Received: by mail.netbsd.org (Postfix, from userid 605) id 0CDD28513D; Wed, 3 Feb 2021 22:27:18 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 4635684D71 for ; Wed, 3 Feb 2021 22:27:17 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id vMfHmnRnNY-0 for ; Wed, 3 Feb 2021 22:27:16 +0000 (UTC) Received: from cvs.NetBSD.org (ivanova.NetBSD.org [IPv6:2001:470:a085:999:28c:faff:fe03:5984]) by mail.netbsd.org (Postfix) with ESMTP id 76E5084D0D for ; Wed, 3 Feb 2021 22:27:16 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id 6F698FA94; Wed, 3 Feb 2021 22:27:16 +0000 (UTC) Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_161239123682140" MIME-Version: 1.0 Date: Wed, 3 Feb 2021 22:27:16 +0000 
From: "Manuel Bouyer" Subject: CVS commit: pkgsrc/sysutils/xenkernel413 To: pkgsrc-changes@NetBSD.org Reply-To: bouyer@netbsd.org X-Mailer: log_accum Message-Id: <20210203222716.6F698FA94@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_161239123682140 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: bouyer Date: Wed Feb 3 22:27:16 UTC 2021 Modified Files: pkgsrc/sysutils/xenkernel413: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel413/patches: patch-XSA355 patch-XSA360 Log Message: Add upstream patches for Xen security advisory 355 and 360. Bump PKGREVSION To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 pkgsrc/sysutils/xenkernel413/Makefile cvs rdiff -u -r1.8 -r1.9 pkgsrc/sysutils/xenkernel413/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/sysutils/xenkernel413/patches/patch-XSA355 \ pkgsrc/sysutils/xenkernel413/patches/patch-XSA360 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_161239123682140 Content-Disposition: inline Content-Length: 6778 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=utf-8 Modified files:
Index: pkgsrc/sysutils/xenkernel413/Makefile
diff -u pkgsrc/sysutils/xenkernel413/Makefile:1.11 pkgsrc/sysutils/xenkernel413/Makefile:1.12
--- pkgsrc/sysutils/xenkernel413/Makefile:1.11 Wed Dec 16 17:15:22 2020
+++ pkgsrc/sysutils/xenkernel413/Makefile Wed Feb 3 22:27:16 2021
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.11 2020/12/16 17:15:22 bouyer Exp $
+# $NetBSD: Makefile,v 1.12 2021/02/03 22:27:16 bouyer Exp $
 VERSION= 4.13.2
-PKGREVISION= 4
+PKGREVISION= 5
 DISTNAME= xen-${VERSION}
 PKGNAME= xenkernel413-${VERSION}
 CATEGORIES= sysutils
Index: pkgsrc/sysutils/xenkernel413/distinfo
diff -u pkgsrc/sysutils/xenkernel413/distinfo:1.8 pkgsrc/sysutils/xenkernel413/distinfo:1.9
--- pkgsrc/sysutils/xenkernel413/distinfo:1.8 Wed Dec 16 17:15:22 2020
+++ pkgsrc/sysutils/xenkernel413/distinfo Wed Feb 3 22:27:16 2021
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2020/12/16 17:15:22 bouyer Exp $
+$NetBSD: distinfo,v 1.9 2021/02/03 22:27:16 bouyer Exp $
 SHA1 (xen413/xen-4.13.2.tar.gz) = d514f1de9582c58676420bb2c9fb1c765b44fbff
 RMD160 (xen413/xen-4.13.2.tar.gz) = 96727c20bd84338f8c67c7c584c01ef877bbcb18
@@ -7,8 +7,10 @@ Size (xen413/xen-4.13.2.tar.gz) = 390378
 SHA1 (patch-Config.mk) = 9372a09efd05c9fbdbc06f8121e411fcb7c7ba65
 SHA1 (patch-XSA348) = 70de325f88e004228d2b69b7ae3b4106175be1e0
 SHA1 (patch-XSA351) = edb0975ab0aa53d7a0ae7816fe170a081eea695e
+SHA1 (patch-XSA355) = 73ca5dff042a4a54b06af36e6ace7d09673c05f0
 SHA1 (patch-XSA358) = 71d5b2e3d19223b986b8572adfbe7355a3a03db6
 SHA1 (patch-XSA359) = 4b778a86fffbe0e2a364e1589d573bbc7c27ff99
+SHA1 (patch-XSA360) = c1aa4bdade4d3318bc2dffa83e359f66997b11df
 SHA1 (patch-fixpvh) = fd71e150e0b3a461875c02c4419dbfb30548d8f6
 SHA1 (patch-xen_Makefile) = 465388d80de414ca3bb84faefa0f52d817e423a6
 SHA1 (patch-xen_Rules.mk) = c743dc63f51fc280d529a7d9e08650292c171dac
Added files:
Index: pkgsrc/sysutils/xenkernel413/patches/patch-XSA355
diff -u /dev/null pkgsrc/sysutils/xenkernel413/patches/patch-XSA355:1.1
--- /dev/null Wed Feb 3 22:27:16 2021
+++ pkgsrc/sysutils/xenkernel413/patches/patch-XSA355 Wed Feb 3 22:27:16 2021
@@ -0,0 +1,25 @@
+$NetBSD: patch-XSA355,v 1.1 2021/02/03 22:27:16 bouyer Exp $
+
+From: Jan Beulich
+Subject: memory: fix off-by-one in XSA-346 change
+
+The comparison against ARRAY_SIZE() needs to be >= in order to avoid
+overrunning the pages[] array.
+
+This is XSA-355.
+
+Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush")
+Signed-off-by: Jan Beulich
+Reviewed-by: Julien Grall
+
+--- xen/common/memory.c.orig
++++ xen/common/memory.c
+@@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain
+ ++extra.ppage;
+
+ /* Check for continuation if it's not the last iteration. */
+- if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
++ if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
+ (xatp->size > done && hypercall_preempt_check()) )
+ {
+ rc = start + done;
Index: pkgsrc/sysutils/xenkernel413/patches/patch-XSA360
diff -u /dev/null pkgsrc/sysutils/xenkernel413/patches/patch-XSA360:1.1
--- /dev/null Wed Feb 3 22:27:16 2021
+++ pkgsrc/sysutils/xenkernel413/patches/patch-XSA360 Wed Feb 3 22:27:16 2021
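Review bot: The comment above the changed condition in xen/common/memory.c still describes only the preemption case, while the first clause is the bound that stops the loop from running past pages[], which is the off-by-one this patch corrects. I would extend it to `/* Check for continuation if it's not the last iteration, or if pages[] has no free slot left for the next one. */` so the capacity invariant is stated where it is enforced. The store through `extra.ppage` and the declaration of pages[] are outside the quoted hunk, so whether a debug assertion next to that store is practical cannot be judged from here. xenmem_add_to_physmap starts and ends outside the hunk.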
@@ -0,0 +1,99 @@
+$NetBSD: patch-XSA360,v 1.1 2021/02/03 22:27:16 bouyer Exp $
+
+From: Roger Pau Monne
+Subject: x86/dpci: do not remove pirqs from domain tree on unbind
+
+A fix for a previous issue removed the pirqs from the domain tree when
+they are unbound in order to prevent shared pirqs from triggering a
+BUG_ON in __pirq_guest_unbind if they are unbound multiple times. That
+caused free_domain_pirqs to no longer unmap the pirqs because they
+are gone from the domain pirq tree, thus leaving stale unbound pirqs
+after domain destruction if the domain had mapped dpci pirqs after
+shutdown.
+
+Take a different approach to fix the original issue, instead of
+removing the pirq from d->pirq_tree clear the flags of the dpci pirq
+struct to signal that the pirq is now unbound. This prevents calling
+pirq_guest_unbind multiple times for the same pirq without having to
+remove it from the domain pirq tree.
+
+This is XSA-360.
+
+Fixes: 5b58dad089 ('x86/pass-through: avoid double IRQ unbind during domain cleanup')
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Jan Beulich
+
+--- xen/arch/x86/irq.c.orig
++++ xen/arch/x86/irq.c
+@@ -1331,7 +1331,7 @@ void (pirq_cleanup_check)(struct pirq *p
+ }
+
+ if ( radix_tree_delete(&d->pirq_tree, pirq->pirq) != pirq )
+- BUG_ON(!d->is_dying);
++ BUG();
+ }
+
+ /* Flush all ready EOIs from the top of this CPU's pending-EOI stack. */
+--- xen/drivers/passthrough/pci.c.orig
++++ xen/drivers/passthrough/pci.c
+@@ -862,6 +862,10 @@ static int pci_clean_dpci_irq(struct dom
+ {
+ struct dev_intx_gsi_link *digl, *tmp;
+
++ if ( !pirq_dpci->flags )
++ /* Already processed. */
++ return 0;
++
+ pirq_guest_unbind(d, dpci_pirq(pirq_dpci));
+
+ if ( pt_irq_need_timer(pirq_dpci->flags) )
+@@ -872,15 +876,10 @@ static int pci_clean_dpci_irq(struct dom
+ list_del(&digl->list);
+ xfree(digl);
+ }
++ /* Note the pirq is now unbound.
*/
++ pirq_dpci->flags = 0;
+
+- radix_tree_delete(&d->pirq_tree, dpci_pirq(pirq_dpci)->pirq);
+-
+- if ( !pt_pirq_softirq_active(pirq_dpci) )
+- return 0;
+-
+- domain_get_irq_dpci(d)->pending_pirq_dpci = pirq_dpci;
+-
+- return -ERESTART;
++ return pt_pirq_softirq_active(pirq_dpci) ? -ERESTART : 0;
+ }
+
+ static int pci_clean_dpci_irqs(struct domain *d)
+@@ -897,18 +896,8 @@ static int pci_clean_dpci_irqs(struct do
+ hvm_irq_dpci = domain_get_irq_dpci(d);
+ if ( hvm_irq_dpci != NULL )
+ {
+- int ret = 0;
+-
+- if ( hvm_irq_dpci->pending_pirq_dpci )
+- {
+- if ( pt_pirq_softirq_active(hvm_irq_dpci->pending_pirq_dpci) )
+- ret = -ERESTART;
+- else
+- hvm_irq_dpci->pending_pirq_dpci = NULL;
+- }
++ int ret = pt_pirq_iterate(d, pci_clean_dpci_irq, NULL);
+
+- if ( !ret )
+- ret = pt_pirq_iterate(d, pci_clean_dpci_irq, NULL);
+ if ( ret )
+ {
+ spin_unlock(&d->event_lock);
+--- xen/include/asm-x86/hvm/irq.h.orig
++++ xen/include/asm-x86/hvm/irq.h
+@@ -160,8 +160,6 @@ struct hvm_irq_dpci {
+ DECLARE_BITMAP(isairq_map, NR_ISAIRQS);
+ /* Record of mapped Links */
+ uint8_t link_cnt[NR_LINK];
+- /* Clean up: Entry with a softirq invocation pending / in progress. */
+- struct hvm_pirq_dpci *pending_pirq_dpci;
+ };
+
+ /* Machine IRQ to guest device/intx mapping. */
--_----------=_161239123682140--
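Review bot: In the pci_clean_dpci_irq changes to xen/drivers/passthrough/pci.c, `pirq_dpci->flags = 0;` is written before the `pt_pirq_softirq_active()` test, so after a -ERESTART the retried call takes the new `if ( !pirq_dpci->flags )` early return and reports 0 without looking at the softirq state again. The removed `pending_pirq_dpci` bookkeeping was what re-checked that pirq on the next pass, and nothing in the visible lines replaces it, so the "Already processed." comment should say what makes the second pass safe, e.g. `/* Already processed; an in-flight softirq is covered by <mechanism, to be confirmed>. */`. Separately, replacing `BUG_ON(!d->is_dying)` with `BUG()` in xen/arch/x86/irq.c turns any remaining path that drops a pirq from d->pirq_tree into a hypervisor crash, so a one-line comment stating the intended invariant (presumably that pirq_cleanup_check is the only remover) would help the next reader. Both functions start or end outside the quoted hunks, so these points are limited to what the patch shows.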