diff options
author | bsiegert <bsiegert@pkgsrc.org> | 2021-02-16 07:57:46 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2021-02-16 07:57:46 +0000 |
commit | fbfa2594fad9e4323fa61652a01974671e2ebe9e (patch) | |
tree | aca2c3d0e730769072934b04d427b7618ff0bd3e | |
parent | 8035247279b45de8247a82873a2d1a3aba8e0e9f (diff) | |
download | pkgsrc-fbfa2594fad9e4323fa61652a01974671e2ebe9e.tar.gz |
Pullup ticket #6422 - requested by bouyer
sysutils/xenkernel413: security fix
Revisions pulled up:
- sysutils/xenkernel413/Makefile 1.12
- sysutils/xenkernel413/distinfo 1.9
- sysutils/xenkernel413/patches/patch-XSA355 1.1
- sysutils/xenkernel413/patches/patch-XSA360 1.1
---
Module Name: pkgsrc
Committed By: bouyer
Date: Wed Feb 3 22:27:16 UTC 2021
Modified Files:
pkgsrc/sysutils/xenkernel413: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel413/patches: patch-XSA355 patch-XSA360
Log Message:
Add upstream patches for Xen security advisory 355 and 360.
Bump PKGREVSION
-rw-r--r-- | sysutils/xenkernel413/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xenkernel413/distinfo | 4 | ||||
-rw-r--r-- | sysutils/xenkernel413/patches/patch-XSA355 | 25 | ||||
-rw-r--r-- | sysutils/xenkernel413/patches/patch-XSA360 | 99 |
4 files changed, 129 insertions, 3 deletions
diff --git a/sysutils/xenkernel413/Makefile b/sysutils/xenkernel413/Makefile index cb1e3aa80a0..40355585048 100644 --- a/sysutils/xenkernel413/Makefile +++ b/sysutils/xenkernel413/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.11 2020/12/16 17:15:22 bouyer Exp $ +# $NetBSD: Makefile,v 1.11.2.1 2021/02/16 07:57:46 bsiegert Exp $ VERSION= 4.13.2 -PKGREVISION= 4 +PKGREVISION= 5 DISTNAME= xen-${VERSION} PKGNAME= xenkernel413-${VERSION} CATEGORIES= sysutils diff --git a/sysutils/xenkernel413/distinfo b/sysutils/xenkernel413/distinfo index a914c15978a..fbd90bcc9d8 100644 --- a/sysutils/xenkernel413/distinfo +++ b/sysutils/xenkernel413/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.8 2020/12/16 17:15:22 bouyer Exp $ +$NetBSD: distinfo,v 1.8.2.1 2021/02/16 07:57:46 bsiegert Exp $ SHA1 (xen413/xen-4.13.2.tar.gz) = d514f1de9582c58676420bb2c9fb1c765b44fbff RMD160 (xen413/xen-4.13.2.tar.gz) = 96727c20bd84338f8c67c7c584c01ef877bbcb18 @@ -7,8 +7,10 @@ Size (xen413/xen-4.13.2.tar.gz) = 39037826 bytes SHA1 (patch-Config.mk) = 9372a09efd05c9fbdbc06f8121e411fcb7c7ba65 SHA1 (patch-XSA348) = 70de325f88e004228d2b69b7ae3b4106175be1e0 SHA1 (patch-XSA351) = edb0975ab0aa53d7a0ae7816fe170a081eea695e +SHA1 (patch-XSA355) = 73ca5dff042a4a54b06af36e6ace7d09673c05f0 SHA1 (patch-XSA358) = 71d5b2e3d19223b986b8572adfbe7355a3a03db6 SHA1 (patch-XSA359) = 4b778a86fffbe0e2a364e1589d573bbc7c27ff99 +SHA1 (patch-XSA360) = c1aa4bdade4d3318bc2dffa83e359f66997b11df SHA1 (patch-fixpvh) = fd71e150e0b3a461875c02c4419dbfb30548d8f6 SHA1 (patch-xen_Makefile) = 465388d80de414ca3bb84faefa0f52d817e423a6 SHA1 (patch-xen_Rules.mk) = c743dc63f51fc280d529a7d9e08650292c171dac diff --git a/sysutils/xenkernel413/patches/patch-XSA355 b/sysutils/xenkernel413/patches/patch-XSA355 new file mode 100644 index 00000000000..47840e00601 --- /dev/null +++ b/sysutils/xenkernel413/patches/patch-XSA355 @@ -0,0 +1,25 @@ +$NetBSD: patch-XSA355,v 1.1.2.2 2021/02/16 07:57:46 bsiegert Exp $ + +From: Jan Beulich <jbeulich@suse.com> +Subject: memory: fix off-by-one in XSA-346 change + +The comparison against ARRAY_SIZE() needs to be >= in order to avoid +overrunning the pages[] array. + +This is XSA-355. + +Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush") +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Julien Grall <jgrall@amazon.com> + +--- xen/common/memory.c.orig ++++ xen/common/memory.c +@@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain + ++extra.ppage; + + /* Check for continuation if it's not the last iteration. */ +- if ( (++done > ARRAY_SIZE(pages) && extra.ppage) || ++ if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) || + (xatp->size > done && hypercall_preempt_check()) ) + { + rc = start + done; diff --git a/sysutils/xenkernel413/patches/patch-XSA360 b/sysutils/xenkernel413/patches/patch-XSA360 new file mode 100644 index 00000000000..197097c4596 --- /dev/null +++ b/sysutils/xenkernel413/patches/patch-XSA360 @@ -0,0 +1,99 @@ +$NetBSD: patch-XSA360,v 1.1.2.2 2021/02/16 07:57:46 bsiegert Exp $ + +From: Roger Pau Monne <roger.pau@citrix.com> +Subject: x86/dpci: do not remove pirqs from domain tree on unbind + +A fix for a previous issue removed the pirqs from the domain tree when +they are unbound in order to prevent shared pirqs from triggering a +BUG_ON in __pirq_guest_unbind if they are unbound multiple times. That +caused free_domain_pirqs to no longer unmap the pirqs because they +are gone from the domain pirq tree, thus leaving stale unbound pirqs +after domain destruction if the domain had mapped dpci pirqs after +shutdown. + +Take a different approach to fix the original issue, instead of +removing the pirq from d->pirq_tree clear the flags of the dpci pirq +struct to signal that the pirq is now unbound. This prevents calling +pirq_guest_unbind multiple times for the same pirq without having to +remove it from the domain pirq tree. + +This is XSA-360. + +Fixes: 5b58dad089 ('x86/pass-through: avoid double IRQ unbind during domain cleanup') +Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +--- xen/arch/x86/irq.c.orig ++++ xen/arch/x86/irq.c +@@ -1331,7 +1331,7 @@ void (pirq_cleanup_check)(struct pirq *p + } + + if ( radix_tree_delete(&d->pirq_tree, pirq->pirq) != pirq ) +- BUG_ON(!d->is_dying); ++ BUG(); + } + + /* Flush all ready EOIs from the top of this CPU's pending-EOI stack. */ +--- xen/drivers/passthrough/pci.c.orig ++++ xen/drivers/passthrough/pci.c +@@ -862,6 +862,10 @@ static int pci_clean_dpci_irq(struct dom + { + struct dev_intx_gsi_link *digl, *tmp; + ++ if ( !pirq_dpci->flags ) ++ /* Already processed. */ ++ return 0; ++ + pirq_guest_unbind(d, dpci_pirq(pirq_dpci)); + + if ( pt_irq_need_timer(pirq_dpci->flags) ) +@@ -872,15 +876,10 @@ static int pci_clean_dpci_irq(struct dom + list_del(&digl->list); + xfree(digl); + } ++ /* Note the pirq is now unbound. */ ++ pirq_dpci->flags = 0; + +- radix_tree_delete(&d->pirq_tree, dpci_pirq(pirq_dpci)->pirq); +- +- if ( !pt_pirq_softirq_active(pirq_dpci) ) +- return 0; +- +- domain_get_irq_dpci(d)->pending_pirq_dpci = pirq_dpci; +- +- return -ERESTART; ++ return pt_pirq_softirq_active(pirq_dpci) ? -ERESTART : 0; + } + + static int pci_clean_dpci_irqs(struct domain *d) +@@ -897,18 +896,8 @@ static int pci_clean_dpci_irqs(struct do + hvm_irq_dpci = domain_get_irq_dpci(d); + if ( hvm_irq_dpci != NULL ) + { +- int ret = 0; +- +- if ( hvm_irq_dpci->pending_pirq_dpci ) +- { +- if ( pt_pirq_softirq_active(hvm_irq_dpci->pending_pirq_dpci) ) +- ret = -ERESTART; +- else +- hvm_irq_dpci->pending_pirq_dpci = NULL; +- } ++ int ret = pt_pirq_iterate(d, pci_clean_dpci_irq, NULL); + +- if ( !ret ) +- ret = pt_pirq_iterate(d, pci_clean_dpci_irq, NULL); + if ( ret ) + { + spin_unlock(&d->event_lock); +--- xen/include/asm-x86/hvm/irq.h.orig ++++ xen/include/asm-x86/hvm/irq.h +@@ -160,8 +160,6 @@ struct hvm_irq_dpci { + DECLARE_BITMAP(isairq_map, NR_ISAIRQS); + /* Record of mapped Links */ + uint8_t link_cnt[NR_LINK]; +- /* Clean up: Entry with a softirq invocation pending / in progress. */ +- struct hvm_pirq_dpci *pending_pirq_dpci; + }; + + /* Machine IRQ to guest device/intx mapping. */ |