From 7f6bd728fd39c4280f06c7ea6f52ec4227f962e01fd9a0f65c567f800f2b0e7f Mon Sep 17 00:00:00 2001
From: Charles Arnold <carnold@suse.com>
Date: Mon, 5 Mar 2012 20:59:08 +0000
Subject: [PATCH] - bnc#745880 - cpuid setting is not preserved across xend
 restarts   xend-cpuid.patch

- Rename 2XXXX-vif-bridge.patch -> vif-bridge-tap-fix.patch

- bnc#747331 - XEN: standard "newburn" kernel QA stress test on guest
  (+ smartd on Dom0?) freezes the guest
  24883-x86-guest-walk-not-present.patch
- bnc#745367 - MCE bank handling during migration
  24781-x86-vmce-mcg_ctl.patch
  24886-x86-vmce-mcg_ctl-default.patch
  24887-x86-vmce-sr.patch
- bnc#744771 - L3: VM with passed through PCI card fails to reboot
  under dom0 load
  24888-pci-release-devices.patch
- Upstream patches from Jan
  24517-VT-d-fault-softirq.patch
  24527-AMD-Vi-fault-softirq.patch
  24535-x86-vMSI-misc.patch
  24615-VESA-lfb-flush.patch
  24690-x86-PCI-SERR-no-deadlock.patch
  24701-gnttab-map-grant-ref-recovery.patch
  24742-gnttab-misc.patch
  24780-x86-paging-use-clear_guest.patch
  24805-x86-MSI-X-dom0-ro.patch
  ioemu-9869-MSI-X-init.patch
  ioemu-9873-MSI-X-fix-unregister_iomem.patch

- bnc#745005 - Update vif configuration examples in xmexample*
  Updated xen-xmexample.diff

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=172
---
 24517-VT-d-fault-softirq.patch                |  89 +++
 24527-AMD-Vi-fault-softirq.patch              | 124 ++++
 24535-x86-vMSI-misc.patch                     | 208 +++++++
 24615-VESA-lfb-flush.patch                    |  75 +++
 24690-x86-PCI-SERR-no-deadlock.patch          |  67 +++
 24701-gnttab-map-grant-ref-recovery.patch     |  37 ++
 24742-gnttab-misc.patch                       |  97 +++
 24780-x86-paging-use-clear_guest.patch        | 382 ++++++++++++
 24781-x86-vmce-mcg_ctl.patch                  |  98 +++
 24805-x86-MSI-X-dom0-ro.patch                 |  30 +
 24883-x86-guest-walk-not-present.patch        |  70 +++
 24886-x86-vmce-mcg_ctl-default.patch          |  49 ++
 24887-x86-vmce-sr.patch                       | 559 ++++++++++++++++++
 24888-pci-release-devices.patch               |  84 +++
 blktap-disable-debug-printf.patch             |  12 +-
 ioemu-9869-MSI-X-init.patch                   |  53 ++
 ...oemu-9873-MSI-X-fix-unregister_iomem.patch |   0
 ...f-bridge.patch => vif-bridge-tap-fix.patch |  19 +-
 xen-warnings-unused.diff                      | 272 ++++++---
 xen-xmexample.diff                            | 184 +++++-
 xen.changes                                   |  43 ++
 xen.spec                                      |  72 +--
 xend-cpuid.patch                              |  26 +
 xenpaging.autostart.patch                     |   2 +-
 xenpaging.mem_event-use-wait_queue.patch      |  50 +-
 xenpaging.p2m_is_paged.patch                  |  14 +-
 26 files changed, 2525 insertions(+), 191 deletions(-)
 create mode 100644 24517-VT-d-fault-softirq.patch
 create mode 100644 24527-AMD-Vi-fault-softirq.patch
 create mode 100644 24535-x86-vMSI-misc.patch
 create mode 100644 24615-VESA-lfb-flush.patch
 create mode 100644 24690-x86-PCI-SERR-no-deadlock.patch
 create mode 100644 24701-gnttab-map-grant-ref-recovery.patch
 create mode 100644 24742-gnttab-misc.patch
 create mode 100644 24780-x86-paging-use-clear_guest.patch
 create mode 100644 24781-x86-vmce-mcg_ctl.patch
 create mode 100644 24805-x86-MSI-X-dom0-ro.patch
 create mode 100644 24883-x86-guest-walk-not-present.patch
 create mode 100644 24886-x86-vmce-mcg_ctl-default.patch
 create mode 100644 24887-x86-vmce-sr.patch
 create mode 100644 24888-pci-release-devices.patch
 create mode 100644 ioemu-9869-MSI-X-init.patch
 rename ioemu-MSI-X-fix-unregister_iomem.patch => ioemu-9873-MSI-X-fix-unregister_iomem.patch (100%)
 rename 2XXXX-vif-bridge.patch => vif-bridge-tap-fix.patch (66%)
 create mode 100644 xend-cpuid.patch

