File xsa244.patch of Package xen.6121

From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: x86/cpu: fix IST handling during PCPU bringup

Clear IST references in newly allocated IDTs.  Nothing good will come of
having them set before the TSS is suitably constructed (although the chances
of the CPU surviving such an IST interrupt/exception is extremely slim).

Uniformly set the IST references after the TSS is in place.  This fixes an
issue on AMD hardware, where onlining a PCPU while PCPU0 is in HVM context
will cause IST_NONE to be copied into the new IDT, making that PCPU vulnerable
to privilege escalation from PV guests until it subsequently schedules an HVM
guest.

This is XSA-244.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

Index: xen-4.4.4-testing/xen/arch/x86/cpu/common.c
===================================================================
--- xen-4.4.4-testing.orig/xen/arch/x86/cpu/common.c
+++ xen-4.4.4-testing/xen/arch/x86/cpu/common.c
@@ -577,6 +577,10 @@ void __cpuinit cpu_init(void)
 	load_TR();
 	asm volatile ( "lldt %%ax" : : "a" (0) );
 
+	set_ist(&idt_tables[cpu][TRAP_double_fault],  IST_DF);
+	set_ist(&idt_tables[cpu][TRAP_nmi],	      IST_NMI);
+	set_ist(&idt_tables[cpu][TRAP_machine_check], IST_MCE);
+
 	/* Clear all 6 debug registers: */
 #define CD(register) asm volatile ( "mov %0,%%db" #register : : "r"(0UL) );
 	CD(0); CD(1); CD(2); CD(3); /* no db4 and db5 */; CD(6); CD(7);
Index: xen-4.4.4-testing/xen/arch/x86/smpboot.c
===================================================================
--- xen-4.4.4-testing.orig/xen/arch/x86/smpboot.c
+++ xen-4.4.4-testing/xen/arch/x86/smpboot.c
@@ -682,6 +682,9 @@ static int cpu_smpboot_alloc(unsigned in
     if ( idt_tables[cpu] == NULL )
         goto oom;
     memcpy(idt_tables[cpu], idt_table, IDT_ENTRIES * sizeof(idt_entry_t));
+    set_ist(&idt_tables[cpu][TRAP_double_fault],  IST_NONE);
+    set_ist(&idt_tables[cpu][TRAP_nmi],           IST_NONE);
+    set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE);
 
     if ( zalloc_cpumask_var(&per_cpu(cpu_sibling_mask, cpu)) &&
          zalloc_cpumask_var(&per_cpu(cpu_core_mask, cpu)) )