head 1.3; access; symbols pkgsrc-2020Q2:1.2.0.22 pkgsrc-2020Q2-base:1.2 pkgsrc-2020Q1:1.2.0.18 pkgsrc-2020Q1-base:1.2 pkgsrc-2019Q4:1.2.0.20 pkgsrc-2019Q4-base:1.2 pkgsrc-2019Q3:1.2.0.16 pkgsrc-2019Q3-base:1.2 pkgsrc-2019Q2:1.2.0.14 pkgsrc-2019Q2-base:1.2 pkgsrc-2019Q1:1.2.0.12 pkgsrc-2019Q1-base:1.2 pkgsrc-2018Q4:1.2.0.10 pkgsrc-2018Q4-base:1.2 pkgsrc-2018Q3:1.2.0.8 pkgsrc-2018Q3-base:1.2 pkgsrc-2018Q2:1.2.0.6 pkgsrc-2018Q2-base:1.2 pkgsrc-2018Q1:1.2.0.4 pkgsrc-2018Q1-base:1.2 pkgsrc-2017Q4:1.2.0.2 pkgsrc-2017Q4-base:1.2 pkgsrc-2017Q3:1.1.0.2; locks; strict; comment @# @; 1.3 date 2020.08.19.10.39.23; author bouyer; state dead; branches; next 1.2; commitid DGAMglRf0Jde6FkC; 1.2 date 2017.12.15.14.00.44; author bouyer; state Exp; branches; next 1.1; commitid vstkKXHtT1V3EZiA; 1.1 date 2017.10.17.10.57.34; author bouyer; state Exp; branches 1.1.2.1; next ; commitid Op7VCttvsVltwobA; 1.1.2.1 date 2017.10.17.10.57.34; author bsiegert; state dead; branches; next 1.1.2.2; commitid hV2F1sd8zeL8jrbA; 1.1.2.2 date 2017.10.17.19.17.50; author bsiegert; state Exp; branches; next ; commitid hV2F1sd8zeL8jrbA; desc @@ 1.3 log @Remove xenkernel and xentools packages older than 4.11. They're not maintained anymore upstream, and don't build on supported NetBSD releases. @ text @$NetBSD: patch-XSA241,v 1.2 2017/12/15 14:00:44 bouyer Exp $ x86: don't store possibly stale TLB flush time stamp While the timing window is extremely narrow, it is theoretically possible for an update to the TLB flush clock and a subsequent flush IPI to happen between the read and write parts of the update of the per-page stamp. Exclude this possibility by disabling interrupts across the update, preventing the IPI to be serviced in the middle. This is XSA-241. Reported-by: Jann Horn Suggested-by: George Dunlap 
Signed-off-by: Jan Beulich Reviewed-by: George Dunlap --- xen/arch/arm/smp.c.orig +++ xen/arch/arm/smp.c @@@@ -1,4 +1,5 @@@@ #include +#include #include #include #include --- xen/arch/x86/mm.c.orig +++ xen/arch/x86/mm.c @@@@ -2440,7 +2440,7 @@@@ static int _put_final_page_type(struct p */ if ( !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); wmb(); page->u.inuse.type_info--; } @@@@ -2510,7 +2510,7 @@@@ if ( (!ptpg || !PGT_type_equal(x, ptpg->u.inuse.type_info)) && !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); } if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) ) --- xen/arch/x86/mm/shadow/common.c.orig +++ xen/arch/x86/mm/shadow/common.c @@@@ -1464,7 +1464,7 @@@@ void shadow_free(struct domain *d, mfn_t * TLBs when we reuse the page. Because the destructors leave the * contents of the pages in place, we can delay TLB flushes until * just before the allocator hands the page out again. */ - sp->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(sp); perfc_decr(shadow_alloc_count); page_list_add_tail(sp, &d->arch.paging.shadow.freelist); sp = next; --- xen/common/page_alloc.c.orig +++ xen/common/page_alloc.c @@@@ -960,7 +960,7 @@@@ static void free_heap_pages( /* If a page has no owner it will need no safety TLB flush. */ pg[i].u.free.need_tlbflush = (page_get_owner(&pg[i]) != NULL); if ( pg[i].u.free.need_tlbflush ) - pg[i].tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(&pg[i]); /* This page is not a guest frame any more. 
*/ page_set_owner(&pg[i], NULL); /* set_gpfn_from_mfn snoops pg owner */ --- xen/include/asm-arm/flushtlb.h.orig +++ xen/include/asm-arm/flushtlb.h @@@@ -12,6 +12,11 @@@@ static inline void tlbflush_filter(cpuma #define tlbflush_current_time() (0) +static inline void page_set_tlbflush_timestamp(struct page_info *page) +{ + page->tlbflush_timestamp = tlbflush_current_time(); +} + #if defined(CONFIG_ARM_32) # include #elif defined(CONFIG_ARM_64) --- xen/include/asm-x86/flushtlb.h.orig +++ xen/include/asm-x86/flushtlb.h @@@@ -23,6 +23,20 @@@@ DECLARE_PER_CPU(u32, tlbflush_time); #define tlbflush_current_time() tlbflush_clock +static inline void page_set_tlbflush_timestamp(struct page_info *page) +{ + /* + * Prevent storing a stale time stamp, which could happen if an update + * to tlbflush_clock plus a subsequent flush IPI happen between the + * reading of tlbflush_clock and the writing of the struct page_info + * field. + */ + ASSERT(local_irq_is_enabled()); + local_irq_disable(); + page->tlbflush_timestamp = tlbflush_current_time(); + local_irq_enable(); +} + /* * @@cpu_stamp is the timestamp at last TLB flush for the CPU we are testing. * @@lastuse_stamp is a timestamp taken when the PFN we are testing was last @ 1.2 log @Apply patches from upstream, fixing security issues XSA246 up to XSA251. Also update patch-XSA240 from upstream, fixing issues in linear page table handling introduced by the original XSA240 patch. Bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: patch-XSA241,v 1.1 2017/10/17 10:57:34 bouyer Exp $ @ 1.1 log @Update xen*46 to 4.6.6, including fixes up to XSA244. changes since Xen 4.6.5: mostly bug fixes, including security fixes for XSA206, XSA211 to XSA244. PKGREVISION set to 1 to account for the fact that it's not a stock Xen 4.6.6. 
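Review bot: The ARM `page_set_tlbflush_timestamp()` added to xen/include/asm-arm/flushtlb.h has no comment explaining why it stores the stamp without masking interrupts, unlike the x86 helper of the same name added by this patch. The `#define tlbflush_current_time() (0)` just above it shows the stamp is a constant on this architecture, so there is no read-then-write window to protect. I would add a one-line comment saying so, e.g. `/* tlbflush_current_time() is a constant here, so no IRQ masking is needed (unlike x86). */`, so that anyone who later gives ARM a real flush clock revisits this helper.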
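Review bot: In the x86 `page_set_tlbflush_timestamp()` added to xen/include/asm-x86/flushtlb.h, the unconditional `local_irq_enable()` is only safe because of the `ASSERT(local_irq_is_enabled())` before it, and that check presumably disappears in non-debug builds. A caller that reaches the helper with interrupts already disabled would then return with them enabled, silently ending its critical section. Either state the precondition in the comment (`Callers must have interrupts enabled.`) or make the helper state-preserving with `unsigned long flags; local_irq_save(flags);` before the store and `local_irq_restore(flags);` after it. The converted call sites in `_put_final_page_type()`, `shadow_free()` and `free_heap_pages()` are only partly visible in their hunks, so their interrupt state cannot be confirmed from this page; the 1.1.2.2 revision text further down carries the same helper.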
Note that, unlike upstream, pv-linear-pt defaults to true, so that NetBSD PV guests (including dom0) will continue to boot without changes to boot.cfg @ text @d1 1 a1 1 $NetBSD: $ d28 1 a28 1 @@@@ -2524,7 +2524,7 @@@@ static int _put_final_page_type(struct p d37 3 a39 21 @@@@ -2534,7 +2534,7 @@@@ static int _put_final_page_type(struct p (PGT_count_mask|PGT_validated|PGT_partial)) == 1); if ( !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); wmb(); page->u.inuse.type_info |= PGT_validated; } @@@@ -2588,7 +2588,7 @@@@ static int _put_page_type(struct page_in if ( ptpg && PGT_type_equal(x, ptpg->u.inuse.type_info) ) { /* - * page_set_tlbflush_timestamp() accesses the same union + * set_tlbflush_timestamp() accesses the same union * linear_pt_count lives in. Unvalidated page table pages, * however, should occur during domain destruction only * anyway. Updating of linear_pt_count luckily is not @@@@ -2609,7 +2609,7 @@@@ static int _put_page_type(struct page_in */ if ( !(shadow_mode_enabled(page_get_owner(page)) && @ 1.1.2.1 log @file patch-XSA241 was added on branch pkgsrc-2017Q3 on 2017-10-17 19:17:50 +0000 @ text @d1 122 @ 1.1.2.2 log @Pullup ticket #5580 - requested by bouyer sysutils/xenkernel46, sysutils/xentools46: security fix Revisions pulled up: - sysutils/xenkernel46/MESSAGE 1.2 - sysutils/xenkernel46/Makefile 1.14 - sysutils/xenkernel46/distinfo 1.10 - sysutils/xenkernel46/patches/patch-XSA-212 deleted - sysutils/xenkernel46/patches/patch-XSA226 1.1 - sysutils/xenkernel46/patches/patch-XSA227 1.1 - sysutils/xenkernel46/patches/patch-XSA228 1.1 - sysutils/xenkernel46/patches/patch-XSA230 1.1 - sysutils/xenkernel46/patches/patch-XSA231 1.1 - sysutils/xenkernel46/patches/patch-XSA232 1.1 - sysutils/xenkernel46/patches/patch-XSA234 1.1 - sysutils/xenkernel46/patches/patch-XSA237 1.1 - sysutils/xenkernel46/patches/patch-XSA238 1.1 - 
sysutils/xenkernel46/patches/patch-XSA239 1.1 - sysutils/xenkernel46/patches/patch-XSA240 1.1 - sysutils/xenkernel46/patches/patch-XSA241 1.1 - sysutils/xenkernel46/patches/patch-XSA242 1.1 - sysutils/xenkernel46/patches/patch-XSA243 1.1 - sysutils/xenkernel46/patches/patch-XSA244 1.1 - sysutils/xentools46/Makefile 1.21 - sysutils/xentools46/distinfo 1.9 - sysutils/xentools46/patches/patch-XSA-211-1 deleted - sysutils/xentools46/patches/patch-XSA-211-2 deleted - sysutils/xentools46/patches/patch-XSA228 1.1 - sysutils/xentools46/patches/patch-XSA233 1.1 - sysutils/xentools46/patches/patch-XSA240 1.1 - sysutils/xentools46/version.mk 1.3 --- Module Name: pkgsrc Committed By: bouyer Date: Tue Oct 17 10:57:35 UTC 2017 Modified Files: pkgsrc/sysutils/xenkernel46: MESSAGE Makefile distinfo pkgsrc/sysutils/xentools46: Makefile distinfo version.mk Added Files: pkgsrc/sysutils/xenkernel46/patches: patch-XSA226 patch-XSA227 patch-XSA228 patch-XSA230 patch-XSA231 patch-XSA232 patch-XSA234 patch-XSA237 patch-XSA238 patch-XSA239 patch-XSA240 patch-XSA241 patch-XSA242 patch-XSA243 patch-XSA244 pkgsrc/sysutils/xentools46/patches: patch-XSA228 patch-XSA233 patch-XSA240 Removed Files: pkgsrc/sysutils/xenkernel46/patches: patch-XSA-212 pkgsrc/sysutils/xentools46/patches: patch-XSA-211-1 patch-XSA-211-2 Log Message: Update xen*46 to 4.6.6, including fixes up to XSA244. changes since Xen 4.6.5: mostly bug fixes, including security fixes for XSA206, XSA211 to XSA244. PKGREVISION set to 1 to account for the fact that it's not a stock Xen 4.6.6. 
Note that, unlike upstream, pv-linear-pt defaults to true, so that NetBSD PV guests (including dom0) will continue to boot without changes to boot.cfg @ text @a0 122 $NetBSD: patch-XSA241,v 1.1 2017/10/17 10:57:34 bouyer Exp $ x86: don't store possibly stale TLB flush time stamp While the timing window is extremely narrow, it is theoretically possible for an update to the TLB flush clock and a subsequent flush IPI to happen between the read and write parts of the update of the per-page stamp. Exclude this possibility by disabling interrupts across the update, preventing the IPI to be serviced in the middle. This is XSA-241. Reported-by: Jann Horn Suggested-by: George Dunlap 
Signed-off-by: Jan Beulich Reviewed-by: George Dunlap --- xen/arch/arm/smp.c.orig +++ xen/arch/arm/smp.c @@@@ -1,4 +1,5 @@@@ #include +#include #include #include #include --- xen/arch/x86/mm.c.orig +++ xen/arch/x86/mm.c @@@@ -2524,7 +2524,7 @@@@ static int _put_final_page_type(struct p */ if ( !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); wmb(); page->u.inuse.type_info--; } @@@@ -2534,7 +2534,7 @@@@ static int _put_final_page_type(struct p (PGT_count_mask|PGT_validated|PGT_partial)) == 1); if ( !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); wmb(); page->u.inuse.type_info |= PGT_validated; } @@@@ -2588,7 +2588,7 @@@@ static int _put_page_type(struct page_in if ( ptpg && PGT_type_equal(x, ptpg->u.inuse.type_info) ) { /* - * page_set_tlbflush_timestamp() accesses the same union + * set_tlbflush_timestamp() accesses the same union * linear_pt_count lives in. Unvalidated page table pages, * however, should occur during domain destruction only * anyway. Updating of linear_pt_count luckily is not @@@@ -2609,7 +2609,7 @@@@ static int _put_page_type(struct page_in */ if ( !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); } if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) ) --- xen/arch/x86/mm/shadow/common.c.orig +++ xen/arch/x86/mm/shadow/common.c @@@@ -1464,7 +1464,7 @@@@ void shadow_free(struct domain *d, mfn_t * TLBs when we reuse the page. Because the destructors leave the * contents of the pages in place, we can delay TLB flushes until * just before the allocator hands the page out again. 
*/ - sp->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(sp); perfc_decr(shadow_alloc_count); page_list_add_tail(sp, &d->arch.paging.shadow.freelist); sp = next; --- xen/common/page_alloc.c.orig +++ xen/common/page_alloc.c @@@@ -960,7 +960,7 @@@@ static void free_heap_pages( /* If a page has no owner it will need no safety TLB flush. */ pg[i].u.free.need_tlbflush = (page_get_owner(&pg[i]) != NULL); if ( pg[i].u.free.need_tlbflush ) - pg[i].tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(&pg[i]); /* This page is not a guest frame any more. */ page_set_owner(&pg[i], NULL); /* set_gpfn_from_mfn snoops pg owner */ --- xen/include/asm-arm/flushtlb.h.orig +++ xen/include/asm-arm/flushtlb.h @@@@ -12,6 +12,11 @@@@ static inline void tlbflush_filter(cpuma #define tlbflush_current_time() (0) +static inline void page_set_tlbflush_timestamp(struct page_info *page) +{ + page->tlbflush_timestamp = tlbflush_current_time(); +} + #if defined(CONFIG_ARM_32) # include #elif defined(CONFIG_ARM_64) --- xen/include/asm-x86/flushtlb.h.orig +++ xen/include/asm-x86/flushtlb.h @@@@ -23,6 +23,20 @@@@ DECLARE_PER_CPU(u32, tlbflush_time); #define tlbflush_current_time() tlbflush_clock +static inline void page_set_tlbflush_timestamp(struct page_info *page) +{ + /* + * Prevent storing a stale time stamp, which could happen if an update + * to tlbflush_clock plus a subsequent flush IPI happen between the + * reading of tlbflush_clock and the writing of the struct page_info + * field. + */ + ASSERT(local_irq_is_enabled()); + local_irq_disable(); + page->tlbflush_timestamp = tlbflush_current_time(); + local_irq_enable(); +} + /* * @@cpu_stamp is the timestamp at last TLB flush for the CPU we are testing. * @@lastuse_stamp is a timestamp taken when the PFN we are testing was last @