forked from pool/xen

- bnc#836239 - SLES 11 SP3 Xen security patch does not
  automatically update UEFI boot binary
  xen.spec

- Upstream patches from Jan
  51d5334e-x86-mm-Ensure-useful-progress-in-alloc_l2_table.patch
  51dd155c-adjust-x86-EFI-build.patch
  51e63d80-x86-cpuidle-Change-logging-for-unknown-APIC-IDs.patch
  51e6540d-x86-don-t-use-destroy_xen_mappings-for-vunmap.patch
  51e7963f-x86-time-Update-wallclock-in-shared-info-when-altering-domain-time-offset.patch
  51ffd577-fix-off-by-one-mistakes-in-vm_alloc.patch
  51ffd5fd-x86-refine-FPU-selector-handling-code-for-XSAVEOPT.patch
  520114bb-Nested-VMX-Flush-TLBs-and-Caches-if-paging-mode-changed.patch
  520a5504-VMX-add-boot-parameter-to-enable-disable-APIC-v-dynamically.patch
  520a24f6-x86-AMD-Fix-nested-svm-crash-due-to-assertion-in-__virt_to_maddr.patch
  520a2570-x86-AMD-Inject-GP-instead-of-UD-when-unable-to-map-vmcb.patch
  520b4b60-VT-d-protect-against-bogus-information-coming-from-BIOS.patch
  520b4bda-x86-MTRR-fix-range-check-in-mtrr_add_page.patch
  520cb8b6-x86-time-fix-check-for-negative-time-in-__update_vcpu_system_time.patch
  520d417d-xen-Add-stdbool.h-workaround-for-BSD.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=266
Charles Arnold 2013-08-29 18:19:23 +00:00 committed by Git OBS Bridge
parent eb43d7473d
commit 73291eb01a
17 changed files with 803 additions and 7 deletions


@ -0,0 +1,30 @@
# Commit d3a55d7d9bb518efe08143d050deff9f4ee80ec1
# Date 2013-07-04 10:33:18 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/mm: Ensure useful progress in alloc_l2_table()
While debugging the issue which turned out to be XSA-58, a printk in this loop
showed that it was quite easy to never make useful progress, because of
consistently failing the preemption check.
One single l2 entry is a reasonable amount of work to do, even if an action is
pending, and also assures forwards progress across repeat continuations.
Tweak the continuation criteria to fail on the first iteration of the loop.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -1278,7 +1278,8 @@ static int alloc_l2_table(struct page_in
for ( i = page->nr_validated_ptes; i < L2_PAGETABLE_ENTRIES; i++ )
{
- if ( preemptible && i && hypercall_preempt_check() )
+ if ( preemptible && i > page->nr_validated_ptes
+ && hypercall_preempt_check() )
{
page->nr_validated_ptes = i;
rc = -EAGAIN;
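Review bot: the new condition `i > page->nr_validated_ptes` in the loop of alloc_l2_table() has no comment explaining why the preemption check is skipped on the first iteration. The rationale (one l2 entry per continuation guarantees forward progress) lives only in the commit message; a one-line comment above the `if` would keep a later cleanup from reverting it to `i &&`.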


@ -0,0 +1,27 @@
# Commit 5656b93d215d7c5160790ea87758625ba1de16b1
# Date 2013-07-10 10:03:40 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
adjust x86 EFI build
While the rule to generate .init.o files from .o ones already correctly
included $(extra-y), the setting of the necessary compiler flag didn't
have the same. With some yet to be posted patch this resulted in build
breakage because of the compiler deciding not to inline a few functions
(which then results in .text not being empty as required for these
object files).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
--- a/xen/Rules.mk
+++ b/xen/Rules.mk
@@ -101,7 +101,7 @@ obj-y := $(patsubst %/,%/built-in.o,$
subdir-all := $(subdir-y) $(subdir-n)
-$(filter %.init.o,$(obj-y) $(obj-bin-y)): CFLAGS += -DINIT_SECTIONS_ONLY
+$(filter %.init.o,$(obj-y) $(obj-bin-y) $(extra-y)): CFLAGS += -DINIT_SECTIONS_ONLY
$(obj-$(coverage)): CFLAGS += -fprofile-arcs -ftest-coverage -DTEST_COVERAGE
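Review bot: the object list `$(obj-y) $(obj-bin-y) $(extra-y)` on the -DINIT_SECTIONS_ONLY line has to be kept in step by hand with the rule that generates the .init.o files, and the commit message describes exactly that mismatch as the cause of the breakage. Consider holding the list in one variable that both places use.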


@ -0,0 +1,44 @@
# Commit 85047d9e4f4afeb73bca1e98f705a2f4f1d51c03
# Date 2013-07-17 08:45:20 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/cpuidle: Change logging for unknown APIC IDs
Dom0 uses this hypercall to pass ACPI information to Xen. It is not very
uncommon for more cpus to be listed in the ACPI tables than are present on the
system, particularly on systems with a common BIOS for a 2 and 4 socket server
varients.
As Dom0 does not control the number of entries in the ACPI tables, and is
required to pass everything it finds to Xen, change the logging.
There is now an single unconditional warning for the first unknown ID, and
further warnings if "cpuinfo" is requested by the user on the command line.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/acpi/cpu_idle.c
+++ b/xen/arch/x86/acpi/cpu_idle.c
@@ -1031,7 +1031,10 @@ long set_cx_pminfo(uint32_t cpu, struct
cpu_id = get_cpu_id(cpu);
if ( cpu_id == -1 )
{
- printk(XENLOG_ERR "no cpu_id for acpi_id %d\n", cpu);
+ static bool_t warn_once = 1;
+ if ( warn_once || opt_cpu_info )
+ printk(XENLOG_WARNING "No CPU ID for APIC ID %#x\n", cpu);
+ warn_once = 0;
return -EINVAL;
}
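Review bot: the new warning in set_cx_pminfo() labels the value "APIC ID" where the removed line called it acpi_id, and the format changes from %d to %#x; please confirm which identifier `cpu` carries here so the log line is not misleading. Also, `warn_once` is a plain function-local static cleared with no lock visible in the hunk, so two CPUs failing at the same time can both print; harmless, but worth a short comment.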
--- a/xen/arch/x86/cpu/common.c
+++ b/xen/arch/x86/cpu/common.c
@@ -63,7 +63,7 @@ static struct cpu_dev default_cpu = {
};
static struct cpu_dev * this_cpu = &default_cpu;
-bool_t __cpuinitdata opt_cpu_info;
+bool_t opt_cpu_info;
boolean_param("cpuinfo", opt_cpu_info);
int __cpuinit get_model_name(struct cpuinfo_x86 *c)
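Review bot: no declaration of opt_cpu_info for cpu_idle.c is visible in this patch, which touches only cpu_idle.c and common.c. Confirm that an extern declaration in a shared header is already in scope there, rather than relying on a local one.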


@ -0,0 +1,41 @@
# Commit 68caac7f6f4687241a24e804a9fca19aa26fe183
# Date 2013-07-17 10:21:33 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: don't use destroy_xen_mappings() for vunmap()
Its attempt to tear down intermediate page table levels may race with
map_pages_to_xen() establishing them, and now that
map_domain_page_global() is backed by vmap() this teardown is also
wasteful (as it's very likely to need the same address space populated
again within foreseeable time).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
--- a/xen/common/vmap.c
+++ b/xen/common/vmap.c
@@ -196,9 +196,13 @@ void *vmap(const unsigned long *mfn, uns
void vunmap(const void *va)
{
+#ifndef _PAGE_NONE
unsigned long addr = (unsigned long)va;
destroy_xen_mappings(addr, addr + PAGE_SIZE * vm_size(va));
+#else /* Avoid tearing down intermediate page tables. */
+ map_pages_to_xen((unsigned long)va, 0, vm_size(va), _PAGE_NONE);
+#endif
vm_free(va);
}
#endif
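Review bot: in the `#else` branch of vunmap() the return value of map_pages_to_xen() is discarded, and vm_free(va) then releases the range regardless. If the remap to _PAGE_NONE fails, the old mappings stay live while the address range can be handed out again; an ASSERT or a log message on a non-zero return would make that visible. A comment noting that defining _PAGE_NONE in the architecture's page.h is what selects this path would also help.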
--- a/xen/include/asm-x86/page.h
+++ b/xen/include/asm-x86/page.h
@@ -288,6 +288,7 @@ extern l1_pgentry_t l1_identmap[L1_PAGET
void paging_init(void);
#endif /* !defined(__ASSEMBLY__) */
+#define _PAGE_NONE _AC(0x000,U)
#define _PAGE_PRESENT _AC(0x001,U)
#define _PAGE_RW _AC(0x002,U)
#define _PAGE_USER _AC(0x004,U)


@ -0,0 +1,24 @@
# Commit 915a59f25c5eddd86bc2cae6389d0ed2ab87e69e
# Date 2013-07-18 09:16:15 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/time: Update wallclock in shared info when altering domain time offset
domain_set_time_offset() udpates d->time_offset_seconds, but does not correct
the wallclock in the shared info, meaning that it is incorrect until the next
XENPF_settime hypercall from dom0 which resynchronises the wallclock for all
domains.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
--- a/xen/arch/x86/time.c
+++ b/xen/arch/x86/time.c
@@ -931,6 +931,7 @@ void domain_set_time_offset(struct domai
d->time_offset_seconds = time_offset_seconds;
if ( is_hvm_domain(d) )
rtc_update_clock(d);
+ update_domain_wallclock_time(d);
}
int cpu_frequency_change(u64 freq)


@ -0,0 +1,62 @@
# Commit b0e55bd49725c7c0183eb18670997b9e5930adac
# Date 2013-08-05 18:40:23 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
fix off-by-one mistakes in vm_alloc()
Also add another pair of assertions to catch eventual further cases of
incorrect accounting.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
--- a/xen/common/vmap.c
+++ b/xen/common/vmap.c
@@ -57,8 +57,8 @@ void *vm_alloc(unsigned int nr, unsigned
{
struct page_info *pg;
- ASSERT(!test_bit(vm_low, vm_bitmap));
- for ( start = vm_low; ; )
+ ASSERT(vm_low == vm_top || !test_bit(vm_low, vm_bitmap));
+ for ( start = vm_low; start < vm_top; )
{
bit = find_next_bit(vm_bitmap, vm_top, start + 1);
if ( bit > vm_top )
@@ -68,12 +68,18 @@ void *vm_alloc(unsigned int nr, unsigned
* corresponding page a guard one.
*/
start = (start + align) & ~(align - 1);
- if ( start + nr <= bit )
- break;
- start = bit < vm_top ?
- find_next_zero_bit(vm_bitmap, vm_top, bit + 1) : bit;
- if ( start >= vm_top )
- break;
+ if ( bit < vm_top )
+ {
+ if ( start + nr < bit )
+ break;
+ start = find_next_zero_bit(vm_bitmap, vm_top, bit + 1);
+ }
+ else
+ {
+ if ( start + nr <= bit )
+ break;
+ start = bit;
+ }
}
if ( start < vm_top )
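Review bot: the two new branches compare differently, `start + nr < bit` when `bit < vm_top` and `start + nr <= bit` otherwise, and nothing in the hunk says why. If the strict comparison is there to leave room for the guard page mentioned in the comment above, say so next to the test, since this asymmetry is the off-by-one being fixed.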
@@ -115,6 +121,10 @@ void *vm_alloc(unsigned int nr, unsigned
for ( bit = start; bit < start + nr; ++bit )
__set_bit(bit, vm_bitmap);
+ if ( bit < vm_top )
+ ASSERT(!test_bit(bit, vm_bitmap));
+ else
+ ASSERT(bit == vm_top);
if ( start <= vm_low + 2 )
vm_low = bit;
spin_unlock(&vm_lock);
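Review bot: the added `if ( bit < vm_top ) ASSERT(...); else ASSERT(bit == vm_top);` leaves an empty if/else in builds where ASSERT() compiles to nothing. A single `ASSERT(bit < vm_top ? !test_bit(bit, vm_bitmap) : bit == vm_top);` expresses the same invariant without that.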


@ -0,0 +1,60 @@
# Commit c58d9f2f4844c2ce8859a8d0f26a54cd058eb51f
# Date 2013-08-05 18:42:37 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: refine FPU selector handling code for XSAVEOPT
Some extra tweaks are necessary to deal with the situation of XSAVEOPT
not writing the FPU portion of the save image (due to it detecting that
the register state did not get modified since the last XRSTOR).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Ben Guthro <ben.guthro@gmail.com>
Acked-by: Keir Fraser <keir@xen.org>
--- a/xen/arch/x86/xstate.c
+++ b/xen/arch/x86/xstate.c
@@ -71,10 +71,28 @@ void xsave(struct vcpu *v, uint64_t mask
if ( word_size <= 0 || !is_pv_32bit_vcpu(v) )
{
+ typeof(ptr->fpu_sse.fip.sel) fcs = ptr->fpu_sse.fip.sel;
+ typeof(ptr->fpu_sse.fdp.sel) fds = ptr->fpu_sse.fdp.sel;
+
if ( cpu_has_xsaveopt )
+ {
+ /*
+ * xsaveopt may not write the FPU portion even when the respective
+ * mask bit is set. For the check further down to work we hence
+ * need to put the save image back into the state that it was in
+ * right after the previous xsaveopt.
+ */
+ if ( word_size > 0 &&
+ (ptr->fpu_sse.x[FPU_WORD_SIZE_OFFSET] == 4 ||
+ ptr->fpu_sse.x[FPU_WORD_SIZE_OFFSET] == 2) )
+ {
+ ptr->fpu_sse.fip.sel = 0;
+ ptr->fpu_sse.fdp.sel = 0;
+ }
asm volatile ( ".byte 0x48,0x0f,0xae,0x37"
: "=m" (*ptr)
: "a" (lmask), "d" (hmask), "D" (ptr) );
+ }
else
asm volatile ( ".byte 0x48,0x0f,0xae,0x27"
: "=m" (*ptr)
@@ -87,7 +105,14 @@ void xsave(struct vcpu *v, uint64_t mask
*/
(!(ptr->fpu_sse.fsw & 0x0080) &&
boot_cpu_data.x86_vendor == X86_VENDOR_AMD) )
+ {
+ if ( cpu_has_xsaveopt && word_size > 0 )
+ {
+ ptr->fpu_sse.fip.sel = fcs;
+ ptr->fpu_sse.fdp.sel = fds;
+ }
return;
+ }
if ( word_size > 0 &&
!((ptr->fpu_sse.fip.addr | ptr->fpu_sse.fdp.addr) >> 32) )


@ -0,0 +1,23 @@
# Commit e1ab5c77b44b7bd835a2c032fa4963b36545fdb3
# Date 2013-08-06 17:22:35 +0200
# Author Yang Zhang <yang.z.zhang@Intel.com>
# Committer Jan Beulich <jbeulich@suse.com>
Nested VMX: Flush TLBs and Caches if paging mode changed
According to SDM, if paging mode is changed, then whole TLBs and caches will
be flushed. This is missed in nested handle logic. Also this fixed the issue
that 64 bits windows cannot boot up on top of L1 kvm.
Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com>
Acked-by: Keir Fraser <keir@xen.org>
--- a/xen/arch/x86/mm/paging.c
+++ b/xen/arch/x86/mm/paging.c
@@ -709,6 +709,7 @@ void paging_update_nestedmode(struct vcp
else
/* TODO: shadow-on-shadow */
v->arch.paging.nestedmode = NULL;
+ hvm_asid_flush_vcpu(v);
}
void paging_write_p2m_entry(struct p2m_domain *p2m, unsigned long gfn,
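Review bot: the commit message says TLBs and caches must be flushed on a paging mode change, but the only call added to paging_update_nestedmode() is hvm_asid_flush_vcpu(v); please state in the message or in a comment why no separate cache flush is needed. The call also directly follows an unbraced `else`, so a blank line or braces would make clear that it runs on every path.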


@ -0,0 +1,138 @@
# Commit 85fc517ec3055e8e8d9c9e36e15a81e630237252
# Date 2013-08-13 14:22:14 +0200
# Author Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/AMD: Fix nested svm crash due to assertion in __virt_to_maddr
Fix assertion in __virt_to_maddr when starting nested SVM guest
in debug mode. Investigation has shown that svm_vmsave/svm_vmload
make use of __pa() with invalid address.
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -1792,6 +1792,32 @@ svm_vmexit_do_vmrun(struct cpu_user_regs
return;
}
+static struct page_info *
+nsvm_get_nvmcb_page(struct vcpu *v, uint64_t vmcbaddr)
+{
+ p2m_type_t p2mt;
+ struct page_info *page;
+ struct nestedvcpu *nv = &vcpu_nestedhvm(v);
+
+ if ( !nestedsvm_vmcb_map(v, vmcbaddr) )
+ return NULL;
+
+ /* Need to translate L1-GPA to MPA */
+ page = get_page_from_gfn(v->domain,
+ nv->nv_vvmcxaddr >> PAGE_SHIFT,
+ &p2mt, P2M_ALLOC | P2M_UNSHARE);
+ if ( !page )
+ return NULL;
+
+ if ( !p2m_is_ram(p2mt) || p2m_is_readonly(p2mt) )
+ {
+ put_page(page);
+ return NULL;
+ }
+
+ return page;
+}
+
static void
svm_vmexit_do_vmload(struct vmcb_struct *vmcb,
struct cpu_user_regs *regs,
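Review bot: nsvm_get_nvmcb_page() takes `vmcbaddr` but translates `nv->nv_vvmcxaddr`, relying on nestedsvm_vmcb_map() having stored the address there as a side effect. Either translate `vmcbaddr >> PAGE_SHIFT` directly or add a comment stating that dependency. The helper also returns NULL for three different failures, which the callers then report with a single message.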
@@ -1799,7 +1825,7 @@ svm_vmexit_do_vmload(struct vmcb_struct
{
int ret;
unsigned int inst_len;
- struct nestedvcpu *nv = &vcpu_nestedhvm(v);
+ struct page_info *page;
if ( (inst_len = __get_instruction_length(v, INSTR_VMLOAD)) == 0 )
return;
@@ -1810,13 +1836,18 @@ svm_vmexit_do_vmload(struct vmcb_struct
goto inject;
}
- if (!nestedsvm_vmcb_map(v, vmcbaddr)) {
- gdprintk(XENLOG_ERR, "VMLOAD: mapping vmcb failed, injecting #UD\n");
+ page = nsvm_get_nvmcb_page(v, vmcbaddr);
+ if ( !page )
+ {
+ gdprintk(XENLOG_ERR,
+ "VMLOAD: mapping failed, injecting #UD\n");
ret = TRAP_invalid_op;
goto inject;
}
- svm_vmload(nv->nv_vvmcx);
+ svm_vmload_pa(page_to_maddr(page));
+ put_page(page);
+
/* State in L1 VMCB is stale now */
v->arch.hvm_svm.vmcb_in_sync = 0;
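Review bot: the VMLOAD failure message is shortened to "VMLOAD: mapping failed" while the VMSAVE path in the same patch keeps "mapping vmcb failed"; keep the two strings parallel so they can be searched for together. The blank line after put_page(page) is likewise added here but removed in the VMSAVE hunk.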
@@ -1835,7 +1866,7 @@ svm_vmexit_do_vmsave(struct vmcb_struct
{
int ret;
unsigned int inst_len;
- struct nestedvcpu *nv = &vcpu_nestedhvm(v);
+ struct page_info *page;
if ( (inst_len = __get_instruction_length(v, INSTR_VMSAVE)) == 0 )
return;
@@ -1846,14 +1877,17 @@ svm_vmexit_do_vmsave(struct vmcb_struct
goto inject;
}
- if (!nestedsvm_vmcb_map(v, vmcbaddr)) {
- gdprintk(XENLOG_ERR, "VMSAVE: mapping vmcb failed, injecting #UD\n");
+ page = nsvm_get_nvmcb_page(v, vmcbaddr);
+ if ( !page )
+ {
+ gdprintk(XENLOG_ERR,
+ "VMSAVE: mapping vmcb failed, injecting #UD\n");
ret = TRAP_invalid_op;
goto inject;
}
- svm_vmsave(nv->nv_vvmcx);
-
+ svm_vmsave_pa(page_to_maddr(page));
+ put_page(page);
__update_guest_eip(regs, inst_len);
return;
--- a/xen/include/asm-x86/hvm/svm/svm.h
+++ b/xen/include/asm-x86/hvm/svm/svm.h
@@ -41,18 +41,21 @@
#define SVM_REG_R14 (14)
#define SVM_REG_R15 (15)
-static inline void svm_vmload(void *vmcb)
+#define svm_vmload(x) svm_vmload_pa(__pa(x))
+#define svm_vmsave(x) svm_vmsave_pa(__pa(x))
+
+static inline void svm_vmload_pa(paddr_t vmcb)
{
asm volatile (
".byte 0x0f,0x01,0xda" /* vmload */
- : : "a" (__pa(vmcb)) : "memory" );
+ : : "a" (vmcb) : "memory" );
}
-static inline void svm_vmsave(void *vmcb)
+static inline void svm_vmsave_pa(paddr_t vmcb)
{
asm volatile (
".byte 0x0f,0x01,0xdb" /* vmsave */
- : : "a" (__pa(vmcb)) : "memory" );
+ : : "a" (vmcb) : "memory" );
}
static inline void svm_invlpga(unsigned long vaddr, uint32_t asid)
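Review bot: svm_vmload(x) and svm_vmsave(x) become macros around __pa(x), so the `void *` type check that the removed inline functions provided is lost. Small static inline wrappers that take `void *` and call svm_vmload_pa(__pa(vmcb)) would keep that checking at no cost.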


@ -0,0 +1,91 @@
# Commit 910daaf5aaa837624099c0fc5c373bea7202ff43
# Date 2013-08-13 14:24:16 +0200
# Author Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/AMD: Inject #GP instead of #UD when unable to map vmcb
According to AMD Programmer's Manual vol2, vmrun, vmsave and vmload
should inject #GP instead of #UD when unable to access memory
location for vmcb. Also, the code should make sure that L1 guest
EFER.SVME is not zero. Otherwise, #UD should be injected.
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Reviewed-by: Tim Deegan <tim@xen.org>
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -1776,15 +1776,17 @@ static void
svm_vmexit_do_vmrun(struct cpu_user_regs *regs,
struct vcpu *v, uint64_t vmcbaddr)
{
- if (!nestedhvm_enabled(v->domain)) {
+ if ( !nsvm_efer_svm_enabled(v) )
+ {
gdprintk(XENLOG_ERR, "VMRUN: nestedhvm disabled, injecting #UD\n");
hvm_inject_hw_exception(TRAP_invalid_op, HVM_DELIVER_NO_ERROR_CODE);
return;
}
- if (!nestedsvm_vmcb_map(v, vmcbaddr)) {
- gdprintk(XENLOG_ERR, "VMRUN: mapping vmcb failed, injecting #UD\n");
- hvm_inject_hw_exception(TRAP_invalid_op, HVM_DELIVER_NO_ERROR_CODE);
+ if ( !nestedsvm_vmcb_map(v, vmcbaddr) )
+ {
+ gdprintk(XENLOG_ERR, "VMRUN: mapping vmcb failed, injecting #GP\n");
+ hvm_inject_hw_exception(TRAP_gp_fault, HVM_DELIVER_NO_ERROR_CODE);
return;
}
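Review bot: in svm_vmexit_do_vmrun() the new #GP is injected with HVM_DELIVER_NO_ERROR_CODE, but #GP is an exception that delivers an error code; should this call pass an error code of 0 instead? In the same hunk the first check now tests nsvm_efer_svm_enabled(v), yet its message still reads "nestedhvm disabled"; the same stale text remains in the VMLOAD and VMSAVE hunks below.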
@@ -1830,7 +1832,8 @@ svm_vmexit_do_vmload(struct vmcb_struct
if ( (inst_len = __get_instruction_length(v, INSTR_VMLOAD)) == 0 )
return;
- if (!nestedhvm_enabled(v->domain)) {
+ if ( !nsvm_efer_svm_enabled(v) )
+ {
gdprintk(XENLOG_ERR, "VMLOAD: nestedhvm disabled, injecting #UD\n");
ret = TRAP_invalid_op;
goto inject;
@@ -1840,8 +1843,8 @@ svm_vmexit_do_vmload(struct vmcb_struct
if ( !page )
{
gdprintk(XENLOG_ERR,
- "VMLOAD: mapping failed, injecting #UD\n");
- ret = TRAP_invalid_op;
+ "VMLOAD: mapping failed, injecting #GP\n");
+ ret = TRAP_gp_fault;
goto inject;
}
@@ -1871,7 +1874,8 @@ svm_vmexit_do_vmsave(struct vmcb_struct
if ( (inst_len = __get_instruction_length(v, INSTR_VMSAVE)) == 0 )
return;
- if (!nestedhvm_enabled(v->domain)) {
+ if ( !nsvm_efer_svm_enabled(v) )
+ {
gdprintk(XENLOG_ERR, "VMSAVE: nestedhvm disabled, injecting #UD\n");
ret = TRAP_invalid_op;
goto inject;
@@ -1881,8 +1885,8 @@ svm_vmexit_do_vmsave(struct vmcb_struct
if ( !page )
{
gdprintk(XENLOG_ERR,
- "VMSAVE: mapping vmcb failed, injecting #UD\n");
- ret = TRAP_invalid_op;
+ "VMSAVE: mapping vmcb failed, injecting #GP\n");
+ ret = TRAP_gp_fault;
goto inject;
}
--- a/xen/include/asm-x86/hvm/svm/nestedsvm.h
+++ b/xen/include/asm-x86/hvm/svm/nestedsvm.h
@@ -94,7 +94,7 @@ struct nestedsvm {
#define vcpu_nestedsvm(v) (vcpu_nestedhvm(v).u.nsvm)
/* True when l1 guest enabled SVM in EFER */
-#define hvm_svm_enabled(v) \
+#define nsvm_efer_svm_enabled(v) \
(!!((v)->arch.hvm_vcpu.guest_efer & EFER_SVME))
int nestedsvm_vmcb_map(struct vcpu *v, uint64_t vmcbaddr);
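Review bot: renaming hvm_svm_enabled() to nsvm_efer_svm_enabled() in nestedsvm.h breaks any caller of the old name that this patch does not touch. The diff only shows svm.c being updated, so confirm there are no other users.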


@ -0,0 +1,38 @@
# Commit 0c006b41a283a0a569c863d44abde5aa5750ae01
# Date 2013-08-13 17:47:16 +0200
# Author Yang Zhang <yang.z.zhang@Intel.com>
# Committer Jan Beulich <jbeulich@suse.com>
VMX: add boot parameter to enable/disable APIC-v dynamically
Add a boot parameter to enable/disable the APIC-v dynamically. APIC-v is
enabled by default. User can use apicv=0 to disable it.
Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com>
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -46,6 +46,9 @@ boolean_param("vpid", opt_vpid_enabled);
static bool_t __read_mostly opt_unrestricted_guest_enabled = 1;
boolean_param("unrestricted_guest", opt_unrestricted_guest_enabled);
+static bool_t __read_mostly opt_apicv_enabled = 1;
+boolean_param("apicv", opt_apicv_enabled);
+
/*
* These two parameters are used to config the controls for Pause-Loop Exiting:
* ple_gap: upper bound on the amount of time between two successive
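Review bot: the new "apicv" boolean_param is added in vmcs.c only, and no documentation change is visible in the patch. The option and its default of 1 should also be described wherever the neighbouring boot parameters such as "vpid" and "unrestricted_guest" are documented.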
@@ -196,12 +199,12 @@ static int vmx_init_vmcs_config(void)
* "APIC Register Virtualization" and "Virtual Interrupt Delivery"
* can be set only when "use TPR shadow" is set
*/
- if ( _vmx_cpu_based_exec_control & CPU_BASED_TPR_SHADOW )
+ if ( (_vmx_cpu_based_exec_control & CPU_BASED_TPR_SHADOW) &&
+ opt_apicv_enabled )
opt |= SECONDARY_EXEC_APIC_REGISTER_VIRT |
SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |
SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE;
-
_vmx_secondary_exec_control = adjust_vmx_controls(
"Secondary Exec Control", min, opt,
MSR_IA32_VMX_PROCBASED_CTLS2, &mismatch);


@ -0,0 +1,41 @@
# Commit e8e8b030ecf916fea19639f0b6a446c1c9dbe174
# Date 2013-08-14 11:18:24 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
VT-d: protect against bogus information coming from BIOS
Add checks similar to those done by Linux: The DRHD address must not
be all zeros or all ones (Linux only checks for zero), and capabilities
as well as extended capabilities must not be all ones.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ben Guthro <benjamin.guthro@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Ben Guthro <benjamin.guthro@citrix.com>
Acked by: Yang Zhang <yang.z.zhang@intel.com>
Acked-by: Xiantao Zhang <xiantao.zhang@intel.com>
--- a/xen/drivers/passthrough/vtd/dmar.c
+++ b/xen/drivers/passthrough/vtd/dmar.c
@@ -447,6 +447,9 @@ acpi_parse_one_drhd(struct acpi_dmar_hea
if ( (ret = acpi_dmar_check_length(header, sizeof(*drhd))) != 0 )
return ret;
+ if ( !drhd->address || !(drhd->address + 1) )
+ return -ENODEV;
+
dmaru = xzalloc(struct acpi_drhd_unit);
if ( !dmaru )
return -ENOMEM;
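Review bot: acpi_parse_one_drhd() now returns -ENODEV for a zero or all-ones DRHD address without printing anything, so the reason the unit was rejected is invisible in the boot log. Add a warning that includes the address. The `!(drhd->address + 1)` test also depends on unsigned wrap-around at the exact width of the field; a comparison against an all-ones constant or a short comment would be clearer.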
--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -1159,6 +1159,9 @@ int __init iommu_alloc(struct acpi_drhd_
dprintk(VTDPREFIX,
"cap = %"PRIx64" ecap = %"PRIx64"\n", iommu->cap, iommu->ecap);
}
+ if ( !(iommu->cap + 1) || !(iommu->ecap + 1) )
+ return -ENODEV;
+
if ( cap_fault_reg_offset(iommu->cap) +
cap_num_fault_regs(iommu->cap) * PRIMARY_FAULT_REG_LEN >= PAGE_SIZE ||
ecap_iotlb_offset(iommu->ecap) >= PAGE_SIZE )
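Review bot: the new `return -ENODEV` in iommu_alloc() comes after `iommu->cap` and `iommu->ecap` have been read, so the iommu structure already exists at this point; check that this early return does not skip cleanup that the function's other failure paths perform. As in dmar.c, the rejection is silent and would benefit from a log line.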


@ -0,0 +1,24 @@
# Commit f67af6d5803b6a015e30cb490a94f9547cb0437c
# Date 2013-08-14 11:20:26 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/MTRR: fix range check in mtrr_add_page()
Extracted from Yinghai Lu's Linux commit d5c78673 ("x86: Fix /proc/mtrr
with base/size more than 44bits").
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
--- a/xen/arch/x86/cpu/mtrr/main.c
+++ b/xen/arch/x86/cpu/mtrr/main.c
@@ -340,7 +340,7 @@ int mtrr_add_page(unsigned long base, un
return -EINVAL;
}
- if (base & size_or_mask || size & size_or_mask) {
+ if ((base | (base + size - 1)) >> (paddr_bits - PAGE_SHIFT)) {
printk(KERN_WARNING "mtrr: base or size exceeds the MTRR width\n");
return -EINVAL;
}
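Review bot: the new range check computes `base + size - 1` without guarding against wrap-around, so a large `size` can wrap to a small value and pass, and `size == 0` yields `base - 1`. Unless both cases are excluded by the checks above this hunk, test for overflow before the shift.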


@ -0,0 +1,22 @@
# Commit ab7f9a793c78dfea81c037b34b0dd2db7070d8f8
# Date 2013-08-15 13:17:10 +0200
# Author Tim Deegan <tim@xen.org>
# Committer Jan Beulich <jbeulich@suse.com>
x86/time: fix check for negative time in __update_vcpu_system_time()
Clang points out that u64 stime variable is always >= 0.
Signed-off-by: Tim Deegan <tim@xen.org>
--- a/xen/arch/x86/time.c
+++ b/xen/arch/x86/time.c
@@ -817,7 +817,8 @@ static void __update_vcpu_system_time(st
if ( d->arch.vtsc )
{
- u64 stime = t->stime_local_stamp;
+ s_time_t stime = t->stime_local_stamp;
+
if ( is_hvm_domain(d) )
{
struct pl_time *pl = &v->domain->arch.hvm_domain.pl_time;


@ -0,0 +1,61 @@
# Commit 7b9685ca4ed2fd723600ce66eb20a6d0c115b6cb
# Date 2013-08-15 22:00:45 +0100
# Author Tim Deegan <tim@xen.org>
# Committer Tim Deegan <tim@xen.org>
xen: Add stdbool.h workaround for BSD.
On *BSD, stdbool.h lives in /usr/include, but we don't want to have
that on the search path in case we pick up any headers from the build
host's C libraries.
Copy the equivalent hack already in place for stdarg.h: on all
supported compilers the contents of stdbool.h are trivial, so just
supply the things we need in a xen/stdbool.h header.
Signed-off-by: Tim Deegan <tim@xen.org>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
Tested-by: Patrick Welche <prlw1@cam.ac.uk>
--- a/xen/include/xen/libelf.h
+++ b/xen/include/xen/libelf.h
@@ -29,8 +29,6 @@
#error define architectural endianness
#endif
-#include <stdbool.h>
-
typedef int elf_errorstatus; /* 0: ok; -ve (normally -1): error */
typedef int elf_negerrnoval; /* 0: ok; -EFOO: error */
@@ -39,11 +37,13 @@ typedef int elf_negerrnoval; /* 0: ok; -
#ifdef __XEN__
#include <public/elfnote.h>
#include <public/features.h>
+#include <xen/stdbool.h>
#else
#include <xen/elfnote.h>
#include <xen/features.h>
#include <stdarg.h>
+#include <stdbool.h>
struct elf_binary;
typedef void elf_log_callback(struct elf_binary*, void *caller_data,
--- /dev/null
+++ b/xen/include/xen/stdbool.h
@@ -0,0 +1,13 @@
+#ifndef __XEN_STDBOOL_H__
+#define __XEN_STDBOOL_H__
+
+#if defined(__OpenBSD__) || defined(__NetBSD__)
+# define bool _Bool
+# define true 1
+# define false 0
+# define __bool_true_false_are_defined 1
+#else
+# include <stdbool.h>
+#endif
+
+#endif /* __XEN_STDBOOL_H__ */
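Review bot: the commit message speaks of *BSD, but the `#if` in xen/stdbool.h only tests __OpenBSD__ and __NetBSD__, so any other BSD falls through to `#include <stdbool.h>`. If that is intended, say so in a comment in the header; otherwise extend the condition.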


@ -1,3 +1,30 @@
-------------------------------------------------------------------
Mon Aug 26 15:48:57 MDT 2013 - carnold@suse.com
- bnc#836239 - SLES 11 SP3 Xen security patch does not
automatically update UEFI boot binary
xen.spec
-------------------------------------------------------------------
Tue Aug 20 07:56:13 MDT 2013 - carnold@suse.com
- Upstream patches from Jan
51d5334e-x86-mm-Ensure-useful-progress-in-alloc_l2_table.patch
51dd155c-adjust-x86-EFI-build.patch
51e63d80-x86-cpuidle-Change-logging-for-unknown-APIC-IDs.patch
51e6540d-x86-don-t-use-destroy_xen_mappings-for-vunmap.patch
51e7963f-x86-time-Update-wallclock-in-shared-info-when-altering-domain-time-offset.patch
51ffd577-fix-off-by-one-mistakes-in-vm_alloc.patch
51ffd5fd-x86-refine-FPU-selector-handling-code-for-XSAVEOPT.patch
520114bb-Nested-VMX-Flush-TLBs-and-Caches-if-paging-mode-changed.patch
520a5504-VMX-add-boot-parameter-to-enable-disable-APIC-v-dynamically.patch
520a24f6-x86-AMD-Fix-nested-svm-crash-due-to-assertion-in-__virt_to_maddr.patch
520a2570-x86-AMD-Inject-GP-instead-of-UD-when-unable-to-map-vmcb.patch
520b4b60-VT-d-protect-against-bogus-information-coming-from-BIOS.patch
520b4bda-x86-MTRR-fix-range-check-in-mtrr_add_page.patch
520cb8b6-x86-time-fix-check-for-negative-time-in-__update_vcpu_system_time.patch
520d417d-xen-Add-stdbool.h-workaround-for-BSD.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Aug 16 14:54:53 MDT 2013 - carnold@suse.com Fri Aug 16 14:54:53 MDT 2013 - carnold@suse.com


@ -15,6 +15,7 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via http://bugs.opensuse.org/
# #
Name: xen Name: xen
ExclusiveArch: %ix86 x86_64 %arm aarch64 ExclusiveArch: %ix86 x86_64 %arm aarch64
%define xvers 4.3 %define xvers 4.3
@ -197,6 +198,21 @@ Patch1: 51d277a3-x86-don-t-pass-negative-time-to-gtime_to_gtsc-try-2.pat
Patch2: 51d27807-iommu-amd-Fix-logic-for-clearing-the-IOMMU-interrupt-bits.patch Patch2: 51d27807-iommu-amd-Fix-logic-for-clearing-the-IOMMU-interrupt-bits.patch
Patch3: 51d27841-iommu-amd-Workaround-for-erratum-787.patch Patch3: 51d27841-iommu-amd-Workaround-for-erratum-787.patch
Patch4: 51daa074-Revert-hvmloader-always-include-HPET-table.patch Patch4: 51daa074-Revert-hvmloader-always-include-HPET-table.patch
Patch5: 51d5334e-x86-mm-Ensure-useful-progress-in-alloc_l2_table.patch
Patch6: 51dd155c-adjust-x86-EFI-build.patch
Patch7: 51e63d80-x86-cpuidle-Change-logging-for-unknown-APIC-IDs.patch
Patch8: 51e6540d-x86-don-t-use-destroy_xen_mappings-for-vunmap.patch
Patch9: 51e7963f-x86-time-Update-wallclock-in-shared-info-when-altering-domain-time-offset.patch
Patch10: 51ffd577-fix-off-by-one-mistakes-in-vm_alloc.patch
Patch11: 51ffd5fd-x86-refine-FPU-selector-handling-code-for-XSAVEOPT.patch
Patch12: 520114bb-Nested-VMX-Flush-TLBs-and-Caches-if-paging-mode-changed.patch
Patch13: 520a5504-VMX-add-boot-parameter-to-enable-disable-APIC-v-dynamically.patch
Patch14: 520a24f6-x86-AMD-Fix-nested-svm-crash-due-to-assertion-in-__virt_to_maddr.patch
Patch15: 520a2570-x86-AMD-Inject-GP-instead-of-UD-when-unable-to-map-vmcb.patch
Patch16: 520b4b60-VT-d-protect-against-bogus-information-coming-from-BIOS.patch
Patch17: 520b4bda-x86-MTRR-fix-range-check-in-mtrr_add_page.patch
Patch18: 520cb8b6-x86-time-fix-check-for-negative-time-in-__update_vcpu_system_time.patch
Patch19: 520d417d-xen-Add-stdbool.h-workaround-for-BSD.patch
# Upstream qemu patches # Upstream qemu patches
# Our patches # Our patches
Patch301: xen-destdir.patch Patch301: xen-destdir.patch
@ -490,6 +506,21 @@ Authors
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch301 -p1 %patch301 -p1
%patch302 -p1 %patch302 -p1
%patch303 -p1 %patch303 -p1
@ -884,12 +915,10 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
%endif %endif
/usr/sbin/xenconsoled /usr/sbin/xenconsoled
/usr/sbin/xencov /usr/sbin/xencov
/usr/sbin/xen-destroy
%ifnarch %arm aarch64 %ifnarch %arm aarch64
/usr/sbin/xen-hptool /usr/sbin/xen-hptool
/usr/sbin/xen-hvmcrash /usr/sbin/xen-hvmcrash
/usr/sbin/xen-hvmctx /usr/sbin/xen-hvmctx
/usr/sbin/xen-list
/usr/sbin/xenlockprof /usr/sbin/xenlockprof
/usr/sbin/xen-lowmemd /usr/sbin/xen-lowmemd
/usr/sbin/xenmon.py /usr/sbin/xenmon.py
@ -905,7 +934,6 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
/usr/sbin/xentop /usr/sbin/xentop
%ifnarch %arm aarch64 %ifnarch %arm aarch64
/usr/sbin/xentrace_setmask /usr/sbin/xentrace_setmask
/usr/sbin/xen-vmresync
%endif %endif
/usr/sbin/xenwatchdogd /usr/sbin/xenwatchdogd
/usr/sbin/xsview /usr/sbin/xsview
@ -926,7 +954,6 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
%dir /etc/xen/scripts %dir /etc/xen/scripts
/etc/xen/scripts/blktap /etc/xen/scripts/blktap
/etc/xen/scripts/block* /etc/xen/scripts/block*
/etc/xen/scripts/domain-lock*
/etc/xen/scripts/external-device-migrate /etc/xen/scripts/external-device-migrate
/etc/xen/scripts/hotplugpath.sh /etc/xen/scripts/hotplugpath.sh
/etc/xen/scripts/locking.sh /etc/xen/scripts/locking.sh
@ -935,10 +962,8 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
%ifnarch %arm aarch64 %ifnarch %arm aarch64
/etc/xen/scripts/qemu-ifup /etc/xen/scripts/qemu-ifup
%endif %endif
/etc/xen/scripts/set-lock
/etc/xen/scripts/vif2 /etc/xen/scripts/vif2
/etc/xen/scripts/vif-* /etc/xen/scripts/vif-*
/etc/xen/scripts/vm-monitor
/etc/xen/scripts/vscsi /etc/xen/scripts/vscsi
/etc/xen/scripts/xen-hotplug-* /etc/xen/scripts/xen-hotplug-*
/etc/xen/scripts/xen-network-common.sh /etc/xen/scripts/xen-network-common.sh
@ -1019,7 +1044,6 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
%{_defaultdocdir}/xen/boot.local.xenU %{_defaultdocdir}/xen/boot.local.xenU
%{_defaultdocdir}/xen/boot.xen %{_defaultdocdir}/xen/boot.xen
%{_defaultdocdir}/xen/misc %{_defaultdocdir}/xen/misc
%{_mandir}/man1/xen-list.1.gz
%{_mandir}/man1/xentop.1.gz %{_mandir}/man1/xentop.1.gz
%{_mandir}/man1/xentrace_format.1.gz %{_mandir}/man1/xentrace_format.1.gz
%{_mandir}/man1/xl.1.gz %{_mandir}/man1/xl.1.gz
@ -1039,6 +1063,9 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
/usr/sbin/xend /usr/sbin/xend
/usr/sbin/xen-bugtool /usr/sbin/xen-bugtool
/usr/sbin/xen-python-path /usr/sbin/xen-python-path
/usr/sbin/xen-list
/usr/sbin/xen-destroy
/usr/sbin/xen-vmresync
%dir /var/lib/xen/xend-db %dir /var/lib/xen/xend-db
%dir /var/lib/xen/xend-db/domain %dir /var/lib/xen/xend-db/domain
%dir /var/lib/xen/xend-db/migrate %dir /var/lib/xen/xend-db/migrate
@ -1059,6 +1086,9 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
%config(noreplace) /etc/xen/*.xml %config(noreplace) /etc/xen/*.xml
%ifnarch %arm aarch64 %ifnarch %arm aarch64
/etc/xen/scripts/xend-relocation.sh /etc/xen/scripts/xend-relocation.sh
/etc/xen/scripts/domain-lock*
/etc/xen/scripts/vm-monitor
/etc/xen/scripts/set-lock
%{_libdir}/python%{pyver}/site-packages/xen/remus/* %{_libdir}/python%{pyver}/site-packages/xen/remus/*
%{_libdir}/python%{pyver}/site-packages/xen/sv/* %{_libdir}/python%{pyver}/site-packages/xen/sv/*
%{_libdir}/python%{pyver}/site-packages/xen/util/* %{_libdir}/python%{pyver}/site-packages/xen/util/*
@ -1069,6 +1099,7 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
%{_mandir}/man1/xm.1.gz %{_mandir}/man1/xm.1.gz
%{_mandir}/man5/xmdomain.cfg.5.gz %{_mandir}/man5/xmdomain.cfg.5.gz
%{_mandir}/man5/xend-config.sxp.5.gz %{_mandir}/man5/xend-config.sxp.5.gz
%{_mandir}/man1/xen-list.1.gz
%endif %endif
%endif %endif
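Review bot: several files move between file lists in this spec change (xen-list, xen-destroy, xen-vmresync, domain-lock*, set-lock, vm-monitor and the xen-list man page are dropped from one list and added next to /usr/sbin/xend and xend-relocation.sh), but the xen.changes entry only mentions the EFI fix and the upstream patches. Add a changelog line for the move, and check whether the receiving subpackage needs a versioned dependency or conflict so the files do not clash with the older package on upgrade.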
@ -1095,6 +1126,18 @@ rm -f $RPM_BUILD_ROOT/usr/libexec/qemu-bridge-helper
%if %{?with_dom0_support}0 %if %{?with_dom0_support}0
%post
# EFI
if [ -d /boot/efi/efi/SuSE -a -e /usr/lib64/efi/xen-%{version}-%{release}.efi ]; then
cp /usr/lib64/efi/xen-%{version}-%{release}.efi /boot/efi/efi/SuSE/
fi
%postun
# EFI
if [ -e /boot/efi/efi/SuSE/xen-%{version}-%{release}.efi ]; then
rm /boot/efi/efi/SuSE/xen-%{version}-%{release}.efi
fi
%post tools %post tools
%if %{?with_xend}0 %if %{?with_xend}0
%if %{?with_systemd}0 %if %{?with_systemd}0
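Review bot: the %post scriptlet copies from a hard-coded /usr/lib64/efi instead of using %{_libdir}, and the result of `cp` is not checked. The copy also keeps the versioned name xen-%{version}-%{release}.efi, so if the boot entry refers to a fixed file name the firmware will still load the old binary after a security update; please state how the boot entry is expected to pick up the new file.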