authorNatanael Copa <ncopa@alpinelinux.org>2016-06-23 10:45:11 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2016-06-23 10:45:20 +0000
commit08e33d0f02c353d47b25b57f4f56a6ba9918fe32 (patch)
treee1439083ca6c69950a2fc61c584655d61d3a9668
parent34a184ba931dbb3ae96e346f438955810f0eb765 (diff)
main/xen: security upgrade to 4.6.3
XSA-181 CVE-2016-5242 arm: Host crash caused by VMID exhaustion
XSA-180 CVE-2014-3672 Unrestricted qemu logging
XSA-179 CVE-2016-3710 CVE-2016-3712 QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks
XSA-178 CVE-2016-4963 Unsanitised driver domain input in libxl device handling
XSA-176 CVE-2016-4480 x86 software guest page walk PS bit handling flaw
XSA-175 CVE-2016-4962 Unsanitised guest input in libxl device handling code
XSA-174 CVE-2016-3961 hugetlbfs use may crash PV Linux guests
-rw-r--r--main/xen/APKBUILD47
-rw-r--r--main/xen/xsa154-4.6.patch359
-rw-r--r--main/xen/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch56
-rw-r--r--main/xen/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch75
-rw-r--r--main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch41
-rw-r--r--main/xen/xsa170.patch79
-rw-r--r--main/xen/xsa172.patch39
-rw-r--r--main/xen/xsa173-4.6.patch244
8 files changed, 5 insertions, 935 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index d1c2342a85..f39d7a890f 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
-pkgver=4.6.1
-pkgrel=2
+pkgver=4.6.3
+pkgrel=0
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -42,21 +42,11 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
http://xenbits.xen.org/xen-extfiles/zlib-$_ZLIB_VERSION.tar.gz
http://xenbits.xen.org/xen-extfiles/ipxe-git-$_IPXE_GIT_TAG.tar.gz
- xsa154-4.6.patch
- xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
- xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
- xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
- xsa170.patch
- xsa172.patch
- xsa173-4.6.patch
-
- x86emul-suppress-writeback-upon-unsuccessful-MMX-SSE-AVX.patch
qemu-coroutine-gthread.patch
qemu-xen_paths.patch
hotplug-vif-vtrill.patch
0001-ipxe-dont-clobber-ebp.patch
- gnutls-3.4.0.patch
gcc5-cflags.patch
init-xenstore-domain.patch
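Review bot: The removal of `x86emul-suppress-writeback-upon-unsuccessful-MMX-SSE-AVX.patch` and `gnutls-3.4.0.patch` from `source=` in this hunk (their md5/sha256/sha512 entries are dropped in the later checksum hunks too) is not accounted for by the commit message, which only lists the XSAs closed by 4.6.3. Dropping a locally carried fix at upgrade time is only safe if the new upstream tarball contains the equivalent change; presumably both do, but that cannot be confirmed from this page. Suggest recording it next to the XSA list, e.g. `Drop x86emul-suppress-writeback and gnutls-3.4.0 patches: fixed upstream in 4.6.3`, so a later audit of this APKBUILD can see why the mitigation disappeared instead of having to re-derive it.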
@@ -236,7 +226,7 @@ hypervisor() {
mv "$pkgdir"/boot "$subpkgdir"/
}
-md5sums="df2d854c3c90ffeefaf71e7f868fb326 xen-4.6.1.tar.gz
+md5sums="26419d8477082dbdb32ec75b00f00643 xen-4.6.3.tar.gz
dd60683d7057917e34630b4a787932e8 gmp-4.3.2.tar.bz2
cd3f3eb54446be6003156158d51f4884 grub-0.97.tar.gz
36cc57650cffda9a0269493be2a169bb lwip-1.3.0.tar.gz
@@ -246,19 +236,10 @@ cec05e7785497c5e19da2f114b934ffd pciutils-2.2.9.tar.bz2
e26becb8a6a2b6695f6b3e8097593db8 tpm_emulator-0.7.4.tar.gz
debc62758716a169df9f62e6ab2bc634 zlib-1.2.3.tar.gz
7496268cebf47d5c9ccb0696e3b26065 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
-2109cf26a61f99158615d0e8566aa7d9 xsa154-4.6.patch
-8e87b1bcd1e5c057c8d7ad41010c27f1 xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
-48be8e53712d8656549fcdf1a96ffdec xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
-21448f920d1643580e261ac3650d1ef9 xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
-e0fd8934b37592a6a3e6ab107a2ab41a xsa170.patch
-b14d9a4247ae654579cb757c9b0e949a xsa172.patch
-a29812dc4cf1d8013d650496cb107fd0 xsa173-4.6.patch
-64760deb1ae50fc87e03bf0386f0a48b x86emul-suppress-writeback-upon-unsuccessful-MMX-SSE-AVX.patch
de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
e449bb3359b490804ffc7b0ae08d62a0 hotplug-vif-vtrill.patch
3a04998db5cc3c5c86f3b46e97e9cd82 0001-ipxe-dont-clobber-ebp.patch
-a0a0294eccbaef77a2f8f5c2789f011c gnutls-3.4.0.patch
a0b70cd1190345396d97170bf2d11663 gcc5-cflags.patch
cadc904edee45ea4824439b1e9558b37 init-xenstore-domain.patch
0984e3000de17a6d14b8014a3ced46a4 musl-support.patch
@@ -276,7 +257,7 @@ dcdd1de2c29e469e834a02ede4f47806 xendomains.confd
9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate
6a2f777c16678d84039acf670d86fff6 xenqemu.confd
e1c9e1c83a5cc49224608a48060bd677 xenqemu.initd"
-sha256sums="44cc2fccba1e147ef4c8da0584ce0f24189c8743de0e3e9a9226da88ddb5f589 xen-4.6.1.tar.gz
+sha256sums="02badfce9a037bd1bd4a94210c1f6b85467746216c71795805102b514bcf1fc4 xen-4.6.3.tar.gz
936162c0312886c21581002b79932829aa048cfaf9937c6265aeaa14f1cd1775 gmp-4.3.2.tar.bz2
4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b grub-0.97.tar.gz
772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f lwip-1.3.0.tar.gz
@@ -286,19 +267,10 @@ f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24 pciutils-2.2.9
4e48ea0d83dd9441cc1af04ab18cd6c961b9fa54d5cbf2c2feee038988dea459 tpm_emulator-0.7.4.tar.gz
1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e zlib-1.2.3.tar.gz
632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
-eec88c2a57466f83a81844cb7025f70c2b671d07a75d85487d4ed73cdabbb020 xsa154-4.6.patch
-e52467fcec73bcc86d3e96d06f8ca8085ae56a83d2c42a30c16bc3dc630d8f8a xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
-eae34c8ccc096ad93a74190506b3d55020a88afb0cc504a3a514590e9fd746fd xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
-42780265014085a4221ad32b026214693d751789eb5219e2e83862c0006c66f4 xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
-77b4b14b2c93da5f68e724cf74e1616f7df2e78305f66d164b3de2d980221a9a xsa170.patch
-f18282fcb794b8772bc3af51d56860050071bd62a5a909b8f2fc2018e2958154 xsa172.patch
-6dbc34e3e2d4415967c4406e0f8392a9395bff74da115ae20f26bd112b19017c xsa173-4.6.patch
-8c88792adbe91b5f4c5b0446b79020c220aed0786b0325064fac085f0a5b7292 x86emul-suppress-writeback-upon-unsuccessful-MMX-SSE-AVX.patch
3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a hotplug-vif-vtrill.patch
ac8bbd0b864c7de278fd9b68392b71863581ec21622c2e9b87e501e492e414d3 0001-ipxe-dont-clobber-ebp.patch
-e25d38376e22f6f935d2c0ce1b9d6e6b47ff261b5e6056bc3b47168739d7a992 gnutls-3.4.0.patch
8226200f17448e20784ad985ffe47aba1e8401364d9a2b6301818ca043f9ec35 gcc5-cflags.patch
f246382763746536bafc77f117cc6e689c6c9ee8dd2608c02dbfe9f025701589 init-xenstore-domain.patch
2fea4ceec8872f5560023fa135e3ff03d6deee4299e53d3a33ec59c31779b2c5 musl-support.patch
@@ -316,7 +288,7 @@ d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521 xenconsoled.in
0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate
4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd
c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d xenqemu.initd"
-sha512sums="f01a0b7874abf8b3a81432428d7ba2d5aceb9d75ae20310f8ef49a3a0df927720a51d49090f74fda7f374c779e121ad26da6966a6f2623ed1a7743b4c080427c xen-4.6.1.tar.gz
+sha512sums="187a860b40c05139f22b8498a5fae1db173c3110d957147af29a56cb83b7111c9dc4946d65f9dffc847001fc01c5e9bf51886eaa1194bb9cfd0b6dbcd43a2c5c xen-4.6.3.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
@@ -326,19 +298,10 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35 tpm_emulator-0.7.4.tar.gz
021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e zlib-1.2.3.tar.gz
c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz
-fde4c58acb857bd4eec807a78bee356a02358174e8c52a66555a6ad9cf5670b43391429ff973e74d27ee43a27c338b89bc3e63d2d821ee85682d8799d3bdd35c xsa154-4.6.patch
-96574c07cc31b11cddbe90bbfd0ff92ec9a2aa52903f74258e1291c1dec91e85c65c18ce10ed85aa659e3c363a460375153f2f45f1bbc4cebcc904398518a8f4 xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
-d64d7e0dd96e31fa45d9d9b0cad9c543484709d699d9ab2efe1992f9375e8e0d67b0164e9ea8d3e75998388964f2fbfd96b5520a4acf13804dcf8c3472e37791 xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
-cad6b571ccca123e2a797cf82669ad0fe2e1ec99b7a68396beb3a2279e2cf87d8f0cf75e22dcd98238dd5031b2c7e9cb86d02ecaa82ae973fba6d26b2acfb514 xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
-09a6defca0f32319dddf4325fb0105a468517a7150c8a8ea287677b4a55f09bf776f5aa673bae22a0708537cf075d5e2143a24aa1b08629ef911a7cdfd8376f0 xsa170.patch
-8636f74b270b0ccf56ea6bab4c90d0ee909e5d2891987b4572df4a0906e2230e046aad0c99add6c1d70f7023cc6d99bcfd2947c953f600074a6ed7c176a5d3dc xsa172.patch
-d56d7403163fb7eeb2b5c44027c150f9edd1c4df86b38e3834b4b2cb58db94472fe0030c0ec667e41faed00bd6540fab10a4d909c82280d075482d06f8ac4cfb xsa173-4.6.patch
-ba3e23ac46be7f7a5ba9b7bdb4821ead8f54a524f3e4a528350c118c588615e697102aa7c077f6580eaad701488e6128c01dcfbc7a991cdfed94e8546420828c x86emul-suppress-writeback-upon-unsuccessful-MMX-SSE-AVX.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
a6455988477a29d856924651db5e14f96d835413b956278d2291cbb8e5877d7bf6f462890f607ecf1c7b4003997295d0ba7852e110fc20df3a3edf1845e778ba 0001-ipxe-dont-clobber-ebp.patch
-e9b88234bd67c2d65fcda1a56deeaf60aaa4c8b2afff128028c6a1478c89f828584dab1ac04f8d9d53cf17d26572e5505d0bbfcc4b2a6842cc749c6c018c0e51 gnutls-3.4.0.patch
68ea6d4798f107fc2fd134c970cd7f7b9aeafe3efaf9501bbd5ec35e7e212f1d637c15c21c7a257c0709c2a2d441f6c6192abad39fd23b3ecba69bcefbb3e930 gcc5-cflags.patch
76ffe70833928a9e19dedbf42e87f6267c4d15e7dc8710fba9b7874245a5d5b4c43a27ef97c3b121cbcd5a8470f1216a3f64114cb5b83325cb30fa2040721b66 init-xenstore-domain.patch
76bd60768b296752ca11195bb03a57584686461da45255cb540977111a73c42b5b92362fd46d97bfd20487c96971dd5aed7eae7d8bf1aad7d5199adb875d4962 musl-support.patch
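Review bot: The replaced `sha512sums=` entry for `xen-4.6.3.tar.gz` (and the matching `md5sums=`/`sha256sums=` entries in the earlier hunks) is the only integrity check on the tarball, since the `source=` entry shown in the source-list hunk header fetches it over plain http. Nothing in the diff or the commit message says whether the new digests were compared against the upstream-published hashes for the 4.6.3 release or simply regenerated from whatever the build host downloaded; for a security upgrade that distinction matters. A short statement in the commit message, e.g. `checksums verified against upstream release hashes`, would close that gap for reviewers.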
diff --git a/main/xen/xsa154-4.6.patch b/main/xen/xsa154-4.6.patch
deleted file mode 100644
index f1e598812b..0000000000
--- a/main/xen/xsa154-4.6.patch
+++ /dev/null
@@ -1,359 +0,0 @@
-x86: enforce consistent cachability of MMIO mappings
-
-We've been told by Intel that inconsistent cachability between
-multiple mappings of the same page can affect system stability only
-when the affected page is an MMIO one. Since the stale data issue is
-of no relevance to the hypervisor (since all guest memory accesses go
-through proper accessors and validation), handling of RAM pages
-remains unchanged here. Any MMIO mapped by domains however needs to be
-done consistently (all cachable mappings or all uncachable ones), in
-order to avoid Machine Check exceptions. Since converting existing
-cachable mappings to uncachable (at the time an uncachable mapping
-gets established) would in the PV case require tracking all mappings,
-allow MMIO to only get mapped uncachable (UC, UC-, or WC).
-
-This also implies that in the PV case we mustn't use the L1 PTE update
-fast path when cachability flags get altered.
-
-Since in the HVM case at least for now we want to continue honoring
-pinned cachability attributes for pages not mapped by the hypervisor,
-special case handling of r/o MMIO pages (forcing UC) gets added there.
-Arguably the counterpart change to p2m-pt.c may not be necessary, since
-UC- (which already gets enforced there) is probably strict enough.
-
-Note that the shadow code changes include fixing the write protection
-of r/o MMIO ranges: shadow_l1e_remove_flags() and its siblings, other
-than l1e_remove_flags() and alike, return the new PTE (and hence
-ignoring their return values makes them no-ops).
-
-This is CVE-2016-2270 / XSA-154.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/docs/misc/xen-command-line.markdown
-+++ b/docs/misc/xen-command-line.markdown
-@@ -1080,6 +1080,15 @@ limit is ignored by Xen.
-
- Specify if the MMConfig space should be enabled.
-
-+### mmio-relax
-+> `= <boolean> | all`
-+
-+> Default: `false`
-+
-+By default, domains may not create cached mappings to MMIO regions.
-+This option relaxes the check for Domain 0 (or when using `all`, all PV
-+domains), to permit the use of cacheable MMIO mappings.
-+
- ### msi
- > `= <boolean>`
-
---- a/xen/arch/x86/hvm/mtrr.c
-+++ b/xen/arch/x86/hvm/mtrr.c
-@@ -807,8 +807,17 @@ int epte_get_entry_emt(struct domain *d,
- if ( v->domain != d )
- v = d->vcpu ? d->vcpu[0] : NULL;
-
-- if ( !mfn_valid(mfn_x(mfn)) )
-+ if ( !mfn_valid(mfn_x(mfn)) ||
-+ rangeset_contains_range(mmio_ro_ranges, mfn_x(mfn),
-+ mfn_x(mfn) + (1UL << order) - 1) )
-+ {
-+ *ipat = 1;
- return MTRR_TYPE_UNCACHABLE;
-+ }
-+
-+ if ( rangeset_overlaps_range(mmio_ro_ranges, mfn_x(mfn),
-+ mfn_x(mfn) + (1UL << order) - 1) )
-+ return -1;
-
- switch ( hvm_get_mem_pinned_cacheattr(d, gfn, order, &type) )
- {
---- a/xen/arch/x86/mm/p2m-pt.c
-+++ b/xen/arch/x86/mm/p2m-pt.c
-@@ -107,6 +107,8 @@ static unsigned long p2m_type_to_flags(p
- case p2m_mmio_direct:
- if ( !rangeset_contains_singleton(mmio_ro_ranges, mfn_x(mfn)) )
- flags |= _PAGE_RW;
-+ else
-+ flags |= _PAGE_PWT;
- return flags | P2M_BASE_FLAGS | _PAGE_PCD;
- }
- }
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -519,6 +519,7 @@ _sh_propagate(struct vcpu *v,
- gfn_t target_gfn = guest_l1e_get_gfn(guest_entry);
- u32 pass_thru_flags;
- u32 gflags, sflags;
-+ bool_t mmio_mfn;
-
- /* We don't shadow PAE l3s */
- ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3);
-@@ -559,7 +560,10 @@ _sh_propagate(struct vcpu *v,
- // mfn means that we can not usefully shadow anything, and so we
- // return early.
- //
-- if ( !mfn_valid(target_mfn)
-+ mmio_mfn = !mfn_valid(target_mfn)
-+ || (level == 1
-+ && page_get_owner(mfn_to_page(target_mfn)) == dom_io);
-+ if ( mmio_mfn
- && !(level == 1 && (!shadow_mode_refcounts(d)
- || p2mt == p2m_mmio_direct)) )
- {
-@@ -577,7 +581,7 @@ _sh_propagate(struct vcpu *v,
- _PAGE_RW | _PAGE_PRESENT);
- if ( guest_supports_nx(v) )
- pass_thru_flags |= _PAGE_NX_BIT;
-- if ( !shadow_mode_refcounts(d) && !mfn_valid(target_mfn) )
-+ if ( level == 1 && !shadow_mode_refcounts(d) && mmio_mfn )
- pass_thru_flags |= _PAGE_PAT | _PAGE_PCD | _PAGE_PWT;
- sflags = gflags & pass_thru_flags;
-
-@@ -676,10 +680,14 @@ _sh_propagate(struct vcpu *v,
- }
-
- /* Read-only memory */
-- if ( p2m_is_readonly(p2mt) ||
-- (p2mt == p2m_mmio_direct &&
-- rangeset_contains_singleton(mmio_ro_ranges, mfn_x(target_mfn))) )
-+ if ( p2m_is_readonly(p2mt) )
- sflags &= ~_PAGE_RW;
-+ else if ( p2mt == p2m_mmio_direct &&
-+ rangeset_contains_singleton(mmio_ro_ranges, mfn_x(target_mfn)) )
-+ {
-+ sflags &= ~(_PAGE_RW | _PAGE_PAT);
-+ sflags |= _PAGE_PCD | _PAGE_PWT;
-+ }
-
- // protect guest page tables
- //
-@@ -1185,22 +1193,28 @@ static int shadow_set_l1e(struct domain
- && !sh_l1e_is_magic(new_sl1e) )
- {
- /* About to install a new reference */
-- if ( shadow_mode_refcounts(d) ) {
-+ if ( shadow_mode_refcounts(d) )
-+ {
-+#define PAGE_FLIPPABLE (_PAGE_RW | _PAGE_PWT | _PAGE_PCD | _PAGE_PAT)
-+ int rc;
-+
- TRACE_SHADOW_PATH_FLAG(TRCE_SFLAG_SHADOW_L1_GET_REF);
-- switch ( shadow_get_page_from_l1e(new_sl1e, d, new_type) )
-+ switch ( rc = shadow_get_page_from_l1e(new_sl1e, d, new_type) )
- {
- default:
- /* Doesn't look like a pagetable. */
- flags |= SHADOW_SET_ERROR;
- new_sl1e = shadow_l1e_empty();
- break;
-- case 1:
-- shadow_l1e_remove_flags(new_sl1e, _PAGE_RW);
-+ case PAGE_FLIPPABLE & -PAGE_FLIPPABLE ... PAGE_FLIPPABLE:
-+ ASSERT(!(rc & ~PAGE_FLIPPABLE));
-+ new_sl1e = shadow_l1e_flip_flags(new_sl1e, rc);
- /* fall through */
- case 0:
- shadow_vram_get_l1e(new_sl1e, sl1e, sl1mfn, d);
- break;
- }
-+#undef PAGE_FLIPPABLE
- }
- }
-
---- a/xen/arch/x86/mm/shadow/types.h
-+++ b/xen/arch/x86/mm/shadow/types.h
-@@ -99,6 +99,9 @@ static inline u32 shadow_l4e_get_flags(s
- static inline shadow_l1e_t
- shadow_l1e_remove_flags(shadow_l1e_t sl1e, u32 flags)
- { l1e_remove_flags(sl1e, flags); return sl1e; }
-+static inline shadow_l1e_t
-+shadow_l1e_flip_flags(shadow_l1e_t sl1e, u32 flags)
-+{ l1e_flip_flags(sl1e, flags); return sl1e; }
-
- static inline shadow_l1e_t shadow_l1e_empty(void)
- { return l1e_empty(); }
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-@@ -178,6 +178,18 @@ static uint32_t base_disallow_mask;
- is_pv_domain(d)) ? \
- L1_DISALLOW_MASK : (L1_DISALLOW_MASK & ~PAGE_CACHE_ATTRS))
-
-+static s8 __read_mostly opt_mmio_relax;
-+static void __init parse_mmio_relax(const char *s)
-+{
-+ if ( !*s )
-+ opt_mmio_relax = 1;
-+ else
-+ opt_mmio_relax = parse_bool(s);
-+ if ( opt_mmio_relax < 0 && strcmp(s, "all") )
-+ opt_mmio_relax = 0;
-+}
-+custom_param("mmio-relax", parse_mmio_relax);
-+
- static void __init init_frametable_chunk(void *start, void *end)
- {
- unsigned long s = (unsigned long)start;
-@@ -799,10 +811,7 @@ get_page_from_l1e(
- if ( !mfn_valid(mfn) ||
- (real_pg_owner = page_get_owner_and_reference(page)) == dom_io )
- {
--#ifndef NDEBUG
-- const unsigned long *ro_map;
-- unsigned int seg, bdf;
--#endif
-+ int flip = 0;
-
- /* Only needed the reference to confirm dom_io ownership. */
- if ( mfn_valid(mfn) )
-@@ -836,24 +845,55 @@ get_page_from_l1e(
- return -EINVAL;
- }
-
-- if ( !(l1f & _PAGE_RW) ||
-- !rangeset_contains_singleton(mmio_ro_ranges, mfn) )
-- return 0;
-+ if ( !rangeset_contains_singleton(mmio_ro_ranges, mfn) )
-+ {
-+ /* MMIO pages must not be mapped cachable unless requested so. */
-+ switch ( opt_mmio_relax )
-+ {
-+ case 0:
-+ break;
-+ case 1:
-+ if ( is_hardware_domain(l1e_owner) )
-+ case -1:
-+ return 0;
-+ default:
-+ ASSERT_UNREACHABLE();
-+ }
-+ }
-+ else if ( l1f & _PAGE_RW )
-+ {
- #ifndef NDEBUG
-- if ( !pci_mmcfg_decode(mfn, &seg, &bdf) ||
-- ((ro_map = pci_get_ro_map(seg)) != NULL &&
-- test_bit(bdf, ro_map)) )
-- printk(XENLOG_G_WARNING
-- "d%d: Forcing read-only access to MFN %lx\n",
-- l1e_owner->domain_id, mfn);
-- else
-- rangeset_report_ranges(mmio_ro_ranges, 0, ~0UL,
-- print_mmio_emul_range,
-- &(struct mmio_emul_range_ctxt){
-- .d = l1e_owner,
-- .mfn = mfn });
-+ const unsigned long *ro_map;
-+ unsigned int seg, bdf;
-+
-+ if ( !pci_mmcfg_decode(mfn, &seg, &bdf) ||
-+ ((ro_map = pci_get_ro_map(seg)) != NULL &&
-+ test_bit(bdf, ro_map)) )
-+ printk(XENLOG_G_WARNING
-+ "d%d: Forcing read-only access to MFN %lx\n",
-+ l1e_owner->domain_id, mfn);
-+ else
-+ rangeset_report_ranges(mmio_ro_ranges, 0, ~0UL,
-+ print_mmio_emul_range,
-+ &(struct mmio_emul_range_ctxt){
-+ .d = l1e_owner,
-+ .mfn = mfn });
- #endif
-- return 1;
-+ flip = _PAGE_RW;
-+ }
-+
-+ switch ( l1f & PAGE_CACHE_ATTRS )
-+ {
-+ case 0: /* WB */
-+ flip |= _PAGE_PWT | _PAGE_PCD;
-+ break;
-+ case _PAGE_PWT: /* WT */
-+ case _PAGE_PWT | _PAGE_PAT: /* WP */
-+ flip |= _PAGE_PCD | (l1f & _PAGE_PAT);
-+ break;
-+ }
-+
-+ return flip;
- }
-
- if ( unlikely( (real_pg_owner != pg_owner) &&
-@@ -1243,8 +1283,9 @@ static int alloc_l1_table(struct page_in
- goto fail;
- case 0:
- break;
-- case 1:
-- l1e_remove_flags(pl1e[i], _PAGE_RW);
-+ case _PAGE_RW ... _PAGE_RW | PAGE_CACHE_ATTRS:
-+ ASSERT(!(ret & ~(_PAGE_RW | PAGE_CACHE_ATTRS)));
-+ l1e_flip_flags(pl1e[i], ret);
- break;
- }
-
-@@ -1759,8 +1800,9 @@ static int mod_l1_entry(l1_pgentry_t *pl
- return -EINVAL;
- }
-
-- /* Fast path for identical mapping, r/w and presence. */
-- if ( !l1e_has_changed(ol1e, nl1e, _PAGE_RW | _PAGE_PRESENT) )
-+ /* Fast path for identical mapping, r/w, presence, and cachability. */
-+ if ( !l1e_has_changed(ol1e, nl1e,
-+ PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) )
- {
- adjust_guest_l1e(nl1e, pt_dom);
- if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu,
-@@ -1783,8 +1825,9 @@ static int mod_l1_entry(l1_pgentry_t *pl
- return rc;
- case 0:
- break;
-- case 1:
-- l1e_remove_flags(nl1e, _PAGE_RW);
-+ case _PAGE_RW ... _PAGE_RW | PAGE_CACHE_ATTRS:
-+ ASSERT(!(rc & ~(_PAGE_RW | PAGE_CACHE_ATTRS)));
-+ l1e_flip_flags(nl1e, rc);
- rc = 0;
- break;
- }
-@@ -5000,6 +5043,7 @@ static int ptwr_emulated_update(
- l1_pgentry_t pte, ol1e, nl1e, *pl1e;
- struct vcpu *v = current;
- struct domain *d = v->domain;
-+ int ret;
-
- /* Only allow naturally-aligned stores within the original %cr2 page. */
- if ( unlikely(((addr^ptwr_ctxt->cr2) & PAGE_MASK) || (addr & (bytes-1))) )
-@@ -5047,7 +5091,7 @@ static int ptwr_emulated_update(
-
- /* Check the new PTE. */
- nl1e = l1e_from_intpte(val);
-- switch ( get_page_from_l1e(nl1e, d, d) )
-+ switch ( ret = get_page_from_l1e(nl1e, d, d) )
- {
- default:
- if ( is_pv_32bit_domain(d) && (bytes == 4) && (unaligned_addr & 4) &&
-@@ -5071,8 +5115,9 @@ static int ptwr_emulated_update(
- break;
- case 0:
- break;
-- case 1:
-- l1e_remove_flags(nl1e, _PAGE_RW);
-+ case _PAGE_RW ... _PAGE_RW | PAGE_CACHE_ATTRS:
-+ ASSERT(!(ret & ~(_PAGE_RW | PAGE_CACHE_ATTRS)));
-+ l1e_flip_flags(nl1e, ret);
- break;
- }
-
---- a/xen/include/asm-x86/page.h
-+++ b/xen/include/asm-x86/page.h
-@@ -157,6 +157,9 @@ static inline l4_pgentry_t l4e_from_padd
- #define l3e_remove_flags(x, flags) ((x).l3 &= ~put_pte_flags(flags))
- #define l4e_remove_flags(x, flags) ((x).l4 &= ~put_pte_flags(flags))
-
-+/* Flip flags in an existing L1 PTE. */
-+#define l1e_flip_flags(x, flags) ((x).l1 ^= put_pte_flags(flags))
-+
- /* Check if a pte's page mapping or significant access flags have changed. */
- #define l1e_has_changed(x,y,flags) \
- ( !!(((x).l1 ^ (y).l1) & ((PADDR_MASK&PAGE_MASK)|put_pte_flags(flags))) )
diff --git a/main/xen/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch b/main/xen/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
deleted file mode 100644
index 7935e58c40..0000000000
--- a/main/xen/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 12b11658a9d6a654a1e7acbf2f2d56ce9a396c86 Mon Sep 17 00:00:00 2001
-From: David Vrabel <david.vrabel@citrix.com>
-Date: Fri, 20 Nov 2015 11:59:05 -0500
-Subject: [PATCH 1/3] xen: Add RING_COPY_REQUEST()
-
-Using RING_GET_REQUEST() on a shared ring is easy to use incorrectly
-(i.e., by not considering that the other end may alter the data in the
-shared ring while it is being inspected). Safe usage of a request
-generally requires taking a local copy.
-
-Provide a RING_COPY_REQUEST() macro to use instead of
-RING_GET_REQUEST() and an open-coded memcpy(). This takes care of
-ensuring that the copy is done correctly regardless of any possible
-compiler optimizations.
-
-Use a volatile source to prevent the compiler from reordering or
-omitting the copy.
-
-This is part of XSA155.
-
-Signed-off-by: David Vrabel <david.vrabel@citrix.com>
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
----
-v2: Add comment about GCC bug.
----
- xen/include/public/io/ring.h | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/xen/include/public/io/ring.h b/xen/include/public/io/ring.h
-index ba9401b..801c0da 100644
---- a/xen/include/public/io/ring.h
-+++ b/xen/include/public/io/ring.h
-@@ -212,6 +212,20 @@ typedef struct __name##_back_ring __name##_back_ring_t
- #define RING_GET_REQUEST(_r, _idx) \
- (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
-
-+/*
-+ * Get a local copy of a request.
-+ *
-+ * Use this in preference to RING_GET_REQUEST() so all processing is
-+ * done on a local copy that cannot be modified by the other end.
-+ *
-+ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this
-+ * to be ineffective where _req is a struct which consists of only bitfields.
-+ */
-+#define RING_COPY_REQUEST(_r, _idx, _req) do { \
-+ /* Use volatile to force the copy into _req. */ \
-+ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \
-+} while (0)
-+
- #define RING_GET_RESPONSE(_r, _idx) \
- (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp))
-
---
-2.1.0
-
diff --git a/main/xen/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch b/main/xen/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
deleted file mode 100644
index 2d80a7bd43..0000000000
--- a/main/xen/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 851ffb4eea917e2708c912291dea4d133026c0ac Mon Sep 17 00:00:00 2001
-From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Date: Fri, 20 Nov 2015 12:16:02 -0500
-Subject: [PATCH 2/3] blktap2: Use RING_COPY_REQUEST
-
-Instead of RING_GET_REQUEST. Using a local copy of the
-ring (and also with proper memory barriers) will mean
-we can do not have to worry about the compiler optimizing
-the code and doing a double-fetch in the shared memory space.
-
-This is part of XSA155.
-
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
----
-v2: Fix compile issues with tapdisk-vbd
----
- tools/blktap2/drivers/block-log.c | 3 ++-
- tools/blktap2/drivers/tapdisk-vbd.c | 8 ++++----
- 2 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/tools/blktap2/drivers/block-log.c b/tools/blktap2/drivers/block-log.c
-index 5330cdc..5f3bd35 100644
---- a/tools/blktap2/drivers/block-log.c
-+++ b/tools/blktap2/drivers/block-log.c
-@@ -494,11 +494,12 @@ static int ctl_kick(struct tdlog_state* s, int fd)
- reqstart = s->bring.req_cons;
- reqend = s->sring->req_prod;
-
-+ xen_mb();
- BDPRINTF("ctl: ring kicked (start = %u, end = %u)", reqstart, reqend);
-
- while (reqstart != reqend) {
- /* XXX actually submit these! */
-- memcpy(&req, RING_GET_REQUEST(&s->bring, reqstart), sizeof(req));
-+ RING_COPY_REQUEST(&s->bring, reqstart, &req);
- BDPRINTF("ctl: read request %"PRIu64":%u", req.sector, req.count);
- s->bring.req_cons = ++reqstart;
-
-diff --git a/tools/blktap2/drivers/tapdisk-vbd.c b/tools/blktap2/drivers/tapdisk-vbd.c
-index 6d1d94a..89ef9ed 100644
---- a/tools/blktap2/drivers/tapdisk-vbd.c
-+++ b/tools/blktap2/drivers/tapdisk-vbd.c
-@@ -1555,7 +1555,7 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd)
- int idx;
- RING_IDX rp, rc;
- td_ring_t *ring;
-- blkif_request_t *req;
-+ blkif_request_t req;
- td_vbd_request_t *vreq;
-
- ring = &vbd->ring;
-@@ -1566,16 +1566,16 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd)
- xen_rmb();
-
- for (rc = ring->fe_ring.req_cons; rc != rp; rc++) {
-- req = RING_GET_REQUEST(&ring->fe_ring, rc);
-+ RING_COPY_REQUEST(&ring->fe_ring, rc, &req);
- ++ring->fe_ring.req_cons;
-
-- idx = req->id;
-+ idx = req.id;
- vreq = &vbd->request_list[idx];
-
- ASSERT(list_empty(&vreq->next));
- ASSERT(vreq->secs_pending == 0);
-
-- memcpy(&vreq->req, req, sizeof(blkif_request_t));
-+ memcpy(&vreq->req, &req, sizeof(blkif_request_t));
- vbd->received++;
- vreq->vbd = vbd;
-
---
-2.1.4
-
diff --git a/main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch b/main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
deleted file mode 100644
index 56a6e538f4..0000000000
--- a/main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From c1fce65e2b720684ea6ba76ae59921542bd154bb Mon Sep 17 00:00:00 2001
-From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-Date: Fri, 20 Nov 2015 12:22:14 -0500
-Subject: [PATCH 3/3] libvchan: Read prod/cons only once.
-
-We must ensure that the prod/cons are only read once and that
-the compiler won't try to optimize the reads. That is split
-the read of these in multiple instructions influencing later
-branch code. As such insert barriers when fetching the cons
-and prod index.
-
-This is part of XSA155.
-
-Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
----
- tools/libvchan/io.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/tools/libvchan/io.c b/tools/libvchan/io.c
-index 8a9629b..381cc05 100644
---- a/tools/libvchan/io.c
-+++ b/tools/libvchan/io.c
-@@ -117,6 +117,7 @@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit)
- static inline int raw_get_data_ready(struct libxenvchan *ctrl)
- {
- uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl);
-+ xen_mb(); /* Ensure 'ready' is read only once. */
- if (ready > rd_ring_size(ctrl))
- /* We have no way to return errors. Locking up the ring is
- * better than the alternatives. */
-@@ -158,6 +159,7 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl)
- static inline int raw_get_buffer_space(struct libxenvchan *ctrl)
- {
- uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
-+ xen_mb(); /* Ensure 'ready' is read only once. */
- if (ready > wr_ring_size(ctrl))
- /* We have no way to return errors. Locking up the ring is
- * better than the alternatives. */
---
-2.1.0
-
diff --git a/main/xen/xsa170.patch b/main/xen/xsa170.patch
deleted file mode 100644
index f71fa19130..0000000000
--- a/main/xen/xsa170.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-x86/VMX: sanitize rIP before re-entering guest
-
-... to prevent guest user mode arranging for a guest crash (due to
-failed VM entry). (On the AMD system I checked, hardware is doing
-exactly the canonicalization being added here.)
-
-Note that fixing this in an architecturally correct way would be quite
-a bit more involved: Making the x86 instruction emulator check all
-branch targets for validity, plus dealing with invalid rIP resulting
-from update_guest_eip() or incoming directly during a VM exit. The only
-way to get the latter right would be by not having hardware do the
-injection.
-
-Note further that there are a two early returns from
-vmx_vmexit_handler(): One (through vmx_failed_vmentry()) leads to
-domain_crash() anyway, and the other covers real mode only and can
-neither occur with a non-canonical rIP nor result in an altered rIP,
-so we don't need to force those paths through the checking logic.
-
-This is XSA-170.
-
-Reported-by: 刘令 <liuling-it@360.cn>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -2968,7 +2968,7 @@ static int vmx_handle_apic_write(void)
- void vmx_vmexit_handler(struct cpu_user_regs *regs)
- {
- unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0;
-- unsigned int vector = 0;
-+ unsigned int vector = 0, mode;
- struct vcpu *v = current;
-
- __vmread(GUEST_RIP, &regs->rip);
-@@ -3566,6 +3566,41 @@ void vmx_vmexit_handler(struct cpu_user_
- out:
- if ( nestedhvm_vcpu_in_guestmode(v) )
- nvmx_idtv_handling();
-+
-+ /*
-+ * VM entry will fail (causing the guest to get crashed) if rIP (and
-+ * rFLAGS, but we don't have an issue there) doesn't meet certain
-+ * criteria. As we must not allow less than fully privileged mode to have
-+ * such an effect on the domain, we correct rIP in that case (accepting
-+ * this not being architecturally correct behavior, as the injected #GP
-+ * fault will then not see the correct [invalid] return address).
-+ * And since we know the guest will crash, we crash it right away if it
-+ * already is in most privileged mode.
-+ */
-+ mode = vmx_guest_x86_mode(v);
-+ if ( mode == 8 ? !is_canonical_address(regs->rip)
-+ : regs->rip != regs->_eip )
-+ {
-+ struct segment_register ss;
-+
-+ gprintk(XENLOG_WARNING, "Bad rIP %lx for mode %u\n", regs->rip, mode);
-+
-+ vmx_get_segment_register(v, x86_seg_ss, &ss);
-+ if ( ss.attr.fields.dpl )
-+ {
-+ __vmread(VM_ENTRY_INTR_INFO, &intr_info);
-+ if ( !(intr_info & INTR_INFO_VALID_MASK) )
-+ hvm_inject_hw_exception(TRAP_gp_fault, 0);
-+ /* Need to fix rIP nevertheless. */
-+ if ( mode == 8 )
-+ regs->rip = (long)(regs->rip << (64 - VADDR_BITS)) >>
-+ (64 - VADDR_BITS);
-+ else
-+ regs->rip = regs->_eip;
-+ }
-+ else
-+ domain_crash(v->domain);
-+ }
- }
-
- void vmx_vmenter_helper(const struct cpu_user_regs *regs)
diff --git a/main/xen/xsa172.patch b/main/xen/xsa172.patch
deleted file mode 100644
index 8b1d01fa84..0000000000
--- a/main/xen/xsa172.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-x86: fix information leak on AMD CPUs
-
-The fix for XSA-52 was wrong, and so was the change synchronizing that
-new behavior to the FXRSTOR logic: AMD's manuals explictly state that
-writes to the ES bit are ignored, and it instead gets calculated from
-the exception and mask bits (it gets set whenever there is an unmasked
-exception, and cleared otherwise). Hence we need to follow that model
-in our workaround.
-
-This is XSA-172.
-
-The first hunk (xen/arch/x86/i387.c:fpu_fxrstor) is CVE-2016-3159.
-The second hunk (xen/arch/x86/xstate.c:xrstor) is CVE-2016-3158.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/i387.c
-+++ b/xen/arch/x86/i387.c
-@@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vc
- * sometimes new user value. Both should be ok. Use the FPU saved
- * data block as a safe address because it should be in L1.
- */
-- if ( !(fpu_ctxt->fsw & 0x0080) &&
-+ if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) &&
- boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
- {
- asm volatile ( "fnclex\n\t"
---- a/xen/arch/x86/xstate.c
-+++ b/xen/arch/x86/xstate.c
-@@ -344,7 +344,7 @@ void xrstor(struct vcpu *v, uint64_t mas
- * data block as a safe address because it should be in L1.
- */
- if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
-- !(ptr->fpu_sse.fsw & 0x0080) &&
-+ !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) &&
- boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
- asm volatile ( "fnclex\n\t" /* clear exceptions */
- "ffree %%st(7)\n\t" /* clear stack tag */
diff --git a/main/xen/xsa173-4.6.patch b/main/xen/xsa173-4.6.patch
deleted file mode 100644
index aecf120c74..0000000000
--- a/main/xen/xsa173-4.6.patch
+++ /dev/null
@@ -1,244 +0,0 @@
-commit 54a4651cb4e744960fb375ed99909d7dfb943caf
-Author: Tim Deegan <tim@xen.org>
-Date: Wed Mar 16 16:51:27 2016 +0000
-
- x86: limit GFNs to 32 bits for shadowed superpages.
-
- Superpage shadows store the shadowed GFN in the backpointer field,
- which for non-BIGMEM builds is 32 bits wide. Shadowing a superpage
- mapping of a guest-physical address above 2^44 would lead to the GFN
- being truncated there, and a crash when we come to remove the shadow
- from the hash table.
-
- Track the valid width of a GFN for each guest, including reporting it
- through CPUID, and enforce it in the shadow pagetables. Set the
- maximum witth to 32 for guests where this truncation could occur.
-
- This is XSA-173.
-
- Signed-off-by: Tim Deegan <tim@xen.org>
- Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
-Reported-by: Ling Liu <liuling-it@360.cn>
-diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
-index 35ef21b..528c283 100644
---- a/xen/arch/x86/cpu/common.c
-+++ b/xen/arch/x86/cpu/common.c
-@@ -38,6 +38,7 @@ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx);
- const struct cpu_dev *__read_mostly cpu_devs[X86_VENDOR_NUM] = {};
-
- unsigned int paddr_bits __read_mostly = 36;
-+unsigned int hap_paddr_bits __read_mostly = 36;
-
- /*
- * Default host IA32_CR_PAT value to cover all memory types.
-@@ -211,7 +212,7 @@ static void __init early_cpu_detect(void)
-
- static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
- {
-- u32 tfms, capability, excap, ebx;
-+ u32 tfms, capability, excap, ebx, eax;
-
- /* Get vendor name */
- cpuid(0x00000000, &c->cpuid_level,
-@@ -248,8 +249,11 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
- }
- if ( c->extended_cpuid_level >= 0x80000004 )
- get_model_name(c); /* Default name */
-- if ( c->extended_cpuid_level >= 0x80000008 )
-- paddr_bits = cpuid_eax(0x80000008) & 0xff;
-+ if ( c->extended_cpuid_level >= 0x80000008 ) {
-+ eax = cpuid_eax(0x80000008);
-+ paddr_bits = eax & 0xff;
-+ hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits;
-+ }
- }
-
- /* Might lift BIOS max_leaf=3 limit. */
-diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
-index e200aab..0b4d9f0 100644
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -4567,8 +4567,7 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx,
- break;
-
- case 0x80000008:
-- count = cpuid_eax(0x80000008);
-- count = (count >> 16) & 0xff ?: count & 0xff;
-+ count = d->arch.paging.gfn_bits + PAGE_SHIFT;
- if ( (*eax & 0xff) > count )
- *eax = (*eax & ~0xff) | count;
-
-diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c
-index 773454d..06543d3 100644
---- a/xen/arch/x86/mm/guest_walk.c
-+++ b/xen/arch/x86/mm/guest_walk.c
-@@ -93,6 +93,12 @@ void *map_domain_gfn(struct p2m_domain *p2m, gfn_t gfn, mfn_t *mfn,
- struct page_info *page;
- void *map;
-
-+ if ( gfn_x(gfn) >> p2m->domain->arch.paging.gfn_bits )
-+ {
-+ *rc = _PAGE_INVALID_BIT;
-+ return NULL;
-+ }
-+
- /* Translate the gfn, unsharing if shared */
- page = get_page_from_gfn_p2m(p2m->domain, p2m, gfn_x(gfn), p2mt, NULL,
- q);
-@@ -326,20 +332,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m,
- flags &= ~_PAGE_PAT;
-
- if ( gfn_x(start) & GUEST_L2_GFN_MASK & ~0x1 )
-- {
--#if GUEST_PAGING_LEVELS == 2
-- /*
-- * Note that _PAGE_INVALID_BITS is zero in this case, yielding a
-- * no-op here.
-- *
-- * Architecturally, the walk should fail if bit 21 is set (others
-- * aren't being checked at least in PSE36 mode), but we'll ignore
-- * this here in order to avoid specifying a non-natural, non-zero
-- * _PAGE_INVALID_BITS value just for that case.
-- */
--#endif
- rc |= _PAGE_INVALID_BITS;
-- }
-+
- /* Increment the pfn by the right number of 4k pages.
- * Mask out PAT and invalid bits. */
- start = _gfn((gfn_x(start) & ~GUEST_L2_GFN_MASK) +
-@@ -422,5 +416,11 @@ set_ad:
- put_page(mfn_to_page(mfn_x(gw->l1mfn)));
- }
-
-+ /* If this guest has a restricted physical address space then the
-+ * target GFN must fit within it. */
-+ if ( !(rc & _PAGE_PRESENT)
-+ && gfn_x(guest_l1e_get_gfn(gw->l1e)) >> d->arch.paging.gfn_bits )
-+ rc |= _PAGE_INVALID_BITS;
-+
- return rc;
- }
-diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
-index 6eb2167..f3475c6 100644
---- a/xen/arch/x86/mm/hap/hap.c
-+++ b/xen/arch/x86/mm/hap/hap.c
-@@ -448,6 +448,8 @@ void hap_domain_init(struct domain *d)
- {
- INIT_PAGE_LIST_HEAD(&d->arch.paging.hap.freelist);
-
-+ d->arch.paging.gfn_bits = hap_paddr_bits - PAGE_SHIFT;
-+
- /* Use HAP logdirty mechanism. */
- paging_log_dirty_init(d, hap_enable_log_dirty,
- hap_disable_log_dirty,
-diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
-index bad8360..98d0d2c 100644
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-@@ -51,6 +51,16 @@ int shadow_domain_init(struct domain *d, unsigned int domcr_flags)
- INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.freelist);
- INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.pinned_shadows);
-
-+ d->arch.paging.gfn_bits = paddr_bits - PAGE_SHIFT;
-+#ifndef CONFIG_BIGMEM
-+ /*
-+ * Shadowed superpages store GFNs in 32-bit page_info fields.
-+ * Note that we cannot use guest_supports_superpages() here.
-+ */
-+ if ( !is_pv_domain(d) || opt_allow_superpage )
-+ d->arch.paging.gfn_bits = 32;
-+#endif
-+
- /* Use shadow pagetables for log-dirty support */
- paging_log_dirty_init(d, sh_enable_log_dirty,
- sh_disable_log_dirty, sh_clean_dirty_bitmap);
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index 43c9488..71477fe 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -525,7 +525,8 @@ _sh_propagate(struct vcpu *v,
- ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3);
-
- /* Check there's something for the shadows to map to */
-- if ( !p2m_is_valid(p2mt) && !p2m_is_grant(p2mt) )
-+ if ( (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt))
-+ || gfn_x(target_gfn) >> d->arch.paging.gfn_bits )
- {
- *sp = shadow_l1e_empty();
- goto done;
-diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
-index c6c6e71..74c3a52 100644
---- a/xen/include/asm-x86/domain.h
-+++ b/xen/include/asm-x86/domain.h
-@@ -193,6 +193,9 @@ struct paging_domain {
- /* log dirty support */
- struct log_dirty_domain log_dirty;
-
-+ /* Number of valid bits in a gfn. */
-+ unsigned int gfn_bits;
-+
- /* preemption handling */
- struct {
- const struct domain *dom;
-diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h
-index f8a0d76..b5db401 100644
---- a/xen/include/asm-x86/guest_pt.h
-+++ b/xen/include/asm-x86/guest_pt.h
-@@ -210,15 +210,17 @@ guest_supports_nx(struct vcpu *v)
- }
-
-
--/* Some bits are invalid in any pagetable entry. */
--#if GUEST_PAGING_LEVELS == 2
--#define _PAGE_INVALID_BITS (0)
--#elif GUEST_PAGING_LEVELS == 3
--#define _PAGE_INVALID_BITS \
-- get_pte_flags(((1ull<<63) - 1) & ~((1ull<<paddr_bits) - 1))
--#else /* GUEST_PAGING_LEVELS == 4 */
-+/*
-+ * Some bits are invalid in any pagetable entry.
-+ * Normal flags values get represented in 24-bit values (see
-+ * get_pte_flags() and put_pte_flags()), so set bit 24 in
-+ * addition to be able to flag out of range frame numbers.
-+ */
-+#if GUEST_PAGING_LEVELS == 3
- #define _PAGE_INVALID_BITS \
-- get_pte_flags(((1ull<<52) - 1) & ~((1ull<<paddr_bits) - 1))
-+ (_PAGE_INVALID_BIT | get_pte_flags(((1ull << 63) - 1) & ~(PAGE_SIZE - 1)))
-+#else /* 2-level and 4-level */
-+#define _PAGE_INVALID_BITS _PAGE_INVALID_BIT
- #endif
-
-
-diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
-index f507f5e..a200470 100644
---- a/xen/include/asm-x86/processor.h
-+++ b/xen/include/asm-x86/processor.h
-@@ -212,6 +212,8 @@ extern u32 cpuid_ext_features;
-
- /* Maximum width of physical addresses supported by the hardware */
- extern unsigned int paddr_bits;
-+/* Max physical address width supported within HAP guests */
-+extern unsigned int hap_paddr_bits;
-
- extern const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id table[]);
-
-diff --git a/xen/include/asm-x86/x86_64/page.h b/xen/include/asm-x86/x86_64/page.h
-index 19ab4d0..eb5e2fd 100644
---- a/xen/include/asm-x86/x86_64/page.h
-+++ b/xen/include/asm-x86/x86_64/page.h
-@@ -141,6 +141,12 @@ typedef l4_pgentry_t root_pgentry_t;
- #define _PAGE_GNTTAB (1U<<22)
-
- /*
-+ * Bit 24 of a 24-bit flag mask! This is not any bit of a real pte,
-+ * and is only used for signalling in variables that contain flags.
-+ */
-+#define _PAGE_INVALID_BIT (1U<<24)
-+
-+/*
- * Bit 12 of a 24-bit flag mask. This corresponds to bit 52 of a pte.
- * This is needed to distinguish between user and kernel PTEs since _PAGE_USER
- * is asserted for both.