- Upstream patches from Jan

5604f239-x86-PV-properly-populate-descriptor-tables.patch 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch 561d20a0-x86-hide-MWAITX-from-PV-domains.patch 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch - bsc#951845 - VUL-0: CVE-2015-7972: xen: x86: populate-on-demand balloon size inaccuracy can crash guests (XSA-153) xsa153-libxl.patch - bsc#950703 - VUL-1: CVE-2015-7969: xen: leak of main per-domain vcpu pointer array (DoS) (XSA-149) xsa149.patch - bsc#950705 - VUL-1: CVE-2015-7969: xen: x86: leak of per-domain profiling-related vcpu pointer array (DoS) (XSA-151) xsa151.patch - bsc#950706 - VUL-0: CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without rate limiting (XSA-152) xsa152.patch - Dropped 55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch 5604f239-x86-PV-properly-populate-descriptor-tables.patch - bsc#932267 - VUL-1: CVE-2015-4037: qemu,kvm,xen: insecure temporary file use in /net/slirp.c CVE-2015-4037-qemuu-smb-config-dir-name.patch CVE-2015-4037-qemut-smb-config-dir-name.patch - bsc#877642 - VUL-0: CVE-2014-0222: qemu: qcow1: validate L2 table size to avoid integer overflows OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=382
2015-10-29 22:28:05 +00:00 · 2015-10-29 22:28:05 +00:00 · 9e9b5acb9c
commit 9e9b5acb9c
parent 0883ce22a7
29 changed files with 924 additions and 216 deletions
--- a/557eb620-gnttab-make-the-grant-table-lock-a-read-write-lock.patch
+++ b/557eb620-gnttab-make-the-grant-table-lock-a-read-write-lock.patch
@ -113,7 +113,7 @@ Reviewed-by: Jan Beulich <jbeulich@suse.com>
         if ( idx != 0 )
 --- a/xen/arch/x86/mm.c
 +++ b/xen/arch/x86/mm.c
-@@ -4592,7 +4592,7 @@ int xenmem_add_to_physmap_one(
+@@ -4595,7 +4595,7 @@ int xenmem_add_to_physmap_one(
                 mfn = virt_to_mfn(d->shared_info);
             break;
         case XENMAPSPACE_grant_table:
@ -122,7 +122,7 @@ Reviewed-by: Jan Beulich <jbeulich@suse.com>
             if ( d->grant_table->gt_version == 0 )
                 d->grant_table->gt_version = 1;
-@@ -4614,7 +4614,7 @@ int xenmem_add_to_physmap_one(
+@@ -4617,7 +4617,7 @@ int xenmem_add_to_physmap_one(
                     mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
             }
--- a/5583d9c5-x86-MSI-X-cleanup.patch
+++ b/5583d9c5-x86-MSI-X-cleanup.patch
@ -104,7 +104,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
             u32 mask_bits;
             u16 seg = entry->dev->seg;
             u8 bus = entry->dev->bus;
-@@ -703,13 +707,14 @@ static u64 read_pci_mem_bar(u16 seg, u8 
+@@ -701,13 +705,14 @@ static u64 read_pci_mem_bar(u16 seg, u8
  * requested MSI-X entries with allocated irqs or non-zero for otherwise.
  **/
 static int msix_capability_init(struct pci_dev *dev,
@ -120,7 +120,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
     u16 control;
     u64 table_paddr;
     u32 table_offset;
-@@ -721,7 +726,6 @@ static int msix_capability_init(struct p
+@@ -719,7 +724,6 @@ static int msix_capability_init(struct p
     ASSERT(spin_is_locked(&pcidevs_lock));
@ -128,7 +128,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
     control = pci_conf_read16(seg, bus, slot, func, msix_control_reg(pos));
     msix_set_enable(dev, 0);/* Ensure msix is disabled as I set it up */
-@@ -886,10 +890,9 @@ static int __pci_enable_msi(struct msi_i
+@@ -884,10 +888,9 @@ static int __pci_enable_msi(struct msi_i
     old_desc = find_msi_entry(pdev, msi->irq, PCI_CAP_ID_MSI);
     if ( old_desc )
     {
@ -142,7 +142,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
         *desc = old_desc;
         return 0;
     }
-@@ -897,10 +900,10 @@ static int __pci_enable_msi(struct msi_i
+@@ -895,10 +898,10 @@ static int __pci_enable_msi(struct msi_i
     old_desc = find_msi_entry(pdev, -1, PCI_CAP_ID_MSIX);
     if ( old_desc )
     {
@ -157,7 +157,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
     }
     return msi_capability_init(pdev, msi->irq, desc, msi->entry_nr);
-@@ -914,7 +917,6 @@ static void __pci_disable_msi(struct msi
+@@ -912,7 +915,6 @@ static void __pci_disable_msi(struct msi
     msi_set_enable(dev, 0);
     BUG_ON(list_empty(&dev->msi_list));
@ -165,7 +165,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 }
 /**
-@@ -934,7 +936,7 @@ static void __pci_disable_msi(struct msi
+@@ -932,7 +934,7 @@ static void __pci_disable_msi(struct msi
  **/
 static int __pci_enable_msix(struct msi_info *msi, struct msi_desc **desc)
 {
@ -174,7 +174,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
     struct pci_dev *pdev;
     u16 control;
     u8 slot = PCI_SLOT(msi->devfn);
-@@ -943,23 +945,22 @@ static int __pci_enable_msix(struct msi_
+@@ -941,23 +943,22 @@ static int __pci_enable_msix(struct msi_
     ASSERT(spin_is_locked(&pcidevs_lock));
     pdev = pci_get_pdev(msi->seg, msi->bus, msi->devfn);
@ -204,7 +204,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
         *desc = old_desc;
         return 0;
     }
-@@ -967,15 +968,13 @@ static int __pci_enable_msix(struct msi_
+@@ -965,15 +966,13 @@ static int __pci_enable_msix(struct msi_
     old_desc = find_msi_entry(pdev, -1, PCI_CAP_ID_MSI);
     if ( old_desc )
     {
@ -225,7 +225,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 }
 static void _pci_cleanup_msix(struct arch_msix *msix)
-@@ -993,19 +992,16 @@ static void _pci_cleanup_msix(struct arc
+@@ -991,19 +990,16 @@ static void _pci_cleanup_msix(struct arc
 static void __pci_disable_msix(struct msi_desc *entry)
 {
@ -254,7 +254,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
     msix_set_enable(dev, 0);
     BUG_ON(list_empty(&dev->msi_list));
-@@ -1047,7 +1043,7 @@ int pci_prepare_msix(u16 seg, u8 bus, u8
+@@ -1045,7 +1041,7 @@ int pci_prepare_msix(u16 seg, u8 bus, u8
         u16 control = pci_conf_read16(seg, bus, slot, func,
                                       msix_control_reg(pos));
@ -263,7 +263,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
                                   multi_msix_capable(control));
     }
     spin_unlock(&pcidevs_lock);
-@@ -1066,8 +1062,8 @@ int pci_enable_msi(struct msi_info *msi,
+@@ -1064,8 +1060,8 @@ int pci_enable_msi(struct msi_info *msi,
     if ( !use_msi )
         return -EPERM;
@ -274,7 +274,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 }
 /*
-@@ -1117,7 +1113,9 @@ int pci_restore_msi_state(struct pci_dev
+@@ -1115,7 +1111,9 @@ int pci_restore_msi_state(struct pci_dev
     if ( !pdev )
         return -EINVAL;
--- a/5583da09-x86-MSI-track-host-and-guest-masking-separately.patch
+++ b/5583da09-x86-MSI-track-host-and-guest-masking-separately.patch
@ -137,7 +137,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
     spin_unlock_irqrestore(&desc->lock, flags);
 --- a/xen/arch/x86/irq.c
 +++ b/xen/arch/x86/irq.c
-@@ -2503,6 +2503,25 @@ int unmap_domain_pirq_emuirq(struct doma
+@@ -2502,6 +2502,25 @@ int unmap_domain_pirq_emuirq(struct doma
     return ret;
 }
@ -230,7 +230,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
     .enable       = unmask_msi_irq,
     .disable      = mask_msi_irq,
     .ack          = ack_maskable_msi_irq,
-@@ -593,7 +605,8 @@ static int msi_capability_init(struct pc
+@@ -591,7 +603,8 @@ static int msi_capability_init(struct pc
         entry[i].msi_attrib.is_64 = is_64bit_address(control);
         entry[i].msi_attrib.entry_nr = i;
         entry[i].msi_attrib.maskbit = is_mask_bit_support(control);
@ -240,7 +240,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
         entry[i].msi_attrib.pos = pos;
         if ( entry[i].msi_attrib.maskbit )
             entry[i].msi.mpos = mpos;
-@@ -819,7 +832,8 @@ static int msix_capability_init(struct p
+@@ -817,7 +830,8 @@ static int msix_capability_init(struct p
         entry->msi_attrib.is_64 = 1;
         entry->msi_attrib.entry_nr = msi->entry_nr;
         entry->msi_attrib.maskbit = 1;
@ -250,7 +250,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
         entry->msi_attrib.pos = pos;
         entry->irq = msi->irq;
         entry->dev = dev;
-@@ -1154,7 +1168,8 @@ int pci_restore_msi_state(struct pci_dev
+@@ -1152,7 +1166,8 @@ int pci_restore_msi_state(struct pci_dev
         for ( i = 0; ; )
         {
@ -260,7 +260,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
             if ( !--nr )
                 break;
-@@ -1306,7 +1321,7 @@ static void dump_msi(unsigned char key)
+@@ -1304,7 +1319,7 @@ static void dump_msi(unsigned char key)
         else
             mask = '?';
         printk(" %-6s%4u vec=%02x%7s%6s%3sassert%5s%7s"
@ -269,7 +269,7 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
                type, irq,
                (data & MSI_DATA_VECTOR_MASK) >> MSI_DATA_VECTOR_SHIFT,
                data & MSI_DATA_DELIVERY_LOWPRI ? "lowest" : "fixed",
-@@ -1314,7 +1329,10 @@ static void dump_msi(unsigned char key)
+@@ -1312,7 +1327,10 @@ static void dump_msi(unsigned char key)
                data & MSI_DATA_LEVEL_ASSERT ? "" : "de",
                addr & MSI_ADDR_DESTMODE_LOGIC ? "log" : "phys",
                addr & MSI_ADDR_REDIRECTION_LOWPRI ? "lowest" : "cpu",
