From 08e33d0f02c353d47b25b57f4f56a6ba9918fe32 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Thu, 23 Jun 2016 10:45:11 +0000 Subject: main/xen: security upgrade to 4.6.3 XSA-181 CVE-2016-5242 arm: Host crash caused by VMID exhaustion XSA-180 CVE-2014-3672 Unrestricted qemu logging XSA-179 CVE-2016-3710 CVE-2016-3712 QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks XSA-178 CVE-2016-4963 Unsanitised driver domain input in libxl device handling XSA-176 CVE-2016-4480 x86 software guest page walk PS bit handling flaw XSA-175 CVE-2016-4962 Unsanitised guest input in libxl device handling code XSA-174 CVE-2016-3961 hugetlbfs use may crash PV Linux guests --- main/xen/APKBUILD | 47 +-- main/xen/xsa154-4.6.patch | 359 --------------------- ...xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch | 56 ---- ...55-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch | 75 ----- ...en-0003-libvchan-Read-prod-cons-only-once.patch | 41 --- main/xen/xsa170.patch | 79 ----- main/xen/xsa172.patch | 39 --- main/xen/xsa173-4.6.patch | 244 -------------- 8 files changed, 5 insertions(+), 935 deletions(-) delete mode 100644 main/xen/xsa154-4.6.patch delete mode 100644 main/xen/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch delete mode 100644 main/xen/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch delete mode 100644 main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch delete mode 100644 main/xen/xsa170.patch delete mode 100644 main/xen/xsa172.patch delete mode 100644 main/xen/xsa173-4.6.patch (limited to 'main/xen') diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index d1c2342a85..f39d7a890f 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -2,8 +2,8 @@ # Contributor: Roger Pau Monne # Maintainer: William Pitcock pkgname=xen -pkgver=4.6.1 -pkgrel=2 +pkgver=4.6.3 +pkgrel=0 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86_64" @@ -42,21 +42,11 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g http://xenbits.xen.org/xen-extfiles/zlib-$_ZLIB_VERSION.tar.gz http://xenbits.xen.org/xen-extfiles/ipxe-git-$_IPXE_GIT_TAG.tar.gz - xsa154-4.6.patch - xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch - xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch - xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch - xsa170.patch - xsa172.patch - xsa173-4.6.patch - - x86emul-suppress-writeback-upon-unsuccessful-MMX-SSE-AVX.patch qemu-coroutine-gthread.patch qemu-xen_paths.patch hotplug-vif-vtrill.patch 0001-ipxe-dont-clobber-ebp.patch - gnutls-3.4.0.patch gcc5-cflags.patch init-xenstore-domain.patch @@ -236,7 +226,7 @@ hypervisor() { mv "$pkgdir"/boot "$subpkgdir"/ } -md5sums="df2d854c3c90ffeefaf71e7f868fb326 xen-4.6.1.tar.gz +md5sums="26419d8477082dbdb32ec75b00f00643 xen-4.6.3.tar.gz dd60683d7057917e34630b4a787932e8 gmp-4.3.2.tar.bz2 cd3f3eb54446be6003156158d51f4884 grub-0.97.tar.gz 36cc57650cffda9a0269493be2a169bb lwip-1.3.0.tar.gz @@ -246,19 +236,10 @@ cec05e7785497c5e19da2f114b934ffd pciutils-2.2.9.tar.bz2 e26becb8a6a2b6695f6b3e8097593db8 tpm_emulator-0.7.4.tar.gz debc62758716a169df9f62e6ab2bc634 zlib-1.2.3.tar.gz 7496268cebf47d5c9ccb0696e3b26065 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz -2109cf26a61f99158615d0e8566aa7d9 xsa154-4.6.patch -8e87b1bcd1e5c057c8d7ad41010c27f1 xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch -48be8e53712d8656549fcdf1a96ffdec xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch -21448f920d1643580e261ac3650d1ef9 xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch -e0fd8934b37592a6a3e6ab107a2ab41a xsa170.patch -b14d9a4247ae654579cb757c9b0e949a xsa172.patch -a29812dc4cf1d8013d650496cb107fd0 xsa173-4.6.patch -64760deb1ae50fc87e03bf0386f0a48b x86emul-suppress-writeback-upon-unsuccessful-MMX-SSE-AVX.patch de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch 08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch e449bb3359b490804ffc7b0ae08d62a0 hotplug-vif-vtrill.patch 3a04998db5cc3c5c86f3b46e97e9cd82 0001-ipxe-dont-clobber-ebp.patch -a0a0294eccbaef77a2f8f5c2789f011c gnutls-3.4.0.patch a0b70cd1190345396d97170bf2d11663 gcc5-cflags.patch cadc904edee45ea4824439b1e9558b37 init-xenstore-domain.patch 0984e3000de17a6d14b8014a3ced46a4 musl-support.patch @@ -276,7 +257,7 @@ dcdd1de2c29e469e834a02ede4f47806 xendomains.confd 9df68ac65dc3f372f5d61183abdc83ff xen-consoles.logrotate 6a2f777c16678d84039acf670d86fff6 xenqemu.confd e1c9e1c83a5cc49224608a48060bd677 xenqemu.initd" -sha256sums="44cc2fccba1e147ef4c8da0584ce0f24189c8743de0e3e9a9226da88ddb5f589 xen-4.6.1.tar.gz +sha256sums="02badfce9a037bd1bd4a94210c1f6b85467746216c71795805102b514bcf1fc4 xen-4.6.3.tar.gz 936162c0312886c21581002b79932829aa048cfaf9937c6265aeaa14f1cd1775 gmp-4.3.2.tar.bz2 4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b grub-0.97.tar.gz 772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f lwip-1.3.0.tar.gz @@ -286,19 +267,10 @@ f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24 pciutils-2.2.9 