mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2025-08-05 05:17:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

main/xen: upgrade to 4.10.1

Browse Source
This commit is contained in:
Daniel Sabogal 2018-05-04 10:46:18 -04:00 committed by Leonardo Arena
parent 895798a84e
commit 95c1be17ba
8 changed files with 6 additions and 1891 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
main/xen/APKBUILD
View File

@ -2,8 +2,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: William Pitcock <nenolod@dereferenced.org> # Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen pkgname=xen
pkgver=4.10.0 pkgver=4.10.1
pkgrel=3 pkgrel=0
pkgdesc="Xen hypervisor" pkgdesc="Xen hypervisor"
url="http://www.xen.org/" url="http://www.xen.org/"
arch="x86_64 armhf aarch64" arch="x86_64 armhf aarch64"
@ -112,6 +112,9 @@ options="!strip"
# - CVE-2018-7540 XSA-252 # - CVE-2018-7540 XSA-252
# - CVE-2018-7541 XSA-255 # - CVE-2018-7541 XSA-255
# - CVE-2018-7542 XSA-256 # - CVE-2018-7542 XSA-256
# 4.10.1-r0:
# - CVE-2018-10472 XSA-258
# - CVE-2018-10471 XSA-259
case "$CARCH" in case "$CARCH" in
x86*) x86*)
@ -159,13 +162,6 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv
http://xenbits.xen.org/xen-extfiles/zlib-$_ZLIB_VERSION.tar.gz http://xenbits.xen.org/xen-extfiles/zlib-$_ZLIB_VERSION.tar.gz
http://xenbits.xen.org/xen-extfiles/ipxe-git-$_IPXE_GIT_TAG.tar.gz http://xenbits.xen.org/xen-extfiles/ipxe-git-$_IPXE_GIT_TAG.tar.gz
xsa252.patch
xsa253-4.10.patch
xsa254-4.10.patch
xsa255-1.patch
xsa255-2.patch
xsa256.patch
qemu-xen_paths.patch qemu-xen_paths.patch
hotplug-vif-vtrill.patch hotplug-vif-vtrill.patch
@ -416,7 +412,7 @@ EOF
} }
sha512sums="5a37935c382f9cfe3641a35c3be0ba11689bca10c7d3c2401963513e3a834ee8d0c8a0ddcf3716dbf0a795aea1bab78caf19acf1272e5e054bf012cfa06a4690 xen-4.10.0.tar.gz sha512sums="236c02bee69e33644703ed26d323d4c491a91fc05bd0ee0990a7368579f7c82f5bb4510845bf80348fd923024d7d60d521f593dfd0365d971dc592f8ef10fbea xen-4.10.1.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
@ -426,12 +422,6 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35 tpm_emulator-0.7.4.tar.gz 4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35 tpm_emulator-0.7.4.tar.gz
021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e zlib-1.2.3.tar.gz 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e zlib-1.2.3.tar.gz
bbcce5e55040e7e29adebd4a5253a046016a6e2e7ff34cf801a42d147e1ec1af57e0297318249bfa9c5bbeac969fe4b37c18cbf845a80b2136d65387a4fc31da ipxe-git-356f6c1b64d7a97746d1816cef8ca22bdd8d0b5d.tar.gz bbcce5e55040e7e29adebd4a5253a046016a6e2e7ff34cf801a42d147e1ec1af57e0297318249bfa9c5bbeac969fe4b37c18cbf845a80b2136d65387a4fc31da ipxe-git-356f6c1b64d7a97746d1816cef8ca22bdd8d0b5d.tar.gz
63fd6cee56ef04506efd6bf632998dc90514ff967e9435514a5ba8d2c5781735f986241344a479b6f44df9c6e6a278a165ba14834b0b3236064e24f71cd600f1 xsa252.patch
58f288fb3087ecdd42075031b5604a493adef0754f68d596dce8576fbc46bfe8b1bf3dc429269cab3797b6f193036bdafeb32cf2c7cca34d9c89d5fe95a0453c xsa253-4.10.patch
f15350c0b44d3a6d5a3056dfac81d25f2af047135c528f6258f3d42ef26e6d87511d8e148a63e8d7d88108e07dc5b3551ed54c915be6dc3fe3f978ab72094321 xsa254-4.10.patch
d16ead93486beee767c3c80d11981d940dfce55d9aabfe7adee480d02f575a2df074bb83a1e62e455ac754f6d8f3fb83abe7139b93b94b77233c2918b46dc2e2 xsa255-1.patch
2f0719fbbde261a51e1ec66eb677fb2b17c94e0631d583c0a99357b7c2dfb2c695b6970ebbe8e05f68154344af74fa31e8b47b0d25c778b3aef1b284101ae528 xsa255-2.patch
3bd2697a8ad66197264af8a713bf97152ed414c4b11910cc986c6adaa85bd86b4d35319675799edccf04aaff9ae48a58ca5c438cb6b5b95f60fffbfeec5e4faf xsa256.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
77b08e9655e091b0352e4630d520b54c6ca6d659d1d38fbb4b3bfc9ff3e66db433a2e194ead32bb10ff962c382d800a670e82b7a62835b238e294b22808290ea musl-hvmloader-fix-stdint.patch 77b08e9655e091b0352e4630d520b54c6ca6d659d1d38fbb4b3bfc9ff3e66db433a2e194ead32bb10ff962c382d800a670e82b7a62835b238e294b22808290ea musl-hvmloader-fix-stdint.patch

