- NetWare will not boot or install on Xen 4.2

reverse-24757-use-grant-references.patch 

- fate#313222 - xenstore-chmod should support 256 permissions
  26189-xenstore-chmod.patch

- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version
  switch list corruption vulnerability (XSA-26)
  CVE-2012-5510-xsa26.patch
- bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do
  not validate the range of their inputs (XSA-27)
  CVE-2012-5511-xsa27.patch
- bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may
  overwrite hypervisor memory (XSA-29)
  CVE-2012-5513-xsa29.patch
- bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in
  guest_physmap_mark_populate_on_demand() (XSA-30)
  CVE-2012-5514-xsa30.patch
- bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall
  operations allow invalid extent order values (XSA-31)
  CVE-2012-5515-xsa31.patch
- bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not
  validate input GFNs (XSA-32)
  CVE-2012-5525-xsa32.patch
- Upstream patches from Jan
  26129-ACPI-BGRT-invalidate.patch
  26132-tmem-save-NULL-check.patch
  26134-x86-shadow-invlpg-check.patch
  26139-cpumap-masking.patch
  26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch)

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=219

26129-ACPI-BGRT-invalidate.patch

@@ -0,0 +1,643 @@
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1352368421 -3600
+# Node ID 92163b114076029842d0f2d1dbfaa445976c71a3
+# Parent  aa2074529eb0183257b6f5f29821b0cd6dfd991a
+x86/ACPI: invalidate BGRT if necessary
+
+Since the image pointed to may live in boot services memory (which we
+add to the global memory pool long before ACPI tables get looked at),
+we should prevent Dom0 from trying to retrieve the image data in that
+case.
+
+The alternatives would be to
+- not add boot services memory to the global pool at all, or
+- defer adding boot services memory until Dom0 indicates it is safe to
+  do so, or
+- find and parse the BGRT table in xen/arch/x86/efi/boot.c, and avoid
+  adding that specific region to the E820 table.
+None of these are really attractive, and as Xen commonly prints to the
+video console anyway (without trying to avoid any regions on the
+screen), the invalidation would need to be done conditionally anyway.
+
+(xen/include/acpi/actbl3.h is a verbatim copy from Linux 3.7-rc4)
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/acpi/boot.c
++++ b/xen/arch/x86/acpi/boot.c
+@@ -28,6 +28,7 @@
+ #include <xen/init.h>
+ #include <xen/acpi.h>
+ #include <xen/irq.h>
++#include <xen/mm.h>
+ #include <xen/dmi.h>
+ #include <asm/fixmap.h>
+ #include <asm/page.h>
+@@ -285,6 +286,27 @@ static int __init acpi_parse_hpet(struct
+ #define	acpi_parse_hpet	NULL
+ #endif
+ 
++static int __init acpi_invalidate_bgrt(struct acpi_table_header *table)
++{
++	struct acpi_table_bgrt *bgrt_tbl =
++		container_of(table, struct acpi_table_bgrt, header);
++
++	if (table->length < sizeof(*bgrt_tbl))
++		return -1;
++
++	if (bgrt_tbl->version == 1 && bgrt_tbl->image_address
++	    && !page_is_ram_type(PFN_DOWN(bgrt_tbl->image_address),
++				 RAM_TYPE_CONVENTIONAL))
++		return 0;
++
++	printk(KERN_INFO PREFIX "BGRT: invalidating v%d image at %#"PRIx64"\n",
++	       bgrt_tbl->version, bgrt_tbl->image_address);
++	bgrt_tbl->image_address = 0;
++	bgrt_tbl->status &= ~1;
++
++	return 0;
++}
++
+ #ifdef CONFIG_ACPI_SLEEP
+ #define acpi_fadt_copy_address(dst, src, len) do {			\
+ 	if (fadt->header.revision >= FADT2_REVISION_ID)			\
+@@ -833,5 +855,7 @@ int __init acpi_boot_init(void)
+ 
+ 	erst_init();
+ 
++	acpi_table_parse(ACPI_SIG_BGRT, acpi_invalidate_bgrt);
++
+ 	return 0;
+ }
+--- a/xen/include/acpi/actbl.h
++++ b/xen/include/acpi/actbl.h
+@@ -314,6 +314,7 @@ enum acpi_prefered_pm_profiles {
+ 
+ #include <acpi/actbl1.h>
+ #include <acpi/actbl2.h>
++#include <acpi/actbl3.h>
+ 
+ /*
+  * Sizes of the various flavors of FADT. We need to look closely
+--- /dev/null
++++ b/xen/include/acpi/actbl3.h
+@@ -0,0 +1,557 @@
++/******************************************************************************
++ *
++ * Name: actbl3.h - ACPI Table Definitions
++ *
++ *****************************************************************************/
++
++/*
++ * Copyright (C) 2000 - 2012, Intel Corp.
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions, and the following disclaimer,
++ *    without modification.
++ * 2. Redistributions in binary form must reproduce at minimum a disclaimer
++ *    substantially similar to the "NO WARRANTY" disclaimer below
++ *    ("Disclaimer") and any redistribution must be conditioned upon
++ *    including a substantially similar Disclaimer requirement for further
++ *    binary redistribution.
++ * 3. Neither the names of the above-listed copyright holders nor the names
++ *    of any contributors may be used to endorse or promote products derived
++ *    from this software without specific prior written permission.
++ *
++ * Alternatively, this software may be distributed under the terms of the
++ * GNU General Public License ("GPL") version 2 as published by the Free
++ * Software Foundation.
++ *
++ * NO WARRANTY
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR
++ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
++ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGES.
++ */
++
++#ifndef __ACTBL3_H__
++#define __ACTBL3_H__
++
++/*******************************************************************************
++ *
++ * Additional ACPI Tables (3)
++ *
++ * These tables are not consumed directly by the ACPICA subsystem, but are
++ * included here to support device drivers and the AML disassembler.
++ *
++ * The tables in this file are fully defined within the ACPI specification.
++ *
++ ******************************************************************************/
++
++/*
++ * Values for description table header signatures for tables defined in this
++ * file. Useful because they make it more difficult to inadvertently type in
++ * the wrong signature.
++ */
++#define ACPI_SIG_BGRT           "BGRT"	/* Boot Graphics Resource Table */
++#define ACPI_SIG_DRTM           "DRTM"	/* Dynamic Root of Trust for Measurement table */
++#define ACPI_SIG_FPDT           "FPDT"	/* Firmware Performance Data Table */
++#define ACPI_SIG_GTDT           "GTDT"	/* Generic Timer Description Table */
++#define ACPI_SIG_MPST           "MPST"	/* Memory Power State Table */
++#define ACPI_SIG_PCCT           "PCCT"	/* Platform Communications Channel Table */
++#define ACPI_SIG_PMTT           "PMTT"	/* Platform Memory Topology Table */
++#define ACPI_SIG_RASF           "RASF"	/* RAS Feature table */
++
++#define ACPI_SIG_S3PT           "S3PT"	/* S3 Performance (sub)Table */
++#define ACPI_SIG_PCCS           "PCC"	/* PCC Shared Memory Region */
++
++/* Reserved table signatures */
++
++#define ACPI_SIG_CSRT           "CSRT"	/* Core System Resources Table */
++#define ACPI_SIG_MATR           "MATR"	/* Memory Address Translation Table */
++#define ACPI_SIG_MSDM           "MSDM"	/* Microsoft Data Management Table */
++#define ACPI_SIG_WPBT           "WPBT"	/* Windows Platform Binary Table */
++
++/*
++ * All tables must be byte-packed to match the ACPI specification, since
++ * the tables are provided by the system BIOS.
++ */
++#pragma pack(1)
++
++/*
++ * Note: C bitfields are not used for this reason:
++ *
++ * "Bitfields are great and easy to read, but unfortunately the C language
++ * does not specify the layout of bitfields in memory, which means they are
++ * essentially useless for dealing with packed data in on-disk formats or
++ * binary wire protocols." (Or ACPI tables and buffers.) "If you ask me,
++ * this decision was a design error in C. Ritchie could have picked an order
++ * and stuck with it." Norman Ramsey.
++ * See http://stackoverflow.com/a/1053662/41661
++ */
++
++/*******************************************************************************
++ *
++ * BGRT - Boot Graphics Resource Table (ACPI 5.0)
++ *        Version 1
++ *
++ ******************************************************************************/
++
++struct acpi_table_bgrt {
++	struct acpi_table_header header;	/* Common ACPI table header */
++	u16 version;
++	u8 status;
++	u8 image_type;
++	u64 image_address;
++	u32 image_offset_x;
++	u32 image_offset_y;
++};
++
++/*******************************************************************************
++ *
++ * DRTM - Dynamic Root of Trust for Measurement table
++ *
++ ******************************************************************************/
++
++struct acpi_table_drtm {
++	struct acpi_table_header header;	/* Common ACPI table header */
++	u64 entry_base_address;
++	u64 entry_length;
++	u32 entry_address32;
++	u64 entry_address64;
++	u64 exit_address;
++	u64 log_area_address;
++	u32 log_area_length;
++	u64 arch_dependent_address;
++	u32 flags;
++};
++
++/* 1) Validated Tables List */
++
++struct acpi_drtm_vtl_list {
++	u32 validated_table_list_count;
++};
++
++/* 2) Resources List */
++
++struct acpi_drtm_resource_list {
++	u32 resource_list_count;
++};
++
++/* 3) Platform-specific Identifiers List */
++
++struct acpi_drtm_id_list {
++	u32 id_list_count;
++};
++
++/*******************************************************************************
++ *
