
Re: [Xen-devel] [BUG] Error applying XSA240 update 5 on 4.8 and 4.9 (patch 3 references CONFIG_PV_LINEAR_PT, 3285e75dea89, x86/mm: Make PV linear pagetables optional)



On 11/16/2017 01:04 PM, Jan Beulich wrote:
>>>> On 16.11.17 at 13:30, <netwiz@xxxxxxxxx> wrote:
>> On Thursday, 16 November 2017 8:30:39 PM AEDT Jan Beulich wrote:
>>>>>> On 15.11.17 at 23:48, <lists@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>> I am having trouble applying the patch 3 from XSA240 update 5 for xen
>>>> stable 4.8 and 4.9
>>>> xsa240 0003 contains:
>>>>
>>>> CONFIG_PV_LINEAR_PT
>>>>
>>>> from:
>>>>
>>>> x86/mm: Make PV linear pagetables optional
>>>> https://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=3285e75dea89afb0ef5b3ee39bd15194bd7cc110
>>>>
>>>> I cannot find this string in an XSA, nor is an XSA referenced in the
>>>> commit.
>>>> Am I missing a patch, or doing something wrong?
>>>
>>> Well, you're expected to apply all patches which haven't been
>>> applied so far. In particular, in the stable version trees, the 2nd
>>> patch hasn't gone in yet (I'm intending to do this later today),
>>> largely because it (a) wasn't ready at the time the first patch
>>> went in and (b) it is more a courtesy patch than an actual part of
>>> the security fix.
>>
>> I'm not quite sure this is a great idea... They should work on the released 
>> versions - hence xsa240 patchset should apply to the base tarball + current 
>> XSA patches. If there is something in the git that *isn't* in the latest 
>> release, it should be included in the XSA patchset - otherwise the set is 
>> incomplete.
> 
> Well, I've been taking a different view: The only valid (or so to say
> canonical) base to supply patches against is the current tip of the
> respective staging branch. Anyone wanting to apply to anything
> older will need to make adjustments, if need be. Otherwise what
> would keep you or others from requesting, say, not only patches against
> 4.7.3, but also against 4.7.0, 4.7.1, and 4.7.2?

Jan,

These are two different things.  Steve's reluctance to backport a
potentially arbitrary number of non-security-related patches is
completely reasonable.

Steve, one of the problems with what you ask is that as a security team,
we'd like to be able to take the patches given in the advisory and check
them in, as-is, to the staging branches.  That makes it easier, for
instance, to make sure that all the XSAs have been applied before we do
a release; and it means that we only need to review one patch per
supported release (up to 5 potential patches at this time in addition to
the one to xen-unstable) rather than two (up to 10 potential patches).

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
