main/xen: security fixes

CVE-2018-19961, CVE-2018-19962, XSA-275
CVE-2018-18883, XSA-278
CVE-2018-19965, XSA-279
CVE-2018-19966, XSA-280
CVE-2018-19967, XSA-282

Fixes #9845

1 files changed, 87 insertions, 0 deletions

diff --git a/main/xen/xsa282-4.9-1.patch b/main/xen/xsa282-4.9-1.patch
new file mode 100644
index 0000000000..580933d4b0
--- /dev/null
+++ b/main/xen/xsa282-4.9-1.patch
@@ -0,0 +1,87 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86: extend get_platform_badpages() interface
+
+Use a structure so along with an address (now frame number) an order can
+also be specified.
+
+This is part of XSA-282.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -7111,23 +7111,23 @@ void arch_dump_shared_mem_info(void)
+             mem_sharing_get_nr_saved_mfns());
+ }
+ 
+-const unsigned long *__init get_platform_badpages(unsigned int *array_size)
++const struct platform_bad_page *__init get_platform_badpages(unsigned int *array_size)
+ {
+     u32 igd_id;
+-    static unsigned long __initdata bad_pages[] = {
+-        0x20050000,
+-        0x20110000,
+-        0x20130000,
+-        0x20138000,
+-        0x40004000,
++    static const struct platform_bad_page __initconst snb_bad_pages[] = {
++        { .mfn = 0x20050000 >> PAGE_SHIFT },
++        { .mfn = 0x20110000 >> PAGE_SHIFT },
++        { .mfn = 0x20130000 >> PAGE_SHIFT },
++        { .mfn = 0x20138000 >> PAGE_SHIFT },
++        { .mfn = 0x40004000 >> PAGE_SHIFT },
+     };
+ 
+-    *array_size = ARRAY_SIZE(bad_pages);
++    *array_size = ARRAY_SIZE(snb_bad_pages);
+     igd_id = pci_conf_read32(0, 0, 2, 0, 0);
+-    if ( !IS_SNB_GFX(igd_id) )
+-        return NULL;
++    if ( IS_SNB_GFX(igd_id) )
++        return snb_bad_pages;
+ 
+-    return bad_pages;
++    return NULL;
+ }
+ 
+ void paging_invlpg(struct vcpu *v, unsigned long va)
+--- a/xen/common/page_alloc.c
++++ b/xen/common/page_alloc.c
+@@ -270,7 +270,7 @@ void __init init_boot_pages(paddr_t ps,
+     unsigned long bad_spfn, bad_epfn;
+     const char *p;
+ #ifdef CONFIG_X86
+-    const unsigned long *badpage = NULL;
++    const struct platform_bad_page *badpage;
+     unsigned int i, array_size;
+ #endif
+ 
+@@ -295,8 +295,8 @@ void __init init_boot_pages(paddr_t ps,
+     {
+         for ( i = 0; i < array_size; i++ )
+         {
+-            bootmem_region_zap(*badpage >> PAGE_SHIFT,
+-                               (*badpage >> PAGE_SHIFT) + 1);
++            bootmem_region_zap(badpage->mfn,
++                               badpage->mfn + (1U << badpage->order));
+             badpage++;
+         }
+     }
+--- a/xen/include/asm-x86/mm.h
++++ b/xen/include/asm-x86/mm.h
+@@ -350,7 +350,13 @@ bool is_iomem_page(mfn_t mfn);
+ 
+ void clear_superpage_mark(struct page_info *page);
+ 
+-const unsigned long *get_platform_badpages(unsigned int *array_size);
++struct platform_bad_page {
++    unsigned long mfn;
++    unsigned int order;
++};
++
++const struct platform_bad_page *get_platform_badpages(unsigned int *array_size);
++
+ /* Per page locks:
+  * page_lock() is used for two purposes: pte serialization, and memory sharing.
+  *