++ * FPDT - Firmware Performance Data Table (ACPI 5.0)
++ *        Version 1
++ *
++ ******************************************************************************/
++
++struct acpi_table_fpdt {
++	struct acpi_table_header header;	/* Common ACPI table header */
++};
++
++/* FPDT subtable header */
++
++struct acpi_fpdt_header {
++	u16 type;
++	u8 length;
++	u8 revision;
++};
++
++/* Values for Type field above */
++
++enum acpi_fpdt_type {
++	ACPI_FPDT_TYPE_BOOT = 0,
++	ACPI_FPDT_TYPE_S3PERF = 1,
++};
++
++/*
++ * FPDT subtables
++ */
++
++/* 0: Firmware Basic Boot Performance Record */
++
++struct acpi_fpdt_boot {
++	struct acpi_fpdt_header header;
++	u8 reserved[4];
++	u64 reset_end;
++	u64 load_start;
++	u64 startup_start;
++	u64 exit_services_entry;
++	u64 exit_services_exit;
++};
++
++/* 1: S3 Performance Table Pointer Record */
++
++struct acpi_fpdt_s3pt_ptr {
++	struct acpi_fpdt_header header;
++	u8 reserved[4];
++	u64 address;
++};
++
++/*
++ * S3PT - S3 Performance Table. This table is pointed to by the
++ * FPDT S3 Pointer Record above.
++ */
++struct acpi_table_s3pt {
++	u8 signature[4];	/* "S3PT" */
++	u32 length;
++};
++
++/*
++ * S3PT Subtables
++ */
++struct acpi_s3pt_header {
++	u16 type;
++	u8 length;
++	u8 revision;
++};
++
++/* Values for Type field above */
++
++enum acpi_s3pt_type {
++	ACPI_S3PT_TYPE_RESUME = 0,
++	ACPI_S3PT_TYPE_SUSPEND = 1,
++};
++
++struct acpi_s3pt_resume {
++	struct acpi_s3pt_header header;
++	u32 resume_count;
++	u64 full_resume;
++	u64 average_resume;
++};
++
++struct acpi_s3pt_suspend {
++	struct acpi_s3pt_header header;
++	u64 suspend_start;
++	u64 suspend_end;
++};
++
++/*******************************************************************************
++ *
++ * GTDT - Generic Timer Description Table (ACPI 5.0)
++ *        Version 1
++ *
++ ******************************************************************************/
++
++struct acpi_table_gtdt {
++	struct acpi_table_header header;	/* Common ACPI table header */
++	u64 address;
++	u32 flags;
++	u32 secure_pl1_interrupt;
++	u32 secure_pl1_flags;
++	u32 non_secure_pl1_interrupt;
++	u32 non_secure_pl1_flags;
++	u32 virtual_timer_interrupt;
++	u32 virtual_timer_flags;
++	u32 non_secure_pl2_interrupt;
++	u32 non_secure_pl2_flags;
++};
++
++/* Values for Flags field above */
++
++#define ACPI_GTDT_MAPPED_BLOCK_PRESENT      1
++
++/* Values for all "TimerFlags" fields above */
++
++#define ACPI_GTDT_INTERRUPT_MODE            1
++#define ACPI_GTDT_INTERRUPT_POLARITY        2
++
++/*******************************************************************************
++ *
++ * MPST - Memory Power State Table (ACPI 5.0)
++ *        Version 1
++ *
++ ******************************************************************************/
++
++#define ACPI_MPST_CHANNEL_INFO \
++	u16                             reserved1; \
++	u8                              channel_id; \
++	u8                              reserved2; \
++	u16                             power_node_count;
++
++/* Main table */
++
++struct acpi_table_mpst {
++	struct acpi_table_header header;	/* Common ACPI table header */
++	 ACPI_MPST_CHANNEL_INFO	/* Platform Communication Channel */
++};
++
++/* Memory Platform Communication Channel Info */
++
++struct acpi_mpst_channel {
++	ACPI_MPST_CHANNEL_INFO	/* Platform Communication Channel */
++};
++
++/* Memory Power Node Structure */
++
++struct acpi_mpst_power_node {
++	u8 flags;
++	u8 reserved1;
++	u16 node_id;
++	u32 length;
++	u64 range_address;
++	u64 range_length;
++	u8 num_power_states;
++	u8 num_physical_components;
++	u16 reserved2;
++};
++
++/* Values for Flags field above */
++
++#define ACPI_MPST_ENABLED               1
++#define ACPI_MPST_POWER_MANAGED         2
++#define ACPI_MPST_HOT_PLUG_CAPABLE      4
++
++/* Memory Power State Structure (follows POWER_NODE above) */
++
++struct acpi_mpst_power_state {
++	u8 power_state;
++	u8 info_index;
++};
++
++/* Physical Component ID Structure (follows POWER_STATE above) */
++
++struct acpi_mpst_component {
++	u16 component_id;
++};
++
++/* Memory Power State Characteristics Structure (follows all POWER_NODEs) */
++
++struct acpi_mpst_data_hdr {
++	u16 characteristics_count;
++};
++
++struct acpi_mpst_power_data {
++	u8 revision;
++	u8 flags;
++	u16 reserved1;
++	u32 average_power;
++	u32 power_saving;
++	u64 exit_latency;
++	u64 reserved2;
++};
++
++/* Values for Flags field above */
++
++#define ACPI_MPST_PRESERVE              1
++#define ACPI_MPST_AUTOENTRY             2
++#define ACPI_MPST_AUTOEXIT              4
++
++/* Shared Memory Region (not part of an ACPI table) */
++
++struct acpi_mpst_shared {
++	u32 signature;
++	u16 pcc_command;
++	u16 pcc_status;
++	u16 command_register;
++	u16 status_register;
++	u16 power_state_id;
++	u16 power_node_id;
++	u64 energy_consumed;
++	u64 average_power;
++};
++
++/*******************************************************************************
++ *
++ * PCCT - Platform Communications Channel Table (ACPI 5.0)
++ *        Version 1
++ *
++ ******************************************************************************/
++
++struct acpi_table_pcct {
++	struct acpi_table_header header;	/* Common ACPI table header */
++	u32 flags;
++	u32 latency;
++	u32 reserved;
++};
++
++/* Values for Flags field above */
++
++#define ACPI_PCCT_DOORBELL              1
++
++/*
++ * PCCT subtables
++ */
++
++/* 0: Generic Communications Subspace */
++
++struct acpi_pcct_subspace {
++	struct acpi_subtable_header header;
++	u8 reserved[6];
++	u64 base_address;
++	u64 length;
++	struct acpi_generic_address doorbell_register;
++	u64 preserve_mask;
++	u64 write_mask;
++};
++
++/*
++ * PCC memory structures (not part of the ACPI table)
++ */
++
++/* Shared Memory Region */
++
++struct acpi_pcct_shared_memory {
++	u32 signature;
++	u16 command;
++	u16 status;
++};
++
++/*******************************************************************************
++ *
++ * PMTT - Platform Memory Topology Table (ACPI 5.0)
++ *        Version 1
++ *
++ ******************************************************************************/
++
++struct acpi_table_pmtt {
++	struct acpi_table_header header;	/* Common ACPI table header */
++	u32 reserved;
++};
++
++/* Common header for PMTT subtables that follow main table */
++
++struct acpi_pmtt_header {
++	u8 type;
++	u8 reserved1;
++	u16 length;
++	u16 flags;
++	u16 reserved2;
++};
++
++/* Values for Type field above */
++
++#define ACPI_PMTT_TYPE_SOCKET           0
++#define ACPI_PMTT_TYPE_CONTROLLER       1
++#define ACPI_PMTT_TYPE_DIMM             2
++#define ACPI_PMTT_TYPE_RESERVED         3	/* 0x03-0xFF are reserved */
++
++/* Values for Flags field above */
++
++#define ACPI_PMTT_TOP_LEVEL             0x0001
++#define ACPI_PMTT_PHYSICAL              0x0002
++#define ACPI_PMTT_MEMORY_TYPE           0x000C
++
++/*
++ * PMTT subtables, correspond to Type in struct acpi_pmtt_header
++ */
++
++/* 0: Socket Structure */
++
++struct acpi_pmtt_socket {
++	struct acpi_pmtt_header header;
++	u16 socket_id;
++	u16 reserved;
++};
++
++/* 1: Memory Controller subtable */
++
++struct acpi_pmtt_controller {
++	struct acpi_pmtt_header header;
++	u32 read_latency;
++	u32 write_latency;
++	u32 read_bandwidth;
++	u32 write_bandwidth;
++	u16 access_width;
++	u16 alignment;
++	u16 reserved;
++	u16 domain_count;
++};
++
++/* 1a: Proximity Domain substructure */
++
++struct acpi_pmtt_domain {
++	u32 proximity_domain;
++};
++
++/* 2: Physical Component Identifier (DIMM) */
++
++struct acpi_pmtt_physical_component {
++	struct acpi_pmtt_header header;
++	u16 component_id;
++	u16 reserved;
++	u32 memory_size;
++	u32 bios_handle;
++};
++
++/*******************************************************************************
++ *
++ * RASF - RAS Feature Table (ACPI 5.0)
++ *        Version 1
++ *
++ ******************************************************************************/
++
++struct acpi_table_rasf {
++	struct acpi_table_header header;	/* Common ACPI table header */
++	u8 channel_id[12];
++};
++
++/* RASF Platform Communication Channel Shared Memory Region */
++
++struct acpi_rasf_shared_memory {
++	u32 signature;
++	u16 command;
++	u16 status;
++	u64 requested_address;
++	u64 requested_length;
++	u64 actual_address;
++	u64 actual_length;
++	u16 flags;
++	u8 speed;
++};
++
++/* Masks for Flags and Speed fields above */
++
++#define ACPI_RASF_SCRUBBER_RUNNING      1
++#define ACPI_RASF_SPEED                 (7<<1)
++
++/* Channel Commands */
++
++enum acpi_rasf_commands {
++	ACPI_RASF_GET_RAS_CAPABILITIES = 1,
++	ACPI_RASF_GET_PATROL_PARAMETERS = 2,
++	ACPI_RASF_START_PATROL_SCRUBBER = 3,
++	ACPI_RASF_STOP_PATROL_SCRUBBER = 4
++};
++
++/* Channel Command flags */
++
++#define ACPI_RASF_GENERATE_SCI          (1<<15)
++
++/* Status values */
++
++enum acpi_rasf_status {
++	ACPI_RASF_SUCCESS = 0,
++	ACPI_RASF_NOT_VALID = 1,
++	ACPI_RASF_NOT_SUPPORTED = 2,
++	ACPI_RASF_BUSY = 3,
++	ACPI_RASF_FAILED = 4,
++	ACPI_RASF_ABORTED = 5,
++	ACPI_RASF_INVALID_DATA = 6
++};
++
++/* Status flags */
++
++#define ACPI_RASF_COMMAND_COMPLETE      (1)
++#define ACPI_RASF_SCI_DOORBELL          (1<<1)
++#define ACPI_RASF_ERROR                 (1<<2)
++#define ACPI_RASF_STATUS                (0x1F<<3)
++
++/* Reset to default packing */
++
++#pragma pack()
++
++#endif				/* __ACTBL3_H__ */

