flight 22359 xen-4.3-testing real [real] http://www.chiark.greenend.org.uk/~xensrcts/logs/22359/ Regressions :-( Tests which did not succeed and are blocking, including tests which could not be run: test-armhf-armhf-xl 4 xen-install fail REGR. vs. 22298 Tests which did not succeed, but are not blocking: test-amd64-amd64-xl-pcipt-intel 9 guest-start fail never pass test-amd64-amd64-xl-qemuu-win7-amd64 13 guest-stop fail never pass test-amd64-i386-xend-winxpsp3 16 leak-check/check fail never pass test-amd64-i386-xl-win7-amd64 13 guest-stop fail never pass test-amd64-i386-xl-qemut-win7-amd64 13 guest-stop fail never pass test-amd64-amd64-xl-win7-amd64 13 guest-stop fail never pass test-amd64-i386-xl-winxpsp3-vcpus1 13 guest-stop fail never pass test-amd64-i386-xl-qemut-winxpsp3-vcpus1 13 guest-stop fail never pass test-amd64-i386-xend-qemut-winxpsp3 16 leak-check/check fail never pass test-amd64-amd64-xl-qemut-winxpsp3 13 guest-stop fail never pass test-amd64-amd64-xl-qemut-win7-amd64 13 guest-stop fail never pass test-amd64-amd64-xl-qemuu-winxpsp3 13 guest-stop fail never pass test-amd64-amd64-xl-winxpsp3 13 guest-stop fail never pass version targeted for testing: xen 68903c912ebf25843bae8ce372f4c875681be824 baseline version: xen 922dc04b354fdf45dfd176552098853c79e3033a ------------------------------------------------------------ People who touched revisions under test: Andrew Cooper <andrew.cooper3@citrix.com> Daniel Kiper <daniel.kiper@oracle.com> Eddie Dong <eddie.dong@intel.com> Feng Wu <feng.wu@intel.com> Ian Campbell <ian.campbell@citrix.com> Jan Beulich <jbeulich@suse.com> Jean-Yves Migeon <jym@NetBSD.org> Jun Nakajima <jun.nakajima@intel.com> Keir Fraser <keir@xen.org> Liu Jinsong <jinsong.liu@intel.com> Matthew Daley <mattd@bugfuzz.com> Tim Deegan <tim@xen.org> Yang Zhang <yang.z.zhang@Intel.com> ------------------------------------------------------------ jobs: build-amd64 pass build-armhf pass build-i386 pass build-amd64-oldkern pass build-i386-oldkern pass build-amd64-pvops pass build-armhf-pvops pass build-i386-pvops pass test-amd64-amd64-xl pass test-armhf-armhf-xl fail test-amd64-i386-xl pass test-amd64-i386-rhel6hvm-amd pass test-amd64-i386-qemut-rhel6hvm-amd pass test-amd64-i386-qemuu-rhel6hvm-amd pass test-amd64-i386-freebsd10-amd64 pass test-amd64-amd64-xl-qemut-win7-amd64 fail test-amd64-i386-xl-qemut-win7-amd64 fail test-amd64-amd64-xl-qemuu-win7-amd64 fail test-amd64-amd64-xl-win7-amd64 fail test-amd64-i386-xl-win7-amd64 fail test-amd64-i386-xl-credit2 pass test-amd64-i386-freebsd10-i386 pass test-amd64-amd64-xl-pcipt-intel fail test-amd64-i386-rhel6hvm-intel pass test-amd64-i386-qemut-rhel6hvm-intel pass test-amd64-i386-qemuu-rhel6hvm-intel pass test-amd64-i386-xl-multivcpu pass test-amd64-amd64-pair pass test-amd64-i386-pair pass test-amd64-amd64-xl-sedf-pin pass test-amd64-amd64-pv pass test-amd64-i386-pv pass test-amd64-amd64-xl-sedf pass test-amd64-i386-xl-qemut-winxpsp3-vcpus1 fail test-amd64-i386-xl-winxpsp3-vcpus1 fail test-amd64-i386-xend-qemut-winxpsp3 fail test-amd64-amd64-xl-qemut-winxpsp3 fail test-amd64-amd64-xl-qemuu-winxpsp3 fail test-amd64-i386-xend-winxpsp3 fail test-amd64-amd64-xl-winxpsp3 fail ------------------------------------------------------------ sg-report-flight on woking.cam.xci-test.com logs: /home/xc_osstest/logs images: /home/xc_osstest/images Logs, config files, etc. are available at http://www.chiark.greenend.org.uk/~xensrcts/logs Test harness code can be found at http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary Not pushing. ------------------------------------------------------------ commit 68903c912ebf25843bae8ce372f4c875681be824 Author: Andrew Cooper <andrew.cooper3@citrix.com> Date: Mon Dec 9 14:34:24 2013 +0100 x86/boot: fix BIOS memory corruption on certain IBM systems IBM System x3530 M4 BIOSes (including the latest available at the time of this patch) will corrupt a byte at physical address 0x105ff1 to the value of 0x86 if %esp has the value 0x00080000 when issuing an `int $0x15 (ax=0xec00)` to inform the system about our intended operating mode. Xen gets unhappy when the bootloader has placed it''s .text section in over this specific region of RAM. After dropping into 16bit mode, clear all 32 bits of %esp, and for the BIOS call already documented to be affected by BIOS bugs clear all GPRs. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Keir Fraser <keir@xen.org> Release-acked-by: George Dunlap <george.dunlap@eu.citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> master commit: 1ed76797439e384de18fcd6810bd4743d4f38b1e master date: 2013-12-06 11:28:00 +0100 commit 6a64987e1176e69eadfa91b9be23479991e6aeb5 Author: Yang Zhang <yang.z.zhang@Intel.com> Date: Mon Dec 9 14:33:33 2013 +0100 Nested VMX: CR emulation fix up This patch fixs two issues: 1. The CR_READ_SHADOW should only cover the value that L2 wirtes to CR when L2 is running. But currently, L0 wirtes wrong value to it during virtual vmentry and L2''s CR access emualtion. 2. L2 changed cr[0/4] in a way that did not change any of L1''s shadowed bits, but did change L0 shadowed bits. In this case, the effective cr[0/4] value that L1 would like to write into the hardware is consist of the L2-owned bits from the new value combined with the L1-owned bits from L1''s guest cr[0/4]. Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com> master commit: ef17e127c4111d8e01fe208495d83d15e8834cce master date: 2013-12-06 11:08:20 +0100 commit cd279948564daedb4e19673f50e71729e01f39c2 Author: Daniel Kiper <daniel.kiper@oracle.com> Date: Mon Dec 9 14:32:54 2013 +0100 x86: fix early boot command line parsing There is no reliable way to encode NUL character as a character so encode it as a number. Read: http://sourceware.org/binutils/docs/as/Characters.html. Octal and hex encoding do not work on at least one system (GNU assembler version 2.22 (x86_64-linux-gnu) using BFD version (GNU Binutils for Debian) 2.22). Without this fix e.g. no-real-mode option at the end of xen.gz command line is not detected. Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Keir Fraser <keir@xen.org> master commit: dc37e0bfffc673f4bdce1d69ad86098bfb0ab531 master date: 2013-12-04 13:26:37 +0100 commit 5fff433162d9b48c3bb94f2b453f45176a39eb5f Author: Jan Beulich <jbeulich@suse.com> Date: Mon Dec 9 14:32:16 2013 +0100 nested VMX: fix I/O port exit emulation For multi-byte operations all affected ports'' bits in the bitmap need to be checked, not just the first port''s one. Reported-by: Matthew Daley <mattd@bugfuzz.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Eddie Dong <eddie.dong@intel.com> master commit: e1978480c76e36bc22ec12657121ac91d08aca6b master date: 2013-12-04 13:23:27 +0100 commit 82008c842e6fb015606541e92bff7b0db5537591 Author: Jan Beulich <jbeulich@suse.com> Date: Mon Dec 9 14:31:40 2013 +0100 fix locking in offline_page() Coverity ID 1055655 Apart from the Coverity-detected lock order reversal (a domain''s page_alloc_lock taken with the heap lock already held), calling put_page() with heap_lock is a bad idea too (as a possible descendant from put_page() is free_heap_pages(), which wants to take this very lock). From all I can tell the region over which heap_lock was held was far too large: All we need to protect are the call to mark_page_offline() and reserve_heap_page() (and I''d even put under question the need for the former). Hence by slightly re-arranging the if/else-if chain we can drop the lock much earlier, at once no longer covering the two put_page() invocations. Once at it, do a little bit of other cleanup: Put the "pod_replace" code path inline rather than at its own label, and drop the effectively unused variable "ret". Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: Keir Fraser <keir@xen.org> master commit: d4837a56da4a59259dd0cf9f3bdc073159d81d7a master date: 2013-12-03 12:40:57 +0100 commit e45bf29ad84a6cb4a0a8f47f5efaaff61a288211 Author: Matthew Daley <mattd@bugfuzz.com> Date: Mon Dec 9 14:31:02 2013 +0100 nested vmx: fix I/O port bitmap indexing arithmetic The I/O port bitmap holds 8 ports per element, and hence the port number used when indexing into it should be shifted right by 3 bits, not 4. Signed-off-by: Matthew Daley <mattd@bugfuzz.com> Reviewed-by: Yang Zhang <yang.z.zhang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com> master commit: b80e4583501904297d2ff5b0f905e68f81f8f2c9 master date: 2013-12-03 09:51:54 +0100 commit b3a75d8a744a01200c4dff2e46b69595d80bb496 Author: Jean-Yves Migeon <jym@NetBSD.org> Date: Mon Dec 9 14:30:29 2013 +0100 Fix ptr calculation when converting from a VA The ptr calculation shall take the offset into the page into account when ptr is valid. Reported regression on NetBSD''s port-xen with last known working libxen being rev 2.9. This corrupts the kernel symbol table when the table is not loaded on a page boundary. Issue was tracked down by FastIce and Jeff Rizzo. See also http://mail-index.netbsd.org/port-xen/2013/10/16/msg008088.html Signed-off-by: Jean-Yves Migeon <jym@NetBSD.org> Reviewed-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> master commit: cb08944a482a5e80a3ff1113f0735761cc4c6cb8 master date: 2013-11-29 11:07:01 +0000 commit 3014b79dcd8d6c9e75bf4918fb916bf89954c779 