commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2024-07-18 19:15:19 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.17339 (New) Package is "xen" Thu Jul 18 19:15:19 2024 rev:347 rq:1187952 version:4.18.2_06 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2024-06-25 23:07:01.473315130 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.17339/xen.changes 2024-07-18 19:15:24.500892690 +0200 @@ -1,0 +2,7 @@ +Wed Jul 3 12:41:39 MDT 2024 - carn...@suse.com + +- bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86 + guest IRQ handling (XSA-458) + xsa458.patch + +--- @@ -21,0 +29,13 @@ + +--- +Wed Jun 12 12:03:14 UTC 2024 - Daniel Garcia + +- Fix python3 shebang in tools package (bsc#1212476) +- Depend directly on %primary_python instead of python3 so this + package will continue working without rebuilding even if python3 + changes in the system. +- Remove not needed patches, these patches adds the python3 shebang to + some scripts, but that's done during the build phase so it's not + needed: + - bin-python3-conversion.patch + - migration-python3-conversion.patch Old: bin-python3-conversion.patch migration-python3-conversion.patch New: xsa458.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.mQey2Y/_old 2024-07-18 19:15:26.836985227 +0200 +++ /var/tmp/diff_new_pack.mQey2Y/_new 2024-07-18 19:15:26.840985385 +0200 
@@ -26,6 +26,8 @@ # Keep it at the original location (/usr/lib) for backward compatibility %define _libexecdir /usr/lib +%{?!primary_python:%define primary_python python3} + Name: xen ExclusiveArch: %ix86 x86_64 aarch64 %define xen_build_dir xen-4.18.2-testing @@ -117,6 +119,7 @@ %ifarch x86_64 BuildRequires: pesign-obs-integration %endif +BuildRequires: python-rpm-macros Provides: installhint(reboot-needed) Version:4.18.2_06 @@ -180,6 +183,7 @@ Patch24:6672c847-x86-CPUID-XSAVE-dynamic-leaves.patch Patch25: 6673ffdc-x86-IRQ-forward-pending-to-new-dest-in-fixup_irqs.patch # EMBARGOED security fixes +Patch100: xsa458.patch # libxc Patch301: libxc-bitmap-long.patch Patch302: libxc-sr-xl-migration-debug.patch @@ -241,8 +245,6 @@ Patch467: libxl.LIBXL_HOTPLUG_TIMEOUT.patch # python3 conversion patches Patch500: build-python3-conversion.patch -Patch501: migration-python3-conversion.patch -Patch502: bin-python3-conversion.patch # Hypervisor and PV driver Patches Patch600: xen.bug1026236.suse_vtsc_tolerance.patch Patch601: x86-ioapic-ack-default.patch @@ -306,8 +308,8 @@ Requires: %{name} = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release} Recommends: multipath-tools -Requires: python3 -Requires: python3-curses +Requires: %{primary_python} +Requires: %{primary_python}-curses %ifarch %{ix86} x86_64 Requires: qemu-seabios %endif @@ -499,7 +501,7 @@ sed -i~ 's/ XENSTORETYPE=domain$/ XENSTORETYPE=daemon/' tools/hotplug/Linux/launch-xenstore.in configure_flags="${configure_flags} --disable-stubdom" %endif -export PYTHON="/usr/bin/python3" +export PYTHON=$(realpath /usr/bin/python3) configure_flags="${configure_flags} --disable-qemu-traditional" ./configure \ --disable-xen \ @@ -833,6 +835,7 @@ # Xen utilities install -m755 %SOURCE36 %{buildroot}/usr/sbin/xen2libvirt install -m755 %SOURCE10183 %{buildroot}/usr/sbin/xen_maskcalc +%python3_fix_shebang rm -f %{buildroot}/etc/xen/README* # Example config ++ xsa458.patch ++ 
From: Jan Beulich Subject: x86/IRQ: avoid double unlock in map_domain_pirq() Forever since its introduction the main loop in the function dealing with multi-vector MSI had error exit points ("break") with different properties: In one case no IRQ descriptor lock is being held. Nevertheless the subsequent error cleanup path assumed such a lock would uniformly need releasing. Identify the case by setting "desc" to NULL, thus allowing the unlock to be skipped as necessary. This is CVE-2024-31143 / XSA-458. Coverity ID: 1605298 Fixes: d1b6d0a02489 ("x86: enable multi-vector MSI") Signed-off-by: Jan Beulich Reviewed-by:
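Review bot: In the xen.spec hunk at `@@ -499,7 +501,7 @@`, `export PYTHON=$(realpath /usr/bin/python3)` pins the build to whatever /usr/bin/python3 resolves to on the build host, while the hunk at `@@ -306,8 +308,8 @@` makes the runtime dependency `%{primary_python}`, which falls back to plain `python3` through the new `%{?!primary_python:%define primary_python python3}` line. Nothing in the visible lines ties the two together, so the interpreter baked in at build time and the one required at install time can differ. Consider deriving PYTHON from the same macro, and quote the substitution and fail the build when realpath returns nothing, so an empty PYTHON never reaches ./configure.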
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2024-06-25 23:06:43 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.18349 (New) Package is "xen" Tue Jun 25 23:06:43 2024 rev:346 rq:1183065 version:4.18.2_06 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2024-06-06 12:31:17.085556322 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.18349/xen.changes 2024-06-25 23:07:01.473315130 +0200 
@@ -1,0 +2,22 @@ +Mon Jun 24 16:20:00 CEST 2024 - jbeul...@suse.com + +- bsc#1214718 - The system hangs intermittently when Power Control + Mode is set to Minimum Power on SLES15SP5 Xen + ba52-x86-irq-remove-offline-CPUs-from-old-CPU-mask-when.patch + 666994ab-x86-SMP-no-shorthand-IPI-in-hotplug.patch + 666994f0-x86-IRQ-limit-interrupt-movement-in-fixup_irqs.patch + 66718849-x86-IRQ-old_cpu_mask-in-fixup_irqs.patch + 6671885e-x86-IRQ-handle-moving-in-_assign_irq_vector.patch + 6673ffdc-x86-IRQ-forward-pending-to-new-dest-in-fixup_irqs.patch +- Upstream bug fixes (bsc#1027519) + 66450626-sched-set-all-sched_resource-data-inside-locked.patch + 66450627-x86-respect-mapcache_domain_init-failing.patch + 6646031f-x86-ucode-further-identify-already-up-to-date.patch + 666b07ee-x86-EPT-special-page-in-epte_get_entry_emt.patch + 666b0819-x86-EPT-avoid-marking-np-ents-for-reconfig.patch + 666b085a-x86-EPT-drop-questionable-mfn_valid-from-.patch + 667187cc-x86-Intel-unlock-CPUID-earlier.patch + 6672c846-x86-xstate-initialisation-of-XSS-cache.patch + 6672c847-x86-CPUID-XSAVE-dynamic-leaves.patch + +--- New: 66450626-sched-set-all-sched_resource-data-inside-locked.patch 66450627-x86-respect-mapcache_domain_init-failing.patch 6646031f-x86-ucode-further-identify-already-up-to-date.patch ba52-x86-irq-remove-offline-CPUs-from-old-CPU-mask-when.patch 666994ab-x86-SMP-no-shorthand-IPI-in-hotplug.patch 666994f0-x86-IRQ-limit-interrupt-movement-in-fixup_irqs.patch 666b07ee-x86-EPT-special-page-in-epte_get_entry_emt.patch 666b0819-x86-EPT-avoid-marking-np-ents-for-reconfig.patch 666b085a-x86-EPT-drop-questionable-mfn_valid-from-.patch 667187cc-x86-Intel-unlock-CPUID-earlier.patch 66718849-x86-IRQ-old_cpu_mask-in-fixup_irqs.patch 6671885e-x86-IRQ-handle-moving-in-_assign_irq_vector.patch 6672c846-x86-xstate-initialisation-of-XSS-cache.patch 6672c847-x86-CPUID-XSAVE-dynamic-leaves.patch 6673ffdc-x86-IRQ-forward-pending-to-new-dest-in-fixup_irqs.patch
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2024-05-23 15:34:11 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.24587 (New) Package is "xen" Thu May 23 15:34:11 2024 rev:344 rq:1175908 version:4.18.2_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2024-04-10 17:49:16.834023025 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.24587/xen.changes 2024-05-23 15:34:32.558053096 +0200 
@@ -1,0 +2,17 @@ +Wed May 15 11:15:00 CEST 2024 - jbeul...@suse.com + +- bsc#1221984 - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may + trigger Xen bug check (XSA-454) + 6617d62c-x86-hvm-Misra-Rule-19-1-regression.patch +- Upstream bug fixes (bsc#1027519) + 6627a4ee-vRTC-UIP-set-for-longer-than-expected.patch + 6627a5fc-x86-MTRR-inverted-WC-check.patch + 662a6a4c-x86-spec-reporting-of-BHB-clearing.patch + 662a6a8d-x86-spec-adjust-logic-to-elide-LFENCE.patch + 663090fd-x86-gen-cpuid-syntax.patch + 663a383c-libxs-open-xenbus-fds-as-O_CLOEXEC.patch + 663a4f3e-x86-cpu-policy-migration-IceLake-to-CascadeLake.patch + 663d05b5-x86-ucode-distinguish-up-to-date.patch + 663eaa27-libxl-XenStore-error-handling-in-device-creation.patch + +--- New: 6617d62c-x86-hvm-Misra-Rule-19-1-regression.patch 6627a4ee-vRTC-UIP-set-for-longer-than-expected.patch 6627a5fc-x86-MTRR-inverted-WC-check.patch 662a6a4c-x86-spec-reporting-of-BHB-clearing.patch 662a6a8d-x86-spec-adjust-logic-to-elide-LFENCE.patch 663090fd-x86-gen-cpuid-syntax.patch 663a383c-libxs-open-xenbus-fds-as-O_CLOEXEC.patch 663a4f3e-x86-cpu-policy-migration-IceLake-to-CascadeLake.patch 663d05b5-x86-ucode-distinguish-up-to-date.patch 663eaa27-libxl-XenStore-error-handling-in-device-creation.patch
Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.FLYKYP/_old 2024-05-23 15:34:36.198185188 +0200 +++ /var/tmp/diff_new_pack.FLYKYP/_new 2024-05-23 15:34:36.198185188 +0200 @@ -119,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.18.2_02 +Version:4.18.2_04 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only @@ -154,6 +154,16 @@ # For xen-libs Source99: baselibs.conf # Upstream patches +Patch1: 6617d62c-x86-hvm-Misra-Rule-19-1-regression.patch +Patch2: 6627a4ee-vRTC-UIP-set-for-longer-than-expected.patch +Patch3: 6627a5fc-x86-MTRR-inverted-WC-check.patch +Patch4: 662a6a4c-x86-spec-reporting-of-BHB-clearing.patch +Patch5: 662a6a8d-x86-spec-adjust-logic-to-elide-LFENCE.patch +Patch6: 663090fd-x86-gen-cpuid-syntax.patch +Patch7: 663a383c-libxs-open-xenbus-fds-as-O_CLOEXEC.patch +Patch8: 663a4f3e-x86-cpu-policy-migration-IceLake-to-CascadeLake.patch +Patch9: 663d05b5-x86-ucode-distinguish-up-to-date.patch +Patch10:663eaa27-libxl-XenStore-error-handling-in-device-creation.patch # EMBARGOED security fixes # libxc Patch301:
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2024-03-26 19:24:44 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1905 (New) Package is "xen" Tue Mar 26 19:24:44 2024 rev:342 rq:1162273 version:4.18.1_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2024-03-03 20:19:52.671038480 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1905/xen.changes2024-03-26 19:25:36.845299673 +0100 
@@ -1,0 +2,37 @@ +Mon Mar 25 15:30:00 CET 2024 - jbeul...@suse.com + +- bsc#1221334 - VUL-0: CVE-2024-2193: xen: GhostRace: Speculative + Race Conditions (XSA-453) + 65f83951-x86-mm-use-block_lock_speculation-in.patch + +--- +Fri Mar 15 10:11:56 MDT 2024 - carn...@suse.com + +- Update to Xen 4.18.1 bug fix release (bsc#1027519) + xen-4.18.1-testing-src.tar.bz2 + * No upstream changelog found in sources or webpage +- bsc#1221332 - VUL-0: CVE-2023-28746: xen: x86: Register File Data + Sampling (XSA-452) +- bsc#1221334 - VUL-0: CVE-2024-2193: xen: GhostRace: Speculative + Race Conditions (XSA-453) +- Dropped patches included in new tarball + 654370e2-x86-x2APIC-remove-ACPI_FADT_APIC_CLUSTER-use.patch + 65437103-x86-i8259-dont-assume-IRQs-always-target-CPU0.patch + 655b2ba9-fix-sched_move_domain.patch + 6566fef3-x86-vLAPIC-x2APIC-derive-LDR-from-APIC-ID.patch + 6569ad03-libxg-mem-leak-in-cpu-policy-get-set.patch + 656ee5e1-x86emul-avoid-triggering-event-assertions.patch + 656ee602-cpupool-adding-offline-CPU.patch + 656ee6c3-domain_create-error-path.patch + 6571ca95-fix-sched_move_domain.patch + 6578598c-Arm-avoid-pointer-overflow-on-invalidate.patch + 65842d5c-x86-AMD-extend-CPU-erratum-1474-fix.patch + 65a7a0a4-x86-Intel-GPCC-setup.patch + 65a9911a-VMX-IRQ-handling-for-EXIT_REASON_INIT.patch + 65b27990-x86-p2m-pt-off-by-1-in-entry-check.patch + 65b29e91-x86-ucode-stability-of-raw-policy-rescan.patch + 65b8f961-PCI-fail-dev-assign-if-phantom-functions.patch + 65b8f9ab-VT-d-else-vs-endif-misplacement.patch + xsa451.patch + +--- Old: 654370e2-x86-x2APIC-remove-ACPI_FADT_APIC_CLUSTER-use.patch 65437103-x86-i8259-dont-assume-IRQs-always-target-CPU0.patch 655b2ba9-fix-sched_move_domain.patch 6566fef3-x86-vLAPIC-x2APIC-derive-LDR-from-APIC-ID.patch 6569ad03-libxg-mem-leak-in-cpu-policy-get-set.patch 656ee5e1-x86emul-avoid-triggering-event-assertions.patch 656ee602-cpupool-adding-offline-CPU.patch 656ee6c3-domain_create-error-path.patch 6571ca95-fix-sched_move_domain.patch 
6578598c-Arm-avoid-pointer-overflow-on-invalidate.patch 65842d5c-x86-AMD-extend-CPU-erratum-1474-fix.patch 65a7a0a4-x86-Intel-GPCC-setup.patch 65a9911a-VMX-IRQ-handling-for-EXIT_REASON_INIT.patch 65b27990-x86-p2m-pt-off-by-1-in-entry-check.patch 65b29e91-x86-ucode-stability-of-raw-policy-rescan.patch 65b8f961-PCI-fail-dev-assign-if-phantom-functions.patch 65b8f9ab-VT-d-else-vs-endif-misplacement.patch xen-4.18.0-testing-src.tar.bz2 xsa451.patch New: 65f83951-x86-mm-use-block_lock_speculation-in.patch xen-4.18.1-testing-src.tar.bz2
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2024-03-03 20:19:26 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1770 (New) Package is "xen" Sun Mar 3 20:19:26 2024 rev:341 rq:1154130 version:4.18.0_06 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2024-02-02 15:45:11.664180648 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1770/xen.changes2024-03-03 20:19:52.671038480 +0100 @@ -1,0 +2,7 @@ +Tue Feb 13 09:35:57 MST 2024 - carn...@suse.com + +- bsc#1219885 - VUL-0: CVE-2023-46841: xen: x86: shadow stack vs + exceptions from emulation stubs (XSA-451) + xsa451.patch + +--- New: xsa451.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.dloRA8/_old 2024-03-03 20:19:54.159092313 +0100 +++ /var/tmp/diff_new_pack.dloRA8/_new 2024-03-03 20:19:54.159092313 +0100 @@ -172,6 +172,7 @@ Patch16:65b8f961-PCI-fail-dev-assign-if-phantom-functions.patch Patch17:65b8f9ab-VT-d-else-vs-endif-misplacement.patch # EMBARGOED security fixes +Patch100: xsa451.patch # libxc Patch301: libxc-bitmap-long.patch Patch302: libxc-sr-xl-migration-debug.patch ++ xsa451.patch ++ From: Jan Beulich Subject: x86: account for shadow stack in exception-from-stub recovery Dealing with exceptions raised from within emulation stubs involves discarding return address (replaced by exception related information). Such discarding of course also requires removing the corresponding entry from the shadow stack. Also amend the comment in fixup_exception_return(), to further clarify why use of ptr[1] can't be an out-of-bounds access. While touching do_invalid_op() also add a missing fall-through annotation. This is CVE-2023-46841 / XSA-451. Fixes: 209fb9919b50 ("x86/extable: Adjust extable handling to be shadow stack compatible") 
Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- a/xen/arch/x86/extable.c +++ b/xen/arch/x86/extable.c @@ -86,26 +86,29 @@ search_one_extable(const struct exceptio } unsigned long -search_exception_table(const struct cpu_user_regs *regs) +search_exception_table(const struct cpu_user_regs *regs, unsigned long *stub_ra) { const struct virtual_region *region = find_text_region(regs->rip); unsigned long stub = this_cpu(stubs.addr); if ( region && region->ex ) +{ +*stub_ra = 0; return search_one_extable(region->ex, region->ex_end, regs->rip); +} if ( regs->rip >= stub + STUB_BUF_SIZE / 2 && regs->rip < stub + STUB_BUF_SIZE && regs->rsp > (unsigned long)regs && regs->rsp < (unsigned long)get_cpu_info() ) { -unsigned long retptr = *(unsigned long *)regs->rsp; +unsigned long retaddr = *(unsigned long *)regs->rsp, fixup; -region = find_text_region(retptr); -retptr = region && region->ex - ? search_one_extable(region->ex, region->ex_end, retptr) - : 0; -if ( retptr ) +region = find_text_region(retaddr); +fixup = region && region->ex +? search_one_extable(region->ex, region->ex_end, retaddr) +: 0; +if ( fixup ) { /* * Put trap number and error code on the stack (in place of the @@ -117,7 +120,8 @@ search_exception_table(const struct cpu_ }; *(unsigned long *)regs->rsp = token.raw; -return retptr; +*stub_ra = retaddr; +return fixup; } } --- a/xen/arch/x86/include/asm/uaccess.h +++ b/xen/arch/x86/include/asm/uaccess.h @@ -421,7 +421,8 @@ union stub_exception_token { unsigned long raw; }; -extern unsigned long search_exception_table(const struct cpu_user_regs *regs); +extern unsigned long search_exception_table(const struct cpu_user_regs *regs, +unsigned long *stub_ra); extern void sort_exception_tables(void); extern void sort_exception_table(struct exception_table_entry *start, const struct exception_table_entry *stop); --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c 
@@ -845,7 +845,7 @@ void do_unhandled_trap(struct cpu_user_r } static void fixup_exception_return(struct cpu_user_regs *regs, - unsigned long fixup) + unsigned long fixup, unsigned long stub_ra) { if (
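Review bot: In the xen/arch/x86/extable.c hunk, the new out-parameter of search_exception_table() is written on only two paths in the lines shown: `*stub_ra = 0` when the fixup comes from the region's own table, and `*stub_ra = retaddr` when a stub fixup is found. When the stub branch is taken but `fixup` is 0, nothing visible stores to `*stub_ra`, so a caller that reads it after a zero return would see an indeterminate value. Either clear `*stub_ra` once at the top of the function, or add a comment at the uaccess.h prototype stating that it is only valid when the return value is non-zero.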
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-09-22 21:47:14 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1770 (New) Package is "xen" Fri Sep 22 21:47:14 2023 rev:336 rq:1112599 version:4.17.2_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-08-11 15:55:25.499724005 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.1770/xen.changes2023-09-22 21:48:15.474698284 +0200 @@ -1,0 +2,30 @@ +Mon Sep 18 11:36:39 MDT 2023 - carn...@suse.com + +- bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional + execution leak via division by zero (XSA-439) + xsa439-00.patch + xsa439-01.patch + xsa439-02.patch + xsa439-03.patch + xsa439-04.patch + xsa439-05.patch + xsa439-06.patch + xsa439-07.patch + xsa439-08.patch + xsa439-09.patch + +--- +Fri Sep 8 10:10:18 MDT 2023 - carn...@suse.com + +- bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow + reference dropped too early for 64-bit PV guests (XSA-438) + xsa438.patch + +--- +Sun Aug 13 13:13:13 UTC 2023 - oher...@suse.de + +- Handle potential unaligned access to bitmap in + libxc-sr-restore-hvm-legacy-superpage.patch + If setting BITS_PER_LONG at once, the initial bit must be aligned + +--- New: xsa438.patch xsa439-00.patch xsa439-01.patch xsa439-02.patch xsa439-03.patch xsa439-04.patch xsa439-05.patch xsa439-06.patch xsa439-07.patch xsa439-08.patch xsa439-09.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.sat1Rp/_old 2023-09-22 21:48:22.502953429 +0200 +++ /var/tmp/diff_new_pack.sat1Rp/_new 2023-09-22 21:48:22.506953574 +0200 @@ -119,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.17.2_02 +Version:4.17.2_04 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only 
@@ -160,6 +160,17 @@ Patch3: 643e387f-xen-update-CONFIG_DEBUG_INFO-help-text.patch Patch4: 6447a8fd-x86-EFI-permit-crash-dump-analysis.patch Patch5: 64d33a57-libxenstat-Linux-nul-terminate-string.patch +Patch9: xsa438.patch +Patch10:xsa439-00.patch +Patch11:xsa439-01.patch +Patch12:xsa439-02.patch +Patch13:xsa439-03.patch +Patch14:xsa439-04.patch +Patch15:xsa439-05.patch +Patch16:xsa439-06.patch +Patch17:xsa439-07.patch +Patch18:xsa439-08.patch +Patch19:xsa439-09.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch ++ libxc-sr-restore-hvm-legacy-superpage.patch ++ --- /var/tmp/diff_new_pack.sat1Rp/_old 2023-09-22 21:48:22.678959819 +0200 +++ /var/tmp/diff_new_pack.sat1Rp/_new 2023-09-22 21:48:22.678959819 +0200 @@ -438,7 +438,7 @@ +return -1; + +do { -+if ( sp.count >= BITS_PER_LONG ) { ++if ( sp.count >= BITS_PER_LONG && (sp.count % BITS_PER_LONG) == 0 ) { +sp.count -= BITS_PER_LONG; +ctx->restore.tot_pages += BITS_PER_LONG; +pfn_set_long_allocated(ctx, sp.base_pfn + sp.count); ++ xsa438.patch ++ From: Jan Beulich Subject: x86/shadow: defer releasing of PV's top-level shadow reference sh_set_toplevel_shadow() re-pinning the top-level shadow we may be running on is not enough (and at the same time unnecessary when the shadow isn't what we're running on): That shadow becomes eligible for blowing away (from e.g. shadow_prealloc()) immediately after the paging lock was dropped. Yet it needs to remain valid until the actual page table switch occurred. Propagate up the call chain the shadow entry that needs releasing eventually, and carry out the release immediately after switching page tables. Handle update_cr3() failures by switching to idle pagetables. Note that various further uses of update_cr3() are HVM-only or only act on paused vCPU-s, in which case sh_set_toplevel_shadow() will not defer releasing of the reference. While changing the update_cr3() hook, also convert the "do_locking" parameter to boolean. This is CVE-2023-34322 / XSA-438. 
Signed-off-by: Jan Beulich Reviewed-by: George Dunlap --- a/xen/arch/x86/include/asm/mm.h +++ b/xen/arch/x86/include/asm/mm.h @@ -552,7 +552,7 @@ void audit_domains(void); #endif void make_cr3(struct vcpu *v, mfn_t mfn); -void update_cr3(struct vcpu *v); +pagetable_t update_cr3(struct vcpu *v); int vcpu_destroy_pagetables(struct vcpu *);
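Review bot: In the libxc-sr-restore-hvm-legacy-superpage.patch hunk at `@@ -438,7 +438,7 @@`, the new condition tests `(sp.count % BITS_PER_LONG) == 0`, but the bit handed to pfn_set_long_allocated() is `sp.base_pfn + sp.count`. The changelog entry says the initial bit must be aligned, and that holds only if `sp.base_pfn` is itself a multiple of BITS_PER_LONG, which the visible lines do not establish. Test the alignment of the sum instead, or add a comment stating why `sp.base_pfn` is always aligned at this point.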
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-08-11 15:55:17 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.11712 (New) Package is "xen" Fri Aug 11 15:55:17 2023 rev:335 rq:1103355 version:4.17.2_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-08-06 16:29:30.279675762 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.11712/xen.changes 2023-08-11 15:55:25.499724005 +0200 
@@ -1,0 +2,32 @@ +Thu Aug 10 11:10:00 CEST 2023 - jbeul...@suse.com + +- bsc#1212684 - xentop fails with long interface name + 64d33a57-libxenstat-Linux-nul-terminate-string.patch + +--- +Tue Aug 8 11:36:00 MDT 2023 - carn...@suse.com + +- Update to Xen 4.17.2 bug fix release (bsc#1027519) + xen-4.17.2-testing-src.tar.bz2 + * No upstream changelog found in sources or webpage +- bsc#1214082 - VUL-0: CVE-2023-20569: xen: x86/AMD: Speculative + Return Stack Overflow (XSA-434) +- bsc#1214083 - VUL-0: CVE-2022-40982: xen: x86/Intel: Gather Data + Sampling (XSA-435) +- Dropped patches contained in new tarball + 64525c61-tools-libs-guest-assist-gcc13s-realloc-analyzer.patch + 645dec48-AMD-IOMMU-assert-boolean-enum.patch + 64639e84-amd-fix-legacy-setting-of-SSBD-on-AMD-Family-17h.patch + 646b782b-PCI-pci_get_pdev-respect-segment.patch + 647dfb0e-x86-missing-unlock-in-microcode_update_helper.patch + 648863fc-AMD-IOMMU-Invalidate-All-check.patch + 64bea1b2-x86-AMD-Zenbleed.patch + +--- +Tue Aug 1 11:11:11 UTC 2023 - oher...@suse.de + +- Handle potential off-by-one errors in libxc-sr-xg_sr_bitmap.patch + A bit is an index in bitmap, while bits is the allocated size + of the bitmap. + +--- Old: 64525c61-tools-libs-guest-assist-gcc13s-realloc-analyzer.patch 645dec48-AMD-IOMMU-assert-boolean-enum.patch 64639e84-amd-fix-legacy-setting-of-SSBD-on-AMD-Family-17h.patch 646b782b-PCI-pci_get_pdev-respect-segment.patch 647dfb0e-x86-missing-unlock-in-microcode_update_helper.patch 648863fc-AMD-IOMMU-Invalidate-All-check.patch 64bea1b2-x86-AMD-Zenbleed.patch xen-4.17.1-testing-src.tar.bz2 New: 64d33a57-libxenstat-Linux-nul-terminate-string.patch xen-4.17.2-testing-src.tar.bz2 Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.HwViuV/_old 2023-08-11 15:55:26.979732824 +0200 +++ /var/tmp/diff_new_pack.HwViuV/_new 2023-08-11 15:55:26.983732848 +0200 
@@ -28,7 +28,7 @@ Name: xen ExclusiveArch: %ix86 x86_64 aarch64 -%define xen_build_dir xen-4.17.1-testing +%define xen_build_dir xen-4.17.2-testing # %define with_gdbsx 0 %define with_dom0_support 0 @@ -119,12 +119,12 @@ %endif Provides: installhint(reboot-needed) -Version:4.17.1_06 +Version:4.17.2_02 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only Group: System/Kernel -Source0:xen-4.17.1-testing-src.tar.bz2 +Source0:xen-4.17.2-testing-src.tar.bz2 Source1:stubdom.tar.bz2 Source2:mini-os.tar.bz2 Source3:xen-utils-0.1.tar.bz2 @@ -159,13 +159,7 @@ Patch2: 643e3810-CONFIG_DEBUG_INFO-no-EXPERT.patch Patch3: 643e387f-xen-update-CONFIG_DEBUG_INFO-help-text.patch Patch4: 6447a8fd-x86-EFI-permit-crash-dump-analysis.patch -Patch5: 64525c61-tools-libs-guest-assist-gcc13s-realloc-analyzer.patch -Patch6: 645dec48-AMD-IOMMU-assert-boolean-enum.patch -Patch7: 64639e84-amd-fix-legacy-setting-of-SSBD-on-AMD-Family-17h.patch -Patch8: 646b782b-PCI-pci_get_pdev-respect-segment.patch -Patch9: 647dfb0e-x86-missing-unlock-in-microcode_update_helper.patch -Patch10:648863fc-AMD-IOMMU-Invalidate-All-check.patch -Patch11:64bea1b2-x86-AMD-Zenbleed.patch +Patch5: 64d33a57-libxenstat-Linux-nul-terminate-string.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch ++ 6447a8fd-x86-EFI-permit-crash-dump-analysis.patch ++ --- /var/tmp/diff_new_pack.HwViuV/_old 2023-08-11 15:55:27.019733062 +0200 +++ /var/tmp/diff_new_pack.HwViuV/_new 2023-08-11 15:55:27.023733086 +0200 @@ -52,7 +52,7 @@ rm -f cppcheck-misra.* xen-cppcheck.xml --- a/xen/arch/x86/Makefile +++ b/xen/arch/x86/Makefile -@@ -224,6 +224,9 @@ endif +@@ -225,6 +225,9 @@ endif $(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o $(orphan-handling-y) $(note_file_option) -o $@ $(NM) -pa --format=sysv $(@D)/$(@F) \
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-08-06 16:29:24 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.22712 (New) Package is "xen" Sun Aug 6 16:29:24 2023 rev:334 rq:1102421 version:4.17.1_06 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-07-09 20:42:51.694040301 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.22712/xen.changes 2023-08-06 16:29:30.279675762 +0200 @@ -1,0 +2,14 @@ +Fri Jul 28 15:15:15 UTC 2023 - oher...@suse.de + +- Add more debug to libxc-sr-track-migration-time.patch + This is supposed to help with doing the math in case xl restore + fails with ERANGE as reported in bug#1209311 + +--- +Tue Jul 25 10:44:08 MDT 2023 - carn...@suse.com + +- bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed + (XSA-433) + 64bea1b2-x86-AMD-Zenbleed.patch + +--- New: 64bea1b2-x86-AMD-Zenbleed.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.KPhJ4Z/_old 2023-08-06 16:29:31.775685344 +0200 +++ /var/tmp/diff_new_pack.KPhJ4Z/_new 2023-08-06 16:29:31.779685370 +0200 
@@ -165,6 +165,7 @@ Patch8: 646b782b-PCI-pci_get_pdev-respect-segment.patch Patch9: 647dfb0e-x86-missing-unlock-in-microcode_update_helper.patch Patch10:648863fc-AMD-IOMMU-Invalidate-All-check.patch +Patch11:64bea1b2-x86-AMD-Zenbleed.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch ++ 64bea1b2-x86-AMD-Zenbleed.patch ++ # Commit f91c5ea970675637721bb7f18adaa189837eb783 # Date 2023-07-24 17:07:14 +0100 # Author Andrew Cooper # Committer Andrew Cooper x86/amd: Mitigations for Zenbleed Zenbleed is a malfunction on AMD Zen2 uarch parts which results in corruption of the vector registers. An attacker can trigger this bug deliberately in order to access stale data in the physical vector register file. This can include data from sibling threads, or a higher-privilege context. Microcode is the preferred mitigation but in the case that's not available use the chickenbit as instructed by AMD. Re-evaluate the mitigation on late microcode load too. This is XSA-433 / CVE-2023-20593. Signed-off-by: Andrew Cooper Acked-by: Roger Pau Monné --- a/xen/arch/x86/cpu/amd.c +++ b/xen/arch/x86/cpu/amd.c @@ -13,6 +13,7 @@ #include #include #include +#include #include "cpu.h" 
@@ -878,6 +879,72 @@ void __init detect_zen2_null_seg_behavio } +void amd_check_zenbleed(void) +{ + const struct cpu_signature *sig = _cpu(cpu_sig); + unsigned int good_rev, chickenbit = (1 << 9); + uint64_t val, old_val; + + /* +* If we're virtualised, we can't do family/model checks safely, and +* we likely wouldn't have access to DE_CFG even if we could see a +* microcode revision. +* +* A hypervisor may hide AVX as a stopgap mitigation. We're not in a +* position to care either way. An admin doesn't want to be disabling +* AVX as a mitigation on any build of Xen with this logic present. +*/ + if (cpu_has_hypervisor || boot_cpu_data.x86 != 0x17) + return; + + switch (boot_cpu_data.x86_model) { + case 0x30 ... 0x3f: good_rev = 0x0830107a; break; + case 0x60 ... 0x67: good_rev = 0x0860010b; break; + case 0x68 ... 0x6f: good_rev = 0x08608105; break; + case 0x70 ... 0x7f: good_rev = 0x08701032; break; + case 0xa0 ... 0xaf: good_rev = 0x08a8; break; + default: + /* +* With the Fam17h check above, parts getting here are Zen1. +* They're not affected. +*/ + return; + } + + rdmsrl(MSR_AMD64_DE_CFG, val); + old_val = val; + + /* +* Microcode is the preferred mitigation, in terms of performance. +* However, without microcode, this chickenbit (specific to the Zen2 +* uarch) disables Floating Point Mov-Elimination to mitigate the +* issue. +*/ + val &= ~chickenbit; + if (sig->rev < good_rev) + val |= chickenbit; + + if (val == old_val) + /* Nothing to change. */ + return; + + /* +* DE_CFG is a Core-scoped MSR, and this write is racy during late +* microcode load. However, both threads calculate the new value from +* state which is shared, and unrelated to the old value, so the +* result should be consistent. +*/ +
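Review bot: In amd_check_zenbleed(), "val &= ~chickenbit;" clears more than bit 9, because chickenbit is declared unsigned int while val is uint64_t. ~chickenbit is evaluated as a 32-bit value and then zero-extended, so the upper 32 bits of the DE_CFG value read by rdmsrl() are dropped before the value is written back (the write itself is cut off in this mail). Declare chickenbit as uint64_t so that only the Floating Point Mov-Elimination bit is touched. Separately, the good_rev shown for models 0xa0 ... 0xaf (0x08a8) is much shorter than the other four revisions; since the test is "sig->rev < good_rev", check that constant against upstream commit f91c5ea970675637721bb7f18adaa189837eb783 before relying on this copy of the patch.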
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-07-09 20:40:46 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.23466 (New) Package is "xen" Sun Jul 9 20:40:46 2023 rev:333 rq:1097441 version:4.17.1_06 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-05-26 20:15:37.788318570 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.23466/xen.changes 2023-07-09 20:42:51.694040301 +0200 @@ -1,0 +2,9 @@ +Thu Jul 6 13:41:00 CET 2023 - jbeul...@suse.com + +- Upstream bug fixes (bsc#1027519) + 645dec48-AMD-IOMMU-assert-boolean-enum.patch + 646b782b-PCI-pci_get_pdev-respect-segment.patch + 647dfb0e-x86-missing-unlock-in-microcode_update_helper.patch + 648863fc-AMD-IOMMU-Invalidate-All-check.patch + +--- New: 645dec48-AMD-IOMMU-assert-boolean-enum.patch 646b782b-PCI-pci_get_pdev-respect-segment.patch 647dfb0e-x86-missing-unlock-in-microcode_update_helper.patch 648863fc-AMD-IOMMU-Invalidate-All-check.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.1m0yOy/_old 2023-07-09 20:42:53.314050047 +0200 +++ /var/tmp/diff_new_pack.1m0yOy/_new 2023-07-09 20:42:53.318050071 +0200 @@ -119,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.17.1_04 +Version:4.17.1_06 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only 
@@ -160,7 +160,11 @@ Patch3: 643e387f-xen-update-CONFIG_DEBUG_INFO-help-text.patch Patch4: 6447a8fd-x86-EFI-permit-crash-dump-analysis.patch Patch5: 64525c61-tools-libs-guest-assist-gcc13s-realloc-analyzer.patch -Patch6: 64639e84-amd-fix-legacy-setting-of-SSBD-on-AMD-Family-17h.patch +Patch6: 645dec48-AMD-IOMMU-assert-boolean-enum.patch +Patch7: 64639e84-amd-fix-legacy-setting-of-SSBD-on-AMD-Family-17h.patch +Patch8: 646b782b-PCI-pci_get_pdev-respect-segment.patch +Patch9: 647dfb0e-x86-missing-unlock-in-microcode_update_helper.patch +Patch10:648863fc-AMD-IOMMU-Invalidate-All-check.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch ++ 645dec48-AMD-IOMMU-assert-boolean-enum.patch ++ # Commit 4c507d8a6b6e8be90881a335b0a66eb28e0f7737 # Date 2023-05-12 09:35:36 +0200 # Author Roger Pau Monné # Committer Jan Beulich iommu/amd-vi: fix assert comparing boolean to enum Or else when iommu_intremap is set to iommu_intremap_full the assert triggers. Fixes: 1ba66a870eba ('AMD/IOMMU: without XT, x2APIC needs to be forced into physical mode') Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- a/xen/drivers/passthrough/amd/pci_amd_iommu.c +++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c 
@@ -240,7 +240,7 @@ static int __must_check amd_iommu_setup_ */ if ( dte->it_root ) ASSERT(dte->int_ctl == IOMMU_DEV_TABLE_INT_CONTROL_TRANSLATED); -ASSERT(dte->iv == iommu_intremap); +ASSERT(dte->iv == !!iommu_intremap); ASSERT(dte->ex == ivrs_dev->dte_allow_exclusion); ASSERT(dte->sys_mgt == MASK_EXTR(ivrs_dev->device_flags, ACPI_IVHD_SYSTEM_MGMT)); ++ 646b782b-PCI-pci_get_pdev-respect-segment.patch ++ # Commit c7908869ac26961a3919491705e521179ad3fc0e # Date 2023-05-22 16:11:55 +0200 # Author Roger Pau Monné # Committer Jan Beulich pci: fix pci_get_pdev() to always account for the segment When a domain parameter is provided to pci_get_pdev() the search function would match against the bdf, without taking the segment into account. Fix this and also account for the passed segment. Fixes: 8cf6e0738906 ('PCI: simplify (and thus correct) pci_get_pdev{,_by_domain}()') Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper Reviewed-by: Jan Beulich --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -552,7 +552,7 @@ struct pci_dev *pci_get_pdev(const struc } else list_for_each_entry ( pdev, >pdev_list, domain_list ) -if ( pdev->sbdf.bdf == sbdf.bdf ) +if ( pdev->sbdf.sbdf == sbdf.sbdf ) return pdev; return NULL; ++ 647dfb0e-x86-missing-unlock-in-microcode_update_helper.patch ++ # Commit b35b22acb887f682efe8385b3df165220bc84c86 # Date 2023-06-05 16:11:10 +0100 # Author Alejandro Vallejo # Committer Andrew Cooper x86/microcode: Add missing unlock in microcode_update_helper() microcode_update_helper() may return early while holding cpu_add_remove_lock, hence preventing any
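Review bot: In the pci_get_pdev() hunk, the change from "pdev->sbdf.bdf == sbdf.bdf" to "pdev->sbdf.sbdf == sbdf.sbdf" is only visible for the per-domain list walk in the else branch; the other branch lies outside the context lines. Please confirm that it also compares the full segment plus BDF, otherwise the two lookup paths can disagree about which device a given SBDF names on a multi-segment host. A one-line comment on the function stating that matching is always on the full sbdf would document the intended behaviour.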
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-05-26 20:15:25 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1533 (New) Package is "xen" Fri May 26 20:15:25 2023 rev:332 rq:1089051 version:4.17.1_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-05-09 13:08:17.165359616 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.1533/xen.changes2023-05-26 20:15:37.788318570 +0200 @@ -1,0 +2,7 @@ +Mon May 22 07:52:57 MDT 2023 - carn...@suse.com + +- bsc#1211433 - VUL-0: CVE-2022-42336: xen: Mishandling of guest + SSBD selection on AMD hardware (XSA-431) + 64639e84-amd-fix-legacy-setting-of-SSBD-on-AMD-Family-17h.patch + +--- New: 64639e84-amd-fix-legacy-setting-of-SSBD-on-AMD-Family-17h.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.cTk9Zo/_old 2023-05-26 20:15:38.928325365 +0200 +++ /var/tmp/diff_new_pack.cTk9Zo/_new 2023-05-26 20:15:38.936325413 +0200 @@ -119,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.17.1_02 +Version:4.17.1_04 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only @@ -160,6 +160,7 @@ Patch3: 643e387f-xen-update-CONFIG_DEBUG_INFO-help-text.patch Patch4: 6447a8fd-x86-EFI-permit-crash-dump-analysis.patch Patch5: 64525c61-tools-libs-guest-assist-gcc13s-realloc-analyzer.patch +Patch6: 64639e84-amd-fix-legacy-setting-of-SSBD-on-AMD-Family-17h.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch ++ 64639e84-amd-fix-legacy-setting-of-SSBD-on-AMD-Family-17h.patch ++ Subject: x86/amd: fix legacy setting of SSBD on AMD Family 17h 
From: Roger Pau Monné roger@citrix.com Tue May 16 17:22:35 2023 +0200
Date: Tue May 16 17:22:35 2023 +0200:
Git: 66c930ceac3989b6dc6031bfc30e1e894fc6aebe

The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to coordinate it, such logic relies on using a per-core counter of threads that have SSBD active.

Given the current logic, it's possible for a guest to under or overflow the thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets propagated to the helper that does the per-core active accounting. Overflowing the counter is not so much of an issue, as this would just make SSBD sticky.

Underflowing however is more problematic: on non-debug Xen builds a guest can perform empty writes to VIRT_SPEC_CTRL that would cause the counter to underflow and thus the value gets saturated to the max value of unsigned int. At which point attempts from any thread to set VIRT_SPEC_CTRL.SSBD won't get propagated to the hardware anymore, because the logic will see that the counter is greater than 1 and assume that SSBD is already active, effectively losing the setting of SSBD and the protection it provides.

Fix this by introducing a per-CPU variable that keeps track of whether the current thread has legacy SSBD active or not, and thus only attempt to propagate the value to the hardware once the thread selected value changes.

This is XSA-431 / CVE-2022-42336

Fixes: b2030e6730a2 ('amd/virt_ssbd: set SSBD at vCPU context switch')
Reported-by: Andrew Cooper
Signed-off-by: Roger Pau Monné
Reviewed-by: Jan Beulich
master commit: eda98ea870803ea204a1928519b3f21ec6a679b6
master date: 2023-05-16 17:17:24 +0200

diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c index 1ddb55cbe5..b6a20d375a 100644 --- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c @@ -783,12 +783,23 @@ bool __init amd_setup_legacy_ssbd(void) return true; } +/* + * legacy_ssbd is always initialized to false because when SSBD is set + * from the command line guest attempts to change it are a no-op (see + * amd_set_legacy_ssbd()), whereas when SSBD is inactive hardware will + * be forced into that mode (see amd_init_ssbd()). + */ +static DEFINE_PER_CPU(bool, legacy_ssbd); + +/* Must be called only when the SSBD setting needs toggling. */ static void core_set_legacy_ssbd(bool enable) { const struct cpuinfo_x86 *c = _cpu_data; struct ssbd_ls_cfg *status; unsigned long flags; + BUG_ON(this_cpu(legacy_ssbd) == enable); + if ((c->x86 != 0x17 && c->x86 != 0x18) || c->x86_num_siblings <= 1) {
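Review bot: The new "BUG_ON(this_cpu(legacy_ssbd) == enable);" at the top of core_set_legacy_ssbd() turns a redundant call into a host crash, and per the commit message these calls originate from guest writes to VIRT_SPEC_CTRL.SSBD. The caller-side filter that makes this safe (comparing the requested value against this_cpu(legacy_ssbd) and then updating it) is not in the part of the patch visible here, so it needs checking that every caller performs that comparison. It also needs checking that the per-CPU flag is updated on every path through the function, including the branch for "c->x86_num_siblings <= 1" whose body is cut off in this mail; if any path leaves the flag stale, the next legitimate toggle trips the BUG_ON.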
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-05-09 13:08:08 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1533 (New) Package is "xen" Tue May 9 13:08:08 2023 rev:331 rq:1085553 version:4.17.1_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-04-01 23:26:56.439318701 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.1533/xen.changes2023-05-09 13:08:17.165359616 +0200 
@@ -1,0 +2,57 @@ +Thu May 4 11:22:27 MDT 2023 - carn...@suse.com + +- bsc#1210570 - gcc-13 realloc use-after-free analysis error + 64525c61-tools-libs-guest-assist-gcc13s-realloc-analyzer.patch + +--- +Fri Apr 28 14:53:15 MDT 2023 - carn...@suse.com + +- bsc#1209237 - xen-syms doesn't contain debug-info + 643e3810-CONFIG_DEBUG_INFO-no-EXPERT.patch + 643e387f-xen-update-CONFIG_DEBUG_INFO-help-text.patch + 6447a8fd-x86-EFI-permit-crash-dump-analysis.patch + +--- +Thu Apr 27 11:40:25 MDT 2023 - carn...@suse.com + +- Update to Xen 4.17.1 bug fix release (bsc#1027519) + xen-4.17.1-testing-src.tar.bz2 + * No upstream changelog found in sources or webpage +- Dropped patches contained in new tarball + 63a03b73-VMX-VMExit-based-BusLock-detection.patch + 63a03ba6-VMX-INTR_SHADOW_NMI-helper.patch + 63a03bce-VMX-Notify-VMExit.patch + 63a03e28-x86-high-freq-TSC-overflow.patch + 63c05478-VMX-calculate-model-specific-LBRs-once.patch + 63c05478-VMX-support-CPUs-without-model-specific-LBR.patch + 63d24e91-tools-xenstore-revert-simplify-loop-handling.patch + 63e53ac9-x86-CPUID-leaves-7-1-ecx-edx.patch + 63e53ac9-x86-disable-CET-SS-when-fractured-updates.patch + 63ebca9c-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-Predictions.patch + 63f4d045-x86-ucode-AMD-apply-early-on-all-threads.patch + 63fe06e0-x86-ucode-AMD-apply-late-on-all-threads.patch + 640f3035-x86-altp2m-help-gcc13.patch + 641041e8-VT-d-constrain-IGD-check.patch + 64104238-bunzip-gcc13.patch + 6419697d-AMD-IOMMU-no-XT-x2APIC-phys.patch + 64199e0c-x86-shadow-account-for-log-dirty-mode.patch + 64199e0d-x86-HVM-bound-number-of-pca-regions.patch + 64199e0e-x86-HVM-serialize-pca-list-manipulation.patch + 64199e0f-x86-spec-ctrl-defer-CR4_PV32_RESTORE-for-CSTAR.patch + libxl.fix-guest-kexec-skip-cpuid-policy.patch + xsa430.patch + +--- +Tue Apr 11 09:36:33 MDT 2023 - carn...@suse.com + +- bsc#1210315 - VUL-0: CVE-2022-42335: xen: x86 shadow paging + arbitrary pointer dereference (XSA-430) + xsa430.patch + +--- +Fri Mar 31 
11:02:49 MDT 2023 - carn...@suse.com + +- Not building the shim is correctly handled by --disable-pvshim + Drop disable-building-pv-shim.patch + +--- Old: 63a03b73-VMX-VMExit-based-BusLock-detection.patch 63a03ba6-VMX-INTR_SHADOW_NMI-helper.patch 63a03bce-VMX-Notify-VMExit.patch 63a03e28-x86-high-freq-TSC-overflow.patch 63c05478-VMX-calculate-model-specific-LBRs-once.patch 63c05478-VMX-support-CPUs-without-model-specific-LBR.patch 63d24e91-tools-xenstore-revert-simplify-loop-handling.patch 63e53ac9-x86-CPUID-leaves-7-1-ecx-edx.patch 63e53ac9-x86-disable-CET-SS-when-fractured-updates.patch 63ebca9c-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-Predictions.patch 63f4d045-x86-ucode-AMD-apply-early-on-all-threads.patch 63fe06e0-x86-ucode-AMD-apply-late-on-all-threads.patch 640f3035-x86-altp2m-help-gcc13.patch 641041e8-VT-d-constrain-IGD-check.patch 64104238-bunzip-gcc13.patch 6419697d-AMD-IOMMU-no-XT-x2APIC-phys.patch 64199e0c-x86-shadow-account-for-log-dirty-mode.patch 64199e0d-x86-HVM-bound-number-of-pca-regions.patch 64199e0e-x86-HVM-serialize-pca-list-manipulation.patch 64199e0f-x86-spec-ctrl-defer-CR4_PV32_RESTORE-for-CSTAR.patch disable-building-pv-shim.patch libxl.fix-guest-kexec-skip-cpuid-policy.patch xen-4.17.0-testing-src.tar.bz2 New: 643e3810-CONFIG_DEBUG_INFO-no-EXPERT.patch 643e387f-xen-update-CONFIG_DEBUG_INFO-help-text.patch 6447a8fd-x86-EFI-permit-crash-dump-analysis.patch 64525c61-tools-libs-guest-assist-gcc13s-realloc-analyzer.patch xen-4.17.1-testing-src.tar.bz2 Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.U87ehu/_old 2023-05-09 13:08:19.381372805 +0200 +++ /var/tmp/diff_new_pack.U87ehu/_new 2023-05-09 13:08:19.385372829 +0200 @@ -28,7 +28,7 @@ Name: xen ExclusiveArch: %ix86 x86_64 aarch64 -%define
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-04-01 23:26:54 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.9019 (New) Package is "xen" Sat Apr 1 23:26:54 2023 rev:330 rq:1075603 version:4.17.0_06 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-03-11 18:23:12.274619379 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.9019/xen.changes2023-04-01 23:26:56.439318701 +0200 
@@ -1,0 +2,48 @@ +Thu Mar 23 08:10:00 CET 2023 - jbeul...@suse.com + +- Upstream bug fixes (bsc#1027519) + 63a03b73-VMX-VMExit-based-BusLock-detection.patch + 63a03ba6-VMX-INTR_SHADOW_NMI-helper.patch + 63a03bce-VMX-Notify-VMExit.patch + 63e53ac9-x86-CPUID-leaves-7-1-ecx-edx.patch + 63e53ac9-x86-disable-CET-SS-when-fractured-updates.patch + 63f4d045-x86-ucode-AMD-apply-early-on-all-threads.patch + 63fe06e0-x86-ucode-AMD-apply-late-on-all-threads.patch + 641041e8-VT-d-constrain-IGD-check.patch + 6419697d-AMD-IOMMU-no-XT-x2APIC-phys.patch +- Use "proper" upstream backports: + 640f3035-x86-altp2m-help-gcc13.patch + 64104238-bunzip-gcc13.patch + 64199e0c-x86-shadow-account-for-log-dirty-mode.patch + 64199e0d-x86-HVM-bound-number-of-pca-regions.patch + 64199e0e-x86-HVM-serialize-pca-list-manipulation.patch + 64199e0f-x86-spec-ctrl-defer-CR4_PV32_RESTORE-for-CSTAR.patch +- ... in place of: + bunzip-gcc13.patch + altp2m-gcc13.patch + xsa427.patch + xsa428-1.patch + xsa428-2.patch + xsa429.patch + +--- +Thu Mar 16 08:08:08 UTC 2023 - oher...@suse.de + +- bsc#1209245 - fix host-assisted kexec/kdump for HVM domUs + libxl.fix-guest-kexec-skip-cpuid-policy.patch + +--- +Tue Mar 7 10:44:12 MST 2023 - carn...@suse.com + +- bsc#1209017 - VUL-0: CVE-2022-42332: xen: x86 shadow plus + log-dirty mode use-after-free (XSA-427) + xsa427.patch +- bsc#1209018 - VUL-0: CVE-2022-42333,CVE-2022-42334: xen: x86/HVM + pinned cache attributes mis-handling (XSA-428) + xsa428-1.patch + xsa428-2.patch +- bsc#1209019 - VUL-0: CVE-2022-42331: xen: x86: speculative + vulnerability in 32bit SYSCALL path (XSA-429) + xsa429.patch + +--- Old: altp2m-gcc13.patch bunzip-gcc13.patch New: 63a03b73-VMX-VMExit-based-BusLock-detection.patch 63a03ba6-VMX-INTR_SHADOW_NMI-helper.patch 63a03bce-VMX-Notify-VMExit.patch 63e53ac9-x86-CPUID-leaves-7-1-ecx-edx.patch 63e53ac9-x86-disable-CET-SS-when-fractured-updates.patch 63f4d045-x86-ucode-AMD-apply-early-on-all-threads.patch 
63fe06e0-x86-ucode-AMD-apply-late-on-all-threads.patch 640f3035-x86-altp2m-help-gcc13.patch 641041e8-VT-d-constrain-IGD-check.patch 64104238-bunzip-gcc13.patch 6419697d-AMD-IOMMU-no-XT-x2APIC-phys.patch 64199e0c-x86-shadow-account-for-log-dirty-mode.patch 64199e0d-x86-HVM-bound-number-of-pca-regions.patch 64199e0e-x86-HVM-serialize-pca-list-manipulation.patch 64199e0f-x86-spec-ctrl-defer-CR4_PV32_RESTORE-for-CSTAR.patch libxl.fix-guest-kexec-skip-cpuid-policy.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.p2IWAX/_old 2023-04-01 23:26:58.367328836 +0200 +++ /var/tmp/diff_new_pack.p2IWAX/_new 2023-04-01 23:26:58.375328878 +0200 @@ -119,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.17.0_04 +Version:4.17.0_06 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only @@ -155,12 +155,27 @@ # For xen-libs Source99: baselibs.conf # Upstream patches -Patch1: 63a03e28-x86-high-freq-TSC-overflow.patch -Patch2: 63c05478-VMX-calculate-model-specific-LBRs-once.patch -Patch3: 63c05478-VMX-support-CPUs-without-model-specific-LBR.patch -Patch4: 63d24e91-tools-xenstore-revert-simplify-loop-handling.patch -Patch5: 63e4da00-dont-log-errors-when-trying-to-load-PVH-xenstore-stubdom.patch -Patch6: 63ebca9c-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-Predictions.patch +Patch1: 63a03b73-VMX-VMExit-based-BusLock-detection.patch +Patch2: 63a03ba6-VMX-INTR_SHADOW_NMI-helper.patch +Patch3: 63a03bce-VMX-Notify-VMExit.patch +Patch4: 63a03e28-x86-high-freq-TSC-overflow.patch +Patch5: 63c05478-VMX-calculate-model-specific-LBRs-once.patch +Patch6: 63c05478-VMX-support-CPUs-without-model-specific-LBR.patch +Patch7: 63d24e91-tools-xenstore-revert-simplify-loop-handling.patch +Patch8:
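Review bot: The Mar 23 entry in xen.changes replaces xsa427.patch, xsa428-1.patch, xsa428-2.patch and xsa429.patch with upstream-named backports but lists the two sets separately, so a reader cannot tell from the changelog which of the 64199e0c to 64199e0f files carries which XSA/CVE fix. Pair them explicitly, one "old -> new" line per patch, so that the fixes for CVE-2022-42331 through CVE-2022-42334 recorded in the Mar 7 entry stay traceable after the rename.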
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-03-11 18:23:10 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.31432 (New) Package is "xen" Sat Mar 11 18:23:10 2023 rev:329 rq:1070523 version:4.17.0_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-03-02 23:03:15.903323840 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.31432/xen.changes 2023-03-11 18:23:12.274619379 +0100 @@ -1,0 +2,8 @@ +Thu Mar 2 10:33:46 MST 2023 - carn...@suse.com + +- bsc#1208736 - GCC 13: xen package fails + bunzip-gcc13.patch + altp2m-gcc13.patch +- Drop gcc13-fixes.patch + +--- Old: gcc13-fixes.patch New: altp2m-gcc13.patch bunzip-gcc13.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.JuKbCg/_old 2023-03-11 18:23:13.814627404 +0100 +++ /var/tmp/diff_new_pack.JuKbCg/_new 2023-03-11 18:23:13.814627404 +0100 
@@ -207,7 +207,8 @@ # Needs to go upstream Patch420: suspend_evtchn_lock.patch Patch421: vif-route.patch -Patch422: gcc13-fixes.patch +Patch422: bunzip-gcc13.patch +Patch423: altp2m-gcc13.patch # Other bug fixes or features Patch450: xen.sysconfig-fillup.patch Patch451: xenconsole-no-multiple-connections.patch ++ altp2m-gcc13.patch ++ x86/altp2m: help gcc13 to avoid it emitting a warning Switches of altp2m-s always expect a valid altp2m to be in place (and indeed altp2m_vcpu_initialise() sets the active one to be at index 0). The compiler, however, cannot know that, and hence it cannot eliminate p2m_get_altp2m()'s case of returnin (literal) NULL. If then the compiler decides to special case that code path, the dereference in instances of atomic_dec(_get_altp2m(v)->active_vcpus); will, to the code generator, appear to be NULL dereferences, leading to In function 'atomic_dec', inlined from '...' at ...: ./arch/x86/include/asm/atomic.h:182:5: error: array subscript 0 is outside array bounds of 'int[0]' [-Werror=array-bounds=] Aid the compiler by adding a BUG_ON() checking the return value of the problematic p2m_get_altp2m(). Since with the use of the local variable the 2nd p2m_get_altp2m() each will look questionable at the first glance (Why is the local variable not used here?), open-code the only relevant piece of p2m_get_altp2m() there. To avoid repeatedly doing these transformations, and also to limit how "bad" the open-coding really is, convert the entire operation to an inline helper, used by all three instances (and accepting the redundant BUG_ON(idx >= MAX_ALTP2M) in two of the three cases). Reported-by: Charles Arnold Signed-off-by: Jan Beulich --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c 
@@ -4063,13 +4063,7 @@ void vmx_vmexit_handler(struct cpu_user_ } } -if ( idx != vcpu_altp2m(v).p2midx ) -{ -BUG_ON(idx >= MAX_ALTP2M); -atomic_dec(_get_altp2m(v)->active_vcpus); -vcpu_altp2m(v).p2midx = idx; -atomic_inc(_get_altp2m(v)->active_vcpus); -} +p2m_set_altp2m(v, idx); } if ( unlikely(currd->arch.monitor.vmexit_enabled) ) --- a/xen/arch/x86/include/asm/p2m.h +++ b/xen/arch/x86/include/asm/p2m.h @@ -879,6 +879,26 @@ static inline struct p2m_domain *p2m_get return v->domain->arch.altp2m_p2m[index]; } +/* set current alternate p2m table */ +static inline bool p2m_set_altp2m(struct vcpu *v, unsigned int idx) +{ +struct p2m_domain *orig; + +BUG_ON(idx >= MAX_ALTP2M); + +if ( idx == vcpu_altp2m(v).p2midx ) +return false; + +orig = p2m_get_altp2m(v); +BUG_ON(!orig); +atomic_dec(>active_vcpus); + +vcpu_altp2m(v).p2midx = idx; +atomic_inc(>domain->arch.altp2m_p2m[idx]->active_vcpus); + +return true; +} + /* Switch alternate p2m for a single vcpu */ bool_t p2m_switch_vcpu_altp2m_by_id(struct vcpu *v, unsigned int idx); --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -1787,13 +1787,8 @@ bool_t p2m_switch_vcpu_altp2m_by_id(stru if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) ) { -if ( idx != vcpu_altp2m(v).p2midx ) -{ -atomic_dec(_get_altp2m(v)->active_vcpus); -vcpu_altp2m(v).p2midx = idx; -atomic_inc(_get_altp2m(v)->active_vcpus); +if ( p2m_set_altp2m(v, idx) ) altp2m_vcpu_update_p2m(v); -} rc = 1; } @@ -2070,13 +2065,8 @@ int p2m_switch_domain_altp2m_by_id(struc if ( d->arch.altp2m_visible_eptp[idx] != mfn_x(INVALID_MFN) ) {
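Review bot: In p2m_set_altp2m() the outgoing table is guarded with "BUG_ON(!orig);" but the incoming one is dereferenced unchecked in the atomic_inc() on altp2m_p2m[idx]->active_vcpus; only "idx >= MAX_ALTP2M" is ruled out. The p2m.c callers visible here test altp2m_eptp[idx] or altp2m_visible_eptp[idx] against INVALID_MFN first, but the helper now lives in a header and the checks ahead of the vmx_vmexit_handler() call are outside the context shown. Either add a matching BUG_ON for altp2m_p2m[idx] or state the precondition in the helper's comment, which currently only says "set current alternate p2m table".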
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-03-02 23:02:53 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.31432 (New) Package is "xen" Thu Mar 2 23:02:53 2023 rev:328 rq:1068230 version:4.17.0_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-02-19 18:18:44.289395707 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.31432/xen.changes 2023-03-02 23:03:15.903323840 +0100 @@ -1,0 +2,6 @@ +Tue Feb 28 08:56:55 MST 2023 - carn...@suse.com + +- bsc#1208736 - GCC 13: xen package fails + gcc13-fixes.patch + +--- New: gcc13-fixes.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.d1G9L6/_old 2023-03-02 23:03:17.903352428 +0100 +++ /var/tmp/diff_new_pack.d1G9L6/_new 2023-03-02 23:03:17.907352485 +0100 
@@ -207,6 +207,7 @@ # Needs to go upstream Patch420: suspend_evtchn_lock.patch Patch421: vif-route.patch +Patch422: gcc13-fixes.patch # Other bug fixes or features Patch450: xen.sysconfig-fillup.patch Patch451: xenconsole-no-multiple-connections.patch ++ gcc13-fixes.patch ++ References: bsc#1208736 common/bunzip2.c: In function 'get_next_block': common/bunzip2.c:261:41: error: 'length' may be used uninitialized [-Werror=maybe-uninitialized] 261 | minLen = maxLen = length[0]; | ~~^~~ common/bunzip2.c:224:31: note: 'length' declared here 224 | unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1]; | ^~ In function 'atomic_dec', inlined from 'vmx_vmexit_handler' at arch/x86/hvm/vmx/vmx.c:4069:13: ./arch/x86/include/asm/atomic.h:182:5: error: array subscript 0 is outside array bounds of 'int[0]' [-Werror=array-bounds=] 182 | asm volatile ( | ^~~ In function 'vmx_vmexit_handler': cc1: note: source object is likely at address zero In function 'atomic_dec', inlined from 'p2m_switch_vcpu_altp2m_by_id' at arch/x86/mm/p2m.c:1792:13: ./arch/x86/include/asm/atomic.h:182:5: error: array subscript 0 is outside array bounds of 'int[0]' [-Werror=array-bounds=] 182 | asm volatile ( | ^~~ In function 'p2m_switch_vcpu_altp2m_by_id': cc1: note: source object is likely at address zero --- xen-4.17.0-testing/xen/common/bunzip2.c.orig2023-02-28 08:51:03.301930999 -0700 +++ xen-4.17.0-testing/xen/common/bunzip2.c 2023-02-28 08:53:52.865925508 -0700 @@ -142,6 +142,10 @@ static unsigned int __init get_bits(stru return bits; } +#if __GNUC__ >= 13 +#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" +#endif + /* Unpacks the next block and sets up for the inverse burrows-wheeler step. */ static int __init get_next_block(struct bunzip_data *bd) --- xen-4.17.0-testing/xen/arch/x86/include/asm/atomic.h.orig 2023-02-28 09:22:51.037869226 -0700 +++ xen-4.17.0-testing/xen/arch/x86/include/asm/atomic.h2023-02-28 09:23:26.261868085 -0700 
@@ -177,6 +177,10 @@ static inline int atomic_inc_and_test(at return c; } +#if __GNUC__ >= 12 +#pragma GCC diagnostic ignored "-Warray-bounds" +#endif + static inline void atomic_dec(atomic_t *v) { asm volatile (
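Review bot: The '#pragma GCC diagnostic ignored "-Warray-bounds"' added to asm/atomic.h has no push/pop, so from the point of inclusion it disables array-bounds diagnostics for the rest of every translation unit that includes the header, not only for atomic_dec(). That removes a compile-time check across the hypervisor in order to silence two call sites. Wrap only the affected function in "#pragma GCC diagnostic push" / "pop", or change the callers so the compiler can see the pointer is non-NULL. The guard also reads "__GNUC__ >= 12" although the referenced failure is with GCC 13; a comment should say why 12 is intended.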
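Review bot: In bunzip2.c the "-Wmaybe-uninitialized" pragma is placed before get_next_block() and never restored, so every function after it in the file loses the warning as well. The diagnostic quoted in the patch header points at the read "minLen = maxLen = length[0];", and the patch does not say why that read is safe. Either initialise length[] or scope the pragma to get_next_block() with push/pop, and add a comment explaining why the report is a false positive.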
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-02-19 18:18:41 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.22824 (New) Package is "xen" Sun Feb 19 18:18:41 2023 rev:327 rq:1066241 version:4.17.0_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-02-14 16:43:06.889621005 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.22824/xen.changes 2023-02-19 18:18:44.289395707 +0100 @@ -1,0 +2,7 @@ +Wed Feb 15 11:07:08 MST 2023 - carn...@suse.com + +- bsc#1208286 - VUL-0: CVE-2022-27672: xen: Cross-Thread Return + Address Predictions (XSA-426) + 63ebca9c-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-Predictions.patch + +--- New: 63ebca9c-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-Predictions.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.VNeVtW/_old 2023-02-19 18:18:45.561403790 +0100 +++ /var/tmp/diff_new_pack.VNeVtW/_new 2023-02-19 18:18:45.565403815 +0100 @@ -160,6 +160,7 @@ Patch3: 63c05478-VMX-support-CPUs-without-model-specific-LBR.patch Patch4: 63d24e91-tools-xenstore-revert-simplify-loop-handling.patch Patch5: 63e4da00-dont-log-errors-when-trying-to-load-PVH-xenstore-stubdom.patch +Patch6: 63ebca9c-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-Predictions.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch ++ 63ebca9c-x86-spec-ctrl-Mitigate-Cross-Thread-Return-Address-Predictions.patch ++ Subject: x86/spec-ctrl: Mitigate Cross-Thread Return Address Predictions From: Andrew Cooper andrew.coop...@citrix.com Thu Sep 8 21:27:58 2022 +0100 Date: Tue Feb 14 17:53:49 2023 +: Git: 3685e754e6017c616769b28133286d06bf07b613 This is XSA-426 / CVE-2022-27672 Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 63305e5392ec2d17b85e7996a97462744425db80) 
diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 424b12cfb2..e7fe8b0cc9 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2343,7 +2343,7 @@ guests to use. on entry and exit. These blocks are necessary to virtualise support for guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / - Return Address Stack on entry to Xen. + Return Address Stack on entry to Xen and on idle. * `md-clear=` offers control over whether to use VERW to flush microarchitectural buffers on idle and exit from Xen. *Note: For compatibility with development versions of this fix, `mds=` is also accepted diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h index 865f110986..da0593de85 100644 --- a/xen/arch/x86/include/asm/cpufeatures.h +++ b/xen/arch/x86/include/asm/cpufeatures.h @@ -35,7 +35,8 @@ XEN_CPUFEATURE(SC_RSB_HVM,X86_SYNTH(19)) /* RSB overwrite needed for HVM XEN_CPUFEATURE(XEN_SELFSNOOP, X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */ XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* Clear MSR_SPEC_CTRL on idle */ XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */ -/* Bits 23,24 unused. */ +/* Bits 23 unused. */ +XEN_CPUFEATURE(SC_RSB_IDLE, X86_SYNTH(24)) /* RSB overwrite needed for idle. */ XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */ XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */ XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */ diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h index 6a77c39378..391973ef6a 100644 --- a/xen/arch/x86/include/asm/spec_ctrl.h +++ b/xen/arch/x86/include/asm/spec_ctrl.h 
@@ -159,6 +159,21 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info) */ alternative_input("", "verw %[sel]", X86_FEATURE_SC_VERW_IDLE, [sel] "m" (info->verw_sel)); + +/* + * Cross-Thread Return Address Predictions: + * + * On vulnerable systems, the return predictions (RSB/RAS) are statically + * partitioned between active threads. When entering idle, our entries + * are re-partitioned to allow the other threads to use them. + * + * In some cases, we might still have guest entries in the RAS, so flush + * them before injecting them sideways to our sibling thread. + * + * (ab)use alternative_input() to
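Review bot: The xen-command-line.pandoc hunk extends the rsb= description to "on entry to Xen and on idle" in a single clause, which leaves it unclear to an operator whether turning rsb= off also turns off the idle-time flush that the spec_ctrl_enter_idle() comment introduces for cross-thread return address predictions. State in the option text whether the one setting governs both. Minor: in cpufeatures.h the comment should read "Bit 23 unused." now that only one bit is left.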
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-02-14 16:43:02 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.27156 (New) Package is "xen" Tue Feb 14 16:43:02 2023 rev:326 rq:1065597 version:4.17.0_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-01-27 10:23:53.489964341 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.27156/xen.changes 2023-02-14 16:43:06.889621005 +0100 @@ -1,0 +2,24 @@ +Thu Feb 9 09:56:27 MST 2023 - carn...@suse.com + +- bsc#1205792 - Partner-L3: launch-xenstore error messages show in + SLES15 SP4 xen kernel. + 63e4da00-dont-log-errors-when-trying-to-load-PVH-xenstore-stubdom.patch + +--- +Mon Feb 6 12:17:00 CET 2023 - jbeul...@suse.com + +- bsc#1026236 - tidy/modernize patch + xen.bug1026236.suse_vtsc_tolerance.patch + +--- +Mon Feb 6 12:15:00 CET 2023 - jbeul...@suse.com + +- Upstream bug fixes (bsc#1027519) + 63c05478-VMX-calculate-model-specific-LBRs-once.patch + 63c05478-VMX-support-CPUs-without-model-specific-LBR.patch +- bsc#1207544 - VUL-0: CVE-2022-42330: xen: Guests can cause + Xenstore crash via soft reset (XSA-425) + xsa425.patch -> + 63d24e91-tools-xenstore-revert-simplify-loop-handling.patch + +--- Old: xsa425.patch New: 63c05478-VMX-calculate-model-specific-LBRs-once.patch 63c05478-VMX-support-CPUs-without-model-specific-LBR.patch 63d24e91-tools-xenstore-revert-simplify-loop-handling.patch 63e4da00-dont-log-errors-when-trying-to-load-PVH-xenstore-stubdom.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.dLb4nZ/_old 2023-02-14 16:43:08.337629599 +0100 +++ /var/tmp/diff_new_pack.dLb4nZ/_new 2023-02-14 16:43:08.341629623 +0100 
@@ -156,7 +156,10 @@ Source99: baselibs.conf # Upstream patches Patch1: 63a03e28-x86-high-freq-TSC-overflow.patch -Patch100: xsa425.patch +Patch2: 63c05478-VMX-calculate-model-specific-LBRs-once.patch +Patch3: 63c05478-VMX-support-CPUs-without-model-specific-LBR.patch +Patch4: 63d24e91-tools-xenstore-revert-simplify-loop-handling.patch +Patch5: 63e4da00-dont-log-errors-when-trying-to-load-PVH-xenstore-stubdom.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch ++ 63c05478-VMX-calculate-model-specific-LBRs-once.patch ++ # Commit e94af0d58f86c3a914b9cbbf4d9ed3d43b974771 # Date 2023-01-12 18:42:00 + # Author Andrew Cooper # Committer Andrew Cooper x86/vmx: Calculate model-specific LBRs once at start of day There is no point repeating this calculation at runtime, especially as it is in the fallback path of the WRSMR/RDMSR handlers. Move the infrastructure higher in vmx.c to avoid forward declarations, renaming last_branch_msr_get() to get_model_specific_lbr() to highlight that these are model-specific only. No practical change. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Reviewed-by: Kevin Tian --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c 
@@ -396,6 +396,142 @@ void vmx_pi_hooks_deassign(struct domain domain_unpause(d); } +static const struct lbr_info { +u32 base, count; +} p4_lbr[] = { +{ MSR_P4_LER_FROM_LIP, 1 }, +{ MSR_P4_LER_TO_LIP,1 }, +{ MSR_P4_LASTBRANCH_TOS,1 }, +{ MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, +{ MSR_P4_LASTBRANCH_0_TO_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, +{ 0, 0 } +}, c2_lbr[] = { +{ MSR_IA32_LASTINTFROMIP, 1 }, +{ MSR_IA32_LASTINTTOIP, 1 }, +{ MSR_C2_LASTBRANCH_TOS,1 }, +{ MSR_C2_LASTBRANCH_0_FROM_IP, NUM_MSR_C2_LASTBRANCH_FROM_TO }, +{ MSR_C2_LASTBRANCH_0_TO_IP,NUM_MSR_C2_LASTBRANCH_FROM_TO }, +{ 0, 0 } +}, nh_lbr[] = { +{ MSR_IA32_LASTINTFROMIP, 1 }, +{ MSR_IA32_LASTINTTOIP, 1 }, +{ MSR_NHL_LBR_SELECT, 1 }, +{ MSR_NHL_LASTBRANCH_TOS, 1 }, +{ MSR_P4_LASTBRANCH_0_FROM_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, +{ MSR_P4_LASTBRANCH_0_TO_LIP, NUM_MSR_P4_LASTBRANCH_FROM_TO }, +{ 0, 0 } +}, sk_lbr[] = { +{ MSR_IA32_LASTINTFROMIP, 1 }, +{ MSR_IA32_LASTINTTOIP, 1 }, +{ MSR_NHL_LBR_SELECT, 1 }, +{ MSR_NHL_LASTBRANCH_TOS, 1 }, +{ MSR_SKL_LASTBRANCH_0_FROM_IP, NUM_MSR_SKL_LASTBRANCH }, +{ MSR_SKL_LASTBRANCH_0_TO_IP, NUM_MSR_SKL_LASTBRANCH }, +{ MSR_SKL_LASTBRANCH_0_INFO,NUM_MSR_SKL_LASTBRANCH
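Review bot: In the vmx.c hunk, `nh_lbr[]` takes its FROM/TO ranges from `MSR_P4_LASTBRANCH_0_FROM_LIP` and `MSR_P4_LASTBRANCH_0_TO_LIP` with `NUM_MSR_P4_LASTBRANCH_FROM_TO`, while the other entries of that table use `MSR_NHL_*` names. A one-line comment stating that the reuse of the P4 constants is intentional would keep a later reader from "correcting" it. Each table also depends on its trailing `{ 0, 0 }` entry as terminator, which is worth documenting next to `struct lbr_info`. The commit message's "WRSMR" should read WRMSR.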
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-01-27 10:15:16 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.32243 (New) Package is "xen" Fri Jan 27 10:15:16 2023 rev:325 rq:1061070 version:4.17.0_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2023-01-04 18:10:43.000587609 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.32243/xen.changes 2023-01-27 10:23:53.489964341 +0100 @@ -1,0 +2,7 @@ +Wed Jan 25 10:39:54 MST 2023 - carn...@suse.com + +- bsc#1207544 - VUL-0: CVE-2022-42330: xen: Guests can cause + Xenstore crash via soft reset (XSA-425) + xsa425.patch + +--- @@ -4,0 +12,6 @@ + +--- +Tue Dec 20 13:35:00 CET 2022 - jbeul...@suse.com + +- Upstream bug fixes (bsc#1027519) + 63a03e28-x86-high-freq-TSC-overflow.patch New: 63a03e28-x86-high-freq-TSC-overflow.patch xsa425.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.4Q4ydH/_old 2023-01-27 10:23:55.313974205 +0100 +++ /var/tmp/diff_new_pack.4Q4ydH/_new 2023-01-27 10:23:55.317974227 +0100 @@ -119,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.17.0_02 +Version:4.17.0_04 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only 
@@ -155,6 +155,8 @@ # For xen-libs Source99: baselibs.conf # Upstream patches +Patch1: 63a03e28-x86-high-freq-TSC-overflow.patch +Patch100: xsa425.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch ++ 63a03e28-x86-high-freq-TSC-overflow.patch ++ # Commit ad15a0a8ca2515d8ac58edfc0bc1d3719219cb77 # Date 2022-12-19 11:34:16 +0100 # Author Neowutran # Committer Jan Beulich x86/time: prevent overflow with high frequency TSCs Make sure tsc_khz is promoted to a 64-bit type before multiplying by 1000 to avoid an 'overflow before widen' bug. Otherwise just above 4.294GHz the value will overflow. Processors with clocks this high are now in production and require this to work correctly. Signed-off-by: Neowutran Reviewed-by: Jan Beulich --- a/xen/arch/x86/time.c +++ b/xen/arch/x86/time.c @@ -2585,7 +2585,7 @@ int tsc_set_info(struct domain *d, case TSC_MODE_ALWAYS_EMULATE: d->arch.vtsc_offset = get_s_time() - elapsed_nsec; d->arch.tsc_khz = gtsc_khz ?: cpu_khz; -set_time_scale(>arch.vtsc_to_ns, d->arch.tsc_khz * 1000); +set_time_scale(>arch.vtsc_to_ns, d->arch.tsc_khz * 1000UL); /* * In default mode use native TSC if the host has safe TSC and ++ xsa425.patch ++ 
From: Jason Andryuk Subject: Revert "tools/xenstore: simplify loop handling connection I/O" I'm observing guest kexec trigger xenstored to abort on a double free. gdb output: Program received signal SIGABRT, Aborted. __pthread_kill_implementation (no_tid=0, signo=6, threadid=140645614258112) at ./nptl/pthread_kill.c:44 44./nptl/pthread_kill.c: No such file or directory. (gdb) bt at ./nptl/pthread_kill.c:44 at ./nptl/pthread_kill.c:78 at ./nptl/pthread_kill.c:89 at ../sysdeps/posix/raise.c:26 at talloc.c:119 ptr=ptr@entry=0x559fae724290) at talloc.c:232 at xenstored_core.c:2945 (gdb) frame 5 at talloc.c:119 119TALLOC_ABORT("Bad talloc magic value - double free"); (gdb) frame 7 at xenstored_core.c:2945 2945talloc_increase_ref_count(conn); (gdb) p conn $1 = (struct connection *) 0x559fae724290 Looking at a xenstore trace, we have: IN 0x559fae71f250 20230120 17:40:53 READ (/local/domain/3/image/device-model-dom id ) wrl: dom0 1 msec 1 credit 100 reserve100 disc ard wrl: dom3 1 msec 1 credit 100 reserve100 disc ard wrl: dom0 0 msec 1 credit 100 reserve 0 disc ard wrl: dom3 0 msec 1 credit 100 reserve 0 disc ard OUT 0x559fae71f250 20230120 17:40:53 ERROR (ENOENT ) wrl: dom0 1 msec 1 credit 100 reserve100 disc ard wrl: dom3 1 msec 1 credit 100 reserve100 disc ard IN 0x559fae71f250 20230120 17:40:53 RELEASE (3 ) DESTROY watch 0x559fae73f630 DESTROY watch 0x559fae75ddf0 DESTROY watch 0x559fae75ec30 DESTROY watch 0x559fae75ea60 DESTROY watch 0x559fae732c00 DESTROY watch 0x559fae72cea0 DESTROY watch 0x559fae728fc0 DESTROY watch 0x559fae729570 DESTROY connection 0x559fae724290 orphaned node
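Review bot: In the xen/arch/x86/time.c hunk, `d->arch.tsc_khz * 1000UL` widens the multiplication only where `unsigned long` is 64 bits. The commit message asks for promotion to a 64-bit type, so `1000ULL` or an explicit `(uint64_t)` cast on `tsc_khz` would state that directly instead of relying on the ABI. The message should also say whether other kHz-to-Hz multiplications in this file were audited, since only the `TSC_MODE_ALWAYS_EMULATE` case is touched here.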
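Review bot: In the xen.spec hunk at -155,6, `Patch100: xsa425.patch` is added directly under `Patch1:` in the `# Upstream patches` group, above the `# EMBARGOED security fixes` comment. The changelog files it as the XSA-425 / CVE-2022-42330 fix, so it belongs below that comment, or the comment should be moved up.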
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2023-01-04 18:10:31 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1563 (New) Package is "xen" Wed Jan 4 18:10:31 2023 rev:324 rq:1046568 version:4.17.0_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-12-10 21:18:07.845662587 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1563/xen.changes2023-01-04 18:10:43.000587609 +0100 @@ -1,0 +2,5 @@ +Tue Jan 3 14:10:18 UTC 2023 - Stefan Schubert + +- Migration of PAM settings to /usr/lib/pam.d. + +--- Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.TokY4g/_old 2023-01-04 18:10:44.236594895 +0100 +++ /var/tmp/diff_new_pack.TokY4g/_new 2023-01-04 18:10:44.240594919 +0100 @@ -1,7 +1,7 @@ # # spec file for package xen # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -269,6 +269,9 @@ Summary:Xen Virtualization: Control tools for domain 0 License:GPL-2.0-only Group: System/Kernel +%if 0%{?suse_version} > 1500 +BuildRequires: pam-devel +%endif %ifarch x86_64 %if 0%{?suse_version} >= 1315 Requires: grub2-x86_64-xen 
@@ -825,17 +828,17 @@ mkdir -p %{buildroot}/usr/lib/supportconfig/plugins install -m 755 %SOURCE13 %{buildroot}/usr/lib/supportconfig/plugins/xen -# Xen API remote authentication files -install -d %{buildroot}/etc/pam.d -install -m644 %SOURCE30 %{buildroot}/etc/pam.d/xen-api +# Xen API remote authentication files and Logrotate files install -m644 %SOURCE31 %{buildroot}/etc/xen/ - -# Logrotate %if 0%{?suse_version} > 1500 mkdir -p %{buildroot}%{_distconfdir}/logrotate.d install -m644 -D %SOURCE14 %{buildroot}%{_distconfdir}/logrotate.d/xen +install -d %{buildroot}%{_pam_vendordir} +install -m644 %SOURCE30 %{buildroot}/%{_pam_vendordir}/xen-api %else install -m644 -D %SOURCE14 %{buildroot}%{_sysconfdir}/logrotate.d/xen +install -d %{buildroot}/etc/pam.d +install -m644 %SOURCE30 %{buildroot}/etc/pam.d/xen-api %endif # Directories @@ -1067,8 +1070,10 @@ %dir /var/log/xen/console %if 0%{?suse_version} > 1500 %{_distconfdir}/logrotate.d/xen +%{_pam_vendordir}/xen-api %else %config(noreplace) %{_sysconfdir}/logrotate.d/xen +%config /etc/pam.d/xen-api %endif /etc/xen/auto %config /etc/xen/examples @@ -1076,7 +1081,6 @@ %config /etc/xen/vm %config(noreplace) /etc/xen/xenapiusers %config(noreplace) /etc/xen/xl.conf -%config /etc/pam.d/xen-api %config %{_unitdir} %exclude %{_unitdir}/%{name}-vcpu-watch.service %exclude %{_unitdir}/xendomains-wait-disks.service @@ -1170,7 +1174,7 @@ %service_add_pre xen-qemu-dom0-disk-backend.service %if 0%{?suse_version} > 1500 # Prepare for migration to /usr/etc; save any old .rpmsave -for i in logrotate.d/xen ; do +for i in logrotate.d/xen pam.d/xen-api ; do test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||: done %endif 
@@ -1178,7 +1182,7 @@ %if 0%{?suse_version} > 1500 %posttrans tools # Migration to /usr/etc, restore just created .rpmsave -for i in logrotate.d/xen ; do +for i in logrotate.d/xen pam.d/xen-api ; do test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||: done %endif
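Review bot: In the %install hunk at -825,17, the vendor-dir branch installs to `%{buildroot}/%{_pam_vendordir}/xen-api` with an extra `/`, while the line before it creates `%{buildroot}%{_pam_vendordir}`; use the same form in both. Merging the two comments into "# Xen API remote authentication files and Logrotate files" also makes it harder to see which install lines belong to which purpose; a short comment per item inside the `%if` would read better.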
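Review bot: In the %files hunk at -1067,8, the `%else` branch lists `%config /etc/pam.d/xen-api` without `(noreplace)`, while the logrotate entry next to it is `%config(noreplace)`. For a PAM file, an update that replaces a locally edited copy changes authentication behaviour, so either mark it `%config(noreplace)` as well or note in the spec why the difference is wanted.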
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-12-10 21:17:47 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1835 (New) Package is "xen" Sat Dec 10 21:17:47 2022 rev:323 rq:1041918 version:4.17.0_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-09-02 21:56:43.224322251 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.1835/xen.changes2022-12-10 21:18:07.845662587 +0100 
@@ -1,0 +2,76 @@ +Thu Dec 8 10:54:29 MST 2022 - carn...@suse.com + +- Update to Xen 4.17.0 FCS release (jsc#PED-1858) + xen-4.17.0-testing-src.tar.bz2 + * On x86 "vga=current" can now be used together with GrUB2's gfxpayload setting. Note that +this requires use of "multiboot2" (and "module2") as the GrUB commands loading Xen. + * The "gnttab" option now has a new command line sub-option for disabling the +GNTTABOP_transfer functionality. + * The x86 MCE command line option info is now updated. + * Out-of-tree builds for the hypervisor now supported. + * __ro_after_init support, for marking data as immutable after boot. + * The project has officially adopted 4 directives and 24 rules of MISRA-C, +added MISRA-C checker build integration, and defined how to document +deviations. + * IOMMU superpage support on x86, affecting PV guests as well as HVM/PVH ones +when they don't share page tables with the CPU (HAP / EPT / NPT). + * Support for VIRT_SSBD and MSR_SPEC_CTRL for HVM guests on AMD. + * Improved TSC, CPU, and APIC clock frequency calibration on x86. + * Support for Xen using x86 Control Flow Enforcement technology for its own +protection. Both Shadow Stacks (ROP protection) and Indirect Branch +Tracking (COP/JOP protection). + * Add mwait-idle support for SPR and ADL on x86. + * Extend security support for hosts to 12 TiB of memory on x86. + * Add command line option to set cpuid parameters for dom0 at boot time on x86. + * Improved static configuration options on Arm. + * cpupools can be specified at boot using device tree on Arm. + * It is possible to use PV drivers with dom0less guests, allowing statically +booted dom0less guests with PV devices. + * On Arm, p2m structures are now allocated out of a pool of memory set aside at +domain creation. + * Improved mitigations against Spectre-BHB on Arm. + * Support VirtIO-MMIO devices device-tree binding creation in toolstack on Arm. 
+ * Allow setting the number of CPUs to activate at runtime from command line +option on Arm. + * Grant-table support on Arm was improved and hardened by implementing +"simplified M2P-like approach for the xenheap pages" + * Add Renesas R-Car Gen4 IPMMU-VMSA support on Arm. + * Add i.MX lpuart and i.MX8QM support on Arm. + * Improved toolstack build system. + * Add Xue - console over USB 3 Debug Capability. + * gitlab-ci automation: Fixes and improvements together with new tests. + * dropped support for the (x86-only) "vesa-mtrr" and "vesa-remap" command line options +- Drop patches contained in new tarball or invalid + 62fde97e-tools-libxl-Replace-deprecated-soundhw-on-QEMU-command-line.patch + xsa410-01.patch + xsa410-02.patch + xsa410-03.patch + xsa410-04.patch + xsa410-05.patch + xsa410-06.patch + xsa410-07.patch + xsa410-08.patch + xsa410-09.patch + xsa410-10.patch + xsa411.patch + +--- +Wed Sep 28 10:14:10 MDT 2022 - carn...@suse.com + +- bsc#1203806 - VUL-0: CVE-2022-33746: xen: P2M pool freeing may + take excessively long (XSA-410) + xsa410-01.patch + xsa410-02.patch + xsa410-03.patch + xsa410-04.patch + xsa410-05.patch + xsa410-06.patch + xsa410-07.patch + xsa410-08.patch + xsa410-09.patch + xsa410-10.patch +- bsc#1203807 - VUL-0: CVE-2022-33748: xen: lock order inversion in + transitive grant copy handling (XSA-411) + xsa411.patch + +--- @@ -23,0 +100 @@ + * No upstream changelog found in sources or webpage Old: 62fde97e-tools-libxl-Replace-deprecated-soundhw-on-QEMU-command-line.patch xen-4.16.2-testing-src.tar.bz2 New: xen-4.17.0-testing-src.tar.bz2 Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.y0ZhNI/_old 2022-12-10 21:18:09.125670071 +0100 +++ /var/tmp/diff_new_pack.y0ZhNI/_new 2022-12-10 21:18:09.129670094 +0100 @@ -28,7 +28,7 @@ Name: xen ExclusiveArch: %ix86 x86_64 aarch64 -%define xen_build_dir xen-4.16.2-testing +%define xen_build_dir xen-4.17.0-testing # %define with_gdbsx 0 %define with_dom0_support 0 
@@ -119,12 +119,12 @@ %endif Provides:
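Review bot: In the xen.changes hunk, the entry "Drop patches contained in new tarball or invalid" lists xsa410-01.patch through xsa410-10.patch and xsa411.patch without saying which of the two cases applies to each. These carry the CVE-2022-33746 and CVE-2022-33748 fixes recorded in the Sep 28 entry of the same hunk, so the changelog should state explicitly that the 4.17.0 tarball contains them and name separately any patch that was dropped as invalid.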
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-09-02 21:56:26 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.2083 (New) Package is "xen" Fri Sep 2 21:56:26 2022 rev:322 rq:1000665 version:4.16.2_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-08-30 14:48:53.788031084 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.2083/xen.changes2022-09-02 21:56:43.224322251 +0200 @@ -1,0 +2,6 @@ +Thu Sep 1 06:21:39 UTC 2022 - Stefan Schubert + +- Migration to /usr/etc: Saving user changed configuration files + in /etc and restoring them while an RPM update. + +--- Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.MVDYgY/_old 2022-09-02 21:56:44.736325910 +0200 +++ /var/tmp/diff_new_pack.MVDYgY/_new 2022-09-02 21:56:44.740325920 +0200 @@ -1169,6 +1169,20 @@ %service_add_pre xenconsoled.service %service_add_pre xen-init-dom0.service %service_add_pre xen-qemu-dom0-disk-backend.service +%if 0%{?suse_version} > 1500 +# Prepare for migration to /usr/etc; save any old .rpmsave +for i in logrotate.d/xen ; do + test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||: +done +%endif + +%if 0%{?suse_version} > 1500 +%posttrans tools +# Migration to /usr/etc, restore just created .rpmsave +for i in logrotate.d/xen ; do + test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||: +done +%endif %post tools %{fillup_only -n xencommons xencommons}
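Review bot: In the scriptlet block added after the `%service_add_pre` lines, `mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old` overwrites any `.rpmsave.old` left by an earlier update, and the trailing `||:` hides a failed move. Either test for an existing `.rpmsave.old` first or say in the comment that discarding it is intended. The `for i in logrotate.d/xen` list is also written out twice, once here and once in `%posttrans tools`; defining it once would keep the save and restore loops from drifting apart.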
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-08-30 14:48:41 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.2083 (New) Package is "xen" Tue Aug 30 14:48:41 2022 rev:321 rq:183 version:4.16.2_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-08-24 15:10:20.520438132 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.2083/xen.changes2022-08-30 14:48:53.788031084 +0200 @@ -1,0 +2,12 @@ +Mon Aug 29 10:24:31 MDT 2022 - carn...@suse.com + +- bsc#1201994 - Xen DomU unable to emulate audio device + 62fde97e-tools-libxl-Replace-deprecated-soundhw-on-QEMU-command-line.patch + +--- +Tue Aug 23 08:52:05 MDT 2022 - carn...@suse.com + +- Things are compiling fine now with gcc12. + Drop gcc12-fixes.patch + +--- Old: gcc12-fixes.patch New: 62fde97e-tools-libxl-Replace-deprecated-soundhw-on-QEMU-command-line.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.nuVQB4/_old 2022-08-30 14:48:55.300034942 +0200 +++ /var/tmp/diff_new_pack.nuVQB4/_new 2022-08-30 14:48:55.304034953 +0200 @@ -119,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.16.2_02 +Version:4.16.2_04 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only @@ -155,6 +155,7 @@ # For xen-libs Source99: baselibs.conf # Upstream patches +Patch1: 62fde97e-tools-libxl-Replace-deprecated-soundhw-on-QEMU-command-line.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch 
@@ -228,7 +229,6 @@ Patch621: xen.build-compare.doc_html.patch # Build patches Patch6: xen.stubdom.newlib.patch -Patch7: gcc12-fixes.patch URL:http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ BuildRoot: %{_tmppath}/%{name}-%{version}-build %define pyver %(python3 -c "import sys; print(sys.version.rpartition('.')[0])") ++ 62fde97e-tools-libxl-Replace-deprecated-soundhw-on-QEMU-command-line.patch ++ Subject: tools/libxl: Replace deprecated -soundhw on QEMU command line From: Anthony PERARD anthony.per...@citrix.com Thu Aug 18 09:25:50 2022 +0200 Date: Thu Aug 18 09:25:50 2022 +0200: Git: 62ca138c2c052187783aca3957d3f47c4dcfd683 -soundhw is deprecated since 825ff02911c9 ("audio: add soundhw deprecation notice"), QEMU v5.1, and is been remove for upcoming v7.1 by 039a68373c45 ("introduce -audio as a replacement for -soundhw"). Instead we can just add the sound card with "-device", for most option that "-soundhw" could handle. "-device" is an option that existed before QEMU 1.0, and could already be used to add audio hardware. The list of possible option for libxl's "soundhw" is taken the list from QEMU 7.0. The list of options for "soundhw" are listed in order of preference in the manual. The first three (hda, ac97, es1370) are PCI devices and easy to test on Linux, and the last four are ISA devices which doesn't seems to work out of the box on linux. The sound card 'pcspk' isn't listed even if it used to be accepted by '-soundhw' because QEMU crash when trying to add it to a Xen domain. Also, it wouldn't work with "-device" might need to be "-machine pcspk-audiodev=default" instead. Signed-off-by: Anthony PERARD Reviewed-by: Jason Andryuk --- a/docs/man/xl.cfg.5.pod.in +++ b/docs/man/xl.cfg.5.pod.in 
@@ -2540,9 +2540,9 @@ The form serial=DEVICE is also accepted =item B -Select the virtual sound card to expose to the guest. The valid -devices are defined by the device model configuration, please see the -B manpage for details. The default is not to export any sound +Select the virtual sound card to expose to the guest. The valid devices are +B, B, B, B, B, B, B if there are +available with the device model QEMU. The default is not to export any sound device. =item B --- a/tools/libs/light/libxl_dm.c +++ b/tools/libs/light/libxl_dm.c @@ -1204,6 +1204,7 @@ static int libxl__build_device_model_arg uint64_t ram_size; const char *path, *chardev; bool is_stubdom = libxl_defbool_val(b_info->device_model_stubdomain); +int rc; dm_args = flexarray_make(gc, 16, 1); dm_envs = flexarray_make(gc, 16, 1); @@ -1531,7 +1532,23 @@ static int libxl__build_device_model_arg } } if (b_info->u.hvm.soundhw) { -flexarray_vappend(dm_args, "-soundhw", b_info->u.hvm.soundhw, NULL); +libxl__qemu_soundhw soundhw; + +rc =
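Review bot: In the docs/man/xl.cfg.5.pod.in hunk, the new sentence ending "if there are available with the device model QEMU" is ungrammatical; "if they are available in the QEMU device model" reads correctly. The hunk also removes the pointer to the device model manpage, so the text should say what happens when a value outside the listed devices is given.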
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-08-24 15:10:19 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.2083 (New) Package is "xen" Wed Aug 24 15:10:19 2022 rev:320 rq:998682 version:4.16.2_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-08-01 21:28:11.237275758 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.2083/xen.changes2022-08-24 15:10:20.520438132 +0200 
@@ -1,0 +2,45 @@ +Thu Aug 18 14:18:46 MDT 2022 - carn...@suse.com + +- Update to Xen 4.16.2 bug fix release (bsc#1027519) + xen-4.16.2-testing-src.tar.bz2 +- Drop patches contained in new tarball + 625fca42-VT-d-reserved-CAP-ND.patch + 626f7ee8-x86-MSR-handle-P5-MC-reads.patch + 627549d6-IO-shutdown-race.patch + 62a1e594-x86-clean-up-_get_page_type.patch + 62a1e5b0-x86-ABAC-race-in-_get_page_type.patch + 62a1e5d2-x86-introduce-_PAGE_-for-mem-types.patch + 62a1e5f0-x86-dont-change-cacheability-of-directmap.patch + 62a1e60e-x86-split-cache_flush-out-of-cache_writeback.patch + 62a1e62b-x86-AMD-work-around-CLFLUSH-ordering.patch + 62a1e649-x86-track-and-flush-non-coherent.patch + 62a99614-IOMMU-x86-gcc12.patch + 62ab0fab-x86-spec-ctrl-VERW-flushing-runtime-cond.patch + 62ab0fac-x86-spec-ctrl-enum-for-MMIO-Stale-Data.patch + 62ab0fad-x86-spec-ctrl-add-unpriv-mmio.patch + 62bdd840-x86-spec-ctrl-only-adjust-idle-with-legacy-IBRS.patch + 62bdd841-x86-spec-ctrl-knobs-for-STIBP-and-PSFD.patch + 62c56cc0-libxc-fix-compilation-error-with-gcc13.patch + 62cc31ed-x86-honour-spec-ctrl-0-for-unpriv-mmio.patch + 62cc31ee-cmdline-extend-parse_boolean.patch + 62cc31ef-x86-spec-ctrl-fine-grained-cmdline-subopts.patch + 62cd91d0-x86-spec-ctrl-rework-context-switching.patch + 62cd91d1-x86-spec-ctrl-rename-SCF_ist_wrmsr.patch + 62cd91d2-x86-spec-ctrl-rename-opt_ibpb.patch + 62cd91d3-x86-spec-ctrl-rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch + 62cd91d4-x86-spec-ctrl-IBPB-on-entry.patch + 62cd91d5-x86-cpuid-BTC_NO-enum.patch + 62cd91d6-x86-spec-ctrl-enable-Zen2-chickenbit.patch + 62cd91d7-x86-spec-ctrl-mitigate-Branch-Type-Confusion.patch + xsa408.patch + +--- +Thu Jul 28 07:07:07 UTC 2022 - oher...@suse.de + +- bsc#1167608, bsc#1201631 - fix built-in default of max_event_channels + A previous change to the built-in default had a logic error, + effectively restoring the upstream limit of 1023 channels per domU. + Fix the logic to calculate the default based on the number of vcpus. 
+ adjust libxl.max_event_channels.patch + +--- Old: 625fca42-VT-d-reserved-CAP-ND.patch 626f7ee8-x86-MSR-handle-P5-MC-reads.patch 627549d6-IO-shutdown-race.patch 62a1e594-x86-clean-up-_get_page_type.patch 62a1e5b0-x86-ABAC-race-in-_get_page_type.patch 62a1e5d2-x86-introduce-_PAGE_-for-mem-types.patch 62a1e5f0-x86-dont-change-cacheability-of-directmap.patch 62a1e60e-x86-split-cache_flush-out-of-cache_writeback.patch 62a1e62b-x86-AMD-work-around-CLFLUSH-ordering.patch 62a1e649-x86-track-and-flush-non-coherent.patch 62a99614-IOMMU-x86-gcc12.patch 62ab0fab-x86-spec-ctrl-VERW-flushing-runtime-cond.patch 62ab0fac-x86-spec-ctrl-enum-for-MMIO-Stale-Data.patch 62ab0fad-x86-spec-ctrl-add-unpriv-mmio.patch 62bdd840-x86-spec-ctrl-only-adjust-idle-with-legacy-IBRS.patch 62bdd841-x86-spec-ctrl-knobs-for-STIBP-and-PSFD.patch 62c56cc0-libxc-fix-compilation-error-with-gcc13.patch 62cc31ed-x86-honour-spec-ctrl-0-for-unpriv-mmio.patch 62cc31ee-cmdline-extend-parse_boolean.patch 62cc31ef-x86-spec-ctrl-fine-grained-cmdline-subopts.patch 62cd91d0-x86-spec-ctrl-rework-context-switching.patch 62cd91d1-x86-spec-ctrl-rename-SCF_ist_wrmsr.patch 62cd91d2-x86-spec-ctrl-rename-opt_ibpb.patch 62cd91d3-x86-spec-ctrl-rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch 62cd91d4-x86-spec-ctrl-IBPB-on-entry.patch 62cd91d5-x86-cpuid-BTC_NO-enum.patch 62cd91d6-x86-spec-ctrl-enable-Zen2-chickenbit.patch 62cd91d7-x86-spec-ctrl-mitigate-Branch-Type-Confusion.patch xen-4.16.1-testing-src.tar.bz2 xsa408.patch New: xen-4.16.2-testing-src.tar.bz2 Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.hGJYLi/_old 2022-08-24 15:10:21.91336 +0200 +++ /var/tmp/diff_new_pack.hGJYLi/_new 2022-08-24 15:10:21.948441346 +0200 @@ -28,7 +28,7 @@ Name: xen ExclusiveArch: %ix86 x86_64 aarch64 -%define xen_build_dir xen-4.16.1-testing +%define xen_build_dir xen-4.16.2-testing # %define with_gdbsx 0 %define with_dom0_support 0 @@ -119,12 +119,12 @@ %endif Provides:
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-07-01 13:43:49 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1548 (New) Package is "xen" Fri Jul 1 13:43:49 2022 rev:318 rq:985936 version:4.16.1_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-05-12 22:58:11.772622463 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.1548/xen.changes2022-07-01 13:43:51.674799559 +0200 @@ -1,0 +2,6 @@ +Tue Jun 28 14:31:48 UTC 2022 - Stefan Schubert + +- Moved logrotate files from user specific directory /etc/logrotate.d + to vendor specific directory /usr/etc/logrotate.d. + +--- Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.cacpdD/_old 2022-07-01 13:43:53.414802173 +0200 +++ /var/tmp/diff_new_pack.cacpdD/_new 2022-07-01 13:43:53.418802180 +0200 @@ -831,7 +831,12 @@ install -m644 %SOURCE31 %{buildroot}/etc/xen/ # Logrotate -install -m644 -D %SOURCE14 %{buildroot}/etc/logrotate.d/xen +%if 0%{?suse_version} > 1500 +mkdir -p %{buildroot}%{_distconfdir}/logrotate.d +install -m644 -D %SOURCE14 %{buildroot}%{_distconfdir}/logrotate.d/xen +%else +install -m644 -D %SOURCE14 %{buildroot}%{_sysconfdir}/logrotate.d/xen +%endif # Directories mkdir -p %{buildroot}/var/lib/xenstored @@ -1060,7 +1065,11 @@ %dir /var/lib/xenstored %dir /var/log/xen %dir /var/log/xen/console -%config /etc/logrotate.d/xen +%if 0%{?suse_version} > 1500 +%{_distconfdir}/logrotate.d/xen +%else +%config(noreplace) %{_sysconfdir}/logrotate.d/xen +%endif /etc/xen/auto %config /etc/xen/examples %config /etc/xen/cpupool
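Review bot: In the %install hunk at -831,7, `mkdir -p %{buildroot}%{_distconfdir}/logrotate.d` is redundant, because the next line uses `install -m644 -D`, which creates the leading directories itself; the `%else` branch already relies on that. Drop the `mkdir`.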
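Review bot: In the %files hunk at -1060,7, the `%else` branch turns the existing `%config /etc/logrotate.d/xen` into `%config(noreplace)`, which changes update behaviour for suse_version <= 1500 as well, while the changelog entry only mentions the move to /usr/etc/logrotate.d. Either keep plain `%config` in that branch or record the change in xen.changes.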
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-05-12 22:57:49 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1538 (New) Package is "xen" Thu May 12 22:57:49 2022 rev:317 rq:976117 version:4.16.1_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-04-16 00:13:02.953552960 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.1538/xen.changes2022-05-12 22:58:11.772622463 +0200 @@ -1,0 +2,5 @@ +Tue May 10 16:08:02 UTC 2022 - Dirk M??ller + +- fix python3 >= 3.10 version detection + +--- Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.9Nla62/_old 2022-05-12 22:58:13.292624504 +0200 +++ /var/tmp/diff_new_pack.9Nla62/_new 2022-05-12 22:58:13.304624520 +0200 @@ -231,7 +231,7 @@ Patch7: gcc12-fixes.patch URL:http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ BuildRoot: %{_tmppath}/%{name}-%{version}-build -%define pyver %(python3 -c "import sys; print(sys.version[:3])") +%define pyver %(python3 -c "import sys; print(sys.version.rpartition('.')[0])") %description Xen is a virtual machine monitor for x86 that supports execution of
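Review bot: In the `%define pyver` line, `sys.version.rpartition('.')[0]` splits at the last dot of the whole `sys.version` string, which also carries build date and compiler text, so it yields major.minor only as long as nothing after the version number contains a dot. `sys.version_info` gives the numbers directly, for example `print('%d.%d' % sys.version_info[:2])`, and needs no string slicing for 3.10 or later.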
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-04-16 00:12:55 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1941 (New) Package is "xen" Sat Apr 16 00:12:55 2022 rev:316 rq:969996 version:4.16.1_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-04-08 00:27:01.482789653 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.1941/xen.changes2022-04-16 00:13:02.953552960 +0200 
@@ -1,0 +2,77 @@ +Wed Apr 13 08:54:02 MDT 2022 - carn...@suse.com + +- Update to Xen 4.16.1 bug fix release (bsc#1027519) + xen-4.16.1-testing-src.tar.bz2 +- Drop patches contained in new tarball + 61b31d5c-x86-restrict-all-but-self-IPI.patch + 61b88e78-x86-CPUID-TSXLDTRK-definition.patch + 61bc429f-revert-hvmloader-PA-range-should-be-UC.patch + 61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch + 61d6ea2d-VT-d-split-domid-map-cleanup-check-into-a-function.patch + 61d6ea7b-VT-d-dont-leak-domid-mapping-on-error-path.patch + 61e0296a-x86-time-calibration-relative-counts.patch + 61e029c8-x86-time-TSC-freq-calibration-accuracy.patch + 61e02a1c-libxl-PCI-PV-hotplug-stubdom-coldplug.patch + 61e98e88-x86-introduce-get-set-reg-infra.patch + 61e98e89-x86-MSR-split-SPEC_CTRL-handling.patch + 61e98e8a-x86-spec-ctrl-drop-ENTRY-EXIT-HVM.patch + 61e98e8b-VT-x-SPEC_CTRL-NMI-race-condition.patch + 61eaaa23-x86-get-set-reg-infra-build.patch + 61efec1d-Arm-P2M-always-clear-entry-on-mapping-removal.patch + 61efec4d-gnttab-only-decrement-refcounter-on-final-unmap.patch + 61efec96-IOMMU-x86-stop-pirq-iteration-immediately-on-error.patch + 61f2d886-x86-CPUID-disentangle-new-leaves-logic.patch + 61f2d887-x86-CPUID-leaf-7-1-EBX-infra.patch + 61f2dd76-x86-SPEC_CTRL-migration-compatibility.patch + 61f7b2af-libxl-dont-touch-nr_vcpus_out-if-listing.patch + 61f933a4-x86-cpuid-advertise-SSB_NO.patch + 61f933a5-x86-drop-use_spec_ctrl-boolean.patch + 61f933a6-x86-new-has_spec_ctrl-boolean.patch + 61f933a7-x86-dont-use-spec_ctrl-enter-exit-for-S3.patch + 61f933a8-x86-SPEC_CTRL-record-last-write.patch + 61f933a9-x86-SPEC_CTRL-use-common-logic-for-AMD.patch + 61f933aa-SVM-SPEC_CTRL-entry-exit-logic.patch + 61f933ab-x86-AMD-SPEC_CTRL-infra.patch + 61f933ac-SVM-enable-MSR_SPEC_CTRL-for-guests.patch + 61f946a2-VMX-drop-SPEC_CTRL-load-on-VMEntry.patch + 6202afa3-x86-clean-up-MSR_MCU_OPT_CTRL-handling.patch + 6202afa4-x86-TSX-move-has_rtm_always_abort.patch + 
6202afa5-x86-TSX-cope-with-deprecation-on-WHL-R-CFL-R.patch + 6202afa7-x86-CPUID-leaf-7-2-EDX-infra.patch + 6202afa8-x86-Intel-PSFD-for-guests.patch + 62278667-Arm-introduce-new-processors.patch + 62278668-Arm-move-errata-CSV2-check-earlier.patch + 62278669-Arm-add-ECBHB-and-CLEARBHB-ID-fields.patch + 6227866a-Arm-Spectre-BHB-handling.patch + 6227866b-Arm-allow-SMCCC_ARCH_WORKAROUND_3-use.patch + 6227866c-x86-AMD-cease-using-thunk-lfence.patch + 6229ba46-VT-d-drop-undue-address-of-from-check_cleanup_domid_map.patch + 624ebcef-VT-d-dont-needlessly-look-up-DID.patch + 624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch + 624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch + xsa397.patch + xsa399.patch + xsa400-01.patch + xsa400-02.patch + xsa400-03.patch + xsa400-04.patch + xsa400-05.patch + xsa400-06.patch + xsa400-07.patch + xsa400-08.patch + xsa400-09.patch + xsa400-10.patch + xsa400-11.patch + xsa400-12.patch + +--- +Fri Apr 8 12:00:00 CEST 2022 - jbeul...@suse.com + +- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359, + CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity + map (AMD-Vi) handling issues (XSA-400) + 624ebcef-VT-d-dont-needlessly-look-up-DID.patch + 624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch + 624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch + +--- Old: 61b31d5c-x86-restrict-all-but-self-IPI.patch 61b88e78-x86-CPUID-TSXLDTRK-definition.patch 61bc429f-revert-hvmloader-PA-range-should-be-UC.patch 61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch 61d6ea2d-VT-d-split-domid-map-cleanup-check-into-a-function.patch 61d6ea7b-VT-d-dont-leak-domid-mapping-on-error-path.patch 61e0296a-x86-time-calibration-relative-counts.patch 61e029c8-x86-time-TSC-freq-calibration-accuracy.patch 61e02a1c-libxl-PCI-PV-hotplug-stubdom-coldplug.patch 61e98e88-x86-introduce-get-set-reg-infra.patch 61e98e89-x86-MSR-split-SPEC_CTRL-handling.patch 61e98e8a-x86-spec-ctrl-drop-ENTRY-EXIT-HVM.patch 
61e98e8b-VT-x-SPEC_CTRL-NMI-race-condition.patch 61eaaa23-x86-get-set-reg-infra-build.patch
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-04-08 00:26:39 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1900 (New) Package is "xen" Fri Apr 8 00:26:39 2022 rev:315 rq:967124 version:4.16.0_08 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-03-16 21:30:17.503390239 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1900/xen.changes2022-04-08 00:27:01.482789653 +0200 @@ -1,0 +2,30 @@ +Mon Apr 4 09:58:24 MDT 2022 - carn...@suse.com + +- bsc#1197423 - VUL-0: CVE-2022-26356: xen: Racy interactions + between dirty vram tracking and paging log dirty hypercalls + (XSA-397) + xsa397.patch +- bsc#1197425 - VUL-0: CVE-2022-26357: xen: race in VT-d domain ID + cleanup (XSA-399) + xsa399.patch +- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359, + CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity + map (AMD-Vi) handling issues (XSA-400) + xsa400-01.patch + xsa400-02.patch + xsa400-03.patch + xsa400-04.patch + xsa400-05.patch + xsa400-06.patch + xsa400-07.patch + xsa400-08.patch + xsa400-09.patch + xsa400-10.patch + xsa400-11.patch + xsa400-12.patch +- Additional upstream bug fixes for XSA-400 (bsc#1027519) + 61d6ea2d-VT-d-split-domid-map-cleanup-check-into-a-function.patch + 61d6ea7b-VT-d-dont-leak-domid-mapping-on-error-path.patch + 6229ba46-VT-d-drop-undue-address-of-from-check_cleanup_domid_map.patch + +--- 
@@ -78 +108 @@ - list not giving any output + list not giving any output (see also bsc#1194267) New: 61d6ea2d-VT-d-split-domid-map-cleanup-check-into-a-function.patch 61d6ea7b-VT-d-dont-leak-domid-mapping-on-error-path.patch 6229ba46-VT-d-drop-undue-address-of-from-check_cleanup_domid_map.patch xsa397.patch xsa399.patch xsa400-01.patch xsa400-02.patch xsa400-03.patch xsa400-04.patch xsa400-05.patch xsa400-06.patch xsa400-07.patch xsa400-08.patch xsa400-09.patch xsa400-10.patch xsa400-11.patch xsa400-12.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.0b60M3/_old 2022-04-08 00:27:04.294758093 +0200 +++ /var/tmp/diff_new_pack.0b60M3/_new 2022-04-08 00:27:04.294758093 +0200 @@ -119,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.16.0_06 +Version:4.16.0_08 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only @@ -195,7 +195,24 @@ Patch38:6227866a-Arm-Spectre-BHB-handling.patch Patch39:6227866b-Arm-allow-SMCCC_ARCH_WORKAROUND_3-use.patch Patch40:6227866c-x86-AMD-cease-using-thunk-lfence.patch +Patch41: 61d6ea2d-VT-d-split-domid-map-cleanup-check-into-a-function.patch +Patch42:61d6ea7b-VT-d-dont-leak-domid-mapping-on-error-path.patch +Patch43: 6229ba46-VT-d-drop-undue-address-of-from-check_cleanup_domid_map.patch # EMBARGOED security fixes +Patch97:xsa397.patch +Patch99:xsa399.patch +Patch101: xsa400-01.patch +Patch102: xsa400-02.patch +Patch103: xsa400-03.patch +Patch104: xsa400-04.patch +Patch105: xsa400-05.patch +Patch106: xsa400-06.patch +Patch107: xsa400-07.patch +Patch108: xsa400-08.patch +Patch109: xsa400-09.patch +Patch110: xsa400-10.patch +Patch111: xsa400-11.patch +Patch112: xsa400-12.patch # libxc Patch301: libxc-bitmap-long.patch Patch302: libxc-sr-xl-migration-debug.patch ++ 61d6ea2d-VT-d-split-domid-map-cleanup-check-into-a-function.patch ++ Subject: VT-d: split domid map cleanup check into a function 
From: Jan Beulich jbeul...@suse.com Thu Jan 6 14:10:05 2022 +0100 Date: Thu Jan 6 14:10:05 2022 +0100: Git: fa45f6b5560e738955993fe061a04d64c6f71c14 This logic will want invoking from elsewhere. No functional change intended. Signed-off-by: Jan Beulich Reviewed-by: Roger Pau Monné Reviewed-by: Kevin Tian master commit: 9fdc10abe9457e4c9879a266f82372cb08e88ffb master date: 2021-11-24 11:06:20 +0100 diff --git a/xen/drivers/passthrough/vtd/iommu.c b/xen/drivers/passthrough/vtd/iommu.c index f9ce402f22..de11c258ca 100644 --- a/xen/drivers/passthrough/vtd/iommu.c +++ b/xen/drivers/passthrough/vtd/iommu.c @@ -157,6 +157,51 @@ static void cleanup_domid_map(struct domain *domain, struct vtd_iommu *iommu) } } +static bool any_pdev_behind_iommu(const struct domain *d, + const struct pci_dev *exclude, + const struct vtd_iommu *iommu) +{ +const struct pci_dev *pdev; + +
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-03-16 21:30:16 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.25692 (New) Package is "xen" Wed Mar 16 21:30:16 2022 rev:314 rq:961753 version:4.16.0_06 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-03-05 14:44:42.331720428 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.25692/xen.changes 2022-03-16 21:30:17.503390239 +0100 @@ -1,0 +2,12 @@ +Mon Mar 14 10:14:00 CET 2022 - jbeul...@suse.com + +- bsc#1196915 - VUL-0: CVE-2022-0001, CVE-2022-0002,CVE-2021-26401: + xen: BHB speculation issues (XSA-398) + 62278667-Arm-introduce-new-processors.patch + 62278668-Arm-move-errata-CSV2-check-earlier.patch + 62278669-Arm-add-ECBHB-and-CLEARBHB-ID-fields.patch + 6227866a-Arm-Spectre-BHB-handling.patch + 6227866b-Arm-allow-SMCCC_ARCH_WORKAROUND_3-use.patch + 6227866c-x86-AMD-cease-using-thunk-lfence.patch + +--- New: 62278667-Arm-introduce-new-processors.patch 62278668-Arm-move-errata-CSV2-check-earlier.patch 62278669-Arm-add-ECBHB-and-CLEARBHB-ID-fields.patch 6227866a-Arm-Spectre-BHB-handling.patch 6227866b-Arm-allow-SMCCC_ARCH_WORKAROUND_3-use.patch 6227866c-x86-AMD-cease-using-thunk-lfence.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.ZyhYrp/_old 2022-03-16 21:30:19.539391781 +0100 +++ /var/tmp/diff_new_pack.ZyhYrp/_new 2022-03-16 21:30:19.543391785 +0100 
@@ -189,6 +189,12 @@ Patch32:6202afa5-x86-TSX-cope-with-deprecation-on-WHL-R-CFL-R.patch Patch33:6202afa7-x86-CPUID-leaf-7-2-EDX-infra.patch Patch34:6202afa8-x86-Intel-PSFD-for-guests.patch +Patch35:62278667-Arm-introduce-new-processors.patch +Patch36:62278668-Arm-move-errata-CSV2-check-earlier.patch +Patch37:62278669-Arm-add-ECBHB-and-CLEARBHB-ID-fields.patch +Patch38:6227866a-Arm-Spectre-BHB-handling.patch +Patch39:6227866b-Arm-allow-SMCCC_ARCH_WORKAROUND_3-use.patch +Patch40:6227866c-x86-AMD-cease-using-thunk-lfence.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch ++ 62278667-Arm-introduce-new-processors.patch ++ # Commit 35d1b85a6b43483f6bd007d48757434e54743e98 # Date 2022-03-08 16:38:02 + # Author Bertrand Marquis # Committer Andrew Cooper xen/arm: Introduce new Arm processors Add some new processor identifiers in processor.h and sync Xen definitions with status of Linux 5.17 (declared in arch/arm64/include/asm/cputype.h). This is part of XSA-398 / CVE-2022-23960. Signed-off-by: Bertrand Marquis Acked-by: Julien Grall --- a/xen/include/asm-arm/processor.h +++ b/xen/include/asm-arm/processor.h @@ -65,6 +65,7 @@ #define ARM_CPU_PART_CORTEX_A17 0xC0E #define ARM_CPU_PART_CORTEX_A15 0xC0F #define ARM_CPU_PART_CORTEX_A53 0xD03 +#define ARM_CPU_PART_CORTEX_A35 0xD04 #define ARM_CPU_PART_CORTEX_A55 0xD05 #define ARM_CPU_PART_CORTEX_A57 0xD07 #define ARM_CPU_PART_CORTEX_A72 0xD08 
@@ -72,11 +73,20 @@ #define ARM_CPU_PART_CORTEX_A75 0xD0A #define ARM_CPU_PART_CORTEX_A76 0xD0B #define ARM_CPU_PART_NEOVERSE_N10xD0C +#define ARM_CPU_PART_CORTEX_A77 0xD0D +#define ARM_CPU_PART_NEOVERSE_V10xD40 +#define ARM_CPU_PART_CORTEX_A78 0xD41 +#define ARM_CPU_PART_CORTEX_X1 0xD44 +#define ARM_CPU_PART_CORTEX_A7100xD47 +#define ARM_CPU_PART_CORTEX_X2 0xD48 +#define ARM_CPU_PART_NEOVERSE_N20xD49 +#define ARM_CPU_PART_CORTEX_A78C0xD4B #define MIDR_CORTEX_A12 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A12) #define MIDR_CORTEX_A17 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A17) #define MIDR_CORTEX_A15 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A15) #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) +#define MIDR_CORTEX_A35 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A35) #define MIDR_CORTEX_A55 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A55) #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) @@ -84,6 +94,14 @@ #define MIDR_CORTEX_A75 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A75) #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) +#define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) +#define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM,
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-03-05 14:43:58 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1958 (New) Package is "xen" Sat Mar 5 14:43:58 2022 rev:313 rq:959301 version:4.16.0_06 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-02-22 21:18:18.214287469 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1958/xen.changes2022-03-05 14:44:42.331720428 +0100 @@ -1,0 +2,6 @@ +Thu Mar 3 14:42:07 MST 2022 - carn...@suse.com + +- bsc#1196545 - GCC 12: xen package fails + gcc12-fixes.patch + +--- New: gcc12-fixes.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.69cyPx/_old 2022-03-05 14:44:44.175720892 +0100 +++ /var/tmp/diff_new_pack.69cyPx/_new 2022-03-05 14:44:44.183720895 +0100 @@ -262,6 +262,7 @@ Patch621: xen.build-compare.doc_html.patch # Build patches Patch6: xen.stubdom.newlib.patch +Patch7: gcc12-fixes.patch URL:http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ BuildRoot: %{_tmppath}/%{name}-%{version}-build %define pyver %(python3 -c "import sys; print(sys.version[:3])") ++ gcc12-fixes.patch ++ References: bsc#1196545 Compiling against gcc12. Many of the failures are -Werror=array-bounds where macros from mm.h are being used. Common Examples are, include/asm/mm.h:528:61: error: array subscript 0 is outside array bounds of 'long unsigned int[0]' [-Werror=array-bounds] include/xen/mm.h:287:21: error: array subscript [0, 288230376151711743] is outside array bounds of 'struct page_info[0]' [-Werror=array-bounds] There are also several other headers that generate array-bounds macro failures. The pragmas to override are mostly in '.c' files with the exception of, xen/arch/x86/mm/shadow/private.h xen/include/asm-x86/paging.h --- a/xen/drivers/passthrough/amd/iommu_intr.c +++ b/xen/drivers/passthrough/amd/iommu_intr.c 
@@ -23,6 +23,10 @@ #include "iommu.h" +#if __GNUC__ >= 12 +#pragma GCC diagnostic ignored "-Warray-bounds" +#endif + union irte32 { uint32_t raw; struct { --- a/xen/drivers/passthrough/x86/hvm.c +++ b/xen/drivers/passthrough/x86/hvm.c @@ -901,6 +901,9 @@ static void __hvm_dpci_eoi(struct domain hvm_pirq_eoi(pirq); } +#if __GNUC__ >= 12 +#pragma GCC diagnostic ignored "-Waddress" +#endif static void hvm_gsi_eoi(struct domain *d, unsigned int gsi) { struct pirq *pirq = pirq_info(d, gsi); --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -32,6 +32,10 @@ #include #include +#if __GNUC__ >= 12 +#pragma GCC diagnostic ignored "-Warray-bounds" +#endif + static DEFINE_SPINLOCK(domctl_lock); static int nodemask_to_xenctl_bitmap(struct xenctl_bitmap *xenctl_nodemap, --- a/xen/common/efi/boot.c +++ b/xen/common/efi/boot.c @@ -31,6 +31,10 @@ #undef __ASSEMBLY__ #endif +#if __GNUC__ >= 12 +#pragma GCC diagnostic ignored "-Warray-bounds" +#endif + #define EFI_REVISION(major, minor) (((major) << 16) | (minor)) #define SMBIOS3_TABLE_GUID \ --- a/xen/common/xmalloc_tlsf.c +++ b/xen/common/xmalloc_tlsf.c @@ -28,6 +28,10 @@ #include #include +#if __GNUC__ >= 12 +#pragma GCC diagnostic ignored "-Warray-bounds" +#endif + #define MAX_POOL_NAME_LEN 16 /* Some IMPORTANT TLSF parameters */ --- a/xen/common/memory.c +++ b/xen/common/memory.c @@ -35,6 +35,10 @@ #include #endif +#if __GNUC__ >= 12 +#pragma GCC diagnostic ignored "-Warray-bounds" +#endif + struct memop_args { /* INPUT */ struct domain *domain; /* Domain to be affected. */ --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -155,6 +155,10 @@ #define PGC_reserved 0 #endif +#if __GNUC__ >= 12 +#pragma GCC diagnostic ignored "-Warray-bounds" +#endif + /* * Comma-separated list of hexadecimal page numbers containing bad bytes. * e.g. 'badpage=0x3f45,0x8a321'. @@ -1529,6 +1533,7 @@ static void free_heap_pages( } + /* * Following rules applied for page offline: * Once a page is broken, it can't be assigned anymore 
--- a/xen/common/vmap.c +++ b/xen/common/vmap.c @@ -9,6 +9,10 @@ #include #include +#if __GNUC__ >= 12 +#pragma GCC diagnostic ignored "-Warray-bounds" +#endif + static DEFINE_SPINLOCK(vm_lock); static void *__read_mostly vm_base[VMAP_REGION_NR]; #define vm_bitmap(x) ((unsigned long *)vm_base[x]) --- a/xen/include/asm-x86/paging.h +++ b/xen/include/asm-x86/paging.h @@ -32,6 +32,10 @@ #include #include +#if __GNUC__ >= 12 +#pragma GCC diagnostic ignored "-Warray-bounds" +#endif +
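Review bot: every "#pragma GCC diagnostic ignored "-Warray-bounds"" added by gcc12-fixes.patch is unscoped, so from the point of insertion it silences the warning for the rest of the translation unit, and the copy in xen/include/asm-x86/paging.h (together with xen/arch/x86/mm/shadow/private.h, per the description) silences it in every file that includes the header. That covers xen/common/page_alloc.c, memory.c, xmalloc_tlsf.c and vmap.c, where a genuine out-of-bounds subscript is exactly what the diagnostic should keep catching. Wrap only the mm.h macro uses that trip GCC 12 in "#pragma GCC diagnostic push" / "#pragma GCC diagnostic pop", or fix the macros the description names. The same applies to the "-Waddress" pragma ahead of hvm_gsi_eoi() in xen/drivers/passthrough/x86/hvm.c, which stays in effect for the rest of that file. The page_alloc.c hunk at -1529 only adds a blank line and can be dropped.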
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-02-22 21:17:55 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1958 (New) Package is "xen" Tue Feb 22 21:17:55 2022 rev:312 rq:956542 version:4.16.0_06 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-01-27 23:16:44.727069963 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1958/xen.changes2022-02-22 21:18:18.214287469 +0100 
@@ -1,0 +2,42 @@ +Mon Feb 14 11:40:00 CET 2022 - jbeul...@suse.com + +- Upstream bug fixes (bsc#1027519) + 61e0296a-x86-time-calibration-relative-counts.patch + 61e029c8-x86-time-TSC-freq-calibration-accuracy.patch + 61e02a1c-libxl-PCI-PV-hotplug-stubdom-coldplug.patch + 61e98e88-x86-introduce-get-set-reg-infra.patch + 61e98e89-x86-MSR-split-SPEC_CTRL-handling.patch + 61e98e8a-x86-spec-ctrl-drop-ENTRY-EXIT-HVM.patch + 61e98e8b-VT-x-SPEC_CTRL-NMI-race-condition.patch + 61eaaa23-x86-get-set-reg-infra-build.patch + 61efec1d-Arm-P2M-always-clear-entry-on-mapping-removal.patch + 61efec4d-gnttab-only-decrement-refcounter-on-final-unmap.patch + 61efec96-IOMMU-x86-stop-pirq-iteration-immediately-on-error.patch + 61f2d886-x86-CPUID-disentangle-new-leaves-logic.patch + 61f2d887-x86-CPUID-leaf-7-1-EBX-infra.patch + 61f2dd76-x86-SPEC_CTRL-migration-compatibility.patch + 61f7b2af-libxl-dont-touch-nr_vcpus_out-if-listing.patch + 61f933a4-x86-cpuid-advertise-SSB_NO.patch + 61f933a5-x86-drop-use_spec_ctrl-boolean.patch + 61f933a6-x86-new-has_spec_ctrl-boolean.patch + 61f933a7-x86-dont-use-spec_ctrl-enter-exit-for-S3.patch + 61f933a8-x86-SPEC_CTRL-record-last-write.patch + 61f933a9-x86-SPEC_CTRL-use-common-logic-for-AMD.patch + 61f933aa-SVM-SPEC_CTRL-entry-exit-logic.patch + 61f933ab-x86-AMD-SPEC_CTRL-infra.patch + 61f933ac-SVM-enable-MSR_SPEC_CTRL-for-guests.patch + 61f946a2-VMX-drop-SPEC_CTRL-load-on-VMEntry.patch + 6202afa3-x86-clean-up-MSR_MCU_OPT_CTRL-handling.patch + 6202afa4-x86-TSX-move-has_rtm_always_abort.patch + 6202afa5-x86-TSX-cope-with-deprecation-on-WHL-R-CFL-R.patch + 6202afa7-x86-CPUID-leaf-7-2-EDX-infra.patch + 6202afa8-x86-Intel-PSFD-for-guests.patch +- Drop patches replaced by the above: + xsa393.patch + xsa394.patch + xsa395.patch + libxl-Fix-PV-hotplug-and-stubdom-coldplug.patch + libxl-dont-try-to-free-a-NULL-list-of-vcpus.patch + libxl-dont-touch-nr_vcpus_out-if-listing-vcpus-and-returning-NULL.patch + +--- Old: 
libxl-Fix-PV-hotplug-and-stubdom-coldplug.patch libxl-dont-touch-nr_vcpus_out-if-listing-vcpus-and-returning-NULL.patch libxl-dont-try-to-free-a-NULL-list-of-vcpus.patch xsa393.patch xsa394.patch xsa395.patch New: 61e0296a-x86-time-calibration-relative-counts.patch 61e029c8-x86-time-TSC-freq-calibration-accuracy.patch 61e02a1c-libxl-PCI-PV-hotplug-stubdom-coldplug.patch 61e98e88-x86-introduce-get-set-reg-infra.patch 61e98e89-x86-MSR-split-SPEC_CTRL-handling.patch 61e98e8a-x86-spec-ctrl-drop-ENTRY-EXIT-HVM.patch 61e98e8b-VT-x-SPEC_CTRL-NMI-race-condition.patch 61eaaa23-x86-get-set-reg-infra-build.patch 61efec1d-Arm-P2M-always-clear-entry-on-mapping-removal.patch 61efec4d-gnttab-only-decrement-refcounter-on-final-unmap.patch 61efec96-IOMMU-x86-stop-pirq-iteration-immediately-on-error.patch 61f2d886-x86-CPUID-disentangle-new-leaves-logic.patch 61f2d887-x86-CPUID-leaf-7-1-EBX-infra.patch 61f2dd76-x86-SPEC_CTRL-migration-compatibility.patch 61f7b2af-libxl-dont-touch-nr_vcpus_out-if-listing.patch 61f933a4-x86-cpuid-advertise-SSB_NO.patch 61f933a5-x86-drop-use_spec_ctrl-boolean.patch 61f933a6-x86-new-has_spec_ctrl-boolean.patch 61f933a7-x86-dont-use-spec_ctrl-enter-exit-for-S3.patch 61f933a8-x86-SPEC_CTRL-record-last-write.patch 61f933a9-x86-SPEC_CTRL-use-common-logic-for-AMD.patch 61f933aa-SVM-SPEC_CTRL-entry-exit-logic.patch 61f933ab-x86-AMD-SPEC_CTRL-infra.patch 61f933ac-SVM-enable-MSR_SPEC_CTRL-for-guests.patch 61f946a2-VMX-drop-SPEC_CTRL-load-on-VMEntry.patch 6202afa3-x86-clean-up-MSR_MCU_OPT_CTRL-handling.patch 6202afa4-x86-TSX-move-has_rtm_always_abort.patch 6202afa5-x86-TSX-cope-with-deprecation-on-WHL-R-CFL-R.patch 6202afa7-x86-CPUID-leaf-7-2-EDX-infra.patch 6202afa8-x86-Intel-PSFD-for-guests.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.HGscrv/_old 2022-02-22 21:18:24.086288548 +0100 +++ /var/tmp/diff_new_pack.HGscrv/_new 2022-02-22 21:18:24.090288548 +0100 
@@ -119,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.16.0_04 +Version:4.16.0_06 Release:0
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-01-27 23:16:27 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1898 (New) Package is "xen" Thu Jan 27 23:16:27 2022 rev:311 rq:949116 version:4.16.0_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-01-13 00:22:32.451937599 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1898/xen.changes2022-01-27 23:16:44.727069963 +0100 @@ -1,0 +2,21 @@ +Thu Jan 13 10:55:58 MST 2022 - carn...@suse.com + +- bsc#1194576 - VUL-0: CVE-2022-23033: xen: arm: + guest_physmap_remove_page not removing the p2m mappings (XSA-393) + xsa393.patch +- bsc#1194581 - VUL-0: CVE-2022-23034: xen: a PV guest could DoS + Xen while unmapping a grant (XSA-394) + xsa394.patch +- bsc#1194588 - VUL-0: CVE-2022-23035: xen: insufficient cleanup of + passed-through device IRQs (XSA-395) + xsa395.patch + +--- +Wed Jan 12 14:16:53 MST 2022 - carn...@suse.com + +- bsc#1191668 - L3: issue around xl and virsh operation - virsh + list not giving any output + libxl-dont-try-to-free-a-NULL-list-of-vcpus.patch + libxl-dont-touch-nr_vcpus_out-if-listing-vcpus-and-returning-NULL.patch + +--- New: libxl-dont-touch-nr_vcpus_out-if-listing-vcpus-and-returning-NULL.patch libxl-dont-try-to-free-a-NULL-list-of-vcpus.patch xsa393.patch xsa394.patch xsa395.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.BvXlHj/_old 2022-01-27 23:16:46.467057942 +0100 +++ /var/tmp/diff_new_pack.BvXlHj/_new 2022-01-27 23:16:46.471057914 +0100 @@ -160,6 +160,9 @@ Patch3: 61bc429f-revert-hvmloader-PA-range-should-be-UC.patch Patch4: 61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch # EMBARGOED security fixes +Patch11:xsa393.patch +Patch12:xsa394.patch +Patch13:xsa395.patch # libxc Patch301: libxc-bitmap-long.patch Patch302: libxc-sr-xl-migration-debug.patch 
@@ -222,6 +225,8 @@ Patch468: libxl.helper_done-crash.patch Patch469: libxl.LIBXL_HOTPLUG_TIMEOUT.patch Patch470: libxl-Fix-PV-hotplug-and-stubdom-coldplug.patch +Patch471: libxl-dont-try-to-free-a-NULL-list-of-vcpus.patch +Patch472: libxl-dont-touch-nr_vcpus_out-if-listing-vcpus-and-returning-NULL.patch # python3 conversion patches Patch500: build-python3-conversion.patch Patch501: migration-python3-conversion.patch ++ libxl-dont-touch-nr_vcpus_out-if-listing-vcpus-and-returning-NULL.patch ++ References: bsc#1191668, bsc#1194267 If we are in libvxl_list_vcpu() and we are returning NULL, let's avoid touching the output parameter *nr_vcpus_out (which should contain the number of vcpus in the list). Ideally, the caller initialized it to 0, which is therefore consistent with us returning NULL (or, as an alternative, we can explicitly set it to 0 if we're returning null... But just not touching it seems the best behavior). In fact, the current behavior is especially problematic if, for instance, a domain is destroyed after we have done some steps of the for() loop. In which case, calls like xc_vcpu_getinfo() or xc_vcpu_getaffinity() will start to fail, and we return back to the caller inconsistent information, such as a NULL list of vcpus, but a modified and not 0 any longer, number of vcpus in the list. Signed-off-by: Dario Faggioli Tested-by: James Fehlig --- Cc: Wei Liu Cc: Anthony PERARD Cc: Juergen Gross --- tools/libs/light/libxl_domain.c | 14 -- tools/libs/light/libxl_numa.c |4 +++- 2 files changed, 11 insertions(+), 7 deletions(-) --- a/tools/libs/light/libxl_domain.c +++ b/tools/libs/light/libxl_domain.c @@ -1680,6 +1680,7 @@ libxl_vcpuinfo *libxl_list_vcpu(libxl_ct libxl_vcpuinfo *ptr, *ret; xc_domaininfo_t domaininfo; xc_vcpuinfo_t vcpuinfo; +int nr_vcpus; if (xc_domain_getinfolist(ctx->xch, domid, 1, ) != 1) { LOGED(ERROR, domid, "Getting infolist"); 
@@ -1696,27 +1697,27 @@ libxl_vcpuinfo *libxl_list_vcpu(libxl_ct ret = ptr = libxl__calloc(NOGC, domaininfo.max_vcpu_id + 1, sizeof(libxl_vcpuinfo)); -for (*nr_vcpus_out = 0; - *nr_vcpus_out <= domaininfo.max_vcpu_id; - ++*nr_vcpus_out, ++ptr) { +for (nr_vcpus = 0; + nr_vcpus <= domaininfo.max_vcpu_id; + ++nr_vcpus, ++ptr) { libxl_bitmap_init(>cpumap); if (libxl_cpu_bitmap_alloc(ctx, >cpumap, 0)) goto err; libxl_bitmap_init(>cpumap_soft); if
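Review bot: with the loop counter moved from *nr_vcpus_out to the local nr_vcpus in libxl_list_vcpu(), a caller that did not initialise its count reads an indeterminate value after a NULL return, a case the description only covers with "Ideally, the caller initialized it to 0". Either store 0 through nr_vcpus_out on the error path or state in the function's documentation that the output is left untouched on failure, and check that the success path (outside the visible lines) copies nr_vcpus back before returning.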
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-01-13 00:22:11 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1892 (New) Package is "xen" Thu Jan 13 00:22:11 2022 rev:310 rq:945654 version:4.16.0_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2022-01-08 23:23:04.390204899 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1892/xen.changes2022-01-13 00:22:32.451937599 +0100 @@ -1,0 +2,8 @@ +Tue Jan 11 10:47:10 MST 2022 - carn...@suse.com + +- bsc#1193307 - pci backend does not exist when attach a vf to a pv + guest + libxl-Fix-PV-hotplug-and-stubdom-coldplug.patch + Drop libxl-PCI-defer-backend-wait.patch + +--- Old: libxl-PCI-defer-backend-wait.patch New: libxl-Fix-PV-hotplug-and-stubdom-coldplug.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.sXgD8I/_old 2022-01-13 00:22:34.071938765 +0100 +++ /var/tmp/diff_new_pack.sXgD8I/_new 2022-01-13 00:22:34.075938768 +0100 
@@ -221,7 +221,7 @@ Patch467: xenstore-run-in-studomain.patch Patch468: libxl.helper_done-crash.patch Patch469: libxl.LIBXL_HOTPLUG_TIMEOUT.patch -Patch470: libxl-PCI-defer-backend-wait.patch +Patch470: libxl-Fix-PV-hotplug-and-stubdom-coldplug.patch # python3 conversion patches Patch500: build-python3-conversion.patch Patch501: migration-python3-conversion.patch ++ libxl-Fix-PV-hotplug-and-stubdom-coldplug.patch ++ libxl/PCI: Fix PV hotplug & stubdom coldplug Commit 0fdb48ffe7a1 "libxl: Make sure devices added by pci-attach are reflected in the config" broke PCI hotplug (xl pci-attach) for PV domains when it moved libxl__create_pci_backend() later in the function. This also broke HVM + stubdom PCI passthrough coldplug. For that, the PCI devices are hotplugged to a running PV stubdom, and then the QEMU QMP device_add commands are made to QEMU inside the stubdom. A running PV domain calls libxl__wait_for_backend(). With the current placement of libxl__create_pci_backend(), the path does not exist and the call immediately fails: libxl: error: libxl_device.c:1388:libxl__wait_for_backend: Backend /local/domain/0/backend/pci/43/0 does not exist libxl: error: libxl_pci.c:1764:device_pci_add_done: Domain 42:libxl__device_pci_add failed for PCI device 0:2:0.0 (rc -3) libxl: error: libxl_create.c:1857:domcreate_attach_devices: Domain 42:unable to add pci devices The wait is only relevant when the backend is already present. num_devs is already used to determine if the backend needs to be created. Re-use num_devs to determine if the backend wait is necessary. The wait is necessary to avoid racing with another PCI attachment reconfiguring the front/back or changing to some other state like closing. If we are creating the backend, then we don't have to worry about the state since it is being created. Fixes: 0fdb48ffe7a1 ("libxl: Make sure devices added by pci-attach are reflected in the config") Signed-off-by: Jason Andryuk 
diff --git a/tools/libs/light/libxl_pci.c b/tools/libs/light/libxl_pci.c index 4c2d7aeefb..e8fd3bd937 100644 --- a/tools/libs/light/libxl_pci.c +++ b/tools/libs/light/libxl_pci.c @@ -157,8 +157,10 @@ static int libxl__device_pci_add_xenstore(libxl__gc *gc, if (domtype == LIBXL_DOMAIN_TYPE_INVALID) return ERROR_FAIL; -if (!starting && domtype == LIBXL_DOMAIN_TYPE_PV) { -if (libxl__wait_for_backend(gc, be_path, GCSPRINTF("%d", XenbusStateConnected)) < 0) +/* wait is only needed if the backend already exists (num_devs != NULL) */ +if (num_devs && !starting && domtype == LIBXL_DOMAIN_TYPE_PV) { +if (libxl__wait_for_backend(gc, be_path, +GCSPRINTF("%d", XenbusStateConnected)) < 0) return ERROR_FAIL; }
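Review bot: the new test "if (num_devs && !starting && domtype == LIBXL_DOMAIN_TYPE_PV)" trusts a num_devs value that is read outside this hunk. If that read happens before the lock or xenstore transaction is taken, another pci-attach can create the backend in between, and this call then skips the wait that the description says is needed to avoid racing with a concurrent attachment. Please confirm that num_devs is read under the same serialisation as the later writes, or re-read it there, and say so in the added comment.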
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2022-01-08 23:23:02 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1892 (New) Package is "xen" Sat Jan 8 23:23:02 2022 rev:309 rq:944512 version:4.16.0_04 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-12-16 21:18:48.302509658 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1892/xen.changes2022-01-08 23:23:04.390204899 +0100 @@ -1,0 +2,17 @@ +Thu Jan 6 16:05:00 CET 2022 - jbeul...@suse.com + +- bsc#1193447 - Slow execution of hvmloader+ovmf when VM contains + an sriov device + 61bc429f-revert-hvmloader-PA-range-should-be-UC.patch +- Upstream bug fixes (bsc#1027519) + 61b31d5c-x86-restrict-all-but-self-IPI.patch + 61b88e78-x86-CPUID-TSXLDTRK-definition.patch + 61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch + +--- +Tue Jan 4 15:51:15 UTC 2022 - James Fehlig + +- Collect active VM config files in the supportconfig plugin + xen-supportconfig + +--- New: 61b31d5c-x86-restrict-all-but-self-IPI.patch 61b88e78-x86-CPUID-TSXLDTRK-definition.patch 61bc429f-revert-hvmloader-PA-range-should-be-UC.patch 61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.NfxPMJ/_old 2022-01-08 23:23:05.878206113 +0100 +++ /var/tmp/diff_new_pack.NfxPMJ/_new 2022-01-08 23:23:05.878206113 +0100 @@ -1,7 +1,7 @@ # # spec file for package xen # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -119,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.16.0_02 +Version:4.16.0_04 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only 
@@ -155,6 +155,10 @@ # For xen-libs Source99: baselibs.conf # Upstream patches +Patch1: 61b31d5c-x86-restrict-all-but-self-IPI.patch +Patch2: 61b88e78-x86-CPUID-TSXLDTRK-definition.patch +Patch3: 61bc429f-revert-hvmloader-PA-range-should-be-UC.patch +Patch4: 61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch # EMBARGOED security fixes # libxc Patch301: libxc-bitmap-long.patch ++ 61b31d5c-x86-restrict-all-but-self-IPI.patch ++ # Commit 7621880de0bb40bae6436a5b106babc0e4718f4d # Date 2021-12-10 10:26:52 +0100 # Author Jan Beulich # Committer Jan Beulich x86: avoid wrong use of all-but-self IPI shorthand With "nosmp" I did observe a flood of "APIC error on CPU0: 04(04), Send accept error" log messages on an AMD system. And rightly so - nothing excludes the use of the shorthand in send_IPI_mask() in this case. Set "unaccounted_cpus" to "true" also when command line restrictions are the cause. Note that PV-shim mode is unaffected by this change, first and foremost because "nosmp" and "maxcpus=" are ignored in this case. Fixes: 5500d265a2a8 ("x86/smp: use APIC ALLBUT destination shorthand when possible") Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- a/xen/arch/x86/mpparse.c +++ b/xen/arch/x86/mpparse.c 
@@ -85,9 +85,14 @@ void __init set_nr_cpu_ids(unsigned int if (!park_offline_cpus) tot_cpus = max_cpus; nr_cpu_ids = min(tot_cpus, NR_CPUS + 0u); - if (park_offline_cpus && nr_cpu_ids < num_processors) - printk(XENLOG_WARNING "SMP: Cannot bring up %u further CPUs\n", - num_processors - nr_cpu_ids); + if (nr_cpu_ids < num_processors) + { + unaccounted_cpus = true; + if (park_offline_cpus) + printk(XENLOG_WARNING + "SMP: Cannot bring up %u further CPUs\n", + num_processors - nr_cpu_ids); + } #ifndef nr_cpumask_bits nr_cpumask_bits = ROUNDUP(nr_cpu_ids, BITS_PER_LONG); ++ 61b88e78-x86-CPUID-TSXLDTRK-definition.patch ++ # Commit 249e0f1d8f203188ccdcced5a05c2149739e1566 # Date 2021-12-14 12:30:48 + # Author Andrew Cooper # Committer Andrew Cooper x86/cpuid: Fix TSXLDTRK definition TSXLDTRK lives in CPUID leaf 7[0].edx, not 7[0].ecx. Bit 16 in ecx is LA57. Fixes: a6d1b558471f ("x86emul: support X{SUS,RES}LDTRK") Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- a/tools/libs/light/libxl_cpuid.c +++ b/tools/libs/light/libxl_cpuid.c @@ -209,7 +209,6 @@ int
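Review bot: in the set_nr_cpu_ids() hunk, "unaccounted_cpus = true;" is the whole fix but carries no comment, and nothing in xen/arch/x86/mpparse.c as shown says that this flag is what keeps send_IPI_mask() off the all-but-self shorthand. Add a one-line comment at the assignment naming that dependency, so the flag is not later folded back under the park_offline_cpus condition that now only guards the printk.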
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-12-16 21:18:42 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.2520 (New) Package is "xen" Thu Dec 16 21:18:42 2021 rev:308 rq:940365 version:4.16.0_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-12-03 20:35:32.584191426 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.2520/xen.changes2021-12-16 21:18:48.302509658 +0100 @@ -1,0 +2,7 @@ +Thu Dec 9 09:36:20 MST 2021 - carn...@suse.com + +- bsc#1193307 - pci backend does not exist when attach a vf to a pv + guest + libxl-PCI-defer-backend-wait.patch + +--- New: libxl-PCI-defer-backend-wait.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.A3cfjc/_old 2021-12-16 21:18:49.978510296 +0100 +++ /var/tmp/diff_new_pack.A3cfjc/_new 2021-12-16 21:18:49.982510297 +0100 @@ -217,6 +217,7 @@ Patch467: xenstore-run-in-studomain.patch Patch468: libxl.helper_done-crash.patch Patch469: libxl.LIBXL_HOTPLUG_TIMEOUT.patch +Patch470: libxl-PCI-defer-backend-wait.patch # python3 conversion patches Patch500: build-python3-conversion.patch Patch501: migration-python3-conversion.patch ++ libxl-PCI-defer-backend-wait.patch ++ libxl/PCI: defer backend wait upon attaching to PV guest Attempting to wait when the backend hasn't been created yet can't work: the function will complain "Backend ... does not exist". Move the waiting past the creation of the backend (and that of other related nodes), hoping that there are no other dependencies that would now be broken. Fixes: 0fdb48ffe7a1 ("libxl: Make sure devices added by pci-attach are reflected in the config") Signed-off-by: Jan Beulich --- unstable.orig/tools/libs/light/libxl_pci.c 2021-11-17 12:05:49.0 +0100 +++ unstable/tools/libs/light/libxl_pci.c 2021-12-09 17:02:15.265069154 +0100 
@@ -157,11 +157,6 @@ static int libxl__device_pci_add_xenstor if (domtype == LIBXL_DOMAIN_TYPE_INVALID) return ERROR_FAIL; -if (!starting && domtype == LIBXL_DOMAIN_TYPE_PV) { -if (libxl__wait_for_backend(gc, be_path, GCSPRINTF("%d", XenbusStateConnected)) < 0) -return ERROR_FAIL; -} - back = flexarray_make(gc, 16, 1); LOGD(DEBUG, domid, "Adding new pci device to xenstore"); @@ -213,6 +208,9 @@ static int libxl__device_pci_add_xenstor if (rc < 0) goto out; } +if (!starting && domtype == LIBXL_DOMAIN_TYPE_PV) +rc = libxl__wait_for_backend(gc, be_path, GCSPRINTF("%d", XenbusStateConnected)); + out: libxl__xs_transaction_abort(gc, ); if (lock) libxl__unlock_file(lock);
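Review bot: in the second hunk of libxl-PCI-defer-backend-wait.patch the result of libxl__wait_for_backend() is assigned to rc directly before the out: label, after the new device nodes have been written. If the wait fails, the function returns an error, but the cleanup visible after out: is only libxl__xs_transaction_abort() and libxl__unlock_file(), so the entries just added stay in xenstore for a device the caller believes was not attached. The wait also now runs before libxl__unlock_file(lock), so a slow backend holds the lock for the full timeout. Either remove the written nodes on a failed wait or do the wait after the unlock, and record the choice in the description in place of "hoping that there are no other dependencies".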
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-12-03 20:35:25 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.31177 (New) Package is "xen" Fri Dec 3 20:35:25 2021 rev:307 rq:935029 version:4.16.0_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-11-20 02:39:17.320750755 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.31177/xen.changes 2021-12-03 20:35:32.584191426 +0100 @@ -1,0 +2,24 @@ +Wed Dec 1 09:45:10 MST 2021 - carn...@suse.com + +- Update to Xen 4.16.0 FCS release + xen-4.16.0-testing-src.tar.bz2 + * Miscellaneous fixes to the TPM manager software in preparation +for TPM 2.0 support. + * Increased reliance on the PV shim as 32-bit PV guests will only +be supported in shim mode going forward. This change reduces +the attack surface in the hypervisor. + * Increased hardware support by allowing Xen to boot on Intel +devices that lack a Programmable Interval Timer. + * Cleanup of legacy components by no longer building QEMU +Traditional or PV-Grub by default. Note both projects have +upstream Xen support merged now, so it is no longer recommended +to use the Xen specific forks. + * Initial support for guest virtualized Performance Monitor +Counters on Arm. + * Improved support for dom0less mode by allowing the usage on +Arm 64bit hardware with EFI firmware. + * Improved support for Arm 64-bit heterogeneous systems by +leveling the CPU features across all to improve big.LITTLE +support. + +--- Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.TG7EYh/_old 2021-12-03 20:35:34.120185814 +0100 +++ /var/tmp/diff_new_pack.TG7EYh/_new 2021-12-03 20:35:34.128185784 +0100 @@ -28,7 +28,6 @@ Name: xen ExclusiveArch: %ix86 x86_64 aarch64 -%define changeset 41121 %define xen_build_dir xen-4.16.0-testing # %define with_gdbsx 0 
@@ -120,7 +119,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.16.0_01 +Version:4.16.0_02 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only @@ -452,7 +451,6 @@ XEN_FULLVERSION=$XEN_FULLVERSION _EOV_ source ./.our_xenversion -echo "%{changeset}" > xen/.scmversion sed -i~ " s/XEN_VERSION[[:blank:]]*=.*/XEN_VERSION = $XEN_VERSION/ s/XEN_SUBVERSION[[:blank:]]*=.*/XEN_SUBVERSION = $XEN_SUBVERSION/ ++ xen-4.16.0-testing-src.tar.bz2 ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xen-4.16.0-testing/CHANGELOG.md new/xen-4.16.0-testing/CHANGELOG.md --- old/xen-4.16.0-testing/CHANGELOG.md 2021-11-17 15:24:23.0 +0100 +++ new/xen-4.16.0-testing/CHANGELOG.md 2021-12-01 17:44:20.0 +0100 @@ -4,7 +4,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) -## [unstable UNRELEASED](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=staging) - TBD +## [4.16.0](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=staging) - 2021-12-02 ### Removed - XENSTORED_ROOTDIR environment variable from configuartion files and 
@@ -21,8 +21,33 @@ - qemu-traditional based device models (both, qemu-traditional and ioemu-stubdom) will no longer be built per default. In order to be able to use those, configure needs to be called with "--enable-qemu-traditional" as parameter. + - Fixes for credit2 scheduler stability in corner case conditions. + - Ongoing improvements in the hypervisor build system. + - vtpmmgr miscellaneous fixes in preparation for TPM 2.0 support. + - 32bit PV guests only supported in shim mode. + - Improved PVH dom0 debug key handling. + - Fix booting on some Intel systems without a PIT (i8254). + - Cleanup of the xenstore library interface. + - Fix truncation of return value from xencall2 by introducing a new helper + that returns a long instead. + - Fix system register accesses on Arm to use the proper 32/64bit access size. + - Various fixes for Arm OP-TEE mediator. + - Switch to domheap for Xen page tables. + +### Added + - 32bit Arm builds to the gitlab-ci automated tests. + - x86 full system tests to the gitlab-ci automated tests. + - Arm limited vPMU support for guests. + - Static physical memory allocation for dom0less on arm64. + - dom0less EFI support on arm64. + - GICD_ICPENDR register handling in vGIC emulation to support Zephyr OS. + - CPU feature leveling on arm64 platform with heterogeneous cores. + - Report unpopulated memory regions safe to use for external mappings, Arm and + device
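Review bot: in the CHANGELOG.md hunk the new release heading `## [4.16.0](https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=staging) - 2021-12-02` still links to the staging shortlog, so the link will stop describing this release as soon as staging moves on; point it at the 4.16.0 release ref instead. Separately, the xen.spec hunks drop `%define changeset 41121` and the `echo "%{changeset}" > xen/.scmversion` line, which means the build no longer writes xen/.scmversion, and the xen.changes entry says nothing about it. Add a line there so the change in the reported version string is documented.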
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-11-20 02:38:28 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1895 (New) Package is "xen" Sat Nov 20 02:38:28 2021 rev:306 rq:932003 version:4.16.0_01 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-11-12 15:59:03.598559302 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.1895/xen.changes2021-11-20 02:39:17.320750755 +0100 @@ -1,0 +2,14 @@ +Wed Nov 17 07:25:37 MST 2021 - carn...@suse.com + +- Update to Xen 4.16.0 RC3 release + xen-4.16.0-testing-src.tar.bz2 +- Drop iPXE sources and patches. iPXE is only used by QEMU + traditional which has never shipped with SLE15. + ipxe.tar.bz2 + ipxe-enable-nics.patch + ipxe-no-error-logical-not-parentheses.patch + ipxe-use-rpm-opt-flags.patch +- Drop building ocaml xenstored in the spec file. There are no + plans or need to support this version. + +--- Old: ipxe-enable-nics.patch ipxe-no-error-logical-not-parentheses.patch ipxe-use-rpm-opt-flags.patch ipxe.tar.bz2 Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.s1grCB/_old 2021-11-20 02:39:19.004745198 +0100 +++ /var/tmp/diff_new_pack.s1grCB/_new 2021-11-20 02:39:19.004745198 +0100 @@ -33,7 +33,6 @@ # %define with_gdbsx 0 %define with_dom0_support 0 -%bcond_withxen_oxenstored %ifarch x86_64 %bcond_without xen_debug %bcond_without xen_stubdom @@ -97,17 +96,8 @@ BuildRequires: makeinfo %endif %endif -BuildRequires: ncurses-devel -%if %{?with_dom0_support}0 -%if %{with xen_oxenstored} -BuildRequires: ocaml -BuildRequires: ocaml-compiler-libs -BuildRequires: ocaml-findlib -BuildRequires: ocaml-ocamldoc -BuildRequires: ocaml-runtime -%endif -%endif BuildRequires: acpica +BuildRequires: ncurses-devel BuildRequires: openssl-devel BuildRequires: python3-devel BuildRequires: xz-devel 
@@ -137,9 +127,8 @@ Group: System/Kernel Source0:xen-4.16.0-testing-src.tar.bz2 Source1:stubdom.tar.bz2 -Source2:ipxe.tar.bz2 -Source3:mini-os.tar.bz2 -Source4:xen-utils-0.1.tar.bz2 +Source2:mini-os.tar.bz2 +Source3:xen-utils-0.1.tar.bz2 Source9:xen.changes Source10: README.SUSE Source11: boot.xen @@ -218,11 +207,10 @@ Patch451: xenconsole-no-multiple-connections.patch Patch452: hibernate.patch Patch453: stdvga-cache.patch -Patch454: ipxe-enable-nics.patch -Patch455: xl-save-pc.patch -Patch456: pygrub-boot-legacy-sles.patch -Patch457: pygrub-handle-one-line-menu-entries.patch -Patch458: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch +Patch454: xl-save-pc.patch +Patch455: pygrub-boot-legacy-sles.patch +Patch456: pygrub-handle-one-line-menu-entries.patch +Patch457: aarch64-rename-PSR_MODE_ELxx-to-match-linux-headers.patch Patch461: libxl.max_event_channels.patch Patch463: libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch Patch464: libxl.pvscsi.patch @@ -239,8 +227,6 @@ Patch601: x86-ioapic-ack-default.patch Patch602: xenwatchdogd-restart.patch Patch621: xen.build-compare.doc_html.patch -Patch623: ipxe-no-error-logical-not-parentheses.patch -Patch624: ipxe-use-rpm-opt-flags.patch # Build patches Patch6: xen.stubdom.newlib.patch URL:http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ @@ -416,7 +402,7 @@ %endif %prep -%setup -q -n %xen_build_dir -a 1 -a 2 -a 3 -a 4 +%setup -q -n %xen_build_dir -a 1 -a 2 -a 3 %autosetup -D -T -n %xen_build_dir -p1 %build @@ -497,7 +483,6 @@ --disable-xen \ --enable-tools \ --enable-docs \ ---disable-rombios \ --prefix=/usr \ --exec_prefix=/usr \ --bindir=%{_bindir} \ @@ -511,11 +496,6 @@ --docdir=%{_defaultdocdir}/xen \ --with-initddir=%{_initddir} \ --with-rundir=%{_rundir} \ -%if %{?with_dom0_support}0 -%if %{with xen_oxenstored} - --with-xenstored=oxenstored \ -%endif -%endif --enable-systemd \ --with-systemd=%{_unitdir} \ --with-systemd-modules-load=%{with_systemd_modules_load} \ 
@@ -952,7 +932,6 @@ rm -rf %{buildroot}/%{_datadir}/man rm -rf %{buildroot}/%{_libexecdir}/%{name} rm -rf %{buildroot}/%{_libdir}/python* -rm -rf %{buildroot}/%{_libdir}/ocaml* rm -rf %{buildroot}/%{_unitdir} rm -rf %{buildroot}/%{_fillupdir} rm -rf %{buildroot}/%{with_systemd_modules_load} @@ -,48 +1090,6 @@ %{_defaultdocdir}/xen/boot.xen %{_mandir}/man*/*
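Review bot: the configure hunk at `@@ -497,7 +483,6 @@` removes `--disable-rombios`, but the xen.changes entry only mentions dropping iPXE and the ocaml xenstored build. Either note in the changelog why the flag is no longer needed, or keep it, so that a reader can tell whether rombios is still excluded from the build. The renumbering of Source2 to Source4 and Patch454 to Patch458 is consistent with the new `%setup ... -a 1 -a 2 -a 3` line as far as the visible hunks go; any remaining `%SOURCE` references by number elsewhere in the spec should be checked against the new numbering.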
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-11-12 15:58:59 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1890 (New) Package is "xen" Fri Nov 12 15:58:59 2021 rev:305 rq:930561 version:4.16.0_01 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-09-16 23:16:48.839931376 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.1890/xen.changes2021-11-12 15:59:03.598559302 +0100 
@@ -1,0 +2,34 @@ +Mon Nov 8 09:09:58 MST 2021 - carn...@suse.com + +- Update to Xen 4.16.0 RC2 release + xen-4.16.0-testing-src.tar.bz2 +- Modified files + ipxe-use-rpm-opt-flags.patch + ipxe.tar.bz2 (new version) + +--- +Mon Nov 1 11:15:13 MDT 2021 - carn...@suse.com + +- Update to Xen 4.16.0 RC1 release + xen-4.16.0-testing-src.tar.bz2 +- Drop patches contained in new tarball or invalid + 615c9fd0-VT-d-fix-deassign-of-device-with-RMRR.patch + libxc-sr-383b41974d5543b62f3181d216070fe3691fb130.patch + libxc-sr-5588ebcfca774477cf823949e5703b0ac48818cc.patch + libxc-sr-9e59d9f8ee3808acde9833192211da25f66d8cc2.patch + libxc-sr-f17a73b3c0264c62dd6b5dae01ed621c051c3038.patch + xenstore-launch.patch + +--- +Wed Oct 6 08:19:42 MDT 2021 - carn...@suse.com + +- bsc#1191363 - VUL-0: CVE-2021-28702: xen: PCI devices with RMRRs + not deassigned correctly (XSA-386) + 615c9fd0-VT-d-fix-deassign-of-device-with-RMRR.patch + +--- +Mon Sep 13 11:50:00 CEST 2021 - jbeul...@suse.com + +- Revert "Simplify %autosetup". + +--- Old: libxc-sr-383b41974d5543b62f3181d216070fe3691fb130.patch libxc-sr-5588ebcfca774477cf823949e5703b0ac48818cc.patch libxc-sr-9e59d9f8ee3808acde9833192211da25f66d8cc2.patch libxc-sr-f17a73b3c0264c62dd6b5dae01ed621c051c3038.patch xen-4.15.1-testing-src.tar.bz2 xenstore-launch.patch New: xen-4.16.0-testing-src.tar.bz2 Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.0sUO7F/_old 2021-11-12 15:59:05.410560126 +0100 +++ /var/tmp/diff_new_pack.0sUO7F/_new 2021-11-12 15:59:05.414560127 +0100 @@ -29,7 +29,7 @@ Name: xen ExclusiveArch: %ix86 x86_64 aarch64 %define changeset 41121 -%define xen_build_dir xen-4.15.1-testing +%define xen_build_dir xen-4.16.0-testing # %define with_gdbsx 0 %define with_dom0_support 0 
@@ -130,12 +130,12 @@ %endif Provides: installhint(reboot-needed) -Version:4.15.1_01 +Version:4.16.0_01 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only Group: System/Kernel -Source0:xen-4.15.1-testing-src.tar.bz2 +Source0:xen-4.16.0-testing-src.tar.bz2 Source1:stubdom.tar.bz2 Source2:ipxe.tar.bz2 Source3:mini-os.tar.bz2 @@ -169,40 +169,36 @@ # Upstream patches # EMBARGOED security fixes # libxc -Patch301: libxc-sr-383b41974d5543b62f3181d216070fe3691fb130.patch -Patch302: libxc-sr-9e59d9f8ee3808acde9833192211da25f66d8cc2.patch -Patch303: libxc-sr-5588ebcfca774477cf823949e5703b0ac48818cc.patch -Patch304: libxc-sr-f17a73b3c0264c62dd6b5dae01ed621c051c3038.patch -Patch305: libxc-bitmap-long.patch -Patch306: libxc-sr-xl-migration-debug.patch -Patch307: libxc-sr-readv_exact.patch -Patch308: libxc-sr-save-show_transfer_rate.patch -Patch309: libxc-sr-save-mfns.patch -Patch310: libxc-sr-save-types.patch -Patch311: libxc-sr-save-errors.patch -Patch312: libxc-sr-save-iov.patch -Patch313: libxc-sr-save-rec_pfns.patch -Patch314: libxc-sr-save-guest_data.patch -Patch315: libxc-sr-save-local_pages.patch -Patch316: libxc-sr-restore-pfns.patch -Patch317: libxc-sr-restore-types.patch -Patch318: libxc-sr-restore-mfns.patch -Patch319: libxc-sr-restore-map_errs.patch -Patch320: libxc-sr-restore-populate_pfns-pfns.patch -Patch321: libxc-sr-restore-populate_pfns-mfns.patch -Patch322: libxc-sr-restore-read_record.patch -Patch323: libxc-sr-restore-handle_buffered_page_data.patch -Patch324: libxc-sr-restore-handle_incoming_page_data.patch -Patch325: libxc-sr-LIBXL_HAVE_DOMAIN_SUSPEND_PROPS.patch -Patch326: libxc-sr-precopy_policy.patch -Patch327: libxc-sr-max_iters.patch -Patch328: libxc-sr-min_remaining.patch -Patch329: libxc-sr-abort_if_busy.patch -Patch330: libxc-sr-xg_sr_bitmap.patch -Patch331:
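Review bot: the Nov 1 xen.changes entry drops 615c9fd0-VT-d-fix-deassign-of-device-with-RMRR.patch under the heading "Drop patches contained in new tarball or invalid", without saying which of the two applies to each file. That patch is the CVE-2021-28702 (XSA-386) fix added in the Oct 6 entry, so state explicitly that it is contained in xen-4.16.0-testing-src.tar.bz2, and list separately any patches dropped as invalid. Also, in the first xen.spec hunk `%define changeset 41121` stays unchanged while `xen_build_dir` moves from 4.15.1 to 4.16.0; confirm the value is still meant to be written for the new source tree.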
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-07-26 17:37:53 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.1899 (New) Package is "xen" Mon Jul 26 17:37:53 2021 rev:303 rq:907839 version:4.15.0_01 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-06-05 23:30:11.264297234 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.1899/xen.changes2021-07-26 17:37:56.450105330 +0200 @@ -1,0 +2,10 @@ +Thu Jul 22 22:33:51 UTC 2021 - James Fehlig + +- spec: Change the '--with-system-ovmf' configure option to use + the new Xen-specific ovmf firmware. The traditional, unified + firmwares will no longer support multi-VMM. For more information + + https://bugzilla.tianocore.org/show_bug.cgi?id=1689 + https://bugzilla.tianocore.org/show_bug.cgi?id=2122 + +--- Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.g7x2f4/_old 2021-07-26 17:37:58.078103374 +0200 +++ /var/tmp/diff_new_pack.g7x2f4/_new 2021-07-26 17:37:58.082103370 +0200 @@ -517,7 +517,7 @@ --enable-systemd \ --with-systemd=%{_unitdir} \ --with-systemd-modules-load=%{with_systemd_modules_load} \ - --with-system-ovmf=%{_datadir}/qemu/ovmf-x86_64-ms.bin \ + --with-system-ovmf=%{_datadir}/qemu/ovmf-x86_64-xen-4m.bin \ --with-system-seabios=%{_datadir}/qemu/bios-256k.bin \ ${configure_flags} make -C tools/include/xen-foreign %{?_smp_mflags}
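Review bot: the only xen.spec hunk switches `--with-system-ovmf` to `%{_datadir}/qemu/ovmf-x86_64-xen-4m.bin`, and nothing in the visible diff adds or adjusts a dependency on the package that ships that file. If the firmware is absent or only the older unified image is installed, the path will be wrong at run time, so add a versioned Requires (or Recommends, matching how the spec already handles firmware) on the package that provides the Xen-specific image. In the xen.changes entry, the sentence "For more information" would read better as "For more information see" ahead of the two bugzilla links.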
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-04-23 17:49:38 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.12324 (New) Package is "xen" Fri Apr 23 17:49:38 2021 rev:301 rq:886799 version:4.14.1_16 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-03-21 23:19:27.340720399 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.12324/xen.changes 2021-04-23 17:49:41.650698085 +0200 @@ -1,0 +2,19 @@ +Mon Apr 19 12:03:30 MDT 2021 - carn...@suse.com + +- bsc#1180491 - "Panic on CPU 0: IO-APIC + timer doesn't work!" + 60787714-x86-HPET-avoid-legacy-replacement-mode.patch + 60787714-x86-HPET-factor-legacy-replacement-mode-enabling.patch +- Upstream bug fixes (bsc#1027519) + 60410127-gcc11-adjust-rijndaelEncrypt.patch + 60422428-x86-shadow-avoid-fast-fault-path.patch + 604b9070-VT-d-disable-QI-IR-before-init.patch + 60535c11-libxl-domain-soft-reset.patch (Replaces xsa368.patch) + 60700077-x86-vpt-avoid-pt_migrate-rwlock.patch + +--- +Thu Mar 25 10:10:10 UTC 2021 - oher...@suse.de + +- bsc#1137251 - Restore changes for xen-dom0-modules.service which + were silently removed on 2019-10-17 + +--- 
@@ -23,2 +42,2 @@ -- bsc#1183072 - VUL-0: xen: HVM soft-reset crashes toolstack (XSA-368) - Also resolves, +- bsc#1183072 - VUL-0: CVE-2021-28687: xen: HVM soft-reset crashes + toolstack (XSA-368). Also resolves, Old: xsa368.patch New: 60410127-gcc11-adjust-rijndaelEncrypt.patch 60422428-x86-shadow-avoid-fast-fault-path.patch 604b9070-VT-d-disable-QI-IR-before-init.patch 60535c11-libxl-domain-soft-reset.patch 60700077-x86-vpt-avoid-pt_migrate-rwlock.patch 60787714-x86-HPET-avoid-legacy-replacement-mode.patch 60787714-x86-HPET-factor-legacy-replacement-mode-enabling.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.L3j0Cr/_old 2021-04-23 17:49:43.218700781 +0200 +++ /var/tmp/diff_new_pack.L3j0Cr/_new 2021-04-23 17:49:43.222700788 +0200 @@ -130,7 +130,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.14.1_14 +Version:4.14.1_16 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only @@ -186,7 +186,13 @@ Patch16:602e5abb-gnttab-bypass-IOMMU-when-mapping-own-grant.patch Patch17:602ffae9-tools-libs-light-fix-xl-save--c-handling.patch Patch18:6037b02e-x86-EFI-suppress-ld-2-36-base-relocs.patch -Patch200: xsa368.patch +Patch19:60410127-gcc11-adjust-rijndaelEncrypt.patch +Patch20:60422428-x86-shadow-avoid-fast-fault-path.patch +Patch21:604b9070-VT-d-disable-QI-IR-before-init.patch +Patch22:60535c11-libxl-domain-soft-reset.patch +Patch23:60700077-x86-vpt-avoid-pt_migrate-rwlock.patch +Patch24:60787714-x86-HPET-factor-legacy-replacement-mode-enabling.patch +Patch25:60787714-x86-HPET-avoid-legacy-replacement-mode.patch # libxc Patch300: libxc-sr-3cccdae45242dab27198b8e150be0c85acd5d3c9.patch Patch301: libxc-sr-readv_exact.patch 
@@ -901,10 +907,35 @@ echo -n > $conf done `" +> mods for mod in $mods do - echo "ExecStart=-/bin/sh -c 'modprobe $mod || :'" >> %{buildroot}/%{_unitdir}/${bn} + # load by alias, if possible, to handle pvops and xenlinux + alias="$mod" + case "$mod" in + xen-evtchn) ;; + xen-gntdev) ;; + xen-gntalloc) ;; + xen-blkback) alias='xen-backend:vbd' ;; + xen-netback) alias='xen-backend:vif' ;; + xen-pciback) alias='xen-backend:pci' ;; + evtchn) unset alias ;; + gntdev) unset alias ;; + netbk) alias='xen-backend:vif' ;; + blkbk) alias='xen-backend:vbd' ;; + xen-scsibk) unset alias ;; + usbbk) unset alias ;; + pciback) alias='xen-backend:pci' ;; + xen-acpi-processor) ;; + blktap2) unset alias ;; + *) ;; + esac + if test -n "${alias}" + then + echo "ExecStart=-/bin/sh -c 'modprobe $alias || :'" >> mods + fi done +sort -u mods | tee -a %{buildroot}/%{_unitdir}/${bn} rm -rfv %{buildroot}/%{_initddir} install -m644 %SOURCE35 %{buildroot}/%{_fillupdir}/sysconfig.pciback ++ 60410127-gcc11-adjust-rijndaelEncrypt.patch ++ # Commit c6ad5a701b9a6df443a6c98d9e7201c958bbcafc # Date 2021-03-04 16:47:51 +0100 # Author Jan Beulich #
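Review bot: in the `@@ -901,10 +907,35 @@` hunk the final `sort -u mods | tee -a %{buildroot}/%{_unitdir}/${bn}` emits the ExecStart lines in sorted order rather than in the order of `$mods`; if the load order of the modules matters, deduplicate without reordering. The case arms that `unset alias` (evtchn, gntdev, xen-scsibk, usbbk, blktap2) silently drop those modules from the unit with no comment, so add a line explaining that they are intentionally skipped. The arms for xen-evtchn, xen-gntdev, xen-gntalloc and xen-acpi-processor do nothing that the `*) ;;` default does not already do and can go. The scratch file `mods` is created in the current directory and not removed in the visible lines; delete it after use.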
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-03-21 23:19:24 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.2401 (New) Package is "xen" Sun Mar 21 23:19:24 2021 rev:300 rq:879873 version:4.14.1_14 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-03-02 12:31:08.571610683 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.2401/xen.changes2021-03-21 23:19:27.340720399 +0100 @@ -1,0 +2,29 @@ +Fri Mar 12 19:19:19 UTC 2021 - oher...@suse.de + +- bsc#1177112 - Fix libxc.sr.superpage.patch + The receiving side did detect holes in a to-be-allocated superpage, + but allocated a superpage anyway. This resulted to over-allocation. + +--- +Mon Mar 8 16:16:16 UTC 2021 - oher...@suse.de + +- bsc#1167608 - adjust limit for max_event_channels + A previous change allowed an unbound number of event channels + to make sure even large domUs can start of of the box. + This may have a bad side effect in the light of XSA-344. + Adjust the built-in limit based on the number of vcpus. + In case this is not enough, max_event_channels=/maxEventChannels= + has to be used to set the limit as needed for large domUs + adjust libxl.max_event_channels.patch + +--- +Fri Mar 5 08:49:56 MST 2021 - carn...@suse.com + +- bsc#1183072 - VUL-0: xen: HVM soft-reset crashes toolstack (XSA-368) + Also resolves, +bsc#1179148 - kdump of HVM fails, soft-reset not handled by libxl +bsc#1181989 - openQA job causes libvirtd to dump core when +running kdump inside domain + xsa368.patch + +--- New: xsa368.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.GSkM1v/_old 2021-03-21 23:19:28.812720904 +0100 +++ /var/tmp/diff_new_pack.GSkM1v/_new 2021-03-21 23:19:28.816720906 +0100 
@@ -130,7 +130,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.14.1_12 +Version:4.14.1_14 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only @@ -186,6 +186,7 @@ Patch16:602e5abb-gnttab-bypass-IOMMU-when-mapping-own-grant.patch Patch17:602ffae9-tools-libs-light-fix-xl-save--c-handling.patch Patch18:6037b02e-x86-EFI-suppress-ld-2-36-base-relocs.patch +Patch200: xsa368.patch # libxc Patch300: libxc-sr-3cccdae45242dab27198b8e150be0c85acd5d3c9.patch Patch301: libxc-sr-readv_exact.patch ++ libxc.sr.superpage.patch ++ --- /var/tmp/diff_new_pack.GSkM1v/_old 2021-03-21 23:19:29.116721009 +0100 +++ /var/tmp/diff_new_pack.GSkM1v/_new 2021-03-21 23:19:29.116721009 +0100 @@ -470,7 +470,7 @@ free(ctx->x86.restore.cpuid.ptr); free(ctx->x86.restore.msr.ptr); -@@ -249,6 +277,368 @@ static int x86_hvm_cleanup(struct xc_sr_ +@@ -249,6 +277,380 @@ static int x86_hvm_cleanup(struct xc_sr_ return 0; } @@ -707,6 +707,18 @@ +return -1; +} + ++pfn = gap_start >> SUPERPAGE_1GB_SHIFT; ++do ++{ ++xc_sr_set_bit(pfn, >x86.hvm.restore.attempted_1g); ++} while (++pfn <= gap_end >> SUPERPAGE_1GB_SHIFT); ++ ++pfn = gap_start >> SUPERPAGE_2MB_SHIFT; ++do ++{ ++xc_sr_set_bit(pfn, >x86.hvm.restore.attempted_2m); ++} while (++pfn <= gap_end >> SUPERPAGE_2MB_SHIFT); ++ +pfn = gap_start; + +while ( pfn <= gap_end ) @@ -839,7 +851,7 @@ struct xc_sr_restore_ops restore_ops_x86_hvm = { .pfn_is_valid= x86_hvm_pfn_is_valid, -@@ -257,6 +647,7 @@ struct xc_sr_restore_ops restore_ops_x86 +@@ -257,6 +659,7 @@ struct xc_sr_restore_ops restore_ops_x86 .set_page_type = x86_hvm_set_page_type, .localise_page = x86_hvm_localise_page, .setup = x86_hvm_setup, ++ libxl.LIBXL_HOTPLUG_TIMEOUT.patch ++ --- /var/tmp/diff_new_pack.GSkM1v/_old 2021-03-21 23:19:29.128721013 +0100 +++ /var/tmp/diff_new_pack.GSkM1v/_new 2021-03-21 23:19:29.128721013 +0100 
@@ -294,7 +294,7 @@ /* private */ libxl__ev_time time; libxl__ev_child child; -@@ -4845,6 +4848,9 @@ int libxl__is_domid_recent(libxl__gc *gc +@@ -4847,6 +4850,9 @@ int libxl__is_domid_recent(libxl__gc *gc #endif ++ libxl.max_event_channels.patch ++ --- /var/tmp/diff_new_pack.GSkM1v/_old 2021-03-21 23:19:29.144721018 +0100 +++ /var/tmp/diff_new_pack.GSkM1v/_new 2021-03-21 23:19:29.148721020 +0100 @@ -3,6 +3,11 @@ 1023 is too low for a three digit value of vcpus it is difficult to make the
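Review bot: in the libxc.sr.superpage.patch hunk at `@@ -707,6 +707,18 @@` both new loops are written as `do { ... } while (++pfn <= gap_end >> SUPERPAGE_..._SHIFT);`, so each sets at least one bit even if `gap_start` were greater than `gap_end`. Confirm that the caller guarantees `gap_start <= gap_end`, or use a `for` loop with the bound checked up front. The loops mark every 1G and 2M superpage that overlaps the gap, including ones only partly covered at either end; a one-line comment saying that this is what prevents the over-allocation described in the xen.changes entry would make the intent clear. The changes text itself has two slips worth fixing: "start of of the box" and "This resulted to over-allocation".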
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-03-02 12:28:08 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.2378 (New) Package is "xen" Tue Mar 2 12:28:08 2021 rev:299 rq:875549 version:4.14.1_12 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-02-17 18:09:09.605823781 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.2378/xen.changes2021-03-02 12:31:08.571610683 +0100 
@@ -1,0 +2,29 @@ +Tue Feb 26 14:00:00 CET 2021 - jbeul...@suse.com + +- bsc#1177204 - L3-Question: conring size for XEN HV's with huge + memory to small. Inital Xen logs cut + 5ffc58c4-ACPI-reduce-verbosity-by-default.patch +- Upstream bug fixes (bsc#1027519) + 601d4396-x86-EFI-suppress-ld-2-36-debug-info.patch + 602bd768-page_alloc-only-flush-after-scrubbing.patch + 602cfe3d-IOMMU-check-if-initialized-before-teardown.patch + 602e5a8c-gnttab-never-permit-mapping-transitive-grants.patch + 602e5abb-gnttab-bypass-IOMMU-when-mapping-own-grant.patch + 6037b02e-x86-EFI-suppress-ld-2-36-base-relocs.patch +- bsc#1181921 - GCC 11: xen package fails + gcc11-fixes.patch + +--- +Tue Feb 23 10:00:26 MST 2021 - carn...@suse.com + +- bsc#1182576 - L3: XEN domU crashed on resume when using the xl + unpause command + 602ffae9-tools-libs-light-fix-xl-save--c-handling.patch + +--- +Thu Feb 18 11:42:54 MST 2021 - carn...@suse.com + +- Start using the %autosetup macro to simplify patch management + xen.spec + +--- New: 5ffc58c4-ACPI-reduce-verbosity-by-default.patch 601d4396-x86-EFI-suppress-ld-2-36-debug-info.patch 602bd768-page_alloc-only-flush-after-scrubbing.patch 602cfe3d-IOMMU-check-if-initialized-before-teardown.patch 602e5a8c-gnttab-never-permit-mapping-transitive-grants.patch 602e5abb-gnttab-bypass-IOMMU-when-mapping-own-grant.patch 602ffae9-tools-libs-light-fix-xl-save--c-handling.patch 6037b02e-x86-EFI-suppress-ld-2-36-base-relocs.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.MrJpcp/_old 2021-03-02 12:31:10.319611896 +0100 +++ /var/tmp/diff_new_pack.MrJpcp/_new 2021-03-02 12:31:10.319611896 +0100 
@@ -130,26 +130,27 @@ %endif Provides: installhint(reboot-needed) -Version:4.14.1_11 +Version:4.14.1_12 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only Group: System/Kernel Source0:xen-4.14.1-testing-src.tar.bz2 Source1:stubdom.tar.bz2 -Source5:ipxe.tar.bz2 -Source6:mini-os.tar.bz2 +Source2:ipxe.tar.bz2 +Source3:mini-os.tar.bz2 +Source4:xen-utils-0.1.tar.bz2 Source9:xen.changes Source10: README.SUSE Source11: boot.xen Source12: boot.local.xenU Source13: xen-supportconfig -Source15: logrotate.conf +Source14: logrotate.conf Source21: block-npiv-common.sh Source22: block-npiv Source23: block-npiv-vport -Source26: init.xen_loop -Source29: block-dmmd +Source24: block-dmmd +Source28: init.xen_loop # Xen API remote authentication sources Source30: etc_pam.d_xen-api Source31: xenapiusers @@ -160,7 +161,6 @@ # Systemd service files Source41: xencommons.service Source42: xen-dom0-modules.service -Source57: xen-utils-0.1.tar.bz2 Source10172:xendomains-wait-disks.sh Source10173:xendomains-wait-disks.LICENSE Source10174:xendomains-wait-disks.README.md @@ -172,12 +172,20 @@ Patch2: 5fedf9f4-x86-hpet_setup-fix-retval.patch Patch3: 5ff458f2-x86-vPCI-tolerate-disabled-MSI-X-entry.patch Patch4: 5ff71655-x86-dpci-EOI-regardless-of-masking.patch -Patch5: 5ffc58e8-x86-ACPI-dont-overwrite-FADT.patch -Patch6: 600999ad-x86-dpci-do-not-remove-pirqs-from.patch -Patch7: 600ab341-x86-vioapic-EOI-check-IRR-before-inject.patch -Patch8: 6011bbc7-x86-timer-fix-boot-without-PIT.patch -Patch9: 6013e4bd-memory-bail-from-page-scrub-when-CPU-offline.patch -Patch10:6013e546-x86-HVM-reorder-domain-init-error-path.patch +Patch5: 5ffc58c4-ACPI-reduce-verbosity-by-default.patch +Patch6: 5ffc58e8-x86-ACPI-dont-overwrite-FADT.patch +Patch7: 600999ad-x86-dpci-do-not-remove-pirqs-from.patch +Patch8: 600ab341-x86-vioapic-EOI-check-IRR-before-inject.patch +Patch9: 6011bbc7-x86-timer-fix-boot-without-PIT.patch +Patch10:
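Review bot: the first new xen.changes entry is stamped "Tue Feb 26 14:00:00 CET 2021", but 26 February 2021 was a Friday (the entry below it, "Tue Feb 23", is the Tuesday of that week); correct the weekday or the date so changelog tooling does not reject the entry. The same entry lists gcc11-fixes.patch under bsc#1181921 even though no spec hunk here adds it, so say that the patch was modified rather than listing it as if new. In the xen.spec hunk the Source numbers are reshuffled (Source26 to Source28, Source29 to Source24, Source57 to Source4); every `%SOURCE` reference by number elsewhere in the spec has to follow, which the visible lines do not show.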
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-02-17 18:08:47 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.28504 (New) Package is "xen" Wed Feb 17 18:08:47 2021 rev:298 rq:871003 version:4.14.1_11 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-01-26 14:44:46.639257780 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.28504/xen.changes 2021-02-17 18:09:09.605823781 +0100 
@@ -1,0 +2,22 @@ +Wed Feb 10 12:52:00 MST 2021 - carn...@suse.com + +- bsc#1181921 - GCC 11: xen package fails + gcc11-fixes.patch +- Drop gcc10-fixes.patch + +--- +Tue Feb 2 05:37:27 MST 2021 - carn...@suse.com + +- Upstream bug fixes (bsc#1027519) + 5fedf9f4-x86-hpet_setup-fix-retval.patch + 5ff458f2-x86-vPCI-tolerate-disabled-MSI-X-entry.patch + 5ff71655-x86-dpci-EOI-regardless-of-masking.patch + 5ffc58e8-x86-ACPI-dont-overwrite-FADT.patch + 600999ad-x86-dpci-do-not-remove-pirqs-from.patch (Replaces xsa360.patch) + 600ab341-x86-vioapic-EOI-check-IRR-before-inject.patch + 6013e4bd-memory-bail-from-page-scrub-when-CPU-offline.patch + 6013e546-x86-HVM-reorder-domain-init-error-path.patch +- bsc#1180491 - "Panic on CPU 0: IO-APIC + timer doesn't work!" + 6011bbc7-x86-timer-fix-boot-without-PIT.patch + +--- Old: gcc10-fixes.patch xsa360.patch New: 5fedf9f4-x86-hpet_setup-fix-retval.patch 5ff458f2-x86-vPCI-tolerate-disabled-MSI-X-entry.patch 5ff71655-x86-dpci-EOI-regardless-of-masking.patch 5ffc58e8-x86-ACPI-dont-overwrite-FADT.patch 600999ad-x86-dpci-do-not-remove-pirqs-from.patch 600ab341-x86-vioapic-EOI-check-IRR-before-inject.patch 6011bbc7-x86-timer-fix-boot-without-PIT.patch 6013e4bd-memory-bail-from-page-scrub-when-CPU-offline.patch 6013e546-x86-HVM-reorder-domain-init-error-path.patch gcc11-fixes.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.h87FzB/_old 2021-02-17 18:09:11.277825149 +0100 +++ /var/tmp/diff_new_pack.h87FzB/_new 2021-02-17 18:09:11.281825152 +0100 @@ -130,7 +130,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.14.1_08 +Version:4.14.1_11 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only 
@@ -169,7 +169,15 @@ Source99: baselibs.conf # Upstream patches Patch1: 5fca3b32-tools-libs-ctrl-fix-dumping-of-ballooned-guest.patch -Patch36001: xsa360.patch +Patch2: 5fedf9f4-x86-hpet_setup-fix-retval.patch +Patch3: 5ff458f2-x86-vPCI-tolerate-disabled-MSI-X-entry.patch +Patch4: 5ff71655-x86-dpci-EOI-regardless-of-masking.patch +Patch5: 5ffc58e8-x86-ACPI-dont-overwrite-FADT.patch +Patch6: 600999ad-x86-dpci-do-not-remove-pirqs-from.patch +Patch7: 600ab341-x86-vioapic-EOI-check-IRR-before-inject.patch +Patch8: 6011bbc7-x86-timer-fix-boot-without-PIT.patch +Patch9: 6013e4bd-memory-bail-from-page-scrub-when-CPU-offline.patch +Patch10:6013e546-x86-HVM-reorder-domain-init-error-path.patch # libxc Patch300: libxc-sr-3cccdae45242dab27198b8e150be0c85acd5d3c9.patch Patch301: libxc-sr-readv_exact.patch @@ -214,7 +222,7 @@ Patch420: suspend_evtchn_lock.patch Patch422: stubdom-have-iovec.patch Patch423: vif-route.patch -Patch424: gcc10-fixes.patch +Patch424: gcc11-fixes.patch # Other bug fixes or features Patch451: xenconsole-no-multiple-connections.patch Patch452: hibernate.patch @@ -427,7 +435,15 @@ %setup -q -n %xen_build_dir -a 1 -a 5 -a 6 -a 57 # Upstream patches %patch1 -p1 -%patch36001 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 # libxc %patch300 -p1 %patch301 -p1 ++ 5fedf9f4-x86-hpet_setup-fix-retval.patch ++ # Commit 83736c567d6b64dbce98f251ca72e7870f556421 # Date 2020-12-31 16:19:00 + # Author Andrew Cooper # Committer Andrew Cooper x86/hpet: Fix return value of hpet_setup() hpet_setup() is idempotent if the rate has already been calculated, and returns the cached value. However, this only works correctly when the return statements are identical. Use a sensibly named local variable, rather than a dead one with a bad name. Fixes: a60bb68219 ("x86/time: reduce rounding errors in calculations") Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monn?? --- a/xen/arch/x86/hpet.c 
+++ b/xen/arch/x86/hpet.c @@ -769,7 +769,7 @@ u64 __init hpet_setup(void) { static
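Review bot: the `@@ -427,7 +435,15 @@` hunk adds nine hand-written `%patchN -p1` lines that mirror the nine new `PatchN:` tags in the `@@ -169,7 +169,15 @@` hunk, so the two lists must be kept in step manually and a missed line means a listed fix is silently not applied. Consider applying the upstream patch block in one step so the tag list is the single source of truth. The Version tag also jumps from 4.14.1_08 to 4.14.1_11 without comment; note in xen.changes if the intermediate numbers were used elsewhere.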
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-01-26 14:44:43 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.28504 (New) Package is "xen" Tue Jan 26 14:44:43 2021 rev:297 rq:866148 version:4.14.1_08 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-01-22 21:49:20.501595301 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.28504/xen.changes 2021-01-26 14:44:46.639257780 +0100 @@ -1,0 +2,6 @@ +Thu Jan 21 08:46:20 MST 2021 - carn...@suse.com + +- bsc#1181254 - VUL-0: xen: IRQ vector leak on x86 (XSA-360) + xsa360.patch + +--- New: xsa360.patch Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.2qywNC/_old 2021-01-26 14:44:48.399260504 +0100 +++ /var/tmp/diff_new_pack.2qywNC/_new 2021-01-26 14:44:48.403260510 +0100 @@ -130,7 +130,7 @@ %endif Provides: installhint(reboot-needed) -Version:4.14.1_06 +Version:4.14.1_08 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only @@ -169,6 +169,7 @@ Source99: baselibs.conf # Upstream patches Patch1: 5fca3b32-tools-libs-ctrl-fix-dumping-of-ballooned-guest.patch +Patch36001: xsa360.patch # libxc Patch300: libxc-sr-3cccdae45242dab27198b8e150be0c85acd5d3c9.patch Patch301: libxc-sr-readv_exact.patch @@ -426,6 +427,7 @@ %setup -q -n %xen_build_dir -a 1 -a 5 -a 6 -a 57 # Upstream patches %patch1 -p1 +%patch36001 -p1 # libxc %patch300 -p1 %patch301 -p1 ++ libxc.migrate_tracking.patch ++ --- /var/tmp/diff_new_pack.2qywNC/_old 2021-01-26 14:44:48.663260912 +0100 +++ /var/tmp/diff_new_pack.2qywNC/_new 2021-01-26 14:44:48.663260912 +0100 
@@ -1,8 +1,6 @@ Track live migration state unconditionally in logfiles to see how long a domU was suspended. Depends on libxc.sr.superpage.patch -Index: xen-4.14.1-testing/tools/libs/toollog/include/xentoollog.h -=== --- xen-4.14.1-testing.orig/tools/libs/toollog/include/xentoollog.h +++ xen-4.14.1-testing/tools/libs/toollog/include/xentoollog.h @@ -133,6 +133,7 @@ const char *xtl_level_to_string(xentooll @@ -13,8 +11,6 @@ #endif /* XENTOOLLOG_H */ /* -Index: xen-4.14.1-testing/tools/libxc/xc_domain.c -=== --- xen-4.14.1-testing.orig/tools/libxc/xc_domain.c +++ xen-4.14.1-testing/tools/libxc/xc_domain.c @@ -69,20 +69,28 @@ int xc_domain_cacheflush(xc_interface *x @@ -48,8 +44,6 @@ } -Index: xen-4.14.1-testing/tools/libxc/xc_private.h -=== --- xen-4.14.1-testing.orig/tools/libxc/xc_private.h +++ xen-4.14.1-testing/tools/libxc/xc_private.h @@ -42,6 +42,15 @@ @@ -68,8 +62,6 @@ #if defined(HAVE_VALGRIND_MEMCHECK_H) && !defined(NDEBUG) && !defined(__MINIOS__) /* Compile in Valgrind client requests? */ #include -Index: xen-4.14.1-testing/tools/libxc/xc_resume.c -=== --- xen-4.14.1-testing.orig/tools/libxc/xc_resume.c +++ xen-4.14.1-testing/tools/libxc/xc_resume.c @@ -284,7 +284,10 @@ out: @@ -84,8 +76,6 @@ +SUSEINFO("domid %u: %s%s returned %d", domid, __func__, fast ? " fast" : "", ret); +return ret; } -Index: xen-4.14.1-testing/tools/libxc/xc_sr_common.c -=== --- xen-4.14.1-testing.orig/tools/libxc/xc_sr_common.c +++ xen-4.14.1-testing/tools/libxc/xc_sr_common.c @@ -204,6 +204,65 @@ bool _xc_sr_bitmap_resize(struct xc_sr_b @@ -154,8 +144,6 @@ /* * Local variables: * mode: C -Index: xen-4.14.1-testing/tools/libxc/xc_sr_common.h -=== --- xen-4.14.1-testing.orig/tools/libxc/xc_sr_common.h +++ xen-4.14.1-testing/tools/libxc/xc_sr_common.h @@ -268,6 +268,7 @@ struct xc_sr_context 
@@ -175,8 +163,6 @@ struct xc_sr_record { uint32_t type; -Index: xen-4.14.1-testing/tools/libxc/xc_sr_restore.c -=== --- xen-4.14.1-testing.orig/tools/libxc/xc_sr_restore.c +++ xen-4.14.1-testing/tools/libxc/xc_sr_restore.c @@ -875,6 +875,7 @@ static int restore(struct xc_sr_context @@ -203,8 +189,6 @@ if ( read_headers() ) return -1; -Index: xen-4.14.1-testing/tools/libxc/xc_sr_save.c -=== ---
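Review bot: The changes entry for this submission lists only xsa360.patch, yet the diff also refreshes libxc.migrate_tracking.patch, removing the `Index:` and `===` header lines in front of every file section. That refresh is cosmetic and unrelated to the XSA-360 fix; please either mention it in xen.changes or move it to a separate submission, so that the security update can be reviewed and backported on its own. In the spec, `Patch36001: xsa360.patch` is added under "# Upstream patches" with a number outside the Patch1 sequence; a short comment saying it is the XSA-360 fix would make its later replacement by an upstream-named patch easier to follow.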
commit xen for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2021-01-22 21:49:19 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.28504 (New) Package is "xen" Fri Jan 22 21:49:19 2021 rev:296 rq:864498 version:4.14.1_06 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2021-01-06 19:55:58.245008330 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.28504/xen.changes 2021-01-22 21:49:20.501595301 +0100 @@ -1,0 +2,13 @@ +Wed Jan 13 14:27:51 MST 2021 - carn...@suse.com + +- bsc#1180794 - bogus qemu binary path used when creating fv guest + under xen + xen.spec + +--- +Wed Jan 13 10:36:49 MST 2021 - carn...@suse.com + +- bsc#1180690 - L3-Question: xen: no needsreboot flag set + Add Provides: installhint(reboot-needed) in xen.spec for libzypp + +--- Other differences: -- ++ xen.spec ++ --- /var/tmp/diff_new_pack.jblw4X/_old 2021-01-22 21:49:22.101597570 +0100 +++ /var/tmp/diff_new_pack.jblw4X/_new 2021-01-22 21:49:22.105597576 +0100 @@ -22,6 +22,10 @@ %define _fillupdir /var/adm/fillup-templates %endif +# Tumbleweed now defines _libexecdir as /usr/libexec +# Keep it at the original location (/usr/lib) for backward compatibility +%define _libexecdir /usr/lib + Name: xen ExclusiveArch: %ix86 x86_64 aarch64 %define changeset 41121 @@ -124,8 +128,9 @@ %ifarch x86_64 BuildRequires: pesign-obs-integration %endif +Provides: installhint(reboot-needed) -Version:4.14.1_05 +Version:4.14.1_06 Release:0 Summary:Xen Virtualization: Hypervisor (aka VMM aka Microkernel) License:GPL-2.0-only 
@@ -862,7 +867,7 @@ # /usr/bin/qemu-system-i386 # Using qemu-system-x86_64 will result in an incompatible VM %ifarch x86_64 aarch64 -hardcoded_path_in_existing_domU_xml='/usr/lib/xen/bin' +hardcoded_path_in_existing_domU_xml='%{_libexecdir}/%{name}/bin' mkdir -vp %{buildroot}${hardcoded_path_in_existing_domU_xml} tee %{buildroot}${hardcoded_path_in_existing_domU_xml}/qemu-system-%{qemu_arch} << 'EOF' #!/bin/sh @@ -870,6 +875,7 @@ exec %{_bindir}/qemu-system-%{qemu_arch} "$@" EOF chmod 0755 %{buildroot}${hardcoded_path_in_existing_domU_xml}/qemu-system-%{qemu_arch} + # unit='%{_libexecdir}/%{name}/bin/xendomains-wait-disks' mkdir -vp '%{buildroot}%{_libexecdir}/%{name}/bin' @@ -1119,12 +1125,11 @@ %dir /usr/lib/supportconfig %dir /usr/lib/supportconfig/plugins /usr/lib/supportconfig/plugins/xen -%dir /usr/lib/xen -%dir /usr/lib/xen/bin -/usr/lib/xen/bin/qemu-system-%{qemu_arch} -%{_libexecdir}/%{name} +%dir %{_libexecdir}/%{name} +%{_libexecdir}/%{name}/bin %exclude %{_libexecdir}/%{name}-tools-domU %ifarch x86_64 +%{_libexecdir}/%{name}/boot %exclude %{_libexecdir}/%{name}/bin/xendomains-wait-disks %endif %{_fillupdir}/sysconfig.pciback
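Review bot: In the -862 hunk, `hardcoded_path_in_existing_domU_xml` changes from the literal '/usr/lib/xen/bin' to '%{_libexecdir}/%{name}/bin', which still resolves to the old path only because of the `%define _libexecdir /usr/lib` override added in the -22 hunk. The variable name says the value is a path already written into existing domU XML, so it should not move with a macro: if the override is ever dropped, the qemu-system wrapper would be installed under /usr/libexec and existing guest configurations would point at a missing binary. Either keep the literal path for the wrapper, or extend the comment at the `%define` to state that the compatibility wrapper depends on it. The -870 hunk also adds an empty line after the `chmod 0755` that looks unintentional, and in the -1119 `%files` hunk the package now owns only `%{_libexecdir}/%{name}/bin` and, on x86_64, `%{_libexecdir}/%{name}/boot` instead of the whole directory, so please check that no other subdirectory is left unpackaged.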
commit xen for openSUSE:Factory
Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2020-12-21 10:22:13 Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.5145 (New) Package is "xen" Mon Dec 21 10:22:13 2020 rev:294 rq:856892 version:4.14.1_02 Changes: --- /work/SRC/openSUSE:Factory/xen/xen.changes 2020-11-12 22:33:05.63007 +0100 +++ /work/SRC/openSUSE:Factory/.xen.new.5145/xen.changes2020-12-21 10:22:48.911948729 +0100 
@@ -1,0 +2,127 @@ +Thu Dec 17 10:15:31 MST 2020 - carn...@suse.com + +- Update to Xen 4.14.1 bug fix release (bsc#1027519) + xen-4.14.1-testing-src.tar.bz2 + Contains the following recent security fixes + bsc#1179516 XSA-359 - CVE-2020-29571 + bsc#1179514 XSA-358 - CVE-2020-29570 + bsc#1179513 XSA-356 - CVE-2020-29567 + bsc#1178963 XSA-355 - CVE-2020-29040 + bsc#1178591 XSA-351 - CVE-2020-28368 + bsc#1179506 XSA-348 - CVE-2020-29566 + bsc#1179502 XSA-325 - CVE-2020-29483 + bsc#1179501 XSA-324 - CVE-2020-29484 + bsc#1179498 XSA-322 - CVE-2020-29481 + bsc#1179496 XSA-115 - CVE-2020-29480 +- Dropped patches contained in new tarball + 5f1a9916-x86-S3-put-data-sregs-into-known-state.patch + 5f21b9fd-x86-cpuid-APIC-bit-clearing.patch + 5f479d9e-x86-begin-to-support-MSR_ARCH_CAPS.patch + 5f4cf06e-x86-Dom0-expose-MSR_ARCH_CAPS.patch + 5f4cf96a-x86-PV-fix-SEGBASE_GS_USER_SEL.patch + 5f560c42-x86-PV-64bit-segbase-consistency.patch + 5f560c42-x86-PV-rewrite-segment-ctxt-switch.patch + 5f5b6b7a-hypfs-fix-custom-param-writes.patch + 5f607915-x86-HVM-more-consistent-IO-completion.patch + 5f6a002d-x86-PV-handle-MSR_MISC_ENABLE-correctly.patch + 5f6a0049-memory-dont-skip-RCU-unlock-in-acquire_resource.patch + 5f6a0067-x86-vPT-fix-race-when-migrating-timers.patch + 5f6a008e-x86-MSI-drop-read_msi_msg.patch + 5f6a00aa-x86-MSI-X-restrict-reading-of-PBA-bases.patch + 5f6a00c4-evtchn-relax-port_is_valid.patch + 5f6a00df-x86-PV-avoid-double-exception-injection.patch + 5f6a00f4-evtchn-add-missing-barriers.patch + 5f6a0111-evtchn-x86-enforce-correct-upper-limit.patch + 5f6a013f-evtchn_reset-shouldnt-succeed-with.patch + 5f6a0160-evtchn-IRQ-safe-per-channel-lock.patch + 5f6a0178-evtchn-address-races-with-evtchn_reset.patch + 5f6a01a4-evtchn-preempt-in-evtchn_destroy.patch + 5f6a01c6-evtchn-preempt-in-evtchn_reset.patch + 5f6cfb5b-x86-PV-dont-GP-for-SYSENTER-with-NT-set.patch + 5f6cfb5b-x86-PV-dont-clobber-NT-on-return-to-guest.patch + 5f71a21e-x86-S3-fix-shadow-stack-resume.patch + 
5f76ca65-evtchn-Flask-prealloc-for-send.patch + 5f76caaf-evtchn-FIFO-use-stable-fields.patch + 5f897c25-x86-traps-fix-read_registers-for-DF.patch + 5f897c7b-x86-smpboot-restrict-memguard_guard_stack.patch + 5f8ed5d3-x86-mm-map_pages_to_xen-single-exit-path.patch + 5f8ed5eb-x86-mm-modify_xen_mappings-one-exit-path.patch + 5f8ed603-x86-mm-prevent-races-in-mapping-updates.patch + 5f8ed635-IOMMU-suppress-iommu_dont_flush_iotlb-when.patch + 5f8ed64c-IOMMU-hold-page-ref-until-TLB-flush.patch + 5f8ed682-AMD-IOMMU-convert-amd_iommu_pte.patch + 5f8ed69c-AMD-IOMMU-update-live-PTEs-atomically.patch + 5f8ed6b0-AMD-IOMMU-suitably-order-DTE-mods.patch + xsa286-1.patch + xsa286-2.patch + xsa286-3.patch + xsa286-4.patch + xsa286-5.patch + xsa286-6.patch + xsa351-1.patch + xsa351-2.patch + xsa351-3.patch + xsa355.patch + +--- +Tue Dec 15 15:15:15 UTC 2020 - oher...@suse.de + +- bsc#1178736 - allow restart of xenwatchdogd, enable tuning of + keep-alive interval and timeout options via XENWATCHDOGD_ARGS= + add xenwatchdogd-options.patch + add xenwatchdogd-restart.patch + +--- +Tue Dec 15 10:10:10 UTC 2020 - oher...@suse.de + +- bsc#1177112 - Fix libxc.sr.superpage.patch + The receiving side may punch holes incorrectly into optimistically + allocated superpages. Also reduce overhead in bitmap handling. + add libxc-bitmap-50a5215f30e964a6f16165ab57925ca39f31a849.patch + add libxc-bitmap-long.patch + add libxc-bitmap-longs.patch + +--- +Mon Dec 14 14:22:08 MST 2020 - carn...@suse.com + +- boo#1029961 - Move files in xen-tools-domU to /usr/bin from /bin + xen-destdir.patch + Drop tmp_build.patch + +--- +Fri Dec 4 06:54:08 MST 2020 - carn...@suse.com + +- bsc#1176782 - L3: xl dump-core shows missing nr_pages during + core. If maxmem and current are the same the issue doesn't happen + 5fca3b32-tools-libs-ctrl-fix-dumping-of-ballooned-guest.patch + +--- +Fri Nov 20 15:09:49 MST 2020 - carn...@suse.com + +- bsc#1178963 - VUL-0: xen: stack corruption