diff --git a/535a34eb-VT-d-suppress-UR-signaling-for-server-chipsets.patch b/535a34eb-VT-d-suppress-UR-signaling-for-server-chipsets.patch
new file mode 100644
index 0000000..76c92bc
--- /dev/null
+++ b/535a34eb-VT-d-suppress-UR-signaling-for-server-chipsets.patch
@@ -0,0 +1,215 @@
+References: bnc#826717 CVE-2013-3495 XSA-59
+
+# Commit d061d200eb92bcb1d86f9b55c6de73e35ce63fdf
+# Date 2014-04-25 12:11:55 +0200
+# Author Jan Beulich <jbeulich@suse.com>
+# Committer Jan Beulich <jbeulich@suse.com>
+VT-d: suppress UR signaling for server chipsets
+
+Unsupported Requests can be signaled for malformed writes to the MSI
+address region, e.g. due to buggy or malicious DMA set up to that
+region. These should normally result in IOMMU faults, but don't on
+the server chipsets dealt with here.
+
+IDs 0xe00, 0xe01, and 0xe04 ... 0xe0b (Ivytown) aren't needed here -
+Intel confirmed the issue to be fixed in hardware there.
+
+This is CVE-2013-3495 / XSA-59.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Don Dugger <donald.d.dugger@intel.com>
+Acked-by: Tim Deegan <tim@xen.org>
+Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
+
+--- a/xen/drivers/passthrough/vtd/quirks.c
++++ b/xen/drivers/passthrough/vtd/quirks.c
+@@ -27,6 +27,7 @@
+ #include <xen/softirq.h>
+ #include <xen/time.h>
+ #include <xen/pci.h>
++#include <xen/pci_ids.h>
+ #include <xen/pci_regs.h>
+ #include <xen/keyhandler.h>
+ #include <asm/msi.h>
+@@ -390,12 +391,68 @@ void __init pci_vtd_quirk(struct pci_dev
+     int bus = pdev->bus;
+     int dev = PCI_SLOT(pdev->devfn);
+     int func = PCI_FUNC(pdev->devfn);
+-    int id, val;
++    int pos;
++    u32 val;
+ 
+-    id = pci_conf_read32(seg, bus, dev, func, 0);
+-    if ( id == 0x342e8086 || id == 0x3c288086 )
++    if ( pci_conf_read16(seg, bus, dev, func, PCI_VENDOR_ID) !=
++         PCI_VENDOR_ID_INTEL )
++        return;
++
++    switch ( pci_conf_read16(seg, bus, dev, func, PCI_DEVICE_ID) )
+     {
++    case 0x342e: /* Tylersburg chipset (Nehalem / Westmere systems) */
++    case 0x3c28: /* Sandybridge */
+         val = pci_conf_read32(seg, bus, dev, func, 0x1AC);
+         pci_conf_write32(seg, bus, dev, func, 0x1AC, val | (1 << 31));
++        break;
++
++    /* Tylersburg (EP)/Boxboro (MP) chipsets (NHM-EP/EX, WSM-EP/EX) */
++    case 0x3400 ... 0x3407: /* host bridges */
++    case 0x3408 ... 0x3411: case 0x3420 ... 0x3421: /* root ports */
++    /* JasperForest (Intel Xeon Processor C5500/C3500 */
++    case 0x3700 ... 0x370f: /* host bridges */
++    case 0x3720 ... 0x3724: /* root ports */
++    /* Sandybridge-EP (Romley) */
++    case 0x3c00: /* host bridge */
++    case 0x3c01 ... 0x3c0b: /* root ports */
++        pos = pci_find_ext_capability(seg, bus, pdev->devfn,
++                                      PCI_EXT_CAP_ID_ERR);
++        if ( !pos )
++        {
++            pos = pci_find_ext_capability(seg, bus, pdev->devfn,
++                                          PCI_EXT_CAP_ID_VNDR);
++            while ( pos )
++            {
++                val = pci_conf_read32(seg, bus, dev, func, pos + PCI_VNDR_HEADER);
++                if ( PCI_VNDR_HEADER_ID(val) == 4 && PCI_VNDR_HEADER_REV(val) == 1 )
++                {
++                    pos += PCI_VNDR_HEADER;
++                    break;
++                }
++                pos = pci_find_next_ext_capability(seg, bus, pdev->devfn, pos,
++                                                   PCI_EXT_CAP_ID_VNDR);
++            }
++        }
++        if ( !pos )
++        {
++            printk(XENLOG_WARNING "%04x:%02x:%02x.%u without AER capability?\n",
++                   seg, bus, dev, func);
++            break;
++        }
++
++        val = pci_conf_read32(seg, bus, dev, func, pos + PCI_ERR_UNCOR_MASK);
++        pci_conf_write32(seg, bus, dev, func, pos + PCI_ERR_UNCOR_MASK,
++                         val | PCI_ERR_UNC_UNSUP);
++        val = pci_conf_read32(seg, bus, dev, func, pos + PCI_ERR_COR_MASK);
++        pci_conf_write32(seg, bus, dev, func, pos + PCI_ERR_COR_MASK,
++                         val | PCI_ERR_COR_ADV_NFAT);
++
++        /* XPUNCERRMSK Send Completion with Unsupported Request */
++        val = pci_conf_read32(seg, bus, dev, func, 0x20c);
++        pci_conf_write32(seg, bus, dev, func, 0x20c, val | (1 << 4));
++
++        printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n",
++               seg, bus, dev, func);
++        break;
+     }
+ }
+--- a/xen/drivers/pci/pci.c
++++ b/xen/drivers/pci/pci.c
+@@ -66,23 +66,33 @@ int pci_find_next_cap(u16 seg, u8 bus, u
+ 
+ /**
+  * pci_find_ext_capability - Find an extended capability
+- * @dev: PCI device to query
++ * @seg/@bus/@devfn: PCI device to query
+  * @cap: capability code
+  *
+  * Returns the address of the requested extended capability structure
+  * within the device's PCI configuration space or 0 if the device does
+- * not support it.  Possible values for @cap:
+- *
+- *  %PCI_EXT_CAP_ID_ERR         Advanced Error Reporting
+- *  %PCI_EXT_CAP_ID_VC          Virtual Channel
+- *  %PCI_EXT_CAP_ID_DSN         Device Serial Number
+- *  %PCI_EXT_CAP_ID_PWR         Power Budgeting
++ * not support it.
+  */
+ int pci_find_ext_capability(int seg, int bus, int devfn, int cap)
+ {
++    return pci_find_next_ext_capability(seg, bus, devfn, 0, cap);
++}
++
++/**
++ * pci_find_next_ext_capability - Find another extended capability
++ * @seg/@bus/@devfn: PCI device to query
++ * @pos: starting position
++ * @cap: capability code
++ *
++ * Returns the address of the requested extended capability structure
++ * within the device's PCI configuration space or 0 if the device does
++ * not support it.
++ */
++int pci_find_next_ext_capability(int seg, int bus, int devfn, int start, int cap)
++{
+     u32 header;
+     int ttl = 480; /* 3840 bytes, minimum 8 bytes per capability */
+-    int pos = 0x100;
++    int pos = max(start, 0x100);
+ 
+     header = pci_conf_read32(seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn), pos);
+ 
+@@ -92,9 +102,10 @@ int pci_find_ext_capability(int seg, int
+      */
+     if ( (header == 0) || (header == -1) )
+         return 0;
++    ASSERT(start != pos || PCI_EXT_CAP_ID(header) == cap);
+ 
+     while ( ttl-- > 0 ) {
+-        if ( PCI_EXT_CAP_ID(header) == cap )
++        if ( PCI_EXT_CAP_ID(header) == cap && pos != start )
+             return pos;
+         pos = PCI_EXT_CAP_NEXT(header);
+         if ( pos < 0x100 )
+--- a/xen/include/xen/pci.h
++++ b/xen/include/xen/pci.h
+@@ -140,6 +140,7 @@ int pci_mmcfg_write(unsigned int seg, un
+ int pci_find_cap_offset(u16 seg, u8 bus, u8 dev, u8 func, u8 cap);
+ int pci_find_next_cap(u16 seg, u8 bus, unsigned int devfn, u8 pos, int cap);
+ int pci_find_ext_capability(int seg, int bus, int devfn, int cap);
++int pci_find_next_ext_capability(int seg, int bus, int devfn, int pos, int cap);
+ const char *parse_pci(const char *, unsigned int *seg, unsigned int *bus,
+                       unsigned int *dev, unsigned int *func);
+ 
+--- /dev/null
++++ b/xen/include/xen/pci_ids.h
+@@ -0,0 +1,9 @@
++#define PCI_VENDOR_ID_AMD                0x1022
++
++#define PCI_VENDOR_ID_NVIDIA             0x10de
++
++#define PCI_VENDOR_ID_OXSEMI             0x1415
++
++#define PCI_VENDOR_ID_BROADCOM           0x14e4
++
++#define PCI_VENDOR_ID_INTEL              0x8086
+--- a/xen/include/xen/pci_regs.h
++++ b/xen/include/xen/pci_regs.h
+@@ -431,6 +431,7 @@
+ #define PCI_EXT_CAP_ID_VC	2
+ #define PCI_EXT_CAP_ID_DSN	3
+ #define PCI_EXT_CAP_ID_PWR	4
++#define PCI_EXT_CAP_ID_VNDR	11
+ #define PCI_EXT_CAP_ID_ACS	13
+ #define PCI_EXT_CAP_ID_ARI	14
+ #define PCI_EXT_CAP_ID_ATS	15
+@@ -459,6 +460,7 @@
+ #define  PCI_ERR_COR_BAD_DLLP	0x00000080	/* Bad DLLP Status */
+ #define  PCI_ERR_COR_REP_ROLL	0x00000100	/* REPLAY_NUM Rollover */
+ #define  PCI_ERR_COR_REP_TIMER	0x00001000	/* Replay Timer Timeout */
++#define  PCI_ERR_COR_ADV_NFAT	0x00002000	/* Advisory Non-Fatal */
+ #define PCI_ERR_COR_MASK	20	/* Correctable Error Mask */
+ 	/* Same bits as above */
+ #define PCI_ERR_CAP		24	/* Advanced Error Capabilities */
+@@ -510,6 +512,12 @@
+ #define PCI_PWR_CAP		12	/* Capability */
+ #define  PCI_PWR_CAP_BUDGET(x)	((x) & 1)	/* Included in system budget */
+ 
++/* Vendor-Specific (VSEC, PCI_EXT_CAP_ID_VNDR) */
++#define PCI_VNDR_HEADER		4	/* Vendor-Specific Header */
++#define  PCI_VNDR_HEADER_ID(x)	((x) & 0xffff)
++#define  PCI_VNDR_HEADER_REV(x)	(((x) >> 16) & 0xf)
++#define  PCI_VNDR_HEADER_LEN(x)	(((x) >> 20) & 0xfff)
++
+ /*
+  * Hypertransport sub capability types
+  *
diff --git a/535a3516-VT-d-suppress-UR-signaling-for-desktop-chipsets.patch b/535a3516-VT-d-suppress-UR-signaling-for-desktop-chipsets.patch
new file mode 100644
index 0000000..6e2e580
--- /dev/null
+++ b/535a3516-VT-d-suppress-UR-signaling-for-desktop-chipsets.patch
@@ -0,0 +1,66 @@
+References: bnc#826717 CVE-2013-3495 XSA-59
+
+# Commit d6cb14b34ffc2a830022d059f1aa22bf19dcf55f
+# Date 2014-04-25 12:12:38 +0200
+# Author Jan Beulich <jbeulich@suse.com>
+# Committer Jan Beulich <jbeulich@suse.com>
+VT-d: suppress UR signaling for desktop chipsets
+
+Unsupported Requests can be signaled for malformed writes to the MSI
+address region, e.g. due to buggy or malicious DMA set up to that
+region. These should normally result in IOMMU faults, but don't on
+the desktop chipsets dealt with here.