26132-tmem-save-NULL-check.patch

@@ -0,0 +1,31 @@
+# HG changeset patch
+# User Matthew Daley <mattjd@gmail.com>
+# Date 1352709297 -3600
+# Node ID 286ef4ced2164f4e9bf52fd0c52248182e69a6e6
+# Parent  62885b3c34c84354ead017703a86f0465cb58cf7
+tmem: Prevent NULL dereference on error case
+
+If the client / pool IDs given to tmemc_save_get_next_page are invalid,
+the calculation of pagesize will dereference NULL.
+
+Fix this by moving the calculation below the appropriate NULL check.
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+Committed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/common/tmem.c
++++ b/xen/common/tmem.c
+@@ -2446,10 +2446,12 @@ static NOINLINE int tmemc_save_get_next_
+     OID oid;
+     int ret = 0;
+     struct tmem_handle h;
+-    unsigned int pagesize = 1 << (pool->pageshift+12);
++    unsigned int pagesize;
+ 
+     if ( pool == NULL || is_ephemeral(pool) )
+         return -1;
++
++    pagesize = 1 << (pool->pageshift + 12);
+     if ( bufsize < pagesize + sizeof(struct tmem_handle) )
+         return -ENOMEM;
+ 

26134-x86-shadow-invlpg-check.patch

@@ -0,0 +1,22 @@
+# HG changeset patch
+# User Matthew Daley <mattjd@gmail.com>
+# Date 1352715420 0
+# Node ID 279bbf2a0b485fce18af26473eca5e60d794c17b
+# Parent  fdb69dd527cd01a46f87efb380050559dcf12d37
+x86/mm x86 shadow: Fix typo in sh_invlpg sl3 page presence check
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+Acked-by: Tim Deegan <tim@xen.org>
+Committed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/mm/shadow/multi.c
++++ b/xen/arch/x86/mm/shadow/multi.c
+@@ -3665,7 +3665,7 @@ sh_invlpg(struct vcpu *v, unsigned long 
+             perfc_incr(shadow_invlpg_fault);
+             return 0;
+         }
+-        if ( (!shadow_l3e_get_flags(sl3e) & _PAGE_PRESENT) )
++        if ( !(shadow_l3e_get_flags(sl3e) & _PAGE_PRESENT) )
+             return 0;
+     }
+ #else /* SHADOW_PAGING_LEVELS == 3 */

26139-cpumap-masking.patch

@@ -0,0 +1,39 @@
+# HG changeset patch
+# User Matthew Daley <mattjd@gmail.com>
+# Date 1352802490 -3600
+# Node ID 56400658f0962099988678487e525d12f869a96a
+# Parent  a3cde70320ada4a5424c37f65b8fe3753fc95205
+fix xenctl_cpumap_to_cpumask() buffer size check
+
+xenctl_cpumap_to_cpumask incorrectly uses sizeof when checking whether
+bits should be masked off from the input cpumap bitmap or not.
+
+Fix by using the correct cpumask buffer size in place of sizeof.
+
+Signed-off-by: Matthew Daley <mattjd@gmail.com>
+
+Compare against copy_bytes instead, and use equality rather than less-
+or-equal.
+
+Further, this issue (introduced with c/s 23991:a7ccbc79fc17) is not
+security relevant (i.e. the bug could not cause memory corruption):
+_xmalloc() never returns chunks of data smaller than the size of a
+pointer, i.e. even if sizeof(void*) > guest_bytes > copy_bytes, the
+piece of memory erroneously written to would still be inside the
+allocation done at the top of the function.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+Committed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/common/domctl.c
++++ b/xen/common/domctl.c
+@@ -78,7 +78,7 @@ int xenctl_cpumap_to_cpumask(
+     {
+         if ( copy_from_guest(bytemap, xenctl_cpumap->bitmap, copy_bytes) )
+             err = -EFAULT;
+-        if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes <= sizeof(bytemap)) )
++        if ( (xenctl_cpumap->nr_cpus & 7) && (guest_bytes == copy_bytes) )
+             bytemap[guest_bytes-1] &= ~(0xff << (xenctl_cpumap->nr_cpus & 7));
+     }
+ 

26148-vcpu-timer-overflow.patch

@@ -1,5 +1,10 @@
 References: CVE-2012-4535 XSA-20 bnc#786516
 
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson@eu.citrix.com>
+# Date 1352892634 0
+# Node ID bf58b94b3cef4db8d9ad9c8686bf10910ccc0644
+# Parent  3186c04af5829a242059ffe4f6427853b7bfc408
 VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability
 
 The timer action for a vcpu periodic timer is to calculate the next
@@ -12,11 +17,10 @@ This is a security problem, XSA-20 / CVE-2012-4535.
 
 Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
 Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
 
-Index: xen-4.2.0-testing/xen/common/domain.c
+--- a/xen/common/domain.c
-===================================================================
++++ b/xen/common/domain.c
---- xen-4.2.0-testing.orig/xen/common/domain.c
-+++ xen-4.2.0-testing/xen/common/domain.c
 @@ -882,6 +882,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN
          if ( set.period_ns < MILLISECS(1) )
              return -EINVAL;
@@ -27,10 +31,8 @@ Index: xen-4.2.0-testing/xen/common/domain.c
          v->periodic_period = set.period_ns;
          vcpu_force_reschedule(v);
  
-Index: xen-4.2.0-testing/xen/include/xen/time.h
+--- a/xen/include/xen/time.h
-===================================================================
++++ b/xen/include/xen/time.h
---- xen-4.2.0-testing.orig/xen/include/xen/time.h
-+++ xen-4.2.0-testing/xen/include/xen/time.h
 @@ -55,6 +55,8 @@ struct tm gmtime(unsigned long t);
  #define MILLISECS(_ms)  ((s_time_t)((_ms) * 1000000ULL))
  #define MICROSECS(_us)  ((s_time_t)((_us) * 1000ULL))

26149-x86-p2m-physmap-error-path.patch

@@ -1,5 +1,10 @@
 References: CVE-2012-4537 XSA-22 bnc#786517
 
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson@eu.citrix.com>
+# Date 1352892962 0
+# Node ID 6b6a4007a6091610a29b71cc32908c74113b852b
+# Parent  bf58b94b3cef4db8d9ad9c8686bf10910ccc0644
 x86/physmap: Prevent incorrect updates of m2p mappings
 
