aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHenrik Riomar <henrik.riomar@gmail.com>2018-07-12 18:48:22 +0200
committerLeonardo Arena <rnalrd@alpinelinux.org>2018-07-16 08:07:59 +0000
commitbafb572dda2d0814641af68fa0cceff256bc3705 (patch)
treeebc21072c36a2324a20fc78f3304281afc473c0c
parent291d3693efff8dc38574028d36c809fdf94f8ca5 (diff)
downloadalpine_aports-bafb572dda2d0814641af68fa0cceff256bc3705.tar.bz2
alpine_aports-bafb572dda2d0814641af68fa0cceff256bc3705.tar.xz
alpine_aports-bafb572dda2d0814641af68fa0cceff256bc3705.zip
main/xen: upgrade to 4.8.4
https://www.xenproject.org/downloads/xen-archives/xen-project-48-series/xen-484.html Fix XSA-263-267
Diffstat
-rw-r--r--main/xen/APKBUILD55
-rw-r--r--main/xen/x86-Support-compiling-with-indirect-branch-thunks.patch109
-rw-r--r--main/xen/x86-XPTI-reduce-.text.entry.patch321
-rw-r--r--main/xen/x86-slightly-reduce-Meltdown-band-aid-overhead.patch227
-rw-r--r--main/xen/x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch343
-rw-r--r--main/xen/xsa252-4.9.patch25
-rw-r--r--main/xen/xsa255-4.9-1.patch126
-rw-r--r--main/xen/xsa255-4.9-2.patch186
-rw-r--r--main/xen/xsa256-4.8.patch46
-rw-r--r--main/xen/xsa258-4.8.patch106
-rw-r--r--main/xen/xsa259.patch29
-rw-r--r--main/xen/xsa260-1.patch72
-rw-r--r--main/xen/xsa260-2.patch110
-rw-r--r--main/xen/xsa260-3.patch138
-rw-r--r--main/xen/xsa260-4.patch72
-rw-r--r--main/xen/xsa261-4.8.patch242
-rw-r--r--main/xen/xsa262-4.9.patch76
17 files changed, 14 insertions, 2269 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 85085d45cf..c799c00213 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -2,8 +2,8 @@
2# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu> 2# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
3# Maintainer: William Pitcock <nenolod@dereferenced.org> 3# Maintainer: William Pitcock <nenolod@dereferenced.org>
4pkgname=xen 4pkgname=xen
5pkgver=4.8.3 5pkgver=4.8.4
6pkgrel=1 6pkgrel=0
7pkgdesc="Xen hypervisor" 7pkgdesc="Xen hypervisor"
8url="http://www.xen.org/" 8url="http://www.xen.org/"
9arch="x86_64 armhf" 9arch="x86_64 armhf"
@@ -89,7 +89,7 @@ options="!strip"
89# 4.8.2-r3: 89# 4.8.2-r3:
90# - CVE-2017-15597 XSA-236 90# - CVE-2017-15597 XSA-236
91# - CVE-2017-15590 XSA-237 91# - CVE-2017-15590 XSA-237
92# - XSA-238 92# - CVE-2017-15591 XSA-238
93# - CVE-2017-15589 XSA-239 93# - CVE-2017-15589 XSA-239
94# - CVE-2017-15595 XSA-240 94# - CVE-2017-15595 XSA-240
95# - CVE-2017-15588 XSA-241 95# - CVE-2017-15588 XSA-241
@@ -98,7 +98,9 @@ options="!strip"
98# - CVE-2017-15594 XSA-244 98# - CVE-2017-15594 XSA-244
99# - CVE-2017-17046 XSA-245 99# - CVE-2017-17046 XSA-245
100# 4.8.2-r4: 100# 4.8.2-r4:
101# - XSA-254 XPTI "stage 1" (CVE-2017-5753,CVE-2017-5715,CVE-2017-5754) 101# - CVE-2017-5753
102# - CVE-2017-5715
103# - CVE-2017-5754 XSA-254
102# 4.8.2-r5: 104# 4.8.2-r5:
103# - CVE-2017-17566 XSA-248 105# - CVE-2017-17566 XSA-248
104# - CVE-2017-17563 XSA-249 106# - CVE-2017-17563 XSA-249
@@ -114,6 +116,13 @@ options="!strip"
114# - CVE-2018-8897 XSA-260 116# - CVE-2018-8897 XSA-260
115# - CVE-2018-10982 XSA-261 117# - CVE-2018-10982 XSA-261
116# - CVE-2018-10981 XSA-262 118# - CVE-2018-10981 XSA-262
119# 4.8.4-r0:
120# - CVE-2018-3639 XSA-263
121# - CVE-2018-12891 XSA-264
122# - CVE-2018-12893 XSA-265
123# - CVE-2018-12892 XSA-266
124# - CVE-2018-3665 XSA-267
125
117 126
118case "$CARCH" in 127case "$CARCH" in
119x86*) 128x86*)
@@ -175,26 +184,6 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
175 184
176 xenqemu-configure-ifunc.patch 185 xenqemu-configure-ifunc.patch
177 186
178 xsa252-4.9.patch
179 xsa255-4.9-1.patch
180 xsa255-4.9-2.patch
181 xsa256-4.8.patch
182
183 xsa258-4.8.patch
184 xsa259.patch
185
186 x86-Support-compiling-with-indirect-branch-thunks.patch
187 x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch
188 x86-slightly-reduce-Meltdown-band-aid-overhead.patch
189 x86-XPTI-reduce-.text.entry.patch
190 xsa260-1.patch
191 xsa260-2.patch
192 xsa260-3.patch
193 xsa260-4.patch
194
195 xsa261-4.8.patch
196 xsa262-4.9.patch
197
198 xenstored.initd 187 xenstored.initd
199 xenstored.confd 188 xenstored.confd
200 xenconsoled.initd 189 xenconsoled.initd
@@ -416,7 +405,7 @@ EOF
416 405
417} 406}
418 407
419sha512sums="584d8ee6e432e291a70e8f727da6d0a71afff7509fbf2e32eeb9cfe58b8279a80770c2c5f7759dcb5c0b08ed4644039e770e280ab534673215753d598f3f6508 xen-4.8.3.tar.gz 408sha512sums="b6b39fcbf9dfaa259a5cd41196aaa94b4c646c323e34c50970279a41802d49c178dad92d0841c52d7b40246745f043be3aa9845d9d757a2250c413312183b64c xen-4.8.4.tar.gz
4202e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2 4092e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
421c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz 410c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
4221465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz 4111465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
@@ -437,22 +426,6 @@ f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2
437e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3ac853c5dbad8082da3c9cd53b65081910516feb492577b7fc xen-fd-is-file.c 426e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3ac853c5dbad8082da3c9cd53b65081910516feb492577b7fc xen-fd-is-file.c
43869dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077 xenstore_client_transaction_fix.patch 42769dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077 xenstore_client_transaction_fix.patch
439e0dd7069968d51574d6e5603d5738494b112bfda085bc75f10102658be3b2901d8d253c52927c707668e1cdb62d12c101213e42cd72d9b307fa83d1355a7526a xenqemu-configure-ifunc.patch 428e0dd7069968d51574d6e5603d5738494b112bfda085bc75f10102658be3b2901d8d253c52927c707668e1cdb62d12c101213e42cd72d9b307fa83d1355a7526a xenqemu-configure-ifunc.patch
440993febe7ac7d4add0f36a519fe461a40d32f16e23003dfb23e76883ecdd86474cd4a6f9d0a9190cc6bc8cad19afa652556f125a5d5edb4fa2e9f2e6a5e77b2b9 xsa252-4.9.patch
4413af678f3c4271da2bb1515b9a1e76d9b85b391fbb1e9cd521c66ac52d2984a15c6c1bb6fa8a1f408380e4c7462b1ef671f77245fee6eecef274f93ca47bc12bd xsa255-4.9-1.patch
44222bf18c5e0120d787c9ec04d10dfb4684a0849c5d7a80cbe400f8f2ee2ee64789c9e6fe5bedab579ca4928f3168f7a5c0c817f93c73ad1cf7ce702a4afe732ab xsa255-4.9-2.patch
44382d75a5711c6a0521ecd34b220e4830b169aef8a52edf98b3b93e27ece734751d8d47dfdbe6979b6518c683e3f0c623cbf344a5efd893f3fafcc06c8e89a5320 xsa256-4.8.patch
44410a1895ed8aedb1dcfd47fbf4d1bd0d77103e15537234c98a6571e6e6add91ac87e921ace1463e15bc583b83be6b557698a5ae65918278c1f6d15e92f24d476d xsa258-4.8.patch
445023b34174d059d1e22a070e9f48d0601b0a6e735acef5b74af7f8613d3267e66773e662790a8f2a5b7fda32b017bf654a059e4fecd94a82ff8502900e4b24b25 xsa259.patch
446717c945364252756542148efc2bd598c7f776331a3124fd968376bb1462ee1a43bf5f9265171a14c80e90a6ebb595d9c9eae0b5589c906a6fc2acd25ad75b6c6 x86-Support-compiling-with-indirect-branch-thunks.patch
4475a8e6de6931e12945ee95406d34f65451ca770d29eaf66e8c7367d66e68367e56c82bf848e7c384dce1002f753775d5a8dfec5289defb82d81cf5d014fd4aecf x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch
448ac045457253444596856bdc8651ed4c8f5b2de162704245b0eebd60f203237c0418ec7081d98b11c446055cd02533f530197a31157593f1abb37317000726f51 x86-slightly-reduce-Meltdown-band-aid-overhead.patch
449896a77d4e875056ee63f83847a8043bec2d7736bd9fe3845e95956d38606b0ab0286f2a954b812ae7be820c1f12889bb37a963627a49916a131b107d31746e4e x86-XPTI-reduce-.text.entry.patch
45070b12f28978208027f5f180bb216dba3d0f54e0a9708047eebbab39e494e82937021c0862b82d524e5d7f2bb7bdb3c2a5c8bda80e2437ccd2f8eddd0146af600 xsa260-1.patch
451e6dfbef65f8a220b1c5a8be88a284e4c4dafc6ff48bb13c239063647bcef39aae848fdbd055129308c7ad5d246b44653c7299a8951e29d554d4d9d5cd626750f xsa260-2.patch
4525daf20b0da7314d3f48ad765dd67db94473d50e4a5c8c9707b9070b40cb68eb6d413e2d532d530720afca269a4afc4cba594cc832a94e837e2423bb155c9b621 xsa260-3.patch
4539ca93748b8aa656c53bacdf5b87c98dc707b55a1aaa82989fa21a177a2377196071591458aa5f48ca676048524bba9ca326c00e88b3a87e9ab8bb350ef5cddd8 xsa260-4.patch
454d981c1d3580c3a5679395d315cbe65f5f5e6b177ee186a826682b60e500633f1d1003225b7776f64342c0964e5a6a9bd71cf83fc7e5b0cc7e1e423a015458afe xsa261-4.8.patch
45505dc19a710290b49ba6dbd1181dd0e69fc9ad524870c008813d22c8b0c2d6af573034e7a44b0b75dd2d112989caf1447b0d6b42d007f1bffc3442828a88ac8f3 xsa262-4.9.patch
45652c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd 42952c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
457093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd 430093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
4583c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd 4313c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
diff --git a/main/xen/x86-Support-compiling-with-indirect-branch-thunks.patch b/main/xen/x86-Support-compiling-with-indirect-branch-thunks.patch
deleted file mode 100644
index 5eaf763eee..0000000000
--- a/main/xen/x86-Support-compiling-with-indirect-branch-thunks.patch
+++ /dev/null
@@ -1,109 +0,0 @@
1From 1838e21521497cdfa6d3b1dfac0374bcce717eba Mon Sep 17 00:00:00 2001
2From: Andrew Cooper <andrew.cooper3@citrix.com>
3Date: Thu, 8 Feb 2018 12:45:39 +0100
4Subject: [PATCH] x86: Support compiling with indirect branch thunks
5
6Use -mindirect-branch=thunk-extern/-mindirect-branch-register when available.
7To begin with, use the retpoline thunk. Later work will add alternative
8thunks which can be selected at boot time.
9
10This is part of XSA-254.
11
12Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
13Acked-by: Jan Beulich <jbeulich@suse.com>
14master commit: 3659f0f4bcc6ca08103d1a7ae4e97535ecc978be
15master date: 2018-01-16 17:45:50 +0000
16---
17 xen/arch/x86/Makefile | 1 +
18 xen/arch/x86/Rules.mk | 7 +++++++
19 xen/arch/x86/indirect-thunk.S | 38 ++++++++++++++++++++++++++++++++++++++
20 xen/arch/x86/xen.lds.S | 1 +
21 4 files changed, 47 insertions(+)
22 create mode 100644 xen/arch/x86/indirect-thunk.S
23
24diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
25index 931917d1d3..a9c8fd7df9 100644
26--- a/xen/arch/x86/Makefile
27+++ b/xen/arch/x86/Makefile
28@@ -34,6 +34,7 @@ obj-y += i8259.o
29 obj-y += io_apic.o
30 obj-$(CONFIG_LIVEPATCH) += alternative.o livepatch.o
31 obj-y += msi.o
32+obj-$(CONFIG_INDIRECT_THUNK) += indirect-thunk.o
33 obj-y += ioport_emulate.o
34 obj-y += irq.o
35 obj-$(CONFIG_KEXEC) += machine_kexec.o
36diff --git a/xen/arch/x86/Rules.mk b/xen/arch/x86/Rules.mk
37index 42be4bc100..ad56e56ac6 100644
38--- a/xen/arch/x86/Rules.mk
39+++ b/xen/arch/x86/Rules.mk
40@@ -25,3 +25,10 @@ CFLAGS += -fno-asynchronous-unwind-tables
41 ifneq ($(call cc-option,$(CC),-fvisibility=hidden,n),n)
42 CFLAGS += -DGCC_HAS_VISIBILITY_ATTRIBUTE
43 endif
44+
45+# Compile with thunk-extern, indirect-branch-register if avaiable.