109
main/xen/xsa247-4.9-2.patch
View File

@ -1,109 +0,0 @@
From d4bc7833707351a5341a6bdf04c752a028d9560d Mon Sep 17 00:00:00 2001
From: George Dunlap <george.dunlap@citrix.com>
Date: Fri, 10 Nov 2017 16:53:55 +0000
Subject: [PATCH 2/2] p2m: Check return value of p2m_set_entry() when
decreasing reservation
If the entire range specified to p2m_pod_decrease_reservation() is marked
populate-on-demand, then it will make a single p2m_set_entry() call,
reducing its PoD entry count.
Unfortunately, in the right circumstances, this p2m_set_entry() call
may fail. It that case, repeated calls to decrease_reservation() may
cause p2m->pod.entry_count to fall below zero, potentially tripping
over BUG_ON()s to the contrary.
Instead, check to see if the entry succeeded, and return false if not.
The caller will then call guest_remove_page() on the gfns, which will
return -EINVAL upon finding no valid memory there to return.
Unfortunately if the order > 0, the entry may have partially changed.
A domain_crash() is probably the safest thing in that case.
Other p2m_set_entry() calls in the same function should be fine,
because they are writing the entry at its current order. Nonetheless,
check the return value and crash if our assumption turns otu to be
wrong.
This is part of XSA-247.
Reported-by: XXX PERSON <XXX EMAIL>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
v2: Crash the domain if we're not sure it's safe (or if we think it
can't happen)
---
xen/arch/x86/mm/p2m-pod.c | 42 +++++++++++++++++++++++++++++++++---------
1 file changed, 33 insertions(+), 9 deletions(-)
diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
index f2ed751892..473d6a6dbf 100644
--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
@@ -555,11 +555,23 @@ p2m_pod_decrease_reservation(struct domain *d,
if ( !nonpod )
{
- /* All PoD: Mark the whole region invalid and tell caller
- * we're done. */
- p2m_set_entry(p2m, gpfn, INVALID_MFN, order, p2m_invalid,
- p2m->default_access);
- p2m->pod.entry_count-=(1<<order);
+ /*
+ * All PoD: Mark the whole region invalid and tell caller
+ * we're done.
+ */
+ if ( p2m_set_entry(p2m, gpfn, INVALID_MFN, order, p2m_invalid,
+ p2m->default_access) )
+ {
+ /*
+ * If this fails, we can't tell how much of the range was changed.
+ * Best to crash the domain unless we're sure a partial change is
+ * impossible.
+ */
+ if ( order != 0 )
+ domain_crash(d);
+ goto out_unlock;
+ }
+ p2m->pod.entry_count -= 1UL << order;
BUG_ON(p2m->pod.entry_count < 0);
ret = 1;
goto out_entry_check;
@@ -600,8 +612,14 @@ p2m_pod_decrease_reservation(struct domain *d,
n = 1UL << cur_order;
if ( t == p2m_populate_on_demand )
{
- p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
- p2m_invalid, p2m->default_access);
+ /* This shouldn't be able to fail */
+ if ( p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
+ p2m_invalid, p2m->default_access) )
+ {
+ ASSERT_UNREACHABLE();
+ domain_crash(d);
+ goto out_unlock;
+ }
p2m->pod.entry_count -= n;
BUG_ON(p2m->pod.entry_count < 0);
pod -= n;
@@ -622,8 +640,14 @@ p2m_pod_decrease_reservation(struct domain *d,
page = mfn_to_page(mfn);
- p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
- p2m_invalid, p2m->default_access);
+ /* This shouldn't be able to fail */
+ if ( p2m_set_entry(p2m, gpfn + i, INVALID_MFN, cur_order,
+ p2m_invalid, p2m->default_access) )
+ {
+ ASSERT_UNREACHABLE();
+ domain_crash(d);
+ goto out_unlock;
+ }
p2m_tlb_flush_sync(p2m);
for ( j = 0; j < n; ++j )
set_gpfn_from_mfn(mfn_x(mfn), INVALID_M2P_ENTRY);
--
2.15.0

