aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/xen/xsa33-4.2-unstable.patch21
-rw-r--r--main/xen/xsa34-4.2.patch30
-rw-r--r--main/xen/xsa35-4.2-with-xsa34.patch24
-rw-r--r--main/xen/xsa36-4.2.patch323
-rw-r--r--main/xen/xsa38.patch73
-rw-r--r--main/xen/xsa44-4.2.patch77
-rw-r--r--main/xen/xsa46-4.2.patch293
-rw-r--r--main/xen/xsa47-4.2-unstable.patch31
8 files changed, 0 insertions, 872 deletions
diff --git a/main/xen/xsa33-4.2-unstable.patch b/main/xen/xsa33-4.2-unstable.patch
deleted file mode 100644
index 369d65bba9..0000000000
--- a/main/xen/xsa33-4.2-unstable.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-VT-d: fix interrupt remapping source validation for devices behind
-legacy bridges
-
-Using SVT_VERIFY_BUS here doesn't make sense; native Linux also
-uses SVT_VERIFY_SID_SQ here instead.
-
-This is XSA-33 / CVE-2012-5634.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/drivers/passthrough/vtd/intremap.c
-+++ b/xen/drivers/passthrough/vtd/intremap.c
-@@ -466,7 +466,7 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire)
- set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
- (bus << 8) | pdev->bus);
- else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
-- set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
-+ set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
- PCI_BDF2(bus, devfn));
- }
- break;
diff --git a/main/xen/xsa34-4.2.patch b/main/xen/xsa34-4.2.patch
deleted file mode 100644
index f5328eff9f..0000000000
--- a/main/xen/xsa34-4.2.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-x86_32: don't allow use of nested HVM
-
-There are (indirect) uses of map_domain_page() in the nested HVM code
-that are unsafe when not just using the 1:1 mapping.
-
-This is XSA-34 / CVE-2013-0151.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -3926,6 +3926,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
- rc = -EINVAL;
- break;
- case HVM_PARAM_NESTEDHVM:
-+#ifdef __i386__
-+ if ( a.value )
-+ rc = -EINVAL;
-+#else
- if ( a.value > 1 )
- rc = -EINVAL;
- if ( !is_hvm_domain(d) )
-@@ -3940,6 +3944,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
- for_each_vcpu(d, v)
- if ( rc == 0 )
- rc = nestedhvm_vcpu_initialise(v);
-+#endif
- break;
- case HVM_PARAM_BUFIOREQ_EVTCHN:
- rc = -EINVAL;
diff --git a/main/xen/xsa35-4.2-with-xsa34.patch b/main/xen/xsa35-4.2-with-xsa34.patch
deleted file mode 100644
index 89230e2a46..0000000000
--- a/main/xen/xsa35-4.2-with-xsa34.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-xen: Do not allow guests to enable nested HVM on themselves
-
-There is no reason for this and doing so exposes a memory leak to
-guests. Only toolstacks need write access to this HVM param.
-
-This is XSA-35 / CVE-2013-0152.
-
-Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Jan Beulich <JBeulich@suse.com>
-
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -3862,6 +3862,11 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
- rc = -EINVAL;
- break;
- case HVM_PARAM_NESTEDHVM:
-+ if ( !IS_PRIV(current->domain) )
-+ {
-+ rc = -EPERM;
-+ break;
-+ }
- #ifdef __i386__
- if ( a.value )
- rc = -EINVAL;
diff --git a/main/xen/xsa36-4.2.patch b/main/xen/xsa36-4.2.patch
deleted file mode 100644
index 8477701a22..0000000000
--- a/main/xen/xsa36-4.2.patch
+++ /dev/null
@@ -1,323 +0,0 @@
-ACPI: acpi_table_parse() should return handler's error code
-
-Currently, the error code returned by acpi_table_parse()'s handler
-is ignored. This patch will propagate handler's return value to
-acpi_table_parse()'s caller.
-
-AMD,IOMMU: Clean up old entries in remapping tables when creating new
-interrupt mapping.
-
-When changing the affinity of an IRQ associated with a passed
-through PCI device, clear previous mapping.
-
-In addition, because some BIOSes may incorrectly program IVRS
-entries for IOAPIC try to check for entry's consistency. Specifically,
-if conflicting entries are found disable IOMMU if per-device
-remapping table is used. If entries refer to bogus IOAPIC IDs
-disable IOMMU unconditionally
-
-AMD,IOMMU: Disable IOMMU if SATA Combined mode is on
-
-AMD's SP5100 chipset can be placed into SATA Combined mode
-that may cause prevent dom0 from booting when IOMMU is
-enabled and per-device interrupt remapping table is used.
-While SP5100 erratum 28 requires BIOSes to disable this mode,
-some may still use it.