46+ifneq ($(call cc-option,$(CC),-mindirect-branch-register,n),n)
47+CFLAGS += -mindirect-branch=thunk-extern -mindirect-branch-register
48+CFLAGS += -DCONFIG_INDIRECT_THUNK
49+export CONFIG_INDIRECT_THUNK=y
50+endif
51diff --git a/xen/arch/x86/indirect-thunk.S b/xen/arch/x86/indirect-thunk.S
52new file mode 100644
53index 0000000000..3eaf505d0e
54--- /dev/null
55+++ b/xen/arch/x86/indirect-thunk.S
56@@ -0,0 +1,38 @@
57+/*
58+ * Implement __x86_indirect_thunk_* symbols for use with compatbile compilers
59+ * and the -mindirect-branch=thunk-extern -mindirect-branch-register options.
60+ *
61+ * Copyright (c) 2017-2018 Citrix Systems Ltd.
62+ *
63+ * This source code is licensed under the GNU General Public License,
64+ * Version 2. See the file COPYING for more details.
65+ */
66+ .file __FILE__
67+
68+#include <asm/asm_defns.h>
69+
70+.macro IND_THUNK_RETPOLINE reg:req
71+ call 2f
72+1:
73+ lfence
74+ jmp 1b
75+2:
76+ mov %\reg, (%rsp)
77+ ret
78+.endm
79+
80+/*
81+ * Build the __x86_indirect_thunk_* symbols. Currently implement the
82+ * retpoline thunk only.
83+ */
84+.macro GEN_INDIRECT_THUNK reg:req
85+ .section .text.__x86_indirect_thunk_\reg, "ax", @progbits
86+
87+ENTRY(__x86_indirect_thunk_\reg)
88+ IND_THUNK_RETPOLINE \reg
89+.endm
90+
91+/* Instantiate GEN_INDIRECT_THUNK for each register except %rsp. */
92+.irp reg, ax, cx, dx, bx, bp, si, di, 8, 9, 10, 11, 12, 13, 14, 15
93+ GEN_INDIRECT_THUNK reg=r\reg
94+.endr
95diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S
96index 11549964c0..681c795c6d 100644
97--- a/xen/arch/x86/xen.lds.S
98+++ b/xen/arch/x86/xen.lds.S
99@@ -60,6 +60,7 @@ SECTIONS
100 .text : {
101 _stext = .; /* Text and read-only data */
102 *(.text)
103+ *(.text.__x86_indirect_thunk_*)
104 *(.text.cold)
105 *(.text.unlikely)
106 *(.fixup)
107--
1082.13.5
109
diff --git a/main/xen/x86-XPTI-reduce-.text.entry.patch b/main/xen/x86-XPTI-reduce-.text.entry.patch
deleted file mode 100644
index 4fa0f97832..0000000000
--- a/main/xen/x86-XPTI-reduce-.text.entry.patch
+++ /dev/null
@@ -1,321 +0,0 @@
1From 372583c2dd4363446cb5788a865138b9aca54767 Mon Sep 17 00:00:00 2001
2From: Jan Beulich <jbeulich@suse.com>
3Date: Wed, 18 Apr 2018 16:49:21 +0200
4Subject: [PATCH] x86/XPTI: reduce .text.entry
5
6This exposes less code pieces and at the same time reduces the range
7covered from slightly above 3 pages to a little below 2 of them.
8
9The code being moved is unchanged, except for the removal of trailing
10blanks, insertion of blanks between operands, and a pointless q suffix
11from "retq".
12
13A few more small pieces could be moved, but it seems better to me to
14leave them where they are to not make it overly hard to follow code
15paths.
16
17Signed-off-by: Jan Beulich <jbeulich@suse.com>
18Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
19master commit: 454efb2a31b64b98e3dd55c083ce41b87375faa6
20master date: 2018-04-05 15:48:23 +0100
21---
22 xen/arch/x86/x86_64/compat/entry.S | 9 +-
23 xen/arch/x86/x86_64/entry.S | 209 ++++++++++++++++++-------------------
24 2 files changed, 107 insertions(+), 111 deletions(-)
25
26diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
27index 812f404771..6828f40f48 100644
28--- a/xen/arch/x86/x86_64/compat/entry.S
29+++ b/xen/arch/x86/x86_64/compat/entry.S
30@@ -12,8 +12,6 @@
31 #include <public/xen.h>
32 #include <irq_vectors.h>
33
34- .section .text.entry, "ax", @progbits
35-
36 ENTRY(compat_hypercall)
37 ASM_CLAC
38 pushq $0
39@@ -205,6 +203,8 @@ ENTRY(compat_post_handle_exception)
40 movb $0,TRAPBOUNCE_flags(%rdx)
41 jmp compat_test_all_events
42
43+ .section .text.entry, "ax", @progbits
44+
45 /* See lstar_enter for entry register state. */
46 ENTRY(cstar_enter)
47 /* sti could live here when we don't switch page tables below. */
48@@ -259,6 +259,8 @@ UNLIKELY_END(compat_syscall_gpf)
49 movb %cl,TRAPBOUNCE_flags(%rdx)
50 jmp .Lcompat_bounce_exception
51
52+ .text
53+
54 ENTRY(compat_sysenter)
55 CR4_PV32_RESTORE
56 movq VCPU_trap_ctxt(%rbx),%rcx
57@@ -278,9 +280,6 @@ ENTRY(compat_int80_direct_trap)
58 call compat_create_bounce_frame
59 jmp compat_test_all_events
60
61- /* compat_create_bounce_frame & helpers don't need to be in .text.entry */
62- .text
63-
64 /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS (RING-1) STACK: */
65 /* {[ERRCODE,] EIP, CS, EFLAGS, [ESP, SS]} */
66 /* %rdx: trap_bounce, %rbx: struct vcpu */
67diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
68index ad921c4df7..9510b37ef6 100644
69--- a/xen/arch/x86/x86_64/entry.S
70+++ b/xen/arch/x86/x86_64/entry.S
71@@ -13,8 +13,6 @@
72 #include <public/xen.h>
73 #include <irq_vectors.h>
74
75- .section .text.entry, "ax", @progbits
76-
77 /* %rbx: struct vcpu */
78 ENTRY(switch_to_kernel)
79 leaq VCPU_trap_bounce(%rbx),%rdx
80@@ -33,8 +31,111 @@ ENTRY(switch_to_kernel)
81 movb %cl,TRAPBOUNCE_flags(%rdx)
82 call create_bounce_frame
83 andl $~X86_EFLAGS_DF,UREGS_eflags(%rsp)
84+/* %rbx: struct vcpu */
85+test_all_events:
86+ ASSERT_NOT_IN_ATOMIC
87+ cli # tests must not race interrupts
88+/*test_softirqs:*/
89+ movl VCPU_processor(%rbx), %eax
90+ shll $IRQSTAT_shift, %eax
91+ leaq irq_stat+IRQSTAT_softirq_pending(%rip), %rcx
92+ cmpl $0, (%rcx, %rax, 1)
93+ jne process_softirqs
94+ cmpb $0, VCPU_mce_pending(%rbx)
95+ jne process_mce
96+.Ltest_guest_nmi:
97+ cmpb $0, VCPU_nmi_pending(%rbx)
98+ jne process_nmi
99+test_guest_events:
100+ movq VCPU_vcpu_info(%rbx), %rax
101+ movzwl VCPUINFO_upcall_pending(%rax), %eax
102+ decl %eax
103+ cmpl $0xfe, %eax
104+ ja restore_all_guest
105+/*process_guest_events:*/
106+ sti
107+ leaq VCPU_trap_bounce(%rbx), %rdx
108+ movq VCPU_event_addr(%rbx), %rax
109+ movq %rax, TRAPBOUNCE_eip(%rdx)
110+ movb $TBF_INTERRUPT, TRAPBOUNCE_flags(%rdx)
111+ call create_bounce_frame
112 jmp test_all_events
113
114+ ALIGN
115+/* %rbx: struct vcpu */
116+process_softirqs:
117+ sti
118+ call do_softirq
119+ jmp test_all_events
120+
121+ ALIGN
122+/* %rbx: struct vcpu */
123+process_mce:
124+ testb $1 << VCPU_TRAP_MCE, VCPU_async_exception_mask(%rbx)
125+ jnz .Ltest_guest_nmi
126+ sti
127+ movb $0, VCPU_mce_pending(%rbx)
128+ call set_guest_machinecheck_trapbounce
129+ test %eax, %eax
130+ jz test_all_events
131+ movzbl VCPU_async_exception_mask(%rbx), %edx # save mask for the
132+ movb %dl, VCPU_mce_old_mask(%rbx) # iret hypercall
133+ orl $1 << VCPU_TRAP_MCE, %edx
134+ movb %dl, VCPU_async_exception_mask(%rbx)
135+ jmp process_trap
136+
137+ ALIGN
138+/* %rbx: struct vcpu */
139+process_nmi:
140+ testb $1 << VCPU_TRAP_NMI, VCPU_async_exception_mask(%rbx)
141+ jnz test_guest_events
142+ sti
143+ movb $0, VCPU_nmi_pending(%rbx)
144+ call set_guest_nmi_trapbounce
145+ test %eax, %eax
146+ jz test_all_events
147+ movzbl VCPU_async_exception_mask(%rbx), %edx # save mask for the
148+ movb %dl, VCPU_nmi_old_mask(%rbx) # iret hypercall
149+ orl $1 << VCPU_TRAP_NMI, %edx
150+ movb %dl, VCPU_async_exception_mask(%rbx)
151+ /* FALLTHROUGH */
152+process_trap:
153+ leaq VCPU_trap_bounce(%rbx), %rdx
154+ call create_bounce_frame
155+ jmp test_all_events
156+
157+/* No special register assumptions. */
158+ENTRY(ret_from_intr)
159+ GET_CURRENT(bx)
160+ testb $3, UREGS_cs(%rsp)
161+ jz restore_all_xen
162+ movq VCPU_domain(%rbx), %rax
163+ cmpb $0, DOMAIN_is_32bit_pv(%rax)
164+ je test_all_events
165+ jmp compat_test_all_events
166+
167+/* Enable NMIs. No special register assumptions. Only %rax is not preserved. */
168+ENTRY(enable_nmis)
169+ movq %rsp, %rax /* Grab RSP before pushing */
170+
171+ /* Set up stack frame */
172+ pushq $0 /* SS */
173+ pushq %rax /* RSP */
174+ pushfq /* RFLAGS */
175+ pushq $__HYPERVISOR_CS /* CS */
176+ leaq 1f(%rip),%rax
177+ pushq %rax /* RIP */
178+
179+/* No op trap handler. Required for kexec crash path. */
180+GLOBAL(trap_nop)
181+ iretq /* Disable the hardware NMI latch */
182+1:
183+ retq
184+ .type enable_nmis, @function
185+ .size enable_nmis, .-enable_nmis
186+
187+ .section .text.entry, "ax", @progbits
188+
189 /* %rbx: struct vcpu, interrupts disabled */
190 restore_all_guest:
191 ASSERT_INTERRUPTS_DISABLED
192@@ -188,80 +289,8 @@ ENTRY(lstar_enter)
193
194 mov %rsp, %rdi
195 call pv_hypercall
196-
197-/* %rbx: struct vcpu */
198-test_all_events:
199- ASSERT_NOT_IN_ATOMIC
200- cli # tests must not race interrupts
201-/*test_softirqs:*/
202- movl VCPU_processor(%rbx),%eax
203- shll $IRQSTAT_shift,%eax
204- leaq irq_stat+IRQSTAT_softirq_pending(%rip),%rcx
205- cmpl $0,(%rcx,%rax,1)
206- jne process_softirqs
207- testb $1,VCPU_mce_pending(%rbx)
208- jnz process_mce
209-.Ltest_guest_nmi:
210- testb $1,VCPU_nmi_pending(%rbx)
211- jnz process_nmi
212-test_guest_events:
213- movq VCPU_vcpu_info(%rbx),%rax
214- movzwl VCPUINFO_upcall_pending(%rax),%eax
215- decl %eax
216- cmpl $0xfe,%eax
217- ja restore_all_guest
218-/*process_guest_events:*/
219- sti
220- leaq VCPU_trap_bounce(%rbx),%rdx
221- movq VCPU_event_addr(%rbx),%rax
222- movq %rax,TRAPBOUNCE_eip(%rdx)
223- movb $TBF_INTERRUPT,TRAPBOUNCE_flags(%rdx)
224- call create_bounce_frame
225 jmp test_all_events
226
227- ALIGN
228-/* %rbx: struct vcpu */
229-process_softirqs:
230- sti
231- call do_softirq
232- jmp test_all_events
233-
234- ALIGN
235-/* %rbx: struct vcpu */
236-process_mce:
237- testb $1 << VCPU_TRAP_MCE,VCPU_async_exception_mask(%rbx)
238- jnz .Ltest_guest_nmi
239- sti
240- movb $0,VCPU_mce_pending(%rbx)
241- call set_guest_machinecheck_trapbounce
242- test %eax,%eax
243- jz test_all_events
244- movzbl VCPU_async_exception_mask(%rbx),%edx # save mask for the
245- movb %dl,VCPU_mce_old_mask(%rbx) # iret hypercall
246- orl $1 << VCPU_TRAP_MCE,%edx
247- movb %dl,VCPU_async_exception_mask(%rbx)
248- jmp process_trap
249-
250- ALIGN
251-/* %rbx: struct vcpu */
252-process_nmi:
253- testb $1 << VCPU_TRAP_NMI,VCPU_async_exception_mask(%rbx)
254- jnz test_guest_events
255- sti
256- movb $0,VCPU_nmi_pending(%rbx)
257- call set_guest_nmi_trapbounce
258- test %eax,%eax
259- jz test_all_events
260- movzbl VCPU_async_exception_mask(%rbx),%edx # save mask for the
261- movb %dl,VCPU_nmi_old_mask(%rbx) # iret hypercall
262- orl $1 << VCPU_TRAP_NMI,%edx
263- movb %dl,VCPU_async_exception_mask(%rbx)
264- /* FALLTHROUGH */
265-process_trap:
266- leaq VCPU_trap_bounce(%rbx),%rdx
267- call create_bounce_frame
268- jmp test_all_events
269-
270 ENTRY(sysenter_entry)
271 /* sti could live here when we don't switch page tables below. */
272 pushq $FLAT_USER_SS
273@@ -530,16 +559,6 @@ ENTRY(common_interrupt)
274 mov %r15, STACK_CPUINFO_FIELD(xen_cr3)(%r14)
275 jmp ret_from_intr
276
277-/* No special register assumptions. */
278-ENTRY(ret_from_intr)
279- GET_CURRENT(bx)
280- testb $3,UREGS_cs(%rsp)
281- jz restore_all_xen
282- movq VCPU_domain(%rbx),%rax
283- testb $1,DOMAIN_is_32bit_pv(%rax)
284- jz test_all_events
285- jmp compat_test_all_events
286-
287 ENTRY(page_fault)
288 movl $TRAP_page_fault,4(%rsp)
289 /* No special register assumptions. */
290@@ -838,28 +857,6 @@ ENTRY(machine_check)
291 movl $TRAP_machine_check,4(%rsp)
292 jmp handle_ist_exception
293
294-/* Enable NMIs. No special register assumptions. Only %rax is not preserved. */
295-ENTRY(enable_nmis)
296- movq %rsp, %rax /* Grab RSP before pushing */
297-
298- /* Set up stack frame */
299- pushq $0 /* SS */
300- pushq %rax /* RSP */
301- pushfq /* RFLAGS */
302- pushq $__HYPERVISOR_CS /* CS */
303- leaq 1f(%rip),%rax
304- pushq %rax /* RIP */
305-
306- iretq /* Disable the hardware NMI latch */
307-1:
308- retq
309-
310-/* No op trap handler. Required for kexec crash path. */
311-GLOBAL(trap_nop)
312- iretq
313-
314-
315-
316 .pushsection .rodata, "a", @progbits
317 ENTRY(exception_table)
318 .quad do_trap
319--
3202.13.5
321
diff --git a/main/xen/x86-slightly-reduce-Meltdown-band-aid-overhead.patch b/main/xen/x86-slightly-reduce-Meltdown-band-aid-overhead.patch
deleted file mode 100644
index cb7be435e7..0000000000
--- a/main/xen/x86-slightly-reduce-Meltdown-band-aid-overhead.patch
+++ /dev/null
@@ -1,227 +0,0 @@
1From 813fe211f290843baed75aab88c2f9a249b42e68 Mon Sep 17 00:00:00 2001
2From: Jan Beulich <jbeulich@suse.com>
3Date: Tue, 20 Mar 2018 14:39:41 +0100
4Subject: [PATCH] x86: slightly reduce Meltdown band-aid overhead
5
6I'm not sure why I didn't do this right away: By avoiding the use of
7global PTEs in the cloned directmap, there's no need to fiddle with
8CR4.PGE on any of the entry paths. Only the exit paths need to flush
9global mappings.