 In certain conditions, such as low memory, set_p2m_entry() can fail.
@@ -17,11 +22,10 @@ This is a security problem, XSA-22 / CVE-2012-4537.
 Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
 Acked-by: Ian Campbell <ian.campbell@citrix.com>
 Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
 
-Index: xen-4.2.0-testing/xen/arch/x86/mm/p2m.c
+--- a/xen/arch/x86/mm/p2m.c
-===================================================================
++++ b/xen/arch/x86/mm/p2m.c
---- xen-4.2.0-testing.orig/xen/arch/x86/mm/p2m.c
-+++ xen-4.2.0-testing/xen/arch/x86/mm/p2m.c
 @@ -654,7 +654,10 @@ guest_physmap_add_entry(struct domain *d
      if ( mfn_valid(_mfn(mfn)) ) 
      {

26150-x86-shadow-unhook-toplevel-check.patch

@@ -1,5 +1,10 @@
 References: CVE-2012-4538 XSA-23 bnc#786519
 
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson@eu.citrix.com>
+# Date 1352893341 0
+# Node ID c7a01b6450e483ca839228bf1e1e44de692e3458
+# Parent  6b6a4007a6091610a29b71cc32908c74113b852b
 xen/mm/shadow: check toplevel pagetables are present before unhooking them.
 
 If the guest has not fully populated its top-level PAE entries when it calls
@@ -13,11 +18,10 @@ This is a security problem, XSA-23 / CVE-2012-4538.
 Signed-off-by: Tim Deegan <tim@xen.org>
 Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
 Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
 
-Index: xen-4.2.0-testing/xen/arch/x86/mm/shadow/multi.c
+--- a/xen/arch/x86/mm/shadow/multi.c
-===================================================================
++++ b/xen/arch/x86/mm/shadow/multi.c
---- xen-4.2.0-testing.orig/xen/arch/x86/mm/shadow/multi.c
-+++ xen-4.2.0-testing/xen/arch/x86/mm/shadow/multi.c
 @@ -4734,8 +4734,12 @@ static void sh_pagetable_dying(struct vc
          unsigned long gfn;
          mfn_t smfn, gmfn;

26151-gnttab-compat-get-status-frames.patch

@@ -1,5 +1,10 @@
 References: CVE-2012-4539 XSA-24 bnc#786520
 
+# HG changeset patch
+# User Ian Jackson <Ian.Jackson@eu.citrix.com>
+# Date 1352893537 0
+# Node ID b64a7d868f06c730a444e990da1a4d816ce3f5dc
+# Parent  c7a01b6450e483ca839228bf1e1e44de692e3458
 compat/gnttab: Prevent infinite loop in compat code
 
 c/s 20281:95ea2052b41b, which introduces Grant Table version 2
@@ -13,11 +18,10 @@ This is a security problem, XSA-24 / CVE-2012-4539.
 Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
 Acked-by: Jan Beulich <jbeulich@suse.com>
 Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
 
-Index: xen-4.2.0-testing/xen/common/compat/grant_table.c
+--- a/xen/common/compat/grant_table.c
-===================================================================
++++ b/xen/common/compat/grant_table.c
---- xen-4.2.0-testing.orig/xen/common/compat/grant_table.c
-+++ xen-4.2.0-testing/xen/common/compat/grant_table.c
 @@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int c
  #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
                  if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )

26179-PCI-find-next-cap.patch

@@ -0,0 +1,59 @@
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1353398311 -3600
+# Node ID ae6fb202b233af815466055d9f1a635802a50855
+# Parent  02b9d9a25feecd76d56143afa9bbb853fd01f602
+passthrough/PCI: replace improper uses of pci_find_next_cap()
+
+Using pci_find_next_cap() without prior pci_find_cap_offset() is bogus
+(and possibly wrong, given that the latter doesn't check the
+PCI_STATUS_CAP_LIST flag, which so far was checked in an open-coded way
+only for the non-bridge case).
+
+Once at it, fold the two calls into one, as we need its result in any
+case.
+
+Question is whether, without any caller left, pci_find_next_cap()
+should be purged as well.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
+
+--- a/xen/drivers/passthrough/pci.c
++++ b/xen/drivers/passthrough/pci.c
+@@ -565,16 +565,13 @@ void pci_release_devices(struct domain *
+ 
+ int pdev_type(u16 seg, u8 bus, u8 devfn)
+ {
+-    u16 class_device;
+-    u16 status, creg;
+-    int pos;
++    u16 class_device, creg;
+     u8 d = PCI_SLOT(devfn), f = PCI_FUNC(devfn);
++    int pos = pci_find_cap_offset(seg, bus, d, f, PCI_CAP_ID_EXP);
+ 
+     class_device = pci_conf_read16(seg, bus, d, f, PCI_CLASS_DEVICE);
+     if ( class_device == PCI_CLASS_BRIDGE_PCI )
+     {
+-        pos = pci_find_next_cap(seg, bus, devfn,
+-                                PCI_CAPABILITY_LIST, PCI_CAP_ID_EXP);
+         if ( !pos )
+             return DEV_TYPE_LEGACY_PCI_BRIDGE;
+         creg = pci_conf_read16(seg, bus, d, f, pos + PCI_EXP_FLAGS);
+@@ -582,15 +579,7 @@ int pdev_type(u16 seg, u8 bus, u8 devfn)
+             DEV_TYPE_PCIe2PCI_BRIDGE : DEV_TYPE_PCIe_BRIDGE;
+     }
+ 
+-    status = pci_conf_read16(seg, bus, d, f, PCI_STATUS);
+-    if ( !(status & PCI_STATUS_CAP_LIST) )
+-        return DEV_TYPE_PCI;
+-
+-    if ( pci_find_next_cap(seg, bus, devfn, PCI_CAPABILITY_LIST,
+-                           PCI_CAP_ID_EXP) )
+-        return DEV_TYPE_PCIe_ENDPOINT;
+-
+-    return DEV_TYPE_PCI;
++    return pos ? DEV_TYPE_PCIe_ENDPOINT : DEV_TYPE_PCI;
+ }
+ 
+ /*

26183-x86-HPET-masking.patch

@@ -0,0 +1,88 @@
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1353575003 -3600
+# Node ID c139ca92edca2fab8ec95deb7fd9e4246c3fe28d
+# Parent  af6b72a224e99a4a516fbc2eecc06ada569304e8
+x86/HPET: fix FSB interrupt masking
+
+HPET_TN_FSB is not really suitable for masking interrupts - it merely
+switches between the two delivery methods. The right way of masking is
+through the HPET_TN_ENABLE bit (which really is an interrupt enable,
+not a counter enable or some such). This is even more so with certain
+chip sets not even allowing HPET_TN_FSB to be cleared on some of the
+channels.
+
+Further, all the setup of the channel should happen before actually
+enabling the interrupt, which requires splitting legacy and FSB logic.
+
+Finally this also fixes an S3 resume problem (HPET_TN_FSB did not get
+set in hpet_broadcast_resume(), and hpet_msi_unmask() doesn't get
+called from the general resume code either afaict).
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/hpet.c
++++ b/xen/arch/x86/hpet.c
+@@ -236,7 +236,7 @@ static void hpet_msi_unmask(struct irq_d
+     struct hpet_event_channel *ch = desc->action->dev_id;
+ 
+     cfg = hpet_read32(HPET_Tn_CFG(ch->idx));
+-    cfg |= HPET_TN_FSB;
++    cfg |= HPET_TN_ENABLE;
+     hpet_write32(cfg, HPET_Tn_CFG(ch->idx));
+ }
+ 
+@@ -246,7 +246,7 @@ static void hpet_msi_mask(struct irq_des
+     struct hpet_event_channel *ch = desc->action->dev_id;
+ 
+     cfg = hpet_read32(HPET_Tn_CFG(ch->idx));
+-    cfg &= ~HPET_TN_FSB;
++    cfg &= ~HPET_TN_ENABLE;
+     hpet_write32(cfg, HPET_Tn_CFG(ch->idx));
+ }
+ 
+@@ -319,8 +319,14 @@ static void __hpet_setup_msi_irq(struct 
+ static int __init hpet_setup_msi_irq(unsigned int irq, struct hpet_event_channel *ch)
+ {
+     int ret;
++    u32 cfg = hpet_read32(HPET_Tn_CFG(ch->idx));
+     irq_desc_t *desc = irq_to_desc(irq);
+ 
++    /* set HPET Tn as oneshot */
++    cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC);
++    cfg |= HPET_TN_FSB | HPET_TN_32BIT;
++    hpet_write32(cfg, HPET_Tn_CFG(ch->idx));
++
+     desc->handler = &hpet_msi_type;
+     ret = request_irq(irq, hpet_interrupt_handler, 0, "HPET", ch);
+     if ( ret < 0 )
+@@ -541,11 +547,14 @@ void __init hpet_broadcast_init(void)
+ 
+     for ( i = 0; i < n; i++ )
+     {
+-        /* set HPET Tn as oneshot */
+-        cfg = hpet_read32(HPET_Tn_CFG(hpet_events[i].idx));
+-        cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC);
+-        cfg |= HPET_TN_ENABLE | HPET_TN_32BIT;
+-        hpet_write32(cfg, HPET_Tn_CFG(hpet_events[i].idx));
++        if ( i == 0 && (cfg & HPET_CFG_LEGACY) )
++        {
++            /* set HPET T0 as oneshot */
++            cfg = hpet_read32(HPET_Tn_CFG(0));
++            cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC);
++            cfg |= HPET_TN_ENABLE | HPET_TN_32BIT;
++            hpet_write32(cfg, HPET_Tn_CFG(0));
++        }
+ 
+         /*
+          * The period is a femto seconds value. We need to calculate the scaled
+@@ -602,6 +611,8 @@ void hpet_broadcast_resume(void)
+         cfg = hpet_read32(HPET_Tn_CFG(hpet_events[i].idx));
+         cfg &= ~(HPET_TN_LEVEL | HPET_TN_PERIODIC);
+         cfg |= HPET_TN_ENABLE | HPET_TN_32BIT;
++        if ( !(hpet_events[i].flags & HPET_EVT_LEGACY) )
++            cfg |= HPET_TN_FSB;
+         hpet_write32(cfg, HPET_Tn_CFG(hpet_events[i].idx));
+ 
+         hpet_events[i].next_event = STIME_MAX;

