head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.2 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.1.0.2 pkgsrc-2012Q4-base:1.1; locks; strict; comment @# @; 1.2 date 2013.01.17.19.37.55; author drochner; state dead; branches; next 1.1; 1.1 date 2012.12.05.19.16.26; author drochner; state Exp; branches; next ; desc @@ 1.2 log @update to 4.1.4 changes: -fixes for many vulnerabilities (were mostly patched in pkgsrc) -bug fixes and improvements (almost 100 since Xen 4.1.3). Highlights are: -A fix for a long standing time management issue -Bug fixes for S3 (suspend to RAM) handling -Bug fixes for other low level system state handling pkgsrc note: fixes for CVE-2012-5634 (interrupt issue on IOMMU systems) and CVE-2012-6075 (oversized packets from e1000 driver) are already included @ text @$NetBSD: patch-CVE-2012-5510,v 1.1 2012/12/05 19:16:26 drochner Exp $ see http://lists.xen.org/archives/html/xen-announce/2012-12/msg00000.html --- xen/common/grant_table.c.orig 2012-08-10 13:51:47.000000000 +0000 +++ xen/common/grant_table.c @@@@ -1102,12 +1102,13 @@@@ fault: } static int -gnttab_populate_status_frames(struct domain *d, struct grant_table *gt) +gnttab_populate_status_frames(struct domain *d, struct grant_table *gt, + unsigned int req_nr_frames) { unsigned i; unsigned req_status_frames; - req_status_frames = grant_to_status_frames(gt->nr_grant_frames); + req_status_frames = grant_to_status_frames(req_nr_frames); for ( i = nr_status_frames(gt); i < req_status_frames; i++ ) { if ( (gt->status[i] = alloc_xenheap_page()) == NULL ) @@@@ -1138,7 +1139,12 @@@@ gnttab_unpopulate_status_frames(struct d for ( i = 0; i < nr_status_frames(gt); i++ ) { - page_set_owner(virt_to_page(gt->status[i]), dom_xen); + struct page_info *pg = virt_to_page(gt->status[i]); + + BUG_ON(page_get_owner(pg) != d); + if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) ) + put_page(pg); + BUG_ON(pg->count_info & ~PGC_xen_heap); free_xenheap_page(gt->status[i]); gt->status[i] = NULL; } @@@@ -1176,19 +1182,18 
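Review bot: The new `req_nr_frames` argument of gnttab_populate_status_frames drives the loop bound for `gt->status[i]`, yet the visible lines neither check it nor document what callers may pass. The grant_table_create hunk shows `t->status` sized from `grant_to_status_frames(max_nr_grant_frames)`, so an `ASSERT(req_nr_frames <= max_nr_grant_frames);` before the loop would state the invariant the indexing relies on. A header comment should also give the return convention, because the two call sites test it differently: `if ( gnttab_populate_status_frames(d, gt, req_nr_frames) )` in gnttab_grow_table and `if ( res < 0)` in gnttab_set_version. The function's failure path lies outside the hunk, so whether it unwinds partially allocated status pages cannot be judged from here.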
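Review bot: The last added check in gnttab_unpopulate_status_frames, `BUG_ON(pg->count_info & ~PGC_xen_heap);`, makes any reference still held on a status page fatal to the whole host instead of to the one domain. Whether that state is unreachable depends on the callers, which are outside this hunk; if a guest can still hold a reference to a status frame when this loop runs, the result is a host-wide denial of service. I would add a comment above the loop naming the precondition, for example `/* Caller must guarantee no status frame is still referenced or mapped by the guest. */`, and confirm that each caller enforces it before calling. If it cannot be guaranteed, failing the operation for that domain is safer than a BUG.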
@@@@ gnttab_grow_table(struct domain *d, unsi clear_page(gt->shared_raw[i]); } - /* Share the new shared frames with the recipient domain */ - for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) - gnttab_create_shared_page(d, gt, i); - - gt->nr_grant_frames = req_nr_frames; - /* Status pages - version 2 */ if (gt->gt_version > 1) { - if ( gnttab_populate_status_frames(d, gt) ) + if ( gnttab_populate_status_frames(d, gt, req_nr_frames) ) goto shared_alloc_failed; } + /* Share the new shared frames with the recipient domain */ + for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ ) + gnttab_create_shared_page(d, gt, i); + gt->nr_grant_frames = req_nr_frames; + return 1; shared_alloc_failed: @@@@ -2129,7 +2134,7 @@@@ gnttab_set_version(XEN_GUEST_HANDLE(gntt if ( op.version == 2 && gt->gt_version < 2 ) { - res = gnttab_populate_status_frames(d, gt); + res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt)); if ( res < 0) goto out_unlock; } @@@@ -2450,9 +2455,6 @@@@ grant_table_create( clear_page(t->shared_raw[i]); } - for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) - gnttab_create_shared_page(d, t, i); - /* Status pages for grant table - for version 2 */ t->status = xmalloc_array(grant_status_t *, grant_to_status_frames(max_nr_grant_frames)); @@@@ -2460,6 +2462,10 @@@@ grant_table_create( goto no_mem_4; memset(t->status, 0, grant_to_status_frames(max_nr_grant_frames) * sizeof(t->status[0])); + + for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ ) + gnttab_create_shared_page(d, t, i); + t->nr_status_frames = 0; /* Okay, install the structure. */ @ 1.1 log @add another batch of security patches from upstream bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @
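Review bot: The reordering in gnttab_grow_table depends on an invariant the code does not state: gnttab_create_shared_page must hand frames to the domain only after every allocation that can fail has succeeded. A comment above the moved loop would stop a later edit from undoing it, e.g. `/* Must come last: nothing below may fail, these frames become guest-visible here. */`. The same comment belongs on the loop moved below the `t->status` allocation in the two grant_table_create hunks. The `shared_alloc_failed` path is outside the hunk, so the claim that it now only frees frames not yet shared is inferred from the ordering rather than seen.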