[packages/xen] - obsolete, fixed upstream
hawk
hawk at pld-linux.org
Mon Oct 13 10:21:36 CEST 2014
commit 160885b80a9dcecb1758c852850cc35c909bac71
Author: Marcin Krol <hawk at tld-linux.org>
Date: Mon Oct 13 08:19:23 2014 +0000
- obsolete, fixed upstream
CVE-2014-2599.patch | 108 ----------------------------------
xen-pvh_fixes.patch | 165 ----------------------------------------------------
xsa92.patch | 36 ------------
xsa96.patch | 38 ------------
4 files changed, 347 deletions(-)
---
diff --git a/CVE-2014-2599.patch b/CVE-2014-2599.patch
deleted file mode 100644
index fc407c8..0000000
--- a/CVE-2014-2599.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-commit babcef372ae2ca9c4f4212398803015eb250f764
-Author: Jan Beulich <jbeulich at suse.com>
-Date: Tue Mar 25 17:20:47 2014 +0100
-
- x86: enforce preemption in HVM_set_mem_access / p2m_set_mem_access()
-
- Processing up to 4G PFNs may take almost arbitrarily long, so
- preemption is needed here.
-
- This is CVE-2014-2599 / XSA-89.
-
- Signed-off-by: Jan Beulich <jbeulich at suse.com>
- Reviewed-by: Tim Deegan <tim at xen.org>
- master commit: 0fe53c4f279e1a8ef913e71ed000236d21ce96de
- master date: 2014-03-25 15:23:57 +0100
-
-diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
-index 69f7e74..6150899 100644
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -4465,6 +4465,15 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void) arg)
- goto param_fail5;
-
- rc = p2m_set_mem_access(d, a.first_pfn, a.nr, a.hvmmem_access);
-+ if ( rc > 0 )
-+ {
-+ a.first_pfn += a.nr - rc;
-+ a.nr = rc;
-+ if ( __copy_to_guest(arg, &a, 1) )
-+ rc = -EFAULT;
-+ else
-+ rc = -EAGAIN;
-+ }
-
- param_fail5:
- rcu_unlock_domain(d);
-diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
-index 8f380ed..e0e5840 100644
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-@@ -1366,15 +1366,14 @@ void p2m_mem_access_resume(struct domain *d)
-
- /* Set access type for a region of pfns.
- * If start_pfn == -1ul, sets the default access type */
--int p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
-- uint32_t nr, hvmmem_access_t access)
-+long p2m_set_mem_access(struct domain *d, unsigned long pfn, uint32_t nr,
-+ hvmmem_access_t access)
- {
- struct p2m_domain *p2m = p2m_get_hostp2m(d);
-- unsigned long pfn;
- p2m_access_t a, _a;
- p2m_type_t t;
- mfn_t mfn;
-- int rc = 0;
-+ long rc;
-
- /* N.B. _not_ static: initializer depends on p2m->default_access */
- p2m_access_t memaccess[] = {
-@@ -1397,14 +1396,17 @@ int p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
- a = memaccess[access];
-
- /* If request to set default access */
-- if ( start_pfn == ~0ull )
-+ if ( pfn == ~0ul )
- {
- p2m->default_access = a;
- return 0;
- }
-
-+ if ( !nr )
-+ return 0;
-+
- p2m_lock(p2m);
-- for ( pfn = start_pfn; pfn < start_pfn + nr; pfn++ )
-+ for ( ; ; ++pfn )
- {
- mfn = p2m->get_entry(p2m, pfn, &t, &_a, 0, NULL);
- if ( p2m->set_entry(p2m, pfn, mfn, PAGE_ORDER_4K, t, a) == 0 )
-@@ -1412,6 +1414,13 @@ int p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
- rc = -ENOMEM;
- break;
- }
-+
-+ /* Check for continuation if it's not the last interation. */
-+ if ( !--nr || hypercall_preempt_check() )
-+ {
-+ rc = nr;
-+ break;
-+ }
- }
- p2m_unlock(p2m);
- return rc;
-diff --git a/xen/include/asm-x86/p2m.h b/xen/include/asm-x86/p2m.h
-index f4e7253..a2cb1b7 100644
---- a/xen/include/asm-x86/p2m.h
-+++ b/xen/include/asm-x86/p2m.h
-@@ -576,8 +576,8 @@ void p2m_mem_access_resume(struct domain *d);
-
- /* Set access type for a region of pfns.