10
11The reduced flushing, however, requires that we now have interrupts off
12on all entry paths until after the page table switch, so that flush IPIs
13can't be serviced while on the restricted pagetables, leaving a window
14where a potentially stale guest global mapping can be brought into the
15TLB. Along those lines the "sync" IPI after L4 entry updates now needs
16to become a real (and global) flush IPI, so that inside Xen we'll also
17pick up such changes.
18
19Signed-off-by: Jan Beulich <jbeulich@suse.com>
20Tested-by: Juergen Gross <jgross@suse.com>
21Reviewed-by: Juergen Gross <jgross@suse.com>
22Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
23
24x86: correct EFLAGS.IF in SYSENTER frame
25
26Commit 9d1d31ad94 ("x86: slightly reduce Meltdown band-aid overhead")
27moved the STI past the PUSHF. While this isn't an active problem (as we
28force EFLAGS.IF to 1 before exiting to guest context), let's not risk
29internal confusion by finding a PV guest frame with interrupts
30apparently off.
31
32Signed-off-by: Jan Beulich <jbeulich@suse.com>
33Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
34master commit: 9d1d31ad9498e6ceb285d5774e34fed5f648c273
35master date: 2018-03-06 16:48:44 +0100
36master commit: c4dd58f0cf23cdf119bbccedfb8c24435fc6f3ab
37master date: 2018-03-16 17:27:36 +0100
38---
39 xen/arch/x86/mm.c | 9 ++-------
40 xen/arch/x86/smpboot.c | 10 ++++++++++
41 xen/arch/x86/x86_64/compat/entry.S | 7 ++++---
42 xen/arch/x86/x86_64/entry.S | 23 ++++++++++++++---------
43 4 files changed, 30 insertions(+), 19 deletions(-)
44
45diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
46index 987ab1bb3d..78ba28b4c6 100644
47--- a/xen/arch/x86/mm.c
48+++ b/xen/arch/x86/mm.c
49@@ -4128,14 +4128,9 @@ long do_mmu_update(
50 {
51 /*
52 * Force other vCPU-s of the affected guest to pick up L4 entry
53- * changes (if any). Issue a flush IPI with empty operation mask to
54- * facilitate this (including ourselves waiting for the IPI to
55- * actually have arrived). Utilize the fact that FLUSH_VA_VALID is
56- * meaningless without FLUSH_CACHE, but will allow to pass the no-op
57- * check in flush_area_mask().
58+ * changes (if any).
59 */
60- flush_area_mask(pt_owner->domain_dirty_cpumask,
61- ZERO_BLOCK_PTR, FLUSH_VA_VALID);
62+ flush_mask(pt_owner->domain_dirty_cpumask, FLUSH_TLB_GLOBAL);
63 }
64
65 perfc_add(num_page_updates, i);
66diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
67index e75adbe084..f40a7bdcdf 100644
68--- a/xen/arch/x86/smpboot.c
69+++ b/xen/arch/x86/smpboot.c
70@@ -730,6 +730,7 @@ static int clone_mapping(const void *ptr, root_pgentry_t *rpt)
71 }
72
73 pl1e += l1_table_offset(linear);
74+ flags &= ~_PAGE_GLOBAL;
75
76 if ( l1e_get_flags(*pl1e) & _PAGE_PRESENT )
77 {
78@@ -1036,8 +1037,17 @@ void __init smp_prepare_cpus(unsigned int max_cpus)
79 if ( rc )
80 panic("Error %d setting up PV root page table\n", rc);
81 if ( per_cpu(root_pgt, 0) )
82+ {
83 get_cpu_info()->pv_cr3 = __pa(per_cpu(root_pgt, 0));
84
85+ /*
86+ * All entry points which may need to switch page tables have to start
87+ * with interrupts off. Re-write what pv_trap_init() has put there.
88+ */
89+ _set_gate(idt_table + LEGACY_SYSCALL_VECTOR, SYS_DESC_irq_gate, 3,
90+ &int80_direct_trap);
91+ }
92+
93 set_nr_sockets();
94
95 socket_cpumask = xzalloc_array(cpumask_t *, nr_sockets);
96diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
97index 1c5cc9dacf..812f404771 100644
98--- a/xen/arch/x86/x86_64/compat/entry.S
99+++ b/xen/arch/x86/x86_64/compat/entry.S
100@@ -207,7 +207,7 @@ ENTRY(compat_post_handle_exception)
101
102 /* See lstar_enter for entry register state. */
103 ENTRY(cstar_enter)
104- sti
105+ /* sti could live here when we don't switch page tables below. */
106 CR4_PV32_RESTORE
107 movq 8(%rsp),%rax /* Restore %rax. */
108 movq $FLAT_KERNEL_SS,8(%rsp)
109@@ -227,11 +227,12 @@ ENTRY(cstar_enter)
110 jz .Lcstar_cr3_okay
111 mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%rbx)
112 neg %rcx
113- write_cr3 rcx, rdi, rsi
114+ mov %rcx, %cr3
115 movq $0, STACK_CPUINFO_FIELD(xen_cr3)(%rbx)
116 .Lcstar_cr3_okay:
117+ sti
118
119- GET_CURRENT(bx)
120+ __GET_CURRENT(bx)
121 movq VCPU_domain(%rbx),%rcx
122 cmpb $0,DOMAIN_is_32bit_pv(%rcx)
123 je switch_to_kernel
124diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
125index 4080da65db..c169d17159 100644
126--- a/xen/arch/x86/x86_64/entry.S
127+++ b/xen/arch/x86/x86_64/entry.S
128@@ -148,7 +148,7 @@ UNLIKELY_END(exit_cr3)
129 * %ss must be saved into the space left by the trampoline.
130 */
131 ENTRY(lstar_enter)
132- sti
133+ /* sti could live here when we don't switch page tables below. */
134 movq 8(%rsp),%rax /* Restore %rax. */
135 movq $FLAT_KERNEL_SS,8(%rsp)
136 pushq %r11
137@@ -167,9 +167,10 @@ ENTRY(lstar_enter)
138 jz .Llstar_cr3_okay
139 mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%rbx)
140 neg %rcx
141- write_cr3 rcx, rdi, rsi
142+ mov %rcx, %cr3
143 movq $0, STACK_CPUINFO_FIELD(xen_cr3)(%rbx)
144 .Llstar_cr3_okay:
145+ sti
146
147 __GET_CURRENT(bx)
148 testb $TF_kernel_mode,VCPU_thread_flags(%rbx)
149@@ -252,7 +253,7 @@ process_trap:
150 jmp test_all_events
151
152 ENTRY(sysenter_entry)
153- sti
154+ /* sti could live here when we don't switch page tables below. */
155 pushq $FLAT_USER_SS
156 pushq $0
157 pushfq
158@@ -268,14 +269,17 @@ GLOBAL(sysenter_eflags_saved)
159 /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
160
161 GET_STACK_END(bx)
162+ /* PUSHF above has saved EFLAGS.IF clear (the caller had it set). */
163+ orl $X86_EFLAGS_IF, UREGS_eflags(%rsp)
164 mov STACK_CPUINFO_FIELD(xen_cr3)(%rbx), %rcx
165 neg %rcx
166 jz .Lsyse_cr3_okay
167 mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%rbx)
168 neg %rcx
169- write_cr3 rcx, rdi, rsi
170+ mov %rcx, %cr3
171 movq $0, STACK_CPUINFO_FIELD(xen_cr3)(%rbx)
172 .Lsyse_cr3_okay:
173+ sti
174
175 __GET_CURRENT(bx)
176 cmpb $0,VCPU_sysenter_disables_events(%rbx)
177@@ -322,9 +326,10 @@ ENTRY(int80_direct_trap)
178 jz .Lint80_cr3_okay
179 mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%rbx)
180 neg %rcx
181- write_cr3 rcx, rdi, rsi
182+ mov %rcx, %cr3
183 movq $0, STACK_CPUINFO_FIELD(xen_cr3)(%rbx)
184 .Lint80_cr3_okay:
185+ sti
186
187 cmpb $0,untrusted_msi(%rip)
188 UNLIKELY_START(ne, msi_check)
189@@ -502,7 +507,7 @@ ENTRY(common_interrupt)
190 mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%r14)
191 neg %rcx
192 .Lintr_cr3_load:
193- write_cr3 rcx, rdi, rsi
194+ mov %rcx, %cr3
195 xor %ecx, %ecx
196 mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%r14)
197 testb $3, UREGS_cs(%rsp)
198@@ -544,7 +549,7 @@ GLOBAL(handle_exception)
199 mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%r14)
200 neg %rcx
201 .Lxcpt_cr3_load:
202- write_cr3 rcx, rdi, rsi
203+ mov %rcx, %cr3
204 xor %ecx, %ecx
205 mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%r14)
206 testb $3, UREGS_cs(%rsp)
207@@ -740,7 +745,7 @@ ENTRY(double_fault)
208 jns .Ldblf_cr3_load
209 neg %rbx
210 .Ldblf_cr3_load:
211- write_cr3 rbx, rdi, rsi
212+ mov %rbx, %cr3
213 .Ldblf_cr3_okay:
214
215 movq %rsp,%rdi
216@@ -775,7 +780,7 @@ handle_ist_exception:
217 mov %rcx, STACK_CPUINFO_FIELD(xen_cr3)(%r14)
218 neg %rcx
219 .List_cr3_load:
220- write_cr3 rcx, rdi, rsi
221+ mov %rcx, %cr3
222 movq $0, STACK_CPUINFO_FIELD(xen_cr3)(%r14)
223 .List_cr3_okay:
224
225--
2262.13.5
227
diff --git a/main/xen/x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch b/main/xen/x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch
deleted file mode 100644
index e029080b17..0000000000
--- a/main/xen/x86-xpti-Hide-almost-all-of-.text-and-all-.data-.rod.patch
+++ /dev/null
@@ -1,343 +0,0 @@
1From f7bf4d230aaa2de40b2440f63045180a0cb07547 Mon Sep 17 00:00:00 2001
2From: Andrew Cooper <andrew.cooper3@citrix.com>
3Date: Tue, 20 Mar 2018 14:38:26 +0100
4Subject: [PATCH] x86/xpti: Hide almost all of .text and all .data/.rodata/.bss
5 mappings
6
7The current XPTI implementation isolates the directmap (and therefore a lot of
8guest data), but a large quantity of CPU0's state (including its stack)
9remains visible.
10
11Furthermore, an attacker able to read .text is in a vastly superior position
12to normal when it comes to fingerprinting Xen for known vulnerabilities, or
13scanning for ROP/Spectre gadgets.
14
15Collect together the entrypoints in .text.entry (currently 3x4k frames, but
16can almost certainly be slimmed down), and create a common mapping which is
17inserted into each per-cpu shadow. The stubs are also inserted into this
18mapping by pointing at the in-use L2. This allows stubs allocated later (SMP
19boot, or CPU hotplug) to work without further changes to the common mappings.
