diff options
author | Henrik Riomar <henrik.riomar@gmail.com> | 2020-05-26 19:10:16 +0200 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2020-05-28 07:40:12 +0000 |
commit | a9fce9546f5b7e7a98c9399462c54f578df90511 (patch) | |
tree | cbc11d94567e9674859560f3c52b6cd8424ede4a | |
parent | 45f3dffaea99494ed56e7622aca07e1c41117b1d (diff) | |
download | alpine_aports-a9fce9546f5b7e7a98c9399462c54f578df90511.tar.bz2 alpine_aports-a9fce9546f5b7e7a98c9399462c54f578df90511.tar.xz alpine_aports-a9fce9546f5b7e7a98c9399462c54f578df90511.zip |
main/xen: security upgrade to 4.13.1
-rw-r--r-- | main/xen/APKBUILD | 19 | ||||
-rw-r--r-- | main/xen/xsa313-1.patch | 26 | ||||
-rw-r--r-- | main/xen/xsa313-2.patch | 132 | ||||
-rw-r--r-- | main/xen/xsa314-4.13.patch | 121 | ||||
-rw-r--r-- | main/xen/xsa316-xen.patch | 30 | ||||
-rw-r--r-- | main/xen/xsa318.patch | 39 |
6 files changed, 5 insertions, 362 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 526e1e4fe4..16a2588948 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD | |||
@@ -1,8 +1,8 @@ | |||
1 | # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> | 1 | # Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> |
2 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> | 2 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> |
3 | pkgname=xen | 3 | pkgname=xen |
4 | pkgver=4.13.0 | 4 | pkgver=4.13.1 |
5 | pkgrel=4 | 5 | pkgrel=0 |
6 | pkgdesc="Xen hypervisor" | 6 | pkgdesc="Xen hypervisor" |
7 | url="https://www.xenproject.org/" | 7 | url="https://www.xenproject.org/" |
8 | arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8 | 8 | arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8 |
@@ -166,6 +166,8 @@ options="!strip" | |||
166 | # - CVE-2020-11739 XSA-314 | 166 | # - CVE-2020-11739 XSA-314 |
167 | # - CVE-2020-11743 XSA-316 | 167 | # - CVE-2020-11743 XSA-316 |
168 | # - CVE-2020-11742 XSA-318 | 168 | # - CVE-2020-11742 XSA-318 |
169 | # 4.13.1-r0: | ||
170 | # - CVE-????-????? XSA-312 | ||
169 | 171 | ||
170 | case "$CARCH" in | 172 | case "$CARCH" in |
171 | x86*) | 173 | x86*) |
@@ -229,12 +231,6 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz | |||
229 | drop-test.py.patch | 231 | drop-test.py.patch |
230 | py3-compat.patch | 232 | py3-compat.patch |
231 | 233 | ||
232 | xsa313-1.patch | ||
233 | xsa313-2.patch | ||
234 | xsa314-4.13.patch | ||
235 | xsa316-xen.patch | ||
236 | xsa318.patch | ||
237 | |||
238 | xenstored.initd | 234 | xenstored.initd |
239 | xenstored.confd | 235 | xenstored.confd |
240 | xenconsoled.initd | 236 | xenconsoled.initd |
@@ -458,7 +454,7 @@ EOF | |||
458 | 454 | ||
459 | } | 455 | } |
460 | 456 | ||
461 | sha512sums="5b2ded9a2fe3f7ddf40eed1fa9858baead06233a01eb6099cc45b3c78b6c3823acfe7b731910733e87125dfa49d08c53f74c215fb1b320a92b44b87a0a105225 xen-4.13.0.tar.gz | 457 | sha512sums="b56d20704155d98d803496cba83eb928e0f986a750831cd5600fc88d0ae772fe1456571654375054043d2da8daca255cc98385ebf08b1b1a75ecf7f4b7a0ee90 xen-4.13.1.tar.gz |
462 | 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 | 458 | 2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 |
463 | c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz | 459 | c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz |
464 | 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz | 460 | 1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz |
@@ -480,11 +476,6 @@ e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3a | |||
