Mail archive
alpine-aports

[alpine-aports] [PATCH v3.2] main/xen: security upgrade to 4.5.5 - fixes #6573

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Fri, 23 Dec 2016 13:41:44 +0000

Removed patches that are already applied in xen-4.5.5
https://www.xenproject.org/downloads/xen-archives/xen-45-series/xen-455.html

New fixes:
CVE-2016-10024, XSA-202: x86 PV guests may be able to mask interrupts
http://xenbits.xen.org/xsa/advisory-202.html

CVE-2016-10013, XSA-204: x86: Mishandling of SYSCALL singlestep during emulation
http://xenbits.xen.org/xsa/advisory-204.html
---
 ...copy-of-every-xs-backend-in-libxl-in-_gen.patch |  98 ---------
 ...ord-backend-frontend-paths-in-libxl-DOMID.patch | 195 ----------------
 ...not-trust-backend-in-libxl__device_exists.patch |  32 ---
 ...xl-Provide-libxl__backendpath_parse_domid.patch |  62 ------
 ...t-trust-backend-for-vtpm-in-getinfo-excep.patch |  55 -----
 ...t-trust-frontend-in-libxl__devices_destro.patch |  77 -------
 ...ot-trust-backend-for-vtpm-in-getinfo-uuid.patch |  46 ----
 ...ot-trust-frontend-in-libxl__device_nextid.patch |  43 ----
 ...o-not-trust-frontend-for-disk-eject-event.patch | 104 ---------
 ...bxl-cdrom-eject-and-insert-write-to-libxl.patch |  73 ------
 ...-Do-not-trust-backend-for-disk-eject-vdev.patch |  67 ------
 ...Do-not-trust-frontend-for-disk-in-getinfo.patch |  79 -------
 ...t-trust-backend-for-disk-fix-driver-domai.patch | 245 ---------------------
 ...libxl-Do-not-trust-frontend-for-vtpm-list.patch |  67 ------
 ...-Do-not-trust-backend-for-disk-in-getinfo.patch |  35 ---
 ...Do-not-trust-frontend-for-vtpm-in-getinfo.patch |  61 -----
 ...bxl-Do-not-trust-backend-for-cdrom-insert.patch |  94 --------
 ...t-trust-frontend-for-nic-in-libxl_devid_t.patch |  47 ----
 ...-not-trust-backend-for-channel-in-getinfo.patch |  38 ----
 ...-Do-not-trust-frontend-for-nic-in-getinfo.patch |  73 ------
 ...Do-not-trust-frontend-for-channel-in-list.patch | 104 ---------
 ...e-libxl__device_-nic-channel-_from_xs_be-.patch |  87 --------
 ...not-trust-frontend-for-channel-in-getinfo.patch | 121 ----------
 ...ibxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch | 101 ---------
 ...READ_LIBXLDEV-use-libxl_path-rather-than-.patch |  62 ------
 ...libxl-Do-not-trust-backend-in-nic-getinfo.patch |  33 ---
 ...t-trust-backend-for-nic-in-devid_to_devic.patch |  48 ----
 ...ibxl-Do-not-trust-backend-for-nic-in-list.patch |  80 -------
 ...ibxl-Do-not-trust-backend-in-channel-list.patch |  58 -----
 ...-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch |  48 ----
 ...up-use-libxl__backendpath_parse_domid-in-.patch |  38 ----
 .../xen/0020-libxl-Document-serial-correctly.patch |  38 ----
 main/xen/APKBUILD                                  | 209 ++----------------
 main/xen/gnutls-3.4.0.patch                        |  36 ---
 main/xen/xsa169.patch                              |  33 ---
 main/xen/xsa172.patch                              |  39 ----
 main/xen/xsa173-4.5.patch                          | 244 --------------------
 main/xen/xsa176.patch                              |  45 ----
 main/xen/xsa181.patch                              |  38 ----
 main/xen/xsa182-4.5.patch                          | 102 ---------
 main/xen/xsa183-4.6.patch                          |  75 -------
 main/xen/xsa184-qemut-master.patch                 |  43 ----
 main/xen/xsa184-qemuu-master.patch                 |  43 ----
 main/xen/xsa185.patch                              |  38 ----
 ...-Correct-boundary-interactions-of-emulate.patch |  73 ------
 ...llow-testing-of-instructions-crossing-the.patch |  41 ----
 ...nt-Bounds-check-accesses-to-emulation-ctx.patch | 142 ------------
 ...-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch |  42 ----
 main/xen/xsa202-4.6.patch                          |  73 ++++++
 main/xen/xsa204-4.5.patch                          |  69 ++++++
 50 files changed, 156 insertions(+), 3638 deletions(-)
 delete mode 100644 main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
 delete mode 100644 main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
 delete mode 100644 main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
 delete mode 100644 main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
 delete mode 100644 main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
 delete mode 100644 main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
 delete mode 100644 main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
 delete mode 100644 main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
 delete mode 100644 main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
 delete mode 100644 main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
 delete mode 100644 main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
 delete mode 100644 main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
 delete mode 100644 main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
 delete mode 100644 main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
 delete mode 100644 main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
 delete mode 100644 main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
 delete mode 100644 main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
 delete mode 100644 main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
 delete mode 100644 main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
 delete mode 100644 main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
 delete mode 100644 main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
 delete mode 100644 main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
 delete mode 100644 main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
 delete mode 100644 main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
 delete mode 100644 main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
 delete mode 100644 main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
 delete mode 100644 main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
 delete mode 100644 main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
 delete mode 100644 main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch
 delete mode 100644 main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
 delete mode 100644 main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
 delete mode 100644 main/xen/0020-libxl-Document-serial-correctly.patch
 delete mode 100644 main/xen/gnutls-3.4.0.patch
 delete mode 100644 main/xen/xsa169.patch
 delete mode 100644 main/xen/xsa172.patch
 delete mode 100644 main/xen/xsa173-4.5.patch
 delete mode 100644 main/xen/xsa176.patch
 delete mode 100644 main/xen/xsa181.patch
 delete mode 100644 main/xen/xsa182-4.5.patch
 delete mode 100644 main/xen/xsa183-4.6.patch
 delete mode 100644 main/xen/xsa184-qemut-master.patch
 delete mode 100644 main/xen/xsa184-qemuu-master.patch
 delete mode 100644 main/xen/xsa185.patch
 delete mode 100644 main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
 delete mode 100644 main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
 delete mode 100644 main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
 delete mode 100644 main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
 create mode 100644 main/xen/xsa202-4.6.patch
 create mode 100644 main/xen/xsa204-4.5.patch
diff --git a/main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch b/main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
deleted file mode 100644
index c7e26bc..0000000
--- a/main/xen/0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
+++ /dev/null
_at_@ -1,98 +0,0 @@
-From 27874bcfe5a2778d3441d86ed5e2ff1adc4baa35 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:19:28 +0100
-Subject: [PATCH 01/20] libxl: Make copy of every xs backend in /libxl in
- _generic_add
-
-We want to stop libxl trustingly reading information from the backend
-directory (since this is, of course, writeable by the backend, which
-might be a semi-trusted driver domain).
-
-In principle it is wrong in current libxl for anything to try to
-divine virtual device configuration from xenstore: the JSON domain
-config ought to supply that, and xenstore should only tell us which
-devices actually exist.
-
-However:
-
-Firstly, there are several existing places where configuration
-information is retrieved from xenstore rather than JSON.  We do not
-want to reen gineer this in a security patch.
-
-Secondly, we want to make a security patch which can be backported to
-versions of libxl without the JSON configuration machinery.
-
-So we take the expedient approach of keeping a copy of the
-configuration somewhere we trust, namely /libxl.  This is obviously
-fairly low-risk, although it does write significantly more keys in
-xenstore.
-
-In this patch we make this change in libxl__device_generic_add.  This
-is responsible for actually writing the vast majority of device
-information to xenstore.  There are a few loose ends which will be
-dealt with in a moment.
-
-Likewise, changes to readers to use the new location will appear in
-further patches.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- docs/misc/xenstore-paths.markdown |  4 ++++
- tools/libxl/libxl_device.c        | 23 +++++++++++++++++++++++
- 2 files changed, 27 insertions(+)
-
-diff --git a/docs/misc/xenstore-paths.markdown b/docs/misc/xenstore-paths.markdown
-index 276273d..8c686ec 100644
---- a/docs/misc/xenstore-paths.markdown
-+++ b/docs/misc/xenstore-paths.markdown
-_at_@ -404,6 +404,10 @@ Path in xenstore to the frontend, normally
- Path in xenstore to the backend, normally
- /local/domain/$BACKEND_DOMID/backend/$KIND/$DOMID/$DEVID
- 
-+#### /libxl/$DOMID/device/$KIND/$DEVID/$NODE
-+
-+Trustworthy copy of /local/domain/$DOMID/backend/$KIND/$DEVID/$NODE.
-+
- #### /libxl/$DOMID/dm-version ("qemu\_xen"|"qemu\_xen\_traditional") = [n,INTERNAL]
- 
- The device model version for a domain.
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index 38ab393..ede7342 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-_at_@ -185,6 +185,29 @@ retry_transaction:
-         xs_write(ctx->xsh, t, GCSPRINTF("%s/frontend", backend_path),
-                  frontend_path, strlen(frontend_path));
-         libxl__xs_writev(gc, t, backend_path, bents);
-+
-+        /*
-+         * We make a copy of everything for the backend in the libxl
-+         * path as well.  This means we don't need to trust the
-+         * backend.  Ideally this information would not be used and we
-+         * would use the information from the json configuration
-+         * instead.  But there are still places in libxl that try to
-+         * reconstruct a config from xenstore.
-+         *
-+         * This duplication will typically produces duplicate keys
-+         * which will go out of date, but that's OK because nothing
-+         * reads those.  For example, there is usually
-+         *   /libxl/$guest/device/$kind/$devid/state
-+         * which starts out containing XenbusStateInitialising ("1")
-+         * just like the copy in
-+         *  /local/domain/$driverdom/backend/$guest/$kind/$devid/state
-+         * but which won't ever be updated.
-+         *
-+         * This duplication is superfluous and messy but as discussed
-+         * the proper fix is more intrusive than we want to do now.
-+         */
-+        rc = libxl__xs_writev(gc, t, libxl_path, bents);
-+        if (rc) goto out;
-     }
- 
-     if (!create_transaction)
--- 
-1.9.1
-
diff --git a/main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch b/main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
deleted file mode 100644
index 56a8f6c..0000000
--- a/main/xen/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
+++ /dev/null
_at_@ -1,195 +0,0 @@
-From 3a4091efe0b4bcae46371491d74c15bba6f93275 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Mon, 16 May 2016 14:56:57 +0100
-Subject: [PATCH 01/12] libxl: Record backend/frontend paths in /libxl/$DOMID
-
-This gives us a record of all the backends we have set up for a
-domain, which is separate from the frontends in
-  /local/domain/$DOMID/device.
-
-In particular:
-
-1. A guest has write permission for the frontend path:
-  /local/domain/$DOMID/device/$KIND/$DEVID
-which means that the guest can completely delete the frontend.
-(They can't recreate it because they don't have write permission
-on the containing directory.)
-
-2. A guest has write permission for the backend path recorded in the
-frontend, ie, it can write to
-  /local/domain/$DOMID/device/$KIND/$DEVID/backend
-which means that the guest can break the association between
-frontend and backend.
-
-So we can't rely on iterating over the frontends to find all the
-backends, or examining a frontend to discover how a device is
-configured.
-
-So, have libxl__device_generic_add record the frontend and backend
-paths in /libxl/$DOMID/device, and have libxl__device_destroy remove
-them again.
-
-Create the containing directory /libxl/GUEST/device in
-libxl__domain_make.  The already existing xs_rm in devices_destroy_cb
-will take care of removing it.
-
-This is part of XSA-175.
-
-Backport note: Backported over 7472ced, which fixes a bug in driver
-domain teardown.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
-v2: Correct actual path computation (!)
-v3: Correct actual path computation - really this time (!)
----
- docs/misc/xenstore-paths.markdown | 15 +++++++++++++++
- tools/libxl/libxl_create.c        |  2 ++
- tools/libxl/libxl_device.c        | 34 +++++++++++++++++++++++++++++++++-
- tools/libxl/libxl_internal.h      |  1 +
- 4 files changed, 51 insertions(+), 1 deletion(-)
-
-diff --git a/docs/misc/xenstore-paths.markdown b/docs/misc/xenstore-paths.markdown
-index d94ea9d..276273d 100644
---- a/docs/misc/xenstore-paths.markdown
-+++ b/docs/misc/xenstore-paths.markdown
-_at_@ -389,6 +389,21 @@ The guest's virtual time offset from UTC in seconds.
- 
- ### libxl Specific Paths
- 
-+#### /libxl/$DOMID/device/$KIND/$DEVID
-+
-+Created by libxl for every frontend/backend pair created for $DOMID.
-+Used by libxl for enumeration and management of the device.
-+
-+#### /libxl/$DOMID/device/$KIND/$DEVID/frontend
-+
-+Path in xenstore to the frontend, normally
-+/local/domain/$DOMID/device/$KIND/$DEVID
-+
-+#### /libxl/$DOMID/device/$KIND/$DEVID/backend
-+
-+Path in xenstore to the backend, normally
-+/local/domain/$BACKEND_DOMID/backend/$KIND/$DOMID/$DEVID
-+
- #### /libxl/$DOMID/dm-version ("qemu\_xen"|"qemu\_xen\_traditional") = [n,INTERNAL]
- 
- The device model version for a domain.
-diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
-index 152fdbc..a4d4d4c 100644
---- a/tools/libxl/libxl_create.c
-+++ b/tools/libxl/libxl_create.c
-_at_@ -586,6 +586,8 @@ retry_transaction:
- 
-     xs_rm(ctx->xsh, t, libxl_path);
-     libxl__xs_mkdir(gc, t, libxl_path, noperm, ARRAY_SIZE(noperm));
-+    libxl__xs_mkdir(gc, t, GCSPRINTF("%s/device", libxl_path),
-+                    noperm, ARRAY_SIZE(noperm));
- 
-     xs_write(ctx->xsh, t, libxl__sprintf(gc, "%s/vm", dom_path), vm_path, strlen(vm_path));
-     rc = libxl__domain_rename(gc, *domid, 0, info->name, t);
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index 4b51ded..a8b97a3 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-_at_@ -40,6 +40,15 @@ char *libxl__device_backend_path(libxl__gc *gc, libxl__device *device)
-                      device->domid, device->devid);
- }
- 
-+char *libxl__device_libxl_path(libxl__gc *gc, libxl__device *device)
-+{
-+    char *libxl_dom_path = libxl__xs_libxl_path(gc, device->domid);
-+
-+    return GCSPRINTF("%s/device/%s/%d", libxl_dom_path,
-+                     libxl__device_kind_to_string(device->kind),
-+                     device->devid);
-+}
-+
- /* Returns 1 if device exists, 0 if not, ERROR_* (<0) on error. */
- int libxl__device_exists(libxl__gc *gc, xs_transaction_t t,
-                          libxl__device *device)
-_at_@ -105,14 +114,16 @@ int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
-         libxl__device *device, char **bents, char **fents, char **ro_fents)
- {
-     libxl_ctx *ctx = libxl__gc_owner(gc);
--    char *frontend_path, *backend_path;
-+    char *frontend_path, *backend_path, *libxl_path;
-     struct xs_permissions frontend_perms[2];
-     struct xs_permissions ro_frontend_perms[2];
-     struct xs_permissions backend_perms[2];
-     int create_transaction = t == XBT_NULL;
-+    int rc;
- 
-     frontend_path = libxl__device_frontend_path(gc, device);
-     backend_path = libxl__device_backend_path(gc, device);
-+    libxl_path = libxl__device_libxl_path(gc, device);
- 
-     frontend_perms[0].id = device->domid;
-     frontend_perms[0].perms = XS_PERM_NONE;
-_at_@ -127,8 +138,22 @@ int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
- retry_transaction:
-     if (create_transaction)
-         t = xs_transaction_start(ctx->xsh);
-+
-     /* FIXME: read frontend_path and check state before removing stuff */
- 
-+    rc = libxl__xs_rm_checked(gc, t, libxl_path);
-+    if (rc) goto out;
-+
-+    rc = libxl__xs_write_checked(gc, t, GCSPRINTF("%s/frontend",libxl_path),
-+                                 frontend_path);
-+    if (rc) goto out;
-+
-+    rc = libxl__xs_write_checked(gc, t, GCSPRINTF("%s/backend",libxl_path),
-+                                 backend_path);
-+    if (rc) goto out;
-+
-+    /* xxx much of this function lacks error checks! */
-+
-     if (fents || ro_fents) {
-         xs_rm(ctx->xsh, t, frontend_path);
-         xs_mkdir(ctx->xsh, t, frontend_path);
-_at_@ -174,6 +199,11 @@ retry_transaction:
-         }
-     }
-     return 0;
-+
-+ out:
-+    if (create_transaction && t)
-+        libxl__xs_transaction_abort(gc, &t);
-+    return rc;
- }
- 
- typedef struct {
-_at_@ -570,6 +600,7 @@ int libxl__device_destroy(libxl__gc *gc, libxl__device *dev)
- {
-     const char *be_path = libxl__device_backend_path(gc, dev);
-     const char *fe_path = libxl__device_frontend_path(gc, dev);
-+    const char *libxl_path = libxl__device_libxl_path(gc, dev);
-     const char *tapdisk_path = GCSPRINTF("%s/%s", be_path, "tapdisk-params");
-     const char *tapdisk_params;
-     xs_transaction_t t = 0;
-_at_@ -594,6 +625,7 @@ int libxl__device_destroy(libxl__gc *gc, libxl__device *dev)
-              */
-             libxl__xs_path_cleanup(gc, t, fe_path);
-             libxl__xs_path_cleanup(gc, t, be_path);
-+            libxl__xs_path_cleanup(gc, t, libxl_path);
-         } else if (dev->backend_domid == domid) {
-             /*
-              * The driver domain is in charge for removing what it can
-diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
-index ff88f3d..55b19d9 100644
---- a/tools/libxl/libxl_internal.h
-+++ b/tools/libxl/libxl_internal.h
-_at_@ -1061,6 +1061,7 @@ _hidden int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
-         libxl__device *device, char **bents, char **fents, char **ro_fents);
- _hidden char *libxl__device_backend_path(libxl__gc *gc, libxl__device *device);
- _hidden char *libxl__device_frontend_path(libxl__gc *gc, libxl__device *device);
-+_hidden char *libxl__device_libxl_path(libxl__gc *gc, libxl__device *device);
- _hidden int libxl__parse_backend_path(libxl__gc *gc, const char *path,
-                                       libxl__device *dev);
- _hidden int libxl__device_destroy(libxl__gc *gc, libxl__device *dev);
--- 
-2.1.4
-
diff --git a/main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch b/main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
deleted file mode 100644
index 0a53f7e..0000000
--- a/main/xen/0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
+++ /dev/null
_at_@ -1,32 +0,0 @@
-From 840a49ab13e3f07898831635ee5046d0f6098be9 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 4 May 2016 15:04:35 +0100
-Subject: [PATCH 02/20] libxl: Do not trust backend in libxl__device_exists
-
-To determine whether a device is supposed to exist, look in /libxl,
-rather than the backend.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl_device.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index ede7342..9d65a7e 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-_at_@ -54,7 +54,7 @@ int libxl__device_exists(libxl__gc *gc, xs_transaction_t t,
-                          libxl__device *device)
- {
-     int rc;
--    char *be_path = libxl__device_backend_path(gc, device);
-+    char *be_path = libxl__device_libxl_path(gc, device);
-     const char *dir;
- 
-     rc = libxl__xs_read_checked(gc, t, be_path, &dir);
--- 
-1.9.1
-
diff --git a/main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch b/main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
deleted file mode 100644
index b0b7896..0000000
--- a/main/xen/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
+++ /dev/null
_at_@ -1,62 +0,0 @@
-From c689a6c9471761b59e6d08dee1667834e0b7fc34 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 27 Apr 2016 16:34:19 +0100
-Subject: [PATCH 02/12] libxl: Provide libxl__backendpath_parse_domid
-
-Multiple places in libxl need to figure out the backend domid of a
-device.  This can be discovered easily by looking at the backend path,
-which always starts /local/domain/$backend_domid/.
-
-There are no call sites yet.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl_device.c   | 15 +++++++++++++++
- tools/libxl/libxl_internal.h |  2 ++
- 2 files changed, 17 insertions(+)
-
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index a8b97a3..9136b26 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-_at_@ -288,6 +288,21 @@ static int disk_try_backend(disk_try_backend_args *a,
-     return 0;
- }
- 
-+int libxl__backendpath_parse_domid(libxl__gc *gc, const char *be_path,
-+                                   libxl_domid *domid_out) {
-+    int r;
-+    unsigned int domid_sc;
-+    char delim_sc;
-+
-+    r = sscanf(be_path, "/local/domain/%u%c", &domid_sc, &delim_sc);
-+    if (!(r==2 && delim_sc=='/')) {
-+        LOG(ERROR, "internal error: backend path %s unparseable!", be_path);
-+        return ERROR_FAIL;
-+    }
-+    *domid_out = domid_sc;
-+    return 0;
-+}
-+
- int libxl__device_disk_set_backend(libxl__gc *gc, libxl_device_disk *disk) {
-     libxl_disk_backend ok;
-     disk_try_backend_args a;
-diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
-index 55b19d9..bfe06bd 100644
---- a/tools/libxl/libxl_internal.h
-+++ b/tools/libxl/libxl_internal.h
-_at_@ -594,6 +594,8 @@ _hidden bool libxl__xs_mkdir(libxl__gc *gc, xs_transaction_t t,
- 
- _hidden char *libxl__xs_libxl_path(libxl__gc *gc, uint32_t domid);
- 
-+_hidden int libxl__backendpath_parse_domid(libxl__gc *gc, const char *be_path,
-+                                           libxl_domid *domid_out);
- 
- /*----- "checked" xenstore access functions -----*/
- /* Each of these functions will check that it succeeded; if it
--- 
-2.1.4
-
diff --git a/main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch b/main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
deleted file mode 100644
index 501af92..0000000
--- a/main/xen/0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
+++ /dev/null
_at_@ -1,55 +0,0 @@
-From eaf75a339a514007b60406eb3382ea23a9440663 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Fri, 29 Apr 2016 17:18:44 +0100
-Subject: [PATCH 03/20] libxl: Do not trust backend for vtpm in getinfo (except
- uuid)
-
-* Do not check the backend for existence.  We have already read the
-  /libxl path so know that the vtpm exists (or is supposed to); if the
-  backend doesn't exist then that must be the backend's doing.
-* Get the frontend path from the /libxl directory.
-* The frontend domid is the guest domid, and does not need to be read
-  from xenstore (!)
