CVS commit: [netbsd-6-1] src/sys/arch/xen
Module Name:src Committed By: snj Date: Fri Jan 8 21:25:28 UTC 2016 Modified Files: src/sys/arch/xen/include/xen-public/io [netbsd-6-1]: ring.h src/sys/arch/xen/xen [netbsd-6-1]: pciback.c xbdback_xenbus.c xennetback_xenbus.c Log Message: Pull up following revision(s) (requested by bouyer in ticket #1358): sys/arch/xen/include/xen-public/io/ring.h: revision 1.3 via patch sys/arch/xen/xen/pciback.c: revision 1.10 via patch sys/arch/xen/xen/xbdback_xenbus.c: revision 1.62 via patch sys/arch/xen/xen/xennetback_xenbus.c: revision 1.54 via patch Apply patch from xsa155: make sure that the backend won't read parts of the request again (possibly because of compiler optimisations), by using copies and barrier. >From XSA155: The compiler can emit optimizations in the PV backend drivers which can lead to double fetch vulnerabilities. Specifically the shared memory between the frontend and backend can be fetched twice (during which time the frontend can alter the contents) possibly leading to arbitrary code execution in backend. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.2.18.1 src/sys/arch/xen/include/xen-public/io/ring.h cvs rdiff -u -r1.7 -r1.7.16.1 src/sys/arch/xen/xen/pciback.c cvs rdiff -u -r1.55.2.1.6.2 -r1.55.2.1.6.3 \ src/sys/arch/xen/xen/xbdback_xenbus.c cvs rdiff -u -r1.47 -r1.47.14.1 src/sys/arch/xen/xen/xennetback_xenbus.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/xen/include/xen-public/io/ring.h diff -u src/sys/arch/xen/include/xen-public/io/ring.h:1.2 src/sys/arch/xen/include/xen-public/io/ring.h:1.2.18.1 --- src/sys/arch/xen/include/xen-public/io/ring.h:1.2 Wed Dec 7 15:40:15 2011 +++ src/sys/arch/xen/include/xen-public/io/ring.h Fri Jan 8 21:25:28 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: ring.h,v 1.2 2011/12/07 15:40:15 cegger Exp $ */ +/* $NetBSD: ring.h,v 1.2.18.1 2016/01/08 21:25:28 snj Exp $ */ /** * ring.h * @@ -236,6 +236,20 @@ typedef struct __name##_back_ring __name #define RING_GET_REQUEST(_r, _idx) \ (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req)) +/* + * Get a local copy of a request. + * + * Use this in preference to RING_GET_REQUEST() so all processing is + * done on a local copy that cannot be modified by the other end. + * + * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this + * to be ineffective where _req is a struct which consists of only bitfields. + */ +#define RING_COPY_REQUEST(_r, _idx, _req) do {\ + /* Use volatile to force the copy into _req. */ \ + *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \ +} while (0) + #define RING_GET_RESPONSE(_r, _idx) \ (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp)) Index: src/sys/arch/xen/xen/pciback.c diff -u src/sys/arch/xen/xen/pciback.c:1.7 src/sys/arch/xen/xen/pciback.c:1.7.16.1 --- src/sys/arch/xen/xen/pciback.c:1.7 Thu Feb 2 19:43:01 2012 +++ src/sys/arch/xen/xen/pciback.c Fri Jan 8 21:25:28 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: pciback.c,v 1.7 2012/02/02 19:43:01 tls Exp $ */ +/* $NetBSD: pciback.c,v 1.7.16.1 2016/01/08 21:25:28 snj Exp $ */ /* * Copyright (c) 2009 Manuel Bouyer. @@ -26,7 +26,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: pciback.c,v 1.7 2012/02/02 19:43:01 tls Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pciback.c,v 1.7.16.1 2016/01/08 21:25:28 snj Exp $"); #include "opt_xen.h" @@ -188,6 +188,7 @@ struct pb_xenbus_instance { /* communication with the domU */ unsigned int pbx_evtchn; /* our even channel */ struct xen_pci_sharedinfo *pbx_sh_info; +struct xen_pci_op op; grant_handle_t