@ -317,18 +317,18 @@ Acked-by: Ian Campbell <ian.campbell@citrix.com>
 static unsigned int iommu_msi_startup(struct irq_desc *desc)
 --- a/xen/drivers/passthrough/vtd/iommu.c
 +++ b/xen/drivers/passthrough/vtd/iommu.c
-@@ -999,7 +999,7 @@ static void dma_msi_unmask(struct irq_de
+@@ -996,7 +996,7 @@ static void dma_msi_unmask(struct irq_de
-     sts &= ~DMA_FECTL_IM;
+     spin_lock_irqsave(&iommu->register_lock, flags);
-     dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
+     dmar_writel(iommu->reg, DMAR_FECTL_REG, 0);
     spin_unlock_irqrestore(&iommu->register_lock, flags);
 -    iommu->msi.msi_attrib.masked = 0;
 +    iommu->msi.msi_attrib.host_masked = 0;
 }
 static void dma_msi_mask(struct irq_desc *desc)
-@@ -1014,7 +1014,7 @@ static void dma_msi_mask(struct irq_desc
+@@ -1008,7 +1008,7 @@ static void dma_msi_mask(struct irq_desc
-     sts |= DMA_FECTL_IM;
+     spin_lock_irqsave(&iommu->register_lock, flags);
-     dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
+     dmar_writel(iommu->reg, DMAR_FECTL_REG, DMA_FECTL_IM);
     spin_unlock_irqrestore(&iommu->register_lock, flags);
 -    iommu->msi.msi_attrib.masked = 1;
 +    iommu->msi.msi_attrib.host_masked = 1;
--- a/55b0a218-x86-PCI-CFG-write-intercept.patch
+++ b/55b0a218-x86-PCI-CFG-write-intercept.patch
@ -14,7 +14,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 --- a/xen/arch/x86/msi.c
 +++ b/xen/arch/x86/msi.c
-@@ -1110,6 +1110,12 @@ void pci_cleanup_msi(struct pci_dev *pde
+@@ -1108,6 +1108,12 @@ void pci_cleanup_msi(struct pci_dev *pde
     msi_free_irqs(pdev);
 }
--- a/55b0a255-x86-MSI-X-maskall.patch
+++ b/55b0a255-x86-MSI-X-maskall.patch
@ -15,7 +15,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 --- a/xen/arch/x86/msi.c
 +++ b/xen/arch/x86/msi.c
-@@ -845,6 +845,12 @@ static int msix_capability_init(struct p
+@@ -843,6 +843,12 @@ static int msix_capability_init(struct p
     if ( !msix->used_entries )
     {
@ -28,7 +28,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
         if ( rangeset_add_range(mmio_ro_ranges, msix->table.first,
                                 msix->table.last) )
             WARN();
-@@ -1113,6 +1119,34 @@ void pci_cleanup_msi(struct pci_dev *pde
+@@ -1111,6 +1117,34 @@ void pci_cleanup_msi(struct pci_dev *pde
 int pci_msi_conf_write_intercept(struct pci_dev *pdev, unsigned int reg,
                                  unsigned int size, uint32_t *data)
 {
--- a/55b0a283-x86-MSI-X-teardown.patch
+++ b/55b0a283-x86-MSI-X-teardown.patch
@ -283,7 +283,7 @@ Backporting note (largely to myself):
 }
 void ack_nonmaskable_msi_irq(struct irq_desc *desc)
-@@ -742,6 +811,9 @@ static int msix_capability_init(struct p
+@@ -740,6 +809,9 @@ static int msix_capability_init(struct p
     control = pci_conf_read16(seg, bus, slot, func, msix_control_reg(pos));
     msix_set_enable(dev, 0);/* Ensure msix is disabled as I set it up */
@ -293,7 +293,7 @@ Backporting note (largely to myself):
     if ( desc )
     {
         entry = alloc_msi_entry(1);
-@@ -881,7 +953,8 @@ static int msix_capability_init(struct p
+@@ -879,7 +951,8 @@ static int msix_capability_init(struct p
     ++msix->used_entries;
     /* Restore MSI-X enabled bits */
@ -303,7 +303,7 @@ Backporting note (largely to myself):
     return 0;
 }
-@@ -1026,8 +1099,16 @@ static void __pci_disable_msix(struct ms
+@@ -1024,8 +1097,16 @@ static void __pci_disable_msix(struct ms
     BUG_ON(list_empty(&dev->msi_list));
@ -322,7 +322,7 @@ Backporting note (largely to myself):
     pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos), control);
     _pci_cleanup_msix(dev->msix);
-@@ -1201,15 +1282,24 @@ int pci_restore_msi_state(struct pci_dev
+@@ -1199,15 +1280,24 @@ int pci_restore_msi_state(struct pci_dev
             nr = entry->msi.nvec;
         }
         else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX )
--- a/55b0a2ab-x86-MSI-X-enable.patch
+++ b/55b0a2ab-x86-MSI-X-enable.patch
@ -171,7 +171,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 }
 int __setup_msi_irq(struct irq_desc *desc, struct msi_desc *msidesc,
-@@ -805,20 +850,38 @@ static int msix_capability_init(struct p
+@@ -803,20 +848,38 @@ static int msix_capability_init(struct p
     u8 bus = dev->bus;
     u8 slot = PCI_SLOT(dev->devfn);
     u8 func = PCI_FUNC(dev->devfn);
@ -211,7 +211,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
         ASSERT(msi);
     }
-@@ -849,6 +912,8 @@ static int msix_capability_init(struct p
+@@ -847,6 +910,8 @@ static int msix_capability_init(struct p
     {
         if ( !msi || !msi->table_base )
         {
@ -220,7 +220,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
             xfree(entry);
             return -ENXIO;
         }
-@@ -891,6 +956,8 @@ static int msix_capability_init(struct p
+@@ -889,6 +954,8 @@ static int msix_capability_init(struct p
         if ( idx < 0 )
         {
@ -229,7 +229,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
             xfree(entry);
             return idx;
         }
-@@ -917,7 +984,7 @@ static int msix_capability_init(struct p
+@@ -915,7 +982,7 @@ static int msix_capability_init(struct p
     if ( !msix->used_entries )
     {
@ -238,7 +238,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
         if ( !msix->guest_maskall )
             control &= ~PCI_MSIX_FLAGS_MASKALL;
         else
-@@ -953,8 +1020,8 @@ static int msix_capability_init(struct p
+@@ -951,8 +1018,8 @@ static int msix_capability_init(struct p
     ++msix->used_entries;
     /* Restore MSI-X enabled bits */
@ -249,7 +249,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
     return 0;
 }
-@@ -1094,8 +1161,15 @@ static void __pci_disable_msix(struct ms
+@@ -1092,8 +1159,15 @@ static void __pci_disable_msix(struct ms
                                            PCI_CAP_ID_MSIX);
     u16 control = pci_conf_read16(seg, bus, slot, func,
                                   msix_control_reg(entry->msi_attrib.pos));
@ -266,7 +266,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
     BUG_ON(list_empty(&dev->msi_list));
-@@ -1107,8 +1181,11 @@ static void __pci_disable_msix(struct ms
+@@ -1105,8 +1179,11 @@ static void __pci_disable_msix(struct ms
                "cannot disable IRQ %d: masking MSI-X on %04x:%02x:%02x.%u\n",
                entry->irq, dev->seg, dev->bus,
                PCI_SLOT(dev->devfn), PCI_FUNC(dev->devfn));
@ -279,7 +279,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
     pci_conf_write16(seg, bus, slot, func, msix_control_reg(pos), control);
     _pci_cleanup_msix(dev->msix);
-@@ -1257,6 +1334,8 @@ int pci_restore_msi_state(struct pci_dev
+@@ -1255,6 +1332,8 @@ int pci_restore_msi_state(struct pci_dev
     list_for_each_entry_safe( entry, tmp, &pdev->msi_list, list )
     {
         unsigned int i = 0, nr = 1;
@ -288,7 +288,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
         irq = entry->irq;
         desc = &irq_desc[irq];
-@@ -1283,10 +1362,18 @@ int pci_restore_msi_state(struct pci_dev
+@@ -1281,10 +1360,18 @@ int pci_restore_msi_state(struct pci_dev
         }
         else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX )
         {
@ -308,7 +308,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
                 return -ENXIO;
             }
         }
-@@ -1316,11 +1403,9 @@ int pci_restore_msi_state(struct pci_dev
+@@ -1314,11 +1401,9 @@ int pci_restore_msi_state(struct pci_dev
         if ( entry->msi_attrib.type == PCI_CAP_ID_MSI )
         {
             unsigned int cpos = msi_control_reg(entry->msi_attrib.pos);
@ -322,7 +322,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
             multi_msi_enable(control, entry->msi.nvec);
             pci_conf_write16(pdev->seg, pdev->bus, PCI_SLOT(pdev->devfn),
                              PCI_FUNC(pdev->devfn), cpos, control);
-@@ -1328,7 +1413,9 @@ int pci_restore_msi_state(struct pci_dev
+@@ -1326,7 +1411,9 @@ int pci_restore_msi_state(struct pci_dev
             msi_set_enable(pdev, 1);
         }
         else if ( entry->msi_attrib.type == PCI_CAP_ID_MSIX )
--- a/55b0a2db-x86-MSI-track-guest-masking.patch
+++ b/55b0a2db-x86-MSI-track-guest-masking.patch
@ -15,7 +15,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 --- a/xen/arch/x86/msi.c
 +++ b/xen/arch/x86/msi.c
-@@ -1305,6 +1305,37 @@ int pci_msi_conf_write_intercept(struct 
+@@ -1303,6 +1303,37 @@ int pci_msi_conf_write_intercept(struct
         return 1;
     }
--- a/55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch
+++ b/55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch
@ -1,84 +0,0 @@
 # Commit 669d4b85c433674ab3b52ef707af0d3a551c941f
 # Date 2015-08-25 16:18:31 +0200
 # Author Jan Beulich <jbeulich@suse.com>
 # Committer Jan Beulich <jbeulich@suse.com>
 x86/IO-APIC: don't create pIRQ mapping from masked RTE
 While moving our XenoLinux patches to 4.2-rc I noticed bogus "already
 mapped" messages resulting from Linux (legitimately) writing RTEs with
 only the mask bit set. Clearly we shouldn't even attempt to create a
 pIRQ <-> IRQ mapping from such RTEs.