diff --git a/24517-VT-d-fault-softirq.patch b/24517-VT-d-fault-softirq.patch
new file mode 100644
index 0000000..a7c977b
--- /dev/null
+++ b/24517-VT-d-fault-softirq.patch
@@ -0,0 +1,89 @@
+References: bnc#712051, CVE-2011-3131
+
+# HG changeset patch
+# User Dario Faggioli <dario.faggioli@citrix.com>
+# Date 1326798686 0
+# Node ID a7ae457c327cd790704643e0ed4def3e717b47b3
+# Parent  2913ccc6d70f15ffcc15c7e066c9269b15a30a09
+Move IOMMU faults handling into softirq for VT-d.
+
+Dealing with interrupts from VT-d IOMMU(s) is deferred to a
+softirq-tasklet, raised by the actual IRQ handler. Since a new
+interrupt is not generated, even if further faults occur, until we
+cleared all the pending ones, there's no need of disabling IRQs, as
+the hardware does it by its own.  Notice that this may cause the log
+to overflow, but none of the existing entry will be overwritten.
+
+Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
+Committed-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -53,6 +53,8 @@ bool_t __read_mostly untrusted_msi;
+ 
+ int nr_iommus;
+ 
++static struct tasklet vtd_fault_tasklet;
++
+ static void setup_dom0_devices(struct domain *d);
+ static void setup_dom0_rmrr(struct domain *d);
+ 
+@@ -866,10 +868,8 @@ static void iommu_fault_status(u32 fault
+ }
+ 
+ #define PRIMARY_FAULT_REG_LEN (16)
+-static void iommu_page_fault(int irq, void *dev_id,
+-                             struct cpu_user_regs *regs)
++static void __do_iommu_page_fault(struct iommu *iommu)
+ {
+-    struct iommu *iommu = dev_id;
+     int reg, fault_index;
+     u32 fault_status;
+     unsigned long flags;
+@@ -943,6 +943,37 @@ clear_overflow:
+     }
+ }
+ 
++static void do_iommu_page_fault(unsigned long data)
++{
++    struct acpi_drhd_unit *drhd;
++
++    if ( list_empty(&acpi_drhd_units) )
++    {
++       INTEL_IOMMU_DEBUG("no device found, something must be very wrong!\n");
++       return;
++    }
++
++    /*
++     * No matter from whom the interrupt came from, check all the
++     * IOMMUs present in the system. This allows for having just one
++     * tasklet (instead of one per each IOMMUs) and should be more than
++     * fine, considering how rare the event of a fault should be.
++     */
++    for_each_drhd_unit ( drhd )
++        __do_iommu_page_fault(drhd->iommu);
++}
++
++static void iommu_page_fault(int irq, void *dev_id,
++                             struct cpu_user_regs *regs)
++{
++    /*
++     * Just flag the tasklet as runnable. This is fine, according to VT-d
++     * specs since a new interrupt won't be generated until we clear all
++     * the faults that caused this one to happen.
++     */
++    tasklet_schedule(&vtd_fault_tasklet);
++}
++
+ static void dma_msi_unmask(unsigned int irq)
+ {
+     struct iommu *iommu = irq_to_iommu[irq];
+@@ -2083,6 +2114,8 @@ int __init intel_vtd_setup(void)
+             iommu_hap_pt_share = FALSE;
+     }
+ 
++    softirq_tasklet_init(&vtd_fault_tasklet, do_iommu_page_fault, 0);
++
+     if ( !iommu_qinval && iommu_intremap )
+     {
+         iommu_intremap = 0;
diff --git a/24527-AMD-Vi-fault-softirq.patch b/24527-AMD-Vi-fault-softirq.patch
new file mode 100644
index 0000000..3b01e61
--- /dev/null
+++ b/24527-AMD-Vi-fault-softirq.patch
@@ -0,0 +1,124 @@
+References: bnc#712051, CVE-2011-3131
+
+# HG changeset patch
+# User Dario Faggioli <dario.faggioli@citrix.com>
+# Date 1327054832 0
+# Node ID 028230eb2359f33da48b3b7f85173a1b49b9c7d6
+# Parent  d600a3d7faeeee3cf947bf1658b873e966fc0f16
+iommu: Move IOMMU faults handling into softirq for AMD-Vi.
+
+Dealing with interrupts from AMD-Vi IOMMU(s) is deferred to a
+softirq-tasklet, raised by the actual IRQ handler. To avoid more
+interrupts being generated (because of further faults), they must be
+masked in the IOMMU within the low level IRQ handler and enabled back
+in the tasklet body. Notice that this may cause the log to overflow,
+but none of the existing entry will be overwritten.
+
+Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
+Committed-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/drivers/passthrough/amd/iommu_init.c
++++ b/xen/drivers/passthrough/amd/iommu_init.c
+@@ -33,6 +33,8 @@ static int nr_amd_iommus;
+ static long amd_iommu_cmd_buffer_entries = IOMMU_CMD_BUFFER_DEFAULT_ENTRIES;
+ static long amd_iommu_event_log_entries = IOMMU_EVENT_LOG_DEFAULT_ENTRIES;
+ 
++static struct tasklet amd_iommu_irq_tasklet;
++
+ unsigned short ivrs_bdf_entries;
+ struct ivrs_mappings *ivrs_mappings;
+ struct list_head amd_iommu_head;
+@@ -517,34 +519,70 @@ static void parse_event_log_entry(u32 en
+     }
+ }
+ 
++static void do_amd_iommu_irq(unsigned long data)
++{
++    struct amd_iommu *iommu;
++
++    if ( !iommu_found() )
++    {
++        AMD_IOMMU_DEBUG("no device found, something must be very wrong!\n");
++        return;
++   }
++
++    /*
++     * No matter from where the interrupt came from, check all the
++     * IOMMUs present in the system. This allows for having just one
++     * tasklet (instead of one per each IOMMUs).
++     */
++    for_each_amd_iommu ( iommu )
++    {
++        u32 entry;
++        unsigned long flags;
++        int of;
++
++        spin_lock_irqsave(&iommu->lock, flags);
++        amd_iommu_read_event_log(iommu);
++
++        /* check event overflow */
++        entry = readl(iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET);
++        of = get_field_from_reg_u32(entry,
++                                   IOMMU_STATUS_EVENT_OVERFLOW_MASK,
++                                   IOMMU_STATUS_EVENT_OVERFLOW_SHIFT);
++
++        /* reset event log if event overflow */
++        if ( of )
++            amd_iommu_reset_event_log(iommu);
++
++        /* reset interrupt status bit */
++        entry = readl(iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET);
++        set_field_in_reg_u32(IOMMU_CONTROL_ENABLED, entry,
++                             IOMMU_STATUS_EVENT_LOG_INT_MASK,
++                             IOMMU_STATUS_EVENT_LOG_INT_SHIFT, &entry);
++        writel(entry, iommu->mmio_base+IOMMU_STATUS_MMIO_OFFSET);
++        spin_unlock_irqrestore(&iommu->lock, flags);
++    }
++}
++
+ static void amd_iommu_page_fault(int irq, void *dev_id,
+                              struct cpu_user_regs *regs)
+ {
+     u32 entry;
+     unsigned long flags;
+-    int of;
+     struct amd_iommu *iommu = dev_id;
+ 
+     spin_lock_irqsave(&iommu->lock, flags);
+-    amd_iommu_read_event_log(iommu);
+ 
+-    /*check event overflow */
++    /* Silence interrupts from both event logging */
+     entry = readl(iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET);
+-    of = get_field_from_reg_u32(entry,
+-                               IOMMU_STATUS_EVENT_OVERFLOW_MASK,
+-                               IOMMU_STATUS_EVENT_OVERFLOW_SHIFT);
+-
+-    /* reset event log if event overflow */
+-    if ( of )
+-        amd_iommu_reset_event_log(iommu);
+-
+-    /* reset interrupt status bit */
+-    entry = readl(iommu->mmio_base + IOMMU_STATUS_MMIO_OFFSET);
+-    set_field_in_reg_u32(IOMMU_CONTROL_ENABLED, entry,
++    set_field_in_reg_u32(IOMMU_CONTROL_DISABLED, entry,
+                          IOMMU_STATUS_EVENT_LOG_INT_MASK,
+                          IOMMU_STATUS_EVENT_LOG_INT_SHIFT, &entry);
+     writel(entry, iommu->mmio_base+IOMMU_STATUS_MMIO_OFFSET);
++
+     spin_unlock_irqrestore(&iommu->lock, flags);
++
++    /* It is the tasklet that will clear the logs and re-enable interrupts */
++    tasklet_schedule(&amd_iommu_irq_tasklet);
+ }
+ 
+ static int set_iommu_interrupt_handler(struct amd_iommu *iommu)
+@@ -689,6 +727,8 @@ static int __init amd_iommu_init_one(str
+     printk("AMD-Vi: IOMMU %d Enabled.\n", nr_amd_iommus );
+     nr_amd_iommus++;
+ 
++    softirq_tasklet_init(&amd_iommu_irq_tasklet, do_amd_iommu_irq, 0);
++
+     return 0;
+ 
+ error_out:
diff --git a/24535-x86-vMSI-misc.patch b/24535-x86-vMSI-misc.patch
new file mode 100644
index 0000000..d0148ad
--- /dev/null
+++ b/24535-x86-vMSI-misc.patch
@@ -0,0 +1,208 @@
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1327311317 0
+# Node ID fb81b807c1540eb5797b3daa4bddff99363b20ef
+# Parent  eca719b621a1201528bfec25fb1786ec21c0c9d3
+x86/vMSI: miscellaneous fixes
+
+This addresses a number of problems in msixtbl_{read,write}():
+- address alignment was not checked, allowing for memory corruption in
+  the hypervisor (write case) or returning of hypervisor private data
+  to the guest (read case)
+- the interrupt mask bit was permitted to be written by the guest
+  (while Xen's interrupt flow control routines need to control it)
+- MAX_MSIX_TABLE_{ENTRIES,PAGES} were pointlessly defined to plain
+  numbers (making it unobvious why they have these values, and making
+  the latter non-portable)
+- MAX_MSIX_TABLE_PAGES was also off by one (failing to account for a
+  non-zero table offset); this was also affecting host MSI-X code
+- struct msixtbl_entry's table_flags[] was one element larger than
+  necessary due to improper open-coding of BITS_TO_LONGS()
+- msixtbl_read() unconditionally accessed the physical table, even
+  though the data was only needed in a quarter of all cases
+- various calculations were done unnecessarily for both of the rather
+  distinct code paths in msixtbl_read()
+
+Additionally it is unclear on what basis MAX_MSIX_ACC_ENTRIES was
+chosen to be 3.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Committed-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/hvm/vmsi.c
++++ b/xen/arch/x86/hvm/vmsi.c
+@@ -158,7 +158,7 @@ struct msixtbl_entry
+     struct pci_dev *pdev;
+     unsigned long gtable;       /* gpa of msix table */
+     unsigned long table_len;
+-    unsigned long table_flags[MAX_MSIX_TABLE_ENTRIES / BITS_PER_LONG + 1];
++    unsigned long table_flags[BITS_TO_LONGS(MAX_MSIX_TABLE_ENTRIES)];
+ #define MAX_MSIX_ACC_ENTRIES 3
+     struct { 
+         uint32_t msi_ad[3];	/* Shadow of address low, high and data */
+@@ -185,17 +185,14 @@ static struct msixtbl_entry *msixtbl_fin
+ static void __iomem *msixtbl_addr_to_virt(
+     struct msixtbl_entry *entry, unsigned long addr)
+ {
+-    int idx, nr_page;
++    unsigned int idx, nr_page;
+ 
+-    if ( !entry )
++    if ( !entry || !entry->pdev )
+         return NULL;
+ 
+     nr_page = (addr >> PAGE_SHIFT) -
+               (entry->gtable >> PAGE_SHIFT);
+ 
+-    if ( !entry->pdev )
+-        return NULL;
+-
+     idx = entry->pdev->msix_table_idx[nr_page];
+     if ( !idx )
+         return NULL;
+@@ -208,37 +205,34 @@ static int msixtbl_read(
+     struct vcpu *v, unsigned long address,
+     unsigned long len, unsigned long *pval)
+ {
+-    unsigned long offset, val;
++    unsigned long offset;
+     struct msixtbl_entry *entry;
+     void *virt;
+-    int nr_entry, index;
++    unsigned int nr_entry, index;
+     int r = X86EMUL_UNHANDLEABLE;
+ 
+-    rcu_read_lock(&msixtbl_rcu_lock);
++    if ( len != 4 || (address & 3) )
++        return r;
+ 
+-    if ( len != 4 )
+-        goto out;
++    rcu_read_lock(&msixtbl_rcu_lock);
+ 
+     entry = msixtbl_find_entry(v, address);
+-    virt = msixtbl_addr_to_virt(entry, address);
+-    if ( !virt )
+-        goto out;
+-
+-    nr_entry = (address - entry->gtable) / PCI_MSIX_ENTRY_SIZE;
+     offset = address & (PCI_MSIX_ENTRY_SIZE - 1);
+-    if ( nr_entry >= MAX_MSIX_ACC_ENTRIES && 
+-         offset != PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET )
+-        goto out;
+ 
+-    val = readl(virt);
+     if ( offset != PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET )
+     {
++        nr_entry = (address - entry->gtable) / PCI_MSIX_ENTRY_SIZE;
++        if ( nr_entry >= MAX_MSIX_ACC_ENTRIES )
++            goto out;
+         index = offset / sizeof(uint32_t);
+         *pval = entry->gentries[nr_entry].msi_ad[index];
+     }
+     else 
+     {
+-        *pval = val;
++        virt = msixtbl_addr_to_virt(entry, address);
++        if ( !virt )
++            goto out;
++        *pval = readl(virt);
+     }
+     
+     r = X86EMUL_OKAY;
+@@ -253,13 +247,13 @@ static int msixtbl_write(struct vcpu *v,
+     unsigned long offset;
+     struct msixtbl_entry *entry;
+     void *virt;
+-    int nr_entry, index;
++    unsigned int nr_entry, index;
+     int r = X86EMUL_UNHANDLEABLE;
+ 
+-    rcu_read_lock(&msixtbl_rcu_lock);
++    if ( len != 4 || (address & 3) )
++        return r;
+ 
+-    if ( len != 4 )
+-        goto out;
++    rcu_read_lock(&msixtbl_rcu_lock);
+ 
+     entry = msixtbl_find_entry(v, address);
+     nr_entry = (address - entry->gtable) / PCI_MSIX_ENTRY_SIZE;
+@@ -284,9 +278,22 @@ static int msixtbl_write(struct vcpu *v,
+     if ( !virt )
+         goto out;
+ 
++    /* Do not allow the mask bit to be changed. */
++#if 0 /* XXX
++       * As the mask bit is the only defined bit in the word, and as the
++       * host MSI-X code doesn't preserve the other bits anyway, doing
++       * this is pointless. So for now just discard the write (also
++       * saving us from having to determine the matching irq_desc).
++       */
++    spin_lock_irqsave(&desc->lock, flags);
++    orig = readl(virt);
++    val &= ~PCI_MSIX_VECTOR_BITMASK;
++    val |= orig & PCI_MSIX_VECTOR_BITMASK;
+     writel(val, virt);
+-    r = X86EMUL_OKAY;
++    spin_unlock_irqrestore(&desc->lock, flags);
++#endif
+ 
++    r = X86EMUL_OKAY;
+ out:
+     rcu_read_unlock(&msixtbl_rcu_lock);
+     return r;
+--- a/xen/include/asm-x86/msi.h
++++ b/xen/include/asm-x86/msi.h
+@@ -119,12 +119,6 @@ int msi_free_irq(struct msi_desc *entry)
+ 
+ extern const struct hw_interrupt_type pci_msi_type;
+ 
+-#define PCI_MSIX_ENTRY_SIZE			16
+-#define  PCI_MSIX_ENTRY_LOWER_ADDR_OFFSET	0
+-#define  PCI_MSIX_ENTRY_UPPER_ADDR_OFFSET	4
+-#define  PCI_MSIX_ENTRY_DATA_OFFSET		8
+-#define  PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET	12
+-
+ #define msi_control_reg(base)		(base + PCI_MSI_FLAGS)
+ #define msi_lower_address_reg(base)	(base + PCI_MSI_ADDRESS_LO)
+ #define msi_upper_address_reg(base)	(base + PCI_MSI_ADDRESS_HI)
+--- a/xen/include/xen/pci.h
++++ b/xen/include/xen/pci.h
+@@ -12,6 +12,8 @@
+ #include <xen/list.h>
+ #include <xen/spinlock.h>
+ #include <xen/irq.h>
++#include <xen/pci_regs.h>
++#include <xen/pfn.h>
+ 
+ /*
+  * The PCI interface treats multi-function devices as independent
+@@ -30,8 +32,10 @@
+ #define PCI_BDF(b,d,f)  ((((b) & 0xff) << 8) | PCI_DEVFN(d,f))
+ #define PCI_BDF2(b,df)  ((((b) & 0xff) << 8) | ((df) & 0xff))
+ 
+-#define MAX_MSIX_TABLE_ENTRIES  2048
+-#define MAX_MSIX_TABLE_PAGES    8
++#define MAX_MSIX_TABLE_ENTRIES  (PCI_MSIX_FLAGS_QSIZE + 1)
++#define MAX_MSIX_TABLE_PAGES    PFN_UP(MAX_MSIX_TABLE_ENTRIES * \
++                                       PCI_MSIX_ENTRY_SIZE + \
++                                       (~PCI_MSIX_BIRMASK & (PAGE_SIZE - 1)))
+ struct pci_dev_info {
+     unsigned is_extfn;
+     unsigned is_virtfn;
+--- a/xen/include/xen/pci_regs.h
++++ b/xen/include/xen/pci_regs.h
+@@ -305,6 +305,12 @@
+ #define PCI_MSIX_PBA		8
+ #define  PCI_MSIX_BIRMASK	(7 << 0)
+ 
++#define PCI_MSIX_ENTRY_SIZE			16
++#define  PCI_MSIX_ENTRY_LOWER_ADDR_OFFSET	0
++#define  PCI_MSIX_ENTRY_UPPER_ADDR_OFFSET	4
++#define  PCI_MSIX_ENTRY_DATA_OFFSET		8
++#define  PCI_MSIX_ENTRY_VECTOR_CTRL_OFFSET	12
++
+ #define PCI_MSIX_VECTOR_BITMASK	(1 << 0)
+ 
+ /* CompactPCI Hotswap Register */
diff --git a/24615-VESA-lfb-flush.patch b/24615-VESA-lfb-flush.patch
new file mode 100644
index 0000000..d66269a
--- /dev/null
+++ b/24615-VESA-lfb-flush.patch
@@ -0,0 +1,75 @@
+# HG changeset patch
+# User Andrew Cooper <andrew.cooper3@citrix.com>
+# Date 1327758145 0
+# Node ID ac9f32525376922fdf5b9efac7a1fe0ff866cc76
+# Parent  f8c2cf24a26cc6cdaaad9140e4b1dfc54f07bab3
+vesa: flush lfb after zeroing
+
+If Xen is going to relinquish the VGA console, flush the linear frame
+buffer after zeroing it in vesa_endboot().
+
+Failing to do so in some circumstances leads to the actual linear
+framebuffer on the graphics card still containing the output of the
+Xen boot console can lead to ugly graphics output when dom0 is setting
+up the graphics card for its own use.
+
+While the patch is quite large, it is mostly just code motion to
+prevent having to forward declare lfb_flush().  The only functional
+change to vesa_endboot() is to insert a call to lbf_flush().
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Committed-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/drivers/video/vesa.c
++++ b/xen/drivers/video/vesa.c
+@@ -153,24 +153,6 @@ void __init vesa_init(void)
+     xfree(line_len);
+ }
+ 
+-void __init vesa_endboot(bool_t keep)
+-{
+-    if ( keep )
+-    {
+-        xpos = 0;
+-        vga_puts = vesa_scroll_puts;
+-    }
+-    else
+-    {
+-        unsigned int i, bpp = (vlfb_info.bits_per_pixel + 7) >> 3;
+-        for ( i = 0; i < vlfb_info.height; i++ )
+-            memset(lfb + i * vlfb_info.bytes_per_line, 0,
+-                   vlfb_info.width * bpp);
+-    }
+-
+-    xfree(line_len);
+-}
+-
+ #if defined(CONFIG_X86)
+ 
+ #include <asm/mtrr.h>
+@@ -217,6 +199,25 @@ static void lfb_flush(void)
+ 
+ #endif
+ 
++void __init vesa_endboot(bool_t keep)
++{
++    if ( keep )
++    {
++        xpos = 0;
++        vga_puts = vesa_scroll_puts;
++    }
++    else
++    {
++        unsigned int i, bpp = (vlfb_info.bits_per_pixel + 7) >> 3;
++        for ( i = 0; i < vlfb_info.height; i++ )
++            memset(lfb + i * vlfb_info.bytes_per_line, 0,
++                   vlfb_info.width * bpp);
++        lfb_flush();
++    }
++
++    xfree(line_len);
++}
++
+ /* Render one line of text to given linear framebuffer line. */
+ static void vesa_show_line(
+     const unsigned char *text_line,
diff --git a/24690-x86-PCI-SERR-no-deadlock.patch b/24690-x86-PCI-SERR-no-deadlock.patch
new file mode 100644
index 0000000..3ae760a
--- /dev/null
+++ b/24690-x86-PCI-SERR-no-deadlock.patch
@@ -0,0 +1,67 @@
+# HG changeset patch
+# User David Vrabel <david.vrabel@citrix.com>
+# Date 1328196538 0
+# Node ID dcc6d57e4c07728693c685a2cfa7f094ef726267
+# Parent  7091b2e4cc2cff07ad1bf24ba7b9506bae071fa8
+x86: avoid deadlock after a PCI SERR NMI
+
+If a PCI System Error (SERR) is asserted it causes an NMI. If this NMI
+occurs while the CPU is in printk() then Xen may deadlock as
+pci_serr_error() calls console_force_unlock() which screws up the
+console lock.
+
+printk() isn't safe to call from NMI context so defer the diagnostic
+message to a softirq.
+
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Tested-by: George Dunlap <george.dunlap@eu.citrix.com>
+Committed-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -3137,6 +3137,11 @@ static void nmi_mce_softirq(void)
+     st->vcpu = NULL;
+ }
+ 
++static void pci_serr_softirq(void)
++{
++    printk("\n\nNMI - PCI system error (SERR)\n");
++}
++
+ void async_exception_cleanup(struct vcpu *curr)
+ {
+     int trap;
+@@ -3223,10 +3228,11 @@ static void nmi_dom0_report(unsigned int
+ 
+ static void pci_serr_error(struct cpu_user_regs *regs)
+ {
+-    console_force_unlock();
+-    printk("\n\nNMI - PCI system error (SERR)\n");
+-
+     outb((inb(0x61) & 0x0f) | 0x04, 0x61); /* clear-and-disable the PCI SERR error line. */
++
++    /* Would like to print a diagnostic here but can't call printk()
++       from NMI context -- raise a softirq instead. */
++    raise_softirq(PCI_SERR_SOFTIRQ);
+ }
+ 
+ static void io_check_error(struct cpu_user_regs *regs)
+@@ -3529,6 +3535,7 @@ void __init trap_init(void)
+     cpu_init();
+ 
+     open_softirq(NMI_MCE_SOFTIRQ, nmi_mce_softirq);
++    open_softirq(PCI_SERR_SOFTIRQ, pci_serr_softirq);
+ }
+ 
+ long register_guest_nmi_callback(unsigned long address)
+--- a/xen/include/asm-x86/softirq.h
++++ b/xen/include/asm-x86/softirq.h
+@@ -6,6 +6,7 @@
+ #define VCPU_KICK_SOFTIRQ      (NR_COMMON_SOFTIRQS + 2)
+ 
+ #define MACHINE_CHECK_SOFTIRQ  (NR_COMMON_SOFTIRQS + 3)
+-#define NR_ARCH_SOFTIRQS       4
++#define PCI_SERR_SOFTIRQ       (NR_COMMON_SOFTIRQS + 4)
++#define NR_ARCH_SOFTIRQS       5
+ 
+ #endif /* __ASM_SOFTIRQ_H__ */
diff --git a/24701-gnttab-map-grant-ref-recovery.patch b/24701-gnttab-map-grant-ref-recovery.patch
new file mode 100644
index 0000000..f045e5c
--- /dev/null
+++ b/24701-gnttab-map-grant-ref-recovery.patch
@@ -0,0 +1,37 @@
+# HG changeset patch
+# User Haoyu Zhang <haoyu.zhang@huawei.com>
+# Date 1328563421 28800
+# Node ID 3574f4d67843733ccaabab5f8ebb859c99d7314a
+# Parent  5bd5830dea13f2a80a1b9728d3e61c34661fe764
+Fix error recovery path in __gnttab_map_grant_ref
+
+In file grant_table.c function __gnttab_map_grant_ref, if
+__get_paged_frame failed, the effect of _set_status  previously
+called should be rollback, so the flag GTF_reading and _GTF_writing
+will be recovered.
+
+
+Signed-off-by: Haoyu Zhang <haoyu.zhang@huawei.com>
+Signed-off-by: Liang Wang <hzwangliang.wang@huawei.com>
+Acked-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
+Committed-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -566,7 +566,7 @@ __gnttab_map_grant_ref(
+             gfn = sha1 ? sha1->frame : sha2->full_page.frame;
+             rc = __get_paged_frame(gfn, &frame, !!(op->flags & GNTMAP_readonly), rd);
+             if ( rc != GNTST_okay )
+-                goto unlock_out;
++                goto unlock_out_clear;
+             act->gfn = gfn;
+             act->domid = ld->domain_id;
+             act->frame = frame;
+@@ -722,6 +722,7 @@ __gnttab_map_grant_ref(
+         act->pin -= (op->flags & GNTMAP_readonly) ?
+             GNTPIN_hstr_inc : GNTPIN_hstw_inc;
+ 
++ unlock_out_clear:
+     if ( !(op->flags & GNTMAP_readonly) &&
+          !(act->pin & (GNTPIN_hstw_mask|GNTPIN_devw_mask)) )
+         gnttab_clear_flag(_GTF_writing, status);
diff --git a/24742-gnttab-misc.patch b/24742-gnttab-misc.patch
new file mode 100644
index 0000000..b8fe15f
--- /dev/null
+++ b/24742-gnttab-misc.patch
@@ -0,0 +1,97 @@
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1328801956 -3600
+# Node ID 9fc810bb814558bc5c8f9d086af7576516e07244
+# Parent  fb71a97fe339282965d584663236ce71a2400659
+gnttab: miscellaneous fixes
+
+- _GTF_* constants name bit positions, so binary arithmetic on them is
+  wrong
+- gnttab_clear_flag() cannot (on x86 and ia64 at least) simply use
+  clear_bit(), as that may access more than the two bytes that are
+  intended to be accessed
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/common/grant_table.c
++++ b/xen/common/grant_table.c
+@@ -389,7 +389,8 @@ static int _set_status_v2(domid_t  domid
+              (id != domid) ||
+              (!readonly && (flags & GTF_readonly)) )
+         {
+-            gnttab_clear_flag(_GTF_reading | _GTF_writing, status);
++            gnttab_clear_flag(_GTF_writing, status);
++            gnttab_clear_flag(_GTF_reading, status);
+             PIN_FAIL(done, GNTST_general_error,
+                      "Unstable flags (%x) or dom (%d). (expected dom %d) "
+                      "(r/w: %d)\n",
+@@ -1704,14 +1705,14 @@ __release_grant_for_copy(
+    under the domain's grant table lock. */
+ /* Only safe on transitive grants.  Even then, note that we don't
+    attempt to drop any pin on the referent grant. */
+-static void __fixup_status_for_pin(struct active_grant_entry *act,
++static void __fixup_status_for_pin(const struct active_grant_entry *act,
+                                    uint16_t *status)
+ {
+     if ( !(act->pin & GNTPIN_hstw_mask) )
+-        *status &= ~_GTF_writing;
++        *status &= ~GTF_writing;
+ 
+     if ( !(act->pin & GNTPIN_hstr_mask) )
+-        *status &= ~_GTF_reading;
++        *status &= ~GTF_reading;
+ }
+ 
+ /* Grab a frame number from a grant entry and update the flags and pin
+--- a/xen/include/asm-ia64/grant_table.h
++++ b/xen/include/asm-ia64/grant_table.h
+@@ -5,6 +5,8 @@
+ #ifndef __ASM_GRANT_TABLE_H__
+ #define __ASM_GRANT_TABLE_H__
+ 
++#include <asm/intrinsics.h>
++
+ #define INITIAL_NR_GRANT_FRAMES 1
+ 
+ // for grant map/unmap
+@@ -82,9 +84,19 @@ int guest_physmap_add_page(struct domain
+ 
+ #define gnttab_mark_dirty(d, f) ((void)f)
+ 
+-static inline void gnttab_clear_flag(unsigned long nr, uint16_t *addr)
++static inline void gnttab_clear_flag(unsigned int nr, volatile uint16_t *st)
+ {
+-	clear_bit(nr, addr);
++	/*
++	 * Note that this cannot be clear_bit(), as the access must be
++	 * confined to the specified 2 bytes.
++	 */
++	uint16_t mask = ~(1 << nr), old;
++	CMPXCHG_BUGCHECK_DECL
++
++	do {
++		CMPXCHG_BUGCHECK(st);
++		old = *st;
++	} while (cmpxchg_rel(st, old, old & mask) != old);
+ }
+ 
+ #define gnttab_host_mapping_get_page_type(op, ld, rd)   \
+--- a/xen/include/asm-x86/grant_table.h
++++ b/xen/include/asm-x86/grant_table.h
+@@ -48,9 +48,13 @@ int replace_grant_host_mapping(
+ 
+ #define gnttab_mark_dirty(d, f) paging_mark_dirty((d), (f))
+ 
+-static inline void gnttab_clear_flag(unsigned long nr, uint16_t *addr)
++static inline void gnttab_clear_flag(unsigned int nr, uint16_t *st)
+ {
+-    clear_bit(nr, (unsigned long *)addr);
++    /*
++     * Note that this cannot be clear_bit(), as the access must be
++     * confined to the specified 2 bytes.
++     */
++    asm volatile ("lock btrw %1,%0" : "=m" (*st) : "Ir" (nr), "m" (*st));
+ }
+ 
+ /* Foreign mappings of HHVM-guest pages do not modify the type count. */
diff --git a/24780-x86-paging-use-clear_guest.patch b/24780-x86-paging-use-clear_guest.patch
new file mode 100644
index 0000000..ca5d538
--- /dev/null
+++ b/24780-x86-paging-use-clear_guest.patch
@@ -0,0 +1,382 @@
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1329134942 -3600
+# Node ID e953d536d3c6e344cf310f63ead9feda87cc67b0
+# Parent  9ad1e42c341bc78463b6f6610a6300f75b535fbb
+x86/paging: use clear_guest() for zero-filling guest buffers
+
+While static arrays of all zeros may be tolerable (but are simply
+inefficient now that we have the necessary infrastructure), using on-
+stack arrays for this purpose (particularly when their size doesn't
+have an upper limit enforced) is calling for eventual problems (even
+if the code can be reached via administrative interfaces only).
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Tim Deegan <tim@xen.org>
+
+(Include necessary prerequisite bits from 24543:d6cdbc4fe078
+"Introduce clear_user and clear_guest".)
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -2163,6 +2163,86 @@ static enum hvm_copy_result __hvm_copy(
+     return HVMCOPY_okay;
+ }
+ 
++static enum hvm_copy_result __hvm_clear(paddr_t addr, int size)
++{
++    struct vcpu *curr = current;
++    struct p2m_domain *p2m = p2m_get_hostp2m(curr->domain);
++    unsigned long gfn, mfn;
++    p2m_type_t p2mt;
++    char *p;
++    int count, todo = size;
++    uint32_t pfec = PFEC_page_present | PFEC_write_access;
++
++    /*
++     * XXX Disable for 4.1.0: PV-on-HVM drivers will do grant-table ops
++     * such as query_size. Grant-table code currently does copy_to/from_guest
++     * accesses under the big per-domain lock, which this test would disallow.
++     * The test is not needed until we implement sleeping-on-waitqueue when
++     * we access a paged-out frame, and that's post 4.1.0 now.
++     */
++#if 0
++    /*
++     * If the required guest memory is paged out, this function may sleep.
++     * Hence we bail immediately if called from atomic context.
++     */
++    if ( in_atomic() )
++        return HVMCOPY_unhandleable;
++#endif
++
++    while ( todo > 0 )
++    {
++        count = min_t(int, PAGE_SIZE - (addr & ~PAGE_MASK), todo);
++
++        gfn = paging_gva_to_gfn(curr, addr, &pfec);
++        if ( gfn == INVALID_GFN )
++        {
++            if ( pfec == PFEC_page_paged )
++                return HVMCOPY_gfn_paged_out;
++            if ( pfec == PFEC_page_shared )
++                return HVMCOPY_gfn_shared;
++            return HVMCOPY_bad_gva_to_gfn;
++        }
++
++        mfn = mfn_x(gfn_to_mfn_unshare(p2m, gfn, &p2mt, 0));
++
++        if ( p2m_is_paging(p2mt) )
++        {
++            p2m_mem_paging_populate(p2m, gfn);
++            return HVMCOPY_gfn_paged_out;
++        }
++        if ( p2m_is_shared(p2mt) )
++            return HVMCOPY_gfn_shared;
++        if ( p2m_is_grant(p2mt) )
++            return HVMCOPY_unhandleable;
++        if ( !p2m_is_ram(p2mt) )
++            return HVMCOPY_bad_gfn_to_mfn;
++        ASSERT(mfn_valid(mfn));
++
++        p = (char *)map_domain_page(mfn) + (addr & ~PAGE_MASK);
++
++        if ( p2mt == p2m_ram_ro )
++        {
++            static unsigned long lastpage;
++            if ( xchg(&lastpage, gfn) != gfn )
++                gdprintk(XENLOG_DEBUG, "guest attempted write to read-only"
++                        " memory page. gfn=%#lx, mfn=%#lx\n",
++                        gfn, mfn);
++        }
++        else
++        {
++            memset(p, 0x00, count);
++            paging_mark_dirty(curr->domain, mfn);
++        }
++
++        unmap_domain_page(p);
++
++        addr += count;
++        todo -= count;
++    }
++
++    return HVMCOPY_okay;
++}
++
+ enum hvm_copy_result hvm_copy_to_guest_phys(
+     paddr_t paddr, void *buf, int size)
+ {
+@@ -2249,6 +2329,23 @@ unsigned long copy_to_user_hvm(void *to,
+     return rc ? len : 0; /* fake a copy_to_user() return code */
+ }
+ 
++unsigned long clear_user_hvm(void *to, unsigned int len)
++{
++    int rc;
++
++#ifdef __x86_64__
++    if ( !current->arch.hvm_vcpu.hcall_64bit &&
++         is_compat_arg_xlat_range(to, len) )
++    {
++        memset(to, 0x00, len);
++        return 0;
++    }
++#endif
++
++    rc = __hvm_clear((unsigned long)to, len);
++    return rc ? len : 0; /* fake a copy_to_user() return code */
++}
++
+ unsigned long copy_from_user_hvm(void *to, const void *from, unsigned len)
+ {
+     int rc;
+--- a/xen/arch/x86/mm/paging.c
++++ b/xen/arch/x86/mm/paging.c
+@@ -21,11 +21,11 @@
+  */
+ 
+ #include <xen/init.h>
++#include <xen/guest_access.h>
+ #include <asm/paging.h>
+ #include <asm/shadow.h>
+ #include <asm/p2m.h>
+ #include <asm/hap.h>
+-#include <asm/guest_access.h>
+ #include <xen/numa.h>
+ #include <xsm/xsm.h>
+ 
+@@ -450,26 +450,30 @@ int paging_log_dirty_op(struct domain *d
+                   (pages < sc->pages) && (i2 < LOGDIRTY_NODE_ENTRIES);
+                   i2++ )
+             {
+-                static unsigned long zeroes[PAGE_SIZE/BYTES_PER_LONG];
+                 unsigned int bytes = PAGE_SIZE;
+                 l1 = ((l2 && mfn_valid(l2[i2])) ?
+-                      map_domain_page(mfn_x(l2[i2])) : zeroes);
++                      map_domain_page(mfn_x(l2[i2])) : NULL);
+                 if ( unlikely(((sc->pages - pages + 7) >> 3) < bytes) )
+                     bytes = (unsigned int)((sc->pages - pages + 7) >> 3);
+                 if ( likely(peek) )
+                 {
+-                    if ( copy_to_guest_offset(sc->dirty_bitmap, pages >> 3,
+-                                              (uint8_t *)l1, bytes) != 0 )
++                    if ( (l1 ? copy_to_guest_offset(sc->dirty_bitmap,
++                                                    pages >> 3, (uint8_t *)l1,
++                                                    bytes)
++                             : clear_guest_offset(sc->dirty_bitmap,
++                                                  pages >> 3, bytes)) != 0 )
+                     {
+                         rv = -EFAULT;
+                         goto out;
+                     }
+                 }
+-                if ( clean && l1 != zeroes )
+-                    clear_page(l1);
+                 pages += bytes << 3;
+-                if ( l1 != zeroes )
++                if ( l1 )
++                {
++                    if ( clean )
++                        clear_page(l1);
+                     unmap_domain_page(l1);
++                }
+             }
+             if ( l2 )
+                 unmap_domain_page(l2);
+@@ -529,12 +533,9 @@ int paging_log_dirty_range(struct domain
+ 
+     if ( !d->arch.paging.log_dirty.fault_count &&
+          !d->arch.paging.log_dirty.dirty_count ) {
+-        int size = (nr + BITS_PER_LONG - 1) / BITS_PER_LONG;
+-        unsigned long zeroes[size];
+-        memset(zeroes, 0x00, size * BYTES_PER_LONG);
+-        rv = 0;
+-        if ( copy_to_guest_offset(dirty_bitmap, 0, (uint8_t *) zeroes,
+-                                  size * BYTES_PER_LONG) != 0 )
++        unsigned int size = BITS_TO_LONGS(nr);
++
++        if ( clear_guest(dirty_bitmap, size * BYTES_PER_LONG) != 0 )
+             rv = -EFAULT;
+         goto out;
+     }
+@@ -562,11 +563,10 @@ int paging_log_dirty_range(struct domain
+                   (pages < nr) && (i2 < LOGDIRTY_NODE_ENTRIES);
+                   i2++ )
+             {
+-                static unsigned long zeroes[PAGE_SIZE/BYTES_PER_LONG];
+                 unsigned int bytes = PAGE_SIZE;
+                 uint8_t *s;
+                 l1 = ((l2 && mfn_valid(l2[i2])) ?
+-                      map_domain_page(mfn_x(l2[i2])) : zeroes);
++                      map_domain_page(mfn_x(l2[i2])) : NULL);
+ 
+                 s = ((uint8_t*)l1) + (b1 >> 3);
+                 bytes -= b1 >> 3;
+@@ -574,9 +574,18 @@ int paging_log_dirty_range(struct domain
+                 if ( likely(((nr - pages + 7) >> 3) < bytes) )
+                     bytes = (unsigned int)((nr - pages + 7) >> 3);
+ 
++                if ( !l1 )
++                {
++                    if ( clear_guest_offset(dirty_bitmap, pages >> 3,
++                                            bytes) != 0 )
++                    {
++                        rv = -EFAULT;
++                        goto out;
++                    }
++                }
+                 /* begin_pfn is not 32K aligned, hence we have to bit
+                  * shift the bitmap */
+-                if ( b1 & 0x7 )
++                else if ( b1 & 0x7 )
+                 {
+                     int i, j;
+                     uint32_t *l = (uint32_t*) s;
+@@ -620,11 +629,12 @@ int paging_log_dirty_range(struct domain
+                     }
+                 }
+ 
+-                if ( l1 != zeroes )
+-                    clear_page(l1);
+                 pages += bytes << 3;
+-                if ( l1 != zeroes )
++                if ( l1 )
++                {
++                    clear_page(l1);
+                     unmap_domain_page(l1);
++                }
+                 b1 = b1 & 0x7;
+             }
+             b2 = 0;
+--- a/xen/arch/x86/usercopy.c
++++ b/xen/arch/x86/usercopy.c
+@@ -110,6 +110,42 @@ copy_to_user(void __user *to, const void
+     return n;
+ }
+ 
++#define __do_clear_user(addr,size)					\
++do {									\
++	long __d0;							\
++	__asm__ __volatile__(						\
++		"0:	rep; stosl\n"					\
++		"	movl %2,%0\n"					\
++		"1:	rep; stosb\n"					\
++		"2:\n"							\
++		".section .fixup,\"ax\"\n"				\
++		"3:	lea 0(%2,%0,4),%0\n"				\
++		"	jmp 2b\n"					\
++		".previous\n"						\
++		_ASM_EXTABLE(0b,3b)					\
++		_ASM_EXTABLE(1b,2b)					\
++		: "=&c"(size), "=&D" (__d0)				\
++		: "r"(size & 3), "0"(size / 4), "1"((long)addr), "a"(0));	\
++} while (0)
++
++/**
++ * clear_user: - Zero a block of memory in user space.
++ * @to:   Destination address, in user space.
++ * @n:    Number of bytes to zero.
++ *
++ * Zero a block of memory in user space.
++ *
++ * Returns number of bytes that could not be cleared.
++ * On success, this will be zero.
++ */
++unsigned long
++clear_user(void __user *to, unsigned n)
++{
++	if ( access_ok(to, n) )
++		__do_clear_user(to, n);
++	return n;
++}
++
+ /**
+  * copy_from_user: - Copy a block of data from user space.
+  * @to:   Destination address, in kernel space.
+--- a/xen/include/asm-x86/guest_access.h
++++ b/xen/include/asm-x86/guest_access.h
+@@ -21,6 +21,10 @@
+     (is_hvm_vcpu(current) ?                     \