-
-We still attempt to read the uuid from the backend.  This will be
-fixed in the next patch.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 10 ++--------
- 1 file changed, 2 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 2dd2467..1c241ce 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -2238,9 +2238,6 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
-     if (!vtpminfo->backend) {
-         goto err;
-     }
--    if(!libxl__xs_read(gc, XBT_NULL, vtpminfo->backend)) {
--       goto err;
--    }
- 
-     rc = libxl__backendpath_parse_domid(gc, vtpminfo->backend,
-                                         &vtpminfo->backend_id);
-_at_@ -2259,11 +2256,8 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
-     vtpminfo->rref = val ? strtoul(val, NULL, 10) : -1;
- 
-     vtpminfo->frontend = xs_read(ctx->xsh, XBT_NULL,
--          GCSPRINTF("%s/frontend", vtpminfo->backend), NULL);
--
--    val = libxl__xs_read(gc, XBT_NULL,
--          GCSPRINTF("%s/frontend-id", vtpminfo->backend));
--    vtpminfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+          GCSPRINTF("%s/frontend", libxl_path), NULL);
-+    vtpminfo->frontend_id = domid;
- 
-     val = libxl__xs_read(gc, XBT_NULL,
-           GCSPRINTF("%s/uuid", vtpminfo->backend));
--- 
-1.9.1
-
diff --git a/main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch b/main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
deleted file mode 100644
index a21a853..0000000
--- a/main/xen/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
+++ /dev/null
_at_@ -1,77 +0,0 @@
-From 924ac76cba810c3c8d594f78f96fbf7c792c3f54 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Tue, 3 May 2016 18:39:36 +0100
-Subject: [PATCH 03/12] libxl: Do not trust frontend in libxl__devices_destroy
-
-We need to enumerate the devices we have provided to a domain, without
-trusting the guest-writeable (or, at least, guest-deletable) frontend
-paths.
-
-Instead, enumerate via, and read the backend path from, /libxl.
-
-The console /libxl path is regular, so the special case for console 0
-is not relevant any more: /libxl/GUEST/device/console/0 will be found,
-and then libxl__device_destroy will DTRT to the right frontend path.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl_device.c | 22 +++-------------------
- 1 file changed, 3 insertions(+), 19 deletions(-)
-
-diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
-index 9136b26..38ab393 100644
---- a/tools/libxl/libxl_device.c
-+++ b/tools/libxl/libxl_device.c
-_at_@ -683,7 +683,7 @@ void libxl__devices_destroy(libxl__egc *egc, libxl__devices_remove_state *drs)
-     libxl__multidev_begin(ao, multidev);
-     multidev->callback = devices_remove_callback;
- 
--    path = GCSPRINTF("/local/domain/%d/device", domid);
-+    path = GCSPRINTF("/libxl/%d/device", domid);
-     kinds = libxl__xs_directory(gc, XBT_NULL, path, &num_kinds);
-     if (!kinds) {
-         if (errno != ENOENT) {
-_at_@ -696,12 +696,12 @@ void libxl__devices_destroy(libxl__egc *egc, libxl__devices_remove_state *drs)
-         if (libxl__device_kind_from_string(kinds[i], &kind))
-             continue;
- 
--        path = GCSPRINTF("/local/domain/%d/device/%s", domid, kinds[i]);
-+        path = GCSPRINTF("/libxl/%d/device/%s", domid, kinds[i]);
-         devs = libxl__xs_directory(gc, XBT_NULL, path, &num_dev_xsentries);
-         if (!devs)
-             continue;
-         for (j = 0; j < num_dev_xsentries; j++) {
--            path = GCSPRINTF("/local/domain/%d/device/%s/%s/backend",
-+            path = GCSPRINTF("/libxl/%d/device/%s/%s/backend",
-                              domid, kinds[i], devs[j]);
-             path = libxl__xs_read(gc, XBT_NULL, path);
-             GCNEW(dev);
-_at_@ -726,22 +726,6 @@ void libxl__devices_destroy(libxl__egc *egc, libxl__devices_remove_state *drs)
-         }
-     }
- 
--    /* console 0 frontend directory is not under /local/domain/<domid>/device */
--    path = GCSPRINTF("/local/domain/%d/console/backend", domid);
--    path = libxl__xs_read(gc, XBT_NULL, path);
--    GCNEW(dev);
--    if (path && strcmp(path, "") &&
--        libxl__parse_backend_path(gc, path, dev) == 0) {
--        dev->domid = domid;
--        dev->kind = LIBXL__DEVICE_KIND_CONSOLE;
--        dev->devid = 0;
--
--        /* Currently console devices can be destroyed synchronously by just
--         * removing xenstore entries, this is what libxl__device_destroy does.
--         */
--        libxl__device_destroy(gc, dev);
--    }
--
- out:
-     libxl__multidev_prepared(egc, multidev, rc);
- }
--- 
-2.1.4
-
diff --git a/main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch b/main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
deleted file mode 100644
index cb5dfc5..0000000
--- a/main/xen/0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
+++ /dev/null
_at_@ -1,46 +0,0 @@
-From 2cd66e8bf49f5ff1aa03506aab74dd0ebe2776fa Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:57:14 +0100
-Subject: [PATCH 04/20] libxl: Do not trust backend for vtpm in getinfo (uuid)
-
-Use uuid from /libxl, rather than from backend.  I think the backend
-is not supposed to change the uuid, since it seems to be set by libxl
-during setup.
-
-If in fact the backend is supposed to be able to change the uuid, this
-patch needs to be dropped and replaced by a patch which makes the vtpm
-uuid lookup tolerate bad or missing data.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 1c241ce..23ff871 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -2200,7 +2200,7 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
-                                               &vtpm->backend_domid);
-           if (rc) return NULL;
- 
--          tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", be_path));
-+          tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", libxl_path));
-           if (tmp) {
-               if(libxl_uuid_from_string(&(vtpm->uuid), tmp)) {
-                   LOG(ERROR, "%s/uuid is a malformed uuid?? (%s) Probably a bug!!\n", be_path, tmp);
-_at_@ -2260,7 +2260,7 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
-     vtpminfo->frontend_id = domid;
- 
-     val = libxl__xs_read(gc, XBT_NULL,
--          GCSPRINTF("%s/uuid", vtpminfo->backend));
-+          GCSPRINTF("%s/uuid", libxl_path));
-     if(val == NULL) {
-        LOG(ERROR, "%s/uuid does not exist!\n", vtpminfo->backend);
-        goto err;
--- 
-1.9.1
-
diff --git a/main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch b/main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
deleted file mode 100644
index cdbbc26..0000000
--- a/main/xen/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
+++ /dev/null
_at_@ -1,43 +0,0 @@
-From 1070d8daa6a73a66ceabd9cd6c89ce712b69bafe Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 4 May 2016 15:30:32 +0100
-Subject: [PATCH 04/12] libxl: Do not trust frontend in libxl__device_nextid
-
-When selecting the devid for a new device, we should look in
-/libxl/device for existing devices, not in the frontend area.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 312a371..170dd45 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -1985,15 +1985,16 @@ out:
- /* common function to get next device id */
- static int libxl__device_nextid(libxl__gc *gc, uint32_t domid, char *device)
- {
--    char *dompath, **l;
-+    char *libxl_dom_path, **l;
-     unsigned int nb;
-     int nextid = -1;
- 
--    if (!(dompath = libxl__xs_get_dompath(gc, domid)))
-+    if (!(libxl_dom_path = libxl__xs_libxl_path(gc, domid)))
-         return nextid;
- 
-     l = libxl__xs_directory(gc, XBT_NULL,
--                            GCSPRINTF("%s/device/%s", dompath, device), &nb);
-+        GCSPRINTF("%s/device/%s", libxl_dom_path, device),
-+                            &nb);
-     if (l == NULL || nb == 0)
-         nextid = 0;
-     else
--- 
-2.1.4
-
diff --git a/main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch b/main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
deleted file mode 100644
index 2d9f922..0000000
--- a/main/xen/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
+++ /dev/null
_at_@ -1,104 +0,0 @@
-From 1d70543c4e53c2fc283e520d098069ac41583469 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 27 Apr 2016 16:08:49 +0100
-Subject: [PATCH 05/12] libxl: Do not trust frontend for disk eject event
-
-Use the /libxl path for interpreting disk eject watch events: do not
-read the backend path out of the frontend.  Instead, use the version
-in /libxl.  That avoids us relying on the guest-modifiable
-$frontend/backend pointer.
-
-To implement this we store the path
-  /libxl/$guest/device/vbd/$devid/backend
-in the evgen structure.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c          | 28 ++++++++++++++++++++++------
- tools/libxl/libxl_internal.h |  2 +-
- 2 files changed, 23 insertions(+), 7 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 170dd45..9c0fed4 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -1323,9 +1323,10 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, libxl__ev_xswatch *w,
-                                         const char *wpath, const char *epath) {
-     EGC_GC;
-     libxl_evgen_disk_eject *evg = (void*)w;
--    char *backend;
-+    const char *backend;
-     char *value;
-     char backend_type[BACKEND_STRING_SIZE+1];
-+    int rc;
- 
-     value = libxl__xs_read(gc, XBT_NULL, wpath);
- 
-_at_@ -1341,9 +1342,16 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, libxl__ev_xswatch *w,
-     libxl_event *ev = NEW_EVENT(egc, DISK_EJECT, evg->domid, evg->user);
-     libxl_device_disk *disk = &ev->u.disk_eject.disk;
-     
--    backend = libxl__xs_read(gc, XBT_NULL,
--                             libxl__sprintf(gc, "%.*s/backend",
--                                            (int)strlen(wpath)-6, wpath));
-+    rc = libxl__xs_read_checked(gc, XBT_NULL, evg->be_ptr_path, &backend);
-+    if (rc) {
-+        LIBXL__EVENT_DISASTER(egc, "xs_read failed reading be_ptr_path",
-+                              errno, LIBXL_EVENT_TYPE_DISK_EJECT);
-+        return;
-+    }
-+    if (!backend) {
-+        /* device has been removed, not simply ejected */
-+        return;
-+    }
- 
-     sscanf(backend,
-             "/local/domain/%d/backend/%" TOSTRING(BACKEND_STRING_SIZE)
-_at_@ -1392,11 +1400,18 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid,
-     if (!domid)
-         domid = guest_domid;
- 
--    path = libxl__sprintf(gc, "%s/device/vbd/%d/eject",
-+    int devid = libxl__device_disk_dev_number(vdev, NULL, NULL);
-+
-+    path = GCSPRINTF("%s/device/vbd/%d/eject",
-                  libxl__xs_get_dompath(gc, domid),
--                 libxl__device_disk_dev_number(vdev, NULL, NULL));
-+                 devid);
-     if (!path) { rc = ERROR_NOMEM; goto out; }
- 
-+    const char *libxl_path = GCSPRINTF("%s/device/vbd/%d",
-+                                 libxl__xs_libxl_path(gc, domid),
-+                                 devid);
-+    evg->be_ptr_path = libxl__sprintf(NOGC, "%s/backend", libxl_path);
-+
-     rc = libxl__ev_xswatch_register(gc, &evg->watch,
-                                     disk_eject_xswatch_callback, path);
-     if (rc) goto out;
-_at_@ -1423,6 +1438,7 @@ void libxl__evdisable_disk_eject(libxl__gc *gc, libxl_evgen_disk_eject *evg) {
-         libxl__ev_xswatch_deregister(gc, &evg->watch);
- 
-     free(evg->vdev);
-+    free(evg->be_ptr_path);
-     free(evg);
- 
-     CTX_UNLOCK;
-diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
-index bfe06bd..302585c 100644
---- a/tools/libxl/libxl_internal.h
-+++ b/tools/libxl/libxl_internal.h
-_at_@ -271,7 +271,7 @@ struct libxl__evgen_disk_eject {
-     uint32_t domid;
-     LIBXL_LIST_ENTRY(libxl_evgen_disk_eject) entry;
-     libxl_ev_user user;
--    char *vdev;
-+    char *vdev, *be_ptr_path;
- };
- _hidden void
- libxl__evdisable_disk_eject(libxl__gc*, libxl_evgen_disk_eject*);
--- 
-2.1.4
-
diff --git a/main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch b/main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
deleted file mode 100644
index 625dd97..0000000
--- a/main/xen/0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
+++ /dev/null
_at_@ -1,73 +0,0 @@
-From 2388be01dffb8a3aae85ea58052f6020057ae3bc Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:15:13 +0100
-Subject: [PATCH 05/20] libxl: cdrom eject and insert: write to /libxl
-
-Copy the new type and params values to /libxl, so that the information
-in /libxl is kept up to date.
-
-This is needed so that we can return this trustworthy information,
-rather than trusting the backend-writeable parts of xenstore.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 23ff871..7dcd672 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -2843,7 +2843,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
-     libxl_domain_config d_config;
-     int rc, dm_ver;
-     libxl__device device;
--    const char * path;
-+    const char *path, *libxl_path;
-     char * tmp;
-     libxl__domain_userdata_lock *lock = NULL;
-     xs_transaction_t t = XBT_NULL;
-_at_@ -2911,6 +2911,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
-     if (rc) goto out;
- 
-     path = libxl__device_backend_path(gc, &device);
-+    libxl_path = libxl__device_libxl_path(gc, &device);
- 
-     insert = flexarray_make(gc, 4, 1);
- 
-_at_@ -2959,8 +2960,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
-             goto out;
-         }
- 
--        rc = libxl__xs_writev(gc, t, path,
--                              libxl__xs_kvs_of_flexarray(gc, empty, empty->count));
-+        char **kvs = libxl__xs_kvs_of_flexarray(gc, empty, empty->count);
-+
-+        rc = libxl__xs_writev(gc, t, path, kvs);
-+        if (rc) goto out;
-+
-+        rc = libxl__xs_writev(gc, t, libxl_path, kvs);
-         if (rc) goto out;
- 
-         rc = libxl__xs_transaction_commit(gc, &t);
-_at_@ -2994,8 +2999,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
-         rc = libxl__set_domain_configuration(gc, domid, &d_config);
-         if (rc) goto out;
- 
--        rc = libxl__xs_writev(gc, t, path,
--                              libxl__xs_kvs_of_flexarray(gc, insert, insert->count));
-+        char **kvs = libxl__xs_kvs_of_flexarray(gc, insert, insert->count);
-+
-+        rc = libxl__xs_writev(gc, t, path, kvs);
-+        if (rc) goto out;
-+
-+        rc = libxl__xs_writev(gc, t, libxl_path, kvs);
-         if (rc) goto out;
- 
-         rc = libxl__xs_transaction_commit(gc, &t);
--- 
-1.9.1
-
diff --git a/main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch b/main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
deleted file mode 100644
index b3e42da..0000000
--- a/main/xen/0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
+++ /dev/null
_at_@ -1,67 +0,0 @@
-From c7e9c4b1231effdc1283d9a4a2645e395adb01d5 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:23:35 +0100
-Subject: [PATCH 06/20] libxl: Do not trust backend for disk eject vdev
-
-For disk eject, use configured vdev from /libxl, not backend.
-
-The backend directory is writeable by driver domains.  This means that
-a malicious driver domain could cause libxl to see a wrong vdev,
-confusing the user or the toolstack.
-
-Use the vdev from the /libxl space, rather than the backend.
-
-For convenience, we read the vdev from the /libxl space into the evg
-during setup and copy it on each event, rather than reading it afresh
-each time (which would in any case involve generating or saving a copy
-of the relevant /libxl path).
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 7dcd672..138167d 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -1368,8 +1368,7 @@ static void disk_eject_xswatch_callback(libxl__egc *egc, libxl__ev_xswatch *w,
-     disk->pdev_path = strdup(""); /* xxx fixme malloc failure */
-     disk->format = LIBXL_DISK_FORMAT_EMPTY;
-     /* this value is returned to the user: do not free right away */
--    disk->vdev = xs_read(CTX->xsh, XBT_NULL,
--                         libxl__sprintf(gc, "%s/dev", backend), NULL);
-+    disk->vdev = libxl__strdup(NOGC, evg->vdev);
-     disk->removable = 1;
-     disk->readwrite = 0;
-     disk->is_cdrom = 1;
-_at_@ -1392,9 +1391,6 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid,
-     evg->domid = guest_domid;
-     LIBXL_LIST_INSERT_HEAD(&CTX->disk_eject_evgens, evg, entry);
- 
--    evg->vdev = strdup(vdev);
--    if (!evg->vdev) { rc = ERROR_NOMEM; goto out; }
--
-     uint32_t domid = libxl_get_stubdom_id(ctx, guest_domid);
- 
-     if (!domid)
-_at_@ -1412,6 +1408,13 @@ int libxl_evenable_disk_eject(libxl_ctx *ctx, uint32_t guest_domid,
-                                  devid);
-     evg->be_ptr_path = libxl__sprintf(NOGC, "%s/backend", libxl_path);
- 
-+    const char *configured_vdev;
-+    rc = libxl__xs_read_checked(gc, XBT_NULL,
-+            GCSPRINTF("%s/vdev", libxl_path), &configured_vdev);
-+    if (rc) goto out;
-+
-+    evg->vdev = libxl__strdup(NOGC, configured_vdev);
-+
-     rc = libxl__ev_xswatch_register(gc, &evg->watch,
-                                     disk_eject_xswatch_callback, path);
-     if (rc) goto out;
--- 
-1.9.1
-
diff --git a/main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch b/main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
deleted file mode 100644
index 2f8b633..0000000
--- a/main/xen/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
+++ /dev/null
_at_@ -1,79 +0,0 @@
-From 11770db72bc644c322ad9044dbf86f9c6cb3a780 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:21:51 +0100
-Subject: [PATCH 06/12] libxl: Do not trust frontend for disk in getinfo
-
-* Rename the frontend variable to `fe_path' to check we caught them all
-* Read the backend path from /libxl, rather than from the frontend
-* Parse the backend domid from the backend path, rather than reading it
-  from the frontend (and add the appropriate error path and initialisation)
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 27 +++++++++++++++++++--------
- 1 file changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 9c0fed4..69b7da7 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -2796,27 +2796,34 @@ int libxl_device_disk_getinfo(libxl_ctx *ctx, uint32_t domid,
-                               libxl_device_disk *disk, libxl_diskinfo *diskinfo)
- {
-     GC_INIT(ctx);
--    char *dompath, *diskpath;
-+    char *dompath, *fe_path, *libxl_path;
-     char *val;
-+    int rc;
-+
-+    diskinfo->backend = NULL;
- 
-     dompath = libxl__xs_get_dompath(gc, domid);
-     diskinfo->devid = libxl__device_disk_dev_number(disk->vdev, NULL, NULL);
- 
-     /* tap devices entries in xenstore are written as vbd devices. */
--    diskpath = libxl__sprintf(gc, "%s/device/vbd/%d", dompath, diskinfo->devid);
-+    fe_path = GCSPRINTF("%s/device/vbd/%d", dompath, diskinfo->devid);
-+    libxl_path = GCSPRINTF("%s/device/vbd/%d",
-+                           libxl__xs_libxl_path(gc, domid), diskinfo->devid);
-     diskinfo->backend = xs_read(ctx->xsh, XBT_NULL,
--                                libxl__sprintf(gc, "%s/backend", diskpath), NULL);
-+                                GCSPRINTF("%s/backend", libxl_path), NULL);
-     if (!diskinfo->backend) {
-         GC_FREE;
-         return ERROR_FAIL;
-     }
--    val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", diskpath));
--    diskinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
--    val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", diskpath));
-+    rc = libxl__backendpath_parse_domid(gc, diskinfo->backend,
-+                                        &diskinfo->backend_id);
-+    if (rc) goto out;
-+
-+    val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path));
-     diskinfo->state = val ? strtoul(val, NULL, 10) : -1;
--    val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", diskpath));
-+    val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/event-channel", fe_path));
-     diskinfo->evtch = val ? strtoul(val, NULL, 10) : -1;
--    val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/ring-ref", diskpath));
-+    val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path));
-     diskinfo->rref = val ? strtoul(val, NULL, 10) : -1;
-     diskinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-                                  libxl__sprintf(gc, "%s/frontend", diskinfo->backend), NULL);
-_at_@ -2825,6 +2832,10 @@ int libxl_device_disk_getinfo(libxl_ctx *ctx, uint32_t domid,
- 
-     GC_FREE;
-     return 0;
-+
-+ out:
-+    free(diskinfo->backend);
-+    return rc;
- }
- 
- int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
--- 
-2.1.4
-
diff --git a/main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch b/main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
deleted file mode 100644
index 8fcf0f4..0000000
--- a/main/xen/0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
+++ /dev/null
_at_@ -1,245 +0,0 @@
-From a81a94db7bdf0f6fbf24a79182d1d246cfc1dd96 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Fri, 29 Apr 2016 18:29:45 +0100
-Subject: [PATCH 07/20] libxl: Do not trust backend for disk; fix driver domain
- disks list
-
-Rework libxl__device_disk_from_xs_be (which takes a backend path) into
-to libxl__device_disk_from_xenstore (which takes a libxl path).
-
-libxl__device_disk_from_xenstore now finds the backend path itself,
-although it doesn't use it any more for most of its functions.  We
-rename the variable from be_path to backend_path to make sure we
-didn't miss any cases.
-
-All the data collection is now done by reading from the copy in
-/libxl.
-
-libxl_device_disk_list and its helper libxl__append_disk_list (which
-used to be libxl__append_disk_list_of_type) need extensive rework,
-because they now need to specify the /libxl path rather than the
-backend path.
-
-To do that they enumerate disks by looking in the appropriate area in
-/libxl.  Previously they scanned various of the backend directories in
-dom0 (which was broken for driver domains).  It is no longer necessary
-to enumerate the various disk backends, because they all use the same
-paths in /devices.  libxl__device_disk_from_xenstore will parse the
-type out of the backend path, for itself.  (Indeed, it did so before -
-the now-gone type parameter to libxl__append_disk_list_of_type wasn't
-used other than to construct the directory to list.)