 In the course of this I also found that the respective message isn't
 really useful without also printing the pre-existing mapping. And I
 noticed that map_domain_pirq() allowed IRQ0 to get through, despite us
 never allowing a domain to control that interrupt.
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 --- a/xen/arch/x86/io_apic.c
 +++ b/xen/arch/x86/io_apic.c
@@ -2371,9 +2371,14 @@ int ioapic_guest_write(unsigned long phy
      * pirq and irq mapping. Where the GSI is greater than 256, we assume
      * that dom0 pirq == irq.
      */
 -    pirq = (irq >= 256) ? irq : rte.vector;
 -    if ( (pirq < 0) || (pirq >= hardware_domain->nr_pirqs) )
 -        return -EINVAL;
 +    if ( !rte.mask )
 +    {
 +        pirq = (irq >= 256) ? irq : rte.vector;
 +        if ( pirq >= hardware_domain->nr_pirqs )
 +            return -EINVAL;
 +    }
 +    else
 +        pirq = -1;
     if ( desc->action )
     {
@@ -2408,12 +2413,15 @@ int ioapic_guest_write(unsigned long phy
         printk(XENLOG_INFO "allocated vector %02x for irq %d\n", ret, irq);
     }
 -    spin_lock(&hardware_domain->event_lock);
 -    ret = map_domain_pirq(hardware_domain, pirq, irq,
 -            MAP_PIRQ_TYPE_GSI, NULL);
 -    spin_unlock(&hardware_domain->event_lock);
 -    if ( ret < 0 )
 -        return ret;
 +    if ( pirq >= 0 )
 +    {
 +        spin_lock(&hardware_domain->event_lock);
 +        ret = map_domain_pirq(hardware_domain, pirq, irq,
 +                              MAP_PIRQ_TYPE_GSI, NULL);
 +        spin_unlock(&hardware_domain->event_lock);
 +        if ( ret < 0 )
 +            return ret;
 +    }
     spin_lock_irqsave(&ioapic_lock, flags);
     /* Set the correct irq-handling type. */
 --- a/xen/arch/x86/irq.c
 +++ b/xen/arch/x86/irq.c
@@ -1906,7 +1906,7 @@ int map_domain_pirq(
     if ( !irq_access_permitted(current->domain, irq))
         return -EPERM;
 -    if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
 +    if ( pirq < 0 || pirq >= d->nr_pirqs || irq <= 0 || irq >= nr_irqs )
     {
         dprintk(XENLOG_G_ERR, "dom%d: invalid pirq %d or irq %d\n",
                 d->domain_id, pirq, irq);
@@ -1919,8 +1919,9 @@ int map_domain_pirq(
     if ( (old_irq > 0 && (old_irq != irq) ) ||
          (old_pirq && (old_pirq != pirq)) )
     {
 -        dprintk(XENLOG_G_WARNING, "dom%d: pirq %d or irq %d already mapped\n",
 -                d->domain_id, pirq, irq);
 +        dprintk(XENLOG_G_WARNING,
 +                "dom%d: pirq %d or irq %d already mapped (%d,%d)\n",
 +                d->domain_id, pirq, irq, old_pirq, old_irq);
         return 0;
     }
--- a/55f9345b-x86-MSI-fail-if-no-hardware-support.patch
+++ b/55f9345b-x86-MSI-fail-if-no-hardware-support.patch
@ -12,7 +12,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 --- a/xen/arch/x86/msi.c
 +++ b/xen/arch/x86/msi.c
-@@ -566,6 +566,8 @@ static int msi_capability_init(struct pc
+@@ -696,6 +696,8 @@ static int msi_capability_init(struct pc
     ASSERT(spin_is_locked(&pcidevs_lock));
     pos = pci_find_cap_offset(seg, bus, slot, func, PCI_CAP_ID_MSI);
--- a/5604f239-x86-PV-properly-populate-descriptor-tables.patch
+++ b/5604f239-x86-PV-properly-populate-descriptor-tables.patch
@ -18,9 +18,25 @@ Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 # Commit 61031e64d3dafd2fb1953436444bf02eccb9b146
 # Date 2015-10-27 14:46:12 +0100
 # Author Jan Beulich <jbeulich@suse.com>
 # Committer Jan Beulich <jbeulich@suse.com>
 x86/PV: don't zero-map LDT
 This effectvely reverts the LDT related part of commit cf6d39f819
 ("x86/PV: properly populate descriptor tables"), which broke demand
 paged LDT handling in guests.
 Reported-by: David Vrabel <david.vrabel@citrix.com>
 Diagnosed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Tested-by: David Vrabel <david.vrabel@citrix.com>
 Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 --- a/xen/arch/x86/mm.c
 +++ b/xen/arch/x86/mm.c
-@@ -505,12 +505,13 @@ void update_cr3(struct vcpu *v)
+@@ -505,12 +505,12 @@ void update_cr3(struct vcpu *v)
     make_cr3(v, cr3_mfn);
 }
@ -32,24 +48,24 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 -    int i;
 -    unsigned long pfn;
 +    unsigned int i;
 +    unsigned long pfn, zero_pfn = PFN_DOWN(__pa(zero_page));
     struct page_info *page;
     BUG_ON(unlikely(in_irq()));
-@@ -526,8 +527,10 @@ static void invalidate_shadow_ldt(struct
+@@ -525,10 +525,10 @@ static void invalidate_shadow_ldt(struct
     for ( i = 16; i < 32; i++ )
     {
-         pfn = l1e_get_pfn(pl1e[i]);
+-        pfn = l1e_get_pfn(pl1e[i]);
 -        if ( pfn == 0 ) continue;
-        l1e_write(&pl1e[i], l1e_empty());
+        if ( !(l1e_get_flags(pl1e[i]) & _PAGE_PRESENT) )
 +        if ( !(l1e_get_flags(pl1e[i]) & _PAGE_PRESENT) || pfn == zero_pfn )
 +            continue;
-+        l1e_write(&pl1e[i],
+        page = l1e_get_page(pl1e[i]);
-+                  l1e_from_pfn(zero_pfn, __PAGE_HYPERVISOR & ~_PAGE_RW));
+         l1e_write(&pl1e[i], l1e_empty());
-         page = mfn_to_page(pfn);
+-        page = mfn_to_page(pfn);
         ASSERT_PAGE_IS_TYPE(page, PGT_seg_desc_page);
         ASSERT_PAGE_IS_DOMAIN(page, v->domain);
-@@ -4360,16 +4363,18 @@ long do_update_va_mapping_otherdomain(un
+         put_page_and_type(page);
@@ -4360,16 +4360,18 @@ long do_update_va_mapping_otherdomain(un
 void destroy_gdt(struct vcpu *v)
 {
     l1_pgentry_t *pl1e;
@ -72,7 +88,7 @@ Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
         v->arch.pv_vcpu.gdt_frames[i] = 0;
     }
 }
-@@ -4382,7 +4387,7 @@ long set_gdt(struct vcpu *v, 
+@@ -4382,7 +4384,7 @@ long set_gdt(struct vcpu *v,
     struct domain *d = v->domain;
     l1_pgentry_t *pl1e;
     /* NB. There are 512 8-byte entries per GDT page. */
--- a/5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch
+++ b/5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch
@ -39,7 +39,7 @@ Signed-off-by: Quan Xu <quan.xu@intel.com>
 +    sts &= ~DMA_FECTL_IM;
 +    dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
     spin_unlock_irqrestore(&iommu->register_lock, flags);
-     iommu->msi.msi_attrib.masked = 0;
+     iommu->msi.msi_attrib.host_masked = 0;
 }
@@ -1003,10 +1006,13 @@ static void dma_msi_mask(struct irq_desc
 {
@ -54,7 +54,7 @@ Signed-off-by: Quan Xu <quan.xu@intel.com>
 +    sts |= DMA_FECTL_IM;
 +    dmar_writel(iommu->reg, DMAR_FECTL_REG, sts);
     spin_unlock_irqrestore(&iommu->register_lock, flags);
-     iommu->msi.msi_attrib.masked = 1;
+     iommu->msi.msi_attrib.host_masked = 1;
 }
@@ -2002,6 +2008,7 @@ static int init_vtd_hw(void)
     struct iommu_flush *flush = NULL;
--- a/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch
+++ b/561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch
@ -0,0 +1,55 @@
 # Commit 710942e57fb42ff8f344ca82f6b678f67e38ae63
 # Date 2015-10-12 15:58:35 +0200
 # Author Jan Beulich <jbeulich@suse.com>
 # Committer Jan Beulich <jbeulich@suse.com>
 VT-d: don't suppress invalidation address write when it is zero
 GFN zero is a valid address, and hence may need invalidation done for
 it just like for any other GFN.