+
+This is CVE-2013-3495 / XSA-59.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Don Dugger <donald.d.dugger@intel.com>
+Acked-by: Tim Deegan <tim@xen.org>
+Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
+
+--- a/xen/drivers/passthrough/vtd/quirks.c
++++ b/xen/drivers/passthrough/vtd/quirks.c
+@@ -393,6 +393,8 @@ void __init pci_vtd_quirk(struct pci_dev
+     int func = PCI_FUNC(pdev->devfn);
+     int pos;
+     u32 val;
++    u64 bar;
++    paddr_t pa;
+ 
+     if ( pci_conf_read16(seg, bus, dev, func, PCI_VENDOR_ID) !=
+          PCI_VENDOR_ID_INTEL )
+@@ -454,5 +456,33 @@ void __init pci_vtd_quirk(struct pci_dev
+         printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n",
+                seg, bus, dev, func);
+         break;
++
++    case 0x100: case 0x104: case 0x108: /* Sandybridge */
++    case 0x150: case 0x154: case 0x158: /* Ivybridge */
++    case 0xa04: /* Haswell ULT */
++    case 0xc00: case 0xc04: case 0xc08: /* Haswell */
++        bar = pci_conf_read32(seg, bus, dev, func, 0x6c);
++        bar = (bar << 32) | pci_conf_read32(seg, bus, dev, func, 0x68);
++        pa = bar & 0x7fffff000; /* bits 12...38 */
++        if ( (bar & 1) && pa &&
++             page_is_ram_type(paddr_to_pfn(pa), RAM_TYPE_RESERVED) )
++        {
++            u32 __iomem *va = ioremap(pa, PAGE_SIZE);
++
++            if ( va )
++            {
++                __set_bit(0x1c8 * 8 + 20, va);
++                iounmap(va);
++                printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n",
++                       seg, bus, dev, func);
++            }
++            else
++                printk(XENLOG_ERR "Could not map %"PRIpaddr" for %04x:%02x:%02x.%u\n",
++                       pa, seg, bus, dev, func);
++        }
++        else
++            printk(XENLOG_WARNING "Bogus DMIBAR %#"PRIx64" on %04x:%02x:%02x.%u\n",
++                   bar, seg, bus, dev, func);
++        break;
+     }
+ }
diff --git a/535a354b-passthrough-allow-to-suppress-SERR-and-PERR-signaling.patch b/535a354b-passthrough-allow-to-suppress-SERR-and-PERR-signaling.patch
new file mode 100644
index 0000000..198f64f
--- /dev/null
+++ b/535a354b-passthrough-allow-to-suppress-SERR-and-PERR-signaling.patch
@@ -0,0 +1,187 @@
+# Commit 1a2a390a560e8319a6be98c7ab6cfaebd230f67e
+# Date 2014-04-25 12:13:31 +0200
+# Author Jan Beulich <jbeulich@suse.com>
+# Committer Jan Beulich <jbeulich@suse.com>
+passthrough: allow to suppress SERR and PERR signaling altogether
+
+This is just to have a workaround at hand in case other chipsets (not
+covered by the previous two patches) also have similar issues.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Don Dugger <donald.d.dugger@intel.com>
+Acked-by: Tim Deegan <tim@xen.org>
+Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
+
+--- a/docs/misc/xen-command-line.markdown
++++ b/docs/misc/xen-command-line.markdown
+@@ -772,6 +772,14 @@ Defaults to booting secondary processors
+ 
+ Default: `on`
+ 
++### pci
++> `= {no-}serr | {no-}perr`
++
++Disable signaling of SERR (system errors) and/or PERR (parity errors)
++on all PCI devices.
++
++Default: Signaling left as set by firmware.
++
+ ### pci-phantom
+ > `=[<seg>:]<bus>:<device>,<stride>`
+ 
+--- a/xen/drivers/passthrough/pci.c
++++ b/xen/drivers/passthrough/pci.c
+@@ -154,6 +154,115 @@ static void __init parse_phantom_dev(cha
+ }
+ custom_param("pci-phantom", parse_phantom_dev);
+ 
++static u16 __read_mostly command_mask;
++static u16 __read_mostly bridge_ctl_mask;
++
++/*
++ * The 'pci' parameter controls certain PCI device aspects.
++ * Optional comma separated value may contain:
++ *
++ *   serr                       don't suppress system errors (default)
++ *   no-serr                    suppress system errors
++ *   perr                       don't suppress parity errors (default)
++ *   no-perr                    suppress parity errors
++ */
++static void __init parse_pci_param(char *s)
++{
++    char *ss;
++
++    do {
++        bool_t on = !!strncmp(s, "no-", 3);
++        u16 cmd_mask = 0, brctl_mask = 0;
++
++        if ( !on )
++            s += 3;
++
++        ss = strchr(s, ',');
++        if ( ss )
++            *ss = '\0';
++
++        if ( !strcmp(s, "serr") )
++        {
++            cmd_mask = PCI_COMMAND_SERR;
++            brctl_mask = PCI_BRIDGE_CTL_SERR | PCI_BRIDGE_CTL_DTMR_SERR;
++        }
++        else if ( !strcmp(s, "perr") )
++        {
++            cmd_mask = PCI_COMMAND_PARITY;
++            brctl_mask = PCI_BRIDGE_CTL_PARITY;
++        }
++
++        if ( on )
++        {
++            command_mask &= ~cmd_mask;
++            bridge_ctl_mask &= ~brctl_mask;
++        }
++        else
++        {
++            command_mask |= cmd_mask;
++            bridge_ctl_mask |= brctl_mask;
++        }
++
++        s = ss + 1;
++    } while ( ss );
++}
++custom_param("pci", parse_pci_param);
++
++static void check_pdev(const struct pci_dev *pdev)
++{
++#define PCI_STATUS_CHECK \
++    (PCI_STATUS_PARITY | PCI_STATUS_SIG_TARGET_ABORT | \
++     PCI_STATUS_REC_TARGET_ABORT | PCI_STATUS_REC_MASTER_ABORT | \
++     PCI_STATUS_SIG_SYSTEM_ERROR | PCI_STATUS_DETECTED_PARITY)
++    u16 seg = pdev->seg;
++    u8 bus = pdev->bus;
++    u8 dev = PCI_SLOT(pdev->devfn);
++    u8 func = PCI_FUNC(pdev->devfn);
++    u16 val;
++
++    if ( command_mask )
++    {
++        val = pci_conf_read16(seg, bus, dev, func, PCI_COMMAND);
++        if ( val & command_mask )
++            pci_conf_write16(seg, bus, dev, func, PCI_COMMAND,
++                             val & ~command_mask);
++        val = pci_conf_read16(seg, bus, dev, func, PCI_STATUS);
++        if ( val & PCI_STATUS_CHECK )
++        {
++            printk(XENLOG_INFO "%04x:%02x:%02x.%u status %04x -> %04x\n",
++                   seg, bus, dev, func, val, val & ~PCI_STATUS_CHECK);
++            pci_conf_write16(seg, bus, dev, func, PCI_STATUS,
++                             val & PCI_STATUS_CHECK);
++        }
++    }
++
++    switch ( pci_conf_read8(seg, bus, dev, func, PCI_HEADER_TYPE) & 0x7f )
++    {
++    case PCI_HEADER_TYPE_BRIDGE:
++        if ( !bridge_ctl_mask )
++            break;
++        val = pci_conf_read16(seg, bus, dev, func, PCI_BRIDGE_CONTROL);
++        if ( val & bridge_ctl_mask )
++            pci_conf_write16(seg, bus, dev, func, PCI_BRIDGE_CONTROL,
++                             val & ~bridge_ctl_mask);
++        val = pci_conf_read16(seg, bus, dev, func, PCI_SEC_STATUS);
++        if ( val & PCI_STATUS_CHECK )
++        {
++            printk(XENLOG_INFO
++                   "%04x:%02x:%02x.%u secondary status %04x -> %04x\n",
++                   seg, bus, dev, func, val, val & ~PCI_STATUS_CHECK);
++            pci_conf_write16(seg, bus, dev, func, PCI_SEC_STATUS,
++                             val & PCI_STATUS_CHECK);
++        }
++        break;
++
++    case PCI_HEADER_TYPE_CARDBUS:
++        /* TODO */
++        break;
++    }
++#undef PCI_STATUS_CHECK
++}
++
+ static struct pci_dev *alloc_pdev(struct pci_seg *pseg, u8 bus, u8 devfn)
+ {
+     struct pci_dev *pdev;
+@@ -252,6 +361,8 @@ static struct pci_dev *alloc_pdev(struct
+             break;
+     }
+ 
++    check_pdev(pdev);
++
+     return pdev;
+ }
+ 
+@@ -566,6 +677,8 @@ int pci_add_device(u16 seg, u8 bus, u8 d
+                    seg, bus, slot, func, ctrl);
+     }
+ 
++    check_pdev(pdev);
++
+     ret = 0;
+     if ( !pdev->domain )
+     {
+--- a/xen/include/xen/pci_regs.h
++++ b/xen/include/xen/pci_regs.h
+@@ -125,7 +125,7 @@
+ #define  PCI_IO_RANGE_TYPE_16	0x00
+ #define  PCI_IO_RANGE_TYPE_32	0x01
+ #define  PCI_IO_RANGE_MASK	(~0x0fUL)
+-#define PCI_SEC_STATUS		0x1e	/* Secondary status register, only bit 14 used */
++#define PCI_SEC_STATUS		0x1e	/* Secondary status register */
+ #define PCI_MEMORY_BASE		0x20	/* Memory range behind */
+ #define PCI_MEMORY_LIMIT	0x22
+ #define  PCI_MEMORY_RANGE_TYPE_MASK 0x0fUL
+@@ -152,6 +152,7 @@
+ #define  PCI_BRIDGE_CTL_MASTER_ABORT	0x20  /* Report master aborts */
+ #define  PCI_BRIDGE_CTL_BUS_RESET	0x40	/* Secondary bus reset */
+ #define  PCI_BRIDGE_CTL_FAST_BACK	0x80	/* Fast Back2Back enabled on secondary interface */
++#define  PCI_BRIDGE_CTL_DTMR_SERR	0x800	/* SERR upon discard timer expiry */
+ 
+ /* Header type 2 (CardBus bridges) */
+ #define PCI_CB_CAPABILITY_LIST	0x14
diff --git a/535e31bc-x86-HVM-correct-the-SMEP-logic-for-HVM_CR0_GUEST_RESERVED_BITS.patch b/535e31bc-x86-HVM-correct-the-SMEP-logic-for-HVM_CR0_GUEST_RESERVED_BITS.patch
new file mode 100644
index 0000000..39d8864
--- /dev/null
+++ b/535e31bc-x86-HVM-correct-the-SMEP-logic-for-HVM_CR0_GUEST_RESERVED_BITS.patch
@@ -0,0 +1,43 @@
+# Commit 31ee951a3bee6e7cc21f94f900fe989e3701a79a
+# Date 2014-04-28 12:47:24 +0200
+# Author Feng Wu <feng.wu@intel.com>
+# Committer Jan Beulich <jbeulich@suse.com>
+x86/HVM: correct the SMEP logic for HVM_CR0_GUEST_RESERVED_BITS
+
+When checking the SMEP feature for HVM guests, we should check the
+VCPU instead of the host CPU.
