[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.12] xen: Use guest atomics helpers when modifying atomically guest memory
commit 497f924b205260cd8ecd3564fa8153051f50dedb Author: Julien Grall <julien.grall@xxxxxxx> AuthorDate: Mon Apr 29 15:05:28 2019 +0100 Commit: Julien Grall <julien.grall@xxxxxxx> CommitDate: Fri Jun 14 14:32:19 2019 +0100 xen: Use guest atomics helpers when modifying atomically guest memory On Arm, exclusive load-store atomics should only be used between trusted thread. As not all the guests are trusted, it may be possible to DoS Xen when updating shared memory with guest atomically. This patch replaces all the atomics operations on shared memory with a guest by the new guest atomics helpers. The x86 code was not audited to know where guest atomics helpers could be used. I will leave that to the x86 folks. Note that some rework was required in order to plumb use the new guest atomics in event channel and grant-table. Because guest_test_bit is ignoring the parameter "d" for now, it means there a lot of places do not need to drop the const. We may want to revisit this in the future if the parameter "d" becomes necessary. This is part of XSA-295. Signed-off-by: Julien Grall <julien.grall@xxxxxxx> Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> --- xen/arch/arm/domain.c | 3 +- xen/arch/arm/mm.c | 6 ++-- xen/common/event_2l.c | 26 +++++++++-------- xen/common/event_fifo.c | 44 +++++++++++++++-------------- xen/common/grant_table.c | 59 +++++++++++++++++++++------------------ xen/include/asm-arm/grant_table.h | 2 +- xen/include/asm-x86/grant_table.h | 3 +- 7 files changed, 79 insertions(+), 64 deletions(-) diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c index 6dc633ed50..c3d9d42ada 100644 --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c @@ -27,6 +27,7 @@ #include <asm/event.h> #include <asm/gic.h> #include <asm/guest_access.h> +#include <asm/guest_atomics.h> #include <asm/irq.h> #include <asm/p2m.h> #include <asm/platform.h> @@ -1017,7 +1018,7 @@ void arch_dump_vcpu_info(struct vcpu *v) void vcpu_mark_events_pending(struct vcpu *v) { - int already_pending = test_and_set_bit( + bool already_pending = guest_test_and_set_bit(v->domain, 0, (unsigned long *)&vcpu_info(v, evtchn_upcall_pending)); if ( already_pending ) diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c index 01ae2cccc0..3a7cfb1b50 100644 --- a/xen/arch/arm/mm.c +++ b/xen/arch/arm/mm.c @@ -40,6 +40,8 @@ #include <xen/pfn.h> #include <xen/sizes.h> #include <xen/libfdt/libfdt.h> + +#include <asm/guest_atomics.h> #include <asm/setup.h> struct domain *dom_xen, *dom_io, *dom_cow; @@ -1380,7 +1382,7 @@ void put_page_type(struct page_info *page) return; } -void gnttab_clear_flag(unsigned long nr, uint16_t *addr) +void gnttab_clear_flag(struct domain *d, unsigned long nr, uint16_t *addr) { /* * Note that this cannot be clear_bit(), as the access must be @@ -1390,7 +1392,7 @@ void gnttab_clear_flag(unsigned long nr, uint16_t *addr) do { old = *addr; - } while (cmpxchg(addr, old, old & mask) != old); + } while (guest_cmpxchg(d, addr, old, old & mask) != old); } void gnttab_mark_dirty(struct domain *d, mfn_t mfn) diff --git a/xen/common/event_2l.c b/xen/common/event_2l.c index 8ca90899ab..e1dbb860f4 100644 --- a/xen/common/event_2l.c +++ b/xen/common/event_2l.c @@ -13,6 +13,8 @@ #include <xen/sched.h> #include <xen/event.h> +#include <asm/guest_atomics.h> + static void evtchn_2l_set_pending(struct vcpu *v, struct evtchn *evtchn) { struct domain *d = v->domain; @@ -25,12 +27,12 @@ static void evtchn_2l_set_pending(struct vcpu *v, struct evtchn *evtchn) * others may require explicit memory barriers. */ - if ( test_and_set_bit(port, &shared_info(d, evtchn_pending)) ) + if ( guest_test_and_set_bit(d, port, &shared_info(d, evtchn_pending)) ) return; - if ( !test_bit (port, &shared_info(d, evtchn_mask)) && - !test_and_set_bit(port / BITS_PER_EVTCHN_WORD(d), - &vcpu_info(v, evtchn_pending_sel)) ) + if ( !guest_test_bit(d, port, &shared_info(d, evtchn_mask)) && + !guest_test_and_set_bit(d, port / BITS_PER_EVTCHN_WORD(d), + &vcpu_info(v, evtchn_pending_sel)) ) { vcpu_mark_events_pending(v); } @@ -40,7 +42,7 @@ static void evtchn_2l_set_pending(struct vcpu *v, struct evtchn *evtchn) static void evtchn_2l_clear_pending(struct domain *d, struct evtchn *evtchn) { - clear_bit(evtchn->port, &shared_info(d, evtchn_pending)); + guest_clear_bit(d, evtchn->port, &shared_info(d, evtchn_pending)); } static void evtchn_2l_unmask(struct domain *d, struct evtchn *evtchn) @@ -52,10 +54,10 @@ static void evtchn_2l_unmask(struct domain *d, struct evtchn *evtchn) * These operations must happen in strict order. Based on * evtchn_2l_set_pending() above. */ - if ( test_and_clear_bit(port, &shared_info(d, evtchn_mask)) && - test_bit (port, &shared_info(d, evtchn_pending)) && - !test_and_set_bit (port / BITS_PER_EVTCHN_WORD(d), - &vcpu_info(v, evtchn_pending_sel)) ) + if ( guest_test_and_clear_bit(d, port, &shared_info(d, evtchn_mask)) && + guest_test_bit(d, port, &shared_info(d, evtchn_pending)) && + !guest_test_and_set_bit(d, port / BITS_PER_EVTCHN_WORD(d), + &vcpu_info(v, evtchn_pending_sel)) ) { vcpu_mark_events_pending(v); } @@ -66,7 +68,8 @@ static bool evtchn_2l_is_pending(const struct domain *d, evtchn_port_t port) unsigned int max_ports = BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d); ASSERT(port < max_ports); - return port < max_ports && test_bit(port, &shared_info(d, evtchn_pending)); + return (port < max_ports && + guest_test_bit(d, port, &shared_info(d, evtchn_pending))); } static bool evtchn_2l_is_masked(const struct domain *d, evtchn_port_t port) @@ -74,7 +77,8 @@ static bool evtchn_2l_is_masked(const struct domain *d, evtchn_port_t port) unsigned int max_ports = BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d); ASSERT(port < max_ports); - return port >= max_ports || test_bit(port, &shared_info(d, evtchn_mask)); + return (port >= max_ports || + guest_test_bit(d, port, &shared_info(d, evtchn_mask))); } static void evtchn_2l_print_state(struct domain *d, diff --git a/xen/common/event_fifo.c b/xen/common/event_fifo.c index 3eecab3f22..230f440f14 100644 --- a/xen/common/event_fifo.c +++ b/xen/common/event_fifo.c @@ -17,6 +17,8 @@ #include <xen/mm.h> #include <xen/domain_page.h> +#include <asm/guest_atomics.h> + #include <public/event_channel.h> static inline event_word_t *evtchn_fifo_word_from_port(const struct domain *d, @@ -51,7 +53,7 @@ static void evtchn_fifo_init(struct domain *d, struct evtchn *evtchn) * on the wrong VCPU or with an unexpected priority. */ word = evtchn_fifo_word_from_port(d, evtchn->port); - if ( word && test_bit(EVTCHN_FIFO_LINKED, word) ) + if ( word && guest_test_bit(d, EVTCHN_FIFO_LINKED, word) ) gdprintk(XENLOG_WARNING, "domain %d, port %d already on a queue\n", d->domain_id, evtchn->port); } @@ -116,7 +118,7 @@ static int try_set_link(event_word_t *word, event_word_t *w, uint32_t link) * We block unmasking by the guest by marking the tail word as BUSY, * therefore, the cmpxchg() may fail at most 4 times. */ -static bool_t evtchn_fifo_set_link(const struct domain *d, event_word_t *word, +static bool_t evtchn_fifo_set_link(struct domain *d, event_word_t *word, uint32_t link) { event_word_t w; @@ -130,7 +132,7 @@ static bool_t evtchn_fifo_set_link(const struct domain *d, event_word_t *word, return ret; /* Lock the word to prevent guest unmasking. */ - set_bit(EVTCHN_FIFO_BUSY, word); + guest_set_bit(d, EVTCHN_FIFO_BUSY, word); w = read_atomic(word); @@ -140,13 +142,13 @@ static bool_t evtchn_fifo_set_link(const struct domain *d, event_word_t *word, if ( ret >= 0 ) { if ( ret == 0 ) - clear_bit(EVTCHN_FIFO_BUSY, word); + guest_clear_bit(d, EVTCHN_FIFO_BUSY, word); return ret; } } gdprintk(XENLOG_WARNING, "domain %d, port %d not linked\n", d->domain_id, link); - clear_bit(EVTCHN_FIFO_BUSY, word); + guest_clear_bit(d, EVTCHN_FIFO_BUSY, word); return 1; } @@ -171,13 +173,13 @@ static void evtchn_fifo_set_pending(struct vcpu *v, struct evtchn *evtchn) return; } - was_pending = test_and_set_bit(EVTCHN_FIFO_PENDING, word); + was_pending = guest_test_and_set_bit(d, EVTCHN_FIFO_PENDING, word); /* * Link the event if it unmasked and not already linked. */ - if ( !test_bit(EVTCHN_FIFO_MASKED, word) - && !test_bit(EVTCHN_FIFO_LINKED, word) ) + if ( !guest_test_bit(d, EVTCHN_FIFO_MASKED, word) && + !guest_test_bit(d, EVTCHN_FIFO_LINKED, word) ) { struct evtchn_fifo_queue *q, *old_q; event_word_t *tail_word; @@ -206,7 +208,7 @@ static void evtchn_fifo_set_pending(struct vcpu *v, struct evtchn *evtchn) if ( !old_q ) goto done; - if ( test_and_set_bit(EVTCHN_FIFO_LINKED, word) ) + if ( guest_test_and_set_bit(d, EVTCHN_FIFO_LINKED, word) ) { spin_unlock_irqrestore(&old_q->lock, flags); goto done; @@ -252,8 +254,8 @@ static void evtchn_fifo_set_pending(struct vcpu *v, struct evtchn *evtchn) spin_unlock_irqrestore(&q->lock, flags); if ( !linked - && !test_and_set_bit(q->priority, - &v->evtchn_fifo->control_block->ready) ) + && !guest_test_and_set_bit(d, q->priority, + &v->evtchn_fifo->control_block->ready) ) vcpu_mark_events_pending(v); } done: @@ -275,7 +277,7 @@ static void evtchn_fifo_clear_pending(struct domain *d, struct evtchn *evtchn) * No need to unlink as the guest will unlink and ignore * non-pending events. */ - clear_bit(EVTCHN_FIFO_PENDING, word); + guest_clear_bit(d, EVTCHN_FIFO_PENDING, word); } static void evtchn_fifo_unmask(struct domain *d, struct evtchn *evtchn) @@ -287,10 +289,10 @@ static void evtchn_fifo_unmask(struct domain *d, struct evtchn *evtchn) if ( unlikely(!word) ) return; - clear_bit(EVTCHN_FIFO_MASKED, word); + guest_clear_bit(d, EVTCHN_FIFO_MASKED, word); /* Relink if pending. */ - if ( test_bit(EVTCHN_FIFO_PENDING, word) ) + if ( guest_test_bit(d, EVTCHN_FIFO_PENDING, word) ) evtchn_fifo_set_pending(v, evtchn); } @@ -298,21 +300,21 @@ static bool evtchn_fifo_is_pending(const