pbx_shinfo_handle; /* to unmap shared page */ }; @@ -712,13 +713,16 @@ pciback_xenbus_evthandler(void * arg) { struct pb_xenbus_instance *pbxi = arg; struct pciback_pci_dev *pbd; - struct xen_pci_op *op = >pbx_sh_info->op; + struct xen_pci_op *op = >op; u_int bus, dev, func; hypervisor_clear_event(pbxi->pbx_evtchn); if (xen_atomic_test_bit(>pbx_sh_info->flags, _XEN_PCIF_active) == 0) return 0; + + memcpy(op, >pbx_sh_info->op, sizeof (struct xen_pci_op)); + __insn_barrier(); if (op->domain != 0) { aprint_error("pciback: domain %d != 0", op->domain); op->err = XEN_PCI_ERR_dev_not_found; @@ -785,6 +789,8 @@ pciback_xenbus_evthandler(void * arg) aprint_error("pciback: unknown cmd %d\n", op->cmd); op->err = XEN_PCI_ERR_not_implemented; } + pbxi->pbx_sh_info->op.value = op->value; + pbxi->pbx_sh_info->op.err = op->err; end: xen_atomic_clear_bit(>pbx_sh_info->flags, _XEN_PCIF_active); hypervisor_notify_via_evtchn(pbxi->pbx_evtchn); Index: src/sys/arch/xen/xen/xbdback_xenbus.c diff -u
CVS commit: [netbsd-6-1] src/sys/arch/xen/xen
Module Name:src Committed By: msaitoh Date: Mon Nov 16 07:52:12 UTC 2015 Modified Files: src/sys/arch/xen/xen [netbsd-6-1]: xbdback_xenbus.c Log Message: Pull up following revision(s) (requested by bouyer in ticket #1347): sys/arch/xen/xen/xbdback_xenbus.c: revision 1.61 Fix typo which caused the kenrel thread to be created with a 0 priority. This would cause the thread to be almost never scheduled when a userland process could use all CPU. Should fix the problem reported by Torbj?rn Granlund on port-xen@ To generate a diff of this commit: cvs rdiff -u -r1.55.2.1.6.1 -r1.55.2.1.6.2 \ src/sys/arch/xen/xen/xbdback_xenbus.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/xen/xen/xbdback_xenbus.c diff -u src/sys/arch/xen/xen/xbdback_xenbus.c:1.55.2.1.6.1 src/sys/arch/xen/xen/xbdback_xenbus.c:1.55.2.1.6.2 --- src/sys/arch/xen/xen/xbdback_xenbus.c:1.55.2.1.6.1 Thu Nov 7 20:19:40 2013 +++ src/sys/arch/xen/xen/xbdback_xenbus.c Mon Nov 16 07:52:12 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: xbdback_xenbus.c,v 1.55.2.1.6.1 2013/11/07 20:19:40 snj Exp $ */ +/* $NetBSD: xbdback_xenbus.c,v 1.55.2.1.6.2 2015/11/16 07:52:12 msaitoh Exp $ */ /* * Copyright (c) 2006 Manuel Bouyer. @@ -26,7 +26,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xbdback_xenbus.c,v 1.55.2.1.6.1 2013/11/07 20:19:40 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xbdback_xenbus.c,v 1.55.2.1.6.2 2015/11/16 07:52:12 msaitoh Exp $"); #include #include @@ -648,7 +648,7 @@ xbdback_connect(struct xbdback_instance hypervisor_enable_event(xbdi->xbdi_evtchn); hypervisor_notify_via_evtchn(xbdi->xbdi_evtchn); - if (kthread_create(IPL_NONE, KTHREAD_MPSAFE, NULL, + if (kthread_create(PRI_NONE, KTHREAD_MPSAFE, NULL, xbdback_thread, xbdi, NULL, "%s", xbdi->xbdi_name) == 0) return 0;
CVS commit: [netbsd-6-1] src/sys/arch/xen/xen
Module Name:src Committed By: msaitoh Date: Wed May 27 05:56:42 UTC 2015 Modified Files: src/sys/arch/xen/xen [netbsd-6-1]: xenevt.c Log Message: Pull up following revision(s) (requested by bouyer in ticket #1299): sys/arch/xen/xen/xenevt.c: revision 1.42 Fix off by one error, pointed out by Wei Liu in port-xen/49919 To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.39.18.1 src/sys/arch/xen/xen/xenevt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/xen/xen/xenevt.c diff -u src/sys/arch/xen/xen/xenevt.c:1.39 src/sys/arch/xen/xen/xenevt.c:1.39.18.1 --- src/sys/arch/xen/xen/xenevt.c:1.39 Sat Dec 3 22:41:40 2011 +++ src/sys/arch/xen/xen/xenevt.c Wed May 27 05:56:42 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: xenevt.c,v 1.39 2011/12/03 22:41:40 bouyer Exp $ */ +/* $NetBSD: xenevt.c,v 1.39.18.1 2015/05/27 05:56:42 msaitoh Exp $ */ /* * Copyright (c) 2005 Manuel Bouyer. @@ -26,7 +26,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: xenevt.c,v 1.39 2011/12/03 22:41:40 bouyer Exp $); +__KERNEL_RCSID(0, $NetBSD: xenevt.c,v 1.39.18.1 2015/05/27 05:56:42 msaitoh Exp $); #include opt_xen.h #include sys/param.h @@ -479,7 +479,7 @@ xenevt_fwrite(struct file *fp, off_t *of if (uio-uio_resid == 0) return (0); nentries = uio-uio_resid / sizeof(uint16_t); - if (nentries NR_EVENT_CHANNELS) + if (nentries = NR_EVENT_CHANNELS) return EMSGSIZE; chans = kmem_alloc(nentries * sizeof(uint16_t), KM_SLEEP); if (chans == NULL) @@ -572,7 +572,7 @@ xenevt_fioctl(struct file *fp, u_long cm { struct ioctl_evtchn_unbind *unbind = addr; - if (unbind-port NR_EVENT_CHANNELS) + if (unbind-port = NR_EVENT_CHANNELS) return EINVAL; mutex_enter(devevent_lock); if (devevent[unbind-port] != d) { @@ -593,7 +593,7 @@ xenevt_fioctl(struct file *fp, u_long cm { struct ioctl_evtchn_notify *notify = addr; - if (notify-port NR_EVENT_CHANNELS) + if (notify-port = NR_EVENT_CHANNELS) return EINVAL; mutex_enter(devevent_lock); if (devevent[notify-port] != d) {
CVS commit: [netbsd-6-1] src/sys/arch/xen/xen
Module Name:src Committed By: riz Date: Tue Dec 17 22:40:15 UTC 2013 Modified Files: src/sys/arch/xen/xen [netbsd-6-1]: evtchn.c Log Message: Pull up following revision(s) (requested by bouyer in ticket #995): sys/arch/xen/xen/evtchn.c: revision 1.70 Remove the evtchn_do_event: handler %p didn't lower ipl %d %d\n printf. With help from Robert Elz we've finally figured out what's going on, and it actually isn't a bug in the handler, but related to spin mutexes. When a spin mutex is released, the IPL isn't lowered back if the curcpu is holding other spin mutexes. This is because mutexes may not be released in order (and, in this case, the CPU in interrupted while it holds a spin mutex at IPL IPL_SCHED). Also remove the test and resetting the IPL, it will be reset anyway inside the loop, or at the end of the loop. To generate a diff of this commit: cvs rdiff -u -r1.62 -r1.62.10.1 src/sys/arch/xen/xen/evtchn.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/xen/xen/evtchn.c diff -u src/sys/arch/xen/xen/evtchn.c:1.62 src/sys/arch/xen/xen/evtchn.c:1.62.10.1 --- src/sys/arch/xen/xen/evtchn.c:1.62 Sun Feb 12 14:24:08 2012 +++ src/sys/arch/xen/xen/evtchn.c Tue Dec 17 22:40:15 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: evtchn.c,v 1.62 2012/02/12 14:24:08 jym Exp $ */ +/* $NetBSD: evtchn.c,v 1.62.10.1 2013/12/17 22:40:15 riz Exp $ */ /* * Copyright (c) 2006 Manuel Bouyer. @@ -54,7 +54,7 @@ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: evtchn.c,v 1.62 2012/02/12 14:24:08 jym Exp $); +__KERNEL_RCSID(0, $NetBSD: evtchn.c,v 1.62.10.1 2013/12/17 22:40:15 riz Exp $); #include opt_xen.h #include isa.h @@ -347,13 +347,6 @@ splx: ih_fun = (void *)ih-ih_fun; ih_fun(ih-ih_arg, regs); cli(); - if (ci-ci_ilevel != i) { - printf(evtchn_do_event: - handler %p didn't lower - ipl %d %d\n, - ih_fun, ci-ci_ilevel, i); - ci-ci_ilevel = i; - } } hypervisor_enable_ipl(i); /* more pending IPLs may have been registered */
CVS commit: [netbsd-6-1] src/sys/arch/xen/xen
