head 1.3; access; symbols pkgsrc-2017Q4:1.2.0.2 pkgsrc-2017Q4-base:1.2 pkgsrc-2017Q3:1.1.0.2; locks; strict; comment @# @; 1.3 date 2018.01.24.23.29.32; author bouyer; state dead; branches; next 1.2; commitid WktdwS8UoS8bvboA; 1.2 date 2017.12.15.14.02.15; author bouyer; state Exp; branches 1.2.2.1; next 1.1; commitid 0ZGmm4R3nBw9FZiA; 1.1 date 2017.10.17.08.42.30; author bouyer; state Exp; branches 1.1.2.1; next ; commitid OJpItiWkoMToMnbA; 1.2.2.1 date 2018.01.28.15.23.24; author bsiegert; state dead; branches; next ; commitid hLOFEOUtck6sHEoA; 1.1.2.1 date 2017.10.17.08.42.30; author bsiegert; state dead; branches; next 1.1.2.2; commitid fTgNkUKfFJMQdrbA; 1.1.2.2 date 2017.10.17.19.02.25; author bsiegert; state Exp; branches; next ; commitid fTgNkUKfFJMQdrbA; desc @@ 1.3 log @Update xen 4.8 packages to 4.8.3. Changes since 4.8.2: include patches from all security advisory up to and including XSA254. While there pass XEN_VENDORVERSION=nb${PKGREVISION} to make so that 'xl info' shows the NetBSD PKGREVISION. If PKGREVISION is not available, define this as 'nb0'. @ text @$NetBSD: patch-XSA241,v 1.2 2017/12/15 14:02:15 bouyer Exp $ x86: don't store possibly stale TLB flush time stamp While the timing window is extremely narrow, it is theoretically possible for an update to the TLB flush clock and a subsequent flush IPI to happen between the read and write parts of the update of the per-page stamp. Exclude this possibility by disabling interrupts across the update, preventing the IPI to be serviced in the middle. This is XSA-241. Reported-by: Jann Horn Suggested-by: George Dunlap 
Signed-off-by: Jan Beulich Reviewed-by: George Dunlap --- xen/arch/arm/smp.c.orig +++ xen/arch/arm/smp.c @@@@ -1,4 +1,5 @@@@ #include +#include #include #include #include --- xen/arch/x86/mm.c.orig 2017-12-15 14:29:51.000000000 +0100 +++ xen/arch/x86/mm.c 2017-12-15 14:30:10.000000000 +0100 @@@@ -2500,7 +2500,7 @@@@ */ if ( !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); wmb(); page->u.inuse.type_info--; } @@@@ -2573,7 +2573,7 @@@@ if ( (!ptpg || !PGT_type_equal(x, ptpg->u.inuse.type_info)) && !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); } if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) ) --- xen/arch/x86/mm/shadow/common.c.orig +++ xen/arch/x86/mm/shadow/common.c @@@@ -1464,7 +1464,7 @@@@ void shadow_free(struct domain *d, mfn_t * TLBs when we reuse the page. Because the destructors leave the * contents of the pages in place, we can delay TLB flushes until * just before the allocator hands the page out again. */ - sp->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(sp); perfc_decr(shadow_alloc_count); page_list_add_tail(sp, &d->arch.paging.shadow.freelist); sp = next; --- xen/common/page_alloc.c.orig +++ xen/common/page_alloc.c @@@@ -960,7 +960,7 @@@@ static void free_heap_pages( /* If a page has no owner it will need no safety TLB flush. */ pg[i].u.free.need_tlbflush = (page_get_owner(&pg[i]) != NULL); if ( pg[i].u.free.need_tlbflush ) - pg[i].tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(&pg[i]); /* This page is not a guest frame any more. 
*/ page_set_owner(&pg[i], NULL); /* set_gpfn_from_mfn snoops pg owner */ --- xen/include/asm-arm/flushtlb.h.orig +++ xen/include/asm-arm/flushtlb.h @@@@ -12,6 +12,11 @@@@ static inline void tlbflush_filter(cpuma #define tlbflush_current_time() (0) +static inline void page_set_tlbflush_timestamp(struct page_info *page) +{ + page->tlbflush_timestamp = tlbflush_current_time(); +} + #if defined(CONFIG_ARM_32) # include #elif defined(CONFIG_ARM_64) --- xen/include/asm-x86/flushtlb.h.orig +++ xen/include/asm-x86/flushtlb.h @@@@ -23,6 +23,20 @@@@ DECLARE_PER_CPU(u32, tlbflush_time); #define tlbflush_current_time() tlbflush_clock +static inline void page_set_tlbflush_timestamp(struct page_info *page) +{ + /* + * Prevent storing a stale time stamp, which could happen if an update + * to tlbflush_clock plus a subsequent flush IPI happen between the + * reading of tlbflush_clock and the writing of the struct page_info + * field. + */ + ASSERT(local_irq_is_enabled()); + local_irq_disable(); + page->tlbflush_timestamp = tlbflush_current_time(); + local_irq_enable(); +} + /* * @@cpu_stamp is the timestamp at last TLB flush for the CPU we are testing. * @@lastuse_stamp is a timestamp taken when the PFN we are testing was last @ 1.2 log @Apply patches from upstream, fixing security issues XSA246 up to XSA251. Also update patch-XSA240 from upstream, fixing issues in linear page table handling introduced by the original XSA240 patch. 
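Review bot: In the x86 `page_set_tlbflush_timestamp()` added to xen/include/asm-x86/flushtlb.h, the only guard against entry with interrupts already off is `ASSERT(local_irq_is_enabled())`, and the function ends with an unconditional `local_irq_enable()`. If ASSERT compiles to nothing in non-debug builds (not visible here), a caller that enters with interrupts disabled would silently leave with them enabled, and the hunks do not show the callers' IRQ state. Either state the precondition in the comment, e.g. `/* Callers must have interrupts enabled; they are re-enabled unconditionally on exit. */`, or keep the caller's state with `unsigned long flags;`, `local_irq_save(flags);` before the store and `local_irq_restore(flags);` after it. The same helper is added again in the revision 1.1 copy of this patch further down the file.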
Bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: patch-XSA241,v 1.1 2017/10/17 08:42:30 bouyer Exp $ @ 1.2.2.1 log @Pullup ticket #5693 - requested by bouyer sysutils/xenkernel48: security fix sysutils/xentools48: security fix Revisions pulled up: - sysutils/xenkernel48/Makefile 1.12 - sysutils/xenkernel48/distinfo 1.6 - sysutils/xenkernel48/patches/patch-XSA231 deleted - sysutils/xenkernel48/patches/patch-XSA232 deleted - sysutils/xenkernel48/patches/patch-XSA234 deleted - sysutils/xenkernel48/patches/patch-XSA237 deleted - sysutils/xenkernel48/patches/patch-XSA238 deleted - sysutils/xenkernel48/patches/patch-XSA239 deleted - sysutils/xenkernel48/patches/patch-XSA240 deleted - sysutils/xenkernel48/patches/patch-XSA241 deleted - sysutils/xenkernel48/patches/patch-XSA242 deleted - sysutils/xenkernel48/patches/patch-XSA243 deleted - sysutils/xenkernel48/patches/patch-XSA244 deleted - sysutils/xenkernel48/patches/patch-XSA246 deleted - sysutils/xenkernel48/patches/patch-XSA247 deleted - sysutils/xenkernel48/patches/patch-XSA248 deleted - sysutils/xenkernel48/patches/patch-XSA249 deleted - sysutils/xenkernel48/patches/patch-XSA250 deleted - sysutils/xenkernel48/patches/patch-XSA251 deleted - sysutils/xenkernel48/patches/patch-XSA254-1 deleted - sysutils/xenkernel48/patches/patch-XSA254-2 deleted - sysutils/xenkernel48/patches/patch-XSA254-3 deleted - sysutils/xenkernel48/patches/patch-XSA254-4 deleted - sysutils/xentools48/Makefile 1.16 - sysutils/xentools48/distinfo 1.7-1.8 - sysutils/xentools48/patches/patch-XSA233 deleted - sysutils/xentools48/patches/patch-XSA240 deleted --- Module Name: pkgsrc Committed By: bouyer Date: Wed Jan 24 23:29:33 UTC 2018 Modified Files: pkgsrc/sysutils/xenkernel48: Makefile distinfo pkgsrc/sysutils/xentools48: Makefile distinfo Removed Files: pkgsrc/sysutils/xenkernel48/patches: patch-XSA231 patch-XSA232 patch-XSA234 patch-XSA237 patch-XSA238 patch-XSA239 patch-XSA240 patch-XSA241 patch-XSA242 patch-XSA243 patch-XSA244 patch-XSA246 
patch-XSA247 patch-XSA248 patch-XSA249 patch-XSA250 patch-XSA251 patch-XSA254-1 patch-XSA254-2 patch-XSA254-3 patch-XSA254-4 pkgsrc/sysutils/xentools48/patches: patch-XSA233 patch-XSA240 Log Message: Update xen 4.8 packages to 4.8.3. Changes since 4.8.2: include patches from all security advisory up to and including XSA254. While there pass XEN_VENDORVERSION=nb${PKGREVISION} to make so that 'xl info' shows the NetBSD PKGREVISION. If PKGREVISION is not available, define this as 'nb0'. --- Module Name: pkgsrc Committed By: bouyer Date: Sat Jan 27 16:44:40 UTC 2018 Modified Files: pkgsrc/sysutils/xentools48: distinfo Log Message: Remove entries for patch-XSA233 and patch-XSA240 which have been deleted. @ text @d1 1 a1 1 $NetBSD: patch-XSA241,v 1.2 2017/12/15 14:02:15 bouyer Exp $ @ 1.1 log @Update xentools48 and xenkernel48 to 4.8.2, and apply security patches up to XSA244. Keep PKGREVISION to 1 to account for the fact that it's not a stock Xen 4.8.2. Note that, unlike upstream, pv-linear-pt defaults to true, so that NetBSD PV guests (including dom0) will continue to boot without changes to boot.cfg @ text @d1 1 a1 1 $NetBSD: $ d26 3 a28 3 --- xen/arch/x86/mm.c.orig +++ xen/arch/x86/mm.c @@@@ -2524,7 +2524,7 @@@@ static int _put_final_page_type(struct p d37 3 a39 21 @@@@ -2534,7 +2534,7 @@@@ static int _put_final_page_type(struct p (PGT_count_mask|PGT_validated|PGT_partial)) == 1); if ( !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); wmb(); page->u.inuse.type_info |= PGT_validated; } @@@@ -2588,7 +2588,7 @@@@ static int _put_page_type(struct page_in if ( ptpg && PGT_type_equal(x, ptpg->u.inuse.type_info) ) { /* - * page_set_tlbflush_timestamp() accesses the same union + * set_tlbflush_timestamp() accesses the same union * linear_pt_count lives in. Unvalidated page table pages, * however, should occur during domain destruction only * anyway. 
Updating of linear_pt_count luckily is not @@@@ -2609,7 +2609,7 @@@@ static int _put_page_type(struct page_in */ if ( !(shadow_mode_enabled(page_get_owner(page)) && @ 1.1.2.1 log @file patch-XSA241 was added on branch pkgsrc-2017Q3 on 2017-10-17 19:02:25 +0000 @ text @d1 122 @ 1.1.2.2 log @Pullup ticket #5579 - requested by bouyer sysutils/xenkernel48, sysutils/xentools48: security fix Revisions pulled up: - sysutils/xenkernel48/MESSAGE 1.2 - sysutils/xenkernel48/Makefile 1.6 - sysutils/xenkernel48/distinfo 1.3 - sysutils/xenkernel48/patches/patch-XSA-212 deleted - sysutils/xenkernel48/patches/patch-XSA231 1.1 - sysutils/xenkernel48/patches/patch-XSA232 1.1 - sysutils/xenkernel48/patches/patch-XSA234 1.1 - sysutils/xenkernel48/patches/patch-XSA237 1.1 - sysutils/xenkernel48/patches/patch-XSA238 1.1 - sysutils/xenkernel48/patches/patch-XSA239 1.1 - sysutils/xenkernel48/patches/patch-XSA240 1.1 - sysutils/xenkernel48/patches/patch-XSA241 1.1 - sysutils/xenkernel48/patches/patch-XSA242 1.1 - sysutils/xenkernel48/patches/patch-XSA243 1.1 - sysutils/xenkernel48/patches/patch-XSA244 1.1 - sysutils/xentools48/Makefile 1.8 - sysutils/xentools48/distinfo 1.4 - sysutils/xentools48/patches/patch-XSA-211-1 deleted - sysutils/xentools48/patches/patch-XSA-211-2 deleted - sysutils/xentools48/patches/patch-XSA233 1.1 - sysutils/xentools48/patches/patch-XSA240 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Tue Oct 17 08:42:30 UTC 2017 Modified Files: pkgsrc/sysutils/xenkernel48: MESSAGE Makefile distinfo pkgsrc/sysutils/xentools48: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel48/patches: patch-XSA231 patch-XSA232 patch-XSA234 patch-XSA237 patch-XSA238 patch-XSA239 patch-XSA240 patch-XSA241 patch-XSA242 patch-XSA243 patch-XSA244 pkgsrc/sysutils/xentools48/patches: patch-XSA233 patch-XSA240 Removed Files: pkgsrc/sysutils/xenkernel48/patches: patch-XSA-212 pkgsrc/sysutils/xentools48/patches: patch-XSA-211-1 patch-XSA-211-2 Log Message: Update xentools48 and 
xenkernel48 to 4.8.2, and apply security patches up to XSA244. Keep PKGREVISION to 1 to account for the fact that it's not a stock Xen 4.8.2. Note that, unlike upstream, pv-linear-pt defaults to true, so that NetBSD PV guests (including dom0) will continue to boot without changes to boot.cfg @ text @a0 122 $NetBSD: patch-XSA241,v 1.1 2017/10/17 08:42:30 bouyer Exp $ x86: don't store possibly stale TLB flush time stamp While the timing window is extremely narrow, it is theoretically possible for an update to the TLB flush clock and a subsequent flush IPI to happen between the read and write parts of the update of the per-page stamp. Exclude this possibility by disabling interrupts across the update, preventing the IPI to be serviced in the middle. This is XSA-241. Reported-by: Jann Horn Suggested-by: George Dunlap 
Signed-off-by: Jan Beulich Reviewed-by: George Dunlap --- xen/arch/arm/smp.c.orig +++ xen/arch/arm/smp.c @@@@ -1,4 +1,5 @@@@ #include +#include #include #include #include --- xen/arch/x86/mm.c.orig +++ xen/arch/x86/mm.c @@@@ -2524,7 +2524,7 @@@@ static int _put_final_page_type(struct p */ if ( !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); wmb(); page->u.inuse.type_info--; } @@@@ -2534,7 +2534,7 @@@@ static int _put_final_page_type(struct p (PGT_count_mask|PGT_validated|PGT_partial)) == 1); if ( !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); wmb(); page->u.inuse.type_info |= PGT_validated; } @@@@ -2588,7 +2588,7 @@@@ static int _put_page_type(struct page_in if ( ptpg && PGT_type_equal(x, ptpg->u.inuse.type_info) ) { /* - * page_set_tlbflush_timestamp() accesses the same union + * set_tlbflush_timestamp() accesses the same union * linear_pt_count lives in. Unvalidated page table pages, * however, should occur during domain destruction only * anyway. Updating of linear_pt_count luckily is not @@@@ -2609,7 +2609,7 @@@@ static int _put_page_type(struct page_in */ if ( !(shadow_mode_enabled(page_get_owner(page)) && (page->count_info & PGC_page_table)) ) - page->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(page); } if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) ) --- xen/arch/x86/mm/shadow/common.c.orig +++ xen/arch/x86/mm/shadow/common.c @@@@ -1464,7 +1464,7 @@@@ void shadow_free(struct domain *d, mfn_t * TLBs when we reuse the page. Because the destructors leave the * contents of the pages in place, we can delay TLB flushes until * just before the allocator hands the page out again. 
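Review bot: The comment rewritten in the `@@ -2588` hunk of xen/arch/x86/mm.c now names `set_tlbflush_timestamp()`, but the helper this patch introduces and calls in every other hunk is `page_set_tlbflush_timestamp()`. Unless the shorter name is defined by another patch in the series (not visible here), the comment should keep the full name: `* page_set_tlbflush_timestamp() accesses the same union`. The hunk also runs in the opposite direction to the rest of the patch, so it may have been generated against a tree with a related patch already applied; the patch order is worth confirming. The body of `_put_page_type` continues outside the hunk.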
*/ - sp->tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(sp); perfc_decr(shadow_alloc_count); page_list_add_tail(sp, &d->arch.paging.shadow.freelist); sp = next; --- xen/common/page_alloc.c.orig +++ xen/common/page_alloc.c @@@@ -960,7 +960,7 @@@@ static void free_heap_pages( /* If a page has no owner it will need no safety TLB flush. */ pg[i].u.free.need_tlbflush = (page_get_owner(&pg[i]) != NULL); if ( pg[i].u.free.need_tlbflush ) - pg[i].tlbflush_timestamp = tlbflush_current_time(); + page_set_tlbflush_timestamp(&pg[i]); /* This page is not a guest frame any more. */ page_set_owner(&pg[i], NULL); /* set_gpfn_from_mfn snoops pg owner */ --- xen/include/asm-arm/flushtlb.h.orig +++ xen/include/asm-arm/flushtlb.h @@@@ -12,6 +12,11 @@@@ static inline void tlbflush_filter(cpuma #define tlbflush_current_time() (0) +static inline void page_set_tlbflush_timestamp(struct page_info *page) +{ + page->tlbflush_timestamp = tlbflush_current_time(); +} + #if defined(CONFIG_ARM_32) # include #elif defined(CONFIG_ARM_64) --- xen/include/asm-x86/flushtlb.h.orig +++ xen/include/asm-x86/flushtlb.h @@@@ -23,6 +23,20 @@@@ DECLARE_PER_CPU(u32, tlbflush_time); #define tlbflush_current_time() tlbflush_clock +static inline void page_set_tlbflush_timestamp(struct page_info *page) +{ + /* + * Prevent storing a stale time stamp, which could happen if an update + * to tlbflush_clock plus a subsequent flush IPI happen between the + * reading of tlbflush_clock and the writing of the struct page_info + * field. + */ + ASSERT(local_irq_is_enabled()); + local_irq_disable(); + page->tlbflush_timestamp = tlbflush_current_time(); + local_irq_enable(); +} + /* * @@cpu_stamp is the timestamp at last TLB flush for the CPU we are testing. * @@lastuse_stamp is a timestamp taken when the PFN we are testing was last @