head 1.3;
access;
symbols
    pkgsrc-2017Q4:1.2.0.2
    pkgsrc-2017Q4-base:1.2
    pkgsrc-2017Q3:1.1.0.2;
locks; strict;
comment @# @;


1.3
date 2018.01.24.23.29.32; author bouyer; state dead;
branches;
next 1.2;
commitid WktdwS8UoS8bvboA;

1.2
date 2017.12.15.14.02.15; author bouyer; state Exp;
branches 1.2.2.1;
next 1.1;
commitid 0ZGmm4R3nBw9FZiA;

1.1
date 2017.10.17.08.42.30; author bouyer; state Exp;
branches 1.1.2.1;
next ;
commitid OJpItiWkoMToMnbA;

1.2.2.1
date 2018.01.28.15.23.24; author bsiegert; state dead;
branches;
next ;
commitid hLOFEOUtck6sHEoA;

1.1.2.1
date 2017.10.17.08.42.30; author bsiegert; state dead;
branches;
next 1.1.2.2;
commitid fTgNkUKfFJMQdrbA;

1.1.2.2
date 2017.10.17.19.02.25; author bsiegert; state Exp;
branches;
next ;
commitid fTgNkUKfFJMQdrbA;


desc
@@


1.3
log
@Update xen 4.8 packages to 4.8.3.
Changes since 4.8.2: include patches from all security advisory up to
and including XSA254.

While there pass XEN_VENDORVERSION=nb${PKGREVISION} to make so that
'xl info' shows the NetBSD PKGREVISION. If PKGREVISION is not available,
define this as 'nb0'.
@
text
@$NetBSD: patch-XSA242,v 1.2 2017/12/15 14:02:15 bouyer Exp $

From: Jan Beulich
Subject: x86: don't allow page_unlock() to drop the last type reference

Only _put_page_type() does the necessary cleanup, and hence not all
domain pages can be released during guest cleanup (leaving around
zombie domains) if we get this wrong.

This is XSA-242.

Signed-off-by: Jan Beulich --- xen/arch/x86/mm.c.orig 2017-12-15 14:30:10.000000000 +0100 +++ xen/arch/x86/mm.c 2017-12-15 14:31:32.000000000 +0100 @@@@ -1906,7 +1906,11 @@@@ do { x = y; + ASSERT((x & PGT_count_mask) && (x & PGT_locked)); + nx = x - (1 | PGT_locked); + /* We must not drop the last reference here. */ + ASSERT(nx & PGT_count_mask); } while ( (y = cmpxchg(&page->u.inuse.type_info, x, nx)) != x ); } @@@@ -2575,6 +2579,17 @@@@ (page->count_info & PGC_page_table)) ) page_set_tlbflush_timestamp(page); } + else if ( unlikely((nx & (PGT_locked | PGT_count_mask)) == + (PGT_locked | 1)) ) + { + /* + * We must not drop the second to last reference when the page is + * locked, as page_unlock() doesn't do any cleanup of the type. + */ + cpu_relax(); + y = page->u.inuse.type_info; + continue; + } if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) ) break; @ 1.2 log @Apply patches from upstream, fixing security issues XSA246 up to XSA251. Also update patch-XSA240 from upstream, fixing issues in linear page table handling introduced by the original XSA240 patch. 
Bump PKGREVISION
@
text
@d1 1
a1 1
$NetBSD: patch-XSA242,v 1.1 2017/10/17 08:42:30 bouyer Exp $
@


1.2.2.1
log
@Pullup ticket #5693 - requested by bouyer
sysutils/xenkernel48: security fix
sysutils/xentools48: security fix

Revisions pulled up:
- sysutils/xenkernel48/Makefile 1.12
- sysutils/xenkernel48/distinfo 1.6
- sysutils/xenkernel48/patches/patch-XSA231 deleted
- sysutils/xenkernel48/patches/patch-XSA232 deleted
- sysutils/xenkernel48/patches/patch-XSA234 deleted
- sysutils/xenkernel48/patches/patch-XSA237 deleted
- sysutils/xenkernel48/patches/patch-XSA238 deleted
- sysutils/xenkernel48/patches/patch-XSA239 deleted
- sysutils/xenkernel48/patches/patch-XSA240 deleted
- sysutils/xenkernel48/patches/patch-XSA241 deleted
- sysutils/xenkernel48/patches/patch-XSA242 deleted
- sysutils/xenkernel48/patches/patch-XSA243 deleted
- sysutils/xenkernel48/patches/patch-XSA244 deleted
- sysutils/xenkernel48/patches/patch-XSA246 deleted
- sysutils/xenkernel48/patches/patch-XSA247 deleted
- sysutils/xenkernel48/patches/patch-XSA248 deleted
- sysutils/xenkernel48/patches/patch-XSA249 deleted
- sysutils/xenkernel48/patches/patch-XSA250 deleted
- sysutils/xenkernel48/patches/patch-XSA251 deleted
- sysutils/xenkernel48/patches/patch-XSA254-1 deleted
- sysutils/xenkernel48/patches/patch-XSA254-2 deleted
- sysutils/xenkernel48/patches/patch-XSA254-3 deleted
- sysutils/xenkernel48/patches/patch-XSA254-4 deleted
- sysutils/xentools48/Makefile 1.16
- sysutils/xentools48/distinfo 1.7-1.8
- sysutils/xentools48/patches/patch-XSA233 deleted
- sysutils/xentools48/patches/patch-XSA240 deleted

---
Module Name: pkgsrc
Committed By: bouyer
Date: Wed Jan 24 23:29:33 UTC 2018

Modified Files:
    pkgsrc/sysutils/xenkernel48: Makefile distinfo
    pkgsrc/sysutils/xentools48: Makefile distinfo
Removed Files:
    pkgsrc/sysutils/xenkernel48/patches: patch-XSA231 patch-XSA232
        patch-XSA234 patch-XSA237 patch-XSA238 patch-XSA239 patch-XSA240
        patch-XSA241 patch-XSA242 patch-XSA243 patch-XSA244 patch-XSA246
        patch-XSA247 patch-XSA248 patch-XSA249 patch-XSA250 patch-XSA251
        patch-XSA254-1 patch-XSA254-2 patch-XSA254-3 patch-XSA254-4
    pkgsrc/sysutils/xentools48/patches: patch-XSA233 patch-XSA240

Log Message:
Update xen 4.8 packages to 4.8.3.
Changes since 4.8.2: include patches from all security advisory up to
and including XSA254.

While there pass XEN_VENDORVERSION=nb${PKGREVISION} to make so that
'xl info' shows the NetBSD PKGREVISION. If PKGREVISION is not available,
define this as 'nb0'.

---
Module Name: pkgsrc
Committed By: bouyer
Date: Sat Jan 27 16:44:40 UTC 2018

Modified Files:
    pkgsrc/sysutils/xentools48: distinfo

Log Message:
Remove entries for patch-XSA233 and patch-XSA240 which have been deleted.
@
text
@d1 1
a1 1
$NetBSD: patch-XSA242,v 1.2 2017/12/15 14:02:15 bouyer Exp $
@


1.1
log
@Update xentools48 and xenkernel48 to 4.8.2, and apply security patches
up to XSA244. Keep PKGREVISION to 1 to account for the fact that it's
not a stock Xen 4.8.2.

Note that, unlike upstream, pv-linear-pt defaults to true, so that
NetBSD PV guests (including dom0) will continue to boot without changes
to boot.cfg
@
text
@d1 1 a1 1 $NetBSD: $ d14 3 a16 3 --- xen/arch/x86/mm.c.orig +++ xen/arch/x86/mm.c @@@@ -1923,7 +1923,11 @@@@ void page_unlock(struct page_info *page) d28 1 a28 1 @@@@ -2611,6 +2615,17 @@@@ static int _put_page_type(struct page_in @


1.1.2.1
log
@file patch-XSA242 was added on branch pkgsrc-2017Q3 on 2017-10-17 19:02:25 +0000
@
text
@d1 45
@


1.1.2.2
log
@Pullup ticket #5579 - requested by bouyer
sysutils/xenkernel48, sysutils/xentools48: security fix

Revisions pulled up:
- sysutils/xenkernel48/MESSAGE 1.2
- sysutils/xenkernel48/Makefile 1.6
- sysutils/xenkernel48/distinfo 1.3
- sysutils/xenkernel48/patches/patch-XSA-212 deleted
- sysutils/xenkernel48/patches/patch-XSA231 1.1
- sysutils/xenkernel48/patches/patch-XSA232 1.1
- sysutils/xenkernel48/patches/patch-XSA234 1.1
- sysutils/xenkernel48/patches/patch-XSA237 1.1
- sysutils/xenkernel48/patches/patch-XSA238 1.1
- sysutils/xenkernel48/patches/patch-XSA239 1.1
- sysutils/xenkernel48/patches/patch-XSA240 1.1
- sysutils/xenkernel48/patches/patch-XSA241 1.1
- sysutils/xenkernel48/patches/patch-XSA242 1.1
- sysutils/xenkernel48/patches/patch-XSA243 1.1
- sysutils/xenkernel48/patches/patch-XSA244 1.1
- sysutils/xentools48/Makefile 1.8
- sysutils/xentools48/distinfo 1.4
- sysutils/xentools48/patches/patch-XSA-211-1 deleted
- sysutils/xentools48/patches/patch-XSA-211-2 deleted
- sysutils/xentools48/patches/patch-XSA233 1.1
- sysutils/xentools48/patches/patch-XSA240 1.1

---
Module Name: pkgsrc
Committed By: bouyer
Date: Tue Oct 17 08:42:30 UTC 2017

Modified Files:
    pkgsrc/sysutils/xenkernel48: MESSAGE Makefile distinfo
    pkgsrc/sysutils/xentools48: Makefile distinfo
Added Files:
    pkgsrc/sysutils/xenkernel48/patches: patch-XSA231 patch-XSA232
        patch-XSA234 patch-XSA237 patch-XSA238 patch-XSA239 patch-XSA240
        patch-XSA241 patch-XSA242 patch-XSA243 patch-XSA244
    pkgsrc/sysutils/xentools48/patches: patch-XSA233 patch-XSA240
Removed Files:
    pkgsrc/sysutils/xenkernel48/patches: patch-XSA-212
    pkgsrc/sysutils/xentools48/patches: patch-XSA-211-1 patch-XSA-211-2

Log Message:
Update xentools48 and xenkernel48 to 4.8.2, and apply security patches
up to XSA244. Keep PKGREVISION to 1 to account for the fact that it's
not a stock Xen 4.8.2.

Note that, unlike upstream, pv-linear-pt defaults to true, so that
NetBSD PV guests (including dom0) will continue to boot without changes
to boot.cfg
@
text
@a0 45
$NetBSD: patch-XSA242,v 1.1 2017/10/17 08:42:30 bouyer Exp $

From: Jan Beulich
Subject: x86: don't allow page_unlock() to drop the last type reference

Only _put_page_type() does the necessary cleanup, and hence not all
domain pages can be released during guest cleanup (leaving around
zombie domains) if we get this wrong.

This is XSA-242.

Signed-off-by: Jan Beulich --- xen/arch/x86/mm.c.orig +++ xen/arch/x86/mm.c @@@@ -1923,7 +1923,11 @@@@ void page_unlock(struct page_info *page) do { x = y; + ASSERT((x & PGT_count_mask) && (x & PGT_locked)); + nx = x - (1 | PGT_locked); + /* We must not drop the last reference here. */ + ASSERT(nx & PGT_count_mask); } while ( (y = cmpxchg(&page->u.inuse.type_info, x, nx)) != x ); } @@@@ -2611,6 +2615,17 @@@@ static int _put_page_type(struct page_in (page->count_info & PGC_page_table)) ) page_set_tlbflush_timestamp(page); } + else if ( unlikely((nx & (PGT_locked | PGT_count_mask)) == + (PGT_locked | 1)) ) + { + /* + * We must not drop the second to last reference when the page is + * locked, as page_unlock() doesn't do any cleanup of the type. + */ + cpu_relax(); + y = page->u.inuse.type_info; + continue; + } if ( likely((y = cmpxchg(&page->u.inuse.type_info, x, nx)) == x) ) break; @
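
Review bot: In the page_unlock() hunk both new checks are ASSERT()s, so the rule stated in the comment "We must not drop the last reference here" is checked but not enforced by this function: wherever ASSERT() is compiled out, `nx = x - (1 | PGT_locked)` still stores a zero count. The comment should name the new branch in _put_page_type() as the code that actually prevents this, so that a later change to that branch is not made without revisiting these two assertions.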
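
Review bot: The new `else if` branch in _put_page_type() waits with cpu_relax(), re-reads type_info and `continue`s with no bound, and its comment explains why the decrement is refused but not what ends the wait. The comment should say that the loop exits once the lock holder's page_unlock() clears PGT_locked, and what the lock holder is assumed not to do while this CPU spins. It would also help to note next to "second to last reference" that the test `(nx & (PGT_locked | PGT_count_mask)) == (PGT_locked | 1)` is made on nx, the value about to be stored by the cmpxchg() below, not on the current value x.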