480 | 8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch | 476 | 8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch |
481 | 61f66bab603778fb41bfe8e85320c15f2bf3e5d8583e077b56a93784dbdb9b2c7c5e55ce18f06b87501429086f8410d102d3ed5f2a77d54bcfa328bc07681f4d drop-test.py.patch | 477 | 61f66bab603778fb41bfe8e85320c15f2bf3e5d8583e077b56a93784dbdb9b2c7c5e55ce18f06b87501429086f8410d102d3ed5f2a77d54bcfa328bc07681f4d drop-test.py.patch |
482 | 8cb12dbfc05a53898a97d47d71ab6b8a6f81c5e5579fd765b37303faea95c645cb8dedc05e3d064bdf070e93814e00bf8939767acc1127513375bab0fe2f4436 py3-compat.patch | 478 | 8cb12dbfc05a53898a97d47d71ab6b8a6f81c5e5579fd765b37303faea95c645cb8dedc05e3d064bdf070e93814e00bf8939767acc1127513375bab0fe2f4436 py3-compat.patch |
483 | a5443da59c75a786ecd0c5ad5df4c84de8b0f7ac92bc11d840d1fb4c2c33653f7e883640c2081ba594fb1ca92a61f5c970b821a5f2d37c6e666bc2e7da6c8e8f xsa313-1.patch | ||
484 | afc34c39e14b3b3d7bcd5b9bb7d2e6eaeb52fdc8733845cafd0b200c764ebd5a79f540cd818143f99bf084d1a33e50ad1614e5e98af6582412975bd73a5c48dd xsa313-2.patch | ||
485 | 6e319c3856ed4a4d96705a258c2654c89a7d645d8b16c03dd257c57d320ee220ffa675eeef615c5bbcf4d5d25b66ceb8b77f57df59da757a3a554a316db074b6 xsa314-4.13.patch | ||
486 | cd6ac97375742bacd55f51062849ba5dcef6026f673d3fb6ab73723befbf52570ea08765af44d636df65b7c16a9dce2fe6c9b6c47b671872ffb83c8121a181df xsa316-xen.patch | ||
487 | 66e178a859844a3839333b19934ede5db1d83d8b84bfcce70c51a46077287811a92a8ad2ad60663a88162112d65a867815605202a2c9ca44ba32251b42f0ca23 xsa318.patch | ||
488 | 52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd | 479 | 52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd |
489 | 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd | 480 | 093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd |
490 | 3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd | 481 | 3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd |
diff --git a/main/xen/xsa313-1.patch b/main/xen/xsa313-1.patch deleted file mode 100644 index 95fde7ead4..0000000000 --- a/main/xen/xsa313-1.patch +++ /dev/null | |||
@@ -1,26 +0,0 @@ | |||
1 | From: Jan Beulich <jbeulich@suse.com> | ||
2 | Subject: xenoprof: clear buffer intended to be shared with guests | ||
3 | |||
4 | alloc_xenheap_pages() making use of MEMF_no_scrub is fine for Xen | ||
5 | internally used allocations, but buffers allocated to be shared with | ||
6 | (unpriviliged) guests need to be zapped of their prior content. | ||
7 | |||
8 | This is part of XSA-313. | ||
9 | |||
10 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | ||
11 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
12 | Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
13 | Reviewed-by: Wei Liu <wl@xen.org> | ||
14 | |||
15 | --- a/xen/common/xenoprof.c | ||
16 | +++ b/xen/common/xenoprof.c | ||
17 | @@ -253,6 +253,9 @@ static int alloc_xenoprof_struct( | ||
18 | return -ENOMEM; | ||
19 | } | ||
20 | |||
21 | + for ( i = 0; i < npages; ++i ) | ||
22 | + clear_page(d->xenoprof->rawbuf + i * PAGE_SIZE); | ||
23 | + | ||
24 | d->xenoprof->npages = npages; | ||
25 | d->xenoprof->nbuf = nvcpu; | ||
26 | d->xenoprof->bufsize = bufsize; | ||
diff --git a/main/xen/xsa313-2.patch b/main/xen/xsa313-2.patch deleted file mode 100644 index d81b8232d2..0000000000 --- a/main/xen/xsa313-2.patch +++ /dev/null | |||
@@ -1,132 +0,0 @@ | |||
1 | From: Jan Beulich <jbeulich@suse.com> | ||
2 | Subject: xenoprof: limit consumption of shared buffer data | ||
3 | |||
4 | Since a shared buffer can be written to by the guest, we may only read | ||