4e48ea0d83dd9441cc1af04ab18cd6c961b9fa54d5cbf2c2feee038988dea459 tpm_emulator-0.7.4.tar.gz 1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e zlib-1.2.3.tar.gz 632ce8c193ccacc3012bd354bdb733a4be126f7c098e111930aa41dad537405c ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz -eec88c2a57466f83a81844cb7025f70c2b671d07a75d85487d4ed73cdabbb020 xsa154-4.6.patch -e52467fcec73bcc86d3e96d06f8ca8085ae56a83d2c42a30c16bc3dc630d8f8a xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch -eae34c8ccc096ad93a74190506b3d55020a88afb0cc504a3a514590e9fd746fd xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch -42780265014085a4221ad32b026214693d751789eb5219e2e83862c0006c66f4 xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch -77b4b14b2c93da5f68e724cf74e1616f7df2e78305f66d164b3de2d980221a9a xsa170.patch -f18282fcb794b8772bc3af51d56860050071bd62a5a909b8f2fc2018e2958154 xsa172.patch -6dbc34e3e2d4415967c4406e0f8392a9395bff74da115ae20f26bd112b19017c xsa173-4.6.patch -8c88792adbe91b5f4c5b0446b79020c220aed0786b0325064fac085f0a5b7292 x86emul-suppress-writeback-upon-unsuccessful-MMX-SSE-AVX.patch 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a hotplug-vif-vtrill.patch ac8bbd0b864c7de278fd9b68392b71863581ec21622c2e9b87e501e492e414d3 0001-ipxe-dont-clobber-ebp.patch -e25d38376e22f6f935d2c0ce1b9d6e6b47ff261b5e6056bc3b47168739d7a992 gnutls-3.4.0.patch 8226200f17448e20784ad985ffe47aba1e8401364d9a2b6301818ca043f9ec35 gcc5-cflags.patch f246382763746536bafc77f117cc6e689c6c9ee8dd2608c02dbfe9f025701589 init-xenstore-domain.patch 2fea4ceec8872f5560023fa135e3ff03d6deee4299e53d3a33ec59c31779b2c5 musl-support.patch @@ -316,7 +288,7 @@ d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521 xenconsoled.in 0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19 xen-consoles.logrotate 4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e xenqemu.confd c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d xenqemu.initd" -sha512sums="f01a0b7874abf8b3a81432428d7ba2d5aceb9d75ae20310f8ef49a3a0df927720a51d49090f74fda7f374c779e121ad26da6966a6f2623ed1a7743b4c080427c xen-4.6.1.tar.gz +sha512sums="187a860b40c05139f22b8498a5fae1db173c3110d957147af29a56cb83b7111c9dc4946d65f9dffc847001fc01c5e9bf51886eaa1194bb9cfd0b6dbcd43a2c5c xen-4.6.3.tar.gz 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz @@ -326,19 +298,10 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36 4928b5b82f57645be9408362706ff2c4d9baa635b21b0d41b1c82930e8c60a759b1ea4fa74d7e6c7cae1b7692d006aa5cb72df0c3b88bf049779aa2b566f9d35 tpm_emulator-0.7.4.tar.gz 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e zlib-1.2.3.tar.gz c5cb1cdff40d2d71fd3e692a9d0efadf2aa17290daf5195391a1c81ddd9dfc913a8e44d5be2b12be85b2a5565ea31631c99c7053564f2fb2225c80ea0bb0e4a4 ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz -fde4c58acb857bd4eec807a78bee356a02358174e8c52a66555a6ad9cf5670b43391429ff973e74d27ee43a27c338b89bc3e63d2d821ee85682d8799d3bdd35c xsa154-4.6.patch -96574c07cc31b11cddbe90bbfd0ff92ec9a2aa52903f74258e1291c1dec91e85c65c18ce10ed85aa659e3c363a460375153f2f45f1bbc4cebcc904398518a8f4 xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch -d64d7e0dd96e31fa45d9d9b0cad9c543484709d699d9ab2efe1992f9375e8e0d67b0164e9ea8d3e75998388964f2fbfd96b5520a4acf13804dcf8c3472e37791 xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch -cad6b571ccca123e2a797cf82669ad0fe2e1ec99b7a68396beb3a2279e2cf87d8f0cf75e22dcd98238dd5031b2c7e9cb86d02ecaa82ae973fba6d26b2acfb514 xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch -09a6defca0f32319dddf4325fb0105a468517a7150c8a8ea287677b4a55f09bf776f5aa673bae22a0708537cf075d5e2143a24aa1b08629ef911a7cdfd8376f0 xsa170.patch -8636f74b270b0ccf56ea6bab4c90d0ee909e5d2891987b4572df4a0906e2230e046aad0c99add6c1d70f7023cc6d99bcfd2947c953f600074a6ed7c176a5d3dc xsa172.patch -d56d7403163fb7eeb2b5c44027c150f9edd1c4df86b38e3834b4b2cb58db94472fe0030c0ec667e41faed00bd6540fab10a4d909c82280d075482d06f8ac4cfb xsa173-4.6.patch -ba3e23ac46be7f7a5ba9b7bdb4821ead8f54a524f3e4a528350c118c588615e697102aa7c077f6580eaad701488e6128c01dcfbc7a991cdfed94e8546420828c x86emul-suppress-writeback-upon-unsuccessful-MMX-SSE-AVX.patch c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch a6455988477a29d856924651db5e14f96d835413b956278d2291cbb8e5877d7bf6f462890f607ecf1c7b4003997295d0ba7852e110fc20df3a3edf1845e778ba 0001-ipxe-dont-clobber-ebp.patch -e9b88234bd67c2d65fcda1a56deeaf60aaa4c8b2afff128028c6a1478c89f828584dab1ac04f8d9d53cf17d26572e5505d0bbfcc4b2a6842cc749c6c018c0e51 gnutls-3.4.0.patch 68ea6d4798f107fc2fd134c970cd7f7b9aeafe3efaf9501bbd5ec35e7e212f1d637c15c21c7a257c0709c2a2d441f6c6192abad39fd23b3ecba69bcefbb3e930 gcc5-cflags.patch 76ffe70833928a9e19dedbf42e87f6267c4d15e7dc8710fba9b7874245a5d5b4c43a27ef97c3b121cbcd5a8470f1216a3f64114cb5b83325cb30fa2040721b66 init-xenstore-domain.patch 76bd60768b296752ca11195bb03a57584686461da45255cb540977111a73c42b5b92362fd46d97bfd20487c96971dd5aed7eae7d8bf1aad7d5199adb875d4962 musl-support.patch diff --git a/main/xen/xsa154-4.6.patch