-
-This patch checks whether this mode is on and, if per-device
-table is in use, disables IOMMU.
-
-AMD,IOMMU: Make per-device interrupt remapping table default
-
-Using global interrupt remapping table may be insecure, as
-described by XSA-36. This patch makes per-device mode default.
-
-This is XSA-36 / CVE-2013-0153.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Signed-off-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
-
---- a/xen/arch/x86/irq.c
-+++ b/xen/arch/x86/irq.c
-@@ -1942,9 +1942,6 @@ int map_domain_pirq(
- spin_lock_irqsave(&desc->lock, flags);
- set_domain_irq_pirq(d, irq, info);
- spin_unlock_irqrestore(&desc->lock, flags);
--
-- if ( opt_irq_vector_map == OPT_IRQ_VECTOR_MAP_PERDEV )
-- printk(XENLOG_INFO "Per-device vector maps for GSIs not implemented yet.\n");
- }
-
- done:
---- a/xen/drivers/acpi/tables.c
-+++ b/xen/drivers/acpi/tables.c
-@@ -267,7 +267,7 @@ acpi_table_parse_madt(enum acpi_madt_typ
- * @handler: handler to run
- *
- * Scan the ACPI System Descriptor Table (STD) for a table matching @id,
-- * run @handler on it. Return 0 if table found, return on if not.
-+ * run @handler on it.
- */
- int __init acpi_table_parse(char *id, acpi_table_handler handler)
- {
-@@ -282,8 +282,7 @@ int __init acpi_table_parse(char *id, ac
- acpi_get_table(id, 0, &table);
-
- if (table) {
-- handler(table);
-- return 0;
-+ return handler(table);
- } else
- return 1;
- }
---- a/xen/drivers/passthrough/amd/iommu_acpi.c
-+++ b/xen/drivers/passthrough/amd/iommu_acpi.c
-@@ -22,6 +22,7 @@
- #include <xen/errno.h>
- #include <xen/acpi.h>
- #include <asm/apicdef.h>
-+#include <asm/io_apic.h>
- #include <asm/amd-iommu.h>
- #include <asm/hvm/svm/amd-iommu-proto.h>
-
-@@ -635,6 +636,7 @@ static u16 __init parse_ivhd_device_spec
- u16 header_length, u16 block_length, struct amd_iommu *iommu)
- {
- u16 dev_length, bdf;
-+ int apic;
-
- dev_length = sizeof(*special);
- if ( header_length < (block_length + dev_length) )
-@@ -651,10 +653,59 @@ static u16 __init parse_ivhd_device_spec
- }
-
- add_ivrs_mapping_entry(bdf, bdf, special->header.data_setting, iommu);
-- /* set device id of ioapic */
-- ioapic_sbdf[special->handle].bdf = bdf;
-- ioapic_sbdf[special->handle].seg = seg;
-- return dev_length;
-+
-+ if ( special->variety != ACPI_IVHD_IOAPIC )
-+ {
-+ if ( special->variety != ACPI_IVHD_HPET )
-+ printk(XENLOG_ERR "Unrecognized IVHD special variety %#x\n",
-+ special->variety);
-+ return dev_length;
-+ }
-+
-+ /*
-+ * Some BIOSes have IOAPIC broken entries so we check for IVRS
-+ * consistency here --- whether entry's IOAPIC ID is valid and
-+ * whether there are conflicting/duplicated entries.