27
main/xen/xsa252.patch
View File

@ -1,27 +0,0 @@
From: Jan Beulich <jbeulich@suse.com>
Subject: memory: don't implicitly unpin for decrease-reservation
It very likely was a mistake (copy-and-paste from domain cleanup code)
to implicitly unpin here: The caller should really unpin itself before
(or after, if they so wish) requesting the page to be removed.
This is XSA-252.
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -357,11 +357,6 @@ int guest_remove_page(struct domain *d,
rc = guest_physmap_remove_page(d, _gfn(gmfn), mfn, 0);
-#ifdef _PGT_pinned
- if ( !rc && test_and_clear_bit(_PGT_pinned, &page->u.inuse.type_info) )
- put_page_and_type(page);
-#endif
-
/*
* With the lack of an IOMMU on some platforms, domains with DMA-capable
* device must retrieve the same pfn when the hypercall populate_physmap

26
main/xen/xsa253-4.10.patch
View File

@ -1,26 +0,0 @@
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: x86/msr: Free msr_vcpu_policy during vcpu destruction
c/s 4187f79dc7 "x86/msr: introduce struct msr_vcpu_policy" introduced a
per-vcpu memory allocation, but failed to free it in the clean vcpu
destruction case.
This is XSA-253
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index b17468c..0ae715d 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -382,6 +382,9 @@ void vcpu_destroy(struct vcpu *v)
vcpu_destroy_fpu(v);
+ xfree(v->arch.msr);
+ v->arch.msr = NULL;
+
if ( !is_idle_domain(v->domain) )
vpmu_destroy(v);