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 Acked-by: Yang Zhang <yang.z.zhang@intel.com>
 --- a/xen/drivers/passthrough/vtd/iommu.c
 +++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -414,7 +414,7 @@ static int flush_iotlb_reg(void *_iommu,
 {
     struct iommu *iommu = (struct iommu *) _iommu;
     int tlb_offset = ecap_iotlb_offset(iommu->ecap);
 -    u64 val = 0, val_iva = 0;
 +    u64 val = 0;
     unsigned long flags;
     /*
@@ -435,7 +435,6 @@ static int flush_iotlb_reg(void *_iommu,
     switch ( type )
     {
     case DMA_TLB_GLOBAL_FLUSH:
 -        /* global flush doesn't need set IVA_REG */
         val = DMA_TLB_GLOBAL_FLUSH|DMA_TLB_IVT;
         break;
     case DMA_TLB_DSI_FLUSH:
@@ -443,8 +442,6 @@ static int flush_iotlb_reg(void *_iommu,
         break;
     case DMA_TLB_PSI_FLUSH:
         val = DMA_TLB_PSI_FLUSH|DMA_TLB_IVT|DMA_TLB_DID(did);
 -        /* Note: always flush non-leaf currently */
 -        val_iva = size_order | addr;
         break;
     default:
         BUG();
@@ -457,8 +454,11 @@ static int flush_iotlb_reg(void *_iommu,
     spin_lock_irqsave(&iommu->register_lock, flags);
     /* Note: Only uses first TLB reg currently */
 -    if ( val_iva )
 -        dmar_writeq(iommu->reg, tlb_offset, val_iva);
 +    if ( type == DMA_TLB_PSI_FLUSH )
 +    {
 +        /* Note: always flush non-leaf currently. */
 +        dmar_writeq(iommu->reg, tlb_offset, size_order | addr);
 +    }
     dmar_writeq(iommu->reg, tlb_offset + 8, val);
     /* Make sure hardware complete it */
--- a/561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
+++ b/561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
@ -0,0 +1,113 @@
 # Commit 6851e979874ebc05d270ea94360c49d920d3eaf4
 # Date 2015-10-13 17:16:22 +0200
 # Author Jan Beulich <jbeulich@suse.com>
 # Committer Jan Beulich <jbeulich@suse.com>
 VT-d: use proper error codes in iommu_enable_x2apic_IR()
 ... allowing to suppress a confusing message combination: When
 ACPI_DMAR_X2APIC_OPT_OUT is set, so far we first logged a message
 that IR could not be enabled (hence not using x2APIC), followed by
 one indicating successful initialization of IR (if no other problems
 prevented that).
 Also adjust the return type of iommu_supports_eim() and fix some
 broken indentation in the function.
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 Acked-by: Yang Zhang <yang.z.zhang@intel.com>
 --- a/xen/arch/x86/apic.c
 +++ b/xen/arch/x86/apic.c
@@ -946,8 +946,18 @@ void __init x2apic_bsp_setup(void)
     mask_8259A();
     mask_IO_APIC_setup(ioapic_entries);
 -    if ( iommu_enable_x2apic_IR() )
 +    switch ( iommu_enable_x2apic_IR() )
     {
 +    case 0:
 +        break;
 +    case -ENXIO: /* ACPI_DMAR_X2APIC_OPT_OUT set */
 +        if ( !x2apic_enabled )
 +        {
 +            printk("Not enabling x2APIC (upon firmware request)\n");
 +            goto restore_out;
 +        }
 +        /* fall through */
 +    default:
         if ( x2apic_enabled )
             panic("Interrupt remapping could not be enabled while "
                   "x2APIC is already enabled by BIOS");
 --- a/xen/drivers/passthrough/vtd/intremap.c
 +++ b/xen/drivers/passthrough/vtd/intremap.c
@@ -144,10 +144,10 @@ static void set_hpet_source_id(unsigned
     set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_13_IGNORE_3, hpetid_to_bdf(id));
 }
 -int iommu_supports_eim(void)
 +bool_t iommu_supports_eim(void)
 {
     struct acpi_drhd_unit *drhd;
 -    int apic;
 +    unsigned int apic;
     if ( !iommu_qinval || !iommu_intremap || list_empty(&acpi_drhd_units) )
         return 0;
@@ -155,12 +155,12 @@ int iommu_supports_eim(void)
     /* We MUST have a DRHD unit for each IOAPIC. */
     for ( apic = 0; apic < nr_ioapics; apic++ )
         if ( !ioapic_to_drhd(IO_APIC_ID(apic)) )
 -    {
 +        {
             dprintk(XENLOG_WARNING VTDPREFIX,
                     "There is not a DRHD for IOAPIC %#x (id: %#x)!\n",
                     apic, IO_APIC_ID(apic));
             return 0;
 -    }
 +        }
     for_each_drhd_unit ( drhd )
         if ( !ecap_queued_inval(drhd->iommu->ecap) ||
@@ -834,10 +834,10 @@ int iommu_enable_x2apic_IR(void)
     struct iommu *iommu;
     if ( !iommu_supports_eim() )
 -        return -1;
 +        return -EOPNOTSUPP;
     if ( !platform_supports_x2apic() )
 -        return -1;
 +        return -ENXIO;
     for_each_drhd_unit ( drhd )
     {
@@ -862,7 +862,7 @@ int iommu_enable_x2apic_IR(void)
         {
             dprintk(XENLOG_INFO VTDPREFIX,
                     "Failed to enable Queued Invalidation!\n");
 -            return -1;
 +            return -EIO;
         }
     }
@@ -874,7 +874,7 @@ int iommu_enable_x2apic_IR(void)
         {
             dprintk(XENLOG_INFO VTDPREFIX,
                     "Failed to enable Interrupt Remapping!\n");
 -            return -1;
 +            return -EIO;
         }
     }
 --- a/xen/include/asm-x86/iommu.h
 +++ b/xen/include/asm-x86/iommu.h
@@ -28,7 +28,7 @@ int iommu_setup_hpet_msi(struct msi_desc
 /* While VT-d specific, this must get declared in a generic header. */
 int adjust_vtd_irq_affinities(void);
 void iommu_pte_flush(struct domain *d, u64 gfn, u64 *pte, int order, int present);
 -int iommu_supports_eim(void);
 +bool_t iommu_supports_eim(void);
 int iommu_enable_x2apic_IR(void);
 void iommu_disable_x2apic_IR(void);
--- a/561d20a0-x86-hide-MWAITX-from-PV-domains.patch
+++ b/561d20a0-x86-hide-MWAITX-from-PV-domains.patch
@ -0,0 +1,32 @@
 # Commit 941cd44324db7eddc46cba4596fa13d505066ccf
 # Date 2015-10-13 17:17:52 +0200
 # Author Jan Beulich <jbeulich@suse.com>
 # Committer Jan Beulich <jbeulich@suse.com>
 x86: hide MWAITX from PV domains
 Since MWAIT is hidden too. (Linux starting with 4.3 is making use of
 that feature, and is checking for it without looking at the MWAIT one.)