+      copy_from_user_hvm((dst), (src), (len)) :  \
+      copy_from_user((dst), (src), (len)))
++#define raw_clear_guest(dst,  len)              \
++    (is_hvm_vcpu(current) ?                     \
++     clear_user_hvm((dst), (len)) :             \
++     clear_user((dst), (len)))
+ #define __raw_copy_to_guest(dst, src, len)      \
+     (is_hvm_vcpu(current) ?                     \
+      copy_to_user_hvm((dst), (src), (len)) :    \
+@@ -29,6 +33,10 @@
+     (is_hvm_vcpu(current) ?                     \
+      copy_from_user_hvm((dst), (src), (len)) :  \
+      __copy_from_user((dst), (src), (len)))
++#define __raw_clear_guest(dst,  len)            \
++    (is_hvm_vcpu(current) ?                     \
++     clear_user_hvm((dst), (len)) :             \
++     clear_user((dst), (len)))
+ 
+ /* Is the guest handle a NULL reference? */
+ #define guest_handle_is_null(hnd)        ((hnd).p == NULL)
+@@ -69,6 +77,11 @@
+     raw_copy_from_guest(_d, _s+(off), sizeof(*_d)*(nr));\
+ })
+ 
++#define clear_guest_offset(hnd, off, nr) ({    \
++    void *_d = (hnd).p;                        \
++    raw_clear_guest(_d+(off), nr);             \
++})
++
+ /* Copy sub-field of a structure to guest context via a guest handle. */
+ #define copy_field_to_guest(hnd, ptr, field) ({         \
+     const typeof(&(ptr)->field) _s = &(ptr)->field;     \
+@@ -110,6 +123,11 @@
+     __raw_copy_from_guest(_d, _s+(off), sizeof(*_d)*(nr));\
+ })
+ 
++#define __clear_guest_offset(hnd, off, nr) ({    \
++    void *_d = (hnd).p;                          \
++    __raw_clear_guest(_d+(off), nr);             \
++})
++
+ #define __copy_field_to_guest(hnd, ptr, field) ({       \
+     const typeof(&(ptr)->field) _s = &(ptr)->field;     \
+     void *_d = &(hnd).p->field;                         \
+--- a/xen/include/asm-x86/hvm/guest_access.h
++++ b/xen/include/asm-x86/hvm/guest_access.h
+@@ -2,6 +2,7 @@
+ #define __ASM_X86_HVM_GUEST_ACCESS_H__
+ 
+ unsigned long copy_to_user_hvm(void *to, const void *from, unsigned len);
++unsigned long clear_user_hvm(void *to, unsigned int len);
+ unsigned long copy_from_user_hvm(void *to, const void *from, unsigned len);
+ 
+ #endif /* __ASM_X86_HVM_GUEST_ACCESS_H__ */
+--- a/xen/include/asm-x86/uaccess.h
++++ b/xen/include/asm-x86/uaccess.h
+@@ -16,6 +16,7 @@
+ #endif
+ 
+ unsigned long copy_to_user(void *to, const void *from, unsigned len);
++unsigned long clear_user(void *to, unsigned len);
+ unsigned long copy_from_user(void *to, const void *from, unsigned len);
+ /* Handles exceptions in both to and from, but doesn't do access_ok */
+ unsigned long __copy_to_user_ll(void *to, const void *from, unsigned n);
+--- a/xen/include/xen/guest_access.h
++++ b/xen/include/xen/guest_access.h
+@@ -15,10 +15,16 @@
+ #define copy_from_guest(ptr, hnd, nr)                   \
+     copy_from_guest_offset(ptr, hnd, 0, nr)
+ 
++#define clear_guest(hnd, nr)                            \
++    clear_guest_offset(hnd, 0, nr)
++
+ #define __copy_to_guest(hnd, ptr, nr)                   \
+     __copy_to_guest_offset(hnd, 0, ptr, nr)
+ 
+ #define __copy_from_guest(ptr, hnd, nr)                 \
+     __copy_from_guest_offset(ptr, hnd, 0, nr)
+ 
++#define __clear_guest(hnd, nr)                          \
++    __clear_guest_offset(hnd, 0, nr)
++
+ #endif /* __XEN_GUEST_ACCESS_H__ */
diff --git a/24781-x86-vmce-mcg_ctl.patch b/24781-x86-vmce-mcg_ctl.patch
new file mode 100644
index 0000000..3560879
--- /dev/null
+++ b/24781-x86-vmce-mcg_ctl.patch
@@ -0,0 +1,98 @@
+References: bnc#745367
+
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1329135150 -3600
+# Node ID 6ae5506e49abbe07b3b84c56cda114f59beb7ebe
+# Parent  e953d536d3c6e344cf310f63ead9feda87cc67b0
+x86/vMCE: MC{G,i}_CTL handling adjustments
+
+- g_mcg_cap was read to determine whether MCG_CTL exists before it got
+  initialized
+- h_mci_ctrl[] and dom_vmce()->mci_ctl[] both got initialized via
+  memset() with an inappropriate size (hence causing a [minor?]
+  information leak)
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/cpu/mcheck/mce.c
++++ b/xen/arch/x86/cpu/mcheck/mce.c
+@@ -29,7 +29,7 @@ invbool_param("mce", mce_disabled);
+ bool_t __read_mostly mce_broadcast = 0;
+ bool_t is_mc_panic;
+ unsigned int __read_mostly nr_mce_banks;
+-int __read_mostly firstbank;
++unsigned int __read_mostly firstbank;
+ 
+ static void intpose_init(void);
+ static void mcinfo_clear(struct mc_info *);
+@@ -646,7 +646,7 @@ int mce_available(struct cpuinfo_x86 *c)
+  * Check if bank 0 is usable for MCE. It isn't for AMD K7,
+  * and Intel P6 family before model 0x1a.
+  */
+-int mce_firstbank(struct cpuinfo_x86 *c)
++unsigned int mce_firstbank(struct cpuinfo_x86 *c)
+ {
+     if (c->x86 == 6) {
+         if (c->x86_vendor == X86_VENDOR_AMD)
+--- a/xen/arch/x86/cpu/mcheck/mce.h
++++ b/xen/arch/x86/cpu/mcheck/mce.h
+@@ -52,13 +52,13 @@ int is_vmce_ready(struct mcinfo_bank *ba
+ int unmmap_broken_page(struct domain *d, mfn_t mfn, unsigned long gfn);
+ 
+ u64 mce_cap_init(void);
+-extern int firstbank;
++extern unsigned int firstbank;
+ 
+ int intel_mce_rdmsr(uint32_t msr, uint64_t *val);
+ int intel_mce_wrmsr(uint32_t msr, uint64_t val);
+ 
+ int mce_available(struct cpuinfo_x86 *c);
+-int mce_firstbank(struct cpuinfo_x86 *c);
++unsigned int mce_firstbank(struct cpuinfo_x86 *c);
+ /* Helper functions used for collecting error telemetry */
+ struct mc_info *x86_mcinfo_getptr(void);
+ void mc_panic(char *s);
+--- a/xen/arch/x86/cpu/mcheck/vmce.c
++++ b/xen/arch/x86/cpu/mcheck/vmce.c
+@@ -39,7 +39,7 @@ int vmce_init_msr(struct domain *d)
+         return -ENOMEM;
+     }
+     memset(dom_vmce(d)->mci_ctl, ~0,
+-           sizeof(dom_vmce(d)->mci_ctl));
++           nr_mce_banks * sizeof(*dom_vmce(d)->mci_ctl));
+ 
+     dom_vmce(d)->mcg_status = 0x0;
+     dom_vmce(d)->mcg_cap = g_mcg_cap;
+@@ -437,7 +437,7 @@ int vmce_domain_inject(
+ int vmce_init(struct cpuinfo_x86 *c)
+ {
+     u64 value;
+-    int i;
++    unsigned int i;
+ 
+     if ( !h_mci_ctrl )
+     {
+@@ -448,17 +448,17 @@ int vmce_init(struct cpuinfo_x86 *c)
+             return -ENOMEM;
+         }
+         /* Don't care banks before firstbank */
+-        memset(h_mci_ctrl, 0xff, sizeof(h_mci_ctrl));
++        memset(h_mci_ctrl, ~0,
++               min(firstbank, nr_mce_banks) * sizeof(*h_mci_ctrl));
+         for (i = firstbank; i < nr_mce_banks; i++)
+             rdmsrl(MSR_IA32_MCx_CTL(i), h_mci_ctrl[i]);
+     }
+ 
+-    if (g_mcg_cap & MCG_CTL_P)
+-        rdmsrl(MSR_IA32_MCG_CTL, h_mcg_ctl);
+-
+     rdmsrl(MSR_IA32_MCG_CAP, value);
+     /* For Guest vMCE usage */
+     g_mcg_cap = value & ~MCG_CMCI_P;
++    if (value & MCG_CTL_P)
++        rdmsrl(MSR_IA32_MCG_CTL, h_mcg_ctl);
+ 
+     return 0;
+ }
diff --git a/24805-x86-MSI-X-dom0-ro.patch b/24805-x86-MSI-X-dom0-ro.patch
new file mode 100644
index 0000000..42e3942
--- /dev/null
+++ b/24805-x86-MSI-X-dom0-ro.patch
@@ -0,0 +1,30 @@
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1329303884 -3600
+# Node ID 618cbd27bac06fe39b1c6f28ded6d4d7f444e7bd
+# Parent  0ba87b95e80bae059fe70b4b117dcc409f2471ef
+x86: don't allow Dom0 to map MSI-X table writably
+
+With the traditional qemu tree fixed to not use PROT_WRITE anymore in
+the mmap() call for this region, and with the upstream qemu tree not
+being capable of handling passthrough, yet, there's no need to treat
+Dom specially here anymore.
+
+This continues to leave unaddressed the case where PV guests map the
+MSI-X table page(s) before setting up the first MSI-X interrupt (see
+the original c/s 22182:68cc3c514a0a description for options).
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/mm.c
++++ b/xen/arch/x86/mm.c
+@@ -835,7 +835,7 @@ get_page_from_l1e(
+             return -EINVAL;
+         }
+ 
+-        if ( !(l1f & _PAGE_RW) || IS_PRIV(pg_owner) ||
++        if ( !(l1f & _PAGE_RW) ||
+              !rangeset_contains_singleton(mmio_ro_ranges, mfn) )
+             return 0;
+         dprintk(XENLOG_G_WARNING,
diff --git a/24883-x86-guest-walk-not-present.patch b/24883-x86-guest-walk-not-present.patch
new file mode 100644
index 0000000..5fcc062
--- /dev/null
+++ b/24883-x86-guest-walk-not-present.patch
@@ -0,0 +1,70 @@
+References: bnc#747331
+
+# HG changeset patch
+# User Tim Deegan <tim@xen.org>
+# Date 1329992967 0
+# Node ID adcd6ab160fae996d53c6843da0c5728ca8a8bd3
+# Parent  3d4955cbcb67a1c41e6b71af783b0921a3f7b081
+x86/mm: Don't check for invalid bits in non-present PTEs.
+
+If _PAGE_PRESENT is clean in a pagetable entry, any pattern of bits
+is valid in the rest of the entry.  OSes that special-case
+PFEC_invalid_bits (since it should never happen) will be confused
+by our setting it in this way.
+
+Signed-off-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/mm/guest_walk.c
++++ b/xen/arch/x86/mm/guest_walk.c
+@@ -162,8 +162,11 @@ guest_walk_tables(struct vcpu *v, struct
+     l4p = (guest_l4e_t *) top_map;
+     gw->l4e = l4p[guest_l4_table_offset(va)];
+     gflags = guest_l4e_get_flags(gw->l4e) ^ iflags;
++    if ( !(gflags & _PAGE_PRESENT) ) {
++        rc |= _PAGE_PRESENT;
++        goto out;
++    }
+     rc |= ((gflags & mflags) ^ mflags);
+-    if ( rc & _PAGE_PRESENT ) goto out;
+ 
+     /* Map the l3 table */
+     l3p = map_domain_gfn(p2m, 
+@@ -176,9 +179,11 @@ guest_walk_tables(struct vcpu *v, struct
+     /* Get the l3e and check its flags*/
+     gw->l3e = l3p[guest_l3_table_offset(va)];
+     gflags = guest_l3e_get_flags(gw->l3e) ^ iflags;
+-    rc |= ((gflags & mflags) ^ mflags);
+-    if ( rc & _PAGE_PRESENT )
++    if ( !(gflags & _PAGE_PRESENT) ) {
++        rc |= _PAGE_PRESENT;
+         goto out;
++    }
++    rc |= ((gflags & mflags) ^ mflags);
+ 
+ #else /* PAE only... */
+ 
+@@ -213,9 +218,11 @@ guest_walk_tables(struct vcpu *v, struct
+ #endif /* All levels... */
+ 
+     gflags = guest_l2e_get_flags(gw->l2e) ^ iflags;
+-    rc |= ((gflags & mflags) ^ mflags);
+-    if ( rc & _PAGE_PRESENT )
++    if ( !(gflags & _PAGE_PRESENT) ) {
++        rc |= _PAGE_PRESENT;
+         goto out;
++    }
++    rc |= ((gflags & mflags) ^ mflags);
+ 
+     pse = (guest_supports_superpages(v) && 
+            (guest_l2e_get_flags(gw->l2e) & _PAGE_PSE)); 
+@@ -277,6 +284,10 @@ guest_walk_tables(struct vcpu *v, struct
+             goto out;
+         gw->l1e = l1p[guest_l1_table_offset(va)];
+         gflags = guest_l1e_get_flags(gw->l1e) ^ iflags;
++        if ( !(gflags & _PAGE_PRESENT) ) {
++            rc |= _PAGE_PRESENT;
++            goto out;
++        }
+         rc |= ((gflags & mflags) ^ mflags);
+     }
+ 
diff --git a/24886-x86-vmce-mcg_ctl-default.patch b/24886-x86-vmce-mcg_ctl-default.patch
new file mode 100644
index 0000000..b44f28d
--- /dev/null
+++ b/24886-x86-vmce-mcg_ctl-default.patch
@@ -0,0 +1,49 @@
+References: bnc#745367
+
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1330070623 -3600
+# Node ID e80b0bb4470b944a5b52a91c0ec85a1d65d18c55
+# Parent  0c3d19f40ab145d101de84051c3e00eef17fa1cb
+x86/vMCE: don't advertise features we don't support
+
+... or even know of. Apart from CMCI, which was masked off already,
+this now also suppresses the advertising of extended state registers
+(reading of which would likely be meaningless in a guest and represent
+an information leak).
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/cpu/mcheck/vmce.c
++++ b/xen/arch/x86/cpu/mcheck/vmce.c
+@@ -456,7 +456,7 @@ int vmce_init(struct cpuinfo_x86 *c)
+ 
+     rdmsrl(MSR_IA32_MCG_CAP, value);
+     /* For Guest vMCE usage */
+-    g_mcg_cap = value & ~MCG_CMCI_P;
++    g_mcg_cap = value & (MCG_CAP_COUNT | MCG_CTL_P | MCG_TES_P | MCG_SER_P);
+     if (value & MCG_CTL_P)
+         rdmsrl(MSR_IA32_MCG_CTL, h_mcg_ctl);
+ 
+--- a/xen/arch/x86/cpu/mcheck/x86_mca.h
++++ b/xen/arch/x86/cpu/mcheck/x86_mca.h
+@@ -30,12 +30,13 @@
+ 
+ 
+ /* Bitfield of the MSR_IA32_MCG_CAP register */
+-#define MCG_SER_P               (1UL<<24)
+ #define MCG_CAP_COUNT           0x00000000000000ffULL
+-#define MCG_CTL_P               0x0000000000000100ULL
+-#define MCG_EXT_P		(1UL<<9)
+-#define MCG_EXT_CNT		(16)
+-#define MCG_CMCI_P		(1UL<<10)
++#define MCG_CTL_P               (1ULL<<8)
++#define MCG_EXT_P               (1ULL<<9)
++#define MCG_CMCI_P              (1ULL<<10)
++#define MCG_TES_P               (1ULL<<11)
++#define MCG_EXT_CNT             16
++#define MCG_SER_P               (1ULL<<24)
+ /* Other bits are reserved */
+ 
+ /* Bitfield of the MSR_IA32_MCG_STATUS register */
diff --git a/24887-x86-vmce-sr.patch b/24887-x86-vmce-sr.patch
new file mode 100644
index 0000000..0c4ac0f
--- /dev/null
+++ b/24887-x86-vmce-sr.patch
@@ -0,0 +1,559 @@
+References: bnc#745367
+
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1330070874 -3600
+# Node ID 35d855e520038bf5814f53d105dc4adf58a670f2
+# Parent  e80b0bb4470b944a5b52a91c0ec85a1d65d18c55
+x86/vMCE: save/restore MCA capabilities
+
+This allows migration to a host with less MCA banks than the source
+host had, while without this patch accesses to the excess banks' MSRs
+caused #GP-s in the guest after migration (and it depended on the guest
+kernel whether this would be fatal).
+
+A fundamental question is whether we should also save/restore MCG_CTL
+and MCi_CTL, as the HVM save record would better be defined to the
+complete state that needs saving from the beginning (I'm unsure whether
+the save/restore logic allows for future extension of an existing
+record).
+
+Of course, this change is expected to make migration from new to older
+Xen impossible (again I'm unsure what the save/restore logic does with
+records it doesn't even know about).
+
+The (trivial) tools side change may seem unrelated, but the code should
+have been that way from the beginning to allow the hypervisor to look
+at currently unused ext_vcpucontext fields without risking to read
+garbage when those fields get a meaning assigned in the future. This
+isn't being enforced here - should it be? (Obviously, for backwards
+compatibility, the hypervisor must assume these fields to be clear only
+when the extended context's size exceeds the old original one.)
+
+A future addition to this change might be to allow configuration of the
+number of banks and other MCA capabilities for a guest before it starts
+(i.e. to not inherits the values seen on the first host it runs on).
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/tools/libxc/xc_domain_save.c
++++ b/tools/libxc/xc_domain_save.c
+@@ -1766,6 +1766,7 @@ int xc_domain_save(xc_interface *xch, in
+ 
+         domctl.cmd = XEN_DOMCTL_get_ext_vcpucontext;
+         domctl.domain = dom;
++        memset(&domctl.u, 0, sizeof(domctl.u));
+         domctl.u.ext_vcpucontext.vcpu = i;
+         if ( xc_domctl(xch, &domctl) < 0 )
+         {
+--- a/tools/misc/xen-hvmctx.c
++++ b/tools/misc/xen-hvmctx.c
+@@ -375,6 +375,13 @@ static void dump_viridian(void)
+            (unsigned long long) p.guest_os_id);           
+ }
+ 
++static void dump_vmce_vcpu(void)
++{
++    HVM_SAVE_TYPE(VMCE_VCPU) p;
++    READ(p);
++    printf("    VMCE_VCPU: caps %" PRIx64 "\n", p.caps);
++}
++
+ int main(int argc, char **argv)
+ {
+     int entry, domid;
+@@ -440,6 +447,7 @@ int main(int argc, char **argv)
+         case HVM_SAVE_CODE(PMTIMER): dump_pmtimer(); break;
+         case HVM_SAVE_CODE(MTRR): dump_mtrr(); break;
+         case HVM_SAVE_CODE(VIRIDIAN): dump_viridian(); break;
++        case HVM_SAVE_CODE(VMCE_VCPU): dump_vmce_vcpu(); break;
+         case HVM_SAVE_CODE(END): break;
+         default:
+             printf(" ** Don't understand type %u: skipping\n",
+--- a/xen/arch/x86/cpu/mcheck/mce.h
++++ b/xen/arch/x86/cpu/mcheck/mce.h
+@@ -3,6 +3,7 @@
+ #define _MCE_H
+ 
+ #include <xen/init.h>
++#include <xen/sched.h>
+ #include <xen/smp.h>
+ #include <asm/types.h>
+ #include <asm/traps.h>
+@@ -54,8 +55,8 @@ int unmmap_broken_page(struct domain *d,
+ u64 mce_cap_init(void);
+ extern unsigned int firstbank;
+ 
+-int intel_mce_rdmsr(uint32_t msr, uint64_t *val);
+-int intel_mce_wrmsr(uint32_t msr, uint64_t val);
++int intel_mce_rdmsr(const struct vcpu *, uint32_t msr, uint64_t *val);
++int intel_mce_wrmsr(struct vcpu *, uint32_t msr, uint64_t val);
+ 
+ int mce_available(struct cpuinfo_x86 *c);
+ unsigned int mce_firstbank(struct cpuinfo_x86 *c);
+@@ -169,18 +170,20 @@ int vmce_domain_inject(struct mcinfo_ban
+ 
+ extern int vmce_init(struct cpuinfo_x86 *c);
+ 
+-static inline int mce_vendor_bank_msr(uint32_t msr)
++static inline int mce_vendor_bank_msr(const struct vcpu *v, uint32_t msr)
+ {
+     if ( boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
+-         msr >= MSR_IA32_MC0_CTL2 && msr < (MSR_IA32_MC0_CTL2 + nr_mce_banks) )
++         msr >= MSR_IA32_MC0_CTL2 &&
++         msr < MSR_IA32_MCx_CTL2(v->arch.mcg_cap & MCG_CAP_COUNT) )
+           return 1;
+     return 0;
+ }
+ 
+-static inline int mce_bank_msr(uint32_t msr)
++static inline int mce_bank_msr(const struct vcpu *v, uint32_t msr)
+ {
+-    if ( (msr >= MSR_IA32_MC0_CTL && msr < MSR_IA32_MCx_CTL(nr_mce_banks)) ||
+-        mce_vendor_bank_msr(msr) )
++    if ( (msr >= MSR_IA32_MC0_CTL &&
++          msr < MSR_IA32_MCx_CTL(v->arch.mcg_cap & MCG_CAP_COUNT)) ||
++         mce_vendor_bank_msr(v, msr) )
+         return 1;
+     return 0;
+ }
+--- a/xen/arch/x86/cpu/mcheck/mce_intel.c
++++ b/xen/arch/x86/cpu/mcheck/mce_intel.c
+@@ -1322,11 +1322,12 @@ enum mcheck_type intel_mcheck_init(struc
+ }
+ 
+ /* intel specific MCA MSR */
+-int intel_mce_wrmsr(uint32_t msr, uint64_t val)
++int intel_mce_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
+ {
+     int ret = 0;
+ 
+-    if (msr >= MSR_IA32_MC0_CTL2 && msr < (MSR_IA32_MC0_CTL2 + nr_mce_banks))
++    if ( msr >= MSR_IA32_MC0_CTL2 &&
++         msr < MSR_IA32_MCx_CTL2(v->arch.mcg_cap & MCG_CAP_COUNT) )
+     {
+         mce_printk(MCE_QUIET, "We have disabled CMCI capability, "
+                  "Guest should not write this MSR!\n");
+@@ -1336,11 +1337,12 @@ int intel_mce_wrmsr(uint32_t msr, uint64
+     return ret;
+ }
+ 
+-int intel_mce_rdmsr(uint32_t msr, uint64_t *val)
++int intel_mce_rdmsr(const struct vcpu *v, uint32_t msr, uint64_t *val)
+ {
+     int ret = 0;
+ 
+-    if (msr >= MSR_IA32_MC0_CTL2 && msr < (MSR_IA32_MC0_CTL2 + nr_mce_banks))
++    if ( msr >= MSR_IA32_MC0_CTL2 &&
++         msr < MSR_IA32_MCx_CTL2(v->arch.mcg_cap & MCG_CAP_COUNT) )
+     {
+         mce_printk(MCE_QUIET, "We have disabled CMCI capability, "
+                  "Guest should not read this MSR!\n");
+--- a/xen/arch/x86/cpu/mcheck/vmce.c
++++ b/xen/arch/x86/cpu/mcheck/vmce.c
+@@ -10,6 +10,7 @@
+ #include <xen/delay.h>
+ #include <xen/smp.h>
+ #include <xen/mm.h>
++#include <xen/hvm/save.h>
+ #include <asm/processor.h>
+ #include <public/sysctl.h>
+ #include <asm/system.h>
+@@ -42,7 +43,6 @@ int vmce_init_msr(struct domain *d)
+            nr_mce_banks * sizeof(*dom_vmce(d)->mci_ctl));
+ 
+     dom_vmce(d)->mcg_status = 0x0;
+-    dom_vmce(d)->mcg_cap = g_mcg_cap;
+     dom_vmce(d)->mcg_ctl = ~(uint64_t)0x0;
+     dom_vmce(d)->nr_injection = 0;
+ 
+@@ -61,21 +61,41 @@ void vmce_destroy_msr(struct domain *d)
+     dom_vmce(d) = NULL;
+ }
+ 
+-static int bank_mce_rdmsr(struct domain *d, uint32_t msr, uint64_t *val)
++void vmce_init_vcpu(struct vcpu *v)
+ {
+-    int bank, ret = 1;
+-    struct domain_mca_msrs *vmce = dom_vmce(d);
++    v->arch.mcg_cap = g_mcg_cap;
++}
++
++int vmce_restore_vcpu(struct vcpu *v, uint64_t caps)
++{
++    if ( caps & ~g_mcg_cap & ~MCG_CAP_COUNT & ~MCG_CTL_P )
++    {
++        dprintk(XENLOG_G_ERR, "%s restore: unsupported MCA capabilities"
++                " %#" PRIx64 " for d%d:v%u (supported: %#Lx)\n",
++                is_hvm_vcpu(v) ? "HVM" : "PV", caps, v->domain->domain_id,
++                v->vcpu_id, g_mcg_cap & ~MCG_CAP_COUNT);
++        return -EPERM;
++    }
++
++    v->arch.mcg_cap = caps;
++    return 0;
++}
++
++static int bank_mce_rdmsr(const struct vcpu *v, uint32_t msr, uint64_t *val)
++{
++    int ret = 1;
++    unsigned int bank = (msr - MSR_IA32_MC0_CTL) / 4;
++    struct domain_mca_msrs *vmce = dom_vmce(v->domain);
+     struct bank_entry *entry;
+ 
+-    bank = (msr - MSR_IA32_MC0_CTL) / 4;
+-    if ( bank >= nr_mce_banks )
+-        return -1;
++    *val = 0;
+ 
+     switch ( msr & (MSR_IA32_MC0_CTL | 3) )
+     {
+     case MSR_IA32_MC0_CTL:
+-        *val = vmce->mci_ctl[bank] &
+-            (h_mci_ctrl ? h_mci_ctrl[bank] : ~0UL);
++        if ( bank < nr_mce_banks )
++            *val = vmce->mci_ctl[bank] &
++                   (h_mci_ctrl ? h_mci_ctrl[bank] : ~0UL);
+         mce_printk(MCE_VERBOSE, "MCE: rdmsr MC%u_CTL 0x%"PRIx64"\n",
+                    bank, *val);
+         break;
+@@ -126,7 +146,7 @@ static int bank_mce_rdmsr(struct domain 
+         switch ( boot_cpu_data.x86_vendor )
+         {
+         case X86_VENDOR_INTEL:
+-            ret = intel_mce_rdmsr(msr, val);
++            ret = intel_mce_rdmsr(v, msr, val);
+             break;
+         default:
+             ret = 0;
+@@ -145,13 +165,13 @@ static int bank_mce_rdmsr(struct domain 
+  */
+ int vmce_rdmsr(uint32_t msr, uint64_t *val)
+ {
+-    struct domain *d = current->domain;
+-    struct domain_mca_msrs *vmce = dom_vmce(d);
++    const struct vcpu *cur = current;
++    struct domain_mca_msrs *vmce = dom_vmce(cur->domain);
+     int ret = 1;
+ 
+     *val = 0;
+ 
+-    spin_lock(&dom_vmce(d)->lock);
++    spin_lock(&vmce->lock);
+ 
+     switch ( msr )
+     {
+@@ -162,39 +182,38 @@ int vmce_rdmsr(uint32_t msr, uint64_t *v
+                        "MCE: rdmsr MCG_STATUS 0x%"PRIx64"\n", *val);
+         break;
+     case MSR_IA32_MCG_CAP:
+-        *val = vmce->mcg_cap;
++        *val = cur->arch.mcg_cap;
+         mce_printk(MCE_VERBOSE, "MCE: rdmsr MCG_CAP 0x%"PRIx64"\n",
+                    *val);
+         break;
+     case MSR_IA32_MCG_CTL:
+         /* Always 0 if no CTL support */
+-        *val = vmce->mcg_ctl & h_mcg_ctl;
++        if ( cur->arch.mcg_cap & MCG_CTL_P )
++            *val = vmce->mcg_ctl & h_mcg_ctl;
+         mce_printk(MCE_VERBOSE, "MCE: rdmsr MCG_CTL 0x%"PRIx64"\n",
+                    *val);
+         break;
+     default:
+-        ret = mce_bank_msr(msr) ? bank_mce_rdmsr(d, msr, val) : 0;
++        ret = mce_bank_msr(cur, msr) ? bank_mce_rdmsr(cur, msr, val) : 0;
+         break;
+     }
+ 
+-    spin_unlock(&dom_vmce(d)->lock);
++    spin_unlock(&vmce->lock);
+     return ret;
+ }
+ 
+-static int bank_mce_wrmsr(struct domain *d, u32 msr, u64 val)
++static int bank_mce_wrmsr(struct vcpu *v, u32 msr, u64 val)
+ {
+-    int bank, ret = 1;
+-    struct domain_mca_msrs *vmce = dom_vmce(d);
++    int ret = 1;
++    unsigned int bank = (msr - MSR_IA32_MC0_CTL) / 4;
++    struct domain_mca_msrs *vmce = dom_vmce(v->domain);
+     struct bank_entry *entry = NULL;
+ 
+-    bank = (msr - MSR_IA32_MC0_CTL) / 4;
+-    if ( bank >= nr_mce_banks )
+-        return -EINVAL;
+-
+     switch ( msr & (MSR_IA32_MC0_CTL | 3) )
+     {
+     case MSR_IA32_MC0_CTL:
+-        vmce->mci_ctl[bank] = val;
++        if ( bank < nr_mce_banks )
++            vmce->mci_ctl[bank] = val;
+         break;
+     case MSR_IA32_MC0_STATUS:
+         /* Give the first entry of the list, it corresponds to current
+@@ -202,9 +221,9 @@ static int bank_mce_wrmsr(struct domain 
+          * the guest, this node will be deleted.
+          * Only error bank is written. Non-error banks simply return.
+          */
+-        if ( !list_empty(&dom_vmce(d)->impact_header) )
++        if ( !list_empty(&vmce->impact_header) )
+         {
+-            entry = list_entry(dom_vmce(d)->impact_header.next,
++            entry = list_entry(vmce->impact_header.next,
+                                struct bank_entry, list);
+             if ( entry->bank == bank )
+                 entry->mci_status = val;
+@@ -228,7 +247,7 @@ static int bank_mce_wrmsr(struct domain 
+         switch ( boot_cpu_data.x86_vendor )
+         {
+         case X86_VENDOR_INTEL:
+-            ret = intel_mce_wrmsr(msr, val);
++            ret = intel_mce_wrmsr(v, msr, val);
+             break;
+         default:
+             ret = 0;
+@@ -247,9 +266,9 @@ static int bank_mce_wrmsr(struct domain 
+  */
+ int vmce_wrmsr(u32 msr, u64 val)
+ {
+-    struct domain *d = current->domain;
++    struct vcpu *cur = current;
+     struct bank_entry *entry = NULL;
+-    struct domain_mca_msrs *vmce = dom_vmce(d);
++    struct domain_mca_msrs *vmce = dom_vmce(cur->domain);
+     int ret = 1;
+ 
+     if ( !g_mcg_cap )
+@@ -266,7 +285,7 @@ int vmce_wrmsr(u32 msr, u64 val)
+         vmce->mcg_status = val;
+         mce_printk(MCE_VERBOSE, "MCE: wrmsr MCG_STATUS %"PRIx64"\n", val);
+         /* For HVM guest, this is the point for deleting vMCE injection node */
+-        if ( d->is_hvm && (vmce->nr_injection > 0) )
++        if ( is_hvm_vcpu(cur) && (vmce->nr_injection > 0) )
+         {
+             vmce->nr_injection--; /* Should be 0 */
+             if ( !list_empty(&vmce->impact_header) )
+@@ -293,7 +312,7 @@ int vmce_wrmsr(u32 msr, u64 val)
+         ret = -1;
+         break;
+     default:
+-        ret = mce_bank_msr(msr) ? bank_mce_wrmsr(d, msr, val) : 0;
++        ret = mce_bank_msr(cur, msr) ? bank_mce_wrmsr(cur, msr, val) : 0;
+         break;
+     }
+ 
+@@ -301,6 +320,46 @@ int vmce_wrmsr(u32 msr, u64 val)
+     return ret;
+ }
+ 
++static int vmce_save_vcpu_ctxt(struct domain *d, hvm_domain_context_t *h)
++{
++    struct vcpu *v;
++    int err = 0;
++
++    for_each_vcpu( d, v ) {
++        struct hvm_vmce_vcpu ctxt = {
++            .caps = v->arch.mcg_cap
++        };
++
++        err = hvm_save_entry(VMCE_VCPU, v->vcpu_id, h, &ctxt);
++        if ( err )
++            break;
++    }
++
++    return err;
++}
++
++static int vmce_load_vcpu_ctxt(struct domain *d, hvm_domain_context_t *h)
++{
++    unsigned int vcpuid = hvm_load_instance(h);
++    struct vcpu *v;
++    struct hvm_vmce_vcpu ctxt;
++    int err;
++
++    if ( vcpuid >= d->max_vcpus || (v = d->vcpu[vcpuid]) == NULL )
++    {
++        dprintk(XENLOG_G_ERR, "HVM restore: dom%d has no vcpu%u\n",
++                d->domain_id, vcpuid);
++        err = -EINVAL;
++    }
++    else
++        err = hvm_load_entry(VMCE_VCPU, h, &ctxt);
++
++    return err ?: vmce_restore_vcpu(v, ctxt.caps);
++}
++
++HVM_REGISTER_SAVE_RESTORE(VMCE_VCPU, vmce_save_vcpu_ctxt,
++                          vmce_load_vcpu_ctxt, 1, HVMSR_PER_VCPU);
++
+ int inject_vmce(struct domain *d)
+ {
+     int cpu = smp_processor_id();
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -376,6 +376,8 @@ int vcpu_initialise(struct vcpu *v)
+     if ( (rc = xsave_alloc_save_area(v)) != 0 )
+         return rc;
+ 
++    vmce_init_vcpu(v);
++
+     if ( is_hvm_domain(d) )
+     {
+         if ( (rc = hvm_vcpu_initialise(v)) != 0 )
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -1137,11 +1137,12 @@ long arch_do_domctl(
+             evc->syscall32_callback_eip    = 0;
+             evc->syscall32_disables_events = 0;
+ #endif
++            evc->mcg_cap = v->arch.mcg_cap;
+         }
+         else
+         {
+             ret = -EINVAL;
+-            if ( evc->size != sizeof(*evc) )
++            if ( evc->size < offsetof(typeof(*evc), mcg_cap) )
+                 goto ext_vcpucontext_out;
+ #ifdef __x86_64__
+             fixup_guest_code_selector(d, evc->sysenter_callback_cs);
+@@ -1160,6 +1161,9 @@ long arch_do_domctl(
+                  evc->syscall32_callback_eip )
+                 goto ext_vcpucontext_out;
+ #endif
++            if ( evc->size >= offsetof(typeof(*evc), mcg_cap) +
++                              sizeof(evc->mcg_cap) )
++                ret = vmce_restore_vcpu(v, evc->mcg_cap);
+         }
+ 
+         ret = 0;
+--- a/xen/include/asm-x86/domain.h
++++ b/xen/include/asm-x86/domain.h
+@@ -425,6 +425,8 @@ struct arch_vcpu
+      */
+     uint64_t xcr0_accum;
+ 
++    uint64_t mcg_cap;
++
+     /* Current LDT details. */
+     unsigned long shadow_ldt_mapcnt;
+     spinlock_t shadow_ldt_lock;
+--- a/xen/include/asm-x86/mce.h
++++ b/xen/include/asm-x86/mce.h
+@@ -16,7 +16,6 @@ struct bank_entry {
+ struct domain_mca_msrs
+ {
+     /* Guest should not change below values after DOM boot up */
+-    uint64_t mcg_cap;
+     uint64_t mcg_ctl;
+     uint64_t mcg_status;
+     uint64_t *mci_ctl;
+@@ -28,6 +27,8 @@ struct domain_mca_msrs
+ /* Guest vMCE MSRs virtualization */
+ extern int vmce_init_msr(struct domain *d);
+ extern void vmce_destroy_msr(struct domain *d);
++extern void vmce_init_vcpu(struct vcpu *);
++extern int vmce_restore_vcpu(struct vcpu *, uint64_t caps);
+ extern int vmce_wrmsr(uint32_t msr, uint64_t val);
+ extern int vmce_rdmsr(uint32_t msr, uint64_t *val);
+ #endif
+--- a/xen/include/asm-x86/msr-index.h
++++ b/xen/include/asm-x86/msr-index.h
+@@ -101,48 +101,40 @@
+ #define MSR_AMD64_MC0_MASK		0xc0010044
+ 
+ #define MSR_IA32_MC1_CTL		0x00000404
+-#define MSR_IA32_MC1_CTL2		0x00000281
+ #define MSR_IA32_MC1_STATUS		0x00000405
+ #define MSR_IA32_MC1_ADDR		0x00000406
+ #define MSR_IA32_MC1_MISC		0x00000407
+ 
+ #define MSR_IA32_MC2_CTL		0x00000408
+-#define MSR_IA32_MC2_CTL2		0x00000282
+ #define MSR_IA32_MC2_STATUS		0x00000409
+ #define MSR_IA32_MC2_ADDR		0x0000040A
+ #define MSR_IA32_MC2_MISC		0x0000040B
+ 
+-#define MSR_IA32_MC3_CTL2		0x00000283
+ #define MSR_IA32_MC3_CTL		0x0000040C
+ #define MSR_IA32_MC3_STATUS		0x0000040D
+ #define MSR_IA32_MC3_ADDR		0x0000040E
+ #define MSR_IA32_MC3_MISC		0x0000040F
+ 
+-#define MSR_IA32_MC4_CTL2		0x00000284
+ #define MSR_IA32_MC4_CTL		0x00000410
+ #define MSR_IA32_MC4_STATUS		0x00000411
+ #define MSR_IA32_MC4_ADDR		0x00000412
+ #define MSR_IA32_MC4_MISC		0x00000413
+ 
+-#define MSR_IA32_MC5_CTL2		0x00000285
+ #define MSR_IA32_MC5_CTL		0x00000414
+ #define MSR_IA32_MC5_STATUS		0x00000415
+ #define MSR_IA32_MC5_ADDR		0x00000416
+ #define MSR_IA32_MC5_MISC		0x00000417
+ 
+-#define MSR_IA32_MC6_CTL2		0x00000286
+ #define MSR_IA32_MC6_CTL		0x00000418
+ #define MSR_IA32_MC6_STATUS		0x00000419
+ #define MSR_IA32_MC6_ADDR		0x0000041A
+ #define MSR_IA32_MC6_MISC		0x0000041B
+ 
+-#define MSR_IA32_MC7_CTL2		0x00000287
+ #define MSR_IA32_MC7_CTL		0x0000041C
+ #define MSR_IA32_MC7_STATUS		0x0000041D
+ #define MSR_IA32_MC7_ADDR		0x0000041E
+ #define MSR_IA32_MC7_MISC		0x0000041F
+ 
+-#define MSR_IA32_MC8_CTL2		0x00000288
+ #define MSR_IA32_MC8_CTL		0x00000420
+ #define MSR_IA32_MC8_STATUS		0x00000421
+ #define MSR_IA32_MC8_ADDR		0x00000422
+@@ -152,6 +144,7 @@
+ #define MSR_IA32_MCx_STATUS(x)		(MSR_IA32_MC0_STATUS + 4*(x))
+ #define MSR_IA32_MCx_ADDR(x)		(MSR_IA32_MC0_ADDR + 4*(x))
+ #define MSR_IA32_MCx_MISC(x)		(MSR_IA32_MC0_MISC + 4*(x)) 
++#define MSR_IA32_MCx_CTL2(x)		(MSR_IA32_MC0_CTL2 + (x))
+ 
+ #define MSR_AMD64_MCx_MASK(x)		(MSR_AMD64_MC0_MASK + (x))
+ 
+--- a/xen/include/public/arch-x86/hvm/save.h
++++ b/xen/include/public/arch-x86/hvm/save.h
+@@ -580,9 +580,15 @@ struct hvm_hw_cpu_xsave {
+ 
+ #define CPU_XSAVE_CODE  16
+ 
++struct hvm_vmce_vcpu {
++    uint64_t caps;
++};
++
++DECLARE_HVM_SAVE_TYPE(VMCE_VCPU, 18, struct hvm_vmce_vcpu);
++
+ /* 
+  * Largest type-code in use
+  */
+-#define HVM_SAVE_CODE_MAX 16
++#define HVM_SAVE_CODE_MAX 18
+ 
+ #endif /* __XEN_PUBLIC_HVM_SAVE_X86_H__ */
+--- a/xen/include/public/domctl.h
++++ b/xen/include/public/domctl.h
+@@ -558,7 +558,7 @@ struct xen_domctl_ext_vcpucontext {
+     uint32_t         vcpu;
+     /*
+      * SET: Size of struct (IN)
+-     * GET: Size of struct (OUT)
++     * GET: Size of struct (OUT, up to 128 bytes)
+      */
+     uint32_t         size;
+ #if defined(__i386__) || defined(__x86_64__)
+@@ -570,6 +570,7 @@ struct xen_domctl_ext_vcpucontext {
+     uint16_t         sysenter_callback_cs;
+     uint8_t          syscall32_disables_events;
+     uint8_t          sysenter_disables_events;
++    uint64_aligned_t mcg_cap;
+ #endif
+ };
+ typedef struct xen_domctl_ext_vcpucontext xen_domctl_ext_vcpucontext_t;
diff --git a/24888-pci-release-devices.patch b/24888-pci-release-devices.patch
new file mode 100644
index 0000000..8a44db5
--- /dev/null
+++ b/24888-pci-release-devices.patch
@@ -0,0 +1,84 @@
+References: bnc#744771
+
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1330080392 -3600
+# Node ID 71159fb049f253030c3820c260d092d4aec6b166
+# Parent  35d855e520038bf5814f53d105dc4adf58a670f2
+passthrough: release assigned PCI devices earlier during domain shutdown
+
+At least with xend, where there's not even a tool stack side attempt to
+de-assign devices during domain shutdown, this allows immediate re-
+starts of a domain to work reliably. (There's no apparent reason why
+c/s 18010:c1577f094ae4 chose to put this in the asynchronous part of
+domain destruction).
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/ia64/xen/dom0_ops.c
++++ b/xen/arch/ia64/xen/dom0_ops.c
+@@ -330,7 +330,8 @@ long arch_do_domctl(xen_domctl_t *op, XE
+             break;
+ 
+         ret = -EINVAL;
+-        if ( unlikely((d = get_domain_by_id(op->domain)) == NULL) )
++        if ( unlikely((d = get_domain_by_id(op->domain)) == NULL) ||
++             unlikely(d->is_dying) )
+         {
+             gdprintk(XENLOG_ERR,
+                 "XEN_DOMCTL_assign_device: get_domain_by_id() failed\n");
+--- a/xen/arch/ia64/xen/domain.c
++++ b/xen/arch/ia64/xen/domain.c
+@@ -671,10 +671,8 @@ void arch_domain_destroy(struct domain *
+ 		free_xenheap_pages(d->shared_info,
+ 				   get_order_from_shift(XSI_SHIFT));
+ 
+-	if ( iommu_enabled && need_iommu(d) )	{
+-		pci_release_devices(d);
++	if ( iommu_enabled && need_iommu(d) )
+ 		iommu_domain_destroy(d);
+-	}
+ 
+ 	tlb_track_destroy(d);
+ 
+@@ -1719,6 +1717,8 @@ int domain_relinquish_resources(struct d
+ 
+ 	switch (d->arch.relres) {
+ 	case RELRES_not_started:
++		pci_release_devices(d);
++
+ 		/* Relinquish guest resources for VT-i domain. */
+ 		if (is_hvm_domain(d))
+ 			vmx_relinquish_guest_resources(d);
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -607,7 +607,6 @@ void arch_domain_destroy(struct domain *
+         hvm_domain_destroy(d);
+ 
+     vmce_destroy_msr(d);
+-    pci_release_devices(d);
+     free_domain_pirqs(d);
+     if ( !is_idle_domain(d) )
+         iommu_domain_destroy(d);
+@@ -1956,6 +1955,8 @@ int domain_relinquish_resources(struct d
+     switch ( d->arch.relmem )
+     {
+     case RELMEM_not_started:
++        pci_release_devices(d);
++
+         /* Tear down paging-assistance stuff. */
+         paging_teardown(d);
+ 
+--- a/xen/arch/x86/domctl.c
++++ b/xen/arch/x86/domctl.c
+@@ -828,7 +828,8 @@ long arch_do_domctl(
+             break;
+ 
+         ret = -EINVAL;
+-        if ( unlikely((d = get_domain_by_id(domctl->domain)) == NULL) )
++        if ( unlikely((d = get_domain_by_id(domctl->domain)) == NULL) ||
++             unlikely(d->is_dying) )
+         {
+             gdprintk(XENLOG_ERR,
+                 "XEN_DOMCTL_assign_device: get_domain_by_id() failed\n");
diff --git a/blktap-disable-debug-printf.patch b/blktap-disable-debug-printf.patch
index 5d1dc3d..ec933ca 100644
--- a/blktap-disable-debug-printf.patch
+++ b/blktap-disable-debug-printf.patch
@@ -1,7 +1,7 @@
-Index: xen-4.0.2-testing/tools/blktap/drivers/blktapctrl.c
+Index: xen-4.1.2-testing/tools/blktap/drivers/blktapctrl.c
 ===================================================================
---- xen-4.0.2-testing.orig/tools/blktap/drivers/blktapctrl.c
-+++ xen-4.0.2-testing/tools/blktap/drivers/blktapctrl.c
+--- xen-4.1.2-testing.orig/tools/blktap/drivers/blktapctrl.c
++++ xen-4.1.2-testing/tools/blktap/drivers/blktapctrl.c
 @@ -59,6 +59,9 @@
  #include "list.h"
  #include "xs_api.h" /* for xs_fire_next_watch() */
@@ -12,10 +12,10 @@ Index: xen-4.0.2-testing/tools/blktap/drivers/blktapctrl.c
  #define PIDFILE "/var/run/blktapctrl.pid"
  