26188-x86-time-scale-asm.patch

@@ -0,0 +1,34 @@
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1353946839 -3600
+# Node ID 16bf7f3069a77c8a15b785cfdb5f2f634661d7fc
+# Parent  0049de3827bcfe3488dc6c7b7a60327a562aee5c
+x86/time: fix scale_delta() inline assembly
+
+The way it was coded, it clobbered %rdx without telling the compiler.
+This generally didn't cause any problems except when there are two back
+to back invocations (as in plt_overflow()), as in that case the
+compiler may validly assume that it can re-use for the second instance
+the value loaded into %rdx before the first one.
+
+Once at it, also properly relax the second operand of "mul" (there's no
+need for it to be in %rdx, or a register at all), and switch away from
+using explicit register names in the instruction operands.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/time.c
++++ b/xen/arch/x86/time.c
+@@ -142,8 +142,9 @@ static inline u64 scale_delta(u64 delta,
+         : "a" ((u32)delta), "1" ((u32)(delta >> 32)), "2" (scale->mul_frac) );
+ #else
+     asm (
+-        "mul %%rdx ; shrd $32,%%rdx,%%rax"
+-        : "=a" (product) : "0" (delta), "d" ((u64)scale->mul_frac) );
++        "mul %2 ; shrd $32,%1,%0"
++        : "=a" (product), "=d" (delta)
++        : "rm" (delta), "0" ((u64)scale->mul_frac) );
+ #endif
+ 
+     return product;

26189-xenstore-chmod.patch

@@ -0,0 +1,85 @@
+# HG changeset patch
+# Parent 8b93ac0c93f3fb8a140b4688ba71841ac927d4e3
+xenstore-chmod: handle arbitrary number of perms rather than MAX_PERMS constant
+
+Constant MAX_PERMS 16 is too small to use in some occasions, e.g. if
+there are more than 16 domU(s) on one hypervisor (it's easy to
+achieve) and one wants to do xenstore-chmod PATH to all domU(s). So,
+remove MAX_PERMS limitation and make it as arbitrary number of perms.
+
+Signed-off-by: Chunyan Liu <cyliu@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+diff -r 8b93ac0c93f3 tools/xenstore/xenstore_client.c
+--- a/tools/xenstore/xenstore_client.c	Tue Nov 13 11:19:17 2012 +0000
++++ b/tools/xenstore/xenstore_client.c	Mon Nov 26 11:33:38 2012 +0800
+@@ -25,7 +25,6 @@
+ #define PATH_SEP '/'
+ #define MAX_PATH_LEN 256
+ 
+-#define MAX_PERMS 16
+ 
+ enum mode {
+     MODE_unknown,
+@@ -407,44 +406,41 @@ perform(enum mode mode, int optind, int 
+                 output("%s\n", list[i]);
+             }
+             free(list);
+-	    optind++;
+-	    break;
+-	}
+-	case MODE_ls: {
+-	    do_ls(xsh, argv[optind], 0, prefix);
+- 	    optind++;
+- 	    break;
++            optind++;
++            break;
++        }
++        case MODE_ls: {
++            do_ls(xsh, argv[optind], 0, prefix);
++            optind++;
++            break;
+         }
+         case MODE_chmod: {
+-            struct xs_permissions perms[MAX_PERMS];
+-            int nperms = 0;
+             /* save path pointer: */
+             char *path = argv[optind++];
+-            for (; argv[optind]; optind++, nperms++)
++            int nperms = argc - optind;
++            struct xs_permissions perms[nperms];
++            int i;
++            for (i = 0; argv[optind]; optind++, i++)
+             {
+-                if (MAX_PERMS <= nperms)
+-                    errx(1, "Too many permissions specified.  "
+-			 "Maximum per invocation is %d.", MAX_PERMS);
+-
+-                perms[nperms].id = atoi(argv[optind]+1);
++                perms[i].id = atoi(argv[optind]+1);
+ 
+                 switch (argv[optind][0])
+                 {
+                 case 'n':
+-                    perms[nperms].perms = XS_PERM_NONE;
++                    perms[i].perms = XS_PERM_NONE;
+                     break;
+                 case 'r':
+-                    perms[nperms].perms = XS_PERM_READ;
++                    perms[i].perms = XS_PERM_READ;
+                     break;
+                 case 'w':
+-                    perms[nperms].perms = XS_PERM_WRITE;
++                    perms[i].perms = XS_PERM_WRITE;
+                     break;
+                 case 'b':
+-                    perms[nperms].perms = XS_PERM_READ | XS_PERM_WRITE;
++                    perms[i].perms = XS_PERM_READ | XS_PERM_WRITE;
+                     break;
+                 default:
+                     errx(1, "Invalid permission specification: '%c'",
+-			 argv[optind][0]);
++                         argv[optind][0]);
+                 }
+             }
+ 

CVE-2012-5510-xsa26.patch

@@ -0,0 +1,105 @@
+References: CVE-2012-5510 XSA-26 bnc#789945
+
+gnttab: fix releasing of memory upon switches between versions
+
+gnttab_unpopulate_status_frames() incompletely freed the pages
+previously used as status frame in that they did not get removed from
+the domain's xenpage_list, thus causing subsequent list corruption
+when those pages did get allocated again for the same or another purpose.
+
+Similarly, grant_table_create() and gnttab_grow_table() both improperly
+clean up in the event of an error - pages already shared with the guest
+can't be freed by just passing them to free_xenheap_page(). Fix this by
+sharing the pages only after all allocations succeeded.
+
+This is CVE-2012-5510 / XSA-26.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -1170,12 +1170,13 @@ fault:
+ }
+ 
+ static int
+-gnttab_populate_status_frames(struct domain *d, struct grant_table *gt)
++gnttab_populate_status_frames(struct domain *d, struct grant_table *gt,
++                              unsigned int req_nr_frames)
+ {
+     unsigned i;
+     unsigned req_status_frames;
+ 
+-    req_status_frames = grant_to_status_frames(gt->nr_grant_frames);
++    req_status_frames = grant_to_status_frames(req_nr_frames);
+     for ( i = nr_status_frames(gt); i < req_status_frames; i++ )
+     {
+         if ( (gt->status[i] = alloc_xenheap_page()) == NULL )
+@@ -1206,7 +1207,12 @@ gnttab_unpopulate_status_frames(struct d
+ 
+     for ( i = 0; i < nr_status_frames(gt); i++ )
+     {
+-        page_set_owner(virt_to_page(gt->status[i]), dom_xen);
++        struct page_info *pg = virt_to_page(gt->status[i]);
++
++        BUG_ON(page_get_owner(pg) != d);
++        if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
++            put_page(pg);
++        BUG_ON(pg->count_info & ~PGC_xen_heap);
+         free_xenheap_page(gt->status[i]);
+         gt->status[i] = NULL;
+     }
+@@ -1244,19 +1250,18 @@ gnttab_grow_table(struct domain *d, unsi
+         clear_page(gt->shared_raw[i]);
+     }
+ 
+-    /* Share the new shared frames with the recipient domain */
+-    for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
+-        gnttab_create_shared_page(d, gt, i);
+-
+-    gt->nr_grant_frames = req_nr_frames;
+-
+     /* Status pages - version 2 */
+     if (gt->gt_version > 1)
+     {
+-        if ( gnttab_populate_status_frames(d, gt) )
++        if ( gnttab_populate_status_frames(d, gt, req_nr_frames) )
+             goto shared_alloc_failed;
+     }
+ 
++    /* Share the new shared frames with the recipient domain */
++    for ( i = nr_grant_frames(gt); i < req_nr_frames; i++ )
++        gnttab_create_shared_page(d, gt, i);
++    gt->nr_grant_frames = req_nr_frames;
++
+     return 1;
+ 
+ shared_alloc_failed:
+@@ -2154,7 +2159,7 @@ gnttab_set_version(XEN_GUEST_HANDLE(gntt
+ 
+     if ( op.version == 2 && gt->gt_version < 2 )
+     {
+-        res = gnttab_populate_status_frames(d, gt);
++        res = gnttab_populate_status_frames(d, gt, nr_grant_frames(gt));
+         if ( res < 0)
+             goto out_unlock;
+     }
+@@ -2597,14 +2602,15 @@ grant_table_create(
+         clear_page(t->shared_raw[i]);
+     }
+     
+-    for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
+-        gnttab_create_shared_page(d, t, i);
+-
+     /* Status pages for grant table - for version 2 */
+     t->status = xzalloc_array(grant_status_t *,
+                               grant_to_status_frames(max_nr_grant_frames));
+     if ( t->status == NULL )
+         goto no_mem_4;
++
++    for ( i = 0; i < INITIAL_NR_GRANT_FRAMES; i++ )
++        gnttab_create_shared_page(d, t, i);
++
+     t->nr_status_frames = 0;
+ 
+     /* Okay, install the structure. */