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 --- a/xen/arch/x86/traps.c
 +++ b/xen/arch/x86/traps.c
@@ -904,6 +904,7 @@ void pv_cpuid(struct cpu_user_regs *regs
         __clear_bit(X86_FEATURE_LWP % 32, &c);
         __clear_bit(X86_FEATURE_NODEID_MSR % 32, &c);
         __clear_bit(X86_FEATURE_TOPOEXT % 32, &c);
 +        __clear_bit(X86_FEATURE_MWAITX % 32, &c);
         break;
     case 0x00000005: /* MONITOR/MWAIT */
 --- a/xen/include/asm-x86/cpufeature.h
 +++ b/xen/include/asm-x86/cpufeature.h
@@ -137,6 +137,7 @@
 #define X86_FEATURE_TBM         (6*32+21) /* trailing bit manipulations */
 #define X86_FEATURE_TOPOEXT     (6*32+22) /* topology extensions CPUID leafs */
 #define X86_FEATURE_DBEXT       (6*32+26) /* data breakpoint extension */
 +#define X86_FEATURE_MWAITX      (6*32+29) /* MWAIT extension (MONITORX/MWAITX) */
 /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 7 */
 #define X86_FEATURE_FSGSBASE	(7*32+ 0) /* {RD,WR}{FS,GS}BASE instructions */
--- a/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch
+++ b/561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch
@ -0,0 +1,114 @@
 # Commit 83281fc9b31396e94c0bfb6550b75c165037a0ad
 # Date 2015-10-14 12:46:27 +0200
 # Author Jan Beulich <jbeulich@suse.com>
 # Committer Jan Beulich <jbeulich@suse.com>
 x86/NUMA: fix SRAT table processor entry parsing and consumption
 - don't overrun apicid_to_node[] (possible in the x2APIC case)
 - don't limit number of processor related SRAT entries we can consume
 - make acpi_numa_{processor,x2apic}_affinity_init() as similar to one
  another as possible
 - print APIC IDs in hex (to ease matching with other log messages), at
  once making legacy and x2APIC ones distinguishable (by width)
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
 --- a/xen/arch/x86/numa.c
 +++ b/xen/arch/x86/numa.c
@@ -347,7 +347,7 @@ void __init init_cpu_to_node(void)
         u32 apicid = x86_cpu_to_apicid[i];
         if ( apicid == BAD_APICID )
             continue;
 -        node = apicid_to_node[apicid];
 +        node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE;
         if ( node == NUMA_NO_NODE || !node_online(node) )
             node = 0;
         numa_set_node(i, node);
 --- a/xen/arch/x86/setup.c
 +++ b/xen/arch/x86/setup.c
@@ -191,7 +191,7 @@ void __devinit srat_detect_node(int cpu)
     unsigned node;
     u32 apicid = x86_cpu_to_apicid[cpu];
 -    node = apicid_to_node[apicid];
 +    node = apicid < MAX_LOCAL_APIC ? apicid_to_node[apicid] : NUMA_NO_NODE;
     if ( node == NUMA_NO_NODE )
         node = 0;
 --- a/xen/arch/x86/smpboot.c
 +++ b/xen/arch/x86/smpboot.c
@@ -885,7 +885,8 @@ int cpu_add(uint32_t apic_id, uint32_t a
             cpu = node;
             goto out;
         }
 -        apicid_to_node[apic_id] = node;
 +        if ( apic_id < MAX_LOCAL_APIC )
 +             apicid_to_node[apic_id] = node;
     }
     /* Physically added CPUs do not have synchronised TSC. */
 --- a/xen/arch/x86/srat.c
 +++ b/xen/arch/x86/srat.c
@@ -170,7 +170,6 @@ void __init
 acpi_numa_x2apic_affinity_init(struct acpi_srat_x2apic_cpu_affinity *pa)
 {
 	int pxm, node;
 -	int apic_id;
 	if (srat_disabled())
 		return;
@@ -178,8 +177,13 @@ acpi_numa_x2apic_affinity_init(struct ac
 		bad_srat();
 		return;
 	}
 -	if ((pa->flags & ACPI_SRAT_CPU_ENABLED) == 0)
 +	if (!(pa->flags & ACPI_SRAT_CPU_ENABLED))
 +		return;
 +	if (pa->apic_id >= MAX_LOCAL_APIC) {
 +		printk(KERN_INFO "SRAT: APIC %08x ignored\n", pa->apic_id);
 		return;
 +	}
 +
 	pxm = pa->proximity_domain;
 	node = setup_node(pxm);
 	if (node < 0) {
@@ -187,11 +191,11 @@ acpi_numa_x2apic_affinity_init(struct ac
 		return;
 	}
 -	apic_id = pa->apic_id;
 -	apicid_to_node[apic_id] = node;
 +	apicid_to_node[pa->apic_id] = node;
 +	node_set(node, processor_nodes_parsed);
 	acpi_numa = 1;
 -	printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n",
 -	       pxm, apic_id, node);
 +	printk(KERN_INFO "SRAT: PXM %u -> APIC %08x -> Node %u\n",
 +	       pxm, pa->apic_id, node);
 }
 /* Callback for Proximity Domain -> LAPIC mapping */
@@ -221,7 +225,7 @@ acpi_numa_processor_affinity_init(struct
 	apicid_to_node[pa->apic_id] = node;
 	node_set(node, processor_nodes_parsed);
 	acpi_numa = 1;
 -	printk(KERN_INFO "SRAT: PXM %u -> APIC %u -> Node %u\n",
 +	printk(KERN_INFO "SRAT: PXM %u -> APIC %02x -> Node %u\n",
 	       pxm, pa->apic_id, node);
 }
 --- a/xen/drivers/acpi/numa.c
 +++ b/xen/drivers/acpi/numa.c
@@ -199,9 +199,9 @@ int __init acpi_numa_init(void)
 	/* SRAT: Static Resource Affinity Table */
 	if (!acpi_table_parse(ACPI_SIG_SRAT, acpi_parse_srat)) {
 		acpi_table_parse_srat(ACPI_SRAT_TYPE_X2APIC_CPU_AFFINITY,
 -				      acpi_parse_x2apic_affinity, NR_CPUS);
 +				      acpi_parse_x2apic_affinity, 0);
 		acpi_table_parse_srat(ACPI_SRAT_TYPE_CPU_AFFINITY,
 -				      acpi_parse_processor_affinity, NR_CPUS);
 +				      acpi_parse_processor_affinity, 0);
 		acpi_table_parse_srat(ACPI_SRAT_TYPE_MEMORY_AFFINITY,
 				      acpi_parse_memory_affinity,
 				      NR_NODE_MEMBLKS);
--- a/CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
+++ b/CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
@ -0,0 +1,38 @@
 References: bsc#877642
 Subject: qcow1: Validate L2 table size (CVE-2014-0222)
 From: Kevin Wolf kwolf@redhat.com Thu May 15 16:10:11 2014 +0200
 Date: Mon May 19 11:36:49 2014 +0200:
 Git: 42eb58179b3b215bb507da3262b682b8a2ec10b5
 Too large L2 table sizes cause unbounded allocations. Images actually
 created by qemu-img only have 512 byte or 4k L2 tables.
 To keep things consistent with cluster sizes, allow ranges between 512
 bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
 working, but L2 table sizes smaller than a cluster don't make a lot of
 sense).
 This also means that the number of bytes on the virtual disk that are
 described by the same L2 table is limited to at most 8k * 64k or 2^29,
 preventively avoiding any integer overflows.
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Kevin Wolf <kwolf@redhat.com>
 Reviewed-by: Benoit Canet <benoit@irqsave.net>
 Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/block-qcow.c
 ===================================================================
 --- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/block-qcow.c
 +++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/block-qcow.c
@@ -126,6 +126,10 @@ static int qcow_open(BlockDriverState *b
         goto fail;
     if (header.size <= 1 || header.cluster_bits < 9)
         goto fail;
 +    /* l2_bits specifies number of entries; storing a uint64_t in each entry,
 +     * so bytes = num_entries << 3. */
 +    if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3)
 +        goto fail;
     if (header.crypt_method > QCOW_CRYPT_AES)
         goto fail;
     s->crypt_method_header = header.crypt_method;
--- a/CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
+++ b/CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
@ -0,0 +1,42 @@
 References: bsc#877642
 Subject: qcow1: Validate L2 table size (CVE-2014-0222)
 From: Kevin Wolf kwolf@redhat.com Thu May 15 16:10:11 2014 +0200
 Date: Mon May 19 11:36:49 2014 +0200:
 Git: 42eb58179b3b215bb507da3262b682b8a2ec10b5
 Too large L2 table sizes cause unbounded allocations. Images actually
 created by qemu-img only have 512 byte or 4k L2 tables.
 To keep things consistent with cluster sizes, allow ranges between 512
 bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
 working, but L2 table sizes smaller than a cluster don't make a lot of
 sense).
 This also means that the number of bytes on the virtual disk that are
 described by the same L2 table is limited to at most 8k * 64k or 2^29,
 preventively avoiding any integer overflows.
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Kevin Wolf <kwolf@redhat.com>
 Reviewed-by: Benoit Canet <benoit@irqsave.net>
 Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/block/qcow.c
 ===================================================================
 --- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/block/qcow.c
 +++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/block/qcow.c
@@ -147,6 +147,14 @@ static int qcow_open(BlockDriverState *b
         goto fail;
     }
 +    /* l2_bits specifies number of entries; storing a uint64_t in each entry,
 +     * so bytes = num_entries << 3. */
 +    if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
 +        error_setg(errp, "L2 table size must be between 512 and 64k");
 +        ret = -EINVAL;
 +        goto fail;
 +    }
 +
     if (header.crypt_method > QCOW_CRYPT_AES) {
         error_setg(errp, "invalid encryption method in qcow header");
         ret = -EINVAL;
--- a/CVE-2015-4037-qemut-smb-config-dir-name.patch
+++ b/CVE-2015-4037-qemut-smb-config-dir-name.patch
@ -0,0 +1,39 @@
 References: bsc#932267
 Subject: slirp: use less predictable directory name in /tmp for smb config (CVE-2015-4037)
 From: Michael Tokarev mjt@tls.msk.ru Thu May 28 14:12:26 2015 +0300
 Date: Wed Jun 3 14:21:45 2015 +0300:
 Git: 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3
 In this version I used mkdtemp(3) which is:
        _BSD_SOURCE
        || /* Since glibc 2.10: */
            (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
 (POSIX.1-2008), so should be available on systems we care about.