20
21Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
22Reviewed-by: Jan Beulich <jbeulich@suse.com>
23
24x86/xpti: really hide almost all of Xen image
25
26Commit 422588e885 ("x86/xpti: Hide almost all of .text and all
27.data/.rodata/.bss mappings") carefully limited the Xen image cloning to
28just entry code, but then overwrote the just allocated and populated L3
29entry with the normal one again covering both Xen image and stubs.
30
31Drop the respective code in favor of an explicit clone_mapping()
32invocation. This in turn now requires setup_cpu_root_pgt() to run after
33stub setup in all cases. Additionally, with (almost) no unintended
34mappings left, the BSP's IDT now also needs to be page aligned.
35
36The moving ahead of cleanup_cpu_root_pgt() is not strictly necessary
37for functionality, but things are more logical this way, and we retain
38cleanup being done in the inverse order of setup.
39
40Signed-off-by: Jan Beulich <jbeulich@suse.com>
41Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
42
43x86/traps: Put idt_table[] back into .bss
44
45c/s d1d6fc97d "x86/xpti: really hide almost all of Xen image" accidentially
46moved idt_table[] from .bss to .data by virtue of using the page_aligned
47section. We also have .bss.page_aligned, so use that.
48
49Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
50Reviewed-by: Jan Beulich <jbeulich@suse.com>
51Reviewed-by: Wei Liu <wei.liu2@citrix.com>
52master commit: 422588e88511d17984544c0f017a927de3315290
53master date: 2018-02-15 11:08:27 +0000
54master commit: d1d6fc97d66cf56847fc0bcc2ddc370707c22378
55master date: 2018-03-06 16:46:27 +0100
56master commit: 044fedfaa29b5d5774196e3fc7d955a48bfceac4
57master date: 2018-03-09 15:42:24 +0000
58---
59 docs/misc/xen-command-line.markdown | 3 --
60 xen/arch/x86/smpboot.c | 65 ++++++++++++++++++++++++++++++-------
61 xen/arch/x86/traps.c | 3 +-
62 xen/arch/x86/x86_64/compat/entry.S | 5 +++
63 xen/arch/x86/x86_64/entry.S | 15 ++++++---
64 xen/arch/x86/xen.lds.S | 7 ++++
65 6 files changed, 79 insertions(+), 19 deletions(-)
66
67diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
68index de5b79e41e..7ad971735f 100644
69--- a/docs/misc/xen-command-line.markdown
70+++ b/docs/misc/xen-command-line.markdown
71@@ -1735,9 +1735,6 @@ mode.
72 Override default selection of whether to isolate 64-bit PV guest page
73 tables.
74
75-** WARNING: Not yet a complete isolation implementation, but better than
76-nothing. **
77-
78 ### xsave
79 > `= <boolean>`
80
81diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
82index 535104065a..7ad2eebaa6 100644
83--- a/xen/arch/x86/smpboot.c
84+++ b/xen/arch/x86/smpboot.c
85@@ -637,13 +637,24 @@ static int clone_mapping(const void *ptr, root_pgentry_t *rpt)
86 {
87 unsigned long linear = (unsigned long)ptr, pfn;
88 unsigned int flags;
89- l3_pgentry_t *pl3e = l4e_to_l3e(idle_pg_table[root_table_offset(linear)]) +
90- l3_table_offset(linear);
91+ l3_pgentry_t *pl3e;
92 l2_pgentry_t *pl2e;
93 l1_pgentry_t *pl1e;
94
95- if ( linear < DIRECTMAP_VIRT_START )
96- return 0;
97+ /*
98+ * Sanity check 'linear'. We only allow cloning from the Xen virtual
99+ * range, and in particular, only from the directmap and .text ranges.
100+ */
101+ if ( root_table_offset(linear) > ROOT_PAGETABLE_LAST_XEN_SLOT ||
102+ root_table_offset(linear) < ROOT_PAGETABLE_FIRST_XEN_SLOT )
103+ return -EINVAL;
104+
105+ if ( linear < XEN_VIRT_START ||
106+ (linear >= XEN_VIRT_END && linear < DIRECTMAP_VIRT_START) )
107+ return -EINVAL;
108+
109+ pl3e = l4e_to_l3e(idle_pg_table[root_table_offset(linear)]) +
110+ l3_table_offset(linear);
111
112 flags = l3e_get_flags(*pl3e);
113 ASSERT(flags & _PAGE_PRESENT);
114@@ -735,6 +746,10 @@ static __read_mostly int8_t opt_xpti = -1;
115 boolean_param("xpti", opt_xpti);
116 DEFINE_PER_CPU(root_pgentry_t *, root_pgt);
117
118+static root_pgentry_t common_pgt;
119+
120+extern const char _stextentry[], _etextentry[];
121+
122 static int setup_cpu_root_pgt(unsigned int cpu)
123 {
124 root_pgentry_t *rpt;
125@@ -755,8 +770,23 @@ static int setup_cpu_root_pgt(unsigned int cpu)
126 idle_pg_table[root_table_offset(RO_MPT_VIRT_START)];
127 /* SH_LINEAR_PT inserted together with guest mappings. */
128 /* PERDOMAIN inserted during context switch. */
129- rpt[root_table_offset(XEN_VIRT_START)] =
130- idle_pg_table[root_table_offset(XEN_VIRT_START)];
131+
132+ /* One-time setup of common_pgt, which maps .text.entry and the stubs. */
133+ if ( unlikely(!root_get_intpte(common_pgt)) )
134+ {
135+ const char *ptr;
136+
137+ for ( rc = 0, ptr = _stextentry;
138+ !rc && ptr < _etextentry; ptr += PAGE_SIZE )
139+ rc = clone_mapping(ptr, rpt);
140+
141+ if ( rc )
142+ return rc;
143+
144+ common_pgt = rpt[root_table_offset(XEN_VIRT_START)];
145+ }
146+
147+ rpt[root_table_offset(XEN_VIRT_START)] = common_pgt;
148
149 /* Install direct map page table entries for stack, IDT, and TSS. */
150 for ( off = rc = 0; !rc && off < STACK_SIZE; off += PAGE_SIZE )
151@@ -766,6 +796,8 @@ static int setup_cpu_root_pgt(unsigned int cpu)
152 rc = clone_mapping(idt_tables[cpu], rpt);
153 if ( !rc )
154 rc = clone_mapping(&per_cpu(init_tss, cpu), rpt);
155+ if ( !rc )
156+ rc = clone_mapping((void *)per_cpu(stubs.addr, cpu), rpt);
157
158 return rc;
159 }
160@@ -774,6 +806,7 @@ static void cleanup_cpu_root_pgt(unsigned int cpu)
161 {
162 root_pgentry_t *rpt = per_cpu(root_pgt, cpu);
163 unsigned int r;
164+ unsigned long stub_linear = per_cpu(stubs.addr, cpu);
165
166 if ( !rpt )
167 return;
168@@ -818,6 +851,16 @@ static void cleanup_cpu_root_pgt(unsigned int cpu)
169 }
170
171 free_xen_pagetable(rpt);
172+
173+ /* Also zap the stub mapping for this CPU. */
174+ if ( stub_linear )
175+ {
176+ l3_pgentry_t *l3t = l4e_to_l3e(common_pgt);
177+ l2_pgentry_t *l2t = l3e_to_l2e(l3t[l3_table_offset(stub_linear)]);
178+ l1_pgentry_t *l1t = l2e_to_l1e(l2t[l2_table_offset(stub_linear)]);
179+
180+ l1t[l2_table_offset(stub_linear)] = l1e_empty();
181+ }
182 }
183
184 static void cpu_smpboot_free(unsigned int cpu)
185@@ -839,6 +882,8 @@ static void cpu_smpboot_free(unsigned int cpu)
186 free_cpumask_var(per_cpu(cpu_sibling_mask, cpu));
187 free_cpumask_var(per_cpu(cpu_core_mask, cpu));
188
189+ cleanup_cpu_root_pgt(cpu);
190+
191 if ( per_cpu(stubs.addr, cpu) )
192 {
193 unsigned long mfn = per_cpu(stubs.mfn, cpu);
194@@ -856,8 +901,6 @@ static void cpu_smpboot_free(unsigned int cpu)
195 free_domheap_page(mfn_to_page(mfn));
196 }
197
198- cleanup_cpu_root_pgt(cpu);
199-
200 order = get_order_from_pages(NR_RESERVED_GDT_PAGES);
201 free_xenheap_pages(per_cpu(gdt_table, cpu), order);
202
203@@ -913,9 +956,6 @@ static int cpu_smpboot_alloc(unsigned int cpu)
204 set_ist(&idt_tables[cpu][TRAP_nmi], IST_NONE);
205 set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE);
206
207- if ( setup_cpu_root_pgt(cpu) )
208- goto oom;
209-
210 for ( stub_page = 0, i = cpu & ~(STUBS_PER_PAGE - 1);
211 i < nr_cpu_ids && i <= (cpu | (STUBS_PER_PAGE - 1)); ++i )
212 if ( cpu_online(i) && cpu_to_node(i) == node )
213@@ -929,6 +969,9 @@ static int cpu_smpboot_alloc(unsigned int cpu)
214 goto oom;
215 per_cpu(stubs.addr, cpu) = stub_page + STUB_BUF_CPU_OFFS(cpu);
216
217+ if ( setup_cpu_root_pgt(cpu) )
218+ goto oom;
219+
220 if ( secondary_socket_cpumask == NULL &&
221 (secondary_socket_cpumask = xzalloc(cpumask_t)) == NULL )
222 goto oom;
223diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
224index 480094a93a..4053721b64 100644
225--- a/xen/arch/x86/traps.c
226+++ b/xen/arch/x86/traps.c
227@@ -100,7 +100,8 @@ DEFINE_PER_CPU_READ_MOSTLY(struct desc_struct *, gdt_table);
228 DEFINE_PER_CPU_READ_MOSTLY(struct desc_struct *, compat_gdt_table);
229
230 /* Master table, used by CPU0. */
231-idt_entry_t idt_table[IDT_ENTRIES];
232+idt_entry_t __section(".bss.page_aligned") __aligned(PAGE_SIZE)
233+ idt_table[IDT_ENTRIES];
234
235 /* Pointer to the IDT of every CPU. */
236 idt_entry_t *idt_tables[NR_CPUS] __read_mostly;
237diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
238index 9f65e91d7b..1c5cc9dacf 100644
239--- a/xen/arch/x86/x86_64/compat/entry.S
240+++ b/xen/arch/x86/x86_64/compat/entry.S
241@@ -12,6 +12,8 @@
242 #include <public/xen.h>
243 #include <irq_vectors.h>
244
245+ .section .text.entry, "ax", @progbits
246+
247 ENTRY(compat_hypercall)
248 ASM_CLAC
249 pushq $0
250@@ -275,6 +277,9 @@ ENTRY(compat_int80_direct_trap)
251 call compat_create_bounce_frame
252 jmp compat_test_all_events
253
254+ /* compat_create_bounce_frame & helpers don't need to be in .text.entry */
255+ .text
256+
257 /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS (RING-1) STACK: */
258 /* {[ERRCODE,] EIP, CS, EFLAGS, [ESP, SS]} */
259 /* %rdx: trap_bounce, %rbx: struct vcpu */
260diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
261index f24bffb574..4080da65db 100644
262--- a/xen/arch/x86/x86_64/entry.S
263+++ b/xen/arch/x86/x86_64/entry.S
264@@ -13,6 +13,8 @@
265 #include <public/xen.h>
266 #include <irq_vectors.h>
267
268+ .section .text.entry, "ax", @progbits
269+
270 /* %rbx: struct vcpu */
271 ENTRY(switch_to_kernel)
272 leaq VCPU_trap_bounce(%rbx),%rdx
273@@ -355,6 +357,9 @@ int80_slow_path:
274 subq $2,UREGS_rip(%rsp)
275 jmp handle_exception_saved
276
277+ /* create_bounce_frame & helpers don't need to be in .text.entry */
278+ .text
279+
280 /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS STACK: */
281 /* { RCX, R11, [DS-GS,] [CR2,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */
282 /* %rdx: trap_bounce, %rbx: struct vcpu */
283@@ -479,6 +484,8 @@ ENTRY(dom_crash_sync_extable)
284 xorl %edi,%edi
285 jmp asm_domain_crash_synchronous /* Does not return */
286
287+ .section .text.entry, "ax", @progbits
288+
289 ENTRY(common_interrupt)
290 SAVE_ALL CLAC
291
292@@ -838,8 +845,7 @@ GLOBAL(trap_nop)
293
294
295
296-.section .rodata, "a", @progbits
297-
298+ .pushsection .rodata, "a", @progbits
299 ENTRY(exception_table)
300 .quad do_trap
301 .quad do_debug
302@@ -865,9 +871,10 @@ ENTRY(exception_table)
303 .quad do_reserved_trap /* Architecturally reserved exceptions. */
304 .endr
305 .size exception_table, . - exception_table
306+ .popsection
307
308 /* Table of automatically generated entry points. One per vector. */
309- .section .init.rodata, "a", @progbits
310+ .pushsection .init.rodata, "a", @progbits
311 GLOBAL(autogen_entrypoints)
312 /* pop into the .init.rodata section and record an entry point. */
313 .macro entrypoint ent
314@@ -876,7 +883,7 @@ GLOBAL(autogen_entrypoints)
315 .popsection
316 .endm
317
318- .text
319+ .popsection
320 autogen_stubs: /* Automatically generated stubs. */
321
322 vec = 0
323diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S
324index 681c795c6d..500fe3a9cc 100644
325--- a/xen/arch/x86/xen.lds.S
326+++ b/xen/arch/x86/xen.lds.S
327@@ -61,6 +61,13 @@ SECTIONS
328 _stext = .; /* Text and read-only data */
329 *(.text)
330 *(.text.__x86_indirect_thunk_*)
331+
332+ . = ALIGN(PAGE_SIZE);
333+ _stextentry = .;
334+ *(.text.entry)
335+ . = ALIGN(PAGE_SIZE);
336+ _etextentry = .;
337+
338 *(.text.cold)
339 *(.text.unlikely)
340 *(.fixup)
341--
3422.13.5
343
diff --git a/main/xen/xsa252-4.9.patch b/main/xen/xsa252-4.9.patch
deleted file mode 100644
index 4afc22a6f1..0000000000
--- a/main/xen/xsa252-4.9.patch
+++ /dev/null
@@ -1,25 +0,0 @@
1From: Jan Beulich <jbeulich@suse.com>
2Subject: memory: don't implicitly unpin for decrease-reservation
3
4It very likely was a mistake (copy-and-paste from domain cleanup code)
5to implicitly unpin here: The caller should really unpin itself before
6(or after, if they so wish) requesting the page to be removed.