-
-Finally, remove a redundant store to pdisk->backend_domid in
-libxl__append_disk_list[_of_type].  Even before this commit, that
-store was not needed because libxl_device_disk_init (called by
-libxl__device_disk_from_xenstore) would zero it.  Now it overwrites
-the correct backend domid with zero; so remove it.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
-v2: Also fix up COLO reads, following rebase
----
- tools/libxl/libxl.c | 84 +++++++++++++++++++++++++++--------------------------
- 1 file changed, 43 insertions(+), 41 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 138167d..6c59a6f 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -2617,8 +2617,8 @@ void libxl__device_disk_add(libxl__egc *egc, uint32_t domid,
-     device_disk_add(egc, domid, disk, aodev, NULL, NULL);
- }
- 
--static int libxl__device_disk_from_xs_be(libxl__gc *gc,
--                                         const char *be_path,
-+static int libxl__device_disk_from_xenstore(libxl__gc *gc,
-+                                         const char *libxl_path,
-                                          libxl_device_disk *disk)
- {
-     libxl_ctx *ctx = libxl__gc_owner(gc);
-_at_@ -2628,15 +2628,27 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
- 
-     libxl_device_disk_init(disk);
- 
--    rc = sscanf(be_path, "/local/domain/%d/", &disk->backend_domid);
-+    const char *backend_path;
-+    rc = libxl__xs_read_checked(gc, XBT_NULL,
-+                                GCSPRINTF("%s/backend", libxl_path),
-+                                &backend_path);
-+    if (rc) goto out;
-+
-+    if (!backend_path) {
-+        LOG(ERROR, "disk %s does not exist (no backend path", libxl_path);
-+        rc = ERROR_FAIL;
-+        goto out;
-+    }
-+
-+    rc = sscanf(backend_path, "/local/domain/%d/", &disk->backend_domid);
-     if (rc != 1) {
--        LOG(ERROR, "Unable to fetch device backend domid from %s", be_path);
-+        LOG(ERROR, "Unable to fetch device backend domid from %s", backend_path);
-         goto cleanup;
-     }
- 
-     /* "params" may not be present; but everything else must be. */
-     tmp = xs_read(ctx->xsh, XBT_NULL,
--                  libxl__sprintf(gc, "%s/params", be_path), &len);
-+                  libxl__sprintf(gc, "%s/params", libxl_path), &len);
-     if (tmp && strchr(tmp, ':')) {
-         disk->pdev_path = strdup(strchr(tmp, ':') + 1);
-         free(tmp);
-_at_@ -2646,31 +2658,31 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
- 
- 
-     tmp = libxl__xs_read(gc, XBT_NULL,
--                         libxl__sprintf(gc, "%s/type", be_path));
-+                         libxl__sprintf(gc, "%s/type", libxl_path));
-     if (!tmp) {
--        LOG(ERROR, "Missing xenstore node %s/type", be_path);
-+        LOG(ERROR, "Missing xenstore node %s/type", libxl_path);
-         goto cleanup;
-     }
-     libxl_string_to_backend(ctx, tmp, &(disk->backend));
- 
-     disk->vdev = xs_read(ctx->xsh, XBT_NULL,
--                         libxl__sprintf(gc, "%s/dev", be_path), &len);
-+                         libxl__sprintf(gc, "%s/dev", libxl_path), &len);
-     if (!disk->vdev) {
--        LOG(ERROR, "Missing xenstore node %s/dev", be_path);
-+        LOG(ERROR, "Missing xenstore node %s/dev", libxl_path);
-         goto cleanup;
-     }
- 
-     tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf
--                         (gc, "%s/removable", be_path));
-+                         (gc, "%s/removable", libxl_path));
-     if (!tmp) {
--        LOG(ERROR, "Missing xenstore node %s/removable", be_path);
-+        LOG(ERROR, "Missing xenstore node %s/removable", libxl_path);
-         goto cleanup;
-     }
-     disk->removable = atoi(tmp);
- 
--    tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/mode", be_path));
-+    tmp = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/mode", libxl_path));
-     if (!tmp) {
--        LOG(ERROR, "Missing xenstore node %s/mode", be_path);
-+        LOG(ERROR, "Missing xenstore node %s/mode", libxl_path);
-         goto cleanup;
-     }
-     if (!strcmp(tmp, "w"))
-_at_@ -2679,9 +2691,9 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
-         disk->readwrite = 0;
- 
-     tmp = libxl__xs_read(gc, XBT_NULL,
--                         libxl__sprintf(gc, "%s/device-type", be_path));
-+                         libxl__sprintf(gc, "%s/device-type", libxl_path));
-     if (!tmp) {
--        LOG(ERROR, "Missing xenstore node %s/device-type", be_path);
-+        LOG(ERROR, "Missing xenstore node %s/device-type", libxl_path);
-         goto cleanup;
-     }
-     disk->is_cdrom = !strcmp(tmp, "cdrom");
-_at_@ -2690,15 +2702,17 @@ static int libxl__device_disk_from_xs_be(libxl__gc *gc,
- 
-     return 0;
- cleanup:
-+    rc = ERROR_FAIL;
-+ out:
-     libxl_device_disk_dispose(disk);
--    return ERROR_FAIL;
-+    return rc;
- }
- 
- int libxl_vdev_to_device_disk(libxl_ctx *ctx, uint32_t domid,
-                               const char *vdev, libxl_device_disk *disk)
- {
-     GC_INIT(ctx);
--    char *dompath, *path;
-+    char *dom_xl_path, *libxl_path;
-     int devid = libxl__device_disk_dev_number(vdev, NULL, NULL);
-     int rc = ERROR_FAIL;
- 
-_at_@ -2707,39 +2721,34 @@ int libxl_vdev_to_device_disk(libxl_ctx *ctx, uint32_t domid,
- 
-     libxl_device_disk_init(disk);
- 
--    dompath = libxl__xs_get_dompath(gc, domid);
--    if (!dompath) {
-+    dom_xl_path = libxl__xs_libxl_path(gc, domid);
-+    if (!dom_xl_path) {
-         goto out;
-     }
--    path = libxl__xs_read(gc, XBT_NULL,
--                          libxl__sprintf(gc, "%s/device/vbd/%d/backend",
--                                         dompath, devid));
--    if (!path)
--        goto out;
-+    libxl_path = GCSPRINTF("%s/device/vbd/%d", dom_xl_path, devid);
- 
--    rc = libxl__device_disk_from_xs_be(gc, path, disk);
-+    rc = libxl__device_disk_from_xenstore(gc, libxl_path, disk);
- out:
-     GC_FREE;
-     return rc;
- }
- 
- 
--static int libxl__append_disk_list_of_type(libxl__gc *gc,
-+static int libxl__append_disk_list(libxl__gc *gc,
-                                            uint32_t domid,
--                                           const char *type,
-                                            libxl_device_disk **disks,
-                                            int *ndisks)
- {
--    char *be_path = NULL;
-+    char *libxl_dir_path = NULL;
-     char **dir = NULL;
-     unsigned int n = 0;
-     libxl_device_disk *pdisk = NULL, *pdisk_end = NULL;
-     int rc=0;
-     int initial_disks = *ndisks;
- 
--    be_path = libxl__sprintf(gc, "%s/backend/%s/%d",
--                             libxl__xs_get_dompath(gc, 0), type, domid);
--    dir = libxl__xs_directory(gc, XBT_NULL, be_path, &n);
-+    libxl_dir_path = GCSPRINTF("%s/device/vbd",
-+                        libxl__xs_libxl_path(gc, domid));
-+    dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n);
-     if (dir && n) {
-         libxl_device_disk *tmp;
-         tmp = realloc(*disks, sizeof (libxl_device_disk) * (*ndisks + n));
-_at_@ -2750,10 +2759,9 @@ static int libxl__append_disk_list_of_type(libxl__gc *gc,
-         pdisk_end = *disks + initial_disks + n;
-         for (; pdisk < pdisk_end; pdisk++, dir++) {
-             const char *p;
--            p = libxl__sprintf(gc, "%s/%s", be_path, *dir);
--            if ((rc=libxl__device_disk_from_xs_be(gc, p, pdisk)))
-+            p = libxl__sprintf(gc, "%s/%s", libxl_dir_path, *dir);
-+            if ((rc=libxl__device_disk_from_xenstore(gc, p, pdisk)))
-                 goto out;
--            pdisk->backend_domid = 0;
-             *ndisks += 1;
-         }
-     }
-_at_@ -2769,13 +2777,7 @@ libxl_device_disk *libxl_device_disk_list(libxl_ctx *ctx, uint32_t domid, int *n
- 
-     *num = 0;
- 
--    rc = libxl__append_disk_list_of_type(gc, domid, "vbd", &disks, num);
--    if (rc) goto out_err;
--
--    rc = libxl__append_disk_list_of_type(gc, domid, "tap", &disks, num);
--    if (rc) goto out_err;
--
--    rc = libxl__append_disk_list_of_type(gc, domid, "qdisk", &disks, num);
-+    rc = libxl__append_disk_list(gc, domid, &disks, num);
-     if (rc) goto out_err;
- 
-     GC_FREE;
--- 
-1.9.1
-
diff --git a/main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch b/main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
deleted file mode 100644
index 6f0d487..0000000
--- a/main/xen/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
+++ /dev/null
_at_@ -1,67 +0,0 @@
-From 54a34ac83f0826cd0213a6ebdb0c414cb5051ed2 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Tue, 3 May 2016 15:58:32 +0100
-Subject: [PATCH 07/12] libxl: Do not trust frontend for vtpm list
-
-libxl_device_vtpm_list needs to enumerate and identify devices without
-trusting frontend-controlled data.  So
-
-* Use the /libxl path to enumerate vtpms.
-* Use the /libxl path to find the corresponding backends.
-* Parse the backend path to find the backend domid.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 69b7da7..b91eee8 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -2173,14 +2173,15 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
-     GC_INIT(ctx);
- 
-     libxl_device_vtpm* vtpms = NULL;
--    char* fe_path = NULL;
-+    char *libxl_path;
-     char** dir = NULL;
-     unsigned int ndirs = 0;
-+    int rc;
- 
-     *num = 0;
- 
--    fe_path = libxl__sprintf(gc, "%s/device/vtpm", libxl__xs_get_dompath(gc, domid));
--    dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &ndirs);
-+    libxl_path = GCSPRINTF("%s/device/vtpm", libxl__xs_libxl_path(gc, domid));
-+    dir = libxl__xs_directory(gc, XBT_NULL, libxl_path, &ndirs);
-     if (dir && ndirs) {
-        vtpms = malloc(sizeof(*vtpms) * ndirs);
-        libxl_device_vtpm* vtpm;
-_at_@ -2189,16 +2190,15 @@ libxl_device_vtpm *libxl_device_vtpm_list(libxl_ctx *ctx, uint32_t domid, int *n
-           char* tmp;
-           const char* be_path = libxl__xs_read(gc, XBT_NULL,
-                 GCSPRINTF("%s/%s/backend",
--                   fe_path, *dir));
-+                   libxl_path, *dir));
- 
-           libxl_device_vtpm_init(vtpm);
- 
-           vtpm->devid = atoi(*dir);
- 
--          tmp = libxl__xs_read(gc, XBT_NULL,
--                GCSPRINTF("%s/%s/backend-id",
--                   fe_path, *dir));
--          vtpm->backend_domid = atoi(tmp);
-+          rc = libxl__backendpath_parse_domid(gc, be_path,
-+                                              &vtpm->backend_domid);
-+          if (rc) return NULL;
- 
-           tmp = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/uuid", be_path));
-           if (tmp) {
--- 
-2.1.4
-
diff --git a/main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch b/main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
deleted file mode 100644
index d93e4f7..0000000
--- a/main/xen/0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
+++ /dev/null
_at_@ -1,35 +0,0 @@
-From 2614f9ac7c96b3b0045cf38a1ec6edb89552a724 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:10:45 +0100
-Subject: [PATCH 08/20] libxl: Do not trust backend for disk in getinfo
-
-Do not read the frontend path out of the backend.  We have it in our
-hand.  Likewise the guest (frontend) domid was one of our parameters (!)
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 6c59a6f..6f70cb8 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -2827,9 +2827,8 @@ int libxl_device_disk_getinfo(libxl_ctx *ctx, uint32_t domid,
-     val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path));
-     diskinfo->rref = val ? strtoul(val, NULL, 10) : -1;
-     diskinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
--                                 libxl__sprintf(gc, "%s/frontend", diskinfo->backend), NULL);
--    val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", diskinfo->backend));
--    diskinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+                                 GCSPRINTF("%s/frontend", libxl_path), NULL);
-+    diskinfo->frontend_id = domid;
- 
-     GC_FREE;
-     return 0;
--- 
-1.9.1
-
diff --git a/main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch b/main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
deleted file mode 100644
index 2c95766..0000000
--- a/main/xen/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
+++ /dev/null
_at_@ -1,61 +0,0 @@
-From b83d66dfb3905dfd627f5e4833d74be274771e43 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Tue, 3 May 2016 16:00:20 +0100
-Subject: [PATCH 08/12] libxl: Do not trust frontend for vtpm in getinfo
-
-libxl_device_vtpm_getinfo needs to examine devices without trusting
-frontend-controlled data.  So:
-
-* Use /libxl to find the backend path.
-* Parse the backend path to find the backend domid, rather than
-  reading it from the frontend.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index b91eee8..65b9953 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -2222,7 +2222,7 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
-                               libxl_vtpminfo *vtpminfo)
- {
-     GC_INIT(ctx);
--    char *dompath, *vtpmpath;
-+    char *libxl_path, *dompath, *vtpmpath;
-     char *val;
-     int rc = 0;
- 
-_at_@ -2231,8 +2231,10 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
-     vtpminfo->devid = vtpm->devid;
- 
-     vtpmpath = GCSPRINTF("%s/device/vtpm/%d", dompath, vtpminfo->devid);
-+    libxl_path = GCSPRINTF("%s/device/vtpm/%d",
-+                           libxl__xs_libxl_path(gc, domid), vtpminfo->devid);
-     vtpminfo->backend = xs_read(ctx->xsh, XBT_NULL,
--          GCSPRINTF("%s/backend", vtpmpath), NULL);
-+          GCSPRINTF("%s/backend", libxl_path), NULL);
-     if (!vtpminfo->backend) {
-         goto err;
-     }
-_at_@ -2240,9 +2242,9 @@ int libxl_device_vtpm_getinfo(libxl_ctx *ctx,
-        goto err;
-     }
- 
--    val = libxl__xs_read(gc, XBT_NULL,
--          GCSPRINTF("%s/backend-id", vtpmpath));
--    vtpminfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
-+    rc = libxl__backendpath_parse_domid(gc, vtpminfo->backend,
-+                                        &vtpminfo->backend_id);
-+    if (rc) goto exit;
- 
-     val = libxl__xs_read(gc, XBT_NULL,
-           GCSPRINTF("%s/state", vtpmpath));
--- 
-2.1.4
-
diff --git a/main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch b/main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
deleted file mode 100644
index 8f1573a..0000000
--- a/main/xen/0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
+++ /dev/null
_at_@ -1,94 +0,0 @@
-From 3a3c8b2702263eaec271564e6fde1400efb3716a Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Fri, 29 Apr 2016 19:13:17 +0100
-Subject: [PATCH 09/20] libxl: Do not trust backend for cdrom insert
-
-Use the /libxl path where appropriate.  Rename `path' variable to
-`be_path' to make sure we caught all the occurrences.
-
-Specifically, when checking that the device still exists, check the
-`frontend' value in /libxl, rather than anything in the backend
-directory.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 6f70cb8..9f77269 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -2847,7 +2847,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
-     libxl_domain_config d_config;
-     int rc, dm_ver;
-     libxl__device device;
--    const char *path, *libxl_path;
-+    const char *be_path, *libxl_path;
-     char * tmp;
-     libxl__domain_userdata_lock *lock = NULL;
-     xs_transaction_t t = XBT_NULL;
-_at_@ -2914,7 +2914,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
-     rc = libxl__device_from_disk(gc, domid, disk, &device);
-     if (rc) goto out;
- 
--    path = libxl__device_backend_path(gc, &device);
-+    be_path = libxl__device_backend_path(gc, &device);
-     libxl_path = libxl__device_libxl_path(gc, &device);
- 
-     insert = flexarray_make(gc, 4, 1);
-_at_@ -2954,19 +2954,19 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
-     for (;;) {
-         rc = libxl__xs_transaction_start(gc, &t);
-         if (rc) goto out;
--        /* Sanity check: make sure the backend exists before writing here */
--        tmp = libxl__xs_read(gc, t, libxl__sprintf(gc, "%s/frontend", path));
-+        /* Sanity check: make sure the device exists before writing here */
-+        tmp = libxl__xs_read(gc, t, GCSPRINTF("%s/frontend", libxl_path));
-         if (!tmp)
-         {
-             LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "Internal error: %s does not exist",
--                       libxl__sprintf(gc, "%s/frontend", path));
-+                       libxl__sprintf(gc, "%s/frontend", libxl_path));
-             rc = ERROR_FAIL;
-             goto out;
-         }
- 
-         char **kvs = libxl__xs_kvs_of_flexarray(gc, empty, empty->count);
- 
--        rc = libxl__xs_writev(gc, t, path, kvs);
-+        rc = libxl__xs_writev(gc, t, be_path, kvs);
-         if (rc) goto out;
- 
-         rc = libxl__xs_writev(gc, t, libxl_path, kvs);
-_at_@ -2990,12 +2990,12 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
-     for (;;) {
-         rc = libxl__xs_transaction_start(gc, &t);
-         if (rc) goto out;
--        /* Sanity check: make sure the backend exists before writing here */
--        tmp = libxl__xs_read(gc, t, libxl__sprintf(gc, "%s/frontend", path));
-+        /* Sanity check: make sure the device exists before writing here */
-+        tmp = libxl__xs_read(gc, t, GCSPRINTF("%s/frontend", libxl_path));
-         if (!tmp)
-         {
-             LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "Internal error: %s does not exist",
--                       libxl__sprintf(gc, "%s/frontend", path));
-+                       libxl__sprintf(gc, "%s/frontend", libxl_path));
-             rc = ERROR_FAIL;
-             goto out;
-         }
-_at_@ -3005,7 +3005,7 @@ int libxl_cdrom_insert(libxl_ctx *ctx, uint32_t domid, libxl_device_disk *disk,
- 
-         char **kvs = libxl__xs_kvs_of_flexarray(gc, insert, insert->count);
- 
--        rc = libxl__xs_writev(gc, t, path, kvs);
-+        rc = libxl__xs_writev(gc, t, be_path, kvs);
-         if (rc) goto out;
- 
-         rc = libxl__xs_writev(gc, t, libxl_path, kvs);
--- 
-1.9.1
-
diff --git a/main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch b/main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
deleted file mode 100644
index fd86cb8..0000000
--- a/main/xen/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
+++ /dev/null
_at_@ -1,47 +0,0 @@
-From c626ea4768294b73ef24fafe7af9ad1221c1c48d Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Tue, 3 May 2016 15:52:53 +0100
-Subject: [PATCH 09/12] libxl: Do not trust frontend for nic in
- libxl_devid_to_device_nic
-
-Find the backend by reading the pointer in /libxl rather than in the
-guest's frontend area.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 65b9953..4c45269 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3540,17 +3540,17 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
-                               int devid, libxl_device_nic *nic)
- {
-     GC_INIT(ctx);
--    char *dompath, *path;
-+    char *libxl_dom_path, *path;
-     int rc = ERROR_FAIL;
- 
-     libxl_device_nic_init(nic);
--    dompath = libxl__xs_get_dompath(gc, domid);
--    if (!dompath)
-+    libxl_dom_path = libxl__xs_libxl_path(gc, domid);
-+    if (!libxl_dom_path)
-         goto out;
- 
-     path = libxl__xs_read(gc, XBT_NULL,
--                          libxl__sprintf(gc, "%s/device/vif/%d/backend",
--                                         dompath, devid));
-+                          GCSPRINTF("%s/device/vif/%d/backend", libxl_dom_path,
-+                                    devid));
-     if (!path)
-         goto out;
- 
--- 
-2.1.4
-
diff --git a/main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch b/main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
deleted file mode 100644
index 8295796..0000000
--- a/main/xen/0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
+++ /dev/null
_at_@ -1,38 +0,0 @@
-From c9b8314ee99f30a62b7ff6db253598fa4e14ba54 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 4 May 2016 15:57:10 +0100
-Subject: [PATCH 10/20] libxl: Do not trust backend for channel in getinfo
-
-Do not read the frontend path out of the backend.  We have it in our
-hand.  Likewise the guest (frontend) domid was one of our parameters (!)
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 9f77269..35cfffe 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3977,12 +3977,8 @@ int libxl_device_channel_getinfo(libxl_ctx *ctx, uint32_t domid,
- 
-     val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path));
-     channelinfo->state = val ? strtoul(val, NULL, 10) : -1;
--    channelinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
--                                    GCSPRINTF("%s/frontend",
--                                    channelinfo->backend), NULL);
--    val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/frontend-id",
--                         channelinfo->backend));
--    channelinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+    channelinfo->frontend = libxl__strdup(NOGC, fe_path);
-+    channelinfo->frontend_id = domid;
-     val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/ring-ref", fe_path));
-     channelinfo->rref = val ? strtoul(val, NULL, 10) : -1;
-     val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/port", fe_path));
--- 
-1.9.1
-
diff --git a/main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch b/main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
deleted file mode 100644
index 60afaff..0000000
--- a/main/xen/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
+++ /dev/null
_at_@ -1,73 +0,0 @@
-From 9d1982995e8d5645ae149bce670bea82fda31421 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Tue, 3 May 2016 16:31:07 +0100
-Subject: [PATCH 10/12] libxl: Do not trust frontend for nic in getinfo
-
-libxl_device_nic_getinfo needs to examine devices without trusting
-frontend-controlled data.  So:
-
-* Use /libxl to find the backend path.
-* Parse the backend path to find the backend domid, rather than
-  reading it from the frontend.
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 21 ++++++++++++++-------
- 1 file changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 4c45269..34853f8 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3629,22 +3629,27 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
-                               libxl_device_nic *nic, libxl_nicinfo *nicinfo)
- {
-     GC_INIT(ctx);
--    char *dompath, *nicpath;
-+    char *dompath, *nicpath, *libxl_path;
-     char *val;
-+    int rc;
- 
-     dompath = libxl__xs_get_dompath(gc, domid);
-     nicinfo->devid = nic->devid;
- 
--    nicpath = libxl__sprintf(gc, "%s/device/vif/%d", dompath, nicinfo->devid);
-+    nicpath = GCSPRINTF("%s/device/vif/%d", dompath, nicinfo->devid);
-+    libxl_path = GCSPRINTF("%s/device/vif/%d",
-+                           libxl__xs_libxl_path(gc, domid), nicinfo->devid);
-     nicinfo->backend = xs_read(ctx->xsh, XBT_NULL,
--                                libxl__sprintf(gc, "%s/backend", nicpath), NULL);
-+                                GCSPRINTF("%s/backend", libxl_path), NULL);
-     if (!nicinfo->backend) {
-         GC_FREE;
-         return ERROR_FAIL;
-     }
--    val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/backend-id", nicpath));
--    nicinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
--    val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/state", nicpath));
-+    rc = libxl__backendpath_parse_domid(gc, nicinfo->backend,
-+                                        &nicinfo->backend_id);
-+    if (rc) goto out;
-+
-+    val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", nicpath));
-     nicinfo->state = val ? strtoul(val, NULL, 10) : -1;
-     val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/event-channel", nicpath));
-     nicinfo->evtch = val ? strtoul(val, NULL, 10) : -1;
-_at_@ -3657,8 +3662,10 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
-     val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", nicinfo->backend));
-     nicinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
- 
-+    rc = 0;
-+ out:
-     GC_FREE;
--    return 0;
-+    return rc;
- }
- 
- const char *libxl__device_nic_devname(libxl__gc *gc,
--- 
-2.1.4
-
diff --git a/main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch b/main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
deleted file mode 100644
index b6c767a..0000000
--- a/main/xen/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
+++ /dev/null
_at_@ -1,104 +0,0 @@
-From 55fcc20fa75d9458805bf8130ce257cddd8db71f Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Tue, 3 May 2016 17:01:56 +0100
-Subject: [PATCH 11/12] libxl: Do not trust frontend for channel in list
-
-libxl_device_channel_list should not trust frontend-provided data.