- * If start_pfn == -1ul, sets the default access type */
--int p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
-- uint32_t nr, hvmmem_access_t access);
-+long p2m_set_mem_access(struct domain *d, unsigned long start_pfn,
-+ uint32_t nr, hvmmem_access_t access);
-
- /* Get access type for a pfn
- * If pfn == -1ul, gets the default access type */
diff --git a/xen-pvh_fixes.patch b/xen-pvh_fixes.patch
deleted file mode 100644
index 8c03276..0000000
--- a/xen-pvh_fixes.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-commit 3a148e0a7ee0ae56a498be5ba973314ec50cd999
-Author: Mukesh Rathor <mukesh.rathor at oracle.com>
-Date: Fri Apr 4 10:36:29 2014 +0200
-
- x86: call pit_init for pvh also
-
- During halt of a pvh guest, the guest may do speaker shutdown. This
- results in call to handle_speaker_io in xen. It will hang on the vpit
- spin lock because it has not been initialized.
- Since, pit_init is also called for both pv and hvm, the call is
- moved to a more generic place.
-
- Signed-off-by: Mukesh Rathor <mukesh.rathor at oracle.com>
- Reviewed-by: Jan Beulich <jbeulich at suse.com>
- master commit: c30c544b199f70eada597c7352cdcb44648f6dcd
- master date: 2014-03-11 13:56:50 +0100
-
-diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
-index 6618ae6..bc073e5 100644
---- a/xen/arch/x86/domain.c
-+++ b/xen/arch/x86/domain.c
-@@ -422,10 +422,6 @@ int vcpu_initialise(struct vcpu *v)
-
- /* PV guests by default have a 100Hz ticker. */
- v->periodic_period = MILLISECS(10);
--
-- /* PV guests get an emulated PIT too for video BIOSes to use. */
-- if ( v->vcpu_id == 0 )
-- pit_init(v, cpu_khz);
- }
-
- v->arch.schedule_tail = continue_nonidle_domain;
-@@ -579,6 +575,9 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags)
- tsc_set_info(d, TSC_MODE_DEFAULT, 0UL, 0, 0);
- spin_lock_init(&d->arch.vtsc_lock);
-
-+ /* PV/PVH guests get an emulated PIT too for video BIOSes to use. */
-+ pit_init(d, cpu_khz);
-+
- return 0;
-
- fail:
-@@ -1980,6 +1979,8 @@ int domain_relinquish_resources(struct domain *d)
- BUG();
- }
-
-+ pit_deinit(d);
-+
- if ( has_hvm_container_domain(d) )
- hvm_domain_relinquish_resources(d);
-
-diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
-index 6150899..a666471 100644
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -643,7 +643,6 @@ void hvm_domain_relinquish_resources(struct domain *d)
- rtc_deinit(d);
- if ( d->vcpu != NULL && d->vcpu[0] != NULL )
- {
-- pit_deinit(d);
- pmtimer_deinit(d);
- hpet_deinit(d);
- }
-@@ -1217,7 +1216,6 @@ int hvm_vcpu_initialise(struct vcpu *v)
- if ( v->vcpu_id == 0 )
- {
- /* NB. All these really belong in hvm_domain_initialise(). */
