flight 14562 xen-4.1-testing real [real] http://www.chiark.greenend.org.uk/~xensrcts/logs/14562/ Regressions :-( Tests which did not succeed and are blocking, including tests which could not be run: test-amd64-i386-xl-qemut-winxpsp3-vcpus1 12 guest-localmigrate/x10 fail REGR. vs. 14484 Regressions which are regarded as allowable (not blocking): test-amd64-amd64-xl-pcipt-intel 8 debian-fixup fail like 14484 test-amd64-amd64-xl-sedf 14 guest-localmigrate/x10 fail like 14484 Tests which did not succeed, but are not blocking: test-amd64-i386-qemuu-rhel6hvm-amd 11 leak-check/check fail never pass test-amd64-i386-qemut-rhel6hvm-amd 11 leak-check/check fail never pass test-amd64-i386-qemuu-rhel6hvm-intel 11 leak-check/check fail never pass test-amd64-i386-qemut-rhel6hvm-intel 11 leak-check/check fail never pass test-amd64-i386-rhel6hvm-intel 11 leak-check/check fail never pass test-amd64-i386-rhel6hvm-amd 11 leak-check/check fail never pass test-amd64-amd64-win 16 leak-check/check fail never pass test-amd64-i386-xl-qemut-win7-amd64 13 guest-stop fail never pass test-i386-i386-qemut-win 16 leak-check/check fail never pass test-i386-i386-xl-qemut-win 13 guest-stop fail never pass test-i386-i386-xl-win 13 guest-stop fail never pass test-i386-i386-win 16 leak-check/check fail never pass test-amd64-i386-xend-qemut-winxpsp3 16 leak-check/check fail never pass test-amd64-i386-xl-qemut-win-vcpus1 13 guest-stop fail never pass test-amd64-amd64-xl-qemuu-win7-amd64 13 guest-stop fail never pass test-amd64-amd64-xl-qemut-win7-amd64 13 guest-stop fail never pass test-amd64-amd64-xl-win7-amd64 13 guest-stop fail never pass test-amd64-i386-qemut-win-vcpus1 16 leak-check/check fail never pass test-amd64-amd64-xl-winxpsp3 13 guest-stop fail never pass test-amd64-i386-xl-win-vcpus1 13 guest-stop fail never pass test-amd64-i386-xl-win7-amd64 13 guest-stop fail never pass test-amd64-i386-win-vcpus1 16 leak-check/check fail never pass test-amd64-i386-xl-winxpsp3-vcpus1 13 guest-stop fail never pass test-amd64-i386-xend-winxpsp3 16 leak-check/check fail never pass test-amd64-i386-win 16 leak-check/check fail never pass test-amd64-amd64-xl-win 13 guest-stop fail never pass test-amd64-amd64-xl-qemut-win 13 guest-stop fail never pass test-amd64-amd64-qemut-win 16 leak-check/check fail never pass test-amd64-i386-qemut-win 16 leak-check/check fail never pass test-i386-i386-xl-winxpsp3 13 guest-stop fail never pass test-i386-i386-xl-qemut-winxpsp3 13 guest-stop fail never pass test-amd64-amd64-xl-qemut-winxpsp3 13 guest-stop fail never pass test-amd64-amd64-xl-qemuu-winxpsp3 13 guest-stop fail never pass test-i386-i386-xl-qemuu-winxpsp3 13 guest-stop fail never pass version targeted for testing: xen a8a9e1c126ea baseline version: xen d89986111f0c ------------------------------------------------------------ People who touched revisions under test: George Dunlap <george.dunlap@eu.citrix.com> Ian Campbell <ian.campbell@citrix.com> Ian Jackson <ian.jackson.citrix.com> Ian Jackson <ian.jackson@eu.citrix.com> Jan Beulich <jbeulich@suse.com> Keir Fraser <keir@xen.org> Tim Deegan <tim@xen.org> ------------------------------------------------------------ jobs: build-amd64 pass build-i386 pass build-amd64-oldkern pass build-i386-oldkern pass build-amd64-pvops pass build-i386-pvops pass test-amd64-amd64-xl pass test-amd64-i386-xl pass test-i386-i386-xl pass test-amd64-i386-rhel6hvm-amd fail test-amd64-i386-qemut-rhel6hvm-amd fail test-amd64-i386-qemuu-rhel6hvm-amd fail test-amd64-amd64-xl-qemut-win7-amd64 fail test-amd64-i386-xl-qemut-win7-amd64 fail test-amd64-amd64-xl-qemuu-win7-amd64 