b/main/xen/xsa154-4.6.patch deleted file mode 100644 index f1e598812b..0000000000 --- a/main/xen/xsa154-4.6.patch +++ /dev/null @@ -1,359 +0,0 @@ -x86: enforce consistent cachability of MMIO mappings - -We've been told by Intel that inconsistent cachability between -multiple mappings of the same page can affect system stability only -when the affected page is an MMIO one. Since the stale data issue is -of no relevance to the hypervisor (since all guest memory accesses go -through proper accessors and validation), handling of RAM pages -remains unchanged here. Any MMIO mapped by domains however needs to be -done consistently (all cachable mappings or all uncachable ones), in -order to avoid Machine Check exceptions. Since converting existing -cachable mappings to uncachable (at the time an uncachable mapping -gets established) would in the PV case require tracking all mappings, -allow MMIO to only get mapped uncachable (UC, UC-, or WC). - -This also implies that in the PV case we mustn't use the L1 PTE update -fast path when cachability flags get altered. - -Since in the HVM case at least for now we want to continue honoring -pinned cachability attributes for pages not mapped by the hypervisor, -special case handling of r/o MMIO pages (forcing UC) gets added there. -Arguably the counterpart change to p2m-pt.c may not be necessary, since -UC- (which already gets enforced there) is probably strict enough. - -Note that the shadow code changes include fixing the write protection -of r/o MMIO ranges: shadow_l1e_remove_flags() and its siblings, other -than l1e_remove_flags() and alike, return the new PTE (and hence -ignoring their return values makes them no-ops). - -This is CVE-2016-2270 / XSA-154. - -Signed-off-by: Jan Beulich -Acked-by: Andrew Cooper - ---- a/docs/misc/xen-command-line.markdown -+++ b/docs/misc/xen-command-line.markdown -@@ -1080,6 +1080,15 @@ limit is ignored by Xen. - - Specify if the MMConfig space should be enabled. - -+### mmio-relax -+> `= | all` -+ -+> Default: `false` -+ -+By default, domains may not create cached mappings to MMIO regions. -+This option relaxes the check for Domain 0 (or when using `all`, all PV -+domains), to permit the use of cacheable MMIO mappings. -+ - ### msi - > `= ` - ---- a/xen/arch/x86/hvm/mtrr.c -+++ b/xen/arch/x86/hvm/mtrr.c -@@ -807,8 +807,17 @@ int epte_get_entry_emt(struct domain *d, - if ( v->domain != d ) - v = d->vcpu ? d->vcpu[0] : NULL; - -- if ( !mfn_valid(mfn_x(mfn)) ) -+ if ( !mfn_valid(mfn_x(mfn)) || -+ rangeset_contains_range(mmio_ro_ranges, mfn_x(mfn), -+ mfn_x(mfn) + (1UL << order) - 1) ) -+ { -+ *ipat = 1; - return MTRR_TYPE_UNCACHABLE; -+ } -+ -+ if ( rangeset_overlaps_range(mmio_ro_ranges, mfn_x(mfn), -+ mfn_x(mfn) + (1UL << order) - 1) ) -+ return -1; - - switch ( hvm_get_mem_pinned_cacheattr(d, gfn, order, &type) ) - { ---- a/xen/arch/x86/mm/p2m-pt.c -+++ b/xen/arch/x86/mm/p2m-pt.c -@@ -107,6 +107,8 @@ static unsigned long p2m_type_to_flags(p - case p2m_mmio_direct: - if ( !rangeset_contains_singleton(mmio_ro_ranges, mfn_x(mfn)) ) - flags |= _PAGE_RW; -+ else -+ flags |= _PAGE_PWT; - return flags | P2M_BASE_FLAGS | _PAGE_PCD; - } - } ---- a/xen/arch/x86/mm/shadow/multi.c -+++ b/xen/arch/x86/mm/shadow/multi.c -@@ -519,6 +519,7 @@ _sh_propagate(struct vcpu *v, - gfn_t target_gfn = guest_l1e_get_gfn(guest_entry); - u32 pass_thru_flags; - u32 gflags, sflags; -+ bool_t mmio_mfn; - - /* We don't shadow PAE l3s */ - ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3); -@@ -559,7 +560,10 @@ _sh_propagate(struct vcpu *v, - // mfn means that we can not usefully shadow anything, and so we - // return early. - // -- if ( !mfn_valid(target_mfn) -+ mmio_mfn = !mfn_valid(target_mfn) -+ || (level == 1 -+ && page_get_owner(mfn_to_page(target_mfn)) == dom_io); -+ if ( mmio_mfn - && !(level == 1 && (!shadow_mode_refcounts(d) - || p2mt == p2m_mmio_direct)) ) - { -@@ -577,7 +581,7 @@ _sh_propagate(struct vcpu *v, - _PAGE_RW | _PAGE_PRESENT); - if ( guest_supports_nx(v) ) - pass_thru_flags |= _PAGE_NX_BIT; -- if ( !shadow_mode_refcounts(d) && !mfn_valid(target_mfn) ) -+ if ( level == 1 && !shadow_mode_refcounts(d) && mmio_mfn ) - pass_thru_flags |= _PAGE_PAT | _PAGE_PCD | _PAGE_PWT; - sflags = gflags & pass_thru_flags; - -@@ -676,10 +680,14 @@ _sh_propagate(struct vcpu *v, - } - - /* Read-only memory */ -- if ( p2m_is_readonly(p2mt) || -- (p2mt == p2m_mmio_direct && -- rangeset_contains_singleton(mmio_ro_ranges, mfn_x(target_mfn))) ) -+ if ( p2m_is_readonly(p2mt) ) - sflags &= ~_PAGE_RW; -+ else if ( p2mt == p2m_mmio_direct && -+ rangeset_contains_singleton(mmio_ro_ranges, mfn_x(target_mfn)) ) -+ { -+ sflags &= ~(_PAGE_RW | _PAGE_PAT); -+ sflags |= _PAGE_PCD | _PAGE_PWT; -+ } - - // protect guest page tables - // -@@ -1185,22 +1193,28 @@ static int shadow_set_l1e(struct domain - && !sh_l1e_is_magic(new_sl1e) ) - { - /* About to install a new reference */ -- if ( shadow_mode_refcounts(d) ) { -+ if ( shadow_mode_refcounts(d) ) -+ { -+#define PAGE_FLIPPABLE (_PAGE_RW | _PAGE_PWT | _PAGE_PCD | _PAGE_PAT) -+ int rc; -+ - TRACE_SHADOW_PATH_FLAG(TRCE_SFLAG_SHADOW_L1_GET_REF); -- switch ( shadow_get_page_from_l1e(new_sl1e, d, new_type) ) -+ switch ( rc = shadow_get_page_from_l1e(new_sl1e, d, new_type) ) - { - default: - /* Doesn't look like a pagetable. */ - flags |= SHADOW_SET_ERROR; - new_sl1e = shadow_l1e_empty(); - break; -- case 1: -- shadow_l1e_remove_flags(new_sl1e, _PAGE_RW); -+ case PAGE_FLIPPABLE & -PAGE_FLIPPABLE ... PAGE_FLIPPABLE: -+ ASSERT(!