xen/528a0e5b-TLB-flushing-in-dma_pte_clear_one.patch

References: bnc#851386 CVE-2013-6375 XSA-78

# HG changeset patch
# User Jan Beulich <jbeulich@suse.com>
# Date 1384779355 -3600
# Node ID 81fec8e36840041ca5779a4c4f2eed98180eda2e
# Parent  de9b11c80e2d3bd795d6329e0979c4734c3b4f96
VT-d: fix TLB flushing in dma_pte_clear_one()

The third parameter of __intel_iommu_iotlb_flush() is to indicate
whether the to be flushed entry was a present one. A few lines before,
we bailed if !dma_pte_present(*pte), so there's no need to check the
flag here again - we can simply always pass TRUE here.

This is CVE-2013-6375 / XSA-78.

Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom
     iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
 
     if ( !this_cpu(iommu_dont_flush_iotlb) )
-        __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);
+        __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);
 
     unmap_vtd_domain_page(page);
- Upstream patches from Jan 5281fad4-numa-sched-leave-node-affinity-alone-if-not-in-auto-mode.patch 52820823-nested-SVM-adjust-guest-handling-of-structure-mappings.patch 52820863-VMX-don-t-crash-processing-d-debug-key.patch 5282492f-x86-eliminate-has_arch_mmios.patch 52864df2-credit-Update-other-parameters-when-setting-tslice_ms.patch 52864f30-fix-leaking-of-v-cpu_affinity_saved-on-domain-destruction.patch 5289d225-nested-VMX-don-t-ignore-mapping-errors.patch 528a0eb0-x86-consider-modules-when-cutting-off-memory.patch 528f606c-x86-hvm-reset-TSC-to-0-after-domain-resume-from-S3.patch 528f609c-x86-crash-disable-the-watchdog-NMIs-on-the-crashing-cpu.patch 52932418-x86-xsave-fix-nonlazy-state-handling.patch - Add missing requires to pciutils package for xend-tools - bnc#851749 - Xen service file does not call xend properly xend.service - bnc#851386 - VUL-0: xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) code 528a0e5b-TLB-flushing-in-dma_pte_clear_one.patch - bnc#849667 - VUL-0: xen: XSA-74: Lock order reversal between page_alloc_lock and mm_rwlock CVE-2013-4553-xsa74.patch - bnc#849665 - VUL-0: CVE-2013-4551: xen: XSA-75: Host crash due to guest VMX instruction execution 52809208-nested-VMX-VMLANUCH-VMRESUME-emulation-must-check-permission-1st.patch - bnc#849668 - VUL-0: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=279 2013-11-26 20:18:36 +00:00			`References: bnc#851386 CVE-2013-6375 XSA-78`

			`# HG changeset patch`
			`# User Jan Beulich <jbeulich@suse.com>`
			`# Date 1384779355 -3600`
			`# Node ID 81fec8e36840041ca5779a4c4f2eed98180eda2e`
			`# Parent de9b11c80e2d3bd795d6329e0979c4734c3b4f96`
			`VT-d: fix TLB flushing in dma_pte_clear_one()`

			`The third parameter of __intel_iommu_iotlb_flush() is to indicate`
			`whether the to be flushed entry was a present one. A few lines before,`
			`we bailed if !dma_pte_present(*pte), so there's no need to check the`
			`flag here again - we can simply always pass TRUE here.`

			`This is CVE-2013-6375 / XSA-78.`

			`Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg>`
			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Acked-by: Keir Fraser <keir@xen.org>`

			`--- a/xen/drivers/passthrough/vtd/iommu.c`
			`+++ b/xen/drivers/passthrough/vtd/iommu.c`
			`@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom`
			`iommu_flush_cache_entry(pte, sizeof(struct dma_pte));`

			`if ( !this_cpu(iommu_dont_flush_iotlb) )`
			`- __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);`
			`+ __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);`

			`unmap_vtd_domain_page(page);`