-
-So it needs to iterate using the /libxl paths, and read the backend
-path out of /libxl.
-
-However, it also filters out pure "consoles", which are channels
-without a "name".  But the name was stored only in the frontend
-directory, which the frontend can delete.
-
-So store the name in the backend too.  (Ideally we would store it in
-/libxl, where the backend can't write to it either, but
-libxl__device_console_add not currently have access to the xenstore
-transaction used by libxl__device_generic_add.  Protection against the
-backend will come later, in XSA-178.)
-
-Because the libxl paths are defined to be in terms of the frontend
-device types, not the backend device types, it is no longer correct
-for libxl__append_channel_list to take a type argument.  Abolish this
-(with no functional effect).
-
-This is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 25 ++++++++++++++-----------
- 1 file changed, 14 insertions(+), 11 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 34853f8..6ffb173 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3726,6 +3726,8 @@ int libxl__device_console_add(libxl__gc *gc, uint32_t domid,
-     if (console->name) {
-         flexarray_append(ro_front, "name");
-         flexarray_append(ro_front, console->name);
-+        flexarray_append(back, "name");
-+        flexarray_append(back, console->name);
-     }
-     if (console->connection) {
-         flexarray_append(back, "connection");
-_at_@ -3864,34 +3866,35 @@ static int libxl__device_channel_from_xs_be(libxl__gc *gc,
-     return rc;
- }
- 
--static int libxl__append_channel_list_of_type(libxl__gc *gc,
-+static int libxl__append_channel_list(libxl__gc *gc,
-                                               uint32_t domid,
--                                              const char *type,
-                                               libxl_device_channel **channels,
-                                               int *nchannels)
- {
--    char *fe_path = NULL, *be_path = NULL;
-+    char *libxl_dir_path = NULL, *be_path = NULL;
-     char **dir = NULL;
-     unsigned int n = 0, devid = 0;
-     libxl_device_channel *next = NULL;
-     int rc = 0, i;
- 
--    fe_path = GCSPRINTF("%s/device/%s",
--                        libxl__xs_get_dompath(gc, domid), type);
--    dir = libxl__xs_directory(gc, XBT_NULL, fe_path, &n);
-+    libxl_dir_path = GCSPRINTF("%s/device/console",
-+                               libxl__xs_libxl_path(gc, domid));
-+    dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n);
-     if (!dir || !n)
-       goto out;
- 
-     for (i = 0; i < n; i++) {
--        const char *p, *name;
-+        const char *libxl_path, *name;
-         libxl_device_channel *tmp;
- 
--        p = libxl__sprintf(gc, "%s/%s", fe_path, dir[i]);
--        name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", p));
-+        libxl_path = GCSPRINTF("%s/%s", libxl_dir_path, dir[i]);
-+        be_path = libxl__xs_read(gc, XBT_NULL,
-+                                 GCSPRINTF("%s/backend", libxl_path));
-+        if (!be_path) continue;
-+        name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", be_path));
-         /* 'channels' are consoles with names, so ignore all consoles
-            without names */
-         if (!name) continue;
--        be_path = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/backend", p));
-         tmp = realloc(*channels,
-                       sizeof(libxl_device_channel) * (*nchannels + devid + 1));
-         if (!tmp) {
-_at_@ -3922,7 +3925,7 @@ libxl_device_channel *libxl_device_channel_list(libxl_ctx *ctx,
- 
-     *num = 0;
- 
--    rc = libxl__append_channel_list_of_type(gc, domid, "console", &channels, num);
-+    rc = libxl__append_channel_list(gc, domid, &channels, num);
-     if (rc) goto out_err;
- 
-     GC_FREE;
--- 
-2.1.4
-
diff --git a/main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch b/main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
deleted file mode 100644
index 91c68a5..0000000
--- a/main/xen/0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
+++ /dev/null
_at_@ -1,87 +0,0 @@
-From 382ed2f090cc79e52fd5ab2e0b51b278c5f61232 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 4 May 2016 16:18:36 +0100
-Subject: [PATCH 11/20] libxl: Rename libxl__device_{nic,channel}_from_xs_be to
- _from_xenstore
-
-We are going to change these functions to expect, and be passed, a
-/libxl path.  So it is wrong that they are called _from_xs_be.
-
-Neither function reads anything which isn't found in both places, so
-we can and will change the call sites later.
-
-The only remaining function in libxl called *_from_xs_be relates to
-PCI devices, for which the backend domain is hardcoded to 0 throughout
-the libxl_pci.c.
-
-No functional change.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 35cfffe..35cb6b0 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3498,7 +3498,7 @@ out:
-     return;
- }
- 
--static int libxl__device_nic_from_xs_be(libxl__gc *gc,
-+static int libxl__device_nic_from_xenstore(libxl__gc *gc,
-                                         const char *be_path,
-                                         libxl_device_nic *nic)
- {
-_at_@ -3561,7 +3561,7 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
-     if (!path)
-         goto out;
- 
--    rc = libxl__device_nic_from_xs_be(gc, path, nic);
-+    rc = libxl__device_nic_from_xenstore(gc, path, nic);
-     if (rc) goto out;
- 
-     rc = 0;
-_at_@ -3596,7 +3596,7 @@ static int libxl__append_nic_list_of_type(libxl__gc *gc,
-         for (; pnic < pnic_end; pnic++, dir++) {
-             const char *p;
-             p = libxl__sprintf(gc, "%s/%s", be_path, *dir);
--            rc = libxl__device_nic_from_xs_be(gc, p, pnic);
-+            rc = libxl__device_nic_from_xenstore(gc, p, pnic);
-             if (rc) goto out;
-             pnic->backend_domid = 0;
-         }
-_at_@ -3846,7 +3846,7 @@ int libxl__init_console_from_channel(libxl__gc *gc,
-     return 0;
- }
- 
--static int libxl__device_channel_from_xs_be(libxl__gc *gc,
-+static int libxl__device_channel_from_xenstore(libxl__gc *gc,
-                                             const char *be_path,
-                                             libxl_device_channel *channel)
- {
-_at_@ -3855,7 +3855,7 @@ static int libxl__device_channel_from_xs_be(libxl__gc *gc,
- 
-     libxl_device_channel_init(channel);
- 
--    /* READ_BACKEND is from libxl__device_nic_from_xs_be above */
-+    /* READ_BACKEND is from libxl__device_nic_from_xenstore above */
-     channel->name = READ_BACKEND(NOGC, "name");
-     tmp = READ_BACKEND(gc, "connection");
-     if (!strcmp(tmp, "pty")) {
-_at_@ -3910,7 +3910,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
-         }
-         *channels = tmp;
-         next = *channels + *nchannels + devid;
--        rc = libxl__device_channel_from_xs_be(gc, be_path, next);
-+        rc = libxl__device_channel_from_xenstore(gc, be_path, next);
-         if (rc) goto out;
-         next->devid = devid;
-         devid++;
--- 
-1.9.1
-
diff --git a/main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch b/main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
deleted file mode 100644
index 5018fac..0000000
--- a/main/xen/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
+++ /dev/null
_at_@ -1,121 +0,0 @@
-From 0333ec931e023a66dc03392c9bcb1040018b00e8 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Tue, 3 May 2016 17:24:32 +0100
-Subject: [PATCH 12/12] libxl: Do not trust frontend for channel in getinfo
-
-libxl_device_channel_getinfo needs to examine devices without trusting
-frontend-controlled data.  So:
-
-* Use /libxl to find the backend path.
-* Parse the backend path to find the backend domid, rather than
-  reading it from the frontend.
-* Tolerate FRONTEND/tty vanishing.
-
-Note that there is a strange off-by-one error in the computation of
-both fe_path and libxl_path in libxl_device_channel_getinfo: the
-incoming channel->devid, which is copied to channelinfo->devid, has +1
-applied to calculate the frontend path (and, after this patch, the
-libxl path).  I.e., the devid passed to libxl_device_channel_getinfo
-must be one less than the actual devid for the device being asked
-about.
-
-This is actually a bug which mirrors a bug in
-libxl__append_channel_list, which fills in the devids of the channel
-devices it finds with sequentially increasing numbers starting at 0.
-
-In the usual case channels have real devids starting at 1 (because
-there is the console, which is devid 0, but not a channel).  So these
-bugs usually cancel out.
-
-We do not address this problem at this time.  This bug does not have
-any security implications.
-
-This patch is part of XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 44 ++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 36 insertions(+), 8 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 6ffb173..2dd2467 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3946,23 +3946,28 @@ int libxl_device_channel_getinfo(libxl_ctx *ctx, uint32_t domid,
-                                  libxl_channelinfo *channelinfo)
- {
-     GC_INIT(ctx);
--    char *dompath, *fe_path;
-+    char *dompath, *fe_path, *libxl_path;
-     char *val;
-+    int rc;
- 
-     dompath = libxl__xs_get_dompath(gc, domid);
-     channelinfo->devid = channel->devid;
- 
--    fe_path = libxl__sprintf(gc, "%s/device/console/%d", dompath,
--                             channelinfo->devid + 1);
-+    fe_path = GCSPRINTF("%s/device/console/%d", dompath,
-+                        channelinfo->devid + 1);
-+    libxl_path = GCSPRINTF("%s/device/console/%d",
-+                           libxl__xs_libxl_path(gc, domid),
-+                           channelinfo->devid + 1);
-     channelinfo->backend = xs_read(ctx->xsh, XBT_NULL,
--                                   libxl__sprintf(gc, "%s/backend",
--                                   fe_path), NULL);
-+                                   GCSPRINTF("%s/backend", libxl_path), NULL);
-     if (!channelinfo->backend) {
-         GC_FREE;
-         return ERROR_FAIL;
-     }
--    val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/backend-id", fe_path));
--    channelinfo->backend_id = val ? strtoul(val, NULL, 10) : -1;
-+    rc = libxl__backendpath_parse_domid(gc, channelinfo->backend,
-+                                        &channelinfo->backend_id);
-+    if (rc) goto out;
-+
-     val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/state", fe_path));
-     channelinfo->state = val ? strtoul(val, NULL, 10) : -1;
-     channelinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
-_at_@ -3980,13 +3985,36 @@ int libxl_device_channel_getinfo(libxl_ctx *ctx, uint32_t domid,
-     switch (channel->connection) {
-          case LIBXL_CHANNEL_CONNECTION_PTY:
-              val = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/tty", fe_path));
-+             /*
-+              * It is obviously very wrong for this value to be in the
-+              * frontend.  But in XSA-175 we don't want to re-engineer
-+              * this because other xenconsole code elsewhere (some
-+              * even out of tree, perhaps) expects this node to be
-+              * here.
-+              *
-+              * FE/pty is readonly for the guest.  It always exists if
-+              * FE does because libxl__device_console_add
-+              * unconditionally creates it and nothing deletes it.
-+              *
-+              * The guest can delete the whole FE (which it has write
-+              * privilege on) but the containing directories
-+              * /local/GUEST[/device[/console]] are also RO for the
-+              * guest.  So if the guest deletes FE it cannot recreate
-+              * it.
-+              *
-+              * Therefore the guest cannot cause FE/pty to contain bad
-+              * data, although it can cause it to not exist.
-+              */
-+             if (!val) val = "/NO-SUCH-PATH";
-              channelinfo->u.pty.path = strdup(val);
-              break;
-          default:
-              break;
-     }
-+    rc = 0;
-+ out:
-     GC_FREE;
--    return 0;
-+    return rc;
- }
- 
- /******************************************************************************/
--- 
-2.1.4
-
diff --git a/main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch b/main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
deleted file mode 100644
index 37dfca7..0000000
--- a/main/xen/0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
+++ /dev/null
_at_@ -1,101 +0,0 @@
-From bbbe635e7c1824d4daa4920c24c369e332ba5236 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 4 May 2016 16:07:02 +0100
-Subject: [PATCH 12/20] libxl: Rename READ_BACKEND to READ_LIBXLDEV
-
-We are going to want to change all the functions that use READ_BACKEND
-to get untrustworthy information from the backend, to use trustworthy
-information from /libxl.
-
-This will involve replacing READ_BACKEND, which reads from be_path,
-with a similar macro READ_LIBXLDEV, which reads from libxl_path.
-
-The macro name change generates a lot of clutter in the diff.  So we
-break it out into this separate patch.  Here, we rename the macro, but
-the implementation does not really match the new name.
-
-So, another way to look at this, is that we have transformed the bug:
- * All of the backends use READ_BACKEND, which is unsafe
-into the new bug:
- * READ_LIBXLDEV actually reads be_path, which is unsafe.
-
-There is no functional change as yet.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 35cb6b0..a174382 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -21,8 +21,8 @@
- #define PAGE_TO_MEMKB(pages) ((pages) * 4)
- #define BACKEND_STRING_SIZE 5
- 
--/* Utility to read backend xenstore keys */
--#define READ_BACKEND(tgc, subpath) ({                                   \
-+/* Utility to read /libxl or backend xenstore keys, from be_path */
-+#define READ_LIBXLDEV(tgc, subpath) ({                                  \
-         rc = libxl__xs_read_checked(tgc, XBT_NULL,                      \
-                                     GCSPRINTF("%s/" subpath, be_path),  \
-                                     &tmp);                              \
-_at_@ -3507,7 +3507,7 @@ static int libxl__device_nic_from_xenstore(libxl__gc *gc,
- 
-     libxl_device_nic_init(nic);
- 
--    tmp = READ_BACKEND(gc, "handle");
-+    tmp = READ_LIBXLDEV(gc, "handle");
-     if (tmp)
-         nic->devid = atoi(tmp);
-     else
-_at_@ -3515,7 +3515,7 @@ static int libxl__device_nic_from_xenstore(libxl__gc *gc,
- 
-     /* nic->mtu = */
- 
--    tmp = READ_BACKEND(gc, "mac");
-+    tmp = READ_LIBXLDEV(gc, "mac");
-     if (tmp) {
-         rc = libxl__parse_mac(tmp, nic->mac);
-         if (rc) goto out;
-_at_@ -3523,12 +3523,12 @@ static int libxl__device_nic_from_xenstore(libxl__gc *gc,
-         memset(nic->mac, 0, sizeof(nic->mac));
-     }
- 
--    nic->ip = READ_BACKEND(NOGC, "ip");
--    nic->bridge = READ_BACKEND(NOGC, "bridge");
--    nic->script = READ_BACKEND(NOGC, "script");
-+    nic->ip = READ_LIBXLDEV(NOGC, "ip");
-+    nic->bridge = READ_LIBXLDEV(NOGC, "bridge");
-+    nic->script = READ_LIBXLDEV(NOGC, "script");
- 
-     /* vif_ioemu nics use the same xenstore entries as vif interfaces */
--    tmp = READ_BACKEND(gc, "type");
-+    tmp = READ_LIBXLDEV(gc, "type");
-     if (tmp) {
-         rc = libxl_nic_type_from_string(tmp, &nic->nictype);
-         if (rc) goto out;
-_at_@ -3856,13 +3856,13 @@ static int libxl__device_channel_from_xenstore(libxl__gc *gc,
-     libxl_device_channel_init(channel);
- 
-     /* READ_BACKEND is from libxl__device_nic_from_xenstore above */
--    channel->name = READ_BACKEND(NOGC, "name");
--    tmp = READ_BACKEND(gc, "connection");
-+    channel->name = READ_LIBXLDEV(NOGC, "name");
-+    tmp = READ_LIBXLDEV(gc, "connection");
-     if (!strcmp(tmp, "pty")) {
-         channel->connection = LIBXL_CHANNEL_CONNECTION_PTY;
-     } else if (!strcmp(tmp, "socket")) {
-         channel->connection = LIBXL_CHANNEL_CONNECTION_SOCKET;
--        channel->u.socket.path = READ_BACKEND(NOGC, "path");
-+        channel->u.socket.path = READ_LIBXLDEV(NOGC, "path");
-     } else {
-         rc = ERROR_INVAL;
-         goto out;
--- 
-1.9.1
-
diff --git a/main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch b/main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
deleted file mode 100644
index f4dce8c..0000000
--- a/main/xen/0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
+++ /dev/null
_at_@ -1,62 +0,0 @@
-From 31be4b98a2d7ab851e37f9bc23cd446f3bdf367e Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Tue, 3 May 2016 15:40:18 +0100
-Subject: [PATCH 13/20] libxl: Have READ_LIBXLDEV use libxl_path rather than
- be_path
-
-Fix the just-introduced bug in this macro: now it reads the
-trustworthy libxl_path.  Change the variable name in the two functions
-(nic and channel) which use it.
-
-Shuffling the bump in the carpet along, we now introduce three new
-bugs: the three call sites pass a backend path where a frontend path
-is expected.
-
-No functional change.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index a174382..702ac75 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -21,10 +21,10 @@
- #define PAGE_TO_MEMKB(pages) ((pages) * 4)
- #define BACKEND_STRING_SIZE 5
- 
--/* Utility to read /libxl or backend xenstore keys, from be_path */
-+/* Utility to read /libxl xenstore keys, from libxl_path */
- #define READ_LIBXLDEV(tgc, subpath) ({                                  \
-         rc = libxl__xs_read_checked(tgc, XBT_NULL,                      \
--                                    GCSPRINTF("%s/" subpath, be_path),  \
-+                                    GCSPRINTF("%s/" subpath, libxl_path),  \
-                                     &tmp);                              \
-         if (rc) goto out;                                               \
-         (char*)tmp;                                                     \
-_at_@ -3499,7 +3499,7 @@ out:
- }
- 
- static int libxl__device_nic_from_xenstore(libxl__gc *gc,
--                                        const char *be_path,
-+                                        const char *libxl_path,
-                                         libxl_device_nic *nic)
- {
-     const char *tmp;
-_at_@ -3847,7 +3847,7 @@ int libxl__init_console_from_channel(libxl__gc *gc,
- }
- 
- static int libxl__device_channel_from_xenstore(libxl__gc *gc,
--                                            const char *be_path,
-+                                            const char *libxl_path,
-                                             libxl_device_channel *channel)
- {
-     const char *tmp;
--- 
-1.9.1
-
diff --git a/main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch b/main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
deleted file mode 100644
index e45a8c9..0000000
--- a/main/xen/0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
+++ /dev/null
_at_@ -1,33 +0,0 @@
-From 517d1d86e158d12f634db1fabda13931bffe32fe Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Tue, 3 May 2016 16:35:21 +0100
-Subject: [PATCH 14/20] libxl: Do not trust backend in nic getinfo
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 702ac75..558d198 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3664,10 +3664,8 @@ int libxl_device_nic_getinfo(libxl_ctx *ctx, uint32_t domid,
-     nicinfo->rref_tx = val ? strtoul(val, NULL, 10) : -1;
-     val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/rx-ring-ref", nicpath));
-     nicinfo->rref_rx = val ? strtoul(val, NULL, 10) : -1;
--    nicinfo->frontend = xs_read(ctx->xsh, XBT_NULL,
--                                 libxl__sprintf(gc, "%s/frontend", nicinfo->backend), NULL);
--    val = libxl__xs_read(gc, XBT_NULL, libxl__sprintf(gc, "%s/frontend-id", nicinfo->backend));
--    nicinfo->frontend_id = val ? strtoul(val, NULL, 10) : -1;
-+    nicinfo->frontend = libxl__strdup(NOGC, nicpath);
-+    nicinfo->frontend_id = domid;
- 
-     rc = 0;
-  out:
--- 
-1.9.1
-
diff --git a/main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch b/main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
deleted file mode 100644
index 15af351..0000000
--- a/main/xen/0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
+++ /dev/null
_at_@ -1,48 +0,0 @@
-From 6925b22ac3e1e876db542ab6ede6a88651cfaa44 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 4 May 2016 16:20:05 +0100
-Subject: [PATCH 15/20] libxl: Do not trust backend for nic in devid_to_device
-
-libxl_devid_to_device_nic should read the information it needs from
-the /libxl/device path, not the backend.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 10 +++-------
- 1 file changed, 3 insertions(+), 7 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 558d198..0f87ad7 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3547,7 +3547,7 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
-                               int devid, libxl_device_nic *nic)
- {
-     GC_INIT(ctx);
--    char *libxl_dom_path, *path;
-+    char *libxl_dom_path, *libxl_path;
-     int rc = ERROR_FAIL;
- 
-     libxl_device_nic_init(nic);
-_at_@ -3555,13 +3555,9 @@ int libxl_devid_to_device_nic(libxl_ctx *ctx, uint32_t domid,
-     if (!libxl_dom_path)
-         goto out;
- 
--    path = libxl__xs_read(gc, XBT_NULL,
--                          GCSPRINTF("%s/device/vif/%d/backend", libxl_dom_path,
--                                    devid));
--    if (!path)
--        goto out;
-+    libxl_path = GCSPRINTF("%s/device/vif/%d", libxl_dom_path, devid);
- 
--    rc = libxl__device_nic_from_xenstore(gc, path, nic);
-+    rc = libxl__device_nic_from_xenstore(gc, libxl_path, nic);
-     if (rc) goto out;
- 
-     rc = 0;
--- 
-1.9.1
-
diff --git a/main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch b/main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
deleted file mode 100644
index 210ebbd..0000000
--- a/main/xen/0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
+++ /dev/null
_at_@ -1,80 +0,0 @@
-From 1a75ae14d0e6b2969dc3b09f4f5963cd09a8118a Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 4 May 2016 16:23:57 +0100
-Subject: [PATCH 16/20] libxl: Do not trust backend for nic in list
-
-libxl_device_nic_list should use the /libxl path to search for
-devices, and for obtaining the device information.
-
-The "type" parameter was always "vif".  Abolish it.  (In any case,
-paths in /libxl/device are named after the frontend type which is
-constant, not the backend type which might in future vary.)