(rc & ~PAGE_FLIPPABLE)); -+ new_sl1e = shadow_l1e_flip_flags(new_sl1e, rc); - /* fall through */ - case 0: - shadow_vram_get_l1e(new_sl1e, sl1e, sl1mfn, d); - break; - } -+#undef PAGE_FLIPPABLE - } - } - ---- a/xen/arch/x86/mm/shadow/types.h -+++ b/xen/arch/x86/mm/shadow/types.h -@@ -99,6 +99,9 @@ static inline u32 shadow_l4e_get_flags(s - static inline shadow_l1e_t - shadow_l1e_remove_flags(shadow_l1e_t sl1e, u32 flags) - { l1e_remove_flags(sl1e, flags); return sl1e; } -+static inline shadow_l1e_t -+shadow_l1e_flip_flags(shadow_l1e_t sl1e, u32 flags) -+{ l1e_flip_flags(sl1e, flags); return sl1e; } - - static inline shadow_l1e_t shadow_l1e_empty(void) - { return l1e_empty(); } ---- a/xen/arch/x86/mm.c -+++ b/xen/arch/x86/mm.c -@@ -178,6 +178,18 @@ static uint32_t base_disallow_mask; - is_pv_domain(d)) ? \ - L1_DISALLOW_MASK : (L1_DISALLOW_MASK & ~PAGE_CACHE_ATTRS)) - -+static s8 __read_mostly opt_mmio_relax; -+static void __init parse_mmio_relax(const char *s) -+{ -+ if ( !*s ) -+ opt_mmio_relax = 1; -+ else -+ opt_mmio_relax = parse_bool(s); -+ if ( opt_mmio_relax < 0 && strcmp(s, "all") ) -+ opt_mmio_relax = 0; -+} -+custom_param("mmio-relax", parse_mmio_relax); -+ - static void __init init_frametable_chunk(void *start, void *end) - { - unsigned long s = (unsigned long)start; -@@ -799,10 +811,7 @@ get_page_from_l1e( - if ( !mfn_valid(mfn) || - (real_pg_owner = page_get_owner_and_reference(page)) == dom_io ) - { --#ifndef NDEBUG -- const unsigned long *ro_map; -- unsigned int seg, bdf; --#endif -+ int flip = 0; - - /* Only needed the reference to confirm dom_io ownership. */ - if ( mfn_valid(mfn) ) -@@ -836,24 +845,55 @@ get_page_from_l1e( - return -EINVAL; - } - -- if ( !(l1f & _PAGE_RW) || -- !rangeset_contains_singleton(mmio_ro_ranges, mfn) ) -- return 0; -+ if ( !rangeset_contains_singleton(mmio_ro_ranges, mfn) ) -+ { -+ /* MMIO pages must not be mapped cachable unless requested so. */ -+ switch ( opt_mmio_relax ) -+ { -+ case 0: -+ break; -+ case 1: -+ if ( is_hardware_domain(l1e_owner) ) -+ case -1: -+ return 0; -+ default: -+ ASSERT_UNREACHABLE(); -+ } -+ } -+ else if ( l1f & _PAGE_RW ) -+ { - #ifndef NDEBUG -- if ( !pci_mmcfg_decode(mfn, &seg, &bdf) || -- ((ro_map = pci_get_ro_map(seg)) != NULL && -- test_bit(bdf, ro_map)) ) -- printk(XENLOG_G_WARNING -- "d%d: Forcing read-only access to MFN %lx\n", -- l1e_owner->domain_id, mfn); -- else -- rangeset_report_ranges(mmio_ro_ranges, 0, ~0UL, -- print_mmio_emul_range, -- &(struct mmio_emul_range_ctxt){ -- .d = l1e_owner, -- .mfn = mfn }); -+ const unsigned long *ro_map; -+ unsigned int seg, bdf; -+ -+ if ( !pci_mmcfg_decode(mfn, &seg, &bdf) || -+ ((ro_map = pci_get_ro_map(seg)) != NULL && -+ test_bit(bdf, ro_map)) ) -+ printk(XENLOG_G_WARNING -+ "d%d: Forcing read-only access to MFN %lx\n", -+ l1e_owner->domain_id, mfn); -+ else -+ rangeset_report_ranges(mmio_ro_ranges, 0, ~0UL, -+ print_mmio_emul_range, -+ &(struct mmio_emul_range_ctxt){ -+ .d = l1e_owner, -+ .mfn = mfn }); - #endif -- return 1; -+ flip = _PAGE_RW; -+ } -+ -+ switch ( l1f & PAGE_CACHE_ATTRS ) -+ { -+ case 0: /* WB */ -+ flip |= _PAGE_PWT | _PAGE_PCD; -+ break; -+ case _PAGE_PWT: /* WT */ -+ case _PAGE_PWT | _PAGE_PAT: /* WP */ -+ flip |= _PAGE_PCD | (l1f & _PAGE_PAT); -+ break; -+ } -+ -+ return flip; - } - - if ( unlikely( (real_pg_owner != pg_owner) && -@@ -1243,8 +1283,9 @@ static int alloc_l1_table(struct page_in - goto fail; - case 0: - break; -- case 1: -- l1e_remove_flags(pl1e[i], _PAGE_RW); -+ case _PAGE_RW ... _PAGE_RW | PAGE_CACHE_ATTRS: -+ ASSERT(!(ret & ~(_PAGE_RW | PAGE_CACHE_ATTRS))); -+ l1e_flip_flags(pl1e[i], ret); - break; - } - -@@ -1759,8 +1800,9 @@ static int mod_l1_entry(l1_pgentry_t *pl - return -EINVAL; - } - -- /* Fast path for identical mapping, r/w and presence. */ -- if ( !l1e_has_changed(ol1e, nl1e, _PAGE_RW | _PAGE_PRESENT) ) -+ /* Fast path for identical mapping, r/w, presence, and cachability. */ -+ if ( !l1e_has_changed(ol1e, nl1e, -+ PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) ) - { - adjust_guest_l1e(nl1e, pt_dom); - if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu, -@@ -1783,8 +1825,9 @@ static int mod_l1_entry(l1_pgentry_t *pl - return rc; - case 0: - break; -- case 1: -- l1e_remove_flags(nl1e, _PAGE_RW); -+ case _PAGE_RW ... _PAGE_RW | PAGE_CACHE_ATTRS: -+ ASSERT(!