5 | the head and tail pointers from there (all other fields should only ever | ||
6 | be written to). Furthermore, for any particular operation the two values | ||
7 | must be read exactly once, with both checks and consumption happening | ||
8 | with the thus read values. (The backtrace related xenoprof_buf_space() | ||
9 | use in xenoprof_log_event() is an exception: The values used there get | ||
10 | re-checked by every subsequent xenoprof_add_sample().) | ||
11 | |||
12 | Since that code needed touching, also fix the double increment of the | ||
13 | lost samples count in case the backtrace related xenoprof_add_sample() | ||
14 | invocation in xenoprof_log_event() fails. | ||
15 | |||
16 | Where code is being touched anyway, add const as appropriate, but take | ||
17 | the opportunity to entirely drop the now unused domain parameter of | ||
18 | xenoprof_buf_space(). | ||
19 | |||
20 | This is part of XSA-313. | ||
21 | |||
22 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | ||
23 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
24 | Reviewed-by: George Dunlap <george.dunlap@citrix.com> | ||
25 | Reviewed-by: Wei Liu <wl@xen.org> | ||
26 | |||
27 | --- a/xen/common/xenoprof.c | ||
28 | +++ b/xen/common/xenoprof.c | ||
29 | @@ -479,25 +479,22 @@ static int add_passive_list(XEN_GUEST_HA | ||
30 | |||
31 | |||
32 | /* Get space in the buffer */ | ||
33 | -static int xenoprof_buf_space(struct domain *d, xenoprof_buf_t * buf, int size) | ||
34 | +static int xenoprof_buf_space(int head, int tail, int size) | ||
35 | { | ||
36 | - int head, tail; | ||
37 | - | ||
38 | - head = xenoprof_buf(d, buf, event_head); | ||
39 | - tail = xenoprof_buf(d, buf, event_tail); | ||
40 | - | ||
41 | return ((tail > head) ? 0 : size) + tail - head - 1; | ||
42 | } | ||
43 | |||
44 | /* Check for space and add a sample. Return 1 if successful, 0 otherwise. */ | ||
45 | -static int xenoprof_add_sample(struct domain *d, xenoprof_buf_t *buf, | ||
46 | +static int xenoprof_add_sample(const struct domain *d, | ||
47 | + const struct xenoprof_vcpu *v, | ||
48 | uint64_t eip, int mode, int event) | ||
49 | { | ||
50 | + xenoprof_buf_t *buf = v->buffer; | ||
51 | int head, tail, size; | ||
52 | |||
53 | head = xenoprof_buf(d, buf, event_head); | ||
54 | tail = xenoprof_buf(d, buf, event_tail); | ||
55 | - size = xenoprof_buf(d, buf, event_size); | ||
56 | + size = v->event_size; | ||
57 | |||
58 | /* make sure indexes in shared buffer are sane */ | ||
59 | if ( (head < 0) || (head >= size) || (tail < 0) || (tail >= size) ) | ||
60 | @@ -506,7 +503,7 @@ static int xenoprof_add_sample(struct do | ||
61 | return 0; | ||
62 | } | ||
63 | |||
64 | - if ( xenoprof_buf_space(d, buf, size) > 0 ) | ||
65 | + if ( xenoprof_buf_space(head, tail, size) > 0 ) | ||
66 | { | ||
67 | xenoprof_buf(d, buf, event_log[head].eip) = eip; | ||
68 | xenoprof_buf(d, buf, event_log[head].mode) = mode; | ||
69 | @@ -530,7 +527,6 @@ static int xenoprof_add_sample(struct do | ||
70 | int xenoprof_add_trace(struct vcpu *vcpu, uint64_t pc, int mode) | ||
71 | { | ||
72 | struct domain *d = vcpu->domain; | ||
73 | - xenoprof_buf_t *buf = d->xenoprof->vcpu[vcpu->vcpu_id].buffer; | ||
74 | |||
75 | /* Do not accidentally write an escape code due to a broken frame. */ | ||
76 | if ( pc == XENOPROF_ESCAPE_CODE ) | ||
77 | @@ -539,7 +535,8 @@ int xenoprof_add_trace(struct vcpu *vcpu | ||
78 | return 0; | ||
79 | } | ||
80 | |||
81 | - return xenoprof_add_sample(d, buf, pc, mode, 0); | ||
82 | + return xenoprof_add_sample(d, &d->xenoprof->vcpu[vcpu->vcpu_id], | ||