+
+Signed-off-by: Feng Wu <feng.wu@intel.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/include/asm-x86/hvm/hvm.h
++++ b/xen/include/asm-x86/hvm/hvm.h
+@@ -347,6 +347,19 @@ static inline int hvm_event_pending(stru
+     return hvm_funcs.event_pending(v);
+ }
+ 
++static inline bool_t hvm_vcpu_has_smep(void)
++{
++    unsigned int eax, ebx;
++
++    hvm_cpuid(0, &eax, NULL, NULL, NULL);
++
++    if ( eax < 7 )
++        return 0;
++
++    hvm_cpuid(7, NULL, &ebx, NULL, NULL);
++    return !!(ebx & cpufeat_mask(X86_FEATURE_SMEP));
++}
++
+ /* These reserved bits in lower 32 remain 0 after any load of CR0 */
+ #define HVM_CR0_GUEST_RESERVED_BITS             \
+     (~((unsigned long)                          \
+@@ -366,7 +379,7 @@ static inline int hvm_event_pending(stru
+         X86_CR4_DE  | X86_CR4_PSE | X86_CR4_PAE |       \
+         X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE |       \
+         X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT |           \
+-        (cpu_has_smep ? X86_CR4_SMEP : 0) |             \
++        (hvm_vcpu_has_smep() ? X86_CR4_SMEP : 0) |      \
+         (cpu_has_fsgsbase ? X86_CR4_FSGSBASE : 0) |     \
+         ((nestedhvm_enabled((_v)->domain) && cpu_has_vmx)\
+                       ? X86_CR4_VMXE : 0)  |             \
diff --git a/xsa92.patch b/535fa503-x86-HVM-restrict-HVMOP_set_mem_type.patch
similarity index 84%
rename from xsa92.patch
rename to 535fa503-x86-HVM-restrict-HVMOP_set_mem_type.patch
index 2969992..8988d48 100644
--- a/xsa92.patch
+++ b/535fa503-x86-HVM-restrict-HVMOP_set_mem_type.patch
@@ -1,3 +1,9 @@
+References: bnc#875668 CVE-2014-3124 XSA-92
+
+# Commit 83bb5eb4d340acebf27b34108fb1dae062146a68
+# Date 2014-04-29 15:11:31 +0200
+# Author Jan Beulich <jbeulich@suse.com>
+# Committer Jan Beulich <jbeulich@suse.com>
 x86/HVM: restrict HVMOP_set_mem_type
 
 Permitting arbitrary type changes here has the potential of creating
@@ -12,7 +18,7 @@ message.
 
 Afaict the similar operation in p2m_set_mem_access() is safe.
 
-This is XSA-92.
+This is CVE-2014-3124 / XSA-92.
 
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Tim Deegan <tim@xen.org>
diff --git a/53636978-hvm_set_ioreq_page-releases-wrong-page-in-error-path.patch b/53636978-hvm_set_ioreq_page-releases-wrong-page-in-error-path.patch
new file mode 100644
index 0000000..b1e4d28
--- /dev/null
+++ b/53636978-hvm_set_ioreq_page-releases-wrong-page-in-error-path.patch
@@ -0,0 +1,27 @@
+# Commit 16e2a7596e9fc86881c73cef57602b2c88155528
+# Date 2014-05-02 11:46:32 +0200
+# Author Paul Durrant <paul.durrant@citrix.com>
+# Committer Jan Beulich <jbeulich@suse.com>
+hvm_set_ioreq_page() releases wrong page in error path
+
+The function calls prepare_ring_for_helper() to acquire a mapping for the
+given gmfn, then checks (under lock) to see if the ioreq page is already
+set up but, if it is, the function then releases the in-use ioreq page
+mapping on the error path rather than the one it just acquired. This patch
+fixes this bug.
+
+Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -478,7 +478,7 @@ static int hvm_set_ioreq_page(
+ 
+     if ( (iorp->va != NULL) || d->is_dying )
+     {
+-        destroy_ring_for_helper(&iorp->va, iorp->page);
++        destroy_ring_for_helper(&va, page);
+         spin_unlock(&iorp->lock);
+         return -EINVAL;
+     }
diff --git a/53636ebf-x86-fix-guest-CPUID-handling.patch b/53636ebf-x86-fix-guest-CPUID-handling.patch
new file mode 100644
index 0000000..206f9d9
--- /dev/null
+++ b/53636ebf-x86-fix-guest-CPUID-handling.patch
@@ -0,0 +1,81 @@
+# Commit 4c0ff6bd54b5a67f8f820f9ed0a89a79f1a26a1c
+# Date 2014-05-02 12:09:03 +0200
+# Author Jan Beulich <jbeulich@suse.com>
+# Committer Jan Beulich <jbeulich@suse.com>
+x86: fix guest CPUID handling
+
+The way XEN_DOMCTL_set_cpuid got handled so far allowed for surprises
+to the caller. With this set of operations
+- set leaf A (using array index 0)
+- set leaf B (using array index 1)
+- clear leaf A (clearing array index 0)
+- set leaf B (using array index 0)
+- clear leaf B (clearing array index 0)
+the entry for leaf B at array index 1 would still be in place, while
+the caller would expect it to be cleared.
+
+While looking at the use sites of d->arch.cpuid[] I also noticed that
+the allocation of the array needlessly uses the zeroing form - the
+relevant fields of the array elements get set in a loop immediately
+following the allocation.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -553,7 +553,7 @@ int arch_domain_create(struct domain *d,
+ 
+     if ( !is_idle_domain(d) )
+     {
+-        d->arch.cpuids = xzalloc_array(cpuid_input_t, MAX_CPUID_INPUT);
++        d->arch.cpuids = xmalloc_array(cpuid_input_t, MAX_CPUID_INPUT);
+         rc = -ENOMEM;
+         if ( d->arch.cpuids == NULL )
+             goto fail;
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -920,7 +920,7 @@ long arch_do_domctl(
+     case XEN_DOMCTL_set_cpuid:
+     {
+         xen_domctl_cpuid_t *ctl = &domctl->u.cpuid;
+-        cpuid_input_t *cpuid = NULL; 
++        cpuid_input_t *cpuid, *unused = NULL;
+         int i;
+ 
+         for ( i = 0; i < MAX_CPUID_INPUT; i++ )
+@@ -928,7 +928,11 @@ long arch_do_domctl(
+             cpuid = &d->arch.cpuids[i];
+ 
+             if ( cpuid->input[0] == XEN_CPUID_INPUT_UNUSED )
+-                break;
++            {
++                if ( !unused )
++                    unused = cpuid;
++                continue;
++            }
+ 
+             if ( (cpuid->input[0] == ctl->input[0]) &&
+                  ((cpuid->input[1] == XEN_CPUID_INPUT_UNUSED) ||
+@@ -936,15 +940,12 @@ long arch_do_domctl(
+                 break;
+         }
+         
+-        if ( i == MAX_CPUID_INPUT )
+-        {
+-            ret = -ENOENT;
+-        }
++        if ( i < MAX_CPUID_INPUT )
++            *cpuid = *ctl;
++        else if ( unused )
++            *unused = *ctl;
+         else
+-        {
+-            memcpy(cpuid, ctl, sizeof(cpuid_input_t));
+-            ret = 0;
+-        }
++            ret = -ENOENT;
+     }
+     break;
+ 
diff --git a/libxl.add-option-for-discard-support-to-xl-disk-conf.patch b/libxl.add-option-for-discard-support-to-xl-disk-conf.patch
index 8b1a050..aca3f65 100644
--- a/libxl.add-option-for-discard-support-to-xl-disk-conf.patch
+++ b/libxl.add-option-for-discard-support-to-xl-disk-conf.patch
@@ -54,7 +54,7 @@ Index: xen-4.4.0-testing/tools/libxl/libxl.c
 ===================================================================
 --- xen-4.4.0-testing.orig/tools/libxl/libxl.c
 +++ xen-4.4.0-testing/tools/libxl/libxl.c
-@@ -2213,6 +2213,8 @@ static void device_disk_add(libxl__egc *
+@@ -2480,6 +2480,8 @@ static void device_disk_add(libxl__egc *
          flexarray_append(back, disk->readwrite ? "w" : "r");
          flexarray_append(back, "device-type");
          flexarray_append(back, disk->is_cdrom ? "cdrom" : "disk");
diff --git a/libxl.pvscsi.patch b/libxl.pvscsi.patch
new file mode 100644
index 0000000..31e759f
--- /dev/null
+++ b/libxl.pvscsi.patch
@@ -0,0 +1,1189 @@
+* local-fate316613-pvscsi-staging-4.4
+ git://github.com/olafhering/xen.git : local-fate316613-pvscsi-staging-4.4
+
+Implement pvscsi in xl/libxl
+fate#316613 , https://fate.suse.com/316613
+
+10bd594 pvscsi: move parse_vscsi_config code block to avoid fuzz
+06914e1 Merge pull request #4 from aaannz/pvscsi
+fe65eb3 define SUSE PVSCSI extension for 3rd party use
+8a34a98 pvscsi: check null pointer in libxl__add_vscsis
+09fa151 pvscsi: avoid double assignment of host devices
+aa88928 pvscsi: fix double free in scsi-attach
+2de1507 pvscsi: update comments about libxl.so ABI
+483f7e9 Merge pull request #3 from aaannz/pvscsi
+d98458c Xen4.2 ABI compat
+73744a5 preserve Xen4.2 ABI, WIP
+0f8e701 fix minor memory leaks
+1b1c55d pvscsi: correct comment for DEFINE_DEVICES_ADD
+6f50972 pvscsi: move libxl__add_vscsis call
+6fd1327 pvscsi: add comment for DEFINE_DEVICES_ADD
+e4bf1fd pvscsi: fix DEFINE_DEVICE_REMOVE destroy
+51b63a6 pvscsi: man pages
+e461042 pvscsi: implememnt single device scsi-detach
+540e524 Merge pull request #2 from aaannz/pvscsi
+919a851 implement vscsi-attach
+e07db68 fix indentation
+b087b9d pvscsi: implement simple scsi-detach
+824f286 pvscsi: simplify sysfs parsing in parse_vscsi_config
+977d81d pvscsi: include stddef in xl_cmdimpl.c to get offsetof
+ee2e7e5 Merge pull request #1 from aaannz/pvscsi
+7de6f49 support character devices too
+c84381b allow /dev/sda as scsi devspec
+f11e3a2 pvscsi
+Index: xen-4.4.0-testing/docs/man/xl.cfg.pod.5
+===================================================================
+--- xen-4.4.0-testing.orig/docs/man/xl.cfg.pod.5
++++ xen-4.4.0-testing/docs/man/xl.cfg.pod.5
+@@ -380,6 +380,36 @@ value is optional if this is a guest dom
+ 
+ =back
+ 
++=item B<vscsi=[ "VSCSI_SPEC_STRING", "VSCSI_SPEC_STRING", ...]>
++
++Specifies the PVSCSI devices to be provided to the guest. PVSCSI passes
++dom0 SCSI devices as-is to the guest.
++
++Each B<VSCSI_SPEC_STRING> is a mapping from dom0 SCSI devices to guest visible
++SCSI devices, like 'pvdev,vdev[,option]'. Example: '/dev/sdm,3:0:4:5,feature-host'
++
++=over 4
++
++=item C<pdev>
++
++Specifies the dom0 visible SCSI device. The string can be either a device path
++like to a block device like /dev/disk/by-id/scsi-XYZ. Or it can be a device path
++to a char device like /dev/sg5. Or it can be specified in the SCSI notation
++HOST:CHANNEL:TARGET:LUN. Note that the latter format is unreliable because
++the HOST value can change across dom0 reboots.
++
++=item C<vdev>
++
++Specifies how the SCSI device is mapped into the guest. The notation is in
++SCSI notation HOST:CHANNEL:TARGET:LUN. HOST in this case means a virthal
++SCSI host within the guest.
++
++=item C<option>
++
++Right now only one option is recognized: feature-host.
++
++=back
++
+ =item B<vfb=[ "VFB_SPEC_STRING", "VFB_SPEC_STRING", ...]>
+ 
+ Specifies the paravirtual framebuffer devices which should be supplied
+Index: xen-4.4.0-testing/docs/man/xl.pod.1
+===================================================================
+--- xen-4.4.0-testing.orig/docs/man/xl.pod.1
++++ xen-4.4.0-testing/docs/man/xl.pod.1
+@@ -1208,6 +1208,26 @@ List virtual trusted platform modules fo
+ 
+ =back
+ 
++=head2 PVSCSI DEVICES
++
++=over 4
++
++=item B<scsi-attach> I<domain-id> I<pdev> I<vdev> I<[feature-host]>
++
++Creates a new vscsi device in the domain specified by I<domain-id>.
++
++=item B<scsi-detach> I<domain-id> I<vdev>
++
++Removes the vscsi device from domain specified by I<domain-id>.
++Note that the whole virtual SCSI host with all its devices is removed.
++This is a BUG!
++
++=item B<vscsi-list> I<domain-id> I<[domain-id] ...>
++
++List vscsi devices for the domain specified by I<domain-id>.