-+ */
-+ for ( apic = 0; apic < nr_ioapics; apic++ )
-+ {
-+ if ( IO_APIC_ID(apic) != special->handle )
-+ continue;
-+
-+ if ( ioapic_sbdf[special->handle].pin_setup )
-+ {
-+ if ( ioapic_sbdf[special->handle].bdf == bdf &&
-+ ioapic_sbdf[special->handle].seg == seg )
-+ AMD_IOMMU_DEBUG("IVHD Warning: Duplicate IO-APIC %#x entries\n",
-+ special->handle);
-+ else
-+ {
-+ printk(XENLOG_ERR "IVHD Error: Conflicting IO-APIC %#x entries\n",
-+ special->handle);
-+ if ( amd_iommu_perdev_intremap )
-+ return 0;
-+ }
-+ }
-+ else
-+ {
-+ /* set device id of ioapic */
-+ ioapic_sbdf[special->handle].bdf = bdf;
-+ ioapic_sbdf[special->handle].seg = seg;
-+
-+ ioapic_sbdf[special->handle].pin_setup = xzalloc_array(
-+ unsigned long, BITS_TO_LONGS(nr_ioapic_entries[apic]));
-+ if ( nr_ioapic_entries[apic] &&
-+ !ioapic_sbdf[IO_APIC_ID(apic)].pin_setup )
-+ {
-+ printk(XENLOG_ERR "IVHD Error: Out of memory\n");
-+ return 0;
-+ }
-+ }
-+ return dev_length;
-+ }
-+
-+ printk(XENLOG_ERR "IVHD Error: Invalid IO-APIC %#x\n", special->handle);
-+ return 0;
- }
-
- static int __init parse_ivhd_block(const struct acpi_ivrs_hardware *ivhd_block)
---- a/xen/drivers/passthrough/amd/iommu_init.c
-+++ b/xen/drivers/passthrough/amd/iommu_init.c
-@@ -1126,12 +1126,45 @@ static int __init amd_iommu_setup_device
- return 0;
- }
-
-+/* Check whether SP5100 SATA Combined mode is on */
-+static bool_t __init amd_sp5100_erratum28(void)
-+{
-+ u32 bus, id;
-+ u16 vendor_id, dev_id;
-+ u8 byte;
-+
-+ for (bus = 0; bus < 256; bus++)
-+ {
-+ id = pci_conf_read32(0, bus, 0x14, 0, PCI_VENDOR_ID);
-+
-+ vendor_id = id & 0xffff;
-+ dev_id = (id >> 16) & 0xffff;
-+
-+ /* SP5100 SMBus module sets Combined mode on */
-+ if (vendor_id != 0x1002 || dev_id != 0x4385)
-+ continue;
-+
-+ byte = pci_conf_read8(0, bus, 0x14, 0, 0xad);
-+ if ( (byte >> 3) & 1 )
-+ {
-+ printk(XENLOG_WARNING "AMD-Vi: SP5100 erratum 28 detected, disabling IOMMU.\n"
-+ "If possible, disable SATA Combined mode in BIOS or contact your vendor for BIOS update.\n");
-+ return 1;
-+ }
-+ }
-+
-+ return 0;
-+}
-+
- int __init amd_iommu_init(void)
- {
- struct amd_iommu *iommu;
-
- BUG_ON( !iommu_found() );
-
-+ if ( amd_iommu_perdev_intremap && amd_sp5100_erratum28() )
-+ goto error_out;
-+
- ivrs_bdf_entries = amd_iommu_get_ivrs_dev_entries();
-
- if ( !ivrs_bdf_entries )
---- a/xen/drivers/passthrough/amd/iommu_intr.c
-+++ b/xen/drivers/passthrough/amd/iommu_intr.c
-@@ -99,12 +99,12 @@ static void update_intremap_entry(u32* e
- static void update_intremap_entry_from_ioapic(
- int bdf,
- struct amd_iommu *iommu,
-- struct IO_APIC_route_entry *ioapic_rte)
-+ const struct IO_APIC_route_entry *rte,
-+ const struct IO_APIC_route_entry *old_rte)
- {
- unsigned long flags;
- u32* entry;
- u8 delivery_mode, dest, vector, dest_mode;
-- struct IO_APIC_route_entry *rte = ioapic_rte;
- int req_id;
- spinlock_t *lock;
- int offset;
-@@ -120,6 +120,14 @@ static void update_intremap_entry_from_i
- spin_lock_irqsave(lock, flags);
-
- offset = get_intremap_offset(vector, delivery_mode);
-+ if ( old_rte )
-+ {
-+ int old_offset = get_intremap_offset(old_rte->vector,
-+ old_rte->delivery_mode);
-+
-+ if ( offset != old_offset )
-+ free_intremap_entry(iommu->seg, bdf, old_offset);
-+ }
- entry = (u32*)get_intremap_entry(iommu->seg, req_id, offset);
- update_intremap_entry(entry, vector, delivery_mode, dest_mode, dest);
-
-@@ -188,6 +196,7 @@ int __init amd_iommu_setup_ioapic_remapp