1373
main/xen/xsa254-4.10.patch
View File

File diff suppressed because it is too large Load Diff

133
main/xen/xsa255-1.patch
View File

@ -1,133 +0,0 @@
From: Jan Beulich <jbeulich@suse.com>
Subject: gnttab/ARM: don't corrupt shared GFN array
... by writing status GFNs to it. Introduce a second array instead.
Also implement gnttab_status_gmfn() properly now that the information is
suitably being tracked.
While touching it anyway, remove a misguided (but luckily benign) upper
bound check from gnttab_shared_gmfn(): We should never access beyond the
bounds of that array.
This is part of XSA-255.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
v3: Don't init the ARM GFN arrays to zero anymore, use INVALID_GFN.
v2: New.
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -3775,6 +3775,7 @@ int gnttab_map_frame(struct domain *d, u
{
int rc = 0;
struct grant_table *gt = d->grant_table;
+ bool status = false;
grant_write_lock(gt);
@@ -3785,6 +3786,7 @@ int gnttab_map_frame(struct domain *d, u
(idx & XENMAPIDX_grant_table_status) )
{
idx &= ~XENMAPIDX_grant_table_status;
+ status = true;
if ( idx < nr_status_frames(gt) )
*mfn = _mfn(virt_to_mfn(gt->status[idx]));
else
@@ -3802,7 +3804,7 @@ int gnttab_map_frame(struct domain *d, u
}
if ( !rc )
- gnttab_set_frame_gfn(gt, idx, gfn);
+ gnttab_set_frame_gfn(gt, status, idx, gfn);
grant_write_unlock(gt);
--- a/xen/include/asm-arm/grant_table.h
+++ b/xen/include/asm-arm/grant_table.h
@@ -9,7 +9,8 @@
#define INITIAL_NR_GRANT_FRAMES 1U
struct grant_table_arch {
- gfn_t *gfn;
+ gfn_t *shared_gfn;
+ gfn_t *status_gfn;
};
void gnttab_clear_flag(unsigned long nr, uint16_t *addr);
@@ -21,7 +22,6 @@ int replace_grant_host_mapping(unsigned
unsigned long new_gpaddr, unsigned int flags);
void gnttab_mark_dirty(struct domain *d, unsigned long l);
#define gnttab_create_status_page(d, t, i) do {} while (0)
-#define gnttab_status_gmfn(d, t, i) (0)
#define gnttab_release_host_mappings(domain) 1
static inline int replace_grant_supported(void)
{
@@ -42,19 +42,35 @@ static inline unsigned int gnttab_dom0_m
#define gnttab_init_arch(gt) \
({ \
- (gt)->arch.gfn = xzalloc_array(gfn_t, (gt)->max_grant_frames); \
- ( (gt)->arch.gfn ? 0 : -ENOMEM ); \
+ unsigned int ngf_ = (gt)->max_grant_frames; \
+ unsigned int nsf_ = grant_to_status_frames(ngf_); \
+ \
+ (gt)->arch.shared_gfn = xmalloc_array(gfn_t, ngf_); \
+ (gt)->arch.status_gfn = xmalloc_array(gfn_t, nsf_); \
+ if ( (gt)->arch.shared_gfn && (gt)->arch.status_gfn ) \
+ { \
+ while ( ngf_-- ) \
+ (gt)->arch.shared_gfn[ngf_] = INVALID_GFN; \
+ while ( nsf_-- ) \
+ (gt)->arch.status_gfn[nsf_] = INVALID_GFN; \
+ } \
+ else \
+ gnttab_destroy_arch(gt); \
+ (gt)->arch.shared_gfn ? 0 : -ENOMEM; \
})
#define gnttab_destroy_arch(gt) \
do { \
- xfree((gt)->arch.gfn); \
- (gt)->arch.gfn = NULL; \
+ xfree((gt)->arch.shared_gfn); \
+ (gt)->arch.shared_gfn = NULL; \
+ xfree((gt)->arch.status_gfn); \
+ (gt)->arch.status_gfn = NULL; \
} while ( 0 )
-#define gnttab_set_frame_gfn(gt, idx, gfn) \
+#define gnttab_set_frame_gfn(gt, st, idx, gfn) \
do { \
- (gt)->arch.gfn[idx] = gfn; \
+ ((st) ? (gt)->arch.status_gfn : (gt)->arch.shared_gfn)[idx] = \
+ (gfn); \
} while ( 0 )
#define gnttab_create_shared_page(d, t, i) \
@@ -65,8 +81,10 @@ static inline unsigned int gnttab_dom0_m
} while ( 0 )
#define gnttab_shared_gmfn(d, t, i) \
- ( ((i >= nr_grant_frames(t)) && \
- (i < (t)->max_grant_frames))? 0 : gfn_x((t)->arch.gfn[i]))
+ gfn_x(((i) >= nr_grant_frames(t)) ? INVALID_GFN : (t)->arch.shared_gfn[i])
+
+#define gnttab_status_gmfn(d, t, i) \
+ gfn_x(((i) >= nr_status_frames(t)) ? INVALID_GFN : (t)->arch.status_gfn[i])
#define gnttab_need_iommu_mapping(d) \
(is_domain_direct_mapped(d) && need_iommu(d))
--- a/xen/include/asm-x86/grant_table.h
+++ b/xen/include/asm-x86/grant_table.h
@@ -46,7 +46,7 @@ static inline unsigned int gnttab_dom0_m
#define gnttab_init_arch(gt) 0
#define gnttab_destroy_arch(gt) do {} while ( 0 )
-#define gnttab_set_frame_gfn(gt, idx, gfn) do {} while ( 0 )
+#define gnttab_set_frame_gfn(gt, st, idx, gfn) do {} while ( 0 )
#define gnttab_create_shared_page(d, t, i) \
do { \