CVE-2012-5511-xsa27.patch

@@ -0,0 +1,136 @@
+References: CVE-2012-5511 XSA-27 bnc#789944
+
+hvm: Limit the size of large HVM op batches
+
+Doing large p2m updates for HVMOP_track_dirty_vram without preemption
+ties up the physical processor. Integrating preemption into the p2m
+updates is hard so simply limit to 1GB which is sufficient for a 15000
+* 15000 * 32bpp framebuffer.
+
+For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the
+necessary machinery to handle preemption.
+
+This is CVE-2012-5511 / XSA-27.
+
+Signed-off-by: Tim Deegan <tim@xen.org>
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+v2: Provide definition of GB to fix x86-32 compile.
+
+Signed-off-by: Jan Beulich <JBeulich@suse.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -4033,6 +4033,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
+         if ( !is_hvm_domain(d) )
+             goto param_fail2;
+ 
++        if ( a.nr > GB(1) >> PAGE_SHIFT )
++            goto param_fail2;
++
+         rc = xsm_hvm_param(d, op);
+         if ( rc )
+             goto param_fail2;
+@@ -4059,7 +4062,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
+     {
+         struct xen_hvm_modified_memory a;
+         struct domain *d;
+-        unsigned long pfn;
+ 
+         if ( copy_from_guest(&a, arg, 1) )
+             return -EFAULT;
+@@ -4086,9 +4088,11 @@ long do_hvm_op(unsigned long op, XEN_GUE
+         if ( !paging_mode_log_dirty(d) )
+             goto param_fail3;
+ 
+-        for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
++        while ( a.nr > 0 )
+         {
++            unsigned long pfn = a.first_pfn;
+             struct page_info *page;
++
+             page = get_page_from_gfn(d, pfn, NULL, P2M_UNSHARE);
+             if ( page )
+             {
+@@ -4098,6 +4102,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
+                 sh_remove_shadows(d->vcpu[0], _mfn(page_to_mfn(page)), 1, 0);
+                 put_page(page);
+             }
++
++            a.first_pfn++;
++            a.nr--;
++
++            /* Check for continuation if it's not the last interation */
++            if ( a.nr > 0 && hypercall_preempt_check() )
++            {
++                if ( copy_to_guest(arg, &a, 1) )
++                    rc = -EFAULT;
++                else
++                    rc = -EAGAIN;
++                break;
++            }
+         }
+ 
+     param_fail3:
+@@ -4153,7 +4170,6 @@ long do_hvm_op(unsigned long op, XEN_GUE
+     {
+         struct xen_hvm_set_mem_type a;
+         struct domain *d;
+-        unsigned long pfn;
+         
+         /* Interface types to internal p2m types */
+         p2m_type_t memtype[] = {
+@@ -4186,8 +4202,9 @@ long do_hvm_op(unsigned long op, XEN_GUE
+         if ( a.hvmmem_type >= ARRAY_SIZE(memtype) )
+             goto param_fail4;
+ 
+-        for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
++        while ( a.nr )
+         {
++            unsigned long pfn = a.first_pfn;
+             p2m_type_t t;
+             p2m_type_t nt;
+             mfn_t mfn;
+@@ -4227,6 +4244,19 @@ long do_hvm_op(unsigned long op, XEN_GUE
+                 }
+             }
+             put_gfn(d, pfn);
++
++            a.first_pfn++;
++            a.nr--;
++
++            /* Check for continuation if it's not the last interation */
++            if ( a.nr > 0 && hypercall_preempt_check() )
++            {
++                if ( copy_to_guest(arg, &a, 1) )
++                    rc = -EFAULT;
++                else
++                    rc = -EAGAIN;
++                goto param_fail4;
++            }
+         }
+ 
+         rc = 0;
+--- a/xen/include/asm-x86/config.h
++++ b/xen/include/asm-x86/config.h
+@@ -119,6 +119,9 @@ extern char wakeup_start[];
+ extern unsigned int video_mode, video_flags;
+ extern unsigned short boot_edid_caps;
+ extern unsigned char boot_edid_info[128];
++
++#define GB(_gb) (_gb ## UL << 30)
++
+ #endif
+ 
+ #define asmlinkage
+@@ -134,7 +137,6 @@ extern unsigned char boot_edid_info[128]
+ #define PML4_ADDR(_slot)                             \
+     ((((_slot ## UL) >> 8) * 0xffff000000000000UL) | \
+      (_slot ## UL << PML4_ENTRY_BITS))
+-#define GB(_gb) (_gb ## UL << 30)
+ #else
+ #define PML4_ENTRY_BYTES (1 << PML4_ENTRY_BITS)
+ #define PML4_ADDR(_slot)                             \

CVE-2012-5513-xsa29.patch

@@ -0,0 +1,47 @@
+References: CVE-2012-5513 XSA-29 bnc#789951
+
+xen: add missing guest address range checks to XENMEM_exchange handlers
+
+Ever since its existence (3.0.3 iirc) the handler for this has been
+using non address range checking guest memory accessors (i.e.
+the ones prefixed with two underscores) without first range
+checking the accessed space (via guest_handle_okay()), allowing
+a guest to access and overwrite hypervisor memory.
+
+This is XSA-29 / CVE-2012-5513.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+--- a/xen/common/compat/memory.c
++++ b/xen/common/compat/memory.c
+@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, X
+                   (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
+                 return -EINVAL;
+ 
++            if ( !compat_handle_okay(cmp.xchg.in.extent_start,
++                                     cmp.xchg.in.nr_extents) ||
++                 !compat_handle_okay(cmp.xchg.out.extent_start,
++                                     cmp.xchg.out.nr_extents) )
++                return -EFAULT;
++
+             start_extent = cmp.xchg.nr_exchanged;
+             end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
+                          (((1U << ABS(order_delta)) + 1) *
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HA
+         goto fail_early;
+     }
+ 
++    if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
++         !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
++    {
++        rc = -EFAULT;
++        goto fail_early;
++    }
++
+     /* Only privileged guests can allocate multi-page contiguous extents. */
+     if ( !multipage_allocation_permitted(current->domain,
+                                          exch.in.extent_order) ||

CVE-2012-5514-xsa30.patch

@@ -0,0 +1,57 @@
+References: CVE-2012-5514 XSA-30 bnc#789948
+
+fix error handling of guest_physmap_mark_populate_on_demand()
+
+The only user of the "out" label bypasses a necessary unlock, thus
+enabling the caller to lock up Xen.
+
+Also, the function was never meant to be called by a guest for itself,
+so rather than inspecting the code paths in depth for potential other
+problems this might cause, and adjusting e.g. the non-guest printk()
+in the above error path, just disallow the guest access to it.
+
+Finally, the printk() (considering its potential of spamming the log,
+the more that it's not using XENLOG_GUEST), is being converted to
+P2M_DEBUG(), as debugging is what it apparently was added for in the
+first place.
+
+This is XSA-30 / CVE-2012-5514.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+--- a/xen/arch/x86/mm/p2m-pod.c
++++ b/xen/arch/x86/mm/p2m-pod.c
+@@ -1117,6 +1117,9 @@ guest_physmap_mark_populate_on_demand(st
+     mfn_t omfn;
+     int rc = 0;
+ 
++    if ( !IS_PRIV_FOR(current->domain, d) )
++        return -EPERM;
++
+     if ( !paging_mode_translate(d) )
+         return -EINVAL;
+ 
+@@ -1135,8 +1138,7 @@ guest_physmap_mark_populate_on_demand(st
+         omfn = p2m->get_entry(p2m, gfn + i, &ot, &a, 0, NULL);
+         if ( p2m_is_ram(ot) )
+         {
+-            printk("%s: gfn_to_mfn returned type %d!\n",
+-                   __func__, ot);
++            P2M_DEBUG("gfn_to_mfn returned type %d!\n", ot);
+             rc = -EBUSY;
+             goto out;
+         }
+@@ -1160,9 +1162,9 @@ guest_physmap_mark_populate_on_demand(st
+         pod_unlock(p2m);
+     }
+ 
++out:
+     gfn_unlock(p2m, gfn, order);
+ 
+-out:
+     return rc;
+ }
+ 

