDARY_EXEC_ENABLE_PML; > + if ( vm_notify_window != ~0u ) > + opt |= SECONDARY_EXEC_NOTIFY_VM_EXITING; > > /* > * "APIC Register Virtualization" and "Virtual Interrupt Delivery" > @@ -1288,6 +1296,10 @@ > v->arch.hvm.vmx.exception_bitmap = HVM_TRAP_MASK > | (paging_mode_hap(d) ? 0 : (1U << TRAP_page_fault)) > | (v->arch.fully_eager_fpu ? 0 : (1U << TRAP_no_device)); > + > + if ( cpu_has_vmx_notify_vm_exiting ) > + __vmwrite(NOTIFY_WINDOW, vm_notify_window); > + > vmx_update_exception_bitmap(v); > > v->arch.hvm.guest_cr[0] = X86_CR0_PE | X86_CR0_ET; > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/hvm/vmx/vmx.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/hvm/vmx/vmx.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/hvm/vmx/vmx.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/hvm/vmx/vmx.c 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -3967,6 +3967,15 @@ > return vlapic_apicv_write(current, exit_qualification & 0xfff); > } > > +static void undo_nmis_unblocked_by_iret(void) > +{ > + unsigned long guest_info; > + > + __vmread(GUEST_INTERRUPTIBILITY_INFO, &guest_info); > + __vmwrite(GUEST_INTERRUPTIBILITY_INFO, > + guest_info | VMX_INTR_SHADOW_NMI); > +} > + > void vmx_vmexit_handler(struct cpu_user_regs *regs) > { > unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0; > @@ -4063,13 +4072,7 @@ > } > } > > - if ( idx != vcpu_altp2m(v).p2midx ) > - { > - BUG_ON(idx >= MAX_ALTP2M); > - atomic_dec(&p2m_get_altp2m(v)->active_vcpus); > - vcpu_altp2m(v).p2midx = idx; > - atomic_inc(&p2m_get_altp2m(v)->active_vcpus); > - } > + p2m_set_altp2m(v, idx); > } > > if ( unlikely(currd->arch.monitor.vmexit_enabled) ) > @@ -4084,6 +4087,12 @@ > return; > } > > + if ( unlikely(exit_reason & VMX_EXIT_REASONS_BUS_LOCK) ) > + { > + perfc_incr(buslock); > + exit_reason &= ~VMX_EXIT_REASONS_BUS_LOCK; > + } > + > /* XXX: This looks ugly, but we need a mechanism to ensure > * any pending vmresume has really happened > */ > @@ -4161,13 +4170,7 @@ > if ( unlikely(intr_info & INTR_INFO_NMI_UNBLOCKED_BY_IRET) && > !(idtv_info & INTR_INFO_VALID_MASK) && > (vector != TRAP_double_fault) ) > - { > - unsigned long guest_info; > - > - __vmread(GUEST_INTERRUPTIBILITY_INFO, &guest_info); > - __vmwrite(GUEST_INTERRUPTIBILITY_INFO, > - guest_info | VMX_INTR_SHADOW_NMI); > - } > + undo_nmis_unblocked_by_iret(); > > perfc_incra(cause_vector, vector); > > @@ -4533,6 +4536,11 @@ > > __vmread(GUEST_PHYSICAL_ADDRESS, &gpa); > __vmread(EXIT_QUALIFICATION, &exit_qualification); > + > + if ( unlikely(exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) > && > + !(idtv_info & INTR_INFO_VALID_MASK) ) > + undo_nmis_unblocked_by_iret(); > + > ept_handle_violation(exit_qualification, gpa); > break; > } 
> @@ -4577,6 +4585,12 @@ > break; > > case EXIT_REASON_PML_FULL: > + __vmread(EXIT_QUALIFICATION, &exit_qualification); > + > + if ( unlikely(exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) > && > + !(idtv_info & INTR_INFO_VALID_MASK) ) > + undo_nmis_unblocked_by_iret(); > + > vmx_vcpu_flush_pml_buffer(v); > break; > > @@ -4593,6 +4607,31 @@ > vmx_handle_descriptor_access(exit_reason); > break; > > + case EXIT_REASON_BUS_LOCK: > + /* > + * Nothing to do: just taking a vmexit should be enough of a pause to > + * prevent a VM from crippling the host with bus locks. Note > + * EXIT_REASON_BUS_LOCK will always have bit 26 set in exit_reason, > and > + * hence the perf counter is already increased. > + */ > + break; > + > + case EXIT_REASON_NOTIFY: > + __vmread(EXIT_QUALIFICATION, &exit_qualification); > + > + if ( unlikely(exit_qualification & NOTIFY_VM_CONTEXT_INVALID) ) > + { > + perfc_incr(vmnotify_crash); > + gprintk(XENLOG_ERR, "invalid VM context after notify vmexit\n"); > + domain_crash(v->domain); > + break; > + } > + > + if ( unlikely(exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) ) > + undo_nmis_unblocked_by_iret(); > + > + break; > + > case EXIT_REASON_VMX_PREEMPTION_TIMER_EXPIRED: > case EXIT_REASON_INVPCID: > /* fall through */ > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/hvm/vmx/vvmx.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/hvm/vmx/vvmx.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/hvm/vmx/vvmx.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/hvm/vmx/vvmx.c 2023-03-21 > 13:47:52.000000000 +0100 > @@ -2405,7 +2405,7 @@ > * be reinjected, otherwise, pass to L1. > */ > __vmread(VM_EXIT_REASON, &reason); > - if ( reason != EXIT_REASON_EPT_VIOLATION ? > + if ( (uint16_t)reason != EXIT_REASON_EPT_VIOLATION ? > !(nvmx->intr.intr_info & INTR_INFO_VALID_MASK) : > !nvcpu->nv_vmexit_pending ) > { 
> @@ -2486,6 +2486,8 @@ > case EXIT_REASON_EPT_VIOLATION: > case EXIT_REASON_EPT_MISCONFIG: > case EXIT_REASON_EXTERNAL_INTERRUPT: > + case EXIT_REASON_BUS_LOCK: > + case EXIT_REASON_NOTIFY: > /* pass to L0 handler */ > break; > case VMX_EXIT_REASONS_FAILED_VMENTRY: > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/hvm/vmx/vmcs.h > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/hvm/vmx/vmcs.h > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/hvm/vmx/vmcs.h > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/hvm/vmx/vmcs.h > 2023-03-21 13:47:52.000000000 +0100 > @@ -267,6 +267,8 @@ > #define SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS 0x00040000 > #define SECONDARY_EXEC_XSAVES 0x00100000 > #define SECONDARY_EXEC_TSC_SCALING 0x02000000 > +#define SECONDARY_EXEC_BUS_LOCK_DETECTION 0x40000000 > +#define SECONDARY_EXEC_NOTIFY_VM_EXITING 0x80000000 > extern u32 vmx_secondary_exec_control; > > #define VMX_EPT_EXEC_ONLY_SUPPORTED 0x00000001 > @@ -346,6 +348,10 @@ > (vmx_secondary_exec_control & SECONDARY_EXEC_XSAVES) > #define cpu_has_vmx_tsc_scaling \ > (vmx_secondary_exec_control & SECONDARY_EXEC_TSC_SCALING) > +#define cpu_has_vmx_bus_lock_detection \ > + (vmx_secondary_exec_control & SECONDARY_EXEC_BUS_LOCK_DETECTION) > +#define cpu_has_vmx_notify_vm_exiting \ > + (vmx_secondary_exec_control & SECONDARY_EXEC_NOTIFY_VM_EXITING) > > #define VMCS_RID_TYPE_MASK 0x80000000 
> > @@ -453,6 +459,7 @@ > SECONDARY_VM_EXEC_CONTROL = 0x0000401e, > PLE_GAP = 0x00004020, > PLE_WINDOW = 0x00004022, > + NOTIFY_WINDOW = 0x00004024, > VM_INSTRUCTION_ERROR = 0x00004400, > VM_EXIT_REASON = 0x00004402, > VM_EXIT_INTR_INFO = 0x00004404, > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/hvm/vmx/vmx.h > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/hvm/vmx/vmx.h > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/hvm/vmx/vmx.h > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/hvm/vmx/vmx.h > 2023-03-21 13:47:52.000000000 +0100 > @@ -159,6 +159,7 @@ > * Exit Reasons > */ > #define VMX_EXIT_REASONS_FAILED_VMENTRY 0x80000000 > +#define VMX_EXIT_REASONS_BUS_LOCK (1u << 26) > > #define EXIT_REASON_EXCEPTION_NMI 0 > #define EXIT_REASON_EXTERNAL_INTERRUPT 1 > @@ -219,10 +220,15 @@ > #define EXIT_REASON_PML_FULL 62 > #define EXIT_REASON_XSAVES 63 > #define EXIT_REASON_XRSTORS 64 > +#define EXIT_REASON_BUS_LOCK 74 > +#define EXIT_REASON_NOTIFY 75 > /* Remember to also update VMX_PERF_EXIT_REASON_SIZE! */ > > /* > * Interruption-information format > + * > + * Note INTR_INFO_NMI_UNBLOCKED_BY_IRET is also used with Exit Qualification > + * field for EPT violations, PML full and SPP-related event vmexits. > */ > #define INTR_INFO_VECTOR_MASK 0xff /* 7:0 */ > #define INTR_INFO_INTR_TYPE_MASK 0x700 /* 10:8 */ > @@ -232,6 +238,11 @@ > #define INTR_INFO_RESVD_BITS_MASK 0x7ffff000 > > /* > + * Exit Qualifications for NOTIFY VM EXIT > + */ > +#define NOTIFY_VM_CONTEXT_INVALID 1u > + > +/* > * Exit Qualifications for MOV for Control Register Access > */ > enum { > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/p2m.h > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/p2m.h > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/p2m.h 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/p2m.h 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -879,6 +879,26 @@ > return v->domain->arch.altp2m_p2m[index]; > } > > +/* set current alternate p2m table */ > +static inline bool p2m_set_altp2m(struct vcpu *v, unsigned int idx) > +{ > + struct p2m_domain *orig; > + > + BUG_ON(idx >= MAX_ALTP2M); > + > + if ( idx == vcpu_altp2m(v).p2midx ) > + return false; > + > + orig = p2m_get_altp2m(v); > + BUG_ON(!orig); > + atomic_dec(&orig->active_vcpus); > + > + vcpu_altp2m(v).p2midx = idx; > + atomic_inc(&v->domain->arch.altp2m_p2m[idx]->active_vcpus); > + > + return true; > +} > + > /* Switch alternate p2m for a single vcpu */ > bool_t p2m_switch_vcpu_altp2m_by_id(struct vcpu *v, unsigned int idx); > > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/paging.h > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/paging.h > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/paging.h > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/paging.h > 2023-03-21 13:47:52.000000000 +0100 > @@ -190,6 +190,10 @@ > #define L4_LOGDIRTY_IDX(pfn) ((pfn_x(pfn) >> (PAGE_SHIFT + 3 + > PAGETABLE_ORDER * 2)) & \ > (LOGDIRTY_NODE_ENTRIES-1)) > > +#define paging_logdirty_levels() \ > + (DIV_ROUND_UP(PADDR_BITS - PAGE_SHIFT - (PAGE_SHIFT + 3), \ > + PAGE_SHIFT - ilog2(sizeof(mfn_t))) + 1) > + > #ifdef CONFIG_HVM > /* VRAM dirty tracking support */ > struct sh_dirty_vram { > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/perfc_defn.h > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/perfc_defn.h > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/perfc_defn.h > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/perfc_defn.h > 2023-03-21 13:47:52.000000000 +0100 > @@ -6,7 +6,7 @@ > > #ifdef CONFIG_HVM > > -#define VMX_PERF_EXIT_REASON_SIZE 65 > +#define VMX_PERF_EXIT_REASON_SIZE 76 > #define VMEXIT_NPF_PERFC 143 > #define SVM_PERF_EXIT_REASON_SIZE (VMEXIT_NPF_PERFC + 1) > PERFCOUNTER_ARRAY(vmexits, "vmexits", 
> @@ -128,4 +128,7 @@ > PERFCOUNTER(iommu_pt_shatters, "IOMMU page table shatters") > PERFCOUNTER(iommu_pt_coalesces, "IOMMU page table coalesces") > > +PERFCOUNTER(buslock, "Bus Locks Detected") > +PERFCOUNTER(vmnotify_crash, "domain crashes by Notify VM Exit") > + > /*#endif*/ /* __XEN_PERFC_DEFN_H__ */ > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/spec_ctrl_asm.h > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/spec_ctrl_asm.h > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/spec_ctrl_asm.h > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/spec_ctrl_asm.h > 2023-03-21 13:47:52.000000000 +0100 > @@ -117,11 +117,16 @@ > .L\@_done: > .endm > > -.macro DO_OVERWRITE_RSB tmp=rax > +.macro DO_OVERWRITE_RSB tmp=rax xu > /* > * Requires nothing > * Clobbers \tmp (%rax by default), %rcx > * > + * xu is an optional parameter to add eXtra Uniqueness. It is intended for > + * passing %= in from an asm() block, in order to work around > + * https://github.com/llvm/llvm-project/issues/60792 where Clang-IAS doesn't > + * expand \@ uniquely. > + * > * Requires 256 bytes of {,shadow}stack space, but %rsp/SSP has no net > * change. Based on Google's performance numbers, the loop is unrolled to 16 > * iterations and two calls per iteration. 
> @@ -136,27 +141,27 @@ > mov $16, %ecx /* 16 iterations, two calls per loop */ > mov %rsp, %\tmp /* Store the current %rsp */ > > -.L\@_fill_rsb_loop: > +.L\@_fill_rsb_loop\xu: > > .irp n, 1, 2 /* Unrolled twice. */ > - call .L\@_insert_rsb_entry_\n /* Create an RSB entry. */ > + call .L\@_insert_rsb_entry\xu\n /* Create an RSB entry. */ > int3 /* Halt rogue speculation. */ > > -.L\@_insert_rsb_entry_\n: > +.L\@_insert_rsb_entry\xu\n: > .endr > > sub $1, %ecx > - jnz .L\@_fill_rsb_loop > + jnz .L\@_fill_rsb_loop\xu > mov %\tmp, %rsp /* Restore old %rsp */ > > #ifdef CONFIG_XEN_SHSTK > mov $1, %ecx > rdsspd %ecx > cmp $1, %ecx > - je .L\@_shstk_done > + je .L\@_shstk_done\xu > mov $64, %ecx /* 64 * 4 bytes, given incsspd */ > incsspd %ecx /* Restore old SSP */ > -.L\@_shstk_done: > +.L\@_shstk_done\xu: > #endif > .endm > > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/spec_ctrl.h > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/spec_ctrl.h > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/include/asm/spec_ctrl.h > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/include/asm/spec_ctrl.h > 2023-03-21 13:47:52.000000000 +0100 > @@ -83,7 +83,7 @@ > wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB); > > /* (ab)use alternative_input() to specify clobbers. */ > - alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET, > + alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_BUG_IBPB_NO_RET, > : "rax", "rcx"); > } 
> > @@ -172,7 +172,7 @@ > * > * (ab)use alternative_input() to specify clobbers. > */ > - alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE, > + alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_FEATURE_SC_RSB_IDLE, > : "rax", "rcx"); > } > > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/Kconfig > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/Kconfig > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/Kconfig 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/Kconfig 2023-03-21 > 13:47:52.000000000 +0100 > @@ -10,7 +10,7 @@ > select ALTERNATIVE_CALL > select ARCH_MAP_DOMAIN_PAGE > select ARCH_SUPPORTS_INT128 > - select CORE_PARKING > + imply CORE_PARKING > select HAS_ALTERNATIVE > select HAS_COMPAT > select HAS_CPUFREQ > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/Makefile > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/Makefile > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/Makefile 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/Makefile 2023-03-21 > 13:47:52.000000000 +0100 > @@ -240,7 +240,7 @@ > .PHONY: include > include: $(objtree)/arch/x86/include/asm/asm-macros.h > > -$(obj)/asm-macros.i: CFLAGS-y += -D__ASSEMBLY__ -P > +$(obj)/asm-macros.i: CFLAGS-y += -P > > $(objtree)/arch/x86/include/asm/asm-macros.h: $(obj)/asm-macros.i > $(src)/Makefile > $(call filechk,asm-macros.h) > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/mm/p2m.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/mm/p2m.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/mm/p2m.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/mm/p2m.c 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -1787,13 +1787,8 @@ > > if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) ) > { > - if ( idx != vcpu_altp2m(v).p2midx ) > - { > - atomic_dec(&p2m_get_altp2m(v)->active_vcpus); > - vcpu_altp2m(v).p2midx = idx; > - atomic_inc(&p2m_get_altp2m(v)->active_vcpus); > + if ( p2m_set_altp2m(v, idx) ) > altp2m_vcpu_update_p2m(v); > - } > rc = 1; > } > > @@ -2070,13 +2065,8 @@ > if ( d->arch.altp2m_visible_eptp[idx] != mfn_x(INVALID_MFN) ) > { > for_each_vcpu( d, v ) > - if ( idx != vcpu_altp2m(v).p2midx ) > - { > - atomic_dec(&p2m_get_altp2m(v)->active_vcpus); > - vcpu_altp2m(v).p2midx = idx; > - atomic_inc(&p2m_get_altp2m(v)->active_vcpus); > + if ( p2m_set_altp2m(v, idx) ) > altp2m_vcpu_update_p2m(v); > - } > > rc = 0; > } > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/mm/paging.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/mm/paging.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/mm/paging.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/mm/paging.c 2023-03-21 > 13:47:52.000000000 +0100 > @@ -282,6 +282,7 @@ > if ( unlikely(!VALID_M2P(pfn_x(pfn))) ) > return; > > + BUILD_BUG_ON(paging_logdirty_levels() != 4); > i1 = L1_LOGDIRTY_IDX(pfn); > i2 = L2_LOGDIRTY_IDX(pfn); > i3 = L3_LOGDIRTY_IDX(pfn); > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/mm/shadow/common.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/mm/shadow/common.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/mm/shadow/common.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/mm/shadow/common.c 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -1015,7 +1015,17 @@ > if ( unlikely(d->is_dying) ) > return false; > > - ret = _shadow_prealloc(d, shadow_size(type) * count); > + count *= shadow_size(type); > + /* > + * Log-dirty handling may result in allocations when populating its > + * tracking structures. Tie this to the caller requesting space for L1 > + * shadows. > + */ > + if ( paging_mode_log_dirty(d) && > + ((SHF_L1_ANY | SHF_FL1_ANY) & (1u << type)) ) > + count += paging_logdirty_levels(); > + > + ret = _shadow_prealloc(d, count); > if ( !ret && (!d->is_shutting_down || d->shutdown_code != > SHUTDOWN_crash) ) > /* > * Failing to allocate memory required for shadow usage can only > result in > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/platform_hypercall.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/platform_hypercall.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/platform_hypercall.c > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/platform_hypercall.c > 2023-03-21 13:47:52.000000000 +0100 > @@ -727,12 +727,17 @@ > case XEN_CORE_PARKING_SET: > idle_nums = min_t(uint32_t, > op->u.core_parking.idle_nums, num_present_cpus() - 1); > - ret = continue_hypercall_on_cpu( > - 0, core_parking_helper, (void *)(unsigned > long)idle_nums); > + if ( CONFIG_NR_CPUS > 1 ) > + ret = continue_hypercall_on_cpu( > + 0, core_parking_helper, > + (void *)(unsigned long)idle_nums); > + else if ( idle_nums ) > + ret = -EINVAL; > break; > > case XEN_CORE_PARKING_GET: > - op->u.core_parking.idle_nums = get_cur_idle_nums(); > + op->u.core_parking.idle_nums = CONFIG_NR_CPUS > 1 > + ? get_cur_idle_nums() : 0; > ret = __copy_field_to_guest(u_xenpf_op, op, u.core_parking) ? > -EFAULT : 0; > break; > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/setup.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/setup.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/setup.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/setup.c 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -95,11 +95,7 @@ > size_param("highmem-start", highmem_start); > #endif > > -#ifdef CONFIG_XEN_SHSTK > -static bool __initdata opt_xen_shstk = true; > -#else > -#define opt_xen_shstk false > -#endif > +static int8_t __initdata opt_xen_shstk = -IS_ENABLED(CONFIG_XEN_SHSTK); > > #ifdef CONFIG_XEN_IBT > static bool __initdata opt_xen_ibt = true; 
> @@ -1104,11 +1100,45 @@ > early_cpu_init(); > > /* Choose shadow stack early, to set infrastructure up appropriately. */ > - if ( opt_xen_shstk && boot_cpu_has(X86_FEATURE_CET_SS) ) > + if ( !boot_cpu_has(X86_FEATURE_CET_SS) ) > + opt_xen_shstk = 0; > + > + if ( opt_xen_shstk ) > { > - printk("Enabling Supervisor Shadow Stacks\n"); > + /* > + * Some CPUs suffer from Shadow Stack Fracturing, an issue whereby a > + * fault/VMExit/etc between setting a Supervisor Busy bit and the > + * event delivery completing renders the operation non-restartable. > + * On restart, event delivery will find the Busy bit already set. > + * > + * This is a problem on bare metal, but outside of synthetic cases or > + * a very badly timed #MC, it's not believed to be a problem. It is > a > + * much bigger problem under virt, because we can VMExit for a number > + * of legitimate reasons and tickle this bug. > + * > + * CPUs with this addressed enumerate CET-SSS to indicate that > + * supervisor shadow stacks are now safe to use. > + */ > + bool cpu_has_bug_shstk_fracture = > + boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && > + !boot_cpu_has(X86_FEATURE_CET_SSS); > > - setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK); > + /* > + * On bare metal, assume that Xen won't be impacted by shstk > + * fracturing problems. Under virt, be more conservative and disable > + * shstk by default. > + */ > + if ( opt_xen_shstk == -1 ) > + opt_xen_shstk = > + cpu_has_hypervisor ? 
!cpu_has_bug_shstk_fracture > + : true; > + > + if ( opt_xen_shstk ) > + { > + printk("Enabling Supervisor Shadow Stacks\n"); > + > + setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK); > + } > } > > if ( opt_xen_ibt && boot_cpu_has(X86_FEATURE_CET_IBT) ) > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/sysctl.c > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/sysctl.c > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/sysctl.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/sysctl.c 2023-03-21 > 13:47:52.000000000 +0100 > @@ -179,6 +179,9 @@ > ret = -EBUSY; > break; > } > + if ( CONFIG_NR_CPUS <= 1 ) > + /* Mimic behavior of smt_up_down_helper(). */ > + return 0; > plug = op == XEN_SYSCTL_CPU_HOTPLUG_SMT_ENABLE; > fn = smt_up_down_helper; > hcpu = _p(plug); > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/arch/x86/x86_64/entry.S > xen-4.17.0+74-g3eac216e6e/xen/arch/x86/x86_64/entry.S > --- xen-4.17.0+46-gaaf74a532c/xen/arch/x86/x86_64/entry.S 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/arch/x86/x86_64/entry.S 2023-03-21 > 13:47:52.000000000 +0100 > @@ -288,7 +288,6 @@ > ALTERNATIVE "", "setssbsy", X86_FEATURE_XEN_SHSTK > #endif > push %rax /* Guest %rsp */ > - CR4_PV32_RESTORE > movq 8(%rsp), %rax /* Restore guest %rax. */ > movq $FLAT_USER_SS32, 8(%rsp) /* Assume a 64bit domain. Compat > handled lower. */ > pushq %r11 > @@ -312,6 +311,8 @@ > .Lcstar_cr3_okay: > sti > > + CR4_PV32_RESTORE > + > movq STACK_CPUINFO_FIELD(current_vcpu)(%rbx), %rbx > > #ifdef CONFIG_PV32 > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/common/bunzip2.c > xen-4.17.0+74-g3eac216e6e/xen/common/bunzip2.c > --- xen-4.17.0+46-gaaf74a532c/xen/common/bunzip2.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/common/bunzip2.c 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -233,6 +233,11 @@ > becomes negative, so an unsigned inequality catches > it.) */ > t = get_bits(bd, 5)-1; > + /* GCC 13 has apparently improved use-before-set detection, but > + it can't figure out that length[0] is always intialized by > + virtue of symCount always being positive when making it here. > + See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106511. */ > + length[0] = 0; > for (i = 0; i < symCount; i++) { > for (;;) { > if (((unsigned)t) > (MAX_HUFCODE_BITS-1)) > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/common/Kconfig > xen-4.17.0+74-g3eac216e6e/xen/common/Kconfig > --- xen-4.17.0+46-gaaf74a532c/xen/common/Kconfig 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/common/Kconfig 2023-03-21 > 13:47:52.000000000 +0100 > @@ -10,6 +10,7 @@ > > config CORE_PARKING > bool > + depends on NR_CPUS > 1 > > config GRANT_TABLE > bool "Grant table support" if EXPERT > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/common/sched/credit2.c > xen-4.17.0+74-g3eac216e6e/xen/common/sched/credit2.c > --- xen-4.17.0+46-gaaf74a532c/xen/common/sched/credit2.c 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/common/sched/credit2.c 2023-03-21 > 13:47:52.000000000 +0100 
> @@ -996,9 +996,14 @@ > * > * Otherwise, let's try to make sure that siblings stay in the > * same runqueue, pretty much under any cinrcumnstances. > + * > + * Furthermore, try to respect credit2_runqueue=all, as long as > + * max_cpus_runq isn't violated. > */ > - if ( rqd->refcnt < max_cpus_runq && (ops->cpupool->gran != > SCHED_GRAN_cpu || > - cpu_runqueue_siblings_match(rqd, cpu, max_cpus_runq)) ) > + if ( rqd->refcnt < max_cpus_runq && > + (ops->cpupool->gran != SCHED_GRAN_cpu || > + cpu_runqueue_siblings_match(rqd, cpu, max_cpus_runq) || > + opt_runqueue == OPT_RUNQUEUE_ALL) ) > { > /* > * This runqueue is ok, but as we said, we also want an even > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/drivers/passthrough/vtd/dmar.c > xen-4.17.0+74-g3eac216e6e/xen/drivers/passthrough/vtd/dmar.c > --- xen-4.17.0+46-gaaf74a532c/xen/drivers/passthrough/vtd/dmar.c > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/drivers/passthrough/vtd/dmar.c > 2023-03-21 13:47:52.000000000 +0100 > @@ -391,15 +391,12 @@ > > if ( drhd ) > { > - if ( (seg == 0) && (bus == 0) && (path->dev == 2) && > - (path->fn == 0) ) > - igd_drhd_address = drhd->address; > - > - if ( gfx_only && > - pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn), > + if ( pci_conf_read8(PCI_SBDF(seg, bus, path->dev, path->fn), > PCI_CLASS_DEVICE + 1) != 0x03 > /* PCI_BASE_CLASS_DISPLAY */ ) > gfx_only = false; > + else if ( !seg && !bus && path->dev == 2 && !path->fn ) > + igd_drhd_address = drhd->address; > } > > break; > diff -Nru > xen-4.17.0+46-gaaf74a532c/xen/include/public/arch-x86/cpufeatureset.h > xen-4.17.0+74-g3eac216e6e/xen/include/public/arch-x86/cpufeatureset.h > --- xen-4.17.0+46-gaaf74a532c/xen/include/public/arch-x86/cpufeatureset.h > 2023-02-22 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/include/public/arch-x86/cpufeatureset.h > 2023-03-21 13:47:52.000000000 +0100 
> @@ -295,6 +295,11 @@ > XEN_CPUFEATURE(BHI_CTRL, 13*32+ 4) /* MSR_SPEC_CTRL.BHI_DIS_S */ > XEN_CPUFEATURE(MCDT_NO, 13*32+ 5) /*A MCDT_NO */ > > +/* Intel-defined CPU features, CPUID level 0x00000007:1.ecx, word 14 */ > + > +/* Intel-defined CPU features, CPUID level 0x00000007:1.edx, word 15 */ > +XEN_CPUFEATURE(CET_SSS, 15*32+18) /* CET Supervisor Shadow > Stacks safe to use */ > + > #endif /* XEN_CPUFEATURE */ > > /* Clean up from a default include. Close the enum (for C). */ > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/include/xen/lib/x86/cpuid.h > xen-4.17.0+74-g3eac216e6e/xen/include/xen/lib/x86/cpuid.h > --- xen-4.17.0+46-gaaf74a532c/xen/include/xen/lib/x86/cpuid.h 2023-02-22 > 15:14:33.000000000 +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/include/xen/lib/x86/cpuid.h 2023-03-21 > 13:47:52.000000000 +0100 > @@ -18,6 +18,8 @@ > #define FEATURESET_e21a 11 /* 0x80000021.eax */ > #define FEATURESET_7b1 12 /* 0x00000007:1.ebx */ > #define FEATURESET_7d2 13 /* 0x00000007:2.edx */ > +#define FEATURESET_7c1 14 /* 0x00000007:1.ecx */ > +#define FEATURESET_7d1 15 /* 0x00000007:1.edx */ > > struct cpuid_leaf > { > @@ -194,7 +196,14 @@ > uint32_t _7b1; > struct { DECL_BITFIELD(7b1); }; > }; > - uint32_t /* c */:32, /* d */:32; > + union { > + uint32_t _7c1; > + struct { DECL_BITFIELD(7c1); }; > + }; > + union { > + uint32_t _7d1; > + struct { DECL_BITFIELD(7d1); }; > + }; > > /* Subleaf 2. */ > uint32_t /* a */:32, /* b */:32, /* c */:32; > @@ -343,6 +352,8 @@ > fs[FEATURESET_e21a] = p->extd.e21a; > fs[FEATURESET_7b1] = p->feat._7b1; > fs[FEATURESET_7d2] = p->feat._7d2; > + fs[FEATURESET_7c1] = p->feat._7c1; > + fs[FEATURESET_7d1] = p->feat._7d1; > } > > /* Fill in a CPUID policy from a featureset bitmap. */ 
> @@ -363,6 +374,8 @@ > p->extd.e21a = fs[FEATURESET_e21a]; > p->feat._7b1 = fs[FEATURESET_7b1]; > p->feat._7d2 = fs[FEATURESET_7d2]; > + p->feat._7c1 = fs[FEATURESET_7c1]; > + p->feat._7d1 = fs[FEATURESET_7d1]; > } > > static inline uint64_t cpuid_policy_xcr0_max(const struct cpuid_policy *p) > diff -Nru xen-4.17.0+46-gaaf74a532c/xen/Rules.mk > xen-4.17.0+74-g3eac216e6e/xen/Rules.mk > --- xen-4.17.0+46-gaaf74a532c/xen/Rules.mk 2023-02-22 15:14:33.000000000 > +0100 > +++ xen-4.17.0+74-g3eac216e6e/xen/Rules.mk 2023-03-21 13:47:52.000000000 > +0100 > @@ -228,8 +228,9 @@ > ifeq ($(CONFIG_ENFORCE_UNIQUE_SYMBOLS),y) > cmd_cc_o_c = $(CC) $(c_flags) -c $< -o $(dot-target).tmp -MQ $@ > ifneq ($(CONFIG_CC_IS_CLANG)$(call clang-ifversion,-lt,600,y),yy) > + rel-path = $(patsubst $(abs_srctree)/%,%,$(call realpath,$(1))) > cmd_objcopy_fix_sym = \ > - $(OBJCOPY) --redefine-sym $(<F)=$< $(dot-target).tmp $@ && rm -f > $(dot-target).tmp > + $(OBJCOPY) --redefine-sym $(<F)=$(call rel-path,$<) > $(dot-target).tmp $@ && rm -f $(dot-target).tmp > else > cmd_objcopy_fix_sym = mv -f $(dot-target).tmp $@ > endif > @@ -272,6 +273,9 @@ > quiet_cmd_cpp_i_c = CPP $@ > cmd_cpp_i_c = $(CPP) $(call cpp_flags,$(c_flags)) -MQ $@ -o $@ $< > > +quiet_cmd_cpp_i_S = CPP $@ > +cmd_cpp_i_S = $(CPP) $(call cpp_flags,$(a_flags)) -MQ $@ -o $@ $< > + > quiet_cmd_cc_s_c = CC $@ > cmd_cc_s_c = $(CC) $(filter-out -Wa$(comma)%,$(c_flags)) -S $< -o $@ > > @@ -281,6 +285,9 @@ > $(obj)/%.i: $(src)/%.c FORCE > $(call if_changed_dep,cpp_i_c) > > +$(obj)/%.i: $(src)/%.S FORCE > + $(call if_changed_dep,cpp_i_S) > + > $(obj)/%.s: $(src)/%.c FORCE > $(call if_changed_dep,cc_s_c) > -- Sebastian Ramacher
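Review bot: In xen/arch/x86/hvm/vmx/vmx.c, hunk @@ -4593,6 +4607,31 @@, the EXIT_REASON_NOTIFY case calls undo_nmis_unblocked_by_iret() on `exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET` alone, while the EPT violation and PML full cases added by the same patch also require `!(idtv_info & INTR_INFO_VALID_MASK)`. If the difference is deliberate, a one-line comment saying why would help; otherwise add the same guard. The new comment in vmx.h that lists where this bit is reused in the Exit Qualification field names EPT violations, PML full and SPP-related exits but not Notify, so it should be extended to match.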
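Review bot: In xen/arch/x86/include/asm/p2m.h, hunk @@ -879,6 +879,26 @@, p2m_set_altp2m() checks the outgoing table with `BUG_ON(!orig)` but dereferences the incoming `v->domain->arch.altp2m_p2m[idx]` in atomic_inc() with no equivalent check. The two converted callers in p2m.c test the eptp arrays against INVALID_MFN before calling, but the converted call in vmx_vmexit_handler() shows no such test in its visible context and also discards the return value. Either state the precondition in the helper's comment or check the new table as well. Note too that `BUG_ON(idx >= MAX_ALTP2M)` now applies to the p2m.c callers, which did not have it before.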
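Review bot: In xen/arch/x86/platform_hypercall.c, hunk @@ -727,12 +727,17 @@, the XEN_CORE_PARKING_SET case assigns ret in neither branch when CONFIG_NR_CPUS is 1 and idle_nums is 0, so the result depends on the value ret had on entry to the switch, which this hunk does not show. Assigning ret explicitly on that path would make the outcome self-evident. Because idle_nums has already been clamped to `num_present_cpus() - 1`, it is also worth confirming that the `-EINVAL` branch is reachable at all in a single-CPU build.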
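Review bot: In xen/arch/x86/setup.c, hunk @@ -1104,11 +1100,45 @@, when the -1 default resolves to 0 because cpu_has_hypervisor is set and the CPU does not enumerate CET-SSS, supervisor shadow stacks are turned off without any message; the only printk is on the enable path. A boot log line for the auto-disable case would let an operator distinguish "CPU lacks CET-SS" from "disabled by default because of shadow stack fracturing under virt". The tristate meaning of opt_xen_shstk (-1 default, 0 off, 1 on) should also be stated in a comment at its declaration, where `-IS_ENABLED(CONFIG_XEN_SHSTK)` is not self-explanatory.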
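Review bot: In xen/arch/x86/sysctl.c, hunk @@ -179,6 +179,9 @@, the added `return 0;` for `CONFIG_NR_CPUS <= 1` leaves the function directly, whereas the code just above it sets ret and uses break (`ret = -EBUSY; break;`). Please confirm that nothing after the switch needs to run on this path, and say so in the comment, since the early return is easy to miss next to the surrounding ret/break pattern.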
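Review bot: In xen/drivers/passthrough/vtd/dmar.c, hunk @@ -391,15 +391,12 @@, igd_drhd_address is now recorded only when the device at segment 0, bus 0, device 2, function 0 reports base class 0x03, and dropping the `gfx_only &&` short-circuit means pci_conf_read8() is issued for every scope entry rather than only while gfx_only is still true. Both changes look intentional, but neither is explained in the code; a short comment on why the class check now gates igd_drhd_address would help the next reader.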
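Review bot: In xen/common/bunzip2.c, hunk @@ -233,6 +233,11 @@, the added comment misspells "initialized" as "intialized". The comment could also say plainly that `length[0] = 0;` exists only to silence the GCC 13 warning and has no effect on decoding, so that nobody later treats it as a functional initialisation.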