[Pkg-xen-changes] r1157 - in trunk/xen: . debian debian/patches
Bastian Blank
waldi at alioth.debian.org
Fri May 10 20:00:21 UTC 2013
Author: waldi
Date: Fri May 10 20:00:21 2013
New Revision: 1157
Log:
Merge /branches/wheezy/xen.
Added:
trunk/xen/debian/patches/CVE-2013-1917
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1917
trunk/xen/debian/patches/CVE-2013-1918-1
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-1
trunk/xen/debian/patches/CVE-2013-1918-2
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-2
trunk/xen/debian/patches/CVE-2013-1918-3
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-3
trunk/xen/debian/patches/CVE-2013-1918-4
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-4
trunk/xen/debian/patches/CVE-2013-1918-5
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-5
trunk/xen/debian/patches/CVE-2013-1918-6
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-6
trunk/xen/debian/patches/CVE-2013-1918-7
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-7
trunk/xen/debian/patches/CVE-2013-1919
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1919
trunk/xen/debian/patches/CVE-2013-1920
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1920
trunk/xen/debian/patches/CVE-2013-1952
- copied, changed from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1952
Modified:
trunk/xen/ (props changed)
trunk/xen/debian/changelog
trunk/xen/debian/patches/series
Modified: trunk/xen/debian/changelog
==============================================================================
--- trunk/xen/debian/changelog Sun May 5 18:51:59 2013 (r1156)
+++ trunk/xen/debian/changelog Fri May 10 20:00:21 2013 (r1157)
@@ -32,6 +32,28 @@
-- Bastian Blank <waldi at debian.org> Sun, 13 May 2012 12:21:10 +0000
+xen (4.1.4-4) unstable; urgency=high
+
+ * Make several long runing operations preemptible.
+ CVE-2013-1918
+ * Fix source validation for VT-d interrupt remapping.
+ CVE-2013-1952
+
+ -- Bastian Blank <waldi at debian.org> Thu, 02 May 2013 14:30:29 +0200
+
+xen (4.1.4-3) unstable; urgency=high
+
+ * Fix return from SYSENTER.
+ CVE-2013-1917
+ * Fix various problems with guest interrupt handling.
+ CVE-2013-1919
+ * Only save pointer after access checks.
+ CVE-2013-1920
+ * Fix domain locking for transitive grants.
+ CVE-2013-1964
+
+ -- Bastian Blank <waldi at debian.org> Fri, 19 Apr 2013 13:01:57 +0200
+
xen (4.1.4-2) unstable; urgency=low
* Use pre-device interrupt remapping mode per default. Fix removing old
Copied and modified: trunk/xen/debian/patches/CVE-2013-1917 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1917)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1917 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1917 Fri May 10 20:00:21 2013 (r1157)
@@ -21,9 +21,9 @@
Origin: upstream, commit:b5d22afa109d
Id: CVE-2013-1917 XSA-44
---
---- a/xen/arch/x86/acpi/suspend.c Thu Apr 18 15:29:45 2013 +0200
-+++ b/xen/arch/x86/acpi/suspend.c Thu Apr 18 16:23:07 2013 +0200
-@@ -81,8 +81,12 @@
+--- a/xen/arch/x86/acpi/suspend.c
++++ b/xen/arch/x86/acpi/suspend.c
+@@ -81,8 +81,12 @@ void restore_rest_processor_state(void)
}
#else /* !defined(CONFIG_X86_64) */
@@ -38,9 +38,9 @@
#endif
/* Maybe load the debug registers. */
---- a/xen/arch/x86/cpu/common.c Thu Apr 18 15:29:45 2013 +0200
-+++ b/xen/arch/x86/cpu/common.c Thu Apr 18 16:23:07 2013 +0200
-@@ -715,8 +715,11 @@
+--- a/xen/arch/x86/cpu/common.c
++++ b/xen/arch/x86/cpu/common.c
+@@ -655,8 +655,11 @@ void __cpuinit cpu_init(void)
#if defined(CONFIG_X86_32)
t->ss0 = __HYPERVISOR_DS;
t->esp0 = get_stack_bottom();
@@ -53,11 +53,10 @@
#elif defined(CONFIG_X86_64)
/* Bottom-of-stack must be 16-byte aligned! */
BUG_ON((get_stack_bottom() & 15) != 0);
-diff -r 8f3d4607baee -r b5d22afa109d xen/arch/x86/x86_64/entry.S
---- a/xen/arch/x86/x86_64/entry.S Thu Apr 18 15:29:45 2013 +0200
-+++ b/xen/arch/x86/x86_64/entry.S Thu Apr 18 16:23:07 2013 +0200
-@@ -288,7 +288,14 @@
- movl $3,UREGS_cs(%rsp) /* ring 3 null cs */
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -284,7 +284,14 @@ sysenter_eflags_saved:
+ cmpb $0,VCPU_sysenter_disables_events(%rbx)
movq VCPU_sysenter_addr(%rbx),%rax
setne %cl
+ testl $X86_EFLAGS_NT,UREGS_eflags(%rsp)
@@ -71,4 +70,3 @@
testq %rax,%rax
leal (,%rcx,TBF_INTERRUPT),%ecx
UNLIKELY_START(z, sysenter_gpf)
-
Copied and modified: trunk/xen/debian/patches/CVE-2013-1918-1 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-1)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1918-1 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1918-1 Fri May 10 20:00:21 2013 (r1157)
@@ -12,16 +12,16 @@
---
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
-@@ -70,8 +70,6 @@ void (*dead_idle) (void) __read_mostly =
+@@ -73,8 +73,6 @@ void (*dead_idle) (void) __read_mostly =
static void paravirt_ctxt_switch_from(struct vcpu *v);
static void paravirt_ctxt_switch_to(struct vcpu *v);
-static void vcpu_destroy_pagetables(struct vcpu *v);
-
- static void continue_idle_domain(struct vcpu *v)
+ static void default_idle(void)
{
- reset_stack_and_jump(idle_loop);
-@@ -909,7 +907,7 @@ void arch_vcpu_reset(struct vcpu *v)
+ local_irq_disable();
+@@ -1058,7 +1056,7 @@ void arch_vcpu_reset(struct vcpu *v)
if ( !is_hvm_vcpu(v) )
{
destroy_gdt(v);
@@ -30,7 +30,7 @@
}
else
{
-@@ -1917,63 +1915,6 @@ static int relinquish_memory(
+@@ -2069,63 +2067,6 @@ static int relinquish_memory(
return ret;
}
@@ -94,20 +94,22 @@
int domain_relinquish_resources(struct domain *d)
{
int ret;
-@@ -1992,7 +1933,9 @@ int domain_relinquish_resources(struct d
+@@ -2143,7 +2084,11 @@ int domain_relinquish_resources(struct d
+
+ /* Drop the in-use references to page-table bases. */
for_each_vcpu ( d, v )
- {
- /* Drop the in-use references to page-table bases. */
- vcpu_destroy_pagetables(v);
++ {
+ ret = vcpu_destroy_pagetables(v, 1);
+ if ( ret )
+ return ret;
++ }
- /*
- * Relinquish GDT mappings. No need for explicit unmapping of the
+ if ( !is_hvm_domain(d) )
+ {
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
-@@ -2725,6 +2725,82 @@ static void put_superpage(unsigned long
+@@ -2808,6 +2808,82 @@ static void put_superpage(unsigned long
#endif
@@ -190,7 +192,7 @@
int new_guest_cr3(unsigned long mfn)
{
-@@ -2911,12 +2987,21 @@ long do_mmuext_op(
+@@ -2994,12 +3070,21 @@ long do_mmuext_op(
unsigned int foreigndom)
{
struct mmuext_op op;
@@ -216,7 +218,7 @@
{
--- a/xen/arch/x86/x86_64/compat/mm.c
+++ b/xen/arch/x86/x86_64/compat/mm.c
-@@ -319,7 +319,7 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
+@@ -365,7 +365,7 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
: mcs->call.args[1];
unsigned int left = arg1 & ~MMU_UPDATE_PREEMPTED;
@@ -227,7 +229,7 @@
guest_handle_subtract_offset(cmp_uops, left);
--- a/xen/include/asm-x86/domain.h
+++ b/xen/include/asm-x86/domain.h
-@@ -405,6 +405,7 @@ struct arch_vcpu
+@@ -464,6 +464,7 @@ struct arch_vcpu
pagetable_t guest_table_user; /* (MFN) x86/64 user-space pagetable */
#endif
pagetable_t guest_table; /* (MFN) guest notion of cr3 */
@@ -237,7 +239,7 @@
pagetable_t shadow_table[4]; /* (MFN) shadow(s) of guest */
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
-@@ -555,6 +555,7 @@ void audit_domains(void);
+@@ -605,6 +605,7 @@ void audit_domains(void);
int new_guest_cr3(unsigned long pfn);
void make_cr3(struct vcpu *v, unsigned long mfn);
void update_cr3(struct vcpu *v);
Copied and modified: trunk/xen/debian/patches/CVE-2013-1918-2 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-2)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1918-2 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1918-2 Fri May 10 20:00:21 2013 (r1157)
@@ -6,7 +6,7 @@
---
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
-@@ -2806,44 +2806,69 @@ int new_guest_cr3(unsigned long mfn)
+@@ -2889,44 +2889,69 @@ int new_guest_cr3(unsigned long mfn)
{
struct vcpu *curr = current;
struct domain *d = curr->domain;
@@ -91,7 +91,7 @@
curr->arch.guest_table = pagetable_from_pfn(mfn);
update_cr3(curr);
-@@ -2852,13 +2877,25 @@ int new_guest_cr3(unsigned long mfn)
+@@ -2935,13 +2960,25 @@ int new_guest_cr3(unsigned long mfn)
if ( likely(old_base_mfn != 0) )
{
@@ -120,21 +120,36 @@
}
static struct domain *get_pg_owner(domid_t domid)
-@@ -3154,7 +3191,8 @@ long do_mmuext_op(
+@@ -3239,8 +3276,13 @@ long do_mmuext_op(
}
case MMUEXT_NEW_BASEPTR:
-- okay = new_guest_cr3(gmfn_to_mfn(d, op.arg1.mfn));
-+ rc = new_guest_cr3(gmfn_to_mfn(d, op.arg1.mfn));
-+ okay = !rc;
+- okay = (!paging_mode_translate(d)
+- && new_guest_cr3(op.arg1.mfn));
++ if ( paging_mode_translate(d) )
++ okay = 0;
++ else
++ {
++ rc = new_guest_cr3(op.arg1.mfn);
++ okay = !rc;
++ }
break;
+
- #ifdef __x86_64__
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
-@@ -2317,8 +2317,15 @@ static int emulate_privileged_op(struct
- rc = new_guest_cr3(gmfn_to_mfn(v->domain, compat_cr3_to_pfn(*reg)));
+@@ -2407,12 +2407,23 @@ static int emulate_privileged_op(struct
#endif
+ }
+ page = get_page_from_gfn(v->domain, gfn, NULL, P2M_ALLOC);
+- rc = page ? new_guest_cr3(page_to_mfn(page)) : 0;
+ if ( page )
++ {
++ rc = new_guest_cr3(page_to_mfn(page));
+ put_page(page);
++ }
++ else
++ rc = -EINVAL;
domain_unlock(v->domain);
- if ( rc == 0 ) /* not okay */
+ switch ( rc )
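Review bot: Two failure paths in the refreshed do_mmuext_op code clear `okay` without assigning `rc`: the `paging_mode_translate(d)` branch of MMUEXT_NEW_BASEPTR in this hunk (`okay = 0;`), and the `paging_mode_refcounts(d)` branch in CVE-2013-1918-3, whose failure block then tests `rc == -EINTR` and `rc != -EAGAIN`. Both rely on rc still being 0 from earlier in the function, which cannot be confirmed here because do_mmuext_op starts and ends outside these hunks. Since this series appears to use -EAGAIN in rc to request a continuation, a stale value on either path could be mistaken for preemption instead of a hard failure. I would either set rc explicitly on both paths or add a comment such as `/* rc is still 0 here; only okay reports the failure */`.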
@@ -147,5 +162,5 @@
goto fail;
+ }
break;
+ }
- case 4: /* Write CR4 */
Copied and modified: trunk/xen/debian/patches/CVE-2013-1918-3 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-3)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1918-3 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1918-3 Fri May 10 20:00:21 2013 (r1157)
@@ -6,43 +6,44 @@
---
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
-@@ -3200,29 +3200,55 @@ long do_mmuext_op(
- unsigned long old_mfn, mfn;
+@@ -3296,29 +3296,56 @@ long do_mmuext_op(
+ break;
+ }
- mfn = gmfn_to_mfn(d, op.arg1.mfn);
+ old_mfn = pagetable_get_pfn(curr->arch.guest_table_user);
+ /*
+ * This is particularly important when getting restarted after the
+ * previous attempt got preempted in the put-old-MFN phase.
+ */
-+ if ( old_mfn == mfn )
++ if ( old_mfn == op.arg1.mfn )
+ break;
+
- if ( mfn != 0 )
+ if ( op.arg1.mfn != 0 )
{
if ( paging_mode_refcounts(d) )
- okay = get_page_from_pagenr(mfn, d);
+ okay = get_page_from_pagenr(op.arg1.mfn, d);
else
- okay = !get_page_and_type_from_pagenr(
-- mfn, PGT_root_page_table, d, 0, 0);
+- op.arg1.mfn, PGT_root_page_table, d, 0, 0);
+ {
+ rc = get_page_and_type_from_pagenr(
-+ mfn, PGT_root_page_table, d, 0, 1);
++ op.arg1.mfn, PGT_root_page_table, d, 0, 1);
+ okay = !rc;
+ }
if ( unlikely(!okay) )
{
-- MEM_LOG("Error while installing new mfn %lx", mfn);
+- MEM_LOG("Error while installing new mfn %lx", op.arg1.mfn);
+ if ( rc == -EINTR )
+ rc = -EAGAIN;
+ else if ( rc != -EAGAIN )
-+ MEM_LOG("Error while installing new mfn %lx", mfn);
++ MEM_LOG("Error while installing new mfn %lx",
++ op.arg1.mfn);
break;
}
}
- old_mfn = pagetable_get_pfn(curr->arch.guest_table_user);
- curr->arch.guest_table_user = pagetable_from_pfn(mfn);
+ curr->arch.guest_table_user = pagetable_from_pfn(op.arg1.mfn);
if ( old_mfn != 0 )
{
Copied and modified: trunk/xen/debian/patches/CVE-2013-1918-4 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-4)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1918-4 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1918-4 Fri May 10 20:00:21 2013 (r1157)
@@ -7,7 +7,7 @@
---
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
-@@ -902,17 +902,16 @@ int arch_set_info_guest(
+@@ -1051,17 +1051,16 @@ int arch_set_info_guest(
#undef c
}
@@ -30,18 +30,18 @@
}
/*
-@@ -1933,7 +1932,7 @@ int domain_relinquish_resources(struct d
+@@ -2085,7 +2084,7 @@ int domain_relinquish_resources(struct d
+ /* Drop the in-use references to page-table bases. */
for_each_vcpu ( d, v )
{
- /* Drop the in-use references to page-table bases. */
- ret = vcpu_destroy_pagetables(v, 1);
+ ret = vcpu_destroy_pagetables(v);
if ( ret )
return ret;
-
+ }
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
-@@ -3083,8 +3083,11 @@ static void hvm_s3_suspend(struct domain
+@@ -3509,8 +3509,11 @@ static void hvm_s3_suspend(struct domain
for_each_vcpu ( d, v )
{
@@ -73,7 +73,7 @@
domain_unlock(target->domain);
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
-@@ -2744,7 +2744,7 @@ static int put_old_guest_table(struct vc
+@@ -2827,7 +2827,7 @@ static int put_old_guest_table(struct vc
return rc;
}
@@ -82,7 +82,7 @@
{
unsigned long mfn = pagetable_get_pfn(v->arch.guest_table);
struct page_info *page;
-@@ -2764,7 +2764,7 @@ int vcpu_destroy_pagetables(struct vcpu
+@@ -2847,7 +2847,7 @@ int vcpu_destroy_pagetables(struct vcpu
if ( paging_mode_refcounts(v->domain) )
put_page(page);
else
@@ -91,7 +91,7 @@
}
#ifdef __x86_64__
-@@ -2790,7 +2790,7 @@ int vcpu_destroy_pagetables(struct vcpu
+@@ -2873,7 +2873,7 @@ int vcpu_destroy_pagetables(struct vcpu
if ( paging_mode_refcounts(v->domain) )
put_page(page);
else
@@ -102,8 +102,8 @@
v->arch.guest_table_user = pagetable_null();
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
-@@ -770,14 +770,18 @@ int boot_vcpu(struct domain *d, int vcpu
- return arch_set_info_guest(v, ctxt);
+@@ -779,14 +779,18 @@ void domain_unpause_by_systemcontroller(
+ domain_unpause(d);
}
-void vcpu_reset(struct vcpu *v)
@@ -123,9 +123,9 @@
set_bit(_VPF_down, &v->pause_flags);
-@@ -793,9 +797,13 @@ void vcpu_reset(struct vcpu *v)
+@@ -802,9 +806,13 @@ void vcpu_reset(struct vcpu *v)
#endif
- cpus_clear(v->cpu_affinity_tmp);
+ cpumask_clear(v->cpu_affinity_tmp);
clear_bit(_VPF_blocked, &v->pause_flags);
+ clear_bit(_VPF_in_reset, &v->pause_flags);
@@ -139,7 +139,7 @@
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
-@@ -286,8 +286,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
+@@ -306,8 +306,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
if ( guest_handle_is_null(op->u.vcpucontext.ctxt) )
{
@@ -154,7 +154,7 @@
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
-@@ -555,7 +555,7 @@ void audit_domains(void);
+@@ -605,7 +605,7 @@ void audit_domains(void);
int new_guest_cr3(unsigned long pfn);
void make_cr3(struct vcpu *v, unsigned long mfn);
void update_cr3(struct vcpu *v);
@@ -165,30 +165,30 @@
--- a/xen/include/xen/domain.h
+++ b/xen/include/xen/domain.h
-@@ -15,7 +15,7 @@ struct vcpu *alloc_vcpu(
- int boot_vcpu(
- struct domain *d, int vcpuid, vcpu_guest_context_u ctxt);
+@@ -13,7 +13,7 @@ typedef union {
+ struct vcpu *alloc_vcpu(
+ struct domain *d, unsigned int vcpu_id, unsigned int cpu_id);
struct vcpu *alloc_dom0_vcpu0(void);
-void vcpu_reset(struct vcpu *v);
+int vcpu_reset(struct vcpu *);
struct xen_domctl_getdomaininfo;
void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info);
-@@ -57,7 +57,7 @@ void arch_dump_vcpu_info(struct vcpu *v)
+@@ -67,7 +67,7 @@ void arch_dump_vcpu_info(struct vcpu *v)
void arch_dump_domain_info(struct domain *d);
-void arch_vcpu_reset(struct vcpu *v);
+int arch_vcpu_reset(struct vcpu *);
+ extern spinlock_t vcpu_alloc_lock;
bool_t domctl_lock_acquire(void);
- void domctl_lock_release(void);
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
-@@ -597,6 +597,9 @@ extern struct domain *domain_list;
- /* VCPU is blocked on memory-event ring. */
- #define _VPF_mem_event 4
- #define VPF_mem_event (1UL<<_VPF_mem_event)
+@@ -644,6 +644,9 @@ static inline struct domain *next_domain
+ /* VCPU is blocked due to missing mem_sharing ring. */
+ #define _VPF_mem_sharing 6
+ #define VPF_mem_sharing (1UL<<_VPF_mem_sharing)
+ /* VCPU is being reset. */
+#define _VPF_in_reset 7
+#define VPF_in_reset (1UL<<_VPF_in_reset)
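Review bot: The prototypes `int vcpu_reset(struct vcpu *);` and `int arch_vcpu_reset(struct vcpu *);` change the return type from void to int, but nothing makes a caller look at the result. Only the hvm_s3_suspend and do_domctl call sites are visibly touched in this patch, so any other caller that still discards the value would, presumably, carry on after an interrupted reset. I would keep the parameter name, as in `int vcpu_reset(struct vcpu *v);`, and document the contract next to the declaration, for example `/* Returns 0 or -errno; a non-zero result means the reset did not complete. */`. If the tree has a warn-unused-result annotation, applying it to both declarations would let the compiler find missed callers.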
Copied and modified: trunk/xen/debian/patches/CVE-2013-1918-5 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-5)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1918-5 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1918-5 Fri May 10 20:00:21 2013 (r1157)
@@ -7,15 +7,17 @@
---
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
-@@ -676,6 +676,7 @@ int arch_set_info_guest(
- {
- struct domain *d = v->domain;
- unsigned long cr3_pfn = INVALID_MFN;
-+ struct page_info *cr3_page;
- unsigned long flags, cr4;
- int i, rc = 0, compat;
+@@ -858,6 +858,9 @@ int arch_set_info_guest(
-@@ -815,72 +816,103 @@ int arch_set_info_guest(
+ if ( !v->is_initialised )
+ {
++ if ( !compat && !(flags & VGCF_in_kernel) && !c.nat->ctrlreg[1] )
++ return -EINVAL;
++
+ v->arch.pv_vcpu.ldt_base = c(ldt_base);
+ v->arch.pv_vcpu.ldt_ents = c(ldt_ents);
+ }
+@@ -955,24 +958,44 @@ int arch_set_info_guest(
if ( rc != 0 )
return rc;
@@ -23,27 +25,29 @@
+
if ( !compat )
- {
- cr3_pfn = gmfn_to_mfn(d, xen_cr3_to_pfn(c.nat->ctrlreg[3]));
-+#ifdef __x86_64__
-+ else
-+ cr3_pfn = gmfn_to_mfn(d, compat_cr3_to_pfn(c.cmp->ctrlreg[3]));
-+#endif
-+ cr3_page = mfn_to_page(cr3_pfn);
-
-- if ( !mfn_valid(cr3_pfn) ||
-- (paging_mode_refcounts(d)
-- ? !get_page(mfn_to_page(cr3_pfn), d)
-- : !get_page_and_type(mfn_to_page(cr3_pfn), d,
-- PGT_base_page_table)) )
+ cr3_gfn = xen_cr3_to_pfn(c.nat->ctrlreg[3]);
+- cr3_page = get_page_from_gfn(d, cr3_gfn, NULL, P2M_ALLOC);
+-
+- if ( !cr3_page )
- {
- destroy_gdt(v);
- return -EINVAL;
- }
-+ if ( !mfn_valid(cr3_pfn) || !get_page(cr3_page, d) )
-+ {
-+ cr3_page = NULL;
+- if ( !paging_mode_refcounts(d)
+- && !get_page_type(cr3_page, PGT_base_page_table) )
+- {
+- put_page(cr3_page);
+- destroy_gdt(v);
+- return -EINVAL;
+- }
++#ifdef CONFIG_COMPAT
++ else
++ cr3_gfn = compat_cr3_to_pfn(c.cmp->ctrlreg[3]);
++#endif
++ cr3_page = get_page_from_gfn(d, cr3_gfn, NULL, P2M_ALLOC);
+
++ if ( !cr3_page )
+ rc = -EINVAL;
-+ }
+ else if ( paging_mode_refcounts(d) )
+ /* nothing */;
+ else if ( cr3_page == v->arch.old_guest_table )
@@ -66,39 +70,34 @@
+ if ( rc == -EINTR )
+ rc = -EAGAIN;
+ }
-
+ if ( rc )
+ /* handled below */;
+ else if ( !compat )
+ {
- v->arch.guest_table = pagetable_from_pfn(cr3_pfn);
-
+ v->arch.guest_table = pagetable_from_page(cr3_page);
#ifdef __x86_64__
if ( c.nat->ctrlreg[1] )
- {
- cr3_pfn = gmfn_to_mfn(d, xen_cr3_to_pfn(c.nat->ctrlreg[1]));
-+ cr3_page = mfn_to_page(cr3_pfn);
-
-- if ( !mfn_valid(cr3_pfn) ||
-- (paging_mode_refcounts(d)
-- ? !get_page(mfn_to_page(cr3_pfn), d)
-- : !get_page_and_type(mfn_to_page(cr3_pfn), d,
-- PGT_base_page_table)) )
-+ if ( !mfn_valid(cr3_pfn) || !get_page(cr3_page, d) )
+@@ -980,56 +1003,44 @@ int arch_set_info_guest(
+ cr3_gfn = xen_cr3_to_pfn(c.nat->ctrlreg[1]);
+ cr3_page = get_page_from_gfn(d, cr3_gfn, NULL, P2M_ALLOC);
+
+- if ( !cr3_page ||
+- (!paging_mode_refcounts(d)
+- && !get_page_type(cr3_page, PGT_base_page_table)) )
++ if ( !cr3_page )
++ rc = -EINVAL;
++ else if ( !paging_mode_refcounts(d) )
{
-- cr3_pfn = pagetable_get_pfn(v->arch.guest_table);
+- if (cr3_page)
+- put_page(cr3_page);
+- cr3_page = pagetable_get_page(v->arch.guest_table);
- v->arch.guest_table = pagetable_null();
- if ( paging_mode_refcounts(d) )
-- put_page(mfn_to_page(cr3_pfn));
+- put_page(cr3_page);
- else
-- put_page_and_type(mfn_to_page(cr3_pfn));
+- put_page_and_type(cr3_page);
- destroy_gdt(v);
- return -EINVAL;
-+ cr3_page = NULL;
-+ rc = -EINVAL;
-+ }
-+ else if ( !paging_mode_refcounts(d) )
-+ {
+ rc = get_page_type_preemptible(cr3_page, PGT_root_page_table);
+ switch ( rc )
+ {
@@ -111,38 +110,41 @@
+ break;
+ }
}
-
-- v->arch.guest_table_user = pagetable_from_pfn(cr3_pfn);
-+ if ( !rc )
-+ v->arch.guest_table_user = pagetable_from_pfn(cr3_pfn);
- }
- else if ( !(flags & VGCF_in_kernel) )
- {
+-
+- v->arch.guest_table_user = pagetable_from_page(cr3_page);
+- }
+- else if ( !(flags & VGCF_in_kernel) )
+- {
- destroy_gdt(v);
- return -EINVAL;
-+ cr3_page = NULL;
-+ rc = -EINVAL;
++ if ( !rc )
++ v->arch.guest_table_user = pagetable_from_page(cr3_page);
}
}
else
{
l4_pgentry_t *l4tab;
-- cr3_pfn = gmfn_to_mfn(d, compat_cr3_to_pfn(c.cmp->ctrlreg[3]));
+- cr3_gfn = compat_cr3_to_pfn(c.cmp->ctrlreg[3]);
+- cr3_page = get_page_from_gfn(d, cr3_gfn, NULL, P2M_ALLOC);
+-
+- if ( !cr3_page)
+- {
+- destroy_gdt(v);
+- return -EINVAL;
+- }
-
-- if ( !mfn_valid(cr3_pfn) ||
-- (paging_mode_refcounts(d)
-- ? !get_page(mfn_to_page(cr3_pfn), d)
-- : !get_page_and_type(mfn_to_page(cr3_pfn), d,
-- PGT_l3_page_table)) )
+- if (!paging_mode_refcounts(d)
+- && !get_page_type(cr3_page, PGT_l3_page_table) )
- {
+- put_page(cr3_page);
- destroy_gdt(v);
- return -EINVAL;
- }
-
l4tab = __va(pagetable_get_paddr(v->arch.guest_table));
- *l4tab = l4e_from_pfn(
- cr3_pfn, _PAGE_PRESENT|_PAGE_RW|_PAGE_USER|_PAGE_ACCESSED);
+ *l4tab = l4e_from_pfn(page_to_mfn(cr3_page),
+ _PAGE_PRESENT|_PAGE_RW|_PAGE_USER|_PAGE_ACCESSED);
#endif
}
+ if ( rc )
@@ -159,8 +161,8 @@
update_domain_wallclock_time(d);
--- a/xen/common/compat/domain.c
+++ b/xen/common/compat/domain.c
-@@ -52,6 +52,10 @@ int compat_vcpu_op(int cmd, int vcpuid,
- rc = boot_vcpu(d, vcpuid, cmp_ctxt);
+@@ -50,6 +50,10 @@ int compat_vcpu_op(int cmd, int vcpuid,
+ rc = v->is_initialised ? -EEXIST : arch_set_info_guest(v, cmp_ctxt);
domain_unlock(d);
+ if ( rc == -EAGAIN )
@@ -172,10 +174,10 @@
}
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
-@@ -842,6 +842,11 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
+@@ -849,6 +849,11 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
domain_unlock(d);
- xfree(ctxt);
+ free_vcpu_guest_context(ctxt);
+
+ if ( rc == -EAGAIN )
+ rc = hypercall_create_continuation(__HYPERVISOR_vcpu_op, "iih",
@@ -183,10 +185,10 @@
+
break;
- case VCPUOP_up:
+ case VCPUOP_up: {
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
-@@ -318,6 +318,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
+@@ -338,6 +338,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
domain_pause(d);
ret = arch_set_info_guest(v, c);
domain_unpause(d);
Copied and modified: trunk/xen/debian/patches/CVE-2013-1918-6 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-6)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1918-6 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1918-6 Fri May 10 20:00:21 2013 (r1157)
@@ -11,7 +11,7 @@
---
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
-@@ -3040,6 +3040,14 @@ long do_mmuext_op(
+@@ -3123,6 +3123,14 @@ long do_mmuext_op(
return rc;
}
@@ -26,7 +26,7 @@
if ( unlikely(count & MMU_UPDATE_PREEMPTED) )
{
count &= ~MMU_UPDATE_PREEMPTED;
-@@ -3063,7 +3071,7 @@ long do_mmuext_op(
+@@ -3146,7 +3154,7 @@ long do_mmuext_op(
for ( i = 0; i < count; i++ )
{
@@ -35,7 +35,7 @@
{
rc = -EAGAIN;
break;
-@@ -3181,7 +3189,17 @@ long do_mmuext_op(
+@@ -3266,7 +3274,17 @@ long do_mmuext_op(
break;
}
@@ -54,7 +54,7 @@
put_page(page);
/* A page is dirtied when its pin status is cleared. */
-@@ -3487,9 +3505,27 @@ long do_mmuext_op(
+@@ -3587,9 +3605,27 @@ long do_mmuext_op(
}
if ( rc == -EAGAIN )
@@ -84,7 +84,7 @@
--- a/xen/arch/x86/x86_64/compat/mm.c
+++ b/xen/arch/x86/x86_64/compat/mm.c
-@@ -222,6 +222,13 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
+@@ -268,6 +268,13 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
int rc = 0;
XEN_GUEST_HANDLE(mmuext_op_t) nat_ops;
@@ -98,7 +98,7 @@
preempt_mask = count & MMU_UPDATE_PREEMPTED;
count ^= preempt_mask;
-@@ -324,12 +331,18 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
+@@ -370,12 +377,18 @@ int compat_mmuext_op(XEN_GUEST_HANDLE(mm
guest_handle_add_offset(nat_ops, i - left);
guest_handle_subtract_offset(cmp_uops, left);
left = 1;
Copied and modified: trunk/xen/debian/patches/CVE-2013-1918-7 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1918-7)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1918-7 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1918-7 Fri May 10 20:00:21 2013 (r1157)
@@ -16,7 +16,7 @@
---
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
-@@ -1183,7 +1183,16 @@ static int put_page_from_l3e(l3_pgentry_
+@@ -1241,7 +1241,16 @@ static int put_page_from_l3e(l3_pgentry_
#endif
if ( unlikely(partial > 0) )
@@ -33,7 +33,7 @@
return put_page_and_type_preemptible(l3e_get_page(l3e), preemptible);
}
-@@ -1196,7 +1205,17 @@ static int put_page_from_l4e(l4_pgentry_
+@@ -1254,7 +1263,17 @@ static int put_page_from_l4e(l4_pgentry_
(l4e_get_pfn(l4e) != pfn) )
{
if ( unlikely(partial > 0) )
@@ -51,7 +51,7 @@
return put_page_and_type_preemptible(l4e_get_page(l4e), preemptible);
}
return 1;
-@@ -1486,12 +1505,17 @@ static int alloc_l3_table(struct page_in
+@@ -1549,12 +1568,17 @@ static int alloc_l3_table(struct page_in
if ( rc < 0 && rc != -EAGAIN && rc != -EINTR )
{
MEM_LOG("Failure in alloc_l3_table: entry %d", i);
@@ -70,7 +70,7 @@
}
}
-@@ -1521,22 +1545,24 @@ static int alloc_l4_table(struct page_in
+@@ -1584,22 +1608,24 @@ static int alloc_l4_table(struct page_in
page->nr_validated_ptes = i;
page->partial_pte = partial ?: 1;
}
@@ -104,7 +104,7 @@
if ( rc < 0 )
return rc;
-@@ -1966,7 +1992,7 @@ static int mod_l3_entry(l3_pgentry_t *pl
+@@ -2047,7 +2073,7 @@ static int mod_l3_entry(l3_pgentry_t *pl
pae_flush_pgd(pfn, pgentry_ptr_to_slot(pl3e), nl3e);
}
@@ -113,7 +113,7 @@
return rc;
}
-@@ -2029,7 +2055,7 @@ static int mod_l4_entry(l4_pgentry_t *pl
+@@ -2110,7 +2136,7 @@ static int mod_l4_entry(l4_pgentry_t *pl
return -EFAULT;
}
@@ -122,7 +122,7 @@
return rc;
}
-@@ -2187,7 +2213,15 @@ static int alloc_page_type(struct page_i
+@@ -2268,7 +2294,15 @@ static int alloc_page_type(struct page_i
PRtype_info ": caf=%08lx taf=%" PRtype_info,
page_to_mfn(page), get_gpfn_from_mfn(page_to_mfn(page)),
type, page->count_info, page->u.inuse.type_info);
@@ -139,10 +139,10 @@
}
else
{
-@@ -3131,21 +3165,17 @@ long do_mmuext_op(
- page = mfn_to_page(mfn);
+@@ -3218,21 +3252,17 @@ long do_mmuext_op(
+ }
- if ( (rc = xsm_memory_pin_page(d, page)) != 0 )
+ if ( (rc = xsm_memory_pin_page(d, pg_owner, page)) != 0 )
- {
- put_page_and_type(page);
okay = 0;
@@ -154,7 +154,7 @@
+ else if ( unlikely(test_and_set_bit(_PGT_pinned,
+ &page->u.inuse.type_info)) )
{
- MEM_LOG("Mfn %lx already pinned", mfn);
+ MEM_LOG("Mfn %lx already pinned", page_to_mfn(page));
- put_page_and_type(page);
okay = 0;
- break;
@@ -164,9 +164,9 @@
+ goto pin_drop;
+
/* A page is dirtied when its pin status is set. */
- paging_mark_dirty(pg_owner, mfn);
-
-@@ -3159,7 +3189,13 @@ long do_mmuext_op(
+ paging_mark_dirty(pg_owner, page_to_mfn(page));
+
+@@ -3246,7 +3276,13 @@ long do_mmuext_op(
&page->u.inuse.type_info));
spin_unlock(&pg_owner->page_alloc_lock);
if ( drop_ref )
@@ -181,18 +181,18 @@
}
break;
-@@ -3552,11 +3588,28 @@ long do_mmu_update(
+@@ -3652,11 +3688,28 @@ long do_mmu_update(
void *va;
unsigned long gpfn, gmfn, mfn;
struct page_info *page;
-- int rc = 0, okay = 1, i = 0;
+- int rc = 0, i = 0;
- unsigned int cmd, done = 0, pt_dom;
- struct vcpu *v = current;
+ unsigned int cmd, i = 0, done = 0, pt_dom;
+ struct vcpu *curr = current, *v = curr;
struct domain *d = v->domain, *pt_owner = d, *pg_owner;
struct domain_mmap_cache mapcache;
-+ int rc = put_old_guest_table(curr), okay = 1;
++ int rc = put_old_guest_table(curr);
+
+ if ( unlikely(rc) )
+ {
@@ -213,7 +213,7 @@
if ( unlikely(count & MMU_UPDATE_PREEMPTED) )
{
-@@ -3605,7 +3658,7 @@ long do_mmu_update(
+@@ -3705,7 +3758,7 @@ long do_mmu_update(
for ( i = 0; i < count; i++ )
{
@@ -222,7 +222,7 @@
{
rc = -EAGAIN;
break;
-@@ -3870,9 +3923,27 @@ long do_mmu_update(
+@@ -3886,9 +3939,27 @@ long do_mmu_update(
}
if ( rc == -EAGAIN )
Copied and modified: trunk/xen/debian/patches/CVE-2013-1919 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1919)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1919 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1919 Fri May 10 20:00:21 2013 (r1157)
@@ -8,9 +8,33 @@
Origin: upstream
Id: CVE-2013-1919 XSA-46
---
---- a/tools/python/xen/xend/server/irqif.py Thu Apr 18 16:23:07 2013 +0200
-+++ b/tools/python/xen/xend/server/irqif.py Thu Apr 18 16:24:08 2013 +0200
-@@ -73,6 +73,12 @@
+--- a/tools/libxl/libxl_create.c
++++ b/tools/libxl/libxl_create.c
+@@ -968,14 +968,16 @@ static void domcreate_launch_dm(libxl__e
+ }
+
+ for (i = 0; i < d_config->b_info.num_irqs; i++) {
+- uint32_t irq = d_config->b_info.irqs[i];
++ int irq = d_config->b_info.irqs[i];
+
+- LOG(DEBUG, "dom%d irq %"PRIx32, domid, irq);
++ LOG(DEBUG, "dom%d irq %d", domid, irq);
+
+- ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1);
++ ret = irq >= 0 ? xc_physdev_map_pirq(CTX->xch, domid, irq, &irq)
++ : -EOVERFLOW;
++ if (!ret)
++ ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1);
+ if ( ret<0 ){
+- LOGE(ERROR,
+- "failed give dom%d access to irq %"PRId32, domid, irq);
++ LOGE(ERROR, "failed give dom%d access to irq %d", domid, irq);
+ ret = ERROR_FAIL;
+ }
+ }
+--- a/tools/python/xen/xend/server/irqif.py
++++ b/tools/python/xen/xend/server/irqif.py
+@@ -73,6 +73,12 @@ class IRQController(DevController):
pirq = get_param('irq')
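Review bot: In the new libxl_create.c loop, a failure for one IRQ is only logged. `ret = ERROR_FAIL;` is followed directly by the loop's closing brace, so the next iteration's `ret = irq >= 0 ? xc_physdev_map_pirq(...) : -EOVERFLOW;` overwrites it, and only a failure on the last configured IRQ survives the loop. Two smaller points concern the log message. On the `irq < 0` path no libxc call has run, so the errno that LOGE appends is stale. And because `xc_physdev_map_pirq` is handed `&irq`, the message may print the returned pirq, not the configured IRQ. I would keep the configured number in its own variable for logging and leave the loop on the first error via the function's existing error path; domcreate_launch_dm starts and ends outside this hunk, so that path is not visible here.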
@@ -23,7 +47,7 @@
rc = xc.domain_irq_permission(domid = self.getDomid(),
pirq = pirq,
allow_access = True)
-@@ -81,12 +87,6 @@
+@@ -81,12 +87,6 @@ class IRQController(DevController):
#todo non-fatal
raise VmError(
'irq: Failed to configure irq: %d' % (pirq))
@@ -36,9 +60,9 @@
back = dict([(k, config[k]) for k in self.valid_cfg if k in config])
return (self.allocateDeviceID(), back, {})
---- a/xen/arch/x86/domain_build.c Thu Apr 18 16:23:07 2013 +0200
-+++ b/xen/arch/x86/domain_build.c Thu Apr 18 16:24:08 2013 +0200
-@@ -1201,7 +1201,7 @@
+--- a/xen/arch/x86/domain_build.c
++++ b/xen/arch/x86/domain_build.c
+@@ -1219,7 +1219,7 @@ int __init construct_dom0(
/* DOM0 is permitted full I/O capabilities. */
rc |= ioports_permit_access(dom0, 0, 0xFFFF);
rc |= iomem_permit_access(dom0, 0UL, ~0UL);
@@ -47,9 +71,9 @@
/*
* Modify I/O port access permissions.
---- a/xen/arch/x86/domctl.c Thu Apr 18 16:23:07 2013 +0200
-+++ b/xen/arch/x86/domctl.c Thu Apr 18 16:24:08 2013 +0200
-@@ -908,9 +908,13 @@
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -772,9 +772,13 @@ long arch_do_domctl(
goto bind_out;
ret = -EPERM;
@@ -66,7 +90,7 @@
ret = -ESRCH;
if ( iommu_enabled )
-@@ -938,9 +942,13 @@
+@@ -803,9 +807,13 @@ long arch_do_domctl(
bind = &(domctl->u.bind_pt_irq);
ret = -EPERM;
@@ -83,13 +107,13 @@
if ( iommu_enabled )
{
---- a/xen/arch/x86/irq.c Thu Apr 18 16:23:07 2013 +0200
-+++ b/xen/arch/x86/irq.c Thu Apr 18 16:24:08 2013 +0200
-@@ -174,6 +174,15 @@
- out:
- spin_unlock_irqrestore(&vector_lock, flags);
-
-+ if ( irq > 0 && dom0 )
+--- a/xen/arch/x86/irq.c
++++ b/xen/arch/x86/irq.c
+@@ -184,6 +184,14 @@ int create_irq(int node)
+ desc->arch.used = IRQ_UNUSED;
+ irq = ret;
+ }
++ else if ( dom0 )
+ {
+ ret = irq_permit_access(dom0, irq);
+ if ( ret )
@@ -97,11 +121,10 @@
+ "Could not grant Dom0 access to IRQ%d (error %d)\n",
+ irq, ret);
+ }
-+
+
return irq;
}
-
-@@ -258,6 +267,17 @@
+@@ -280,6 +288,17 @@ void clear_irq_vector(int irq)
void destroy_irq(unsigned int irq)
{
BUG_ON(!MSI_IRQ(irq));
@@ -119,7 +142,7 @@
dynamic_irq_cleanup(irq);
clear_irq_vector(irq);
}
-@@ -1604,7 +1624,7 @@
+@@ -1858,7 +1877,7 @@ int map_domain_pirq(
if ( !IS_PRIV(current->domain) &&
!(IS_PRIV_FOR(current->domain, d) &&
@@ -128,8 +151,8 @@
return -EPERM;
if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
-@@ -1625,11 +1645,12 @@
- return 0;
+@@ -1887,17 +1906,18 @@ int map_domain_pirq(
+ return ret;
}
- ret = irq_permit_access(d, pirq);
@@ -144,7 +167,14 @@
return ret;
}
-@@ -1651,8 +1672,14 @@
+ ret = prepare_domain_irq_pirq(d, irq, pirq, &info);
+ if ( ret )
+- return ret;
++ goto revoke;
+
+ desc = irq_to_desc(irq);
+
+@@ -1921,8 +1941,14 @@ int map_domain_pirq(
spin_lock_irqsave(&desc->lock, flags);
if ( desc->handler != &no_irq_type )
@@ -156,23 +186,27 @@
+ ret = -EBUSY;
+ goto done;
+ }
- desc->handler = &pci_msi_type;
+ setup_msi_handler(desc, msi_desc);
+
if ( opt_irq_vector_map == OPT_IRQ_VECTOR_MAP_PERDEV
- && !desc->chip_data->used_vectors )
-@@ -1680,6 +1707,10 @@
- }
+@@ -1951,7 +1977,14 @@ int map_domain_pirq(
done:
-+ if ( ret && irq_deny_access(d, irq) )
-+ printk(XENLOG_G_ERR
-+ "dom%d: could not revoke access to IRQ%d (pirq %d)\n",
-+ d->domain_id, irq, pirq);
+ if ( ret )
++ {
+ cleanup_domain_irq_pirq(d, irq, info);
++ revoke:
++ if ( irq_deny_access(d, irq) )
++ printk(XENLOG_G_ERR
++ "dom%d: could not revoke access to IRQ%d (pirq %d)\n",
++ d->domain_id, irq, pirq);
++ }
return ret;
}
-@@ -1736,10 +1767,11 @@
- if (msi_desc)
- msi_free_irq(msi_desc);
+@@ -2017,10 +2050,11 @@ int unmap_domain_pirq(struct domain *d,
+ if ( !forced_unbind )
+ cleanup_domain_irq_pirq(d, irq, info);
- ret = irq_deny_access(d, pirq);
+ ret = irq_deny_access(d, irq);
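Review bot: The `revoke:` label in the refreshed `map_domain_pirq` error path sits inside the `if ( ret )` body, so the `goto revoke` taken when `prepare_domain_irq_pirq()` fails (previous hunk) jumps into the middle of a block and skips `cleanup_domain_irq_pirq()`. That is valid C but fragile: a later edit that adds a statement above the label or restructures the `if` silently changes which failure paths revoke the IRQ permission. I would document the label, for example `/* prepare_domain_irq_pirq() failed: no pirq state to clean up, only drop the IRQ permission granted above */`. The grant itself and the start of the function are outside this hunk, so that wording assumes the permission is granted before the `goto`. Note also that a failing `irq_deny_access()` is only logged here, so the domain would presumably keep the capability for an IRQ whose mapping failed.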
@@ -183,25 +217,33 @@
+ "dom%d: could not deny access to IRQ%d (pirq %d)\n",
+ d->domain_id, irq, pirq);
- if ( desc->handler == &pci_msi_type )
- desc->handler = &no_irq_type;
---- a/xen/arch/x86/physdev.c Thu Apr 18 16:23:07 2013 +0200
-+++ b/xen/arch/x86/physdev.c Thu Apr 18 16:24:08 2013 +0200
-@@ -147,7 +147,7 @@
+ done:
+ return ret;
+--- a/xen/arch/x86/physdev.c
++++ b/xen/arch/x86/physdev.c
+@@ -147,7 +147,7 @@ int physdev_map_pirq(domid_t domid, int
if ( irq == -1 )
- irq = create_irq();
+ irq = create_irq(NUMA_NO_NODE);
- if ( irq < 0 || irq >= nr_irqs )
+ if ( irq < nr_irqs_gsi || irq >= nr_irqs )
{
dprintk(XENLOG_G_ERR, "dom%d: can't create irq for msi!\n",
d->domain_id);
---- a/xen/common/domctl.c Thu Apr 18 16:23:07 2013 +0200
-+++ b/xen/common/domctl.c Thu Apr 18 16:24:08 2013 +0200
-@@ -854,9 +854,9 @@
- if ( pirq >= d->nr_pirqs )
- ret = -EINVAL;
- else if ( op->u.irq_permission.allow_access )
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -25,6 +25,7 @@
+ #include <xen/paging.h>
+ #include <xen/hypercall.h>
+ #include <asm/current.h>
++#include <asm/irq.h>
+ #include <asm/page.h>
+ #include <public/domctl.h>
+ #include <xsm/xsm.h>
+@@ -897,9 +898,9 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc
+ else if ( xsm_irq_permission(d, pirq, allow) )
+ ret = -EPERM;
+ else if ( allow )
- ret = irq_permit_access(d, pirq);
+ ret = pirq_permit_access(d, pirq);
else
@@ -210,9 +252,9 @@
rcu_unlock_domain(d);
}
---- a/xen/common/event_channel.c Thu Apr 18 16:23:07 2013 +0200
-+++ b/xen/common/event_channel.c Thu Apr 18 16:24:08 2013 +0200
-@@ -332,7 +332,7 @@
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -369,7 +369,7 @@ static long evtchn_bind_pirq(evtchn_bind
if ( (pirq < 0) || (pirq >= d->nr_pirqs) )
return -EINVAL;
@@ -221,8 +263,8 @@
return -EPERM;
spin_lock(&d->event_lock);
---- a/xen/include/xen/iocap.h Thu Apr 18 16:23:07 2013 +0200
-+++ b/xen/include/xen/iocap.h Thu Apr 18 16:24:08 2013 +0200
+--- a/xen/include/xen/iocap.h
++++ b/xen/include/xen/iocap.h
@@ -28,4 +28,22 @@
#define irq_access_permitted(d, i) \
rangeset_contains_singleton((d)->irq_caps, i)
@@ -246,4 +288,3 @@
+})
+
#endif /* __XEN_IOCAP_H__ */
-
Copied and modified: trunk/xen/debian/patches/CVE-2013-1920 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1920)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1920 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1920 Fri May 10 20:00:21 2013 (r1157)
@@ -6,17 +6,17 @@
Origin: upstream
Id: CVE-2013-1920 XSA-47
---
---- a/xen/common/event_channel.c Tue Apr 02 12:39:15 2013 +0200
-+++ b/xen/common/event_channel.c Fri Apr 05 10:04:03 2013 +0200
-@@ -104,7 +104,6 @@
+--- a/xen/common/event_channel.c
++++ b/xen/common/event_channel.c
+@@ -140,7 +140,6 @@ static int get_free_port(struct domain *
+ chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET);
if ( unlikely(chn == NULL) )
return -ENOMEM;
- memset(chn, 0, EVTCHNS_PER_BUCKET * sizeof(*chn));
- bucket_from_port(d, port) = chn;
for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
{
-@@ -117,6 +116,8 @@
+@@ -153,6 +152,8 @@ static int get_free_port(struct domain *
}
}
@@ -25,4 +25,3 @@
return port;
}
-
Copied and modified: trunk/xen/debian/patches/CVE-2013-1952 (from r1156, branches/wheezy/xen/debian/patches/CVE-2013-1952)
==============================================================================
--- branches/wheezy/xen/debian/patches/CVE-2013-1952 Sun May 5 18:51:59 2013 (r1156, copy source)
+++ trunk/xen/debian/patches/CVE-2013-1952 Fri May 10 20:00:21 2013 (r1157)
@@ -7,8 +7,8 @@
---
--- a/xen/drivers/passthrough/vtd/intremap.c
+++ b/xen/drivers/passthrough/vtd/intremap.c
-@@ -477,16 +477,15 @@ static void set_msi_source_id(struct pci
- type = pdev_type(bus, devfn);
+@@ -440,16 +440,15 @@ static void set_msi_source_id(struct pci
+ type = pdev_type(seg, bus, devfn);
switch ( type )
{
+ case DEV_TYPE_PCIe_ENDPOINT:
@@ -24,23 +24,23 @@
case DEV_TYPE_PCI:
+ case DEV_TYPE_LEGACY_PCI_BRIDGE:
+ /* case DEV_TYPE_PCI2PCIe_BRIDGE: */
- ret = find_upstream_bridge(&bus, &devfn, &secbus);
+ ret = find_upstream_bridge(seg, &bus, &devfn, &secbus);
if ( ret == 0 ) /* integrated PCI device */
{
-@@ -498,10 +497,15 @@ static void set_msi_source_id(struct pci
- if ( pdev_type(bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )
+@@ -461,10 +460,15 @@ static void set_msi_source_id(struct pci
+ if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )
set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
(bus << 8) | pdev->bus);
-- else if ( pdev_type(bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
+- else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
+ else
set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
PCI_BDF2(bus, devfn));
}
+ else
+ dprintk(XENLOG_WARNING VTDPREFIX,
-+ "d%d: no upstream bridge for %02x:%02x.%u\n",
++ "d%d: no upstream bridge for %04x:%02x:%02x.%u\n",
+ pdev->domain->domain_id,
-+ bus, PCI_SLOT(devfn), PCI_FUNC(devfn));
++ seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn));
break;
default:
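Review bot: The new `else` branch for a failed `find_upstream_bridge()` lookup reports the condition with `dprintk`, which as far as I know is compiled out of non-debug Xen builds, so a production hypervisor would leave no trace of the missing-bridge case. The visible lines call no `set_ire_sid()` in that branch, so this is a condition an operator would want recorded; consider `printk(XENLOG_WARNING VTDPREFIX ...)` with the same format string and arguments. The rest of the switch in `set_msi_source_id` lies outside the hunk, so what source validation the entry ends up with is not visible here. The disabled `/* case DEV_TYPE_PCI2PCIe_BRIDGE: */` label should also carry a short comment saying why it is left out.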
Modified: trunk/xen/debian/patches/series
==============================================================================
--- trunk/xen/debian/patches/series Sun May 5 18:51:59 2013 (r1156)
+++ trunk/xen/debian/patches/series Fri May 10 20:00:21 2013 (r1157)
@@ -3,6 +3,17 @@
CVE-2013-0153-2
CVE-2013-0153-3
CVE-2013-0153-4
+CVE-2013-1917
+CVE-2013-1918-1
+CVE-2013-1918-2
+CVE-2013-1918-3
+CVE-2013-1918-4
+CVE-2013-1918-5
+CVE-2013-1918-6
+CVE-2013-1918-7
+CVE-2013-1919
+CVE-2013-1920
+CVE-2013-1952
version.patch