-
-Abolish a redundant store to pnic->backend_domid.  Before this commit,
-that store was not needed because libxl_device_nic_init (called by
-libxl__device_nic_from_xenstore) would zero it.  Now it overwrites the
-correct backend domid with zero; so remove it.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 16 +++++++---------
- 1 file changed, 7 insertions(+), 9 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 0f87ad7..9aebc9e 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3566,21 +3566,20 @@ out:
-     return rc;
- }
- 
--static int libxl__append_nic_list_of_type(libxl__gc *gc,
-+static int libxl__append_nic_list(libxl__gc *gc,
-                                            uint32_t domid,
--                                           const char *type,
-                                            libxl_device_nic **nics,
-                                            int *nnics)
- {
--    char *be_path = NULL;
-+    char *libxl_dir_path = NULL;
-     char **dir = NULL;
-     unsigned int n = 0;
-     libxl_device_nic *pnic = NULL, *pnic_end = NULL;
-     int rc;
- 
--    be_path = libxl__sprintf(gc, "%s/backend/%s/%d",
--                             libxl__xs_get_dompath(gc, 0), type, domid);
--    dir = libxl__xs_directory(gc, XBT_NULL, be_path, &n);
-+    libxl_dir_path = GCSPRINTF("%s/device/vif",
-+                               libxl__xs_libxl_path(gc, domid));
-+    dir = libxl__xs_directory(gc, XBT_NULL, libxl_dir_path, &n);
-     if (dir && n) {
-         libxl_device_nic *tmp;
-         tmp = realloc(*nics, sizeof (libxl_device_nic) * (*nnics + n));
-_at_@ -3591,10 +3590,9 @@ static int libxl__append_nic_list_of_type(libxl__gc *gc,
-         pnic_end = *nics + *nnics + n;
-         for (; pnic < pnic_end; pnic++, dir++) {
-             const char *p;
--            p = libxl__sprintf(gc, "%s/%s", be_path, *dir);
-+            p = GCSPRINTF("%s/%s", libxl_dir_path, *dir);
-             rc = libxl__device_nic_from_xenstore(gc, p, pnic);
-             if (rc) goto out;
--            pnic->backend_domid = 0;
-         }
-         *nnics += n;
-     }
-_at_@ -3612,7 +3610,7 @@ libxl_device_nic *libxl_device_nic_list(libxl_ctx *ctx, uint32_t domid, int *num
- 
-     *num = 0;
- 
--    rc = libxl__append_nic_list_of_type(gc, domid, "vif", &nics, num);
-+    rc = libxl__append_nic_list(gc, domid, &nics, num);
-     if (rc) goto out_err;
- 
-     GC_FREE;
--- 
-1.9.1
-
diff --git a/main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch b/main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch
deleted file mode 100644
index c31383b..0000000
--- a/main/xen/0017-libxl-Do-not-trust-backend-in-channel-list.patch
+++ /dev/null
_at_@ -1,58 +0,0 @@
-From 8df6d984e41c4a2f3f1ebc989063223eabb2cc0f Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 4 May 2016 16:59:38 +0100
-Subject: [PATCH 17/20] libxl: Do not trust backend in channel list
-
-Read the name from /libxl/device.  Pass the /libxl path to
-libxl__device_channel_from_xenstore.
-
-This removes the final route by which READ_LIBXLDEV might receive a
-backend path.
-
-This is part of XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
-v2: Remove be_path variable which is now no longer used.
----
- tools/libxl/libxl.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 9aebc9e..a6701d4 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3870,7 +3870,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
-                                               libxl_device_channel **channels,
-                                               int *nchannels)
- {
--    char *libxl_dir_path = NULL, *be_path = NULL;
-+    char *libxl_dir_path = NULL;
-     char **dir = NULL;
-     unsigned int n = 0, devid = 0;
-     libxl_device_channel *next = NULL;
-_at_@ -3887,10 +3887,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
-         libxl_device_channel *tmp;
- 
-         libxl_path = GCSPRINTF("%s/%s", libxl_dir_path, dir[i]);
--        be_path = libxl__xs_read(gc, XBT_NULL,
--                                 GCSPRINTF("%s/backend", libxl_path));
--        if (!be_path) continue;
--        name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", be_path));
-+        name = libxl__xs_read(gc, XBT_NULL, GCSPRINTF("%s/name", libxl_path));
-         /* 'channels' are consoles with names, so ignore all consoles
-            without names */
-         if (!name) continue;
-_at_@ -3902,7 +3899,7 @@ static int libxl__append_channel_list(libxl__gc *gc,
-         }
-         *channels = tmp;
-         next = *channels + *nchannels + devid;
--        rc = libxl__device_channel_from_xenstore(gc, be_path, next);
-+        rc = libxl__device_channel_from_xenstore(gc, libxl_path, next);
-         if (rc) goto out;
-         next->devid = devid;
-         devid++;
--- 
-1.9.1
-
diff --git a/main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch b/main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
deleted file mode 100644
index 95d1480..0000000
--- a/main/xen/0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
+++ /dev/null
_at_@ -1,48 +0,0 @@
-From 3675172b342d1c03b01e2ac0a9fe851391921ab7 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Tue, 3 May 2016 15:25:19 +0100
-Subject: [PATCH 18/20] libxl: Cleanup: Have libxl__alloc_vdev use /libxl
-
-When allocating a vdev for a new disk, look in /libxl/device, rather
-than the frontends directory in xenstore.
-
-This is more in line with the other parts of libxl, which ought not to
-trust frontends.  In this case, though, there is no security bug prior
-to this patch because the frontend is the toolstack domain itself.
-
-If libxl__alloc_vdev were ever changed to take a frontend domain
-argument, this patch will fix a latent security bug.
-
-This is a followup to XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index a6701d4..20a8960 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -3043,7 +3043,7 @@ static char * libxl__alloc_vdev(libxl__gc *gc, void *get_vdev_user,
- {
-     const char *blkdev_start = (const char *) get_vdev_user;
-     int devid = 0, disk = 0, part = 0;
--    char *dompath = libxl__xs_get_dompath(gc, LIBXL_TOOLSTACK_DOMID);
-+    char *libxl_dom_path = libxl__xs_libxl_path(gc, LIBXL_TOOLSTACK_DOMID);
- 
-     libxl__device_disk_dev_number(blkdev_start, &disk, &part);
-     if (part != 0) {
-_at_@ -3058,7 +3058,7 @@ static char * libxl__alloc_vdev(libxl__gc *gc, void *get_vdev_user,
-             return NULL;
-         if (libxl__xs_read(gc, t,
-                     libxl__sprintf(gc, "%s/device/vbd/%d/backend",
--                        dompath, devid)) == NULL) {
-+                        libxl_dom_path, devid)) == NULL) {
-             if (errno == ENOENT)
-                 return libxl__devid_to_localdev(gc, devid);
-             else
--- 
-1.9.1
-
diff --git a/main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch b/main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
deleted file mode 100644
index 8bdd209..0000000
--- a/main/xen/0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
+++ /dev/null
_at_@ -1,38 +0,0 @@
-From 509ae901dc25c51553c49e6f4428ac8023b42625 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Fri, 29 Apr 2016 16:08:19 +0100
-Subject: [PATCH 19/20] libxl: Cleanup: use libxl__backendpath_parse_domid in
- libxl__device_disk_from_xs_be
-
-Rather than an open-coded sscanf.  No functional change with correct
-input.
-
-This is a followup to XSA-175 and XSA-178.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- tools/libxl/libxl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c
-index 20a8960..c0a80cb 100644
---- a/tools/libxl/libxl.c
-+++ b/tools/libxl/libxl.c
-_at_@ -2640,10 +2640,10 @@ static int libxl__device_disk_from_xenstore(libxl__gc *gc,
-         goto out;
-     }
- 
--    rc = sscanf(backend_path, "/local/domain/%d/", &disk->backend_domid);
--    if (rc != 1) {
-+    rc = libxl__backendpath_parse_domid(gc, backend_path, &disk->backend_domid);
-+    if (rc) {
-         LOG(ERROR, "Unable to fetch device backend domid from %s", backend_path);
--        goto cleanup;
-+        goto out;
-     }
- 
-     /* "params" may not be present; but everything else must be. */
--- 
-1.9.1
-
diff --git a/main/xen/0020-libxl-Document-serial-correctly.patch b/main/xen/0020-libxl-Document-serial-correctly.patch
deleted file mode 100644
index 6c41be2..0000000
--- a/main/xen/0020-libxl-Document-serial-correctly.patch
+++ /dev/null
_at_@ -1,38 +0,0 @@
-From d8ac67eff778ae0c6b3286ab46328be5c6c90163 Mon Sep 17 00:00:00 2001
-From: Ian Jackson <ian.jackson_at_eu.citrix.com>
-Date: Wed, 4 May 2016 15:17:45 +0100
-Subject: [PATCH 20/20] libxl: Document ~/serial/ correctly
-
-xenstore-paths.markdown talked about ~/device/serial/, but that's not
-used.
-
-(It is very wrong for this value, which contains a driver domain
-filesystem path, to be in the guest's area of xenstore.  However, it
-is only ever created by libxl and ready by xenconsoled.  When it is
-created, it inherits the read-only permissions of /local/domain/DOMID.
-So there is no security bug.)
-
-This is a followup to XSA-175.
-
-Signed-off-by: Ian Jackson <Ian.Jackson_at_eu.citrix.com>
-Reviewed-by: Wei Liu <wei.liu2_at_citrix.com>
----
- docs/misc/xenstore-paths.markdown | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs/misc/xenstore-paths.markdown b/docs/misc/xenstore-paths.markdown
-index 8c686ec..bfa6a79 100644
---- a/docs/misc/xenstore-paths.markdown
-+++ b/docs/misc/xenstore-paths.markdown
-_at_@ -240,7 +240,7 @@ The primary PV console device. Described in [console.txt](console.txt)
- 
- A secondary PV console device. Described in [console.txt](console.txt)
- 
--#### ~/device/serial/$DEVID/* [HVM]
-+#### ~/serial/$DEVID/* [HVM]
- 
- An emulated serial device. Described in [console.txt](console.txt)
- 
--- 
-1.9.1
-
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 4c31811..e68129c 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
_at_@ -1,9 +1,10 @@
+# Contributor: Sergey Lukin <sergej.lukin_at_gmail.com>
 # Contributor: William Pitcock <nenolod_at_dereferenced.org>
 # Contributor: Roger Pau Monne <roger.pau_at_entel.upc.edu>
 # Maintainer: William Pitcock <nenolod_at_dereferenced.org>
 pkgname=xen
-pkgver=4.5.3
-pkgrel=3
+pkgver=4.5.5
+pkgrel=0
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64"
_at_@ -17,20 +18,6 @@ makedepends="$depends_dev autoconf automake libtool"
 install=""
 subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
 source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.gz
-	xsa169.patch
-	xsa172.patch
-	xsa173-4.5.patch
-	xsa176.patch
-	xsa181.patch
-	xsa182-4.5.patch
-	xsa183-4.6.patch
-	xsa184-qemut-master.patch
-	xsa184-qemuu-master.patch
-	xsa185.patch
-	xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
-	xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
-	xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
-	xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
 	xsa190-4.5-CVE-2016-7777.patch
 	xsa191-4.6-CVE-2016-9386.patch
 	xsa192-4.5-CVE-2016-9382.patch
_at_@ -45,40 +32,8 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	xsa201-1.patch
 	xsa201-2.patch
 	xsa201-4.patch
-
-	0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
-	0002-libxl-Provide-libxl__backendpath_parse_domid.patch
-	0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
-	0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
-	0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
-	0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
-	0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
-	0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
-	0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
-	0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-	0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
-	0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
-
-	0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
-	0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
-	0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
-	0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
-	0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
-	0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
-	0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
-	0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
-	0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
-	0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
-	0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
-	0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
-	0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
-	0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
-	0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
-	0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
-	0017-libxl-Do-not-trust-backend-in-channel-list.patch
-	0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
-	0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
-	0020-libxl-Document-serial-correctly.patch
+	xsa202-4.6.patch
+	xsa204-4.5.patch
 
 	qemu-coroutine-gthread.patch
 	qemu-xen-musl-openpty.patch
_at_@ -86,7 +41,6 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 
 	hotplug-vif-vtrill.patch
 	0001-ipxe-dont-clobber-ebp.patch
-	gnutls-3.4.0.patch
 
 	init-xenstore-domain.patch
 
_at_@ -264,21 +218,7 @@ hypervisor() {
 	mv "$pkgdir"/boot "$subpkgdir"/
 }
 
-md5sums="a41baeb8ab0098dd2bce4249a95d1118  xen-4.5.3.tar.gz
-0931b87a6b9ba846c5797dbbbacdf324  xsa169.patch
-b14d9a4247ae654579cb757c9b0e949a  xsa172.patch
-335182c09c3b8e887a35c9677f2dc658  xsa173-4.5.patch
-f5a889df9c86a2cda28da20ec7cd7adc  xsa176.patch
-fb3b353a4a4e334ef6bf1ed3f35552d6  xsa181.patch
-732af8942ffbc31ca34fd9a7001e1923  xsa182-4.5.patch
-f137255f6928d439a5ddf18ebab402d7  xsa183-4.6.patch
-95bc220677fc2bb9a3df4dc14a0b31f6  xsa184-qemut-master.patch
-cc0904605d03a9e4f6f21d16824e41c9  xsa184-qemuu-master.patch
-8ae22c70681f3daf97ee7ef8ad947e76  xsa185.patch
-9a2b74f2079ba0b7a6e2420e6887cc3a  xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
-3d812cf9ccc8443874b36e061392d388  xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
-c426383254acdcbb9466bbec2d6f8d9b  xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
-a98c0fa2579965d72272f381f193195d  xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+md5sums="a99baacf82aa111ed3130d6c361d74a8  xen-4.5.5.tar.gz
 478b88d2ef7e67bc03d3637def41a485  xsa190-4.5-CVE-2016-7777.patch
 5399accd478266047e9fada57bba1bf8  xsa191-4.6-CVE-2016-9386.patch
 fa8512910a0dbe7f49b1800518f9c204  xsa192-4.5-CVE-2016-9382.patch
_at_@ -293,44 +233,13 @@ add3ad7828d582fc272073e906ce17a1  xsa200-4.6.patch
 6580371b4b8db7cb6876f2b42ab3fc61  xsa201-1.patch
 76394482eaf0caeb3e0611ba70e8923c  xsa201-2.patch
 9cb1516d783fc9c765e9a37574bb3cbd  xsa201-4.patch
-e60400a02f24b70dd9d39628a731dcda  0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
-83f68ebe641fde827b56996ffc5bbc5e  0002-libxl-Provide-libxl__backendpath_parse_domid.patch
-197b0a2273b68c1cfe2a4482ceffdf4d  0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
-29cc618079c3f586043d665fe8daed24  0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
-f290be1ba26f480fd345ada649d59660  0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
-171dca83420ad3f706ba0466adf030fd  0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
-45bc938047bc7716b57eeb8508977a0f  0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
-ba83d5ea9a1615f2b1693acc3e54f298  0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
-141f2b28b04b4efbf909a4650696d71c  0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
-6611449c2c056fa074685b18443149e0  0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-3264f8403d5cd025c25416a5de7aeb50  0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
-ae82256edf948e1c8ace6c576a4b2597  0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
-14719f6189df1270053184d8a90cc7d1  0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
-1ef583ccc14b6fea78d1891d13b3631c  0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
-f1f2c41ebc7ccda0f8a786a6170694c1  0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
-456b9afc8eb908d5147d9766169acec7  0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
-e6902e354cbfd0f8e56c7c2653c8a953  0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
-be2e9a515e6cc108abae8f2a726001ad  0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
-1ee13d702779674ef6c717621ffa9382  0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
-b5626d90c850d9598dede0740df96e09  0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
-d7ddba3f759d47495b72e8397f64363d  0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
-f8d01a242f6a65c801d8d201e13dffe4  0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
-bcf81392d6f29e737d72b548e4cb1378  0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
-1b484a77201c181a16518f566ea7f239  0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
-b69c6497bd05ce7f597062beb5f50305  0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
-d2d173fca2b2148f4cc0e1b70d67b29f  0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
-dbc827c44937e3d6f4d8a3387842a2dd  0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
-0fce7f760b34193fec742bba74423182  0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
-48673e67de7272a2495da63902f56bce  0017-libxl-Do-not-trust-backend-in-channel-list.patch
-e6550be82f81c1e43c44a17acb5ca80e  0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
-39714ef39a07b62887c726eeedb7197f  0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
-e0138ef232bd7c5d8e28db853692e303  0020-libxl-Document-serial-correctly.patch
+a5a39c6354c952095e1d78a582385933  xsa202-4.6.patch
+9449168ccbc38442b8f55ad9c0964b9f  xsa204-4.5.patch
 de1a3db370b87cfb0bddb51796b50315  qemu-coroutine-gthread.patch
 dd8603eaab5857816843bfc37647d569  qemu-xen-musl-openpty.patch
 08bfdf8caff5d631f53660bf3fd4edaf  qemu-xen_paths.patch
 e449bb3359b490804ffc7b0ae08d62a0  hotplug-vif-vtrill.patch
 229539a822e14a6a62babffd71ecfbf3  0001-ipxe-dont-clobber-ebp.patch
-a0a0294eccbaef77a2f8f5c2789f011c  gnutls-3.4.0.patch
 08a30d56902b660f5102a5c208e545c9  init-xenstore-domain.patch
 0984e3000de17a6d14b8014a3ced46a4  musl-support.patch
 513456607a2adfaa0baf1e3ae5124b23  musl-hvmloader-fix-stdint.patch
_at_@ -347,21 +256,7 @@ dcdd1de2c29e469e834a02ede4f47806  xendomains.confd
 9df68ac65dc3f372f5d61183abdc83ff  xen-consoles.logrotate
 6a2f777c16678d84039acf670d86fff6  xenqemu.confd
 e1c9e1c83a5cc49224608a48060bd677  xenqemu.initd"
-sha256sums="22b6dcb6725434e4baa48f1482328a04064e21d951d7c7c4b994b3d7ad4910fa  xen-4.5.3.tar.gz
-b818922880313cdbc12ea68ae757da5eabed9b3c9e1f8acefe1653683545ccbe  xsa169.patch
-f18282fcb794b8772bc3af51d56860050071bd62a5a909b8f2fc2018e2958154  xsa172.patch
-8cd255416975b5589b85911142b385cc1ed78b8ea5e16ebe9d6c60e2679b23aa  xsa173-4.5.patch
-e61c52477a8d8aa79111d686b103202ff8a558d8b3356635288c1290789b7eb3  xsa176.patch
-6756fcf44446675e5277f6d6c0e8a0aaa51a7909ad9a55af89a09367fded8733  xsa181.patch
-2383695b1dc114e4e31e42dd05d4c86239ce9606478b5e1a71db1111d95b63a2  xsa182-4.5.patch
-0fee41f21a3eb4af1487590098047f4625688bcef7419572a8f418f9fb728468  xsa183-4.6.patch
-88c939c64b8f9fc9f86d0a30517d5455462d1ff837aa4285a9cb189b54c0cf20  xsa184-qemut-master.patch
-3877e19992c4532b8b2a37e151fe6a6187a1bbee2b54c1718b995260bb0fcf65  xsa184-qemuu-master.patch
-3328a1953ecdf4de35462ea8396b0927171d718e95f73a87a7f651427bd8f8b4  xsa185.patch
-f2082a36d968a47e477bb5082d0e0aaa58e6cb3dc20b26389f043a9b7b595fa6  xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
-7482a823c3443e26dee1111c4904162845eaa9f826aa7bf8348007406d91bddd  xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
-be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9  xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
-b96731379ea77d49ffff31d969f4742dde985ef7a86af9422dcac8327c2a1916  xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+sha256sums="e2216e31f774be6bb1bba922288fbbc00bb549c2feb9c12472f60fe689aee4f8  xen-4.5.5.tar.gz
 477d56c41cc2101432459ab79e4d5663aade779c36285f5c1d6d6ed4e34e1009  xsa190-4.5-CVE-2016-7777.patch
 d95a1f0dd5c45497ca56e2e1390fc688bf0a4a7a7fd10c65ae25b4bbb3353b69  xsa191-4.6-CVE-2016-9386.patch
 bb0c6622c6f5c5eb9a680020d865802069446830b4a170bcb82336f6c3b77f55  xsa192-4.5-CVE-2016-9382.patch
