Xen project Mailing List

Re: [Xen-devel] [BUG] Error applying XSA240 update 5 on 4.8 and 4.9 (patch 3 references CONFIG_PV_LINEAR_PT, 3285e75dea89, x86/mm: Make PV linear pagetables optional)

To: Jan Beulich <JBeulich@xxxxxxxx>, Steven Haigh <netwiz@xxxxxxxxx>

From: George Dunlap <george.dunlap@xxxxxxxxxx>

Date: Thu, 16 Nov 2017 13:19:55 +0000

Cc: xen-devel@xxxxxxxxxxxxx, "Xen.org security team" <security@xxxxxxx>, John Thomson <lists@xxxxxxxxxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 16 Nov 2017 13:20:09 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 11/16/2017 01:04 PM, Jan Beulich wrote: >>>> On 16.11.17 at 13:30, <netwiz@xxxxxxxxx> wrote: >> On Thursday, 16 November 2017 8:30:39 PM AEDT Jan Beulich wrote: >>>>>> On 15.11.17 at 23:48, <lists@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote: >>>> I am having trouble applying the patch 3 from XSA240 update 5 for xen >>>> stable 4.8 and 4.9 >>>> xsa240 0003 contains: >>>> >>>> CONFIG_PV_LINEAR_PT >>>> >>>> from: >>>> >>>> x86/mm: Make PV linear pagetables optional >>>> https://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=3285e75dea89afb0e >>>> f5 b3ee39bd15194bd7cc110 >>>> >>>> I cannot find this string in an XSA, nor is an XSA referenced in the >>>> commit. >>>> Am I missing a patch, or doing something wrong? >>> >>> Well, you're expected to apply all patched which haven't been >>> applied so far. In particular, in the stable version trees, the 2nd >>> patch hasn't gone in yet (I'm intending to do this later today), >>> largely because it (a) wasn't ready at the time the first patch >>> went in and (b) it is more a courtesy patch than an actual part of >>> the security fix. >> >> I'm not quite sure this is a great idea... They should work on the released >> versions - hence xsa240 patchset should apply to the base tarball + current >> XSA patches. If there is something in the git that *isn't* in the latest >> release, it should be included in the XSA patchset - otherwise the set is >> incomplete. > > Well, I've been taking a different view: The only valid (or so to say > canonical) base to supply patches against is the current tip of the > respective staging branch. Anyone wanting to apply to anything > older will need to make adjustments, if need be. Otherwise what > would keep you or others to request, say, not only patches against > 4.7.3, but also against 4.7.0, 4.7.1, and 4.7.2? Jan, These are two different things. Steve's reluctance to backport a potentially arbitrary number of non-security-related patches is completely reasonable. Steve, one of the problems with what you ask is that as a security team, we'd like to be able to take the patches given in the advisory and check it in, as-is, to the staging branches. That makes it easier, for instance, to make sure that all the XSAs have been applied before we do a release; and it means that we only need to review one patch per supported release (up to 5 potential patches at this time in addition to the one to xen-unstable) rather than two (up to 10 potential patches). -George _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.