  #define NUM_POLL_FDS 2
-Index: xen-4.0.2-testing/tools/ioemu-qemu-xen/hw/xen_blktap.c
+Index: xen-4.1.2-testing/tools/ioemu-qemu-xen/hw/xen_blktap.c
 ===================================================================
---- xen-4.0.2-testing.orig/tools/ioemu-qemu-xen/hw/xen_blktap.c
-+++ xen-4.0.2-testing/tools/ioemu-qemu-xen/hw/xen_blktap.c
+--- xen-4.1.2-testing.orig/tools/ioemu-qemu-xen/hw/xen_blktap.c
++++ xen-4.1.2-testing/tools/ioemu-qemu-xen/hw/xen_blktap.c
 @@ -48,7 +48,7 @@
  #define BLKTAP_CTRL_DIR "/var/run/tap"
  
diff --git a/ioemu-9869-MSI-X-init.patch b/ioemu-9869-MSI-X-init.patch
new file mode 100644
index 0000000..f47849d
--- /dev/null
+++ b/ioemu-9869-MSI-X-init.patch
@@ -0,0 +1,53 @@
+# HG changeset patch
+# User Jan Beulich <jbeulich@suse.com>
+# Date 1325783746 0
+# Node ID db6c7b83d4165ada5498339b87031a09f5b79d8a
+# Parent  11ca857d983420a9f54e4d0e6919f8e6bd5fca48
+qemu-xen: fix sequence of operations in pt_msix_init()
+
+Checking the return value of mmap() must be done before adjusting the
+value, otherwise failure may not be detected.
+
+Closing the file handle, on the other hand, can be done before checking
+the return value.
+
+Finally, printing the errno value without knowing whether the previous
+function actually failed is bogus (and superfluous since a subsequent
+message prints the strerror() representaton anyway).
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+committer: Ian Jackson <Ian.Jackson@eu.citrix.com>
+
+--- a/tools/ioemu-qemu-xen/hw/pt-msi.c
++++ b/tools/ioemu-qemu-xen/hw/pt-msi.c
+@@ -537,7 +537,6 @@ int pt_msix_init(struct pt_dev *dev, int
+     int i, total_entries, table_off, bar_index;
+     struct pci_dev *pd = dev->pci_dev;
+     int fd;
+-    int err;
+ 
+     id = pci_read_byte(pd, pos + PCI_CAP_LIST_ID);
+ 
+@@ -585,17 +584,14 @@ int pt_msix_init(struct pt_dev *dev, int
+     dev->msix->phys_iomem_base = mmap(0, total_entries * 16 + dev->msix->table_offset_adjust,
+                           PROT_READ, MAP_SHARED | MAP_LOCKED,
+                           fd, dev->msix->table_base + table_off - dev->msix->table_offset_adjust);
+-    dev->msix->phys_iomem_base = (void *)((char *)dev->msix->phys_iomem_base + 
+-                          dev->msix->table_offset_adjust);
+-    err = errno;
+-    PT_LOG("errno = %d\n",err);
++    close(fd);
+     if ( dev->msix->phys_iomem_base == MAP_FAILED )
+     {
+         PT_LOG("Error: Can't map physical MSI-X table: %s\n", strerror(errno));
+-        close(fd);
+         goto error_out;
+     }
+-    close(fd);
++
++    dev->msix->phys_iomem_base += dev->msix->table_offset_adjust;
+ 
+     PT_LOG("mapping physical MSI-X table to %lx\n",
+            (unsigned long)dev->msix->phys_iomem_base);
diff --git a/ioemu-MSI-X-fix-unregister_iomem.patch b/ioemu-9873-MSI-X-fix-unregister_iomem.patch
similarity index 100%
rename from ioemu-MSI-X-fix-unregister_iomem.patch
rename to ioemu-9873-MSI-X-fix-unregister_iomem.patch
diff --git a/2XXXX-vif-bridge.patch b/vif-bridge-tap-fix.patch
similarity index 66%
rename from 2XXXX-vif-bridge.patch
rename to vif-bridge-tap-fix.patch
index 0d480b0..2aa3cab 100644
--- a/2XXXX-vif-bridge.patch
+++ b/vif-bridge-tap-fix.patch
@@ -10,20 +10,21 @@ it from adding user-created taps to bridges.
 