-- pit_init(v, cpu_khz);
- pmtimer_init(v);
- hpet_init(v);
-
-diff --git a/xen/arch/x86/hvm/i8254.c b/xen/arch/x86/hvm/i8254.c
-index c0d6bc2..f7493b8 100644
---- a/xen/arch/x86/hvm/i8254.c
-+++ b/xen/arch/x86/hvm/i8254.c
-@@ -447,9 +447,8 @@ void pit_reset(struct domain *d)
- spin_unlock(&pit->lock);
- }
-
--void pit_init(struct vcpu *v, unsigned long cpu_khz)
-+void pit_init(struct domain *d, unsigned long cpu_khz)
- {
-- struct domain *d = v->domain;
- PITState *pit = domain_vpit(d);
-
- spin_lock_init(&pit->lock);
-diff --git a/xen/include/asm-x86/hvm/vpt.h b/xen/include/asm-x86/hvm/vpt.h
-index 87c3a66..9f3ec8d 100644
---- a/xen/include/asm-x86/hvm/vpt.h
-+++ b/xen/include/asm-x86/hvm/vpt.h
-@@ -175,7 +175,7 @@ void destroy_periodic_time(struct periodic_time *pt);
- int pv_pit_handler(int port, int data, int write);
- void pit_reset(struct domain *d);
-
--void pit_init(struct vcpu *v, unsigned long cpu_khz);
-+void pit_init(struct domain *d, unsigned long cpu_khz);
- void pit_stop_channel0_irq(PITState * pit);
- void pit_deinit(struct domain *d);
- void rtc_init(struct domain *d);
-
-commit b44b5d2fe0ae1546a14d0800e094535aa3359334
-Author: Mukesh Rathor <mukesh.rathor at oracle.com>
-Date: Fri Apr 4 10:37:57 2014 +0200
-
- x86: fix pirq path for pvh
-
- Just like hvm, pirq eoi shared page is not there for pvh. pvh should
- not touch any pv_domain fields.
-
- Signed-off-by: Mukesh Rathor <mukesh.rathor at oracle.com>
- master commit: bea8ee1a5ff2bbe04fcc6297db45fac178a5abc9
- master date: 2014-03-13 14:24:19 +0100
-
-diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
-index db70077..88444be 100644
---- a/xen/arch/x86/irq.c
-+++ b/xen/arch/x86/irq.c
-@@ -1068,13 +1068,13 @@ bool_t cpu_has_pending_apic_eoi(void)
-
- static inline void set_pirq_eoi(struct domain *d, unsigned int irq)
- {
-- if ( !is_hvm_domain(d) && d->arch.pv_domain.pirq_eoi_map )
-+ if ( is_pv_domain(d) && d->arch.pv_domain.pirq_eoi_map )
- set_bit(irq, d->arch.pv_domain.pirq_eoi_map);
- }
-
- static inline void clear_pirq_eoi(struct domain *d, unsigned int irq)
- {
-- if ( !is_hvm_domain(d) && d->arch.pv_domain.pirq_eoi_map )
-+ if ( is_pv_domain(d) && d->arch.pv_domain.pirq_eoi_map )
- clear_bit(irq, d->arch.pv_domain.pirq_eoi_map);
- }
-
-
-commit 1e83fa5ee8064cc81e25f2a04cd47aeb5104413c
-Author: Mukesh Rathor <mukesh.rathor at oracle.com>
-Date: Fri Apr 4 10:38:52 2014 +0200
-
- x86/pvh: disallow PHYSDEVOP_pirq_eoi_gmfn_v2/v1
-
- A call to do_physdev_op with PHYSDEVOP_pirq_eoi_gmfn_v2/v1 will corrupt
- struct hvm_domain when it writes to domain->arch.pv_domain.pirq_eoi_map.
- Disallow that. Currently, such a path exists for linux dom0 pvh.