(rc & ~(_PAGE_RW | PAGE_CACHE_ATTRS))); -+ l1e_flip_flags(nl1e, rc); - rc = 0; - break; - } -@@ -5000,6 +5043,7 @@ static int ptwr_emulated_update( - l1_pgentry_t pte, ol1e, nl1e, *pl1e; - struct vcpu *v = current; - struct domain *d = v->domain; -+ int ret; - - /* Only allow naturally-aligned stores within the original %cr2 page. */ - if ( unlikely(((addr^ptwr_ctxt->cr2) & PAGE_MASK) || (addr & (bytes-1))) ) -@@ -5047,7 +5091,7 @@ static int ptwr_emulated_update( - - /* Check the new PTE. */ - nl1e = l1e_from_intpte(val); -- switch ( get_page_from_l1e(nl1e, d, d) ) -+ switch ( ret = get_page_from_l1e(nl1e, d, d) ) - { - default: - if ( is_pv_32bit_domain(d) && (bytes == 4) && (unaligned_addr & 4) && -@@ -5071,8 +5115,9 @@ static int ptwr_emulated_update( - break; - case 0: - break; -- case 1: -- l1e_remove_flags(nl1e, _PAGE_RW); -+ case _PAGE_RW ... _PAGE_RW | PAGE_CACHE_ATTRS: -+ ASSERT(!(ret & ~(_PAGE_RW | PAGE_CACHE_ATTRS))); -+ l1e_flip_flags(nl1e, ret); - break; - } - ---- a/xen/include/asm-x86/page.h -+++ b/xen/include/asm-x86/page.h -@@ -157,6 +157,9 @@ static inline l4_pgentry_t l4e_from_padd - #define l3e_remove_flags(x, flags) ((x).l3 &= ~put_pte_flags(flags)) - #define l4e_remove_flags(x, flags) ((x).l4 &= ~put_pte_flags(flags)) - -+/* Flip flags in an existing L1 PTE. */ -+#define l1e_flip_flags(x, flags) ((x).l1 ^= put_pte_flags(flags)) -+ - /* Check if a pte's page mapping or significant access flags have changed. */ - #define l1e_has_changed(x,y,flags) \ - ( !!(((x).l1 ^ (y).l1) & ((PADDR_MASK&PAGE_MASK)|put_pte_flags(flags))) ) diff --git a/main/xen/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch b/main/xen/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch deleted file mode 100644 index 7935e58c40..0000000000 --- a/main/xen/xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 12b11658a9d6a654a1e7acbf2f2d56ce9a396c86 Mon Sep 17 00:00:00 2001 -From: David Vrabel -Date: Fri, 20 Nov 2015 11:59:05 -0500 -Subject: [PATCH 1/3] xen: Add RING_COPY_REQUEST() - -Using RING_GET_REQUEST() on a shared ring is easy to use incorrectly -(i.e., by not considering that the other end may alter the data in the -shared ring while it is being inspected). Safe usage of a request -generally requires taking a local copy. - -Provide a RING_COPY_REQUEST() macro to use instead of -RING_GET_REQUEST() and an open-coded memcpy(). This takes care of -ensuring that the copy is done correctly regardless of any possible -compiler optimizations. - -Use a volatile source to prevent the compiler from reordering or -omitting the copy. - -This is part of XSA155. - -Signed-off-by: David Vrabel -Signed-off-by: Konrad Rzeszutek Wilk ---- -v2: Add comment about GCC bug. ---- - xen/include/public/io/ring.h | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/xen/include/public/io/ring.h b/xen/include/public/io/ring.h -index ba9401b..801c0da 100644 ---- a/xen/include/public/io/ring.h -+++ b/xen/include/public/io/ring.h -@@ -212,6 +212,20 @@ typedef struct __name##_back_ring __name##_back_ring_t - #define RING_GET_REQUEST(_r, _idx) \ - (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req)) - -+/* -+ * Get a local copy of a request. -+ * -+ * Use this in preference to RING_GET_REQUEST() so all processing is -+ * done on a local copy that cannot be modified by the other end. -+ * -+ * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this -+ * to be ineffective where _req is a struct which consists of only bitfields. -+ */ -+#define RING_COPY_REQUEST(_r, _idx, _req) do { \ -+ /* Use volatile to force the copy into _req. */ \ -+ *(_req) = *(volatile typeof(_req))RING_GET_REQUEST(_r, _idx); \ -+} while (0) -+ - #define RING_GET_RESPONSE(_r, _idx) \ - (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp)) - --- -2.1.0 - diff --git a/main/xen/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch b/main/xen/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch deleted file mode 100644 index 2d80a7bd43..0000000000 --- a/main/xen/xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 851ffb4eea917e2708c912291dea4d133026c0ac Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk -Date: Fri, 20 Nov 2015 12:16:02 -0500 -Subject: [PATCH 2/3] blktap2: Use RING_COPY_REQUEST - -Instead of RING_GET_REQUEST. Using a local copy of the -ring (and also with proper memory barriers) will mean -we can do not have to worry about the compiler optimizing -the code and doing a double-fetch in the shared memory space. - -This is part of XSA155. - -Signed-off-by: Konrad Rzeszutek Wilk - ---- -v2: Fix compile issues with tapdisk-vbd ---- - tools/blktap2/drivers/block-log.c | 3 ++- - tools/blktap2/drivers/tapdisk-vbd.c | 8 ++++---- - 2 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/tools/blktap2/drivers/block-log.c b/tools/blktap2/drivers/block-log.c -index 5330cdc..5f3bd35 100644 ---- a/tools/blktap2/drivers/block-log.c -+++ b/tools/blktap2/drivers/block-log.c -@@ -494,11 +494,12 @@ static int ctl_kick(struct tdlog_state* s, int fd) - reqstart = s->bring.req_cons; - reqend = s->sring->req_prod; - -+ xen_mb(); - BDPRINTF("ctl: ring kicked (start = %u, end = %u)", reqstart, reqend); - - while (reqstart != reqend) { - /* XXX actually submit these! */ -- memcpy(&req, RING_GET_REQUEST(&s->bring, reqstart), sizeof(req)); -+ RING_COPY_REQUEST(&s->bring, reqstart, &req); - BDPRINTF("ctl: read request %"PRIu64":%u", req.sector, req.count); - s->bring.req_cons = ++reqstart; - -diff --git a/tools/blktap2/drivers/tapdisk-vbd.c b/tools/blktap2/drivers/tapdisk-vbd.c -index 6d1d94a..89ef9ed 100644 ---- a/tools/blktap2/drivers/tapdisk-vbd.c -+++ b/tools/blktap2/drivers/tapdisk-vbd.c -@@ -1555,7 +1555,7 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd) - int idx; - RING_IDX rp, rc; - td_ring_t *ring; -- blkif_request_t *req; -+ blkif_request_t req; - td_vbd_request_t *vreq; - - ring = &vbd->ring; -@@ -1566,16 +1566,16 @@ tapdisk_vbd_pull_ring_requests(td_vbd_t *vbd) - xen_rmb(); - - for (rc = ring->fe_ring.req_cons; rc != rp; rc++) { -- req = RING_GET_REQUEST(&ring->fe_ring, rc); -+ RING_COPY_REQUEST(&ring->fe_ring, rc, &req); - ++ring->fe_ring.req_cons; - -- idx = req->id; -+ idx = req.id; - vreq = &vbd->request_list[idx]; - - ASSERT(list_empty(&vreq->next)); - ASSERT(vreq->secs_pending == 0); - -- memcpy(&vreq->req, req, sizeof(blkif_request_t)); -+ memcpy(&vreq->req, &req, sizeof(blkif_request_t)); - vbd->received++; - vreq->vbd = vbd; - --- -2.1.4 - diff --git a/main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch b/main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch deleted file mode 100644 index 56a6e538f4..0000000000 --- a/main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch +++ /dev/null @@ -1,41 +0,0 @@ -From c1fce65e2b720684ea6ba76ae59921542bd154bb Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk -Date: Fri, 20 Nov 2015 12:22:14 -0500 -Subject: [PATCH 3/3] libvchan: Read prod/cons only once. - -We must ensure that the prod/cons are only read once and that -the compiler won't try to optimize the reads. That is split -the read of these in multiple instructions influencing later -branch code. As such insert barriers when fetching the cons -and prod index. - -This is part of XSA155. - -Signed-off-by: Konrad Rzeszutek Wilk ---- - tools/libvchan/io.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/tools/libvchan/io.c b/tools/libvchan/io.c -index 8a9629b..381cc05 100644 ---- a/tools/libvchan/io.c -+++ b/tools/libvchan/io.c -@@ -117,6 +117,7 @@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit) - static inline int raw_get_data_ready(struct libxenvchan *ctrl) - { - uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl); -+ xen_mb(); /* Ensure 'ready' is read only once. */ - if (ready > rd_ring_size(ctrl)) - /* We have no way to return errors. Locking up the ring is - * better than the alternatives. */ -@@ -158,6 +159,7 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl) - static inline int raw_get_buffer_space(struct libxenvchan *ctrl) - { - uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl)); -+ xen_mb(); /* Ensure 'ready' is read only once. */ - if (ready > wr_ring_size(ctrl)) - /* We have no way to return errors. Locking up the ring is - * better than the alternatives. */ --- -2.1.0 - diff --git a/main/xen/xsa170.patch b/main/xen/xsa170.patch deleted file mode 100644 index f71fa19130..0000000000 --- a/main/xen/xsa170.patch +++ /dev/null @@ -1,79 +0,0 @@ -x86/VMX: sanitize rIP before re-entering guest - -... to prevent guest user mode arranging for a guest crash (due to -failed VM entry). (On the AMD system I checked, hardware is doing -exactly the canonicalization being added here.) - -Note that fixing this in an architecturally correct way would be quite -a bit more involved: Making the x86 instruction emulator check all -branch targets for validity, plus dealing with invalid rIP resulting -from update_guest_eip() or incoming directly during a VM exit. The only -way to get the latter right would be by not having hardware do the -injection. - -Note further that there are a two early returns from -vmx_vmexit_handler(): One (through vmx_failed_vmentry()) leads to -domain_crash() anyway, and the other covers real mode only and can -neither occur with a non-canonical rIP nor result in an altered rIP, -so we don't need to force those paths through the checking logic. - -This is XSA-170. - -Reported-by: 刘令 -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -Tested-by: Andrew Cooper - ---- a/xen/arch/x86/hvm/vmx/vmx.c -+++ b/xen/arch/x86/hvm/vmx/vmx.c -@@ -2968,7 +2968,7 @@ static int vmx_handle_apic_write(void) - void vmx_vmexit_handler(struct cpu_user_regs *regs) - { - unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0; -- unsigned int vector = 0; -+ unsigned int vector = 0, mode; - struct vcpu *v = current; - - __vmread(GUEST_RIP, ®s->rip); -@@ -3566,6 +3566,41 @@ void vmx_vmexit_handler(struct cpu_user_ - out: - if ( nestedhvm_vcpu_in_guestmode(v) ) - nvmx_idtv_handling(); -+ -+ /* -+ * VM entry will fail (causing the guest to