++
++=back
++
+ =head1 PCI PASS-THROUGH
+ 
+ =over 4
+Index: xen-4.4.0-testing/tools/libxl/libxl.c
+===================================================================
+--- xen-4.4.0-testing.orig/tools/libxl/libxl.c
++++ xen-4.4.0-testing/tools/libxl/libxl.c
+@@ -2017,6 +2017,273 @@ int libxl_devid_to_device_vtpm(libxl_ctx
+     return rc;
+ }
+ 
++/******************************************************************************/
++static int libxl__device_from_vscsi(libxl__gc *gc, uint32_t domid,
++                                   libxl_device_vscsi *vscsi,
++                                   libxl__device *device)
++{
++   device->backend_domid   = vscsi->backend_domid;
++   device->devid           = vscsi->devid;
++   device->domid           = domid;
++   device->backend_kind    = LIBXL__DEVICE_KIND_VSCSI;
++   device->kind            = LIBXL__DEVICE_KIND_VSCSI;
++
++   return 0;
++}
++
++void libxl__device_vscsi_add(libxl__egc *egc, uint32_t domid,
++                           libxl_device_vscsi *vscsi,
++                           libxl__ao_device *aodev)
++{
++    STATE_AO_GC(aodev->ao);
++    flexarray_t *front;
++    flexarray_t *back;
++    libxl__device *device;
++    unsigned int rc, i;
++
++    i = 2 * (4 + (3 * vscsi->num_vscsi_devs));
++    front = flexarray_make(gc, 4, 1);
++    back = flexarray_make(gc, i, 1);
++
++    if (vscsi->devid == -1) {
++        rc = ERROR_FAIL;
++        goto out;
++    }
++
++    GCNEW(device);
++    rc = libxl__device_from_vscsi(gc, domid, vscsi, device);
++    if ( rc != 0 ) goto out;
++
++    /* get backend device path to check if is already present */
++    char *backend_path;
++    unsigned int ndirs = 0;
++    backend_path = libxl__device_backend_path(gc, device);
++    if (!libxl__xs_directory(gc, XBT_NULL, backend_path, &ndirs) || !ndirs) {
++        /* backend does not exist => vscsi host does not exist */
++        flexarray_append_pair(back, "frontend-id", GCSPRINTF("%d", domid));
++        flexarray_append_pair(back, "online", "1");
++        flexarray_append_pair(back, "state", "1");
++        flexarray_append_pair(back, "feature-host", GCSPRINTF("%d", !!vscsi->feature_host));
++
++        flexarray_append_pair(front, "backend-id", GCSPRINTF("%d", vscsi->backend_domid));
++        flexarray_append_pair(front, "state", "1");
++    }
++
++    for (i = 0; i < vscsi->num_vscsi_devs; i++) {
++        libxl_vscsi_dev *v = vscsi->vscsi_devs + i;
++        if (ndirs) {
++            unsigned int nb = 0;
++            /* vhost exist, check if not overwriting records */
++            if (libxl__xs_directory(gc, XBT_NULL,
++                   GCSPRINTF("%s/vscsi-devs/dev-%u", backend_path, v->vscsi_dev_id),
++                            &nb) && nb) {
++                /* trigger device removal by forwarding state to XenbusStateClosing */
++                if (v->remove)
++                    flexarray_append_pair(back, GCSPRINTF("vscsi-devs/dev-%u/state", v->vscsi_dev_id), "5");
++                continue;
++            }
++        }
++        flexarray_append_pair(back, GCSPRINTF("vscsi-devs/dev-%u/p-dev", v->vscsi_dev_id),
++                              GCSPRINTF("%u:%u:%u:%u", v->p_hst, v->p_chn, v->p_tgt, v->p_lun));
++        flexarray_append_pair(back, GCSPRINTF("vscsi-devs/dev-%u/v-dev", v->vscsi_dev_id),
++                              GCSPRINTF("%u:%u:%u:%u", vscsi->v_hst, v->v_chn, v->v_tgt, v->v_lun));
++        flexarray_append_pair(back, GCSPRINTF("vscsi-devs/dev-%u/state", v->vscsi_dev_id), "1");
++    }
++
++    aodev->dev = device;
++    if (ndirs == 0) {
++        libxl__device_generic_add(gc, XBT_NULL, device,
++                                libxl__xs_kvs_of_flexarray(gc, back, back->count),
++                                libxl__xs_kvs_of_flexarray(gc, front, front->count),
++                                NULL);
++
++        aodev->action = LIBXL__DEVICE_ACTION_ADD;
++        libxl__wait_device_connection(egc, aodev);
++    }
++    else {
++        /* we added only new vscsi devices, write them and trigger vscsi host reconfiguration */
++        libxl_ctx *ctx = libxl__gc_owner(gc);
++        xs_transaction_t t;
++retry_transaction:
++        t = xs_transaction_start(ctx->xsh);
++        libxl__xs_writev(gc, t, backend_path,
++                         libxl__xs_kvs_of_flexarray(gc, back, back->count));
++        xs_write(ctx->xsh, t, GCSPRINTF("%s/state", backend_path), "7", 2);
++        if(!xs_transaction_end(ctx->xsh, t, 0)) {
++            if (errno == EAGAIN) {
++                goto retry_transaction;
++            }
++            else {
++                LOGE(ERROR, "xs transaction failed");
++                return;
++            }
++        }
++        libxl__wait_for_backend(gc, backend_path, "4");
++
++retry_transaction2:
++        t = xs_transaction_start(ctx->xsh);
++        for (i = 0; i < vscsi->num_vscsi_devs; i++) {
++            libxl_vscsi_dev *v = vscsi->vscsi_devs + i;
++            if (v->remove) {
++                char *tmppath, *tmpval;
++                tmppath = GCSPRINTF("%s/vscsi-devs/dev-%u/state", backend_path, v->vscsi_dev_id);
++                tmpval = libxl__xs_read(gc, t, tmppath);
++                if (tmpval && strcmp(tmpval, "6") == 0) {
++                    tmppath = GCSPRINTF("%s/vscsi-devs/dev-%u/state", backend_path, v->vscsi_dev_id);
++                    xs_rm(ctx->xsh, t, tmppath);
++                    tmppath = GCSPRINTF("%s/vscsi-devs/dev-%u/p-dev", backend_path, v->vscsi_dev_id);
++                    xs_rm(ctx->xsh, t, tmppath);
++                    tmppath = GCSPRINTF("%s/vscsi-devs/dev-%u/v-dev", backend_path, v->vscsi_dev_id);
++                    xs_rm(ctx->xsh, t, tmppath);
++                    tmppath = GCSPRINTF("%s/vscsi-devs/dev-%u", backend_path, v->vscsi_dev_id);
++                    xs_rm(ctx->xsh, t, tmppath);
++                } else {
++                    LOGE(ERROR, "%s: %s has %s, expected 6", __func__, tmppath, tmpval);
++                }
++            }
++        }
++        if(!xs_transaction_end(ctx->xsh, t, 0)) {
++            if (errno == EAGAIN) {
++                goto retry_transaction2;
++            }
++            else {
++                LOGE(ERROR, "xs transaction failed");
++                return;
++            }
++        }
++        /* as we are not adding new device, skip waiting for it */
++        libxl__ao_complete(egc, aodev->ao, 0);
++    }
++
++    rc = 0;
++out:
++    aodev->rc = rc;
++    if(rc) aodev->callback(egc, aodev);
++    return;
++}
++
++libxl_device_vscsi *libxl_device_vscsi_list(libxl_ctx *ctx, uint32_t domid, int *num)
++{
++    GC_INIT(ctx);
++
++    libxl_device_vscsi *vscsi_hosts = NULL;
++    char *fe_path;
++    char **dir;
++    unsigned int ndirs = 0;
++
++    fe_path = libxl__sprintf(gc, "%s/device/vscsi", libxl__xs_get_dompath(gc, domid));
++    dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &ndirs);
++    if (dir && ndirs) {
++        libxl_device_vscsi *vscsi, *end;
++        vscsi_hosts = calloc(ndirs, sizeof(*vscsi_hosts));
++        for (vscsi = vscsi_hosts, end = vscsi_hosts + ndirs; vscsi_hosts && vscsi < end; ++vscsi, ++dir) {
++            unsigned int vd_dirs = 0, i;
++            char *tmp;
++            char **vscsi_devs_dir;
++            const char *vscsi_devs_path, *be_path = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/%s/backend", fe_path, *dir));
++
++            libxl_device_vscsi_init(vscsi);
++
++            vscsi->devid = atoi(*dir);
++
++            tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/%s/backend-id", fe_path, *dir));
++            vscsi->backend_domid = atoi(tmp);
++
++            vscsi_devs_path = libxl__sprintf(gc, "%s/vscsi-devs", be_path);
++            vscsi_devs_dir = libxl__xs_directory(gc, XBT_NULL, vscsi_devs_path, &vd_dirs);
++            if (vscsi_devs_dir && vd_dirs) {
++                vscsi->vscsi_devs = calloc(vd_dirs, sizeof(*vscsi->vscsi_devs));
++                vscsi->num_vscsi_devs = vd_dirs;
++                for (i = 0; i < vd_dirs; i++, vscsi_devs_dir++) {
++                    unsigned int vscsi_dev_id;
++                    if (sscanf(*vscsi_devs_dir, "dev-%u", &vscsi_dev_id) != 1) {
++                        LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "%s/scsi-devs/%s failed to parse", be_path, *vscsi_devs_dir);
++                        continue;
++                    }
++                    vscsi->vscsi_devs[i].vscsi_dev_id = vscsi_dev_id;
++                    tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/vscsi-devs/dev-%u/p-dev", be_path, vscsi_dev_id));
++                    if (tmp)
++                       sscanf(tmp, "%u:%u:%u:%u", &vscsi->vscsi_devs[i].p_hst, &vscsi->vscsi_devs[i].p_chn, &vscsi->vscsi_devs[i].p_tgt, &vscsi->vscsi_devs[i].p_lun);
++                    tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/vscsi-devs/dev-%u/v-dev", be_path, vscsi_dev_id));
++                    if (tmp)
++                        sscanf(tmp, "%u:%u:%u:%u", &vscsi->v_hst, &vscsi->vscsi_devs[i].v_chn, &vscsi->vscsi_devs[i].v_tgt, &vscsi->vscsi_devs[i].v_lun);
++                }
++            }
++        }
++    }
++    *num = ndirs;
++
++    GC_FREE;
++    return vscsi_hosts;
++}
++
++int libxl_device_vscsi_getinfo(libxl_ctx *ctx,
++                              uint32_t domid,
++                              libxl_device_vscsi *vscsi_host,
++                              libxl_vscsi_dev *vscsi_dev,
++                              libxl_vscsiinfo *vscsiinfo)
++{
++    GC_INIT(ctx);
++    char *dompath, *vscsipath;
++    char *val;
++    int rc = 0;
++
++    libxl_vscsiinfo_init(vscsiinfo);
++    dompath = libxl__xs_get_dompath(gc, domid);
++    vscsiinfo->devid = vscsi_host->devid;
++    vscsiinfo->p_hst = vscsi_dev->p_hst;
++    vscsiinfo->p_chn = vscsi_dev->p_chn;
++    vscsiinfo->p_tgt = vscsi_dev->p_tgt;
++    vscsiinfo->p_lun = vscsi_dev->p_lun;
++    vscsiinfo->v_hst = vscsi_host->v_hst;
++    vscsiinfo->v_chn = vscsi_dev->v_chn;
++    vscsiinfo->v_tgt = vscsi_dev->v_tgt;
