xen/CVE-2013-1918-xsa45-3-new-user-base-preemptible.patch

x86: make MMUEXT_NEW_USER_BASEPTR preemptible

... as it may take significant amounts of time.

This is part of CVE-2013-1918 / XSA-45.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>

Index: xen-4.2.1-testing/xen/arch/x86/mm.c
===================================================================
--- xen-4.2.1-testing.orig/xen/arch/x86/mm.c
+++ xen-4.2.1-testing/xen/arch/x86/mm.c
@@ -3313,29 +3313,56 @@ long do_mmuext_op(
                 break;
             }
 
+            old_mfn = pagetable_get_pfn(curr->arch.guest_table_user);
+            /*
+             * This is particularly important when getting restarted after the
+             * previous attempt got preempted in the put-old-MFN phase.
+             */
+            if ( old_mfn == op.arg1.mfn )
+                break;
+
             if ( op.arg1.mfn != 0 )
             {
                 if ( paging_mode_refcounts(d) )
                     okay = get_page_from_pagenr(op.arg1.mfn, d);
                 else
-                    okay = !get_page_and_type_from_pagenr(
-                        op.arg1.mfn, PGT_root_page_table, d, 0, 0);
+                {
+                    rc = get_page_and_type_from_pagenr(
+                        op.arg1.mfn, PGT_root_page_table, d, 0, 1);
+                    okay = !rc;
+                }
                 if ( unlikely(!okay) )
                 {
-                    MEM_LOG("Error while installing new mfn %lx", op.arg1.mfn);
+                    if ( rc == -EINTR )
+                        rc = -EAGAIN;
+                    else if ( rc != -EAGAIN )
+                        MEM_LOG("Error while installing new mfn %lx",
+                                op.arg1.mfn);
                     break;
                 }
             }
 
-            old_mfn = pagetable_get_pfn(curr->arch.guest_table_user);
             curr->arch.guest_table_user = pagetable_from_pfn(op.arg1.mfn);
 
             if ( old_mfn != 0 )
             {
+                struct page_info *page = mfn_to_page(old_mfn);
+
                 if ( paging_mode_refcounts(d) )
-                    put_page(mfn_to_page(old_mfn));
+                    put_page(page);
                 else
-                    put_page_and_type(mfn_to_page(old_mfn));
+                    switch ( rc = put_page_and_type_preemptible(page, 1) )
+                    {
+                    case -EINTR:
+                        rc = -EAGAIN;
+                    case -EAGAIN:
+                        curr->arch.old_guest_table = page;
+                        okay = 0;
+                        break;
+                    default:
+                        BUG_ON(rc);
+                        break;
+                    }
             }
 
             break;
- add xorg-x11-util-devel to BuildRequires to get lndir(1) - remove xen.migrate.tools_notify_restore_to_hangup_during_migration_--abort_if_busy.patch It changed migration protocol and upstream wants a different solution - bnc#802221 - fix xenpaging readd xenpaging.qemu.flush-cache.patch - Upstream patches from Jan 26891-x86-S3-Fix-cpu-pool-scheduling-after-suspend-resume.patch 26930-x86-EFI-fix-runtime-call-status-for-compat-mode-Dom0.patch - Additional fix for bnc#816159 CVE-2013-1918-xsa45-followup.patch - bnc#817068 - Xen guest with >1 sr-iov vf won't start xen-managed-pci-device.patch - Update to Xen 4.2.2 c/s 26064 The following recent security patches are included in the tarball CVE-2013-0151-xsa34.patch (bnc#797285) CVE-2012-6075-xsa41.patch (bnc#797523) CVE-2013-1917-xsa44.patch (bnc#813673) CVE-2013-1919-xsa46.patch (bnc#813675) - Upstream patch from Jan 26902-x86-EFI-pass-boot-services-variable-info-to-runtime-code.patch - bnc#816159 - VUL-0: xen: CVE-2013-1918: XSA-45: Several long latency operations are not preemptible CVE-2013-1918-xsa45-1-vcpu-destroy-pagetables-preemptible.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=237 2013-05-07 14:35:00 +00:00			`x86: make MMUEXT_NEW_USER_BASEPTR preemptible`

			`... as it may take significant amounts of time.`

			`This is part of CVE-2013-1918 / XSA-45.`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Acked-by: Tim Deegan <tim@xen.org>`

			`Index: xen-4.2.1-testing/xen/arch/x86/mm.c`
			`===================================================================`
			`--- xen-4.2.1-testing.orig/xen/arch/x86/mm.c`
			`+++ xen-4.2.1-testing/xen/arch/x86/mm.c`
			`@@ -3313,29 +3313,56 @@ long do_mmuext_op(`
			`break;`
			`}`

			`+ old_mfn = pagetable_get_pfn(curr->arch.guest_table_user);`
			`+ /*`
			`+ * This is particularly important when getting restarted after the`
			`+ * previous attempt got preempted in the put-old-MFN phase.`
			`+ */`
			`+ if ( old_mfn == op.arg1.mfn )`
			`+ break;`
			`+`
			`if ( op.arg1.mfn != 0 )`
			`{`
			`if ( paging_mode_refcounts(d) )`
			`okay = get_page_from_pagenr(op.arg1.mfn, d);`
			`else`
			`- okay = !get_page_and_type_from_pagenr(`
			`- op.arg1.mfn, PGT_root_page_table, d, 0, 0);`
			`+ {`
			`+ rc = get_page_and_type_from_pagenr(`
			`+ op.arg1.mfn, PGT_root_page_table, d, 0, 1);`
			`+ okay = !rc;`
			`+ }`
			`if ( unlikely(!okay) )`
			`{`
			`- MEM_LOG("Error while installing new mfn %lx", op.arg1.mfn);`
			`+ if ( rc == -EINTR )`
			`+ rc = -EAGAIN;`
			`+ else if ( rc != -EAGAIN )`
			`+ MEM_LOG("Error while installing new mfn %lx",`
			`+ op.arg1.mfn);`
			`break;`
			`}`
			`}`

			`- old_mfn = pagetable_get_pfn(curr->arch.guest_table_user);`
			`curr->arch.guest_table_user = pagetable_from_pfn(op.arg1.mfn);`

			`if ( old_mfn != 0 )`
			`{`
			`+ struct page_info *page = mfn_to_page(old_mfn);`
			`+`
			`if ( paging_mode_refcounts(d) )`
			`- put_page(mfn_to_page(old_mfn));`
			`+ put_page(page);`
			`else`
			`- put_page_and_type(mfn_to_page(old_mfn));`
			`+ switch ( rc = put_page_and_type_preemptible(page, 1) )`
			`+ {`
			`+ case -EINTR:`
			`+ rc = -EAGAIN;`
			`+ case -EAGAIN:`
			`+ curr->arch.old_guest_table = page;`
			`+ okay = 0;`
			`+ break;`
			`+ default:`
			`+ BUG_ON(rc);`
			`+ break;`
			`+ }`
			`}`

			`break;`