     Signed-off-by: Jim Fehlig <jfehlig@suse.com>
 
-diff -r 6c583d35d76d -r 74da2a3a1db1 tools/hotplug/Linux/vif-bridge
---- a/tools/hotplug/Linux/vif-bridge	Thu Oct 20 15:36:01 2011 +0100
-+++ b/tools/hotplug/Linux/vif-bridge	Tue Oct 25 16:32:32 2011 -0600
-@@ -31,6 +31,13 @@
- 
+Index: xen-4.1.2-testing/tools/hotplug/Linux/vif-bridge
+===================================================================
+--- xen-4.1.2-testing.orig/tools/hotplug/Linux/vif-bridge
++++ xen-4.1.2-testing/tools/hotplug/Linux/vif-bridge
+@@ -32,6 +32,13 @@
  dir=$(dirname "$0")
  . "$dir/vif-common.sh"
-+
-+domu=$(xenstore_read_default "$XENBUS_PATH/domain" "")
-+if [ -z "$domu" ]
+ 
++mac=$(xenstore_read_default "$XENBUS_PATH/mac" "")
++if [ -z "$mac" ]
 +then
 +    log debug "No device details in $XENBUS_PATH, exiting."
 +    exit 0
 +fi
- 
++
  bridge=${bridge:-}
  bridge=$(xenstore_read_default "$XENBUS_PATH/bridge" "$bridge")
+ 
diff --git a/xen-warnings-unused.diff b/xen-warnings-unused.diff
index 98e0256..4173f5f 100644
--- a/xen-warnings-unused.diff
+++ b/xen-warnings-unused.diff
@@ -1,5 +1,7 @@
---- a/tools/libxc/xc_tmem.c
-+++ b/tools/libxc/xc_tmem.c
+Index: xen-4.1.2-testing/tools/libxc/xc_tmem.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/libxc/xc_tmem.c
++++ xen-4.1.2-testing/tools/libxc/xc_tmem.c
 @@ -390,7 +390,8 @@ static int xc_tmem_restore_new_pool(
  
  int xc_tmem_restore(xc_interface *xch, int dom, int io_fd)
@@ -10,8 +12,10 @@
      uint32_t this_max_pools, this_version;
      uint32_t pool_id;
      uint32_t minusone;
---- a/tools/libxc/xc_domain_restore.c
-+++ b/tools/libxc/xc_domain_restore.c
+Index: xen-4.1.2-testing/tools/libxc/xc_domain_restore.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/libxc/xc_domain_restore.c
++++ xen-4.1.2-testing/tools/libxc/xc_domain_restore.c
 @@ -1087,7 +1087,6 @@ int xc_domain_restore(xc_interface *xch,
      int vcpuextstate = 0;
      uint32_t vcpuextstate_size = 0;
@@ -28,8 +32,10 @@
  
      n = m = 0;
   loadpages:
---- a/tools/misc/gtraceview.c
-+++ b/tools/misc/gtraceview.c
+Index: xen-4.1.2-testing/tools/misc/gtraceview.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/misc/gtraceview.c
++++ xen-4.1.2-testing/tools/misc/gtraceview.c
 @@ -622,7 +622,8 @@ void crt_init(void)
  void nr_addch(int nr, int ch)
  {
@@ -40,8 +46,10 @@
      getyx(stdscr, y, x);
      for (i = 0; i < nr; i++) {
          if (x == COLS-1)
---- a/tools/xcutils/xc_restore.c
-+++ b/tools/xcutils/xc_restore.c
+Index: xen-4.1.2-testing/tools/xcutils/xc_restore.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/xcutils/xc_restore.c
++++ xen-4.1.2-testing/tools/xcutils/xc_restore.c
 @@ -19,7 +19,8 @@ int
  main(int argc, char **argv)
  {
@@ -52,8 +60,10 @@
      xc_interface *xch;
      int io_fd, ret;
      int superpages;
---- a/tools/firmware/rombios/32bit/tcgbios/tcgbios.c
-+++ b/tools/firmware/rombios/32bit/tcgbios/tcgbios.c
+Index: xen-4.1.2-testing/tools/firmware/rombios/32bit/tcgbios/tcgbios.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/firmware/rombios/32bit/tcgbios/tcgbios.c
++++ xen-4.1.2-testing/tools/firmware/rombios/32bit/tcgbios/tcgbios.c
 @@ -1064,7 +1064,7 @@ uint32_t HashLogEvent32(struct hlei *hle
  	uint32_t rc = 0;
  	uint16_t size;
@@ -63,8 +73,10 @@
  	uint32_t hashdataptr;
  	uint32_t hashdatalen;
  