CVE-2012-5515-xsa31.patch

@@ -0,0 +1,50 @@
+References: CVE-2012-5515 XSA-31 bnc#789950
+
+memop: limit guest specified extent order
+
+Allowing unbounded order values here causes almost unbounded loops
+and/or partially incomplete requests, particularly in PoD code.
+
+The added range checks in populate_physmap(), decrease_reservation(),
+and the "in" one in memory_exchange() architecturally all could use
+PADDR_BITS - PAGE_SHIFT, and are being artificially constrained to
+MAX_ORDER.
+
+This is XSA-31 / CVE-2012-5515.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Tim Deegan <tim@xen.org>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -115,7 +115,8 @@ static void populate_physmap(struct memo
+ 
+         if ( a->memflags & MEMF_populate_on_demand )
+         {
+-            if ( guest_physmap_mark_populate_on_demand(d, gpfn,
++            if ( a->extent_order > MAX_ORDER ||
++                 guest_physmap_mark_populate_on_demand(d, gpfn,
+                                                        a->extent_order) < 0 )
+                 goto out;
+         }
+@@ -235,7 +236,8 @@ static void decrease_reservation(struct 
+     xen_pfn_t gmfn;
+ 
+     if ( !guest_handle_subrange_okay(a->extent_list, a->nr_done,
+-                                     a->nr_extents-1) )
++                                     a->nr_extents-1) ||
++         a->extent_order > MAX_ORDER )
+         return;
+ 
+     for ( i = a->nr_done; i < a->nr_extents; i++ )
+@@ -297,6 +299,9 @@ static long memory_exchange(XEN_GUEST_HA
+     if ( (exch.nr_exchanged > exch.in.nr_extents) ||
+          /* Input and output domain identifiers match? */
+          (exch.in.domid != exch.out.domid) ||
++         /* Extent orders are sensible? */
++         (exch.in.extent_order > MAX_ORDER) ||
++         (exch.out.extent_order > MAX_ORDER) ||
+          /* Sizes of input and output lists do not overflow a long? */
+          ((~0UL >> exch.in.extent_order) < exch.in.nr_extents) ||
+          ((~0UL >> exch.out.extent_order) < exch.out.nr_extents) ||

CVE-2012-5525-xsa32.patch

@@ -0,0 +1,22 @@
+References: CVE-2012-5525 XSA-32 bnc#789952
+
+x86: get_page_from_gfn() must return NULL for invalid GFNs
+
+... also in the non-translated case.
+
+This is XSA-32 / CVE-2012-5525.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/include/asm-x86/p2m.h
++++ b/xen/include/asm-x86/p2m.h
+@@ -400,7 +400,7 @@ static inline struct page_info *get_page
+     if (t)
+         *t = p2m_ram_rw;
+     page = __mfn_to_page(gfn);
+-    return get_page(page, d) ? page : NULL;
++    return mfn_valid(gfn) && get_page(page, d) ? page : NULL;
+ }
+ 
+ 

reverse-24757-use-grant-references.patch

@@ -0,0 +1,145 @@
+Reverse c/s 24757.  Breaks booting NetWare.
+
+# HG changeset patch
+# User Alex Zeffertt <alex.zeffertt@eu.citrix.com>
+# Date 1328812412 0
+# Node ID aae516b78fce679f9c367231b7a3891814fcfdbb
+# Parent  585caf50a9260d3fc6a4ece0450d10d34e73489f
+
+xenstored: use grant references instead of map_foreign_range
+
+make xenstored use grantref rather than map_foreign_range (which can
+only be used by privileged domains)
+
+This patch modifies the xenstore daemon to use xc_gnttab_map_grant_ref
+instead of xc_map_foreign_range where available.
+
+Previous versions of this patch have been sent to xen-devel. See
+http://lists.xensource.com/archives/html/xen-devel/2008-07/msg00610.html
+http://lists.xensource.com/archives/html/xen-devel/2009-03/msg01492.html
+
+Signed-off-by: Diego Ongaro <diego.ongaro@citrix.com>
+Signed-off-by: Alex Zeffertt <alex.zeffertt@eu.citrix.com>
+Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Cc: Ian Jackson <ian.jackson@eu.citrix.com>
+Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
+
+Index: xen-4.2.0-testing/tools/xenstore/xenstored_domain.c
+===================================================================
+--- xen-4.2.0-testing.orig/tools/xenstore/xenstored_domain.c
++++ xen-4.2.0-testing/tools/xenstore/xenstored_domain.c
+@@ -32,10 +32,8 @@
+ #include "xenstored_watch.h"
+ 
+ #include <xenctrl.h>
+-#include <xen/grant_table.h>
+ 
+ static xc_interface **xc_handle;
+-xc_gnttab **xcg_handle;
+ static evtchn_port_t virq_port;
+ 
+ xc_evtchn *xce_handle = NULL;
+@@ -165,26 +163,6 @@ static int readchn(struct connection *co
+ 	return len;
+ }
+ 
+-static void *map_interface(domid_t domid, unsigned long mfn)
+-{
+-	if (*xcg_handle != NULL) {
+-		/* this is the preferred method */
+-		return xc_gnttab_map_grant_ref(*xcg_handle, domid,
+-			GNTTAB_RESERVED_XENSTORE, PROT_READ|PROT_WRITE);
+-	} else {
+-		return xc_map_foreign_range(*xc_handle, domid,
+-			getpagesize(), PROT_READ|PROT_WRITE, mfn);
+-	}
+-}
+-
+-static void unmap_interface(void *interface)
+-{
+-	if (*xcg_handle != NULL)
+-		xc_gnttab_munmap(*xcg_handle, interface, 1);
+-	else
+-		munmap(interface, getpagesize());
+-}
+-
+ static int destroy_domain(void *_domain)
+ {
+ 	struct domain *domain = _domain;
+@@ -196,14 +174,8 @@ static int destroy_domain(void *_domain)
+ 			eprintf("> Unbinding port %i failed!\n", domain->port);
+ 	}
+ 
+-	if (domain->interface) {
+-		/* Domain 0 was mapped by dom0_init, so it must be unmapped
+-		   using munmap() and not the grant unmap call. */
+-		if (domain->domid == 0)
+-			unmap_xenbus(domain->interface);
+-		else
+-			unmap_interface(domain->interface);
+-	}
++	if (domain->interface)
++		munmap(domain->interface, getpagesize());
+ 
+ 	fire_watches(NULL, "@releaseDomain", false);
+ 
+@@ -372,7 +344,9 @@ void do_introduce(struct connection *con
+ 	domain = find_domain_by_domid(domid);
+ 
+ 	if (domain == NULL) {
+-		interface = map_interface(domid, mfn);
++		interface = xc_map_foreign_range(
++			*xc_handle, domid,
++			getpagesize(), PROT_READ|PROT_WRITE, mfn);
+ 		if (!interface) {
+ 			send_error(conn, errno);
+ 			return;
+@@ -380,7 +354,7 @@ void do_introduce(struct connection *con
+ 		/* Hang domain off "in" until we're finished. */
+ 		domain = new_domain(in, domid, port);
+ 		if (!domain) {
+-			unmap_interface(interface);
++			munmap(interface, getpagesize());
+ 			send_error(conn, errno);
+ 			return;
+ 		}
+@@ -572,18 +546,6 @@ void do_reset_watches(struct connection
+ 	send_ack(conn, XS_RESET_WATCHES);
+ }
+ 
+-static int close_xc_handle(void *_handle)
+-{
+-	xc_interface_close(*(xc_interface**)_handle);
+-	return 0;
+-}
+-
+-static int close_xcg_handle(void *_handle)
+-{
+-	xc_gnttab_close(*(xc_gnttab **)_handle);
+-	return 0;
+-}
+-
+ /* Returns the implicit path of a connection (only domains have this) */
+ const char *get_implicit_path(const struct connection *conn)
+ {
+@@ -633,18 +595,6 @@ void domain_init(void)
+ 	if (!*xc_handle)
+ 		barf_perror("Failed to open connection to hypervisor");
+ 
+-	talloc_set_destructor(xc_handle, close_xc_handle);
+-
+-	xcg_handle = talloc(talloc_autofree_context(), xc_gnttab*);
+-	if (!xcg_handle)
+-		barf_perror("Failed to allocate domain gnttab handle");
+-
+-	*xcg_handle = xc_gnttab_open(NULL, 0);
+-	if (*xcg_handle < 0)
+-		xprintf("WARNING: Failed to open connection to gnttab\n");
+-	else
+-		talloc_set_destructor(xcg_handle, close_xcg_handle);
+-
+ 	xce_handle = xc_evtchn_open(NULL, 0);
+ 
+ 	if (xce_handle == NULL)