- amd_iommu_flush_intremap(iommu, req_id);
- spin_unlock_irqrestore(&iommu->lock, flags);
- }
-+ set_bit(pin, ioapic_sbdf[IO_APIC_ID(apic)].pin_setup);
- }
- }
- return 0;
-@@ -199,6 +208,7 @@ void amd_iommu_ioapic_update_ire(
- struct IO_APIC_route_entry old_rte = { 0 };
- struct IO_APIC_route_entry new_rte = { 0 };
- unsigned int rte_lo = (reg & 1) ? reg - 1 : reg;
-+ unsigned int pin = (reg - 0x10) / 2;
- int saved_mask, seg, bdf;
- struct amd_iommu *iommu;
-
-@@ -236,6 +246,14 @@ void amd_iommu_ioapic_update_ire(
- *(((u32 *)&new_rte) + 1) = value;
- }
-
-+ if ( new_rte.mask &&
-+ !test_bit(pin, ioapic_sbdf[IO_APIC_ID(apic)].pin_setup) )
-+ {
-+ ASSERT(saved_mask);
-+ __io_apic_write(apic, reg, value);
-+ return;
-+ }
-+
- /* mask the interrupt while we change the intremap table */
- if ( !saved_mask )
- {
-@@ -244,7 +262,11 @@ void amd_iommu_ioapic_update_ire(
- }
-
- /* Update interrupt remapping entry */
-- update_intremap_entry_from_ioapic(bdf, iommu, &new_rte);
-+ update_intremap_entry_from_ioapic(
-+ bdf, iommu, &new_rte,
-+ test_and_set_bit(pin,
-+ ioapic_sbdf[IO_APIC_ID(apic)].pin_setup) ? &old_rte
-+ : NULL);
-
- /* Forward write access to IO-APIC RTE */
- __io_apic_write(apic, reg, value);
-@@ -354,6 +376,12 @@ void amd_iommu_msi_msg_update_ire(
- return;
- }
-
-+ if ( msi_desc->remap_index >= 0 )
-+ update_intremap_entry_from_msi_msg(iommu, pdev, msi_desc, NULL);
-+
-+ if ( !msg )
-+ return;
-+
- update_intremap_entry_from_msi_msg(iommu, pdev, msi_desc, msg);
- }
-
---- a/xen/drivers/passthrough/amd/pci_amd_iommu.c
-+++ b/xen/drivers/passthrough/amd/pci_amd_iommu.c
-@@ -205,6 +205,8 @@ int __init amd_iov_detect(void)
- {
- printk("AMD-Vi: Not overriding irq_vector_map setting\n");
- }
-+ if ( !amd_iommu_perdev_intremap )
-+ printk(XENLOG_WARNING "AMD-Vi: Using global interrupt remap table is not recommended (see XSA-36)!\n");
- return scan_pci_devices();
- }
-
---- a/xen/drivers/passthrough/iommu.c
-+++ b/xen/drivers/passthrough/iommu.c
-@@ -52,7 +52,7 @@ bool_t __read_mostly iommu_qinval = 1;
- bool_t __read_mostly iommu_intremap = 1;
- bool_t __read_mostly iommu_hap_pt_share = 1;
- bool_t __read_mostly iommu_debug;
--bool_t __read_mostly amd_iommu_perdev_intremap;
-+bool_t __read_mostly amd_iommu_perdev_intremap = 1;
-
- DEFINE_PER_CPU(bool_t, iommu_dont_flush_iotlb);
-
---- a/xen/include/asm-x86/hvm/svm/amd-iommu-proto.h
-+++ b/xen/include/asm-x86/hvm/svm/amd-iommu-proto.h
-@@ -100,6 +100,7 @@ void amd_iommu_read_msi_from_ire(
-
- extern struct ioapic_sbdf {
- u16 bdf, seg;
-+ unsigned long *pin_setup;
- } ioapic_sbdf[MAX_IO_APICS];
- extern void *shared_intremap_table;
-
diff --git a/main/xen/xsa38.patch b/main/xen/xsa38.patch
deleted file mode 100644
index f4a5dc0881..0000000000
--- a/main/xen/xsa38.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-diff --git a/tools/ocaml/libs/xb/partial.ml b/tools/ocaml/libs/xb/partial.ml
-index 3558889..d4d1c7b 100644
---- a/tools/ocaml/libs/xb/partial.ml
-+++ b/tools/ocaml/libs/xb/partial.ml
-@@ -27,8 +27,15 @@ external header_size: unit -> int = "stub_header_size"
- external header_of_string_internal: string -> int * int * int * int
- = "stub_header_of_string"
-
-+let xenstore_payload_max = 4096 (* xen/include/public/io/xs_wire.h *)
-+
- let of_string s =
- let tid, rid, opint, dlen = header_of_string_internal s in
-+ (* A packet which is bigger than xenstore_payload_max is illegal.