7
8This is XSA-252.
9
10Reported-by: Jann Horn <jannh@google.com>
11Signed-off-by: Jan Beulich <jbeulich@suse.com>
12Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
13
14--- a/xen/common/memory.c
15+++ b/xen/common/memory.c
16@@ -341,9 +341,6 @@ int guest_remove_page(struct domain *d,
17
18 rc = guest_physmap_remove_page(d, _gfn(gmfn), mfn, 0);
19
20- if ( !rc && test_and_clear_bit(_PGT_pinned, &page->u.inuse.type_info) )
21- put_page_and_type(page);
22-
23 /*
24 * With the lack of an IOMMU on some platforms, domains with DMA-capable
25 * device must retrieve the same pfn when the hypercall populate_physmap
diff --git a/main/xen/xsa255-4.9-1.patch b/main/xen/xsa255-4.9-1.patch
deleted file mode 100644
index 0365adf750..0000000000
--- a/main/xen/xsa255-4.9-1.patch
+++ /dev/null
@@ -1,126 +0,0 @@
1From: Jan Beulich <jbeulich@suse.com>
2Subject: gnttab/ARM: don't corrupt shared GFN array
3
4... by writing status GFNs to it. Introduce a second array instead.
5Also implement gnttab_status_gmfn() properly now that the information is
6suitably being tracked.
7
8While touching it anyway, remove a misguided (but luckily benign) upper
9bound check from gnttab_shared_gmfn(): We should never access beyond the
10bounds of that array.
11
12This is part of XSA-255.
13
14Signed-off-by: Jan Beulich <jbeulich@suse.com>
15Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
16Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
17
18--- a/xen/arch/arm/domain.c
19+++ b/xen/arch/arm/domain.c
20@@ -461,19 +461,37 @@ void startup_cpu_idle_loop(void)
21 struct domain *alloc_domain_struct(void)
22 {
23 struct domain *d;
24+ unsigned int i, max_status_frames;
25+
26 BUILD_BUG_ON(sizeof(*d) > PAGE_SIZE);
27 d = alloc_xenheap_pages(0, 0);
28 if ( d == NULL )
29 return NULL;
30
31 clear_page(d);
32- d->arch.grant_table_gfn = xzalloc_array(gfn_t, max_grant_frames);
33+
34+ d->arch.grant_shared_gfn = xmalloc_array(gfn_t, max_grant_frames);
35+ max_status_frames = grant_to_status_frames(max_grant_frames);
36+ d->arch.grant_status_gfn = xmalloc_array(gfn_t, max_status_frames);
37+ if ( !d->arch.grant_shared_gfn || !d->arch.grant_status_gfn )
38+ {
39+ free_domain_struct(d);
40+ return NULL;
41+ }
42+
43+ for ( i = 0; i < max_grant_frames; ++i )
44+ d->arch.grant_shared_gfn[i] = INVALID_GFN;
45+
46+ for ( i = 0; i < max_status_frames; ++i )
47+ d->arch.grant_status_gfn[i] = INVALID_GFN;
48+
49 return d;
50 }
51
52 void free_domain_struct(struct domain *d)
53 {
54- xfree(d->arch.grant_table_gfn);
55+ xfree(d->arch.grant_shared_gfn);
56+ xfree(d->arch.grant_status_gfn);
57 free_xenheap_page(d);
58 }
59
60--- a/xen/arch/arm/mm.c
61+++ b/xen/arch/arm/mm.c
62@@ -1148,6 +1148,7 @@ int xenmem_add_to_physmap_one(
63 int rc;
64 p2m_type_t t;
65 struct page_info *page = NULL;
66+ bool status = false;
67
68 switch ( space )
69 {
70@@ -1165,6 +1166,7 @@ int xenmem_add_to_physmap_one(
71 mfn = virt_to_mfn(d->grant_table->status[idx]);
72 else
73 mfn = mfn_x(INVALID_MFN);
74+ status = true;
75 }
76 else
77 {
78@@ -1180,7 +1182,10 @@ int xenmem_add_to_physmap_one(
79
80 if ( mfn != mfn_x(INVALID_MFN) )
81 {
82- d->arch.grant_table_gfn[idx] = gfn;
83+ if ( status )
84+ d->arch.grant_status_gfn[idx] = gfn;
85+ else
86+ d->arch.grant_shared_gfn[idx] = gfn;
87
88 t = p2m_ram_rw;
89 }
90--- a/xen/include/asm-arm/domain.h
91+++ b/xen/include/asm-arm/domain.h
92@@ -50,7 +50,8 @@ struct arch_domain
93 struct p2m_domain p2m;
94
95 struct hvm_domain hvm_domain;
96- gfn_t *grant_table_gfn;
97+ gfn_t *grant_shared_gfn;
98+ gfn_t *grant_status_gfn;
99
100 struct vmmio vmmio;
101
102--- a/xen/include/asm-arm/grant_table.h
103+++ b/xen/include/asm-arm/grant_table.h
104@@ -14,7 +14,6 @@ int replace_grant_host_mapping(unsigned
105 unsigned long new_gpaddr, unsigned int flags);
106 void gnttab_mark_dirty(struct domain *d, unsigned long l);
107 #define gnttab_create_status_page(d, t, i) do {} while (0)
108-#define gnttab_status_gmfn(d, t, i) (0)
109 #define gnttab_release_host_mappings(domain) 1
110 static inline int replace_grant_supported(void)
111 {
112@@ -29,8 +28,12 @@ static inline int replace_grant_supporte
113 } while ( 0 )
114
115 #define gnttab_shared_gmfn(d, t, i) \
116- ( ((i >= nr_grant_frames(d->grant_table)) && \
117- (i < max_grant_frames)) ? 0 : gfn_x(d->arch.grant_table_gfn[i]))
118+ gfn_x(((i) >= nr_grant_frames(t)) ? INVALID_GFN \
119+ : (d)->arch.grant_shared_gfn[i])
120+
121+#define gnttab_status_gmfn(d, t, i) \
122+ gfn_x(((i) >= nr_status_frames(t)) ? INVALID_GFN \
123+ : (d)->arch.grant_status_gfn[i])
124
125 #define gnttab_need_iommu_mapping(d) \
126 (is_domain_direct_mapped(d) && need_iommu(d))
diff --git a/main/xen/xsa255-4.9-2.patch b/main/xen/xsa255-4.9-2.patch
deleted file mode 100644
index ce225bde28..0000000000
--- a/main/xen/xsa255-4.9-2.patch
+++ /dev/null
@@ -1,186 +0,0 @@
1From: Jan Beulich <jbeulich@suse.com>
2Subject: gnttab: don't blindly free status pages upon version change
3
4There may still be active mappings, which would trigger the respective
5BUG_ON(). Split the loop into one dealing with the page attributes and
6the second (when the first fully passed) freeing the pages. Return an
7error if any pages still have pending references.
8
9This is part of XSA-255.
10
11Signed-off-by: Jan Beulich <jbeulich@suse.com>
12Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
13Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
14
15--- a/xen/arch/arm/mm.c
16+++ b/xen/arch/arm/mm.c
17@@ -1180,12 +1180,22 @@ int xenmem_add_to_physmap_one(
18 mfn = mfn_x(INVALID_MFN);
19 }
20
21+ if ( mfn != mfn_x(INVALID_MFN) &&
22+ !gfn_eq(gnttab_get_frame_gfn(d, status, idx), INVALID_GFN) )
23+ {
24+ rc = guest_physmap_remove_page(d,
25+ gnttab_get_frame_gfn(d, status, idx),
26+ _mfn(mfn), 0);
27+ if ( rc )
28+ {
29+ grant_write_unlock(d->grant_table);
30+ return rc;
31+ }
32+ }
33+
34 if ( mfn != mfn_x(INVALID_MFN) )
35 {
36- if ( status )
37- d->arch.grant_status_gfn[idx] = gfn;
38- else
39- d->arch.grant_shared_gfn[idx] = gfn;
40+ gnttab_set_frame_gfn(d, status, idx, gfn);
41
42 t = p2m_ram_rw;
43 }
44--- a/xen/common/grant_table.c
45+++ b/xen/common/grant_table.c
46@@ -1516,23 +1516,74 @@ status_alloc_failed:
47 return -ENOMEM;
48 }
49
50-static void
51+static int
52 gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt)
53 {
54- int i;
55+ unsigned int i;
56
57 for ( i = 0; i < nr_status_frames(gt); i++ )
58 {
59 struct page_info *pg = virt_to_page(gt->status[i]);
60+ gfn_t gfn = gnttab_get_frame_gfn(d, true, i);
61+
62+ /*
63+ * For translated domains, recovering from failure after partial
64+ * changes were made is more complicated than it seems worth
65+ * implementing at this time. Hence respective error paths below
66+ * crash the domain in such a case.
67+ */
68+ if ( paging_mode_translate(d) )
69+ {
70+ int rc = gfn_eq(gfn, INVALID_GFN)
71+ ? 0
72+ : guest_physmap_remove_page(d, gfn,
73+ _mfn(page_to_mfn(pg)), 0);
74+
75+ if ( rc )
76+ {
77+ gprintk(XENLOG_ERR,
78+ "Could not remove status frame %u (GFN %#lx) from P2M\n",
79+ i, gfn_x(gfn));
80+ domain_crash(d);
81+ return rc;
82+ }
83+ gnttab_set_frame_gfn(d, true, i, INVALID_GFN);
84+ }
85
86 BUG_ON(page_get_owner(pg) != d);
87 if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
88 put_page(pg);
89- BUG_ON(pg->count_info & ~PGC_xen_heap);
90+
91+ if ( pg->count_info & ~PGC_xen_heap )
92+ {
93+ if ( paging_mode_translate(d) )
94+ {
95+ gprintk(XENLOG_ERR,
96+ "Wrong page state %#lx of status frame %u (GFN %#lx)\n",
97+ pg->count_info, i, gfn_x(gfn));
98+ domain_crash(d);
99+ }
100+ else
101+ {
102+ if ( get_page(pg, d) )
103+ set_bit(_PGC_allocated, &pg->count_info);
104+ while ( i-- )
105+ gnttab_create_status_page(d, gt, i);
106+ }
107+ return -EBUSY;
108+ }
109+
110+ page_set_owner(pg, NULL);
111+ }
112+
113+ for ( i = 0; i < nr_status_frames(gt); i++ )
114+ {
115 free_xenheap_page(gt->status[i]);
116 gt->status[i] = NULL;
117 }
118 gt->nr_status_frames = 0;
119+
120+ return 0;
121 }
122
123 /*
124@@ -2774,8 +2825,9 @@ gnttab_set_version(XEN_GUEST_HANDLE_PARA
125 break;
126 }
127
128- if ( op.version < 2 && gt->gt_version == 2 )
129- gnttab_unpopulate_status_frames(currd, gt);
130+ if ( op.version < 2 && gt->gt_version == 2 &&
131+ (res = gnttab_unpopulate_status_frames(currd, gt)) != 0 )
132+ goto out_unlock;
133
134 /* Make sure there's no crud left over from the old version. */
135 for ( i = 0; i < nr_grant_frames(gt); i++ )
136--- a/xen/include/asm-arm/grant_table.h
137+++ b/xen/include/asm-arm/grant_table.h
138@@ -20,6 +20,17 @@ static inline int replace_grant_supporte
139 return 1;
140 }
141
142+#define gnttab_set_frame_gfn(d, st, idx, gfn) \
143+ do { \
144+ ((st) ? (d)->arch.grant_status_gfn \
145+ : (d)->arch.grant_shared_gfn)[idx] = (gfn); \
146+ } while ( 0 )
147+
148+#define gnttab_get_frame_gfn(d, st, idx) ({ \
149+ _gfn((st) ? gnttab_status_gmfn(d, (d)->grant_table, idx) \
150+ : gnttab_shared_gmfn(d, (d)->grant_table, idx)); \
151+})
152+
153 #define gnttab_create_shared_page(d, t, i) \
154 do { \
155 share_xen_page_with_guest( \
156--- a/xen/include/asm-x86/grant_table.h
157+++ b/xen/include/asm-x86/grant_table.h
158@@ -18,6 +18,14 @@ int create_grant_host_mapping(uint64_t a
159 int replace_grant_host_mapping(
160 uint64_t addr, unsigned long frame, uint64_t new_addr, unsigned int flags);
161
162+#define gnttab_set_frame_gfn(d, st, idx, gfn) do {} while ( 0 )
163+#define gnttab_get_frame_gfn(d, st, idx) ({ \
164+ unsigned long mfn_ = (st) ? gnttab_status_mfn((d)->grant_table, idx) \
165+ : gnttab_shared_mfn((d)->grant_table, idx); \
166+ unsigned long gpfn_ = get_gpfn_from_mfn(mfn_); \
167+ VALID_M2P(gpfn_) ? _gfn(gpfn_) : INVALID_GFN; \
168+})
169+
170 #define gnttab_create_shared_page(d, t, i) \
171 do { \
172 share_xen_page_with_guest( \
173@@ -33,11 +41,11 @@ int replace_grant_host_mapping(
174 } while ( 0 )
175
176
177-#define gnttab_shared_mfn(d, t, i) \
178+#define gnttab_shared_mfn(t, i) \
179 ((virt_to_maddr((t)->shared_raw[i]) >> PAGE_SHIFT))
180
181 #define gnttab_shared_gmfn(d, t, i) \
182- (mfn_to_gmfn(d, gnttab_shared_mfn(d, t, i)))
183+ (mfn_to_gmfn(d, gnttab_shared_mfn(t, i)))
184
185
186 #define gnttab_status_mfn(t, i) \
diff --git a/main/xen/xsa256-4.8.patch b/main/xen/xsa256-4.8.patch
deleted file mode 100644
index 019e6e6b97..0000000000
--- a/main/xen/xsa256-4.8.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From: Andrew Cooper <andrew.cooper3@citrix.com>
2Subject: x86/hvm: Disallow the creation of HVM domains without Local APIC emulation
3
4There are multiple problems, not necesserily limited to:
5
6 * Guests which configure event channels via hvmop_set_evtchn_upcall_vector(),
7 or which hit %cr8 emulation will cause Xen to fall over a NULL vlapic->regs
8 pointer.