_at_@ -376,44 +271,13 @@ d662353629117b9c978cf5444995b41e77b079cc665e078ae7868b715c47c382  xsa197-4.5-qem
 163aeb9ae3ffce28e0bc95bdfff490d2df6f6f0b85ac1d4f447bea921f0a0dda  xsa201-1.patch
 0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b  xsa201-2.patch
 388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919  xsa201-4.patch
-a262c85f9145f71df512338ef1a4b77c05086a894d58ba3d911ea6984bbeaed5  0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
-676806c5713a60f113264298c48c3ac34e3370a6bfb8628d5b8700edfe2415e3  0002-libxl-Provide-libxl__backendpath_parse_domid.patch
-50518f86aedf7857ca3644a2f073745017d12263880990cb7f0d4b3b9e264ac5  0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
-e9207a4a35c13061b502935a31ad09cf4ca8048804f1a62d1c1ccfde5ff3432c  0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
-78baa5268af36baa546e4cd8e7f62d830c860ee3051bba5273266ca0f95627ae  0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
-c59be732bbf602d7d3b5dcbf3a0ca86d6f624585ba2e29f8d0f82c74f7bd33a3  0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
-5c1aa2cc37240cdc4dce5c5067f18c36466d9271ab81c6a7a38d8674b534cd86  0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
-020287ae99d9c049c12087d828ea2d898686ab8600c0f9f8f2042b297ebc968e  0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
-4781d673403b3bb0f43196af1aec52f8769bcf7352afd239d874f381a1d0e9cc  0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
-c6a0fb210488794188924a90df4450e42782f99651b7a016e072a7df7d26d3d6  0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-3f3eec4f45925a9de39fcfd14e7709b3fc8245425b8ae45213afee1ede2b09a0  0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
-084b0054f223addeab3ff951ac1362b7d48379ddf0556eae9971f1a87507c2d4  0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
-129eb3792374c1970cbd7518ac36f31988950d9f1d7bdf84932862d5eac311b1  0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
-938bda668578c153696af0ce5f43f4dbdb822a299edb7c8e530c13d2ecb308e6  0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
-f928280f0a4dde6cbe81c52320ea5ff4f0424e34c217c558a8effe8a54522048  0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
-a606cf11ba60f9449a9b295c4d7ffdb8b4cd60d2ff9c92ee24d2054ce0f1f8b9  0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
-29fc43237fb525c1e56fd9e90c59a461dad79de542273125a6bbb26286b7c71e  0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
-1ed713cc915ecd0aceba4725f24edeedb13db0ad6771846c7a9b897f95af10d8  0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
-eb83ac44edb61932c8b0f97754329c14b951b5d71ac33a37d483efb05c199cac  0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
-236c65539a4c2b5563cd968cebafa6cf4fc9ba2e92b502168548ff210a791be3  0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
-43117dac4db02a0b480a6fc63baaf0f60623ea6da13e5658d95d8a7cafb49951  0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
-e104ad6054ff8d994b4967f9fb382b900e65c0727f4549662f3163b9eaa530e7  0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
-422939d58850d39584e57daf5f7c1db8368763c9bfe9af7668a4dab40602eca5  0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
-37c7b5a3a0365120b07219bb584d6bc5967e30cb98301ac7d9ba92a9750055c4  0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
-89616deb7983a298a4943d7b49658625d08a41bfe6188c3cb771e484b564667b  0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
-8c7a2a4714013f8868d1357d498b63e7dfa9fe59c4f8adaaa3388e9c9341ed92  0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
-e812adffc3960974775a4cf44e24b47a297036d88b606e2b0af1e402477062e9  0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
-63f6852cb78051b2475a7dfe2e0f7a77c2eb5f59f5e9d2b36658ff89b4bd3e2a  0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
-b480b7873eea48ae4c316840519b1a4a986e81d4b32112bd72055fae468c8ab2  0017-libxl-Do-not-trust-backend-in-channel-list.patch
-d4e37a3f3f4ecf8f03716ade37f6b285ec60f16d7725491ca5a06f1f3f98ec88  0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
-368526875f928f4877e4047e86da726a7ad8e70d2c56fd10b5d12d45743e0f8f  0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
-300a4ea3dbf57ac523d7903adcd4545d2a972215d948759dc5ac872ac47ceea9  0020-libxl-Document-serial-correctly.patch
+e007187639f5392a9256979504d50eff0ae38309a61524ea42c4150fab38b6f4  xsa202-4.6.patch
+e523b65ba122c8e22d32004d2035facaf06295094fdc8b67c151b6f44799ef0b  xsa204-4.5.patch
 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe  qemu-coroutine-gthread.patch
 fe76c7c8faf686060b20491bfed4a13ce37b1bc3dcdbf33d242e388cee14c7c1  qemu-xen-musl-openpty.patch
 e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98  qemu-xen_paths.patch
 dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a  hotplug-vif-vtrill.patch
 751ef06569de66578b8713dc170976832b0671ac2696f32eb9ad69d60332d594  0001-ipxe-dont-clobber-ebp.patch
-e25d38376e22f6f935d2c0ce1b9d6e6b47ff261b5e6056bc3b47168739d7a992  gnutls-3.4.0.patch
 0204d69804e83864cd6b2122f51b9c1940588158a35c159a7ef0c3b8fb0af4cb  init-xenstore-domain.patch
 2fea4ceec8872f5560023fa135e3ff03d6deee4299e53d3a33ec59c31779b2c5  musl-support.patch
 479b9605e85c865be6117b6d1993124dbbb7da7f95d0e896e4c0fe5cdfeb74d3  musl-hvmloader-fix-stdint.patch
_at_@ -430,21 +294,7 @@ d13719093a2c3824525f36ac91ac3c9bd1154e5ba0974e5441e4a2ab5e883521  xenconsoled.in
 0da87a4b9094f934e3de937e8ef8d3afc752e76793aa3d730182d0241e118b19  xen-consoles.logrotate
 4cfcddcade5d055422ab4543e8caa6e5c5eee7625c41880a9000b7a87c7c424e  xenqemu.confd
 c92bbb1166edd61141fdf678116974209c4422daf373cdd5bc438aa4adb25b8d  xenqemu.initd"
-sha512sums="086b9b75e97d836498fd4f34b645c9b2f941db44efe8c7d23e53aa6455d40e1672962aaa7bac0db1db82255dba490c4fe996f356c184e71ea7fa5b483d9e9c0f  xen-4.5.3.tar.gz
-5bc99d5b4e8e57852c88401c49cc97f82706763f88682ed8faad6344fb0e17782ed7ba063fd463c3da46e28994af11e575ce6e02aa957ff042e3c86269d15acc  xsa169.patch
-8636f74b270b0ccf56ea6bab4c90d0ee909e5d2891987b4572df4a0906e2230e046aad0c99add6c1d70f7023cc6d99bcfd2947c953f600074a6ed7c176a5d3dc  xsa172.patch
-14b017f2e1b39adbb55ba35eafe139172609dada23e16999272d8c712e14045752933400721bc6eb6cb80a3427f3d44d829e492590e2cd5b7fe9bcfaa356b9e7  xsa173-4.5.patch
-0f86e4e4ee94c22166174d018954f60d9700ea4d880f4ca41b6ae1b242a4e1649da305851ef4d9b3aa91d512411a3a423f1aadceb20714d160d4d97d145dc312  xsa176.patch
-4505d0b8740609db6a6013f72bda7693ef57f4febbd0e8a20a86a7bf717234495824e895e39bf7dc710a6ae78320723b10e1c3570018b1e7fbe26959f252eb05  xsa181.patch
-9e2cba41ef7df8d74e74b030340f5c9a58fd95d55e5853c35aab011bcbc7d207479b9c374e3912d8ac0f4e8eb01fa4f9a1e281ca13bb9472dc66f0e110ba6d6a  xsa182-4.5.patch
-f3495976ab219cfd376bae3ad409b452169df11ebcd36b106212db1b1fc8db8c50e721a5d1e23efbc25146946f922556014eda652517ee95efbfb3b482327e99  xsa183-4.6.patch
-14c07d077a9d60a03859ca1b92347517c93faf88db06f8cb0515e486a3919afa8401203161ff671dda8fbdb64e6ca5e86120f1b8f65e6bfaa63a8c6a33211bad  xsa184-qemut-master.patch
-862e00d9cd126f8323f9c9706bf6ce7896d97e68e647416c699d9f2e01b88083a5fea346b13403577311384946912123f64bf5a568f1a6f92077d28923df54c6  xsa184-qemuu-master.patch
-6b774cfef049d457d89149a973b5a5af674b995726c88ce09278f4a64cb94f5b3c2c2380a6273475a13eb9cdd972f5429f393247ecca6463f6068d606ea74886  xsa185.patch
-bf899dde20cee730598b90e0a07941155b20e0ea17b9a3017a53bd0e1495fb6e5dc251934e01d02937b56ad65faf3accecf695b4fd7f6dcc0bae91290bd87b19  xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
-6583c843855d300b3d40321d909b64ab0df6b03da62b3400cb7e58a9249077112e5951e14449880cfc8d593dabd9afcffc15ff77555f745b478f7af939b3219e  xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
-d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486  xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
-63f30d4a6842fc516d33334b25806e10a89228fec32315df27c9c271303d02619be4a88e638e41920ad808215280c3fce697574d05c5fb3f184844069383a201  xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+sha512sums="7e8d7e0248daa91389db0250c5f214dc1ab46c058d556a4326c801933ead05cc450cb9510108586418de029b81a80fd9f272ec1749d288a8250e69599aa2d769  xen-4.5.5.tar.gz
 23ca5b5c86186b3683be38b65ed30d0ddf15d9ae29e462ae9b2606d78d84ceafa3913a2648d0430872aef1e6209c443b81d8bd4ae4c01b9021c75db1ed05ba5a  xsa190-4.5-CVE-2016-7777.patch
 502f50bece05d52b127c497eda0236a9011e56885fb0b5fac74ab449c2eac94d0f2cf64da16808c25f8a3091aef0a9586ad5c19f6b98a8c459908149d629b321  xsa191-4.6-CVE-2016-9386.patch
 d158cd493ccc516814201cb147ad99688223437938e655c5c8d75c2b73e14c319dc94e6077a9ec6521f2ca5e6af5d118f923f333702a83266c0ba44cc18efa9e  xsa192-4.5-CVE-2016-9382.patch
_at_@ -459,44 +309,13 @@ b61429fbf4d1677a8dab2710ab21335f18b3f998f2e5e19e45a4727f71b9671b3d1bd709bef3594c
 67006c1ac5d0b01eb65b5a9b6583ef31c0df0cdb6331af983d972d9b0c4bc21416484d88445edb8ee8470becdc11bc88fad4a617aac40ae26610eb2bee40bd01  xsa201-1.patch
 afed1ed3c5b4dd3a1d2c1c0fe824cdeb58efdc40fdaf5ce439deb2feef63141168114ea362fc5c683eb0494bb6bd3c76773b099495af21550ae3a1e5cb4e924d  xsa201-2.patch
 1761ca422fe9e3caee3442b43b84da49721a01ed8417f653c568695b08718c40be1493cc7a0a6145c7ce195c7fb0c753b190fe2f1782d5242e1e304c18005610  xsa201-4.patch
-3868b99fc9048d8eef58e949bc5caace6b964345fff92322a191b49fc3991373d785b9287e23d4fc1572a02ba278de5eba299caeeb6e6e46ecb87c2c309c943e  0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
-60b9289891b3d69798da5c55abe06c4fda2ada1657178042a6f560fddd9d3495c7725516dd94d8a22c53990f63de873fa8d0363a57804b351f84e36de3bb4452  0002-libxl-Provide-libxl__backendpath_parse_domid.patch
-f13b453de38ef3e4847e819b82eecec0e4461f824cb6b15b752a364ee4ec4c4d8c5e9193964976d1d937e422938d13c8271fcd113abd1b3e4a8875114f4075c2  0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
-31d2370b4479bd06510b04bd5a5d3e6d58688960d37bea16a2b5b7ae7cd427bf322a63864eef5251b358bfe3ec9550b2b0bff568194c85e2e7ab44771edb5b4b  0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
-011e859a6be428f9da6545607f0f0ab9487c61051623c6d45d89d64631dc50305ed0a0717785ccc5f671ee1c24282a1f598704b4b6fd4227bf0eecafb0e88e67  0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
-7ce011b474a2d29f3efe883733280ac79eaad959ceb606a72924bf3824c79b049a6773d1c300af38c24d2d3fbbbeab73252997497a29fa0cf32e1394d6309e92  0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
-d01d5080d110327077d237d0e9d2c3977915f00bfdd85b339a04ef095b9651a51991807aae74567b0d2bb874020e9ac4f44548d9f8a61effb7188793a8c17f73  0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
-b30c0086d5056678237d34bcf0a4aeb0f22221d3c6c692765fa1ab775a8ad49227a47d0594331978f2c7e6851a814d0348ca408e82b046c9b25218954c092516  0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
-9cf217d2d6063c985393df9e330190f3cabad9e3d70dad18d5b169145fae59c1a401f04040a04ef7b17b9b21a406230c6b048d05b9ebd6518edeb4e69e91b6b4  0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
-d6003448e456cd42f0a28f887a2859b399058cdd76f286d7f9617cd462976d0a8781dba9132f5db00387c6fd60867a6c8b090b0d10eccbf74462d5dc63dc5294  0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
-3ffcf00f4ba76841b1af4145983160016d329f140d2363ccadfcd7f3de2ff752a6bbd65d0b4f0bf06a06518e066ba49243b1d12dda2f8e557eb8c82c8c1a12b1  0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
-f0d383c623cafae7f4aad9bf0444aa2bcf4baeb73e2c2c815136b19ed28cdbb8d6b7db1074949d322d4e3b3d5ff12770bac942f594743405111829f91368c3eb  0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
-a4f4d4832a11bdbfceeac47f057ac1ab587a772107fca1b3b54d442a4ea42c10d9b031aa876705bb7d0399f532f674b5044596fc82dfeba709e73825ffb4be7c  0001-libxl-Make-copy-of-every-xs-backend-in-libxl-in-_gen.patch
-56fbd31171868c16d0c4b9218bdc91034e8c12c18f7028222d99fcaba0a8c9cbf215e3fd638db8eafb08a6967f7236b8fd3a0d09c26f23e41643e27520b8848c  0002-libxl-Do-not-trust-backend-in-libxl__device_exists.patch
-7258a9199744242a5c2d4ebd279c130c3fe58dd30512ba1dae43e8fabd6eef407285f2a91e9ffc136be67e584249f836196fb3bdc3f1071324f3eb06f5adcfe5  0003-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-excep.patch
-6383c34a639d389e9b04c736fa57386a3ff31654ad8c288a327d6982c9ff2dc802568deb3d0936db0e806863c300d2c361ab85b3f01bcc38fc1e8ed630fc7be9  0004-libxl-Do-not-trust-backend-for-vtpm-in-getinfo-uuid.patch
-971368329285d11893ec470354549318051f29f23ba10eaf97340b95acdac2f7e07879fd119e6a5c3746fbdab9d80f2235e166f4240c0d1ea27b00998b43afd3  0005-libxl-cdrom-eject-and-insert-write-to-libxl.patch
-4b801e725e8f6b32c8a78fe8249a0e57297cf12687614fd61b964b5d017c4a1a2fbae0e274d89ed8ef0d817ae7a29aff07380e007cf4451b297011459caeb3ff  0006-libxl-Do-not-trust-backend-for-disk-eject-vdev.patch
-ee157ddf088dd12be957aa9df6b70df6743631c3669009be82a335cadcf5d8d7ae4b6332e05881160d5891f6e89294d853d199b4b36243f0c315d95003c4d0fc  0007-libxl-Do-not-trust-backend-for-disk-fix-driver-domai.patch
-5878ca43f14f5c8562c40fb217a87d96c2b65120b73968d5ac6fe8273490f00c4dc2925cf5b60a9b8ccc245a6461ad2671c76e6317a99ba73d3fa3e5a58fd8b7  0008-libxl-Do-not-trust-backend-for-disk-in-getinfo.patch
-c45b8a5baefa928135841d0d8fa53cb636d74351d151cc004bf306996ec6b5e8b5cb433083941dd46c67b35016b0db8acf3554a11a60273c9bbd539a96103ddd  0009-libxl-Do-not-trust-backend-for-cdrom-insert.patch
-6101486f20e8167b3424cb0ae410dded7266d9e6f77059ee61d9704d492272f7e2f8407a66f71ce04b6a36239ea200c9373c91046a06ba869bd439e54a740d51  0010-libxl-Do-not-trust-backend-for-channel-in-getinfo.patch
-cb8625745a11907b2193e03c890fdb809abc9245b2ef7351d9f8da3f98a5503f94786522f891a353ea7e8bc5cd87c6d822a4e3243ab10b411c29dbc1c61e656b  0011-libxl-Rename-libxl__device_-nic-channel-_from_xs_be-.patch
-bfed26b4bf72321f8807c38dfdb90d46317d1c46f91e72ff7fc4843933a9af8bbedf1b7acb51d5d63d2faf304b6ee5db81fa73339de0bc02d8f9c6fe275025c6  0012-libxl-Rename-READ_BACKEND-to-READ_LIBXLDEV.patch
-a7a4877e7694cfede4c999b887e6acc74863ed7d0356cb11dee14b422f217b3d3eae7429430d911fb45a437eeb6753c0ab67aa5a5f07a286f37e77e3892ed314  0013-libxl-Have-READ_LIBXLDEV-use-libxl_path-rather-than-.patch
-56d4f648bd6923d51a7fc4d4a13f23f840a9885054413f5d56b5b085993b567548d2e88bf1e19b071261e050ff19243228d67e1bec797e6f5fe05c5add2ac4ee  0014-libxl-Do-not-trust-backend-in-nic-getinfo.patch
-b27845729c1c2409922d97398d5da6186e37860be627b17bf46a9df9defbefb9c9f5233b11f1f9b13d6e251a9da0c9c23ddb875ffef8b18a8a461cec05f6c00a  0015-libxl-Do-not-trust-backend-for-nic-in-devid_to_devic.patch
-ceb8025b56dc93d99cb6d0017ce1349c1f2bab723aed0fc71378a8becc1e11af9eab2f63190d7de8b3cd4405317dcab67675ffcfb4013879a0e4d575d7117a5c  0016-libxl-Do-not-trust-backend-for-nic-in-list.patch
-0874114b826d40d994c9fb17b17debbf5a461ddd9cdad84a8b8f4ced4ab946e8592f059b36a4712aff13889c344e25d7dc49dc169987349aa5727a45e0b81b78  0017-libxl-Do-not-trust-backend-in-channel-list.patch
-0f623c6055d8a0c7fd3da2f252418c2d86a847c70496eb937588d7dd479032394ba1f3f77b92e9026101be12bdfcd7862573e5b619856c7f917f23b8efde24f1  0018-libxl-Cleanup-Have-libxl__alloc_vdev-use-libxl.patch
-1bf024ed18f27ae13c7071ed3b59f0334d51843f6ece66e815e71d5a2b107ca4b91c8b40d9742f6a1d56e41177080b5cba18922a44f4fecead2b3c7e97218d05  0019-libxl-Cleanup-use-libxl__backendpath_parse_domid-in-.patch
-1988754ebacf96768b3a4efcef60af69107ad5b4882a4dadb5c13ec2b0b0eb6ec54fb7d3092418e0f35257dacc02cb71c5a981f112e9104e9662072a4e5f62ef  0020-libxl-Document-serial-correctly.patch
+dee7a595324ea5de3754c9aad2422fc2021bcb53999e344dbe6e4edfd4772a5ed20e8ebfb40750b81287a2a022037d49cbe4f0f7ba481ae0ac79a4249ef630bf  xsa202-4.6.patch
+0ab83e29f10288f24f46de6f9ea267a3ee6eaef356e1905318006d20ffa1dba43c7661229246e394c8454c15e3127df7de026bde02ab3614e1c2ef8fc7396850  xsa204-4.5.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 a8b7378516172389450834985e8558d7a86d7cd808154bdc846bb98325e40fc4e87b1fc6d725297f4bef6eb54ebcbcbfa4d9d0363d83f635755795fb0726e006  qemu-xen-musl-openpty.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
 f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3  hotplug-vif-vtrill.patch
 c3a1b270347a99c8ce21118010ad8d817b4462a31cc5c75352faa7086969ef0646f3f4d0922d85c2e504cff091ce7e9fe79c92f983c2ba4af2fae85c52c3835a  0001-ipxe-dont-clobber-ebp.patch
-e9b88234bd67c2d65fcda1a56deeaf60aaa4c8b2afff128028c6a1478c89f828584dab1ac04f8d9d53cf17d26572e5505d0bbfcc4b2a6842cc749c6c018c0e51  gnutls-3.4.0.patch
 475eb800660dc928914b8c15562f18f24d6e7a76f4cc7bed9249ce52d444c29aec1aef843eb37ade0c7c9616195bbbc1606a3195e25b2bd4b6a1d1af5f69256e  init-xenstore-domain.patch
 76bd60768b296752ca11195bb03a57584686461da45255cb540977111a73c42b5b92362fd46d97bfd20487c96971dd5aed7eae7d8bf1aad7d5199adb875d4962  musl-support.patch
 08cf7fac825dd3da5f33856abf6692da00d8928ab73050b3ae0a643ddb97c8ae323238a80152fd31595ac1c31678d559232264258c189e2c05ecaf33e295f13e  musl-hvmloader-fix-stdint.patch
diff --git a/main/xen/gnutls-3.4.0.patch b/main/xen/gnutls-3.4.0.patch
deleted file mode 100644
index 9d2ed16..0000000
--- a/main/xen/gnutls-3.4.0.patch
+++ /dev/null
_at_@ -1,36 +0,0 @@
---- ./tools/qemu-xen-traditional/vnc.c.orig
-+++ ./tools/qemu-xen-traditional/vnc.c
-_at_@ -2137,10 +2137,6 @@
- 
- 
- static int vnc_start_tls(struct VncState *vs) {
--    static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
--    static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
--    static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
--    static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
- 
-     VNC_DEBUG("Do TLS setup\n");
-     if (vnc_tls_initialize() < 0) {
-_at_@ -2161,21 +2157,7 @@
- 	    return -1;
- 	}
- 
--	if (gnutls_kx_set_priority(vs->tls_session, NEED_X509_AUTH(vs) ? kx_x509 : kx_anon) < 0) {
--	    gnutls_deinit(vs->tls_session);
--	    vs->tls_session = NULL;
--	    vnc_client_error(vs);
--	    return -1;
--	}
--
--	if (gnutls_certificate_type_set_priority(vs->tls_session, cert_type_priority) < 0) {
--	    gnutls_deinit(vs->tls_session);
--	    vs->tls_session = NULL;
--	    vnc_client_error(vs);
--	    return -1;
--	}
--
--	if (gnutls_protocol_set_priority(vs->tls_session, protocol_priority) < 0) {
-+	if (gnutls_priority_set_direct(vs->tls_session, NEED_X509_AUTH(vs) ? "NORMAL" : "NORMAL:+ANON-DH", NULL) < 0) {
- 	    gnutls_deinit(vs->tls_session);
- 	    vs->tls_session = NULL;
- 	    vnc_client_error(vs);
diff --git a/main/xen/xsa169.patch b/main/xen/xsa169.patch
deleted file mode 100644
index 617e457..0000000
--- a/main/xen/xsa169.patch
+++ /dev/null
_at_@ -1,33 +0,0 @@
-x86: make debug output consistent in hvm_set_callback_via
-
-The unconditional printks in the switch statement of the
-hvm_set_callback_via function results in Xen log spam in non debug
-versions of Xen. The printks are for debug output only so conditionally
-compile the entire switch statement on debug versions of Xen only.
-
-This is XSA-169.
-
-Signed-off-by: Malcolm Crossley <malcolm.crossley_at_citrix.com>
-Reviewed-by: Jan Beulich <jbeulich_at_suse.com>
-Acked-by: Ian Campbell <ian.campbell_at_citrix.com>
-
---- a/xen/arch/x86/hvm/irq.c
-+++ b/xen/arch/x86/hvm/irq.c
-_at_@ -386,7 +386,8 @@ void hvm_set_callback_via(struct domain
- 
-     spin_unlock(&d->arch.hvm_domain.irq_lock);
- 
--    dprintk(XENLOG_G_INFO, "Dom%u callback via changed to ", d->domain_id);
-+#ifndef NDEBUG
-+    printk(XENLOG_G_INFO "Dom%u callback via changed to ", d->domain_id);
-     switch ( via_type )
-     {
-     case HVMIRQ_callback_gsi:
-_at_@ -402,6 +403,7 @@ void hvm_set_callback_via(struct domain
-         printk("None\n");
-         break;
-     }
-+#endif
- }
- 
- struct hvm_intack hvm_vcpu_has_pending_irq(struct vcpu *v)
diff --git a/main/xen/xsa172.patch b/main/xen/xsa172.patch
deleted file mode 100644
index 8b1d01f..0000000
--- a/main/xen/xsa172.patch
+++ /dev/null
_at_@ -1,39 +0,0 @@
-x86: fix information leak on AMD CPUs
-
-The fix for XSA-52 was wrong, and so was the change synchronizing that
-new behavior to the FXRSTOR logic: AMD's manuals explictly state that
-writes to the ES bit are ignored, and it instead gets calculated from
-the exception and mask bits (it gets set whenever there is an unmasked
-exception, and cleared otherwise). Hence we need to follow that model
-in our workaround.
-
-This is XSA-172.
-
-The first hunk (xen/arch/x86/i387.c:fpu_fxrstor) is CVE-2016-3159.
-The second hunk (xen/arch/x86/xstate.c:xrstor) is CVE-2016-3158.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-
---- a/xen/arch/x86/i387.c
-+++ b/xen/arch/x86/i387.c
-_at_@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vc
-      * sometimes new user value. Both should be ok. Use the FPU saved
-      * data block as a safe address because it should be in L1.