-+ This will leave the guest connection is a bad state and will
-+ be hard to recover from without restarting the connection
-+ (ie rebooting the guest) *)
-+ let dlen = min xenstore_payload_max dlen in
- {
- tid = tid;
- rid = rid;
-@@ -38,6 +45,7 @@ let of_string s =
- }
-
- let append pkt s sz =
-+ if pkt.len > 4096 then failwith "Buffer.add: cannot grow buffer";
- Buffer.add_string pkt.buf (String.sub s 0 sz)
-
- let to_complete pkt =
-diff --git a/tools/ocaml/libs/xb/xs_ring_stubs.c b/tools/ocaml/libs/xb/xs_ring_stubs.c
-index 00414c5..4888ac5 100644
---- a/tools/ocaml/libs/xb/xs_ring_stubs.c
-+++ b/tools/ocaml/libs/xb/xs_ring_stubs.c
-@@ -39,21 +39,23 @@ static int xs_ring_read(struct mmap_interface *interface,
- char *buffer, int len)
- {
- struct xenstore_domain_interface *intf = interface->addr;
-- XENSTORE_RING_IDX cons, prod;
-+ XENSTORE_RING_IDX cons, prod; /* offsets only */
- int to_read;
-
-- cons = intf->req_cons;
-- prod = intf->req_prod;
-+ cons = *(volatile uint32*)&intf->req_cons;
-+ prod = *(volatile uint32*)&intf->req_prod;
- xen_mb();
-+ cons = MASK_XENSTORE_IDX(cons);
-+ prod = MASK_XENSTORE_IDX(prod);
- if (prod == cons)
- return 0;
-- if (MASK_XENSTORE_IDX(prod) > MASK_XENSTORE_IDX(cons))
-+ if (prod > cons)
- to_read = prod - cons;
- else
-- to_read = XENSTORE_RING_SIZE - MASK_XENSTORE_IDX(cons);
-+ to_read = XENSTORE_RING_SIZE - cons;
- if (to_read < len)
- len = to_read;
-- memcpy(buffer, intf->req + MASK_XENSTORE_IDX(cons), len);
-+ memcpy(buffer, intf->req + cons, len);
- xen_mb();
- intf->req_cons += len;
- return len;
-@@ -66,8 +68,8 @@ static int xs_ring_write(struct mmap_interface *interface,
- XENSTORE_RING_IDX cons, prod;
- int can_write;
-
-- cons = intf->rsp_cons;
-- prod = intf->rsp_prod;
-+ cons = *(volatile uint32*)&intf->rsp_cons;
-+ prod = *(volatile uint32*)&intf->rsp_prod;
- xen_mb();
- if ( (prod - cons) >= XENSTORE_RING_SIZE )
- return 0;
diff --git a/main/xen/xsa44-4.2.patch b/main/xen/xsa44-4.2.patch
deleted file mode 100644
index 07ed9386f6..0000000000
--- a/main/xen/xsa44-4.2.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-x86: clear EFLAGS.NT in SYSENTER entry path
-
-... as it causes problems if we happen to exit back via IRET: In the
-course of trying to handle the fault, the hypervisor creates a stack
-frame by hand, and uses PUSHFQ to set the respective EFLAGS field, but
-expects to be able to IRET through that stack frame to the second
-portion of the fixup code (which causes a #GP due to the stored EFLAGS
-having NT set).
-
-And even if this worked (e.g if we cleared NT in that path), it would
-then (through the fail safe callback) cause a #GP in the guest with the
-SYSENTER handler's first instruction as the source, which in turn would
-allow guest user mode code to crash the guest kernel.
-
-Inject a #GP on the fake (NULL) address of the SYSENTER instruction
-instead, just like in the case where the guest kernel didn't register
-a corresponding entry point.
-
-On 32-bit we also need to make sure we clear SYSENTER_CS for all CPUs
-(neither #RESET nor #INIT guarantee this).
-
-This is CVE-2013-1917 / XSA-44.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citirx.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
-
---- a/xen/arch/x86/acpi/suspend.c
-+++ b/xen/arch/x86/acpi/suspend.c
-@@ -81,8 +81,12 @@ void restore_rest_processor_state(void)
- }
-
- #else /* !defined(CONFIG_X86_64) */
-- if ( supervisor_mode_kernel && cpu_has_sep )
-- wrmsr(MSR_IA32_SYSENTER_ESP, &this_cpu(init_tss).esp1, 0);
-+ if ( cpu_has_sep )
-+ {
-+ wrmsr(MSR_IA32_SYSENTER_CS, 0, 0);
-+ if ( supervisor_mode_kernel )
-+ wrmsr(MSR_IA32_SYSENTER_ESP, &this_cpu(init_tss).esp1, 0);
-+ }
- #endif
-
