head	1.2;
access;
symbols
	pkgsrc-2022Q2:1.1.0.2
	pkgsrc-2022Q2-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2022.07.05.15.53.45;	author bouyer;	state dead;
branches;
next	1.1;
commitid	pHgqNRXMqhBQOIKD;

1.1
date	2022.06.24.13.07.52;	author bouyer;	state Exp;
branches;
next	;
commitid	R8u1OixCq1w7giJD;


desc
@@


1.2
log
@Update xenkernel415 to 4.15.3.
Changes are mostly bugfixes, including all security fixes up to XSA404
(which we already had in 4.15.2nb2)
@
text
@$NetBSD: patch-XSA399,v 1.1 2022/06/24 13:07:52 bouyer Exp $

From: Jan Beulich <jbeulich@@suse.com>
Subject: VT-d: correct ordering of operations in cleanup_domid_map()

The function may be called without any locks held (leaving aside the
domctl one, which we surely don't want to depend on here), so needs to
play safe wrt other accesses to domid_map[] and domid_bitmap[]. This is
to avoid context_set_domain_id()'s writing of domid_map[] to be reset to
zero right away in the case of it racing the freeing of a DID.

For the interaction with context_set_domain_id() and ->domid_map[] reads
see the code comment.

{check_,}cleanup_domid_map() are called with pcidevs_lock held or during
domain cleanup only (and pcidevs_lock is also held around
context_set_domain_id()), i.e. racing calls with the same (dom, iommu)
tuple cannot occur.

domain_iommu_domid(), besides its use by cleanup_domid_map(), has its
result used only to control flushing, and hence a stale result would
only lead to a stray extra flush.

This is CVE-2022-26357 / XSA-399.

Fixes: b9c20c78789f ("VT-d: per-iommu domain-id")
Signed-off-by: Jan Beulich <jbeulich@@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@@citrix.com>

--- xen/drivers/passthrough/vtd/iommu.c.orig
+++ xen/drivers/passthrough/vtd/iommu.c
@@@@ -152,8 +152,14 @@@@ static void cleanup_domid_map(struct dom
 
     if ( iommu_domid >= 0 )
     {
+        /*
+         * Update domid_map[] /before/ domid_bitmap[] to avoid a race with
+         * context_set_domain_id(), setting the slot to DOMID_INVALID for
+         * ->domid_map[] reads to produce a suitable value while the bit is
+         * still set.
+         */
+        iommu->domid_map[iommu_domid] = DOMID_INVALID;
         clear_bit(iommu_domid, iommu->domid_bitmap);
-        iommu->domid_map[iommu_domid] = 0;
     }
 }
 
@


1.1
log
@Apply patches for Xen security advisory 397 up to 402, and 404 (XSA403 still
not released).
Bump PKGREVISION
@
text
@d1 1
a1 1
$NetBSD: $
@