9
10 * On Intel hardware, disabling the TPR_SHADOW execution control without
11 reenabling CR8_{LOAD,STORE} interception means that the guests %cr8
12 accesses interact with the real TPR. Amongst other things, setting the
13 real TPR to 0xf blocks even IPIs from interrupting this CPU.
14
15 * On hardware which sets up the use of Interrupt Posting, including
16 IOMMU-Posting, guests run without the appropriate non-root configuration,
17 which at a minimum will result in dropped interrupts.
18
19Whether no-LAPIC mode is of any use at all remains to be seen.
20
21This is XSA-256.
22
23Reported-by: Ian Jackson <ian.jackson@eu.citrix.com>
24Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
25Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
26Reviewed-by: Jan Beulich <jbeulich@suse.com>
27
28diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
29index 8817263..91b9ab7 100644
30--- a/xen/arch/x86/domain.c
31+++ b/xen/arch/x86/domain.c
32@@ -557,11 +557,9 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags,
33 return -EINVAL;
34 }
35
36- /* PVHv2 guests can request emulated APIC. */
37- if ( emflags &&
38- (is_hvm_domain(d) ? ((emflags != XEN_X86_EMU_ALL) &&
39- (emflags != XEN_X86_EMU_LAPIC)) :
40- (emflags != XEN_X86_EMU_PIT)) )
41+ if ( is_hvm_domain(d) ? ((emflags != XEN_X86_EMU_ALL) &&
42+ (emflags != XEN_X86_EMU_LAPIC))
43+ : (emflags && emflags != XEN_X86_EMU_PIT) )
44 {
45 printk(XENLOG_G_ERR "d%d: Xen does not allow %s domain creation "
46 "with the current selection of emulators: %#x\n",
diff --git a/main/xen/xsa258-4.8.patch b/main/xen/xsa258-4.8.patch
deleted file mode 100644
index 2c6ba32ce0..0000000000
--- a/main/xen/xsa258-4.8.patch
+++ /dev/null
@@ -1,106 +0,0 @@
1From 437c3b3ad337c43056903e4824448428d3b5a956 Mon Sep 17 00:00:00 2001
2From: Anthony PERARD <anthony.perard@citrix.com>
3Date: Thu, 8 Mar 2018 18:16:41 +0000
4Subject: [PATCH] libxl: Specify format of inserted cdrom
5
6Without this extra parameter on the QMP command, QEMU will guess the
7format of the new file.
8
9This is XSA-258.
10
11Reported-by: Anthony PERARD <anthony.perard@citrix.com>
12Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
13Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
14---
15 tools/libxl/libxl_device.c | 12 ++++++++++++
16 tools/libxl/libxl_dm.c | 16 ++--------------
17 tools/libxl/libxl_internal.h | 1 +
18 tools/libxl/libxl_qmp.c | 2 ++
19 4 files changed, 17 insertions(+), 14 deletions(-)
20
21diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
22index 3e7a1026c4..cd2a980f18 100644
23--- a/tools/libxl/libxl_device.c
24+++ b/tools/libxl/libxl_device.c
25@@ -425,6 +425,18 @@ char *libxl__device_disk_string_of_backend(libxl_disk_backend backend)
26 }
27 }
28
29+const char *libxl__qemu_disk_format_string(libxl_disk_format format)
30+{
31+ switch (format) {
32+ case LIBXL_DISK_FORMAT_QCOW: return "qcow";
33+ case LIBXL_DISK_FORMAT_QCOW2: return "qcow2";
34+ case LIBXL_DISK_FORMAT_VHD: return "vpc";
35+ case LIBXL_DISK_FORMAT_RAW: return "raw";
36+ case LIBXL_DISK_FORMAT_EMPTY: return NULL;
37+ default: return NULL;
38+ }
39+}
40+
41 int libxl__device_physdisk_major_minor(const char *physpath, int *major, int *minor)
42 {
43 struct stat buf;
44diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
45index ad366a8cd3..b6bc407795 100644
46--- a/tools/libxl/libxl_dm.c
47+++ b/tools/libxl/libxl_dm.c
48@@ -669,18 +669,6 @@ static int libxl__build_device_model_args_old(libxl__gc *gc,
49 return 0;
50 }
51
52-static const char *qemu_disk_format_string(libxl_disk_format format)
53-{
54- switch (format) {
55- case LIBXL_DISK_FORMAT_QCOW: return "qcow";
56- case LIBXL_DISK_FORMAT_QCOW2: return "qcow2";
57- case LIBXL_DISK_FORMAT_VHD: return "vpc";
58- case LIBXL_DISK_FORMAT_RAW: return "raw";
59- case LIBXL_DISK_FORMAT_EMPTY: return NULL;
60- default: return NULL;
61- }
62-}
63-
64 static char *dm_spice_options(libxl__gc *gc,
65 const libxl_spice_info *spice)
66 {
67@@ -1342,9 +1330,9 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
68 * always raw
69 */
70 if (disks[i].backend == LIBXL_DISK_BACKEND_QDISK)
71- format = qemu_disk_format_string(disks[i].format);
72+ format = libxl__qemu_disk_format_string(disks[i].format);
73 else
74- format = qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW);
75+ format = libxl__qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW);
76
77 if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) {
78 if (!disks[i].is_cdrom) {
79diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
80index 8366fee25f..c32a40576a 100644
81--- a/tools/libxl/libxl_internal.h
82+++ b/tools/libxl/libxl_internal.h
83@@ -1170,6 +1170,7 @@ _hidden int libxl__domain_pvcontrol_write(libxl__gc *gc, xs_transaction_t t,
84 /* from xl_device */
85 _hidden char *libxl__device_disk_string_of_backend(libxl_disk_backend backend);
86 _hidden char *libxl__device_disk_string_of_format(libxl_disk_format format);
87+_hidden const char *libxl__qemu_disk_format_string(libxl_disk_format format);
88 _hidden int libxl__device_disk_set_backend(libxl__gc*, libxl_device_disk*);
89
90 _hidden int libxl__device_physdisk_major_minor(const char *physpath, int *major, int *minor);
91diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c
92index f8addf9ba6..6fc5454a6e 100644
93--- a/tools/libxl/libxl_qmp.c
94+++ b/tools/libxl/libxl_qmp.c
95@@ -982,6 +982,8 @@ int libxl__qmp_insert_cdrom(libxl__gc *gc, int domid,
96 return qmp_run_command(gc, domid, "eject", args, NULL, NULL);
97 } else {
98 qmp_parameters_add_string(gc, &args, "target", disk->pdev_path);
99+ qmp_parameters_add_string(gc, &args, "arg",
100+ libxl__qemu_disk_format_string(disk->format));
101 return qmp_run_command(gc, domid, "change", args, NULL, NULL);
102 }
103 }
104--
1052.16.2
106
diff --git a/main/xen/xsa259.patch b/main/xen/xsa259.patch
deleted file mode 100644
index 7848fa87e9..0000000000
--- a/main/xen/xsa259.patch
+++ /dev/null
@@ -1,29 +0,0 @@
1From: Jan Beulich <jbeulich@suse.com>
2Subject: x86: fix slow int80 path after XPTI additions
3
4For the int80 slow path to jump to handle_exception_saved, %r14 needs to
5be set up suitably for XPTI purposes. This is because of the difference
6in nature between the int80 path (which is synchronous WRT guest
7actions) and the exception path which is potentially asynchronous.
8
9This is XSA-259.
10
11Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
12Signed-off-by: Jan Beulich <jbeulich@suse.com>
13Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
14
15--- a/xen/arch/x86/x86_64/entry.S
16+++ b/xen/arch/x86/x86_64/entry.S
17@@ -396,6 +396,12 @@ int80_slow_path:
18 movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
19 /* A GPF wouldn't have incremented the instruction pointer. */
20 subq $2,UREGS_rip(%rsp)
21+ /*
22+ * While we've cleared xen_cr3 above already, normal exception handling
23+ * code has logic to restore the original value from %r15. Therefore we
24+ * need to set up %r14 here, while %r15 is required to still be zero.
25+ */
26+ GET_STACK_END(14)
27 jmp handle_exception_saved
28
29 /* create_bounce_frame & helpers don't need to be in .text.entry */
diff --git a/main/xen/xsa260-1.patch b/main/xen/xsa260-1.patch
deleted file mode 100644
index aa86dc1db6..0000000000
--- a/main/xen/xsa260-1.patch
+++ /dev/null
@@ -1,72 +0,0 @@
1From: Andrew Cooper <andrew.cooper3@citrix.com>
2Subject: x86/traps: Fix %dr6 handing in #DB handler
3
4Most bits in %dr6 accumulate, rather than being set directly based on the
5current source of #DB. Have the handler follow the manuals guidance, which
6avoids leaking hypervisor debugging activities into guest context.
7
8This is part of XSA-260 / CVE-2018-8897.
9
10Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
11Reviewed-by: Jan Beulich <jbeulich@suse.com>
12
13--- a/xen/arch/x86/traps.c
14+++ b/xen/arch/x86/traps.c
15@@ -4038,11 +4038,36 @@ static void ler_enable(void)
16
17 void do_debug(struct cpu_user_regs *regs)
18 {
19+ unsigned long dr6;
20 struct vcpu *v = current;
21
22+ /* Stash dr6 as early as possible. */
23+ dr6 = read_debugreg(6);
24+
25 if ( debugger_trap_entry(TRAP_debug, regs) )
26 return;
27
28+ /*
29+ * At the time of writing (March 2018), on the subject of %dr6:
30+ *
31+ * The Intel manual says:
32+ * Certain debug exceptions may clear bits 0-3. The remaining contents
33+ * of the DR6 register are never cleared by the processor. To avoid
34+ * confusion in identifying debug exceptions, debug handlers should
35+ * clear the register (except bit 16, which they should set) before
36+ * returning to the interrupted task.
37+ *
38+ * The AMD manual says:
39+ * Bits 15:13 of the DR6 register are not cleared by the processor and
40+ * must be cleared by software after the contents have been read.
41+ *
42+ * Some bits are reserved set, some are reserved clear, and some bits
43+ * which were previously reserved set are reused and cleared by hardware.
44+ * For future compatibility, reset to the default value, which will allow
45+ * us to spot any bit being changed by hardware to its non-default value.
46+ */
47+ write_debugreg(6, X86_DR6_DEFAULT);
48+
49 if ( !guest_mode(regs) )
50 {
51 if ( regs->eflags & X86_EFLAGS_TF )
52@@ -4075,7 +4100,8 @@ void do_debug(struct cpu_user_regs *regs
53 }
54
55 /* Save debug status register where guest OS can peek at it */
56- v->arch.debugreg[6] = read_debugreg(6);
57+ v->arch.debugreg[6] |= (dr6 & ~X86_DR6_DEFAULT);
58+ v->arch.debugreg[6] &= (dr6 | ~X86_DR6_DEFAULT);
59
60 ler_enable();
61 do_guest_trap(TRAP_debug, regs);
62--- a/xen/include/asm-x86/debugreg.h
63+++ b/xen/include/asm-x86/debugreg.h
64@@ -24,6 +24,8 @@
65 #define DR_STATUS_RESERVED_ZERO (~0xffffeffful) /* Reserved, read as zero */
66 #define DR_STATUS_RESERVED_ONE 0xffff0ff0ul /* Reserved, read as one */
67
68+#define X86_DR6_DEFAULT 0xffff0ff0ul /* Default %dr6 value. */
69+
70 /* Now define a bunch of things for manipulating the control register.
71 The top two bytes of the control register consist of 4 fields of 4
72 bits - each field corresponds to one of the four debug registers,
diff --git a/main/xen/xsa260-2.patch b/main/xen/xsa260-2.patch
deleted file mode 100644
index d7aefe6b4d..0000000000
--- a/main/xen/xsa260-2.patch
+++ /dev/null
@@ -1,110 +0,0 @@
1From: Andrew Cooper <andrew.cooper3@citrix.com>
2Subject: x86/pv: Move exception injection into {,compat_}test_all_events()
3
4This allows paths to jump straight to {,compat_}test_all_events() and have
5injection of pending exceptions happen automatically, rather than requiring
6all calling paths to handle exceptions themselves.
7
8The normal exception path is simplified as a result, and
9compat_post_handle_exception() is removed entirely.
10
11This is part of XSA-260 / CVE-2018-8897.