- /* Maybe load the debug registers. */
---- a/xen/arch/x86/cpu/common.c
-+++ b/xen/arch/x86/cpu/common.c
-@@ -655,8 +655,11 @@ void __cpuinit cpu_init(void)
- #if defined(CONFIG_X86_32)
- t->ss0 = __HYPERVISOR_DS;
- t->esp0 = get_stack_bottom();
-- if ( supervisor_mode_kernel && cpu_has_sep )
-+ if ( cpu_has_sep ) {
-+ wrmsr(MSR_IA32_SYSENTER_CS, 0, 0);
-+ if ( supervisor_mode_kernel )
- wrmsr(MSR_IA32_SYSENTER_ESP, &t->esp1, 0);
-+ }
- #elif defined(CONFIG_X86_64)
- /* Bottom-of-stack must be 16-byte aligned! */
- BUG_ON((get_stack_bottom() & 15) != 0);
---- a/xen/arch/x86/x86_64/entry.S
-+++ b/xen/arch/x86/x86_64/entry.S
-@@ -284,7 +284,14 @@ sysenter_eflags_saved:
- cmpb $0,VCPU_sysenter_disables_events(%rbx)
- movq VCPU_sysenter_addr(%rbx),%rax
- setne %cl
-+ testl $X86_EFLAGS_NT,UREGS_eflags(%rsp)
- leaq VCPU_trap_bounce(%rbx),%rdx
-+UNLIKELY_START(nz, sysenter_nt_set)
-+ pushfq
-+ andl $~X86_EFLAGS_NT,(%rsp)
-+ popfq
-+ xorl %eax,%eax
-+UNLIKELY_END(sysenter_nt_set)
- testq %rax,%rax
- leal (,%rcx,TBF_INTERRUPT),%ecx
- UNLIKELY_START(z, sysenter_gpf)
diff --git a/main/xen/xsa46-4.2.patch b/main/xen/xsa46-4.2.patch
deleted file mode 100644
index 9448ea9c67..0000000000
--- a/main/xen/xsa46-4.2.patch
+++ /dev/null
@@ -1,293 +0,0 @@
-x86: fix various issues with handling guest IRQs
-
-- properly revoke IRQ access in map_domain_pirq() error path
-- don't permit replacing an in use IRQ
-- don't accept inputs in the GSI range for MAP_PIRQ_TYPE_MSI
-- track IRQ access permission in host IRQ terms, not guest IRQ ones
- (and with that, also disallow Dom0 access to IRQ0)
-
-This is CVE-2013-1919 / XSA-46.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
-
---- a/tools/libxl/libxl_create.c
-+++ b/tools/libxl/libxl_create.c
-@@ -968,14 +968,16 @@ static void domcreate_launch_dm(libxl__e
- }
-
- for (i = 0; i < d_config->b_info.num_irqs; i++) {
-- uint32_t irq = d_config->b_info.irqs[i];
-+ int irq = d_config->b_info.irqs[i];
-
-- LOG(DEBUG, "dom%d irq %"PRIx32, domid, irq);
-+ LOG(DEBUG, "dom%d irq %d", domid, irq);
-
-- ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1);
-+ ret = irq >= 0 ? xc_physdev_map_pirq(CTX->xch, domid, irq, &irq)
-+ : -EOVERFLOW;
-+ if (!ret)
-+ ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1);
- if ( ret<0 ){
-- LOGE(ERROR,
-- "failed give dom%d access to irq %"PRId32, domid, irq);
-+ LOGE(ERROR, "failed give dom%d access to irq %d", domid, irq);
- ret = ERROR_FAIL;
- }
- }
---- a/tools/python/xen/xend/server/irqif.py
-+++ b/tools/python/xen/xend/server/irqif.py
-@@ -73,6 +73,12 @@ class IRQController(DevController):
-
- pirq = get_param('irq')
-
-+ rc = xc.physdev_map_pirq(domid = self.getDomid(),
-+ index = pirq,
-+ pirq = pirq)
-+ if rc < 0:
-+ raise VmError('irq: Failed to map irq %x' % (pirq))
-+
- rc = xc.domain_irq_permission(domid = self.getDomid(),
- pirq = pirq,
- allow_access = True)
-@@ -81,12 +87,6 @@ class IRQController(DevController):
- #todo non-fatal
- raise VmError(
- 'irq: Failed to configure irq: %d' % (pirq))
-- rc = xc.physdev_map_pirq(domid = self.getDomid(),
-- index = pirq,
-- pirq = pirq)
-- if rc < 0:
-- raise VmError(
-- 'irq: Failed to map irq %x' % (pirq))
- back = dict([(k, config[k]) for k in self.valid_cfg if k in config])
- return (self.allocateDeviceID(), back, {})
-
---- a/xen/arch/x86/domain_build.c
-+++ b/xen/arch/x86/domain_build.c
-@@ -1219,7 +1219,7 @@ int __init construct_dom0(
- /* DOM0 is permitted full I/O capabilities. */
- rc |= ioports_permit_access(dom0, 0, 0xFFFF);
- rc |= iomem_permit_access(dom0, 0UL, ~0UL);
-- rc |= irqs_permit_access(dom0, 0, d->nr_pirqs - 1);
-+ rc |= irqs_permit_access(dom0, 1, nr_irqs_gsi - 1);
-
- /*
- * Modify I/O port access permissions.