 While at it, reset the resulting directory name within smb structure
 on error so cleanup function wont try to remove directory which we
 failed to create.
 Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
 Reviewed-by: Markus Armbruster <armbru@redhat.com>
 Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
 ===================================================================
 --- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
 +++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
@@ -624,9 +624,10 @@ void net_slirp_smb(const char *exported_
     }
     /* XXX: better tmp dir construction */
 -    snprintf(smb_dir, sizeof(smb_dir), "/tmp/qemu-smb.%d", getpid());
 -    if (mkdir(smb_dir, 0700) < 0) {
 +    snprintf(smb_dir, sizeof(smb_dir), "/tmp/qemu-smb.XXXXXX");
 +    if (!mkdtemp(smb_dir)) {
         fprintf(stderr, "qemu: could not create samba server dir '%s'\n", smb_dir);
 +        smb_dir[0] = 0;
         exit(1);
     }
     snprintf(smb_conf, sizeof(smb_conf), "%s/%s", smb_dir, "smb.conf");
--- a/CVE-2015-4037-qemuu-smb-config-dir-name.patch
+++ b/CVE-2015-4037-qemuu-smb-config-dir-name.patch
@ -0,0 +1,48 @@
 References: bsc#932267
 Subject: slirp: use less predictable directory name in /tmp for smb config (CVE-2015-4037)
 From: Michael Tokarev mjt@tls.msk.ru Thu May 28 14:12:26 2015 +0300
 Date: Wed Jun 3 14:21:45 2015 +0300:
 Git: 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3
 In this version I used mkdtemp(3) which is:
        _BSD_SOURCE
        || /* Since glibc 2.10: */
            (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
 (POSIX.1-2008), so should be available on systems we care about.
 While at it, reset the resulting directory name within smb structure
 on error so cleanup function wont try to remove directory which we
 failed to create.
 Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
 Reviewed-by: Markus Armbruster <armbru@redhat.com>
 Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/net/slirp.c
 ===================================================================
 --- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/net/slirp.c
 +++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/net/slirp.c
@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState
 static int slirp_smb(SlirpState* s, const char *exported_dir,
                      struct in_addr vserver_addr)
 {
 -    static int instance;
     char smb_conf[128];
     char smb_cmdline[128];
     struct passwd *passwd;
@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, cons
         return -1;
     }
 -    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
 -             (long)getpid(), instance++);
 -    if (mkdir(s->smb_dir, 0700) < 0) {
 +    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX");
 +    if (!mkdtemp(s->smb_dir)) {
         error_report("could not create samba server dir '%s'", s->smb_dir);
 +        s->smb_dir[0] = 0;
         return -1;
     }
     snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");
--- a/CVE-2015-7835-xsa148.patch
+++ b/CVE-2015-7835-xsa148.patch
@ -0,0 +1,43 @@
 References: bsc#950367 CVE-2015-7835 XSA-148
 x86: guard against undue super page PTE creation
 When optional super page support got added (commit bd1cd81d64 "x86: PV
 support for hugepages"), two adjustments were missed: mod_l2_entry()
 needs to consider the PSE and RW bits when deciding whether to use the
 fast path, and the PSE bit must not be removed from L2_DISALLOW_MASK
 unconditionally.
 This is CVE-2015-7835 / XSA-148.
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Tim Deegan <tim@xen.org>
 Index: xen-4.5.1-testing/xen/arch/x86/mm.c
 ===================================================================
 --- xen-4.5.1-testing.orig/xen/arch/x86/mm.c
 +++ xen-4.5.1-testing/xen/arch/x86/mm.c
@@ -162,7 +162,10 @@ static void put_superpage(unsigned long
 static uint32_t base_disallow_mask;
 /* Global bit is allowed to be set on L1 PTEs. Intended for user mappings. */
 #define L1_DISALLOW_MASK ((base_disallow_mask | _PAGE_GNTTAB) & ~_PAGE_GLOBAL)
 -#define L2_DISALLOW_MASK (base_disallow_mask & ~_PAGE_PSE)
 +
 +#define L2_DISALLOW_MASK (unlikely(opt_allow_superpage) \
 +                          ? base_disallow_mask & ~_PAGE_PSE \
 +                          : base_disallow_mask)
 #define l3_disallow_mask(d) (!is_pv_32on64_domain(d) ?  \
                              base_disallow_mask :       \
@@ -1790,7 +1793,10 @@ static int mod_l2_entry(l2_pgentry_t *pl
         }
         /* Fast path for identical mapping and presence. */
 -        if ( !l2e_has_changed(ol2e, nl2e, _PAGE_PRESENT) )
 +        if ( !l2e_has_changed(ol2e, nl2e,
 +                              unlikely(opt_allow_superpage)
 +                              ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
 +                              : _PAGE_PRESENT) )
         {
             adjust_guest_l2e(nl2e, d);
             if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
--- a/libxl.set-migration-constraints-from-cmdline.patch
+++ b/libxl.set-migration-constraints-from-cmdline.patch
@ -323,7 +323,7 @@ Index: xen-4.5.1-testing/tools/libxl/libxl_dom.c
 ===================================================================
 --- xen-4.5.1-testing.orig/tools/libxl/libxl_dom.c
 +++ xen-4.5.1-testing/tools/libxl/libxl_dom.c
-@@ -1808,6 +1808,7 @@ void libxl__domain_suspend(libxl__egc *e
+@@ -1815,6 +1815,7 @@ void libxl__domain_suspend(libxl__egc *e
     dss->xcflags = (live ? XCFLAGS_LIVE : 0)
           | (debug ? XCFLAGS_DEBUG : 0)
--- a/xen-hvm-default-bridge.patch
+++ b/xen-hvm-default-bridge.patch
@ -1,7 +1,7 @@
-Index: xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.h
+Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.h
 ===================================================================
--- xen-4.2.3-testing.orig/tools/qemu-xen-traditional-dir-remote/net.h
+--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.h
-+++ xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.h
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.h
@@ -107,8 +107,8 @@ void net_host_device_add(const char *dev
 void net_host_device_remove(int vlan_id, const char *device);
@ -13,11 +13,11 @@ Index: xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.h
 #endif
 #ifdef __sun__
 #define SMBD_COMMAND "/usr/sfw/sbin/smbd"
-Index: xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.c
+Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
 ===================================================================
--- xen-4.2.3-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
+--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/net.c
-+++ xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.c
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/net.c
-@@ -1764,9 +1764,10 @@ int net_client_init(const char *device,
+@@ -1765,9 +1765,10 @@ int net_client_init(const char *device,
             }
             if (get_param_value(script_arg, sizeof(script_arg), "scriptarg", p) == 0 &&
                 get_param_value(script_arg, sizeof(script_arg), "bridge", p) == 0) { /* deprecated; for xend compatibility */
@ -30,10 +30,10 @@ Index: xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/net.c
         }
     } else
 #endif
-Index: xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
+Index: xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
 ===================================================================
--- xen-4.2.3-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
+--- xen-4.5.1-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
-+++ xen-4.2.3-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
+++ xen-4.5.1-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/qemu-ifup-Linux
@@ -1,36 +1,22 @@
 #!/bin/sh
--- a/xen.changes
+++ b/xen.changes
@ -1,3 +1,55 @@
 -------------------------------------------------------------------
 Wed Oct 28 09:47:38 MDT 2015 - carnold@suse.com
 - Upstream patches from Jan
  5604f239-x86-PV-properly-populate-descriptor-tables.patch
  561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch
  561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
  561d20a0-x86-hide-MWAITX-from-PV-domains.patch
  561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch
 -------------------------------------------------------------------
 Fri Oct 23 13:35:59 MDT 2015 - carnold@suse.com
 - bsc#951845 - VUL-0: CVE-2015-7972: xen: x86: populate-on-demand
  balloon size inaccuracy can crash guests (XSA-153)
  xsa153-libxl.patch
 -------------------------------------------------------------------
 Fri Oct 16 08:40:31 MDT 2015 - carnold@suse.com
 - bsc#950703 - VUL-1: CVE-2015-7969: xen: leak of main per-domain
  vcpu pointer array (DoS) (XSA-149)
  xsa149.patch
 - bsc#950705 - VUL-1: CVE-2015-7969: xen: x86: leak of per-domain
  profiling-related vcpu pointer array (DoS) (XSA-151)
  xsa151.patch
 - bsc#950706 - VUL-0: CVE-2015-7971: xen: x86: some pmu and
  profiling hypercalls log without rate limiting (XSA-152)
  xsa152.patch
 - Dropped
  55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch
  5604f239-x86-PV-properly-populate-descriptor-tables.patch
 -------------------------------------------------------------------
 Thu Oct 15 11:43:23 MDT 2015 - carnold@suse.com
 - bsc#932267 - VUL-1: CVE-2015-4037: qemu,kvm,xen: insecure
  temporary file use in /net/slirp.c
  CVE-2015-4037-qemuu-smb-config-dir-name.patch
  CVE-2015-4037-qemut-smb-config-dir-name.patch
 - bsc#877642 - VUL-0: CVE-2014-0222: qemu: qcow1: validate L2 table
  size to avoid integer overflows
  CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
  CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
 -------------------------------------------------------------------
 Wed Oct 14 10:24:15 MDT 2015 - carnold@suse.com
 - bsc#950367 - VUL-0: CVE-2015-7835: xen: x86: Uncontrolled
  creation of large page mappings by PV guests (XSA-148)
  CVE-2015-7835-xsa148.patch
 -------------------------------------------------------------------
 Tue Oct  6 14:52:30 MDT 2015 - jfehlig@suse.com
--- a/xen.spec
+++ b/xen.spec
@ -158,7 +158,7 @@ BuildRequires:  xorg-x11-util-devel
 %endif
 %endif
-Version:        4.5.1_10
+Version:        4.5.1_13
 Release:        0
 Summary:        Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