-
- Signed-off-by: Mukesh Rathor <mukesh.rathor at oracle.com>
- master commit: a7ca5c402e8cf61c5e8dd6e6797a627863f5a243
- master date: 2014-03-24 09:47:59 +0100
-
-diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
-index a666471..4228cf4 100644
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -3292,6 +3292,12 @@ static long hvm_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
- case PHYSDEVOP_irq_status_query:
- case PHYSDEVOP_get_free_pirq:
- return do_physdev_op(cmd, arg);
-+
-+ /* pvh fixme: coming soon */
-+ case PHYSDEVOP_pirq_eoi_gmfn_v1:
-+ case PHYSDEVOP_pirq_eoi_gmfn_v2:
-+ return -ENOSYS;
-+
- }
- }
-
diff --git a/xsa92.patch b/xsa92.patch
deleted file mode 100644
index 60ef934..0000000
--- a/xsa92.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-x86/HVM: restrict HVMOP_set_mem_type
-
-Permitting arbitrary type changes here has the potential of creating
-present P2M (and hence EPT/NPT/IOMMU) entries pointing to an invalid
-MFN (INVALID_MFN truncated to the respective hardware structure field's
-width). This would become a problem the latest when something real sat
-at the end of the physical address space; I'm suspecting though that
-other things might break with such bogus entries.
-
-Along with that drop a bogus (and otherwise becoming stale) log
-message.
-
-Afaict the similar operation in p2m_set_mem_access() is safe.
-
-This is XSA-92.
-
-Signed-off-by: Jan Beulich <jbeulich at suse.com>
-Reviewed-by: Tim Deegan <tim at xen.org>
-
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-@@ -4541,12 +4541,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
- rc = -EINVAL;
- goto param_fail4;
- }
-- if ( p2m_is_grant(t) )
-+ if ( !p2m_is_ram(t) &&
-+ (!p2m_is_hole(t) || a.hvmmem_type != HVMMEM_mmio_dm) )
- {
- put_gfn(d, pfn);
-- gdprintk(XENLOG_WARNING,
-- "type for pfn %#lx changed to grant while "
-- "we were working?\n", pfn);
- goto param_fail4;
- }
- else
diff --git a/xsa96.patch b/xsa96.patch
deleted file mode 100644
index ef6443f..0000000
--- a/xsa96.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-x86/HVM: eliminate vulnerabilities from hvm_inject_msi()
-
-- pirq_info() returns NULL for a non-allocated pIRQ, and hence we
- mustn't unconditionally de-reference it, and we need to invoke it
- another time after having called map_domain_emuirq_pirq()
-- don't use printk(), namely without XENLOG_GUEST, for error reporting
-
-This is XSA-96.
-
-Signed-off-by: Jan Beulich <jbeulich at suse.com>
-
---- a/xen/arch/x86/hvm/irq.c
-+++ b/xen/arch/x86/hvm/irq.c
-@@ -289,20 +289,18 @@ void hvm_inject_msi(struct domain *d, ui
- struct pirq *info = pirq_info(d, pirq);
-
- /* if it is the first time, allocate the pirq */
-- if (info->arch.hvm.emuirq == IRQ_UNBOUND)
-+ if ( !info || info->arch.hvm.emuirq == IRQ_UNBOUND )
- {
- spin_lock(&d->event_lock);
- map_domain_emuirq_pirq(d, pirq, IRQ_MSI_EMU);
- spin_unlock(&d->event_lock);
-+ info = pirq_info(d, pirq);
-+ if ( !info )
-+ return;
- } else if (info->arch.hvm.emuirq != IRQ_MSI_EMU)
-- {
-- printk("%s: pirq %d does not correspond to an emulated MSI\n", __func__, pirq);
- return;
-- }
- send_guest_pirq(d, info);
- return;
-- } else {
-- printk("%s: error getting pirq from MSI: pirq = %d\n", __func__, pirq);
- }
- }
-
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/xen.git/commitdiff/05e10f1a309ca7873cc85e0ac49f403066d21d81