167
main/xen/xsa255-2.patch
View File

@ -1,167 +0,0 @@
From: Jan Beulich <jbeulich@suse.com>
Subject: gnttab: don't blindly free status pages upon version change
There may still be active mappings, which would trigger the respective
BUG_ON(). Split the loop into one dealing with the page attributes and
the second (when the first fully passed) freeing the pages. Return an
error if any pages still have pending references.
This is part of XSA-255.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
v4: Add gprintk(XENLOG_ERR, ...) to domain_crash() invocations.
v3: Call guest_physmap_remove_page() from gnttab_map_frame(), making the
code unconditional at the same time. Re-base over changes to first
patch.
v2: Also deal with translated guests.
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -1636,23 +1636,74 @@ status_alloc_failed:
return -ENOMEM;
}
-static void
+static int
gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt)
{
- int i;
+ unsigned int i;
for ( i = 0; i < nr_status_frames(gt); i++ )
{
struct page_info *pg = virt_to_page(gt->status[i]);
+ gfn_t gfn = gnttab_get_frame_gfn(gt, true, i);
+
+ /*
+ * For translated domains, recovering from failure after partial
+ * changes were made is more complicated than it seems worth
+ * implementing at this time. Hence respective error paths below
+ * crash the domain in such a case.
+ */
+ if ( paging_mode_translate(d) )
+ {
+ int rc = gfn_eq(gfn, INVALID_GFN)
+ ? 0
+ : guest_physmap_remove_page(d, gfn,
+ _mfn(page_to_mfn(pg)), 0);
+
+ if ( rc )
+ {
+ gprintk(XENLOG_ERR,
+ "Could not remove status frame %u (GFN %#lx) from P2M\n",
+ i, gfn_x(gfn));
+ domain_crash(d);
+ return rc;
+ }
+ gnttab_set_frame_gfn(gt, true, i, INVALID_GFN);
+ }
BUG_ON(page_get_owner(pg) != d);
if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
put_page(pg);
- BUG_ON(pg->count_info & ~PGC_xen_heap);
+
+ if ( pg->count_info & ~PGC_xen_heap )
+ {
+ if ( paging_mode_translate(d) )
+ {
+ gprintk(XENLOG_ERR,
+ "Wrong page state %#lx of status frame %u (GFN %#lx)\n",
+ pg->count_info, i, gfn_x(gfn));
+ domain_crash(d);
+ }
+ else
+ {
+ if ( get_page(pg, d) )
+ set_bit(_PGC_allocated, &pg->count_info);
+ while ( i-- )
+ gnttab_create_status_page(d, gt, i);
+ }
+ return -EBUSY;
+ }
+
+ page_set_owner(pg, NULL);
+ }
+
+ for ( i = 0; i < nr_status_frames(gt); i++ )
+ {
free_xenheap_page(gt->status[i]);
gt->status[i] = NULL;
}
gt->nr_status_frames = 0;
+
+ return 0;
}
/*
@@ -2962,8 +3013,9 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARA
break;
}
- if ( op.version < 2 && gt->gt_version == 2 )
- gnttab_unpopulate_status_frames(currd, gt);
+ if ( op.version < 2 && gt->gt_version == 2 &&
+ (res = gnttab_unpopulate_status_frames(currd, gt)) != 0 )
+ goto out_unlock;
/* Make sure there's no crud left over from the old version. */
for ( i = 0; i < nr_grant_frames(gt); i++ )
@@ -3803,6 +3855,11 @@ int gnttab_map_frame(struct domain *d, u
rc = -EINVAL;
}
+ if ( !rc && paging_mode_translate(d) &&
+ !gfn_eq(gnttab_get_frame_gfn(gt, status, idx), INVALID_GFN) )
+ rc = guest_physmap_remove_page(d, gnttab_get_frame_gfn(gt, status, idx),
+ *mfn, 0);
+
if ( !rc )
gnttab_set_frame_gfn(gt, status, idx, gfn);
--- a/xen/include/asm-arm/grant_table.h
+++ b/xen/include/asm-arm/grant_table.h
@@ -73,6 +73,11 @@ static inline unsigned int gnttab_dom0_m
(gfn); \
} while ( 0 )
+#define gnttab_get_frame_gfn(gt, st, idx) ({ \
+ _gfn((st) ? gnttab_status_gmfn(NULL, gt, idx) \
+ : gnttab_shared_gmfn(NULL, gt, idx)); \
+})
+
#define gnttab_create_shared_page(d, t, i) \
do { \
share_xen_page_with_guest( \
--- a/xen/include/asm-x86/grant_table.h
+++ b/xen/include/asm-x86/grant_table.h
@@ -47,6 +47,12 @@ static inline unsigned int gnttab_dom0_m
#define gnttab_init_arch(gt) 0
#define gnttab_destroy_arch(gt) do {} while ( 0 )
#define gnttab_set_frame_gfn(gt, st, idx, gfn) do {} while ( 0 )
+#define gnttab_get_frame_gfn(gt, st, idx) ({ \
+ unsigned long mfn_ = (st) ? gnttab_status_mfn(gt, idx) \
+ : gnttab_shared_mfn(gt, idx); \
+ unsigned long gpfn_ = get_gpfn_from_mfn(mfn_); \
+ VALID_M2P(gpfn_) ? _gfn(gpfn_) : INVALID_GFN; \
+})
#define gnttab_create_shared_page(d, t, i) \
do { \
@@ -63,11 +69,11 @@ static inline unsigned int gnttab_dom0_m
} while ( 0 )
-#define gnttab_shared_mfn(d, t, i) \
+#define gnttab_shared_mfn(t, i) \
((virt_to_maddr((t)->shared_raw[i]) >> PAGE_SHIFT))
#define gnttab_shared_gmfn(d, t, i) \
- (mfn_to_gmfn(d, gnttab_shared_mfn(d, t, i)))
+ (mfn_to_gmfn(d, gnttab_shared_mfn(t, i)))
#define gnttab_status_mfn(t, i) \