---- a/xen/arch/x86/domctl.c
-+++ b/xen/arch/x86/domctl.c
-@@ -772,9 +772,13 @@ long arch_do_domctl(
- goto bind_out;
-
- ret = -EPERM;
-- if ( !IS_PRIV(current->domain) &&
-- !irq_access_permitted(current->domain, bind->machine_irq) )
-- goto bind_out;
-+ if ( !IS_PRIV(current->domain) )
-+ {
-+ int irq = domain_pirq_to_irq(d, bind->machine_irq);
-+
-+ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
-+ goto bind_out;
-+ }
-
- ret = -ESRCH;
- if ( iommu_enabled )
-@@ -803,9 +807,13 @@ long arch_do_domctl(
- bind = &(domctl->u.bind_pt_irq);
-
- ret = -EPERM;
-- if ( !IS_PRIV(current->domain) &&
-- !irq_access_permitted(current->domain, bind->machine_irq) )
-- goto unbind_out;
-+ if ( !IS_PRIV(current->domain) )
-+ {
-+ int irq = domain_pirq_to_irq(d, bind->machine_irq);
-+
-+ if ( irq <= 0 || !irq_access_permitted(current->domain, irq) )
-+ goto unbind_out;
-+ }
-
- if ( iommu_enabled )
- {
---- a/xen/arch/x86/irq.c
-+++ b/xen/arch/x86/irq.c
-@@ -184,6 +184,14 @@ int create_irq(int node)
- desc->arch.used = IRQ_UNUSED;
- irq = ret;
- }
-+ else if ( dom0 )
-+ {
-+ ret = irq_permit_access(dom0, irq);
-+ if ( ret )
-+ printk(XENLOG_G_ERR
-+ "Could not grant Dom0 access to IRQ%d (error %d)\n",
-+ irq, ret);
-+ }
-
- return irq;
- }
-@@ -280,6 +288,17 @@ void clear_irq_vector(int irq)
- void destroy_irq(unsigned int irq)
- {
- BUG_ON(!MSI_IRQ(irq));
-+
-+ if ( dom0 )
-+ {
-+ int err = irq_deny_access(dom0, irq);
-+
-+ if ( err )
-+ printk(XENLOG_G_ERR
-+ "Could not revoke Dom0 access to IRQ%u (error %d)\n",
-+ irq, err);
-+ }
-+
- dynamic_irq_cleanup(irq);
- clear_irq_vector(irq);
- }
-@@ -1858,7 +1877,7 @@ int map_domain_pirq(
-
- if ( !IS_PRIV(current->domain) &&
- !(IS_PRIV_FOR(current->domain, d) &&
-- irq_access_permitted(current->domain, pirq)))
-+ irq_access_permitted(current->domain, irq)))
- return -EPERM;
-
- if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
-@@ -1887,17 +1906,18 @@ int map_domain_pirq(
- return ret;
- }
-
-- ret = irq_permit_access(d, pirq);
-+ ret = irq_permit_access(d, irq);
- if ( ret )
- {
-- dprintk(XENLOG_G_ERR, "dom%d: could not permit access to irq %d\n",
-- d->domain_id, pirq);
-+ printk(XENLOG_G_ERR
-+ "dom%d: could not permit access to IRQ%d (pirq %d)\n",
-+ d->domain_id, irq, pirq);
- return ret;
- }
-
- ret = prepare_domain_irq_pirq(d, irq, pirq, &info);
- if ( ret )
-- return ret;
-+ goto revoke;
-
- desc = irq_to_desc(irq);
-
-@@ -1921,8 +1941,14 @@ int map_domain_pirq(
- spin_lock_irqsave(&desc->lock, flags);
-
- if ( desc->handler != &no_irq_type )
-+ {
-+ spin_unlock_irqrestore(&desc->lock, flags);
- dprintk(XENLOG_G_ERR, "dom%d: irq %d in use\n",
- d->domain_id, irq);
-+ pci_disable_msi(msi_desc);
-+ ret = -EBUSY;
-+ goto done;
-+ }
- setup_msi_handler(desc, msi_desc);
-
- if ( opt_irq_vector_map == OPT_IRQ_VECTOR_MAP_PERDEV
-@@ -1951,7 +1977,14 @@ int map_domain_pirq(
-
- done:
- if ( ret )
-+ {
- cleanup_domain_irq_pirq(d, irq, info);
-+ revoke:
-+ if ( irq_deny_access(d, irq) )
-+ printk(XENLOG_G_ERR
-+ "dom%d: could not revoke access to IRQ%d (pirq %d)\n",
-+ d->domain_id, irq, pirq);
-+ }
- return ret;
- }
-
-@@ -2017,10 +2050,11 @@ int unmap_domain_pirq(struct domain *d,
- if ( !forced_unbind )
- cleanup_domain_irq_pirq(d, irq, info);
-
-- ret = irq_deny_access(d, pirq);
-+ ret = irq_deny_access(d, irq);
- if ( ret )