12
13Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
14Reviewed-by: Jan Beulich <jbeulich@suse.com>
15
16--- a/xen/arch/x86/x86_64/compat/entry.S
17+++ b/xen/arch/x86/x86_64/compat/entry.S
18@@ -45,6 +45,12 @@ ENTRY(compat_test_all_events)
19 leaq irq_stat+IRQSTAT_softirq_pending(%rip),%rcx
20 cmpl $0,(%rcx,%rax,1)
21 jne compat_process_softirqs
22+
23+ /* Inject exception if pending. */
24+ lea VCPU_trap_bounce(%rbx), %rdx
25+ testb $TBF_EXCEPTION, TRAPBOUNCE_flags(%rdx)
26+ jnz .Lcompat_process_trapbounce
27+
28 testb $1,VCPU_mce_pending(%rbx)
29 jnz compat_process_mce
30 .Lcompat_test_guest_nmi:
31@@ -74,6 +80,15 @@ compat_process_softirqs:
32 call do_softirq
33 jmp compat_test_all_events
34
35+ ALIGN
36+/* %rbx: struct vcpu, %rdx: struct trap_bounce */
37+.Lcompat_process_trapbounce:
38+ sti
39+.Lcompat_bounce_exception:
40+ call compat_create_bounce_frame
41+ movb $0, TRAPBOUNCE_flags(%rdx)
42+ jmp compat_test_all_events
43+
44 ALIGN
45 /* %rbx: struct vcpu */
46 compat_process_mce:
47@@ -194,15 +209,6 @@ ENTRY(cr4_pv32_restore)
48 xor %eax, %eax
49 ret
50
51-/* %rdx: trap_bounce, %rbx: struct vcpu */
52-ENTRY(compat_post_handle_exception)
53- testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
54- jz compat_test_all_events
55-.Lcompat_bounce_exception:
56- call compat_create_bounce_frame
57- movb $0,TRAPBOUNCE_flags(%rdx)
58- jmp compat_test_all_events
59-
60 .section .text.entry, "ax", @progbits
61
62 /* See lstar_enter for entry register state. */
63--- a/xen/arch/x86/x86_64/entry.S
64+++ b/xen/arch/x86/x86_64/entry.S
65@@ -41,6 +41,12 @@ test_all_events:
66 leaq irq_stat+IRQSTAT_softirq_pending(%rip), %rcx
67 cmpl $0, (%rcx, %rax, 1)
68 jne process_softirqs
69+
70+ /* Inject exception if pending. */
71+ lea VCPU_trap_bounce(%rbx), %rdx
72+ testb $TBF_EXCEPTION, TRAPBOUNCE_flags(%rdx)
73+ jnz .Lprocess_trapbounce
74+
75 cmpb $0, VCPU_mce_pending(%rbx)
76 jne process_mce
77 .Ltest_guest_nmi:
78@@ -69,6 +75,15 @@ process_softirqs:
79 jmp test_all_events
80
81 ALIGN
82+/* %rbx: struct vcpu, %rdx struct trap_bounce */
83+.Lprocess_trapbounce:
84+ sti
85+.Lbounce_exception:
86+ call create_bounce_frame
87+ movb $0, TRAPBOUNCE_flags(%rdx)
88+ jmp test_all_events
89+
90+ ALIGN
91 /* %rbx: struct vcpu */
92 process_mce:
93 testb $1 << VCPU_TRAP_MCE, VCPU_async_exception_mask(%rbx)
94@@ -659,15 +674,9 @@ handle_exception_saved:
95 mov %r15, STACK_CPUINFO_FIELD(xen_cr3)(%r14)
96 testb $3,UREGS_cs(%rsp)
97 jz restore_all_xen
98- leaq VCPU_trap_bounce(%rbx),%rdx
99 movq VCPU_domain(%rbx),%rax
100 testb $1,DOMAIN_is_32bit_pv(%rax)
101- jnz compat_post_handle_exception
102- testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
103- jz test_all_events
104-.Lbounce_exception:
105- call create_bounce_frame
106- movb $0,TRAPBOUNCE_flags(%rdx)
107+ jnz compat_test_all_events
108 jmp test_all_events
109
110 /* No special register assumptions. */
diff --git a/main/xen/xsa260-3.patch b/main/xen/xsa260-3.patch
deleted file mode 100644
index 7dcf12a679..0000000000
--- a/main/xen/xsa260-3.patch
+++ /dev/null
@@ -1,138 +0,0 @@
1From: Andrew Cooper <andrew.cooper3@citrix.com>
2Subject: x86/traps: Use an Interrupt Stack Table for #DB
3
4PV guests can use architectural corner cases to cause #DB to be raised after
5transitioning into supervisor mode.
6
7Use an interrupt stack table for #DB to prevent the exception being taken with
8a guest controlled stack pointer.
9
10This is part of XSA-260 / CVE-2018-8897.
11
12Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
13Reviewed-by: Jan Beulich <jbeulich@suse.com>
14
15--- a/xen/arch/x86/cpu/common.c
16+++ b/xen/arch/x86/cpu/common.c
17@@ -681,6 +681,7 @@ void load_system_tables(void)
18 tss->ist[IST_MCE - 1] = stack_top + IST_MCE * PAGE_SIZE;
19 tss->ist[IST_DF - 1] = stack_top + IST_DF * PAGE_SIZE;
20 tss->ist[IST_NMI - 1] = stack_top + IST_NMI * PAGE_SIZE;
21+ tss->ist[IST_DB - 1] = stack_top + IST_DB * PAGE_SIZE;
22
23 _set_tssldt_desc(
24 gdt + TSS_ENTRY,
25@@ -701,6 +702,7 @@ void load_system_tables(void)
26 set_ist(&idt_tables[cpu][TRAP_double_fault], IST_DF);
27 set_ist(&idt_tables[cpu][TRAP_nmi], IST_NMI);
28 set_ist(&idt_tables[cpu][TRAP_machine_check], IST_MCE);
29+ set_ist(&idt_tables[cpu][TRAP_debug], IST_DB);
30
31 /*
32 * Bottom-of-stack must be 16-byte aligned!
33--- a/xen/arch/x86/hvm/svm/svm.c
34+++ b/xen/arch/x86/hvm/svm/svm.c
35@@ -1042,6 +1042,7 @@ static void svm_ctxt_switch_from(struct
36 set_ist(&idt_tables[cpu][TRAP_double_fault], IST_DF);
37 set_ist(&idt_tables[cpu][TRAP_nmi], IST_NMI);
38 set_ist(&idt_tables[cpu][TRAP_machine_check], IST_MCE);
39+ set_ist(&idt_tables[cpu][TRAP_debug], IST_DB);
40 }
41
42 static void svm_ctxt_switch_to(struct vcpu *v)
43@@ -1063,6 +1064,7 @@ static void svm_ctxt_switch_to(struct vc
44 set_ist(&idt_tables[cpu][TRAP_double_fault], IST_NONE);
45 set_ist(&idt_tables[cpu][TRAP_nmi], IST_NONE);
46 set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE);
47+ set_ist(&idt_tables[cpu][TRAP_debug], IST_NONE);
48
49 svm_restore_dr(v);
50
51--- a/xen/arch/x86/smpboot.c
52+++ b/xen/arch/x86/smpboot.c
53@@ -960,6 +960,7 @@ static int cpu_smpboot_alloc(unsigned in
54 set_ist(&idt_tables[cpu][TRAP_double_fault], IST_NONE);
55 set_ist(&idt_tables[cpu][TRAP_nmi], IST_NONE);
56 set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE);
57+ set_ist(&idt_tables[cpu][TRAP_debug], IST_NONE);
58
59 for ( stub_page = 0, i = cpu & ~(STUBS_PER_PAGE - 1);
60 i < nr_cpu_ids && i <= (cpu | (STUBS_PER_PAGE - 1)); ++i )
61--- a/xen/arch/x86/traps.c
62+++ b/xen/arch/x86/traps.c
63@@ -259,13 +259,13 @@ static void show_guest_stack(struct vcpu
64 /*
65 * Notes for get_stack_trace_bottom() and get_stack_dump_bottom()
66 *
67- * Stack pages 0, 1 and 2:
68+ * Stack pages 0 - 3:
69 * These are all 1-page IST stacks. Each of these stacks have an exception
70 * frame and saved register state at the top. The interesting bound for a
71 * trace is the word adjacent to this, while the bound for a dump is the
72 * very top, including the exception frame.
73 *
74- * Stack pages 3, 4 and 5:
75+ * Stack pages 4 and 5:
76 * None of these are particularly interesting. With MEMORY_GUARD, page 5 is
77 * explicitly not present, so attempting to dump or trace it is
78 * counterproductive. Without MEMORY_GUARD, it is possible for a call chain
79@@ -286,12 +286,12 @@ unsigned long get_stack_trace_bottom(uns
80 {
81 switch ( get_stack_page(sp) )
82 {
83- case 0 ... 2:
84+ case 0 ... 3:
85 return ROUNDUP(sp, PAGE_SIZE) -
86 offsetof(struct cpu_user_regs, es) - sizeof(unsigned long);
87
88 #ifndef MEMORY_GUARD
89- case 3 ... 5:
90+ case 4 ... 5:
91 #endif
92 case 6 ... 7:
93 return ROUNDUP(sp, STACK_SIZE) -
94@@ -306,11 +306,11 @@ unsigned long get_stack_dump_bottom(unsi
95 {
96 switch ( get_stack_page(sp) )
97 {
98- case 0 ... 2:
99+ case 0 ... 3:
100 return ROUNDUP(sp, PAGE_SIZE) - sizeof(unsigned long);
101
102 #ifndef MEMORY_GUARD
103- case 3 ... 5:
104+ case 4 ... 5:
105 #endif
106 case 6 ... 7:
107 return ROUNDUP(sp, STACK_SIZE) - sizeof(unsigned long);
108@@ -4219,6 +4219,7 @@ void __init init_idt_traps(void)
109 set_ist(&idt_table[TRAP_double_fault], IST_DF);
110 set_ist(&idt_table[TRAP_nmi], IST_NMI);
111 set_ist(&idt_table[TRAP_machine_check], IST_MCE);
112+ set_ist(&idt_table[TRAP_debug], IST_DB);
113
114 /* CPU0 uses the master IDT. */
115 idt_tables[0] = idt_table;
116--- a/xen/arch/x86/x86_64/entry.S
117+++ b/xen/arch/x86/x86_64/entry.S
118@@ -731,7 +731,7 @@ ENTRY(device_not_available)
119 ENTRY(debug)
120 pushq $0
121 movl $TRAP_debug,4(%rsp)
122- jmp handle_exception
123+ jmp handle_ist_exception
124
125 ENTRY(int3)
126 pushq $0
127--- a/xen/include/asm-x86/processor.h
128+++ b/xen/include/asm-x86/processor.h
129@@ -505,7 +505,8 @@ struct __packed __cacheline_aligned tss_
130 #define IST_DF 1UL
131 #define IST_NMI 2UL
132 #define IST_MCE 3UL
133-#define IST_MAX 3UL
134+#define IST_DB 4UL
135+#define IST_MAX 4UL
136
137 /* Set the interrupt stack table used by a particular interrupt
138 * descriptor table entry. */
diff --git a/main/xen/xsa260-4.patch b/main/xen/xsa260-4.patch
deleted file mode 100644
index 8041b42fd6..0000000000
--- a/main/xen/xsa260-4.patch
+++ /dev/null
@@ -1,72 +0,0 @@
1From: Andrew Cooper <andrew.cooper3@citrix.com>
2Subject: x86/traps: Fix handling of #DB exceptions in hypervisor context
3
4The WARN_ON() can be triggered by guest activities, and emits a full stack
5trace without rate limiting. Swap it out for a ratelimited printk with just
6enough information to work out what is going on.
7
8Not all #DB exceptions are traps, so blindly continuing is not a safe action
9to take. We don't let PV guests select these settings in the real %dr7 to
10begin with, but for added safety against unexpected situations, detect the
11fault cases and crash in an obvious manner.
12
13This is part of XSA-260 / CVE-2018-8897.
14
15Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
16Reviewed-by: Jan Beulich <jbeulich@suse.com>
17
18--- a/xen/arch/x86/traps.c
19+++ b/xen/arch/x86/traps.c
20@@ -4086,16 +4086,44 @@ void do_debug(struct cpu_user_regs *regs
21 regs->eflags &= ~X86_EFLAGS_TF;
22 }
23 }
24- else
25+
26+ /*
27+ * Check for fault conditions. General Detect, and instruction
28+ * breakpoints are faults rather than traps, at which point attempting
29+ * to ignore and continue will result in a livelock.
30+ */
31+ if ( dr6 & DR_GENERAL_DETECT )
32+ {
33+ printk(XENLOG_ERR "Hit General Detect in Xen context\n");
34+ fatal_trap(regs, 0);
35+ }
36+
37+ if ( dr6 & (DR_TRAP3 | DR_TRAP2 | DR_TRAP1 | DR_TRAP0) )
38 {
39- /*
40- * We ignore watchpoints when they trigger within Xen. This may
41- * happen when a buffer is passed to us which previously had a
42- * watchpoint set on it. No need to bump EIP; the only faulting
43- * trap is an instruction breakpoint, which can't happen to us.
44- */
45- WARN_ON(!search_exception_table(regs->eip));
46+ unsigned int bp, dr7 = read_debugreg(7) >> DR_CONTROL_SHIFT;
47+
48+ for ( bp = 0; bp < 4; ++bp )
49+ {
50+ if ( (dr6 & (1u << bp)) && /* Breakpoint triggered? */
51+ ((dr7 & (3u << (bp * DR_CONTROL_SIZE))) == 0) /* Insn? */ )
52+ {
53+ printk(XENLOG_ERR
54+ "Hit instruction breakpoint in Xen context\n");
55+ fatal_trap(regs, 0);
56+ }
57+ }
58 }
59+
60+ /*
61+ * Whatever caused this #DB should be a trap. Note it and continue.
62+ * Guests can trigger this in certain corner cases, so ensure the
63+ * message is ratelimited.
64+ */
65+ gprintk(XENLOG_WARNING,
66+ "Hit #DB in Xen context: %04x:%p [%ps], stk %04x:%p, dr6 %lx\n",
67+ regs->cs, _p(regs->rip), _p(regs->rip),
68+ regs->ss, _p(regs->rsp), dr6);
69+
70 goto out;
71 }
72
diff --git a/main/xen/xsa261-4.8.patch b/main/xen/xsa261-4.8.patch
deleted file mode 100644
index 24b35bdce5..0000000000
--- a/main/xen/xsa261-4.8.patch
+++ /dev/null
@@ -1,242 +0,0 @@
1From: Xen Project Security Team <security@xenproject.org>
2Subject: x86/vpt: add support for IO-APIC routed interrupts
3
4And modify the HPET code to make use of it. Currently HPET interrupts
5are always treated as ISA and thus injected through the vPIC. This is
6wrong because HPET interrupts when not in legacy mode should be
7injected from the IO-APIC.