83 | + pc, mode, 0); | ||
84 | } | ||
85 | |||
86 | void xenoprof_log_event(struct vcpu *vcpu, const struct cpu_user_regs *regs, | ||
87 | @@ -570,17 +567,22 @@ void xenoprof_log_event(struct vcpu *vcp | ||
88 | /* Provide backtrace if requested. */ | ||
89 | if ( backtrace_depth > 0 ) | ||
90 | { | ||
91 | - if ( (xenoprof_buf_space(d, buf, v->event_size) < 2) || | ||
92 | - !xenoprof_add_sample(d, buf, XENOPROF_ESCAPE_CODE, mode, | ||
93 | - XENOPROF_TRACE_BEGIN) ) | ||
94 | + if ( xenoprof_buf_space(xenoprof_buf(d, buf, event_head), | ||
95 | + xenoprof_buf(d, buf, event_tail), | ||
96 | + v->event_size) < 2 ) | ||
97 | { | ||
98 | xenoprof_buf(d, buf, lost_samples)++; | ||
99 | lost_samples++; | ||
100 | return; | ||
101 | } | ||
102 | + | ||
103 | + /* xenoprof_add_sample() will increment lost_samples on failure */ | ||
104 | + if ( !xenoprof_add_sample(d, v, XENOPROF_ESCAPE_CODE, mode, | ||
105 | + XENOPROF_TRACE_BEGIN) ) | ||
106 | + return; | ||
107 | } | ||
108 | |||
109 | - if ( xenoprof_add_sample(d, buf, pc, mode, event) ) | ||
110 | + if ( xenoprof_add_sample(d, v, pc, mode, event) ) | ||
111 | { | ||
112 | if ( is_active(vcpu->domain) ) | ||
113 | active_samples++; | ||
114 | --- a/xen/include/xen/xenoprof.h | ||
115 | +++ b/xen/include/xen/xenoprof.h | ||
116 | @@ -61,12 +61,12 @@ struct xenoprof { | ||
117 | |||
118 | #ifndef CONFIG_COMPAT | ||
119 | #define XENOPROF_COMPAT(x) 0 | ||
120 | -#define xenoprof_buf(d, b, field) ((b)->field) | ||
121 | +#define xenoprof_buf(d, b, field) ACCESS_ONCE((b)->field) | ||
122 | #else | ||
123 | #define XENOPROF_COMPAT(x) ((x)->is_compat) | ||
124 | -#define xenoprof_buf(d, b, field) (*(!(d)->xenoprof->is_compat ? \ | ||
125 | - &(b)->native.field : \ | ||
126 | - &(b)->compat.field)) | ||
127 | +#define xenoprof_buf(d, b, field) ACCESS_ONCE(*(!(d)->xenoprof->is_compat \ | ||
128 | + ? &(b)->native.field \ | ||
129 | + : &(b)->compat.field)) | ||
130 | #endif | ||
131 | |||
132 | struct domain; | ||
diff --git a/main/xen/xsa314-4.13.patch b/main/xen/xsa314-4.13.patch deleted file mode 100644 index 67e006681e..0000000000 --- a/main/xen/xsa314-4.13.patch +++ /dev/null | |||
@@ -1,121 +0,0 @@ | |||
1 | From ab49f005f7d01d4004d76f2e295d31aca7d4f93a Mon Sep 17 00:00:00 2001 | ||
2 | From: Julien Grall <jgrall@amazon.com> | ||
3 | Date: Thu, 20 Feb 2020 20:54:40 +0000 | ||
4 | Subject: [PATCH] xen/rwlock: Add missing memory barrier in the unlock path of | ||
5 | rwlock | ||
6 | |||
7 | The rwlock unlock paths are using atomic_sub() to release the lock. | ||
8 | However the implementation of atomic_sub() rightfully doesn't contain a | ||
9 | memory barrier. On Arm, this means a processor is allowed to re-order | ||
10 | the memory access with the preceeding access. | ||
11 | |||
12 | In other words, the unlock may be seen by another processor before all | ||
13 | the memory accesses within the "critical" section. | ||
14 | |||
15 | The rwlock paths already contains barrier indirectly, but they are not | ||
16 | very useful without the counterpart in the unlock paths. | ||
17 | |||
18 | The memory barriers are not necessary on x86 because loads/stores are | ||
19 | not re-ordered with lock instructions. | ||
20 | |||
21 | So add arch_lock_release_barrier() in the unlock paths that will only | ||
22 | add memory barrier on Arm. | ||
23 | |||
24 | Take the opportunity to document each lock paths explaining why a | ||
25 | barrier is not necessary. | ||
26 | |||