xen-max-free-mem.diff

@@ -71,7 +71,7 @@ Index: xen-4.2.0-testing/tools/python/xen/xend/balloon.py
 +def get_dom0_min_target():
 +    """Returns the minimum amount of memory (in KiB) that dom0 will accept."""
 +
-+    kb = _get_proc_balloon(labels['min-target'])
++    kb = _get_proc_balloon('min-target')
 +    if kb == None:
 +        raise VmError('Failed to query minimum target memory allocation of dom0.')
 +    return kb
@@ -80,7 +80,7 @@ Index: xen-4.2.0-testing/tools/python/xen/xend/balloon.py
 +    """Returns the maximum amount of memory (in KiB) that is potentially
 +    visible to dom0."""
 +
-+    kb = _get_proc_balloon(labels['max-target'])
++    kb = _get_proc_balloon('max-target')
 +    if kb == None:
 +        raise VmError('Failed to query maximum target memory allocation of dom0.')
 +    return kb
@@ -133,3 +133,16 @@ Index: xen-4.2.0-testing/tools/python/xen/xend/server/SrvDomain.py
                           [['target', 'int']],
                           req)
  
+Index: xen-4.2.0-testing/tools/python/xen/xend/osdep.py
+===================================================================
+--- xen-4.2.0-testing.orig/tools/python/xen/xend/osdep.py
++++ xen-4.2.0-testing/tools/python/xen/xend/osdep.py
+@@ -42,6 +42,8 @@ def _linux_balloon_stat_proc(label):
+ 
+     xend2linux_labels = { 'current'      : 'Current allocation',
+                           'target'       : 'Requested target',
++                          'min-target'   : 'Minimum target',
++                          'max-target'   : 'Maximum target',
+                           'low-balloon'  : 'Low-mem balloon',
+                           'high-balloon' : 'High-mem balloon',
+                           'limit'        : 'Xen hard limit' }

xen.changes

@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Thu Dec  6 10:56:26 MST 2012 - carnold@novell.com
+
+- NetWare will not boot or install on Xen 4.2
+  reverse-24757-use-grant-references.patch 
+
+-------------------------------------------------------------------
+Fri Nov 30 10:30:10 CST 2012 - cyliu@suse.com
+
+- fate#313222 - xenstore-chmod should support 256 permissions
+  26189-xenstore-chmod.patch
+
+-------------------------------------------------------------------
+Tue Nov 27 09:17:17 MST 2012 - carnold@novell.com
+
+- bnc#789945 - VUL-0: CVE-2012-5510: xen: Grant table version
+  switch list corruption vulnerability (XSA-26)
+  CVE-2012-5510-xsa26.patch
+- bnc#789944 - VUL-0: CVE-2012-5511: xen: Several HVM operations do
+  not validate the range of their inputs (XSA-27)
+  CVE-2012-5511-xsa27.patch
+- bnc#789951 - VUL-0: CVE-2012-5513: xen: XENMEM_exchange may
+  overwrite hypervisor memory (XSA-29)
+  CVE-2012-5513-xsa29.patch
+- bnc#789948 - VUL-0: CVE-2012-5514: xen: Missing unlock in
+  guest_physmap_mark_populate_on_demand() (XSA-30)
+  CVE-2012-5514-xsa30.patch
+- bnc#789950 - VUL-0: CVE-2012-5515: xen: Several memory hypercall
+  operations allow invalid extent order values (XSA-31)
+  CVE-2012-5515-xsa31.patch
+- bnc#789952 - VUL-0: CVE-2012-5525: xen: Several hypercalls do not
+  validate input GFNs (XSA-32)
+  CVE-2012-5525-xsa32.patch
+- Upstream patches from Jan
+  26129-ACPI-BGRT-invalidate.patch
+  26132-tmem-save-NULL-check.patch
+  26134-x86-shadow-invlpg-check.patch
+  26139-cpumap-masking.patch
+  26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch)
+  26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch)
+  26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch)
+  26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch)
+  26179-PCI-find-next-cap.patch
+  26183-x86-HPET-masking.patch
+  26188-x86-time-scale-asm.patch
+
 -------------------------------------------------------------------
 Wed Nov 21 20:57:56 CET 2012 - ohering@suse.de
 
@@ -15,6 +61,19 @@ Tue Nov 13 16:35:55 MST 2012 - jfehlig@suse.com
 - bnc#777628 - guest "disappears" after live migration
   Updated block-dmmd script
 
+-------------------------------------------------------------------
+Fri Nov  9 10:29:51 MST 2012 - carnold@novell.com
+
+- Fix exception in balloon.py and osdep.py
+  xen-max-free-mem.diff
+
+-------------------------------------------------------------------
+Tue Nov  6 17:41:34 MDT 2012 - carnold@novell.com
+
+- fate#311966: Fix XEN VNC implementation to correctly map keyboard
+  layouts
+  VNC-Support-for-ExtendedKeyEvent-client-message.patch
+
 -------------------------------------------------------------------
 Tue Oct 30 15:28:27 CET 2012 - ohering@suse.de
 

xen.spec

@@ -114,7 +114,7 @@ BuildRequires:  kernel-syms
 BuildRequires:  module-init-tools
 BuildRequires:  xorg-x11
 %endif
-Version:        4.2.0_03
+Version:        4.2.0_04
 Release:        0
 PreReq:         %insserv_prereq %fillup_prereq
 Summary:        Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
@@ -232,11 +232,25 @@ Patch26096:     26096-SVM-nested-vmexit-emul.patch
 Patch26098:     26098-perfc-build.patch
 Patch26102:     26102-x86-IOAPIC-legacy-not-first.patch
 Patch26114:     26114-pygrub-list-entries.patch
-Patch20:        CVE-2012-4535-xsa20.patch
+Patch26129:     26129-ACPI-BGRT-invalidate.patch
-Patch22:        CVE-2012-4537-xsa22.patch
+Patch26132:     26132-tmem-save-NULL-check.patch
-Patch23:        CVE-2012-4538-xsa23.patch
+Patch26134:     26134-x86-shadow-invlpg-check.patch
-Patch24:        CVE-2012-4539-xsa24.patch
+Patch26139:     26139-cpumap-masking.patch
+Patch26148:     26148-vcpu-timer-overflow.patch
+Patch26149:     26149-x86-p2m-physmap-error-path.patch
+Patch26150:     26150-x86-shadow-unhook-toplevel-check.patch
+Patch26151:     26151-gnttab-compat-get-status-frames.patch
+Patch26179:     26179-PCI-find-next-cap.patch
+Patch26183:     26183-x86-HPET-masking.patch
+Patch26188:     26188-x86-time-scale-asm.patch
+Patch26189:     26189-xenstore-chmod.patch
 Patch25:        CVE-2012-4544-xsa25.patch
+Patch26:        CVE-2012-5510-xsa26.patch
+Patch27:        CVE-2012-5511-xsa27.patch
+Patch29:        CVE-2012-5513-xsa29.patch
+Patch30:        CVE-2012-5514-xsa30.patch
+Patch31:        CVE-2012-5515-xsa31.patch
+Patch32:        CVE-2012-5525-xsa32.patch
 # Upstream qemu patches
 Patch100:       VNC-Support-for-ExtendedKeyEvent-client-message.patch
 # Our patches
@@ -330,6 +344,7 @@ Patch458:       ipxe-enable-nics.patch
 Patch459:       blktap-close-fifos.patch
 Patch460:       blktap-disable-debug-printf.patch
 Patch461:       xen-glibc217.patch
+Patch462:       reverse-24757-use-grant-references.patch
 # Jim's domain lock patch
 Patch480:       xend-domain-lock.patch
 Patch481:       xend-domain-lock-sfex.patch
@@ -758,11 +773,25 @@ tar xfj %{SOURCE6} -C $RPM_BUILD_DIR/%{xen_build_dir}/tools
 %patch26098 -p1
 %patch26102 -p1
 %patch26114 -p1
-%patch20 -p1
+%patch26129 -p1
-%patch22 -p1
+%patch26132 -p1
-%patch23 -p1
+%patch26134 -p1
-%patch24 -p1
+%patch26139 -p1
+%patch26148 -p1
+%patch26149 -p1
+%patch26150 -p1
+%patch26151 -p1
+%patch26179 -p1
+%patch26183 -p1
+%patch26188 -p1
+%patch26189 -p1
 %patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
 # Qemu
 %patch100 -p1
 # Our patches
@@ -853,6 +882,7 @@ tar xfj %{SOURCE6} -C $RPM_BUILD_DIR/%{xen_build_dir}/tools
 %patch459 -p1
 %patch460 -p1
 %patch461 -p1
+%patch462 -p1
 %patch480 -p1
 %patch481 -p1
 %patch500 -p1