-      */
--    if ( !(fpu_ctxt->fsw & 0x0080) &&
-+    if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) &&
-          boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
-     {
-         asm volatile ( "fnclex\n\t"
---- a/xen/arch/x86/xstate.c
-+++ b/xen/arch/x86/xstate.c
-_at_@ -344,7 +344,7 @@ void xrstor(struct vcpu *v, uint64_t mas
-      * data block as a safe address because it should be in L1.
-      */
-     if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
--         !(ptr->fpu_sse.fsw & 0x0080) &&
-+         !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) &&
-          boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
-         asm volatile ( "fnclex\n\t"        /* clear exceptions */
-                        "ffree %%st(7)\n\t" /* clear stack tag */
diff --git a/main/xen/xsa173-4.5.patch b/main/xen/xsa173-4.5.patch
deleted file mode 100644
index d0ebe4a..0000000
--- a/main/xen/xsa173-4.5.patch
+++ /dev/null
_at_@ -1,244 +0,0 @@
-commit 9d7687d60ae2e09ad2a77b05bd820e7850709375
-Author: Tim Deegan <tim_at_xen.org>
-Date:   Wed Mar 16 16:56:04 2016 +0000
-
-    x86: limit GFNs to 32 bits for shadowed superpages.
-    
-    Superpage shadows store the shadowed GFN in the backpointer field,
-    which for non-BIGMEM builds is 32 bits wide.  Shadowing a superpage
-    mapping of a guest-physical address above 2^44 would lead to the GFN
-    being truncated there, and a crash when we come to remove the shadow
-    from the hash table.
-    
-    Track the valid width of a GFN for each guest, including reporting it
-    through CPUID, and enforce it in the shadow pagetables.  Set the
-    maximum witth to 32 for guests where this truncation could occur.
-    
-    This is XSA-173.
-    
-    Signed-off-by: Tim Deegan <tim_at_xen.org>
-    Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-
-Reported-by: Ling Liu <liuling-it_at_360.cn>
-diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
-index 5c8d3c2..7dc8220 100644
---- a/xen/arch/x86/cpu/common.c
-+++ b/xen/arch/x86/cpu/common.c
-_at_@ -37,6 +37,7 @@ integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx);
- struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
- 
- unsigned int paddr_bits __read_mostly = 36;
-+unsigned int hap_paddr_bits __read_mostly = 36;
- 
- /*
-  * Default host IA32_CR_PAT value to cover all memory types.
-_at_@ -209,7 +210,7 @@ static void __init early_cpu_detect(void)
- 
- static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
- {
--	u32 tfms, capability, excap, ebx;
-+	u32 tfms, capability, excap, ebx, eax;
- 
- 	/* Get vendor name */
- 	cpuid(0x00000000, &c->cpuid_level,
-_at_@ -246,8 +247,11 @@ static void __cpuinit generic_identify(struct cpuinfo_x86 *c)
- 		}
- 		if ( c->extended_cpuid_level >= 0x80000004 )
- 			get_model_name(c); /* Default name */
--		if ( c->extended_cpuid_level >= 0x80000008 )
--			paddr_bits = cpuid_eax(0x80000008) & 0xff;
-+		if ( c->extended_cpuid_level >= 0x80000008 ) {
-+			eax = cpuid_eax(0x80000008);
-+			paddr_bits = eax & 0xff;
-+			hap_paddr_bits = ((eax >> 16) & 0xff) ?: paddr_bits;
-+		}
- 	}
- 
- 	/* Might lift BIOS max_leaf=3 limit. */
-diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
-index 41fb10a..cac458a 100644
---- a/xen/arch/x86/hvm/hvm.c
-+++ b/xen/arch/x86/hvm/hvm.c
-_at_@ -4327,8 +4327,7 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx,
-         break;
- 
-     case 0x80000008:
--        count = cpuid_eax(0x80000008);
--        count = (count >> 16) & 0xff ?: count & 0xff;
-+        count = d->arch.paging.gfn_bits + PAGE_SHIFT;
-         if ( (*eax & 0xff) > count )
-             *eax = (*eax & ~0xff) | count;
- 
-diff --git a/xen/arch/x86/mm/guest_walk.c b/xen/arch/x86/mm/guest_walk.c
-index 1b26175..50ba7d5 100644
---- a/xen/arch/x86/mm/guest_walk.c
-+++ b/xen/arch/x86/mm/guest_walk.c
-_at_@ -94,6 +94,12 @@ void *map_domain_gfn(struct p2m_domain *p2m, gfn_t gfn, mfn_t *mfn,
-     struct page_info *page;
-     void *map;
- 
-+    if ( gfn_x(gfn) >> p2m->domain->arch.paging.gfn_bits )
-+    {
-+        *rc = _PAGE_INVALID_BIT;
-+        return NULL;
-+    }
-+
-     /* Translate the gfn, unsharing if shared */
-     page = get_page_from_gfn_p2m(p2m->domain, p2m, gfn_x(gfn), p2mt, NULL,
-                                  q);
-_at_@ -327,20 +333,8 @@ guest_walk_tables(struct vcpu *v, struct p2m_domain *p2m,
-             flags &= ~_PAGE_PAT;
- 
-         if ( gfn_x(start) & GUEST_L2_GFN_MASK & ~0x1 )
--        {
--#if GUEST_PAGING_LEVELS == 2
--            /*
--             * Note that _PAGE_INVALID_BITS is zero in this case, yielding a
--             * no-op here.
--             *
--             * Architecturally, the walk should fail if bit 21 is set (others
--             * aren't being checked at least in PSE36 mode), but we'll ignore
--             * this here in order to avoid specifying a non-natural, non-zero
--             * _PAGE_INVALID_BITS value just for that case.
--             */
--#endif
-             rc |= _PAGE_INVALID_BITS;
--        }
-+
-         /* Increment the pfn by the right number of 4k pages.  
-          * Mask out PAT and invalid bits. */
-         start = _gfn((gfn_x(start) & ~GUEST_L2_GFN_MASK) +
-_at_@ -423,5 +417,11 @@ set_ad:
-         put_page(mfn_to_page(mfn_x(gw->l1mfn)));
-     }
- 
-+    /* If this guest has a restricted physical address space then the
-+     * target GFN must fit within it. */
-+    if ( !(rc & _PAGE_PRESENT)
-+         && gfn_x(guest_l1e_get_gfn(gw->l1e)) >> d->arch.paging.gfn_bits )
-+        rc |= _PAGE_INVALID_BITS;
-+
-     return rc;
- }
-diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
-index 0c80012..84531b1 100644
---- a/xen/arch/x86/mm/hap/hap.c
-+++ b/xen/arch/x86/mm/hap/hap.c
-_at_@ -429,6 +429,8 @@ void hap_domain_init(struct domain *d)
- {
-     INIT_PAGE_LIST_HEAD(&d->arch.paging.hap.freelist);
- 
-+    d->arch.paging.gfn_bits = hap_paddr_bits - PAGE_SHIFT;
-+
-     /* Use HAP logdirty mechanism. */
-     paging_log_dirty_init(d, hap_enable_log_dirty,
-                           hap_disable_log_dirty,
-diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
-index 18026fe..9028d82 100644
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-_at_@ -48,6 +48,16 @@ void shadow_domain_init(struct domain *d, unsigned int domcr_flags)
-     INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.freelist);
-     INIT_PAGE_LIST_HEAD(&d->arch.paging.shadow.pinned_shadows);
- 
-+    d->arch.paging.gfn_bits = paddr_bits - PAGE_SHIFT;
-+#ifndef CONFIG_BIGMEM
-+    /*
-+     * Shadowed superpages store GFNs in 32-bit page_info fields.
-+     * Note that we cannot use guest_supports_superpages() here.
-+     */
-+    if ( !is_pv_domain(d) || opt_allow_superpage )
-+        d->arch.paging.gfn_bits = 32;
-+#endif
-+
-     /* Use shadow pagetables for log-dirty support */
-     paging_log_dirty_init(d, shadow_enable_log_dirty, 
-                           shadow_disable_log_dirty, shadow_clean_dirty_bitmap);
-diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
-index d6802ff..7589d23 100644
---- a/xen/arch/x86/mm/shadow/multi.c
-+++ b/xen/arch/x86/mm/shadow/multi.c
-_at_@ -527,7 +527,8 @@ _sh_propagate(struct vcpu *v,
-     ASSERT(GUEST_PAGING_LEVELS > 3 || level != 3);
- 
-     /* Check there's something for the shadows to map to */
--    if ( !p2m_is_valid(p2mt) && !p2m_is_grant(p2mt) )
-+    if ( (!p2m_is_valid(p2mt) && !p2m_is_grant(p2mt))
-+         || gfn_x(target_gfn) >> d->arch.paging.gfn_bits )
-     {
-         *sp = shadow_l1e_empty();
-         goto done;
-diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
-index 6a77a93..e8df4a9 100644
---- a/xen/include/asm-x86/domain.h
-+++ b/xen/include/asm-x86/domain.h
-_at_@ -188,6 +188,9 @@ struct paging_domain {
-     /* log dirty support */
-     struct log_dirty_domain log_dirty;
- 
-+    /* Number of valid bits in a gfn. */
-+    unsigned int gfn_bits;
-+
-     /* preemption handling */
-     struct {
-         const struct domain *dom;
-diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h
-index d2a8250..d95f835 100644
---- a/xen/include/asm-x86/guest_pt.h
-+++ b/xen/include/asm-x86/guest_pt.h
-_at_@ -220,15 +220,17 @@ guest_supports_nx(struct vcpu *v)
- }
- 
- 
--/* Some bits are invalid in any pagetable entry. */
--#if GUEST_PAGING_LEVELS == 2
--#define _PAGE_INVALID_BITS (0)
--#elif GUEST_PAGING_LEVELS == 3
--#define _PAGE_INVALID_BITS \
--    get_pte_flags(((1ull<<63) - 1) & ~((1ull<<paddr_bits) - 1))
--#else /* GUEST_PAGING_LEVELS == 4 */
-+/*
-+ * Some bits are invalid in any pagetable entry.
-+ * Normal flags values get represented in 24-bit values (see
-+ * get_pte_flags() and put_pte_flags()), so set bit 24 in
-+ * addition to be able to flag out of range frame numbers.
-+ */
-+#if GUEST_PAGING_LEVELS == 3
- #define _PAGE_INVALID_BITS \
--    get_pte_flags(((1ull<<52) - 1) & ~((1ull<<paddr_bits) - 1))
-+    (_PAGE_INVALID_BIT | get_pte_flags(((1ull << 63) - 1) & ~(PAGE_SIZE - 1)))
-+#else /* 2-level and 4-level */
-+#define _PAGE_INVALID_BITS _PAGE_INVALID_BIT
- #endif
- 
- 
-diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
-index b4e4731..56fc5a2 100644
---- a/xen/include/asm-x86/processor.h
-+++ b/xen/include/asm-x86/processor.h
-_at_@ -203,6 +203,8 @@ extern u32 cpuid_ext_features;
- 
- /* Maximum width of physical addresses supported by the hardware */
- extern unsigned int paddr_bits;
-+/* Max physical address width supported within HAP guests */
-+extern unsigned int hap_paddr_bits;
- 
- extern void identify_cpu(struct cpuinfo_x86 *);
- extern void setup_clear_cpu_cap(unsigned int);
-diff --git a/xen/include/asm-x86/x86_64/page.h b/xen/include/asm-x86/x86_64/page.h
-index 1d54587..f1d1b6c 100644
---- a/xen/include/asm-x86/x86_64/page.h
-+++ b/xen/include/asm-x86/x86_64/page.h
-_at_@ -141,6 +141,12 @@ typedef l4_pgentry_t root_pgentry_t;
- #define _PAGE_GNTTAB (1U<<22)
- 
- /*
-+ * Bit 24 of a 24-bit flag mask!  This is not any bit of a real pte,
-+ * and is only used for signalling in variables that contain flags.
-+ */
-+#define _PAGE_INVALID_BIT (1U<<24)
-+
-+/*
-  * Bit 12 of a 24-bit flag mask. This corresponds to bit 52 of a pte.
-  * This is needed to distinguish between user and kernel PTEs since _PAGE_USER
-  * is asserted for both.
diff --git a/main/xen/xsa176.patch b/main/xen/xsa176.patch
deleted file mode 100644
index 1c15abd..0000000
--- a/main/xen/xsa176.patch
+++ /dev/null
_at_@ -1,45 +0,0 @@
-x86/mm: fully honor PS bits in guest page table walks
-
-In L4 entries it is currently unconditionally reserved (and hence
-should, when set, always result in a reserved bit page fault), and is
-reserved on hardware not supporting 1Gb pages (and hence should, when
-set, similarly cause a reserved bit page fault on such hardware).
-
-This is CVE-2016-4480 / XSA-176.
-
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Tested-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-
---- a/xen/arch/x86/mm/guest_walk.c
-+++ b/xen/arch/x86/mm/guest_walk.c
-_at_@ -226,6 +226,11 @@ guest_walk_tables(struct vcpu *v, struct
-         rc |= _PAGE_PRESENT;
-         goto out;
-     }
-+    if ( gflags & _PAGE_PSE )
-+    {
-+        rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
-+        goto out;
-+    }
-     rc |= ((gflags & mflags) ^ mflags);
- 
-     /* Map the l3 table */
-_at_@ -247,7 +252,7 @@ guest_walk_tables(struct vcpu *v, struct
-     }
-     rc |= ((gflags & mflags) ^ mflags);
-     
--    pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v); 
-+    pse1G = !!(gflags & _PAGE_PSE);
- 
-     if ( pse1G )
-     {
-_at_@ -267,6 +272,8 @@ guest_walk_tables(struct vcpu *v, struct
-             /* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */
-             flags &= ~_PAGE_PAT;
- 
-+        if ( !guest_supports_1G_superpages(v) )
-+            rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
-         if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 )
-             rc |= _PAGE_INVALID_BITS;
- 
diff --git a/main/xen/xsa181.patch b/main/xen/xsa181.patch
deleted file mode 100644
index c44541e..0000000
--- a/main/xen/xsa181.patch
+++ /dev/null
_at_@ -1,38 +0,0 @@
-From ee488e2133e581967d13d5287d7bd654e9b2e2a6 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Date: Thu, 2 Jun 2016 14:19:00 +0100
-Subject: [PATCH] xen/arm: Don't free p2m->root in p2m_teardown() before it has
- been allocated
-
-If p2m_init() didn't complete successfully, (e.g. due to VMID
-exhaustion), p2m_teardown() is called and unconditionally tries to free
-p2m->root before it has been allocated.  free_domheap_pages() doesn't
-tolerate NULL pointers.
-
-This is XSA-181
-
-Reported-by: Aaron Cornelius <Aaron.Cornelius_at_dornerworks.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Julien Grall <julien.grall_at_arm.com>
----
- xen/arch/arm/p2m.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
-index 838d004..6a19c57 100644
---- a/xen/arch/arm/p2m.c
-+++ b/xen/arch/arm/p2m.c
-_at_@ -1408,7 +1408,8 @@ void p2m_teardown(struct domain *d)
-     while ( (pg = page_list_remove_head(&p2m->pages)) )
-         free_domheap_page(pg);
- 
--    free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
-+    if ( p2m->root )
-+        free_domheap_pages(p2m->root, P2M_ROOT_ORDER);
- 
-     p2m->root = NULL;
- 
--- 
-2.1.4
-
diff --git a/main/xen/xsa182-4.5.patch b/main/xen/xsa182-4.5.patch
deleted file mode 100644
index 95971a4..0000000
--- a/main/xen/xsa182-4.5.patch
+++ /dev/null
_at_@ -1,102 +0,0 @@
-From 798c1498f764bfaa7b0b955bab40b01b0610d372 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Date: Mon, 11 Jul 2016 14:32:03 +0100
-Subject: [PATCH] x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath
-
-All changes in writeability and cacheability must go through full
-re-validation.
-
-Rework the logic as a whitelist, to make it clearer to follow.
-
-This is XSA-182
-
-Reported-by: Jérémie Boutoille <jboutoille_at_ext.quarkslab.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: Tim Deegan <tim_at_xen.org>
----
- xen/arch/x86/mm.c          | 28 ++++++++++++++++------------
- xen/include/asm-x86/page.h |  1 +
- 2 files changed, 17 insertions(+), 12 deletions(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index b4c4fa4..a68a1ab 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-_at_@ -1695,6 +1695,14 @@ static inline int update_intpte(intpte_t *p,
-                   _t ## e_get_intpte(_o), _t ## e_get_intpte(_n),   \
-                   (_m), (_v), (_ad))
- 
-+/*
-+ * PTE flags that a guest may change without re-validating the PTE.
-+ * All other bits affect translation, caching, or Xen's safety.
-+ */
-+#define FASTPATH_FLAG_WHITELIST                                     \
-+    (_PAGE_NX_BIT | _PAGE_AVAIL_HIGH | _PAGE_AVAIL | _PAGE_GLOBAL | \
-+     _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_USER)
-+
- /* Update the L1 entry at pl1e to new value nl1e. */
- static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
-                         unsigned long gl1mfn, int preserve_ad,
-_at_@ -1735,9 +1743,8 @@ static int mod_l1_entry(l1_pgentry_t *pl1e, l1_pgentry_t nl1e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping, r/w, presence, and cachability. */
--        if ( !l1e_has_changed(ol1e, nl1e,
--                              PAGE_CACHE_ATTRS | _PAGE_RW | _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l1e_has_changed(ol1e, nl1e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l1e(nl1e, pt_dom);
-             if ( UPDATE_ENTRY(l1, pl1e, ol1e, nl1e, gl1mfn, pt_vcpu,
-_at_@ -1819,11 +1826,8 @@ static int mod_l2_entry(l2_pgentry_t *pl2e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping and presence. */
--        if ( !l2e_has_changed(ol2e, nl2e,
--                              unlikely(opt_allow_superpage)
--                              ? _PAGE_PSE | _PAGE_RW | _PAGE_PRESENT
--                              : _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l2e_has_changed(ol2e, nl2e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l2e(nl2e, d);
-             if ( UPDATE_ENTRY(l2, pl2e, ol2e, nl2e, pfn, vcpu, preserve_ad) )
-_at_@ -1888,8 +1892,8 @@ static int mod_l3_entry(l3_pgentry_t *pl3e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping and presence. */
--        if ( !l3e_has_changed(ol3e, nl3e, _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l3e_has_changed(ol3e, nl3e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l3e(nl3e, d);
-             rc = UPDATE_ENTRY(l3, pl3e, ol3e, nl3e, pfn, vcpu, preserve_ad);
-_at_@ -1952,8 +1956,8 @@ static int mod_l4_entry(l4_pgentry_t *pl4e,
-             return -EINVAL;
-         }
- 
--        /* Fast path for identical mapping and presence. */
--        if ( !l4e_has_changed(ol4e, nl4e, _PAGE_PRESENT) )
-+        /* Fast path for sufficiently-similar mappings. */
-+        if ( !l4e_has_changed(ol4e, nl4e, ~FASTPATH_FLAG_WHITELIST) )
-         {
-             adjust_guest_l4e(nl4e, d);
-             rc = UPDATE_ENTRY(l4, pl4e, ol4e, nl4e, pfn, vcpu, preserve_ad);
-diff --git a/xen/include/asm-x86/page.h b/xen/include/asm-x86/page.h
-index 6dc9646..03c024c 100644
---- a/xen/include/asm-x86/page.h
-+++ b/xen/include/asm-x86/page.h
-_at_@ -308,6 +308,7 @@ void efi_update_l4_pgtable(unsigned int l4idx, l4_pgentry_t);
- #define _PAGE_AVAIL2   _AC(0x800,U)
- #define _PAGE_AVAIL    _AC(0xE00,U)
- #define _PAGE_PSE_PAT _AC(0x1000,U)
-+#define _PAGE_AVAIL_HIGH (_AC(0x7ff, U) << 12)
- /* non-architectural flags */
- #define _PAGE_PAGED   0x2000U
- #define _PAGE_SHARED  0x4000U
--- 
-2.1.4
-
diff --git a/main/xen/xsa183-4.6.patch b/main/xen/xsa183-4.6.patch
deleted file mode 100644
index 84d7007..0000000
--- a/main/xen/xsa183-4.6.patch
+++ /dev/null
_at_@ -1,75 +0,0 @@
-From 777ebe30e81ab284f9b78392875fe884a593df35 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Date: Wed, 15 Jun 2016 18:32:14 +0100
-Subject: [PATCH] x86/entry: Avoid SMAP violation in
- compat_create_bounce_frame()
-
-A 32bit guest kernel might be running on user mappings.
-compat_create_bounce_frame() must whitelist its guest accesses to avoid
-risking a SMAP violation.
-
-For both variants of create_bounce_frame(), re-blacklist user accesses if
-execution exits via an exception table redirection.
-
-This is XSA-183 / CVE-2016-6259
-
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: George Dunlap <george.dunlap_at_citrix.com>
-Reviewed-by: Jan Beulich <jbeulich_at_suse.com>
----
-v2:
- * Include CLAC on the exit paths from compat_create_bounce_frame which occur
-   from faults attempting to load %fs
- * Reposition ASM_STAC to avoid breaking the macro-op fusion of test/jz
----
- xen/arch/x86/x86_64/compat/entry.S | 3 +++
- xen/arch/x86/x86_64/entry.S        | 2 ++
- 2 files changed, 5 insertions(+)
-
-diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
-index 0e3db7c..1eaf4bb 100644
---- a/xen/arch/x86/x86_64/compat/entry.S
-+++ b/xen/arch/x86/x86_64/compat/entry.S
-_at_@ -350,6 +350,7 @@ ENTRY(compat_int80_direct_trap)
- compat_create_bounce_frame:
-         ASSERT_INTERRUPTS_ENABLED
-         mov   %fs,%edi
-+        ASM_STAC
-         testb $2,UREGS_cs+8(%rsp)
-         jz    1f
-         /* Push new frame at registered guest-OS stack base. */
-_at_@ -403,6 +404,7 @@ UNLIKELY_START(nz, compat_bounce_failsafe)
-         movl  %ds,%eax
- .Lft12: movl  %eax,%fs:0*4(%rsi)        # DS
- UNLIKELY_END(compat_bounce_failsafe)
-+        ASM_CLAC
-         /* Rewrite our stack frame and return to guest-OS mode. */
-         /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
-         andl  $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
-_at_@ -448,6 +450,7 @@ compat_crash_page_fault_4:
-         addl  $4,%esi
- compat_crash_page_fault:
- .Lft14: mov   %edi,%fs
-+        ASM_CLAC
-         movl  %esi,%edi
-         call  show_page_walk
-         jmp   dom_crash_sync_extable
-diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
-index 6e27508..0c2e63a 100644
---- a/xen/arch/x86/x86_64/entry.S
-+++ b/xen/arch/x86/x86_64/entry.S
-_at_@ -462,9 +462,11 @@ domain_crash_page_fault_16:
- domain_crash_page_fault_8:
-         addq  $8,%rsi
- domain_crash_page_fault:
-+        ASM_CLAC
-         movq  %rsi,%rdi
-         call  show_page_walk
- ENTRY(dom_crash_sync_extable)
-+        ASM_CLAC
-         # Get out of the guest-save area of the stack.
