Filter and check hypercalls from userspace

Xen cannot determine whether a hypercall originates from userspace or kernel
space. A malicious userspace may use Xen to attack the dom0 kernel.

To avoid this, instead of allowing all hypercalls verbatim, block all
hypercalls by default. Allow through certain hypercalls with checks.

Checking involves:

1) Any pointers need to point at valid userspace memory. For this, we also need
   to know the size of the buffer.
2) Buffers containing pointers need to be bounced to avoid userspace changing
   the memory after it has been checked. After the hypercall completes, the
   memory needs to be bounced back.

In addition, for the kexec_load call, verify the kernel to maintain Secure Boot
integrity.

This patch is technical debt and should be replaced by a stable hypervisor ABI
and a generic mechanism for the dom0 kernel to check hypercalls made from
userspace.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>

[ Corentin: rebase from XS-9 kernel (v6.6.98 based) to UEK8 kernel (v6.12 based):
- 260017f `("lsm: use default hook return value in call_int_hook()") simplified the `call_int_hook`
macro, so align our usage in `security_locked_down_nowarn()`]

Author: Vates Git Importer

drivers/pci/pci.c

@@ -5458,6 +5458,8 @@ int pci_reset_function(struct pci_dev *dev)
 	pci_dev_save_and_disable(dev);
 
 	rc = __pci_reset_function_locked(dev);
+	if (rc >= 0 && dev->quarantined)
+		dev->unsafe = 0;
 
 	pci_dev_restore(dev);
 	pci_dev_unlock(dev);

drivers/xen/Makefile

@@ -38,7 +38,7 @@ xen-evtchn-y				:= evtchn.o
 xen-gntdev-y				:= gntdev.o
 xen-gntdev-$(CONFIG_XEN_GNTDEV_DMABUF)	+= gntdev-dmabuf.o
 xen-gntalloc-y				:= gntalloc.o
-xen-privcmd-y				:= privcmd.o privcmd-buf.o
+xen-privcmd-y				:= privcmd.o privcmd-buf.o filter-hypercall.o
 obj-$(CONFIG_XEN_FRONT_PGDIR_SHBUF)	+= xen-front-pgdir-shbuf.o
 obj-$(CONFIG_XEN_UNPOPULATED_ALLOC)	+= unpopulated-alloc.o
 obj-$(CONFIG_XEN_GRANT_DMA_OPS)		+= grant-dma-ops.o