get crashed) if rIP (and -+ * rFLAGS, but we don't have an issue there) doesn't meet certain -+ * criteria. As we must not allow less than fully privileged mode to have -+ * such an effect on the domain, we correct rIP in that case (accepting -+ * this not being architecturally correct behavior, as the injected #GP -+ * fault will then not see the correct [invalid] return address). -+ * And since we know the guest will crash, we crash it right away if it -+ * already is in most privileged mode. -+ */ -+ mode = vmx_guest_x86_mode(v); -+ if ( mode == 8 ? !is_canonical_address(regs->rip) -+ : regs->rip != regs->_eip ) -+ { -+ struct segment_register ss; -+ -+ gprintk(XENLOG_WARNING, "Bad rIP %lx for mode %u\n", regs->rip, mode); -+ -+ vmx_get_segment_register(v, x86_seg_ss, &ss); -+ if ( ss.attr.fields.dpl ) -+ { -+ __vmread(VM_ENTRY_INTR_INFO, &intr_info); -+ if ( !(intr_info & INTR_INFO_VALID_MASK) ) -+ hvm_inject_hw_exception(TRAP_gp_fault, 0); -+ /* Need to fix rIP nevertheless. */ -+ if ( mode == 8 ) -+ regs->rip = (long)(regs->rip << (64 - VADDR_BITS)) >> -+ (64 - VADDR_BITS); -+ else -+ regs->rip = regs->_eip; -+ } -+ else -+ domain_crash(v->domain); -+ } - } - - void vmx_vmenter_helper(const struct cpu_user_regs *regs) diff --git a/main/xen/xsa172.patch b/main/xen/xsa172.patch deleted file mode 100644 index 8b1d01fa84..0000000000 --- a/main/xen/xsa172.patch +++ /dev/null @@ -1,39 +0,0 @@ -x86: fix information leak on AMD CPUs - -The fix for XSA-52 was wrong, and so was the change synchronizing that -new behavior to the FXRSTOR logic: AMD's manuals explictly state that -writes to the ES bit are ignored, and it instead gets calculated from -the exception and mask bits (it gets set whenever there is an unmasked -exception, and cleared otherwise). Hence we need to follow that model -in our workaround. - -This is XSA-172. - -The first hunk (xen/arch/x86/i387.c:fpu_fxrstor) is CVE-2016-3159. -The second hunk (xen/arch/x86/xstate.c:xrstor) is CVE-2016-3158. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - ---- a/xen/arch/x86/i387.c -+++ b/xen/arch/x86/i387.c -@@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vc - * sometimes new user value. Both should be ok. Use the FPU saved - * data block as a safe address because it should be in L1. - */ -- if ( !(fpu_ctxt->fsw & 0x0080) && -+ if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) && - boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) - { - asm volatile ( "fnclex\n\t" ---- a/xen/arch/x86/xstate.c -+++ b/xen/arch/x86/xstate.c -@@ -344,7 +344,7 @@ void xrstor(struct vcpu *v, uint64_t mas - * data block as a safe address because it should be in L1. - */ - if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) && -- !(ptr->fpu_sse.fsw & 0x0080) && -+ !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) && - boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) - asm volatile ( "fnclex\n\t" /* clear exceptions */ - "ffree %%st(7)\n\t" /* clear stack tag */ diff --git a/main/xen/xsa173-4.6.patch b/main/xen/xsa173-4.6.patch deleted file mode 100644 index aecf120c74..0000000000 --- a/main/xen/xsa173-4.6.patch +++ /dev/null @@ -1,244 +0,0 @@ -commit 54a4651cb4e744960fb375ed99909d7dfb943caf -Author: Tim Deegan -Date: Wed Mar 16 16:51:27 2016 +0000 - - x86: limit GFNs to 32 bits for shadowed superpages. - - Superpage shadows store the shadowed GFN in the backpointer field, - which for non-BIGMEM builds is 32 bits wide. Shadowing a superpage - mapping of a guest-physical address above 2^44 would lead to the GFN - being truncated there, and a crash when we come to remove the shadow - from the hash table. - - Track the valid width of a GFN for each guest, including reporting it - through CPUID, and enforce it in the shadow pagetables. Set the - maximum witth to 32 for guests where this truncation could occur. - - This is XSA-173. - - Signed-off-by: Tim Deegan - Signed-off-by: Jan Beulich - -Reported-by: Ling Liu -diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c -index 35ef21b..528c283 100644 ---- a/xen/arch/x86/cpu/common.c -+++ b/xen/arch/x86/cpu/common.c -@@ -38,6 +38,7 @@ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx); - const struct cpu_dev *__read_mostly cpu_devs[X86_VENDOR_NUM] = {}; - - unsigned int paddr_bits __read_mostly = 36; -+unsigned int hap_paddr_bits __read_mostly = 36; - - /* - * Default host IA32_CR_PAT value to cover all memory types. -@@ -211,7 +212,7 @@ static void __init early_cpu_detect(void) - - static void __cpuinit generic_identify(struct cpuinfo_x86 *c) - { -- u32 tfms, capability, excap, ebx; -+ u32 tfms, capability, excap, ebx, eax; - - /* Get vendor name */ - cpuid(0x00000000, &c->cpuid_level, -@@ -248,8 +249,11 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c) - } - if ( c->extended_cpuid_level >= 0x80000004 ) - get_model_name(c); /* Default name */ -- if ( c->extended_cpuid_level >= 0x80000008 ) -- paddr_bits = cpuid_eax(0x80000008) & 0xff; -+ if ( c->extended_cpuid_level >= 0x80000008 ) { -+ eax = cpuid_eax(0x80000008); -+ paddr_bits = eax & 0xff; -+ hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits; -+ } - } - - /* Might lift BIOS max_leaf=3 limit. */ -diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c -index e200aab..0b4d9f0 100644 ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c -@@ -4567,8 +4567,7 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx, - break; - - case 0x80000008: -- count = cpuid_eax(0x80000008); -- count = (count >> 16) & 0xff ?: count & 0xff; -+ count = d->arch.paging.gfn_bits + PAGE_SHIFT; - if ( (*eax & 0xff) > count ) - *eax = (*eax & ~0xff) | count; - -diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c -index 773454d..06543d3 100644 ---- a/xen/arch/x86/mm/guest_walk.c -+++ b/xen/arch/x86/mm/guest_walk.c -@@ -93,6 +93,12 @@ void *map_domain_gfn(struct p2m_domain *p2m, gfn_t gfn, mfn_t *mfn, - struct page_info *page; - void *map; - -+ if ( gfn_x(gfn) >> p2m->domain->arch.paging.gfn_bits ) -+ { -+ *rc = _PAGE_INVALID_BIT; -+ return NULL; -+ } -+ - /* Translate the gfn, unsharing if shared */ - page = get_page_from_gfn_p2m(p2m->domain, p2m, gfn_x(gfn), p2mt, NULL, - q); -@@ -326,20 +332,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m, - flags &= ~_PAGE_PAT; - - if ( gfn_x(start) & GUEST_L2_GFN_MASK & ~0x1 ) -- { --#if GUEST_PAGING_LEVELS == 2 -- /* -- * Note that _PAGE_INVALID_BITS is zero in this case, yielding a -- * no-op here. -- * -- * Architecturally, the walk should fail if bit 21 is set (others -- * aren't being checked at least in PSE36 mode), but we'll ignore -- * this here in order to avoid specifying a non-natural, non-zero -- * _PAGE_INVALID_BITS value just for that case. -- */ --#endif - rc |= _PAGE_INVALID_BITS; -- } -+ - /* Increment the pfn by the right number of 4k pages. - * Mask out PAT and invalid bits. */ - start = _gfn((gfn_x(start) & ~GUEST_L2_GFN_MASK) + -@@ -422,5 +416,11 @@ set_ad: - put_page(mfn_to_page(mfn_x(gw->l1mfn))); - } - -+ /* If this guest has a restricted physical address space then the -+ * target GFN must fit within it. */ -+ if ( !(rc & _PAGE_PRESENT) -+ && gfn_x(guest_l1e_get_gfn(gw->l1e)) >> d->arch.paging.gfn_bits ) -+ rc |= _PAGE_INVALID_BITS; -+ - return rc; - } -diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c -index 6eb2167..f3475c6 100644 ---- a/xen/arch/x86/mm/hap/hap.c -+++ b/xen/arch/x86/mm/hap/hap.c -@@ -448,6 +448,8 @@ void hap_domain_init(struct domain *d) - { - INIT_PAGE_LIST_HEAD(&d->arch.paging.hap.freelist); - -+ d->arch.paging.gfn_bits = hap_paddr_bits - PAGE_SHIFT; -+ - /* Use HAP logdirty mechanism. */ - paging_log_dirty_init(d, hap_enable_log_dirty, - hap_disable_log_dirty, -diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c -index bad8360..98d0d2c 100644 ---- a/xen/arch/x86/mm/shadow/common.c -+++ b/xen/arch/x86/mm/shadow/common.c -@@ -51,6 +51,16 @@ int shadow_domain_init(struct domain *d, unsigned int domcr_flags) - INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.freelist); - INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.pinned_shadows); - -+ d->arch.paging.gfn_bits = paddr_bits - PAGE_SHIFT; -+#ifndef CONFIG_BIGMEM -+ /* -+ * Shadowed superpages store GFNs in 32-bit page_info fields. -+ * Note that we cannot use guest_supports_superpages() here. -+ */ -+ if ( !is_pv_domain(d) || opt_allow_superpage ) -+ d->arch.paging.gfn_bits = 32; -+#endif -+ - /* Use shadow pagetables for log-dirty support */ - paging_log_dirty_init(d, sh_enable_log_dirty, - sh_disable_log_dirty, sh_clean_dirty_bitmap); -diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c -index 43c9488..71477fe 100644 ---- a/xen/arch/x86/mm/shadow/multi.c -+++ b/xen/arch/x86/mm/shadow/multi.c -@@ -525,7 +525,8 @@ _sh_propagate(struct vcpu *v, - ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3); - - /* Check there's something for the shadows to map to */ -- if ( !p2m_is_valid(p2mt) && !p2m_is_grant(p2mt) ) -+ if ( (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt)) -+ || gfn_x(target_gfn) >> d->arch.paging.gfn_bits ) - { - *sp = shadow_l1e_empty(); - goto done; -diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h -index c6c6e71..74c3a52 100644 ---- a/xen/include/asm-x86/domain.h -+++ b/xen/include/asm-x86/domain.h -@@ -193,6 +193,9 @@ struct paging_domain { - /* log dirty support */ - struct log_dirty_domain log_dirty; - -+ /* Number of valid bits in a gfn. */ -+ unsigned int gfn_bits; -+ - /* preemption handling */ - struct { - const struct domain *dom; -diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h -index f8a0d76..b5db401 100644 ---- a/xen/include/asm-x86/guest_pt.h -+++ b/xen/include/asm-x86/guest_pt.h -@@ -210,15 +210,17 @@ guest_supports_nx(struct vcpu *v) - } - - --/* Some bits are invalid in any pagetable entry. */ --#if GUEST_PAGING_LEVELS == 2 --#define _PAGE_INVALID_BITS (0) --#elif GUEST_PAGING_LEVELS == 3 --#define _PAGE_INVALID_BITS \ -- get_pte_flags(((1ull<<63) - 1) & ~((1ull<