-- dprintk(XENLOG_G_ERR, "dom%d: could not deny access to irq %d\n",
-- d->domain_id, pirq);
-+ printk(XENLOG_G_ERR
-+ "dom%d: could not deny access to IRQ%d (pirq %d)\n",
-+ d->domain_id, irq, pirq);
-
- done:
- return ret;
---- a/xen/arch/x86/physdev.c
-+++ b/xen/arch/x86/physdev.c
-@@ -147,7 +147,7 @@ int physdev_map_pirq(domid_t domid, int
- if ( irq == -1 )
- irq = create_irq(NUMA_NO_NODE);
-
-- if ( irq < 0 || irq >= nr_irqs )
-+ if ( irq < nr_irqs_gsi || irq >= nr_irqs )
- {
- dprintk(XENLOG_G_ERR, "dom%d: can't create irq for msi!\n",
- d->domain_id);
---- a/xen/common/domctl.c
-+++ b/xen/common/domctl.c
-@@ -25,6 +25,7 @@
- #include <xen/paging.h>
- #include <xen/hypercall.h>
- #include <asm/current.h>
-+#include <asm/irq.h>
- #include <asm/page.h>
- #include <public/domctl.h>
- #include <xsm/xsm.h>
-@@ -897,9 +898,9 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
- else if ( xsm_irq_permission(d, pirq, allow) )
- ret = -EPERM;
- else if ( allow )
-- ret = irq_permit_access(d, pirq);
-+ ret = pirq_permit_access(d, pirq);
- else
-- ret = irq_deny_access(d, pirq);
-+ ret = pirq_deny_access(d, pirq);
-
- rcu_unlock_domain(d);
- }
---- a/xen/common/event_channel.c
-+++ b/xen/common/event_channel.c
-@@ -369,7 +369,7 @@ static long evtchn_bind_pirq(evtchn_bind
- if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
- return -EINVAL;
-
-- if ( !is_hvm_domain(d) && !irq_access_permitted(d, pirq) )
-+ if ( !is_hvm_domain(d) && !pirq_access_permitted(d, pirq) )
- return -EPERM;
-
- spin_lock(&d->event_lock);
---- a/xen/include/xen/iocap.h
-+++ b/xen/include/xen/iocap.h
-@@ -28,4 +28,22 @@
- #define irq_access_permitted(d, i) \
- rangeset_contains_singleton((d)->irq_caps, i)
-
-+#define pirq_permit_access(d, i) ({ \
-+ struct domain *d__ = (d); \
-+ int i__ = domain_pirq_to_irq(d__, i); \
-+ i__ > 0 ? rangeset_add_singleton(d__->irq_caps, i__)\
-+ : -EINVAL; \
-+})
-+#define pirq_deny_access(d, i) ({ \
-+ struct domain *d__ = (d); \
-+ int i__ = domain_pirq_to_irq(d__, i); \
-+ i__ > 0 ? rangeset_remove_singleton(d__->irq_caps, i__)\
-+ : -EINVAL; \
-+})
-+#define pirq_access_permitted(d, i) ({ \
-+ struct domain *d__ = (d); \
-+ rangeset_contains_singleton(d__->irq_caps, \
-+ domain_pirq_to_irq(d__, i));\
-+})
-+
- #endif /* __XEN_IOCAP_H__ */
diff --git a/main/xen/xsa47-4.2-unstable.patch b/main/xen/xsa47-4.2-unstable.patch
deleted file mode 100644
index 7ebb8c8a31..0000000000
--- a/main/xen/xsa47-4.2-unstable.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-defer event channel bucket pointer store until after XSM checks
-
-Otherwise a dangling pointer can be left, which would cause subsequent
-memory corruption as soon as the space got re-allocated for some other
-purpose.
-
-This is CVE-2013-1920 / XSA-47.
-
-Reported-by: Wei Liu <wei.liu2@citrix.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Tim Deegan <tim@xen.org>
-
---- a/xen/common/event_channel.c
-+++ b/xen/common/event_channel.c
-@@ -140,7 +140,6 @@ static int get_free_port(struct domain *
- chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET);
- if ( unlikely(chn == NULL) )
- return -ENOMEM;
-- bucket_from_port(d, port) = chn;
-
- for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
- {
-@@ -153,6 +152,8 @@ static int get_free_port(struct domain *
- }
- }
-
-+ bucket_from_port(d, port) = chn;
-+
- return port;
- }
-