---- a/tools/console/client/main.c
-+++ b/tools/console/client/main.c
+Index: xen-4.1.2-testing/tools/console/client/main.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/console/client/main.c
++++ xen-4.1.2-testing/tools/console/client/main.c
 @@ -277,7 +277,8 @@ int main(int argc, char **argv)
  
  	};
@@ -75,8 +87,10 @@
  	struct xs_handle *xs;
  	char *end;
  	console_type type = CONSOLE_INVAL;
---- a/tools/xenstat/xentop/xentop.c
-+++ b/tools/xenstat/xentop/xentop.c
+Index: xen-4.1.2-testing/tools/xenstat/xentop/xentop.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/xenstat/xentop/xentop.c
++++ xen-4.1.2-testing/tools/xenstat/xentop/xentop.c
 @@ -272,7 +272,8 @@ static void fail(const char *str)
  /* Return the row containing the cursor. */
  static int current_row(void)
@@ -97,9 +111,11 @@
  	getmaxyx(stdscr, y, x);
  	return y;
  }
---- a/tools/libxl/libxlu_cfg.c
-+++ b/tools/libxl/libxlu_cfg.c
-@@ -348,7 +348,7 @@ char *xlu__cfgl_dequote(CfgParseContext 
+Index: xen-4.1.2-testing/tools/libxl/libxlu_cfg.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/libxl/libxlu_cfg.c
++++ xen-4.1.2-testing/tools/libxl/libxlu_cfg.c
+@@ -348,7 +348,7 @@ char *xlu__cfgl_dequote(CfgParseContext
  
  #define NUMERIC_CHAR(minlen,maxlen,base,basetext) do{                        \
                  char numbuf[(maxlen)+1], *ep;                                \
@@ -108,9 +124,11 @@
                                                                               \
                  strncpy(numbuf,p,(maxlen));                                  \
                  numbuf[(maxlen)]= 0;                                         \
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-@@ -221,7 +221,7 @@ int libxl_domain_rename(libxl_ctx *ctx, 
+Index: xen-4.1.2-testing/tools/libxl/libxl.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/libxl/libxl.c
++++ xen-4.1.2-testing/tools/libxl/libxl.c
+@@ -221,7 +221,7 @@ int libxl_domain_rename(libxl_ctx *ctx,
  int libxl_domain_resume(libxl_ctx *ctx, uint32_t domid)
  {
      libxl__gc gc = LIBXL_INIT_GC(ctx);
@@ -119,7 +137,7 @@
  
      if (libxl__domain_is_hvm(ctx, domid)) {
          LIBXL__LOG(ctx, LIBXL__LOG_DEBUG, "Called domain_resume on "
-@@ -1291,7 +1291,7 @@ libxl_nicinfo *libxl_list_nics(libxl_ctx
+@@ -1297,7 +1297,7 @@ libxl_nicinfo *libxl_list_nics(libxl_ctx
  {
      libxl__gc gc = LIBXL_INIT_GC(ctx);
      char *dompath, *nic_path_fe;
@@ -128,7 +146,7 @@
      char *val, *tok;
      unsigned int nb_nics, i;
      libxl_nicinfo *res, *nics;
-@@ -1299,7 +1299,7 @@ libxl_nicinfo *libxl_list_nics(libxl_ctx
+@@ -1305,7 +1305,7 @@ libxl_nicinfo *libxl_list_nics(libxl_ctx
      dompath = libxl__xs_get_dompath(&gc, domid);
      if (!dompath)
          goto err;
@@ -137,8 +155,10 @@
                             libxl__sprintf(&gc, "%s/device/vif", dompath), &nb_nics);
      if (!l)
          goto err;
---- a/tools/libxl/libxl_pci.c
-+++ b/tools/libxl/libxl_pci.c
+Index: xen-4.1.2-testing/tools/libxl/libxl_pci.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/libxl/libxl_pci.c
++++ xen-4.1.2-testing/tools/libxl/libxl_pci.c
 @@ -240,7 +240,7 @@ static int libxl_create_pci_backend(libx
      flexarray_t *front = NULL;
      flexarray_t *back = NULL;
@@ -157,8 +177,10 @@
      LIBXL__LOG(ctx, LIBXL__LOG_DEBUG, "Creating pci backend");
  
      /* add pci device */
---- a/tools/libxl/libxl_dom.c
-+++ b/tools/libxl/libxl_dom.c
+Index: xen-4.1.2-testing/tools/libxl/libxl_dom.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/libxl/libxl_dom.c
++++ xen-4.1.2-testing/tools/libxl/libxl_dom.c
 @@ -265,14 +265,13 @@ int libxl__build_hvm(libxl_ctx *ctx, uin
                libxl_domain_build_info *info, libxl_domain_build_state *state)
  {
@@ -183,8 +205,10 @@
  out:
      libxl__free_all(&gc);
      return 0;
---- a/tools/libxl/libxl_utils.c
-+++ b/tools/libxl/libxl_utils.c
+Index: xen-4.1.2-testing/tools/libxl/libxl_utils.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/libxl/libxl_utils.c
++++ xen-4.1.2-testing/tools/libxl/libxl_utils.c
 @@ -531,7 +531,7 @@ int libxl_devid_to_device_disk(libxl_ctx
      libxl__gc gc = LIBXL_INIT_GC(ctx);
      char *val;
@@ -194,8 +218,10 @@
      int rc = ERROR_INVAL;
  
      devid_n = libxl__device_disk_dev_number(devid);
---- a/tools/libxl/xl_cmdimpl.c
-+++ b/tools/libxl/xl_cmdimpl.c
+Index: xen-4.1.2-testing/tools/libxl/xl_cmdimpl.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/libxl/xl_cmdimpl.c
++++ xen-4.1.2-testing/tools/libxl/xl_cmdimpl.c
 @@ -5448,7 +5448,7 @@ int main_cpupoollist(int argc, char **ar
          {"cpus", 0, 0, 'c'},
          {0, 0, 0, 0}
@@ -205,8 +231,10 @@
      int opt_cpus = 0;
      const char *pool = NULL;
      libxl_cpupoolinfo *poolinfo;
---- a/tools/debugger/gdbsx/gx/gx_comm.c
-+++ b/tools/debugger/gdbsx/gx/gx_comm.c
+Index: xen-4.1.2-testing/tools/debugger/gdbsx/gx/gx_comm.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/debugger/gdbsx/gx/gx_comm.c
++++ xen-4.1.2-testing/tools/debugger/gdbsx/gx/gx_comm.c
 @@ -163,7 +163,7 @@ readchar(void)
      static char buf[BUFSIZ];
      static int bufcnt = 0;
@@ -216,8 +244,10 @@
  
      if (bufcnt-- > 0)
          return *bufp++ & 0x7f;
---- a/tools/python/xen/lowlevel/checkpoint/libcheckpoint.c
-+++ b/tools/python/xen/lowlevel/checkpoint/libcheckpoint.c
+Index: xen-4.1.2-testing/tools/python/xen/lowlevel/checkpoint/libcheckpoint.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/python/xen/lowlevel/checkpoint/libcheckpoint.c
++++ xen-4.1.2-testing/tools/python/xen/lowlevel/checkpoint/libcheckpoint.c
 @@ -820,7 +820,7 @@ static int create_suspend_thread(checkpo
  
  static void stop_suspend_thread(checkpoint_state* s)
@@ -227,8 +257,10 @@
  
    s->done = 1;
  
---- a/tools/python/xen/lowlevel/netlink/libnetlink.c
-+++ b/tools/python/xen/lowlevel/netlink/libnetlink.c
+Index: xen-4.1.2-testing/tools/python/xen/lowlevel/netlink/libnetlink.c
+===================================================================
+--- xen-4.1.2-testing.orig/tools/python/xen/lowlevel/netlink/libnetlink.c
++++ xen-4.1.2-testing/tools/python/xen/lowlevel/netlink/libnetlink.c
 @@ -433,7 +433,8 @@ int rtnl_from_file(FILE *rtnl, rtnl_filt
         nladdr.nl_groups = 0;
  
@@ -239,8 +271,10 @@
                 int l;
  
                 status = fread(&buf, 1, sizeof(*h), rtnl);
---- a/xen/arch/x86/msi.c
-+++ b/xen/arch/x86/msi.c
+Index: xen-4.1.2-testing/xen/arch/x86/msi.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/msi.c
++++ xen-4.1.2-testing/xen/arch/x86/msi.c
 @@ -799,7 +799,7 @@ static void __pci_disable_msi(struct msi
  {
      struct pci_dev *dev;
@@ -250,8 +284,10 @@
      u8 bus, slot, func;
  
      dev = entry->dev;
---- a/xen/common/cpupool.c
-+++ b/xen/common/cpupool.c
+Index: xen-4.1.2-testing/xen/common/cpupool.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/common/cpupool.c
++++ xen-4.1.2-testing/xen/common/cpupool.c
 @@ -356,7 +356,7 @@ int cpupool_add_domain(struct domain *d,
  {
      struct cpupool *c;
@@ -272,9 +308,11 @@
  
      if ( d->cpupool == NULL )
          return;
---- a/xen/common/grant_table.c
-+++ b/xen/common/grant_table.c
-@@ -765,7 +765,7 @@ __gnttab_unmap_common(
+Index: xen-4.1.2-testing/xen/common/grant_table.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/common/grant_table.c
++++ xen-4.1.2-testing/xen/common/grant_table.c
+@@ -767,7 +767,7 @@ __gnttab_unmap_common(
      struct domain   *ld, *rd;
      struct active_grant_entry *act;
      s16              rc = 0;
@@ -283,8 +321,10 @@
  
      ld = current->domain;
  
---- a/xen/common/kexec.c
-+++ b/xen/common/kexec.c
+Index: xen-4.1.2-testing/xen/common/kexec.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/common/kexec.c
++++ xen-4.1.2-testing/xen/common/kexec.c
 @@ -573,7 +573,8 @@ static int kexec_exec(XEN_GUEST_HANDLE(v
  {
      xen_kexec_exec_t exec;
@@ -295,8 +335,10 @@
  
      if ( unlikely(copy_from_guest(&exec, uarg, 1)) )
          return -EFAULT;
---- a/xen/drivers/passthrough/vtd/intremap.c
-+++ b/xen/drivers/passthrough/vtd/intremap.c
+Index: xen-4.1.2-testing/xen/drivers/passthrough/vtd/intremap.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/drivers/passthrough/vtd/intremap.c
++++ xen-4.1.2-testing/xen/drivers/passthrough/vtd/intremap.c
 @@ -367,7 +367,7 @@ unsigned int io_apic_read_remap_rte(
      unsigned int ioapic_pin = (reg - 0x10) / 2;
      int index;
@@ -315,8 +357,10 @@
  
          iommu = drhd->iommu;
          qi_ctrl = iommu_qi_ctrl(iommu);
---- a/xen/common/sched_credit2.c
-+++ b/xen/common/sched_credit2.c
+Index: xen-4.1.2-testing/xen/common/sched_credit2.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/common/sched_credit2.c
++++ xen-4.1.2-testing/xen/common/sched_credit2.c
 @@ -1854,7 +1854,8 @@ static void deactivate_runqueue(struct c
  
  static void init_pcpu(const struct scheduler *ops, int cpu)
@@ -327,9 +371,11 @@
      struct csched_private *prv = CSCHED_PRIV(ops);
      struct csched_runqueue_data *rqd;
      spinlock_t *old_lock;
---- a/xen/common/unlzo.c
-+++ b/xen/common/unlzo.c
-@@ -68,7 +68,7 @@ static int INIT parse_header(u8 *input, 
+Index: xen-4.1.2-testing/xen/common/unlzo.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/common/unlzo.c
++++ xen-4.1.2-testing/xen/common/unlzo.c
+@@ -68,7 +68,7 @@ static int INIT parse_header(u8 *input,
  {
  	int l;
  	u8 *parse = input;
@@ -338,8 +384,10 @@
  	u16 version;
  
  	/* read magic: 9 first bits */
---- a/xen/arch/x86/time.c
-+++ b/xen/arch/x86/time.c
+Index: xen-4.1.2-testing/xen/arch/x86/time.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/time.c
++++ xen-4.1.2-testing/xen/arch/x86/time.c
 @@ -1009,7 +1009,8 @@ static void local_time_calibration(void)
       * System timestamps, extrapolated from local and master oscillators,
       * taken during this calibration and the previous calibration.
@@ -350,8 +398,10 @@
      s_time_t prev_master_stime, curr_master_stime;
  
      /* TSC timestamps taken during this calibration and prev calibration. */
---- a/xen/arch/x86/cpu/amd.c
-+++ b/xen/arch/x86/cpu/amd.c
+Index: xen-4.1.2-testing/xen/arch/x86/cpu/amd.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/cpu/amd.c
++++ xen-4.1.2-testing/xen/arch/x86/cpu/amd.c
 @@ -391,7 +391,7 @@ static void __devinit init_amd(struct cp
  {
  	u32 l, h;
@@ -361,9 +411,11 @@
  
  #ifdef CONFIG_SMP
  	unsigned long long value;
---- a/xen/arch/x86/mm/p2m.c
-+++ b/xen/arch/x86/mm/p2m.c
-@@ -2339,7 +2339,7 @@ p2m_remove_page(struct p2m_domain *p2m, 
+Index: xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/mm/p2m.c
++++ xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
+@@ -2339,7 +2339,7 @@ p2m_remove_page(struct p2m_domain *p2m,
                  unsigned int page_order)
  {
      unsigned long i;
@@ -381,8 +433,10 @@
      int pod_count = 0;
      int rc = 0;
  
---- a/xen/arch/x86/hvm/emulate.c
-+++ b/xen/arch/x86/hvm/emulate.c
+Index: xen-4.1.2-testing/xen/arch/x86/hvm/emulate.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/hvm/emulate.c
++++ xen-4.1.2-testing/xen/arch/x86/hvm/emulate.c
 @@ -59,7 +59,7 @@ static int hvmemul_do_io(
      ioreq_t *p = get_ioreq(curr);
      unsigned long ram_gfn = paddr_to_pfn(ram_gpa);
@@ -392,8 +446,10 @@
      int rc;
  
      /* Check for paged out page */
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
+Index: xen-4.1.2-testing/xen/arch/x86/hvm/hvm.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/hvm/hvm.c
++++ xen-4.1.2-testing/xen/arch/x86/hvm/hvm.c
 @@ -253,7 +253,8 @@ void hvm_migrate_timers(struct vcpu *v)
  
  void hvm_migrate_pirqs(struct vcpu *v)
@@ -404,7 +460,7 @@
      struct irq_desc *desc;
      struct domain *d = v->domain;
      struct hvm_irq_dpci *hvm_irq_dpci = d->arch.hvm_domain.irq.dpci;
-@@ -3589,7 +3590,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
+@@ -3686,7 +3687,7 @@ long do_hvm_op(unsigned long op, XEN_GUE
          {
              p2m_type_t t;
              p2m_type_t nt;
@@ -413,8 +469,10 @@
              mfn = gfn_to_mfn_unshare(p2m, pfn, &t, 0);
              if ( p2m_is_paging(t) )
              {
---- a/xen/arch/x86/acpi/cpu_idle.c
-+++ b/xen/arch/x86/acpi/cpu_idle.c
+Index: xen-4.1.2-testing/xen/arch/x86/acpi/cpu_idle.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/acpi/cpu_idle.c
++++ xen-4.1.2-testing/xen/arch/x86/acpi/cpu_idle.c
 @@ -276,7 +276,7 @@ static void acpi_processor_ffh_cstate_en
  
  static void acpi_idle_do_entry(struct acpi_processor_cx *cx)
@@ -424,8 +482,10 @@
  
      switch ( cx->entry_method )
      {
---- a/xen/arch/x86/cpu/intel_cacheinfo.c
-+++ b/xen/arch/x86/cpu/intel_cacheinfo.c
+Index: xen-4.1.2-testing/xen/arch/x86/cpu/intel_cacheinfo.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/cpu/intel_cacheinfo.c
++++ xen-4.1.2-testing/xen/arch/x86/cpu/intel_cacheinfo.c
 @@ -170,7 +170,8 @@ unsigned int __cpuinit init_intel_cachei
  	unsigned int trace = 0, l1i = 0, l1d = 0, l2 = 0, l3 = 0; /* Cache sizes */
  	unsigned int new_l1d = 0, new_l1i = 0; /* Cache sizes from cpuid(4) */
@@ -436,9 +496,11 @@
  
  	if (c->cpuid_level > 3) {
  		static int is_initialized;
---- a/xen/arch/x86/mm/mem_sharing.c
-+++ b/xen/arch/x86/mm/mem_sharing.c
-@@ -375,7 +375,7 @@ int mem_sharing_debug_gfn(struct domain 
+Index: xen-4.1.2-testing/xen/arch/x86/mm/mem_sharing.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/mm/mem_sharing.c
++++ xen-4.1.2-testing/xen/arch/x86/mm/mem_sharing.c
+@@ -375,7 +375,7 @@ int mem_sharing_debug_gfn(struct domain
  {
      p2m_type_t p2mt;
      mfn_t mfn;
@@ -447,8 +509,10 @@
  
      mfn = gfn_to_mfn(p2m_get_hostp2m(d), gfn, &p2mt);
      page = mfn_to_page(mfn);
---- a/xen/arch/x86/hvm/viridian.c
-+++ b/xen/arch/x86/hvm/viridian.c
+Index: xen-4.1.2-testing/xen/arch/x86/hvm/viridian.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/hvm/viridian.c
++++ xen-4.1.2-testing/xen/arch/x86/hvm/viridian.c
 @@ -270,7 +270,7 @@ int rdmsr_viridian_regs(uint32_t idx, ui
  int viridian_hypercall(struct cpu_user_regs *regs)
  {
@@ -458,8 +522,10 @@
      uint16_t status = HV_STATUS_SUCCESS;
  
      union hypercall_input {
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
+Index: xen-4.1.2-testing/xen/arch/x86/mm.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/mm.c
++++ xen-4.1.2-testing/xen/arch/x86/mm.c
 @@ -4914,7 +4914,7 @@ static int ptwr_emulated_update(
  {
      unsigned long mfn;
@@ -469,8 +535,10 @@
      l1_pgentry_t pte, ol1e, nl1e, *pl1e;
      struct vcpu *v = current;
      struct domain *d = v->domain;
---- a/xen/arch/x86/x86_64/mm.c
-+++ b/xen/arch/x86/x86_64/mm.c
+Index: xen-4.1.2-testing/xen/arch/x86/x86_64/mm.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/x86_64/mm.c
++++ xen-4.1.2-testing/xen/arch/x86/x86_64/mm.c
 @@ -436,7 +436,8 @@ void destroy_m2p_mapping(struct mem_hota
  static int setup_compat_m2p_table(struct mem_hotadd_info *info)
  {
@@ -481,8 +549,10 @@
      l3_pgentry_t *l3_ro_mpt = NULL;
      l2_pgentry_t *l2_ro_mpt = NULL;
      struct page_info *l1_pg;
---- a/xen/arch/x86/cpu/mcheck/mce.c
-+++ b/xen/arch/x86/cpu/mcheck/mce.c
+Index: xen-4.1.2-testing/xen/arch/x86/cpu/mcheck/mce.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/cpu/mcheck/mce.c
++++ xen-4.1.2-testing/xen/arch/x86/cpu/mcheck/mce.c
 @@ -151,7 +151,6 @@ static struct mcinfo_bank *mca_init_bank
                                           struct mc_info *mi, int bank)
  {
@@ -499,7 +569,7 @@
      if (mib->mc_status & MCi_STATUS_MISCV)
          mib->mc_misc = mca_rdmsr(MSR_IA32_MCx_MISC(bank));
  