8
9To make things worse, the supported interrupt routing values are set
10to [20..23], which clearly falls outside of the ISA range, thus
11leading to an ASSERT in debug builds or memory corruption in non-debug
12builds because the interrupt injection code will write out of the
13bounds of the arch.hvm_domain.vpic array.
14
15Since the HPET interrupt source can change between ISA and IO-APIC
16always destroy the timer before changing the mode, or else Xen risks
17changing it while the timer is active.
18
19Note that vpt interrupt injection is racy in the sense that the
20vIO-APIC RTE entry can be written by the guest in between the call to
21pt_irq_masked and hvm_ioapic_assert, or the call to pt_update_irq and
22pt_intr_post. Those are not deemed to be security issues, but rather
23quirks of the current implementation. In the worse case the guest
24might lose interrupts or get multiple interrupt vectors injected for
25the same timer source.
26
27This is part of XSA-261.
28
29Address actual and potential compiler warnings. Fix formatting.
30
31Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
32Signed-off-by: Jan Beulich <jbeulich@suse.com>
33
34--- a/xen/arch/x86/hvm/hpet.c
35+++ b/xen/arch/x86/hvm/hpet.c
36@@ -264,13 +264,20 @@ static void hpet_set_timer(HPETState *h,
37 diff = (timer_is_32bit(h, tn) && (-diff > HPET_TINY_TIME_SPAN))
38 ? (uint32_t)diff : 0;
39
40+ destroy_periodic_time(&h->pt[tn]);
41 if ( (tn <= 1) && (h->hpet.config & HPET_CFG_LEGACY) )
42+ {
43 /* if LegacyReplacementRoute bit is set, HPET specification requires
44 timer0 be routed to IRQ0 in NON-APIC or IRQ2 in the I/O APIC,
45 timer1 be routed to IRQ8 in NON-APIC or IRQ8 in the I/O APIC. */
46 irq = (tn == 0) ? 0 : 8;
47+ h->pt[tn].source = PTSRC_isa;
48+ }
49 else
50+ {
51 irq = timer_int_route(h, tn);
52+ h->pt[tn].source = PTSRC_ioapic;
53+ }
54
55 /*
56 * diff is the time from now when the timer should fire, for a periodic
57--- a/xen/arch/x86/hvm/irq.c
58+++ b/xen/arch/x86/hvm/irq.c
59@@ -42,6 +42,25 @@ static void assert_gsi(struct domain *d,
60 vioapic_irq_positive_edge(d, ioapic_gsi);
61 }
62
63+int hvm_ioapic_assert(struct domain *d, unsigned int gsi, bool level)
64+{
65+ int vector;
66+
67+ if ( gsi >= VIOAPIC_NUM_PINS )
68+ {
69+ ASSERT_UNREACHABLE();
70+ return -1;
71+ }
72+
73+ spin_lock(&d->arch.hvm_domain.irq_lock);
74+ if ( !level || d->arch.hvm_domain.irq.gsi_assert_count[gsi]++ == 0 )
75+ assert_gsi(d, gsi);
76+ vector = domain_vioapic(d)->redirtbl[gsi].fields.vector;
77+ spin_unlock(&d->arch.hvm_domain.irq_lock);
78+
79+ return vector;
80+}
81+
82 static void assert_irq(struct domain *d, unsigned ioapic_gsi, unsigned pic_irq)
83 {
84 assert_gsi(d, ioapic_gsi);
85--- a/xen/arch/x86/hvm/vpt.c
86+++ b/xen/arch/x86/hvm/vpt.c
87@@ -97,22 +97,36 @@ static int pt_irq_vector(struct periodic
88 static int pt_irq_masked(struct periodic_time *pt)
89 {
90 struct vcpu *v = pt->vcpu;
91- unsigned int gsi, isa_irq;
92- uint8_t pic_imr;
93+ unsigned int gsi = pt->irq;
94
95- if ( pt->source == PTSRC_lapic )
96+ switch ( pt->source )
97+ {
98+ case PTSRC_lapic:
99 {
100 struct vlapic *vlapic = vcpu_vlapic(v);
101+
102 return (!vlapic_enabled(vlapic) ||
103 (vlapic_get_reg(vlapic, APIC_LVTT) & APIC_LVT_MASKED));
104 }
105
106- isa_irq = pt->irq;
107- gsi = hvm_isa_irq_to_gsi(isa_irq);
108- pic_imr = v->domain->arch.hvm_domain.vpic[isa_irq >> 3].imr;
109+ case PTSRC_isa:
110+ {
111+ uint8_t pic_imr = v->domain->arch.hvm_domain.vpic[pt->irq >> 3].imr;
112
113- return (((pic_imr & (1 << (isa_irq & 7))) || !vlapic_accept_pic_intr(v)) &&
114- domain_vioapic(v->domain)->redirtbl[gsi].fields.mask);
115+ /* Check if the interrupt is unmasked in the PIC. */
116+ if ( !(pic_imr & (1 << (pt->irq & 7))) && vlapic_accept_pic_intr(v) )
117+ return 0;
118+
119+ gsi = hvm_isa_irq_to_gsi(pt->irq);
120+ }
121+
122+ /* Fallthrough to check if the interrupt is masked on the IO APIC. */
123+ case PTSRC_ioapic:
124+ return domain_vioapic(v->domain)->redirtbl[gsi].fields.mask;
125+ }
126+
127+ ASSERT_UNREACHABLE();
128+ return 1;
129 }
130
131 static void pt_lock(struct periodic_time *pt)
132@@ -233,7 +247,7 @@ int pt_update_irq(struct vcpu *v)
133 struct list_head *head = &v->arch.hvm_vcpu.tm_list;
134 struct periodic_time *pt, *temp, *earliest_pt;
135 uint64_t max_lag;
136- int irq, is_lapic;
137+ int irq, pt_vector = -1;
138
139 spin_lock(&v->arch.hvm_vcpu.tm_lock);
140
141@@ -269,29 +283,42 @@ int pt_update_irq(struct vcpu *v)
142
143 earliest_pt->irq_issued = 1;
144 irq = earliest_pt->irq;
145- is_lapic = (earliest_pt->source == PTSRC_lapic);
146
147 spin_unlock(&v->arch.hvm_vcpu.tm_lock);
148
149- if ( is_lapic )
150- vlapic_set_irq(vcpu_vlapic(v), irq, 0);
151- else
152+ switch ( earliest_pt->source )
153 {
154+ case PTSRC_lapic:
155+ /*
156+ * If periodic timer interrupt is handled by lapic, its vector in
157+ * IRR is returned and used to set eoi_exit_bitmap for virtual
158+ * interrupt delivery case. Otherwise return -1 to do nothing.
159+ */
160+ vlapic_set_irq(vcpu_vlapic(v), irq, 0);
161+ pt_vector = irq;
162+ break;
163+
164+ case PTSRC_isa:
165 hvm_isa_irq_deassert(v->domain, irq);
166 hvm_isa_irq_assert(v->domain, irq);
167+
168+ if ( platform_legacy_irq(irq) && vlapic_accept_pic_intr(v) &&
169+ v->domain->arch.hvm_domain.vpic[irq >> 3].int_output )
170+ return -1;
171+
172+ pt_vector = pt_irq_vector(earliest_pt, hvm_intsrc_lapic);
173+ break;
174+
175+ case PTSRC_ioapic:
176+ /*
177+ * NB: At the moment IO-APIC routed interrupts generated by vpt devices
178+ * (HPET) are edge-triggered.
179+ */
180+ pt_vector = hvm_ioapic_assert(v->domain, irq, false);
181+ break;
182 }
183
184- /*
185- * If periodic timer interrut is handled by lapic, its vector in
186- * IRR is returned and used to set eoi_exit_bitmap for virtual
187- * interrupt delivery case. Otherwise return -1 to do nothing.
188- */
189- if ( !is_lapic &&
190- platform_legacy_irq(irq) && vlapic_accept_pic_intr(v) &&
191- (&v->domain->arch.hvm_domain)->vpic[irq >> 3].int_output )
192- return -1;
193- else
194- return pt_irq_vector(earliest_pt, hvm_intsrc_lapic);
195+ return pt_vector;
196 }
197
198 static struct periodic_time *is_pt_irq(
199@@ -386,7 +413,13 @@ void create_periodic_time(
200 struct vcpu *v, struct periodic_time *pt, uint64_t delta,
201 uint64_t period, uint8_t irq, time_cb *cb, void *data)
202 {
203- ASSERT(pt->source != 0);
204+ if ( !pt->source ||
205+ (pt->irq >= NR_ISAIRQS && pt->source == PTSRC_isa) ||
206+ (pt->irq >= VIOAPIC_NUM_PINS && pt->source == PTSRC_ioapic) )
207+ {
208+ ASSERT_UNREACHABLE();
209+ return;
210+ }
211
212 destroy_periodic_time(pt);
213
214@@ -466,7 +499,7 @@ static void pt_adjust_vcpu(struct period
215 {
216 int on_list;
217
218- ASSERT(pt->source == PTSRC_isa);
219+ ASSERT(pt->source == PTSRC_isa || pt->source == PTSRC_ioapic);
220
221 if ( pt->vcpu == NULL )
222 return;
223--- a/xen/include/asm-x86/hvm/irq.h
224+++ b/xen/include/asm-x86/hvm/irq.h
225@@ -103,4 +103,7 @@ struct hvm_intack hvm_vcpu_has_pending_i
226 struct hvm_intack hvm_vcpu_ack_pending_irq(struct vcpu *v,
227 struct hvm_intack intack);
228
229+/* Assert an IO APIC pin. */
230+int hvm_ioapic_assert(struct domain *d, unsigned int gsi, bool level);
231+
232 #endif /* __ASM_X86_HVM_IRQ_H__ */
233--- a/xen/include/asm-x86/hvm/vpt.h
234+++ b/xen/include/asm-x86/hvm/vpt.h
235@@ -45,6 +45,7 @@ struct periodic_time {
236 bool_t warned_timeout_too_short;
237 #define PTSRC_isa 1 /* ISA time source */
238 #define PTSRC_lapic 2 /* LAPIC time source */
239+#define PTSRC_ioapic 3 /* IOAPIC time source */
240 u8 source; /* PTSRC_ */
241 u8 irq;
242 struct vcpu *vcpu; /* vcpu timer interrupt delivers to */
diff --git a/main/xen/xsa262-4.9.patch b/main/xen/xsa262-4.9.patch
deleted file mode 100644
index f9a7a4ce3a..0000000000
--- a/main/xen/xsa262-4.9.patch
+++ /dev/null
@@ -1,76 +0,0 @@
1From: Jan Beulich <jbeulich@suse.com>
2Subject: x86/HVM: guard against emulator driving ioreq state in weird ways
3
4In the case where hvm_wait_for_io() calls wait_on_xen_event_channel(),
5p->state ends up being read twice in succession: once to determine that
6state != p->state, and then again at the top of the loop. This gives a
7compromised emulator a chance to change the state back between the two
8reads, potentially keeping Xen in a loop indefinitely.
9
10Instead:
11* Read p->state once in each of the wait_on_xen_event_channel() tests,
12* re-use that value the next time around,
13* and insist that the states continue to transition "forward" (with the
14 exception of the transition to STATE_IOREQ_NONE).
15
16This is XSA-262.
17
18Signed-off-by: Jan Beulich <jbeulich@suse.com>
19Reviewed-by: George Dunlap <george.dunlap@citrix.com>
20
21--- a/xen/arch/x86/hvm/ioreq.c
22+++ b/xen/arch/x86/hvm/ioreq.c
23@@ -87,14 +87,17 @@ static void hvm_io_assist(struct hvm_ior
24
25 static bool_t hvm_wait_for_io(struct hvm_ioreq_vcpu *sv, ioreq_t *p)
26 {
27+ unsigned int prev_state = STATE_IOREQ_NONE;
28+
29 while ( sv->pending )
30 {
31 unsigned int state = p->state;
32
33- rmb();
34- switch ( state )
35+ smp_rmb();
36+
37+ recheck:
38+ if ( unlikely(state == STATE_IOREQ_NONE) )
39 {
40- case STATE_IOREQ_NONE:
41 /*
42 * The only reason we should see this case is when an
43 * emulator is dying and it races with an I/O being
44@@ -102,14 +105,30 @@ static bool_t hvm_wait_for_io(struct hvm
45 */
46 hvm_io_assist(sv, ~0ul);
47 break;
48+ }
49+
50+ if ( unlikely(state < prev_state) )
51+ {
52+ gdprintk(XENLOG_ERR, "Weird HVM ioreq state transition %u -> %u\n",
53+ prev_state, state);
54+ sv->pending = 0;
55+ domain_crash(sv->vcpu->domain);
56+ return 0; /* bail */
57+ }
58+
59+ switch ( prev_state = state )
60+ {
61 case STATE_IORESP_READY: /* IORESP_READY -> NONE */
62 p->state = STATE_IOREQ_NONE;
63 hvm_io_assist(sv, p->data);
64 break;
65 case STATE_IOREQ_READY: /* IOREQ_{READY,INPROCESS} -> IORESP_READY */
66 case STATE_IOREQ_INPROCESS:
67- wait_on_xen_event_channel(sv->ioreq_evtchn, p->state != state);
68- break;
69+ wait_on_xen_event_channel(sv->ioreq_evtchn,
70+ ({ state = p->state;
71+ smp_rmb();
72+ state != prev_state; }));
73+ goto recheck;
74 default:
75 gdprintk(XENLOG_ERR, "Weird HVM iorequest state %u\n", state);
76 sv->pending = 0;
© 2015 Mike Crute