 License:        GPL-2.0
@ -205,41 +205,55 @@ Patch1:         54f4985f-libxl-fix-libvirtd-double-free.patch
 Patch2:         55103616-vm-assist-prepare-for-discontiguous-used-bit-numbers.patch
 Patch3:         551ac326-xentop-add-support-for-qdisk.patch
 Patch4:         552d0f49-x86-traps-identify-the-vcpu-in-context-when-dumping-regs.patch
-Patch5:         5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch
+Patch5:         552d293b-x86-vMSI-X-honor-all-mask-requests.patch
-Patch6:         5548e903-domctl-don-t-truncate-XEN_DOMCTL_max_mem-requests.patch
+Patch6:         552d2966-x86-vMSI-X-add-valid-bits-for-read-acceleration.patch
-Patch7:         5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch
+Patch7:         5537a4d8-libxl-use-DEBUG-log-level-instead-of-INFO.patch
-Patch8:         554cc211-libxl-add-qxl.patch
+Patch8:         5548e903-domctl-don-t-truncate-XEN_DOMCTL_max_mem-requests.patch
-Patch9:         556d973f-unmodified-drivers-tolerate-IRQF_DISABLED-being-undefined.patch
+Patch9:         5548e95d-x86-allow-to-suppress-M2P-user-mode-exposure.patch
-Patch10:        5576f178-kexec-add-more-pages-to-v1-environment.patch
+Patch10:        554cc211-libxl-add-qxl.patch
-Patch11:        55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch
+Patch11:        556d973f-unmodified-drivers-tolerate-IRQF_DISABLED-being-undefined.patch
-Patch12:        558bfaa0-x86-traps-avoid-using-current-too-early.patch
+Patch12:        5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch
-Patch13:        5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch
+Patch13:        5576f178-kexec-add-more-pages-to-v1-environment.patch
-Patch14:        559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch
+Patch14:        55780be1-x86-EFI-adjust-EFI_MEMORY_WP-handling-for-spec-version-2.5.patch
-Patch15:        559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch
+Patch15:        55795a52-x86-vMSI-X-support-qword-MMIO-access.patch
-Patch16:        559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch
+Patch16:        5583d9c5-x86-MSI-X-cleanup.patch
-Patch17:        559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch
+Patch17:        5583da09-x86-MSI-track-host-and-guest-masking-separately.patch
-Patch18:        559bdde5-pull-in-latest-linux-earlycpio.patch
+Patch18:        558bfaa0-x86-traps-avoid-using-current-too-early.patch
-Patch19:        55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch
+Patch19:        5592a116-nested-EPT-fix-the-handling-of-nested-EPT.patch
-Patch20:        55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch
+Patch20:        559b9dd6-x86-p2m-ept-don-t-unmap-in-use-EPT-pagetable.patch
-Patch21:        55a77e4f-dmar-device-scope-mem-leak-fix.patch
+Patch21:        559bc633-x86-cpupool-clear-proper-cpu_valid-bit-on-CPU-teardown.patch
-Patch22:        55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch
+Patch22:        559bc64e-credit1-properly-deal-with-CPUs-not-in-any-pool.patch
-Patch23:        55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch
+Patch23:        559bc87f-x86-hvmloader-avoid-data-corruption-with-xenstore-rw.patch
-Patch24:        55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch
+Patch24:        559bdde5-pull-in-latest-linux-earlycpio.patch
-Patch25:        55dc7937-x86-IO-APIC-don-t-create-pIRQ-mapping-from-masked-RTE.patch
+Patch25:        55a62eb0-xl-correct-handling-of-extra_config-in-main_cpupoolcreate.patch
-Patch26:        55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch
+Patch26:        55a66a1e-make-rangeset_report_ranges-report-all-ranges.patch
-Patch27:        55e43fd8-x86-NUMA-fix-setup_node.patch
+Patch27:        55a77e4f-dmar-device-scope-mem-leak-fix.patch
-Patch28:        55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch
+Patch28:        55b0a218-x86-PCI-CFG-write-intercept.patch
-Patch29:        55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch
+Patch29:        55b0a255-x86-MSI-X-maskall.patch
-Patch30:        55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch
+Patch30:        55b0a283-x86-MSI-X-teardown.patch
-Patch31:        55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch
+Patch31:        55b0a2ab-x86-MSI-X-enable.patch
-Patch32:        55f9345b-x86-MSI-fail-if-no-hardware-support.patch
+Patch32:        55b0a2db-x86-MSI-track-guest-masking.patch
-Patch33:        5604f239-x86-PV-properly-populate-descriptor-tables.patch
+Patch33:        55c1d83d-x86-gdt-Drop-write-only-xalloc-d-array.patch
-Patch34:        5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch
+Patch34:        55c3232b-x86-mm-Make-hap-shadow-teardown-preemptible.patch
-Patch35:        560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch
+Patch35:        55dc78e9-x86-amd_ucode-skip-updates-for-final-levels.patch
-Patch36:        560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch
+Patch36:        55df2f76-IOMMU-skip-domains-without-page-tables-when-dumping.patch
-Patch37:        560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch
+Patch37:        55e43fd8-x86-NUMA-fix-setup_node.patch
-Patch38:        560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch
+Patch38:        55e43ff8-x86-NUMA-don-t-account-hotplug-regions.patch
-Patch39:        560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch
+Patch39:        55e593f1-x86-NUMA-make-init_node_heap-respect-Xen-heap-limit.patch
 Patch40:        55f2e438-x86-hvm-fix-saved-pmtimer-and-hpet-values.patch
 Patch41:        55f7f9d2-libxl-slightly-refine-pci-assignable-add-remove-handling.patch
 Patch42:        55f9345b-x86-MSI-fail-if-no-hardware-support.patch
 Patch43:        5604f239-x86-PV-properly-populate-descriptor-tables.patch
 Patch44:        5604f2e6-vt-d-fix-IM-bit-mask-and-unmask-of-FECTL_REG.patch
 Patch45:        560a4af9-x86-EPT-tighten-conditions-of-IOMMU-mapping-updates.patch
 Patch46:        560a7c36-x86-p2m-pt-delay-freeing-of-intermediate-page-tables.patch
 Patch47:        560a7c53-x86-p2m-pt-ignore-pt-share-flag-for-shadow-mode-guests.patch
 Patch48:        560bd926-credit1-fix-tickling-when-it-happens-from-a-remote-pCPU.patch
 Patch49:        560e6d34-x86-p2m-pt-tighten-conditions-of-IOMMU-mapping-updates.patch
 Patch50:        561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-0.patch
 Patch51:        561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch
 Patch52:        561d20a0-x86-hide-MWAITX-from-PV-domains.patch
 Patch53:        561e3283-x86-NUMA-fix-SRAT-table-processor-entry-handling.patch
 Patch131:       CVE-2015-4106-xsa131-9.patch
 Patch137:       CVE-2015-3259-xsa137.patch
 Patch139:       xsa139-qemuu.patch
@ -258,6 +272,11 @@ Patch14015:     xsa140-qemut-5.patch
 Patch14016:     xsa140-qemut-6.patch
 Patch14017:     xsa140-qemut-7.patch
 Patch142:       CVE-2015-7311-xsa142.patch
 Patch148:       CVE-2015-7835-xsa148.patch
 Patch149:       xsa149.patch
 Patch151:       xsa151.patch
 Patch152:       xsa152.patch
 Patch153:       xsa153-libxl.patch
 # Upstream qemu
 Patch250:       VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251:       0001-net-move-the-tap-buffer-into-TAPState.patch
@ -278,6 +297,10 @@ Patch265:       CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch
 Patch266:       CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
 Patch267:       CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch
 Patch268:       CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch
 Patch269:       CVE-2015-4037-qemuu-smb-config-dir-name.patch
 Patch270:       CVE-2015-4037-qemut-smb-config-dir-name.patch
 Patch271:       CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch
 Patch272:       CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
 # Our platform specific patches
 Patch301:       xen-destdir.patch
 Patch302:       vif-bridge-no-iptables.patch
@ -363,18 +386,6 @@ Patch605:       xen.build-compare.vgabios.patch
 Patch606:       xen.build-compare.seabios.patch
 Patch607:       xen.build-compare.man.patch
 Patch608:       ipxe-no-error-logical-not-parentheses.patch
 # MSI issues (bsc#907514 bsc#910258 bsc#918984 bsc#923967)
 Patch700:       552d293b-x86-vMSI-X-honor-all-mask-requests.patch
 Patch701:       552d2966-x86-vMSI-X-add-valid-bits-for-read-acceleration.patch
 Patch702:       5576f143-x86-adjust-PV-I-O-emulation-functions-types.patch
 Patch703:       55795a52-x86-vMSI-X-support-qword-MMIO-access.patch
 Patch704:       5583d9c5-x86-MSI-X-cleanup.patch
 Patch705:       5583da09-x86-MSI-track-host-and-guest-masking-separately.patch
 Patch706:       55b0a218-x86-PCI-CFG-write-intercept.patch
 Patch707:       55b0a255-x86-MSI-X-maskall.patch
 Patch708:       55b0a283-x86-MSI-X-teardown.patch
 Patch709:       55b0a2ab-x86-MSI-X-enable.patch
 Patch710:       55b0a2db-x86-MSI-track-guest-masking.patch
 # grant table performance improvements
 Patch715:       54c2553c-grant-table-use-uint16_t-consistently-for-offset-and-length.patch
 Patch716:       54ca33bc-grant-table-refactor-grant-copy-to-reduce-duplicate-code.patch
@ -648,6 +659,20 @@ Authors:
 %patch37 -p1
 %patch38 -p1
 %patch39 -p1
 %patch40 -p1
 %patch41 -p1
 %patch42 -p1
 %patch43 -p1
 %patch44 -p1
 %patch45 -p1
 %patch46 -p1
 %patch47 -p1
 %patch48 -p1
 %patch49 -p1
 %patch50 -p1
 %patch51 -p1
 %patch52 -p1
 %patch53 -p1
 %patch131 -p1
 %patch137 -p1
 %patch139 -p1
@ -666,6 +691,11 @@ Authors:
 %patch14016 -p1
 %patch14017 -p1
 %patch142 -p1
 %patch148 -p1
 %patch149 -p1
 %patch151 -p1
 %patch152 -p1
 %patch153 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1
@ -686,6 +716,10 @@ Authors:
 %patch266 -p1
 %patch267 -p1
 %patch268 -p1
 %patch269 -p1
 %patch270 -p1
 %patch271 -p1
 %patch272 -p1
 # Our platform specific patches
 %patch301 -p1
 %patch302 -p1
@ -770,18 +804,6 @@ Authors:
 %patch606 -p1
 %patch607 -p1
 %patch608 -p1
 # MSI issues (bsc#907514 bsc#910258 bsc#918984 bsc#923967)
 %patch700 -p1
 %patch701 -p1
 %patch702 -p1
 %patch703 -p1
 %patch704 -p1
 %patch705 -p1
 %patch706 -p1
 %patch707 -p1
 %patch708 -p1
 %patch709 -p1
 %patch710 -p1
 # grant table performance improvements
 %patch715 -p1
 %patch716 -p1
--- a/xsa149.patch
+++ b/xsa149.patch
@ -0,0 +1,22 @@
 xen: free domain's vcpu array
 This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
 guest").