struct domain *d, evtchn_port_t port) { const event_word_t *word = evtchn_fifo_word_from_port(d, port); - return word && test_bit(EVTCHN_FIFO_PENDING, word); + return word && guest_test_bit(d, EVTCHN_FIFO_PENDING, word); } static bool_t evtchn_fifo_is_masked(const struct domain *d, evtchn_port_t port) { const event_word_t *word = evtchn_fifo_word_from_port(d, port); - return !word || test_bit(EVTCHN_FIFO_MASKED, word); + return !word || guest_test_bit(d, EVTCHN_FIFO_MASKED, word); } static bool_t evtchn_fifo_is_busy(const struct domain *d, evtchn_port_t port) { const event_word_t *word = evtchn_fifo_word_from_port(d, port); - return word && test_bit(EVTCHN_FIFO_LINKED, word); + return word && guest_test_bit(d, EVTCHN_FIFO_LINKED, word); } static int evtchn_fifo_set_priority(struct domain *d, struct evtchn *evtchn, @@ -339,11 +341,11 @@ static void evtchn_fifo_print_state(struct domain *d, word = evtchn_fifo_word_from_port(d, evtchn->port); if ( !word ) printk("? "); - else if ( test_bit(EVTCHN_FIFO_LINKED, word) ) - printk("%c %-4u", test_bit(EVTCHN_FIFO_BUSY, word) ? 'B' : ' ', + else if ( guest_test_bit(d, EVTCHN_FIFO_LINKED, word) ) + printk("%c %-4u", guest_test_bit(d, EVTCHN_FIFO_BUSY, word) ? 'B' : ' ', *word & EVTCHN_FIFO_LINK_MASK); else - printk("%c - ", test_bit(EVTCHN_FIFO_BUSY, word) ? 'B' : ' '); + printk("%c - ", guest_test_bit(d, EVTCHN_FIFO_BUSY, word) ? 'B' : ' '); } static const struct evtchn_port_ops evtchn_port_ops_fifo = @@ -495,7 +497,7 @@ static void setup_ports(struct domain *d) evtchn = evtchn_from_port(d, port); - if ( test_bit(port, &shared_info(d, evtchn_pending)) ) + if ( guest_test_bit(d, port, &shared_info(d, evtchn_pending)) ) evtchn->pending = 1; evtchn_fifo_set_priority(d, evtchn, EVTCHN_FIFO_PRIORITY_DEFAULT); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 1b82d534a3..e9ce0ac473 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -39,6 +39,7 @@ #include <xen/vmap.h> #include <xsm/xsm.h> #include <asm/flushtlb.h> +#include <asm/guest_atomics.h> /* Per-domain grant information. */ struct grant_table { @@ -646,6 +647,7 @@ static unsigned int nr_grant_entries(struct grant_table *gt) } static int _set_status_v1(const grant_entry_header_t *shah, + struct domain *rd, struct active_grant_entry *act, int readonly, int mapflag, @@ -701,8 +703,8 @@ static int _set_status_v1(const grant_entry_header_t *shah, "Attempt to write-pin a r/o grant entry\n"); } - prev_scombo.word = cmpxchg((u32 *)shah, - scombo.word, new_scombo.word); + prev_scombo.word = guest_cmpxchg(rd, (u32 *)shah, + scombo.word, new_scombo.word); if ( likely(prev_scombo.word == scombo.word) ) break; @@ -719,6 +721,7 @@ done: static int _set_status_v2(const grant_entry_header_t *shah, grant_status_t *status, + struct domain *rd, struct active_grant_entry *act, int readonly, int mapflag, @@ -781,8 +784,8 @@ static int _set_status_v2(const grant_entry_header_t *shah, (id != ldomid) || (!readonly && (flags & GTF_readonly)) ) { - gnttab_clear_flag(_GTF_writing, status); - gnttab_clear_flag(_GTF_reading, status); + gnttab_clear_flag(rd, _GTF_writing, status); + gnttab_clear_flag(rd, _GTF_reading, status); PIN_FAIL(done, GNTST_general_error, "Unstable flags (%x) or dom (%d); expected d%d (r/w: %d)\n", flags, id, ldomid, !readonly); @@ -792,7 +795,7 @@ static int _set_status_v2(const grant_entry_header_t *shah, { if ( unlikely(flags & GTF_readonly) ) { - gnttab_clear_flag(_GTF_writing, status); + gnttab_clear_flag(rd, _GTF_writing, status); PIN_FAIL(done, GNTST_general_error, "Unstable grant readonly flag\n"); } @@ -805,6 +808,7 @@ done: static int _set_status(const grant_entry_header_t *shah, grant_status_t *status, + struct domain *rd, unsigned rgt_version, struct active_grant_entry *act, int readonly, @@ -813,9 +817,9 @@ static int _set_status(const grant_entry_header_t *shah, { if ( rgt_version == 1 ) - return _set_status_v1(shah, act, readonly, mapflag, ldomid); + return _set_status_v1(shah, rd, act, readonly, mapflag, ldomid); else - return _set_status_v2(shah, status, act, readonly, mapflag, ldomid); + return _set_status_v2(shah, status, rd, act, readonly, mapflag, ldomid); } static struct active_grant_entry *grant_map_exists(const struct domain *ld, @@ -980,7 +984,7 @@ map_grant_ref( (!(op->flags & GNTMAP_readonly) && !(act->pin & (GNTPIN_hstw_mask|GNTPIN_devw_mask))) ) { - if ( (rc = _set_status(shah, status, rgt->gt_version, act, + if ( (rc = _set_status(shah, status, rd, rgt->gt_version, act, op->flags & GNTMAP_readonly, 1, ld->domain_id) != GNTST_okay) ) goto act_release_out; @@ -1204,10 +1208,10 @@ map_grant_ref( unlock_out_clear: if ( !(op->flags & GNTMAP_readonly) && !(act->pin & (GNTPIN_hstw_mask|GNTPIN_devw_mask)) ) - gnttab_clear_flag(_GTF_writing, status); + gnttab_clear_flag(rd, _GTF_writing, status); if ( !act->pin ) - gnttab_clear_flag(_GTF_reading, status); + gnttab_clear_flag(rd, _GTF_reading, status); act_release_out: active_entry_release(act); @@ -1477,10 +1481,10 @@ unmap_common_complete(struct gnttab_unmap_common *op) if ( ((act->pin & (GNTPIN_devw_mask|GNTPIN_hstw_mask)) == 0) && !(op->done & GNTMAP_readonly) ) - gnttab_clear_flag(_GTF_writing, status); + gnttab_clear_flag(rd, _GTF_writing, status); if ( act->pin == 0 ) - gnttab_clear_flag(_GTF_reading, status); + gnttab_clear_flag(rd, _GTF_reading, status); active_entry_release(act); grant_read_unlock(rgt); @@ -2045,8 +2049,8 @@ gnttab_prepare_for_transfer( new_scombo = scombo; new_scombo.shorts.flags |= GTF_transfer_committed; - prev_scombo.word = cmpxchg((u32 *)&sha->flags, - scombo.word, new_scombo.word); + prev_scombo.word = guest_cmpxchg(rd, (u32 *)&sha->flags, + scombo.word, new_scombo.word); if ( likely(prev_scombo.word == scombo.word) ) break; @@ -2339,11 +2343,11 @@ release_grant_for_copy( act->pin -= GNTPIN_hstw_inc; if ( !(act->pin & (GNTPIN_devw_mask|GNTPIN_hstw_mask)) ) - gnttab_clear_flag(_GTF_writing, status); + gnttab_clear_flag(rd, _GTF_writing, status); } if ( !act->pin ) - gnttab_clear_flag(_GTF_reading, status); + gnttab_clear_flag(rd, _GTF_reading, status); active_entry_release(act); grant_read_unlock(rgt); @@ -2365,14 +2369,15 @@ release_grant_for_copy( under the domain's grant table lock. */ /* Only safe on transitive grants. Even then, note that we don't attempt to drop any pin on the referent grant. */ -static void fixup_status_for_copy_pin(const struct active_grant_entry *act, +static void fixup_status_for_copy_pin(struct domain *rd, + const struct active_grant_entry *act, uint16_t *status) { if ( !