++    vscsiinfo->v_lun = vscsi_dev->v_lun;
++
++    vscsipath = GCSPRINTF("%s/device/vscsi/%d", dompath, vscsiinfo->devid);
++    vscsiinfo->backend = xs_read(ctx->xsh, XBT_NULL,
++          GCSPRINTF("%s/backend", vscsipath), NULL);
++    if (!vscsiinfo->backend) {
++        goto err;
++    }
++    if(!libxl__xs_read(gc, XBT_NULL, vscsiinfo->backend)) {
++       goto err;
++    }
++
++    val = libxl__xs_read(gc, XBT_NULL,
++          GCSPRINTF("%s/backend-id", vscsipath));
++    vscsiinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
++
++    val = libxl__xs_read(gc, XBT_NULL,
++          GCSPRINTF("%s/state", vscsipath));
++    vscsiinfo->vscsi_host_state = val ? strtoul(val, NULL, 10) : -1;
++
++    val = libxl__xs_read(gc, XBT_NULL,
++          GCSPRINTF("%s/event-channel", vscsipath));
++    vscsiinfo->evtch = val ? strtoul(val, NULL, 10) : -1;
++
++    val = libxl__xs_read(gc, XBT_NULL,
++          GCSPRINTF("%s/ring-ref", vscsipath));
++    vscsiinfo->rref = val ? strtoul(val, NULL, 10) : -1;
++
++    vscsiinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
++          GCSPRINTF("%s/frontend", vscsiinfo->backend), NULL);
++
++    val = libxl__xs_read(gc, XBT_NULL,
++          GCSPRINTF("%s/frontend-id", vscsiinfo->backend));
++    vscsiinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
++
++    val = libxl__xs_read(gc, XBT_NULL,
++          GCSPRINTF("%s/vscsi-devs/dev-%u/state", vscsiinfo->backend, vscsi_dev->vscsi_dev_id));
++    vscsiinfo->vscsi_dev_state = val ? strtoul(val, NULL, 10) : -1;
++
++    goto exit;
++err:
++    rc = ERROR_FAIL;
++exit:
++    GC_FREE;
++    return rc;
++}
+ 
+ /******************************************************************************/
+ 
+@@ -3485,6 +3752,8 @@ out:
+  * libxl_device_vkb_destroy
+  * libxl_device_vfb_remove
+  * libxl_device_vfb_destroy
++ * libxl_device_vscsi_remove
++ * libxl_device_vscsi_destroy
+  */
+ #define DEFINE_DEVICE_REMOVE(type, removedestroy, f)                    \
+     int libxl_device_##type##_##removedestroy(libxl_ctx *ctx,           \
+@@ -3536,6 +3805,10 @@ DEFINE_DEVICE_REMOVE(vfb, destroy, 1)
+ DEFINE_DEVICE_REMOVE(vtpm, remove, 0)
+ DEFINE_DEVICE_REMOVE(vtpm, destroy, 1)
+ 
++/* vscsi */
++DEFINE_DEVICE_REMOVE(vscsi, remove, 0)
++DEFINE_DEVICE_REMOVE(vscsi, destroy, 1)
++
+ #undef DEFINE_DEVICE_REMOVE
+ 
+ /******************************************************************************/
+@@ -3545,6 +3818,7 @@ DEFINE_DEVICE_REMOVE(vtpm, destroy, 1)
+  * libxl_device_disk_add
+  * libxl_device_nic_add
+  * libxl_device_vtpm_add
++ * libxl_device_vscsi_add
+  */
+ 
+ #define DEFINE_DEVICE_ADD(type)                                         \
+@@ -3574,6 +3848,9 @@ DEFINE_DEVICE_ADD(nic)
+ /* vtpm */
+ DEFINE_DEVICE_ADD(vtpm)
+ 
++/* vscsi */
++DEFINE_DEVICE_ADD(vscsi)
++
+ #undef DEFINE_DEVICE_ADD
+ 
+ /******************************************************************************/
+@@ -5678,6 +5955,20 @@ int libxl_fd_set_cloexec(libxl_ctx *ctx,
+ int libxl_fd_set_nonblock(libxl_ctx *ctx, int fd, int nonblock)
+   { return fd_set_flags(ctx,fd, F_GETFL,F_SETFL,"FL", O_NONBLOCK, nonblock); }
+ 
++/* libxl.so.4.4 ABI compatilibity hack - do not do this at home */
++static libxl_device_vscsi_suse* libxl__global_vscsi_list_suse;
++
++libxl_device_vscsi_suse* libxl_get_vscsi_devices_suse(void)
++{
++    return libxl__global_vscsi_list_suse;
++}
++
++void libxl_set_vscsi_devices_suse(libxl_device_vscsi_suse* vscsi_host)
++{
++    libxl__global_vscsi_list_suse = vscsi_host;
++}
++/* EOF libxl.so.4.4 ABI compat hack */
++
+ /*
+  * Local variables:
+  * mode: C
+Index: xen-4.4.0-testing/tools/libxl/libxl.h
+===================================================================
+--- xen-4.4.0-testing.orig/tools/libxl/libxl.h
++++ xen-4.4.0-testing/tools/libxl/libxl.h
+@@ -951,6 +951,26 @@ libxl_device_vtpm *libxl_device_vtpm_lis
+ int libxl_device_vtpm_getinfo(libxl_ctx *ctx, uint32_t domid,
+                                libxl_device_vtpm *vtpm, libxl_vtpminfo *vtpminfo);
+ 
++/* Virtual SCSI */
++int libxl_device_vscsi_add(libxl_ctx *ctx, uint32_t domid, libxl_device_vscsi *vscsi,
++                          const libxl_asyncop_how *ao_how)
++                          LIBXL_EXTERNAL_CALLERS_ONLY;
++int libxl_device_vscsi_remove(libxl_ctx *ctx, uint32_t domid,
++                            libxl_device_vscsi *vscsi,
++                            const libxl_asyncop_how *ao_how)
++                            LIBXL_EXTERNAL_CALLERS_ONLY;
++int libxl_device_vscsi_destroy(libxl_ctx *ctx, uint32_t domid,
++                              libxl_device_vscsi *vscsi,
++                              const libxl_asyncop_how *ao_how)
++                              LIBXL_EXTERNAL_CALLERS_ONLY;
++
++libxl_device_vscsi *libxl_device_vscsi_list(libxl_ctx *ctx, uint32_t domid, int *num);
++int libxl_device_vscsi_getinfo(libxl_ctx *ctx,
++                              uint32_t domid,
++                              libxl_device_vscsi *vscsi_host,
++                              libxl_vscsi_dev *vscsi_dev,
++                              libxl_vscsiinfo *vscsiinfo);
++
+ /* Keyboard */
+ int libxl_device_vkb_add(libxl_ctx *ctx, uint32_t domid, libxl_device_vkb *vkb,
+                          const libxl_asyncop_how *ao_how)
+@@ -1166,6 +1186,27 @@ int libxl_fd_set_nonblock(libxl_ctx *ctx
+ 
+ #include <libxl_event.h>
+ 
++/* libxl.so.4.4 ABI compatilibity hack - do not do this at home */
++
++/*
++ * LIBXL_HAVE_DEVICE_PVSCSI_SUSE
++ *
++ * If this is defined, set pvscsi devices through helpers
++ * libxl_get_vscsi_devices_suse and libxl_set_vscsi_devices_suse.
++ *
++ * If this is not defined, pvscsi is either unavailable or available through
++ * libxl_domain_config structure
++ */
++#define LIBXL_HAVE_DEVICE_PVSCSI_SUSE 1
++typedef struct {
++    libxl_device_vscsi* vscsi_devices;
++    int num_vscsi_devices;
++} libxl_device_vscsi_suse;
++
++libxl_device_vscsi_suse* libxl_get_vscsi_devices_suse(void);
++void libxl_set_vscsi_devices_suse(libxl_device_vscsi_suse* vscsi_host);
++/* EOF libxl.so.4.4 ABI compat hack */
++
+ #endif /* LIBXL_H */
+ 
+ /*
+Index: xen-4.4.0-testing/tools/libxl/libxl_create.c
+===================================================================
+--- xen-4.4.0-testing.orig/tools/libxl/libxl_create.c
++++ xen-4.4.0-testing/tools/libxl/libxl_create.c
+@@ -1029,6 +1029,7 @@ static void domcreate_rebuild_done(libxl
+     libxl__multidev_begin(ao, &dcs->multidev);
+     dcs->multidev.callback = domcreate_launch_dm;
+     libxl__add_disks(egc, ao, domid, d_config, &dcs->multidev);
++    libxl__add_vscsis(egc, ao, domid, d_config, &dcs->multidev);
+     libxl__multidev_prepared(egc, &dcs->multidev, 0);
+ 
+     return;
+Index: xen-4.4.0-testing/tools/libxl/libxl_device.c
+===================================================================
+--- xen-4.4.0-testing.orig/tools/libxl/libxl_device.c
++++ xen-4.4.0-testing/tools/libxl/libxl_device.c
+@@ -523,6 +523,7 @@ void libxl__multidev_prepared(libxl__egc
+  * The following functions are defined:
+  * libxl__add_disks
+  * libxl__add_nics
++ * libxl__add_vscsis
+  * libxl__add_vtpms
+  */
+ 
+@@ -542,10 +543,32 @@ void libxl__multidev_prepared(libxl__egc
+ 
+ DEFINE_DEVICES_ADD(disk)
+ DEFINE_DEVICES_ADD(nic)
++// DEFINE_DEVICES_ADD(vscsi)
+ DEFINE_DEVICES_ADD(vtpm)
+ 
+ #undef DEFINE_DEVICES_ADD
+ 
++// to preserve libxl.so.4.4 ABI custom define libxl__add_vscsi
++void libxl__add_vscsis(libxl__egc *egc, libxl__ao *ao, uint32_t domid,
++                      libxl_domain_config *d_config,
++                      libxl__multidev *multidev)
++{
++    AO_GC;
++    int i;
++
++    libxl_device_vscsi *vhosts;
++    int num_vhosts;
++    libxl_device_vscsi_suse* vscsi_hosts_suse = libxl_get_vscsi_devices_suse();
++    if (!vscsi_hosts_suse)
++        return;
++    num_vhosts = vscsi_hosts_suse->num_vscsi_devices;
++    vhosts = vscsi_hosts_suse->vscsi_devices;
++    for (i = 0; i < num_vhosts; i++) {
++        libxl__ao_device *aodev = libxl__multidev_prepare(multidev);
++        libxl__device_vscsi_add(egc, domid, vhosts+i, aodev);
++    }
++}
++
+ /******************************************************************************/
+ 
+ int libxl__device_destroy(libxl__gc *gc, libxl__device *dev)
+Index: xen-4.4.0-testing/tools/libxl/libxl_internal.h
+===================================================================
+--- xen-4.4.0-testing.orig/tools/libxl/libxl_internal.h
++++ xen-4.4.0-testing/tools/libxl/libxl_internal.h
+@@ -982,6 +982,7 @@ _hidden int libxl__device_disk_setdefaul
+ _hidden int libxl__device_nic_setdefault(libxl__gc *gc, libxl_device_nic *nic,
+                                          uint32_t domid);
+ _hidden int libxl__device_vtpm_setdefault(libxl__gc *gc, libxl_device_vtpm *vtpm);
++_hidden int libxl__device_vscsi_setdefault(libxl__gc *gc, libxl_device_vscsi *vscsi);
+ _hidden int libxl__device_vfb_setdefault(libxl__gc *gc, libxl_device_vfb *vfb);
+ _hidden int libxl__device_vkb_setdefault(libxl__gc *gc, libxl_device_vkb *vkb);
+ _hidden int libxl__device_pci_setdefault(libxl__gc *gc, libxl_device_pci *pci);
+@@ -2082,6 +2083,10 @@ _hidden void libxl__device_vtpm_add(libx
+                                    libxl_device_vtpm *vtpm,
+                                    libxl__ao_device *aodev);
+ 
++_hidden void libxl__device_vscsi_add(libxl__egc *egc, uint32_t domid,
++                                   libxl_device_vscsi *vscsi,
++                                   libxl__ao_device *aodev);
++
+ /* Internal function to connect a vkb device */
+ _hidden int libxl__device_vkb_add(libxl__gc *gc, uint32_t domid,
+                                   libxl_device_vkb *vkb);
+@@ -2522,6 +2527,10 @@ _hidden void libxl__add_vtpms(libxl__egc
+                              libxl_domain_config *d_config,
+                              libxl__multidev *multidev);
+ 
++_hidden void libxl__add_vscsis(libxl__egc *egc, libxl__ao *ao, uint32_t domid,
++                             libxl_domain_config *d_config,
++                             libxl__multidev *multidev);