Author: Feng Wu <feng.wu@intel.com> Date: Mon Dec 9 14:29:39 2013 +0100 x86: properly handle MSI-X unmask operation from guests For a pass-through device with MSI-x capability, when guest tries to unmask the MSI-x interrupt for the passed through device, xen doesn''t clear the mask bit for MSI-x in hardware in the following scenario, which will cause network disconnection: 1. Guest masks the MSI-x interrupt 2. Guest updates the address and data for it 3. Guest unmasks the MSI-x interrupt (This is the problematic step) In the step #3 above, Xen doesn''t handle it well. When guest tries to unmask MSI-X interrupt, it traps to Xen, Xen just returns to Qemu if it notices that address or data has been modified by guest before, then Qemu will update Xen with the latest value of address/data by hypercall. However, in this whole process, the MSI-X interrupt unmask operation is missing, which means Xen doesn''t clear the mask bit in hardware for the MSI-X interrupt, so it remains disabled, that is why it loses the network connection. This patch fixes this issue. Signed-off-by: Feng Wu <feng.wu@intel.com> Only latch the address if the guest really is unmasking the entry. Clean up the entire change. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> master commit: 74fd0036deb585a139b63b26db025805ecedc37a master date: 2013-11-27 15:15:43 +0100 commit 32abacd714b04e6167450b76341966d48187e4ad Author: Tim Deegan <tim@xen.org> Date: Mon Dec 9 14:28:06 2013 +0100 x86/hvm: fix segment validation Also Coverity CID 1055180. Reported-by: David Binderman <dcb314@hotmail.com> Signed-off-by: Tim Deegan <tim@xen.org> Use _SEGMENT_* instead of plain numbers and adjust a comment. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> master commit: 6ed4bfbabd487b41021caa7ed03cee1f00ecbabf master date: 2013-11-26 09:54:21 +0100 commit 064275dcfb6002dc4327ba94b6bd758806735538 Author: Liu Jinsong <jinsong.liu@intel.com> Date: Mon Dec 9 14:27:04 2013 +0100 VMX: fix cr0.cd handling This patch solves XSA-60 security hole: 1. For guest w/o VT-d, and for guest with VT-d but snooped, Xen need do nothing, since hardware snoop mechanism has ensured cache coherency. 2. For guest with VT-d but non-snooped, cache coherency can not be guaranteed by h/w snoop, therefore it need emulate UC type to guest: 2.1). if it works w/ Intel EPT, set guest IA32_PAT fields as UC so that guest memory type are all UC. 2.2). if it works w/ shadow, drop all shadows so that any new ones would be created on demand w/ UC. This patch also fix a bug of shadow cr0.cd setting. Current shadow has a small window between cache flush and TLB invalidation, resulting in possilbe cache pollution. This patch pause vcpus so that no vcpus context involved into the window. This is CVE-2013-2212 / XSA-60. Signed-off-by: Liu Jinsong <jinsong.liu@intel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Tim Deegan <tim@xen.org> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jun Nakajima <jun.nakajima@intel.com> Acked-by: Keir Fraser <keir@xen.org> master commit: 62652c00efa55fb45374bcc92f7d96fc411aebb2 master date: 2013-11-06 10:12:36 +0100 commit e81d0ac25464825b3828cff5dc9e8285612992c4 Author: Liu Jinsong <jinsong.liu@intel.com> Date: Mon Dec 9 14:26:03 2013 +0100 VMX: remove the problematic set_uc_mode logic XSA-60 security hole comes from the problematic vmx_set_uc_mode. This patch remove vmx_set_uc_mode logic, which will be replaced by PAT approach at later patch. This is CVE-2013-2212 / XSA-60. Signed-off-by: Liu Jinsong <jinsong.liu@intel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: Jun Nakajima <jun.nakajima@intel.com> master commit: 1c84d046735102e02d2df454ab07f14ac51f235d master date: 2013-11-06 10:12:00 +0100 commit 72380ecbcd9f870db1c60e698c9df71bdea6d819 Author: Liu Jinsong <jinsong.liu@intel.com> Date: Mon Dec 9 14:24:20 2013 +0100 VMX: disable EPT when !cpu_has_vmx_pat Recently Oracle developers found a Xen security issue as DOS affecting, named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html Basically it involves how to handle guest cr0.cd setting, which under some environment it consumes much time resulting in DOS-like behavior. This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60 via PAT under Intel EPT case, which depends on cpu_has_vmx_pat. This is CVE-2013-2212 / XSA-60. Signed-off-by: Liu Jinsong <jinsong.liu@intel.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Tim Deegan <tim@xen.org> Acked-by: Jun Nakajima <jun.nakajima@intel.com> master commit: c13b0d65ddedd74508edef5cd66defffe30468fc master date: 2013-11-06 10:11:18 +0100 (qemu changes not included)