 This is XSA-149.
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
 Index: xen-4.5.1-testing/xen/common/domain.c
 ===================================================================
 --- xen-4.5.1-testing.orig/xen/common/domain.c
 +++ xen-4.5.1-testing/xen/common/domain.c
@@ -831,6 +831,7 @@ static void complete_domain_destroy(stru
     xsm_free_security_domain(d);
     free_cpumask_var(d->domain_dirty_cpumask);
 +    xfree(d->vcpu);
     free_domain_struct(d);
     send_global_virq(VIRQ_DOM_EXC);
--- a/xsa151.patch
+++ b/xsa151.patch
@ -0,0 +1,30 @@
 xenoprof: free domain's vcpu array
 This was overlooked in fb442e2171 ("x86_64: allow more vCPU-s per
 guest").
 This is XSA-151.
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
 Index: xen-4.5.1-testing/xen/common/xenoprof.c
 ===================================================================
 --- xen-4.5.1-testing.orig/xen/common/xenoprof.c
 +++ xen-4.5.1-testing/xen/common/xenoprof.c
@@ -239,6 +239,7 @@ static int alloc_xenoprof_struct(
     d->xenoprof->rawbuf = alloc_xenheap_pages(get_order_from_pages(npages), 0);
     if ( d->xenoprof->rawbuf == NULL )
     {
 +        xfree(d->xenoprof->vcpu);
         xfree(d->xenoprof);
         d->xenoprof = NULL;
         return -ENOMEM;
@@ -286,6 +287,7 @@ void free_xenoprof_pages(struct domain *
         free_xenheap_pages(x->rawbuf, order);
     }
 +    xfree(x->vcpu);
     xfree(x);
     d->xenoprof = NULL;
 }
--- a/xsa152.patch
+++ b/xsa152.patch
@ -0,0 +1,43 @@
 x86: rate-limit logging in do_xen{oprof,pmu}_op()
 Some of the sub-ops are acessible to all guests, and hence should be
 rate-limited. In the xenoprof case, just like for XSA-146, include them
 only in debug builds. Since the vPMU code is rather new, allow them to
 be always present, but downgrade them to (rate limited) guest messages.
 This is XSA-152.
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Index: xen-4.5.1-testing/xen/common/xenoprof.c
 ===================================================================
 --- xen-4.5.1-testing.orig/xen/common/xenoprof.c
 +++ xen-4.5.1-testing/xen/common/xenoprof.c
@@ -676,15 +676,13 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
     if ( (op < 0) || (op > XENOPROF_last_op) )
     {
 -        printk("xenoprof: invalid operation %d for domain %d\n",
 -               op, current->domain->domain_id);
 +        gdprintk(XENLOG_DEBUG, "invalid operation %d\n", op);
         return -EINVAL;
     }
     if ( !NONPRIV_OP(op) && (current->domain != xenoprof_primary_profiler) )
     {
 -        printk("xenoprof: dom %d denied privileged operation %d\n",
 -               current->domain->domain_id, op);
 +        gdprintk(XENLOG_DEBUG, "denied privileged operation %d\n", op);
         return -EPERM;
     }
@@ -907,8 +905,7 @@ ret_t do_xenoprof_op(int op, XEN_GUEST_H
     spin_unlock(&xenoprof_lock);
     if ( ret < 0 )
 -        printk("xenoprof: operation %d failed for dom %d (status : %d)\n",
 -               op, current->domain->domain_id, ret);
 +        gdprintk(XENLOG_DEBUG, "operation %d failed: %d\n", op, ret);
     return ret;
 }
--- a/xsa153-libxl.patch
+++ b/xsa153-libxl.patch
@ -0,0 +1,83 @@
 From 27593ec62bdad8621df910931349d964a6dbaa8c Mon Sep 17 00:00:00 2001
 From: Ian Jackson <ian.jackson@eu.citrix.com>
 Date: Wed, 21 Oct 2015 16:18:30 +0100
 Subject: [PATCH XSA-153 v3] libxl: adjust PoD target by memory fudge, too
 PoD guests need to balloon at least as far as required by PoD, or risk
 crashing.  Currently they don't necessarily know what the right value
 is, because our memory accounting is (at the very least) confusing.
 Apply the memory limit fudge factor to the in-hypervisor PoD memory
 target, too.  This will increase the size of the guest's PoD cache by
 the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby).  This ensures
 that even with a slightly-off balloon driver, the guest will be
 stable even under memory pressure.
 There are two call sites of xc_domain_set_pod_target that need fixing:
 The one in libxl_set_memory_target is straightforward.
 The one in xc_hvm_build_x86.c:setup_guest is more awkward.  Simply
 setting the PoD target differently does not work because the various
 amounts of memory during domain construction no longer match up.
 Instead, we adjust the guest memory target in xenstore (but only for
 PoD guests).
 This introduces a 1Mby discrepancy between the balloon target of a PoD
 guest at boot, and the target set by an apparently-equivalent `xl
 mem-set' (or similar) later.  This approach is low-risk for a security
 fix but we need to fix this up properly in xen.git#staging and
 probably also in stable trees.
 This is XSA-153.
 Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
 ---
 tools/libxl/libxl.c     |    2 +-
 tools/libxl/libxl_dom.c |    9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
 Index: xen-4.5.1-testing/tools/libxl/libxl.c
 ===================================================================
 --- xen-4.5.1-testing.orig/tools/libxl/libxl.c
 +++ xen-4.5.1-testing/tools/libxl/libxl.c
@@ -4859,7 +4859,7 @@ retry_transaction:
     new_target_memkb -= videoram;
     rc = xc_domain_set_pod_target(ctx->xch, domid,
 -            new_target_memkb / 4, NULL, NULL, NULL);
 +            (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL);
     if (rc != 0) {
         LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR,
                 "xc_domain_set_pod_target domid=%d, memkb=%d "
 Index: xen-4.5.1-testing/tools/libxl/libxl_dom.c
 ===================================================================
 --- xen-4.5.1-testing.orig/tools/libxl/libxl_dom.c
 +++ xen-4.5.1-testing/tools/libxl/libxl_dom.c
@@ -446,6 +446,7 @@ int libxl__build_post(libxl__gc *gc, uin
     xs_transaction_t t;
     char **ents;
     int i, rc;
 +    int64_t mem_target_fudge;
     rc = libxl_domain_sched_params_set(CTX, domid, &info->sched_params);
     if (rc)
@@ -472,11 +473,17 @@ int libxl__build_post(libxl__gc *gc, uin
         }
     }
 +    mem_target_fudge =
 +        (info->type == LIBXL_DOMAIN_TYPE_HVM &&
 +         info->max_memkb > info->target_memkb)
 +        ? LIBXL_MAXMEM_CONSTANT : 0;
 +
     ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *));
     ents[0] = "memory/static-max";
     ents[1] = GCSPRINTF("%"PRId64, info->max_memkb);
     ents[2] = "memory/target";
 -    ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb);
 +    ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb
 +                        - mem_target_fudge);
     ents[4] = "memory/videoram";
     ents[5] = GCSPRINTF("%"PRId64, info->video_memkb);
     ents[6] = "domid";