++
+ /*----- device model creation -----*/
+ 
+ /* First layer; wraps libxl__spawn_spawn. */
+Index: xen-4.4.0-testing/tools/libxl/libxl_types.idl
+===================================================================
+--- xen-4.4.0-testing.orig/tools/libxl/libxl_types.idl
++++ xen-4.4.0-testing/tools/libxl/libxl_types.idl
+@@ -453,6 +453,26 @@ libxl_device_vtpm = Struct("device_vtpm"
+     ("uuid",             libxl_uuid),
+ ])
+ 
++libxl_vscsi_dev = Struct("vscsi_dev", [
++    ("vscsi_dev_id",     libxl_devid),
++    ("remove",           bool),
++    ("p_hst",            uint32),
++    ("p_chn",            uint32),
++    ("p_tgt",            uint32),
++    ("p_lun",            uint32),
++    ("v_chn",            uint32),
++    ("v_tgt",            uint32),
++    ("v_lun",            uint32),
++    ])
++
++libxl_device_vscsi = Struct("device_vscsi", [
++    ("backend_domid",    libxl_domid),
++    ("devid",            libxl_devid),
++    ("v_hst",            uint32),
++    ("vscsi_devs",       Array(libxl_vscsi_dev, "num_vscsi_devs")),
++    ("feature_host",     bool),
++    ])
++
+ libxl_domain_config = Struct("domain_config", [
+     ("c_info", libxl_domain_create_info),
+     ("b_info", libxl_domain_build_info),
+@@ -463,6 +483,8 @@ libxl_domain_config = Struct("domain_con
+     ("vfbs", Array(libxl_device_vfb, "num_vfbs")),
+     ("vkbs", Array(libxl_device_vkb, "num_vkbs")),
+     ("vtpms", Array(libxl_device_vtpm, "num_vtpms")),
++# preserve libxl.so.4.4 ABI
++#   ("vscsis", Array(libxl_device_vscsi, "num_vscsis")),
+ 
+     ("on_poweroff", libxl_action_on_shutdown),
+     ("on_reboot", libxl_action_on_shutdown),
+@@ -505,6 +527,28 @@ libxl_vtpminfo = Struct("vtpminfo", [
+     ("uuid", libxl_uuid),
+     ], dir=DIR_OUT)
+ 
++libxl_vscsiinfo = Struct("vscsiinfo", [
++    ("backend", string),
++    ("backend_id", uint32),
++    ("frontend", string),
++    ("frontend_id", uint32),
++    ("devid", libxl_devid),
++    ("p_hst", uint32),
++    ("p_chn", uint32),
++    ("p_tgt", uint32),
++    ("p_lun", uint32),
++    ("vscsi_dev_id", libxl_devid),
++    ("v_hst", uint32),
++    ("v_chn", uint32),
++    ("v_tgt", uint32),
++    ("v_lun", uint32),
++    ("feature_host", bool),
++    ("vscsi_host_state", integer),
++    ("vscsi_dev_state", integer),
++    ("evtch", integer),
++    ("rref", integer),
++    ], dir=DIR_OUT)
++
+ libxl_vcpuinfo = Struct("vcpuinfo", [
+     ("vcpuid", uint32),
+     ("cpu", uint32),
+Index: xen-4.4.0-testing/tools/libxl/libxl_types_internal.idl
+===================================================================
+--- xen-4.4.0-testing.orig/tools/libxl/libxl_types_internal.idl
++++ xen-4.4.0-testing/tools/libxl/libxl_types_internal.idl
+@@ -20,6 +20,7 @@ libxl__device_kind = Enumeration("device
+     (6, "VKBD"),
+     (7, "CONSOLE"),
+     (8, "VTPM"),
++    (9, "VSCSI"),
+     ])
+ 
+ libxl__console_backend = Enumeration("console_backend", [
+Index: xen-4.4.0-testing/tools/libxl/xl.h
+===================================================================
+--- xen-4.4.0-testing.orig/tools/libxl/xl.h
++++ xen-4.4.0-testing/tools/libxl/xl.h
+@@ -81,6 +81,9 @@ int main_networkdetach(int argc, char **
+ int main_blockattach(int argc, char **argv);
+ int main_blocklist(int argc, char **argv);
+ int main_blockdetach(int argc, char **argv);
++int main_vscsiattach(int argc, char **argv);
++int main_vscsilist(int argc, char **argv);
++int main_vscsidetach(int argc, char **argv);
+ int main_vtpmattach(int argc, char **argv);
+ int main_vtpmlist(int argc, char **argv);
+ int main_vtpmdetach(int argc, char **argv);
+Index: xen-4.4.0-testing/tools/libxl/xl_cmdimpl.c
+===================================================================
+--- xen-4.4.0-testing.orig/tools/libxl/xl_cmdimpl.c
++++ xen-4.4.0-testing/tools/libxl/xl_cmdimpl.c
+@@ -17,6 +17,7 @@
+ #include "libxl_osdeps.h"
+ 
+ #include <stdio.h>
++#include <stddef.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
+@@ -34,6 +35,7 @@
+ #include <ctype.h>
+ #include <inttypes.h>
+ #include <limits.h>
++#include <dirent.h>
+ 
+ #include "libxl.h"
+ #include "libxl_utils.h"
+@@ -544,6 +546,122 @@ static void parse_vif_rate(XLU_Config **
+     }
+ }
+ 
++static char *vscsi_trim_string(char *s)
++{
++    unsigned int len;
++
++    while (isspace(*s))
++        s++;
++    len = strlen(s);
++    while (len-- > 1 && isspace(s[len]))
++        s[len] = '\0';
++    return s;
++}
++
++static void parse_vscsi_config(libxl_device_vscsi *vscsi_host,
++                              libxl_vscsi_dev *vscsi_dev,
++                              char *buf)
++{
++    char *pdev, *vdev, *fhost;
++    unsigned int hst, chn, tgt, lun;
++
++    libxl_device_vscsi_init(vscsi_host);
++    pdev = strtok(buf, ",");
++    vdev = strtok(NULL, ",");
++    fhost = strtok(NULL, ",");
++    if (!(pdev && vdev)) {
++        fprintf(stderr, "invalid vscsi= devspec: '%s'\n", buf);
++        exit(1);
++    }
++
++    pdev = vscsi_trim_string(pdev);
++    vdev = vscsi_trim_string(vdev);
++
++    if (strncmp(pdev, "/dev/", 5) == 0) {
++#ifdef __linux__
++        struct stat pdev_stat;
++        char pdev_sysfs_path[PATH_MAX];
++        const char *type;
++        int result = 0;
++        DIR *dirp;
++        struct dirent *de;
++
++        /* stat pdev to get device's sysfs entry */
++        if (stat (pdev, &pdev_stat) == -1) {
++            fprintf(stderr, "vscsi: invalid %s '%s' in vscsi= devspec: '%s', device not found or cannot be read\n", "pdev", pdev, buf);
++            exit(1);
++        }
++        if (S_ISBLK (pdev_stat.st_mode)) {
++            type = "block";
++        } else if (S_ISCHR (pdev_stat.st_mode)) {
++            type = "char";
++        } else {
++            fprintf(stderr, "vscsi: invalid %s '%s' in vscsi= devspec: '%s', not a valid block or char device\n", "pdev", pdev, buf);
++            exit(1);
++        }
++
++        /* get pdev scsi address - subdir of scsi_device sysfs entry */
++        snprintf(pdev_sysfs_path, sizeof(pdev_sysfs_path), "/sys/dev/%s/%u:%u/device/scsi_device",
++                type,
++                major(pdev_stat.st_rdev),
++                minor(pdev_stat.st_rdev));
++
++        dirp = opendir(pdev_sysfs_path);
++        if (!dirp) {
++            fprintf(stderr, "vscsi: invalid %s '%s' in vscsi= devspec: '%s', cannot find scsi device\n", "pdev", pdev, buf);
++            exit(1);
++        }
++
++        while ((de = readdir(dirp))) {
++            if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
++                continue;
++
++            if (sscanf(de->d_name, "%u:%u:%u:%u", &hst, &chn, &tgt, &lun) != 4) {
++                fprintf(stderr, "vscsi: ignoring unknown devspec '%s' for device '%s'\n",
++                        de->d_name, pdev);
++                continue;
++            }
++            result = 1;
++            break;
++        }
++        closedir(dirp);
++
++        if (!result) {
++            fprintf(stderr, "vscsi: invalid %s '%s' in vscsi= devspec: '%s', cannot find scsi device in sysfs\n", "pdev", pdev, buf);
++            exit(1);
++        }
++#else
++        fprintf(stderr, "vscsi: invalid %s '%s' in vscsi= devspec: '%s', expecting hst:chn:tgt:lun\n", "pdev", pdev, buf);
++        exit(1);
++#endif
++    } else if (sscanf(pdev, "%u:%u:%u:%u", &hst, &chn, &tgt, &lun) != 4) {
++        fprintf(stderr, "vscsi: invalid %s '%s' in vscsi= devspec: '%s', expecting hst:chn:tgt:lun\n", "pdev", pdev, buf);
++        exit(1);
++    }
++    vscsi_dev->p_hst = hst;
++    vscsi_dev->p_chn = chn;
++    vscsi_dev->p_tgt = tgt;
++    vscsi_dev->p_lun = lun;
++
++    if (sscanf(vdev, "%u:%u:%u:%u", &hst, &chn, &tgt, &lun) != 4) {
++        fprintf(stderr, "vscsi: invalid %s '%s' in vscsi= devspec: '%s', expecting hst:chn:tgt:lun\n", "vdev", vdev, buf);
++        exit(1);
++    }
++    vscsi_host->v_hst = hst;
++    vscsi_dev->v_chn = chn;
++    vscsi_dev->v_tgt = tgt;
++    vscsi_dev->v_lun = lun;
++
++    if (fhost) {
++        fhost = vscsi_trim_string(fhost);
++        vscsi_host->feature_host = strcmp(fhost, "feature-host") == 0;
++        if (!vscsi_host->feature_host) {
++            fprintf(stderr, "vscsi: invalid option '%s' in vscsi= devspec: '%s', expecting %s\n", fhost, buf, "feature-host");
++            exit(1);
++        }
++    }
++}
++
+ static void split_string_into_string_list(const char *str,
+                                           const char *delim,
+                                           libxl_string_list *psl)
+@@ -740,7 +858,7 @@ static void parse_config_data(const char
+     const char *buf;
+     long l;
+     XLU_Config *config;
+-    XLU_ConfigList *cpus, *vbds, *nics, *pcis, *cvfbs, *cpuids, *vtpms;
++    XLU_ConfigList *cpus, *vbds, *nics, *pcis, *cvfbs, *cpuids, *vtpms, *vscsis;
+     XLU_ConfigList *ioports, *irqs, *iomem;
+     int num_ioports, num_irqs, num_iomem;
+     int pci_power_mgmt = 0;
+@@ -1246,6 +1364,66 @@ static void parse_config_data(const char
+         }
+     }
+ 
++    if (!xlu_cfg_get_list(config, "vscsi", &vscsis, 0, 0)) {
++        int cnt_vscsi_devs = 0;
++
++        /*
++         * to preserve libxl.so.4.4 ABI, do not store vscsis to d_config
++         * we are using extra array for that
++         */
++        libxl_device_vscsi* vscsi_hosts = calloc(1, sizeof(libxl_device_vscsi));
++        int num_vscsi_hosts = 0;
++
++        while ((buf = xlu_cfg_get_listitem (vscsis, cnt_vscsi_devs)) != NULL) {
++            libxl_vscsi_dev vscsi_dev = { };
++            libxl_device_vscsi vscsi_host = { };
++            libxl_device_vscsi *host;
++            char *tmp_buf;
++            int num_vscsis, host_found = 0;
++
++            /*
++             * #1: parse the devspec and place it in temporary host+dev part
++             * #2: find existing vscsi_host with number v_hst
++             *     if found, append the vscsi_dev to this vscsi_host
++             * #3: otherwise, create new vscsi_host and append vscsi_dev
++             * Note: v_hst does not represent the index named "num_vscsis",