-         GET_STACK_BASE(%rax)
-         leaq  STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
--- 
-2.1.4
-
diff --git a/main/xen/xsa184-qemut-master.patch b/main/xen/xsa184-qemut-master.patch
deleted file mode 100644
index b376f33..0000000
--- a/main/xen/xsa184-qemut-master.patch
+++ /dev/null
_at_@ -1,43 +0,0 @@
-From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
-From: P J P <ppandit_at_redhat.com>
-Date: Tue, 26 Jul 2016 15:31:59 +0100
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size.  This requires reusing
-vring descriptors in more than one request, which is incorrect but
-possible.  Processing a request allocates a VirtQueueElement and
-therefore causes unbounded memory allocation controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits.  This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-Reported-by: Zhenhao Hong <zhenhaohong_at_gmail.com>
-Signed-off-by: Stefan Hajnoczi <stefanha_at_redhat.com>
----
- hw/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio.c b/hw/virtio.c
-index c26feff..42897bf 100644
---- a/tools/qemu-xen-traditional/hw/virtio.c
-+++ b/tools/qemu-xen-traditional/hw/virtio.c
-_at_@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
-     /* When we start there are none of either input nor output. */
-     elem->out_num = elem->in_num = 0;
- 
-+    if (vq->inuse >= vq->vring.num) {
-+        fprintf(stderr, "Virtqueue size exceeded");
-+        exit(1);
-+    }
-+
-     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
-     do {
-         struct iovec *sg;
--- 
-2.1.4
-
diff --git a/main/xen/xsa184-qemuu-master.patch b/main/xen/xsa184-qemuu-master.patch
deleted file mode 100644
index bbe44e8..0000000
--- a/main/xen/xsa184-qemuu-master.patch
+++ /dev/null
_at_@ -1,43 +0,0 @@
-From e469db25d6b2e5c71cd15451889226641c53a5cd Mon Sep 17 00:00:00 2001
-From: P J P <ppandit_at_redhat.com>
-Date: Mon, 25 Jul 2016 17:37:18 +0530
-Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
-
-A broken or malicious guest can submit more requests than the virtqueue
-size permits.
-
-The guest can submit requests without bothering to wait for completion
-and is therefore not bound by virtqueue size.  This requires reusing
-vring descriptors in more than one request, which is incorrect but
-possible.  Processing a request allocates a VirtQueueElement and
-therefore causes unbounded memory allocation controlled by the guest.
-
-Exit with an error if the guest provides more requests than the
-virtqueue size permits.  This bounds memory allocation and makes the
-buggy guest visible to the user.
-
-Reported-by: Zhenhao Hong <zhenhaohong_at_gmail.com>
-Signed-off-by: Stefan Hajnoczi <stefanha_at_redhat.com>
----
- hw/virtio/virtio.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index d24f775..f8ac0fb 100644
---- a/tools/qemu-xen/hw/virtio/virtio.c
-+++ b/tools/qemu-xen/hw/virtio/virtio.c
-_at_@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
- 
-     max = vq->vring.num;
- 
-+    if (vq->inuse >= max) {
-+        error_report("Virtqueue size exceeded");
-+        exit(1);
-+    }
-+
-     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
-     if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
-         vring_set_avail_event(vq, vq->last_avail_idx);
--- 
-2.1.4
-
diff --git a/main/xen/xsa185.patch b/main/xen/xsa185.patch
deleted file mode 100644
index a4c133e..0000000
--- a/main/xen/xsa185.patch
+++ /dev/null
_at_@ -1,38 +0,0 @@
-From 30aba4992b18245c436f16df7326a16c01a51570 Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich_at_suse.com>
-Date: Mon, 8 Aug 2016 10:58:12 +0100
-Subject: x86/32on64: don't allow recursive page tables from L3
-
-L3 entries are special in PAE mode, and hence can't reasonably be used
-for setting up recursive (and hence linear) page table mappings. Since
-abuse is possible when the guest in fact gets run on 4-level page
-tables, this needs to be excluded explicitly.
-
-This is XSA-185.
-
-Reported-by: Jérémie Boutoille <jboutoille_at_ext.quarkslab.com>
-Reported-by: 栾尚聪(好风) <shangcong.lsc_at_alibaba-inc.com>
-Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
-Reviewed-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
----
- xen/arch/x86/mm.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
-index 109b8be..69b8b8d 100644
---- a/xen/arch/x86/mm.c
-+++ b/xen/arch/x86/mm.c
-_at_@ -1122,7 +1122,9 @@ get_page_from_l3e(
- 
-     rc = get_page_and_type_from_pagenr(
-         l3e_get_pfn(l3e), PGT_l2_page_table, d, partial, 1);
--    if ( unlikely(rc == -EINVAL) && get_l3_linear_pagetable(l3e, pfn, d) )
-+    if ( unlikely(rc == -EINVAL) &&
-+         !is_pv_32bit_domain(d) &&
-+         get_l3_linear_pagetable(l3e, pfn, d) )
-         rc = 0;
- 
-     return rc;
--- 
-2.1.4
-
diff --git a/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch b/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
deleted file mode 100644
index b257497..0000000
--- a/main/xen/xsa186-0001-x86-emulate-Correct-boundary-interactions-of-emulate.patch
+++ /dev/null
_at_@ -1,73 +0,0 @@
-From e938be013ba73ff08fa4f1d8670501aacefde7fb Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Date: Fri, 22 Jul 2016 16:02:54 +0000
-Subject: [PATCH 1/2] x86/emulate: Correct boundary interactions of emulated
- instructions
-
-This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".
-
-Experimentally, in long mode processors will execute an instruction stream
-which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
-boundary is aligned on the virtual boundary, or is misaligned.
-
-In compatibility mode, Intel processors will execute an instruction stream
-which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a
-segmentation fault.  Xen's segmentation behaviour matches AMD.
-
-For 16bit code, hardware does not ever truncated %ip.  %eip is always used and
-behaves normally as a 32bit register, including in 16bit protected mode
-segments, as well as in Real and Unreal mode.
-
-This is XSA-186
-
-Reported-by: Brian Marcotte <marcotte_at_panix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: Jan Beulich <jbeulich_at_suse.com>
----
- xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------
- 1 file changed, 4 insertions(+), 18 deletions(-)
-
-diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
-index d5a56cf..bf3529a 100644
---- a/xen/arch/x86/x86_emulate/x86_emulate.c
-+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
-_at_@ -1570,10 +1570,6 @@ x86_emulate(
- #endif
-     }
- 
--    /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */
--    if ( def_ad_bytes < sizeof(_regs.eip) )
--        _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;
--
-     /* Prefix bytes. */
-     for ( ; ; )
-     {
-_at_@ -3906,21 +3902,11 @@ x86_emulate(
- 
-     /* Commit shadow register state. */
-     _regs.eflags &= ~EFLG_RF;
--    switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )
--    {
--        uint16_t ip;
- 
--    case 2:
--        ip = _regs.eip;
--        _regs.eip = ctxt->regs->eip;
--        *(uint16_t *)&_regs.eip = ip;
--        break;
--#ifdef __x86_64__
--    case 4:
--        _regs.rip = _regs._eip;
--        break;
--#endif
--    }
-+    /* Zero the upper 32 bits of %rip if not in long mode. */
-+    if ( def_ad_bytes < sizeof(_regs.eip) )
-+        _regs.eip = (uint32_t)_regs.eip;
-+
-     *ctxt->regs = _regs;
- 
-  done:
--- 
-2.1.4
-
diff --git a/main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch b/main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
deleted file mode 100644
index 07c30a2..0000000
--- a/main/xen/xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
+++ /dev/null
_at_@ -1,41 +0,0 @@
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Subject: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary
-
-The Force Emulation Prefix is named to follow its PV counterpart for cpuid or
-rdtsc, but isn't really an instruction prefix.  It behaves as a break-out into
-Xen, with the purpose of emulating the next instruction in the current state.
-
-It is important to be able to test legal situations which occur in real
-hardware, including instruction which cross certain boundaries, and
-instructions starting at 0.
-
-Reported-by: Brian Marcotte <marcotte_at_panix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: Jan Beulich <jbeulich_at_suse.com>
-
---- a/xen/arch/x86/hvm/svm/svm.c
-+++ b/xen/arch/x86/hvm/svm/svm.c
-_at_@ -2139,6 +2139,10 @@ static void svm_vmexit_ud_intercept(stru
-         {
-             regs->eip += sizeof(sig);
-             regs->eflags &= ~X86_EFLAGS_RF;
-+
-+            /* Zero the upper 32 bits of %rip if not in long mode. */
-+            if ( svm_guest_x86_mode(current) != 8 )
-+                regs->eip = regs->_eip;
-         }
-     }
- 
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-_at_@ -2757,6 +2757,10 @@ static void vmx_vmexit_ud_intercept(stru
-         {
-             regs->eip += sizeof(sig);
-             regs->eflags &= ~X86_EFLAGS_RF;
-+
-+            /* Zero the upper 32 bits of %rip if not in long mode. */
-+            if ( vmx_guest_x86_mode(current) != 8 )
-+                regs->eip = regs->_eip;
-         }
-     }
- 
diff --git a/main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch b/main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
deleted file mode 100644
index e8cd1e7..0000000
--- a/main/xen/xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+++ /dev/null
_at_@ -1,142 +0,0 @@
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Subject: x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
-
-HVM HAP codepaths have space for all segment registers in the seg_reg[]
-cache (with x86_seg_none still risking an array overrun), while the shadow
-codepaths only have space for the user segments.
-
-Range check the input segment of *_get_seg_reg() against the size of the array
-used to cache the results, to avoid overruns in the case that the callers
-don't filter their input suitably.
-
-Subsume the is_x86_user_segment(seg) checks from the shadow code, which were
-an incomplete attempt at range checking, and are now superceeded.  Make
-hvm_get_seg_reg() static, as it is not used outside of shadow/common.c
-
-No functional change, but far easier to reason that no overflow is possible.
-
-Reported-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Acked-by: Tim Deegan <tim_at_xen.org>
-Acked-by: Jan Beulich <jbeulich_at_suse.com>
-
---- a/xen/arch/x86/hvm/emulate.c
-+++ b/xen/arch/x86/hvm/emulate.c
-_at_@ -526,6 +526,8 @@ static int hvmemul_virtual_to_linear(
-                            ? 1 : 4096);
- 
-     reg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-+    if ( IS_ERR(reg) )
-+        return -PTR_ERR(reg);
- 
-     if ( (hvmemul_ctxt->ctxt.regs->eflags & X86_EFLAGS_DF) && (*reps > 1) )
-     {
-_at_@ -1360,6 +1362,10 @@ static int hvmemul_read_segment(
-     struct hvm_emulate_ctxt *hvmemul_ctxt =
-         container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
-     struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
-+
-+    if ( IS_ERR(sreg) )
-+         return -PTR_ERR(sreg);
-+
-     memcpy(reg, sreg, sizeof(struct segment_register));
-     return X86EMUL_OKAY;
- }
-_at_@ -1373,6 +1379,9 @@ static int hvmemul_write_segment(
-         container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
-     struct segment_register *sreg = hvmemul_get_seg_reg(seg, hvmemul_ctxt);
- 
-+    if ( IS_ERR(sreg) )
-+         return -PTR_ERR(sreg);
-+
-     memcpy(sreg, reg, sizeof(struct segment_register));
-     __set_bit(seg, &hvmemul_ctxt->seg_reg_dirty);
- 
-_at_@ -1911,10 +1920,17 @@ void hvm_emulate_writeback(
-     }
- }
- 
-+/*
-+ * Callers which pass a known in-range x86_segment can rely on the return
-+ * pointer being valid.  Other callers must explicitly check for errors.
-+ */
- struct segment_register *hvmemul_get_seg_reg(
-     enum x86_segment seg,
-     struct hvm_emulate_ctxt *hvmemul_ctxt)
- {
-+    if ( seg < 0 || seg >= ARRAY_SIZE(hvmemul_ctxt->seg_reg) )
-+        return ERR_PTR(-X86EMUL_UNHANDLEABLE);
-+
-     if ( !__test_and_set_bit(seg, &hvmemul_ctxt->seg_reg_accessed) )
-         hvm_get_segment_register(current, seg, &hvmemul_ctxt->seg_reg[seg]);
-     return &hvmemul_ctxt->seg_reg[seg];
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-_at_@ -125,10 +125,19 @@ __initcall(shadow_audit_key_init);
- /* x86 emulator support for the shadow code
-  */
- 
-+/*
-+ * Callers which pass a known in-range x86_segment can rely on the return
-+ * pointer being valid.  Other callers must explicitly check for errors.
-+ */
- struct segment_register *hvm_get_seg_reg(
-     enum x86_segment seg, struct sh_emulate_ctxt *sh_ctxt)
- {
--    struct segment_register *seg_reg = &sh_ctxt->seg_reg[seg];
-+    struct segment_register *seg_reg;
-+
-+    if ( seg < 0 || seg >= ARRAY_SIZE(sh_ctxt->seg_reg) )
-+        return ERR_PTR(-X86EMUL_UNHANDLEABLE);
-+
-+    seg_reg = &sh_ctxt->seg_reg[seg];
-     if ( !__test_and_set_bit(seg, &sh_ctxt->valid_seg_regs) )
-         hvm_get_segment_register(current, seg, seg_reg);
-     return seg_reg;
-_at_@ -145,14 +154,9 @@ static int hvm_translate_linear_addr(
-     struct segment_register *reg;
-     int okay;
- 
--    /*
--     * Can arrive here with non-user segments.  However, no such cirucmstance
--     * is part of a legitimate pagetable update, so fail the emulation.
--     */
--    if ( !is_x86_user_segment(seg) )
--        return X86EMUL_UNHANDLEABLE;
--
-     reg = hvm_get_seg_reg(seg, sh_ctxt);
-+    if ( IS_ERR(reg) )
-+        return -PTR_ERR(reg);
- 
-     okay = hvm_virtual_to_linear_addr(
-         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
-_at_@ -254,9 +258,6 @@ hvm_emulate_write(enum x86_segment seg,
-     unsigned long addr;
-     int rc;
- 
--    if ( !is_x86_user_segment(seg) )
--        return X86EMUL_UNHANDLEABLE;
--
-     /* How many emulations could we save if we unshadowed on stack writes? */
-     if ( seg == x86_seg_ss )
-         perfc_incr(shadow_fault_emulate_stack);
-_at_@ -284,9 +285,6 @@ hvm_emulate_cmpxchg(enum x86_segment seg
-     unsigned long addr, old[2], new[2];
-     int rc;
- 
--    if ( !is_x86_user_segment(seg) )
--        return X86EMUL_UNHANDLEABLE;
--
-     rc = hvm_translate_linear_addr(
-         seg, offset, bytes, hvm_access_write, sh_ctxt, &addr);
-     if ( rc )
---- a/xen/include/asm-x86/hvm/emulate.h
-+++ b/xen/include/asm-x86/hvm/emulate.h
-_at_@ -13,6 +13,7 @@
- #define __ASM_X86_HVM_EMULATE_H__
- 
- #include <xen/config.h>
-+#include <xen/err.h>
- #include <asm/hvm/hvm.h>
- #include <asm/x86_emulate.h>
- 
diff --git a/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch b/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
deleted file mode 100644
index bc99596..0000000
--- a/main/xen/xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
+++ /dev/null
_at_@ -1,42 +0,0 @@
-From: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
-
-hvm_get_seg_reg() does not perform a range check on its input segment, calls
-hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[].
-
-x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG()
-in {vmx,svm}_get_segment_register().
-
-HVM guests running with shadow paging can end up performing a virtual to
-linear translation with x86_seg_none.  This is used for addresses which are
-already linear.  However, none of this is a legitimate pagetable update, so
-fail the emulation in such a case.
-
-This is XSA-187
-
-Reported-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
-Reviewed-by: Tim Deegan <tim_at_xen.org>
-
---- a/xen/arch/x86/mm/shadow/common.c
-+++ b/xen/arch/x86/mm/shadow/common.c
-_at_@ -140,9 +140,18 @@ static int hvm_translate_linear_addr(
-     struct sh_emulate_ctxt *sh_ctxt,
-     unsigned long *paddr)
- {
--    struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt);
-+    struct segment_register *reg;
-     int okay;
- 
-+    /*
-+     * Can arrive here with non-user segments.  However, no such cirucmstance
-+     * is part of a legitimate pagetable update, so fail the emulation.
-+     */
-+    if ( !is_x86_user_segment(seg) )
-+        return X86EMUL_UNHANDLEABLE;
-+
-+    reg = hvm_get_seg_reg(seg, sh_ctxt);
-+
-     okay = hvm_virtual_to_linear_addr(
-         seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);
- 
diff --git a/main/xen/xsa202-4.6.patch b/main/xen/xsa202-4.6.patch
new file mode 100644
index 0000000..0c7fff0
--- /dev/null
+++ b/main/xen/xsa202-4.6.patch
_at_@ -0,0 +1,73 @@
+From: Jan Beulich <jbeulich_at_suse.com>
+Subject: x86: force EFLAGS.IF on when exiting to PV guests
+
+Guest kernels modifying instructions in the process of being emulated
+for another of their vCPU-s may effect EFLAGS.IF to be cleared upon
+next exiting to guest context, by converting the being emulated
+instruction to CLI (at the right point in time). Prevent any such bad
+effects by always forcing EFLAGS.IF on. And to cover hypothetical other
+similar issues, also force EFLAGS.{IOPL,NT,VM} to zero.
+
+This is XSA-202.
+
+Signed-off-by: Jan Beulich <jbeulich_at_suse.com>
+
+--- a/xen/arch/x86/x86_64/compat/entry.S
++++ b/xen/arch/x86/x86_64/compat/entry.S
+_at_@ -174,6 +174,8 @@ compat_bad_hypercall:
+ /* %rbx: struct vcpu, interrupts disabled */
+ ENTRY(compat_restore_all_guest)
+         ASSERT_INTERRUPTS_DISABLED
++        mov   $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11d
++        and   UREGS_eflags(%rsp),%r11d
+ .Lcr4_orig:
+         .skip .Lcr4_alt_end - .Lcr4_alt, 0x90
+ .Lcr4_orig_end:
+_at_@ -209,6 +211,8 @@ ENTRY(compat_restore_all_guest)
+                              (.Lcr4_orig_end - .Lcr4_orig), \
+                              (.Lcr4_alt_end - .Lcr4_alt)
+         .popsection
++        or    $X86_EFLAGS_IF,%r11
++        mov   %r11d,UREGS_eflags(%rsp)
+         RESTORE_ALL adj=8 compat=1
+ .Lft0:  iretq
+ 
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+_at_@ -40,28 +40,29 @@ restore_all_guest:
+         testw $TRAP_syscall,4(%rsp)
+         jz    iret_exit_to_guest
+ 
++        movq  24(%rsp),%r11           # RFLAGS
++        andq  $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),%r11
++        orq   $X86_EFLAGS_IF,%r11
++
+         /* Don't use SYSRET path if the return address is not canonical. */
+         movq  8(%rsp),%rcx
+         sarq  $47,%rcx
+         incl  %ecx
+         cmpl  $1,%ecx
+-        ja    .Lforce_iret
++        movq  8(%rsp),%rcx            # RIP
++        ja    iret_exit_to_guest
+ 
+         cmpw  $FLAT_USER_CS32,16(%rsp)# CS
+-        movq  8(%rsp),%rcx            # RIP
+-        movq  24(%rsp),%r11           # RFLAGS
+         movq  32(%rsp),%rsp           # RSP
+         je    1f
+         sysretq
+ 1:      sysretl
+ 
+-.Lforce_iret:
+-        /* Mimic SYSRET behavior. */
+-        movq  8(%rsp),%rcx            # RIP
+-        movq  24(%rsp),%r11           # RFLAGS
+         ALIGN
+ /* No special register assumptions. */
+ iret_exit_to_guest:
++        andl  $~(X86_EFLAGS_IOPL|X86_EFLAGS_NT|X86_EFLAGS_VM),24(%rsp)
++        orl   $X86_EFLAGS_IF,24(%rsp)
+         addq  $8,%rsp
+ .Lft0:  iretq
+ 
diff --git a/main/xen/xsa204-4.5.patch b/main/xen/xsa204-4.5.patch
new file mode 100644
index 0000000..352845a
--- /dev/null
+++ b/main/xen/xsa204-4.5.patch
_at_@ -0,0 +1,69 @@
+From: Andrew Cooper <andrew.cooper3_at_citrix.com>
+Date: Sun, 18 Dec 2016 15:42:59 +0000
+Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
+
+A singlestep #DB is determined by the resulting eflags value from the
+execution of SYSCALL, not the original eflags value.
+
+By using the original eflags value, we negate the guest kernels attempt to
+protect itself from a privilege escalation by masking TF.
+
+Introduce a tf boolean and have the SYSCALL emulation recalculate it
+after the instruction is complete.
+
+This is XSA-204
+
+Signed-off-by: Andrew Cooper <andrew.cooper3_at_citrix.com>
+Reviewed-by: Jan Beulich <jbeulich_at_suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 0c43fe1..f675dc9 100644
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+_at_@ -1537,6 +1537,7 @@ x86_emulate(
+     union vex vex = {};
+     unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
+     bool_t lock_prefix = 0;
++    bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
+     int override_seg = -1, rc = X86EMUL_OKAY;
+     struct operand src = { .reg = REG_POISON };
+     struct operand dst = { .reg = REG_POISON };
+_at_@ -3881,9 +3882,8 @@ x86_emulate(
+         break;
+     }
+ 
+-    /* Inject #DB if single-step tracing was enabled at instruction start. */
+-    if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
+-         (ops->inject_hw_exception != NULL) )
++    /* Should a singlestep #DB be raised? */
++    if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
+         rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
+ 
+     /* Commit shadow register state. */
+_at_@ -4068,6 +4068,23 @@ x86_emulate(
+              (rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
+             goto done;
+ 
++        /*
++         * SYSCALL (unlike most instructions) evaluates its singlestep action
++         * based on the resulting EFLG_TF, not the starting EFLG_TF.
++         *
++         * As the #DB is raised after the CPL change and before the OS can
++         * switch stack, it is a large risk for privilege escalation.
++         *
++         * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
++         * vulnerability.  Running the #DB handler on an IST stack is also a
++         * mitigation.
++         *
++         * 32bit kernels have no ability to mask EFLG_TF at all.  Their only
++         * mitigation is to use a task gate for handling #DB (or to not use
++         * enable EFER.SCE to start with).
++         */
++        tf = !!(_regs.eflags & EFLG_TF);
++
+         break;
+     }
+ 
-- 
2.4.11
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Fri Dec 23 2016 - 13:41:44 GMT