27 | This is XSA-314. | ||
28 | |||
29 | Signed-off-by: Julien Grall <jgrall@amazon.com> | ||
30 | Reviewed-by: Jan Beulich <jbeulich@suse.com> | ||
31 | Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> | ||
32 | |||
33 | --- | ||
34 | xen/include/xen/rwlock.h | 29 ++++++++++++++++++++++++++++- | ||
35 | 1 file changed, 28 insertions(+), 1 deletion(-) | ||
36 | |||
37 | diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h | ||
38 | index 3dfea1ac2a..516486306f 100644 | ||
39 | --- a/xen/include/xen/rwlock.h | ||
40 | +++ b/xen/include/xen/rwlock.h | ||
41 | @@ -48,6 +48,10 @@ static inline int _read_trylock(rwlock_t *lock) | ||
42 | if ( likely(!(cnts & _QW_WMASK)) ) | ||
43 | { | ||
44 | cnts = (u32)atomic_add_return(_QR_BIAS, &lock->cnts); | ||
45 | + /* | ||
46 | + * atomic_add_return() is a full barrier so no need for an | ||
47 | + * arch_lock_acquire_barrier(). | ||
48 | + */ | ||
49 | if ( likely(!(cnts & _QW_WMASK)) ) | ||
50 | return 1; | ||
51 | atomic_sub(_QR_BIAS, &lock->cnts); | ||
52 | @@ -64,11 +68,19 @@ static inline void _read_lock(rwlock_t *lock) | ||
53 | u32 cnts; | ||
54 | |||
55 | cnts = atomic_add_return(_QR_BIAS, &lock->cnts); | ||
56 | + /* | ||
57 | + * atomic_add_return() is a full barrier so no need for an | ||
58 | + * arch_lock_acquire_barrier(). | ||
59 | + */ | ||
60 | if ( likely(!(cnts & _QW_WMASK)) ) | ||
61 | return; | ||
62 | |||
63 | /* The slowpath will decrement the reader count, if necessary. */ | ||
64 | queue_read_lock_slowpath(lock); | ||
65 | + /* | ||
66 | + * queue_read_lock_slowpath() is using spinlock and therefore is a | ||
67 | + * full barrier. So no need for an arch_lock_acquire_barrier(). | ||
68 | + */ | ||
69 | } | ||
70 | |||
71 | static inline void _read_lock_irq(rwlock_t *lock) | ||
72 | @@ -92,6 +104,7 @@ static inline unsigned long _read_lock_irqsave(rwlock_t *lock) | ||
73 | */ | ||
74 | static inline void _read_unlock(rwlock_t *lock) | ||
75 | { | ||
76 | + arch_lock_release_barrier(); | ||
77 | /* | ||
78 | * Atomically decrement the reader count | ||
79 | */ | ||
80 | @@ -121,11 +134,20 @@ static inline int _rw_is_locked(rwlock_t *lock) | ||
81 | */ | ||
82 | static inline void _write_lock(rwlock_t *lock) | ||
83 | { | ||
84 | - /* Optimize for the unfair lock case where the fair flag is 0. */ | ||
85 | + /* | ||
86 | + * Optimize for the unfair lock case where the fair flag is 0. | ||
87 | + * | ||
88 | + * atomic_cmpxchg() is a full barrier so no need for an | ||
89 | + * arch_lock_acquire_barrier(). | ||
90 | + */ | ||
91 | if ( atomic_cmpxchg(&lock->cnts, 0, _QW_LOCKED) == 0 ) | ||
92 | return; | ||
93 | |||
94 | queue_write_lock_slowpath(lock); | ||
95 | + /* | ||
96 | + * queue_write_lock_slowpath() is using spinlock and therefore is a | ||
97 | + * full barrier. So no need for an arch_lock_acquire_barrier(). | ||
98 | + */ | ||
99 | } | ||
100 | |||
101 | static inline void _write_lock_irq(rwlock_t *lock) | ||
102 | @@ -157,11 +179,16 @@ static inline int _write_trylock(rwlock_t *lock) | ||
103 | if ( unlikely(cnts) ) | ||
104 | return 0; | ||
105 | |||
106 | + /* | ||
107 | + * atomic_cmpxchg() is a full barrier so no need for an | ||
108 | + * arch_lock_acquire_barrier(). | ||
109 | + */ | ||
110 | return likely(atomic_cmpxchg(&lock->cnts, 0, _QW_LOCKED) == 0); | ||
111 | } | ||
112 | |||
113 | static inline void _write_unlock(rwlock_t *lock) | ||
114 | { | ||
115 | + arch_lock_release_barrier(); | ||
116 | /* | ||
117 | * If the writer field is atomic, it can be cleared directly. | ||