++             *       it is a private index used just in the config file
++             */
++            tmp_buf = strdup(buf);
++            parse_vscsi_config(&vscsi_host, &vscsi_dev, tmp_buf);
++            free(tmp_buf);
++
++            if (num_vscsi_hosts) {
++                for (num_vscsis = 0; num_vscsis < num_vscsi_hosts; num_vscsis++) {
++                    if (vscsi_hosts[num_vscsis].v_hst == vscsi_host.v_hst) {
++                        host = vscsi_hosts + num_vscsis;
++                        host->vscsi_devs = realloc(host->vscsi_devs, sizeof(libxl_vscsi_dev) * (host->num_vscsi_devs + 1));
++                        vscsi_dev.vscsi_dev_id = host->num_vscsi_devs;
++                        memcpy(host->vscsi_devs + host->num_vscsi_devs, &vscsi_dev, sizeof(vscsi_dev));
++                        host->num_vscsi_devs++;
++                        host_found = 1;
++                    break;
++                    }
++                }
++            }
++            if (!host_found || !num_vscsi_hosts) {
++                vscsi_hosts = realloc(vscsi_hosts, sizeof(libxl_device_vscsi) * (num_vscsi_hosts + 1));
++                vscsi_host.vscsi_devs = malloc(sizeof(libxl_vscsi_dev));
++                vscsi_dev.vscsi_dev_id = 0;
++                memcpy(vscsi_host.vscsi_devs, &vscsi_dev, sizeof(vscsi_dev));
++                vscsi_host.num_vscsi_devs++;
++                vscsi_host.devid = num_vscsi_hosts;
++                memcpy(vscsi_hosts + num_vscsi_hosts, &vscsi_host, sizeof(vscsi_host));
++                num_vscsi_hosts++;
++            }
++            cnt_vscsi_devs++;
++        }
++        libxl_device_vscsi_suse* vscsis_suse = calloc(1, sizeof(libxl_device_vscsi_suse));
++        vscsis_suse->vscsi_devices = vscsi_hosts;
++        vscsis_suse->num_vscsi_devices = num_vscsi_hosts;
++        libxl_set_vscsi_devices_suse(vscsis_suse);
++    }
++
+     if (!xlu_cfg_get_list(config, "vtpm", &vtpms, 0, 0)) {
+         d_config->num_vtpms = 0;
+         d_config->vtpms = NULL;
+@@ -6041,6 +6219,256 @@ int main_blockdetach(int argc, char **ar
+     return rc;
+ }
+ 
++int main_vscsiattach(int argc, char **argv)
++{
++    int opt;
++    int num_hosts, i = 0, found_host = -1, res = 0;
++    libxl_vscsi_dev *vscsi_dev;
++    libxl_device_vscsi *vscsi_host, *vscsi_tmphst;
++    libxl_device_vscsi *vscsi_hosts_existing = NULL;
++    uint32_t domid;
++    char *tmp_buf, *feat_buf = NULL;
++
++    SWITCH_FOREACH_OPT(opt, "", NULL, "scsi-attach", 1) {
++        /* No options */
++    }
++
++    if (argc < 4) {
++        help("scsi-attach");
++        return 1;
++    }
++    if (libxl_domain_qualifier_to_domid(ctx, argv[optind], &domid) < 0) {
++        fprintf(stderr, "%s is an invalid domain identifier\n", argv[optind]);
++        return 1;
++    }
++    ++optind;
++
++    if (argc < 4) {
++        fprintf(stderr, "scsi-attach: 3 options required.\n");
++        return 1;
++    }
++    if (argc == 5) {
++        if (asprintf(&feat_buf, ",%s", argv[4]) < 0) {
++        perror("asprintf");
++        return 1;
++        }
++    }
++    if (asprintf(&tmp_buf, "%s,%s%s", argv[2], argv[3], feat_buf ?: "") < 0) {
++        perror("asprintf");
++        return 1;
++    }
++
++    vscsi_dev = calloc(1, sizeof(*vscsi_dev));
++    vscsi_host = calloc(1, sizeof(*vscsi_host));
++    if (!(vscsi_dev && vscsi_host)) {
++        fprintf(stderr, "%s ENOMEM\n", __func__);
++        res = 1;
++        goto vscsi_attach_out;
++    }
++    parse_vscsi_config(vscsi_host, vscsi_dev, tmp_buf);
++
++    /* look for existing vscsi_host for given domain */
++    vscsi_hosts_existing = libxl_device_vscsi_list(ctx, domid, &num_hosts);
++    if (vscsi_hosts_existing) {
++        for (i = 0; i < num_hosts; ++i) {
++            int j;
++            for (j = 0; j < vscsi_hosts_existing[i].num_vscsi_devs; j++) {
++                if (vscsi_hosts_existing[i].vscsi_devs[j].p_hst == vscsi_dev->p_hst &&
++                    vscsi_hosts_existing[i].vscsi_devs[j].p_chn == vscsi_dev->p_chn &&
++                    vscsi_hosts_existing[i].vscsi_devs[j].p_tgt == vscsi_dev->p_tgt &&
++                    vscsi_hosts_existing[i].vscsi_devs[j].p_lun == vscsi_dev->p_lun) {
++                    fprintf(stderr, "Host device '%u:%u:%u:%u' is already in use"
++                            " by guest vscsi specification '%u:%u:%u:%u'.\n",
++                            vscsi_dev->p_hst, vscsi_dev->p_chn, vscsi_dev->p_tgt, vscsi_dev->p_lun,
++                            vscsi_hosts_existing[i].v_hst, vscsi_dev->v_chn, vscsi_dev->v_tgt, vscsi_dev->v_lun);
++                    res = 1;
++                    goto vscsi_attach_out;
++                }
++            }
++            if (vscsi_host->v_hst == vscsi_hosts_existing[i].v_hst) {
++                found_host = i;
++                break;
++            }
++        }
++    }
++    if (found_host == -1) {
++        vscsi_host->devid = i;
++        vscsi_host->vscsi_devs = vscsi_dev;
++        vscsi_host->num_vscsi_devs = 1;
++        vscsi_tmphst = vscsi_host;
++    } else {
++        /* look if the vdev address is not taken */
++        vscsi_tmphst = vscsi_hosts_existing + found_host;
++        for (i = 0; i < vscsi_tmphst->num_vscsi_devs; ++i) {
++            if (vscsi_tmphst->vscsi_devs[i].v_chn == vscsi_dev->v_chn &&
++                vscsi_tmphst->vscsi_devs[i].v_tgt == vscsi_dev->v_tgt &&
++                vscsi_tmphst->vscsi_devs[i].v_lun == vscsi_dev->v_lun) {
++                fprintf(stderr, "Target vscsi specification '%u:%u:%u:%u' is already taken\n",
++                        vscsi_tmphst->v_hst, vscsi_dev->v_chn,
++                        vscsi_dev->v_tgt, vscsi_dev->v_lun);
++                res = 1;
++                goto vscsi_attach_out;
++            }
++        }
++        vscsi_tmphst->vscsi_devs = realloc(vscsi_tmphst->vscsi_devs,
++                                         sizeof(libxl_vscsi_dev) *
++                                         (vscsi_tmphst->num_vscsi_devs + 1));
++        if (vscsi_tmphst->vscsi_devs == NULL) {
++            fprintf(stderr, "%s ENOMEM\n", __func__);
++            res = 1;
++            goto vscsi_attach_out;
++        }
++        vscsi_dev->vscsi_dev_id = vscsi_tmphst->num_vscsi_devs;
++        memcpy(vscsi_tmphst->vscsi_devs + vscsi_tmphst->num_vscsi_devs,
++               vscsi_dev, sizeof(*vscsi_dev));
++        vscsi_tmphst->num_vscsi_devs++;
++    }
++
++    if (dryrun_only) {
++        char* json = libxl_device_vscsi_to_json(ctx, vscsi_tmphst);
++        printf("vscsi: %s\n", json);
++        free(json);
++        if (ferror(stdout) || fflush(stdout)) { perror("stdout"); exit(-1); }
++    }
++    else if (libxl_device_vscsi_add(ctx, domid, vscsi_tmphst, 0)) {
++        fprintf(stderr, "libxl_device_vscsi_add failed.\n");
++        res = 1;
++    }
++
++vscsi_attach_out:
++    if (vscsi_hosts_existing) {
++        for (i = 0; i < num_hosts; ++i)
++            libxl_device_vscsi_dispose(vscsi_hosts_existing+i);
++        free(vscsi_hosts_existing);
++    }
++    free(vscsi_host);
++    free(vscsi_dev);
++    free(tmp_buf);
++    free(feat_buf);
++    return res;
++}
++
++int main_vscsilist(int argc, char **argv)
++{
++    int opt;
++    libxl_device_vscsi *vscsi_hosts;
++    libxl_vscsiinfo vscsiinfo;
++    int num_hosts, h, d;
++
++    SWITCH_FOREACH_OPT(opt, "", NULL, "scsi-list", 1) {
++        /* No options */
++    }
++    if (argc < 2) {
++        help("scsi-list");
++        return 1;
++    }
++    /*      Idx  BE  state host p_hst v_hst state */
++    printf("%-3s %-3s %-5s %-5s %-10s %-10s %-5s\n",
++           "Idx", "BE", "state", "host", "phy-hctl", "vir-hctl", "devstate");
++    for (argv += optind, argc -= optind; argc > 0; --argc, ++argv) {
++        uint32_t domid;
++        if (libxl_domain_qualifier_to_domid(ctx, *argv, &domid) < 0) {
++            fprintf(stderr, "%s is an invalid domain identifier\n", *argv);
++            continue;
++        }
++        if (!(vscsi_hosts = libxl_device_vscsi_list(ctx, domid, &num_hosts))) {
++            continue;
++        }
++        for (h = 0; h < num_hosts; ++h) {
++           for (d = 0; d < vscsi_hosts[h].num_vscsi_devs; d++) {
++               if (!libxl_device_vscsi_getinfo(ctx, domid, &vscsi_hosts[h], &vscsi_hosts[h].vscsi_devs[d], &vscsiinfo)) {
++                   char pdev[64], vdev[64];
++                   snprintf(pdev, sizeof(pdev), "%u:%u:%u:%u",
++                         vscsiinfo.p_hst, vscsiinfo.p_chn, vscsiinfo.p_tgt, vscsiinfo.p_lun);
++                   snprintf(vdev, sizeof(vdev), "%u:%u:%u:%u",
++                         vscsiinfo.v_hst, vscsiinfo.v_chn, vscsiinfo.v_tgt, vscsiinfo.v_lun);
++                   /*      Idx  BE  state Sta */
++                   printf("%-3d %-3d %-5d %-5d %-10s %-10s %d\n",
++                         vscsiinfo.devid,
++			 vscsiinfo.backend_id,
++                         vscsiinfo.vscsi_host_state,
++			 vscsiinfo.backend_id,
++                         pdev, vdev,
++                         vscsiinfo.vscsi_dev_state);
++
++                   libxl_vscsiinfo_dispose(&vscsiinfo);
++               }
++           }
++           libxl_device_vscsi_dispose(&vscsi_hosts[h]);
++        }
++        free(vscsi_hosts);
++    }
++    return 0;
++}
++
++int main_vscsidetach(int argc, char **argv)
++{
++    int opt;
++    libxl_vscsi_dev *vscsi_dev, *vd;
++    libxl_device_vscsi *vscsi_host, *vh;
++    libxl_device_vscsi *vscsi_hosts;
++    char *tmp_buf, *dom = argv[1], *vdev = argv[2];
++    uint32_t domid;
++    int num_hosts, h, d, found = 0;
++
++    SWITCH_FOREACH_OPT(opt, "", NULL, "scsi-detach", 1) {
++        /* No options */
++    }
++    if (argc < 3) {
++        help("scsi-detach");
++        return 1;
++    }
++    if (libxl_domain_qualifier_to_domid(ctx, dom, &domid) < 0) {
++        fprintf(stderr, "%s is an invalid domain identifier\n", dom);
++        return 1;
++    }
++    vscsi_hosts = libxl_device_vscsi_list(ctx, domid, &num_hosts);
++    if (!vscsi_hosts)
++        return 0;
++