(act->pin & (GNTPIN_hstw_mask | GNTPIN_devw_mask)) ) - gnttab_clear_flag(_GTF_writing, status); + gnttab_clear_flag(rd, _GTF_writing, status); if ( !act->pin ) - gnttab_clear_flag(_GTF_reading, status); + gnttab_clear_flag(rd, _GTF_reading, status); } /* @@ -2434,7 +2439,7 @@ acquire_grant_for_copy( { if ( (!old_pin || (!readonly && !(old_pin & (GNTPIN_devw_mask|GNTPIN_hstw_mask)))) && - (rc = _set_status_v2(shah, status, act, readonly, 0, + (rc = _set_status_v2(shah, status, rd, act, readonly, 0, ldom)) != GNTST_okay ) goto unlock_out; @@ -2483,7 +2488,7 @@ acquire_grant_for_copy( if ( rc != GNTST_okay ) { - fixup_status_for_copy_pin(act, status); + fixup_status_for_copy_pin(rd, act, status); rcu_unlock_domain(td); active_entry_release(act); grant_read_unlock(rgt); @@ -2506,7 +2511,7 @@ acquire_grant_for_copy( !act->is_sub_page)) ) { release_grant_for_copy(td, trans_gref, readonly); - fixup_status_for_copy_pin(act, status); + fixup_status_for_copy_pin(rd, act, status); rcu_unlock_domain(td); active_entry_release(act); grant_read_unlock(rgt); @@ -2535,7 +2540,7 @@ acquire_grant_for_copy( else if ( !old_pin || (!readonly && !(old_pin & (GNTPIN_devw_mask|GNTPIN_hstw_mask))) ) { - if ( (rc = _set_status(shah, status, rgt->gt_version, act, + if ( (rc = _set_status(shah, status, rd, rgt->gt_version, act, readonly, 0, ldom)) != GNTST_okay ) goto unlock_out; @@ -2623,10 +2628,10 @@ acquire_grant_for_copy( unlock_out_clear: if ( !(readonly) && !(act->pin & (GNTPIN_hstw_mask | GNTPIN_devw_mask)) ) - gnttab_clear_flag(_GTF_writing, status); + gnttab_clear_flag(rd, _GTF_writing, status); if ( !act->pin ) - gnttab_clear_flag(_GTF_reading, status); + gnttab_clear_flag(rd, _GTF_reading, status); unlock_out: active_entry_release(act); @@ -3661,11 +3666,11 @@ gnttab_release_mappings( } if ( (act->pin & (GNTPIN_devw_mask|GNTPIN_hstw_mask)) == 0 ) - gnttab_clear_flag(_GTF_writing, status); + gnttab_clear_flag(rd, _GTF_writing, status); } if ( act->pin == 0 ) - gnttab_clear_flag(_GTF_reading, status); + gnttab_clear_flag(rd, _GTF_reading, status); active_entry_release(act); grant_read_unlock(rgt); diff --git a/xen/include/asm-arm/grant_table.h b/xen/include/asm-arm/grant_table.h index 816e3c6d68..5e9aa53814 100644 --- a/xen/include/asm-arm/grant_table.h +++ b/xen/include/asm-arm/grant_table.h @@ -14,7 +14,7 @@ struct grant_table_arch { gfn_t *status_gfn; }; -void gnttab_clear_flag(unsigned long nr, uint16_t *addr); +void gnttab_clear_flag(struct domain *d, unsigned long nr, uint16_t *addr); int create_grant_host_mapping(unsigned long gpaddr, mfn_t mfn, unsigned int flags, unsigned int cache_flags); #define gnttab_host_mapping_get_page_type(ro, ld, rd) (0) diff --git a/xen/include/asm-x86/grant_table.h b/xen/include/asm-x86/grant_table.h index 4b8c4f9160..11f061aa2d 100644 --- a/xen/include/asm-x86/grant_table.h +++ b/xen/include/asm-x86/grant_table.h @@ -64,7 +64,8 @@ static inline int replace_grant_host_mapping(uint64_t addr, mfn_t frame, #define gnttab_mark_dirty(d, f) paging_mark_dirty((d), f) -static inline void gnttab_clear_flag(unsigned int nr, uint16_t *st) +static inline void gnttab_clear_flag(struct domain *d, unsigned int nr, + uint16_t *st) { /* * Note that this cannot be clear_bit(), as the access must be -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.12 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |