File 528a0e5b-TLB-flushing-in-dma_pte_clear_one.patch of Package xen.openSUSE_13.1_Update

References: bnc#851386 CVE-2013-6375 XSA-78

# HG changeset patch
# User Jan Beulich <jbeulich@suse.com>
# Date 1384779355 -3600
# Node ID 81fec8e36840041ca5779a4c4f2eed98180eda2e
# Parent  de9b11c80e2d3bd795d6329e0979c4734c3b4f96
VT-d: fix TLB flushing in dma_pte_clear_one()

The third parameter of __intel_iommu_iotlb_flush() is to indicate
whether the to be flushed entry was a present one. A few lines before,
we bailed if !dma_pte_present(*pte), so there's no need to check the
flag here again - we can simply always pass TRUE here.

This is CVE-2013-6375 / XSA-78.

Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>

--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom
     iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
 
     if ( !this_cpu(iommu_dont_flush_iotlb) )
-        __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);
+        __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);
 
     unmap_vtd_domain_page(page);

Places

File 528a0e5b-TLB-flushing-in-dma_pte_clear_one.patch of Package xen.openSUSE_13.1_Update

Places