fail test-amd64-amd64-xl-win7-amd64 fail test-amd64-i386-xl-win7-amd64 fail test-amd64-i386-xl-credit2 pass test-amd64-amd64-xl-pcipt-intel fail test-amd64-i386-rhel6hvm-intel fail test-amd64-i386-qemut-rhel6hvm-intel fail test-amd64-i386-qemuu-rhel6hvm-intel fail test-amd64-i386-xl-multivcpu pass test-amd64-amd64-pair pass test-amd64-i386-pair pass test-i386-i386-pair pass test-amd64-amd64-xl-sedf-pin pass test-amd64-amd64-pv pass test-amd64-i386-pv pass test-i386-i386-pv pass test-amd64-amd64-xl-sedf fail test-amd64-i386-win-vcpus1 fail test-amd64-i386-qemut-win-vcpus1 fail test-amd64-i386-xl-qemut-win-vcpus1 fail test-amd64-i386-xl-win-vcpus1 fail test-amd64-i386-xl-qemut-winxpsp3-vcpus1 fail test-amd64-i386-xl-winxpsp3-vcpus1 fail test-amd64-amd64-win fail test-amd64-i386-win fail test-i386-i386-win fail test-amd64-amd64-qemut-win fail test-amd64-i386-qemut-win fail test-i386-i386-qemut-win fail test-amd64-amd64-xl-qemut-win fail test-i386-i386-xl-qemut-win fail test-amd64-amd64-xl-win fail test-i386-i386-xl-win fail test-amd64-i386-xend-qemut-winxpsp3 fail test-amd64-amd64-xl-qemut-winxpsp3 fail test-i386-i386-xl-qemut-winxpsp3 fail test-amd64-amd64-xl-qemuu-winxpsp3 fail test-i386-i386-xl-qemuu-winxpsp3 fail test-amd64-i386-xend-winxpsp3 fail test-amd64-amd64-xl-winxpsp3 fail test-i386-i386-xl-winxpsp3 fail ------------------------------------------------------------ sg-report-flight on woking.cam.xci-test.com logs: /home/xc_osstest/logs images: /home/xc_osstest/images Logs, config files, etc. are available at http://www.chiark.greenend.org.uk/~xensrcts/logs Test harness code can be found at http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary Not pushing. ------------------------------------------------------------ changeset: 23421:a8a9e1c126ea tag: tip user: Jan Beulich <jbeulich@suse.com> date: Tue Dec 04 18:50:03 2012 +0000 memop: limit guest specified extent order Allowing unbounded order values here causes almost unbounded loops and/or partially incomplete requests, particularly in PoD code. The added range checks in populate_physmap(), decrease_reservation(), and the "in" one in memory_exchange() architecturally all could use PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to MAX_ORDER. This is XSA-31 / CVE-2012-5515. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson.citrix.com> changeset: 23420:cadc212c8ef3 user: Jan Beulich <jbeulich@suse.com> date: Tue Dec 04 18:50:01 2012 +0000 xen: fix error handling of guest_physmap_mark_populate_on_demand() The only user of the "out" label bypasses a necessary unlock, thus enabling the caller to lock up Xen. Also, the function was never meant to be called by a guest for itself, so rather than inspecting the code paths in depth for potential other problems this might cause, and adjusting e.g. the non-guest printk() in the above error path, just disallow the guest access to it. Finally, the printk() (considering its potential of spamming the log, the more that it''s not using XENLOG_GUEST), is being converted to P2M_DEBUG(), as debugging is what it apparently was added for in the first place. This is XSA-30 / CVE-2012-5514. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: George Dunlap <george.dunlap@eu.citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson.citrix.com> changeset: 23419:f81286b3be32 user: Jan Beulich <jbeulich@suse.com> date: Tue Dec 04 18:49:56 2012 +0000 xen: add missing guest address range checks to XENMEM_exchange handlers Ever since its existence (3.0.3 iirc) the handler for this has been using non address range checking guest memory accessors (i.e. the ones prefixed with two underscores) without first range checking the accessed space (via guest_handle_okay()), allowing a guest to access and overwrite hypervisor memory. This is XSA-29 / CVE-2012-5513. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson.citrix.com> changeset: 23418:e7c8ffa11596 user: Jan Beulich <jbeulich@suse.com> date: Tue Dec 04 18:49:53 2012 +0000 x86/HVM: range check xen_hvm_set_mem_access.hvmmem_access before use Otherwise an out of bounds array access can happen if changing the default access is being requested, which - if it doesn''t crash Xen - would subsequently allow reading arbitrary memory through HVMOP_get_mem_access (again, unless that operation crashes Xen). This is XSA-28 / CVE-2012-5512. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org> Acked-by: Ian Campbell <ian.campbell@citrix.com> Committed-by: Ian Jackson <ian.jackson.citrix.com> changeset: 23417:53ef1f35a0f8 user: Tim Deegan <tim@xen.org> date: Tue Dec 04 18:49:49 2012 +0000 hvm: Limit the size of large HVM op batches Doing large p2m updates for HVMOP_track_dirty_vram without preemption ties up the physical processor. Integrating preemption into the p2m updates is hard so simply limit to 1GB which is sufficient for a 15000 * 15000 * 32bpp framebuffer. For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the necessary machinery to handle preemption. This is CVE-2012-5511 / XSA-27. Signed-off-by: Tim Deegan <tim@xen.org> Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson.citrix.com> x86/paging: Don''t allocate user-controlled amounts of stack memory. This is XSA-27 / CVE-2012-5511. Signed-off-by: Tim Deegan <tim@xen.org> Acked-by: Jan Beulich <jbeulich@suse.com> v2: Provide definition of GB to fix x86-32 compile. Signed-off-by: Jan Beulich <JBeulich@suse.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> changeset: 23416:7172203aec98 user: Jan Beulich <jbeulich@suse.com> date: Tue Dec 04 18:49:42 2012 +0000 gnttab: fix releasing of memory upon switches between versions gnttab_unpopulate_status_frames() incompletely freed the pages previously used as status frame in that they did not get removed from the domain''s xenpage_list, thus causing subsequent list corruption when those pages did get allocated again for the same or another purpose. Similarly, grant_table_create() and gnttab_grow_table() both improperly clean up in the event of an error - pages already shared with the guest can''t be freed by just passing them to free_xenheap_page(). Fix this by sharing the pages only after all allocations succeeded. This is CVE-2012-5510 / XSA-26. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Committed-by: Ian Jackson <ian.jackson.citrix.com> changeset: 23415:d89986111f0c user: Jan Beulich <jbeulich@suse.com> date: Tue Nov 27 13:28:36 2012 +0100 x86/time: fix scale_delta() inline assembly The way it was coded, it clobbered %rdx without telling the compiler. This generally didn''t cause any problems except when there are two back to back invocations (as in plt_overflow()), as in that case the compiler may validly assume that it can re-use for the second instance the value loaded into %rdx before the first one. Once at it, also properly relax the second operand of "mul" (there''s no need for it to be in %rdx, or a register at all), and switch away from using explicit register names in the instruction operands. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org> xen-unstable changeset: 26188:16bf7f3069a7 xen-unstable date: Mon Nov 26 16:20:39 UTC 2012 (qemu changes not included)