Module Name:src Committed By: snj Date: Thu Nov 7 20:19:40 UTC 2013 Modified Files: src/sys/arch/xen/xen [netbsd-6-1]: xbdback_xenbus.c Log Message: Pull up following revision(s) (requested by bouyer in ticket #974): sys/arch/xen/xen/xbdback_xenbus.c: revision 1.58 Add more XENPRINTF() to xbdback_connect() in xbdback_backend_changed(), fix memory leak. Do not free an uninitialized pointer in xbdback_connect(). Should fix hypervisor or dom0 reboot when using windows PV drivers, as reported by several users on port-xen. To generate a diff of this commit: cvs rdiff -u -r1.55.2.1 -r1.55.2.1.6.1 src/sys/arch/xen/xen/xbdback_xenbus.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/xen/xen/xbdback_xenbus.c diff -u src/sys/arch/xen/xen/xbdback_xenbus.c:1.55.2.1 src/sys/arch/xen/xen/xbdback_xenbus.c:1.55.2.1.6.1 --- src/sys/arch/xen/xen/xbdback_xenbus.c:1.55.2.1 Tue Jun 5 15:36:00 2012 +++ src/sys/arch/xen/xen/xbdback_xenbus.c Thu Nov 7 20:19:40 2013 @@ -1,4 +1,4 @@ -/* $NetBSD: xbdback_xenbus.c,v 1.55.2.1 2012/06/05 15:36:00 jdc Exp $ */ +/* $NetBSD: xbdback_xenbus.c,v 1.55.2.1.6.1 2013/11/07 20:19:40 snj Exp $ */ /* * Copyright (c) 2006 Manuel Bouyer. @@ -26,7 +26,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: xbdback_xenbus.c,v 1.55.2.1 2012/06/05 15:36:00 jdc Exp $); +__KERNEL_RCSID(0, $NetBSD: xbdback_xenbus.c,v 1.55.2.1.6.1 2013/11/07 20:19:40 snj Exp $); #include sys/atomic.h #include sys/buf.h @@ -531,6 +531,7 @@ xbdback_connect(struct xbdback_instance const char *proto; struct xenbus_device *xbusd = xbdi-xbdi_xbusd; + XENPRINTF((xbdback %s: connect\n, xbusd-xbusd_path)); /* read comunication informations */ err = xenbus_read_ul(NULL, xbusd-xbusd_otherend, ring-ref, ring_ref, 10); @@ -539,6 +540,7 @@ xbdback_connect(struct xbdback_instance xbusd-xbusd_otherend); return -1; } + XENPRINTF((xbdback %s: connect ring-ref %lu\n, xbusd-xbusd_path, ring_ref)); err = xenbus_read_ul(NULL, xbusd-xbusd_otherend, event-channel, revtchn, 10); if (err) { @@ -546,12 +548,15 @@ xbdback_connect(struct xbdback_instance xbusd-xbusd_otherend); return -1; } + XENPRINTF((xbdback %s: connect revtchn %lu\n, xbusd-xbusd_path, revtchn)); err = xenbus_read(NULL, xbusd-xbusd_otherend, protocol, len, xsproto); if (err) { xbdi-xbdi_proto = XBDIP_NATIVE; proto = unspecified; + XENPRINTF((xbdback %s: connect no xsproto\n, xbusd-xbusd_path)); } else { + XENPRINTF((xbdback %s: connect xsproto %s\n, xbusd-xbusd_path, xsproto)); if (strcmp(xsproto, XEN_IO_PROTO_ABI_NATIVE) == 0) { xbdi-xbdi_proto = XBDIP_NATIVE; proto = XEN_IO_PROTO_ABI_NATIVE; @@ -567,8 +572,8 @@ xbdback_connect(struct xbdback_instance free(xsproto, M_DEVBUF); return -1; } + free(xsproto, M_DEVBUF); } - free(xsproto, M_DEVBUF); /* allocate VA space and map rings */ xbdi-xbdi_ring_va = uvm_km_alloc(kernel_map, PAGE_SIZE, 0, @@ -578,6 +583,7 @@ xbdback_connect(struct xbdback_instance can't get VA for ring, xbusd-xbusd_otherend); return -1; } + XENPRINTF((xbdback %s: connect va 0x% PRIxVADDR \n, xbusd-xbusd_path, xbdi-xbdi_ring_va)); grop.host_addr = xbdi-xbdi_ring_va; grop.flags = GNTMAP_host_map; @@ -593,6 +599,7 @@ xbdback_connect(struct xbdback_instance goto err; } xbdi-xbdi_ring_handle = grop.handle; + XENPRINTF((xbdback %s: connect grhandle %d\n, xbusd-xbusd_path, grop.handle)); switch(xbdi-xbdi_proto) { case XBDIP_NATIVE: @@ -627,6 +634,7 @@ xbdback_connect(struct xbdback_instance can't bind event channel, xbusd-xbusd_otherend); goto err2; } + XENPRINTF((xbdback %s: connect evchannel %d\n, xbusd-xbusd_path, xbdi-xbdi_evtchn)); xbdi-xbdi_evtchn = evop.u.bind_interdomain.local_port; event_set_handler(xbdi-xbdi_evtchn, xbdback_evthandler, @@ -766,6 +774,7 @@ xbdback_backend_changed(struct xenbus_wa xbdi-xbdi_ro = false; else xbdi-xbdi_ro = true; + free(mode, M_DEVBUF); major = major(xbdi-xbdi_dev); devname = devsw_blk2name(major); if (devname == NULL) {