118 | * Otherwise, an atomic subtraction will be used to clear it. | ||
119 | -- | ||
120 | 2.17.1 | ||
121 | |||
diff --git a/main/xen/xsa316-xen.patch b/main/xen/xsa316-xen.patch deleted file mode 100644 index 4962b4e716..0000000000 --- a/main/xen/xsa316-xen.patch +++ /dev/null | |||
@@ -1,30 +0,0 @@ | |||
1 | From: Ross Lagerwall <ross.lagerwall@citrix.com> | ||
2 | Subject: xen/gnttab: Fix error path in map_grant_ref() | ||
3 | |||
4 | Part of XSA-295 (c/s 863e74eb2cffb) inadvertently re-positioned the brackets, | ||
5 | changing the logic. If the _set_status() call fails, the grant_map hypercall | ||
6 | would fail with a status of 1 (rc != GNTST_okay) instead of the expected | ||
7 | negative GNTST_* error. | ||
8 | |||
9 | This error path can be taken due to bad guest state, and causes net/blk-back | ||
10 | in Linux to crash. | ||
11 | |||
12 | This is XSA-316. | ||
13 | |||
14 | Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> | ||
15 | Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> | ||
16 | Reviewed-by: Julien Grall <jgrall@amazon.com> | ||
17 | |||
18 | diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c | ||
19 | index 9fd6e60416..4b5344dc21 100644 | ||
20 | --- a/xen/common/grant_table.c | ||
21 | +++ b/xen/common/grant_table.c | ||
22 | @@ -1031,7 +1031,7 @@ map_grant_ref( | ||
23 | { | ||
24 | if ( (rc = _set_status(shah, status, rd, rgt->gt_version, act, | ||
25 | op->flags & GNTMAP_readonly, 1, | ||
26 | - ld->domain_id) != GNTST_okay) ) | ||
27 | + ld->domain_id)) != GNTST_okay ) | ||
28 | goto act_release_out; | ||
29 | |||
30 | if ( !act->pin ) | ||
diff --git a/main/xen/xsa318.patch b/main/xen/xsa318.patch deleted file mode 100644 index f4becdf81e..0000000000 --- a/main/xen/xsa318.patch +++ /dev/null | |||
@@ -1,39 +0,0 @@ | |||
1 | From: Jan Beulich <jbeulich@suse.com> | ||
2 | Subject: gnttab: fix GNTTABOP_copy continuation handling | ||
3 | |||
4 | The XSA-226 fix was flawed - the backwards transformation on rc was done | ||
5 | too early, causing a continuation to not get invoked when the need for | ||
6 | preemption was determined at the very first iteration of the request. | ||
7 | This in particular means that all of the status fields of the individual | ||
8 | operations would be left untouched, i.e. set to whatever the caller may | ||
9 | or may not have initialized them to. | ||
10 | |||
11 | This is part of XSA-318. | ||
12 | |||
13 | Reported-by: Pawel Wieczorkiewicz <wipawel@amazon.de> | ||
14 | Tested-by: Pawel Wieczorkiewicz <wipawel@amazon.de> | ||
15 | Signed-off-by: Jan Beulich <jbeulich@suse.com> | ||
16 | Reviewed-by: Juergen Gross <jgross@suse.com> | ||
17 | |||
18 | --- a/xen/common/grant_table.c | ||
19 | +++ b/xen/common/grant_table.c | ||
20 | @@ -3576,8 +3576,7 @@ do_grant_table_op( | ||
21 | rc = gnttab_copy(copy, count); | ||
22 | if ( rc > 0 ) | ||
23 | { | ||
24 | - rc = count - rc; | ||
25 | - guest_handle_add_offset(copy, rc); | ||
26 | + guest_handle_add_offset(copy, count - rc); | ||
27 | uop = guest_handle_cast(copy, void); | ||
28 | } | ||
29 | break; | ||
30 | @@ -3644,6 +3643,9 @@ do_grant_table_op( | ||
31 | out: | ||
32 | if ( rc > 0 || opaque_out != 0 ) | ||
33 | { | ||
34 | + /* Adjust rc, see gnttab_copy() for why this is needed. */ | ||
35 | + if ( cmd == GNTTABOP_copy ) | ||
36 | + rc = count - rc; | ||
37 | ASSERT(rc < count); | ||
38 | ASSERT((opaque_out & GNTTABOP_CMD_MASK) == 0); | ||
39 | rc = hypercall_create_continuation(__HYPERVISOR_grant_table_op, "ihi", | ||