40
main/xen/xsa256.patch
View File

@ -1,40 +0,0 @@
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: x86/hvm: Disallow the creation of HVM domains without Local APIC emulation
There are multiple problems, not necesserily limited to:
* Guests which configure event channels via hvmop_set_evtchn_upcall_vector(),
or which hit %cr8 emulation will cause Xen to fall over a NULL vlapic->regs
pointer.
* On Intel hardware, disabling the TPR_SHADOW execution control without
reenabling CR8_{LOAD,STORE} interception means that the guests %cr8
accesses interact with the real TPR. Amongst other things, setting the
real TPR to 0xf blocks even IPIs from interrupting this CPU.
* On hardware which sets up the use of Interrupt Posting, including
IOMMU-Posting, guests run without the appropriate non-root configuration,
which at a minimum will result in dropped interrupts.
Whether no-LAPIC mode is of any use at all remains to be seen.
This is XSA-256.
Reported-by: Ian Jackson <ian.jackson@eu.citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index f93327b..f65fc12 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -413,7 +413,7 @@ static bool emulation_flags_ok(const struct domain *d, uint32_t emflags)
if ( is_hardware_domain(d) &&
emflags != (XEN_X86_EMU_LAPIC|XEN_X86_EMU_IOAPIC) )
return false;
- if ( !is_hardware_domain(d) && emflags &&
+ if ( !is_hardware_domain(d) &&
emflags != XEN_X86_EMU_ALL && emflags != XEN_X86_EMU_LAPIC )
return false;
}