++    if (asprintf(&tmp_buf, "0:0:0:0,%s", vdev) < 0) {
++        perror("asprintf");
++        return 1;
++    }
++    vscsi_dev = calloc(1, sizeof(*vscsi_dev));
++    vscsi_host = calloc(1, sizeof(*vscsi_host));
++    if (!(vscsi_dev && vscsi_host)) {
++        fprintf(stderr, "%s ENOMEM\n", __func__);
++        goto done;
++    }
++    parse_vscsi_config(vscsi_host, vscsi_dev, tmp_buf);
++
++    for (h = 0; h < num_hosts; ++h) {
++       vh = &vscsi_hosts[h];
++       for (d = 0; !found && d < vh->num_vscsi_devs; d++) {
++#define CMP(member) (vd->member == vscsi_dev->member)
++           vd = &vh->vscsi_devs[d];
++           if (vh->v_hst == vscsi_host->v_hst && CMP(v_chn) && CMP(v_tgt) && CMP(v_lun)) {
++               if (vh->num_vscsi_devs > 1) {
++                   vd->remove = true;
++                   if (libxl_device_vscsi_add(ctx, domid, vh, 0)) {
++                       fprintf(stderr, "libxl_device_vscsi_remove failed.\n");
++                       goto done;
++                   }
++               } else {
++                   libxl_device_vscsi_remove(ctx, domid, vh, 0);
++               }
++               found = 1;
++           }
++#undef CMP
++       }
++       libxl_device_vscsi_dispose(vh);
++    }
++    if (!found)
++        fprintf(stderr, "%s(%u) vdev %s does not exist in domain %s\n", __func__, __LINE__, vdev, dom);
++done:
++    free(vscsi_hosts);
++    free(vscsi_host);
++    free(vscsi_dev);
++    free(tmp_buf);
++    return !found;
++}
++
+ int main_vtpmattach(int argc, char **argv)
+ {
+     int opt;
+Index: xen-4.4.0-testing/tools/libxl/xl_cmdtable.c
+===================================================================
+--- xen-4.4.0-testing.orig/tools/libxl/xl_cmdtable.c
++++ xen-4.4.0-testing/tools/libxl/xl_cmdtable.c
+@@ -354,6 +354,21 @@ struct cmd_spec cmd_table[] = {
+       "Destroy a domain's virtual block device",
+       "<Domain> <DevId>",
+     },
++    { "scsi-attach",
++      &main_vscsiattach, 1, 1,
++      "Attach a dom0 SCSI device to a domain.",
++      "<Domain> <PhysDevice> <VirtDevice>",
++    },
++    { "scsi-list",
++      &main_vscsilist, 0, 0,
++      "List all dom0 SCSI devices currently attached.",
++      "<Domain(s)>",
++    },
++    { "scsi-detach",
++      &main_vscsidetach, 0, 1,
++      "Detach a specified SCSI device from a domain.",
++      "<Domain> <VirtDevice>",
++    },
+     { "vtpm-attach",
+       &main_vtpmattach, 1, 1,
+       "Create a new virtual TPM device",
diff --git a/pygrub-boot-legacy-sles.patch b/pygrub-boot-legacy-sles.patch
index bd4388f..552d1d1 100644
--- a/pygrub-boot-legacy-sles.patch
+++ b/pygrub-boot-legacy-sles.patch
@@ -1,23 +1,38 @@
-Index: xen-4.3.1-testing/tools/pygrub/src/pygrub
+Index: xen-4.4.0-testing/tools/pygrub/src/pygrub
 ===================================================================
---- xen-4.3.1-testing.orig/tools/pygrub/src/pygrub
-+++ xen-4.3.1-testing/tools/pygrub/src/pygrub
-@@ -607,6 +607,14 @@ def run_grub(file, entry, fs, cfg_args):
-             print "  args: %s" % img.args
-             print "  initrd: %s" % img.initrd[1]
+--- xen-4.4.0-testing.orig/tools/pygrub/src/pygrub
++++ xen-4.4.0-testing/tools/pygrub/src/pygrub
+@@ -452,7 +452,7 @@ class Grub:
+                 self.cf.filename = f
+                 break
+         if self.__dict__.get('cf', None) is None:
+-            raise RuntimeError, "couldn't find bootloader config file in the image provided."
++            return
+         f = fs.open_file(self.cf.filename)
+         # limit read size to avoid pathological cases
+         buf = f.read(FS_READ_MAX)
+@@ -598,6 +598,20 @@ def run_grub(file, entry, fs, cfg_args):
  
-+    # If grub has no menu entries to select, look for vmlinuz-xen and initrd-xen in /boot
-+    if len(g.cf.images) == 0:
-+        chosencfg = { "kernel": None, "ramdisk": None, "args": "" }
-+        chosencfg = sniff_xen_kernel(fs, incfg)
-+        if chosencfg["kernel"] and chosencfg["ramdisk"]:
-+            chosencfg["args"] = cfg_args
-+            return chosencfg
+     g = Grub(file, fs)
+ 
++    # If missing config or grub has no menu entries to select, look for
++    # vmlinuz-xen and initrd-xen in /boot
++    if g.__dict__.get('cf', None) is None or len(g.cf.images) == 0:
++        if not list_entries:
++            chosencfg = { "kernel": None, "ramdisk": None, "args": "" }
++            chosencfg = sniff_xen_kernel(fs, incfg)
++            if chosencfg["kernel"] and chosencfg["ramdisk"]:
++                chosencfg["args"] = cfg_args
++                return chosencfg
++        if g.__dict__.get('cf', None) is None:
++            raise RuntimeError, "couldn't find bootloader config file in the image provided."
++        else:
++            return
 +
-     if interactive and not list_entries:
-         curses.wrapper(run_main)
-     else:
-@@ -693,6 +701,14 @@ def sniff_netware(fs, cfg):
+     if list_entries:
+         for i in range(len(g.cf.images)):
+             img = g.cf.images[i]
+@@ -693,6 +707,14 @@ def sniff_netware(fs, cfg):
  
      return cfg
  
@@ -32,3 +47,12 @@ Index: xen-4.3.1-testing/tools/pygrub/src/pygrub
  def format_sxp(kernel, ramdisk, args):
      s = "linux (kernel %s)" % kernel
      if ramdisk:
+@@ -773,7 +795,7 @@ if __name__ == "__main__":
+     debug = False
+     not_really = False
+     output_format = "sxp"
+-    output_directory = "/var/run/xend/boot"
++    output_directory = "/var/run/xen"
+ 
+     # what was passed in
+     incfg = { "kernel": None, "ramdisk": None, "args": "" }
diff --git a/xen.changes b/xen.changes
index 05b70a9..4ca9f32 100644
--- a/xen.changes
+++ b/xen.changes
@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Mon May 12 18:00:14 CEST 2014 - ohering@suse.de
+
+- fate#316613: Implement pvscsi in xl/libxl
+  libxl.pvscsi.patch
+
+-------------------------------------------------------------------
+Fri May  9 08:07:34 MDT 2014 - carnold@suse.com
+
+- bnc#875668 - VUL-0: CVE-2014-3124: xen: XSA-92:
+  HVMOP_set_mem_type allows invalid P2M entries to be created
+  535fa503-x86-HVM-restrict-HVMOP_set_mem_type.patch (replaces xsa92.patch)
+- bnc#826717 - VUL-0: CVE-2013-3495: XSA-59: xen: Intel VT-d
+  Interrupt Remapping engines can be evaded by native NMI interrupts
+  535a34eb-VT-d-suppress-UR-signaling-for-server-chipsets.patch
+  535a3516-VT-d-suppress-UR-signaling-for-desktop-chipsets.patch
+- Upstream patches from Jan
+  535a354b-passthrough-allow-to-suppress-SERR-and-PERR-signaling.patch
+  535e31bc-x86-HVM-correct-the-SMEP-logic-for-HVM_CR0_GUEST_RESERVED_BITS.patch
+  53636978-hvm_set_ioreq_page-releases-wrong-page-in-error-path.patch
+  53636ebf-x86-fix-guest-CPUID-handling.patch
+
+-------------------------------------------------------------------
+Tue May  6 13:24:14 MDT 2014 - carnold@suse.com
+
+- Fix pygrub to handle VM with no grub/menu.lst file.
+- Don't use /var/run/xend/boot for temporary boot directory
+  pygrub-boot-legacy-sles.patch
+
 -------------------------------------------------------------------
 Sat Apr 26 09:56:36 MDT 2014 - carnold@suse.com
 
diff --git a/xen.spec b/xen.spec
index d3321c3..fa2055d 100644
--- a/xen.spec
+++ b/xen.spec
@@ -15,7 +15,6 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
-
 # needssslcertforbuild
 
 Name:           xen
@@ -154,7 +153,7 @@ BuildRequires:  xorg-x11-util-devel
 %endif
 %endif
 
-Version:        4.4.0_16
+Version:        4.4.0_18
 Release:        0
 PreReq:         %insserv_prereq %fillup_prereq
 Summary:        Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
@@ -243,7 +242,13 @@ Patch27:        534bbd90-x86-nested-HAP-don-t-BUG-on-legitimate-error.patch
 Patch28:        534bdf47-x86-HAP-also-flush-TLB-when-altering-a-present-1G-or-intermediate-entry.patch
 Patch29:        53563ea4-x86-MSI-drop-workaround-for-insecure-Dom0-kernels.patch
 Patch30:        5357baff-x86-add-missing-break-in-dom0_pit_access.patch
-Patch92:        xsa92.patch
+Patch31:        535a34eb-VT-d-suppress-UR-signaling-for-server-chipsets.patch
+Patch32:        535a3516-VT-d-suppress-UR-signaling-for-desktop-chipsets.patch
+Patch33:        535a354b-passthrough-allow-to-suppress-SERR-and-PERR-signaling.patch
+Patch34:        535e31bc-x86-HVM-correct-the-SMEP-logic-for-HVM_CR0_GUEST_RESERVED_BITS.patch
+Patch35:        535fa503-x86-HVM-restrict-HVMOP_set_mem_type.patch
+Patch36:        53636978-hvm_set_ioreq_page-releases-wrong-page-in-error-path.patch
+Patch37:        53636ebf-x86-fix-guest-CPUID-handling.patch
 # Upstream qemu
 Patch250:       VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251:       0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -311,6 +316,7 @@ Patch386:       libxc-pass-errno-to-callers-of-xc_domain_save.patch
 Patch387:       libxl.set-migration-constraints-from-cmdline.patch
 Patch388:       libxl.honor-more-top-level-vfb-options.patch
 Patch389:       qemu-xen-upstream-megasas-buildtime.patch
+Patch390:       libxl.pvscsi.patch
 # Xend
 Patch400:       xend-set-migration-constraints-from-cmdline.patch
 Patch402:       xen.migrate.tools-xend_move_assert_to_exception_block.patch
@@ -633,7 +639,13 @@ Authors:
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
-%patch92 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1
@@ -700,6 +712,7 @@ Authors:
 %patch387 -p1
 %patch388 -p1
 %patch389 -p1
+%patch390 -p1
 # Xend
 %patch400 -p1
 %patch402 -p1
diff --git a/xend-tools-watchdog-support.patch b/xend-tools-watchdog-support.patch
index 106e29a..e167d14 100644
--- a/xend-tools-watchdog-support.patch
+++ b/xend-tools-watchdog-support.patch
@@ -129,7 +129,7 @@ Index: xen-4.4.0-testing/tools/libxl/xl_cmdimpl.c
 ===================================================================
 --- xen-4.4.0-testing.orig/tools/libxl/xl_cmdimpl.c
 +++ xen-4.4.0-testing/tools/libxl/xl_cmdimpl.c
-@@ -1737,6 +1737,8 @@ skip_vfb:
+@@ -1915,6 +1915,8 @@ skip_vfb:
          xlu_cfg_replace_string (config, "soundhw", &b_info->u.hvm.soundhw, 0);
          xlu_cfg_get_defbool(config, "xen_platform_pci",
                              &b_info->u.hvm.xen_platform_pci, 0);