-@@ -281,7 +279,7 @@ mctelem_cookie_t mcheck_mca_logout(enum 
+@@ -281,7 +279,7 @@ mctelem_cookie_t mcheck_mca_logout(enum
      recover = (mc_recoverable_scan)? 1: 0;
  
      for (i = 0; i < 32 && i < nr_mce_banks; i++) {
@@ -517,8 +587,10 @@
      uint64_t hwcr = 0;
      int intpose;
      int i;
---- a/xen/common/tmem.c
-+++ b/xen/common/tmem.c
+Index: xen-4.1.2-testing/xen/common/tmem.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/common/tmem.c
++++ xen-4.1.2-testing/xen/common/tmem.c
 @@ -1351,7 +1351,8 @@ obj_unlock:
  static int tmem_evict(void)
  {
@@ -539,8 +611,10 @@
      client_t *client = pool->client;
      int ret = client->frozen ? -EFROZEN : -ENOMEM;
  
---- a/xen/common/tmem_xen.c
-+++ b/xen/common/tmem_xen.c
+Index: xen-4.1.2-testing/xen/common/tmem_xen.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/common/tmem_xen.c
++++ xen-4.1.2-testing/xen/common/tmem_xen.c
 @@ -177,7 +177,7 @@ EXPORT int tmh_copy_from_client(pfp_t *p
  EXPORT int tmh_compress_from_client(tmem_cli_mfn_t cmfn,
      void **out_va, size_t *out_len, void *cli_va)
@@ -578,9 +652,11 @@
      tmh->persistent_pool = xmem_pool_create(name, tmh_persistent_pool_page_get,
          tmh_persistent_pool_page_put, PAGE_SIZE, 0, PAGE_SIZE);
      if ( tmh->persistent_pool == NULL )
---- a/xen/arch/x86/cpu/mcheck/vmce.c
-+++ b/xen/arch/x86/cpu/mcheck/vmce.c
-@@ -571,7 +571,7 @@ int is_vmce_ready(struct mcinfo_bank *ba
+Index: xen-4.1.2-testing/xen/arch/x86/cpu/mcheck/vmce.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/cpu/mcheck/vmce.c
++++ xen-4.1.2-testing/xen/arch/x86/cpu/mcheck/vmce.c
+@@ -630,7 +630,7 @@ int is_vmce_ready(struct mcinfo_bank *ba
   */
  int unmmap_broken_page(struct domain *d, mfn_t mfn, unsigned long gfn)
  {
@@ -589,9 +665,11 @@
      struct p2m_domain *p2m;
      p2m_type_t pt;
  
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-@@ -124,7 +124,7 @@ set_shadow_status(struct vcpu *v, mfn_t 
+Index: xen-4.1.2-testing/xen/arch/x86/mm/shadow/multi.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/mm/shadow/multi.c
++++ xen-4.1.2-testing/xen/arch/x86/mm/shadow/multi.c
+@@ -124,7 +124,7 @@ set_shadow_status(struct vcpu *v, mfn_t
  /* Put a shadow into the hash table */
  {
      struct domain *d = v->domain;
@@ -609,8 +687,10 @@
      shadow_l1e_t *sl1p, sl1e;
      struct page_info *sp;
  
---- a/xen/arch/x86/domain_build.c
-+++ b/xen/arch/x86/domain_build.c
+Index: xen-4.1.2-testing/xen/arch/x86/domain_build.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/domain_build.c
++++ xen-4.1.2-testing/xen/arch/x86/domain_build.c
 @@ -378,8 +378,7 @@ int __init construct_dom0(
          return rc;
  
@@ -621,9 +701,11 @@
      machine = elf_uval(&elf, elf.ehdr, e_machine);
      switch (CONFIG_PAGING_LEVELS) {
      case 3: /* x86_32p */
---- a/xen/arch/x86/traps.c
-+++ b/xen/arch/x86/traps.c
-@@ -1858,7 +1858,11 @@ static int emulate_privileged_op(struct 
+Index: xen-4.1.2-testing/xen/arch/x86/traps.c
+===================================================================
+--- xen-4.1.2-testing.orig/xen/arch/x86/traps.c
++++ xen-4.1.2-testing/xen/arch/x86/traps.c
+@@ -1858,7 +1858,11 @@ static int emulate_privileged_op(struct
      struct vcpu *v = current;
      unsigned long *reg, eip = regs->eip;
      u8 opcode, modrm_reg = 0, modrm_rm = 0, rep_prefix = 0, lock = 0, rex = 0;
diff --git a/xen-xmexample.diff b/xen-xmexample.diff
index 592b29c..8a2c907 100644
--- a/xen-xmexample.diff
+++ b/xen-xmexample.diff
@@ -4,7 +4,7 @@ Index: xen-4.1.2-testing/tools/examples/xmexample1
 ===================================================================
 --- xen-4.1.2-testing.orig/tools/examples/xmexample1
 +++ xen-4.1.2-testing/tools/examples/xmexample1
-@@ -7,11 +7,13 @@
+@@ -7,11 +7,17 @@
  #============================================================================
  
  #----------------------------------------------------------------------------
@@ -17,13 +17,31 @@ Index: xen-4.1.2-testing/tools/examples/xmexample1
 +kernel = "/boot/vmlinuz-xen"
 +ramdisk = "/boot/initrd-xen"
 +
-+# Or use domUloader instead of kernel/ramdisk to get kernel from domU FS
++# Or use a bootloader instead of kernel/ramdisk to get the kernel from domU FS
++# domUloader bootloader example:
 +#bootloader = "/usr/lib/xen/boot/domUloader.py"
 +#bootentry = "hda2:/vmlinuz-xen,/initrd-xen"
++# pygrub bootloader example:
++#bootloader="/usr/bin/pygrub"
++#bootargs=""
  
  # The domain build function. Default is 'linux'.
  #builder='linux'
-@@ -131,7 +133,7 @@ disk = [ 'phy:hda1,hda1,w' ]
+@@ -49,11 +55,11 @@ name = "ExampleDomain"
+ #
+ # or optionally override backend, bridge, ip, mac, script, type, or vifname:
+ #
+-# vif = [ 'mac=00:16:3e:00:00:11, bridge=xenbr0' ]
++# vif = [ 'mac=00:16:3e:00:00:11, bridge=br0' ]
+ #
+ # or more than one interface may be configured:
+ #
+-# vif = [ '', 'bridge=xenbr1' ]
++# vif = [ '', 'bridge=br1' ]
+ 
+ vif = [ '' ]
+ 
+@@ -131,7 +137,7 @@ disk = [ 'phy:hda1,hda1,w' ]
  #hostname= "vm%d" % vmid
  
  # Set root device.
@@ -32,7 +50,7 @@ Index: xen-4.1.2-testing/tools/examples/xmexample1
  
  # Root device for nfs.
  #root = "/dev/nfs"
-@@ -140,8 +142,8 @@ root = "/dev/hda1 ro"
+@@ -140,8 +146,8 @@ root = "/dev/hda1 ro"
  # Root directory on the nfs server.
  #nfs_root   = '/full/path/to/root/directory'
  
@@ -47,7 +65,7 @@ Index: xen-4.1.2-testing/tools/examples/xmexample2
 ===================================================================
 --- xen-4.1.2-testing.orig/tools/examples/xmexample2
 +++ xen-4.1.2-testing/tools/examples/xmexample2
-@@ -35,11 +35,13 @@ xm_vars.var('vmid',
+@@ -35,11 +35,17 @@ xm_vars.var('vmid',
  xm_vars.check()
  
  #----------------------------------------------------------------------------
@@ -60,13 +78,31 @@ Index: xen-4.1.2-testing/tools/examples/xmexample2
 +kernel = "/boot/vmlinuz-xen"
 +ramdisk = "/boot/initrd-xen"
 +
-+# Or use domUloader instead of kernel/ramdisk to get kernel from domU FS
++# Or use a bootloader instead of kernel/ramdisk to get the kernel from domU FS
++# domUloader bootloader example:
 +#bootloader = "/usr/lib/xen/boot/domUloader.py"
 +#bootentry = "hda2:/vmlinuz-xen,/initrd-xen"
++# pygrub bootloader example:
++#bootloader="/usr/bin/pygrub"
++#bootargs=""
  
  # The domain build function. Default is 'linux'.
  #builder='linux'
-@@ -167,7 +169,7 @@ disk = [ 'phy:sda%d,sda1,w' % (7+vmid),
+@@ -80,11 +86,11 @@ vcpus = 4 # make your domain a 4-way
+ #
+ # or optionally override backend, bridge, ip, mac, script, type, or vifname:
+ #
+-# vif = [ 'mac=00:16:3e:00:00:11, bridge=xenbr0' ]
++# vif = [ 'mac=00:16:3e:00:00:11, bridge=br0' ]
+ #
+ # or more than one interface may be configured:
+ #
+-# vif = [ '', 'bridge=xenbr1' ]
++# vif = [ '', 'bridge=br1' ]
+ 
+ vif = [ '' ]
+ 
+@@ -167,7 +173,7 @@ disk = [ 'phy:sda%d,sda1,w' % (7+vmid),
  #hostname= "vm%d" % vmid
  
  # Set root device.
@@ -75,7 +111,7 @@ Index: xen-4.1.2-testing/tools/examples/xmexample2
  
  # Root device for nfs.
  #root = "/dev/nfs"
-@@ -176,8 +178,8 @@ root = "/dev/sda1 ro"
+@@ -176,8 +182,8 @@ root = "/dev/sda1 ro"
  # Root directory on the nfs server.
  #nfs_root   = '/full/path/to/root/directory'
  
@@ -90,7 +126,7 @@ Index: xen-4.1.2-testing/tools/examples/xmexample3
 ===================================================================
 --- xen-4.1.2-testing.orig/tools/examples/xmexample3
 +++ xen-4.1.2-testing/tools/examples/xmexample3
-@@ -35,11 +35,13 @@ xm_vars.var('vmid',
+@@ -35,11 +35,17 @@ xm_vars.var('vmid',
  xm_vars.check()
  
  #----------------------------------------------------------------------------
@@ -102,9 +138,13 @@ Index: xen-4.1.2-testing/tools/examples/xmexample3
  
 -# Optional ramdisk.
 -#ramdisk = "/boot/initrd.gz"
-+# Or use domUloader instead of kernel/ramdisk to get kernel from domU FS
++# Or use a bootloader instead of kernel/ramdisk to get the kernel from domU FS
++# domUloader bootloader example:
 +#bootloader = "/usr/lib/xen/boot/domUloader.py"
 +#bootentry = "hda2:/vmlinuz-xen,/initrd-xen"
++# pygrub bootloader example:
++#bootloader="/usr/bin/pygrub"
++#bootargs=""
  
  # The domain build function. Default is 'linux'.
  #builder='linux'
@@ -112,7 +152,39 @@ Index: xen-4.1.2-testing/tools/examples/xmexample.hvm
 ===================================================================
 --- xen-4.1.2-testing.orig/tools/examples/xmexample.hvm
 +++ xen-4.1.2-testing/tools/examples/xmexample.hvm
-@@ -78,7 +78,7 @@ vif = [ 'type=ioemu, bridge=xenbr0' ]
+@@ -64,11 +64,26 @@ name = "ExampleHVMDomain"
+ #cpus = "0-3,5,^1" # all vcpus run on cpus 0,2,3,5
+ #cpus = ["2", "3"] # VCPU0 runs on CPU2, VCPU1 runs on CPU3
+ 
+-# Optionally define mac and/or bridge for the network interfaces.
+-# Random MACs are assigned if not given.
+-#vif = [ 'type=ioemu, mac=00:16:3e:00:00:11, bridge=xenbr0, model=ne2k_pci' ]
+-# type=ioemu specify the NIC is an ioemu device not netfront
+-vif = [ 'type=ioemu, bridge=xenbr0' ]
++#----------------------------------------------------------------------------
++# Define network interfaces.
++
++# By default, no network interfaces are configured.  You may have one created
++# with sensible defaults using an empty vif clause:
++#
++# vif = [ '' ]
++#
++# or optionally override backend, bridge, ip, mac, script, type, model,
++# or vifname.
++#
++# An emulated RealTek 8139 network interface can be configured with:
++#
++# vif = [ 'mac=00:16:3e:00:00:11, type=ioemu, model=rtl8139, bridge=br0' ]
++#
++# A para-virtual network interface can be configured with:
++#
++# vif = [ 'mac=00:16:3e:00:00:11, type=netfront, bridge=br0' ]
++#
++vif = [ '' ]
+ 
+ #----------------------------------------------------------------------------
+ # Define the disk devices you want the domain to have access to, and
+@@ -78,7 +93,7 @@ vif = [ 'type=ioemu, bridge=xenbr0' ]
  # and MODE is r for read-only, w for read-write.
  
  #disk = [ 'phy:hda1,hda1,r' ]
@@ -175,3 +247,93 @@ Index: xen-4.1.2-testing/docs/man/xm.pod.1
       name=ramdisk vif='' vcpus=1 \
       memory=64 root=/dev/ram0
  
+Index: xen-4.1.2-testing/tools/examples/xmexample.hvm-stubdom
+===================================================================
+--- xen-4.1.2-testing.orig/tools/examples/xmexample.hvm-stubdom
++++ xen-4.1.2-testing/tools/examples/xmexample.hvm-stubdom
+@@ -55,11 +55,26 @@ name = "xmexample.hvm"
+ #cpus = "0-3,5,^1" # all vcpus run on cpus 0,2,3,5
+ #cpus = ["2", "3"] # VCPU0 runs on CPU2, VCPU1 runs on CPU3
+ 
+-# Optionally define mac and/or bridge for the network interfaces.
+-# Random MACs are assigned if not given.
+-#vif = [ 'type=ioemu, mac=00:16:3e:00:00:11, bridge=xenbr0, model=ne2k_pci' ]
+-# type=ioemu specify the NIC is an ioemu device not netfront
+-vif = [ 'type=ioemu, bridge=xenbr0' ]
++#----------------------------------------------------------------------------
++# Define network interfaces.
++
++# By default, no network interfaces are configured.  You may have one created
++# with sensible defaults using an empty vif clause:
++#
++# vif = [ '' ]
++#
++# or optionally override backend, bridge, ip, mac, script, type, model,
++# or vifname.
++#
++# An emulated RealTek 8139 network interface can be configured with:
++#
++# vif = [ 'mac=00:16:3e:00:00:11, type=ioemu, model=rtl8139, bridge=br0' ]
++#
++# A para-virtual network interface can be configured with:
++#
++# vif = [ 'mac=00:16:3e:00:00:11, type=netfront, bridge=br0' ]
++#
++vif = [ '' ]
+ 
+ #----------------------------------------------------------------------------
+ # Define the disk devices you want the domain to have access to, and
+Index: xen-4.1.2-testing/tools/examples/xmexample.pv-grub
+===================================================================
+--- xen-4.1.2-testing.orig/tools/examples/xmexample.pv-grub
++++ xen-4.1.2-testing/tools/examples/xmexample.pv-grub
+@@ -53,11 +53,11 @@ name = "ExampleDomain"
+ #
+ # or optionally override backend, bridge, ip, mac, script, type, or vifname:
+ #
+-# vif = [ 'mac=00:16:3e:00:00:11, bridge=xenbr0' ]
++# vif = [ 'mac=00:16:3e:00:00:11, bridge=br0' ]
+ #
+ # or more than one interface may be configured:
+ #
+-# vif = [ '', 'bridge=xenbr1' ]
++# vif = [ '', 'bridge=br1' ]
+ 
+ vif = [ '' ]
+ 
+Index: xen-4.1.2-testing/tools/examples/xmexample.vti
+===================================================================
+--- xen-4.1.2-testing.orig/tools/examples/xmexample.vti
++++ xen-4.1.2-testing/tools/examples/xmexample.vti
+@@ -40,11 +40,26 @@ name = "ExampleVTIDomain"
+ # In Windows OS, smaller size shows better performance.
+ #vhpt = 23
+ 
+-# Optionally define mac and/or bridge for the network interfaces.
+-# Random MACs are assigned if not given.
+-#vif = [ 'type=ioemu, mac=00:16:3e:00:00:11, bridge=xenbr0, model=ne2k_pci' ]
+-# type=ioemu specify the NIC is an ioemu device not netfront
+-vif = [ 'type=ioemu, bridge=xenbr0' ]
++#----------------------------------------------------------------------------
++# Define network interfaces.
++
++# By default, no network interfaces are configured.  You may have one created
++# with sensible defaults using an empty vif clause:
++#
++# vif = [ '' ]
++#
++# or optionally override backend, bridge, ip, mac, script, type, model,
++# or vifname.
++#
++# An emulated RealTek 8139 network interface can be configured with:
++#
++# vif = [ 'mac=00:16:3e:00:00:11, type=ioemu, model=rtl8139, bridge=br0' ]
++#
++# A para-virtual network interface can be configured with:
++#
++# vif = [ 'mac=00:16:3e:00:00:11, type=netfront, bridge=br0' ]
++#
++vif = [ '' ]
+ 
+ #----------------------------------------------------------------------------
+ # Define the disk devices you want the domain to have access to, and
diff --git a/xen.changes b/xen.changes
index 47fd172..aaff9a4 100644
--- a/xen.changes
+++ b/xen.changes
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Mon Feb 27 16:05:19 MST 2012 - jfehlig@suse.com
+
+- bnc#745880 - cpuid setting is not preserved across xend restarts
+  xend-cpuid.patch
+
+-------------------------------------------------------------------
+Mon Feb 27 15:40:02 MST 2012 - jfehlig@suse.com
+
+- Rename 2XXXX-vif-bridge.patch -> vif-bridge-tap-fix.patch
+
+-------------------------------------------------------------------
+Mon Feb 27 08:16:43 MST 2012 - carnold@novell.com
+
+- bnc#747331 - XEN: standard "newburn" kernel QA stress test on guest
+  (+ smartd on Dom0?) freezes the guest
+  24883-x86-guest-walk-not-present.patch
+- bnc#745367 - MCE bank handling during migration
+  24781-x86-vmce-mcg_ctl.patch
+  24886-x86-vmce-mcg_ctl-default.patch
+  24887-x86-vmce-sr.patch
+- bnc#744771 - L3: VM with passed through PCI card fails to reboot
+  under dom0 load
+  24888-pci-release-devices.patch
+- Upstream patches from Jan
+  24517-VT-d-fault-softirq.patch
+  24527-AMD-Vi-fault-softirq.patch
+  24535-x86-vMSI-misc.patch
+  24615-VESA-lfb-flush.patch
+  24690-x86-PCI-SERR-no-deadlock.patch
+  24701-gnttab-map-grant-ref-recovery.patch
+  24742-gnttab-misc.patch
+  24780-x86-paging-use-clear_guest.patch
+  24805-x86-MSI-X-dom0-ro.patch
+  ioemu-9869-MSI-X-init.patch
+  ioemu-9873-MSI-X-fix-unregister_iomem.patch
+
 -------------------------------------------------------------------
 Sat Feb 25 21:55:42 CET 2012 - ohering@suse.de
 
@@ -10,6 +47,12 @@ Tue Feb 14 09:23:35 MST 2012 - carnold@novell.com
   install, when maxmem > memory
   README.SuSE
 
