system/xen: XSA 207-210 update.

Signed-off-by: Mario Preksavec <mario@slackware.hr>

1 files changed, 41 insertions, 0 deletions

diff --git a/system/xen/xsa/xsa210.patch b/system/xen/xsa/xsa210.patch
new file mode 100644
index 000000000000..0696570c085b
--- /dev/null
+++ b/system/xen/xsa/xsa210.patch
@@ -0,0 +1,41 @@
+From: Julien Grall <julien.grall@arm.com>
+Subject: arm/p2m: remove the page from p2m->pages list before freeing it
+
+The p2m code is using the page list field to link all the pages used
+for the stage-2 page tables. The page is added into the p2m->pages
+list just after the allocation but never removed from the list.
+
+The page list field is also used by the allocator, not removing may
+result a later Xen crash due to inconsistency (see [1]).
+
+This bug was introduced by the reworking of p2m code in commit 2ef3e36ec7
+"xen/arm: p2m: Introduce p2m_set_entry and __p2m_set_entry".
+
+[1] https://lists.xenproject.org/archives/html/xen-devel/2017-02/msg00524.html
+
+Reported-by: Vijaya Kumar K <Vijaya.Kumar@cavium.com>
+Signed-off-by: Julien Grall <julien.grall@arm.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+
+--- a/xen/arch/arm/p2m.c
++++ b/xen/arch/arm/p2m.c
+@@ -660,6 +660,7 @@ static void p2m_free_entry(struct p2m_domain *p2m,
+     unsigned int i;
+     lpae_t *table;
+     mfn_t mfn;
++    struct page_info *pg;
+ 
+     /* Nothing to do if the entry is invalid. */
+     if ( !p2m_valid(entry) )
+@@ -697,7 +698,10 @@ static void p2m_free_entry(struct p2m_domain *p2m,
+     mfn = _mfn(entry.p2m.base);
+     ASSERT(mfn_valid(mfn_x(mfn)));
+ 
+-    free_domheap_page(mfn_to_page(mfn_x(mfn)));
++    pg = mfn_to_page(mfn_x(mfn));
++
++    page_list_del(pg, &p2m->pages);
++    free_domheap_page(pg);
+ }
+ 
+ static bool p2m_split_superpage(struct p2m_domain *p2m, lpae_t *entry,