+-------------------------------------------------------------------
+Wed Feb  8 10:16:59 MST 2012 - jfehlig@suse.com
+
+- bnc#745005 - Update vif configuration examples in xmexample*
+  Updated xen-xmexample.diff
+
 -------------------------------------------------------------------
 Thu Feb  2 17:11:28 MST 2012 - jfehlig@suse.com
 
diff --git a/xen.spec b/xen.spec
index 4f121db..7bcdb3a 100644
--- a/xen.spec
+++ b/xen.spec
@@ -15,8 +15,6 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
-
-
 Name:           xen
 ExclusiveArch:  %ix86 x86_64
 %define xvers 4.1
@@ -101,7 +99,7 @@ BuildRequires:  kernel-syms
 BuildRequires:  module-init-tools
 BuildRequires:  xorg-x11
 %endif
-Version:        4.1.2_13
+Version:        4.1.2_15
 Release:        0
 PreReq:         %insserv_prereq %fillup_prereq
 Summary:        Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
@@ -345,14 +343,29 @@ Patch24456:     24456-x86-emul-lea.patch
 Patch24459:     24459-libxl-vifname.patch
 Patch24466:     24466-libxc_Only_retry_mapping_pages_when_ENOENT_is_returned.patch
 Patch24478:     24478-libxl_add_feature_flag_to_xenstore_for_XS_RESET_WATCHES.patch
+Patch24517:     24517-VT-d-fault-softirq.patch
+Patch24527:     24527-AMD-Vi-fault-softirq.patch
+Patch24535:     24535-x86-vMSI-misc.patch
 Patch24566:     24566-tools-libxc_fix_error_handling_in_xc_mem_paging_load.patch
 Patch24586:     24586-x86-mm_Properly_account_for_paged_out_pages.patch
 Patch24609:     24609-tools-libxc_handle_fallback_in_linux_privcmd_map_foreign_bulk_properly.patch
 Patch24610:     24610-xenpaging_make_file_op_largefile_aware.patch
+Patch24615:     24615-VESA-lfb-flush.patch
+Patch24690:     24690-x86-PCI-SERR-no-deadlock.patch
+Patch24701:     24701-gnttab-map-grant-ref-recovery.patch
+Patch24742:     24742-gnttab-misc.patch
+Patch24780:     24780-x86-paging-use-clear_guest.patch
+Patch24781:     24781-x86-vmce-mcg_ctl.patch
+Patch24805:     24805-x86-MSI-X-dom0-ro.patch
+Patch24883:     24883-x86-guest-walk-not-present.patch
+Patch24886:     24886-x86-vmce-mcg_ctl-default.patch
+Patch24887:     24887-x86-vmce-sr.patch
+Patch24888:     24888-pci-release-devices.patch
 # Upstream qemu patches
 Patch100:       ioemu-9868-MSI-X.patch
-Patch101:       ioemu-MSI-X-fix-unregister_iomem.patch
-Patch102:       cve-2012-0029-qemu-xen-unstable.patch
+Patch101:       ioemu-9869-MSI-X-init.patch
+Patch102:       ioemu-9873-MSI-X-fix-unregister_iomem.patch
+Patch103:       cve-2012-0029-qemu-xen-unstable.patch
 # Our patches
 Patch300:       xen-config.diff
 Patch301:       xend-config.diff
@@ -409,9 +422,9 @@ Patch377:       suspend_evtchn_lock.patch
 Patch378:       log-guest-console.patch
 Patch379:       xend-migration-domname-fix.patch
 Patch380:       xm-create-maxmem.patch
-# Sent upstream and tentatively ACK'ed, but not yet committed
-Patch381:       2XXXX-vif-bridge.patch
+Patch381:       vif-bridge-tap-fix.patch
 Patch382:       xencommons-xenstored-root.patch
+Patch383:       xend-cpuid.patch
 # Patches for snapshot support
 Patch400:       snapshot-ioemu-save.patch
 Patch401:       snapshot-ioemu-restore.patch
@@ -519,7 +532,6 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %suse_kernel_module_package -n xen um xen -f kmp_filelist
 %endif
 
-
 %description
 Xen is a virtual machine monitor for x86 that supports execution of
 multiple guest operating systems with unprecedented levels of
@@ -579,7 +591,6 @@ Summary:        Xen Virtualization: Libraries
 Group:          System/Kernel
 #Requires:       xen = %{version}
 
-
 %description libs
 Xen is a virtual machine monitor for x86 that supports execution of
 multiple guest operating systems with unprecedented levels of
@@ -625,7 +636,6 @@ Authors:
 
 %if %{?with_dom0_support}0
 
-
 %package tools
 Summary:        Xen Virtualization: Control tools for domain 0
 Group:          System/Kernel
@@ -635,7 +645,6 @@ Requires:       bridge-utils multipath-tools python python-curses python-openssl
 Provides:       xen-tools-ioemu = 3.2
 Obsoletes:      xen-tools-ioemu <= 3.2
 
-
 %description tools
 Xen is a virtual machine monitor for x86 that supports execution of
 multiple guest operating systems with unprecedented levels of
@@ -683,13 +692,11 @@ Authors:
     Ian Pratt <ian.pratt@cl.cam.ac.uk>
 %endif
 
-
 %package tools-domU
 Summary:        Xen Virtualization: Control tools for domain U
 Group:          System/Kernel
 Conflicts:      xen-tools
 
-
 %description tools-domU
 Xen is a virtual machine monitor for x86 that supports execution of
 multiple guest operating systems with unprecedented levels of
@@ -709,7 +716,6 @@ Summary:        Xen Virtualization: Headers and libraries for development
 Group:          System/Kernel
 Requires:       xen-libs = %{version}
 
-
 %description devel
 Xen is a virtual machine monitor for x86 that supports execution of
 multiple guest operating systems with unprecedented levels of
@@ -755,13 +761,11 @@ Authors:
 
 %if %{?with_kmp}0
 
-
 %package KMP
 Summary:        Xen para-virtual device drivers for fully virtualized guests
 Group:          System/Kernel
 Conflicts:      xen
 
-
 %description KMP
 Xen para-virtual device drivers for fully virtualized guests
 
@@ -807,12 +811,10 @@ Xen, but is not available for release due to license restrictions.
 
 %if %{?with_dom0_support}0
 
-
 %package doc-html
 Summary:        Xen Virtualization: HTML documentation
 Group:          Documentation/HTML
 
-
 %description doc-html
 Xen is a virtual machine monitor for x86 that supports execution of
 multiple guest operating systems with unprecedented levels of
@@ -831,7 +833,6 @@ Authors:
 Summary:        Xen Virtualization: PDF documentation
 Group:          Documentation/Other
 
-
 %description doc-pdf
 Xen is a virtual machine monitor for x86 that supports execution of
 multiple guest operating systems with unprecedented levels of
@@ -848,7 +849,6 @@ Authors:
     Ian Pratt <ian.pratt@cl.cam.ac.uk>
 %endif
 
-
 %prep
 %setup -q -n %xen_build_dir -a 1 -a 20000
 %patch20000 -p1
@@ -1053,14 +1053,29 @@ tar xfj %{SOURCE2} -C $RPM_BUILD_DIR/%{xen_build_dir}/tools
 %patch24459 -p1
 %patch24466 -p1
 %patch24478 -p1
+%patch24517 -p1
+%patch24527 -p1
+%patch24535 -p1
 %patch24566 -p1
 %patch24586 -p1
 %patch24609 -p1
 %patch24610 -p1
+%patch24615 -p1
+%patch24690 -p1
+%patch24701 -p1
+%patch24742 -p1
+%patch24780 -p1
+%patch24781 -p1
+%patch24805 -p1
+%patch24883 -p1
+%patch24886 -p1
+%patch24887 -p1
+%patch24888 -p1
 # Qemu
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
+%patch103 -p1
 # Our patches
 %patch300 -p1
 %patch301 -p1
@@ -1118,6 +1133,7 @@ tar xfj %{SOURCE2} -C $RPM_BUILD_DIR/%{xen_build_dir}/tools
 %patch380 -p1
 %patch381 -p1
 %patch382 -p1
+%patch383 -p1
 %patch400 -p1
 %patch401 -p1
 %patch402 -p1
@@ -1212,7 +1228,6 @@ tar xfj %{SOURCE2} -C $RPM_BUILD_DIR/%{xen_build_dir}/tools
 %patch99998 -p1
 %patch99999 -p1
 
-
 %build
 XEN_EXTRAVERSION=%version-%release
 XEN_EXTRAVERSION=${XEN_EXTRAVERSION#%{xvers}}
@@ -1248,7 +1263,6 @@ for flavor in %flavors_to_build; do
 done
 %endif
 
-
 %install
 export CFLAGS="$RPM_OPT_FLAGS"
 %if %{?with_dom0_support}0
@@ -1451,7 +1465,6 @@ rm -f $RPM_BUILD_ROOT/%{_bindir}/xencons
 
 %if %{?with_dom0_support}0
 
-
 %files -f xen.files.txt
 %defattr(-,root,root)
 /boot/xen-%{version}-%{release}.gz
@@ -1468,7 +1481,6 @@ rm -f $RPM_BUILD_ROOT/%{_bindir}/xencons
 /boot/xen.gz
 %endif
 
-
 %files libs
 %defattr(-,root,root)
 %{_libdir}/fs/
@@ -1476,7 +1488,6 @@ rm -f $RPM_BUILD_ROOT/%{_bindir}/xencons
 
 %if %{?with_dom0_support}0
 
-
 %files tools
 %defattr(-,root,root)
 /usr/bin/xenalyze
@@ -1580,14 +1591,12 @@ rm -f $RPM_BUILD_ROOT/%{_bindir}/xencons
 %config %{_fwdefdir}/xend-relocation-server
 %endif
 
-
 %files tools-domU
 %defattr(-,root,root)
 /usr/bin/xen-detect
 /bin/domu-xenstore
 /bin/xenstore-*
 
-
 %files devel
 %defattr(-,root,root)
 %{_bindir}/serial-split
@@ -1597,12 +1606,10 @@ rm -f $RPM_BUILD_ROOT/%{_bindir}/xencons
 
 %if %{?with_dom0_support}0
 
-
 %files doc-html
 %defattr(-,root,root)
 %{_defaultdocdir}/xen/html
 
-
 %files doc-pdf
 %defattr(-,root,root)
 %{_defaultdocdir}/xen/pdf
@@ -1610,7 +1617,6 @@ rm -f $RPM_BUILD_ROOT/%{_bindir}/xencons
 
 %if %{?with_dom0_support}0
 
-
 %post tools
 %if %{?with_xend}0
 # with_xend
@@ -1656,11 +1662,9 @@ if [ -f /usr/bin/qemu-nbd ]; then
     ln -s /usr/bin/qemu-nbd /usr/bin/qemu-nbd-xen
 fi
 
-
 %preun tools
 %{stop_on_removal xendomains xend xencommons}
 
-
 %postun tools
 %if %{?with_xend}0
 # with_xend
@@ -1675,12 +1679,8 @@ if [ -f /usr/bin/qemu-nbd-xen ]; then
 fi
 %endif
 
-
 %post libs -p /sbin/ldconfig
 
-
 %postun libs -p /sbin/ldconfig
 
-
-
 %changelog
diff --git a/xend-cpuid.patch b/xend-cpuid.patch
new file mode 100644
index 0000000..bc6cd6f
--- /dev/null
+++ b/xend-cpuid.patch
@@ -0,0 +1,26 @@
+Only add cpuid and cpuid_check to sexpr once
+
+When converting a XendConfig object to sexpr, cpuid and cpuid_check
+were being emitted twice in the resulting sexpr.  The first conversion
+writes incorrect sexpr, causing parsing of the sexpr to fail when xend
+is restarted and domain sexpr files in /var/lib/xend/domains/<dom-uuid>
+are read and parsed.
+
+This patch skips the first conversion, and uses only the custom
+cpuid{_check} conversion methods called later.  It is not pretty, but
+is the least invasive fix in this complex code.
+Index: xen-4.1.2-testing/tools/python/xen/xend/XendConfig.py
+===================================================================
+--- xen-4.1.2-testing.orig/tools/python/xen/xend/XendConfig.py
++++ xen-4.1.2-testing/tools/python/xen/xend/XendConfig.py
+@@ -1125,6 +1125,10 @@ class XendConfig(dict):
+         else:
+             for name, typ in XENAPI_CFG_TYPES.items():
+                 if name in self and self[name] not in (None, []):
++                    # Skip cpuid and cpuid_check.  Custom conversion
++                    # methods for these are called below.
++                    if name in ("cpuid", "cpuid_check"):
++                        continue
+                     if typ == dict:
+                         s = self[name].items()
+                     elif typ == list:
diff --git a/xenpaging.autostart.patch b/xenpaging.autostart.patch
index ae64f15..0fa2d87 100644
--- a/xenpaging.autostart.patch
+++ b/xenpaging.autostart.patch
@@ -49,7 +49,7 @@ Index: xen-4.1.2-testing/tools/examples/xmexample.hvm
 ===================================================================
 --- xen-4.1.2-testing.orig/tools/examples/xmexample.hvm
 +++ xen-4.1.2-testing/tools/examples/xmexample.hvm
-@@ -127,6 +127,15 @@ disk = [ 'file:/var/lib/xen/images/disk.
+@@ -142,6 +142,15 @@ disk = [ 'file:/var/lib/xen/images/disk.
  # Device Model to be used
  device_model = 'qemu-dm'
  
diff --git a/xenpaging.mem_event-use-wait_queue.patch b/xenpaging.mem_event-use-wait_queue.patch
index e1dc88a..9cf16d5 100644
--- a/xenpaging.mem_event-use-wait_queue.patch
+++ b/xenpaging.mem_event-use-wait_queue.patch
@@ -53,11 +53,9 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
  xen/include/xen/sched.h         |   17 +++-
  6 files changed, 179 insertions(+), 81 deletions(-)
 
-Index: xen-4.1.2-testing/xen/arch/x86/hvm/hvm.c
-===================================================================
---- xen-4.1.2-testing.orig/xen/arch/x86/hvm/hvm.c
-+++ xen-4.1.2-testing/xen/arch/x86/hvm/hvm.c
-@@ -3915,8 +3915,8 @@ static int hvm_memory_event_traps(long p
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -4013,8 +4013,8 @@ static int hvm_memory_event_traps(long p
      if ( (p & HVMPME_onchangeonly) && (value == old) )
          return 1;
      
@@ -68,10 +66,8 @@ Index: xen-4.1.2-testing/xen/arch/x86/hvm/hvm.c
          return rc;
      
      memset(&req, 0, sizeof(req));
-Index: xen-4.1.2-testing/xen/arch/x86/mm/mem_event.c
-===================================================================
---- xen-4.1.2-testing.orig/xen/arch/x86/mm/mem_event.c
-+++ xen-4.1.2-testing/xen/arch/x86/mm/mem_event.c
+--- a/xen/arch/x86/mm/mem_event.c
++++ b/xen/arch/x86/mm/mem_event.c
 @@ -23,6 +23,7 @@
  
  #include <asm/domain.h>
@@ -324,10 +320,8 @@ Index: xen-4.1.2-testing/xen/arch/x86/mm/mem_event.c
          }
          break;
  
-Index: xen-4.1.2-testing/xen/arch/x86/mm/mem_sharing.c
-===================================================================
---- xen-4.1.2-testing.orig/xen/arch/x86/mm/mem_sharing.c
-+++ xen-4.1.2-testing/xen/arch/x86/mm/mem_sharing.c
+--- a/xen/arch/x86/mm/mem_sharing.c
++++ b/xen/arch/x86/mm/mem_sharing.c
 @@ -292,44 +292,32 @@ static void mem_sharing_audit(void)
  #endif
  
@@ -349,15 +343,15 @@ Index: xen-4.1.2-testing/xen/arch/x86/mm/mem_sharing.c
 -    req.type = MEM_EVENT_TYPE_SHARED;
 -
 -    if(must_succeed) 
--    {
++    if ( v->domain != d )
+     {
 -        /* We do not support 'must_succeed' any more. External operations such
 -         * as grant table mappings may fail with OOM condition! 
 -         */
 -        BUG();
 -    }
 -    else
-+    if ( v->domain != d )
-     {
+-    {
 -        /* All foreign attempts to unshare pages should be handled through
 -         * 'must_succeed' case. */
 -        ASSERT(v->domain->domain_id == d->domain_id);
@@ -388,7 +382,7 @@ Index: xen-4.1.2-testing/xen/arch/x86/mm/mem_sharing.c
  }
  
  unsigned int mem_sharing_get_nr_saved_mfns(void)
-@@ -692,14 +680,14 @@ gfn_found:
+@@ -692,14 +680,14 @@ gfn_found: 
      if(ret == 0) goto private_page_found;
          
      old_page = page;
@@ -405,10 +399,8 @@ Index: xen-4.1.2-testing/xen/arch/x86/mm/mem_sharing.c
          return -ENOMEM;
      }
  
-Index: xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
-===================================================================
---- xen-4.1.2-testing.orig/xen/arch/x86/mm/p2m.c
-+++ xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
+--- a/xen/arch/x86/mm/p2m.c
++++ b/xen/arch/x86/mm/p2m.c
 @@ -2988,21 +2988,13 @@ int p2m_mem_paging_evict(struct p2m_doma
   */
  void p2m_mem_paging_drop_page(struct p2m_domain *p2m, unsigned long gfn)
@@ -464,7 +456,7 @@ Index: xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
  }
  
  void p2m_mem_access_check(unsigned long gpa, bool_t gla_valid, unsigned long gla, 
-@@ -3240,7 +3232,7 @@ void p2m_mem_access_check(unsigned long
+@@ -3240,7 +3232,7 @@ void p2m_mem_access_check(unsigned long 
      p2m_unlock(p2m);
  
      /* Otherwise, check if there is a memory event listener, and send the message along */
@@ -473,7 +465,7 @@ Index: xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
      if ( res < 0 ) 
      {
          /* No listener */
-@@ -3250,7 +3242,7 @@ void p2m_mem_access_check(unsigned long
+@@ -3250,7 +3242,7 @@ void p2m_mem_access_check(unsigned long 
                     "Memory access permissions failure, no mem_event listener: pausing VCPU %d, dom %d\n",
                     v->vcpu_id, d->domain_id);
  
@@ -497,10 +489,8 @@ Index: xen-4.1.2-testing/xen/arch/x86/mm/p2m.c
  }
  #endif /* __x86_64__ */
  
-Index: xen-4.1.2-testing/xen/include/asm-x86/mem_event.h
-===================================================================
---- xen-4.1.2-testing.orig/xen/include/asm-x86/mem_event.h
-+++ xen-4.1.2-testing/xen/include/asm-x86/mem_event.h
+--- a/xen/include/asm-x86/mem_event.h
++++ b/xen/include/asm-x86/mem_event.h
 @@ -24,13 +24,13 @@
  #ifndef __MEM_EVENT_H__
  #define __MEM_EVENT_H__
@@ -520,10 +510,8 @@ Index: xen-4.1.2-testing/xen/include/asm-x86/mem_event.h
  
  int mem_event_domctl(struct domain *d, xen_domctl_mem_event_op_t *mec,
                       XEN_GUEST_HANDLE(void) u_domctl);
-Index: xen-4.1.2-testing/xen/include/xen/sched.h
-===================================================================
---- xen-4.1.2-testing.orig/xen/include/xen/sched.h
-+++ xen-4.1.2-testing/xen/include/xen/sched.h
+--- a/xen/include/xen/sched.h
++++ b/xen/include/xen/sched.h
 @@ -26,6 +26,7 @@
  #include <xen/cpumask.h>
  #include <xen/nodemask.h>
diff --git a/xenpaging.p2m_is_paged.patch b/xenpaging.p2m_is_paged.patch
index 0998405..1bbaeaf 100644
--- a/xenpaging.p2m_is_paged.patch
+++ b/xenpaging.p2m_is_paged.patch
@@ -83,7 +83,17 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
              return HVMCOPY_gfn_paged_out;
          }
          if ( p2m_is_shared(p2mt) )
-@@ -3497,7 +3500,8 @@ long do_hvm_op(unsigned long op, XEN_GUE
+@@ -2208,7 +2211,8 @@ static enum hvm_copy_result __hvm_clear(
+ 
+         if ( p2m_is_paging(p2mt) )
+         {
+-            p2m_mem_paging_populate(p2m, gfn);
++            if ( p2m_do_populate(p2mt) )
++                p2m_mem_paging_populate(p2m, gfn);
+             return HVMCOPY_gfn_paged_out;
+         }
+         if ( p2m_is_shared(p2mt) )
+@@ -3594,7 +3598,8 @@ long do_hvm_op(unsigned long op, XEN_GUE
              mfn_t mfn = gfn_to_mfn(p2m, pfn, &t);
              if ( p2m_is_paging(t) )
              {
@@ -93,7 +103,7 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
  
                  rc = -EINVAL;
                  goto param_fail3;
-@@ -3594,7 +3598,8 @@ long do_hvm_op(unsigned long op, XEN_GUE
+@@ -3691,7 +3696,8 @@ long do_hvm_op(unsigned long op, XEN_GUE
              mfn = gfn_to_mfn_unshare(p2m, pfn, &t, 0);
              if ( p2m_is_paging(t) )
              {